LDAPでsshログインするときのCentOS6用設定とCentOS7用設定の差分

ldap_centos6_7.diff

--- modules/ldap/files/password-auth-ac
+++ modules/ldap/files/password-auth-ac
@@ -3,24 +3,25 @@
 # User changes will be destroyed the next time authconfig is run.
 auth        required      pam_env.so
 auth        sufficient    pam_unix.so nullok try_first_pass
-auth        requisite     pam_succeed_if.so uid >= 500 quiet
+auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
 auth        sufficient    pam_ldap.so use_first_pass
 auth        required      pam_deny.so

 account     required      pam_unix.so broken_shadow
 account     sufficient    pam_localuser.so
-account     sufficient    pam_succeed_if.so uid < 500 quiet
+account     sufficient    pam_succeed_if.so uid < 1000 quiet
 account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
 account     required      pam_permit.so

-password    requisite     pam_cracklib.so try_first_pass retry=3 type=
-password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
+password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
 password    sufficient    pam_ldap.so use_authtok
 password    required      pam_deny.so

 session     optional      pam_keyinit.so revoke
 session     required      pam_limits.so
 session     optional      pam_mkhomedir.so skel=/etc/skel umask=0077
+-session     optional      pam_systemd.so
 session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session     required      pam_unix.so
 session     optional      pam_ldap.so
diff --git modules/ldap/files/system-auth-ac modules/ldap/files/system-auth-ac
index b6c3e54..d54770f 100644
--- modules/ldap/files/system-auth-ac
+++ modules/ldap/files/system-auth-ac
@@ -3,24 +3,25 @@
 # User changes will be destroyed the next time authconfig is run.
 auth        required      pam_env.so
 auth        sufficient    pam_unix.so nullok try_first_pass
-auth        requisite     pam_succeed_if.so uid >= 500 quiet
+auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
 auth        sufficient    pam_ldap.so use_first_pass
 auth        required      pam_deny.so

 account     required      pam_unix.so broken_shadow
 account     sufficient    pam_localuser.so
-account     sufficient    pam_succeed_if.so uid < 500 quiet
+account     sufficient    pam_succeed_if.so uid < 1000 quiet
 account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
 account     required      pam_permit.so

-password    requisite     pam_cracklib.so try_first_pass retry=3 type=
-password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
+password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
 password    sufficient    pam_ldap.so use_authtok
 password    required      pam_deny.so

 session     optional      pam_keyinit.so revoke
 session     required      pam_limits.so
 session     optional      pam_mkhomedir.so skel=/etc/skel umask=0077
+-session     optional      pam_systemd.so
 session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session     required      pam_unix.so
 session     optional      pam_ldap.so

pam_succeed_if.so の部分はそんなに関係無いと思うけど