Browse Source

use sssd for ldap

main
Dustin Frisch 7 days ago
parent
commit
7ca4503bd9
No known key found for this signature in database GPG Key ID: B4C3BF012D9B26BE
  1. 6
      machines/manager/ldap.nix
  2. 8
      shared/secrets.yaml
  3. 114
      shared/users.nix

6
machines/manager/ldap.nix

@ -82,6 +82,12 @@ in
olcRootDN = "cn=root,${baseDN}"; olcRootDN = "cn=root,${baseDN}";
olcRootPW.path = config.sops.secrets."ldap/root/password".path; olcRootPW.path = config.sops.secrets."ldap/root/password".path;
olcDbIndex = [
"uid,uidNumber pres,eq"
"cn,sn pres,eq,sub"
"objectClass eq"
];
olcAccess = [ olcAccess = [
# Custom access rules for userPassword attributes # Custom access rules for userPassword attributes
''{0}to attrs=userPassword ''{0}to attrs=userPassword

8
shared/secrets.yaml

@ -1,6 +1,6 @@
ldap: ldap:
login: login:
password: ENC[AES256_GCM,data:IFPwehOGSYore+HEv7MyymCKaOKn5XEH,iv:JTrZucSL/MohMgUdWqalpgjCCh7ueXd3cgNB0FuJo/U=,tag:o/1nvTrfojYsXYeuvxKfNg==,type:str]
environment: ENC[AES256_GCM,data:XxLyxQ19J2NVWS3q00ZKxHf8LzfjqRAlDXoCDlNZYDUNIkS16tIw/jbNQI0BauZdP74h,iv:FhSQsdNUEFrQvvVLdtRWvfD76NkUCgDnK481n04SYLk=,tag:1ewfmSk+oYw+RYBsw8/1nQ==,type:str]
beegfs: beegfs:
connection: ENC[AES256_GCM,data:YTHMg76+5Azb+ex5ArUHt4xP+YYWr9Ph,iv:TEf8i+yezPsaW12Lg5jRnhds9uW9WhV6duZPdxeW9co=,tag:bPGsl7ofwE1Jh+FTyHJqzQ==,type:str] connection: ENC[AES256_GCM,data:YTHMg76+5Azb+ex5ArUHt4xP+YYWr9Ph,iv:TEf8i+yezPsaW12Lg5jRnhds9uW9WhV6duZPdxeW9co=,tag:bPGsl7ofwE1Jh+FTyHJqzQ==,type:str]
munge: munge:
@ -137,8 +137,8 @@ sops:
WGl6N09VZmVxMUlFaXUyc0lYelVRWmcK70v8VA7J8hjwqC90TI9FbXDOgl9kKZtW WGl6N09VZmVxMUlFaXUyc0lYelVRWmcK70v8VA7J8hjwqC90TI9FbXDOgl9kKZtW
2vP5vumSQMlq2SulL+cz1oWVE7lvpsqHOQdWRp2Km2Bi6PPxlVmW3Q== 2vP5vumSQMlq2SulL+cz1oWVE7lvpsqHOQdWRp2Km2Bi6PPxlVmW3Q==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-07-07T10:50:20Z"
mac: ENC[AES256_GCM,data:84PcC2J2peF6ZyEWH4o8gFw1yopC2o7DN5fg2I1+eUQVRmm8WqJbMkIF2taQeJndliEvsPBg6XXvbtJqdTs2L8o4EkkEwK4whbIosFyuVBuI3NRjjc1qswyYHudZa8CAtXPrVXqtD0q5QOtHwlUdGAyoBCpT8x2ZFaeye+JDuec=,iv:GhvwtEQMZlojwi0KoKUAQeuL53a0EFw1h+ysI9jeMuU=,tag:YJ8iYskhY8r3nDJIYxMusA==,type:str]
lastmodified: "2024-11-28T12:59:58Z"
mac: ENC[AES256_GCM,data:EJh2no9HNdohyvcHbHeYMIIG9j10WaXpYuFkm94Ni6QBnXD9VJnrgIBGMnbQ5SDI5R5GOmZI5D7/6ubaARGZDRxOVIf7CiPnX70YbLfjWp/Y1xgL8coiMf7C5airz254CPwK7jhWBdjbG+CzTh/Gel0+O35GaUEp7Cg2iIGHO58=,iv:MvezhjtKtnTPReTKz+kxsIbcNeYqYl+uM2o8mEA/2ug=,tag:AL4Q1irDu1pvV7mWz9MU6w==,type:str]
pgp: pgp:
- created_at: "2023-11-21T13:44:33Z" - created_at: "2023-11-21T13:44:33Z"
enc: | enc: |
@ -156,4 +156,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE fp: 3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.7.3
version: 3.8.1

114
shared/users.nix

@ -1,4 +1,4 @@
{ pkgs, lib, config, ... }:
{ lib, config, ... }:
with lib; with lib;
@ -19,29 +19,28 @@ in
]; ];
}; };
users.ldap = {
enable = true;
useTLS = true;
server = "ldaps://ldap.${config.networking.domain}/";
base = "ou=users,${baseDN}";
daemon.enable = true;
bind = {
distinguishedName = "cn=login,${baseDN}";
passwordFile = config.sops.secrets."ldap/login/password".path;
security.pam.services = {
sshd = {
makeHomeDir = true;
sssdStrictAccess = true;
unixAuth = lib.mkForce true;
}; };
login = {
makeHomeDir = true;
sssdStrictAccess = true;
unixAuth = lib.mkForce true;
};
lightdm = {
makeHomeDir = true;
sssdStrictAccess = true;
unixAuth = lib.mkForce true;
};
systemd-user = {
makeHomeDir = true;
sssdStrictAccess = true;
unixAuth = lib.mkForce true;
}; };
users.groups."cluster" = {
gid = 1000; # Fixed, becaused it is used for LDAP users
}; };
security.pam.services."login".makeHomeDir = true;
security.pam.services."sshd".makeHomeDir = true;
security.pam.services."systemd-user".makeHomeDir = true;
security.pam.loginLimits = [ security.pam.loginLimits = [
{ {
@ -52,8 +51,77 @@ in
} }
]; ];
sops.secrets."ldap/login/password" = {
owner = "nslcd";
services.sssd = {
enable = true;
environmentFile = config.sops.secrets."ldap/login/environment".path;
config = ''
[sssd]
config_file_version = 2
services = nss, pam, ssh, ifp
domains = hsfd
debug_level = 8
[nss]
override_homedir = /home/%u
override_shell = /run/current-system/sw/bin/bash
filter_users = root
filter_groups = root
reconnection_retries = 3
[pam]
[domain/hsfd]
id_provider = ldap
access_provider = ldap
auth_provider = ldap
cache_credentials = true
ldap_uri = ldaps://ldap.${config.networking.domain}/
ldap_search_base = ou=users,${baseDN}
ldap_tls_reqcert = demand
ldap_id_use_start_tls = true
ldap_default_bind_dn = cn=login,${baseDN}
ldap_default_authtok_type = password
ldap_default_authtok = $SSSD_LDAP_DEFAULT_AUTHTOK
ldap_access_order = filter
ldap_access_filter = (objectClass=*)
ldap_user_object_class = posixAccount
ldap_user_name = cn
ldap_search_timeout = 10
ldap_network_timeout = 10
ldap_deref_threshold = 0
ignore_group_members = true
subdomain_inherit = ignore_group_members
entry_negative_timeout = 3
override_gid = ${toString config.users.groups."cluster".gid}
cache_credentials = true
min_id = 1000
enumerate = true
'';
};
users.groups."cluster" = {
gid = 1000; # Fixed, becaused it is used for LDAP users
};
sops.secrets."ldap/login/environment" = {
sopsFile = ./secrets.yaml; sopsFile = ./secrets.yaml;
}; };
} }
Loading…
Cancel
Save