@%@UCRWARNING=# @%@

password	requisite	pam_cracklib.so
@!@
PAM = [
    ('unix', 'password	%(action)s	pam_unix.so obscure sha512 try_first_pass use_authtok'),
    ('krb5', 'password	%(action)s	pam_krb5.so try_first_pass use_authtok minimum_uid=%(minimum_uid)d %(ticket_after_pwchange)s'),
    #('ldap',    'password	%(action)s	pam_ldap.so try_first_pass use_authtok'),
    ('winbind', 'password	%(action)s	pam_winbind.so try_first_pass use_authtok'),
]

minimum_uid = int(configRegistry.get('pam/krb5/minimum_uid', 1000))
ticket_after_pwchange = 'ticket_after_pwchange' if configRegistry.is_true('pam/krb5/ticket_after_pwchange') else ''
methods = set(configRegistry.get('auth/methods', '').split(' '))
methods.add('unix')
pam = [template for method, template in PAM if method in methods]
for i, template in enumerate(pam):
    print(template % {
        'action': '[success=%d default=ignore]' % (len(pam) - i),
        'minimum_uid': minimum_uid,
        'ticket_after_pwchange': ticket_after_pwchange,
    })
@!@
# here's the fallback if no module succeeds
password	requisite	pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password	required	pam_permit.so
