20231204 ipa sync minor improvements (#2357)

2025-02-23 12:37:00 +01:00 · 2023-12-04 16:58:15 +10:00 · 2023-12-04 16:58:15 +10:00 · 4bd5d584cb
parent a1b1379e4b
commit 4bd5d584cb
9 changed files with 71 additions and 31 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -808,9 +808,9 @@ dependencies = [

 [[package]]
 name = "compact_jwt"
-version = "0.3.2"
+version = "0.3.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "75968a6d3a1232f93c8701152281fba5ae2f936091f97fe746e35bd8a892f9d0"
+checksum = "1c88e50516e010f137593b9e80dab437bc82c7c7bb4c5bf5dd042e30b0807dd7"
 dependencies = [
 "base64 0.21.5",
 "base64urlsafedata",
@ -2994,7 +2994,9 @@ dependencies = [

 [[package]]
 name = "kanidm-hsm-crypto"
-version = "0.1.4"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0605892a3d0aca88b43a2d60a381ff7307c2c741d64ff87fb7c763556305791d"
 dependencies = [
 "argon2",
 "hex",
@ -3139,7 +3141,7 @@ dependencies = [
 "async-recursion",
 "clap",
 "clap_complete",
- "compact_jwt 0.3.2",
+ "compact_jwt 0.3.3",
 "cursive",
 "dialoguer",
 "futures-concurrency",
@ -3174,7 +3176,7 @@ dependencies = [
 "bytes",
 "clap",
 "clap_complete",
- "compact_jwt 0.3.2",
+ "compact_jwt 0.3.3",
 "csv",
 "futures",
 "hashbrown 0.14.3",
@ -3224,7 +3226,7 @@ dependencies = [
 "axum-server",
 "bytes",
 "chrono",
- "compact_jwt 0.3.2",
+ "compact_jwt 0.3.3",
 "cron",
 "filetime",
 "futures",
@ -3271,7 +3273,7 @@ version = "1.1.0-rc.15-dev"
 dependencies = [
 "base64 0.21.5",
 "base64urlsafedata",
- "compact_jwt 0.3.2",
+ "compact_jwt 0.3.3",
 "concread",
 "criterion",
 "dyn-clone",
@ -3337,7 +3339,7 @@ name = "kanidmd_testkit"
 version = "1.1.0-rc.15-dev"
 dependencies = [
 "assert_cmd",
- "compact_jwt 0.3.2",
+ "compact_jwt 0.3.3",
 "escargot",
 "fantoccini",
 "futures",
--- a/book/src/integrations/pam_and_nsswitch/suse.md
+++ b/book/src/integrations/pam_and_nsswitch/suse.md
@ -16,16 +16,29 @@ authentication:
 > copy the `-pc` files. You can then edit the files safely.

 ```bash
+# These steps must be taken as root
+rm /etc/pam.d/common-account
+rm /etc/pam.d/common-auth
+rm /etc/pam.d/common-session
+rm /etc/pam.d/common-password
 cp /etc/pam.d/common-account-pc  /etc/pam.d/common-account
 cp /etc/pam.d/common-auth-pc     /etc/pam.d/common-auth
-cp /etc/pam.d/common-password-pc /etc/pam.d/common-password
 cp /etc/pam.d/common-session-pc  /etc/pam.d/common-session
+cp /etc/pam.d/common-password-pc /etc/pam.d/common-password
 ```

 The content should look like:

 ```text
-# /etc/pam.d/common-auth-pc
+# /etc/pam.d/common-account
+# Controls authorisation to this system (who may login)
+account    [default=1 ignore=ignore success=ok] pam_localuser.so
+account    sufficient    pam_unix.so
+account    [default=1 ignore=ignore success=ok]  pam_succeed_if.so uid >= 1000 quiet_success quiet_fail
+account    sufficient    pam_kanidm.so ignore_unknown_user
+account    required      pam_deny.so
+
+# /etc/pam.d/common-auth
 # Controls authentication to this system (verification of credentials)
 auth        required      pam_env.so
 auth        [default=1 ignore=ignore success=ok] pam_localuser.so
@ -34,15 +47,15 @@ auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
 auth        sufficient    pam_kanidm.so ignore_unknown_user
 auth        required      pam_deny.so

-# /etc/pam.d/common-account-pc
-# Controls authorisation to this system (who may login)
-account    [default=1 ignore=ignore success=ok] pam_localuser.so
-account    sufficient    pam_unix.so
-account    [default=1 ignore=ignore success=ok]  pam_succeed_if.so uid >= 1000 quiet_success quiet_fail
-account    sufficient    pam_kanidm.so ignore_unknown_user
-account    required      pam_deny.so
+# /etc/pam.d/common-password
+# Controls flow of what happens when a user invokes the passwd command. Currently does NOT
+# push password changes back to kanidm
+password    [default=1 ignore=ignore success=ok] pam_localuser.so
+password    required    pam_unix.so use_authtok nullok shadow try_first_pass
+password    [default=1 ignore=ignore success=ok]  pam_succeed_if.so uid >= 1000 quiet_success quiet_fail
+password    required    pam_kanidm.so

-# /etc/pam.d/common-session-pc
+# /etc/pam.d/common-session
 # Controls setup of the user session once a successful authentication and authorisation has
 # occurred.
 session optional    pam_systemd.so
@ -52,14 +65,6 @@ session optional    pam_umask.so
 session [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet_success quiet_fail
 session optional    pam_kanidm.so
 session optional    pam_env.so
-
-# /etc/pam.d/common-password-pc
-# Controls flow of what happens when a user invokes the passwd command. Currently does NOT
-# interact with kanidm.
-password    [default=1 ignore=ignore success=ok] pam_localuser.so
-password    required    pam_unix.so use_authtok nullok shadow try_first_pass
-password    [default=1 ignore=ignore success=ok]  pam_succeed_if.so uid >= 1000 quiet_success quiet_fail
-password    required    pam_kanidm.so
 ```

 > **WARNING:** Ensure that `pam_mkhomedir` or `pam_oddjobd` are _not_ present in any stage of your
--- a/book/src/integrations/ssh_key_dist.md
+++ b/book/src/integrations/ssh_key_dist.md
@ -66,7 +66,7 @@ lines:
 ```text
 PubkeyAuthentication yes
 UsePAM yes
-AuthorizedKeysCommand /usr/bin/kanidm_ssh_authorizedkeys %u
+AuthorizedKeysCommand /usr/sbin/kanidm_ssh_authorizedkeys %u
 AuthorizedKeysCommandUser nobody
 ```

--- a/book/src/integrations/sssd.md
+++ b/book/src/integrations/sssd.md
@ -61,7 +61,7 @@ An example configuration for SSSD is provided.

 # Setup for ssh keys
 # Inside /etc/ssh/sshd_config add the lines:
-#   AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
+#   AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys %u
 #   AuthorizedKeysCommandUser nobody
 # You can test with the command: sss_ssh_authorizedkeys <username>

--- a/platform/opensuse/kanidm-ipa-sync.service
+++ b/platform/opensuse/kanidm-ipa-sync.service
@ -0,0 +1,31 @@
+# You should not need to edit this file. Instead, use a drop-in file as described in:
+#   /usr/lib/systemd/system/kanidmd.service.d/custom.conf
+
+[Unit]
+Description=Kanidm IPA Sync Service
+After=time-sync.target network-online.target
+Wants=time-sync.target network-online.target
+
+[Service]
+Type=exec
+DynamicUser=yes
+LoadCredential=config:/etc/kanidm/ipa-sync
+Environment=KANIDM_IPA_SYNC_CONFIG=%d/config
+ExecStart=/usr/sbin/kanidm-ipa-sync --schedule
+
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+
+NoNewPrivileges=true
+PrivateTmp=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target
--- a/server/lib/src/constants/groups.rs
+++ b/server/lib/src/constants/groups.rs
@ -422,7 +422,7 @@ lazy_static! {

    pub static ref IDM_ALL_PERSONS: BuiltinGroup = BuiltinGroup {
        name: "idm_all_persons",
-        description: "Builtin IDM Group for extending high privilege accounts to be people.",
+        description: "Builtin IDM dynamic group containing all persons.",
        uuid: UUID_IDM_ALL_PERSONS,
        members: Vec::new(),
        dyngroup: true,
--- a/tools/cli/src/cli/group/account_policy.rs
+++ b/tools/cli/src/cli/group/account_policy.rs
@ -79,7 +79,7 @@ impl GroupAccountPolicyOpt {
                {
                    handle_client_error(e, copt.output_mode);
                } else {
-                    println!("Updated webauthn attesation CA list.");
+                    println!("Updated webauthn attestation CA list.");
                }
            }
        }
--- a/tools/iam_migrations/freeipa/src/main.rs
+++ b/tools/iam_migrations/freeipa/src/main.rs
@ -77,6 +77,8 @@ async fn driver_main(opt: Opt) {
        Ok(f) => f,
        Err(e) => {
            error!("Unable to open profile file [{:?}] 🥺", e);
+            let diag = kanidm_lib_file_permissions::diagnose_path(&opt.ipa_sync_config);
+            info!(%diag);
            return;
        }
    };
--- a/tools/iam_migrations/freeipa/src/opt.rs
+++ b/tools/iam_migrations/freeipa/src/opt.rs
@ -12,7 +12,7 @@ pub struct Opt {
    pub client_config: PathBuf,

    /// Path to the ipa-sync config file.
-    #[clap(value_parser, short, long, default_value_os_t = DEFAULT_IPA_CONFIG_PATH.into())]
+    #[clap(value_parser, short, long, env = "KANIDM_IPA_SYNC_CONFIG", default_value_os_t = DEFAULT_IPA_CONFIG_PATH.into())]
    pub ipa_sync_config: PathBuf,

    /// Dump the ldap protocol inputs, as well as the scim outputs. This can be used