
Sunday 23 June 2013

PAM authentication with multiple passwords

I just learned that PAM can cascade through authentication modules when one of them fails. This makes it possible to accept different passwords, for example an LDAP password or a password from the shadow file. When a user logs in with his local password, the configured system would first try the LDAP password check, for instance, which would fail, and then the PAM module for the local shadow file would be used.


I discovered this when reading about Barada (see the SourceForge page). This project offers a nice remote password mechanism in which a token can be obtained from a phone app, for instance on Android. It uses the HOTP protocol described in this RFC.
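
The fall-through described above, combined with an HOTP one-time-password check, as an added Python example that is not code from this post or from the Barada project. It is a simplified model in which every module behaves like a PAM `sufficient` entry; the user name, passwords and helper names are constructed for illustration, and the plaintext tables stand in for real LDAP and shadow back ends.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value: HMAC-SHA-1 over an 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class HotpToken:
    """Server-side token state: the counter only moves forward, so a code works once."""
    def __init__(self, secret: bytes, counter: int = 0, window: int = 3):
        self.secret, self.counter, self.window = secret, counter, window

    def check(self, user: str, password: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), password):
                self.counter = c + 1      # rejects replay of this and older codes
                return True
        return False

def authenticate(stack, user, password):
    """Model of a stack of 'sufficient' modules: the first success ends the run,
    a failure is ignored and the next module is tried; if none succeeds, deny."""
    for name, check in stack:
        if check(user, password):
            return name
    return None

# Constructed sample data: the secret is the RFC 4226 test key, passwords are made up.
token = HotpToken(b"12345678901234567890")
LDAP_DB = {"alice": "ldap-pass"}      # stand-in for an LDAP bind
SHADOW_DB = {"alice": "local-pass"}   # stand-in for the hashed shadow entry

def db_check(db):
    return lambda user, pw: hmac.compare_digest(db.get(user, ""), pw)

STACK = [("hotp", token.check), ("ldap", db_check(LDAP_DB)), ("shadow", db_check(SHADOW_DB))]

if __name__ == "__main__":
    for pw in ("local-pass", "755224", "755224", "wrong"):
        print(pw, "->", authenticate(STACK, "alice", pw))
```

Because any module in such a stack can grant access, the weakest accepted password sets the strength of the login.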