Previous post update: the problem appears to be a bug in the pam code itself which allows this kind of behaviour in some cases. The developer thinks it's possible that our system is allowing clients to anonymously bind. Fortunately there's a patch for that. Unfortunately recompiling PAM is close to being the last thing I want to do. Fortunately, there's a new version (v0.7.13 vs. the current v0.7.6) from Natty that installed with no drama. Also fortunately, it works!
I've installed it on carrot to test it in the real world.
I also spent a good deal of time submitting a bug report on Launchpad (Bug #720401).