#!/bin/bash
main () {
	setup_var
	setup_ucr ldap krb5 unix cache winbind
	gen_common

	check account '[success=done new_authtok_reqd=done acct_expired=bad default=ignore]' pam_unix.so
	check account 'sufficient' pam_krb5.so
	check account 'sufficient' pam_sss.so
	check account 'sufficient' pam_winbind.so

	check auth 'requisite' pam_nologin.so
	check auth 'sufficient' pam_unix.so
	check auth '[success=2 new_authtok_reqd=ok user_unknown=ignore service_err=3 authinfo_unavail=3 default=ignore]' pam_krb5.so 'use_first_pass'
	check auth '[success=1 new_authtok_reqd=ok user_unknown=ignore service_err=2 authinfo_unavail=2 default=ignore]' pam_sss.so 'use_first_pass'
	check auth '[success=ok new_authtok_reqd=ok user_unknown=die service_err=1 authinfo_unavail=1 default=die]' pam_winbind.so use_first_pass
	check auth 'required' pam_env.so

	check session 'required' pam_unix.so
	check session 'optional' pam_winbind.so
	check session 'optional' pam_krb5.so
	check session 'required' pam_limits.so

	check password 'requisite' pam_pwquality.so
	check password '[success=3 default=ignore]' pam_unix.so 'obscure sha512 try_first_pass use_authtok'
	check password '[success=2 default=ignore]' pam_krb5.so 'try_first_pass use_authtok'
	check password '[success=1 default=ignore]' pam_winbind.so 'try_first_pass use_authtok'
	check password 'requisite' pam_deny.so
	check password 'required' pam_permit.so
}
. "${0%/*}/common.sh" || exit 1
