Authentication failure on successful login when using LDAP authentication

Binary package hint: libpam-ldap

I've configured LDAP authentication for my ubuntu 9.10 clients using the following (recommended?) method:

# /usr/sbin/auth-client-config -p lac_ldap -t nss
# echo libpam-runtime libpam-runtime/profiles multiselect unix, ldap, consolekit | /usr/bin/debconf-set-selections
# /usr/sbin/pam-auth-update --package

Now LDAP authentication works fine, but I see authentication failures like the following in my logs:

Apr 13 15:35:38 example01 sshd[15860]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=example.com user=mikec
Apr 13 15:35:38 example01 sshd[15860]: Accepted password for mikec from 1.2.3.4 port 49507 ssh2
Apr 13 15:35:38 example01 sshd[15860]: pam_unix(sshd:session): session opened for user mikec by (uid=0)

As you can see, a failure message is always logged even though authentication was successful. Is this the expected behavior?

I'm not a PAM expert, so I don't completely understand what's happening in /etc/pam.d/common-auth, but since this only occurs for LDAP users, my hunch is that local auth is attempted first (which fails and logs the above error message), then LDAP auth is attempted and succeeds. If that's the case, is there a way to suppress the failure from the local auth attempt? This is important for packages like fail2ban which rely on these log messages. At the moment, it's possible to get locked out of a machine by having too many *successful* logins.