Adding pam_ldap.so by masking pam load errors

Absence of ldap distro feature will not generate pam_ldap.so because
of which we might see some unwanted error messages regarding the
failure in opening the pam_ldap.so in journalctl incase if pam_ldap
is present in PAM Configuration.

This commit would:

- Leverage '-' option before the 'type' in pam configuration, by which
  the PAM library will not log any errors in the syslog if it is not
  able to load the module beacause it is missing in the system.By using
  this we don't need two pam configuration files for ldap and unix.
- Leverages ignore_unknown_user &  ignore_authinfo_unavail options of
  pam_ldap.so, which forces the PAM framework to ignore pam_ldap incase
  if the user is not present in LDAP server or if the client cannot
  connect to LDAP Server.

(From meta-phosphor rev: 2c7efc937785a76e35a06b6807e12765ad40d99d)

Change-Id: Ic1044989ccae4e6e442de9865cf00cea33f75262
Signed-off-by: manojkiraneda <manojkiran.eda@gmail.com>
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
diff --git a/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-auth b/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-auth
index 4ac58fb..7bebd9a 100644
--- a/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-auth
+++ b/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-auth
@@ -8,8 +8,10 @@
 # traditional Unix authentication mechanisms.
 
 # here are the per-package modules (the "Primary" block)
-auth	[success=ok default=1]	pam_tally2.so deny=0 unlock_time=0
-auth	[success=1 default=ignore]	pam_unix.so nullok_secure
+auth	[success=ok default=2]	pam_tally2.so deny=0 unlock_time=0
+# Try for local user first, and then try for ldap
+auth	[success=2 default=ignore]	pam_unix.so nullok_secure
+-auth    [success=1 default=ignore]  	pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
 # here's the fallback if no module succeeds
 auth	requisite			pam_deny.so
 # prime the stack with a positive return value if there isn't one already;