From cd1ce69f104686bbb33e049c2c4c112e78febd36 Mon Sep 17 00:00:00 2001
From: Cullum Smith <cullum@sacredheartsc.com>
Date: Wed, 25 Sep 2024 21:38:13 -0400
Subject: finish idm client stuff

---
 files/usr/local/etc/nslcd.conf.common                | 14 ++++++++++++++
 files/usr/local/etc/openldap/.krb5/config.idm_server |  2 ++
 files/usr/local/etc/openldap/ldap.conf.common        |  9 +++++++++
 files/usr/local/etc/openldap/slapd.ldif.idm_server   |  2 +-
 files/usr/local/etc/ssh/sshd_config.freebsd          |  2 +-
 files/usr/local/var/krb5kdc/kadm5.acl.idm_server     |  4 ++--
 6 files changed, 29 insertions(+), 4 deletions(-)
 create mode 100644 files/usr/local/etc/nslcd.conf.common
 create mode 100644 files/usr/local/etc/openldap/.krb5/config.idm_server
 create mode 100644 files/usr/local/etc/openldap/ldap.conf.common


diff --git a/files/usr/local/etc/nslcd.conf.common b/files/usr/local/etc/nslcd.conf.common
new file mode 100644
index 0000000..6494c70
--- /dev/null
+++ b/files/usr/local/etc/nslcd.conf.common
@@ -0,0 +1,14 @@
+uid ${nslcd_user}
+gid ${nslcd_user}
+
+uri ${ldap_uri}
+
+base ${basedn}
+base passwd ${accounts_basedn}
+base group ${groups_basedn}
+
+sasl_mech GSSAPI
+
+nss_min_uid ${nslcd_min_uid}
+nss_initgroups_ignoreusers ALLLOCAL
+nss_nested_groups yes
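Review bot: The GSSAPI bind selected by `sasl_mech GSSAPI` has no `krb5_ccname` line, so nslcd authenticates with whatever credential cache the `${nslcd_user}` process happens to find, and nothing in this file asks the SASL layer for confidentiality. If `${ldap_uri}` is a plain ldap:// URI, passwd and group lookups are then protected only by what the server side enforces; a line such as `sasl_secprops minssf=56` (constructed value; choose the strength the server offers) makes the client refuse an unprotected session, and a `krb5_ccname` line naming the cache that is refreshed from the host keytab records where the bind identity comes from. A short comment on `nss_initgroups_ignoreusers ALLLOCAL` would also help, since it is what keeps every account in /etc/passwd from triggering a directory group lookup.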
diff --git a/files/usr/local/etc/openldap/.krb5/config.idm_server b/files/usr/local/etc/openldap/.krb5/config.idm_server
new file mode 100644
index 0000000..7a92f86
--- /dev/null
+++ b/files/usr/local/etc/openldap/.krb5/config.idm_server
@@ -0,0 +1,2 @@
+[libdefaults]
+  default_keytab_name = FILE:${slapd_keytab}
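Review bot: This file only takes effect if the Kerberos library slapd links against reads a per-user `~/.krb5/config` (Heimdal does; MIT krb5 does not unless KRB5_CONFIG points at it) and if the openldap directory is the home of the user slapd runs as, and neither assumption is written down. A leading comment such as `# read by Heimdal as ~/.krb5/config for the slapd user; with MIT krb5 set KRB5_CONFIG to this file` would stop a deployer on the other library from getting a silently ignored keytab setting. The keytab named by `default_keytab_name` should be readable only by that user, but its ownership and mode are set outside this patch.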
diff --git a/files/usr/local/etc/openldap/ldap.conf.common b/files/usr/local/etc/openldap/ldap.conf.common
new file mode 100644
index 0000000..b56dc94
--- /dev/null
+++ b/files/usr/local/etc/openldap/ldap.conf.common
@@ -0,0 +1,9 @@
+URI            ${ldap_uri}
+BASE           ${basedn}
+USE_SASL       yes
+ROOTUSE_SASL   yes
+SASL_MECH      GSSAPI
+SASL_REALM     ${realm}
+GSSAPI_SIGN    yes
+GSSAPI_ENCRYPT yes
+SUDOERS_BASE   ${sudo_basedn}
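Review bot: Only `URI`, `BASE`, `SASL_MECH` and `SASL_REALM` in this file are keywords libldap honours; `USE_SASL`, `ROOTUSE_SASL`, `GSSAPI_SIGN`, `GSSAPI_ENCRYPT` and `SUDOERS_BASE` are read by sudo's LDAP backend and ignored by ldapsearch and other libldap clients. The encryption requirement expressed by `GSSAPI_ENCRYPT yes` therefore covers sudo only; for the libldap side, `SASL_SECPROPS minssf=56` (constructed example) is the keyword that refuses an unprotected GSSAPI session. A comment separating the two groups, e.g. `# sudo-ldap only (ignored by libldap)` above the sudo keys, would make the split visible to the next editor.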
diff --git a/files/usr/local/etc/openldap/slapd.ldif.idm_server b/files/usr/local/etc/openldap/slapd.ldif.idm_server
index 9dc0086..d63641e 100644
--- a/files/usr/local/etc/openldap/slapd.ldif.idm_server
+++ b/files/usr/local/etc/openldap/slapd.ldif.idm_server
@@ -119,7 +119,7 @@ olcAccess: {1}to dn.base="cn=Subschema"
   by * read
 olcAccess: {3}to *
   by dn.exact=${slapd_replicator_dn} read
-  by dn.exact=krbPrincipalName=${boxconf_username},${robots_basedn} manage
+  by dn.exact=${boxconf_dn} manage
   by set="[cn=${slapd_admin_role},${roles_basedn}]/member* & user" manage
   by * break
 olcAccess: {4}to dn.subtree=${sudo_basedn}
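Review bot: The boxconf identity is now taken from `${boxconf_dn}` here, while kadm5.acl.idm_server in the same commit still derives it from `${boxconf_username}`, so the two grants of full rights to that account come from two independently set variables. If the DN and the principal name ever diverge, slapd and kadmind will trust different identities; either derive one value from the other in the templater or record the coupling with a comment like `# ${boxconf_dn} must be the krbPrincipalName entry of ${boxconf_username}` above the `olcAccess: {3}` line. That attribute starts inside the hunk but the enclosing LDIF entry begins before it.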
diff --git a/files/usr/local/etc/ssh/sshd_config.freebsd b/files/usr/local/etc/ssh/sshd_config.freebsd
index df46af6..52d9bfe 100644
--- a/files/usr/local/etc/ssh/sshd_config.freebsd
+++ b/files/usr/local/etc/ssh/sshd_config.freebsd
@@ -3,7 +3,7 @@ Include /etc/ssh/sshd_config.d/*.conf
 PermitRootLogin prohibit-password
 AuthorizedKeysFile .ssh/authorized_keys
 AuthorizedKeysCommand /usr/local/libexec/idm-ssh-authorized-keys %u
-AuthorizedKeysCommandUser ${ssh_authzkeys_user}
+AuthorizedKeysCommandUser ${ssh_authzkeys_username}
 
 KbdInteractiveAuthentication no
 PasswordAuthentication yes
diff --git a/files/usr/local/var/krb5kdc/kadm5.acl.idm_server b/files/usr/local/var/krb5kdc/kadm5.acl.idm_server
index c2a454b..9f7507e 100644
--- a/files/usr/local/var/krb5kdc/kadm5.acl.idm_server
+++ b/files/usr/local/var/krb5kdc/kadm5.acl.idm_server
@@ -1,2 +1,2 @@
-*/admin@${realm} * * -maxlife 1h -postdateable
-${boxconf_username}@${realm} * * -maxlife 5m -postdateable
+*/admin@${realm} * *
+${boxconf_username}@${realm} * *
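Review bot: Dropping `-maxlife 1h -postdateable` and `-maxlife 5m -postdateable` removes the only per-admin restrictions in this ACL, and the commit message gives no reason. As I read MIT's kadm5.acl(5), that field is applied to principals the matching admin creates or modifies, so after this change both `*/admin` and the boxconf principal can create accounts with whatever ticket lifetime and postdating policy the realm default permits. If the limit now lives in kdc.conf or a kadmin policy, say so in the file, e.g. `# lifetime limits are enforced realm-wide via kdc.conf max_life; no per-admin restrictions here`; otherwise keep the restriction on the boxconf line at least, since that is the automation account.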