Update sssd integration with pam as documented by RedHat
parent
e0779e6aed
commit
de67f50351
@ -222,6 +222,11 @@ let
|
|||||||
password, KDE will prompt separately after login.
|
password, KDE will prompt separately after login.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
sssdStrictAccess = mkOption {
|
||||||
|
default = false;
|
||||||
|
type = types.bool;
|
||||||
|
description = "enforce sssd access control";
|
||||||
|
};
|
||||||
|
|
||||||
text = mkOption {
|
text = mkOption {
|
||||||
type = types.nullOr types.lines;
|
type = types.nullOr types.lines;
|
||||||
@ -241,11 +246,13 @@ let
|
|||||||
text = mkDefault
|
text = mkDefault
|
||||||
(''
|
(''
|
||||||
# Account management.
|
# Account management.
|
||||||
account sufficient pam_unix.so
|
account ${if cfg.sssdStrictAccess then "required" else "sufficient"} pam_unix.so
|
||||||
${optionalString use_ldap
|
${optionalString use_ldap
|
||||||
"account sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
|
"account sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
|
||||||
${optionalString config.services.sssd.enable
|
${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false)
|
||||||
"account sufficient ${pkgs.sssd}/lib/security/pam_sss.so"}
|
"account sufficient ${pkgs.sssd}/lib/security/pam_sss.so"}
|
||||||
|
${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess)
|
||||||
|
"account [default=bad success=ok user_unknown=ignore] ${pkgs.sssd}/lib/security/pam_sss.so"}
|
||||||
${optionalString config.krb5.enable
|
${optionalString config.krb5.enable
|
||||||
"account sufficient ${pam_krb5}/lib/security/pam_krb5.so"}
|
"account sufficient ${pam_krb5}/lib/security/pam_krb5.so"}
|
||||||
|
|
||||||
|
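Review bot: In strict mode the new `account [default=bad success=ok user_unknown=ignore] … pam_sss.so` line is emitted after the `account sufficient … pam_ldap.so` line, so on a service where `use_ldap` is also true a pam_ldap success can end the account stack before pam_sss is consulted, and the SSSD access decision is skipped for those users. Emitting the strict pam_sss entry directly after the pam_unix line, ahead of the `use_ldap` entry, would keep the check mandatory. The switch of pam_unix to `required` is keyed on `cfg.sssdStrictAccess` alone, so it also applies when `config.services.sssd.enable` is false; either use `if config.services.sssd.enable && cfg.sssdStrictAccess then "required" else "sufficient"` or say so in the option description, which currently reads only "enforce sssd access control". `cfg.sssdStrictAccess==false` is more idiomatic as `!cfg.sssdStrictAccess`. The `text = mkDefault (''` string continues past the end of the hunk, so the remainder of the stack is not visible here.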