@ -31,15 +31,11 @@
(cache_credentials maybe-boolean "cache credentials")
(cache_credentials maybe-boolean "cache credentials")
(ldap_uri maybe-string "ldap server uri")
(ldap_uri maybe-string "ldap server uri")
(ldap_tls_reqcert maybe-string "tls_reqcert")
(ldap_tls_reqcert maybe-string "tls_reqcert")
(ldap_tls_cacertdir maybe-string
(ldap_tls_cacertdir maybe-string "ca certificate directory")
"ca certificate directory")
(ldap_search_base maybe-string "base dn for search")
(ldap_search_base maybe-string "base dn for search")
(ldap_default_bind_dn maybe-string
(ldap_default_bind_dn maybe-string "dn to bind for search")
"dn to bind for search")
(ldap_default_authtok_type maybe-string "ldap auth token type")
(ldap_default_authtok_type maybe-string
(ldap_default_authtok maybe-string "token to use for ldap bind"))
"ldap auth token type")
(ldap_default_authtok maybe-string
"token to use for ldap bind"))
(define (sssd-domain-configuration-with-name? val)
(define (sssd-domain-configuration-with-name? val)
(if (pair? val)
(if (pair? val)
@ -70,35 +66,38 @@
(define-configuration sssd-configuration
(define-configuration sssd-configuration
(sssd (file-like sssd) "sssd package to use")
(sssd (file-like sssd) "sssd package to use")
(pam-services (list-of-strings (list "su" "gdm-password"
(pam-services (list-of-strings (list "su" "gdm-password" "login" "sshd"
"login" "sshd"
"passwd"))
"passwd"))
"list of pam services to configure login for"
"list of pam services to configure login for"
(lambda (a b)
(lambda (a b)
""))
""))
(services (list-of-strings (list "nss" "sudo" "pam"
(services (list-of-strings (list "nss" "sudo" "pam" "ssh" "ifp"))
"ssh" "ifp"))
"list of services")
"list of services")
(domains (list-of-sssd-domain-configurations '())
(domains (list-of-sssd-domain-configurations '())
"sssd domains to configure"))
"sssd domains to configure"))
(define (sssd-pam-service config)
(define (sssd-pam-service config)
(define sssd-pam-module
(file-append (sssd-configuration-sssd config) "/lib/security/pam_sss.so"))
(lambda (pam)
(if (member (pam-service-name pam)
(sssd-configuration-pam-services config))
(let ((sufficient (pam-entry (control "sufficient")
(let ((sufficient (pam-entry (control "sufficient")
(module sssd-pam-module))))
(module (file-append (sssd-configuration-sssd
config)
"/lib/security/pam_sss.so")))))
(pam-extension (transformer (lambda (pam)
(if (member (pam-service-name pam)
(sssd-configuration-pam-services
config))
(pam-service (inherit pam)
(pam-service (inherit pam)
(auth (cons sufficient
(auth (cons sufficient
(pam-service-auth pam)))
(pam-service-auth
pam)))
(account (cons sufficient
(account (cons sufficient
(pam-service-account pam)))
(pam-service-account
pam)))
(password (cons sufficient
(password (cons sufficient
(pam-service-password pam)))
(pam-service-password
pam)))
(session (cons sufficient
(session (cons sufficient
(pam-service-session pam))))) pam)))
(pam-service-session
pam)))) pam))))))
(define (sssd-pam-services config)
(define (sssd-pam-services config)
(list (sssd-pam-service config)))
(list (sssd-pam-service config)))