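{ pkgs, lib, config, ... }:
with lib;
let
  # LDAP domain and the base DN derived from it:
  # "informatik.hs-fulda.de" -> "dc=informatik,dc=hs-fulda,dc=de".
  ldapDomain = "informatik.hs-fulda.de";
  baseDN = concatMapStringsSep "," (part: "dc=${part}") (splitString "." ldapDomain);

  # Every PAM service below gets the same SSSD-backed settings, so define them once.
  sssdPamService = {
    makeHomeDir = true;
    sssdStrictAccess = true;
    unixAuth = lib.mkForce true;
  };
in
{
  security.pam.services = {
    sshd = sssdPamService;
    login = sssdPamService;
    lightdm = sssdPamService;
    systemd-user = sssdPamService;
  };

  services.sssd = {
    enable = true;

    # The LDAP bind password must not appear in `config`: that string is written
    # to the world-readable Nix store (and to version control with this file).
    # Instead `config` carries the placeholder $SSSD_LDAP_DEFAULT_AUTHTOK, which
    # is substituted at service start from this root-only environment file,
    # expected to contain a single `SSSD_LDAP_DEFAULT_AUTHTOK=<password>` line.
    # The value that used to be committed here should be treated as exposed and
    # rotated on the directory server.
    environmentFile = "/run/secrets/sssd-ldap.env"; # PLACEHOLDER path - point at the deployed secret

    # TODO: derive ldap_uri from config.networking.domain, e.g.
    # "ldaps://ldap.${config.networking.domain}/".  Do this as a Nix expression,
    # not as a "#" line inside the config string: `${...}` is interpolated at
    # evaluation time even in sssd.conf comments, and fails when the option is null.
    config = ''
      [sssd]
      config_file_version = 2
      services = nss, pam, ssh, ifp
      domains = hsfd
      # High verbosity; consider lowering once the setup is stable.
      debug_level = 8

      [nss]
      override_homedir = /home/%u
      override_shell = /run/current-system/sw/bin/bash
      # Keep the local root account/group out of LDAP lookups.
      filter_users = root
      filter_groups = root
      reconnection_retries = 3

      [pam]

      [domain/hsfd]
      id_provider = ldap
      access_provider = ldap
      auth_provider = ldap
      # Allow logins from cached credentials when the directory is unreachable.
      cache_credentials = true
      ldap_uri = ldaps://ldap-linuxlab.${ldapDomain}/
      ldap_search_base = ou=users,${baseDN}
      # Require a valid, verifiable server certificate; never fall back to
      # an unauthenticated connection.
      ldap_tls_reqcert = demand
      ldap_id_use_start_tls = true
      ldap_default_bind_dn = cn=login,${baseDN}
      ldap_default_authtok_type = password
      ldap_default_authtok = $SSSD_LDAP_DEFAULT_AUTHTOK
      # (objectClass=*) matches every entry under ldap_search_base, so the
      # access filter grants login to any user the directory returns; tighten
      # it if only a subset of accounts should reach these hosts.
      ldap_access_order = filter
      ldap_access_filter = (objectClass=*)
      ldap_user_object_class = posixAccount
      ldap_user_name = cn
      ldap_search_timeout = 10
      ldap_network_timeout = 10
      ldap_deref_threshold = 0
      ignore_group_members = true
      subdomain_inherit = ignore_group_members
      entry_negative_timeout = 3
      # All LDAP users share the local "users" group as primary GID.
      override_gid = ${toString config.users.groups."users".gid}
      min_id = 1000
      enumerate = false
    '';
  };

  users.users."root".packages = with pkgs; [ sss-cli ];

  services.envfs.enable = true;

  # Left from an earlier approach; one way to produce the environment file
  # referenced above is a sops-nix secret whose decrypted path is used as
  # `services.sssd.environmentFile`.
  #sops.secrets."ldap/login/password" = {
  #  owner = "nslcd";
  #  sopsFile = ./secrets.yaml;
  #};
}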