Comment 5 for bug 329067

I'd like to confirm this bug too with libpam-ldap 184-4.2ubuntu2 on Jaunty. I had the following configuration generated by pam-auth-update:

password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 user_unknown=ignore
                  default=die] pam_ldap.so use_authtok try_first_pass
password requisite pam_deny.so
password required pam_permit.so

I believe that pam_unix doesn't recognise the account as it's stored in ldap - it has no shadow entry, so doesn't prompt for an authtok (ie new password), then pam_ldap fails because it's trying to use the authtok which has not been set:

Enter login(LDAP) password:
passwd: Authentication information cannot be recovered
passwd: password unchanged

Removing the use_authtok therefore also fixes it for me, and also explains why pam_cracklib hides the problem - its higher in the stack and sets the authtok after checking it for strength. Ultimately I guess "try_authtok" would be the right semantic to work in both situations.