From 576aaf1c9104bdec441c8565bf24f35731c93f82 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Sun, 13 Sep 2015 17:50:05 +0200
Subject: Fix pam scripts (ldap -> sss)

---
 data/ad/common-account | 2 +-
 data/ad/common-auth | 2 +-
 data/ad/common-password | 3 +--
 data/ad/common-session | 6 +++---
 data/ad/common-session-noninteractive | 4 ++--
 data/ad/sssd.conf.template | 3 +--
 6 files changed, 9 insertions(+), 11 deletions(-)
(limited to 'data')
diff --git a/data/ad/common-account b/data/ad/common-account
index a72effc..5de6729 100644
--- a/data/ad/common-account
+++ b/data/ad/common-account
@@ -1,5 +1,5 @@
 account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
-account [success=1 default=ignore] pam_ldap.so
+account [success=1 default=ignore] pam_sss.so use_first_pass
 # here's the fallback if no module succeeds
 account requisite pam_deny.so
 # prime the stack with a positive return value if there isn't one already;
diff --git a/data/ad/common-auth b/data/ad/common-auth
index 952b3e2..2fb9810 100644
--- a/data/ad/common-auth
+++ b/data/ad/common-auth
@@ -1,5 +1,5 @@
 auth [success=2 default=ignore] pam_unix.so nullok_secure
-auth [success=1 default=ignore] pam_ldap.so use_first_pass
+auth [success=1 default=ignore] pam_sss.so use_first_pass
 # here's the fallback if no module succeeds
 auth requisite pam_deny.so
 auth optional pam_script.so expose=1
diff --git a/data/ad/common-password b/data/ad/common-password
index a510306..9362eac 100644
--- a/data/ad/common-password
+++ b/data/ad/common-password
@@ -1,5 +1,4 @@
-password [success=2 default=ignore] pam_unix.so obscure sha512
-password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
+password [success=1 default=ignore] pam_unix.so obscure sha512
 # here's the fallback if no module succeeds
 password requisite pam_deny.so
 # prime the stack with a positive return value if there isn't one already;
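Review bot: In the new `account [success=1 default=ignore] pam_sss.so` line, pam_sss is only reached when pam_unix did not succeed, because the preceding `success=2` jumps over both it and pam_deny; if pam_unix's account check passes for directory users (they resolve through NSS, and as far as I know pam_unix returns success when no local shadow entry is involved), sssd's account-level decisions — expired or disabled accounts, access filters — are never consulted for exactly the users they exist for. `use_first_pass` is an authentication-phase option and has no effect on an account line. Debian's sssd layout avoids the skip by running pam_sss after the stack's pam_permit, with `pam_localuser.so` exempting local accounts; the rewrite below follows that pattern. The file continues past the hunk (the pam_permit line announced by the last comment is outside it).
```pam
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# … unchanged: the "prime the stack" comment and the pam_permit line that follows it …
# local accounts are fully checked by pam_unix; directory accounts must also pass sssd's checks
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
```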
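Review bot: After this change the password stack has no module that can change a directory user's password: the pam_ldap line is removed without a pam_sss counterpart, pam_unix cannot change a password it does not store, and its non-success result falls through `default=ignore` to the requisite pam_deny, so `passwd` and forced changes at login (expired passwords) will fail for every sssd user. If directory users are supposed to change passwords through these hosts, change the pam_unix line to `password [success=2 default=ignore] pam_unix.so obscure sha512` and add `password sufficient pam_sss.so use_authtok` directly below it, before pam_deny, mirroring what Debian's sssd package configures. If password changes are intentionally unsupported here, a comment saying so above the pam_unix line would save the next reader the same question. The file continues past the hunk.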
diff --git a/data/ad/common-session b/data/ad/common-session
index 992bd9d..f5651a9 100644
--- a/data/ad/common-session
+++ b/data/ad/common-session
@@ -14,7 +14,7 @@ session required pam_systemd.so
 session optional pam_env.so readenv=1
 session optional pam_env.so readenv=1 envfile=/etc/default/locale
 # and here are more per-package modules (the "Additional" block)
-session required pam_unix.so
-session optional pam_ldap.so
-session sufficient pam_script.so
+session [success=1] pam_unix.so
+session [success=ok] pam_sss.so
+session sufficient pam_script.so
diff --git a/data/ad/common-session-noninteractive b/data/ad/common-session-noninteractive
index d984b1d..36b573c 100644
--- a/data/ad/common-session-noninteractive
+++ b/data/ad/common-session-noninteractive
@@ -11,6 +11,6 @@ session required pam_permit.so
 # See "man pam_umask".
 session optional pam_umask.so
 # and here are more per-package modules (the "Additional" block)
-session required pam_unix.so
-session optional pam_ldap.so
+session sufficient pam_unix.so
+session sufficient pam_sss.so
diff --git a/data/ad/sssd.conf.template b/data/ad/sssd.conf.template
index 90b25ed..93dbc3f 100644
--- a/data/ad/sssd.conf.template
+++ b/data/ad/sssd.conf.template
@@ -6,14 +6,13 @@ domains = LDAP
 filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd,demo
 [pam]
 [domain/LDAP]
+filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd,demo
 id_provider = ldap
 auth_provider = ldap
 ldap_tls_reqcert = demand
 ldap_tls_cacert = %CACERT%
 ldap_schema = rfc2307
 ldap_uri = %URI%
-ldap_group_search_base = %SEARCHBASE%
-ldap_user_search_base = %SEARCHBASE%
 ldap_search_base = %SEARCHBASE%
 cache_credentials = true
--
cgit v1.2.3-55-g7522
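Review bot: `session [success=1] pam_unix.so` skips the new pam_sss line whenever pam_unix's session call succeeds, and as far as I can tell that call only logs the session and returns success for every resolvable user, so pam_sss's session handling effectively never runs; common-session-noninteractive has the same problem, where `sufficient pam_unix.so` ends the stack before `sufficient pam_sss.so` is reached. A bracketed control field with no `default=` entry also treats every unlisted return value as a failure, as I read pam.conf(5), so `[success=1]` and `[success=ok]` are stricter than the `required`/`optional` pair they replace. If the previous behaviour with the new module is what is wanted, `session required pam_unix.so` followed by `session optional pam_sss.so` in both files gives it; if bypassing pam_sss is deliberate, a comment above the pam_unix line stating why, and that it applies to directory users as well, would be worth adding. Both enclosing files continue outside their hunks.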
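Review bot: The added `filter_users = …` under `[domain/LDAP]` duplicates, character for character, the line that remains in the context three lines above it, so the same list now has to be maintained in two places. sssd documents `filter_users` under `[nss]` (per-domain placement is also honoured in the versions I know), and the existing copy sits directly below `domains = LDAP`, an `[sssd]`-section option, so it may be in a section where it is not honoured; since sssd of that era ignores unrecognised options rather than rejecting them, neither copy fails loudly if misplaced. I'd keep a single copy in the section the deployed sssd version honours and put a comment above it such as `# system accounts that must never be resolved from the directory`. The hunk starts at line 6, so the section header above `domains = LDAP` is not visible here.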