New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improving integration of nslcd
, PAM and openldap
.
#53762
Conversation
Previously, for example, changing an LDAP account's password through PAM | ||
was not possible: the whole password module verification | ||
was exited prematurely by <literal>pam_unix</literal>, | ||
preventing <literal>pam_ldap</literal> to manage the password as it should. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should also mention that (and why) we load password required pam_deny.so
at the end.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've put that pam_deny
by precaution, since I've seen it a few line above in auth required pam_deny.so
and in Debian's /etc/pam.d/common-password
with the comment: "here's the fallback if no module succeeds". But Debian seems to need that pam_deny
because it is using some jumping over modules with [success=N, …]
generated controls, cf. pam.conf(5)
:
N (an unsigned integer)
equivalent to ok with the side effect of jumping over the next N modules in the stack.
As far as I can test, appending password required pam_deny.so
is not needed in current NixOS PAM config: both with or without it, giving a wrong LDAP password gives an authentication failure as expected; but I am no PAM expert.
dn: olcDatabase=config,cn=config | ||
objectClass: olcDatabaseConfig | ||
olcRootDN: cn=admin,cn=config | ||
#olcRootPW: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
trailing whitespace.
@Mic92 can take a look at the ldap-specific bits itself, as written in #46792 (review) ? |
nixos/modules/config/ldap.nix
Outdated
test -z "${cfg.bind.distinguishedName}" -o ! -f "${cfg.bind.password}" || | ||
printf 'bindpw %s\n' "$(cat ${cfg.bind.password})" | ||
test -z "${cfg.daemon.rootpwmoddn}" -o ! -f "${cfg.daemon.rootpwmodpw}" || | ||
printf 'rootpwmodpw %s\n' "$(cat ${cfg.daemon.rootpwmodpw})" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this need any escaping?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've pushed a change quoting ${cfg.bind.password}
and ${cfg.daemon.rootpwmodpw}
in the cat
since here someone could be using (very unwise) paths with spaces. What kind of escaping do you have in mind?
NOTE: slapd.conf is deprecated, hence use cn=config.
@GrahamcOfBorg build nixosTests.ldap |
built and verified locally. I guess improving some escaping can be done in a followup PR if needed, but no need t delay this further. |
This appears to have broken the ldap test. Was that intentional? |
eb90d97 looks like the culprit |
Motivation for this change
Restart
nslcd
service when its configuration is modified by Nix.And change PAM config to enable LDAP password changing through
nslcd
.Things done
sandbox
innix.conf
on non-NixOS)nix-shell -p nox --run "nox-review wip"
./result/bin/
)nix path-info -S
before and after)