Can log in with either local(shadow) or ldap password

Orion Poplawski orion at cora.nwra.com
Thu Feb 5 21:38:49 UTC 2009


On our laptops we have local users defined in /etc/shadow for offline use.  We
also authenticate against an LDAP server.  Interestingly, when on the network a
user can log in with either the local or ldap password.  I would have expected
only the local password to work.  I believe this was the case when we used NIS
instead of LDAP.

system-auth:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

/etc/nsswitch.conf
shadow:     files ldap

- Orion
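
An added illustration, not part of the original post: a simplified Python model of how Linux-PAM walks the auth stack quoted above, showing that a failed `sufficient` pam_unix.so is ignored and the same password is then offered to pam_ldap.so. The account values, the `login` helper and the assumption that pam_unix.so checks only the local /etc/shadow entry are constructed for the example.

```python
# Simplified model of Linux-PAM control flags, run over the auth stack from the post.
STACK = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
"""

def parse(stack):
    """Return (control, module) pairs for each 'auth' line."""
    rules = []
    for line in stack.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "auth":
            rules.append((fields[1], fields[2]))
    return rules

def module_ok(module, ctx):
    """Constructed stand-ins for the real modules' verdicts."""
    if module == "pam_env.so":
        return True
    if module == "pam_unix.so":        # assumed: compares against the local shadow hash only
        return ctx["typed"] == ctx["local_pw"]
    if module == "pam_succeed_if.so":  # uid >= 500
        return ctx["uid"] >= 500
    if module == "pam_ldap.so":        # needs the directory to be reachable
        return ctx["online"] and ctx["typed"] == ctx["ldap_pw"]
    return False                       # pam_deny.so and anything unknown

def authenticate(stack, ctx):
    required_failed = False
    for control, module in parse(stack):
        ok = module_ok(module, ctx)
        if control == "sufficient" and ok and not required_failed:
            return True                # stop here: stack succeeds
        if control == "requisite" and not ok:
            return False               # stop here: stack fails
        if control == "required" and not ok:
            required_failed = True     # remember the failure, keep going
        # a failed 'sufficient' is ignored and the next line runs
    return not required_failed

def login(typed, online=True, uid=1000):
    ctx = {"typed": typed, "local_pw": "local-secret", "ldap_pw": "ldap-secret",
           "uid": uid, "online": online}   # constructed sample account
    return authenticate(STACK, ctx)
```

In this model `login("local-secret")` and `login("ldap-secret")` both succeed while the directory is reachable, and only the local password succeeds offline.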



