Improving integration of nslcd, PAM and openldap.
#53762
Conversation
| Previously, for example, changing an LDAP account's password through PAM | ||
| was not possible: the whole password module verification | ||
| was exited prematurely by <literal>pam_unix</literal>, | ||
| preventing <literal>pam_ldap</literal> to manage the password as it should. |
There was a problem hiding this comment.
We should also mention that (and why) we load password required pam_deny.so at the end.
There was a problem hiding this comment.
I've put that pam_deny by precaution, since I've seen it a few line above in auth required pam_deny.so and in Debian's /etc/pam.d/common-password with the comment: "here's the fallback if no module succeeds". But Debian seems to need that pam_deny because it is using some jumping over modules with [success=N, …] generated controls, cf. pam.conf(5):
N (an unsigned integer)
equivalent to ok with the side effect of jumping over the next N modules in the stack.
As far as I can test, appending password required pam_deny.so is not needed in current NixOS PAM config: both with or without it, giving a wrong LDAP password gives an authentication failure as expected; but I am no PAM expert.
| dn: olcDatabase=config,cn=config | ||
| objectClass: olcDatabaseConfig | ||
| olcRootDN: cn=admin,cn=config | ||
| #olcRootPW: |
|
@Mic92 can take a look at the ldap-specific bits itself, as written in #46792 (review) ? |
nixos/modules/config/ldap.nix
Outdated
| test -z "${cfg.bind.distinguishedName}" -o ! -f "${cfg.bind.password}" || | ||
| printf 'bindpw %s\n' "$(cat ${cfg.bind.password})" | ||
| test -z "${cfg.daemon.rootpwmoddn}" -o ! -f "${cfg.daemon.rootpwmodpw}" || | ||
| printf 'rootpwmodpw %s\n' "$(cat ${cfg.daemon.rootpwmodpw})" |
There was a problem hiding this comment.
I've pushed a change quoting ${cfg.bind.password} and ${cfg.daemon.rootpwmodpw} in the cat since here someone could be using (very unwise) paths with spaces. What kind of escaping do you have in mind?
NOTE: slapd.conf is deprecated, hence use cn=config.
|
@GrahamcOfBorg build nixosTests.ldap |
|
built and verified locally. I guess improving some escaping can be done in a followup PR if needed, but no need t delay this further. |
|
This appears to have broken the ldap test. Was that intentional? |
|
eb90d97 looks like the culprit |
Motivation for this change
Restart
nslcdservice when its configuration is modified by Nix.And change PAM config to enable LDAP password changing through
nslcd.Things done
sandboxinnix.confon non-NixOS)nix-shell -p nox --run "nox-review wip"./result/bin/)nix path-info -Sbefore and after)