@%@UCRWARNING=# @%@

auth     sufficient                         pam_unix.so
@!@
methods = configRegistry.get('auth/methods','').split(' ')

if configRegistry.is_true( 'auth/passwdcache', False ):
	if 'krb5' in methods:
		print 'auth     [success=1 new_authtok_reqd=ok user_unknown=ignore service_err=ignore authinfo_unavail=ignore auth_err=die default=ignore]                         pam_krb5.so use_first_pass'
	print 'auth     [success=ok new_authtok_reqd=ok          user_unknown=die          service_err=1 authinfo_unavail=1          default=die]                         pam_ldap.so use_first_pass'

	user = configRegistry.get( 'auth/passwdcache/max_user', '3' ).strip( '"' )

	print '''
# cache password (on successful authentification)
auth     [success=done new_authtok_reqd=ok          ignore=ignore default=bad]         pam_passwdcache.so try_first_pass insert max_user=%(user)s
# remove password from cache (on failed authentification)
# auth     required                           pam_passwdcache.so try_first_pass delete max_user=%(user)s
# authenticate against cache (if a service fails)
auth     required                         pam_passwdcache.so try_first_pass
''' % { 'user' : user }
else:
	if 'krb5' in methods:
		print 'auth     sufficient                         pam_krb5.so use_first_pass'
	print 'auth     required                           pam_ldap.so use_first_pass'
@!@

account  sufficient             pam_unix.so
@!@
methods = configRegistry.get('auth/methods','').split(' ')
if 'krb5' in methods:
	print 'account  sufficient             pam_krb5.so'
@!@account  required               pam_ldap.so

session    required   pam_unix.so

password requisite  pam_cracklib.so
password sufficient pam_unix.so nullok obscure md5 minlen=4 use_first_pass use_authtok
password required pam_krb5.so use_first_pass use_authtok
