openvpn-auth-pam.so, pam_ldap


openvpn-auth-pam.so, pam_ldap

by voegi

Hello @all,
I'm new to this list, so thanks to everyone in advance.
I set up OpenVPN 2.0.7 with pam_ldap-183 on Gentoo 2006.1 with a 2.6 kernel.
VPN users are stored on an LDAP server on another machine.
When I try to connect from a client with user MYNAME, the OpenVPN log says:
PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-pam.so
TLS Auth Error: Auth Username/Password verification failed for peer
SENT CONTROL [INVPN]: 'AUTH_FAILED' (status=1)

I tried to debug every component and read the man pages, but couldn't find the failure. So I hope someone can help me find the problem. I tried to include as little text as possible, only the relevant parts; it still looks like a lot.

Below are the logs and .confs:
CONFs:
/etc/pam.d/openvpn:
auth sufficient pam_ldap.so config=/etc/openvpn/pam_ldap.conf debug
-------------------------------------------------
/etc/openvpn/pam_ldap.conf:
base dc=hs-furt***gen,dc=de
uri ldaps://sure.the.right.uri:666/
ldap_version 3
#pam_login_attribute=uid #is default
ssl on
debug 8 #guessed. found nothing in the man pages.
logdir /var/log/pam_ldap.log

-------------------------------------------------
openvpn.conf (server, only the relevant lines)
#username-as-common-name
plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn
verb 4


LOGS:
slapd (loglevel 256):
slapd[7]: conn=2 op=0 BIND dn="" method=128
slapd[7]: conn=2 op=0 RESULT tag=97 err=0 text=
slapd[6]: conn=2 op=1 SRCH base="dc=hs-furt***gen,dc=de" scope=2 deref=0 filter="(uid=MYNAME)"
slapd[6]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[3]: conn=2 op=2 BIND dn="uid=MYNAME,ou=I******e,dc=i******k,dc=hs-furt***gen,dc=de" method=128
slapd[3]: conn=2 op=2 BIND dn="uid=MYNAME,ou=I******e,dc=i******k,dc=hs-furt***gen,dc=de" mech=SIMPLE ssf=0
slapd[3]: conn=2 op=2 RESULT tag=97 err=0 text=
slapd[8]: conn=2 op=3 BIND anonymous mech=implicit ssf=0
slapd[8]: conn=2 op=3 BIND dn="" method=128
slapd[8]: conn=2 op=3 RESULT tag=97 err=0 text=
slapd[8]: conn=2 op=4 UNBIND
slapd[8]: conn=2 fd=148 closed

-------------------------------------------------
openvpn: see above.
-------------------------------------------------
pam_ldap: the man page says that the debug directive in /etc/pam.d/openvpn is ignored. The other debug directive in pam_ldap.conf produces no output.

It looks like the LDAP bind is successful (RESULT err=0). Anyway, pam_ldap says no.
I greatly appreciate any help.
Andi

Re: openvpn-auth-pam.so, pam_ldap

by voegi


I got pam_ldap working with perl Authen::PAM on the same machine for testing purposes.
I still don't know why it doesn't work from openvpn.
Perhaps openvpn conf directives are "order-dependent"/not in the right order?!?
I put the 'plugin' directive in another place in the openvpn.conf file and got strange 'time-out' messages from pam_ldap...

Andi
--
View this message in context: http://www.nabble.com/openvpn-auth-pam.so%2C-pam_ldap-tf3532311.html#a9922623
Sent from the PAM LDAP mailing list archive at Nabble.com.


Re: openvpn-auth-pam.so, pam_ldap

by voegi

I got it. :))
The line:
account sufficient pam_ldap.so config=/etc/openvpn/pam_ldap.conf
was needed in /etc/pam.d/openvpn.
I can't explain why... I only need authentication. Why does PAM need this directive?
Can someone explain that?
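openvpn-auth-pam calls pam_authenticate() for the user name and password and then pam_acct_mgmt(), and the second call is served by the "account" stack, so a /etc/pam.d/openvpn that only has an auth line leaves that call with nothing to satisfy it and the login is refused even though the LDAP bind succeeded. The checker below is an added example, not code from this thread or from OpenVPN; it parses a PAM service file and reports which of the two groups the plugin needs has no entry. The sample file contents are constructed from the lines posted above.

```python
import re
from typing import List, Tuple

# Constructed sample: the poster's original /etc/pam.d/openvpn (auth stack only)
PAM_OPENVPN_BEFORE = "auth sufficient pam_ldap.so config=/etc/openvpn/pam_ldap.conf debug\n"
# ...and the file as it looked once the account line from the last post was added
PAM_OPENVPN_AFTER = PAM_OPENVPN_BEFORE + "account sufficient pam_ldap.so config=/etc/openvpn/pam_ldap.conf\n"

# Management groups openvpn-auth-pam exercises: pam_authenticate() -> "auth",
# pam_acct_mgmt() -> "account".  The plugin opens no session and changes no password.
REQUIRED_GROUPS = ("auth", "account")
# Control field is a keyword (sufficient, required, ...) or a bracketed action list
_CONTROL_RE = re.compile(r"\[[^\]]*\]|\S+")

def parse_pam_service(text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Parse one /etc/pam.d/<service> file into (group, control, module, args).
    Comments, blank lines and backslash continuations are handled; a leading '-'
    (optional module) is dropped from the group; '@include X' is kept as group '@include'."""
    entries = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) < 2:            # blank, comment-only or malformed line
            continue
        group, rest = parts
        if group == "@include":
            entries.append(("@include", "", rest.strip(), []))
            continue
        m = _CONTROL_RE.match(rest)
        tokens = rest[m.end():].split()
        if not tokens:                # control field without a module path
            continue
        entries.append((group.lstrip("-"), m.group(0), tokens[0], tokens[1:]))
    return entries

def check_service(text: str) -> Tuple[List[str], List[str]]:
    """Return (required groups with no entry in this file, @include targets).
    Included files are not opened here, so a non-empty second list means a
    missing group may still be provided by another file."""
    entries = parse_pam_service(text)
    present = {e[0] for e in entries}
    missing = [g for g in REQUIRED_GROUPS if g not in present]
    includes = [e[2] for e in entries if e[0] == "@include"]
    return missing, includes

if __name__ == "__main__":
    for name, text in (("before", PAM_OPENVPN_BEFORE), ("after", PAM_OPENVPN_AFTER)):
        print(name, "missing groups:", check_service(text)[0] or "none")
```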