@!@
minimum_uid = int(configRegistry.get('pam/krb5/minimum_uid', 1000))
pam_krb5 = '''
auth     [success=<succ> new_authtok_reqd=ok \
         user_unknown=<unknown> \
         service_err=<unavail> authinfo_unavail=<unavail> \
         default=<unknown>]                         pam_krb5.so use_first_pass minimum_uid=%d''' % (minimum_uid,)
pam_ldap = '''
auth     [success=<succ> new_authtok_reqd=ok \
         user_unknown=<unknown> \
         service_err=<unavail> authinfo_unavail=<unavail> \
         default=<unknown>]                         pam_ldap.so use_first_pass'''
pam_winbind = '''
auth     [success=<succ> new_authtok_reqd=ok \
         user_unknown=<unknown> \
         service_err=<unavail> authinfo_unavail=<unavail> \
         default=<unknown>]                         pam_winbind.so use_first_pass'''


def pam_section(template, last):
    succ = 'done'
    unavail = 'die'
    fail = 'die'
    unknown = 'die' if last else 'ignore'

    return template.replace('<succ>', succ).replace('<unavail>', unavail).replace('<fail>', fail).replace('<unknown>', unknown)


methods = [x for x in configRegistry['auth/methods'].split(' ') if x in ['krb5', 'ldap', 'winbind']]

# if no other authentication mechanism but unix is active it is required
if not methods:
    print('''# local unix authentication
auth     required                         pam_unix.so''')
else:
    print('''# local unix authentication
auth     sufficient                           pam_unix.so''')

print('''
# remote authentication; if a service
# - is not aware of the user, proceed with the next service''')

if 'krb5' in methods:
    last = 'ldap' not in methods and 'winbind' not in methods
    print(pam_section(pam_krb5, last))
if 'ldap' in methods:
    last = 'winbind' not in methods
    print(pam_section(pam_ldap, last))
if 'winbind' in methods:
    print(pam_section(pam_winbind, True))
@!@
