@%@UCRWARNING=# @%@

password	requisite	pam_cracklib.so
@!@
PAM = [
	('unix',    'password	%(action)s	pam_unix.so nullok obscure md5 min=4 max=32 try_first_pass use_authtok'),
	('krb5',    'password	%(action)s	pam_krb5.so try_first_pass use_authtok minimum_uid=%(minimum_uid)d'),
	#('ldap',    'password	%(action)s	pam_ldap.so try_first_pass use_authtok'),
	('winbind', 'password	%(action)s	pam_winbind.so try_first_pass use_authtok'),
]

minimum_uid = int(configRegistry.get('pam/krb5/minimum_uid', 1000))
methods = set(configRegistry.get('auth/methods', '').split(' '))
methods.add('unix')
pam = [template for method, template in PAM if method in methods]
for i, template in enumerate(pam):
	print template % {
		'action': '[success=%d default=ignore]' % (len(pam) - i),
		'minimum_uid': minimum_uid,
	}
@!@
# here's the fallback if no module succeeds
password	requisite	pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password	required	pam_permit.so
