ldap: now got skMemberOf to replace memberof (memberof does not work on unixgroups)

applications/ldap.nix

@@ -78,34 +78,59 @@ Gonna use a priper nixos module for this
             "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
             "${pkgs.openldap}/etc/schema/nis.ldif"
             ./ldap/openssh-lpk.ldif
+            ./ldap/skMemberOf.ldif
           ];
 
-          "olcDatabase={1}mdb".attrs = {
-            objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
 
-            olcDatabase = "{1}mdb";
+          "cn=modules".attrs = {
-            olcDbDirectory = "/var/lib/openldap/data";
+            objectClass = [ "olcModuleList" ];
-
+            cn =  "modules";
-            olcSuffix = base;
+            olcModuleLoad = ["dynlist" "memberof"];
-
-            /* your admin account, do not use writeText on a production system */
-            olcRootDN = "cn=admin,${base}";
-            olcRootPW.path = pkgs.writeText "olcRootPW" "westwood";
-
-            #olcOverlay =  "memberof";
-
-            olcAccess = [
-              /* custom access rules for userPassword attributes */
-              ''{0}to attrs=userPassword
-                  by self write
-                  by anonymous auth
-                  by * none''
-
-              /* allow read on anything else */
-              ''{1}to *
-                  by * read''
-            ];
           };
+
+
+          "olcDatabase={1}mdb" = {
+            attrs = {
+              objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
+
+              olcDatabase = "{1}mdb";
+              olcDbDirectory = "/var/lib/openldap/data";
+
+              olcSuffix = base;
+
+              /* your admin account, do not use writeText on a production system */
+              olcRootDN = "cn=admin,${base}";
+              olcRootPW.path = pkgs.writeText "olcRootPW" "westwood";
+
+              #olcOverlay =  "memberof";
+
+              olcAccess = [
+                /* custom access rules for userPassword attributes */
+                ''{0}to attrs=userPassword
+                    by self write
+                    by anonymous auth
+                    by * none''
+
+                /* allow read on anything else */
+                ''{1}to *
+                    by * read''
+              ];
+
+
+            };
+
+            # https://blog.oddbit.com/post/2013-07-22-generating-a-membero/
+            children = {
+              "olcOverlay=dynlist".attrs = {
+                objectClass = [ "olcOverlayConfig" "olcDynamicList" ];
+                olcOverlay =  "dynlist";
+                olcDlAttrSet = "skPerson labeledURI skMemberOf";
+              };
+            };
+
+
+          };
+
         };
       };
     };

applications/ldap/seed.json

@@ -1,56 +0,0 @@
-{
-  "groups": [
-    {
-      "name": "admin-portunus",
-      "long_name": "Skynet Portunus Administrators",
-      "members": [
-        "portunus_service"
-      ],
-      "permissions": {
-        "portunus": {
-          "is_admin": true
-        },
-        "ldap": {
-          "can_read": true
-        }
-      }
-    },
-    {
-      "name": "admin-skynet",
-      "long_name": "Skynet admin",
-      "members": [],
-      "permissions": {
-        "portunus": {
-          "is_admin": false
-        },
-        "ldap": {
-          "can_read": false
-        }
-      },
-      "posix_gid": 101
-    },
-    {
-      "name": "user-skynet",
-      "long_name": "Skynet users",
-      "members": [],
-      "permissions": {
-        "portunus": {
-          "is_admin": false
-        },
-        "ldap": {
-          "can_read": false
-        }
-      },
-      "posix_gid": 1001
-    }
-  ],
-  "users": [
-    {
-      "login_name": "portunus_service",
-      "given_name": "Portunus",
-      "family_name": "Service Account",
-      "email": "portunus_service@skynet.ie",
-      "password": "westwood"
-    }
-  ]
-}

applications/ldap/skMemberOf.ldif

@@ -0,0 +1,17 @@
+# LDAP SSH Public Key schema
+# Source: https://blog.oddbit.com/post/2013-07-22-generating-a-membero/
+# Notes will need to get our own number https://www.iana.org/assignments/enterprise-numbers/assignment/apply/
+# it needs a space at teh end of it, dont remove
+
+dn: cn=skynet-person,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: skynet-person
+olcAttributeTypes: ( 1.3.6.1.4.1.24441.1.1.1 NAME 'skMemberOf'
+    DESC 'Distinguished name of a group of which the object is a member'
+    EQUALITY distinguishedNameMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcObjectClasses: ( 1.3.6.1.4.1.24441.2.1.1 NAME 'skPerson'
+    DESC 'skynet person'
+    SUP top AUXILIARY
+    MAY ( skMemberOf )
+    )

machines/optimus.nix

@@ -96,7 +96,12 @@ in {
       ldap_default_authtok_type = password
       ldap_default_authtok = $LDAP_BIND_PW
       cache_credentials = false
-      simple_allow_groups = skynet-admins,skynet-users
+
+      ldap_user_member_of = skMemberOf
+
+      access_provider = simple
+      #simple_allow_users = tux
+      simple_allow_groups = skynet-admins
 
       [sssd]
       config_file_version = 2