
LDAP and Linux with Active Directory

Am I the only person who posts here? Yeesh.

Okay, so I have a CentOS 5 box that needs to get its authentication from Active Directory. I'm doing this through LDAP. The domain controller is a Win2k3 box with Services for Unix 3.5. I have everything configured in a way that seems sane; I run getent passwd and I get nothing but local results back. My domain controller shows that it has been queried in some way, apparently successfully, but there is no evidence on the client that any interaction with LDAP actually took place.

I can get ldapsearch to work as follows:

ldapsearch -x -D CN=username,CN=Users,DC=domain,DC=com -w password

...and then I have this in /etc/ldap.conf:

uri ldap://ip.address.of.ldap.server/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
sasl_secprops maxssf=0
binddn CN=username,CN=Users,DC=domain,DC=com
bindpw password


...as well as a bunch of stuff that supposedly maps the appropriate NSS attributes to the whosits, which was commented out and listed very explicitly as "do this if you're using SFU 3.5" in ldap.conf itself:

# Services for UNIX 3.5 mappings
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid msSFU30Name
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_objectclass posixGroup Group
pam_login_attribute msSFU30Name
pam_filter objectclass=User
pam_password ad
nss_base_passwd OU=Users,DC=domain,DC=com
nss_base_shadow OU=Users,DC=domain,DC=com
nss_base_group OU=Users,DC=domain,DC=com


Any thoughts?
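Added example, not part of the original post and not nss_ldap's own tooling: a small POSIX shell linter that reads an ldap.conf of the shape shown above and prints the things I would check first when the DC records a bind but getent passwd only returns local users. The config it writes to a temp file is constructed from the post with placeholder values (192.0.2.10 for the server, CN=lookup for the bind account); everything else mirrors the post. The one observation that is not an assumption: in AD the default Users container is CN=Users,DC=..., a container object rather than an OU, which is also where the post's own bind DN lives, while its nss_base_* lines point at OU=Users,DC=...; a search base that does not exist returns zero entries, and nss_ldap then silently falls through to the local files.

```shell
#!/bin/sh
# Added example (not from the original post): lint an nss_ldap/pam_ldap
# /etc/ldap.conf for mistakes that match the symptom above, a DC that logs a
# successful bind while "getent passwd" shows only local users.
# The config written below is constructed from the post with placeholder values.

# conf_get FILE KEY: value of the last uncommented KEY line (empty if unset).
conf_get() {
    awk -v k="$2" '$1 !~ /^#/ && tolower($1) == k { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
                   END { print v }' "$1"
}

# lint_ldap_conf FILE: print one line per finding; prints nothing when clean.
lint_ldap_conf() {
    conf="$1"
    binddn=$(conf_get "$conf" binddn)
    bindpw=$(conf_get "$conf" bindpw)
    ssl=$(conf_get "$conf" ssl)

    # 1. Search bases. AD's built-in Users container is CN=Users,DC=...; it is a
    #    container, not an OU, so OU=Users,DC=... normally does not exist and every
    #    lookup returns zero entries while the DC still records the bind.
    for key in nss_base_passwd nss_base_shadow nss_base_group; do
        base=$(conf_get "$conf" "$key")
        case "$base" in
            [Oo][Uu]=[Uu]sers,*)
                case "$binddn" in
                    *[Cc][Nn]=[Uu]sers,*)
                        echo "$key: base '$base' is an OU but binddn sits in CN=Users; AD's default Users container is CN=Users, verify the base exists" ;;
                esac ;;
        esac
    done

    # 2. Credentials. nss_ldap needs ldap.conf readable by every local user, so a
    #    bindpw in it is effectively public; it must be a dedicated read-only account.
    if [ -n "$bindpw" ]; then
        echo "bindpw: password is readable by all local users in $conf; use a dedicated read-only lookup account, never a personal or admin one"
        case "$ssl" in
            no|"")
                echo "ssl: simple bind over plain ldap:// sends bindpw in cleartext; set 'ssl start_tls' (or an ldaps:// uri) with the DC's CA in tls_cacertdir" ;;
        esac
    fi

    # 3. Conflicting settings: an attribute mapped twice, or a single-valued
    #    option (pam_password in the post) given two different values.
    for attr in $(awk '$1 !~ /^#/ && tolower($1) == "nss_map_attribute" { print $2 }' "$conf" | sort | uniq -d); do
        echo "nss_map_attribute: $attr is mapped more than once; keep the mapping that matches the schema on the DC"
    done
    for key in $(awk 'NF && $1 !~ /^#/ && $1 !~ /^nss_map_/ { print tolower($1) }' "$conf" | sort | uniq -d); do
        echo "$key: set more than once; keep one value"
    done
}

# Constructed input: the post's ldap.conf with placeholder server and account.
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
uri ldap://192.0.2.10/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
sasl_secprops maxssf=0
binddn CN=lookup,CN=Users,DC=domain,DC=com
bindpw password
# Services for UNIX 3.5 mappings
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid msSFU30Name
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_objectclass posixGroup Group
pam_login_attribute msSFU30Name
pam_filter objectclass=User
pam_password ad
nss_base_passwd OU=Users,DC=domain,DC=com
nss_base_shadow OU=Users,DC=domain,DC=com
nss_base_group OU=Users,DC=domain,DC=com
EOF

lint_ldap_conf "$CONF"
```

To settle the base question against the real DC rather than this script, add the base to the ldapsearch that already works for you and ask for the base object only, e.g. `ldapsearch -x -D CN=username,CN=Users,DC=domain,DC=com -W -b OU=Users,DC=domain,DC=com -s base`; a "No such object (32)" result means that DN does not exist and nss_ldap will never find anything under it, while the same query against CN=Users,DC=domain,DC=com should return the container.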