mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-02-23 12:37:00 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix: PAM on Debian, enable use_first_pass by default (#3326)

Browse source 
Since we use Debian's PAM autoconf, pam_unix isn't disabled and remains active.
This means pam_unix triggers first and pam_kanidm should use the password it already tried to match to a local user.

This change also moves the postinst hook for PAM config correctly to the libpam-kanidm package,
since that's the one that delivers the config that needs a reinstall!
This commit is contained in:
Jinna Kiisuo 2025-01-01 00:40:14 +02:00 committed by William Brown
parent 3ce4e0ff87
commit 3f47d7f008
4 changed files with 32 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
unix_integration/pam_kanidm/Cargo.toml
View file

@ -35,6 +35,7 @@ maintainer = "James Hodgkinson <james@terminaloutcomes.com>"
depends = ["libc6", "libpam0g"] depends = ["libc6", "libpam0g"]
section = "network" section = "network"
priority = "optional" priority = "optional"
maintainer-scripts = "debian/"
assets = [ assets = [
# Empty on purpose # Empty on purpose
] ]

2
unix_integration/pam_kanidm/debian/kanidm.pam
View file

@ -4,7 +4,7 @@ Priority: 128
Auth-Type: Primary Auth-Type: Primary
Auth: Auth:
[success=end new_authtok_reqd=done default=ignore] pam_kanidm.so ignore_unknown_user [success=end new_authtok_reqd=done default=ignore] pam_kanidm.so ignore_unknown_user use_first_pass
Account-Type: Primary Account-Type: Primary
Account: Account:

29
unix_integration/pam_kanidm/debian/postinst Normal file
View file

@ -0,0 +1,29 @@
#!/bin/sh
# postinst script for libpam-kanidm
#
# see: dh_installdeb(1)
set -e
case "$1" in
configure)
echo "Updating PAM configuration"
pam-auth-update --package
;;
abort-upgrade|abort-remove|abort-deconfigure)
;;
*)
echo "postinst called with unknown argument \`$1'" >&2
exit 1
;;
esac
# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.
#DEBHELPER#
exit 0

3
unix_integration/resolver/debian/postinst
View file

@ -8,13 +8,12 @@ set -e
case "$1" in case "$1" in
configure) configure)
pam-auth-update --package
echo "=============================" echo "============================="
echo "Thanks for installing Kanidm!" echo "Thanks for installing Kanidm!"
echo "=============================" echo "============================="
echo "Please ensure you modify the configuration files at /etc/kanidm/unixd and /etc/kanidm/config" echo "Please ensure you modify the configuration files at /etc/kanidm/unixd and /etc/kanidm/config"
echo "Full examples are in /usr/share/kanidm-unixd/" echo "Full examples are in /usr/share/kanidm-unixd/"
echo "To configure nsswitch, please follow instructions in https://kanidm.github.io/kanidm/master/integrations/pam_and_nsswitch.html" echo "PAM has already been autoconfigured by the libpam-kanidm package. To configure nsswitch, please follow instructions in https://kanidm.github.io/kanidm/master/integrations/pam_and_nsswitch.html"
;; ;;
abort-upgrade|abort-remove|abort-deconfigure) abort-upgrade|abort-remove|abort-deconfigure)