diff --git a/Python/etc/pam.d/common-account b/Python/etc/pam.d/common-account index 8b151f0..ae59939 100644 --- a/Python/etc/pam.d/common-account +++ b/Python/etc/pam.d/common-account @@ -25,7 +25,7 @@ if not has('wheezy'): else: @# here are the per-package modules (the "Primary" block) - @account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so use_first_pass + @account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so use_first_pass @# here's the fallback if no module succeeds @account requisite pam_deny.so @# prime the stack with a positive return value if there isn't one already; @@ -34,5 +34,5 @@ else: @account required pam_permit.so @# and here are more per-package modules (the "Additional" block) if has("ldap"): - print "account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] %s minimum_uid=1000" % pam_module + print "account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] %s minimum_uid=1000" % pam_module @# end of pam-auth-update config diff --git a/Python/etc/pam.d/common-auth b/Python/etc/pam.d/common-auth index b51fc8f..ec6c832 100644 --- a/Python/etc/pam.d/common-auth +++ b/Python/etc/pam.d/common-auth @@ -25,8 +25,10 @@ if not has('wheezy'): else: @# here are the per-package modules (the "Primary" block) if has('ldap'): - print "auth [success=2 default=ignore] %s minimum_uid=1000" % pam_module - @auth [success=1 default=ignore] pam_unix.so nullok_secure + print "auth [success=2 default=ignore] pam_unix.so nullok_secure" + print "auth [success=1 default=ignore] %s minimum_uid=1000 use_first_pass" % pam_module + else: + print "auth [success=1 default=ignore] pam_unix.so nullok_secure" @# here's the fallback if no module succeeds @auth requisite pam_deny.so @# prime the stack with a positive return value if there isn't one already; 
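Review bot: In common-auth, the `success=2` and `success=1` jump counts in the new `has('ldap')` branch depend on exactly which lines follow (the LDAP line and `pam_deny.so`), and nothing in the hunk records that or why `pam_unix.so` now runs before the LDAP module. With this order the local password database is checked first for every user, so a local account that shares a name with a directory user authenticates without the LDAP module being reached, and each LDAP login will presumably record a pam_unix failure first. If that is intended, it deserves a comment in the branch such as `# pam_unix first: success=2 skips the LDAP line and pam_deny; LDAP reuses the typed password via use_first_pass`. The `else` branch also switches from the `@auth` template line to `print`, while common-password keeps `@password` lines inside its branches; one form throughout would be easier to audit. The enclosing `if not has('wheezy'):` / `else:` block starts outside the hunk.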
diff --git a/Python/etc/pam.d/common-password b/Python/etc/pam.d/common-password index 16e004f..ce0c232 100644 --- a/Python/etc/pam.d/common-password +++ b/Python/etc/pam.d/common-password @@ -42,13 +42,17 @@ pam-auth-update(8) for details. @# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH') if not has('wheezy'): - print "password sufficient %s ignore_unknown_user md5 try_first_pass" % pam_module + if has('ldap'): + print "password sufficient %s ignore_unknown_user md5 try_first_pass" % pam_module print "password required pam_unix.so nullok obscure min=4 max=8 md5 try_first_pass" else: @# here are the per-package modules (the "Primary" block) - @password [success=2 default=ignore] pam_unix.so nullok obscure sha512 min=4 max=8 md5 try_first_pass - print "password [success=1 default=ignore] %s minimum_uid=1000 ignore_unkown_user md5 try_first_pass" % pam_module + if has('ldap'): + @password [success=2 default=ignore] pam_unix.so nullok obscure sha512 min=4 max=8 md5 try_first_pass + print "password [success=1 default=ignore] %s minimum_uid=1000 ignore_unkown_user md5 try_first_pass" % pam_module + else: + @password [success=1 default=ignore] pam_unix.so nullok obscure sha512 min=4 max=8 md5 try_first_pass @# here's the fallback if no module succeeds @password requisite pam_deny.so @# prime the stack with a positive return value if there isn't one already; diff --git a/Python/etc/pam.d/common-session b/Python/etc/pam.d/common-session index a1f23e6..5bfb6ff 100644 --- a/Python/etc/pam.d/common-session +++ b/Python/etc/pam.d/common-session @@ -24,7 +24,7 @@ if not has('wheezy'): else: @# here are the per-package modules (the "Primary" block) - @session [default=1] pam_permit.so + @session [default=1] pam_permit.so @# here's the fallback if no module succeeds @session requisite pam_deny.so @# prime the stack with a positive return value if there isn't one already; 
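Review bot: In common-password, the wheezy LDAP line that this hunk moves under `if has('ldap'):` still passes `ignore_unkown_user` (missing "n"), while the non-wheezy line spells it `ignore_unknown_user`. The misspelled option is most likely not recognised by the module, so the intended behaviour is probably not applied; the line should read `... %s minimum_uid=1000 ignore_unknown_user md5 try_first_pass`. Both wheezy `pam_unix.so` lines, including the newly added `else` one, give `sha512` and later `md5`; as far as I know pam_unix treats the hash options as mutually exclusive and keeps the last one, which would store new local passwords as MD5-crypt. Drop `md5` from those lines if SHA-512 is what is wanted. The surrounding template block continues outside the hunk.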
@@ -32,7 +32,7 @@ else: @# since the modules above will each just jump around @session required pam_permit.so @# and here are more per-package modules (the "Additional" block) - @session required pam_unix.so + @session required pam_unix.so if has('ldap'): - print "session [success=ok default=ignore] %s minimum_uid=1000" % pam_module + print "session [success=ok default=ignore] %s minimum_uid=1000" % pam_module @# end of pam-auth-update config