From 4bd5d584cb4767284358ca9a6be9dbf78e46fe8e Mon Sep 17 00:00:00 2001 From: Firstyear Date: Mon, 4 Dec 2023 16:58:15 +1000 Subject: [PATCH] 20231204 ipa sync minor improvements (#2357) --- Cargo.lock | 18 ++++---- .../src/integrations/pam_and_nsswitch/suse.md | 41 +++++++++++-------- book/src/integrations/ssh_key_dist.md | 2 +- book/src/integrations/sssd.md | 2 +- platform/opensuse/kanidm-ipa-sync.service | 31 ++++++++++++++ server/lib/src/constants/groups.rs | 2 +- tools/cli/src/cli/group/account_policy.rs | 2 +- tools/iam_migrations/freeipa/src/main.rs | 2 + tools/iam_migrations/freeipa/src/opt.rs | 2 +- 9 files changed, 71 insertions(+), 31 deletions(-) create mode 100644 platform/opensuse/kanidm-ipa-sync.service diff --git a/Cargo.lock b/Cargo.lock index 4573778c9..c5373549b 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -808,9 +808,9 @@ dependencies = [ [[package]] name = "compact_jwt" -version = "0.3.2" +version = "0.3.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "75968a6d3a1232f93c8701152281fba5ae2f936091f97fe746e35bd8a892f9d0" +checksum = "1c88e50516e010f137593b9e80dab437bc82c7c7bb4c5bf5dd042e30b0807dd7" dependencies = [ "base64 0.21.5", "base64urlsafedata", @@ -2994,7 +2994,9 @@ dependencies = [ [[package]] name = "kanidm-hsm-crypto" -version = "0.1.4" +version = "0.1.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0605892a3d0aca88b43a2d60a381ff7307c2c741d64ff87fb7c763556305791d" dependencies = [ "argon2", "hex", @@ -3139,7 +3141,7 @@ dependencies = [ "async-recursion", "clap", "clap_complete", - "compact_jwt 0.3.2", + "compact_jwt 0.3.3", "cursive", "dialoguer", "futures-concurrency", @@ -3174,7 +3176,7 @@ dependencies = [ "bytes", "clap", "clap_complete", - "compact_jwt 0.3.2", + "compact_jwt 0.3.3", "csv", "futures", "hashbrown 0.14.3", @@ -3224,7 +3226,7 @@ dependencies = [ "axum-server", "bytes", "chrono", - "compact_jwt 0.3.2", + "compact_jwt 0.3.3", "cron", "filetime", "futures", 
@@ -3271,7 +3273,7 @@ version = "1.1.0-rc.15-dev" dependencies = [ "base64 0.21.5", "base64urlsafedata", - "compact_jwt 0.3.2", + "compact_jwt 0.3.3", "concread", "criterion", "dyn-clone", @@ -3337,7 +3339,7 @@ name = "kanidmd_testkit" version = "1.1.0-rc.15-dev" dependencies = [ "assert_cmd", - "compact_jwt 0.3.2", + "compact_jwt 0.3.3", "escargot", "fantoccini", "futures", diff --git a/book/src/integrations/pam_and_nsswitch/suse.md b/book/src/integrations/pam_and_nsswitch/suse.md index b4e720abd..788b078e2 100644 --- a/book/src/integrations/pam_and_nsswitch/suse.md +++ b/book/src/integrations/pam_and_nsswitch/suse.md @@ -16,16 +16,29 @@ authentication: > copy the `-pc` files. You can then edit the files safely. ```bash +# These steps must be taken as root +rm /etc/pam.d/common-account +rm /etc/pam.d/common-auth +rm /etc/pam.d/common-session +rm /etc/pam.d/common-password cp /etc/pam.d/common-account-pc /etc/pam.d/common-account cp /etc/pam.d/common-auth-pc /etc/pam.d/common-auth -cp /etc/pam.d/common-password-pc /etc/pam.d/common-password cp /etc/pam.d/common-session-pc /etc/pam.d/common-session +cp /etc/pam.d/common-password-pc /etc/pam.d/common-password ``` The content should look like: ```text -# /etc/pam.d/common-auth-pc +# /etc/pam.d/common-account +# Controls authorisation to this system (who may login) +account [default=1 ignore=ignore success=ok] pam_localuser.so +account sufficient pam_unix.so +account [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet_success quiet_fail +account sufficient pam_kanidm.so ignore_unknown_user +account required pam_deny.so + +# /etc/pam.d/common-auth # Controls authentication to this system (verification of credentials) auth required pam_env.so auth [default=1 ignore=ignore success=ok] pam_localuser.so 
@@ -34,15 +47,15 @@ auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_kanidm.so ignore_unknown_user auth required pam_deny.so -# /etc/pam.d/common-account-pc -# Controls authorisation to this system (who may login) -account [default=1 ignore=ignore success=ok] pam_localuser.so -account sufficient pam_unix.so -account [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet_success quiet_fail -account sufficient pam_kanidm.so ignore_unknown_user -account required pam_deny.so +# /etc/pam.d/common-password +# Controls flow of what happens when a user invokes the passwd command. Currently does NOT +# push password changes back to kanidm +password [default=1 ignore=ignore success=ok] pam_localuser.so +password required pam_unix.so use_authtok nullok shadow try_first_pass +password [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet_success quiet_fail +password required pam_kanidm.so -# /etc/pam.d/common-session-pc +# /etc/pam.d/common-session # Controls setup of the user session once a successful authentication and authorisation has # occurred. session optional pam_systemd.so @@ -52,14 +65,6 @@ session optional pam_umask.so session [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet_success quiet_fail session optional pam_kanidm.so session optional pam_env.so - -# /etc/pam.d/common-password-pc -# Controls flow of what happens when a user invokes the passwd command. Currently does NOT -# interact with kanidm. -password [default=1 ignore=ignore success=ok] pam_localuser.so -password required pam_unix.so use_authtok nullok shadow try_first_pass -password [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet_success quiet_fail -password required pam_kanidm.so ``` > **WARNING:** Ensure that `pam_mkhomedir` or `pam_oddjobd` are _not_ present in any stage of your 
diff --git a/book/src/integrations/ssh_key_dist.md b/book/src/integrations/ssh_key_dist.md index db4a61477..a009ee754 100644 --- a/book/src/integrations/ssh_key_dist.md +++ b/book/src/integrations/ssh_key_dist.md @@ -66,7 +66,7 @@ lines: ```text PubkeyAuthentication yes UsePAM yes -AuthorizedKeysCommand /usr/bin/kanidm_ssh_authorizedkeys %u +AuthorizedKeysCommand /usr/sbin/kanidm_ssh_authorizedkeys %u AuthorizedKeysCommandUser nobody ``` diff --git a/book/src/integrations/sssd.md b/book/src/integrations/sssd.md index 4344069c5..58c6edb3b 100644 --- a/book/src/integrations/sssd.md +++ b/book/src/integrations/sssd.md @@ -61,7 +61,7 @@ An example configuration for SSSD is provided. # Setup for ssh keys # Inside /etc/ssh/sshd_config add the lines: -# AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys +# AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys %u # AuthorizedKeysCommandUser nobody # You can test with the command: sss_ssh_authorizedkeys diff --git a/platform/opensuse/kanidm-ipa-sync.service b/platform/opensuse/kanidm-ipa-sync.service new file mode 100644 index 000000000..0db54cb51 --- /dev/null +++ b/platform/opensuse/kanidm-ipa-sync.service 
@@ -0,0 +1,31 @@ +# You should not need to edit this file. Instead, use a drop-in file as described in: +# /usr/lib/systemd/system/kanidmd.service.d/custom.conf + +[Unit] +Description=Kanidm IPA Sync Service +After=time-sync.target network-online.target +Wants=time-sync.target network-online.target + +[Service] +Type=exec +DynamicUser=yes +LoadCredential=config:/etc/kanidm/ipa-sync +Environment=KANIDM_IPA_SYNC_CONFIG=%d/config +ExecStart=/usr/sbin/kanidm-ipa-sync --schedule + +AmbientCapabilities=CAP_NET_BIND_SERVICE +CapabilityBoundingSet=CAP_NET_BIND_SERVICE + +NoNewPrivileges=true +PrivateTmp=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +MemoryDenyWriteExecute=true + +[Install] +WantedBy=multi-user.target diff --git a/server/lib/src/constants/groups.rs b/server/lib/src/constants/groups.rs index a5cb0cbc0..96efa30b9 100644 --- a/server/lib/src/constants/groups.rs +++ b/server/lib/src/constants/groups.rs @@ -422,7 +422,7 @@ lazy_static! { pub static ref IDM_ALL_PERSONS: BuiltinGroup = BuiltinGroup { name: "idm_all_persons", - description: "Builtin IDM Group for extending high privilege accounts to be people.", + description: "Builtin IDM dynamic group containing all persons.", uuid: UUID_IDM_ALL_PERSONS, members: Vec::new(), dyngroup: true, diff --git a/tools/cli/src/cli/group/account_policy.rs b/tools/cli/src/cli/group/account_policy.rs index a46c2dc9e..554394b92 100644 --- a/tools/cli/src/cli/group/account_policy.rs +++ b/tools/cli/src/cli/group/account_policy.rs @@ -79,7 +79,7 @@ impl GroupAccountPolicyOpt { { handle_client_error(e, copt.output_mode); } else { - println!("Updated webauthn attesation CA list."); + println!("Updated webauthn attestation CA list."); } } } diff --git a/tools/iam_migrations/freeipa/src/main.rs b/tools/iam_migrations/freeipa/src/main.rs index 739eb6e55..97d343f2b 100644 
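Review bot: The header comment of the new unit points operators at `/usr/lib/systemd/system/kanidmd.service.d/custom.conf`, which is the drop-in directory of a different unit (kanidmd); drop-ins for this unit are only read from `kanidm-ipa-sync.service.d/`, so the comment should read `# /etc/systemd/system/kanidm-ipa-sync.service.d/custom.conf` (or the matching path under /usr/lib). `AmbientCapabilities`/`CapabilityBoundingSet=CAP_NET_BIND_SERVICE` grant the ability to bind privileged ports; if kanidm-ipa-sync only opens outbound connections to IPA and Kanidm, as its name suggests, that capability is unneeded and both lines can be dropped in favour of an empty `CapabilityBoundingSet=`. Since the credential loaded via `LoadCredential` presumably holds the sync secrets, the sandbox would also benefit from `ProtectSystem=strict` and `ProtectHome=true`, which the otherwise thorough Protect* set omits; `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX` would further narrow it.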
--- a/tools/iam_migrations/freeipa/src/main.rs +++ b/tools/iam_migrations/freeipa/src/main.rs @@ -77,6 +77,8 @@ async fn driver_main(opt: Opt) { Ok(f) => f, Err(e) => { error!("Unable to open profile file [{:?}] 🥺", e); + let diag = kanidm_lib_file_permissions::diagnose_path(&opt.ipa_sync_config); + info!(%diag); return; } }; diff --git a/tools/iam_migrations/freeipa/src/opt.rs b/tools/iam_migrations/freeipa/src/opt.rs index 174ee35bf..f06758054 100644 --- a/tools/iam_migrations/freeipa/src/opt.rs +++ b/tools/iam_migrations/freeipa/src/opt.rs @@ -12,7 +12,7 @@ pub struct Opt { pub client_config: PathBuf, /// Path to the ipa-sync config file. - #[clap(value_parser, short, long, default_value_os_t = DEFAULT_IPA_CONFIG_PATH.into())] + #[clap(value_parser, short, long, env = "KANIDM_IPA_SYNC_CONFIG", default_value_os_t = DEFAULT_IPA_CONFIG_PATH.into())] pub ipa_sync_config: PathBuf, /// Dump the ldap protocol inputs, as well as the scim outputs. This can be used
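Review bot: The added `info!(%diag);` logs the path diagnosis one level below the `error!` it explains, so at a WARN or ERROR filter the operator sees the open failure but never the reason; emit it at the failure's level, e.g. `error!(%diag, "profile file diagnosis");`, or fold `%diag` into the existing `error!` line. The `match` whose `Err(e)` arm this is begins before the hunk, so it is not visible here that the failed open was of `opt.ipa_sync_config` rather than another path; if it was a different file, the diagnosis would describe the wrong one. `driver_main`'s body continues outside the hunk.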
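Review bot: With `env = "KANIDM_IPA_SYNC_CONFIG"` added to the clap attribute, the doc comment above it no longer describes the full contract, since the new unit file in this commit relies on that variable rather than the flag; extend it to `/// Path to the ipa-sync config file. May also be set via the KANIDM_IPA_SYNC_CONFIG environment variable; the command line flag takes precedence.` so readers of the source see where the systemd `%d/config` path comes from.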