ldap: working config to limit groups

2023-05-20 17:26:14 +01:00 · 2023-05-20 17:26:14 +01:00 · f8312b76ef
commit f8312b76ef
parent c17a28d7a9
1 changed files with 6 additions and 12 deletions
--- a/machines/optimus.nix
+++ b/machines/optimus.nix
@ -73,36 +73,31 @@ in {
  services.sssd = {
    enable = true;
    # just for testing purposes, don't put this into the Nix store in production!
    environmentFile = "${pkgs.writeText "ldap-root" "LDAP_BIND_PW=westwood"}";
    sshAuthorizedKeysIntegration = true;
    config = ''
      [domain/skynet.ie]
      debug_level = 4
      id_provider = ldap
      auth_provider = ldap
      sudo_provider = ldap
      ldap_uri = ldap://193.1.99.112:389
      ldap_search_base = dc=skynet,dc=ie
-      ldap_user_search_base  = ou=users,dc=skynet,dc=ie
+      # thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d
      ldap_user_search_base = ou=users,dc=skynet,dc=ie?sub?(|(skMemberOf=cn=skynet-users,ou=groups,dc=skynet,dc=ie))
      ldap_group_search_base = ou=groups,dc=skynet,dc=ie
      ldap_sudo_search_base = cn=skynet-admins,ou=groups,dc=skynet,dc=ie
      ldap_group_nesting_level = 5
      ldap_default_bind_dn = cn=admin,dc=skynet,dc=ie
      ldap_default_authtok_type = password
      ldap_default_authtok = $LDAP_BIND_PW
      cache_credentials = false
      entry_cache_timeout = 1
      ldap_user_member_of = skMemberOf
      access_provider = simple
      #simple_allow_users = tux
      simple_allow_groups = skynet-admins
      [sssd]
      config_file_version = 2
      services = nss, pam, sudo, ssh
@ -115,7 +110,6 @@ in {
      [sudo]
      [autofs]
    '';
  };