#%PAM-1.0 -*- mode: conf-space; tab-width: 10 -*-
#
# Account-management stack. Accounts found by pam_localuser are checked by
# pam_systemd_home / pam_unix; every other account is checked by pam_kanidm.
#
# Control flow is built from relative jumps: [success=N] / [default=N] skip the
# next N lines of this stack. Each count below is therefore tied to the exact
# line order. When a line is inserted, removed or reordered, recount every jump
# above it: a count that is off by one can land a failed check on pam_permit
# instead of pam_deny.

# Local users are not checked against Kanidm: success skips the pam_kanidm
# line, anything else falls through to it.
# NOTE(review): pam_localuser looks the user up in /etc/passwd by default, so an
# account that exists only through NSS would take the Kanidm branch and end at
# pam_deny when pam_kanidm does not succeed -- confirm that is intended.
account [success=1 default=ignore] pam_localuser.so
# When Kanidm fails, jump straight to the deny line. We already know we're not a local user, so this is fine.
# success=3 skips pam_systemd_home, pam_unix and pam_deny (lands on pam_permit).
# default=2 skips pam_systemd_home and pam_unix (lands on pam_deny).
account [success=3 default=2] pam_kanidm.so
# The leading "-" keeps PAM from logging an error when the module is not
# installed. success=2 skips pam_unix and pam_deny (lands on pam_permit).
# NOTE(review): the jump counts above assume this line still occupies a slot in
# the stack on hosts without pam_systemd_home -- verify on such a host.
-account [success=2 default=ignore] pam_systemd_home.so
# success=1 skips pam_deny; any other result falls through to it.
account [success=1 default=ignore] pam_unix.so
# If any of the above account lines fail, they'll jump here, which kills the authorization attempt.
# pam_kanidm reaches this line by its default=2 jump, pam_unix by falling
# through. default=die ends the stack with a failure, so the two lines below
# are not evaluated for a denied account.
account [default=die] pam_deny.so
# Landing line for the success jumps above.
account optional pam_permit.so
# Runs for every account that was not stopped at pam_deny; being "required",
# a failure here still fails the stack.
account required pam_time.so