Merge pull request #31969 from Assassinkin/master
Update sssd integration with pam as documented by RedHat
commit
aeff4242db
|
@ -234,6 +234,11 @@ let
|
||||||
password, KDE will prompt separately after login.
|
password, KDE will prompt separately after login.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
sssdStrictAccess = mkOption {
|
||||||
|
default = false;
|
||||||
|
type = types.bool;
|
||||||
|
description = "enforce sssd access control";
|
||||||
|
};
|
||||||
|
|
||||||
enableGnomeKeyring = mkOption {
|
enableGnomeKeyring = mkOption {
|
||||||
default = false;
|
default = false;
|
||||||
|
@ -264,11 +269,13 @@ let
|
||||||
text = mkDefault
|
text = mkDefault
|
||||||
(''
|
(''
|
||||||
# Account management.
|
# Account management.
|
||||||
account sufficient pam_unix.so
|
account ${if cfg.sssdStrictAccess then "required" else "sufficient"} pam_unix.so
|
||||||
${optionalString use_ldap
|
${optionalString use_ldap
|
||||||
"account sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
|
"account sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
|
||||||
${optionalString config.services.sssd.enable
|
${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false)
|
||||||
"account sufficient ${pkgs.sssd}/lib/security/pam_sss.so"}
|
"account sufficient ${pkgs.sssd}/lib/security/pam_sss.so"}
|
||||||
|
${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess)
|
||||||
|
"account [default=bad success=ok user_unknown=ignore] ${pkgs.sssd}/lib/security/pam_sss.so"}
|
||||||
${optionalString config.krb5.enable
|
${optionalString config.krb5.enable
|
||||||
"account sufficient ${pam_krb5}/lib/security/pam_krb5.so"}
|
"account sufficient ${pam_krb5}/lib/security/pam_krb5.so"}
|
||||||
|
|
||||||
|
|
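Review bot: In strict mode the `account sufficient … pam_ldap.so` line still sits between `pam_unix.so` and the new `account [default=bad success=ok user_unknown=ignore] … pam_sss.so` line, so when `use_ldap` is also true a success from pam_ldap ends the account stack before the sssd access check is consulted. Consider emitting the strict `pam_sss.so` line ahead of the `sufficient` entries, or stating in the option description that strict access is not enforced for accounts that pam_ldap accepts. The `required` switch on `pam_unix.so` is keyed on `cfg.sssdStrictAccess` alone, so it changes the stack even when `config.services.sssd.enable` is false; using `config.services.sssd.enable && cfg.sssdStrictAccess` there would keep the option inert without sssd. As a style point, `cfg.sssdStrictAccess==false` reads more clearly as `!cfg.sssdStrictAccess`, and the description `"enforce sssd access control"` could say that the option makes pam_unix `required`. The `text` string continues outside the hunk, so any account lines after `pam_krb5.so` are not visible here.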