arch openldap 身份验证失败

我设置了 openldap，一切看起来都很好，但我无法设置身份验证，

#getent shadow | grep user                         
user:*:::::::
tuser:*:::::::
tuser2:*:::::::

#getent passwd | grep user
git:!:999:999:git daemon user:/:/bin/bash
user:x:10000:2000:Test User:/home/user/:/bin/zsh
tuser:x:10000:2000:Test User:/home/user/:/bin/zsh
tuser2:x:10002:2000:Test User:/home/tuser2/:/bin/zsh

我可以以 root 用户身份登录

#su - tuser2
su: warning: cannot change directory to /home/tuser2/: No such file or directory
10:24 tuser2@juliet:/root

我无法通过 ssh 登录，而且 passwd 也不起作用

#ldapwhoami -h 192.168.10.156 -D "uid=user,ou=People,dc=xcl,dc=ie"
ldap_bind: Server is unwilling to perform (53)
    additional info: unauthenticated bind (DN with no password) disallowed
10:30 root@juliet:~
#ldapwhoami -h 192.168.10.156 -D "uid=user,ou=People,dc=xcl,dc=ie" -W
Enter LDAP Password: 
ldap_bind: Invalid credentials (49)

我输入的密码是正确的

/etc/openldap/slapd.conf 对 dn.base="" 的访问权限 * 可读 对 dn.base="cn=Subschema" 的访问权限 * 可读 自我访问 用户可写 匿名可读

access to *
  by dn="uid=root,ou=Roles,dc=xcl,dc=ie" write
  by users read
  by anonymous auth
access to attrs=userPassword,gecos,description,loginShell
  by self write

access to attrs="userPassword"
  by dn="uid=root,ou=Roles,dc=xcl,dc=ie" write
  by anonymous auth
  by self write
  by * none
access to *
  by dn="uid=root,ou=Roles,dc=xcl,dc=ie" write
  by dn="uid=achmiel,ou=People,dc=xcl,dc=ie" write
  by * search

access to attrs=userPassword
  by self =w
  by anonymous auth
access to *
  by self write
  by users read

database        hdb
suffix          "dc=xcl,dc=ie"
rootdn          "cn=root,dc=xcl,dc=ie"
rootpw          "{SSHA}AM14+..."

该配置文件 /etc/openldap/ldap.conf 的某些部分如下：

BASE dc=xcl,dc=ie
URI ldap://192.168.10.156/
TLS_REQCERT  allow
TIMELIMIT    2

所以我的问题是，我遗漏了什么，为什么 ldap 不允许我使用密码登录？