PAM: auth: pam_unix(dovecot:auth): authentication failure;

I do hate to revive a dead question but given that this is the top search result for "dovecot pam authentication failure ldap", let me add this bit of extra knowledge:

The only thing that I've seen in my testing that updates the shadowAccount attributes is the passwd command when you're modifying the password for a user in LDAP... Most other tools don't care much about the shadowAccount class and it's attributes, and won't touch them. However, I only find that shadowAccount classes need to be added to users if they're going to be logging into the host, since that does care. If you're just doing something like email authentication (Dovecot), then it's not much use. I could be wrong here, but I've yet to see anything other than a host login consult the shadowAccount attributes for anything.

Now, if you're having Dovecot authenticate through PAM (which, I assume you probably are, since Dovecot is querying it and you're changing nsswitch), then please bear in mind that while, yes, PAM will pay attention to those extra attributes, you still need the correct tooling to change them... meaning whatever is changing user passwords also needs to go through PAM. Unpopular opinion as it may be, if you're not requiring host logins, just services like Dovecot or others, there's no need to get PAM involved since it's going to be checking a lot more things that are likely going to be irrelevant. (At best it could enforce other things like, yes, password expirations, but personally I would not enforce things like that when the service you login to has no provision to change a password like that) It's likely easier in the long run to have non-host/shell login services check LDAP themselves, allowing for other things like search filters specific to that service.

However assuming you've set up Dovecot to check LDAP itself, and not rely on PAM, at the end of Dovecot's 10-auth.conf are a list of !include lines for different auth mechanisms, like LDAP, SQL, etc. By default, the file auth-system.conf.ext is included before other mechanisms, like LDAP. What this means is that, since, in my testing, Dovecot checks these in the order they're provided, Dovecot will first attempt to authenticate the user with PAM, and then, if that fails, authenticate with LDAP. Ergo, you'll get a PAM error stating, yes, the authentication failure (as well as the first one indicating what failure it is). If you changed this ordering so the method most likely to succeed (LDAP, one would assume) is queried first, then there would be no need to check with PAM, and, therefore, no error thrown by PAM.

To solve this you could comment out the !include auth-system.conf.ext, but this could potentically cause system users (like root or postmaster) to be considered non-existent if you don't have them set up in LDAP.

My personal solution to this one was to cut that line out and paste it at the bottom, like this:

#!include auth-deny.conf.ext
#!include auth-master.conf.ext

!include auth-ldap.conf.ext

#!include auth-sql.conf.ext
#!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext

!include auth-system.conf.ext

This means that Dovecot will first consult LDAP, then consult PAM if LDAP gave no results, as far as my testing has shown.

Never really answered my own question before, but I wanted to share in case anyone else ever comes across this. It had to do with saslauthd not installed, configured, and running. Once I did that, error went away.