Comment 4 for bug 604593

Thank you for reporting this issue and helping to improve Ubuntu.

This is not a bug in pam_unix, which is deliberately configured such that a successful authorization return from either pam_unix *or* another stacked module is sufficient to permit a login. If pam_ldap access checks should always be enforced *in addition* to pam_unix, then pam_ldap's pam-auth-update profile should declare itself Account-Type: additional.

This appears to be the same as Debian bug #583483.