-# This is required instead of sufficient, since pam_unix mostly does checks
-# based on NSS, so this will also work for ldap users.
-account required pam_unix.so
-# We use a custom control spec so we won't fail on user_unknown special
-account [success=ok new_authtok_reqd=ok user_unknown=ignore ignore=ignore default=bad] pam_ldap.so