110 lines
5.7 KiB
Scheme
110 lines
5.7 KiB
Scheme
(define-module (gnu services sssd)
|
|
#:use-module (guix gexp)
|
|
#:use-module (gnu system pam)
|
|
#:use-module (gnu services dbus)
|
|
#:use-module (gnu services base)
|
|
#:use-module (gnu services shepherd)
|
|
#:use-module (gnu packages sssd)
|
|
#:use-module (gnu services)
|
|
#:use-module (gnu services configuration)
|
|
#:export (sssd-configuration sssd-service-type))
|
|
|
|
(define-configuration/no-serialization sssd-configuration
|
|
(sssd (file-like sssd)
|
|
"SSSD Package to use")
|
|
(pam-services (list-of-strings '())
|
|
"List of pam services to use sssd for")
|
|
(config (file-like
|
|
default-sssd-conf-file)
|
|
"sssd.conf file"))
|
|
|
|
(define default-sssd-conf-file
|
|
(plain-file "sssd.conf"
|
|
(string-join (list "[sssd]"
|
|
"domains = metznet.ca"
|
|
"services = nss, sudo, pam, ssh, ifp"
|
|
""
|
|
"[domain/metznet.ca]"
|
|
"id_provider = ldap"
|
|
"auth_provider = ldap"
|
|
"cache_credentials = True"
|
|
"ldap_uri = ldaps://ldap.metznet.ca"
|
|
"ldap_tls_reqcert = never"
|
|
"ldap_tls_cacertdir = /etc/ssl/certs"
|
|
"ldap_search_base = ou=users,ou=accounts,dc=metznet,dc=ca"
|
|
(string-append "ldap_default_bind_dn = "
|
|
(or (getenv "LDAP_BINDDN") ""))
|
|
"ldap_default_authtok_type = password"
|
|
(string-append "ldap_default_authtok = "
|
|
(or (getenv "LDAP_BINDPW") ""))
|
|
"") "\n")))
|
|
|
|
(define (sssd-pam-service config)
|
|
(define sssd-pam-module
|
|
(file-append (sssd-configuration-sssd config) "/lib/security/pam_sss.so"))
|
|
(lambda (pam)
|
|
(if (member (pam-service-name pam)
|
|
(sssd-configuration-pam-services config))
|
|
(let ((sufficient (pam-entry (control "sufficient")
|
|
(module sssd-pam-module))))
|
|
(pam-service (inherit pam)
|
|
(auth (cons sufficient
|
|
(pam-service-auth pam)))
|
|
(account (cons sufficient
|
|
(pam-service-account pam)))
|
|
(password (cons sufficient
|
|
(pam-service-password pam)))
|
|
(session (cons sufficient
|
|
(pam-service-session pam))))) pam)))
|
|
|
|
(define (sssd-pam-services config)
|
|
(list (sssd-pam-service config)))
|
|
|
|
(define (sssd-shepherd-service config)
|
|
(list (shepherd-service (documentation "")
|
|
(provision '(sssd))
|
|
(requirement '(networking user-processes))
|
|
(start #~(make-forkexec-constructor (list (string-append #$
|
|
(sssd-configuration-sssd
|
|
config)
|
|
"/sbin/sssd")
|
|
"-i"
|
|
"-c/var/lib/sss/sssd.conf")
|
|
#:user "root"
|
|
#:group "root"
|
|
#:environment-variables
|
|
(list (string-append
|
|
"LD_LIBRARY_PATH="
|
|
#$(sssd-configuration-sssd
|
|
config)
|
|
"/lib"))))
|
|
(stop #~(make-kill-destructor)))))
|
|
|
|
(define (sssd-activation config)
|
|
#~(begin
|
|
(let ((dbdir "/var/lib/sss/db")
|
|
(dbusdir "/var/lib/sss/pipes/private")
|
|
(user (getpw "root")))
|
|
(mkdir-p/perms dbusdir user 493)
|
|
(mkdir-p/perms dbdir user 493)
|
|
(copy-file #$(sssd-configuration-config config)
|
|
"/var/lib/sss/sssd.conf")
|
|
(chmod "/var/lib/sss/sssd.conf" #o600))))
|
|
|
|
(define-public sssd-service-type
|
|
(service-type (name 'sssd)
|
|
(description "SSSD Service")
|
|
(extensions (list (service-extension pam-root-service-type
|
|
sssd-pam-services)
|
|
(service-extension dbus-root-service-type
|
|
(compose list
|
|
sssd-configuration-sssd))
|
|
(service-extension activation-service-type
|
|
sssd-activation)
|
|
(service-extension nscd-service-type
|
|
(const (list sssd)))
|
|
(service-extension
|
|
shepherd-root-service-type
|
|
sssd-shepherd-service)))
|
|
(default-value (sssd-configuration))))
|