In your pam auth section:

auth [success=1 default=ignore] pam_unix.so 
auth    required    pam_ldap.so use_first_pass
auth    required    pam_permit.so

In your ldap.conf (for the pam/nss stack):

bind_policy soft