Actually, with "shadow compat ldap" in /etc/nsswitch.conf, I get "*" for the password because the system doesn't have access to the LDAP passwd field. So: pam_unix's "auth" returns failure because it can't verify the password, and pam_ldap's auth returns true if the password matches. So the fact that in that case pam_unix's "account" returns success is a bug IMHO.