#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# Default was:
#account	required	pam_unix.so
#
# pam_unix does general checks based on NSS info, so it also works for ldap
# users.
account		required        pam_unix.so

# pam_ldap does additional checks (in particular checking the host ldap
# attribute) but needs to be ignored when it does not know about a user.
account         [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=ignore default=bad] \
                                pam_ldap.so