@!@
from univention.lib.misc import getLDAPServersCommaList

krb5_minimum_uid = int(configRegistry.get('pam/krb5/minimum_uid', 1000))

auth = "auth     optional        pam_univentionmailcyrus.so"
auth += " ldap_host=%s" % getLDAPServersCommaList(configRegistry)
auth += " ldap_base=%s" % configRegistry.get("ldap/base")
auth += " from_attr=mailPrimaryAddress to_attr=uid"
auth += " binddn=%s " % configRegistry.get("ldap/hostdn")
auth += " pwfile=/etc/machine.secret"
auth += " ldap_port=%s" % configRegistry.get("ldap/server/port", "7389")
print(auth)
print(f'''
auth     sufficient      pam_sss.so
auth     required        pam_krb5.so use_first_pass defer_pwchange minimum_uid={krb5_minimum_uid}

account  sufficient      pam_unix.so
account  required        pam_sss.so
''')
@!@
