# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
-account required pam_unix.so
+# Default was:
+#account required pam_unix.so
+#
+# pam_unix does general checks based on NSS info, so it also works for ldap
+# users.
+account required pam_unix.so
+
+# pam_ldap does additional checks (in particular checking the host ldap
+# attribute) but needs to be ignored when it does not know about a user.
+account [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=ignore default=bad] \
+ pam_ldap.so
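Review bot: The bracketed control on the added pam_ldap.so line sends every return code it does not name to `default=bad`, so when the directory is unreachable the module's `authinfo_unavail` result would presumably fail the account phase for local accounts too, root included. Make that choice explicit in the comment above the line: either state that an LDAP outage is meant to deny account checks (and that a recovery path exists), or add `authinfo_unavail=ignore` and note that the host-attribute restriction is then not enforced while LDAP is down. The comment also relies on pam_ldap actually checking the host attribute, which depends on the module's own configuration (for PADL pam_ldap, `pam_check_host_attr yes`) and is not visible in this change; without it the new line adds no host restriction, so this is worth confirming.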