20231204 ipa sync minor improvements (#2357)

Cargo.lock

@@ -808,9 +808,9 @@ dependencies = [
 
 [[package]]
 name = "compact_jwt"
-version = "0.3.2"
+version = "0.3.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "75968a6d3a1232f93c8701152281fba5ae2f936091f97fe746e35bd8a892f9d0"
+checksum = "1c88e50516e010f137593b9e80dab437bc82c7c7bb4c5bf5dd042e30b0807dd7"
 dependencies = [
  "base64 0.21.5",
  "base64urlsafedata",
@@ -2994,7 +2994,9 @@ dependencies = [
 
 [[package]]
 name = "kanidm-hsm-crypto"
-version = "0.1.4"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0605892a3d0aca88b43a2d60a381ff7307c2c741d64ff87fb7c763556305791d"
 dependencies = [
  "argon2",
  "hex",
@@ -3139,7 +3141,7 @@ dependencies = [
  "async-recursion",
  "clap",
  "clap_complete",
- "compact_jwt 0.3.2",
+ "compact_jwt 0.3.3",
  "cursive",
  "dialoguer",
  "futures-concurrency",
@@ -3174,7 +3176,7 @@ dependencies = [
  "bytes",
  "clap",
  "clap_complete",
- "compact_jwt 0.3.2",
+ "compact_jwt 0.3.3",
  "csv",
  "futures",
  "hashbrown 0.14.3",
@@ -3224,7 +3226,7 @@ dependencies = [
  "axum-server",
  "bytes",
  "chrono",
- "compact_jwt 0.3.2",
+ "compact_jwt 0.3.3",
  "cron",
  "filetime",
  "futures",
@@ -3271,7 +3273,7 @@ version = "1.1.0-rc.15-dev"
 dependencies = [
  "base64 0.21.5",
  "base64urlsafedata",
- "compact_jwt 0.3.2",
+ "compact_jwt 0.3.3",
  "concread",
  "criterion",
  "dyn-clone",
@@ -3337,7 +3339,7 @@ name = "kanidmd_testkit"
 version = "1.1.0-rc.15-dev"
 dependencies = [
  "assert_cmd",
- "compact_jwt 0.3.2",
+ "compact_jwt 0.3.3",
  "escargot",
  "fantoccini",
  "futures",

book/src/integrations/pam_and_nsswitch/suse.md

@@ -16,16 +16,29 @@ authentication:
 > copy the `-pc` files. You can then edit the files safely.
 
 ```bash
+# These steps must be taken as root
+rm /etc/pam.d/common-account
+rm /etc/pam.d/common-auth
+rm /etc/pam.d/common-session
+rm /etc/pam.d/common-password
 cp /etc/pam.d/common-account-pc  /etc/pam.d/common-account
 cp /etc/pam.d/common-auth-pc     /etc/pam.d/common-auth
-cp /etc/pam.d/common-password-pc /etc/pam.d/common-password
 cp /etc/pam.d/common-session-pc  /etc/pam.d/common-session
+cp /etc/pam.d/common-password-pc /etc/pam.d/common-password
 ```
 
 The content should look like:
 
 ```text
-# /etc/pam.d/common-auth-pc
+# /etc/pam.d/common-account
+# Controls authorisation to this system (who may login)
+account    [default=1 ignore=ignore success=ok] pam_localuser.so
+account    sufficient    pam_unix.so
+account    [default=1 ignore=ignore success=ok]  pam_succeed_if.so uid >= 1000 quiet_success quiet_fail
+account    sufficient    pam_kanidm.so ignore_unknown_user
+account    required      pam_deny.so
+
+# /etc/pam.d/common-auth
 # Controls authentication to this system (verification of credentials)
 auth        required      pam_env.so
 auth        [default=1 ignore=ignore success=ok] pam_localuser.so
@@ -34,15 +47,15 @@ auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
 auth        sufficient    pam_kanidm.so ignore_unknown_user
 auth        required      pam_deny.so
 
-# /etc/pam.d/common-account-pc
+# /etc/pam.d/common-password
-# Controls authorisation to this system (who may login)
+# Controls flow of what happens when a user invokes the passwd command. Currently does NOT
-account    [default=1 ignore=ignore success=ok] pam_localuser.so
+# push password changes back to kanidm
-account    sufficient    pam_unix.so
+password    [default=1 ignore=ignore success=ok] pam_localuser.so
-account    [default=1 ignore=ignore success=ok]  pam_succeed_if.so uid >= 1000 quiet_success quiet_fail
+password    required    pam_unix.so use_authtok nullok shadow try_first_pass
-account    sufficient    pam_kanidm.so ignore_unknown_user
+password    [default=1 ignore=ignore success=ok]  pam_succeed_if.so uid >= 1000 quiet_success quiet_fail
-account    required      pam_deny.so
+password    required    pam_kanidm.so
 
-# /etc/pam.d/common-session-pc
+# /etc/pam.d/common-session
 # Controls setup of the user session once a successful authentication and authorisation has
 # occurred.
 session optional    pam_systemd.so
@@ -52,14 +65,6 @@ session optional    pam_umask.so
 session [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet_success quiet_fail
 session optional    pam_kanidm.so
 session optional    pam_env.so
-
-# /etc/pam.d/common-password-pc
-# Controls flow of what happens when a user invokes the passwd command. Currently does NOT
-# interact with kanidm.
-password    [default=1 ignore=ignore success=ok] pam_localuser.so
-password    required    pam_unix.so use_authtok nullok shadow try_first_pass
-password    [default=1 ignore=ignore success=ok]  pam_succeed_if.so uid >= 1000 quiet_success quiet_fail
-password    required    pam_kanidm.so
 ```
 
 > **WARNING:** Ensure that `pam_mkhomedir` or `pam_oddjobd` are _not_ present in any stage of your

book/src/integrations/ssh_key_dist.md

@@ -66,7 +66,7 @@ lines:
 ```text
 PubkeyAuthentication yes
 UsePAM yes
-AuthorizedKeysCommand /usr/bin/kanidm_ssh_authorizedkeys %u
+AuthorizedKeysCommand /usr/sbin/kanidm_ssh_authorizedkeys %u
 AuthorizedKeysCommandUser nobody
 ```
 

book/src/integrations/sssd.md

@@ -61,7 +61,7 @@ An example configuration for SSSD is provided.
 
 # Setup for ssh keys
 # Inside /etc/ssh/sshd_config add the lines:
-#   AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
+#   AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys %u
 #   AuthorizedKeysCommandUser nobody
 # You can test with the command: sss_ssh_authorizedkeys <username>
 

platform/opensuse/kanidm-ipa-sync.service

@@ -0,0 +1,31 @@
+# You should not need to edit this file. Instead, use a drop-in file as described in:
+#   /usr/lib/systemd/system/kanidmd.service.d/custom.conf
+
+[Unit]
+Description=Kanidm IPA Sync Service
+After=time-sync.target network-online.target
+Wants=time-sync.target network-online.target
+
+[Service]
+Type=exec
+DynamicUser=yes
+LoadCredential=config:/etc/kanidm/ipa-sync
+Environment=KANIDM_IPA_SYNC_CONFIG=%d/config
+ExecStart=/usr/sbin/kanidm-ipa-sync --schedule
+
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+
+NoNewPrivileges=true
+PrivateTmp=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target

server/lib/src/constants/groups.rs

@@ -422,7 +422,7 @@ lazy_static! {
 
     pub static ref IDM_ALL_PERSONS: BuiltinGroup = BuiltinGroup {
         name: "idm_all_persons",
-        description: "Builtin IDM Group for extending high privilege accounts to be people.",
+        description: "Builtin IDM dynamic group containing all persons.",
         uuid: UUID_IDM_ALL_PERSONS,
         members: Vec::new(),
         dyngroup: true,

tools/cli/src/cli/group/account_policy.rs

@@ -79,7 +79,7 @@ impl GroupAccountPolicyOpt {
                 {
                     handle_client_error(e, copt.output_mode);
                 } else {
-                    println!("Updated webauthn attesation CA list.");
+                    println!("Updated webauthn attestation CA list.");
                 }
             }
         }

tools/iam_migrations/freeipa/src/main.rs

@@ -77,6 +77,8 @@ async fn driver_main(opt: Opt) {
         Ok(f) => f,
         Err(e) => {
             error!("Unable to open profile file [{:?}] 🥺", e);
+            let diag = kanidm_lib_file_permissions::diagnose_path(&opt.ipa_sync_config);
+            info!(%diag);
             return;
         }
     };

tools/iam_migrations/freeipa/src/opt.rs

@@ -12,7 +12,7 @@ pub struct Opt {
     pub client_config: PathBuf,
 
     /// Path to the ipa-sync config file.
-    #[clap(value_parser, short, long, default_value_os_t = DEFAULT_IPA_CONFIG_PATH.into())]
+    #[clap(value_parser, short, long, env = "KANIDM_IPA_SYNC_CONFIG", default_value_os_t = DEFAULT_IPA_CONFIG_PATH.into())]
     pub ipa_sync_config: PathBuf,
 
     /// Dump the ldap protocol inputs, as well as the scim outputs. This can be used