Comment 7 for bug 682662

youshotwhointhatwhatnow (moloney-brendan) wrote :

It seems to be impossible to manage some PAM auth settings non-interactively due to this bug.

For example, I want to fetch user/group info from LDAP on a server so I install 'libnss-ldap'. This automatically enables LDAP authentication in PAM (this already seems like a bad idea), which I don't want; I just want the user/group info available. My first attempt to avoid this is to just edit /etc/pam.d/common-auth to not use ldap. However, this manual edit will get silently reverted any time the libnss-ldap package gets updated (or pam-auth-update gets run for some other reason).

OK, so I research pam-auth-update, which claims that "Debconf is the correct interface to use for management of PAM config files" (https://wiki.ubuntu.com/PAMConfigFrameworkSpec). OK, so I use debconf-set-selections to remove "ldap" from "libpam-runtime/profiles". I try running "dpkg-reconfigure libnss-ldap" and it completely wipes my manual debconf settings and re-enables LDAP authentication!

There has to be __some__ way to avoid this behavior and not have it silently re-enabled behind my back.
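
One way to notice the silent re-enablement described in the comment above, as an added example (not part of the original comment and not code from pam-auth-update): a shell check that lists the modules a pam.d file actually loads and flags any that are not on an expected list. The function names, the allowlist and the sample file are constructed for illustration, and pam_ldap.so is assumed to be the module the LDAP profile adds.

```shell
#!/bin/sh
# Constructed sample modelled on a common-auth file with LDAP auth enabled.
sample_common_auth() {
    cat <<'EOF'
# here are the per-package modules (the "Primary" block)
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_ldap.so use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
EOF
}

# Print the module names loaded by active (non-comment) lines of a pam.d file.
pam_modules() {
    awk '
        { sub(/#.*/, "") }          # strip comments, $0 is re-split
        NF < 3 { next }             # blank, @include or incomplete line
        {
            line = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", line)        # drop the type field
            if (line ~ /^\[/)
                sub(/^\[[^]]*\][ \t]*/, "", line)        # [value=action ...] control
            else
                sub(/^[^ \t]+[ \t]+/, "", line)          # single-word control
            split(line, f, /[ \t]+/)
            n = split(f[1], p, "/")                      # module may be a full path
            print p[n]
        }
    ' "$1" | sort -u
}

# Usage: pam_unexpected FILE ALLOWED_MODULE...
# Prints each loaded module that is not allowed; returns 1 if any was found.
pam_unexpected() {
    file=$1; shift
    allowed=" $* "
    rc=0
    for m in $(pam_modules "$file"); do
        case "$allowed" in
            *" $m "*) ;;
            *) echo "$m"; rc=1 ;;
        esac
    done
    return $rc
}
```

Run from cron or a dpkg post-invoke hook against /etc/pam.d/common-auth, a non-zero exit reports that a package update or a pam-auth-update run has put an unexpected module back into the stack.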