>>>>> "Brian" == Brian May <bam@debian.org> writes:

    Brian> 1. So if pam_ldap ever fails it will drop back to pam_unix.

2nd thoughts: putting pam_unix last was probably a bad idea. It means
that if the user's LDAP account has expired (for instance), they see a
confusing error "no account information available" from pam_unix,
instead of the sane "account has expired" error from pam_ldap.

-- 
Brian May <bam@debian.org>