LDAP clients use the pam(3) modules for user authentication during the logins. When using the standard UNIXTM PAM module, the password is read from the server and checked on the client side. This can fail due to one of the following reasons.
ldap not used by the passwd service in the /etc/nsswitch.conf file
The user's userPassword attribute on the server list is not readable by the proxy agent. You need to allow at least the proxy agent to read the password because the proxy agent returns it to the client for comparison. pam_ldap does not require read access to the password
Proxy agent might not have correct password
The entry does not have the shadowAccount objectclass
There is no password defined for the user
When you use ldapaddent, you must use the -p option to ensure that the password is added to the user entry. If you used ldapaddent without using the -p option, the, users's password will not be stored in the directory unless you also add the /etc/shadow file using ldapaddent.
None of the LDAP servers are reachable.
Check the status of the servers.
# /usr/lib/ldap/ldap_cachemgr —g
pam_conf is configured incorrectly.
The user is not defined in the LDAP namespace.
NS_LDAP_CREDENTIAL_LEVEL is set to anonymous for pam_unix and userPassword attribute is not available to anonymous users.
Password is not stored in crypt format.