From bed728babe3c1a7bfbf2a613f73533ec022616e4 Mon Sep 17 00:00:00 2001
From: Kim Covil
Date: Fri, 10 Jun 2022 16:00:33 +0100
Subject: [PATCH] [Kim] #2554 fix pam ldaps config
---
 src/etc/pam.d/common-account-ldaps | 8 --------
 src/etc/pam.d/common-auth-ldaps | 7 +------
 src/etc/pam.d/common-session-noninteractive-ldaps | 7 -------
 3 files changed, 1 insertion(+), 21 deletions(-)
diff --git a/src/etc/pam.d/common-account-ldaps b/src/etc/pam.d/common-account-ldaps
index 0a3534a257..58949ddeef 100644
--- a/src/etc/pam.d/common-account-ldaps
+++ b/src/etc/pam.d/common-account-ldaps
@@ -1,12 +1,4 @@
-# here are the per-package modules (the "Primary" block)
-account [success=ok default=1] pam_localuser.so
 account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
-# here's the fallback if no module succeeds
 account requisite pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
 account required pam_permit.so
-# and here are more per-package modules (the "Additional" block)
 account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] pam_ldap.so minimum_uid=1000
-# end of pam-auth-update config
diff --git a/src/etc/pam.d/common-auth-ldaps b/src/etc/pam.d/common-auth-ldaps
index dd684ecb9a..1cda9e50ef 100644
--- a/src/etc/pam.d/common-auth-ldaps
+++ b/src/etc/pam.d/common-auth-ldaps
@@ -1,12 +1,7 @@
-# here are the per-package modules (the "Primary" block)
-auth [success=ok default=1] pam_localuser.so
+auth required pam_group.so
 auth [success=2 default=ignore] pam_unix.so nullok
 auth [success=1 default=ignore] pam_ldap.so minimum_uid=1000 use_first_pass
 # here's the fallback if no module succeeds
 auth requisite pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
 auth required pam_permit.so
-# and here are more per-package modules (the "Additional" block)
 auth optional pam_cap.so
diff --git a/src/etc/pam.d/common-session-noninteractive-ldaps b/src/etc/pam.d/common-session-noninteractive-ldaps
index 09c3ae0c81..138a8dd870 100644
--- a/src/etc/pam.d/common-session-noninteractive-ldaps
+++ b/src/etc/pam.d/common-session-noninteractive-ldaps
@@ -1,13 +1,6 @@
-# here are the per-package modules (the "Primary" block)
 session [default=1] pam_permit.so
-# here's the fallback if no module succeeds
 session requisite pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
 session required pam_permit.so
-# and here are more per-package modules (the "Additional" block)
 session required pam_mkhomedir.so umask=0022 skel=/etc/skel
 session required pam_unix.so
 session [success=ok default=ignore] pam_ldap.so minimum_uid=1000
-# end of pam-auth-update config
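Review bot: The added `auth required pam_group.so` at the top of common-auth-ldaps has no comment, and it is the one line in this stack that authenticates nothing: pam_group returns ignore from the auth call and grants supplementary groups from /etc/security/group.conf when credentials are set. That file is not part of this patch, so which extra groups directory users admitted by `pam_ldap.so minimum_uid=1000` will receive cannot be checked from here; it is worth confirming it lists only the intended entries. I would put a line above it such as `# pam_group: grants extra groups per /etc/security/group.conf at setcred; does not authenticate`. The `success=2` / `success=1` jump counts are also order-sensitive and now sit without the explanatory comments this commit removes, so a one-line reminder that they must land on pam_permit would help the next editor. Separately, the unchanged `pam_unix.so nullok` still accepts local accounts whose password field is empty; if that is not intended on hosts using this profile, drop `nullok`.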