LDAP PAM client error "cannot find name for user ID"
I figured out the problem. I had set up the ldap client using the Ubuntu's ldap-auth-config package. One of the questions asks "Does the database require login?":
If you answer "No" to this, then the ldap client will bind anonymously (after authentication) in order to get user/group information. At first this seemed odd to me that just anyone can see user info, but then it occurred to me that this is analogous to how /etc/passwd and /etc/group work, which are world-readable.
My ACLs were preventing this, because I didn't want to allow anonymous connections to enumerate the users in my directory. So to fix this, I added a system user:
dn: cn=auth,ou=system,dc=example,dc=org
cn: auth
objectclass: organizationalRole
objectclass: top
objectclass: simpleSecurityObject
userpassword: {SHA}---redacted----=
Then I added the following ACLs:
#
# System user "auth" can access user/group attrs needed by pam / nss
olcAccess: {4}to dn.subtree="ou=users,dc=example,dc=org"
attrs=entry,uid,userPassword,uidNumber,gidNumber,cn,homeDirectory,loginShell,gecos,description,objectClass
by dn.exact="cn=auth,ou=system,dc=example,dc=org" read
by self read
by * search
olcAccess: {5}to dn.subtree="ou=groups,dc=example,dc=org"
attrs=entry,cn,gidNumber,memberUid,objectClass
by dn.exact="cn=auth,ou=system,dc=example,dc=org" read
#
# Allow users to read any data on their own entries
olcAccess: {6}to *
by self read
by * search
Finally, I ran sudo dpkg-reconfigure ldap-auth-config, and when prompted for "Does the database require login?", I answered yes. At the question where it asks for the "Unprivileged user", I supplied the new system user I created:
Note that this still makes user accounts potentially enumerable by any user authenticated on the linux system, since that password is stored plaintext in /etc/ldap.conf, but that is no less secure than how /etc/passwd and /etc/group work.