# -*- mode: python; coding: utf-8 -*-

include("pam")

header("""
/etc/pam.d/common-session - session-related modules common to all services

This file is included from other service-specific PAM config files,
and should contain a list of modules that define tasks to be performed
at the start and end of sessions of *any* kind (both interactive and
non-interactive).

As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
To take advantage of this, it is recommended that you configure any
local modules either before or after the default block, and use
pam-auth-update to manage selection of other modules.  See
pam-auth-update(8) for details.
""")

if True: # TODO get rid of @
    @# here are the per-package modules (the "Primary" block)
    @session        [default=1]                     pam_permit.so
    @# here's the fallback if no module succeeds
    @session requisite                       pam_deny.so
    @# prime the stack with a positive return value if there isn't one already;
    @# this avoids us returning an error just because nothing sets a success code
    @# since the modules above will each just jump around
    @session required                        pam_permit.so
    @# and here are more per-package modules (the "Additional" block)
    @session        required                        pam_unix.so 
    if has('ldap'):
        out("session        [success=ok default=ignore]     %s minimum_uid=500" % (pam_module,))
    if has("jessie"):
        out("session        optional                        pam_systemd.so")
    if has("vo"):
        out("session        optional                        pam_ck_connector.so nox11")
    @# end of pam-auth-update config