kanidm/unix_integration/pam_kanidm/debian/kanidm.pam

Name: Kanidm Authentication
Default: yes
Priority: 128

Auth-Type: Primary
Auth:
  [success=end new_authtok_reqd=done default=ignore]    pam_kanidm.so ignore_unknown_user use_first_pass

Account-Type: Primary
Account:
  [success=end new_authtok_reqd=done default=ignore]    pam_kanidm.so ignore_unknown_user

Session-Type: Additional
Session:
  optional      pam_kanidm.so

Password-Type: Additional
Password:
  optional      pam_kanidm.so