From 0c57b3577807aff44fa5946e38ea3fa8bed5193c Mon Sep 17 00:00:00 2001 From: Brendan Golden Date: Sat, 20 May 2023 03:08:30 +0100 Subject: [PATCH] ldap: is working as intended, working on scripting to add and manage users --- applications/ldap.nix | 81 ++++++++++++++++++------------ applications/ldap/openssh-lpk.ldif | 17 +++++++ machines/optimus.nix | 19 ++++--- 3 files changed, 77 insertions(+), 40 deletions(-) create mode 100644 applications/ldap/openssh-lpk.ldif diff --git a/applications/ldap.nix b/applications/ldap.nix index 067c2d0..f7bb55c 100644 --- a/applications/ldap.nix +++ b/applications/ldap.nix @@ -6,6 +6,7 @@ Gonna use a priper nixos module for this with lib; let cfg = config.services.skynet_ldap; + base = "dc=skynet,dc=ie"; in { # these are needed for teh program in question @@ -44,12 +45,6 @@ Gonna use a priper nixos module for this config = mkIf cfg.enable { # this is athe actual configuration that we need to do - # some things first just for skynet - skynet_firewall.forward = [ - "ip daddr ${cfg.host.ip} udp dport 80 counter packets 0 bytes 0 accept" - "ip daddr ${cfg.host.ip} udp dport 443 counter packets 0 bytes 0 accept" - ]; - skynet_dns.records.cname = [ "${cfg.subdomain} CNAME ${cfg.host.name}" ]; 
@@ -64,36 +59,56 @@ Gonna use a priper nixos module for this 636 ]; - - # finally down to configurating teha ctual service - - # gonna need a reverse proxy set up - services.nginx = { - virtualHosts."${cfg.subdomain}.skynet.ie" = { - forceSSL = true; - useACMEHost = "skynet"; - locations."/".proxyPass = "http://localhost:${toString cfg.port}"; - }; - }; - - environment.variables = rec { - PORTUNUS_DEBUG = "true"; - SILVER_TEST = "true"; - }; - - # finally the actual service we are doing - services.portunus = { + services.openldap = { enable = true; - domain = "${cfg.subdomain}.skynet.ie"; - port = cfg.port; - # not sure if this will work - # https://nixos.org/manual/nix/stable/language/builtins.html#builtins-toPath - seedPath = ./. +"/ldap/seed.json"; - ldap = { - #searchUserName = "portunus-service"; - suffix = "dc=skynet,dc=ie"; + /* enable plain connections only */ + urlList = [ "ldap:///" ]; + + + settings = { + attrs = { + olcLogLevel = "conns config"; + }; + + children = { + "cn=schema".includes = [ + "${pkgs.openldap}/etc/schema/core.ldif" + "${pkgs.openldap}/etc/schema/cosine.ldif" + "${pkgs.openldap}/etc/schema/inetorgperson.ldif" + "${pkgs.openldap}/etc/schema/nis.ldif" + ./ldap/openssh-lpk.ldif + ]; + + "olcDatabase={1}mdb".attrs = { + objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; + + olcDatabase = "{1}mdb"; + olcDbDirectory = "/var/lib/openldap/data"; + + olcSuffix = base; + + /* your admin account, do not use writeText on a production system */ + olcRootDN = "cn=admin,${base}"; + olcRootPW.path = pkgs.writeText "olcRootPW" "westwood"; + + #olcOverlay = "memberof"; + + olcAccess = [ + /* custom access rules for userPassword attributes */ + ''{0}to attrs=userPassword + by self write + by anonymous auth + by * none'' + + /* allow read on anything else */ + ''{1}to * + by * read'' + ]; + }; + }; }; }; + }; } \ No newline at end of file 
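Review bot: `olcRootPW.path = pkgs.writeText "olcRootPW" "westwood";` puts the directory's root password in cleartext into the world-readable Nix store and into git history, and the comment directly above it already concedes this is not production-safe. Point `olcRootPW.path` at a file provisioned outside the store (`olcRootPW.path = "<secret file path outside /nix/store>";`, placeholder) holding a `{SSHA}` hash produced by `slappasswd` rather than the cleartext value, and treat the value now in history as burned. `urlList = [ "ldap:///" ]` serves plaintext only, while the port list this hunk opens with still contains 636, which suggests LDAPS was intended; adding `ldaps:///` with the matching `olcTLSCertificateFile`/`olcTLSCertificateKeyFile` attributes (or StartTLS) would keep the admin bind done from `machines/optimus.nix` off the wire in cleartext. The `''{1}to * by * read''` rule also grants anonymous read of every attribute except userPassword, including `sshPublicKey` and group membership, so `by users read by * none` is worth considering if anonymous enumeration is not intended. The `services.openldap` block closes inside this hunk, but the enclosing `config = mkIf cfg.enable { … }` set starts before it.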
diff --git a/applications/ldap/openssh-lpk.ldif b/applications/ldap/openssh-lpk.ldif
new file mode 100644
index 0000000..29ab0aa
--- /dev/null
+++ b/applications/ldap/openssh-lpk.ldif
@@ -0,0 +1,17 @@
+# LDAP SSH Public Key schema
+# Source: https://serverfault.com/questions/653792/ssh-key-authentication-using-ldap
+# Homepage: https://github.com/AndriiGrytsenko/openssh-ldap-publickey
+# Source2: https://github.com/turnkeylinux-apps/openldap/blob/master/overlay/etc/ldap/schema/openssh-lpk.ldif
+
+dn: cn=openssh-lpk,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: openssh-lpk
+olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
+  DESC 'MANDATORY: OpenSSH Public key'
+  EQUALITY octetStringMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey'
+  DESC 'MANDATORY: OpenSSH LPK objectclass'
+  SUP top AUXILIARY
+  MAY ( sshPublicKey $ uid )
+  )
diff --git a/machines/optimus.nix b/machines/optimus.nix
index c1f330a..43cdae6 100644
--- a/machines/optimus.nix
+++ b/machines/optimus.nix
@@ -67,7 +67,7 @@ in {
   };
   security.sudo.extraRules = [
-    { groups = [ "admin-skynet" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; }
+    { groups = [ "skynet-admins" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; }
   ];
   services.sssd = {
@@ -83,15 +83,20 @@ in {
       id_provider = ldap
       auth_provider = ldap
       sudo_provider = ldap
-      ldap_uri = ldap://sso.skynet.ie
-      ldap_search_base = ou=users,dc=skynet,dc=ie
-      ldap_group_search_base = ou=posix-groups,dc=skynet,dc=ie
-      ldap_sudo_search_base = ou=admin-skynet,ou=posix-groups,dc=skynet,dc=ie
-      ldap_default_bind_dn = uid=portunus_service,ou=users,dc=skynet,dc=ie
+      ldap_uri = ldap://193.1.99.112:389
+
+      ldap_search_base = dc=skynet,dc=ie
+      ldap_user_search_base = ou=users,dc=skynet,dc=ie
+      ldap_group_search_base = ou=groups,dc=skynet,dc=ie
+      ldap_sudo_search_base = cn=skynet-admins,ou=groups,dc=skynet,dc=ie
+
+      ldap_group_nesting_level = 5
+
+      ldap_default_bind_dn = cn=admin,dc=skynet,dc=ie
       ldap_default_authtok_type = password
       ldap_default_authtok = $LDAP_BIND_PW
       cache_credentials = false
-      simple_allow_groups = admin-skynet
+      simple_allow_groups = skynet-admins,skynet-users
       [sssd]
       config_file_version = 2
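Review bot: `ldap_default_bind_dn = cn=admin,dc=skynet,dc=ie` makes sssd bind with the directory's rootDN, so every client host now carries a credential with full write access to the directory in `$LDAP_BIND_PW`; a dedicated read-only service account, granted read by an `olcAccess` rule in `applications/ldap.nix`, would bound what a compromised client can do. `ldap_uri = ldap://193.1.99.112:389` also sends that bind password in cleartext, and the raw IP leaves nothing for certificate verification to check; an `ldaps://` URI naming the host (or `ldap_id_use_start_tls = true` with `ldap_tls_cacert`) would protect the bind. `ldap_sudo_search_base = cn=skynet-admins,ou=groups,dc=skynet,dc=ie` points the sudo provider at a group entry, whereas `sudo_provider = ldap` looks for `sudoRole` objects under that base, so this line seems unlikely to yield any rules and sudo access appears to come from `security.sudo.extraRules` instead — worth confirming. The sssd configuration string this hunk edits begins before the hunk.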