  • Password hardening using PAM

    Hi

    We have a requirement to validate/enforce password policy by the group to which the user belongs.

    The obvious way to do this seems to be to use PAM, but I cannot find anything that illustrates the syntax required.

    In detail, we have split users into three groups, each one having a specific length and complexity requirement. We have looked into the requirement and come up with what we thought was the correct syntax, but we get the standard "Authentication token manipulation error".

    The syntax we tried was:

    password [success=4 default=ignore] pam_succeed_if.so user ingroup wheel
    password [success=8 default=ignore] pam_succeed_if.so user ingroup generic
    password requisite pam_cracklib.so try_first_pass retry=3 minlen=12 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 maxrepeat=1 type=
    password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password required pam_deny.so

    password requisite pam_cracklib.so try_first_pass retry=3 minlen=16 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 maxrepeat=1 type=
    password sufficient pam_unix.so sha512 shadow nullok try_first_pass # use_authtok
    password required pam_deny.so

    password requisite pam_cracklib.so try_first_pass retry=3 minlen=24 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 maxrepeat=1 type=
    password sufficient pam_unix.so sha512 shadow nullok try_first_pass # use_authtok
    password required pam_deny.so

    I'm guessing it's something quite simple but I have been unable to find it :(

    Any suggestions would be greatly appreciated.

    Greg
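
Added example (not part of the post above and not Red Hat code): a small Python check that works out which module each `success=N` jump in the posted stack lands on. It assumes the Linux-PAM rule that `N` skips the next N modules of the same management group, with blank lines and `#` comments not counted; the stack is copied from the post with the pam_cracklib credit arguments shortened.

```python
import re

# Password stack from the post (pam_cracklib credit arguments shortened).
STACK = """\
password [success=4 default=ignore] pam_succeed_if.so user ingroup wheel
password [success=8 default=ignore] pam_succeed_if.so user ingroup generic
password requisite pam_cracklib.so try_first_pass retry=3 minlen=12
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so

password requisite pam_cracklib.so try_first_pass retry=3 minlen=16
password sufficient pam_unix.so sha512 shadow nullok try_first_pass # use_authtok
password required pam_deny.so

password requisite pam_cracklib.so try_first_pass retry=3 minlen=24
password sufficient pam_unix.so sha512 shadow nullok try_first_pass # use_authtok
password required pam_deny.so
"""

# type, control (simple keyword or [bracketed list]), module, arguments
ENTRY = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_stack(text, mgmt="password"):
    """Return the modules of one management group, in stack order."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment, even mid-line
        m = ENTRY.match(line)
        if m and m.group(1) == mgmt:
            entries.append({"line": lineno, "control": m.group(2),
                            "module": m.group(3), "args": m.group(4).split()})
    return entries

def jump_targets(entries):
    """For every value=N action, report the module that runs after the jump."""
    report = []
    for i, e in enumerate(entries):
        for value, n in re.findall(r"(\w+)=(\d+)", e["control"]):
            j = i + 1 + int(n)  # skip the next N modules
            target = entries[j] if j < len(entries) else None
            report.append((e["line"], " ".join(e["args"]), value, int(n), target))
    return report

if __name__ == "__main__":
    for line, cond, value, n, t in jump_targets(parse_stack(STACK)):
        where = f"line {t['line']}: {t['module']} {' '.join(t['args'])}" if t else "end of stack"
        print(f"line {line} ({cond}) {value}={n} -> {where}")
```

Run against the posted stack, it reports the `ingroup wheel` jump landing on the `minlen=16` pam_cracklib line and the `ingroup generic` jump landing on the final `pam_deny.so` line. It also shows that the trailing `# use_authtok` in the second and third blocks is parsed as a comment, so those pam_unix lines run without that option.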
