
@tormath1 tormath1 commented Feb 9, 2026

This was not creating the system-auth with the 'pam_sss' module, which makes sssd LDAP authentication fail.

I amended the patch to move the pam_sss.so call before the pam_faillock.so one; otherwise it was failing. I think this could be proposed upstream.

Related to: flatcar/Flatcar#1985

TODO:

Testing:

```console
$ cat sssd.conf
[sssd]
config_file_version = 2
services = nss, pam, ssh
domains = LDAP

[nss]
[pam]
[ssh]

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://127.0.0.1:1389
ldap_search_base = dc=example,dc=org
override_homedir = /home/%u
access_provider = simple

# Bitnami default admin credentials
ldap_bind_dn = cn=admin,dc=example,dc=org
ldap_bind_authtok = adminpassword

# Mapping settings
ldap_user_object_class = posixAccount
ldap_user_name = uid
ldap_group_object_class = posixGroup
ldap_group_name = cn

ldap_auth_disable_tls_never_use_in_production = True
ldap_tls_reqcert = never
ldap_id_use_start_tls = False
$ docker run --detach --rm --name openldap \
    --network host \
    --env LDAP_ADMIN_USERNAME=admin \
    --env LDAP_ADMIN_PASSWORD=adminpassword \
    --env LDAP_USERS=customuser \
    --env LDAP_PASSWORDS=custompassword \
    --env LDAP_ROOT=dc=example,dc=org \
    --env LDAP_ADMIN_DN=cn=admin,dc=example,dc=org \
    docker.io/bitnamilegacy/openldap:2.6.10-debian-12-r4
```

This was not creating the system-auth with the 'pam_sss' module, which
makes sssd LDAP authentication fail.

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
This brings a fix to move the pam_sss to the right position. I think
this can be upstreamed.

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
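As an added illustration, not code from this PR or from Flatcar's pambase, the following POSIX shell check reads a PAM service file and verifies the ordering the description reports as necessary: the first `auth` line loading pam_sss.so must appear before the first `auth` line loading pam_faillock.so. The two system-auth samples are constructed for this example and do not reproduce Flatcar's generated configuration; which concrete pam_faillock.so call matters in the real stack is an assumption here, the check simply compares first occurrences.

```shell
#!/bin/sh
# Added example, not part of the PR: check pam_sss.so / pam_faillock.so
# ordering in the auth stack of a PAM service file.

tmp=$(mktemp -d)

# Constructed sample: pam_sss.so is only reached after pam_faillock.so
# (the ordering the PR description reports as failing for LDAP users).
cat > "$tmp/system-auth.before" <<'EOF'
auth     required                    pam_env.so
auth     requisite                   pam_faillock.so preauth
auth     [success=1 default=ignore]  pam_unix.so try_first_pass nullok
auth     [default=die]               pam_faillock.so authfail
auth     sufficient                  pam_sss.so use_first_pass
auth     required                    pam_deny.so
account  required                    pam_unix.so
account  sufficient                  pam_sss.so
EOF

# Constructed sample with pam_sss.so moved ahead of pam_faillock.so.
cat > "$tmp/system-auth.after" <<'EOF'
auth     required                    pam_env.so
auth     sufficient                  pam_sss.so
auth     requisite                   pam_faillock.so preauth
auth     [success=1 default=ignore]  pam_unix.so try_first_pass nullok
auth     [default=die]               pam_faillock.so authfail
auth     required                    pam_deny.so
account  required                    pam_unix.so
account  sufficient                  pam_sss.so
EOF

# pam_module_index FILE MODULE
# Prints the 1-based position, among the "auth" lines of FILE, of the first
# line that loads MODULE (matched on the basename, so a full path such as
# /lib/security/pam_sss.so also counts), or 0 if no auth line loads it.
# Bracketed control fields such as "[success=1 default=ignore]" contain
# spaces, so the module is located as the first field ending in ".so"
# rather than assumed to be the third field.
pam_module_index() {
  awk -v want="$2" '
    /^[[:space:]]*#/ || NF == 0 { next }
    $1 == "auth" {
      n++
      for (i = 2; i <= NF; i++) {
        if ($i ~ /\.so$/) {
          m = $i
          sub(/.*\//, "", m)
          if (m == want && !pos) pos = n
          break
        }
      }
    }
    END { print pos + 0 }
  ' "$1"
}

# check_sss_before_faillock FILE
# Succeeds (exit 0) only when both modules are present in the auth stack
# and pam_sss.so is listed before the first pam_faillock.so call.
check_sss_before_faillock() {
  sss_pos=$(pam_module_index "$1" pam_sss.so)
  fl_pos=$(pam_module_index "$1" pam_faillock.so)
  [ "$sss_pos" -gt 0 ] && [ "$fl_pos" -gt 0 ] && [ "$sss_pos" -lt "$fl_pos" ]
}

for f in "$tmp/system-auth.before" "$tmp/system-auth.after"; do
  if check_sss_before_faillock "$f"; then
    echo "OK:   pam_sss.so precedes pam_faillock.so in $f"
  else
    echo "FAIL: pam_sss.so is missing or listed after pam_faillock.so in $f"
  fi
done
```

Run it as-is to see one FAIL and one OK line; to check a real system, call `check_sss_before_faillock /etc/pam.d/system-auth` after sourcing the functions. The awk parser skips comments and blank lines and only inspects the `auth` stack, so `account` or `session` entries for pam_sss.so do not influence the result.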
@tormath1 tormath1 marked this pull request as ready for review February 11, 2026 08:29
@tormath1 tormath1 requested a review from a team as a code owner February 11, 2026 08:29
@chewi chewi left a comment


Well, it looks okay, but I honestly don't understand PAM well enough to say whether it's correct. I know it's not @krnowak's favourite subject either, but I'd feel better waiting for him.

I'm a little surprised Gentoo hasn't noticed. The sssd support has been in place for a couple of years now. Perhaps it's due to other differences in our config, but it doesn't seem that way.

@tormath1

> Well, it looks okay, but I honestly don't understand PAM well enough to say whether it's correct. I know it's not @krnowak's favourite subject either, but I'd feel better waiting for him.
>
> I'm a little surprised Gentoo hasn't noticed. The sssd support has been in place for a couple of years now. Perhaps it's due to other differences in our config, but it doesn't seem that way.

I'm holding this until I get user feedback. I would honestly prefer having this released in alpha / beta before promoting a new stable.
