use sssd for ldap

6 days ago · 7ca4503bd9
3 changed files with 102 additions and 28 deletions
--- a/machines/manager/ldap.nix
+++ b/machines/manager/ldap.nix
@ -82,6 +82,12 @@ in
            olcRootDN = "cn=root,${baseDN}";
            olcRootPW.path = config.sops.secrets."ldap/root/password".path;

+            olcDbIndex = [
+              "uid,uidNumber pres,eq"
+              "cn,sn pres,eq,sub"
+              "objectClass eq"
+            ];
+
            olcAccess = [
              # Custom access rules for userPassword attributes
              ''{0}to attrs=userPassword
--- a/shared/secrets.yaml
+++ b/shared/secrets.yaml
@ -1,6 +1,6 @@
 ldap:
    login:
-        password: ENC[AES256_GCM,data:IFPwehOGSYore+HEv7MyymCKaOKn5XEH,iv:JTrZucSL/MohMgUdWqalpgjCCh7ueXd3cgNB0FuJo/U=,tag:o/1nvTrfojYsXYeuvxKfNg==,type:str]
+        environment: ENC[AES256_GCM,data:XxLyxQ19J2NVWS3q00ZKxHf8LzfjqRAlDXoCDlNZYDUNIkS16tIw/jbNQI0BauZdP74h,iv:FhSQsdNUEFrQvvVLdtRWvfD76NkUCgDnK481n04SYLk=,tag:1ewfmSk+oYw+RYBsw8/1nQ==,type:str]
 beegfs:
    connection: ENC[AES256_GCM,data:YTHMg76+5Azb+ex5ArUHt4xP+YYWr9Ph,iv:TEf8i+yezPsaW12Lg5jRnhds9uW9WhV6duZPdxeW9co=,tag:bPGsl7ofwE1Jh+FTyHJqzQ==,type:str]
 munge:
@ -137,8 +137,8 @@ sops:
            WGl6N09VZmVxMUlFaXUyc0lYelVRWmcK70v8VA7J8hjwqC90TI9FbXDOgl9kKZtW
            2vP5vumSQMlq2SulL+cz1oWVE7lvpsqHOQdWRp2Km2Bi6PPxlVmW3Q==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-07-07T10:50:20Z"
-    mac: ENC[AES256_GCM,data:84PcC2J2peF6ZyEWH4o8gFw1yopC2o7DN5fg2I1+eUQVRmm8WqJbMkIF2taQeJndliEvsPBg6XXvbtJqdTs2L8o4EkkEwK4whbIosFyuVBuI3NRjjc1qswyYHudZa8CAtXPrVXqtD0q5QOtHwlUdGAyoBCpT8x2ZFaeye+JDuec=,iv:GhvwtEQMZlojwi0KoKUAQeuL53a0EFw1h+ysI9jeMuU=,tag:YJ8iYskhY8r3nDJIYxMusA==,type:str]
+    lastmodified: "2024-11-28T12:59:58Z"
+    mac: ENC[AES256_GCM,data:EJh2no9HNdohyvcHbHeYMIIG9j10WaXpYuFkm94Ni6QBnXD9VJnrgIBGMnbQ5SDI5R5GOmZI5D7/6ubaARGZDRxOVIf7CiPnX70YbLfjWp/Y1xgL8coiMf7C5airz254CPwK7jhWBdjbG+CzTh/Gel0+O35GaUEp7Cg2iIGHO58=,iv:MvezhjtKtnTPReTKz+kxsIbcNeYqYl+uM2o8mEA/2ug=,tag:AL4Q1irDu1pvV7mWz9MU6w==,type:str]
    pgp:
        - created_at: "2023-11-21T13:44:33Z"
          enc: |
@ -156,4 +156,4 @@ sops:
            -----END PGP MESSAGE-----
          fp: 3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE
    unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.8.1
--- a/shared/users.nix
+++ b/shared/users.nix
@ -1,4 +1,4 @@
-{ pkgs, lib, config, ... }:
+{ lib, config, ... }:

 with lib;

@ -19,30 +19,29 @@ in
    ];
  };

-  users.ldap = {
-    enable = true;
-
-    useTLS = true;
-
-    server = "ldaps://ldap.${config.networking.domain}/";
-    base = "ou=users,${baseDN}";
-
-    daemon.enable = true;
-
-    bind = {
-      distinguishedName = "cn=login,${baseDN}";
-      passwordFile = config.sops.secrets."ldap/login/password".path;
+  security.pam.services = {
+    sshd = {
+      makeHomeDir = true;
+      sssdStrictAccess = true;
+      unixAuth = lib.mkForce true;
+    };
+    login = {
+      makeHomeDir = true;
+      sssdStrictAccess = true;
+      unixAuth = lib.mkForce true;
+    };
+    lightdm = {
+      makeHomeDir = true;
+      sssdStrictAccess = true;
+      unixAuth = lib.mkForce true;
+    };
+    systemd-user = {
+      makeHomeDir = true;
+      sssdStrictAccess = true;
+      unixAuth = lib.mkForce true;
    };
  };

-  users.groups."cluster" = {
-    gid = 1000; # Fixed, becaused it is used for LDAP users
-  };
-
-  security.pam.services."login".makeHomeDir = true;
-  security.pam.services."sshd".makeHomeDir = true;
-  security.pam.services."systemd-user".makeHomeDir = true;
-
  security.pam.loginLimits = [
    {
      domain = "@cluster";
@ -52,8 +51,77 @@ in
    }
  ];

-  sops.secrets."ldap/login/password" = {
-    owner = "nslcd";
+  services.sssd = {
+    enable = true;
+
+    environmentFile = config.sops.secrets."ldap/login/environment".path;
+
+    config = ''
+      [sssd]
+      config_file_version = 2
+      services = nss, pam, ssh, ifp
+      domains = hsfd
+
+      debug_level = 8
+
+      [nss]
+      override_homedir = /home/%u
+      override_shell = /run/current-system/sw/bin/bash
+
+      filter_users = root
+      filter_groups = root
+
+      reconnection_retries = 3
+  
+      [pam]
+  
+      [domain/hsfd]
+      id_provider = ldap
+      access_provider = ldap
+      auth_provider = ldap
+
+      cache_credentials = true
+
+      ldap_uri = ldaps://ldap.${config.networking.domain}/
+      ldap_search_base = ou=users,${baseDN}
+
+      ldap_tls_reqcert = demand
+      ldap_id_use_start_tls = true
+
+      ldap_default_bind_dn = cn=login,${baseDN}
+      ldap_default_authtok_type = password
+      ldap_default_authtok = $SSSD_LDAP_DEFAULT_AUTHTOK
+
+      ldap_access_order = filter
+      ldap_access_filter = (objectClass=*)
+
+      ldap_user_object_class = posixAccount
+      ldap_user_name = cn
+
+      ldap_search_timeout = 10
+      ldap_network_timeout = 10
+
+      ldap_deref_threshold = 0
+
+      ignore_group_members = true
+      subdomain_inherit = ignore_group_members
+
+      entry_negative_timeout = 3
+
+      override_gid = ${toString config.users.groups."cluster".gid}
+
+      cache_credentials = true
+
+      min_id = 1000
+      enumerate = true
+    '';
+  };
+
+  users.groups."cluster" = {
+    gid = 1000; # Fixed, becaused it is used for LDAP users
+  };
+
+  sops.secrets."ldap/login/environment" = {
    sopsFile = ./secrets.yaml;
  };
 }