# /etc/pam.d/common-ldap - settings for ldap
# 
# This file setups up auth for ldap users, but account, session and password
# for all users.
#
# This file is included from other service-specific PAM config files and
# contains the modules needed to get ldap users for all four sections.


# Do authentication for LDAP users
auth    required        pam_ldap.so

# pam_unix does general checks based on NSS info, so it also works for ldap
# users.
account required        pam_unix.so

# pam_ldap does additional checks (in particular checking the host ldap
# attribute) but needs to be ignored when it does not know about a user.
account         [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=ignore default=bad] \
                                pam_ldap.so


password    sufficient    pam_unix.so obscure sha512
password    sufficient    pam_ldap.so
password    required      pam_deny.so

# Set resource limits from /etc/security/limits.conf
session     required      pam_limits.so

# Write logins to syslog
session     required      pam_unix.so

# Tell pam_ldap about sessions as well, though it does not currently do
# anything.
session     required      pam_ldap.so

#session     required      pam_mkhomedir.so skel=/etc/skel umask=0022