Author: viric
Date: Wed Apr 13 20:48:50 2011
New Revision: 26834
URL: https://svn.nixos.org/websvn/nix/?rev=26834&sc=1
Log:
Change the LDAP settings so that pam_unix and 'files' always come before ldap,
instead of the other way around. Thus, /etc/passwd takes priority over LDAP.
Modified:
nixos/trunk/modules/config/nsswitch.conf
nixos/trunk/modules/security/pam.nix
Modified: nixos/trunk/modules/config/nsswitch.conf
==============================================================================
--- nixos/trunk/modules/config/nsswitch.conf Wed Apr 13 20:44:17 2011
(r26833)
+++ nixos/trunk/modules/config/nsswitch.conf Wed Apr 13 20:48:50 2011
(r26834)
@@ -1,6 +1,6 @@
-passwd: ldap files
-group: ldap files
-shadow: ldap files
+passwd: files ldap
+group: files ldap
+shadow: files ldap
hosts: files dns
networks: files dns
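Review bot: Nothing in the file records why `files` has to precede `ldap` on the `passwd`, `group` and `shadow` lines, although that order is what keeps a directory entry from taking precedence over a local account of the same name. A comment above `passwd:` such as `# Local files first: LDAP entries must not shadow local accounts (e.g. root).` would protect the ordering against a later revert.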
Modified: nixos/trunk/modules/security/pam.nix
==============================================================================
--- nixos/trunk/modules/security/pam.nix Wed Apr 13 20:44:17 2011
(r26833)
+++ nixos/trunk/modules/security/pam.nix Wed Apr 13 20:48:50 2011
(r26834)
@@ -61,21 +61,21 @@
# module provides the right hooks.
''
# Account management.
+ account sufficient pam_unix.so
${optionalString config.users.ldap.enable
- "account optional ${pam_ldap}/lib/security/pam_ldap.so"}
+ "account sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
${optionalString config.krb5.enable
"account sufficient ${pam_krb5}/lib/security/pam_krb5.so"}
- account required pam_unix.so
# Authentication management.
${optionalString rootOK
"auth sufficient pam_rootok.so"}
${optionalString usbAuth
"auth sufficient ${pam_usb}/lib/security/pam_usb.so"}
- ${optionalString config.users.ldap.enable
- "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
auth sufficient pam_unix.so ${
- optionalString allowNullPassword "nullok"}
+ optionalString allowNullPassword "nullok"} likeauth
+ ${optionalString config.users.ldap.enable
+ "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so
use_first_pass"}
${optionalString config.krb5.enable
''auth [default=ignore success=1 service_err=reset]
${pam_krb5}/lib/security/pam_krb5.so use_first_pass
auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so
action=validate use_first_pass
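Review bot: With `account required pam_unix.so` removed, the account stack in this hunk holds only `sufficient` entries, so a pam_unix account failure (for example an expired or locked local account) is no longer terminal and a later pam_ldap or pam_krb5 success could still admit the user. In the other direction, a pam_unix success now ends the stack before pam_ldap's own account checks run, which matters if the directory enforces expiry or host restrictions (whether pam_unix succeeds for directory users depends on the NSS setup, so this is inferred rather than shown here). If local-first ordering is the goal, a control that ignores only unknown users would keep real failures binding, something like `account [success=done new_authtok_reqd=done user_unknown=ignore default=bad] pam_unix.so`. The Nix string this hunk edits starts and ends outside the hunk.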
@@ -84,20 +84,20 @@
auth required pam_deny.so
# Password management.
+ password requisite pam_unix.so nullok sha512
${optionalString config.users.ldap.enable
"password sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
${optionalString config.krb5.enable
"password sufficient ${pam_krb5}/lib/security/pam_krb5.so
use_first_pass"}
- password requisite pam_unix.so nullok sha512
${optionalString config.services.samba.syncPasswordsByPam
"password optional ${pkgs.samba}/lib/security/pam_smbpass.so
nullok use_authtok try_first_pass"}
# Session management.
+ session required pam_unix.so
${optionalString config.users.ldap.enable
"session optional ${pam_ldap}/lib/security/pam_ldap.so"}
${optionalString config.krb5.enable
"session optional ${pam_krb5}/lib/security/pam_krb5.so"}
- session required pam_unix.so
${optionalString ownDevices
"session optional
${pkgs.consolekit}/lib/security/pam_ck_connector.so"}
${optionalString forwardXAuth
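Review bot: Moving `password requisite pam_unix.so nullok sha512` to the top of the password stack means any pam_unix failure ends the stack before the pam_ldap and pam_krb5 lines are reached, so password changes for users that exist only in the directory would likely fail (inferred from `requisite` semantics, not tested here). The auth stack in this commit places pam_unix first as `sufficient`; using `password sufficient pam_unix.so nullok sha512` here would keep the local-first order without blocking the later modules. Separately, `nullok` is hard-coded on this line while the auth stack gates it on `allowNullPassword`, so the two stacks can disagree about empty passwords. The surrounding Nix string continues outside the hunk.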