#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

################# StarlingX Cloud Password Rules #######################
# Enforce a password containing atleast 1 lower case, 1 upper case,   #
# 1 digit and 1 special character. Such a password will have a        #
# minimum length of 7 characters. A user may not re-use the last most #
# recent password and every password must differ from its previous    #
# one by atleast 3 characters                                         # 
# - Added enforce_for_root for pam_pwquality.so             #
#######################################################################

password    requisite     pam_pwquality.so try_first_pass retry=3 authtok_type= difok=3 minlen=7 lcredit=-1 ucredit=-1 ocredit=-1 dcredit=-1 enforce_for_root debug
password    requisite     pam_pwhistory.so use_authtok enforce_for_root remember=2

password    [success=2 default=ignore]      pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    [success=1 default=ignore]      pam_ldap.so use_authtok

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so