Subject: pam+ldap
To: None <netbsd-help@netbsd.org>
From: Thierry Lacoste <th.lacoste@wanadoo.fr>
List: netbsd-help
Date: 05/29/2005 13:27:22
I've set up a working ldap server on a Linux box.
Here's my ldap.conf on my NetBSD-current client:

$ cat /usr/pkg/etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=stars, dc=net
URI     ldap://192.168.0.10

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

I can query the directory from my NetBSD client:

$ ldapsearch -x -b "dc=stars,dc=net" "(objectClass=*)"
# extended LDIF
#
# LDAPv3
# base <dc=stars,dc=net> with scope sub
# filter: (objectClass=*)
# requesting: ALL
#

# people, stars.net
dn: ou=people,dc=stars,dc=net
objectClass: organizationalUnit

# group, stars.net
dn: ou=group,dc=stars,dc=net
objectClass: organizationalUnit

[snip]

# guest, People, stars.net
dn: uid=guest,ou=People,dc=stars,dc=net
uid: guest
cn: Guest
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
loginShell: /bin/bash
uidNumber: 502
gidNumber: 502
homeDirectory: /home/guest
gecos: Guest

[snip]

# search result
search: 2
result: 0 Success

# numResponses: 77
# numEntries: 76

I built and installed /usr/pkgsrc/security/pam-ldap and
I added the lines with pam_ldap.so to my /etc/pam.d/su 

$ cat /etc/pam.d/su
# $NetBSD: su,v 1.6 2005/04/05 18:23:36 christos Exp $
#
# PAM configuration for the "su" service
#

# auth
auth            sufficient      pam_rootok.so           no_warn
auth            sufficient      pam_self.so             no_warn
auth            sufficient      pam_ksu.so              no_warn try_first_pass
#auth           sufficient      pam_group.so            no_warn group=rootauth root_only authenticate
auth            requisite       pam_group.so            no_warn group=wheel root_only fail_safe
auth            sufficient      /usr/pkg/lib/security/pam_ldap.so
auth            required        pam_unix.so             no_warn try_first_pass nullok

# account
account         sufficient      /usr/pkg/lib/security/pam_ldap.so
account         required        pam_login_access.so
account         include         system

# session
session         required        pam_permit.so

But I can't su to the guest account:

$ su - guest
su: unknown login guest

There's no LDAP traffic on my network interface.

What did I miss?

Regards,
Thierry.
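An added diagnostic script (editor's example, not part of the original post) that separates the two stages the message above conflates. su(1) calls getpwnam() and prints "unknown login" before it opens a PAM conversation, so with "unknown login guest" pam_ldap is never invoked and no LDAP traffic is expected. Name resolution is the job of the name-service switch, which pam-ldap does not provide; the usual companion is an nss_ldap module listed on the passwd line of nsswitch.conf. The `passwd: files ldap` line, the sample files and the user names below are assumptions for a stand-alone run, not the poster's real files. One further caveat visible in the posted su file: `account sufficient pam_ldap.so` sits before `account required pam_login_access.so`, so once LDAP does answer, a successful LDAP account check short-circuits the login_access and system checks for those users.

```shell
#!/bin/sh
# Added example, not from the original post. Before editing pam.d, check
# whether the name-service switch can resolve the account at all: su(1)
# calls getpwnam() and prints "unknown login" before it starts a PAM
# conversation, so a failure here never produces pam_ldap traffic.

# nss_resolves USER: exit 0 if getpwnam() succeeds for USER, 1 otherwise.
# id(1) is the probe because it uses the same NSS lookup su(1) does.
nss_resolves() {
    id "$1" >/dev/null 2>&1
}

# nsswitch_has_ldap FILE: exit 0 if the passwd line of FILE lists "ldap".
nsswitch_has_ldap() {
    awk '$1 == "passwd:" { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# diagnose USER NSSWITCH: print one word saying where the lookup stops.
#   resolved     NSS knows the user; any later failure is PAM's
#   nss-no-ldap  the passwd line never consults ldap, so PAM is never reached
#   nss-missing  ldap is listed but the lookup still fails (module not
#                installed or loaded, or the server is unreachable)
diagnose() {
    if nss_resolves "$1"; then
        echo resolved
    elif nsswitch_has_ldap "$2"; then
        echo nss-missing
    else
        echo nss-no-ldap
    fi
}

# Constructed sample nsswitch.conf files (assumed, not the poster's).
sample_dir=$(mktemp -d)
printf 'passwd: files\ngroup:  files\n'           > "$sample_dir/nsswitch.files"
printf 'passwd: files ldap\ngroup:  files ldap\n' > "$sample_dir/nsswitch.ldap"

# Stand-alone run: "root" resolves from /etc/passwd; "guest" (the account
# from the post, assumed absent locally) shows the two NSS-side outcomes.
echo "root  with files only -> $(diagnose root  "$sample_dir/nsswitch.files")"
echo "guest with files only -> $(diagnose guest "$sample_dir/nsswitch.files")"
echo "guest with files ldap -> $(diagnose guest "$sample_dir/nsswitch.ldap")"
```

Run it as any user; if `guest` reports `nss-no-ldap`, the fix belongs in nsswitch.conf and the NSS module, not in /etc/pam.d/su, and only after `id guest` succeeds is it worth capturing traffic while testing pam_ldap.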