
Merge pull request #230857 from s1341/bugfix_pam_sssd

nixos/pam: Allow password changing via sssd

authored by Ryan Lahfa and committed by GitHub fe7b996d 84b4373d

+78 -6
+1 -1
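--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -638,7 +638,7 @@
 password sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf
 '' +
 optionalString config.services.sssd.enable ''
-password sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_authtok
+password sufficient ${pkgs.sssd}/lib/security/pam_sss.so
 '' +
 optionalString config.security.pam.krb5.enable ''
 password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass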
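Review bot: Dropping `use_authtok` from the pam_sss `password` line is left unexplained, and the `use_first_pass` on the pam_krb5 line directly below makes it likely that someone tidying this stack will re-add it for consistency. A one-line comment above the pam_sss line would pin the intent, e.g. `# no use_authtok: pam_sss must prompt for the current and new password itself for an LDAP password change (exercised by nixos/tests/sssd-ldap.nix)`. Presumably pam_sss now prompts on its own even when an earlier module in the stack has already collected a new password, so a host with both local and sssd-backed users may see a second prompt; the rest of the `password` stack is outside the hunk, so this is worth confirming against the pam_unix line above it. The enclosing string concatenation starts and ends outside the hunk.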
+76 -4
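--- a/nixos/tests/sssd-ldap.nix
+++ b/nixos/tests/sssd-ldap.nix
@@ -6,17 +6,33 @@
 ldapRootPassword = "foobar";
 
 testUser = "alice";
-in import ./make-test-python.nix ({pkgs, ...}: {
+testPassword = "foobar";
+testNewPassword = "barfoo";
+in
+import ./make-test-python.nix ({ pkgs, ... }: {
 name = "sssd-ldap";
 
 meta = with pkgs.lib.maintainers; {
-maintainers = [ bbigras ];
+maintainers = [ bbigras s1341 ];
 };
 
 nodes.machine = { pkgs, ... }: {
+security.pam.services.systemd-user.makeHomeDir = true;
+environment.etc."cert.pem".text = builtins.readFile ./common/acme/server/acme.test.cert.pem;
+environment.etc."key.pem".text = builtins.readFile ./common/acme/server/acme.test.key.pem;
 services.openldap = {
 enable = true;
+urlList = [ "ldap:///" "ldaps:///" ];
 settings = {
+attrs = {
+olcTLSCACertificateFile = "/etc/cert.pem";
+olcTLSCertificateFile = "/etc/cert.pem";
+olcTLSCertificateKeyFile = "/etc/key.pem";
+olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
+olcTLSCRLCheck = "none";
+olcTLSVerifyClient = "never";
+olcTLSProtocolMin = "3.1";
+};
 children = {
 "cn=schema".includes = [
 "${pkgs.openldap}/etc/schema/core.ldif"
@@ -32,6 +48,23 @@
 olcSuffix = dbSuffix;
 olcRootDN = "cn=${ldapRootUser},${dbSuffix}";
 olcRootPW = ldapRootPassword;
+olcAccess = [
+/*
+custom access rules for userPassword attributes
+*/
+''
+{0}to attrs=userPassword
+by self write
+by anonymous auth
+by * none''
+
+/*
+allow read on anything else
+*/
+''
+{1}to *
+by * read''
+];
 };
 };
 };
@@ -55,7 +88,7 @@
 dn: uid=${testUser},ou=accounts,ou=posix,${dbSuffix}
 objectClass: person
 objectClass: posixAccount
-# userPassword: somePasswordHash
+userPassword: ${testPassword}
 homeDirectory: /home/${testUser}
 uidNumber: 1234
 gidNumber: 1234
@@ -78,7 +111,9 @@
 [domain/${dbDomain}]
 auth_provider = ldap
 id_provider = ldap
-ldap_uri = ldap://127.0.0.1:389
+ldap_uri = ldaps://127.0.0.1:636
+ldap_tls_reqcert = allow
+ldap_tls_cacert = /etc/cert.pem
 ldap_search_base = ${dbSuffix}
 ldap_default_bind_dn = cn=${ldapRootUser},${dbSuffix}
 ldap_default_authtok_type = password
@@ -97,5 +132,42 @@
 else:
 machine.wait_for_console_text("Backend is online")
 machine.succeed("getent passwd ${testUser}")
+
+with subtest("Log in as ${testUser}"):
+machine.wait_until_tty_matches("1", "login: ")
+machine.send_chars("${testUser}\n")
+machine.wait_until_tty_matches("1", "login: ${testUser}")
+machine.wait_until_succeeds("pgrep login")
+machine.wait_until_tty_matches("1", "Password: ")
+machine.send_chars("${testPassword}\n")
+machine.wait_until_succeeds("pgrep -u ${testUser} bash")
+machine.send_chars("touch done\n")
+machine.wait_for_file("/home/${testUser}/done")
+
+with subtest("Change ${testUser}'s password"):
+machine.send_chars("passwd\n")
+machine.wait_until_tty_matches("1", "Current Password: ")
+machine.send_chars("${testPassword}\n")
+machine.wait_until_tty_matches("1", "New Password: ")
+machine.send_chars("${testNewPassword}\n")
+machine.wait_until_tty_matches("1", "Reenter new Password: ")
+machine.send_chars("${testNewPassword}\n")
+machine.wait_until_tty_matches("1", "passwd: password updated successfully")
+
+with subtest("Log in as ${testUser} with new password in virtual console 2"):
+machine.send_key("alt-f2")
+machine.wait_until_succeeds("[ $(fgconsole) = 2 ]")
+machine.wait_for_unit("getty@tty2.service")
+machine.wait_until_succeeds("pgrep -f 'agetty.*tty2'")
+
+machine.wait_until_tty_matches("2", "login: ")
+machine.send_chars("${testUser}\n")
+machine.wait_until_tty_matches("2", "login: ${testUser}")
+machine.wait_until_succeeds("pgrep login")
+machine.wait_until_tty_matches("2", "Password: ")
+machine.send_chars("${testNewPassword}\n")
+machine.wait_until_succeeds("pgrep -u ${testUser} bash")
+machine.send_chars("touch done2\n")
+machine.wait_for_file("/home/${testUser}/done2")
 '';
 })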
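Review bot: The new TLS settings relax verification on both ends — `olcTLSCipherSuite` admits `+aNULL` and `+RC4`, `olcTLSVerifyClient = "never"` on the server, and `ldap_tls_reqcert = allow` on the sssd side even though `ldap_tls_cacert` is supplied — and nothing in the file marks them as test fixtures, while NixOS tests are routinely copied as configuration starting points. I would add a comment above `attrs`, e.g. `# test-only TLS settings: self-signed test cert, aNULL/RC4 admitted, client does not require a valid server cert; not a template for real deployments`, and a matching one-liner on `ldap_tls_reqcert`. The `{1}to * by * read` ACL likewise grants anonymous read of every non-password attribute and `userPassword` is written unhashed in the LDIF, which is fine for the test but deserves the same "test-only" marker in the existing `/* */` comment. Whether `demand` would work here with the cert in `/etc/cert.pem` depends on that certificate's subject matching `127.0.0.1`, which is not visible on this page, so I am not asking for the change itself. The enclosing `let` starts before the first hunk.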
+1 -1
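--- a/pkgs/os-specific/linux/pam/default.nix
+++ b/pkgs/os-specific/linux/pam/default.nix
@@ -44,7 +44,7 @@
 doCheck = false; # fails
 
 passthru.tests = {
-inherit (nixosTests) pam-oath-login pam-u2f shadow;
+inherit (nixosTests) pam-oath-login pam-u2f shadow sssd-ldap;
 };
 
 meta = with lib; {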