Anyone here gotten this working? I seem to be able to get it to query the LDAP server as long as there is an existing account in /etc/passwd, but without an existing account, PAM does not query the LDAP server (running slapd with debug 4095).

my /etc/pam.d/login:

auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_unix_auth.so try_first_pass
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix_acct.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_ldap.so
password required /lib/security/pam_pwdb.so use_first_pass
session required /lib/security/pam_unix_session.so

my /etc/pam.d/ssh:

auth sufficient /lib/security/pam_ldap.so
account sufficient /lib/security/pam_ldap.so
session sufficient /lib/security/pam_ldap.so

my /etc/pam_ldap.conf:

host 127.0.0.1
base o=aphroland,c=us
ldap_version 2
rootbinddn cn=admin,o=aphroland,c=us
pam_filter objectclass=uid
pam_login_attribute uid
pam_password md5

The account I'm trying to log in as (in LDIF format):

dn: cn=test account, ou=Information Technology, o=aphroland, c=us
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: organizationalPerson
objectClass: inetOrgPerson
jpegPhoto:< file:///home/aphro/genericuser.jpg
uid: testa
cn: test account
sn: account
givenname: test
userpassword: {MD5}MjF1X8aWeXmvUXrKsCV4Dg==
telephoneNumber: 000-000-0000
facsimiletelephonenumber: 000-000-0000
mobile: 000-000-0000
postaladdress: my_address
labeleduri: http://portal.aphroland.org/
mail: [EMAIL PROTECTED]
loginShell: /bin/bash
uidNumber: 1010
gidNumber: 1010
homeDirectory: /home/testa
gecos: test
description: System Admin
localityName: Bellevue

(I changed a buncha stuff to remove the personal info ..)

The password is 'hoth'. It appears to work, as I can 'login' to the LDAP using the Netscape address book, and it works. I use slappasswd to generate the password. If I install the nss ldap package I can finger the account, but still cannot log in.

There has to be another PAM setting somewhere that is blocking account checking because it doesn't exist in /etc/passwd. I've gone to half a dozen or more different sites that talk about LDAP with PAM but have not been able to find info to help. Also read about a dozen posts in the archives, to no avail either. I have tried at least 5 different variations on /etc/pam.d configuration. Pullin my hair out!!

Any ideas appreciated as usual :)

thanks!

nate
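
An added example, not part of the original post: a small evaluator that walks the posted auth stacks under Linux-PAM's handling of the required, requisite, sufficient and optional control flags. The function names and the per-module pass/fail inputs are constructed for illustration.

```python
# Added example: evaluate PAM stacks with Linux-PAM's classic control flags.
# The stack text is copied from the post; the pass/fail inputs are constructed.
LOGIN = """\
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_unix_auth.so try_first_pass
"""
SSH = "auth sufficient /lib/security/pam_ldap.so\n"

def parse_stack(text, group="auth"):
    """Return [(control, module)] for one management group, in file order."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == group:
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack

def evaluate(stack, results):
    """results: module file name -> True (PAM_SUCCESS) or False (any failure).
    Returns (granted, modules_called)."""
    failed, succeeded, called = False, False, []
    for control, module in stack:
        ok = results[module]
        called.append(module)
        if ok:
            if control == "sufficient" and not failed:
                return True, called      # stop here; later modules never run
            succeeded = True
        elif control == "requisite":
            return False, called         # fail immediately
        elif control == "required":
            failed = True                # remember the failure, keep going
        # a failing sufficient/optional module is ignored
    return succeeded and not failed, called

if __name__ == "__main__":
    login = parse_stack(LOGIN)
    ok = {"pam_securetty.so": True, "pam_nologin.so": True,
          "pam_ldap.so": True, "pam_unix_auth.so": False}
    print(evaluate(login, ok))                                  # LDAP-only user
    print(evaluate(login, dict(ok, **{"pam_securetty.so": False})))
    print(evaluate(parse_stack(SSH), {"pam_ldap.so": False}))
```

In the posted login stack a pam_ldap success ends the auth phase before pam_unix_auth runs, while the posted ssh stack contains no auth module other than pam_ldap.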