I'm seeing a problem where I can authenticate as a user using the LDAP tools
(i.e. ldapsearch) but I am unable to log in using PAM.

Comparing debug on the server shows that ldapsearch is doing a new BIND,
whereas PAM is not:

Jun  4 14:58:52 ldap-server slapd[5158]: => dn: [1]
Jun  4 14:58:52 ldap-server slapd[5158]: => acl_get: [2] attr userPassword
Jun  4 14:58:52 ldap-server slapd[5158]: access_allowed: no res from state (userPassword)
Jun  4 14:58:52 ldap-server slapd[5158]: => acl_mask: access to entry "uid=jrhett,ou=Users,dc=equinix,dc=com", attr "userPassword" requested
Jun  4 14:58:52 ldap-server slapd[5158]: => acl_mask: to value by "", (=0)
Jun  4 14:58:52 ldap-server slapd[5158]: <= check a_dn_pat: anonymous
Jun  4 14:58:52 ldap-server slapd[5158]: <= acl_mask: [1] applying auth(=xd) (stop)
Jun  4 14:58:52 ldap-server slapd[5158]: <= acl_mask: [1] mask: auth(=xd)
Jun  4 14:58:52 ldap-server slapd[5158]: => access_allowed: auth access granted by auth(=xd)
Jun  4 14:58:52 ldap-server slapd[5158]: send_ldap_result: conn=75 op=2 p=3
Jun  4 14:58:52 ldap-server slapd[5158]: send_ldap_result: err=49 matched="" text=""
Jun  4 14:58:52 ldap-server slapd[5158]: send_ldap_response: msgid=3 tag=97 err=49
Jun  4 14:58:52 ldap-server slapd[5158]: conn=75 op=2 RESULT tag=97 err=49 text=

Now ldapsearch has identical debug output down until just below the 
access_allowed line.

Jun  4 15:02:54 ldap-server slapd[5158]: => acl_get: [2] attr userPassword
Jun  4 15:02:54 ldap-server slapd[5158]: access_allowed: no res from state (userPassword)
Jun  4 15:02:54 ldap-server slapd[5158]: => acl_mask: access to entry "uid=jrhett,ou=Users,dc=equinix,dc=com", attr "userPassword" requested
Jun  4 15:02:54 ldap-server slapd[5158]: => acl_mask: to value by "", (=0)
Jun  4 15:02:54 ldap-server slapd[5158]: <= check a_dn_pat: anonymous
Jun  4 15:02:54 ldap-server slapd[5158]: <= acl_mask: [1] applying auth(=xd) (stop)
Jun  4 15:02:54 ldap-server slapd[5158]: <= acl_mask: [1] mask: auth(=xd)
Jun  4 15:02:54 ldap-server slapd[5158]: => access_allowed: auth access granted by auth(=xd)
Jun  4 15:02:54 ldap-server slapd[5158]: conn=83 op=0 BIND dn="uid=jrhett,ou=Users,dc=equinix,dc=com" mech=SIMPLE ssf=0
Jun  4 15:02:54 ldap-server slapd[5158]: do_bind: v3 bind: "uid=jrhett,ou=Users,dc=equinix,dc=com" to "uid=jrhett,ou=Users,dc=equinix,dc=com"
Jun  4 15:02:54 ldap-server slapd[5158]: send_ldap_result: conn=83 op=0 p=3
Jun  4 15:02:54 ldap-server slapd[5158]: send_ldap_result: err=0 matched="" text=""
Jun  4 15:02:54 ldap-server slapd[5158]: send_ldap_response: msgid=1 tag=97 err=0
Jun  4 15:02:54 ldap-server slapd[5158]: conn=83 op=0 RESULT tag=97 err=0 text=
Jun  4 15:02:54 ldap-server slapd[5158]: daemon: activity on 1 descriptor
Jun  4 15:02:54 ldap-server slapd[5158]: daemon: activity on:

Can someone give me a clue what's going wrong here?

The key to this problem is that I'm trying to avoid putting system logins,
rootbinddns on each server, and just do anonymous binds for authentication.
No configuration file on this client has a valid Manager or any other
authentication password, and I'm trying to keep it that way. In theory, this
should work ;-) I mean, ldapsearch works fine ...

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other 
randomness
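An added example (not part of the post above, and not OpenLDAP's own code) for anyone reading slapd debug output like the two excerpts quoted in it: it pairs each "conn=N op=M BIND dn=..." request with the matching "RESULT tag=97 err=E" BindResponse, so it is quick to see which connections bound as a real DN, which bound anonymously, and which failed with err=49 (invalidCredentials). The sample log lines are constructed to mirror the post's output; the `method=128` form for an anonymous simple bind is assumed from typical slapd logging.

```python
import re

# Constructed sample lines modelled on the slapd debug output quoted in the post.
SAMPLE_LOG = """\
Jun  4 14:58:52 ldap-server slapd[5158]: conn=75 op=2 RESULT tag=97 err=49 text=
Jun  4 15:02:54 ldap-server slapd[5158]: conn=83 op=0 BIND dn="uid=jrhett,ou=Users,dc=equinix,dc=com" mech=SIMPLE ssf=0
Jun  4 15:02:54 ldap-server slapd[5158]: conn=83 op=0 RESULT tag=97 err=0 text=
Jun  4 15:02:54 ldap-server slapd[5158]: conn=84 op=0 BIND dn="" method=128
Jun  4 15:02:54 ldap-server slapd[5158]: conn=84 op=0 RESULT tag=97 err=0 text=
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
# tag=97 is the BER tag of an LDAP BindResponse, so only bind outcomes match here.
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')

# LDAP result codes that matter when reading bind responses.
RESULT_NAMES = {0: "success", 49: "invalidCredentials"}


def summarize_binds(log_text):
    """Pair each BIND request with its BindResponse, in order of the responses."""
    binds = {}      # (conn, op) -> bind DN ("" means anonymous)
    results = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            conn, op, dn = m.groups()
            binds[(conn, op)] = dn
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err = m.groups()
            err = int(err)
            dn = binds.get((conn, op))   # None if the BIND line is missing from the excerpt
            results.append({
                "conn": conn, "op": op,
                "dn": dn if dn is not None else "<BIND request not in log>",
                "anonymous": dn == "",
                "err": err,
                "status": RESULT_NAMES.get(err, "other(%d)" % err),
            })
    return results


def failed_binds(log_text):
    """Only the bind responses whose result code is non-zero."""
    return [r for r in summarize_binds(log_text) if r["err"] != 0]


if __name__ == "__main__":
    for r in summarize_binds(SAMPLE_LOG):
        print("conn=%s op=%s dn=%s anonymous=%s -> %s"
              % (r["conn"], r["op"], r["dn"], r["anonymous"], r["status"]))
```

Run it against the server's own debug log instead of SAMPLE_LOG to see whether the PAM client's connection ever logs a BIND with a non-empty DN before its err=49 result.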
