Don't force Auth-Type Ldap.
 
But you will have to use two sql instances - one to store reply info and one to store backup passwords. You can't store passwords in sql (used for reply attributes) and ldap as well.
authorize {
...
sql_reply
ldap
if (notfound | fail) {
    sql_bkp_pass
}
...
}
 

Ah, thank you very much. I think I understand now. Will experiment with that when I get back to work on Tuesday.


Many thanks,
Justin Steward