gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 04:19:19 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix(samba): trust ldap.int

Browse source
This commit is contained in:
arcnmx 2025-10-20 09:26:08 -07:00
parent 0ed23aea31
commit 253f6e38a3
4 changed files with 45 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

40
modules/nixos/ipa.nix
View file

@ -31,6 +31,40 @@ in {
default = false; default = false;
description = "allow the ipa module to override the ntp configuration"; description = "allow the ipa module to override the ntp configuration";
}; };
openldap = mkOption {
type = bool;
default = false;
description = "allow the ipa module to override ldap.conf";
};
};
openldap = {
settings = {
uri = mkOption {
type = str;
default = "ldaps://${cfg.server}";
};
base = mkOption {
type = str;
default = cfg.basedn;
};
tls_cacert = mkOption {
type = str;
default = "/etc/ipa/ca.crt";
};
sasl_nocanon = mkOption {
type = bool;
default = true;
};
};
extraConfig = mkOption {
type = lines;
default = ''
SASL_NOCANON ${if cfg.openldap.settings.sasl_nocanon or false then "on" else "off"}
URI ${cfg.openldap.settings.uri}
BASE ${cfg.openldap.settings.base}
TLS_CACERT ${cfg.openldap.settings.tls_cacert}
'';
};
}; };
}; };
config.services.sssd = let config.services.sssd = let
@ -144,4 +178,10 @@ in {
mkIf (cfg.enable && !cfg.overrideConfigs.krb5) { mkIf (cfg.enable && !cfg.overrideConfigs.krb5) {
text = mkForce (format.generate "krb5.conf" krb5.settings).text; text = mkForce (format.generate "krb5.conf" krb5.settings).text;
}; };
config.environment.etc."ldap.conf" = let
ldapConf = cfg.openldap.extraConfig;
in
mkIf (cfg.enable && !cfg.overrideConfigs.openldap) {
source = mkForce (pkgs.writeText "ldap.conf" ldapConf);
};
} }

1
modules/nixos/ldap/management.nix
View file

@ -129,6 +129,7 @@ in {
# man 5 ldap.conf # man 5 ldap.conf
LDAPBASE = ldap.base; LDAPBASE = ldap.base;
LDAPURI = "ldaps://ldap.int.${config.networking.domain}"; LDAPURI = "ldaps://ldap.int.${config.networking.domain}";
LDAPTLS_CACERT = "/etc/ssl/certs/ca-bundle.crt";
}; };
ldapAuth = mkMerge [ ldapAuth = mkMerge [
(mkIf config.security.krb5.enable (mapOptionDefaults { (mkIf config.security.krb5.enable (mapOptionDefaults {

2
nixos/ipa.nix
View file

@ -24,7 +24,9 @@ in {
overrideConfigs = { overrideConfigs = {
krb5 = mkDefault false; krb5 = mkDefault false;
sssd = mkDefault false; sssd = mkDefault false;
openldap = false;
}; };
openldap.settings.tls_cacert = "/etc/ssl/certs/ca-bundle.crt";
}; };
}; };
} }

3
nixos/samba.nix
View file

@ -100,7 +100,8 @@ in {
"ldap group suffix" = removeSuffix "," ldap.groupDnSuffix; "ldap group suffix" = removeSuffix "," ldap.groupDnSuffix;
"ldap machine suffix" = removeSuffix "," ldap.hostDnSuffix; "ldap machine suffix" = removeSuffix "," ldap.hostDnSuffix;
"ldap idmap suffix" = removeSuffix "," ldap.idViewDnSuffix; "ldap idmap suffix" = removeSuffix "," ldap.idViewDnSuffix;
"ldap server require strong auth" = "allow_sasl_over_tls"; "ldap server require strong auth" = "allow_sasl_without_tls_channel_bindings";
#"tls trust system cas" = true;
# TODO: ldap delete dn? # TODO: ldap delete dn?
# TODO: username map script? # TODO: username map script?
}) })