
Conversation

@tormath1
Contributor

@tormath1 tormath1 commented Feb 9, 2026

This was not creating the system-auth with the 'pam_sss' module, which makes sssd LDAP authentication fail.

I amended the patch to move the pam_sss.so call before the pam_faillock.so; otherwise it was failing. I think this could be proposed to the upstream.

Related to: flatcar/Flatcar#1985

TODO:

Testing:

$ cat sssd.conf
[sssd]
config_file_version = 2
services = nss, pam, ssh
domains = LDAP

[nss]
[pam]
[ssh]

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://127.0.0.1:1389
ldap_search_base = dc=example,dc=org
override_homedir = /home/%u
access_provider = simple

# Bitnami default admin credentials
ldap_bind_dn = cn=admin,dc=example,dc=org
ldap_bind_authtok = adminpassword

# Mapping settings
ldap_user_object_class = posixAccount
ldap_user_name = uid
ldap_group_object_class = posixGroup
ldap_group_name = cn

ldap_auth_disable_tls_never_use_in_production = True
ldap_tls_reqcert = never
ldap_id_use_start_tls = False
$ docker run --detach --rm --name openldap   --network host   --env LDAP_ADMIN_USERNAME=admin   --env LDAP_ADMIN_PASSWORD=adminpassword   --env LDAP_USERS=customuser   --env LDAP_PASSWORDS=custompassword   --env LDAP_ROOT=dc=example,dc=org   --env LDAP_ADMIN_DN=cn=admin,dc=example,dc=org docker.io/bitnamilegacy/openldap:2.6.10-debian-12-r4
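The PR description reports two things about the generated PAM stack: system-auth must reference pam_sss.so at all, and that entry has to sit ahead of pam_faillock.so. The script below is an added example, not code from this PR or from Flatcar or Gentoo, that checks both conditions in a PAM stack file such as /etc/pam.d/system-auth. It takes the description literally (pam_sss.so before the first pam_faillock.so auth entry) and accepts an optional token, e.g. authfail, to compare against a specific pam_faillock.so line instead. The three sample stacks it creates are constructed for illustration and are not the real contents of any distribution's system-auth.

```shell
#!/bin/sh
# Added example (not from the PR): verify that a PAM stack file lists
# pam_sss.so in its auth section and lists it before pam_faillock.so.
# The sample stacks below are constructed and are not real system files.

# pam_auth_line FILE MODULE_REGEX [TOKEN]
# Prints the line number of the first uncommented "auth ... MODULE" entry,
# optionally restricted to lines that also contain TOKEN (e.g. "authfail").
pam_auth_line() {
    if [ -n "$3" ]; then
        grep -n -E "^[[:space:]]*auth[[:space:]].*$2" "$1" | grep -- "$3" | head -n 1 | cut -d: -f1
    else
        grep -n -E "^[[:space:]]*auth[[:space:]].*$2" "$1" | head -n 1 | cut -d: -f1
    fi
}

# check_pam_sss FILE [TOKEN]
# Returns 0 when pam_sss.so is present in the auth stack and precedes the
# first pam_faillock.so entry (or the first one carrying TOKEN);
# otherwise prints a reason and returns 1.
check_pam_sss() {
    file="$1"
    token="$2"
    sss=$(pam_auth_line "$file" 'pam_sss\.so')
    faillock=$(pam_auth_line "$file" 'pam_faillock\.so' "$token")
    if [ -z "$sss" ]; then
        echo "missing: no 'auth ... pam_sss.so' entry in $file"
        return 1
    fi
    if [ -n "$faillock" ] && [ "$faillock" -lt "$sss" ]; then
        echo "misordered: pam_faillock.so (line $faillock) precedes pam_sss.so (line $sss) in $file"
        return 1
    fi
    echo "ok: pam_sss.so (line $sss) is ahead of pam_faillock.so in $file"
    return 0
}

# --- constructed sample stacks (illustration only) ---
PAM_TMP=$(mktemp -d)
trap 'rm -rf "$PAM_TMP"' EXIT
GOOD_PAM="$PAM_TMP/system-auth.good"
BAD_PAM="$PAM_TMP/system-auth.bad"
NOSSS_PAM="$PAM_TMP/system-auth.nosss"

cat > "$GOOD_PAM" <<'EOF'
# constructed: pam_sss.so ahead of pam_faillock.so, the order the PR reports working
auth    required      pam_env.so
auth    sufficient    pam_sss.so
auth    required      pam_faillock.so preauth
auth    [success=1 default=ignore] pam_unix.so try_first_pass nullok
auth    [default=die] pam_faillock.so authfail
auth    required      pam_deny.so
EOF

cat > "$BAD_PAM" <<'EOF'
# constructed: pam_faillock.so sits before pam_sss.so, so LDAP users never reach it
auth    required      pam_env.so
auth    required      pam_faillock.so preauth
auth    [success=1 default=ignore] pam_unix.so try_first_pass nullok
auth    [default=die] pam_faillock.so authfail
auth    sufficient    pam_sss.so use_first_pass
auth    required      pam_deny.so
EOF

cat > "$NOSSS_PAM" <<'EOF'
# constructed: no pam_sss.so at all, the symptom the PR description starts from
auth    required      pam_env.so
auth    required      pam_faillock.so preauth
auth    [success=1 default=ignore] pam_unix.so try_first_pass nullok
auth    [default=die] pam_faillock.so authfail
auth    required      pam_deny.so
EOF

# count_broken: prints how many of the sample stacks fail the check.
count_broken() {
    failures=0
    for f in "$GOOD_PAM" "$BAD_PAM" "$NOSSS_PAM"; do
        check_pam_sss "$f" >/dev/null || failures=$((failures + 1))
    done
    echo "$failures"
}

# Stand-alone run: report each sample stack, then the count of broken ones.
for f in "$GOOD_PAM" "$BAD_PAM" "$NOSSS_PAM"; do
    check_pam_sss "$f" || true
done
echo "broken stacks: $(count_broken)"
```

On a real host, point check_pam_sss at /etc/pam.d/system-auth after the image is built; pass authfail as the second argument if the stack keeps a pam_faillock.so preauth line ahead of pam_sss.so on purpose and only the [default=die] authfail line matters.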

This was not creating the system-auth with the 'pam_sss' module, which
makes sssd LDAP authentication fail.

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
This brings a fix to move the pam_sss at the right position. I think
this can be upstreamed.

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
@tormath1 tormath1 marked this pull request as ready for review February 11, 2026 08:29
@tormath1 tormath1 requested a review from a team as a code owner February 11, 2026 08:29
Contributor

@chewi chewi left a comment


Well, it looks okay, but I honestly don't understand PAM well enough to say whether it's correct. I know it's not @krnowak's favourite subject either, but I'd feel better waiting for him.

I'm a little surprised Gentoo hasn't noticed. The sssd support has been in place for a couple of years now. Perhaps it's due to other differences in our config, but it doesn't seem that way.

@tormath1
Contributor Author

> Well, it looks okay, but I honestly don't understand PAM well enough to say whether it's correct. I know it's not @krnowak's favourite subject either, but I'd feel better waiting for him.
>
> I'm a little surprised Gentoo hasn't noticed. The sssd support has been in place for a couple of years now. Perhaps it's due to other differences in our config, but it doesn't seem that way.

I'm holding this until I get user feedback. I would honestly prefer having this released in alpha / beta before promoting a new stable

@tormath1
Contributor Author

> Well, it looks okay, but I honestly don't understand PAM well enough to say whether it's correct. I know it's not @krnowak's favourite subject either, but I'd feel better waiting for him.
> I'm a little surprised Gentoo hasn't noticed. The sssd support has been in place for a couple of years now. Perhaps it's due to other differences in our config, but it doesn't seem that way.
>
> I'm holding this until I get user feedback. I would honestly prefer having this released in alpha / beta before promoting a new stable

@chewi I got this user feedback: flatcar/Flatcar#1985 (comment) - given this + the CI result I think we're good.

But as proposed on Matrix, let's not promote this directly to Stable.

Projects

Status: Testing / in Review
