account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 100 quiet
{
    # Emit the pam_ldap account check only when LDAP authentication is
    # switched on; a missing or empty Authentication value is treated as
    # 'disabled', so the line is left out by default.
    my $ldap_enabled = ($ldap{Authentication} || 'disabled') eq 'enabled';
    return unless $ldap_enabled;

    # Control flags: success=ok accepts the account, user_unknown=ignore lets
    # accounts that pam_ldap does not know fall through to the other modules,
    # and default=bad counts every other result as a failure of the stack.
    # NOTE(review): this line follows the "sufficient" pam_succeed_if rule for
    # uid < 100, so those accounts can leave the account stack before
    # pam_ldap is consulted.
    $OUT .= "account     [default=bad success=ok user_unknown=ignore]      pam_ldap.so";
}
account     required      pam_permit.so
{
    # Emit the pam_faillock account line only when the faillock feature is
    # switched on; a missing or empty status is treated as 'disabled'.
    my $faillock_enabled = ($pam_faillock{status} || 'disabled') eq 'enabled';
    return unless $faillock_enabled;

    # Keep this account-phase call: if it is dropped, the lock is also
    # triggered by non-consecutive authentication failures, because failed
    # attempts are no longer separated by the successful logins in between.
    # NOTE(review): the "sufficient" pam_succeed_if rule for uid < 100 sits
    # earlier in this stack, so this call may never run for those accounts;
    # confirm against the auth stack whether they are tracked by faillock.
    $OUT .= "account     required      pam_faillock.so";
}
