auth required pam_env.so # this part is here if the module don't exist # basically, the idea is to copy the exact detail of sufficient, # and add abort=ignore auth [abort=ignore success=done new_authtok_reqd=done default=ignore] pam_tcb.so shadow fork nullok prefix=$2a$ count=8 auth sufficient pam_unix.so likeauth nullok try_first_pass auth sufficient pam_ldap.so use_first_pass auth required pam_deny.so account sufficient pam_localuser.so # not sure if the following bring something useful account required pam_ldap.so <%- allowed_access_classes = scope.lookupvar('pam::multiple_ldap_access::allowed_access_classes') -%> <%- if allowed_access_classes -%> <%- allowed_access_classes.each { |ldap_group| -%> account sufficient pam_succeed_if.so quiet user ingroup <%= ldap_group %> <%- } -%> <%- end -%> account required pam_deny.so password required pam_cracklib.so retry=3 minlen=8 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 dcredit=0 ucredit=0 ucredit=0 # TODO check this part too password sufficient pam_tcb.so use_authtok shadow write_to=shadow fork nullok prefix=$2a$ count=8 abort=ignore password sufficient pam_ldap.so use_authtok password sufficient pam_unix.so use_authtok nullok md5 shadow password required pam_deny.so session optional pam_keyinit.so revoke # optional if there is a problem when creating the account session optional pam_mkhomedir.so session required pam_limits.so session required pam_unix.so session optional pam_ldap.so