NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

PAM-LDAP login does not permit `passwd` #49161

Open naominitel opened 5 years ago

naominitel commented 5 years ago

I set up a machine with PAM login against an LDAP server. Authentication by SSH works as expected:

users.ldap = {
    enable = true;
    daemon.enable = true;

    server = "...";
    base = "...";

    daemon.extraConfig = ''
        tls_cacert  /ldap/cacert.pem
    '';
};

However a user trying to change their own password with passwd will get the following error:

passwd: User not known to the underlying authentication module
passwd: password unchanged

The generated /etc/pam.d/passwd which handles PAM options for the passwd tool contains the following options:

password requisite pam_unix.so nullok sha512
password sufficient /nix/store/snfwsiqw20bmj80bif26fjpk2rzs878p-nss-pam-ldapd-0.9.7/lib/security/pam_ldap.so

The requisite pam_unix module in the password section seems to be blocking the whole chain, since the user does not exist in the standard /etc/passwd file, and prevents the following LDAP line from being used.

It seems to be coming from that file:

https://github.com/NixOS/nixpkgs/blob/4c5b6d6e53556bb98e243e3c8bbda419a9863a96/nixos/modules/security/pam.nix#L341

I'm no expert in PAM and I'm not sure what the proper fix would be (turning the requisite into a sufficient, or changing the order?), but the actual configuration sounds just wrong: the LDAP pass will only be attempted if the pam_unix pass succeeds first. This makes little sense.

See: https://wiki.archlinux.org/index.php/LDAP_authentication#PAM_Configuration

Edit: As a temporary workaround, I manually edited the /etc/pam.d/passwd file to comment out the requisite pam_unix.so line, and I was able to change my LDAP password as expected. This is a bad fix though, since it will be overwritten at every nixos-rebuild.
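To make the control-flag behaviour concrete, here is an added Python simulation (not nixpkgs code and not a proposed patch) that walks the generated password stack with libpam's requisite/required/sufficient rules. The account sets and the two alternative stacks are constructed for the example and correspond to the two changes the report asks about.

```python
# Added simulation of libpam control-flag handling; this is not nixpkgs code.
# The user sets below are constructed for the example.
PAM_SUCCESS = "success"
PAM_USER_UNKNOWN = "user_unknown"  # "User not known to the underlying authentication module"
PAM_PERM_DENIED = "perm_denied"    # no module in the stack produced a positive result
CTX = {"local_users": {"root", "alice"}, "ldap_users": {"naomi"}}  # constructed accounts

def pam_unix(user, ctx):
    # pam_unix only knows accounts present in /etc/passwd
    return PAM_SUCCESS if user in ctx["local_users"] else PAM_USER_UNKNOWN

def pam_ldap(user, ctx):
    # pam_ldap only knows accounts found in the directory
    return PAM_SUCCESS if user in ctx["ldap_users"] else PAM_USER_UNKNOWN

MODULES = {"pam_unix.so": pam_unix, "pam_ldap.so": pam_ldap}

def run_stack(stack, user, ctx=CTX):
    """Walk (control, module) lines with libpam's rules: requisite failure
    returns at once; required failure is recorded but later lines still run;
    sufficient success returns at once unless a required line already failed,
    and sufficient failure is ignored. No positive result means denial."""
    impression, status = None, PAM_SUCCESS
    for control, module in stack:
        rc = MODULES[module](user, ctx)
        ok = rc == PAM_SUCCESS
        if control == "requisite":
            if not ok:
                return rc
            impression = impression or "positive"
        elif control == "required":
            if not ok and impression != "negative":
                impression, status = "negative", rc
            elif ok:
                impression = impression or "positive"
        elif control == "sufficient" and ok and impression != "negative":
            return PAM_SUCCESS
    if impression == "negative":
        return status
    return PAM_SUCCESS if impression == "positive" else PAM_PERM_DENIED

# The stack nixpkgs generated for /etc/pam.d/passwd in this report...
ISSUE_STACK = [("requisite", "pam_unix.so"), ("sufficient", "pam_ldap.so")]
# ...and the two changes the report asks about, as illustrative alternatives.
RELAXED_STACK = [("sufficient", "pam_unix.so"), ("sufficient", "pam_ldap.so")]
REORDERED_STACK = [("sufficient", "pam_ldap.so"), ("requisite", "pam_unix.so")]

if __name__ == "__main__":
    for name, stack in [("issue", ISSUE_STACK), ("relaxed", RELAXED_STACK), ("reordered", REORDERED_STACK)]:
        print(name, {u: run_stack(stack, u) for u in ("alice", "naomi", "nobody")})
```

Running it shows the LDAP-only account failing with user_unknown on the generated stack while local accounts succeed, and both alternatives letting the LDAP account through without admitting an account known to neither module.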

stale[bot] commented 4 years ago

Thank you for your contributions.

This has been automatically marked as stale because it has had no activity for 180 days.

If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.

Here are suggestions that might help resolve this more quickly:

  1. Search for maintainers and people that previously touched the related code and @ mention them in a comment.
  2. Ask on the NixOS Discourse.
  3. Ask on the #nixos channel on irc.freenode.net.