2 files changed, 22 insertions, 0 deletions

diff --git a/meta-ampere/meta-common/recipes-extended/pam/libpam/pam.d/common-auth b/meta-ampere/meta-common/recipes-extended/pam/libpam/pam.d/common-auth
new file mode 100644
index 0000000000..c79219f24d
--- /dev/null
+++ b/meta-ampere/meta-common/recipes-extended/pam/libpam/pam.d/common-auth
@@ -0,0 +1,21 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
+# traditional Unix authentication mechanisms.
+
+# here are the per-package modules (the "Primary" block)
+auth	[success=ok user_unknown=ignore default=2]	pam_tally2.so deny=5 unlock_time=0
+# Try for local user first, and then try for ldap
+auth	[success=2 default=ignore]	pam_unix.so quiet
+-auth    [success=1 default=ignore]  	pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
+# here's the fallback if no module succeeds
+auth	requisite			pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth	required			pam_permit.so
+# and here are more per-package modules (the "Additional" block)
diff --git a/meta-ampere/meta-common/recipes-extended/pam/libpam_%.bbappend b/meta-ampere/meta-common/recipes-extended/pam/libpam_%.bbappend
index 4ede0332eb..ad820d162f 100644
--- a/meta-ampere/meta-common/recipes-extended/pam/libpam_%.bbappend
+++ b/meta-ampere/meta-common/recipes-extended/pam/libpam_%.bbappend
@@ -1,4 +1,5 @@
 FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
 
 SRC_URI += " file://pam.d/common-password \
+	     file://pam.d/common-auth \
             "