ldap: working config to limit groups

silver 2023-05-20 17:26:14 +01:00
parent c17a28d7a9
commit f8312b76ef


@ -73,36 +73,31 @@ in {
services.sssd = { services.sssd = {
enable = true; enable = true;
# just for testing purposes, don't put this into the Nix store in production!
environmentFile = "${pkgs.writeText "ldap-root" "LDAP_BIND_PW=westwood"}";
sshAuthorizedKeysIntegration = true; sshAuthorizedKeysIntegration = true;
config = '' config = ''
[domain/skynet.ie] [domain/skynet.ie]
debug_level = 4
id_provider = ldap id_provider = ldap
auth_provider = ldap auth_provider = ldap
sudo_provider = ldap sudo_provider = ldap
ldap_uri = ldap://193.1.99.112:389 ldap_uri = ldap://193.1.99.112:389
ldap_search_base = dc=skynet,dc=ie ldap_search_base = dc=skynet,dc=ie
ldap_user_search_base = ou=users,dc=skynet,dc=ie # thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d
ldap_user_search_base = ou=users,dc=skynet,dc=ie?sub?(|(skMemberOf=cn=skynet-users,ou=groups,dc=skynet,dc=ie))
ldap_group_search_base = ou=groups,dc=skynet,dc=ie ldap_group_search_base = ou=groups,dc=skynet,dc=ie
ldap_sudo_search_base = cn=skynet-admins,ou=groups,dc=skynet,dc=ie ldap_sudo_search_base = cn=skynet-admins,ou=groups,dc=skynet,dc=ie
ldap_group_nesting_level = 5 ldap_group_nesting_level = 5
ldap_default_bind_dn = cn=admin,dc=skynet,dc=ie
ldap_default_authtok_type = password
ldap_default_authtok = $LDAP_BIND_PW
cache_credentials = false cache_credentials = false
entry_cache_timeout = 1
ldap_user_member_of = skMemberOf ldap_user_member_of = skMemberOf
access_provider = simple
#simple_allow_users = tux
simple_allow_groups = skynet-admins
[sssd] [sssd]
config_file_version = 2 config_file_version = 2
services = nss, pam, sudo, ssh services = nss, pam, sudo, ssh
@ -115,7 +110,6 @@ in {
[sudo] [sudo]
[autofs] [autofs]
''; '';
}; };