ilyakooo0/nixpkgs
1
0
Fork 0
mirror of https://github.com/ilyakooo0/nixpkgs.git synced 2024-09-21 20:49:52 +03:00
Code Issues Projects Releases Wiki Activity

Update sssd integration with pam as documented by RedHat

Browse Source
This commit is contained in:
Assassinkin 2017-11-22 18:07:04 +01:00
parent e0779e6aed
commit de67f50351
1 changed files with 9 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
nixos/modules/security/pam.nix
View File

@ -222,6 +222,11 @@ let
password, KDE will prompt separately after login. password, KDE will prompt separately after login.
''; '';
}; };
sssdStrictAccess = mkOption {
default = false;
type = types.bool;
description = "enforce sssd access control";
};
text = mkOption { text = mkOption {
type = types.nullOr types.lines; type = types.nullOr types.lines;
@ -241,11 +246,13 @@ let
text = mkDefault text = mkDefault
('' (''
# Account management. # Account management.
account sufficient pam_unix.so account ${if cfg.sssdStrictAccess then "required" else "sufficient"} pam_unix.so
${optionalString use_ldap ${optionalString use_ldap
"account sufficient ${pam_ldap}/lib/security/pam_ldap.so"} "account sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
${optionalString config.services.sssd.enable ${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false)
"account sufficient ${pkgs.sssd}/lib/security/pam_sss.so"} "account sufficient ${pkgs.sssd}/lib/security/pam_sss.so"}
${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess)
"account [default=bad success=ok user_unknown=ignore] ${pkgs.sssd}/lib/security/pam_sss.so"}
${optionalString config.krb5.enable ${optionalString config.krb5.enable
"account sufficient ${pam_krb5}/lib/security/pam_krb5.so"} "account sufficient ${pam_krb5}/lib/security/pam_krb5.so"}