@%@UCRWARNING=# @%@

auth     requisite                          pam_nologin.so
@!@
if baseConfig.is_true('auth/faillog', False): 
	tally_option='per_user deny=%s' % baseConfig.get('auth/faillog/limit', '5')
	if baseConfig.is_true('auth/faillog/root', False):
		tally_option+=' even_deny_root_account'
	if baseConfig.get('auth/faillog/unlock_time', '0') != '0':
		tally_option+=' unlock_time=%s' % baseConfig.get('auth/faillog/unlock_time')
	if baseConfig.is_true('auth/faillog/lock_global', False):
		print 'auth	[success=1 user_unknown=1 default=bad]	pam_tally.so %s' % tally_option
		print 'auth	[default=die]	pam_runasroot.so program=/usr/lib/univention-pam/lock-user'
	else:
		print 'auth	required	pam_tally.so %s' % tally_option
@!@

# local unix authentification; don't cache passwords
auth     sufficient                         pam_unix.so

# remote authentification; if a service
# - fails, we'll fall back to cache authentification
# - is successful, cache the password
# - isn't aware of the user, proceed with the next service
@!@
minimum_uid = int(configRegistry.get('pam/krb5/minimum_uid', 1000))
pam_krb5='''
auth	sufficient			pam_krb5.so use_first_pass minimum_uid=%d''' % (minimum_uid,)
pam_ldap='''
auth 	sufficient 			pam_ldap.so use_first_pass'''
pam_winbind=''' 
auth 	sufficient 			pam_winbind.so use_first_pass'''
pam_cache='''
auth     required                         pam_passwdcache.so try_first_pass'''


def pam_section(template, index, last):
	if index <= 0:
		succ='done'
		unavail='die'
		fail='die'
	else:
		succ=str(index-1)
		if succ == '0':
			succ = 'ok'
		fail=str(index)
		unavail=str(index+1)
	if index == 1:
		unknown=str(index)
	elif last == 1:
		unknown='die'
	else:
		unknown='ignore'
		
	return template.replace('<succ>', succ).replace('<unavail>', unavail).\
		replace('<fail>', fail).replace('<unknown>', unknown)

methods=filter(lambda(x): x in ['krb5', 'ldap', 'winbind', 'cache'],
	baseConfig['auth/methods'].split(' '))
if 'cache' in methods:
	methods.remove('cache')
	index = len(methods)
else:
	index = -1

if 'krb5' in methods:
	last=0
	if not 'ldap' in methods and not 'winbind' in methods:
		last=1
	print pam_section(pam_krb5, index, last)
	index -= 1
if 'ldap' in methods:
	last=0
	if not 'winbind' in methods:
		last=1
	print pam_section(pam_ldap, index, last)
	index -= 1
if 'winbind' in methods:
	print pam_section(pam_winbind, index, 1)
	index -= 1

# cache is activated
if index == 0:
	print pam_cache	

# cache_store=['success', 'new_authtok_reqd']
# cache_delete=['auth_err', 'perm_denied', 'cred_err', 'acct_expired', 'authtok_expired']
# cache_auth=['service_err', 'system_err', 'authinfo_unavail']
@!@

auth     required                           pam_env.so
