Phew! I "beat it into submission"
LDAP was not the problem.
I discovered that the UID for each failing userid was less than 500.
/etc/pam.d/system-auth-ac introduced by authconfig-5.3.12-2.el5 implements this control. Changing /etc/pam.d/system-auth-ac to lower the value to, in my case, 100 corrects the login problem.
Now, I wonder, what are the ramifications of having/allowing general-puurpose users with UIDs less than the distributed convention of 500?