From 07506308d6b7e03944c96e84c4010a4fcbf46944 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Tue, 16 Jan 2007 13:30:59 +0000
Subject: [PATCH] * Support LDAP authentication.

* Factor out the common parts of the PAM config files.

svn path=/nixos/trunk/; revision=7694
---
 system/etc.nix | 6 +++++-
 system/etc/pam.d/common-account | 2 ++
 system/etc/pam.d/common-auth | 3 +++
 system/etc/pam.d/common-password | 2 ++
 system/etc/pam.d/common-session | 2 ++
 system/etc/pam.d/login | 8 ++++----
 system/etc/pam.d/passwd | 8 ++++----
 system/etc/pam.d/sshd | 8 ++++----
 system/etc/pam.d/su | 8 ++++----
 system/etc/profile.sh | 4 ++--
 10 files changed, 32 insertions(+), 19 deletions(-)
 create mode 100644 system/etc/pam.d/common-account
 create mode 100644 system/etc/pam.d/common-auth
 create mode 100644 system/etc/pam.d/common-password
 create mode 100644 system/etc/pam.d/common-session

diff --git a/system/etc.nix b/system/etc.nix
index 17ace6e1f99c..a850a19398b1 100644
--- a/system/etc.nix
+++ b/system/etc.nix
@@ -75,7 +75,7 @@ import ../helpers/make-etc.nix {
 (program: {
 source = pkgs.substituteAll {
 src = ./etc/pam.d + ("/" + program);
- inherit (pkgs) pam_unix2;
+ inherit (pkgs) pam_unix2 pam_ldap;
 };
 target = "pam.d/" + program;
 }
@@ -88,6 +88,10 @@ import ../helpers/make-etc.nix {
 "shadow"
 "sshd"
 "useradd"
+"common-auth"
+"common-account"
+"common-password"
+"common-session"
 ]
 );
 }
\ No newline at end of file
diff --git a/system/etc/pam.d/common-account b/system/etc/pam.d/common-account
new file mode 100644
index 000000000000..50d0a58134ff
--- /dev/null
+++ b/system/etc/pam.d/common-account
@@ -0,0 +1,2 @@
+account optional @pam_ldap@/lib/security/pam_ldap.so
+account required @pam_unix2@/lib/security/pam_unix2.so
diff --git a/system/etc/pam.d/common-auth b/system/etc/pam.d/common-auth
new file mode 100644
index 000000000000..ec5d5d889a5e
--- /dev/null
+++ b/system/etc/pam.d/common-auth
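Review bot: The `account optional` control on the pam_ldap line in common-account means a denial returned by pam_ldap's account check (LDAP-side expiry, lockout or host restriction, if the deployment configures any) is discarded, because an optional module's result only counts when it is the only module in the stack and pam_unix2 follows it here. The practical effect is that only pam_unix2's account check gates access, so LDAP account policy is not enforced; if that is intended it deserves a comment in the file, otherwise a control that ignores only the unknown-user case keeps local users working while honouring LDAP denials, e.g. `account [success=ok user_unknown=ignore default=bad] @pam_ldap@/lib/security/pam_ldap.so`. Whether that bracketed control syntax is available depends on the PAM implementation being packaged, which the hunk does not show.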
@@ -0,0 +1,3 @@
+auth sufficient @pam_ldap@/lib/security/pam_ldap.so
+auth sufficient @pam_unix2@/lib/security/pam_unix2.so
+auth required pam_deny.so
diff --git a/system/etc/pam.d/common-password b/system/etc/pam.d/common-password
new file mode 100644
index 000000000000..f0ec89f12914
--- /dev/null
+++ b/system/etc/pam.d/common-password
@@ -0,0 +1,2 @@
+password sufficient @pam_ldap@/lib/security/pam_ldap.so
+password sufficient @pam_unix2@/lib/security/pam_unix2.so nullok
diff --git a/system/etc/pam.d/common-session b/system/etc/pam.d/common-session
new file mode 100644
index 000000000000..434fe930f77e
--- /dev/null
+++ b/system/etc/pam.d/common-session
@@ -0,0 +1,2 @@
+auth optional @pam_ldap@/lib/security/pam_ldap.so
+session required @pam_unix2@/lib/security/pam_unix2.so
diff --git a/system/etc/pam.d/login b/system/etc/pam.d/login
index 83c1bcd2f346..c3fad16bbef3 100644
--- a/system/etc/pam.d/login
+++ b/system/etc/pam.d/login
@@ -1,4 +1,4 @@
-auth required @pam_unix2@/lib/security/pam_unix2.so nullok
-account required @pam_unix2@/lib/security/pam_unix2.so
-password required @pam_unix2@/lib/security/pam_unix2.so nullok
-session required @pam_unix2@/lib/security/pam_unix2.so
+auth include common-auth
+account include common-account
+password include common-password
+session include common-session
diff --git a/system/etc/pam.d/passwd b/system/etc/pam.d/passwd
index d3463aab5ae6..c3fad16bbef3 100644
--- a/system/etc/pam.d/passwd
+++ b/system/etc/pam.d/passwd
@@ -1,4 +1,4 @@
-auth required @pam_unix2@/lib/security/pam_unix2.so
-account required @pam_unix2@/lib/security/pam_unix2.so
-password required @pam_unix2@/lib/security/pam_unix2.so nullok
-session required @pam_unix2@/lib/security/pam_unix2.so
+auth include common-auth
+account include common-account
+password include common-password
+session include common-session
diff --git a/system/etc/pam.d/sshd b/system/etc/pam.d/sshd
index d3463aab5ae6..c3fad16bbef3 100644
--- a/system/etc/pam.d/sshd
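Review bot: In common-auth both password-taking modules are stacked `sufficient` and the second carries no `use_first_pass`/`try_first_pass`, so a local user who is not in LDAP is prompted by pam_ldap, fails, and is prompted a second time by pam_unix2; besides the double prompt, the number of prompts tells the caller whether an account is LDAP-backed. Consider `auth sufficient @pam_unix2@/lib/security/pam_unix2.so use_first_pass` (or `try_first_pass`, if this pam_unix2 build supports it) so the password typed once is reused. This stack also carries no `nullok`, so the empty-password authentication that the `login` and `su` files previously allowed on their auth lines (visible in their hunks) is now rejected — a sensible tightening, but one the commit message does not mention, so a comment such as `# no nullok: empty passwords are never accepted for authentication` would record it. Note that `pam_deny.so` is the only module here referenced by bare name rather than a store path, which relies on the PAM default module directory, as the existing `pam_rootok.so` line in `su` already does.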
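Review bot: common-password has no terminating `password required pam_deny.so`, unlike common-auth, so when both `sufficient` modules fail the overall result is whatever error the modules happened to return rather than an explicit denial; adding the same terminator keeps the two files consistent and makes the failure mode explicit. The same double-prompt issue applies: pam_ldap asks for the current password and, on failure, pam_unix2 asks again unless given `use_first_pass`/`use_authtok`. As I read it, `nullok` on this password line only lets an account whose password is currently empty change it, which the old per-service files also allowed; a one-line comment saying so would stop a reader from mistaking it for the auth-side `nullok` that this commit drops.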
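Review bot: The first line of common-session is typed `auth` rather than `session`, so it is never consulted by the `session include common-session` directives the other hunks add (an include only pulls in lines of the including type), and pam_ldap's session handling is silently skipped while a dead `auth` entry sits in a session file. It should read `session optional @pam_ldap@/lib/security/pam_ldap.so`. If pam_ldap is deliberately not wanted in the session stack, delete the line rather than leaving it mistyped.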
+++ b/system/etc/pam.d/sshd
@@ -1,4 +1,4 @@
-auth required @pam_unix2@/lib/security/pam_unix2.so
-account required @pam_unix2@/lib/security/pam_unix2.so
-password required @pam_unix2@/lib/security/pam_unix2.so nullok
-session required @pam_unix2@/lib/security/pam_unix2.so
+auth include common-auth
+account include common-account
+password include common-password
+session include common-session
diff --git a/system/etc/pam.d/su b/system/etc/pam.d/su
index 3807b8a3d278..5fbdc16359a9 100644
--- a/system/etc/pam.d/su
+++ b/system/etc/pam.d/su
@@ -1,5 +1,5 @@
 auth sufficient pam_rootok.so
-auth required @pam_unix2@/lib/security/pam_unix2.so nullok
-account required @pam_unix2@/lib/security/pam_unix2.so
-password required @pam_unix2@/lib/security/pam_unix2.so nullok
-session required @pam_unix2@/lib/security/pam_unix2.so
+auth include common-auth
+account include common-account
+password include common-password
+session include common-session
diff --git a/system/etc/profile.sh b/system/etc/profile.sh
index 039fe34a7945..18f81f58c781 100644
--- a/system/etc/profile.sh
+++ b/system/etc/profile.sh
@@ -17,8 +17,8 @@ fi
 # Set up the per-user profile.
 NIX_USER_PROFILE_DIR=/nix/var/nix/profiles/per-user/$USER
 mkdir -m 0755 -p $NIX_USER_PROFILE_DIR
-if test "$(stat --printf '%U' $NIX_USER_PROFILE_DIR)" != "$USER"; then
- echo "WARNING: bad ownership on $_NIX_PROFILE_DIR" >&2
+if test "$(stat --printf '%u' $NIX_USER_PROFILE_DIR)" != "$(id -u)"; then
+ echo "WARNING: bad ownership on $NIX_USER_PROFILE_DIR" >&2
 fi
 
 if ! test -L $HOME/.nix-profile; then
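Review bot: The ownership check now compares numeric uids, but the directory it checks is still named after the environment variable `$USER` on the context line `NIX_USER_PROFILE_DIR=/nix/var/nix/profiles/per-user/$USER`, which the caller controls and which may be unset; with USER set to another account's name the `mkdir -m 0755 -p` creates that account's per-user directory owned by the caller (assuming the parent directory permits it) and the new check, comparing against the caller's own uid, passes. Naming the directory from the real identity, `NIX_USER_PROFILE_DIR=/nix/var/nix/profiles/per-user/$(id -un)`, and quoting the expansions, `mkdir -m 0755 -p "$NIX_USER_PROFILE_DIR"` and `stat --printf '%u' "$NIX_USER_PROFILE_DIR"`, closes that gap. When the check does fail the script only prints a warning and proceeds to the `.nix-profile` symlink setup that starts on the hunk's last line and continues outside it, so it presumably links `$HOME/.nix-profile` to a directory the user does not own; consider skipping that step when ownership is wrong.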