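{ pkgs, lib, config, ... }:

with lib;

let
  # Directory domain the accounts live in.  Kept as a literal rather than read
  # from config.networking.domain (see the TODO next to ldap_uri), so update it
  # here if the domain ever changes.
  ldapDomain = "informatik.hs-fulda.de";

  # "informatik.hs-fulda.de" -> "dc=informatik,dc=hs-fulda,dc=de"
  baseDN = concatMapStringsSep "," (part: "dc=${part}") (splitString "." ldapDomain);

  # Settings shared by every PAM stack that should accept directory accounts:
  # create the home directory on first login, enforce SSSD access control, and
  # keep /etc/shadow authentication enabled so local accounts still work.
  sssdPamService = {
    makeHomeDir = true;
    sssdStrictAccess = true;
    unixAuth = mkForce true;
  };
in
{
  # One identical stack for console login, SSH, the display manager and the
  # systemd user session; genAttrs replaces four copy-pasted attribute sets.
  security.pam.services =
    genAttrs [ "sshd" "login" "lightdm" "systemd-user" ] (_: sssdPamService);

  # NOTE(review): ldap_default_authtok below is written verbatim into the
  # generated sssd.conf, which is a /nix/store path and therefore readable by
  # every local user (and by everyone with access to this repository).  The
  # services.sssd.environmentFile option exists for this case: the config
  # carries a placeholder and the real value is substituted from a root-only
  # file when the service starts.  The commented-out sops block at the bottom
  # looks like the intended source of that file.  Rotate the bind password once
  # it is moved, since the current one is committed in clear text.
  #
  # Other points a reader should know about this config:
  #  - debug_level = 8 is very verbose; lower it once the setup is stable.
  #  - ldap_access_filter = (objectClass=*) matches every entry, so the
  #    "filter" access check admits any account found under ldap_search_base.
  #    Narrow it (for example to a group membership) if only some directory
  #    users should be able to log in on this host.
  #  - ldap_uri uses ldaps:// and ldap_tls_reqcert = demand, so the server
  #    certificate is verified.
  #  - The "# TODO" line is an sssd.conf comment, but Nix still interpolates
  #    ${config.networking.domain} inside it at evaluation time, so
  #    networking.domain must be set for this module to evaluate.
  #  - The original file set cache_credentials = true twice in [domain/hsfd];
  #    the duplicate was dropped, the value is unchanged.
  services.sssd = {
    enable = true;
    config = ''
      [sssd]
      config_file_version = 2
      services = nss, pam, ssh, ifp
      domains = hsfd

      debug_level = 8

      [nss]
      override_homedir = /home/%u
      override_shell = /run/current-system/sw/bin/bash

      filter_users = root
      filter_groups = root

      reconnection_retries = 3

      [pam]

      [domain/hsfd]
      id_provider = ldap
      access_provider = ldap
      auth_provider = ldap

      cache_credentials = true

      # TODO: ldap_uri = ldaps://ldap${config.networking.domain}/
      ldap_uri = ldaps://ldap-linuxlab.${ldapDomain}/
      ldap_search_base = ou=users,${baseDN}

      ldap_tls_reqcert = demand
      ldap_id_use_start_tls = true

      ldap_default_bind_dn = cn=login,${baseDN}
      ldap_default_authtok_type = password
      ldap_default_authtok = TXyk&6G?Ta/B[DZ2^g'KmpUw

      ldap_access_order = filter
      ldap_access_filter = (objectClass=*)

      ldap_user_object_class = posixAccount
      ldap_user_name = cn

      ldap_search_timeout = 10
      ldap_network_timeout = 10

      ldap_deref_threshold = 0

      ignore_group_members = true
      subdomain_inherit = ignore_group_members

      entry_negative_timeout = 3

      override_gid = ${toString config.users.groups."users".gid}

      min_id = 1000
      enumerate = false
    '';
  };

  # Command-line tooling for sssd, made available to root only.
  users.users."root".packages = with pkgs; [ sss-cli ];

  # envfs provides /usr/bin and /bin at runtime so scripts with non-Nix
  # shebangs still run for directory users.
  services.envfs.enable = true;

  # Intended secret source for the bind password, not yet wired up.  Note that
  # owner still names nslcd although this module runs SSSD - revisit when
  # enabling it.
  #sops.secrets."ldap/login/password" = {
  #  owner = "nslcd";
  #  sopsFile = ./secrets.yaml;
  #};
}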