This is more of a pam config problem than openldap related... but your account section probably needs either ldap or unix to be required/sufficient rather than optional. As it is now it will check that there is no nologin file, and then check through your pam login.access file, it will check that the user exists in passwd or ldap but wont fail if it isnt, just that it meets criteria set in the access file, which might be setup to allow anything in. Also, your auth section is setup such that if opie succeeds, you are auth'd, it wont bother to check ldap or unix because if it fails, it will return failure immedaitely (that's what requisite does). Id be careful with the use of "optional" in pamconfig, espcially around the auth and account sections. I would reserve its use for session (if anywhere), as its more of a "try it, if it works Ok, if not, so what" rule, good for homedir creation or displaying motd (so if it fails, you still get in, since its not critical you see motd or have a homedir, but nice if it does work).
-T
Thank you for this, I will definitely take your advice, and go over pam more throughly, as it was one of my weaker areas of understanding.
Your help is appreciated
William