I have installed the ldapns.schema in my ubuntu 10.04 ldap server to enable host based authentication/filtering.  I have some ubuntu 10.10 ldap clients that requires filtering.  All my ldap users have passwords in crypt format that I have converted to an ldif file using the PADL migration.pl scripts.  After importing them into my ldap server, the pam filtering wasn't working; however, when I changed the passwords from crypt to clear or md5 or sha1, filtering worked fine.  The question is how can I get filtering to work with {CRYPT} password hashing? 

cat /etc/ldap.conf | grep -v ^# | grep -v ^$
base dc=web,dc=net
uri ldap://10.112.18.2
ldap_version 3
rootbinddn cn=admin,dc=web,dc=net
bind_policy soft
pam_filter |(host=webdev120)(host=\*)
nss_initgroups_ignoreusers backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,news,proxy,root,sshd,sync,sys,syslog,uucp,www-data
   
cat common-auth | grep -v ^# | grep -v ^$
auth    [success=2 default=ignore]    pam_unix.so nullok_secure
auth    [success=1 default=ignore]    pam_ldap.so use_first_pass
auth    requisite            pam_deny.so
auth    required            pam_permit.so

cat common-account | grep -v ^# | grep -v ^$
account    [success=2 new_authtok_reqd=done default=ignore]    pam_unix.so
account    [success=1 default=ignore]    pam_ldap.so
account    requisite            pam_deny.so
account    required            pam_permit.so

cat common-password | grep -v ^# | grep -v ^$
password    [success=2 default=ignore]    pam_unix.so obscure sha512
password    [success=1 user_unknown=ignore default=die]    pam_ldap.so use_authtok try_first_pass
password    requisite            pam_deny.so
password    required            pam_permit.so