@%@UCRWARNING=# @%@

@!@
if configRegistry.is_true('auth/faillog', False):
	print 'account	required	pam_tally.so'
@!@

# local unix authentification; don't cache passwords, deny access if account is expired
account [success=done new_authtok_reqd=done acct_expired=bad default=ignore]    pam_unix.so

# remote authentification; if a service
# - fails, we'll fall back to cache authentification
# - is successful, cache the password
# - isn't aware of the user, proceed with the next service
@!@
minimum_uid = int(configRegistry.get('pam/krb5/minimum_uid', 1000))
pam_krb5='''
account  <action>                         pam_krb5.so minimum_uid=%d''' % (minimum_uid,)
pam_ldap='''
account  <action>                         pam_ldap.so'''
pam_winbind='''
account  <action>                         pam_winbind.so'''
pam_cache='''
account  <action>                         pam_passwdcache.so'''

def pam_section(template, index):
	if index <= 1:
		action='required  '
	else:
		action='sufficient'	
	return template.replace('<action>', action)

methods=filter(lambda(x): x in ['krb5', 'ldap', 'winbind', 'cache'],
	configRegistry['auth/methods'].split(' '))
index = len(methods)

if 'krb5' in methods:
	print pam_section(pam_krb5, index)
	index -= 1
if 'ldap' in methods:
	print pam_section(pam_ldap, index)
	index -= 1
if 'winbind' in methods:
	print pam_section(pam_winbind, index)
	index -= 1
if 'cache' in methods:
	print pam_section(pam_cache, index)
	index -= 1
@!@
