Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/config/ldap.nix | 6 | ||||
-rw-r--r-- | nixos/modules/security/pam.nix | 9 |
2 files changed, 11 insertions, 4 deletions
diff --git a/nixos/modules/config/ldap.nix b/nixos/modules/config/ldap.nix
index 7064ef64b4c8..7cbcc39412ea 100644
--- a/nixos/modules/config/ldap.nix
+++ b/nixos/modules/config/ldap.nix
@@ -62,6 +62,12 @@ in
 description = "Whether to enable authentication against an LDAP server.";
 };
+ loginPam = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Whether to include authentication against LDAP in login PAM";
+ };
+
 server = mkOption {
 example = "ldap://ldap.example.org/";
 description = "The URL of the LDAP server.";
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 231a1890e0c0..77815cd6dcc1 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -221,7 +221,7 @@ let
 (''
 # Account management.
 account sufficient pam_unix.so
- ${optionalString config.users.ldap.enable
+ ${optionalString use_ldap
 "account sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
 ${optionalString config.krb5.enable
 "account sufficient ${pam_krb5}/lib/security/pam_krb5.so"}
@@ -261,7 +261,7 @@ let
 "auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}
 ${let oath = config.security.pam.oath; in optionalString cfg.oathAuth
 "auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"}
- ${optionalString config.users.ldap.enable
+ ${optionalString use_ldap
 "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"}
 ${optionalString config.krb5.enable ''
 auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
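Review bot: The description of the new `loginPam` option is misleading: it says "login PAM", but the `use_ldap` flag it feeds in pam.nix gates the pam_ldap entries in the account, auth, password and session stacks of every PAM service that security.pam generates, not only the login service. I would rephrase it along the lines of `description = "Whether to include pam_ldap in the account/auth/password/session stacks of all PAM services generated by security.pam; when false, LDAP is not consulted for authentication even though users.ldap.enable is set";`. If this module also wires LDAP into NSS lookups (not visible in this hunk), the description should state explicitly whether that part is unaffected, since an administrator turning this off is likely asking exactly that question. The default of `true` preserves the previous behaviour and is worth mentioning too.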
@@ -276,7 +276,7 @@ let
 "password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
 ${optionalString cfg.pamMount
 "password optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
- ${optionalString config.users.ldap.enable
+ ${optionalString use_ldap
 "password sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
 ${optionalString config.krb5.enable
 "password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass"}
@@ -296,7 +296,7 @@ let
 "session required ${pkgs.pam}/lib/security/pam_lastlog.so silent"}
 ${optionalString config.security.pam.enableEcryptfs
 "session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
- ${optionalString config.users.ldap.enable
+ ${optionalString use_ldap
 "session optional ${pam_ldap}/lib/security/pam_ldap.so"}
 ${optionalString config.krb5.enable
 "session optional ${pam_krb5}/lib/security/pam_krb5.so"}
@@ -322,6 +322,7 @@ let
 inherit (pkgs) pam_krb5 pam_ccreds;
+ use_ldap = (config.users.ldap.enable && config.users.ldap.loginPam);
 pam_ldap = if config.users.ldap.daemon.enable then pkgs.nss_pam_ldapd else pkgs.pam_ldap;
 # Create a limits.conf(5) file. |
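Review bot: The new `use_ldap` binding in the `@@ -322` hunk uses snake_case while the module's own identifiers visible in these hunks are camelCase (`cfg.oathAuth`, `cfg.pamMount`, `enableEcryptfs`); the neighbouring `pam_ldap`/`pam_krb5` names mirror package attribute names, which this flag does not. The parentheses around the conjunction are also redundant in a Nix binding. I would write `useLdap = config.users.ldap.enable && config.users.ldap.loginPam;` and rename the four `optionalString use_ldap` sites in the earlier hunks to match. A short comment on the binding, such as `# Gates every pam_ldap line in the generated PAM stacks; users.ldap.enable alone no longer implies LDAP authentication`, would make the intent clear to the next reader, since the binding sits far from its uses in the same let block.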