#%PAM-1.0

# We have a common auth and account section, since we don't need to check the
# "host" attribute, but the "mailHost" attribute. It would be sufficient to
# use a custom account section, but pam_ldap only loads its config once, so we
# can't use a different config for just the account section.

# These are just taken from common-{auth,account}, but with the config=
# parameter added.
auth    required    pam_ldap.so config=/etc/pam_ldap_dovecot.conf

# pam_unix does general checks based on NSS info, so it also works for LDAP
# users.
account required    pam_unix.so

# pam_ldap does additional checks (in particular checking the host LDAP
# attribute) but needs to be ignored when it does not know about a user.
# We point the module to an alternative configuration file.
account [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=ignore default=bad] \
        pam_ldap.so config=/etc/pam_ldap_dovecot.conf

@include common-session