authorSimon Rettberg2015-09-13 17:50:05 +0200
committerSimon Rettberg2015-09-13 17:50:05 +0200
commit576aaf1c9104bdec441c8565bf24f35731c93f82 (patch)
tree3412ef89362a7852279099a3c36197936863defe /data
parentRefine mount script, updater backup/restore to handle new dozmod db (diff)
downloadtmlite-bwlp-576aaf1c9104bdec441c8565bf24f35731c93f82.tar.gz
tmlite-bwlp-576aaf1c9104bdec441c8565bf24f35731c93f82.tar.xz
tmlite-bwlp-576aaf1c9104bdec441c8565bf24f35731c93f82.zip
Fix pam scripts (ldap -> sss)
Diffstat (limited to 'data')
-rw-r--r--data/ad/common-account2
-rw-r--r--data/ad/common-auth2
-rw-r--r--data/ad/common-password3
-rw-r--r--data/ad/common-session6
-rw-r--r--data/ad/common-session-noninteractive4
-rw-r--r--data/ad/sssd.conf.template3
6 files changed, 9 insertions, 11 deletions
diff --git a/data/ad/common-account b/data/ad/common-account
index a72effc..5de6729 100644
--- a/data/ad/common-account
+++ b/data/ad/common-account
@@ -1,5 +1,5 @@
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
-account [success=1 default=ignore] pam_ldap.so
+account [success=1 default=ignore] pam_sss.so use_first_pass
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
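Review bot: The `pam_sss.so` account line is only reached when `pam_unix.so` does not return success, because `success=2` on the first line jumps over it. pam_unix's account check can return success for a directory user that NSS resolves but that has no local shadow entry, in which case SSSD's own account checks (access_provider rules, expiry or lockout from the directory) would not be consulted; this should be verified against the deployed pam_unix. Consider running pam_sss outside the jump chain, for example `account sufficient pam_localuser.so` followed by `account [default=bad success=ok user_unknown=ignore] pam_sss.so` after the fallback block, with `success=1` on pam_unix. `use_first_pass` is a password-handling option and has no role in the account stack, so it can be dropped here. The file continues past the end of this hunk.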
diff --git a/data/ad/common-auth b/data/ad/common-auth
index 952b3e2..2fb9810 100644
--- a/data/ad/common-auth
+++ b/data/ad/common-auth
@@ -1,5 +1,5 @@
auth [success=2 default=ignore] pam_unix.so nullok_secure
-auth [success=1 default=ignore] pam_ldap.so use_first_pass
+auth [success=1 default=ignore] pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
auth optional pam_script.so expose=1
diff --git a/data/ad/common-password b/data/ad/common-password
index a510306..9362eac 100644
--- a/data/ad/common-password
+++ b/data/ad/common-password
@@ -1,5 +1,4 @@
-password [success=2 default=ignore] pam_unix.so obscure sha512
-password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
+password [success=1 default=ignore] pam_unix.so obscure sha512
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
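Review bot: No `pam_sss.so` line replaces the removed `pam_ldap.so` entry, so the password stack is now pam_unix followed directly by `pam_deny.so`. A password change for a directory account would presumably fail in pam_unix and end in the deny instead of being handed to SSSD. If that is intended, a comment such as `# password changes for directory users are not supported on this host` above the pam_unix line would record it. If it is not, keep `success=2` on pam_unix and add `password [success=1 default=ignore] pam_sss.so use_authtok` below it. The file continues past the end of this hunk.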
diff --git a/data/ad/common-session b/data/ad/common-session
index 992bd9d..f5651a9 100644
--- a/data/ad/common-session
+++ b/data/ad/common-session
@@ -14,7 +14,7 @@ session required pam_systemd.so
session optional pam_env.so readenv=1
session optional pam_env.so readenv=1 envfile=/etc/default/locale
# and here are more per-package modules (the "Additional" block)
-session required pam_unix.so
-session optional pam_ldap.so
-session sufficient pam_script.so
+session [success=1] pam_unix.so
+session [success=ok] pam_sss.so
+session sufficient pam_script.so
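Review bot: `session [success=1] pam_unix.so` skips the `pam_sss.so` line whenever pam_unix succeeds, and pam_unix's session hook normally does, so SSSD's session handling would not run on an ordinary login. A bracketed control without `default=` treats every unlisted return code as a failure, so when pam_sss is reached, a non-success result from it (for instance for a user SSSD does not know) fails the session stack. The same pattern is in the common-session-noninteractive hunk, where `session sufficient pam_unix.so` ends the stack on success before `pam_sss.so` is tried. If the intent is to run both modules, `session required pam_unix.so` followed by `session optional pam_sss.so` expresses that in both files.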
diff --git a/data/ad/common-session-noninteractive b/data/ad/common-session-noninteractive
index d984b1d..36b573c 100644
--- a/data/ad/common-session-noninteractive
+++ b/data/ad/common-session-noninteractive
@@ -11,6 +11,6 @@ session required pam_permit.so
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
-session required pam_unix.so
-session optional pam_ldap.so
+session sufficient pam_unix.so
+session sufficient pam_sss.so
diff --git a/data/ad/sssd.conf.template b/data/ad/sssd.conf.template
index 90b25ed..93dbc3f 100644
--- a/data/ad/sssd.conf.template
+++ b/data/ad/sssd.conf.template
@@ -6,14 +6,13 @@ domains = LDAP
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd,demo
[pam]
[domain/LDAP]
+filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd,demo
id_provider = ldap
auth_provider = ldap
ldap_tls_reqcert = demand
ldap_tls_cacert = %CACERT%
ldap_schema = rfc2307
ldap_uri = %URI%
-ldap_group_search_base = %SEARCHBASE%
-ldap_user_search_base = %SEARCHBASE%
ldap_search_base = %SEARCHBASE%
cache_credentials = true