From 7ca4503bd9d23153a1c8b0cbdd4e6012be94068d Mon Sep 17 00:00:00 2001 From: Dustin Frisch Date: Thu, 28 Nov 2024 14:27:48 +0100 Subject: [PATCH] use sssd for ldap --- machines/manager/ldap.nix | 6 ++ shared/secrets.yaml | 8 +-- shared/users.nix | 116 ++++++++++++++++++++++++++++++-------- 3 files changed, 102 insertions(+), 28 deletions(-) diff --git a/machines/manager/ldap.nix b/machines/manager/ldap.nix index 5888580..55ff8d8 100644 --- a/machines/manager/ldap.nix +++ b/machines/manager/ldap.nix @@ -82,6 +82,12 @@ in olcRootDN = "cn=root,${baseDN}"; olcRootPW.path = config.sops.secrets."ldap/root/password".path; + olcDbIndex = [ + "uid,uidNumber pres,eq" + "cn,sn pres,eq,sub" + "objectClass eq" + ]; + olcAccess = [ # Custom access rules for userPassword attributes ''{0}to attrs=userPassword diff --git a/shared/secrets.yaml b/shared/secrets.yaml index 17a8dfb..c0d794a 100644 --- a/shared/secrets.yaml +++ b/shared/secrets.yaml @@ -1,6 +1,6 @@ ldap: login: - password: ENC[AES256_GCM,data:IFPwehOGSYore+HEv7MyymCKaOKn5XEH,iv:JTrZucSL/MohMgUdWqalpgjCCh7ueXd3cgNB0FuJo/U=,tag:o/1nvTrfojYsXYeuvxKfNg==,type:str] + environment: ENC[AES256_GCM,data:XxLyxQ19J2NVWS3q00ZKxHf8LzfjqRAlDXoCDlNZYDUNIkS16tIw/jbNQI0BauZdP74h,iv:FhSQsdNUEFrQvvVLdtRWvfD76NkUCgDnK481n04SYLk=,tag:1ewfmSk+oYw+RYBsw8/1nQ==,type:str] beegfs: connection: ENC[AES256_GCM,data:YTHMg76+5Azb+ex5ArUHt4xP+YYWr9Ph,iv:TEf8i+yezPsaW12Lg5jRnhds9uW9WhV6duZPdxeW9co=,tag:bPGsl7ofwE1Jh+FTyHJqzQ==,type:str] munge: 
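Review bot: The new olcDbIndex list indexes uid, uidNumber, cn, sn and objectClass, which match the user lookups sssd issues, but gidNumber is not listed; if group lookups are ever served from this directory rather than from the local `cluster` group, a `"gidNumber eq"` entry would avoid unindexed searches. Whether existing entries get re-indexed when olcDbIndex changes on a running cn=config database depends on how the NixOS module (re)loads the config, so this is worth confirming on the first deploy. A short comment above the list naming which sssd queries each index serves, e.g. `# Matches the attributes sssd filters on (ldap_user_name = cn, uid/uidNumber for id lookups)`, would make the coupling to shared/users.nix visible. The enclosing attribute set starts before this hunk.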
@@ -137,8 +137,8 @@ sops: WGl6N09VZmVxMUlFaXUyc0lYelVRWmcK70v8VA7J8hjwqC90TI9FbXDOgl9kKZtW 2vP5vumSQMlq2SulL+cz1oWVE7lvpsqHOQdWRp2Km2Bi6PPxlVmW3Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-07-07T10:50:20Z" - mac: ENC[AES256_GCM,data:84PcC2J2peF6ZyEWH4o8gFw1yopC2o7DN5fg2I1+eUQVRmm8WqJbMkIF2taQeJndliEvsPBg6XXvbtJqdTs2L8o4EkkEwK4whbIosFyuVBuI3NRjjc1qswyYHudZa8CAtXPrVXqtD0q5QOtHwlUdGAyoBCpT8x2ZFaeye+JDuec=,iv:GhvwtEQMZlojwi0KoKUAQeuL53a0EFw1h+ysI9jeMuU=,tag:YJ8iYskhY8r3nDJIYxMusA==,type:str] + lastmodified: "2024-11-28T12:59:58Z" + mac: ENC[AES256_GCM,data:EJh2no9HNdohyvcHbHeYMIIG9j10WaXpYuFkm94Ni6QBnXD9VJnrgIBGMnbQ5SDI5R5GOmZI5D7/6ubaARGZDRxOVIf7CiPnX70YbLfjWp/Y1xgL8coiMf7C5airz254CPwK7jhWBdjbG+CzTh/Gel0+O35GaUEp7Cg2iIGHO58=,iv:MvezhjtKtnTPReTKz+kxsIbcNeYqYl+uM2o8mEA/2ug=,tag:AL4Q1irDu1pvV7mWz9MU6w==,type:str] pgp: - created_at: "2023-11-21T13:44:33Z" enc: | @@ -156,4 +156,4 @@ sops: -----END PGP MESSAGE----- fp: 3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE unencrypted_suffix: _unencrypted - version: 3.7.3 + version: 3.8.1 diff --git a/shared/users.nix b/shared/users.nix index 8f32a3e..8cbf895 100644 --- a/shared/users.nix +++ b/shared/users.nix @@ -1,4 +1,4 @@ -{ pkgs, lib, config, ... }: +{ lib, config, ... }: with lib; 
@@ -19,30 +19,29 @@ in ]; }; - users.ldap = { - enable = true; - - useTLS = true; - - server = "ldaps://ldap.${config.networking.domain}/"; - base = "ou=users,${baseDN}"; - - daemon.enable = true; - - bind = { - distinguishedName = "cn=login,${baseDN}"; - passwordFile = config.sops.secrets."ldap/login/password".path; + security.pam.services = { + sshd = { + makeHomeDir = true; + sssdStrictAccess = true; + unixAuth = lib.mkForce true; + }; + login = { + makeHomeDir = true; + sssdStrictAccess = true; + unixAuth = lib.mkForce true; + }; + lightdm = { + makeHomeDir = true; + sssdStrictAccess = true; + unixAuth = lib.mkForce true; + }; + systemd-user = { + makeHomeDir = true; + sssdStrictAccess = true; + unixAuth = lib.mkForce true; }; }; - users.groups."cluster" = { - gid = 1000; # Fixed, becaused it is used for LDAP users - }; - - security.pam.services."login".makeHomeDir = true; - security.pam.services."sshd".makeHomeDir = true; - security.pam.services."systemd-user".makeHomeDir = true; - security.pam.loginLimits = [ { domain = "@cluster"; 
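Review bot: The same three-attribute body is repeated for sshd, login, lightdm and systemd-user; since the file already has `with lib;` in scope, `security.pam.services = genAttrs [ "sshd" "login" "lightdm" "systemd-user" ] (_: { makeHomeDir = true; sssdStrictAccess = true; unixAuth = mkForce true; });` expresses the same configuration once and keeps the four stanzas from drifting. `unixAuth = lib.mkForce true` overrides a value set somewhere outside this hunk, and nothing here says what sets it to false or why local password auth must win; a comment such as `# unixAuth is disabled elsewhere; keep local accounts (root) logging in when sssd is unreachable` — with the actual reason — would help the next reader. Note that `sssdStrictAccess = true` only restricts access if the sssd domain's access filter does, which the next hunk's `(objectClass=*)` filter does not. The enclosing attribute set starts before and ends after this hunk.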
@@ -52,8 +51,77 @@ in } ]; - sops.secrets."ldap/login/password" = { - owner = "nslcd"; + services.sssd = { + enable = true; + + environmentFile = config.sops.secrets."ldap/login/environment".path; + + config = '' + [sssd] + config_file_version = 2 + services = nss, pam, ssh, ifp + domains = hsfd + + debug_level = 8 + + [nss] + override_homedir = /home/%u + override_shell = /run/current-system/sw/bin/bash + + filter_users = root + filter_groups = root + + reconnection_retries = 3 + + [pam] + + [domain/hsfd] + id_provider = ldap + access_provider = ldap + auth_provider = ldap + + cache_credentials = true + + ldap_uri = ldaps://ldap.${config.networking.domain}/ + ldap_search_base = ou=users,${baseDN} + + ldap_tls_reqcert = demand + ldap_id_use_start_tls = true + + ldap_default_bind_dn = cn=login,${baseDN} + ldap_default_authtok_type = password + ldap_default_authtok = $SSSD_LDAP_DEFAULT_AUTHTOK + + ldap_access_order = filter + ldap_access_filter = (objectClass=*) + + ldap_user_object_class = posixAccount + ldap_user_name = cn + + ldap_search_timeout = 10 + ldap_network_timeout = 10 + + ldap_deref_threshold = 0 + + ignore_group_members = true + subdomain_inherit = ignore_group_members + + entry_negative_timeout = 3 + + override_gid = ${toString config.users.groups."cluster".gid} + + cache_credentials = true + + min_id = 1000 + enumerate = true + ''; + }; + + users.groups."cluster" = { + gid = 1000; # Fixed, becaused it is used for LDAP users + }; + + sops.secrets."ldap/login/environment" = { sopsFile = ./secrets.yaml; }; }
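Review bot: `cache_credentials = true` appears twice in `[domain/hsfd]` (once after `auth_provider` and again after `override_gid`); drop the second occurrence so the section does not depend on how the ini parser treats duplicate keys. With `access_provider = ldap` and `ldap_access_filter = (objectClass=*)`, every account the search base returns is admitted, so the access provider and the PAM stanzas' `sssdStrictAccess` enforce nothing until the filter is narrowed (a group membership or an attribute on the account), or a comment states that admitting everyone under `ou=users` is intended. `debug_level = 8` is a tracing level that is presumably left over from bringing the migration up; it fills the journal at steady state and should be lowered (or moved under a comment saying it is temporary) once the switch is verified. `ldap_id_use_start_tls = true` is redundant with an `ldaps://` URI and reads as if StartTLS were in use; `ldap_tls_reqcert = demand` is the setting that actually matters here and relies on the system CA store since no `ldap_tls_cacert` is given, which is worth confirming for the server certificate. The enclosing attribute set starts before this hunk.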