ldap: is working as intended, working on scripting to add and manage users

applications/ldap.nix

@@ -6,6 +6,7 @@ Gonna use a priper nixos module for this
   with lib;
   let
     cfg = config.services.skynet_ldap;
+    base = "dc=skynet,dc=ie";
   in {
 
   # these are needed for teh program in question
@@ -44,12 +45,6 @@ Gonna use a priper nixos module for this
   config = mkIf cfg.enable {
     # this is athe actual configuration that we need to do
 
-    # some things first just for skynet
-    skynet_firewall.forward = [
-      "ip daddr ${cfg.host.ip} udp dport 80 counter packets 0 bytes 0 accept"
-      "ip daddr ${cfg.host.ip} udp dport 443 counter packets 0 bytes 0 accept"
-    ];
-
     skynet_dns.records.cname = [
       "${cfg.subdomain}  CNAME   ${cfg.host.name}"
     ];
@@ -64,36 +59,56 @@ Gonna use a priper nixos module for this
       636
     ];
 
-
-    # finally down to configurating teha ctual service
-
-    # gonna need a reverse proxy set up
-    services.nginx = {
-      virtualHosts."${cfg.subdomain}.skynet.ie" = {
-        forceSSL = true;
-        useACMEHost = "skynet";
-        locations."/".proxyPass = "http://localhost:${toString cfg.port}";
-      };
-    };
-
-     environment.variables = rec {
-        PORTUNUS_DEBUG  = "true";
-        SILVER_TEST  = "true";
-      };
-
-    # finally the actual service we are doing
-    services.portunus = {
+    services.openldap = {
       enable = true;
-      domain = "${cfg.subdomain}.skynet.ie";
-      port = cfg.port;
-      # not sure if this will work
-      # https://nixos.org/manual/nix/stable/language/builtins.html#builtins-toPath
-      seedPath = ./. +"/ldap/seed.json";
 
-      ldap = {
-        #searchUserName = "portunus-service";
-        suffix = "dc=skynet,dc=ie";
+      /* enable plain connections only */
+      urlList = [ "ldap:///" ];
+
+
+      settings = {
+        attrs = {
+          olcLogLevel = "conns config";
+        };
+
+        children = {
+          "cn=schema".includes = [
+            "${pkgs.openldap}/etc/schema/core.ldif"
+            "${pkgs.openldap}/etc/schema/cosine.ldif"
+            "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
+            "${pkgs.openldap}/etc/schema/nis.ldif"
+            ./ldap/openssh-lpk.ldif
+          ];
+
+          "olcDatabase={1}mdb".attrs = {
+            objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
+
+            olcDatabase = "{1}mdb";
+            olcDbDirectory = "/var/lib/openldap/data";
+
+            olcSuffix = base;
+
+            /* your admin account, do not use writeText on a production system */
+            olcRootDN = "cn=admin,${base}";
+            olcRootPW.path = pkgs.writeText "olcRootPW" "westwood";
+
+            #olcOverlay =  "memberof";
+
+            olcAccess = [
+              /* custom access rules for userPassword attributes */
+              ''{0}to attrs=userPassword
+                  by self write
+                  by anonymous auth
+                  by * none''
+
+              /* allow read on anything else */
+              ''{1}to *
+                  by * read''
+            ];
+          };
+        };
       };
     };
+
   };
 }

applications/ldap/openssh-lpk.ldif

@@ -0,0 +1,17 @@
+# LDAP SSH Public Key schema
+# Source: https://serverfault.com/questions/653792/ssh-key-authentication-using-ldap
+# Homepage: https://github.com/AndriiGrytsenko/openssh-ldap-publickey
+# Source2: https://github.com/turnkeylinux-apps/openldap/blob/master/overlay/etc/ldap/schema/openssh-lpk.ldif
+
+dn: cn=openssh-lpk,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: openssh-lpk
+olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
+    DESC 'MANDATORY: OpenSSH Public key'
+    EQUALITY octetStringMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey'
+    DESC 'MANDATORY: OpenSSH LPK objectclass'
+    SUP top AUXILIARY
+    MAY ( sshPublicKey $ uid )
+    )

machines/optimus.nix

@@ -67,7 +67,7 @@ in {
   };
 
   security.sudo.extraRules = [
-     { groups = [ "admin-skynet" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; }
+     { groups = [ "skynet-admins" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; }
   ];
 
   services.sssd = {
@@ -83,15 +83,20 @@ in {
       id_provider = ldap
       auth_provider = ldap
       sudo_provider = ldap
-      ldap_uri = ldap://sso.skynet.ie
-      ldap_search_base = ou=users,dc=skynet,dc=ie
-      ldap_group_search_base = ou=posix-groups,dc=skynet,dc=ie
-      ldap_sudo_search_base = ou=admin-skynet,ou=posix-groups,dc=skynet,dc=ie
-      ldap_default_bind_dn = uid=portunus_service,ou=users,dc=skynet,dc=ie
+      ldap_uri = ldap://193.1.99.112:389
+
+      ldap_search_base = dc=skynet,dc=ie
+      ldap_user_search_base  = ou=users,dc=skynet,dc=ie
+      ldap_group_search_base = ou=groups,dc=skynet,dc=ie
+      ldap_sudo_search_base = cn=skynet-admins,ou=groups,dc=skynet,dc=ie
+
+      ldap_group_nesting_level = 5
+
+      ldap_default_bind_dn = cn=admin,dc=skynet,dc=ie
       ldap_default_authtok_type = password
       ldap_default_authtok = $LDAP_BIND_PW
       cache_credentials = false
-      simple_allow_groups = admin-skynet
+      simple_allow_groups = skynet-admins,skynet-users
 
       [sssd]
       config_file_version = 2