diff --git a/nixos/doc/manual/release-notes/rl-1903.xml b/nixos/doc/manual/release-notes/rl-1903.xml index ed62c51ce9b6..61f185f9bc00 100644 --- a/nixos/doc/manual/release-notes/rl-1903.xml +++ b/nixos/doc/manual/release-notes/rl-1903.xml @@ -331,17 +331,29 @@ The pam_unix account module is now loaded with its control field set to required instead of - sufficient, so that later pam account modules that + sufficient, so that later PAM account modules that might do more extensive checks are being executed. Previously, the whole account module verification was exited prematurely in case a nss module provided the account name to pam_unix. The LDAP and SSSD NixOS modules already add their NSS modules when - enabled. In case your setup breaks due to some later pam account module + enabled. In case your setup breaks due to some later PAM account module previosuly shadowed, or failing NSS lookups, please file a bug. You can get back the old behaviour by manually setting .text]]>. + + + + The pam_unix password module is now loaded with its + control field set to sufficient instead of + required, so that password managed only + by later PAM password modules are being executed. + Previously, for example, changing an LDAP account's password through PAM + was not possible: the whole password module verification + was exited prematurely by pam_unix, + preventing pam_ldap to manage the password as it should. + diff --git a/nixos/modules/config/ldap.nix b/nixos/modules/config/ldap.nix index 0693e896f715..f65a3fc50d54 100644 --- a/nixos/modules/config/ldap.nix +++ b/nixos/modules/config/ldap.nix @@ -38,6 +38,8 @@ let bind_timelimit ${toString cfg.bind.timeLimit} ${optionalString (cfg.bind.distinguishedName != "") "binddn ${cfg.bind.distinguishedName}" } + ${optionalString (cfg.daemon.rootpwmoddn != "") + "rootpwmoddn ${cfg.daemon.rootpwmoddn}" } ${optionalString (cfg.daemon.extraConfig != "") cfg.daemon.extraConfig } ''; }; @@ -126,6 +128,26 @@ in the end of the nslcd configuration file (nslcd.conf). '' ; } ; + + rootpwmoddn = mkOption { + default = ""; + example = "cn=admin,dc=example,dc=com"; + type = types.str; + description = '' + The distinguished name to use to bind to the LDAP server + when the root user tries to modify a user's password. + ''; + }; + + rootpwmodpw = mkOption { + default = ""; + example = "/run/keys/nslcd.rootpwmodpw"; + type = types.str; + description = '' + The path to a file containing the credentials with which + to bind to the LDAP server if the root user tries to change a user's password + ''; + }; }; bind = { @@ -203,9 +225,11 @@ in system.activationScripts = mkIf insertLdapPassword { ldap = stringAfter [ "etc" "groups" "users" ] '' if test -f "${cfg.bind.password}" ; then - echo "bindpw "$(cat ${cfg.bind.password})"" | cat ${ldapConfig.source} - > /etc/ldap.conf.bindpw - mv -fT /etc/ldap.conf.bindpw /etc/ldap.conf - chmod 600 /etc/ldap.conf + umask 0077 + conf="$(mktemp)" + printf 'bindpw %s\n' "$(cat ${cfg.bind.password})" | + cat ${ldapConfig.source} - >"$conf" + mv -fT "$conf" /etc/ldap.conf fi ''; }; @@ -232,21 +256,31 @@ in wantedBy = [ "multi-user.target" ]; preStart = '' - mkdir -p /run/nslcd - rm -f /run/nslcd/nslcd.pid; - chown nslcd.nslcd /run/nslcd - ${optionalString (cfg.bind.distinguishedName != "") '' - if test -s "${cfg.bind.password}" ; then - ln -sfT "${cfg.bind.password}" /run/nslcd/bindpw - fi - ''} + umask 0077 + conf="$(mktemp)" + { + cat ${nslcdConfig.source} + test -z '${cfg.bind.distinguishedName}' -o ! -f '${cfg.bind.password}' || + printf 'bindpw %s\n' "$(cat '${cfg.bind.password}')" + test -z '${cfg.daemon.rootpwmoddn}' -o ! -f '${cfg.daemon.rootpwmodpw}' || + printf 'rootpwmodpw %s\n' "$(cat '${cfg.daemon.rootpwmodpw}')" + } >"$conf" + mv -fT "$conf" /etc/nslcd.conf ''; + # NOTE: because one cannot pass a custom config path to `nslcd` + # (which is only able to use `/etc/nslcd.conf`) + # changes in `nslcdConfig` won't change `serviceConfig`, + # and thus won't restart `nslcd`. + # Therefore `restartTriggers` is used on `/etc/nslcd.conf`. + restartTriggers = [ nslcdConfig.source ]; + serviceConfig = { ExecStart = "${nss_pam_ldapd}/sbin/nslcd"; Type = "forking"; PIDFile = "/run/nslcd/nslcd.pid"; Restart = "always"; + RuntimeDirectory = [ "nslcd" ]; }; }; diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 4631ba848a76..206b529ed680 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -370,7 +370,7 @@ let auth required pam_deny.so # Password management. - password requisite pam_unix.so nullok sha512 + password sufficient pam_unix.so nullok sha512 ${optionalString config.security.pam.enableEcryptfs "password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"} ${optionalString cfg.pamMount diff --git a/nixos/tests/ldap.nix b/nixos/tests/ldap.nix index 035a81924174..b3fd42e75886 100644 --- a/nixos/tests/ldap.nix +++ b/nixos/tests/ldap.nix @@ -1,41 +1,23 @@ import ./make-test.nix ({ pkgs, lib, ...} : let + unlines = lib.concatStringsSep "\n"; + unlinesAttrs = f: as: unlines (lib.mapAttrsToList f as); + dbDomain = "example.com"; dbSuffix = "dc=example,dc=com"; - dbPath = "/var/db/openldap"; dbAdminDn = "cn=admin,${dbSuffix}"; - dbAdminPwd = "test"; - serverUri = "ldap:///"; + dbAdminPwd = "admin-password"; + # NOTE: slappasswd -h "{SSHA}" -s '${dbAdminPwd}' + dbAdminPwdHash = "{SSHA}i7FopSzkFQMrHzDMB1vrtkI0rBnwouP8"; ldapUser = "test-ldap-user"; ldapUserId = 10000; - ldapUserPwd = "test"; + ldapUserPwd = "user-password"; + # NOTE: slappasswd -h "{SSHA}" -s '${ldapUserPwd}' + ldapUserPwdHash = "{SSHA}v12XICMZNGT6r2KJ26rIkN8Vvvp4QX6i"; ldapGroup = "test-ldap-group"; ldapGroupId = 10000; - setupLdif = pkgs.writeText "test-ldap.ldif" '' - dn: ${dbSuffix} - dc: ${with lib; let dc = head (splitString "," dbSuffix); dcName = head (tail (splitString "=" dc)); in dcName} - o: ${dbSuffix} - objectclass: top - objectclass: dcObject - objectclass: organization - dn: cn=${ldapUser},${dbSuffix} - sn: ${ldapUser} - objectClass: person - objectClass: posixAccount - uid: ${ldapUser} - uidNumber: ${toString ldapUserId} - gidNumber: ${toString ldapGroupId} - homeDirectory: /home/${ldapUser} - loginShell: /bin/sh - userPassword: ${ldapUserPwd} - - dn: cn=${ldapGroup},${dbSuffix} - objectClass: posixGroup - gidNumber: ${toString ldapGroupId} - memberUid: ${ldapUser} - ''; mkClient = useDaemon: { lib, ... }: { @@ -43,13 +25,24 @@ let virtualisation.vlans = [ 1 ]; security.pam.services.su.rootOK = lib.mkForce false; users.ldap.enable = true; - users.ldap.daemon.enable = useDaemon; + users.ldap.daemon = { + enable = useDaemon; + rootpwmoddn = "cn=admin,${dbSuffix}"; + rootpwmodpw = "/etc/nslcd.rootpwmodpw"; + }; + # NOTE: password stored in clear in Nix's store, but this is a test. + environment.etc."nslcd.rootpwmodpw".source = pkgs.writeText "rootpwmodpw" dbAdminPwd; users.ldap.loginPam = true; users.ldap.nsswitch = true; users.ldap.server = "ldap://server"; - users.ldap.base = "${dbSuffix}"; + users.ldap.base = "ou=posix,${dbSuffix}"; + users.ldap.bind = { + distinguishedName = "cn=admin,${dbSuffix}"; + password = "/etc/ldap/bind.password"; + }; + # NOTE: password stored in clear in Nix's store, but this is a test. + environment.etc."ldap/bind.password".source = pkgs.writeText "password" dbAdminPwd; }; - in { @@ -61,28 +54,237 @@ in nodes = { server = - { pkgs, ... }: + { pkgs, config, ... }: + let + inherit (config.services) openldap; + + slapdConfig = pkgs.writeText "cn=config.ldif" ('' + dn: cn=config + objectClass: olcGlobal + #olcPidFile: /run/slapd/slapd.pid + # List of arguments that were passed to the server + #olcArgsFile: /run/slapd/slapd.args + # Read slapd-config(5) for possible values + olcLogLevel: none + # The tool-threads parameter sets the actual amount of CPU's + # that is used for indexing. + olcToolThreads: 1 + + dn: olcDatabase={-1}frontend,cn=config + objectClass: olcDatabaseConfig + objectClass: olcFrontendConfig + # The maximum number of entries that is returned for a search operation + olcSizeLimit: 500 + # Allow unlimited access to local connection from the local root user + olcAccess: to * + by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage + by * break + # Allow unauthenticated read access for schema and base DN autodiscovery + olcAccess: to dn.exact="" + by * read + olcAccess: to dn.base="cn=Subschema" + by * read + + dn: olcDatabase=config,cn=config + objectClass: olcDatabaseConfig + olcRootDN: cn=admin,cn=config + #olcRootPW: + # NOTE: access to cn=config, system root can be manager + # with SASL mechanism (-Y EXTERNAL) over unix socket (-H ldapi://) + olcAccess: to * + by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage + by * break + + dn: cn=schema,cn=config + objectClass: olcSchemaConfig + + include: file://${pkgs.openldap}/etc/schema/core.ldif + include: file://${pkgs.openldap}/etc/schema/cosine.ldif + include: file://${pkgs.openldap}/etc/schema/nis.ldif + include: file://${pkgs.openldap}/etc/schema/inetorgperson.ldif + + dn: cn=module{0},cn=config + objectClass: olcModuleList + # Where the dynamically loaded modules are stored + #olcModulePath: /usr/lib/ldap + olcModuleLoad: back_mdb + + '' + + unlinesAttrs (olcSuffix: {conf, ...}: + "include: file://" + pkgs.writeText "config.ldif" conf + ) slapdDatabases + ); + + slapdDatabases = { + "${dbSuffix}" = { + conf = '' + dn: olcBackend={1}mdb,cn=config + objectClass: olcBackendConfig + + dn: olcDatabase={1}mdb,cn=config + olcSuffix: ${dbSuffix} + olcDbDirectory: ${openldap.dataDir}/${dbSuffix} + objectClass: olcDatabaseConfig + objectClass: olcMdbConfig + # NOTE: checkpoint the database periodically in case of system failure + # and to speed up slapd shutdown. + olcDbCheckpoint: 512 30 + # Database max size is 1G + olcDbMaxSize: 1073741824 + olcLastMod: TRUE + # NOTE: database superuser. Needed for syncrepl, + # and used to auth as admin through a TCP connection. + olcRootDN: cn=admin,${dbSuffix} + olcRootPW: ${dbAdminPwdHash} + # + olcDbIndex: objectClass eq + olcDbIndex: cn,uid eq + olcDbIndex: uidNumber,gidNumber eq + olcDbIndex: member,memberUid eq + # + olcAccess: to attrs=userPassword + by self write + by anonymous auth + by dn="cn=admin,${dbSuffix}" write + by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write + by * none + olcAccess: to attrs=shadowLastChange + by self write + by dn="cn=admin,${dbSuffix}" write + by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write + by * none + olcAccess: to dn.sub="ou=posix,${dbSuffix}" + by self read + by dn="cn=admin,${dbSuffix}" read + by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read + olcAccess: to * + by self read + by * none + ''; + data = '' + dn: ${dbSuffix} + objectClass: top + objectClass: dcObject + objectClass: organization + o: ${dbDomain} + + dn: cn=admin,${dbSuffix} + objectClass: simpleSecurityObject + objectClass: organizationalRole + description: ${dbDomain} LDAP administrator + roleOccupant: ${dbSuffix} + userPassword: ${ldapUserPwdHash} + + dn: ou=posix,${dbSuffix} + objectClass: top + objectClass: organizationalUnit + + dn: ou=accounts,ou=posix,${dbSuffix} + objectClass: top + objectClass: organizationalUnit + + dn: ou=groups,ou=posix,${dbSuffix} + objectClass: top + objectClass: organizationalUnit + '' + + lib.concatMapStrings posixAccount [ + { uid=ldapUser; uidNumber=ldapUserId; gidNumber=ldapGroupId; userPassword=ldapUserPwdHash; } + ] + + lib.concatMapStrings posixGroup [ + { gid=ldapGroup; gidNumber=ldapGroupId; members=[]; } + ]; + }; + }; + + # NOTE: create a user account using the posixAccount objectClass. + posixAccount = + { uid + , uidNumber ? null + , gidNumber ? null + , cn ? "" + , sn ? "" + , userPassword ? "" + , loginShell ? "/bin/sh" + }: '' + + dn: uid=${uid},ou=accounts,ou=posix,${dbSuffix} + objectClass: person + objectClass: posixAccount + objectClass: shadowAccount + cn: ${cn} + gecos: + ${if gidNumber == null then "#" else "gidNumber: ${toString gidNumber}"} + homeDirectory: /home/${uid} + loginShell: ${loginShell} + sn: ${sn} + ${if uidNumber == null then "#" else "uidNumber: ${toString uidNumber}"} + ${if userPassword == "" then "#" else "userPassword: ${userPassword}"} + ''; + + # NOTE: create a group using the posixGroup objectClass. + posixGroup = + { gid + , gidNumber + , members + }: '' + + dn: cn=${gid},ou=groups,ou=posix,${dbSuffix} + objectClass: top + objectClass: posixGroup + gidNumber: ${toString gidNumber} + ${lib.concatMapStrings (member: "memberUid: ${member}\n") members} + ''; + in { virtualisation.memorySize = 256; virtualisation.vlans = [ 1 ]; networking.firewall.allowedTCPPorts = [ 389 ]; services.openldap.enable = true; - services.openldap.dataDir = dbPath; + services.openldap.dataDir = "/var/db/openldap"; + services.openldap.configDir = "/var/db/slapd"; services.openldap.urlList = [ - serverUri + "ldap:///" + "ldapi:///" ]; - services.openldap.extraConfig = '' - include ${pkgs.openldap.out}/etc/schema/core.schema - include ${pkgs.openldap.out}/etc/schema/cosine.schema - include ${pkgs.openldap.out}/etc/schema/inetorgperson.schema - include ${pkgs.openldap.out}/etc/schema/nis.schema - - database mdb - suffix ${dbSuffix} - rootdn ${dbAdminDn} - rootpw ${dbAdminPwd} - directory ${dbPath} - ''; + systemd.services.openldap = { + preStart = '' + set -e + # NOTE: slapd's config is always re-initialized. + rm -rf "${openldap.configDir}"/cn=config \ + "${openldap.configDir}"/cn=config.ldif + install -D -d -m 0700 -o "${openldap.user}" -g "${openldap.group}" "${openldap.configDir}" + # NOTE: olcDbDirectory must be created before adding the config. + '' + + unlinesAttrs (olcSuffix: {data, ...}: '' + # NOTE: database is always re-initialized. + rm -rf "${openldap.dataDir}/${olcSuffix}" + install -D -d -m 0700 -o "${openldap.user}" -g "${openldap.group}" \ + "${openldap.dataDir}/${olcSuffix}" + '') slapdDatabases + + '' + # NOTE: slapd is supposed to be stopped while in preStart, + # hence slap* commands can safely be used. + umask 0077 + ${pkgs.openldap}/bin/slapadd -n 0 \ + -F "${openldap.configDir}" \ + -l ${slapdConfig} + chown -R "${openldap.user}:${openldap.group}" "${openldap.configDir}" + # NOTE: slapadd(8): To populate the config database slapd-config(5), + # use -n 0 as it is always the first database. + # It must physically exist on the filesystem prior to this, however. + '' + + unlinesAttrs (olcSuffix: {data, ...}: '' + # NOTE: load database ${olcSuffix} + # (as root to avoid depending on sudo or chpst) + ${pkgs.openldap}/bin/slapadd \ + -F "${openldap.configDir}" \ + -l ${pkgs.writeText "data.ldif" data} + '' + '' + # NOTE: redundant with default openldap's preStart, but do not harm. + chown -R "${openldap.user}:${openldap.group}" \ + "${openldap.dataDir}/${olcSuffix}" + '') slapdDatabases; + }; }; client1 = mkClient true; # use nss_pam_ldapd @@ -91,15 +293,91 @@ in }; testScript = '' - startAll; + $server->start; $server->waitForUnit("default.target"); + + subtest "slapd", sub { + subtest "auth as database admin with SASL and check a POSIX account", sub { + $server->succeed(join ' ', 'test', + '"$(ldapsearch -LLL -H ldapi:// -Y EXTERNAL', + '-b \'uid=${ldapUser},ou=accounts,ou=posix,${dbSuffix}\' ', + '-s base uidNumber |', + 'sed -ne \'s/^uidNumber: \\(.*\\)/\\1/p\' ', + ')" -eq ${toString ldapUserId}'); + }; + subtest "auth as database admin with password and check a POSIX account", sub { + $server->succeed(join ' ', 'test', + '"$(ldapsearch -LLL -H ldap://server', + '-D \'cn=admin,${dbSuffix}\' -w \'${dbAdminPwd}\' ', + '-b \'uid=${ldapUser},ou=accounts,ou=posix,${dbSuffix}\' ', + '-s base uidNumber |', + 'sed -ne \'s/^uidNumber: \\(.*\\)/\\1/p\' ', + ')" -eq ${toString ldapUserId}'); + }; + }; + + $client1->start; $client1->waitForUnit("default.target"); + + subtest "password", sub { + subtest "su with password to a POSIX account", sub { + $client1->succeed("${pkgs.expect}/bin/expect -c '" . join ';', + 'spawn su "${ldapUser}"', + 'expect "Password:"', + 'send "${ldapUserPwd}\n"', + 'expect "*"', + 'send "whoami\n"', + 'expect -ex "${ldapUser}" {exit}', + 'exit 1' . "'"); + }; + subtest "change password of a POSIX account as root", sub { + $client1->succeed("chpasswd <<<'${ldapUser}:new-password'"); + $client1->succeed("${pkgs.expect}/bin/expect -c '" . join ';', + 'spawn su "${ldapUser}"', + 'expect "Password:"', + 'send "new-password\n"', + 'expect "*"', + 'send "whoami\n"', + 'expect -ex "${ldapUser}" {exit}', + 'exit 1' . "'"); + $client1->succeed('chpasswd <<<\'${ldapUser}:${ldapUserPwd}\' '); + }; + subtest "change password of a POSIX account from itself", sub { + $client1->succeed('chpasswd <<<\'${ldapUser}:${ldapUserPwd}\' '); + $client1->succeed("${pkgs.expect}/bin/expect -c '" . join ';', + 'spawn su --login ${ldapUser} -c passwd', + 'expect "Password: "', + 'send "${ldapUserPwd}\n"', + 'expect "(current) UNIX password: "', + 'send "${ldapUserPwd}\n"', + 'expect "New password: "', + 'send "new-password\n"', + 'expect "Retype new password: "', + 'send "new-password\n"', + 'expect "passwd: password updated successfully" {exit}', + 'exit 1' . "'"); + $client1->succeed("${pkgs.expect}/bin/expect -c '" . join ';', + 'spawn su "${ldapUser}"', + 'expect "Password:"', + 'send "${ldapUserPwd}\n"', + 'expect "su: Authentication failure" {exit}', + 'exit 1' . "'"); + $client1->succeed("${pkgs.expect}/bin/expect -c '" . join ';', + 'spawn su "${ldapUser}"', + 'expect "Password:"', + 'send "new-password\n"', + 'expect "*"', + 'send "whoami\n"', + 'expect -ex "${ldapUser}" {exit}', + 'exit 1' . "'"); + $client1->succeed('chpasswd <<<\'${ldapUser}:${ldapUserPwd}\' '); + }; + }; + + $client2->start; $client2->waitForUnit("default.target"); - $server->succeed("ldapadd -D '${dbAdminDn}' -w ${dbAdminPwd} -H ${serverUri} -f '${setupLdif}'"); - - # NSS tests - subtest "nss", sub { + subtest "NSS", sub { $client1->succeed("test \"\$(id -u '${ldapUser}')\" -eq ${toString ldapUserId}"); $client1->succeed("test \"\$(id -u -n '${ldapUser}')\" = '${ldapUser}'"); $client1->succeed("test \"\$(id -g '${ldapUser}')\" -eq ${toString ldapGroupId}"); @@ -110,8 +388,7 @@ in $client2->succeed("test \"\$(id -g -n '${ldapUser}')\" = '${ldapGroup}'"); }; - # PAM tests - subtest "pam", sub { + subtest "PAM", sub { $client1->succeed("echo ${ldapUserPwd} | su -l '${ldapUser}' -c true"); $client2->succeed("echo ${ldapUserPwd} | su -l '${ldapUser}' -c true"); };