Compare commits
	
		
			3 Commits
		
	
	
		
			pvvvvv
			...
			dagali-hei
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
| 051dd82f57 | |||
| 735d590f85 | |||
| 57a2bf8bf1 | 
| @@ -3,6 +3,10 @@ | |||||||
|   systemd.network.enable = true; |   systemd.network.enable = true; | ||||||
|   networking.domain = "pvv.ntnu.no"; |   networking.domain = "pvv.ntnu.no"; | ||||||
|   networking.useDHCP = false; |   networking.useDHCP = false; | ||||||
|  |   # networking.search = [ "pvv.ntnu.no" "pvv.org" ]; | ||||||
|  |   # networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ]; | ||||||
|  |   # networking.tempAddresses = lib.mkDefault "disabled"; | ||||||
|  |   # networking.defaultGateway = values.hosts.gateway; | ||||||
|  |  | ||||||
|   # The rest of the networking configuration is usually sourced from /values.nix |   # The rest of the networking configuration is usually sourced from /values.nix | ||||||
|  |  | ||||||
|   | |||||||
| @@ -145,6 +145,8 @@ | |||||||
|           inputs.gergle.overlays.default |           inputs.gergle.overlays.default | ||||||
|         ]; |         ]; | ||||||
|       }; |       }; | ||||||
|  |  | ||||||
|  |       dagali = unstableNixosConfig "dagali" { }; | ||||||
|     }; |     }; | ||||||
|  |  | ||||||
|     nixosModules = { |     nixosModules = { | ||||||
|   | |||||||
							
								
								
									
										78
									
								
								hosts/dagali/TODO.md
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										78
									
								
								hosts/dagali/TODO.md
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,78 @@ | |||||||
|  | # Tracking document for new PVV kerberos auth stack | ||||||
|  |  | ||||||
|  |  | ||||||
|  |  | ||||||
|  | <div align="center"> | ||||||
|  |   Bensinstasjon på heimdal | ||||||
|  | </div> | ||||||
|  |  | ||||||
|  | ### TODO: | ||||||
|  |  | ||||||
|  | - [ ] setup heimdal | ||||||
|  |   - [x] ensure running with systemd | ||||||
|  |   - [x] compile smbk5pwd (part of openldap) | ||||||
|  |   - [ ] set `modify -a -disallow-all-tix,requires-pre-auth default` declaratively | ||||||
|  |   - [ ] fully initialize PVV.NTNU.NO | ||||||
|  |     - [x] `kadmin -l init PVV.NTNU.NO` | ||||||
|  |     - [x] add oysteikt/admin@PVV.NTNU.NO principal | ||||||
|  |     - [x] add oysteikt@PVV.NTNU.NO principal | ||||||
|  |     - [x] add krbtgt/PVV.NTNU.NO@PVV.NTNU.NO principal? | ||||||
|  |       - why is this needed, and where is it documented? | ||||||
|  |       - `kadmin check` seems to work under sudo? | ||||||
|  |       - (it is included by default, just included as error message | ||||||
|  |          in a weird state) | ||||||
|  |  | ||||||
|  |     - [x] Ensure client is working correctly | ||||||
|  |       - [x] Ensure kinit works on darbu | ||||||
|  |       - [x] Ensure kpasswd works on darbu | ||||||
|  |       - [x] Ensure kadmin get <user> (and other restricted commands) works on darbu | ||||||
|  |  | ||||||
|  |     - [ ] Ensure kdc is working correctly | ||||||
|  |       - [x] Ensure kinit works on dagali | ||||||
|  |       - [x] Ensure kpasswd works on dagali | ||||||
|  |       - [ ] Ensure kadmin get <user> (and other restricte commands) works on dagali | ||||||
|  |  | ||||||
|  |     - [x] Fix FQDN | ||||||
|  |       - https://github.com/NixOS/nixpkgs/issues/94011 | ||||||
|  |       - https://github.com/NixOS/nixpkgs/issues/261269 | ||||||
|  |       - Possibly fixed by disabling systemd-resolved | ||||||
|  |  | ||||||
|  | - [ ] setup cyrus sasl | ||||||
|  |   - [x] ensure running with systemd  | ||||||
|  |   - [x] verify GSSAPI support plugin is installed | ||||||
|  |     - `nix-shell -p cyrus_sasl --command pluginviewer` | ||||||
|  |   - [x] create "host/localhost@PVV.NTNU.NO" and export to keytab | ||||||
|  |   - [x] verify cyrus sasl is able to talk to heimdal | ||||||
|  |     - `sudo testsaslauthd -u oysteikt -p <password>` | ||||||
|  |   - [ ] provide ldap principal to cyrus sasl through keytab | ||||||
|  |  | ||||||
|  | - [ ] setup openldap | ||||||
|  |   - [x] ensure running with systemd | ||||||
|  |   - [ ] verify openldap is able to talk to cyrus sasl | ||||||
|  |   - [ ] create user for oysteikt in openldap | ||||||
|  |   - [ ] authenticate openldap login through sasl | ||||||
|  |     - does this require creating an ldap user? | ||||||
|  |  | ||||||
|  | - [ ] fix smbk5pwd integration | ||||||
|  |   - [x] add smbk5pwd schemas to openldap | ||||||
|  |   - [x] create openldap db for smbk5pwd with overlays | ||||||
|  |   - [ ] test to ensure that user sync is working | ||||||
|  |   - [ ] test as user source (replace passwd) | ||||||
|  |   - [ ] test as PAM auth source | ||||||
|  |   - [ ] test as auth source for 3rd party appliation | ||||||
|  |  | ||||||
|  | - [ ] Set up ldap administration panel | ||||||
|  |   - Doesn't seem like there are many good ones out there. Maybe phpLDAPAdmin? | ||||||
|  |  | ||||||
|  | - [ ] Set up kerberos SRV DNS entry | ||||||
|  |  | ||||||
|  | ### Information and URLS | ||||||
|  |  | ||||||
|  | - OpenLDAP SASL: https://www.openldap.org/doc/admin24/sasl.html | ||||||
|  | - Use a keytab: https://kb.iu.edu/d/aumh | ||||||
|  | - 2 ways for openldap to auth: https://security.stackexchange.com/questions/65093/how-to-test-ldap-that-authenticates-with-kerberos | ||||||
|  | - Cyrus guide OpenLDAP + SASL + GSSAPI: https://www.cyrusimap.org/sasl/sasl/faqs/openldap-sasl-gssapi.html | ||||||
|  | - Configuring GSSAPI and Cyrus SASL: https://web.mit.edu/darwin/src/modules/passwordserver_sasl/cyrus_sasl/doc/gssapi.html | ||||||
|  | - PVV Kerberos docs: https://wiki.pvv.ntnu.no/wiki/Drift/Kerberos | ||||||
|  | - OpenLDAP smbk5pwd source: https://git.openldap.org/nivanova/openldap/-/tree/master/contrib/slapd-modules/smbk5pwd | ||||||
|  | - saslauthd(8): https://linux.die.net/man/8/saslauthd | ||||||
							
								
								
									
										51
									
								
								hosts/dagali/configuration.nix
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										51
									
								
								hosts/dagali/configuration.nix
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,51 @@ | |||||||
|  |  | ||||||
|  | { config, pkgs, values, lib, ... }: | ||||||
|  | { | ||||||
|  |   imports = [ | ||||||
|  |     ./hardware-configuration.nix | ||||||
|  |     ../../base.nix | ||||||
|  |     ../../misc/metrics-exporters.nix | ||||||
|  |  | ||||||
|  |     ./services/heimdal.nix | ||||||
|  |     #./services/openldap.nix | ||||||
|  |     ./services/cyrus-sasl.nix | ||||||
|  |   ]; | ||||||
|  |  | ||||||
|  |   # buskerud does not support efi? | ||||||
|  |   # boot.loader.systemd-boot.enable = true; | ||||||
|  |   # boot.loader.efi.canTouchEfiVariables = true; | ||||||
|  |   boot.loader.grub.enable = true; | ||||||
|  |   boot.loader.grub.device = "/dev/sda"; | ||||||
|  |  | ||||||
|  |   # resolved messes up FQDN coming from nscd | ||||||
|  |   services.resolved.enable = false; | ||||||
|  |  | ||||||
|  |   networking.hostName = "dagali"; | ||||||
|  |   networking.domain = lib.mkForce "pvv.local"; | ||||||
|  |   networking.hosts = { | ||||||
|  |     "129.241.210.185" = [ "dagali.pvv.local" ]; | ||||||
|  |   }; | ||||||
|  |   #networking.search = [ "pvv.ntnu.no" "pvv.org" ]; | ||||||
|  |   networking.nameservers = [ "129.241.0.200" "129.241.0.201" ]; | ||||||
|  |   networking.tempAddresses = "disabled"; | ||||||
|  |   networking.networkmanager.enable = true; | ||||||
|  |  | ||||||
|  |   systemd.network.networks."ens18" = values.defaultNetworkConfig // { | ||||||
|  |     matchConfig.Name = "ens18"; | ||||||
|  |     address = with values.hosts.dagali; [ (ipv4 + "/25") (ipv6 + "/64") ]; | ||||||
|  |   }; | ||||||
|  |  | ||||||
|  |   # List packages installed in system profile | ||||||
|  |   environment.systemPackages = with pkgs; [ | ||||||
|  |     # TODO: consider adding to base.nix | ||||||
|  |     nix-output-monitor | ||||||
|  |   ]; | ||||||
|  |  | ||||||
|  |   # This value determines the NixOS release from which the default | ||||||
|  |   # settings for stateful data, like file locations and database versions | ||||||
|  |   # on your system were taken. It‘s perfectly fine and recommended to leave | ||||||
|  |   # this value at the release version of the first install of this system. | ||||||
|  |   # Before changing this value read the documentation for this option | ||||||
|  |   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). | ||||||
|  |   system.stateVersion = "24.05"; # Did you read the comment? | ||||||
|  | } | ||||||
							
								
								
									
										33
									
								
								hosts/dagali/hardware-configuration.nix
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										33
									
								
								hosts/dagali/hardware-configuration.nix
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,33 @@ | |||||||
|  | # Do not modify this file!  It was generated by ‘nixos-generate-config’ | ||||||
|  | # and may be overwritten by future invocations.  Please make changes | ||||||
|  | # to /etc/nixos/configuration.nix instead. | ||||||
|  | { config, lib, pkgs, modulesPath, ... }: | ||||||
|  |  | ||||||
|  | { | ||||||
|  |   imports = | ||||||
|  |     [ (modulesPath + "/profiles/qemu-guest.nix") | ||||||
|  |     ]; | ||||||
|  |  | ||||||
|  |   boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; | ||||||
|  |   boot.initrd.kernelModules = [ ]; | ||||||
|  |   boot.kernelModules = [ ]; | ||||||
|  |   boot.extraModulePackages = [ ]; | ||||||
|  |  | ||||||
|  |   fileSystems."/" = | ||||||
|  |     { device = "/dev/disk/by-uuid/4de345e2-be41-4d10-9b90-823b2c77e9b3"; | ||||||
|  |       fsType = "ext4"; | ||||||
|  |     }; | ||||||
|  |  | ||||||
|  |   swapDevices = | ||||||
|  |     [ { device = "/dev/disk/by-uuid/aa4b9a97-a7d8-4608-9f67-4ad084f1baf7"; } | ||||||
|  |     ]; | ||||||
|  |  | ||||||
|  |   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking | ||||||
|  |   # (the default) this is the recommended approach. When using systemd-networkd it's | ||||||
|  |   # still possible to use this option, but it's recommended to use it in conjunction | ||||||
|  |   # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. | ||||||
|  |   networking.useDHCP = lib.mkDefault true; | ||||||
|  |   # networking.interfaces.ens18.useDHCP = lib.mkDefault true; | ||||||
|  |  | ||||||
|  |   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; | ||||||
|  | } | ||||||
							
								
								
									
										21
									
								
								hosts/dagali/services/cyrus-sasl.nix
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										21
									
								
								hosts/dagali/services/cyrus-sasl.nix
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,21 @@ | |||||||
|  | { config, ... }: | ||||||
|  | let | ||||||
|  |   cfg = config.services.saslauthd; | ||||||
|  | in | ||||||
|  | { | ||||||
|  |   # TODO: This is seemingly required for openldap to authenticate | ||||||
|  |   #       against kerberos, but I have no idea how to configure it as | ||||||
|  |   #       such. Does it need a keytab? There's a binary "testsaslauthd" | ||||||
|  |   #       that follows with `pkgs.cyrus_sasl` that might be useful. | ||||||
|  |   services.saslauthd = { | ||||||
|  |     enable = true; | ||||||
|  |     mechanism = "kerberos5"; | ||||||
|  |     config = '' | ||||||
|  |       mech_list: gs2-krb5 gssapi | ||||||
|  |       keytab: /etc/krb5.keytab | ||||||
|  |     ''; | ||||||
|  |   }; | ||||||
|  |  | ||||||
|  |   # TODO: maybe the upstream module should consider doing this? | ||||||
|  |   environment.systemPackages = [ cfg.package ]; | ||||||
|  | } | ||||||
							
								
								
									
										100
									
								
								hosts/dagali/services/heimdal.nix
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										100
									
								
								hosts/dagali/services/heimdal.nix
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,100 @@ | |||||||
|  | { config, pkgs, lib, ... }: | ||||||
|  | let | ||||||
|  |   realm = "PVV.LOCAL"; | ||||||
|  |   cfg = config.security.krb5; | ||||||
|  | in | ||||||
|  | { | ||||||
|  |   security.krb5 = { | ||||||
|  |     enable = true; | ||||||
|  |  | ||||||
|  |     # NOTE: This is required in order to build smbk5pwd, because of some nested includes. | ||||||
|  |     #       We should open an issue upstream (heimdal, not nixpkgs), but this patch | ||||||
|  |     #       will do for now. | ||||||
|  |     package = pkgs.heimdal.overrideAttrs (prev: { | ||||||
|  |       postInstall = prev.postInstall + '' | ||||||
|  |         cp include/heim_threads.h $dev/include | ||||||
|  |       ''; | ||||||
|  |     }); | ||||||
|  |  | ||||||
|  |     settings = { | ||||||
|  |       realms.${realm} = { | ||||||
|  |         kdc = [ "dagali.${lib.toLower realm}" ]; | ||||||
|  |         admin_server = "dagali.${lib.toLower realm}"; | ||||||
|  |         kpasswd_server = "dagali.${lib.toLower realm}"; | ||||||
|  |         default_domain = lib.toLower realm; | ||||||
|  |         primary_kdc = "dagali.${lib.toLower realm}"; | ||||||
|  |       }; | ||||||
|  |  | ||||||
|  |       kadmin.default_keys = lib.concatStringsSep " " [ | ||||||
|  |         "aes256-cts-hmac-sha1-96:pw-salt" | ||||||
|  |         "aes128-cts-hmac-sha1-96:pw-salt" | ||||||
|  |       ]; | ||||||
|  |  | ||||||
|  |       libdefaults.default_etypes = lib.concatStringsSep " " [ | ||||||
|  |         "aes256-cts-hmac-sha1-96" | ||||||
|  |         "aes128-cts-hmac-sha1-96" | ||||||
|  |       ]; | ||||||
|  |  | ||||||
|  |       libdefaults = { | ||||||
|  |         default_realm = realm; | ||||||
|  |         dns_lookup_kdc = false; | ||||||
|  |         dns_lookup_realm = false; | ||||||
|  |       }; | ||||||
|  |  | ||||||
|  |       domain_realm = { | ||||||
|  |         "${lib.toLower realm}" = realm; | ||||||
|  |         ".${lib.toLower realm}" = realm; | ||||||
|  |       }; | ||||||
|  |  | ||||||
|  |       logging = { | ||||||
|  |         # kdc = "CONSOLE"; | ||||||
|  |         kdc = "SYSLOG:DEBUG:AUTH"; | ||||||
|  |         admin_server = "SYSLOG:DEBUG:AUTH"; | ||||||
|  |         default = "SYSLOG:DEBUG:AUTH"; | ||||||
|  |       }; | ||||||
|  |     }; | ||||||
|  |   }; | ||||||
|  |  | ||||||
|  |   services.kerberos_server = { | ||||||
|  |     enable = true; | ||||||
|  |     settings = { | ||||||
|  |       realms.${realm} = { | ||||||
|  |         dbname = "/var/lib/heimdal/heimdal"; | ||||||
|  |         mkey = "/var/lib/heimdal/m-key"; | ||||||
|  |         acl = [ | ||||||
|  |           { | ||||||
|  |             principal = "kadmin/admin"; | ||||||
|  |             access = "all"; | ||||||
|  |           } | ||||||
|  |           { | ||||||
|  |             principal = "felixalb/admin"; | ||||||
|  |             access = "all"; | ||||||
|  |           } | ||||||
|  |           { | ||||||
|  |             principal = "oysteikt/admin"; | ||||||
|  |             access = "all"; | ||||||
|  |           } | ||||||
|  |         ]; | ||||||
|  |       }; | ||||||
|  |       # kadmin.default_keys = lib.concatStringsSep " " [ | ||||||
|  |       #   "aes256-cts-hmac-sha1-96:pw-salt" | ||||||
|  |       #   "aes128-cts-hmac-sha1-96:pw-salt" | ||||||
|  |       # ]; | ||||||
|  |  | ||||||
|  |       # libdefaults.default_etypes = lib.concatStringsSep " " [ | ||||||
|  |       #   "aes256-cts-hmac-sha1-96" | ||||||
|  |       #   "aes128-cts-hmac-sha1-96" | ||||||
|  |       # ]; | ||||||
|  |  | ||||||
|  |       # password_quality.min_length = 8; | ||||||
|  |     }; | ||||||
|  |   }; | ||||||
|  |  | ||||||
|  |   networking.firewall.allowedTCPPorts = [ 88 464 749 ]; | ||||||
|  |   networking.firewall.allowedUDPPorts = [ 88 464 749 ]; | ||||||
|  |  | ||||||
|  |   networking.hosts = { | ||||||
|  |     "127.0.0.2" = lib.mkForce [ ]; | ||||||
|  |     "::1" = lib.mkForce [ ]; | ||||||
|  |   }; | ||||||
|  | } | ||||||
							
								
								
									
										121
									
								
								hosts/dagali/services/openldap.nix
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										121
									
								
								hosts/dagali/services/openldap.nix
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,121 @@ | |||||||
|  | { config, pkgs, lib, ... }: | ||||||
|  | { | ||||||
|  |   services.openldap = let | ||||||
|  |     dn = "dc=pvv,dc=ntnu,dc=no"; | ||||||
|  |     cfg = config.services.openldap; | ||||||
|  |  | ||||||
|  |     heimdal = config.security.krb5.package; | ||||||
|  |   in { | ||||||
|  |     enable = true; | ||||||
|  |  | ||||||
|  |     # NOTE: this is a custom build of openldap with support for | ||||||
|  |     #       perl and kerberos. | ||||||
|  |     package = pkgs.openldap.overrideAttrs (prev: { | ||||||
|  |       # https://github.com/openldap/openldap/blob/master/configure | ||||||
|  |       configureFlags = prev.configureFlags ++ [ | ||||||
|  |         # Connect to slapd via UNIX socket | ||||||
|  |         "--enable-local" | ||||||
|  |         # Cyrus SASL | ||||||
|  |         "--enable-spasswd" | ||||||
|  |         # Reverse hostname lookups | ||||||
|  |         "--enable-rlookups" | ||||||
|  |         # perl | ||||||
|  |         "--enable-perl" | ||||||
|  |       ]; | ||||||
|  |  | ||||||
|  |       buildInputs = prev.buildInputs ++ [ | ||||||
|  |         pkgs.perl | ||||||
|  | 	# NOTE: do not upstream this, it might not work with | ||||||
|  | 	#       MIT in the same way | ||||||
|  |         heimdal | ||||||
|  |       ]; | ||||||
|  |  | ||||||
|  |       extraContribModules = prev.extraContribModules ++ [ | ||||||
|  |         # https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules | ||||||
|  |         "smbk5pwd" | ||||||
|  |       ]; | ||||||
|  |     }); | ||||||
|  |  | ||||||
|  |     settings = { | ||||||
|  |       attrs = { | ||||||
|  |         olcLogLevel = [ "stats" "config" "args" ]; | ||||||
|  |  | ||||||
|  |         # olcAuthzRegexp = '' | ||||||
|  |         #   gidNumber=.*\\\+uidNumber=0,cn=peercred,cn=external,cn=auth | ||||||
|  |         #         "uid=heimdal,${dn2}" | ||||||
|  |         # ''; | ||||||
|  |  | ||||||
|  |         # olcSaslSecProps = "minssf=0"; | ||||||
|  |       }; | ||||||
|  |  | ||||||
|  |       children = { | ||||||
|  |         "cn=schema".includes = let | ||||||
|  |           # NOTE: needed for smbk5pwd.so module | ||||||
|  |           schemaToLdif = name: path: pkgs.runCommandNoCC name { | ||||||
|  |             buildInputs = with pkgs; [ schema2ldif ]; | ||||||
|  |           } '' | ||||||
|  |             schema2ldif "${path}" > $out | ||||||
|  |           ''; | ||||||
|  |  | ||||||
|  |           hdb-ldif = schemaToLdif "hdb.ldif" "${heimdal.src}/lib/hdb/hdb.schema"; | ||||||
|  |           samba-ldif = schemaToLdif "samba.ldif" "${heimdal.src}/tests/ldap/samba.schema"; | ||||||
|  |         in [ | ||||||
|  |            "${cfg.package}/etc/schema/core.ldif" | ||||||
|  |            "${cfg.package}/etc/schema/cosine.ldif" | ||||||
|  |            "${cfg.package}/etc/schema/nis.ldif" | ||||||
|  |            "${cfg.package}/etc/schema/inetorgperson.ldif" | ||||||
|  |            "${hdb-ldif}" | ||||||
|  |            "${samba-ldif}" | ||||||
|  |         ]; | ||||||
|  |  | ||||||
|  |         # NOTE: installation of smbk5pwd.so module | ||||||
|  |         #       https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules/smbk5pwd | ||||||
|  |         "cn=module{0}".attrs = { | ||||||
|  |           objectClass = [ "olcModuleList" ]; | ||||||
|  |           olcModuleLoad = [ "${cfg.package}/lib/modules/smbk5pwd.so" ]; | ||||||
|  |         }; | ||||||
|  |  | ||||||
|  |         # NOTE: activation of smbk5pwd.so module for {1}mdb | ||||||
|  |         "olcOverlay={0}smbk5pwd,olcDatabase={1}mdb".attrs = { | ||||||
|  |           objectClass = [ "olcOverlayConfig" "olcSmbK5PwdConfig" ]; | ||||||
|  |           olcOverlay = "{0}smbk5pwd"; | ||||||
|  |           olcSmbK5PwdEnable = [ "krb5" "samba" ]; | ||||||
|  |           olcSmbK5PwdMustChange = toString (60 * 60 * 24 * 10000); | ||||||
|  |         }; | ||||||
|  |  | ||||||
|  |         "olcDatabase={1}mdb".attrs = { | ||||||
|  |           objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; | ||||||
|  |  | ||||||
|  |           olcDatabase = "{1}mdb"; | ||||||
|  |  | ||||||
|  |           olcSuffix = dn; | ||||||
|  |  | ||||||
|  |           # TODO: PW is supposed to be a secret, but it's probably fine for testing | ||||||
|  |           olcRootDN = "cn=users,${dn}"; | ||||||
|  |  | ||||||
|  |           # TODO: replace with proper secret | ||||||
|  |           olcRootPW.path = pkgs.writeText "olcRootPW" "pass"; | ||||||
|  |  | ||||||
|  |           olcDbDirectory = "/var/lib/openldap/test-smbk5pwd-db"; | ||||||
|  |           olcDbIndex = "objectClass eq"; | ||||||
|  |  | ||||||
|  |           olcAccess = [ | ||||||
|  |             ''{0}to attrs=userPassword,shadowLastChange | ||||||
|  |                 by dn.exact=cn=users,${dn} write | ||||||
|  |                 by self write | ||||||
|  |                 by anonymous auth | ||||||
|  |                 by * none'' | ||||||
|  |  | ||||||
|  |             ''{1}to dn.base="" | ||||||
|  |                 by * read'' | ||||||
|  |  | ||||||
|  |             /* allow read on anything else */ | ||||||
|  |             # ''{2}to * | ||||||
|  |             #     by cn=users,${dn} write by dn.exact=gidNumber=0+uidNumber=0+cn=peercred,cn=external write | ||||||
|  |             #     by * read'' | ||||||
|  |           ]; | ||||||
|  |         }; | ||||||
|  |       }; | ||||||
|  |     }; | ||||||
|  |   }; | ||||||
|  | } | ||||||
| @@ -31,6 +31,10 @@ in rec { | |||||||
|       ipv4 = pvv-ipv4 168; |       ipv4 = pvv-ipv4 168; | ||||||
|       ipv6 = pvv-ipv6 168; |       ipv6 = pvv-ipv6 168; | ||||||
|     }; |     }; | ||||||
|  |     dagali = { | ||||||
|  |       ipv4 = pvv-ipv4 185; | ||||||
|  |       ipv6 = pvv-ipv6 185; | ||||||
|  |     }; | ||||||
|     ildkule = { |     ildkule = { | ||||||
|       ipv4 = "129.241.153.213"; |       ipv4 = "129.241.153.213"; | ||||||
|       ipv4_internal = "192.168.12.209"; |       ipv4_internal = "192.168.12.209"; | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user