feat(idp): more ldap objects

2026-02-09 12:29:19 -08:00 · 2024-03-28 09:59:03 -07:00 · 2024-03-28 09:59:03 -07:00 · 86ac38cf2c
commit 86ac38cf2c
parent 69508d43a3
11 changed files with 503 additions and 16 deletions
--- a/nixos/ipa.nix
+++ b/nixos/ipa.nix
@ -26,6 +26,13 @@ in {
      #samba.domainSID = mkDefault "S-1-5-21-208293719-3143191303-229982100"; # HAKUREI
      userDnSuffix = mkDefault "cn=users,cn=accounts,";
      groupDnSuffix = mkDefault "cn=groups,cn=accounts,";
+      permissionDnSuffix = mkDefault "cn=permissions,cn=pbac,";
+      privilegeDnSuffix = mkDefault "cn=privileges,cn=pbac,";
+      roleDnSuffix = mkDefault "cn=roles,cn=accounts,";
+      serviceDnSuffix = mkDefault "cn=services,cn=accounts,";
+      hostDnSuffix = mkDefault "cn=computers,cn=accounts,";
+      sysAccountDnSuffix = mkDefault "cn=sysaccounts,cn=etc,";
+      domainDnSuffix = mkDefault "cn=ad,cn=etc,";
    };
    security.ipa = {
      enable = mkDefault true;
--- a/nixos/ldap/permissions.nix
+++ b/nixos/ldap/permissions.nix
@ -0,0 +1,100 @@
+{config, lib, ...}: let
+  inherit (lib.modules) mkDefault;
+  inherit (config.users) ldap;
+  inherit (ldap.management) permissions;
+  adminPriv = "cn=Custom Management Admin,${ldap.privilegeDnSuffix}";
+in {
+  config.users.ldap.management = {
+    enable = mkDefault true;
+    permissions = {
+      "Custom Anonymous User Read" = {
+        bindType = "anonymous";
+        targetType = "user";
+        attrs = [ "gidnumber" "homedirectory" "ipantsecurityidentifier" "loginshell" "manager" "objectclass" "title" "uid" "uidnumber" ];
+      };
+      "Custom Permission Admin" = {
+        location = ldap.permissionDnSuffix;
+        target = "cn=*";
+        rights = "all";
+        members = [ adminPriv ];
+        attrs = [
+          "member" "cn" "o" "ou" "owner" "description" "objectclass" "seealso" "businesscategory"
+          "ipapermtarget" "ipapermright" "ipapermincludedattr" "ipapermbindruletype" "ipapermexcludedattr" "ipapermtargetto" "ipapermissiontype" "ipapermlocation" "ipapermdefaultattr" "ipapermtargetfrom" "ipapermtargetfilter"
+        ];
+      };
+      "Custom Privilege Admin" = {
+        location = ldap.privilegeDnSuffix;
+        target = "cn=*";
+        rights = "all";
+        members = [ adminPriv ];
+        attrs = [
+          "member" "memberof" "cn" "o" "ou" "owner" "description" "objectclass" "seealso" "businesscategory"
+        ];
+      };
+      "Custom Role Admin" = {
+        location = ldap.roleDnSuffix;
+        target = "cn=*";
+        rights = "all";
+        members = [ adminPriv ];
+        attrs = [
+          "member" "memberof" "cn" "o" "ou" "owner" "description" "objectclass" "seealso" "businesscategory"
+        ];
+      };
+      "Custom Role Modify" = {
+        targetType = "role";
+        rights = [ "write" ];
+        members = [ adminPriv ];
+        attrs = permissions."Custom Role Admin".attrs;
+      };
+      "Custom Host Permission" = {
+        targetType = "host";
+        rights = [ "write" ];
+        members = [ adminPriv ];
+        attrs = [
+          "memberof"
+        ];
+      };
+      "Custom SysAccount Permission" = {
+        targetType = "sysaccount";
+        rights = [ "write" ];
+        members = [ adminPriv ];
+        attrs = [
+          "memberof"
+        ];
+      };
+      "Custom Service Permission" = {
+        targetType = "service";
+        rights = [ "write" ];
+        members = [ adminPriv ];
+        attrs = [
+          "memberof"
+        ];
+      };
+    };
+    objects = {
+      ${adminPriv} = {
+        changeType = "add";
+        settings = {
+          objectClass = [ "top" "nestedgroup" "groupofnames" ];
+          member = map config.lib.ldap.withBaseDn [
+            "cn=Security Architect,${ldap.roleDnSuffix}"
+          ];
+        };
+      };
+      # change default public access
+      "cn=System: Read User Compat Tree,${ldap.permissionDnSuffix}" = {
+        settings.ipaPermBindRuleType = "all";
+      };
+      "cn=System: Read User Views Compat Tree,${ldap.permissionDnSuffix}" = {
+        settings.ipaPermBindRuleType = "all";
+      };
+      "cn=System: Read User Standard Attributes,${ldap.permissionDnSuffix}" = {
+        settings.ipaPermBindRuleType = "all";
+      };
+      # allow reimu to actually make these changes...
+      "cn=Security Architect,${ldap.roleDnSuffix}" = {
+        settings.member = [ "fqdn=reimu.${config.networking.domain},${ldap.hostDnSuffix}${ldap.base}" ];
+      };
+    };
+  };
+}
--- a/nixos/ldap/samba.nix
+++ b/nixos/ldap/samba.nix
@ -0,0 +1,182 @@
+{config, lib, ...}: let
+  inherit (lib.modules) mkDefault;
+  inherit (config.users) ldap;
+  inherit (ldap.management) permissions;
+  adminPriv = "cn=Custom Management Admin,${ldap.privilegeDnSuffix}";
+  smbPriv = "cn=Samba smbd,${ldap.privilegeDnSuffix}";
+  smbRole = "cn=Samba smbd,${ldap.roleDnSuffix}";
+  smbAccountAttrs = [ "sambasid" "sambapwdlastset" "sambaacctflags" "sambapasswordhistory" "sambantpassword" ];
+  smbGroupAttrs = [ "sambasid" "sambagrouptype" ];
+  smbDomainAttrs = [ "sambasid" "sambaRefuseMachinePwdChange" "sambaMinPwdLength" "sambaAlgorithmicRidBase" "sambaPwdHistoryLength" "sambaDomainName" "sambaMinPwdAge" "sambaMaxPwdAge" "sambaLockoutThreshold" "sambaForceLogoff" "sambaLogonToChgPwd" "sambaLockoutObservationWindow" "sambaNextUserRid" "sambaLockoutDuration" ];
+in {
+  config.users.ldap.management = {
+    enable = mkDefault true;
+    permissions = {
+      "Custom Samba User Read" = {
+        targetType = "user";
+        attrs = [ "ipanthash" "ipanthomedirectory" "ipanthomedirectorydrive" "ipantlogonscript" "ipantprofilepath" "ipantsecurityidentifier" ] ++ smbAccountAttrs;
+        members = [ smbPriv ];
+      };
+      "Custom Samba User Modify" = {
+        targetType = "user";
+        rights = [ "write" ];
+        attrs = smbAccountAttrs;
+        members = permissions."Custom Samba User Admin".members;
+      };
+      "Custom Samba User Admin" = {
+        targetType = "user";
+        rights = [ "write" "add" ];
+        attrs = [ "objectclass" ];
+        members = [ adminPriv ];
+      };
+      "Custom Samba Group Read" = {
+        targetType = "user-group";
+        attrs = [ "ipantsecurityidentifier" "gidnumber" ] ++ smbGroupAttrs;
+        members = [ smbPriv ];
+      };
+      "Custom Samba Group Modify" = {
+        targetType = "user-group";
+        rights = [ "write" ];
+        attrs = smbGroupAttrs;
+        members = permissions."Custom Samba Group Admin".members;
+      };
+      "Custom Samba Group Admin" = {
+        targetType = "user-group";
+        rights = [ "write" "add" ];
+        attrs = [ "objectclass" ];
+        members = [ adminPriv ];
+      };
+      "Custom Samba Domain Read" = {
+        targetType = "samba-domain";
+        attrs = [ "objectClass" ] ++ smbDomainAttrs;
+        members = [ smbPriv ];
+      };
+      "Custom Samba Domain Modify" = {
+        targetType = "samba-domain";
+        rights = [ "write" ];
+        attrs = smbDomainAttrs;
+        members = permissions."Custom Samba Domain Admin".members;
+      };
+      "Custom Samba Domain Admin" = {
+        targetType = "domain";
+        rights = [ "write" "add" ];
+        attrs = [ "objectclass" ];
+        members = [ adminPriv ];
+      };
+      "Custom Samba Realm Read" = {
+        targetType = "domain";
+        attrs = [ "objectClass" "ipaNTSecurityIdentifier" "ipaNTFlatName" "ipaNTDomainGUID" "ipaNTFallbackPrimaryGroup" ] ++ smbDomainAttrs;
+        members = [ smbPriv ];
+      };
+      "Custom Samba Realm Modify" = {
+        targetType = "domain";
+        rights = [ "write" ];
+        attrs = smbDomainAttrs;
+        members = permissions."Custom Samba Realm Admin".members;
+      };
+      "Custom Samba Realm Admin" = {
+        targetType = "user-group";
+        rights = [ "write" "add" ];
+        attrs = [ "objectclass" ];
+        members = [ adminPriv ];
+      };
+    };
+    users = {
+      guest.user.enable = true;
+      admin = {
+        user.enable = true;
+        samba.enable = true;
+      };
+      opl = {
+        user.enable = true;
+        samba = {
+          enable = true;
+          #sync.enable = true;
+          accountFlags = {
+            noPasswordExpiry = mkDefault true;
+            normalUser = true;
+          };
+        };
+        object.settings.settings = {
+          sambaNTPassword = "F7C2C5D78C24EACB73550B02BF5888E3";
+          sambaLMPassword = "A5C96CDE7660B20BAAD3B435B51404EE";
+        };
+      };
+    };
+    groups = {
+      nogroup = {
+        group.enable = true;
+        samba.enable = true;
+      };
+      guest = {
+        samba = {
+          enable = true;
+          groupType = 4;
+          sid = "S-1-5-32-546";
+        };
+      };
+      admin = {
+        group.enable = true;
+        samba.enable = true;
+      };
+      kyuuto-peeps = {
+        group.enable = true;
+        samba.enable = true;
+      };
+      kyuuto = {
+        group.enable = true;
+        samba.enable = true;
+      };
+      peeps = {
+        group.enable = true;
+        samba.enable = true;
+      };
+      admins = {
+        samba = {
+          enable = true;
+          #sync.enable = true;
+          groupType = 4;
+          sid = "S-1-5-32-544";
+        };
+      };
+      smb = {
+        name = "Default SMB Group";
+        samba = {
+          enable = true;
+          #sync.enable = true;
+          groupType = 4;
+          sid = "S-1-5-32-545";
+        };
+      };
+    };
+    objects = {
+      ${smbPriv} = {
+        changeType = "add";
+        settings = {
+          objectClass = [ "top" "nestedgroup" "groupofnames" ];
+          member = map config.lib.ldap.withBaseDn [
+            "cn=Security Architect,${ldap.roleDnSuffix}"
+            "uid=samba,${ldap.sysAccountDnSuffix}"
+            smbRole
+          ];
+        };
+      };
+      ${smbRole} = {
+        changeType = "add";
+        settings = {
+          objectClass = [ "top" "nestedgroup" "groupofnames" ];
+          member = map config.lib.ldap.withBaseDn [
+            "krbprincipalname=cifs/hakurei.${config.networking.domain}@${config.security.ipa.realm},${ldap.serviceDnSuffix}"
+          ];
+        };
+      };
+      "cn=${config.networking.domain},${ldap.domainDnSuffix}" = {
+        objectClasses = [ "sambaDomain" ];
+        settings = {
+          sambaSID = ldap.samba.domainSID;
+          sambaDomainName = "GENSOKYO";
+        };
+      };
+    };
+  };
+}
--- a/nixos/ldap/users.nix
+++ b/nixos/ldap/users.nix
@ -91,6 +91,9 @@ in {
          };
        };
      };
+      objects = {
+        # TODO: ipa hostname krb5 aliases should be populated here!!!
+      };
    } ];
  };
 }