author | Simon Rettberg | 2015-09-13 17:50:05 +0200 |
---|---|---|
committer | Simon Rettberg | 2015-09-13 17:50:05 +0200 |
commit | 576aaf1c9104bdec441c8565bf24f35731c93f82 (patch) | |
tree | 3412ef89362a7852279099a3c36197936863defe | |
parent | Refine mount script, updater backup/restore to handle new dozmod db (diff) | |
Fix pam scripts (ldap -> sss)
-rw-r--r-- | data/ad/common-account | 2 | ||||
-rw-r--r-- | data/ad/common-auth | 2 | ||||
-rw-r--r-- | data/ad/common-password | 3 | ||||
-rw-r--r-- | data/ad/common-session | 6 | ||||
-rw-r--r-- | data/ad/common-session-noninteractive | 4 | ||||
-rw-r--r-- | data/ad/sssd.conf.template | 3 |
6 files changed, 9 insertions, 11 deletions
diff --git a/data/ad/common-account b/data/ad/common-account
index a72effc..5de6729 100644
--- a/data/ad/common-account
+++ b/data/ad/common-account
@@ -1,5 +1,5 @@
 account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
-account [success=1 default=ignore] pam_ldap.so
+account [success=1 default=ignore] pam_sss.so use_first_pass
 # here's the fallback if no module succeeds
 account requisite pam_deny.so
 # prime the stack with a positive return value if there isn't one already;
diff --git a/data/ad/common-auth b/data/ad/common-auth
index 952b3e2..2fb9810 100644
--- a/data/ad/common-auth
+++ b/data/ad/common-auth
@@ -1,5 +1,5 @@
 auth [success=2 default=ignore] pam_unix.so nullok_secure
-auth [success=1 default=ignore] pam_ldap.so use_first_pass
+auth [success=1 default=ignore] pam_sss.so use_first_pass
 # here's the fallback if no module succeeds
 auth requisite pam_deny.so
 auth optional pam_script.so expose=1
diff --git a/data/ad/common-password b/data/ad/common-password
index a510306..9362eac 100644
--- a/data/ad/common-password
+++ b/data/ad/common-password
@@ -1,5 +1,4 @@
-password [success=2 default=ignore] pam_unix.so obscure sha512
-password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
+password [success=1 default=ignore] pam_unix.so obscure sha512
 # here's the fallback if no module succeeds
 password requisite pam_deny.so
 # prime the stack with a positive return value if there isn't one already;
diff --git a/data/ad/common-session b/data/ad/common-session
index 992bd9d..f5651a9 100644
--- a/data/ad/common-session
+++ b/data/ad/common-session
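Review bot: In data/ad/common-account the new `pam_sss.so` line is only reached when `pam_unix.so` does not return success, because the first line carries `success=2` and jumps over both it and `pam_deny.so`. pam_unix's account check commonly succeeds for users that resolve through NSS but have no local shadow entry, so sssd's own account checks (expiry, lockout, any access provider) would probably never run for directory users; this is worth confirming on a test host. Running sss unconditionally after the fallback, for example `account [default=bad success=ok user_unknown=ignore] pam_sss.so`, would enforce them. `use_first_pass` is an auth/password option and has no meaning on an account line, so it can be dropped there.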
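Review bot: The single `pam_unix.so` line that remains in data/ad/common-password leaves no module that can change a directory password, and nothing in the file says this is intended. With `success=1 default=ignore` a password change for a directory user falls through to `pam_deny.so`, which fails safely, but a user whose directory password has expired cannot renew it from this host. I would add a comment above the line such as `# directory (sss) passwords cannot be changed here; only local accounts are handled by pam_unix`, or add a `pam_sss.so use_authtok` entry if changes are meant to be supported.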
@@ -14,7 +14,7 @@ session required pam_systemd.so
 session optional pam_env.so readenv=1
 session optional pam_env.so readenv=1 envfile=/etc/default/locale
 # and here are more per-package modules (the "Additional" block)
-session required pam_unix.so
-session optional pam_ldap.so
-session sufficient pam_script.so
+session [success=1] pam_unix.so
+session [success=ok] pam_sss.so
+session sufficient pam_script.so
diff --git a/data/ad/common-session-noninteractive b/data/ad/common-session-noninteractive
index d984b1d..36b573c 100644
--- a/data/ad/common-session-noninteractive
+++ b/data/ad/common-session-noninteractive
@@ -11,6 +11,6 @@ session required pam_permit.so
 # See "man pam_umask".
 session optional pam_umask.so
 # and here are more per-package modules (the "Additional" block)
-session required pam_unix.so
-session optional pam_ldap.so
+session sufficient pam_unix.so
+session sufficient pam_sss.so
diff --git a/data/ad/sssd.conf.template b/data/ad/sssd.conf.template
index 90b25ed..93dbc3f 100644
--- a/data/ad/sssd.conf.template
+++ b/data/ad/sssd.conf.template
@@ -6,14 +6,13 @@ domains = LDAP
 filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd,demo
 [pam]
 [domain/LDAP]
+filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd,demo
 id_provider = ldap
 auth_provider = ldap
 ldap_tls_reqcert = demand
 ldap_tls_cacert = %CACERT%
 ldap_schema = rfc2307
 ldap_uri = %URI%
-ldap_group_search_base = %SEARCHBASE%
-ldap_user_search_base = %SEARCHBASE%
 ldap_search_base = %SEARCHBASE%
 cache_credentials = true |
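Review bot: `session [success=1] pam_unix.so` in data/ad/common-session jumps over the `pam_sss.so` line whenever pam_unix's session hook succeeds, which it normally does for every user, so the sss session module is effectively never called. Return codes not listed inside the brackets are, as far as I know, treated as `bad` by Linux-PAM, so `[success=ok] pam_sss.so` would fail the session stack if it did run while sssd was unreachable. The data/ad/common-session-noninteractive hunk has the same shape with `sufficient`: the stack returns at `pam_unix.so` and the old `required` guarantee is gone. If both modules are meant to run, `session required pam_unix.so` followed by `session optional pam_sss.so` expresses that. Both files begin above these hunks, so the earlier lines were not checked.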
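Review bot: The `filter_users` line added under `[domain/LDAP]` in data/ad/sssd.conf.template filters by name only, so a directory entry that carries a different name with a low or zero uidNumber is still resolved. If the directory is not fully trusted to hand out IDs, a `min_id` setting in the same section (for example `min_id = 1000`, value to be chosen per site) would drop such entries. A short comment on the new line saying that it keeps local system account names from being answered by the directory would also help, since the same list already appears earlier in the file. The section continues past the end of the hunk, so an existing `min_id` would not be visible here.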