authlogin: add tunable for nsswitch domains to connect to kanidm-unixd

Signed-off-by: Kenton Groombridge <[email protected]>
0xC0ncord · Aug 10, 2024 · d7bbbef · d7bbbef
1 parent 37d90b6
commit d7bbbef
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
@@ -12,6 +12,13 @@ policy_module(authlogin)
 ## </desc>
 gen_tunable(authlogin_pam, true)
 
+## <desc>
+## <p>
+## Allow users to resolve user passwd entries directly from kanidm.
+## </p>
+## </desc>
+gen_tunable(authlogin_nsswitch_use_kanidm, false)
+
 ## <desc>
 ## <p>
 ## Allow users to resolve user passwd entries directly from ldap rather then using a sssd server
@@ -478,6 +485,13 @@ ifdef(`init_systemd', `
 	systemd_stream_connect_userdb(nsswitch_domain)
 ')
 
+optional_policy(`
+	tunable_policy(`authlogin_nsswitch_use_kanidm',`
+		kanidm_read_config(nsswitch_domain)
+		kanidm_unixd_stream_connect(nsswitch_domain)
+	')
+')
+
 tunable_policy(`authlogin_nsswitch_use_ldap',`
 	miscfiles_read_generic_certs(nsswitch_domain)
 	sysnet_use_ldap(nsswitch_domain)