#
# Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
#
# PAM configuration file for authenticating users through Kerberos as a
# first choice, LDAP as a second choice, and then Unix password-based login 
# only if both Kerberos and LDAP authentication fails.  Account management
# is done using the same ordering as well: Kerberos, LDAP, Unix.
#
# Authentication management
#
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login	auth required		pam_dial_auth.so.1
login   auth sufficient         pam_krb5.so.1
login   auth binding		pam_unix_auth.so.1 server_policy
login   auth sufficient         pam_ldap.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin	auth sufficient		pam_rhosts_auth.so.1
rlogin	auth requisite          pam_authtok_get.so.1
rlogin	auth required           pam_dhkeys.so.1
rlogin	auth required           pam_unix_cred.so.1
rlogin	auth sufficient         pam_krb5.so.1
rlogin	auth binding		pam_unix_auth.so.1 server_policy
rlogin	auth sufficient         pam_ldap.so.1
#
# Kerberized rlogin service
#
krlogin	auth required		pam_unix_cred.so.1
krlogin	auth required		pam_krb5.so.1
#
# rsh service (explicit because of pam_rhost_auth)
#  
rsh	auth sufficient		pam_rhosts_auth.so.1
rsh	auth required		pam_unix_cred.so.1
#
# Kerberized rsh service
#   
krsh	auth required		pam_unix_cred.so.1
krsh	auth required		pam_krb5.so.1
#
# Kerberized telnet service
#
ktelnet	auth required		pam_unix_cred.so.1
ktelnet	auth required		pam_krb5.so.1
#
# PPP service (explicit because of pam_dial_auth)
#  
ppp	auth requisite          pam_authtok_get.so.1
ppp	auth required           pam_dhkeys.so.1
ppp	auth required           pam_unix_cred.so.1
ppp	auth required		pam_dial_auth.so.1
ppp	auth sufficient         pam_krb5.so.1
ppp	auth binding		pam_unix_auth.so.1 server_policy
ppp	auth sufficient         pam_ldap.so.1
#
# GDM Autologin (explicit because of pam_allow).  These need to be
# here as there is no mechanism for packages to amend pam.conf as
# they are installed.
#
gdm-autologin auth  required	pam_unix_cred.so.1
gdm-autologin auth  sufficient	pam_allow.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth sufficient         pam_krb5.so.1
other   auth binding		pam_unix_auth.so.1 server_policy
other   auth sufficient         pam_ldap.so.1
#
# Account management
#
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1 server_policy
other	account required	pam_tsol_account.so.1
other   account sufficient	pam_krb5.so.1
other   account sufficient	pam_ldap.so.1
#
# Password management (authentication)
#
passwd	auth	binding		pam_passwd_auth.so.1 server_policy
passwd	auth	sufficient	pam_ldap.so.1
#
# Password management (updates)
#
other   password include	pam_authtok_common
other   password required	pam_authtok_store.so.1 server_policy
other   password optional	pam_krb5.so.1
#
# Session management
#
other   session required        pam_unix_session.so.1
#
# Account management for Trusted Extensions (TX)
# These entries are required for TX environments since these services
# run in the Trusted Path and pam_tsol_account(5) isn't applicable to
# PAM sessions which run in the Trusted Path.
#
gdm		account	requisite	pam_roles.so.1
gdm		account	required	pam_unix_account.so.1 server_policy
gdm		account sufficient	pam_krb5.so.1
gdm		account sufficient	pam_ldap.so.1
xscreensaver	account	requisite	pam_roles.so.1
xscreensaver	account	required	pam_unix_account.so.1 server_policy
xscreensaver	account sufficient	pam_krb5.so.1
xscreensaver	account sufficient	pam_ldap.so.1
passwd		account	requisite	pam_roles.so.1
passwd		account	required	pam_unix_account.so.1 server_policy
passwd		account sufficient	pam_krb5.so.1
passwd		account sufficient	pam_ldap.so.1
dtpasswd	account	requisite	pam_roles.so.1
dtpasswd	account	required	pam_unix_account.so.1 server_policy
dtpasswd	account sufficient	pam_krb5.so.1
dtpasswd	account sufficient	pam_ldap.so.1
tsoljds-tstripe	account	requisite	pam_roles.so.1
tsoljds-tstripe	account	required	pam_unix_account.so.1 server_policy
tsoljds-tstripe	account sufficient	pam_krb5.so.1
tsoljds-tstripe	account sufficient	pam_ldap.so.1