@%@UCRWARNING=# @%@

@!@
if configRegistry.is_true('auth/faillog', False):
    print('account	required	pam_tally.so')
@!@

# local unix authentication; deny access if account is expired
account [success=done new_authtok_reqd=done acct_expired=bad default=ignore]    pam_unix.so

# remote authentication; if a service
# - isn't aware of the user, proceed with the next service
@!@
minimum_uid = int(configRegistry.get('pam/krb5/minimum_uid', 1000))
pam_krb5 = '''
account  <action>                         pam_krb5.so minimum_uid=%d''' % (minimum_uid,)
pam_ldap = '''
account  <action>                         pam_ldap.so'''
pam_winbind = '''
account  <action>                         pam_winbind.so'''


def pam_section(template, index):
    action = 'required  ' if index <= 1 else 'sufficient'
    return template.replace('<action>', action)


methods = set(configRegistry['auth/methods'].split(' ')) & {'krb5', 'ldap', 'winbind'}
index = len(methods)

if 'krb5' in methods:
    print(pam_section(pam_krb5, index))
    index -= 1
if 'ldap' in methods:
    print(pam_section(pam_ldap, index))
    index -= 1
if 'winbind' in methods:
    print(pam_section(pam_winbind, index))
@!@
