Hey Buchan, Thanks alot for your help... it make sense now....during the configuration process , I modified the NSS service to consult the OpenLDAP server by adding the following lines in the /etc/nsswitch.conf file passwd: files ldap shadow: files ldap group: files ldap So ldap server is called for NSS lookup regardless of what authentication mechanism is used. got it Again, thanks alot ~Hamid ----- Original Message ---- From: Buchan Milne <bgmilne(a)staff.telkomsa.net&gt; To: openldap-technical(a)openldap.org Cc: Hamidreza Hamedtoolloei <hamedtoolloei(a)yahoo.com&gt; Sent: Tuesday, February 26, 2008 1:13:56 AM Subject: Re: using LDAP as central authentication unit On Monday 25 February 2008 20:52:08 Hamidreza Hamedtoolloei wrote: so if a user is in both /etc/passwd and ldap, linux authentication is used. However, if a user is ONLY in ldap directory, linux authentication fails and ldap is called. Analysing the case that a user is only in the etc/passwd: In this case, there are some activities in the ldap site which I dont understand. If a user is only in etc/passwd and pam.d/system.auth file says call ldap only if linux fails, then why ldap is called when linux authentication is successful? Because, this is NOT PAM. It is a NSS lookup. For example, when you type 'ls', the filesystem returns the uid that owns the files. To show the username of the owner, the c library invokes a function from nss, to look up the username. This has nothing to do with pam. In a similar way, group memberships have nothing (much) to do with PAM, but with nss. You say this is expected... but if I understood the pam.d/system.auth file correctly, ldap should not be called if a user is only in etc/passwd We can't tell, as you haven't provided your /etc/nsswitch.conf file, and none of the queries from your log look like pam_ldap, they look more like nss_ldap ... Regards, Buchan ____________________________________________________________________________________ Never miss a thing. Make Yahoo your home page. http://www.yahoo.com/r/hs