Open naominitel opened 5 years ago
Thank you for your contributions.
This has been automatically marked as stale because it has had no activity for 180 days.
If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.
Here are suggestions that might help resolve this more quickly:
I set up a machine with PAM login against an LDAP server. Authentication by SSH works as expected:

However, a user trying to change their own password with `passwd` will get the following error:

The generated `/etc/pam.d/passwd`, which handles PAM options for the `passwd` tool, contains the following options:

The `requisite pam_unix` module in the `password` section seems to be blocking the whole chain, since the user does not exist in the standard `/etc/passwd` file, and prevents the following LDAP line from being used. It seems to be coming from that file:
https://github.com/NixOS/nixpkgs/blob/4c5b6d6e53556bb98e243e3c8bbda419a9863a96/nixos/modules/security/pam.nix#L341

I'm no expert in PAM and I'm not sure what the proper fix would be (turning the `requisite` into a `sufficient`, or changing the order?), but the actual configuration sounds just wrong: the LDAP pass will only be attempted if the `pam_unix` pass succeeds first. This makes little sense. See: https://wiki.archlinux.org/index.php/LDAP_authentication#PAM_Configuration

Edit: As a temporary workaround, I manually edited the `/etc/pam.d/passwd` file to comment out the `requisite pam_unix.so` line, and I was able to change my LDAP password as expected. This is a bad fix though, since it will be overwritten at every `nixos-rebuild`.
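The behaviour described in this issue comes down to how Linux-PAM walks a module stack: a `requisite` module that fails aborts the chain immediately, so nothing after it runs. The following added example (written for this page, not code from the issue author or from nixpkgs) simulates the `pam.conf(5)` control-flag rules for `required`, `requisite`, `sufficient` and `optional` over a constructed `password` stack. The module functions `pam_unix`, `pam_ldap` and `pam_deny`, the user sets, and the return-code constants are all assumptions made for the simulation; `ALT_STACK` is one hypothetical ordering in the style of the Arch wiki page linked above, not the fix the NixOS module adopted.

```python
"""Simulate Linux-PAM control-flag evaluation for a `password` stack.

Constructed example. Each module is a callable taking a user name and
returning a PAM-style result code. The control-flag semantics follow
pam.conf(5); the numeric codes below are illustrative, not libpam's.
Real chauthtok runs the stack twice (PAM_PRELIM_CHECK, PAM_UPDATE_AUTHTOK);
a single pass is enough to show which modules get a chance to run.
"""

PAM_SUCCESS = 0
PAM_USER_UNKNOWN = 10
PAM_AUTHTOK_ERR = 20

# Constructed account data: alice is in /etc/passwd, bob only in LDAP.
LOCAL_USERS = {"alice"}
LDAP_USERS = {"bob"}


def pam_unix(user):
    """Stand-in for pam_unix.so: only knows about /etc/passwd users."""
    return PAM_SUCCESS if user in LOCAL_USERS else PAM_USER_UNKNOWN


def pam_ldap(user):
    """Stand-in for pam_ldap.so: only knows about directory users."""
    return PAM_SUCCESS if user in LDAP_USERS else PAM_USER_UNKNOWN


def pam_deny(user):
    """Stand-in for pam_deny.so: always fails, closes an all-sufficient stack."""
    return PAM_AUTHTOK_ERR


def run_stack(stack, user):
    """Walk `stack` in order applying pam.conf(5) control-flag rules.

    Returns (final_result, list_of_module_names_actually_invoked).
    - requisite: failure returns immediately (earlier required failure wins).
    - required:  failure is remembered, but later modules still run.
    - sufficient: success ends the stack with PAM_SUCCESS unless an earlier
      required/requisite module already failed; failure is ignored.
    - optional: result ignored (when other modules exist).
    """
    final = None  # first failure recorded by a required module
    invoked = []
    for control, module in stack:
        rc = module(user)
        invoked.append(module.__name__)
        if control == "requisite":
            if rc != PAM_SUCCESS:
                return (final if final is not None else rc), invoked
        elif control == "required":
            if rc != PAM_SUCCESS and final is None:
                final = rc
        elif control == "sufficient":
            if rc == PAM_SUCCESS and final is None:
                return PAM_SUCCESS, invoked
        elif control == "optional":
            pass
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return (final if final is not None else PAM_SUCCESS), invoked


# The ordering the issue reports: pam_unix is requisite and comes first,
# so an LDAP-only user is rejected before pam_ldap is ever consulted.
REPORTED_STACK = [("requisite", pam_unix), ("sufficient", pam_ldap)]

# Hypothetical alternative (assumption, not the nixpkgs fix): try each
# backend as sufficient and let pam_deny fail the request if none matched.
ALT_STACK = [
    ("sufficient", pam_unix),
    ("sufficient", pam_ldap),
    ("required", pam_deny),
]


if __name__ == "__main__":
    for name, stack in (("reported", REPORTED_STACK), ("alternative", ALT_STACK)):
        for user in ("alice", "bob", "mallory"):
            rc, seen = run_stack(stack, user)
            print(f"{name:12s} user={user:8s} result={rc:2d} invoked={seen}")
```

Running the block shows that with `REPORTED_STACK` the LDAP-only user `bob` is rejected by `pam_unix` before `pam_ldap` runs at all, while the local user `alice` succeeds; with `ALT_STACK` both known users reach a backend that accepts them and an unknown user is rejected by `pam_deny`.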