Updates for Raspberry Pi 12 Bookworm

roles/Password/files/nsswitch.conf

@@ -0,0 +1,19 @@
+# Begin /etc/nsswitch.conf
+
+passwd: files ldap
+group: files ldap
+shadow: files ldap
+
+publickey: files
+
+hosts: files dns myhostname
+networks: files
+
+protocols: files
+services: files
+ethers: files
+rpc: files
+
+netgroup: files
+
+# End /etc/nsswitch.conf

roles/Password/files/pam.d/atd

@@ -0,0 +1,12 @@
+#%PAM-1.0
+
+auth		required	pam_unix.so
+auth		required	pam_env.so
+
+account		required	pam_access.so
+account		required	pam_unix.so
+account		required	pam_time.so
+
+session		required	pam_loginuid.so
+session		required	pam_limits.so
+session		required	pam_unix.so

roles/Password/files/pam.d/chfn

@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth            sufficient      pam_rootok.so
+auth            required        pam_unix.so
+account         required        pam_unix.so
+session         required        pam_unix.so
+password        required        pam_permit.so

roles/Password/files/pam.d/chpasswd

@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+account		required	pam_permit.so
+password	include		system-auth

roles/Password/files/pam.d/chsh

@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth            sufficient      pam_rootok.so
+auth            required        pam_unix.so
+account         required        pam_unix.so
+session         required        pam_unix.so
+password        required        pam_permit.so

roles/Password/files/pam.d/crond

@@ -0,0 +1,11 @@
+#
+# The PAM configuration file for the cron daemon
+#
+#
+# Although no PAM authentication is called, auth modules
+# are used for credential setting
+auth       include    system-auth
+account    required   pam_access.so
+account    include    system-auth
+session    required   pam_loginuid.so
+session    include    system-auth

roles/Password/files/pam.d/cups

@@ -0,0 +1,3 @@
+auth		required	pam_unix.so
+account		required	pam_unix.so
+session		required	pam_unix.so

roles/Password/files/pam.d/groupmems

@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+account		required	pam_permit.so
+password	include		system-auth

roles/Password/files/pam.d/login

@@ -0,0 +1,7 @@
+#%PAM-1.0
+
+auth       requisite    pam_nologin.so
+auth       include      system-local-login
+account    include      system-local-login
+session    include      system-local-login
+password   include      system-local-login

roles/Password/files/pam.d/newusers

@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+account		required	pam_permit.so
+password	include		system-auth

roles/Password/files/pam.d/nslcd.conf

@@ -0,0 +1 @@
+UiqiKXIU

roles/Password/files/pam.d/other

@@ -0,0 +1,9 @@
+#%PAM-1.0
+auth      required   pam_deny.so
+auth      required   pam_warn.so
+account   required   pam_deny.so
+account   required   pam_warn.so
+password  required   pam_deny.so
+password  required   pam_warn.so
+session   required   pam_deny.so
+session   required   pam_warn.so

roles/Password/files/pam.d/passwd

@@ -0,0 +1,5 @@
+#%PAM-1.0
+#password	required	pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
+#password	required	pam_unix.so sha512 shadow use_authtok
+password    sufficient  pam_ldap.so
+password	required	pam_unix.so sha512 shadow nullok

roles/Password/files/pam.d/passwd.pacnew

@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth		include		system-auth
+account		include		system-auth
+password	include		system-auth

roles/Password/files/pam.d/postgresql

@@ -0,0 +1,3 @@
+auth		required	pam_unix.so
+account		required	pam_unix.so
+session		required	pam_unix.so

roles/Password/files/pam.d/remote

@@ -0,0 +1,8 @@
+#%PAM-1.0
+
+auth       required     pam_securetty.so
+auth       requisite    pam_nologin.so
+auth       include      system-remote-login
+account    include      system-remote-login
+session    include      system-remote-login
+password   include      system-remote-login

roles/Password/files/pam.d/rlogin

@@ -0,0 +1,13 @@
+#%PAM-1.0
+# For root login to succeed here with pam_securetty, "rlogin" must be
+# listed in /etc/securetty.
+auth       required     pam_nologin.so
+auth       required     pam_securetty.so
+auth       required     pam_env.so
+auth       sufficient   pam_rhosts.so
+auth       include      system-auth
+account    include      system-auth
+password   include      system-auth
+session	   optional     pam_keyinit.so    force revoke
+session    required     pam_loginuid.so
+session    include      system-auth

roles/Password/files/pam.d/rsh

@@ -0,0 +1,11 @@
+#%PAM-1.0
+# For root login to succeed here with pam_securetty, "rsh" must be
+# listed in /etc/securetty.
+auth       required     pam_nologin.so
+auth       required     pam_securetty.so
+auth       required     pam_env.so
+auth       required     pam_rhosts.so
+account    include      system-auth
+session	   optional     pam_keyinit.so    force revoke
+session    required     pam_loginuid.so
+session    include      system-auth

roles/Password/files/pam.d/runuser

@@ -0,0 +1,4 @@
+#%PAM-1.0
+
+auth    sufficient      pam_rootok.so
+session include         system-login

roles/Password/files/pam.d/runuser-l

@@ -0,0 +1,4 @@
+#%PAM-1.0
+
+auth    sufficient      pam_rootok.so
+session include         system-login

roles/Password/files/pam.d/screen

@@ -0,0 +1 @@
+auth		required	pam_unix.so

roles/Password/files/pam.d/sshd

@@ -0,0 +1,6 @@
+#%PAM-1.0
+
+auth      include   system-remote-login
+account   include   system-remote-login
+password  include   system-remote-login
+session   include   system-remote-login

roles/Password/files/pam.d/sssd-shadowutils

@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
+auth        required      pam_deny.so
+
+account     required      pam_unix.so
+account     required      pam_permit.so

roles/Password/files/pam.d/su

@@ -0,0 +1,14 @@
+#%PAM-1.0
+auth        sufficient  pam_ldap.so
+auth		sufficient	pam_rootok.so
+# Uncomment the following line to implicitly trust users in the "wheel" group.
+#auth		sufficient	pam_wheel.so trust use_uid
+# Uncomment the following line to require a user to be in the "wheel" group.
+#auth		required	pam_wheel.so use_uid
+auth		required	pam_unix.so use_first_pass
+
+account     sufficient  pam_ldap.so
+account		required	pam_unix.so
+
+session     sufficient  pam_ldap.so
+session		required	pam_unix.so

roles/Password/files/pam.d/su-l

@@ -0,0 +1,12 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+# Uncomment the following line to implicitly trust users in the "wheel" group.
+#auth		sufficient	pam_wheel.so trust use_uid
+# Uncomment the following line to require a user to be in the "wheel" group.
+#auth		required	pam_wheel.so use_uid
+auth        sufficient  pam_ldap.so
+auth		required	pam_unix.so use_first_pass
+account     sufficient  pam_ldap.so
+account		required	pam_unix.so
+session     sufficient  pam_ldap.so
+session		required	pam_unix.so

roles/Password/files/pam.d/su-l.pacnew

@@ -0,0 +1,10 @@
+#%PAM-1.0
+auth            sufficient      pam_rootok.so
+# Uncomment the following line to implicitly trust users in the "wheel" group.
+#auth           sufficient      pam_wheel.so trust use_uid
+# Uncomment the following line to require a user to be in the "wheel" group.
+#auth           required        pam_wheel.so use_uid
+auth            required        pam_unix.so
+account         required        pam_unix.so
+session	        required        pam_unix.so
+password        include         system-auth

roles/Password/files/pam.d/su.pacnew

@@ -0,0 +1,10 @@
+#%PAM-1.0
+auth            sufficient      pam_rootok.so
+# Uncomment the following line to implicitly trust users in the "wheel" group.
+#auth           sufficient      pam_wheel.so trust use_uid
+# Uncomment the following line to require a user to be in the "wheel" group.
+#auth           required        pam_wheel.so use_uid
+auth            required        pam_unix.so
+account         required        pam_unix.so
+session	        required        pam_unix.so
+password        include         system-auth

roles/Password/files/pam.d/sudo

@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth		include		system-auth
+account		include		system-auth
+session		include		system-auth

roles/Password/files/pam.d/system-auth

@@ -0,0 +1,20 @@
+#%PAM-1.0
+
+auth      sufficient pam_ldap.so
+auth      required  pam_unix.so     try_first_pass nullok
+auth      optional  pam_permit.so
+auth      required  pam_env.so
+
+account   sufficient pam_ldap.so
+account   required  pam_unix.so
+account   optional  pam_permit.so
+account   required  pam_time.so
+
+password  sufficient pam_ldap.so
+password  required  pam_unix.so     try_first_pass nullok sha512 shadow
+password  optional  pam_permit.so
+
+session   required  pam_limits.so
+session   required  pam_unix.so
+session   optional  pam_ldap.so
+session   optional  pam_permit.so

roles/Password/files/pam.d/system-auth.pacnew

@@ -0,0 +1,27 @@
+#%PAM-1.0
+
+auth       required                    pam_faillock.so      preauth
+# Optionally use requisite above if you do not want to prompt for the password
+# on locked accounts.
+-auth      [success=2 default=ignore]  pam_systemd_home.so
+auth       [success=1 default=bad]     pam_unix.so          try_first_pass nullok
+auth       [default=die]               pam_faillock.so      authfail
+auth       optional                    pam_permit.so
+auth       required                    pam_env.so
+auth       required                    pam_faillock.so      authsucc
+# If you drop the above call to pam_faillock.so the lock will be done also
+# on non-consecutive authentication failures.
+
+-account   [success=1 default=ignore]  pam_systemd_home.so
+account    required                    pam_unix.so
+account    optional                    pam_permit.so
+account    required                    pam_time.so
+
+-password  [success=1 default=ignore]  pam_systemd_home.so
+password   required                    pam_unix.so          try_first_pass nullok shadow
+password   optional                    pam_permit.so
+
+-session   optional                    pam_systemd_home.so
+session    required                    pam_limits.so
+session    required                    pam_unix.so
+session    optional                    pam_permit.so

roles/Password/files/pam.d/system-local-login

@@ -0,0 +1,6 @@
+#%PAM-1.0
+
+auth      include   system-login
+account   include   system-login
+password  include   system-login
+session   include   system-login

roles/Password/files/pam.d/system-login

@@ -0,0 +1,19 @@
+#%PAM-1.0
+
+auth       required   pam_shells.so
+auth       requisite  pam_nologin.so
+auth       include    system-auth
+
+account    required   pam_access.so
+account    required   pam_nologin.so
+account    include    system-auth
+
+password   include    system-auth
+
+session    optional   pam_loginuid.so
+session    include    system-auth
+session    optional   pam_motd.so          motd=/etc/motd
+session    optional   pam_mail.so          dir=/var/spool/mail standard quiet
+-session   optional   pam_systemd.so
+session    required   pam_env.so
+#session    required   pam_mkhomedir.so skel=/etc/skel umask=0027

roles/Password/files/pam.d/system-login.pacnew

@@ -0,0 +1,20 @@
+#%PAM-1.0
+
+auth       required   pam_shells.so
+auth       requisite  pam_nologin.so
+auth       include    system-auth
+
+account    required   pam_access.so
+account    required   pam_nologin.so
+account    include    system-auth
+
+password   include    system-auth
+
+session    optional   pam_loginuid.so
+session    optional   pam_keyinit.so       force revoke
+session    include    system-auth
+session    optional   pam_motd.so
+session    optional   pam_mail.so          dir=/var/spool/mail standard quiet
+session    optional   pam_umask.so
+-session   optional   pam_systemd.so
+session    required   pam_env.so

roles/Password/files/pam.d/system-remote-login

@@ -0,0 +1,6 @@
+#%PAM-1.0
+
+auth      include   system-login
+account   include   system-login
+password  include   system-login
+session   include   system-login

roles/Password/files/pam.d/system-services

@@ -0,0 +1,11 @@
+#%PAM-1.0
+
+auth      sufficient  pam_permit.so
+
+account   include     system-auth
+
+session   optional    pam_loginuid.so
+session   required    pam_limits.so
+session   required    pam_unix.so
+session   optional    pam_permit.so
+session   required    pam_env.so

roles/Password/files/pam.d/systemd-user

@@ -0,0 +1,5 @@
+# Used by systemd --user instances.
+
+account  include system-login
+session  required pam_loginuid.so
+session  include system-login

roles/Password/files/pam.d/vlock

@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth required pam_unix.so
+account required pam_unix.so
+password required pam_unix.so
+session required pam_unix.so

roles/Password/package/ldap-adduser

@@ -52,7 +52,6 @@ if [ "$?" -eq 0 ]; then
         line="$(grep -E '^uidNumber: ' "$file")"; sed -i "s/$line/uidNumber: $newuserid/" "$file"
         ldapadd -D 'cn=root,dc=aninix,dc=net' -W -f "$file"
         ldap-resetpass "$username"
-        # Create default home
         cp -r /etc/skel "/home/$username"; chmod 0027 "/home/$username"; chown -R "$username": "/home/$username"
     fi
     rmdir "$lockfile"

roles/Password/package/ldap-resetpass

@@ -7,11 +7,8 @@ if [ -z "$uid" ]; then
     exit 1
 fi
 
-ldappasswd -D 'cn=root,dc=aninix,dc=net' -W "uid=$uid,ou=People,dc=aninix,dc=net"
+ldappasswd -D 'cn=root,dc=aninix,dc=net' -W -H ldap://127.0.0.1 "uid=$uid,ou=People,dc=aninix,dc=net"
 
-if [ `ldapsearch -x "(uid=$uid)" + \* | grep -c shadowLastChange\:` -ne 0 ]; then
-    (printf "dn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\ndelete: shadowLastChange\n\n") | ldapmodify -D 'cn=root,dc=aninix,dc=net' -W &>/dev/null;
-fi
-(printf "dn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\nadd: shadowLastChange\nshadowLastChange: 0\n\ndn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\nadd: pwdReset\npwdReset: TRUE\n\n") | ldapmodify -D 'cn=root,dc=aninix,dc=net' -W &>/dev/null;
+#ldapmodify -D 'cn=root,dc=aninix,dc=net' -W -H ldap://127.0.0.1 -f <(printf "dn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\nadd: pwdReset\npwdReset: TRUE\n\n")
 
 exit $?

roles/Password/templates/nscld.conf.j2

@@ -0,0 +1,80 @@
+# This is the configuration file for the LDAP nameservice
+# switch library's nslcd daemon. It configures the mapping
+# between NSS names (see /etc/nsswitch.conf) and LDAP
+# information in the directory.
+# See the manual page nslcd.conf(5) for more information.
+
+# The user and group nslcd should run as.
+uid nslcd
+gid nslcd
+
+# The uri pointing to the LDAP server to use for name lookups.
+# Multiple entries may be specified. The address that is used
+# here should be resolvable without using LDAP (obviously).
+#uri ldap://127.0.0.1/
+#uri ldaps://127.0.0.1/
+#uri ldapi://%2fvar%2frun%2fldapi_sock/
+# Note: %2f encodes the '/' used as directory separator
+uri ldap://{{ ldap['server'] }}/
+
+# The LDAP version to use (defaults to 3
+# if supported by client library)
+#ldap_version 3
+
+# The distinguished name of the search base.
+base {{ ldap['orgdn'] }}
+
+# The distinguished name to bind to the server with.
+# Optional: default is to bind anonymously.
+binddn {{ ldap['binduser'] }},{{ ldap['userou'] }},{{ ldap['orgdn'] }}
+
+# The credentials to bind with.
+# Optional: default is no credentials.
+# Note that if you set a bindpw you should check the permissions of this file.
+bindpw {{ secrets['Sora']['bindpassword'] }}
+
+# The distinguished name to perform password modifications by root by.
+rootpwmoddn cn=root,{{ ldap['orgdn'] }}
+
+# The default search scope.
+scope sub
+#filter (&(!(pwdReset=TRUE))(objectClass=person))
+#scope one
+#scope base
+
+# Customize certain database lookups.
+base   group  {{ ldap['groupou'] }},{{ ldap['orgdn'] }}
+base   passwd {{ ldap['userou'] }},{{ ldap['orgdn'] }}
+base   shadow {{ ldap['userou'] }},{{ ldap['orgdn'] }}
+#scope  group  onelevel
+scope  hosts  sub
+
+# Bind/connect timelimit.
+#bind_timelimit 30
+
+# Search timelimit.
+#timelimit 30
+
+# Idle timelimit. nslcd will close connections if the
+# server has not been contacted for the number of seconds.
+#idle_timelimit 3600
+
+# Use StartTLS without verifying the server certificate.
+#ssl start_tls
+#tls_reqcert never
+
+# CA certificates for server certificate verification
+#tls_cacertdir /etc/ssl/certs
+#tls_cacertfile /etc/ssl/ca.cert
+
+# Seed the PRNG if /dev/urandom is not provided
+#tls_randfile /var/run/egd-pool
+
+# SSL cipher suite
+# See man ciphers for syntax
+#tls_ciphers TLSv1
+
+# Client certificate and key
+# Use these, if your server requires client authentication.
+#tls_cert
+#tls_key