pam.d/sshd
auth      sufficient  pam_opie.so                 no_warn no_fake_prompts
auth      requisite   pam_opieaccess.so           no_warn allow_local
auth      sufficient  /usr/local/lib/pam_ldap.so  no_warn use_first_pass
auth      sufficient  pam_unix.so                 no_warn try_first_pass

account   required    pam_nologin.so
account   required    pam_login_access.so
account   optional    pam_unix.so
account   optional    /usr/local/lib/pam_ldap.so

session   required    pam_permit.so
session   optional    /usr/local/lib/pam_ldap.so

password  sufficient  /usr/local/lib/pam_ldap.so  no_warn use_authtok use_first_pass
password  sufficient  pam_unix.so                 no_warn try_first_pass
This is more of a pam config problem than openldap related... but your account section probably needs either ldap or unix to be required/sufficient rather than optional. As it is now it will check that there is no nologin file, and then check through your pam login.access file; it will check that the user exists in passwd or ldap but won't fail if it isn't, just that it meets the criteria set in the access file, which might be set up to allow anything in.

Also, your auth section is set up such that if opie succeeds, you are auth'd; it won't bother to check ldap or unix because if it fails, it will return failure immediately (that's what requisite does).

I'd be careful with the use of "optional" in pam config, especially around the auth and account sections. I would reserve its use for session (if anywhere), as it's more of a "try it, if it works OK, if not, so what" rule, good for homedir creation or displaying motd (so if it fails, you still get in, since it's not critical you see motd or have a homedir, but nice if it does work).
-T
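To make -T's point about "optional" concrete, here is an added example (not from the thread) that replays the posted account chain under required/requisite/sufficient/optional control-flag semantics for a user who exists in neither passwd nor LDAP. The FIXED chain is an assumed correction along the lines -T suggests, and the module outcomes are constructed, not taken from a real system.

```python
# Simulate a PAM account chain under required/requisite/sufficient/optional
# semantics. Constructed example, not from the post; the thread's account
# section is replayed against an "unknown user" in neither passwd nor LDAP.
import os

POSTED = """\
account required pam_nologin.so
account required pam_login_access.so
account optional pam_unix.so
account optional /usr/local/lib/pam_ldap.so
"""

# Assumed corrected chain (not given in the post): identity modules can now deny.
FIXED = """\
account required pam_nologin.so
account required pam_login_access.so
account sufficient /usr/local/lib/pam_ldap.so no_warn
account required pam_unix.so
"""

def parse_stack(text):
    """Map each management group to a list of (control, module basename)."""
    rules = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        group, control, module, *_args = line.split()
        rules.setdefault(group, []).append((control, os.path.basename(module)))
    return rules

def chain_grants(rules, outcomes):
    """True if the chain grants; outcomes maps module -> success (missing = failure)."""
    required_failed = False
    counted_success = False
    for control, module in rules:
        ok = outcomes.get(module, False)
        if control == "requisite" and not ok:
            return False  # stop immediately and deny
        if control == "required" and not ok:
            required_failed = True  # chain keeps running but will deny
        if ok and (control != "optional" or len(rules) == 1):
            counted_success = True  # optional results only count when alone in the chain
        if control == "sufficient" and ok and not required_failed:
            return True  # short-circuit success
    return counted_success and not required_failed

# No nologin file, login.access permits, but neither passwd nor LDAP knows the user.
UNKNOWN_USER = {"pam_nologin.so": True, "pam_login_access.so": True}
def unknown_user_passes(stack_text):
    return chain_grants(parse_stack(stack_text)["account"], UNKNOWN_USER)
```

`unknown_user_passes(POSTED)` returns True and `unknown_user_passes(FIXED)` returns False, which is exactly the gap -T describes: with both identity modules optional, only pam_nologin and pam_login_access can ever reject.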