Thanks to everybody for their suggestions, and for the pointer to getent, which was a gap in my sysadmin toolchest. I figured out the problem. The problem was that nslcd wasn't starting properly because the nslcd user didn't exist. We're using the same base passwd file for both centos5 and centos6, and that extra user didn't get added. Switching /etc/nslcd.conf to use an extant uid/gid allowed nslcd to start, and that allowed the query to work, and the test user can log in. I had never heard of nslcd--and it doesn't appear to have any man pages :-/, but inspection of the config file yields the impression of nscd for ldap, and it's config either supersedes or replaces /etc/ldap.conf. Thanks for all the good ideas, -- Mitch Patenaude mpatenaude at shutterfly.com From: Mitch Patenaude <mpatenaude at shutterfly.com<mailto:mpatenaude at shutterfly.com>> Date: Mon, 31 Oct 2011 15:10:31 -0700 To: CentOS mailing list <centos at centos.org<mailto:centos at centos.org>> Subject: NSS ldap problems I'm having trouble setting up ldap based authenication. I have a virtual (KVM) CentOS 5.4 box set up to authenticate to a 389 (fedora) directory server, and that works fine. However, I set up a virtual box running CentOS 6, and I can't get it to authenicate. I've run authconfig with the appropriate flags, ldapsearch properly finds the data, but I can't log in. /var/log/secure shows that it doesn't find the user, and as a test I came up with the following perl snippet: perl -e 'print join(" ",getpwnam("testuser")),"\n";' And it properly finds the test user on the 5.4 box, but not the 6.0 box. I've checked /etc/ldap.conf and /etc/openldap/ldap.conf and both seem about right. Here are the ldap related packaged installed on the 6.0 box: [root at vburntest02 ~]# rpm -qa | grep ldap openldap-2.4.19-15.el6_0.2.x86_64 pam_ldap-185-5.el6.x86_64 nss-pam-ldapd-0.7.5-3.el6.x86_64 openldap-clients-2.4.19-15.el6_0.2.x86_64 apr-util-ldap-1.3.9-3.el6.x86_64 Any idea what to check next? Thanks, -- Mitch