# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
-auth required pam_unix.so nullok_secure
+#
+# Default was:
+# auth required pam_unix.so nullok_secure
+#
+# LDAP config copied from http://wiki.debian.org/LDAP/PAM
+auth sufficient pam_unix.so nullok_secure
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth sufficient pam_ldap.so use_first_pass
+auth required pam_deny.so