From f8312b76efb5d4fdd9f950452961bf3711cf988b Mon Sep 17 00:00:00 2001
From: Brendan Golden
Date: Sat, 20 May 2023 17:26:14 +0100
Subject: [PATCH] ldap: working config to limit groups

---
 machines/optimus.nix | 18 ++++++------------
 1 file changed, 6 insertions(+), 12 deletions(-)

diff --git a/machines/optimus.nix b/machines/optimus.nix
index 32b5cb7..e53e40d 100644
--- a/machines/optimus.nix
+++ b/machines/optimus.nix
@@ -73,36 +73,31 @@ in {
   services.sssd = {
     enable = true;
-    # just for testing purposes, don't put this into the Nix store in production!
-    environmentFile = "${pkgs.writeText "ldap-root" "LDAP_BIND_PW=westwood"}";
-
     sshAuthorizedKeysIntegration = true;
     config = ''
       [domain/skynet.ie]
+      debug_level = 4
+
       id_provider = ldap
       auth_provider = ldap
       sudo_provider = ldap
+
       ldap_uri = ldap://193.1.99.112:389
       ldap_search_base = dc=skynet,dc=ie
-      ldap_user_search_base = ou=users,dc=skynet,dc=ie
+      # thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d
+      ldap_user_search_base = ou=users,dc=skynet,dc=ie?sub?(|(skMemberOf=cn=skynet-users,ou=groups,dc=skynet,dc=ie))
       ldap_group_search_base = ou=groups,dc=skynet,dc=ie
       ldap_sudo_search_base = cn=skynet-admins,ou=groups,dc=skynet,dc=ie
       ldap_group_nesting_level = 5
-      ldap_default_bind_dn = cn=admin,dc=skynet,dc=ie
-      ldap_default_authtok_type = password
-      ldap_default_authtok = $LDAP_BIND_PW
       cache_credentials = false
+      entry_cache_timeout = 1
       ldap_user_member_of = skMemberOf
-      access_provider = simple
-      #simple_allow_users = tux
-      simple_allow_groups = skynet-admins
-
       [sssd]
       config_file_version = 2
       services = nss, pam, sudo, ssh
@@ -115,7 +110,6 @@ in {
       [sudo]
       [autofs]
-
     '';
   };
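Review bot: With `ldap_default_bind_dn` and `ldap_default_authtok` dropped, the domain now binds anonymously, yet `ldap_uri = ldap://193.1.99.112:389` still has no TLS setting, so identity lookups go to the directory in cleartext and user authentication will either be refused by SSSD's default TLS requirement or, if that was disabled, send passwords in the clear; adding `ldap_id_use_start_tls = true`, `ldap_tls_reqcert = demand` and `ldap_tls_cacert = <path-to-CA-bundle>` next to `ldap_uri` (or an `ldaps://` URI) would close that gap. Removing `access_provider = simple` makes access fall back to SSSD's default `permit`, so the only thing keeping users outside `skynet-users` off this host is the `?sub?(...)` filter appended to `ldap_user_search_base`; a comment such as `# host access is enforced by the skMemberOf filter below, not by an access_provider` would make that explicit, and `access_provider = ldap` with `ldap_access_filter` is the documented way to state the same rule. The `(|(...))` wrapper around the single `skMemberOf` clause is redundant; `(skMemberOf=cn=skynet-users,ou=groups,dc=skynet,dc=ie)` is equivalent. `entry_cache_timeout = 1` together with `debug_level = 4` looks like a debugging leftover that will re-query the directory on almost every lookup and is probably not meant to persist. The `config` string and the enclosing `services.sssd` attribute set continue past this hunk.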