* Support LDAP authentication.

* Factor out the common parts of the PAM config files.

svn path=/nixos/trunk/; revision=7694

system/etc.nix

@@ -75,7 +75,7 @@ import ../helpers/make-etc.nix {
     (program:
       { source = pkgs.substituteAll {
           src = ./etc/pam.d + ("/" + program);
-          inherit (pkgs) pam_unix2;
+          inherit (pkgs) pam_unix2 pam_ldap;
         };
         target = "pam.d/" + program;
       }
@@ -88,6 +88,10 @@ import ../helpers/make-etc.nix {
       "shadow"
       "sshd"
       "useradd"
+      "common-auth"
+      "common-account"
+      "common-password"
+      "common-session"
     ]
   );
 }

system/etc/pam.d/common-account

@@ -0,0 +1,2 @@
+account  optional       @pam_ldap@/lib/security/pam_ldap.so 
+account  required       @pam_unix2@/lib/security/pam_unix2.so

system/etc/pam.d/common-auth

@@ -0,0 +1,3 @@
+auth     sufficient     @pam_ldap@/lib/security/pam_ldap.so 
+auth     sufficient     @pam_unix2@/lib/security/pam_unix2.so
+auth     required       pam_deny.so

system/etc/pam.d/common-password

@@ -0,0 +1,2 @@
+password sufficient     @pam_ldap@/lib/security/pam_ldap.so 
+password sufficient     @pam_unix2@/lib/security/pam_unix2.so nullok

system/etc/pam.d/common-session

@@ -0,0 +1,2 @@
+auth     optional       @pam_ldap@/lib/security/pam_ldap.so 
+session  required       @pam_unix2@/lib/security/pam_unix2.so

system/etc/pam.d/login

@@ -1,4 +1,4 @@
-auth     required       @pam_unix2@/lib/security/pam_unix2.so nullok
+auth     include        common-auth
-account  required       @pam_unix2@/lib/security/pam_unix2.so
+account  include        common-account
-password required       @pam_unix2@/lib/security/pam_unix2.so nullok
+password include        common-password
-session  required       @pam_unix2@/lib/security/pam_unix2.so
+session  include        common-session

system/etc/pam.d/passwd

@@ -1,4 +1,4 @@
-auth     required       @pam_unix2@/lib/security/pam_unix2.so
+auth     include        common-auth
-account  required       @pam_unix2@/lib/security/pam_unix2.so
+account  include        common-account
-password required       @pam_unix2@/lib/security/pam_unix2.so nullok
+password include        common-password
-session  required       @pam_unix2@/lib/security/pam_unix2.so
+session  include        common-session

system/etc/pam.d/sshd

@@ -1,4 +1,4 @@
-auth     required       @pam_unix2@/lib/security/pam_unix2.so
+auth     include        common-auth
-account  required       @pam_unix2@/lib/security/pam_unix2.so
+account  include        common-account
-password required       @pam_unix2@/lib/security/pam_unix2.so nullok
+password include        common-password
-session  required       @pam_unix2@/lib/security/pam_unix2.so
+session  include        common-session

system/etc/pam.d/su

@@ -1,5 +1,5 @@
 auth     sufficient     pam_rootok.so
-auth     required       @pam_unix2@/lib/security/pam_unix2.so nullok
+auth     include        common-auth
-account  required       @pam_unix2@/lib/security/pam_unix2.so
+account  include        common-account
-password required       @pam_unix2@/lib/security/pam_unix2.so nullok
+password include        common-password
-session  required       @pam_unix2@/lib/security/pam_unix2.so
+session  include        common-session

system/etc/profile.sh

@@ -17,8 +17,8 @@ fi
 # Set up the per-user profile.
 NIX_USER_PROFILE_DIR=/nix/var/nix/profiles/per-user/$USER
 mkdir -m 0755 -p $NIX_USER_PROFILE_DIR
-if test "$(stat --printf '%U' $NIX_USER_PROFILE_DIR)" != "$USER"; then
+if test "$(stat --printf '%u' $NIX_USER_PROFILE_DIR)" != "$(id -u)"; then
-    echo "WARNING: bad ownership on $_NIX_PROFILE_DIR" >&2
+    echo "WARNING: bad ownership on $NIX_USER_PROFILE_DIR" >&2
 fi
 
 if ! test -L $HOME/.nix-profile; then