fix: ldap auth

2025-08-01 22:16:01 +02:00
parent 619136674e
commit 467ade9340
3 changed files with 39 additions and 31 deletions
--- a/utils/modules/ldap-auth.nix
+++ b/utils/modules/ldap-auth.nix
@@ -1,8 +1,8 @@
-{ lib, config, pkgs, ... }:
+{ config, pkgs, ... }:
 let
  ldapAuthorizedKeys =
    pkgs.writeShellScript "ldap-authorized-keys" ''
-      exec ${pkgs.openldap}/bin/ldapsearch -LLL -x -H ldap://ldap.cloonar.com \
+      exec ${pkgs.openldap}/bin/ldapsearch -LLL -ZZ -o ldif-wrap=no -x -H ldap://ldap.cloonar.com \
        -D "cn=linuxbind,ou=system,ou=users,dc=cloonar,dc=com" \
        -y ${config.sops.secrets.linuxbind-password.path} \
        -b "ou=users,dc=cloonar,dc=com" \
@@ -11,47 +11,54 @@ let
    '';
 in
 {
-  environment.systemPackages = with pkgs; [ openldap ];
-
-  users.ldap = {
+  services.sssd = {
    enable = true;
-    daemon.enable = true;
-    base = "ou=users,dc=cloonar,dc=com";
-    server = "ldap://ldap.cloonar.com/";
-    useTLS = true;
-    bind = {
-      policy = "soft";
-      distinguishedName = "cn=linuxbind,ou=system,ou=users,dc=cloonar,dc=com";
-      passwordFile = config.sops.secrets.linuxbind-password.path;
-    };
-    loginPam = true;
-    extraConfig = ''
-      ldap_version 3
-      # pam_password ssha
-      pam_filter objectClass=posixAccount
-      pam_login_attribute uid
-      pam_member_attribute gidNumber
+    config = ''
+      [sssd]
+      config_file_version = 2
+      services = nss, pam
+      domains = cloonar.com
+      
+      [domain/cloonar.com]
+      default_shell = /run/current-system/sw/bin/bash
+      cache_credentials = true
+      enumerate = true
+
+      id_provider = ldap
+      auth_provider = ldap
+
+      ldap_uri = ldap://ldap.cloonar.com
+      ldap_search_base = dc=cloonar,dc=com
+      ldap_user_search_base = ou=users,dc=cloonar,dc=com
+      ldap_group_search_base = cn=linux,ou=groups,dc=cloonar,dc=com
+      ldap_id_use_start_tls = true
+      chpass_provider = ldap
+      entry_cache_timeout = 604800
+      ldap_network_timeout = 2
+      
+      ldap_default_bind_dn = cn=linuxbind,ou=system,ou=users,dc=cloonar,dc=com
+      ldap_default_authtok = $SSSD_LDAP_DEFAULT_AUTHTOK
+
+      ldap_schema = rfc2307
+      ldap_group_member = memberUid
    '';
+    environmentFile = config.sops.secrets.sssd-environment.path;
  };

  security.pam.services.login.makeHomeDir = true;
  security.pam.services.systemd-user.makeHomeDir = true;
-  systemd.services.nslcd = {
-    after = [ "Network-Manager.service" ];
-  };
-
-  # evil, horrifying hack for dysfunctional nss_override_attribute_value
  systemd.tmpfiles.rules = [
    "L /bin/bash - - - - /run/current-system/sw/bin/bash"
  ];

  services.openssh = {
    settings = {
-      AuthorizedKeysCommand      = ldapAuthorizedKeys;
+      AuthorizedKeysCommand      = toString ldapAuthorizedKeys;
      AuthorizedKeysCommandUser  = "nslcd";   # default is “nobody” :contentReference[oaicite:0]{index=0}
      PubkeyAuthentication       = "yes";
    };
  };

-  sops.secrets.linuxbind-password.owner = "nslcd";
+  sops.secrets.sssd-environment = {};
+  sops.secrets.linuxbind-password = {};
 }