#
# See the pam_unix manpage for other options.
-password required pam_unix.so nullok obscure md5
+# Default was:
+# password required pam_unix.so nullok obscure md5
+#
+# LDAP config copied from http://wiki.debian.org/LDAP/PAM, but with use_authtok
+# options removed.
+password sufficient pam_unix.so md5 obscure min=4 max=8 nullok try_first_pass
+password sufficient pam_ldap.so
+password required pam_deny.so
# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.