#%PAM-1.0
#
auth    required pam_env.so
auth    [success=ignore default=1] pam_localuser.so
auth    [success=done new_authtok_reqd=done default=die]  pam_unix.so likeauth nullok shadow
auth    [authinfo_unavail=1 success=ignore default=2] pam_ldap.so
auth    [default=done] pam_ccreds.so action=store use_first_pass
auth    [success=done default=die] pam_ccreds.so action=validate use_first_pass
auth    [default=ignore] pam_echo.so Delete cached password
auth    [default=bad] pam_ccreds.so action=update
auth    required    pam_deny.so

account [authinfo_unavail=ignore user_unknown=ignore default=done] pam_unix.so
account sufficient pam_localuser.so
account [success=ignore default=1] pam_succeed_if.so uid > 10000
account [authinfo_unavail=ignore default=done] pam_ldap.so
account sufficient pam_permit.so

password    required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password    sufficient pam_unix.so nullok use_authtok shadow md5 try_first_pass
password    sufficient pam_ldap.so use_authtok use_first_pass
password    required pam_deny.so

session required    pam_limits.so
session required    pam_unix.so
session required    pam_mkhomedir.so skel=/etc/skel/ umask=0066
session optional    pam_ldap.so

