@%@UCRWARNING=# @%@

password requisite         pam_pwquality.so
@!@
PAM = [
    ('unix', 'password %(action)s  pam_unix.so obscure yescrypt try_first_pass use_authtok'),
    ('krb5', 'password %(action)s  pam_krb5.so try_first_pass use_authtok minimum_uid=%(krb5_minimum_uid)d %(ticket_after_pwchange)s'),
    # ('ldap', 'password %(action)s  pam_sss.so try_first_pass use_authtok'),
    ('winbind', 'password %(action)s  pam_winbind.so try_first_pass use_authtok'),
]

krb5_minimum_uid = int(configRegistry.get('pam/krb5/minimum_uid', 1000))
ticket_after_pwchange = 'ticket_after_pwchange' if configRegistry.is_true('pam/krb5/ticket_after_pwchange') else ''
methods = set(configRegistry.get('auth/methods', '').split(' '))
methods.add('unix')
pam = [template for method, template in PAM if method in methods]
for i, template in enumerate(pam):
    print(template.strip() % {
        'action': '[success=%d default=ignore]' % (len(pam) - i),
        'krb5_minimum_uid': krb5_minimum_uid,
        'ticket_after_pwchange': ticket_after_pwchange,
    })
@!@
# here's the fallback if no module succeeds
password requisite          pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required          pam_permit.so
