ldap: working config to limit groups

machines/optimus.nix

@@ -73,36 +73,31 @@ in {
   services.sssd = {
     enable = true;
 
-    # just for testing purposes, don't put this into the Nix store in production!
-    environmentFile = "${pkgs.writeText "ldap-root" "LDAP_BIND_PW=westwood"}";
-
     sshAuthorizedKeysIntegration = true;
 
     config = ''
       [domain/skynet.ie]
+      debug_level = 4
+
       id_provider = ldap
       auth_provider = ldap
       sudo_provider = ldap
+
       ldap_uri = ldap://193.1.99.112:389
 
       ldap_search_base = dc=skynet,dc=ie
-      ldap_user_search_base  = ou=users,dc=skynet,dc=ie
+      # thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d
+      ldap_user_search_base = ou=users,dc=skynet,dc=ie?sub?(|(skMemberOf=cn=skynet-users,ou=groups,dc=skynet,dc=ie))
       ldap_group_search_base = ou=groups,dc=skynet,dc=ie
       ldap_sudo_search_base = cn=skynet-admins,ou=groups,dc=skynet,dc=ie
 
       ldap_group_nesting_level = 5
 
-      ldap_default_bind_dn = cn=admin,dc=skynet,dc=ie
-      ldap_default_authtok_type = password
-      ldap_default_authtok = $LDAP_BIND_PW
       cache_credentials = false
+      entry_cache_timeout = 1
 
       ldap_user_member_of = skMemberOf
 
-      access_provider = simple
-      #simple_allow_users = tux
-      simple_allow_groups = skynet-admins
-
       [sssd]
       config_file_version = 2
       services = nss, pam, sudo, ssh
@@ -115,7 +110,6 @@ in {
       [sudo]
 
       [autofs]
-
     '';
   };