config-files/pam-config/files/system-auth.pamd

#%PAM-1.0
auth        requisite     pam_access.so
auth        requisite     pam_tally2.so deny=5 lock_time=3 unlock_time=300 audit
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_tally2.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

################# StarlingX Cloud Password Rules ######################
# Enforce a password containing atleast 1 lower case, 1 upper case,   #
# 1 digit and 1 special character. Such a password will have a        #
# minimum length of 7 characters. A user may not re-use the last most #
# recent password and every password must differ from its previous    #
# one by at least 3 characters                                        #
# - Added enforce_for_root for pam_pwquality.so                       #
#######################################################################

password    requisite     pam_pwquality.so try_first_pass retry=3 authtok_type= difok=3 minlen=7 lcredit=-1 ucredit=-1 ocredit=-1 dcredit=-1 enforce_for_root debug
password    requisite     pam_pwhistory.so use_authtok enforce_for_root remember=2

password    [success=2 default=ignore]      pam_unix.so sha512 shadow try_first_pass use_authtok
password    [success=1 default=ignore]      pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so