blob: c6496ba8713fc7fc802602578b0745b0d8f74b85 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
|
auth required pam_env.so
# this part is here if the module don't exist
# basically, the idea is to copy the exact detail of sufficient,
# and add abort=ignore
auth [abort=ignore success=done new_authtok_reqd=done default=ignore] pam_tcb.so shadow fork nullok prefix=$2a$ count=8
auth sufficient pam_unix.so likeauth nullok try_first_pass
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account sufficient pam_localuser.so
# not sure if the following bring something useful
account required pam_ldap.so
<%- allowed_access_classes = scope.lookupvar('pam::multiple_ldap_access::allowed_access_classes') -%>
<%- if allowed_access_classes -%>
<%- allowed_access_classes.each { |ldap_group| -%>
account sufficient pam_succeed_if.so quiet user ingroup <%= @ldap_group %>
<%- } -%>
<%- end -%>
account required pam_deny.so
password required pam_cracklib.so retry=3 minlen=8 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 dcredit=0 ucredit=0 ucredit=0
# TODO check this part too
password sufficient pam_tcb.so use_authtok shadow write_to=shadow fork nullok prefix=$2a$ count=8 abort=ignore
password sufficient pam_ldap.so use_authtok
password sufficient pam_unix.so use_authtok nullok md5 shadow
password required pam_deny.so
session optional pam_keyinit.so revoke
# optional if there is a problem when creating the account
session optional pam_mkhomedir.so
session required pam_limits.so
session required pam_unix.so
session optional pam_ldap.so
|
