ldap: now got skMemberOf to replace memberof (memberof does not work on unixgroups)

This commit is contained in:
silver 2023-05-20 15:26:03 +01:00
parent 0c57b35778
commit c17a28d7a9
4 changed files with 72 additions and 81 deletions


@ -78,9 +78,19 @@ Gonna use a priper nixos module for this
"${pkgs.openldap}/etc/schema/inetorgperson.ldif" "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
"${pkgs.openldap}/etc/schema/nis.ldif" "${pkgs.openldap}/etc/schema/nis.ldif"
./ldap/openssh-lpk.ldif ./ldap/openssh-lpk.ldif
./ldap/skMemberOf.ldif
]; ];
"olcDatabase={1}mdb".attrs = {
"cn=modules".attrs = {
objectClass = [ "olcModuleList" ];
cn = "modules";
olcModuleLoad = ["dynlist" "memberof"];
};
"olcDatabase={1}mdb" = {
attrs = {
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
olcDatabase = "{1}mdb"; olcDatabase = "{1}mdb";
@ -105,7 +115,22 @@ Gonna use a priper nixos module for this
''{1}to * ''{1}to *
by * read'' by * read''
]; ];
}; };
# https://blog.oddbit.com/post/2013-07-22-generating-a-membero/
children = {
"olcOverlay=dynlist".attrs = {
objectClass = [ "olcOverlayConfig" "olcDynamicList" ];
olcOverlay = "dynlist";
olcDlAttrSet = "skPerson labeledURI skMemberOf";
};
};
};
}; };
}; };
}; };
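Review bot: `olcModuleLoad = ["dynlist" "memberof"];` still loads the memberof module although the commit replaces memberof with the dynlist-generated skMemberOf and no memberof overlay is configured in these hunks; either drop `"memberof"` or add a comment saying why it stays loaded. The more important point is `olcDlAttrSet = "skPerson labeledURI skMemberOf";`, which derives each entry's skMemberOf from that entry's own labeledURI, so whoever may write labeledURI on a user entry effectively decides the group membership every consumer of skMemberOf sees; the ACL whose tail `by * read` is visible here should be checked so that labeledURI (and skMemberOf) are writable only by the administrative bind, and a comment such as `# labeledURI drives skMemberOf via dynlist: must not be self-writable` would record that requirement next to the overlay. The enclosing attribute set starts and ends outside both hunks.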


@ -1,56 +0,0 @@
{
"groups": [
{
"name": "admin-portunus",
"long_name": "Skynet Portunus Administrators",
"members": [
"portunus_service"
],
"permissions": {
"portunus": {
"is_admin": true
},
"ldap": {
"can_read": true
}
}
},
{
"name": "admin-skynet",
"long_name": "Skynet admin",
"members": [],
"permissions": {
"portunus": {
"is_admin": false
},
"ldap": {
"can_read": false
}
},
"posix_gid": 101
},
{
"name": "user-skynet",
"long_name": "Skynet users",
"members": [],
"permissions": {
"portunus": {
"is_admin": false
},
"ldap": {
"can_read": false
}
},
"posix_gid": 1001
}
],
"users": [
{
"login_name": "portunus_service",
"given_name": "Portunus",
"family_name": "Service Account",
"email": "portunus_service@skynet.ie",
"password": "westwood"
}
]
}


@ -0,0 +1,17 @@
# LDAP SSH Public Key schema
# Source: https://blog.oddbit.com/post/2013-07-22-generating-a-membero/
# Notes will need to get our own number https://www.iana.org/assignments/enterprise-numbers/assignment/apply/
# it needs a space at teh end of it, dont remove
dn: cn=skynet-person,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: skynet-person
olcAttributeTypes: ( 1.3.6.1.4.1.24441.1.1.1 NAME 'skMemberOf'
DESC 'Distinguished name of a group of which the object is a member'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
olcObjectClasses: ( 1.3.6.1.4.1.24441.2.1.1 NAME 'skPerson'
DESC 'skynet person'
SUP top AUXILIARY
MAY ( skMemberOf )
)
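Review bot: The header `# LDAP SSH Public Key schema` describes a different schema; this file defines the skMemberOf attribute and the skPerson object class, so it should read along the lines of `# Skynet person schema: skMemberOf (populated by the dynlist overlay) and skPerson`. The OID arc 1.3.6.1.4.1.24441 is taken from the referenced blog post rather than registered to this project, as the `# Notes will need to get our own number` line admits; writing that as `# TODO: replace 1.3.6.1.4.1.24441 with our own registered enterprise number` makes the follow-up explicit. Since skMemberOf is declared as an ordinary user attribute in `MAY ( skMemberOf )`, a static value could be written into an entry alongside the dynlist-computed one; either protect the attribute by ACL or consider `NO-USER-MODIFICATION`, after verifying that the dynlist overlay on this OpenLDAP version still populates it in that case. The comment `# it needs a space at teh end of it, dont remove` has a typo and should say which line needs the trailing space.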


@ -96,7 +96,12 @@ in {
ldap_default_authtok_type = password ldap_default_authtok_type = password
ldap_default_authtok = $LDAP_BIND_PW ldap_default_authtok = $LDAP_BIND_PW
cache_credentials = false cache_credentials = false
simple_allow_groups = skynet-admins,skynet-users
ldap_user_member_of = skMemberOf
access_provider = simple
#simple_allow_users = tux
simple_allow_groups = skynet-admins
[sssd] [sssd]
config_file_version = 2 config_file_version = 2
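Review bot: `simple_allow_groups = skynet-admins` drops `skynet-users`, which the previous line `simple_allow_groups = skynet-admins,skynet-users` allowed; if locking regular users out is intended it belongs in the commit message, otherwise the second group should be restored. The added `#simple_allow_users = tux` is dead configuration and should be removed rather than left as a commented-out fallback. With `ldap_user_member_of = skMemberOf`, access decisions now rest on the dynlist-computed attribute, so a comment such as `# skMemberOf is computed by the dynlist overlay from labeledURI, not stored as memberOf` would tell the next reader why this differs from a stock memberOf setup. The configuration text continues outside the hunk.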