Merge pull request #31969 from Assassinkin/master
Update sssd integration with pam as documented by RedHat
matthewbauer committed Apr 21, 2018
2 parents d6ab165 + de67f50 commit aeff424
Showing 1 changed file with 9 additions and 2 deletions.
11 changes: 9 additions & 2 deletions nixos/modules/security/pam.nix
@@ -234,6 +234,11 @@ let
password, KDE will prompt separately after login.
'';
};
sssdStrictAccess = mkOption {
default = false;
type = types.bool;
description = "enforce sssd access control";
};

enableGnomeKeyring = mkOption {
default = false;
@@ -264,11 +269,13 @@ let
text = mkDefault
(''
# Account management.
account sufficient pam_unix.so
account ${if cfg.sssdStrictAccess then "required" else "sufficient"} pam_unix.so
${optionalString use_ldap
"account sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
${optionalString config.services.sssd.enable
${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false)
"account sufficient ${pkgs.sssd}/lib/security/pam_sss.so"}
${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess)
"account [default=bad success=ok user_unknown=ignore] ${pkgs.sssd}/lib/security/pam_sss.so"}
${optionalString config.krb5.enable
"account sufficient ${pam_krb5}/lib/security/pam_krb5.so"}
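Review bot: In strict mode the `account sufficient … pam_ldap.so` entry still sits between the now-`required` pam_unix.so and the new pam_sss.so line in the second hunk, so when `use_ldap` is also true a pam_ldap success ends the account stack before the sssd access check is reached. If `sssdStrictAccess` is meant to guarantee that pam_sss is consulted, emit the `[default=bad success=ok user_unknown=ignore]` line directly after pam_unix.so, ahead of the other `sufficient` entries. The description in the first hunk should spell out the default as well, e.g. `description = "Enforce sssd access control. When false, a pam_unix success ends the account stack and pam_sss is not consulted.";`. `cfg.sssdStrictAccess==false` is more idiomatic as `!cfg.sssdStrictAccess`. The `text` string continues past the end of the hunk, so any later account entries are not visible here.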
