From c17a28d7a930fb572fe0d4fbed383b7ddab2abc1 Mon Sep 17 00:00:00 2001
From: Brendan Golden
Date: Sat, 20 May 2023 15:26:03 +0100
Subject: [PATCH] ldap: now got skMemberOf to replace memberof (memberof does not work on unixgroups)
---
 applications/ldap.nix | 73 +++++++++++++++++++++----------
 applications/ldap/seed.json | 56 ------------------------
 applications/ldap/skMemberOf.ldif | 17 +++++++
 machines/optimus.nix | 7 ++-
 4 files changed, 72 insertions(+), 81 deletions(-)
 delete mode 100644 applications/ldap/seed.json
 create mode 100644 applications/ldap/skMemberOf.ldif

diff --git a/applications/ldap.nix b/applications/ldap.nix
index f7bb55c..9be518e 100644
--- a/applications/ldap.nix
+++ b/applications/ldap.nix
@@ -78,34 +78,59 @@ Gonna use a priper nixos module for this "${pkgs.openldap}/etc/schema/inetorgperson.ldif" "${pkgs.openldap}/etc/schema/nis.ldif" ./ldap/openssh-lpk.ldif + ./ldap/skMemberOf.ldif ]; - "olcDatabase={1}mdb".attrs = { - objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; - olcDatabase = "{1}mdb"; - olcDbDirectory = "/var/lib/openldap/data"; - - olcSuffix = base; - - /* your admin account, do not use writeText on a production system */ - olcRootDN = "cn=admin,${base}"; - olcRootPW.path = pkgs.writeText "olcRootPW" "westwood"; - - #olcOverlay = "memberof"; - - olcAccess = [ - /* custom access rules for userPassword attributes */ - ''{0}to attrs=userPassword - by self write - by anonymous auth - by * none'' - - /* allow read on anything else */ - ''{1}to * - by * read'' - ]; + "cn=modules".attrs = { + objectClass = [ "olcModuleList" ]; + cn = "modules"; + olcModuleLoad = ["dynlist" "memberof"]; }; + + + "olcDatabase={1}mdb" = { + attrs = { + objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; + + olcDatabase = "{1}mdb"; + olcDbDirectory = "/var/lib/openldap/data"; + + olcSuffix = base; + + /* your admin account, do not use writeText on a production system */ + olcRootDN = "cn=admin,${base}"; + olcRootPW.path = pkgs.writeText "olcRootPW" "westwood"; + + #olcOverlay = "memberof"; + + olcAccess = [ + /* custom access rules for userPassword attributes */ + ''{0}to attrs=userPassword + by self write + by anonymous auth + by * none'' + + /* allow read on anything else */ + ''{1}to * + by * read'' + ]; + + + }; + + # https://blog.oddbit.com/post/2013-07-22-generating-a-membero/ + children = { + "olcOverlay=dynlist".attrs = { + objectClass = [ "olcOverlayConfig" "olcDynamicList" ]; + olcOverlay = "dynlist"; + olcDlAttrSet = "skPerson labeledURI skMemberOf"; + }; + }; + + + }; + }; }; }; diff --git a/applications/ldap/seed.json b/applications/ldap/seed.json deleted file mode 100644 index 7292b17..0000000 --- a/applications/ldap/seed.json +++ /dev/null 
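Review bot: The rewritten `olcDatabase={1}mdb` block still carries `olcRootPW.path = pkgs.writeText "olcRootPW" "westwood";`, which puts the directory root password into the world-readable Nix store, exactly what the comment above it warns against; point `olcRootPW.path` at a file provisioned outside the store (or a hashed value) and treat the committed placeholder as burned. The new `olcDlAttrSet = "skPerson labeledURI skMemberOf";` line makes skMemberOf a value the dynlist overlay derives from the LDAP URL stored in each entry's own `labeledURI`, and since the sssd change in this commit uses skMemberOf for access decisions, whoever can write `labeledURI` on an entry effectively decides that entry's group membership; the `{1}to * by * read` rule currently leaves only the root DN able to write it, which deserves a comment above `children`, e.g. `# skMemberOf is computed from each entry's labeledURI; keep labeledURI writable by the root DN only, sssd trusts skMemberOf for access control`. The `#olcOverlay = "memberof";` comment and the `"memberof"` entry in `olcModuleLoad` are both carried over although no memberof overlay is configured in this hunk, so at least the comment is stale. The enclosing settings attribute set begins before this hunk.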
@@ -1,56 +0,0 @@
-{
- "groups": [
- {
- "name": "admin-portunus",
- "long_name": "Skynet Portunus Administrators",
- "members": [
- "portunus_service"
- ],
- "permissions": {
- "portunus": {
- "is_admin": true
- },
- "ldap": {
- "can_read": true
- }
- }
- },
- {
- "name": "admin-skynet",
- "long_name": "Skynet admin",
- "members": [],
- "permissions": {
- "portunus": {
- "is_admin": false
- },
- "ldap": {
- "can_read": false
- }
- },
- "posix_gid": 101
- },
- {
- "name": "user-skynet",
- "long_name": "Skynet users",
- "members": [],
- "permissions": {
- "portunus": {
- "is_admin": false
- },
- "ldap": {
- "can_read": false
- }
- },
- "posix_gid": 1001
- }
- ],
- "users": [
- {
- "login_name": "portunus_service",
- "given_name": "Portunus",
- "family_name": "Service Account",
- "email": "portunus_service@skynet.ie",
- "password": "westwood"
- }
- ]
-}
\ No newline at end of file
diff --git a/applications/ldap/skMemberOf.ldif b/applications/ldap/skMemberOf.ldif
new file mode 100644
index 0000000..a8facb0
--- /dev/null
+++ b/applications/ldap/skMemberOf.ldif
@@ -0,0 +1,17 @@
+# LDAP SSH Public Key schema
+# Source: https://blog.oddbit.com/post/2013-07-22-generating-a-membero/
+# Notes will need to get our own number https://www.iana.org/assignments/enterprise-numbers/assignment/apply/
+# it needs a space at teh end of it, dont remove
+
+dn: cn=skynet-person,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: skynet-person
+olcAttributeTypes: ( 1.3.6.1.4.1.24441.1.1.1 NAME 'skMemberOf'
+ DESC 'Distinguished name of a group of which the object is a member'
+ EQUALITY distinguishedNameMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcObjectClasses: ( 1.3.6.1.4.1.24441.2.1.1 NAME 'skPerson'
+ DESC 'skynet person'
+ SUP top AUXILIARY
+ MAY ( skMemberOf )
+ )
diff --git a/machines/optimus.nix b/machines/optimus.nix
index 43cdae6..32b5cb7 100644
--- a/machines/optimus.nix
+++ b/machines/optimus.nix
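Review bot: The header of the new schema file reads `# LDAP SSH Public Key schema`, which describes the neighbouring openssh-lpk.ldif rather than this file; replace it with something like `# skynet-person schema: skMemberOf attribute and skPerson auxiliary class, values supplied by the dynlist overlay`. The OIDs under `1.3.6.1.4.1.24441` come from the linked blog post's private enterprise number, as the next comment admits, so until an own PEN is registered the comment should state plainly that these identifiers are borrowed and may collide with the arc owner's definitions. The comment `# it needs a space at teh end of it, dont remove` does not say what "it" is; name the line that needs the space and why (the continuation lines of `olcAttributeTypes` and `olcObjectClasses` must start with a leading space in LDIF, if that is what is meant), and fix the `teh`/`dont` typos at the same time.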
@@ -96,7 +96,12 @@ in {
 ldap_default_authtok_type = password
 ldap_default_authtok = $LDAP_BIND_PW
 cache_credentials = false
- simple_allow_groups = skynet-admins,skynet-users
+
+ ldap_user_member_of = skMemberOf
+
+ access_provider = simple
+ #simple_allow_users = tux
+ simple_allow_groups = skynet-admins
 
 [sssd]
 config_file_version = 2
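Review bot: Accounts that are only in skynet-users lose login on this host, because `simple_allow_groups` now lists `skynet-admins` alone while the same hunk sets `access_provider = simple`; if that narrowing is intended, say so in a comment next to the line, otherwise restore `simple_allow_groups = skynet-admins,skynet-users`. The `#simple_allow_users = tux` line reads as a debugging leftover and should be dropped rather than committed, since uncommenting a per-user allow quietly bypasses the group rule. Group membership now comes from `ldap_user_member_of = skMemberOf`, which on the LDAP side is derived from each entry's `labeledURI` by the dynlist overlay configured in this commit, so the access decision here is only as trustworthy as the write rules on that attribute; a one-line comment such as `# skMemberOf is dynlist-generated from labeledURI; its ACLs are the real access boundary` would make that dependency visible to whoever next edits this config. The sssd config string continues on both sides of the hunk.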