If you are using pam_ldap without password management support, follow the sample pam.conf file in Example pam.conf File for pam_ldap. Add the lines that contain pam_ldap.so.1 to the client's /etc/pam.conf file. For details, see pam.conf(4).
If you need to configure pam_ldap for password management support, copy the sample pam.conf file in Example pam_conf file for pam_ldap Configured for Password Management. Then, add the lines that contain pam_ldap.so.1 to the client's/etc/pam.conf file. In addition, if any PAM module in the sample pam.conf file specifies the binding control flag and the server_policy option, use the same flag and option for the corresponding module in the client's /etc/pam.conf file. Also, add the server_policy option to the line that contains the service module pam_authtok_store.so.1.
The binding control flag
Using the binding control flag allows a local password override of a remote (LDAP) password. For example, if a user account is found on both the local files and the LDAP namespace, the password associated with the local account takes precedence over the remote password. Thus, if the local password expires, authentication fails even if the remote LDAP password is still valid.
The server_policy option
The server_policy option instructs pam_unix to ignore a user found in the LDAP namespace and to allow pam_ldap to perform authentication or account validation. In the case of pam_authtok_store.so.1, a new password is passed to the LDAP server without encryption. The password is thereby stored in the directory according to the password encryption scheme configured on the server. For more information, see pam.conf(4) and pam_ldap(5).