# Default was:
#account required pam_unix.so
#
-# LDAP config based on from http://wiki.debian.org/LDAP/PAM
-account required pam_ldap.so
+# pam_unix does general checks based on NSS info, so it also works for ldap
+# users.
+account required pam_unix.so
+
+# pam_ldap does additional checks (in particular checking the host ldap
+# attribute) but needs to be ignored when it does not know about a user.
+account [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=ignore default=bad] \
+ pam_ldap.so
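Review bot: The control spec on the pam_ldap line maps every return value not listed to `default=bad`, which includes the result pam_ldap gives when the LDAP server cannot be reached, so an LDAP outage fails the account stack for local users too, even after pam_unix on the line above has accepted them; the same stack is pulled in by the cron and su hunks through `@include common-account`. That is a fail-closed choice and may be intended, but it is not stated in the comment; either document it, e.g. `# Note: an unreachable LDAP server hits default=bad and blocks local accounts as well.`, or, if local logins must survive an outage, add `authinfo_unavail=ignore` to the bracket and say why. The comment could also spell out that `user_unknown=ignore` is what lets accounts that exist only in /etc/passwd pass this line.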
# The PAM configuration file for the cron daemon
#
+# cron uses pam_set_cred so it needs a working auth section. It does not do
+# any other real authentication.
auth sufficient pam_unix.so
-@include common-auth
-# This is required instead of sufficient, since pam_unix mostly does checks
-# based on NSS, so this will also work for ldap users.
-account required pam_unix.so
-# We use a custom control spec so we won't fail on user_unknown special
-account [success=ok new_authtok_reqd=ok user_unknown=ignore ignore=ignore default=bad] pam_ldap.so
+@include common-auth
+@include common-account
@include common-session
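Review bot: The kept `auth sufficient pam_unix.so` line now sits directly in front of the moved `@include common-auth`; on the pam_setcred path the comment describes, a success from pam_unix under `sufficient` ends the auth stack, so the included common-auth modules are presumably never reached for cron. If that is the intent, the comment above should say so, e.g. `# sufficient: pam_unix's setcred succeeds and ends the stack, common-auth is only a fallback.`, so a later reader does not assume pam_ldap's credential handling runs here. The account checks previously spelled out in this file now come from common-account, so cron's behaviour toward LDAP users is defined there.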
#
# We deny any pam calls not explicitely allowed elsewhere.
-auth required pam_deny
-account required pam_deny
-session required pam_deny
-password required pam_deny
+auth required pam_deny.so
+account required pam_deny.so
+session required pam_deny.so
+password required pam_deny.so
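Review bot: The module name fix is right, but the comment introducing these lines still reads "explicitely" and could be corrected to "explicitly" in the same change. Since this is the fallback stack, a one-line note such as `# 'other' is consulted only by services without their own file in /etc/pam.d.` would make clear why all four management groups deny here.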
# This allows root to su without passwords (normal operation)
auth sufficient pam_rootok.so
+@include common-account
+@include common-session
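Review bot: Including common-account here means an su to an LDAP user is now subject to pam_ldap's host-attribute check and to the `default=bad` handling of an unreachable LDAP server, which can make root's su to such accounts fail during an outage; a short comment stating that this is intended would help. The lines between `pam_rootok.so` and these includes (presumably `@include common-auth`) are outside the hunk, so whether the auth stack matches the new account and session handling cannot be checked from here.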