I was finally able to get Fedora Core 4 to authenticate against Zimbra's LDAP. The problem was that the permissions in /opt/zimbra/conf/slapd.conf.in blocked access to the newly added posixAccount attributes for anyone except admin users.
There are two ways to solve this. You could change /etc/ldap.conf so that it connects up as an admin LDAP user who does have access, or you can change /opt/zimbra/conf/slapd.conf.in so that anonymous users (or the user you've set up PAM to bind as) can view the attributes. I decided to change slapd.conf since I already had to edit it to add nis.schema. I added the following:
access to attrs=uidNumber,gidNumber,cn,homeDirectory,loginShell,gecos,description,objectClass
        by * read
I haven't experimented with this thoroughly yet, but this was enough to let my user connect. It may be that you only need to provide access to some of these, possibly just uidNumber, gidNumber, and homeDirectory.
So, now that I can authenticate against the Zimbra LDAP server, I need to see about automating the task of adding posix attributes and posix group memberships for users after I create them.
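The rule in the post grants `by * read`, which also matches anonymous clients. As an added example (not from the original post or from Zimbra), this Python sketch lists the attributes a slapd.conf lets unauthenticated clients read, comparing the posted rule with one limited to a bind user. The sample configs and the bind DN are constructed and hypothetical, and dn=/filter= scoping is ignored.

```python
import re

# Access levels from slapd.access(5), weakest to strongest.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def logical_lines(text):
    """Drop blank/comment lines; join lines starting with whitespace to the previous one."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def anonymous_readable(text):
    """Attributes an unauthenticated client can read (dn=/filter= scoping is ignored)."""
    decided = {}
    for line in logical_lines(text):
        m = re.match(r"access\s+to\s+(.*?)\s+by\s+(.*)$", line, re.I)
        if not m:
            continue
        attrs_m = re.search(r"\battrs?=(\S+)", m.group(1))
        attrs = attrs_m.group(1).split(",") if attrs_m else ["<all>"]
        level = "none"  # no matching "by" clause means no access
        for clause in re.split(r"\s+by\s+", m.group(2)):
            tok = clause.split()
            # slapd stops at the first "by" clause that matches the client
            if tok and tok[0].lower() in ("*", "anonymous"):
                level = tok[1].lower() if len(tok) > 1 else ""
                break
        for a in attrs:
            decided.setdefault(a, level)  # first directive naming an attribute wins
    return sorted(a for a, l in decided.items()
                  if l in LEVELS and LEVELS.index(l) >= LEVELS.index("read"))

# Constructed samples (not Zimbra's shipped slapd.conf.in); the bind DN is hypothetical.
POSTED = """\
access to attrs=userPassword
        by anonymous auth
        by * none
access to attrs=uidNumber,gidNumber,cn,homeDirectory,loginShell,gecos,description,objectClass
        by * read
"""
BIND_ONLY = POSTED.replace("by * read",
    'by dn.base="uid=pam-bind,cn=services,dc=example,dc=com" read\n        by * none')

print(anonymous_readable(POSTED), anonymous_readable(BIND_ONLY))
```

The first list contains all eight attributes from the posted rule; the second is empty because only the named bind DN matches a `by` clause that grants read.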