Loading nixos/modules/security/pam.nix +16 −0 Original line number Diff line number Diff line Loading @@ -484,6 +484,9 @@ let optionalString cfg.mysqlAuth '' account sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf '' + optionalString (config.services.kanidm.enablePam) '' account sufficient ${pkgs.kanidm}/lib/pam_kanidm.so ignore_unknown_user '' + optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false) '' account sufficient ${pkgs.sssd}/lib/security/pam_sss.so '' + Loading Loading @@ -617,6 +620,9 @@ let optionalString use_ldap '' auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass '' + optionalString config.services.kanidm.enablePam '' auth sufficient ${pkgs.kanidm}/lib/pam_kanidm.so ignore_unknown_user use_first_pass '' + optionalString config.services.sssd.enable '' auth sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_first_pass '' + Loading Loading @@ -653,6 +659,9 @@ let optionalString cfg.mysqlAuth '' password sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf '' + optionalString config.services.kanidm.enablePam '' password sufficient ${pkgs.kanidm}/lib/pam_kanidm.so '' + optionalString config.services.sssd.enable '' password sufficient ${pkgs.sssd}/lib/security/pam_sss.so '' + Loading Loading @@ -714,6 +723,9 @@ let optionalString cfg.mysqlAuth '' session optional ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf '' + optionalString config.services.kanidm.enablePam '' session optional ${pkgs.kanidm}/lib/pam_kanidm.so '' + optionalString config.services.sssd.enable '' session optional ${pkgs.sssd}/lib/security/pam_sss.so '' + Loading Loading @@ -1298,6 +1310,7 @@ in # Include the PAM modules in the system path mostly for the manpages. [ pkgs.pam ] ++ optional config.users.ldap.enable pam_ldap ++ optional config.services.kanidm.enablePam pkgs.kanidm ++ optional config.services.sssd.enable pkgs.sssd ++ optionals config.security.pam.krb5.enable [pam_krb5 pam_ccreds] ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ] Loading Loading @@ -1364,6 +1377,9 @@ in optionalString use_ldap '' mr ${pam_ldap}/lib/security/pam_ldap.so, '' + optionalString config.services.kanidm.enablePam '' mr ${pkgs.kanidm}/lib/pam_kanidm.so, '' + optionalString config.services.sssd.enable '' mr ${pkgs.sssd}/lib/security/pam_sss.so, '' + Loading nixos/modules/services/security/kanidm.nix +1 −0 Original line number Diff line number Diff line Loading @@ -320,6 +320,7 @@ in ProtectHome = false; RestrictAddressFamilies = [ "AF_UNIX" ]; TemporaryFileSystem = "/:ro"; Restart = "on-failure"; }; environment.RUST_LOG = "info"; }; Loading nixos/tests/kanidm.nix +43 −1 Original line number Diff line number Diff line Loading @@ -2,6 +2,10 @@ import ./make-test-python.nix ({ pkgs, ... }: let certs = import ./common/acme/server/snakeoil-certs.nix; serverDomain = certs.domain; testCredentials = { password = "Password1_cZPEwpCWvrReripJmAZdmVIZd8HHoHcl"; }; in { name = "kanidm"; Loading Loading @@ -73,17 +77,55 @@ import ./make-test-python.nix ({ pkgs, ... }: with subtest("Test CLI login"): client.succeed("kanidm login -D anonymous") client.succeed("kanidm self whoami | grep anonymous@${serverDomain}") client.succeed("kanidm logout") with subtest("Recover idm_admin account"): # Must stop the server for account recovery or else kanidmd fails with # "unable to lock kanidm exclusive lock at /var/lib/kanidm/kanidm.db.klock". server.succeed("systemctl stop kanidm") server.succeed("su - kanidm -c 'kanidmd recover-account -c ${serverConfigFile} idm_admin 2>&1 | rg -o \'[A-Za-z0-9]{48}\' '") idm_admin_password = server.succeed("su - kanidm -c 'kanidmd recover-account -c ${serverConfigFile} idm_admin 2>&1 | rg -o \'[A-Za-z0-9]{48}\' '").strip().removeprefix("'").removesuffix("'") server.succeed("systemctl start kanidm") with subtest("Test unixd connection"): client.wait_for_unit("kanidm-unixd.service") # TODO: client.wait_for_file("/run/kanidm-unixd/sock") client.wait_until_succeeds("kanidm-unix status | grep working!") with subtest("Test user creation"): client.wait_for_unit("getty@tty1.service") client.wait_until_succeeds("pgrep -f 'agetty.*tty1'") client.wait_until_tty_matches("1", "login: ") client.send_chars("root\n") client.send_chars("kanidm login -D idm_admin\n") client.wait_until_tty_matches("1", "Enter password: ") client.send_chars(f"{idm_admin_password}\n") client.wait_until_tty_matches("1", "Login Success for idm_admin") client.succeed("kanidm person create testuser TestUser") client.succeed("kanidm person posix set --shell \"$SHELL\" testuser") client.send_chars("kanidm person posix set-password testuser\n") client.wait_until_tty_matches("1", "Enter new") client.send_chars("${testCredentials.password}\n") client.wait_until_tty_matches("1", "Retype") client.send_chars("${testCredentials.password}\n") output = client.succeed("getent passwd testuser") assert "TestUser" in output client.succeed("kanidm group create shell") client.succeed("kanidm group posix set shell") client.succeed("kanidm group add-members shell testuser") with subtest("Test user login"): client.send_key("alt-f2") client.wait_until_succeeds("[ $(fgconsole) = 2 ]") client.wait_for_unit("getty@tty2.service") client.wait_until_succeeds("pgrep -f 'agetty.*tty2'") client.wait_until_tty_matches("2", "login: ") client.send_chars("testuser\n") client.wait_until_tty_matches("2", "login: testuser") client.wait_until_succeeds("pgrep login") client.wait_until_tty_matches("2", "Password: ") client.send_chars("${testCredentials.password}\n") client.wait_until_succeeds("systemctl is-active user@$(id -u testuser).service") client.send_chars("touch done\n") client.wait_for_file("/home/testuser@${serverDomain}/done") ''; }) Loading
nixos/modules/security/pam.nix +16 −0 Original line number Diff line number Diff line Loading @@ -484,6 +484,9 @@ let optionalString cfg.mysqlAuth '' account sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf '' + optionalString (config.services.kanidm.enablePam) '' account sufficient ${pkgs.kanidm}/lib/pam_kanidm.so ignore_unknown_user '' + optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false) '' account sufficient ${pkgs.sssd}/lib/security/pam_sss.so '' + Loading Loading @@ -617,6 +620,9 @@ let optionalString use_ldap '' auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass '' + optionalString config.services.kanidm.enablePam '' auth sufficient ${pkgs.kanidm}/lib/pam_kanidm.so ignore_unknown_user use_first_pass '' + optionalString config.services.sssd.enable '' auth sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_first_pass '' + Loading Loading @@ -653,6 +659,9 @@ let optionalString cfg.mysqlAuth '' password sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf '' + optionalString config.services.kanidm.enablePam '' password sufficient ${pkgs.kanidm}/lib/pam_kanidm.so '' + optionalString config.services.sssd.enable '' password sufficient ${pkgs.sssd}/lib/security/pam_sss.so '' + Loading Loading @@ -714,6 +723,9 @@ let optionalString cfg.mysqlAuth '' session optional ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf '' + optionalString config.services.kanidm.enablePam '' session optional ${pkgs.kanidm}/lib/pam_kanidm.so '' + optionalString config.services.sssd.enable '' session optional ${pkgs.sssd}/lib/security/pam_sss.so '' + Loading Loading @@ -1298,6 +1310,7 @@ in # Include the PAM modules in the system path mostly for the manpages. [ pkgs.pam ] ++ optional config.users.ldap.enable pam_ldap ++ optional config.services.kanidm.enablePam pkgs.kanidm ++ optional config.services.sssd.enable pkgs.sssd ++ optionals config.security.pam.krb5.enable [pam_krb5 pam_ccreds] ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ] Loading Loading @@ -1364,6 +1377,9 @@ in optionalString use_ldap '' mr ${pam_ldap}/lib/security/pam_ldap.so, '' + optionalString config.services.kanidm.enablePam '' mr ${pkgs.kanidm}/lib/pam_kanidm.so, '' + optionalString config.services.sssd.enable '' mr ${pkgs.sssd}/lib/security/pam_sss.so, '' + Loading
nixos/modules/services/security/kanidm.nix +1 −0 Original line number Diff line number Diff line Loading @@ -320,6 +320,7 @@ in ProtectHome = false; RestrictAddressFamilies = [ "AF_UNIX" ]; TemporaryFileSystem = "/:ro"; Restart = "on-failure"; }; environment.RUST_LOG = "info"; }; Loading
nixos/tests/kanidm.nix +43 −1 Original line number Diff line number Diff line Loading @@ -2,6 +2,10 @@ import ./make-test-python.nix ({ pkgs, ... }: let certs = import ./common/acme/server/snakeoil-certs.nix; serverDomain = certs.domain; testCredentials = { password = "Password1_cZPEwpCWvrReripJmAZdmVIZd8HHoHcl"; }; in { name = "kanidm"; Loading Loading @@ -73,17 +77,55 @@ import ./make-test-python.nix ({ pkgs, ... }: with subtest("Test CLI login"): client.succeed("kanidm login -D anonymous") client.succeed("kanidm self whoami | grep anonymous@${serverDomain}") client.succeed("kanidm logout") with subtest("Recover idm_admin account"): # Must stop the server for account recovery or else kanidmd fails with # "unable to lock kanidm exclusive lock at /var/lib/kanidm/kanidm.db.klock". server.succeed("systemctl stop kanidm") server.succeed("su - kanidm -c 'kanidmd recover-account -c ${serverConfigFile} idm_admin 2>&1 | rg -o \'[A-Za-z0-9]{48}\' '") idm_admin_password = server.succeed("su - kanidm -c 'kanidmd recover-account -c ${serverConfigFile} idm_admin 2>&1 | rg -o \'[A-Za-z0-9]{48}\' '").strip().removeprefix("'").removesuffix("'") server.succeed("systemctl start kanidm") with subtest("Test unixd connection"): client.wait_for_unit("kanidm-unixd.service") # TODO: client.wait_for_file("/run/kanidm-unixd/sock") client.wait_until_succeeds("kanidm-unix status | grep working!") with subtest("Test user creation"): client.wait_for_unit("getty@tty1.service") client.wait_until_succeeds("pgrep -f 'agetty.*tty1'") client.wait_until_tty_matches("1", "login: ") client.send_chars("root\n") client.send_chars("kanidm login -D idm_admin\n") client.wait_until_tty_matches("1", "Enter password: ") client.send_chars(f"{idm_admin_password}\n") client.wait_until_tty_matches("1", "Login Success for idm_admin") client.succeed("kanidm person create testuser TestUser") client.succeed("kanidm person posix set --shell \"$SHELL\" testuser") client.send_chars("kanidm person posix set-password testuser\n") client.wait_until_tty_matches("1", "Enter new") client.send_chars("${testCredentials.password}\n") client.wait_until_tty_matches("1", "Retype") client.send_chars("${testCredentials.password}\n") output = client.succeed("getent passwd testuser") assert "TestUser" in output client.succeed("kanidm group create shell") client.succeed("kanidm group posix set shell") client.succeed("kanidm group add-members shell testuser") with subtest("Test user login"): client.send_key("alt-f2") client.wait_until_succeeds("[ $(fgconsole) = 2 ]") client.wait_for_unit("getty@tty2.service") client.wait_until_succeeds("pgrep -f 'agetty.*tty2'") client.wait_until_tty_matches("2", "login: ") client.send_chars("testuser\n") client.wait_until_tty_matches("2", "login: testuser") client.wait_until_succeeds("pgrep login") client.wait_until_tty_matches("2", "Password: ") client.send_chars("${testCredentials.password}\n") client.wait_until_succeeds("systemctl is-active user@$(id -u testuser).service") client.send_chars("touch done\n") client.wait_for_file("/home/testuser@${serverDomain}/done") ''; })
