[pam ldap] user console login

Todd Hunter-Gilbert penguin at swcp.com
Thu Feb 24 20:19:20 UTC 2005


Hello all,

I've got a redhat 8 box I'm trying to make an ldap client.  It is talking
to the server.  From the client, I can do ldapsearch and other similar
commands.

On the client, I can log in as local user (i.e. root) in all normal
fashions.  As a non-local user (non-privileged user from ldap database),
I can log in via ssh.  I cannot log in at console.

/var/log/messages gets a few error lines when I attempt this.  First is
"pam_tally: pam_get_uid; no such user todd"

Then "check pass; user unknown" (this is gdm(pam_unix))

Then "authentication failure; logname= uid=0 euid=0 tty=:0 ruser=gdm
rhost=localhost" (this is gdm(pam_unix))

Looking in /etc/pam.d I see:

gdm is identical to sshd except for one line (sshd requires pam_limits.so
for session).  Everything else is kicked to system-auth.

system-auth goes like this (apologies for the shorthand, order preserved)

auth:
required pam_env.so
required pam_tally.so onerr=fail no_magic_root
sufficient pam_unix.so likeauth nullok
sufficient pam_ldap.so use_first_pass
required pam_deny.so

account:
required pam_unix.so remember 10
required pam_tally.so per_user deny=5 no_magic_root
sufficient pam_ldap.so (will remember work here?)
required pam_permit.so

password:
requisite pam_cracklib.so [with password restrictions that don't seem to
be taking effect, is "requisite" correct?]
sufficient pam_unix.so nullok use_authtok md5 shadow
sufficient pam_ldap.so use_authtok
required pam_deny.so

session:
required pam_limits.so
required pam_unix.so
optional pam_ldap.so


Can anybody see why console logins would be failing?

BTW, my pam versions are
pam-0.75-40
pam_smb-1.1.6-5
pam_krb5-1.56-1
pam-devel-0.75-40

Thanks in advance,
Todd Hunter-Gilbert
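Added here as an illustration, not code from the post or from Linux-PAM: a small Python replay of the quoted auth stack under the pam.conf(5) control-flag rules (required / requisite / sufficient / optional), with constructed module results, showing how a failure from the "required pam_tally.so" line seals the outcome even when the later "sufficient pam_ldap.so" line succeeds. Whether pam_tally actually returns failure after the logged "pam_get_uid; no such user" is an assumption of the scenario, not something the post confirms.

```python
# Added stand-alone simulation of Linux-PAM control-flag rules replayed over
# the auth stack quoted above; not libpam, and the module results are constructed.
from typing import Dict, List, Tuple

# (control flag, module, arguments), in the order given in the post.
AUTH_STACK: List[Tuple[str, str, str]] = [
    ("required",   "pam_env.so",   ""),
    ("required",   "pam_tally.so", "onerr=fail no_magic_root"),
    ("sufficient", "pam_unix.so",  "likeauth nullok"),
    ("sufficient", "pam_ldap.so",  "use_first_pass"),
    ("required",   "pam_deny.so",  ""),
]

def run_stack(stack: List[Tuple[str, str, str]],
              results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Walk the stack with pam.conf(5) semantics; results maps module -> success.
    required:   failure seals the final result, later modules still run.
    requisite:  failure returns to the application immediately.
    sufficient: success ends the stack with success unless a required module
                already failed; its own failure is ignored.
    optional:   ignored unless it is the only module (not the case here).
    Returns (authenticated, trace)."""
    trace: List[str] = []
    required_failed = False
    for flag, module, _args in stack:
        ok = results[module]
        trace.append(f"{flag:<10} {module:<13} -> {'success' if ok else 'failure'}")
        if flag == "requisite" and not ok:
            return False, trace + ["requisite failed: stop at once"]
        if flag == "required" and not ok:
            required_failed = True            # outcome sealed, keep walking
        elif flag == "sufficient" and ok and not required_failed:
            return True, trace + ["sufficient succeeded, no earlier required failure"]
    return not required_failed, trace

def ldap_console_login(tally_ok: bool) -> Tuple[bool, List[str]]:
    """Constructed scenario: LDAP-only user, no local passwd entry, so pam_unix
    fails and pam_ldap accepts the password. tally_ok models whether the
    required pam_tally.so line succeeded or returned failure (as it may after
    'pam_get_uid; no such user' with onerr=fail; an assumption, not verified)."""
    results = {"pam_env.so": True, "pam_tally.so": tally_ok, "pam_unix.so": False,
               "pam_ldap.so": True, "pam_deny.so": False}
    return run_stack(AUTH_STACK, results)

if __name__ == "__main__":
    for tally_ok in (True, False):
        authenticated, trace = ldap_console_login(tally_ok)
        print(f"pam_tally success={tally_ok} -> authenticated={authenticated}")
        print("\n".join("  " + line for line in trace))
```

Run it to see both traces side by side; the second one ends in denial even though pam_ldap.so reported success, which is the pattern to look for when a required module logs an error before the LDAP module ever runs.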
