I know I'm really close to getting this to work...Can anybody tell me what I'm missing? I've read over a half dozen FAQs/HOWTOs/etc but can't seem to find the missing piece of the puzzle.

My test account is a member of CN=Administrators,CN=Builtin,DC=mycompany,DC=com

The logs show that pam is finding my userDN after I enter my login information, but it's coming up with invalid credentials. I've verified that the password is correct by logging in to AD with that same password.

getent passwd does not return any AD users
getent shadow returns ~1000 users (there are 9000 users in AD)
getent group does not return any AD groups

Here's my output from /var/log/messages and /var/log/secure:

==> /var/log/messages <==
Aug 1 09:19:23 LINUXHOST sshd(pam_unix)[5220]: check pass; user unknown
Aug 1 09:19:23 LINUXHOST sshd(pam_unix)[5220]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=linuxhost
Aug 1 09:19:23 LINUXHOST sshd[5220]: pam_ldap: error trying to bind as user "CN=User\, Test,OU=IT,OU=mycompanyOU,DC=mycompany,DC=com" (Invalid credentials)

==> /var/log/secure <==
Aug 1 13:19:20 LINUXHOST sshd[5221]: Failed gssapi-with-mic for invalid user testuser from ::ffff:127.0.0.1 port 33042 ssh2
Aug 1 09:19:25 LINUXHOST sshd[5220]: Failed password for invalid user testuser from ::ffff:127.0.0.1 port 33042 ssh2
Aug 1 13:19:25 LIUNXHOST sshd[5221]: Failed password for invalid user testuser from ::ffff:127.0.0.1 port 33042 ssh2
Aug 1 13:19:27 LINUXHOST sshd[5221]: Connection closed by ::ffff:127.0.0.1


Here is /etc/ldap.conf:
base dc=mycompany,dc=com
uri ldap://myadcontroller:389
ldap_version 3
binddn cn=ldapquery,ou=IT,dc=mycompany,dc=com
bindpw myrealldapquerypassword
nss_base_passwd dc=mycompany,dc=com?sub
nss_base_shadow dc=mycompany,dc=com?sub
nss_base_group dc=mycompany,dc=com?sub
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_objectclass posixGroup Group
nss_map_attribute uniqueMember member
nss_map_attribute cn sAMAccountName
pam_login_attribute sAMAccountName
pam_filter objectclass=user
pam_password ad
pam_groupdn CN=Administrators,CN=Builtin,DC=mycompany,DC=com
host myadcontroller.windstream.com
scope sub
ssl no
tls_cacertdir /etc/openldap/cacerts

And here is /etc/openldap/ldap.conf:
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

SIZELIMIT 12000
TIMELIMIT 150
#DEREF never
BASE dc=mycompany,dc=com
HOST myadcontroller.mycompany.com
URI ldap://myadcontroller.mycompany.com
TLS_CACERTDIR /etc/openldap/cacerts

Add the 'ldap' to the /etc/nsswitch.conf file:

password: files ldap
shadow: files ldap
group: files ldap

Nuts, I knew I was forgetting to include a file.

here is /etc/nss_switch.conf:

passwd: files ldap
shadow: files ldap
group: files ldap

#hosts: db files ldap nis dns
hosts: files dns

# Example - obey only what ldap tells us...
#services: ldap [NOTFOUND=return] files
#networks: ldap [NOTFOUND=return] files
#protocols: ldap [NOTFOUND=return] files
#rpc: ldap [NOTFOUND=return] files
#ethers: ldap [NOTFOUND=return] files

bootparams: files
ethers: files
netmasks: files
networks: files
protocols: files ldap
rpc: files
services: files ldap
netgroup: files ldap
publickey: files
automount: files ldap
aliases: files

Rinse and repeat all your steps and document what you are doing so you can trace your steps.

Okay I've repeated everything, and the problem still exists. What next?