I believe that pam_unix doesn't recognise the account as it's stored in ldap - it has no shadow entry, so doesn't prompt for an authtok (ie new password), then pam_ldap fails because it's trying to use the authtok which has not been set:
Enter login(LDAP) password:
passwd: Authentication information cannot be recovered
passwd: password unchanged
Removing the use_authtok therefore also fixes it for me, and also explains why pam_cracklib hides the problem - its higher in the stack and sets the authtok after checking it for strength. Ultimately I guess "try_authtok" would be the right semantic to work in both situations.
I'd like to confirm this bug too with libpam-ldap 184-4.2ubuntu2 on Jaunty. I had the following configuration generated by pam-auth-update:
password [success=2 default=ignore] pam_unix.so obscure sha512
default= die] pam_ldap.so use_authtok try_first_pass
password [success=1 user_unknown=ignore
password requisite pam_deny.so
password required pam_permit.so
I believe that pam_unix doesn't recognise the account as it's stored in ldap - it has no shadow entry, so doesn't prompt for an authtok (ie new password), then pam_ldap fails because it's trying to use the authtok which has not been set:
Enter login(LDAP) password:
passwd: Authentication information cannot be recovered
passwd: password unchanged
Removing the use_authtok therefore also fixes it for me, and also explains why pam_cracklib hides the problem - its higher in the stack and sets the authtok after checking it for strength. Ultimately I guess "try_authtok" would be the right semantic to work in both situations.