Merge pull request #236757 from max-privatevoid/pam-kanidm
nixos/pam: support Kanidm
This commit is contained in:
commit
fe2f291e17
3 changed files with 60 additions and 1 deletions
|
@ -484,6 +484,9 @@ let
|
|||
optionalString cfg.mysqlAuth ''
|
||||
account sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf
|
||||
'' +
|
||||
optionalString (config.services.kanidm.enablePam) ''
|
||||
account sufficient ${pkgs.kanidm}/lib/pam_kanidm.so ignore_unknown_user
|
||||
'' +
|
||||
optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false) ''
|
||||
account sufficient ${pkgs.sssd}/lib/security/pam_sss.so
|
||||
'' +
|
||||
|
@ -617,6 +620,9 @@ let
|
|||
optionalString use_ldap ''
|
||||
auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass
|
||||
'' +
|
||||
optionalString config.services.kanidm.enablePam ''
|
||||
auth sufficient ${pkgs.kanidm}/lib/pam_kanidm.so ignore_unknown_user use_first_pass
|
||||
'' +
|
||||
optionalString config.services.sssd.enable ''
|
||||
auth sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_first_pass
|
||||
'' +
|
||||
|
@ -653,6 +659,9 @@ let
|
|||
optionalString cfg.mysqlAuth ''
|
||||
password sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf
|
||||
'' +
|
||||
optionalString config.services.kanidm.enablePam ''
|
||||
password sufficient ${pkgs.kanidm}/lib/pam_kanidm.so
|
||||
'' +
|
||||
optionalString config.services.sssd.enable ''
|
||||
password sufficient ${pkgs.sssd}/lib/security/pam_sss.so
|
||||
'' +
|
||||
|
@ -714,6 +723,9 @@ let
|
|||
optionalString cfg.mysqlAuth ''
|
||||
session optional ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf
|
||||
'' +
|
||||
optionalString config.services.kanidm.enablePam ''
|
||||
session optional ${pkgs.kanidm}/lib/pam_kanidm.so
|
||||
'' +
|
||||
optionalString config.services.sssd.enable ''
|
||||
session optional ${pkgs.sssd}/lib/security/pam_sss.so
|
||||
'' +
|
||||
|
@ -1298,6 +1310,7 @@ in
|
|||
# Include the PAM modules in the system path mostly for the manpages.
|
||||
[ pkgs.pam ]
|
||||
++ optional config.users.ldap.enable pam_ldap
|
||||
++ optional config.services.kanidm.enablePam pkgs.kanidm
|
||||
++ optional config.services.sssd.enable pkgs.sssd
|
||||
++ optionals config.security.pam.krb5.enable [pam_krb5 pam_ccreds]
|
||||
++ optionals config.security.pam.enableOTPW [ pkgs.otpw ]
|
||||
|
@ -1364,6 +1377,9 @@ in
|
|||
optionalString use_ldap ''
|
||||
mr ${pam_ldap}/lib/security/pam_ldap.so,
|
||||
'' +
|
||||
optionalString config.services.kanidm.enablePam ''
|
||||
mr ${pkgs.kanidm}/lib/pam_kanidm.so,
|
||||
'' +
|
||||
optionalString config.services.sssd.enable ''
|
||||
mr ${pkgs.sssd}/lib/security/pam_sss.so,
|
||||
'' +
|
||||
|
|
|
@ -320,6 +320,7 @@ in
|
|||
ProtectHome = false;
|
||||
RestrictAddressFamilies = [ "AF_UNIX" ];
|
||||
TemporaryFileSystem = "/:ro";
|
||||
Restart = "on-failure";
|
||||
};
|
||||
environment.RUST_LOG = "info";
|
||||
};
|
||||
|
|
|
@ -2,6 +2,10 @@ import ./make-test-python.nix ({ pkgs, ... }:
|
|||
let
|
||||
certs = import ./common/acme/server/snakeoil-certs.nix;
|
||||
serverDomain = certs.domain;
|
||||
|
||||
testCredentials = {
|
||||
password = "Password1_cZPEwpCWvrReripJmAZdmVIZd8HHoHcl";
|
||||
};
|
||||
in
|
||||
{
|
||||
name = "kanidm";
|
||||
|
@ -73,17 +77,55 @@ import ./make-test-python.nix ({ pkgs, ... }:
|
|||
with subtest("Test CLI login"):
|
||||
client.succeed("kanidm login -D anonymous")
|
||||
client.succeed("kanidm self whoami | grep anonymous@${serverDomain}")
|
||||
client.succeed("kanidm logout")
|
||||
|
||||
with subtest("Recover idm_admin account"):
|
||||
# Must stop the server for account recovery or else kanidmd fails with
|
||||
# "unable to lock kanidm exclusive lock at /var/lib/kanidm/kanidm.db.klock".
|
||||
server.succeed("systemctl stop kanidm")
|
||||
server.succeed("su - kanidm -c 'kanidmd recover-account -c ${serverConfigFile} idm_admin 2>&1 | rg -o \'[A-Za-z0-9]{48}\' '")
|
||||
idm_admin_password = server.succeed("su - kanidm -c 'kanidmd recover-account -c ${serverConfigFile} idm_admin 2>&1 | rg -o \'[A-Za-z0-9]{48}\' '").strip().removeprefix("'").removesuffix("'")
|
||||
server.succeed("systemctl start kanidm")
|
||||
|
||||
with subtest("Test unixd connection"):
|
||||
client.wait_for_unit("kanidm-unixd.service")
|
||||
# TODO: client.wait_for_file("/run/kanidm-unixd/sock")
|
||||
client.wait_until_succeeds("kanidm-unix status | grep working!")
|
||||
|
||||
with subtest("Test user creation"):
|
||||
client.wait_for_unit("getty@tty1.service")
|
||||
client.wait_until_succeeds("pgrep -f 'agetty.*tty1'")
|
||||
client.wait_until_tty_matches("1", "login: ")
|
||||
client.send_chars("root\n")
|
||||
client.send_chars("kanidm login -D idm_admin\n")
|
||||
client.wait_until_tty_matches("1", "Enter password: ")
|
||||
client.send_chars(f"{idm_admin_password}\n")
|
||||
client.wait_until_tty_matches("1", "Login Success for idm_admin")
|
||||
client.succeed("kanidm person create testuser TestUser")
|
||||
client.succeed("kanidm person posix set --shell \"$SHELL\" testuser")
|
||||
client.send_chars("kanidm person posix set-password testuser\n")
|
||||
client.wait_until_tty_matches("1", "Enter new")
|
||||
client.send_chars("${testCredentials.password}\n")
|
||||
client.wait_until_tty_matches("1", "Retype")
|
||||
client.send_chars("${testCredentials.password}\n")
|
||||
output = client.succeed("getent passwd testuser")
|
||||
assert "TestUser" in output
|
||||
client.succeed("kanidm group create shell")
|
||||
client.succeed("kanidm group posix set shell")
|
||||
client.succeed("kanidm group add-members shell testuser")
|
||||
|
||||
with subtest("Test user login"):
|
||||
client.send_key("alt-f2")
|
||||
client.wait_until_succeeds("[ $(fgconsole) = 2 ]")
|
||||
client.wait_for_unit("getty@tty2.service")
|
||||
client.wait_until_succeeds("pgrep -f 'agetty.*tty2'")
|
||||
client.wait_until_tty_matches("2", "login: ")
|
||||
client.send_chars("testuser\n")
|
||||
client.wait_until_tty_matches("2", "login: testuser")
|
||||
client.wait_until_succeeds("pgrep login")
|
||||
client.wait_until_tty_matches("2", "Password: ")
|
||||
client.send_chars("${testCredentials.password}\n")
|
||||
client.wait_until_succeeds("systemctl is-active user@$(id -u testuser).service")
|
||||
client.send_chars("touch done\n")
|
||||
client.wait_for_file("/home/testuser@${serverDomain}/done")
|
||||
'';
|
||||
})
|
||||
|
|
Loading…
Reference in a new issue