authorMarkus Mueller <john.subscriber@markus.institute>2016-07-18 13:20:21 +0000
committerFranz Pletz <fpletz@fnordicwalking.de>2016-08-23 21:12:51 +0200
commite04c3506eb24eb6e08d0938cc469aa140b4ea165 (patch)
tree14c8cafa9f60ba214919fa0579b107de0c606e02
parent415e1983ca650777d476d39de1db61a9e9877621 (diff)
ldap: Add option for login PAM integration
-rw-r--r--nixos/modules/config/ldap.nix6
-rw-r--r--nixos/modules/security/pam.nix9
2 files changed, 11 insertions, 4 deletions
diff --git a/nixos/modules/config/ldap.nix b/nixos/modules/config/ldap.nix
index 7064ef64b4c8..7cbcc39412ea 100644
--- a/nixos/modules/config/ldap.nix
+++ b/nixos/modules/config/ldap.nix
@@ -62,6 +62,12 @@ in
         description = "Whether to enable authentication against an LDAP server.";
       };
 
+      loginPam = mkOption {
+        type = types.bool;
+        default = true;
+        description = "Whether to include authentication against LDAP in login PAM";
+      };
+
       server = mkOption {
         example = "ldap://ldap.example.org/";
         description = "The URL of the LDAP server.";
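Review bot: The new `loginPam` description is missing its terminating period and does not say which PAM stacks the flag controls, while the sibling `enable` description at the top of the hunk ends with one and is specific. Suggest `description = "Whether to include authentication against LDAP in the login PAM stacks (account, auth, password and session via pam_ldap).";`, the stack list being taken from the pam.nix hunks in this same commit. Since the default is `true`, a sentence noting that setting it to `false` keeps `users.ldap.enable` in effect for everything except PAM would tell an operator what they are turning off. The enclosing `options.users.ldap` attribute set starts and ends outside the hunk.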
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 231a1890e0c0..77815cd6dcc1 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -221,7 +221,7 @@ let
         (''
           # Account management.
           account sufficient pam_unix.so
-          ${optionalString config.users.ldap.enable
+          ${optionalString use_ldap
               "account sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
           ${optionalString config.krb5.enable
               "account sufficient ${pam_krb5}/lib/security/pam_krb5.so"}
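Review bot: The new `use_ldap` binding is snake_case, whereas the other derived booleans this file reads in the neighbouring hunks are camelCase (`cfg.pamMount`, `cfg.oathAuth`, `config.security.pam.enableEcryptfs`); the snake_case locals `pam_ldap` and `pam_krb5` appear to mirror package names, which this flag does not. `useLdap` would match, here and in the auth, password, session and `let` hunks below that make the same substitution. The `use_ldap` value is bound in the last hunk after all four uses, which Nix's recursive `let` allows, but the substitution sites give no hint that a second option now gates pam_ldap. The string expression these lines belong to starts and ends outside the hunk.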
@@ -261,7 +261,7 @@ let
               "auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}
           ${let oath = config.security.pam.oath; in optionalString cfg.oathAuth
               "auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"}
-          ${optionalString config.users.ldap.enable
+          ${optionalString use_ldap
               "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"}
           ${optionalString config.krb5.enable ''
             auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
@@ -276,7 +276,7 @@ let
               "password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
           ${optionalString cfg.pamMount
               "password optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
-          ${optionalString config.users.ldap.enable
+          ${optionalString use_ldap
               "password sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
           ${optionalString config.krb5.enable
               "password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass"}
@@ -296,7 +296,7 @@ let
               "session required ${pkgs.pam}/lib/security/pam_lastlog.so silent"}
           ${optionalString config.security.pam.enableEcryptfs
               "session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
-          ${optionalString config.users.ldap.enable
+          ${optionalString use_ldap
               "session optional ${pam_ldap}/lib/security/pam_ldap.so"}
           ${optionalString config.krb5.enable
               "session optional ${pam_krb5}/lib/security/pam_krb5.so"}
@@ -322,6 +322,7 @@ let
 
   inherit (pkgs) pam_krb5 pam_ccreds;
 
+  use_ldap = (config.users.ldap.enable && config.users.ldap.loginPam);
   pam_ldap = if config.users.ldap.daemon.enable then pkgs.nss_pam_ldapd else pkgs.pam_ldap;
 
   # Create a limits.conf(5) file.
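Review bot: The parentheses around the `use_ldap` value are redundant in Nix, and the binding does not say why two options gate one module, even though it now decides whether pam_ldap appears in all four PAM stacks of the generated service files. Suggest `# pam_ldap is only added to the account/auth/password/session stacks when both LDAP and its PAM integration are enabled.` followed by `use_ldap = config.users.ldap.enable && config.users.ldap.loginPam;`. Note that `pam_ldap` on the next line is still selected when `loginPam` is false; that is harmless but a short comment there would stop a reader from assuming the package is in use. The surrounding `let` block begins outside the hunk.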