#%PAM-1.0

auth    required    pam_faillock.so preauth
auth    sufficient  pam_kanidm.so
-auth   [success=2 default=ignore]  pam_systemd_home.so
auth    [success=1 default=bad] pam_unix.so try_first_pass
auth    [default=die]   pam_faillock.so authfail
auth    optional    pam_permit.so
auth    required    pam_env.so
auth    required    pam_faillock.so authsucc

account sufficient  pam_kanidm.so
-account    [success=1 default=ignore]  pam_systemd_home.so
account required    pam_unix.so
account optional    pam_permit.so
account required    pam_time.so

password    sufficient  pam_kanidm.so
-password   [success=1 default=ignore]  pam_systemd_home.so
password    required    pam_unix.so try_first_pass shadow
password    optional    pam_permit.so

-session    optional    pam_systemd_home.so
session required    pam_limits.so
session required    pam_unix.so
session optional    pam_kanidm.so
session optional    pam_permit.so