I change the ldap settings so pam_unix and 'files' always go in front of ldap,

instead of the opposite. Thus, /etc/passwd has priority over ldap. svn path=/nixos/trunk/; revision=26834
2024-11-25 00:12:56 +00:00 · 2011-04-13 20:48:50 +00:00 · 2011-04-13 20:48:50 +00:00 · 84bea7a351
commit 84bea7a351
parent d8a702f59f
2 changed files with 10 additions and 10 deletions
--- a/modules/config/nsswitch.conf
+++ b/modules/config/nsswitch.conf
@ -1,6 +1,6 @@
-passwd:         ldap files
-group:          ldap files
-shadow:         ldap files
+passwd:         files ldap
+group:          files ldap
+shadow:         files ldap

 hosts:          files dns
 networks:       files dns
--- a/modules/security/pam.nix
+++ b/modules/security/pam.nix
@ -61,21 +61,21 @@ let
        # module provides the right hooks.
        ''
          # Account management.
+          account sufficient pam_unix.so
          ${optionalString config.users.ldap.enable
-              "account optional ${pam_ldap}/lib/security/pam_ldap.so"}
+              "account sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
          ${optionalString config.krb5.enable
              "account sufficient ${pam_krb5}/lib/security/pam_krb5.so"}
-          account required pam_unix.so

          # Authentication management.
          ${optionalString rootOK
              "auth sufficient pam_rootok.so"}
          ${optionalString usbAuth
              "auth sufficient ${pam_usb}/lib/security/pam_usb.so"}
-          ${optionalString config.users.ldap.enable
-              "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
          auth sufficient pam_unix.so ${
-            optionalString allowNullPassword "nullok"}
+            optionalString allowNullPassword "nullok"} likeauth
+          ${optionalString config.users.ldap.enable
+              "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"}
          ${optionalString config.krb5.enable
 ''auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
 auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass
@ -84,20 +84,20 @@ auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_
          auth required   pam_deny.so

          # Password management.
+          password requisite pam_unix.so nullok sha512
          ${optionalString config.users.ldap.enable
              "password sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
          ${optionalString config.krb5.enable
              "password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass"}
-          password requisite pam_unix.so nullok sha512
          ${optionalString config.services.samba.syncPasswordsByPam
              "password optional ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass"}

          # Session management.
+          session required pam_unix.so
          ${optionalString config.users.ldap.enable
              "session optional ${pam_ldap}/lib/security/pam_ldap.so"}
          ${optionalString config.krb5.enable
              "session optional ${pam_krb5}/lib/security/pam_krb5.so"}
-          session required pam_unix.so
          ${optionalString ownDevices
              "session optional ${pkgs.consolekit}/lib/security/pam_ck_connector.so"}
          ${optionalString forwardXAuth