[CentOS] Active Directory, sssd and pam_cracklib?

Thu Mar 13 11:26:57 UTC 2014
James Pearson <james-p at moving-picture.com>

I'm in the process of testing out sssd on a CentOS 6 install using 
Active Directory for user authentication via sssd

All appears to be working fine - however, when I change a user password 
using 'passwd' (or at login when the account has expired etc), it 
appears pam_cracklib is being over-zealous with the new password 
requirements

Active Directory is set up with a password policy - but pam_cracklib 
(and may be other PAM modules?) have stronger password policies

So, I would like passwd to use the AD password requirements - and ignore 
any pam_cracklib requirements

The password settings in the system-auth and password-auth PAM config 
files are (as generated by authconfig):

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok 
try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

If I comment out the pam_cracklib line (and remove 'use_authtok' from 
the other lines) - it appears to do what I want - but doesn't seem 
'correct' to me - i.e. what would happen if there were any local users 
defined on the system?

Does anyone have any suggestions on how PAM should be configured to 
allow password changes to 'honour' the Active Directory password policy 
requirements - but still impose requirements on non-AD users?

Thanks

James Pearson