Try enabling SSSD

2023-10-01 14:51:39 -07:00 · 2023-10-01 14:51:39 -07:00 · 2a46e1bfe3
parent 66128a5cd2
commit 2a46e1bfe3
2 changed files with 55 additions and 1 deletions
--- a/dovecot.nix
+++ b/dovecot.nix
@ -207,6 +207,48 @@ in {
          after = [ "dovecot2.service" ];
        };

+        sssd = {
+          enable = true;
+          environmentFile = "/run/dovecotSecrets/sssd.env";
+          config = ''
+            [nss]
+            filter_users = root
+            filter_groups = root
+            reconnection_retries = 3
+
+            [sssd]
+            config_file_version = 2
+            reconnection_retries = 3
+            sbus_timeout = 30
+            domains = informis.land
+            services = nss, pam
+
+            [pam]
+            reconnection_retries = 3
+
+            [domain/informis.land]
+            cache_credentials = False
+            id_provider = ldap
+            auth_provider = ldap
+            access_provider = ldap
+            chpass_provider = ldap
+            ldap_uri = SSSD_LDAP_SERVER
+
+            ldap_schema = rfc2307bis
+            ldap_search_base = SSSD_LDAP_SEARCH_BASE
+            ldap_user_search_base = SSSD_LDAP_USER_SEARCH_BASE
+            ldap_group_search_base = SSSD_LDAP_GROUP_SEARCH_BASE
+
+            ldap_user_object_class = user
+            ldap_user_name = cn
+            ldap_group_object_class = group
+            ldap_group_name = cn
+
+            ldap_default_bind_fn = SSSD_LDAP_BIND_DN
+            ldap_default_authtok = SSSD_LDAP_AUTH_TOKEN
+          '';
+        };
+
        dovecot-sieve-generator = let
          isRegularFile = _: type: type == "regular";
          sieves = filterAttrs isRegularFile (builtins.readDir ./sieves);
@ -356,7 +398,6 @@ in {

          passdb {
            driver = ldap
-            user_format = %n
            args = ${cfg.ldap-conf}
          }

--- a/mail-server.nix
+++ b/mail-server.nix
@ -199,6 +199,18 @@ in {
        target-file = "/run/ldap-proxy/env";
      };

+      dovecotSssdEnv = {
+        source-file = pkgs.writeText "dovecot-sssd.env" (concatStringsSep "\n" [
+          "SSSD_LDAP_SERVER=ldap://ldap-proxy:3389/"
+          "SSSD_LDAP_SEARCH_BASE=${cfg.ldap.base}"
+          "SSSD_LDAP_USER_SEARCH_BASE=${cfg.ldap.user-ou},${cfg.ldap.base}"
+          "SSSD_LDAP_GROUP_SEARCH_BASE=${cfg.ldap.group-ou},${cfg.ldap.base}"
+          "SSSD_LDAP_BIND_DN=${cfg.ldap.bind-dn}"
+          "SSSD_LDAP_AUTH_TOKEN=${readFile cfg.ldap.bind-password-file}"
+        ]);
+        target-file = "/run/dovecot-secret/sssd.env";
+      };
+
      dovecotLdapConfig = {
        source-file = pkgs.writeText "dovecot-ldap.conf"
          (concatStringsSep "\n" [
@ -321,6 +333,7 @@ in {
                "${cfg.imap.ssl-directory}:/run/certs/imap"
                "${cfg.state-directory}/dovecot-dhparams:/var/lib/dhparams"
                "${cfg.state-directory}/mail:/mail"
+                "${hostSecrets.dovecotSssdEnv}:/run/dovecot-secrets/sssd.env"
              ];
              depends_on = [ "antispam" "ldap-proxy" ];
            };