+auth sufficient pam_unix.so
+@include common-auth
+
+# This is required instead of sufficient, since pam_unix mostly does checks
+# based on NSS, so this will also work for ldap users.
+account required pam_unix.so
+# We use a custom control spec so we won't fail on user_unknown special
+account [success=ok new_authtok_reqd=ok user_unknown=ignore ignore=ignore default=bad] pam_ldap.so
+
+
+@include common-session
+