
OpenLDAP + User Authentication + Laptop = ?



I am hoping this is the right list for this. If not, please accept my apologies.

I have an OpenLDAP 2.0.27 server running and providing user/password/group
information to all clients.  It has been running wonderfully.  The user
authentication via NSS_ldap and PAM_LDAP has also worked out rather well!

The problem I am seeing is with a laptop user (Previously running RH 7.2/7.3 and
now up at 8.0)... They can authenticate without any problems provided they are
connected to the network.

IF they are not connected to the network, they cannot log in to the system at
all.  They cannot even log in as root (which is, obviously, local to the machine).

This was tried with both the Red Hat 8.0 XDM interface, as well as the console
login with the same result.

As with many of the PAM setups nowadays, RH used the pam_stack.so to pass
things off to the system-auth PAM file.  Our default system-auth file, which
works for connected users, turns out to look exactly like the one from
http://www.mandrakesecure.net/en/docs/ldap-auth.php, and, actually, it is the
same as the default install from RH 8.0.

Of course, reverting the system-auth file back to one without any references to
LDAP fixes this problem, but once the user is connected back up to the network,
they obviously cannot authenticate against the LDAP server because of the
removal of the references from their system-auth file.

I know this _should_ be able to be made to work, but I am at a loss as to what
to do or try next (I've tried, unsuccessfully, several modifications to the
system-auth file).

Anyone have any ideas?

Thanks!
-Rich