From de67f50351b4e35155b40c341452abbd078ede9a Mon Sep 17 00:00:00 2001
From: Assassinkin
Date: Wed, 22 Nov 2017 18:07:04 +0100
Subject: [PATCH] Update sssd integration with pam as documented by RedHat

---
 nixos/modules/security/pam.nix | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 2d6713311a45..e3bbcad12026 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -222,6 +222,11 @@ let
           password, KDE will prompt separately after login.
         '';
       };
+      sssdStrictAccess = mkOption {
+        default = false;
+        type = types.bool;
+        description = "enforce sssd access control";
+      };

       text = mkOption {
         type = types.nullOr types.lines;
@@ -241,11 +246,13 @@ let
       text = mkDefault (''
           # Account management.
-          account sufficient pam_unix.so
+          account ${if cfg.sssdStrictAccess then "required" else "sufficient"} pam_unix.so
           ${optionalString use_ldap
               "account sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
-          ${optionalString config.services.sssd.enable
+          ${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false)
               "account sufficient ${pkgs.sssd}/lib/security/pam_sss.so"}
+          ${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess)
+              "account [default=bad success=ok user_unknown=ignore] ${pkgs.sssd}/lib/security/pam_sss.so"}
           ${optionalString config.krb5.enable
               "account sufficient ${pam_krb5}/lib/security/pam_krb5.so"}
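Review bot: The description of the new `sssdStrictAccess` option, "enforce sssd access control", does not tell an operator what the option changes in the PAM stack or what the default leaves unenforced, which matters because this is an access-control decision. From the account stanza in the second hunk, enabling it makes `pam_unix.so` `required` and stacks `pam_sss.so` as `[default=bad success=ok user_unknown=ignore]`, so a user that SSSD denies can no longer be let through by a later `sufficient` module, whereas with the default `false` `pam_sss.so` stays `sufficient` and an SSSD denial is not enforced. A description along the lines of `description = "Whether to enforce SSSD's account access control: pam_unix becomes required and pam_sss is stacked as [default=bad success=ok user_unknown=ignore], so users denied by SSSD cannot log in. When false (the default), pam_sss is only sufficient and an SSSD denial is not enforced."` would make the default's weaker posture explicit. As a minor style point in that same stanza, `cfg.sssdStrictAccess==false` would read more idiomatically as `!cfg.sssdStrictAccess`; note that the second hunk runs past the end of this excerpt.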