fix(samba): trust ldap.int

2026-02-09 04:19:19 -08:00 · 2025-10-20 09:26:08 -07:00 · 2025-10-20 09:26:08 -07:00 · 253f6e38a3
commit 253f6e38a3
parent 0ed23aea31
4 changed files with 45 additions and 1 deletions
--- a/modules/nixos/ipa.nix
+++ b/modules/nixos/ipa.nix
@ -31,6 +31,40 @@ in {
        default = false;
        description = "allow the ipa module to override the ntp configuration";
      };
+      openldap = mkOption {
+        type = bool;
+        default = false;
+        description = "allow the ipa module to override ldap.conf";
+      };
+    };
+    openldap = {
+      settings = {
+        uri = mkOption {
+          type = str;
+          default = "ldaps://${cfg.server}";
+        };
+        base = mkOption {
+          type = str;
+          default = cfg.basedn;
+        };
+        tls_cacert = mkOption {
+          type = str;
+          default = "/etc/ipa/ca.crt";
+        };
+        sasl_nocanon = mkOption {
+          type = bool;
+          default = true;
+        };
+      };
+      extraConfig = mkOption {
+        type = lines;
+        default = ''
+          SASL_NOCANON ${if cfg.openldap.settings.sasl_nocanon or false then "on" else "off"}
+          URI ${cfg.openldap.settings.uri}
+          BASE ${cfg.openldap.settings.base}
+          TLS_CACERT ${cfg.openldap.settings.tls_cacert}
+        '';
+      };
    };
  };
  config.services.sssd = let
@ -144,4 +178,10 @@ in {
    mkIf (cfg.enable && !cfg.overrideConfigs.krb5) {
      text = mkForce (format.generate "krb5.conf" krb5.settings).text;
    };
+  config.environment.etc."ldap.conf" = let
+    ldapConf = cfg.openldap.extraConfig;
+  in
+    mkIf (cfg.enable && !cfg.overrideConfigs.openldap) {
+      source = mkForce (pkgs.writeText "ldap.conf" ldapConf);
+    };
 }
--- a/modules/nixos/ldap/management.nix
+++ b/modules/nixos/ldap/management.nix
@ -129,6 +129,7 @@ in {
      # man 5 ldap.conf
      LDAPBASE = ldap.base;
      LDAPURI = "ldaps://ldap.int.${config.networking.domain}";
+      LDAPTLS_CACERT = "/etc/ssl/certs/ca-bundle.crt";
    };
    ldapAuth = mkMerge [
      (mkIf config.security.krb5.enable (mapOptionDefaults {
--- a/nixos/ipa.nix
+++ b/nixos/ipa.nix
@ -24,7 +24,9 @@ in {
      overrideConfigs = {
        krb5 = mkDefault false;
        sssd = mkDefault false;
+        openldap = false;
      };
+      openldap.settings.tls_cacert = "/etc/ssl/certs/ca-bundle.crt";
    };
  };
 }
--- a/nixos/samba.nix
+++ b/nixos/samba.nix
@ -100,7 +100,8 @@ in {
        "ldap group suffix" = removeSuffix "," ldap.groupDnSuffix;
        "ldap machine suffix" = removeSuffix "," ldap.hostDnSuffix;
        "ldap idmap suffix" = removeSuffix "," ldap.idViewDnSuffix;
-        "ldap server require strong auth" = "allow_sasl_over_tls";
+        "ldap server require strong auth" = "allow_sasl_without_tls_channel_bindings";
+        #"tls trust system cas" = true;
        # TODO: ldap delete dn?
        # TODO: username map script?
      })