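;;; SSSD (System Security Services Daemon) service for Guix System.
;;;
;;; Wires SSSD into PAM, NSS (through nscd), D-Bus and the Shepherd, and
;;; installs the sssd.conf under /var/lib/sss at activation time.

(define-module (gnu services sssd)
  #:use-module (guix gexp)
  #:use-module (gnu system pam)
  #:use-module (gnu services dbus)
  #:use-module (gnu services base)
  #:use-module (gnu services shepherd)
  #:use-module (gnu packages sssd)
  #:use-module (gnu services)
  #:use-module (gnu services configuration)
  #:export (sssd-configuration
            sssd-service-type))

;; Location of the effective configuration, written by `sssd-activation' and
;; passed to the daemon with -c by `sssd-shepherd-service'.
(define %sssd-runtime-conf "/var/lib/sss/sssd.conf")

;; Default sssd.conf.
;;
;; NOTE(review): this is a `plain-file', so its whole content - including the
;; bind DN and bind password read from LDAP_BINDDN / LDAP_BINDPW in the
;; environment of the machine that evaluates this module - becomes a
;; world-readable item in /gnu/store.  The chmod 0600 done in
;; `sssd-activation' protects only the installed copy, not the store item.
;; Deployments that need a real bind password should not rely on this default;
;; the `config' field should be fed from a file kept out of the store (that
;; would require widening the field's type beyond `file-like' - TODO).
(define default-sssd-conf-file
  (plain-file "sssd.conf"
              (string-join
               (list "[sssd]"
                     "domains = metznet.ca"
                     "services = nss, sudo, pam, ssh, ifp"
                     ""
                     "[domain/metznet.ca]"
                     "id_provider = ldap"
                     "auth_provider = ldap"
                     "cache_credentials = True"
                     "ldap_uri = ldaps://ldap.metznet.ca"
                     ;; Verify the LDAP server's certificate against
                     ;; ldap_tls_cacertdir.  The previous value `never'
                     ;; skipped verification entirely, so the ldaps:// URI
                     ;; gave no assurance that credentials were being sent to
                     ;; the real authentication backend.  Sites that truly
                     ;; need the old behaviour can override `config'.
                     "ldap_tls_reqcert = demand"
                     "ldap_tls_cacertdir = /etc/ssl/certs"
                     "ldap_search_base = ou=users,ou=accounts,dc=metznet,dc=ca"
                     ;; Empty when the variables are unset, which leaves the
                     ;; bind anonymous rather than failing the build.
                     (string-append "ldap_default_bind_dn = "
                                    (or (getenv "LDAP_BINDDN") ""))
                     "ldap_default_authtok_type = password"
                     (string-append "ldap_default_authtok = "
                                    (or (getenv "LDAP_BINDPW") ""))
                     "")
               "\n")))

(define-configuration/no-serialization sssd-configuration
  (sssd
   (file-like sssd)
   "The SSSD package to use.")
  (pam-services
   (list-of-strings (list "su" "gdm-password" "login" "sshd" "passwd"))
   "Names of the PAM services that should consult SSSD.")
  (config
   (file-like default-sssd-conf-file)
   "The sssd.conf file to install."))

(define (sssd-pam-service config)
  "Return a procedure that, given a PAM service, prepends pam_sss.so as a
`sufficient' entry to its auth, account, password and session stacks when the
service's name is listed in the `pam-services' field of CONFIG, and returns
the service unchanged otherwise."
  (define sssd-pam-module
    (file-append (sssd-configuration-sssd config) "/lib/security/pam_sss.so"))
  (define wanted-services
    (sssd-configuration-pam-services config))
  (lambda (pam)
    (if (member (pam-service-name pam) wanted-services)
        ;; `sufficient' at the head of the stack: a successful pam_sss answer
        ;; ends the stack, otherwise evaluation falls through to the existing
        ;; (local-account) entries.
        (let ((sufficient (pam-entry
                           (control "sufficient")
                           (module sssd-pam-module))))
          (pam-service
           (inherit pam)
           (auth (cons sufficient (pam-service-auth pam)))
           (account (cons sufficient (pam-service-account pam)))
           (password (cons sufficient (pam-service-password pam)))
           (session (cons sufficient (pam-service-session pam)))))
        pam)))

(define (sssd-pam-services config)
  "PAM root service extension: a list holding the single transformer built by
`sssd-pam-service'."
  (list (sssd-pam-service config)))

(define (sssd-shepherd-service config)
  "Return the Shepherd service running sssd in the foreground (-i) as root,
reading the configuration installed by `sssd-activation'."
  (let ((sssd (sssd-configuration-sssd config)))
    (list (shepherd-service
           (documentation "Run the System Security Services Daemon (sssd).")
           (provision '(sssd))
           (requirement '(networking user-processes))
           (start #~(make-forkexec-constructor
                     (list (string-append #$sssd "/sbin/sssd")
                           "-i"
                           (string-append "-c" #$%sssd-runtime-conf))
                     #:user "root"
                     #:group "root"
                     ;; Presumably so the daemon resolves its own shared
                     ;; libraries/plugins from the package rather than the
                     ;; system profile - kept from the original definition.
                     #:environment-variables
                     (list (string-append "LD_LIBRARY_PATH=" #$sssd "/lib"))))
           (stop #~(make-kill-destructor))))))

(define (sssd-activation config)
  "Return a gexp that creates sssd's state directories (root-owned, 0755) and
installs the `config' file of CONFIG at %sssd-runtime-conf with mode 0600."
  #~(begin
      (let ((dbdir "/var/lib/sss/db")
            (dbusdir "/var/lib/sss/pipes/private")
            (root (getpw "root")))
        (mkdir-p/perms dbusdir root #o755)
        (mkdir-p/perms dbdir root #o755)
        ;; Tighten the umask around the copy so the destination is never
        ;; created with a permissive mode in the window before the chmod;
        ;; the umask is restored so the rest of activation is unaffected.
        ;; (Only meaningful when the source is not already world-readable in
        ;; the store - see the note on `default-sssd-conf-file'.)
        (let ((saved-umask (umask #o077)))
          (copy-file #$(sssd-configuration-config config) #$%sssd-runtime-conf)
          (umask saved-umask))
        (chmod #$%sssd-runtime-conf #o600))))

(define-public sssd-service-type
  (service-type
   (name 'sssd)
   (description "Run SSSD, the System Security Services Daemon, and hook it
into PAM, nscd, D-Bus and the Shepherd.")
   (extensions
    (list (service-extension pam-root-service-type sssd-pam-services)
          ;; Register the package with the system bus (presumably for the
          ;; D-Bus service/policy files used by the `ifp' responder).
          (service-extension dbus-root-service-type
                             (compose list sssd-configuration-sssd))
          (service-extension activation-service-type sssd-activation)
          ;; Expose sssd's NSS module to nscd.
          (service-extension nscd-service-type (const (list sssd)))
          (service-extension shepherd-root-service-type
                             sssd-shepherd-service)))
   (default-value (sssd-configuration))))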