The description below covers the case of authenticating only against RSBAC.
First read the handbook howtos on user management
and on migrating users and groups to RSBAC management.
Point 9 is valid for a Debian system. On Gentoo, the main file to edit is '/etc/pam.d/system-auth'.
Content of /etc/pam.d/system-auth:

auth      required  pam_env.so
auth      required  pam_unix.so try_first_pass likeauth nullok
auth      optional  pam_permit.so
account   required  pam_unix.so
account   optional  pam_permit.so
password  required  pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password  required  pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password  optional  pam_permit.so
session   required  pam_limits.so
session   required  pam_env.so
session   required  pam_unix.so
session   optional  pam_permit.so
To activate the UM, replace every pam_unix.so with pam_rsbac.so.
Attention: do this only after all migration tasks have been completed.
The following content allows authentication against RSBAC only:

auth      required  pam_env.so
auth      required  pam_rsbac.so
auth      optional  pam_permit.so
account   required  pam_rsbac.so
account   optional  pam_permit.so
password  required  pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password  required  pam_rsbac.so
password  optional  pam_permit.so
session   required  pam_limits.so
session   required  pam_env.so
session   required  pam_rsbac.so
session   optional  pam_permit.so
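
The replacement step above, as an added example that is not part of the original page: it rewrites a PAM stack read from stdin and then checks that no active pam_unix.so line is left before the file goes live. The function names and the sample input are assumptions made for this example, and the requirement that all four management groups use pam_rsbac.so mirrors the listing above.

```shell
# Added example (not from the original page): convert and verify a PAM stack.

# Constructed sample: lines taken from the first listing above.
sample_system_auth() {
    cat <<'EOF'
auth     required pam_env.so
auth     required pam_unix.so try_first_pass likeauth nullok
account  required pam_unix.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
session  required pam_limits.so
session  required pam_unix.so
EOF
}

# stdin -> stdout. Replace pam_unix.so with pam_rsbac.so and drop the
# pam_unix-specific arguments, as the second listing does. Comments and
# all other lines pass through unchanged.
convert_pam() {
    awk '
        /^[ \t]*#/ { print; next }
        {
            for (i = 3; i <= NF; i++)
                if ($i == "pam_unix.so") {
                    out = $1
                    for (j = 2; j < i; j++) out = out " " $j
                    print out " pam_rsbac.so"
                    next
                }
            print
        }'
}

# stdin -> exit status. Succeeds only if no active line still names
# pam_unix.so and auth, account, password and session each use pam_rsbac.so.
check_pam() {
    awk '
        /^[ \t]*#/      { next }
        /pam_unix\.so/  { left++ }
        /pam_rsbac\.so/ { seen[$1] = 1 }
        END {
            n = split("auth account password session", g, " ")
            for (i = 1; i <= n; i++)
                if (!seen[g[i]]) { print "no pam_rsbac.so line for " g[i]; bad = 1 }
            if (left) { print left " pam_unix.so line(s) remain"; bad = 1 }
            exit bad + 0
        }'
}

sample_system_auth | convert_pam | check_pam && echo "stack uses pam_rsbac.so only"
```

Run convert_pam on a copy of /etc/pam.d/system-auth and keep a root session open until a fresh login has succeeded with the new stack.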

To switch over to RSBAC UM completely, read Switch over.