pam: Add complete configuration.

[matthijs/servers/tika.git] / etc / pam.d / common-account

diff --git a/etc/pam.d/common-account b/etc/pam.d/common-account
new file mode 100644 (file)
index 0000000..cc1157f
--- /dev/null
+++ b/etc/pam.d/common-account
@@ -0,0 +1,17 @@
+#
+# /etc/pam.d/common-account - authorization settings common to all services
+#
+# This file is included from other service-specific PAM config files.
+
+# pam_unix does general checks based on NSS info, so it also works for both
+# local and ldap users.
+account                required        pam_unix.so
+
+# pam_ldap does additional checks (in particular checking the host ldap
+# attribute). Passing minimum_uid makes it work only for non-local users
+# (checking this based on the uid is not really elegant, but there is no
+# perfect way to do this anyway). We pass ignore_unknown_user to make the
+# module return 'ignore' instead of 'user_unknown' for local users, which gets
+# handled by 'required' properly (without having to specify a verbose custom
+# thing).
+account                required        pam_ldap.so ignore_unknown_user minimum_uid=1000