author | Matthew Justin Bauer <mjbauer95@gmail.com> | 2018-04-21 14:36:47 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-04-21 14:36:47 -0500 |
commit | aeff4242dbf14a1ae86119340ce4c8e438ea18e5 (patch) | |
tree | 056c4c2edd21a90e7c9bcebd470f63213d5f944b /nixos/modules/security/pam.nix | |
parent | d6ab16561de80ccb6d6e6be3abafee647936065e (diff) | |
parent | de67f50351b4e35155b40c341452abbd078ede9a (diff) | |
Merge pull request #31969 from Assassinkin/master
Update sssd integration with pam as documented by RedHat
Diffstat (limited to 'nixos/modules/security/pam.nix')
-rw-r--r-- | nixos/modules/security/pam.nix | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index f2bdfcf885ee..48998285d89d 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -234,6 +234,11 @@ let
           password, KDE will prompt separately after login.
         '';
       };
+      sssdStrictAccess = mkOption {
+        default = false;
+        type = types.bool;
+        description = "enforce sssd access control";
+      };
       enableGnomeKeyring = mkOption {
         default = false;
@@ -264,11 +269,13 @@ let
         text = mkDefault (''
           # Account management.
-          account sufficient pam_unix.so
+          account ${if cfg.sssdStrictAccess then "required" else "sufficient"} pam_unix.so
           ${optionalString use_ldap "account sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
-          ${optionalString config.services.sssd.enable
+          ${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false)
             "account sufficient ${pkgs.sssd}/lib/security/pam_sss.so"}
+          ${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess)
+            "account [default=bad success=ok user_unknown=ignore] ${pkgs.sssd}/lib/security/pam_sss.so"}
           ${optionalString config.krb5.enable "account sufficient ${pam_krb5}/lib/security/pam_krb5.so"} |
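Review bot: The `description` of the new `sssdStrictAccess` option in the first hunk, `enforce sssd access control`, does not say what the option changes, so an administrator cannot tell from the option documentation that it turns pam_unix.so into a `required` account module and moves pam_sss.so from `sufficient` to `[default=bad success=ok user_unknown=ignore]`, nor that it has no effect unless `services.sssd.enable` is set. I would replace it with a multi-line description along the lines of: `Make pam_unix.so a required account module and consult pam_sss.so with [default=bad success=ok user_unknown=ignore], so that a user whom sssd explicitly denies cannot log in while users unknown to sssd fall through to the remaining account modules; only takes effect when services.sssd.enable is true.` The description should also warn that with pam_unix.so `required` an account-phase failure from pam_unix.so (for example an account whose shadow data cannot be read) can no longer be rescued by a later `sufficient` module, which is why the Red Hat stack this mirrors pairs `account required pam_unix.so` with `broken_shadow` — whether that bites here depends on how sssd-provided passwd entries look, which this hunk does not show. The options attribute set these lines belong to begins before the hunk.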