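{ config, ... }: {
  # LDAP-backed users and groups for this host via nslcd (NSS + PAM).
  # Trust boundary: group membership resolved from the directory decides both
  # who may SSH in (AllowGroups) and who becomes root (sudoldap), so the LDAP
  # server, its TLS chain and the bind account below are root-equivalent
  # inputs to this machine.

  # Password of the NSS bind account, decrypted by agenix and readable only
  # by the nslcd daemon user/group.
  age.secrets.ldap-bind-password = {
    file = ../secrets/ldap-bind-password.age;
    owner = "nslcd";
    group = "nslcd";
  };

  # SSH logins are limited to these groups; "federezadmin" presumably comes
  # from the directory (see `base group` below) and is therefore only as
  # trustworthy as the nslcd lookup path.
  services.openssh.settings.AllowGroups = [ "root" "ssh" "federezadmin" ];

  # Members of the directory group "sudoldap" may run any command as root.
  # No NOPASSWD option is set, so sudo still prompts for the user's password.
  security.sudo.extraRules = [
    { groups = [ "sudoldap" ]; commands = [ "ALL" ]; }
  ];

  # Create home directories on first login (console, passwd and SSH).
  security.pam.services.login.makeHomeDir = true;
  security.pam.services.passwd.makeHomeDir = true;
  security.pam.services.sshd.makeHomeDir = true;
  security.pam.makeHomeDir = {
    # NOTE(review): 0022 creates homes as 0755, i.e. readable by every other
    # directory user on this host. The NixOS default is 0077; keep 0022 only
    # if world-readable home directories are intended here.
    umask = "0022";
  };

  # /var/log/nslcd holds the debug log configured in daemon.extraConfig.
  # The directory is restricted to the service user/group (0750) because the
  # debug log records every user/group lookup made against the directory.
  systemd.services.nslcd.serviceConfig.LogsDirectory = "nslcd";
  systemd.services.nslcd.serviceConfig.LogsDirectoryMode = "0750";

  users.ldap = {
    enable = true;
    nsswitch = true;
    # nslcd daemon
    daemon.enable = true;
    base = "dc=federez,dc=net";
    bind = {
      distinguishedName = "cn=nssauth,ou=service-users,dc=federez,dc=net";
      passwordFile = config.age.secrets.ldap-bind-password.path;
    };
    # ldaps://ldap.federez.net ldaps://ldap-ro.federez.net
    server = "ldaps://ldap.federez.net";
    daemon.extraConfig = ''
      # Debug level logs every lookup; lower it to "info" once the setup is stable.
      log /var/log/nslcd/debug.log debug

      # Second uri: nslcd tries URIs in order, so this is the failover behind
      # the primary given in `server` above.
      uri ldaps://ldap-ro.federez.net

      base passwd cn=Utilisateurs,dc=federez,dc=net
      base shadow cn=Utilisateurs,dc=federez,dc=net
      base group ou=posix,ou=groups,dc=federez,dc=net

      # NOTE(review): per the nslcd.conf manual a fixed value in a map
      # statement is normally written as a quoted expression; confirm that
      # this unquoted form is honoured rather than read as an attribute name.
      map passwd loginShell /run/current-system/sw/bin/bash

      ldap_version 3

      # TLS is mandatory and the server certificate must chain to the system
      # CA bundle; "demand" aborts the connection on any verification failure.
      ssl on
      tls_cacertfile /etc/ssl/certs/ca-certificates.crt
      tls_reqcert demand
    '';
  };
}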