Skip to content

package.use: enable back sssd for pambase#3696

Merged
tormath1 merged 3 commits intomainfrom
tormath1/pam-sssd
Feb 13, 2026
Merged

package.use: enable back sssd for pambase#3696
tormath1 merged 3 commits intomainfrom
tormath1/pam-sssd

Conversation

@tormath1
Copy link
Contributor

@tormath1 tormath1 commented Feb 9, 2026
edited
Loading

This was not creating the system-auth with the 'pam_sss' module. Which makes sssd LDAP authentication to fail.

I amended the patch to move the pam_sss.so call before the pam_faillock.so otherwise it was failing - I think this could be proposed to the upstream.

Related to: flatcar/Flatcar#1985

TODO:

Testing:

 $ cat sssd.conf
[sssd]
config_file_version = 2
services = nss, pam, ssh
domains = LDAP

[nss]
[pam]
[ssh]

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://127.0.0.1:1389
ldap_search_base = dc=example,dc=org
override_homedir = /home/%u
access_provider = simple

# Bitnami default admin credentials
ldap_bind_dn = cn=admin,dc=example,dc=org
ldap_bind_authtok = adminpassword

# Mapping settings
ldap_user_object_class = posixAccount
ldap_user_name = uid
ldap_group_object_class = posixGroup
ldap_group_name = cn

ldap_auth_disable_tls_never_use_in_production = True
ldap_tls_reqcert = never
ldap_id_use_start_tls = False
$ docker run --detach --rm --name openldap   --network host   --env LDAP_ADMIN_USERNAME=admin   --env LDAP_ADMIN_PASSWORD=adminpassword   --env LDAP_USERS=customuser   --env LDAP_PASSWORDS=custompassword   --env LDAP_ROOT=dc=example,dc=org   --env LDAP_ADMIN_DN=cn=admin,dc=example,dc=org docker.io/bitnamilegacy/openldap:2.6.10-debian-12-r4

@tormath1
package.use: enable back sssd for pambase
53047f1 
This was not creating the system-auth with the 'pam_sss' module. Which
makes sssd LDAP authentication to fail.

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
@tormath1 tormath1 self-assigned this Feb 9, 2026
@tormath1 tormath1 moved this to ✅ Testing / in Review in Flatcar tactical, release planning, and roadmap Feb 9, 2026
@tormath1
sys-auth/pambase: regen patches
b3a05aa 
This brings a fix to move the pam_sss at the right position. I think
this can be upstreamed.

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
@tormath1 tormath1 mentioned this pull request Feb 10, 2026
Closed
@tormath1
changelog: add entry
24cd546 
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
@tormath1 tormath1 marked this pull request as ready for review February 11, 2026 08:29
@tormath1 tormath1 requested a review from a team as a code owner February 11, 2026 08:29
chewi
chewi approved these changes Feb 11, 2026
View reviewed changes
Copy link
Contributor

@chewi chewi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, it looks okay, but I honestly don't understand PAM well enough to say whether it's correct. I know it's not @krnowak's favourite subject either, but I'd feel better waiting for him.

I'm a little surprised Gentoo hasn't noticed. The sssd support has been in place for a couple of years now. Perhaps it's due to other differences in our config, but it doesn't seem that way.

@tormath1
Copy link
Contributor Author

tormath1 commented Feb 11, 2026

Well, it looks okay, but I honestly don't understand PAM well enough to say whether it's correct. I know it's not @krnowak's favourite subject either, but I'd feel better waiting for him.

I'm a little surprised Gentoo hasn't noticed. The sssd support has been in place for a couple of years now. Perhaps it's due to other differences in our config, but it doesn't seem that way.

I'm holding this until I get user feedback. I would honestly prefer having this released in alpha / beta before promoting a new stable

@tormath1
Copy link
Contributor Author

tormath1 commented Feb 12, 2026

Well, it looks okay, but I honestly don't understand PAM well enough to say whether it's correct. I know it's not @krnowak's favourite subject either, but I'd feel better waiting for him.
I'm a little surprised Gentoo hasn't noticed. The sssd support has been in place for a couple of years now. Perhaps it's due to other differences in our config, but it doesn't seem that way.

I'm holding this until I get user feedback. I would honestly prefer having this released in alpha / beta before promoting a new stable

@chewi I got this user feedback: flatcar/Flatcar#1985 (comment) - given this + the CI result I think we're good.

But as proposed on Matrix, let's not promote this directly to Stable.

@tormath1 tormath1 merged commit d79e542 into main Feb 13, 2026
4 of 5 checks passed
@github-project-automation github-project-automation bot moved this from ✅ Testing / in Review to Implemented in Flatcar tactical, release planning, and roadmap Feb 13, 2026
@tormath1 tormath1 deleted the tormath1/pam-sssd branch February 13, 2026 08:52
@tormath1
Copy link
Contributor Author

tormath1 commented Feb 13, 2026

Backported to:

  • flatcar-4593
  • flatcar-4547

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chewi chewi chewi approved these changes

Assignees

@tormath1 tormath1

Labels

alpha beta main

Projects

Flatcar tactical, release planning, and roadmap
Status: Implemented

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tormath1 @chewi