Configuring PAM correctly to work with Secure LDAP


I've recently set up my server to work with a remote Active Directory using Secure LDAP (i.e. users defined in the AD can log in to my server).

As part of my testing, I've found out that when I intentionally corrupt the certificate (issued by the LDAP server and located on my server), I am still able to log in to my server.

Looking into my server's /etc/pam.d/password-auth-ac configuration file, I've discovered that it only uses pam_krb5.so and not pam_ldap.so.

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass          <----
auth        required      pam_deny.so

When adding pam_ldap.so after pam_krb5.so, I could no longer log in to the server when the certificate was corrupted.

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass          <----
auth        sufficient    pam_ldap.so use_first_pass          <----
auth        required      pam_deny.so

So finally, my question is: why wasn't pam_krb5 enough to detect the corrupted certificate? And what are the differences between pam_ldap and pam_krb5?

Thanks

idan.at

Posted 2019-10-24T12:54:01.183


No answers
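The following is an added example, not code from the original post: a small simulator of how Linux-PAM walks an "auth" stack, used to replay the two password-auth-ac stacks quoted in the question with constructed module verdicts. The real modules need a live KDC and directory, so each module's result is supplied by the caller; the control-flag semantics (required, requisite, sufficient) follow pam.conf(5). Two facts worth keeping in mind when reading it: pam_krb5 authenticates against the KDC with the Kerberos protocol and never opens an LDAP connection, so the directory's TLS certificate plays no part in its verdict; pam_ldap binds to the directory over TLS, where the certificate is verified according to the client's tls_reqcert (nslcd.conf) or TLS_REQCERT (ldap.conf) setting. The pam_ldap_verdict helper that models that knob is a simplification and an assumption of this example, not the module's own logic.

```python
# Added example (not from the original post): replay the two PAM auth stacks
# from the question with constructed module outcomes. Control-flag handling
# follows pam.conf(5); the module verdicts are supplied, not computed.

SUCCESS = "PAM_SUCCESS"
AUTH_ERR = "PAM_AUTH_ERR"


def evaluate_stack(stack, verdicts):
    """Walk an auth stack top to bottom.

    stack:    list of (control, module) tuples in file order
    verdicts: dict module -> bool (True means the module returned PAM_SUCCESS)
    Returns (final result, list of modules that were actually called).
    """
    required_failed = False
    consulted = []
    for control, module in stack:
        ok = verdicts.get(module, False)  # unknown module is treated as a failure
        consulted.append(module)
        if control == "required":
            # failure is remembered, but the remaining modules still run
            required_failed = required_failed or not ok
        elif control == "requisite":
            if not ok:
                return AUTH_ERR, consulted  # stop immediately
        elif control == "sufficient":
            # success ends the stack unless an earlier 'required' failed;
            # failure is simply ignored and the next module runs
            if ok and not required_failed:
                return SUCCESS, consulted
        elif control == "optional":
            pass  # only decisive when it is the sole module; not modelled here
        else:
            raise ValueError(f"unknown control flag {control!r}")
    # Falling off the end without a decisive success is a denial; both stacks
    # in the question end in 'required pam_deny.so', which forces this anyway.
    return AUTH_ERR, consulted


# The two stacks from the question (auth section of password-auth-ac).
STACK_KRB5_ONLY = [
    ("required",   "pam_env.so"),
    ("sufficient", "pam_unix.so"),
    ("requisite",  "pam_succeed_if.so"),
    ("sufficient", "pam_krb5.so"),
    ("required",   "pam_deny.so"),
]
STACK_KRB5_THEN_LDAP = STACK_KRB5_ONLY[:4] + [
    ("sufficient", "pam_ldap.so"),
    ("required",   "pam_deny.so"),
]


def pam_ldap_verdict(cert_valid, tls_reqcert="demand"):
    """Constructed, simplified model of pam_ldap's bind over TLS (assumption).

    With tls_reqcert=demand (the usual default) a certificate that fails
    verification aborts the TLS handshake, so the bind and the module fail.
    'never' and 'allow' skip the check. Other bind failures are ignored.
    """
    if tls_reqcert in ("never", "allow"):
        return True
    return cert_valid


def ad_user_verdicts(krb5_ok, ldap_ok):
    """Verdicts for a directory-only user: no local shadow entry, uid >= 500."""
    return {
        "pam_env.so": True,
        "pam_unix.so": False,       # AD user has no local password hash
        "pam_succeed_if.so": True,  # uid >= 500 holds for the AD account
        "pam_krb5.so": krb5_ok,     # Kerberos to the KDC; no LDAP TLS involved
        "pam_ldap.so": ldap_ok,     # bind over TLS; certificate is checked here
        "pam_deny.so": False,
    }


def replay(stack, krb5_ok, cert_valid, tls_reqcert="demand"):
    """Run one scenario: Kerberos outcome plus state of the LDAP certificate."""
    verdicts = ad_user_verdicts(krb5_ok, pam_ldap_verdict(cert_valid, tls_reqcert))
    return evaluate_stack(stack, verdicts)


if __name__ == "__main__":
    scenarios = (("krb5 only", STACK_KRB5_ONLY), ("krb5 then ldap", STACK_KRB5_THEN_LDAP))
    for name, stack in scenarios:
        for krb5_ok in (True, False):
            result, consulted = replay(stack, krb5_ok, cert_valid=False)
            print(f"{name:15} krb5_ok={krb5_ok!s:5} cert=corrupt -> {result:12} "
                  f"decided by {consulted[-1]}")
```

Running the scenarios makes the ordering consequence visible: in the first stack pam_ldap does not exist, so a corrupted certificate cannot influence the result at all, and in the second stack pam_ldap is only reached when pam_krb5 has already failed, because a succeeding 'sufficient' module ends the stack. The certificate is therefore only ever examined by the module that actually talks LDAP over TLS.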