#%PAM-1.0
auth     sufficient	pam_tcb.so shadow fork prefix=$2a$ count=8 nullok use_first_pass
auth     requisite	pam_succeed_if.so uid >= 500 quiet
auth     required	pam_ldap.so use_first_pass

password sufficient	pam_tcb.so use_authtok shadow fork prefix=$2a$ count=8 nullok write_to=tcb
password requisite	pam_succeed_if.so uid >= 500 quiet
password required	pam_ldap.so use_authtok
