Description of problem:
pam_pkcs11 uses a mapper interface to map the certificate to a unix user.
for Fedora, the default order should be:
cn - maps a cn value to a user id based on a mapping file cn_map. Basic fallback
uid - maps the unix user based on the uid attribute of the DN.
pwent - used the password file to map the cn to a user id.
cn is basically a user configurable override for a given cert.
uid is a TPS override for a given user.
pwent is for environments with NIS or ldap password entries.
*** Bug 201377 has been marked as a duplicate of this bug. ***
Fixed in pam_pkcs11-0.5.3-15
I can confirm that the order is now correct in RHEL 5 beta 2 milestone 3 (
candidate 20060921.0 ) on both x84_64 and i396
I will verify this bug is fixed once we have a stable candidate that 
installs and  in which the pam stack preventing smart card login does not
require a workaround ( bug#207410 )
VERIFIED fixed against candidate RHEL5-Client-20061006.2
$ rpm -qa | grep pam_pkcs11
Closing out as included in latest RHEL5 builds (20061111.0)