diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index eac67cfdec5..4172bc6fbe1 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -484,6 +484,9 @@ let optionalString cfg.mysqlAuth '' account sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf '' + + optionalString (config.services.kanidm.enablePam) '' + account sufficient ${pkgs.kanidm}/lib/pam_kanidm.so ignore_unknown_user + '' + optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false) '' account sufficient ${pkgs.sssd}/lib/security/pam_sss.so '' + @@ -617,6 +620,9 @@ let optionalString use_ldap '' auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass '' + + optionalString config.services.kanidm.enablePam '' + auth sufficient ${pkgs.kanidm}/lib/pam_kanidm.so ignore_unknown_user use_first_pass + '' + optionalString config.services.sssd.enable '' auth sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_first_pass '' + @@ -653,6 +659,9 @@ let optionalString cfg.mysqlAuth '' password sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf '' + + optionalString config.services.kanidm.enablePam '' + password sufficient ${pkgs.kanidm}/lib/pam_kanidm.so + '' + optionalString config.services.sssd.enable '' password sufficient ${pkgs.sssd}/lib/security/pam_sss.so '' + @@ -714,6 +723,9 @@ let optionalString cfg.mysqlAuth '' session optional ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf '' + + optionalString config.services.kanidm.enablePam '' + session optional ${pkgs.kanidm}/lib/pam_kanidm.so + '' + optionalString config.services.sssd.enable '' session optional ${pkgs.sssd}/lib/security/pam_sss.so '' + @@ -1298,6 +1310,7 @@ in # Include the PAM modules in the system path mostly for the manpages. [ pkgs.pam ] ++ optional config.users.ldap.enable pam_ldap + ++ optional config.services.kanidm.enablePam pkgs.kanidm ++ optional config.services.sssd.enable pkgs.sssd ++ optionals config.security.pam.krb5.enable [pam_krb5 pam_ccreds] ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ] @@ -1364,6 +1377,9 @@ in optionalString use_ldap '' mr ${pam_ldap}/lib/security/pam_ldap.so, '' + + optionalString config.services.kanidm.enablePam '' + mr ${pkgs.kanidm}/lib/pam_kanidm.so, + '' + optionalString config.services.sssd.enable '' mr ${pkgs.sssd}/lib/security/pam_sss.so, '' + diff --git a/nixos/modules/services/security/kanidm.nix b/nixos/modules/services/security/kanidm.nix index 7ec7a159873..71ccded7dce 100644 --- a/nixos/modules/services/security/kanidm.nix +++ b/nixos/modules/services/security/kanidm.nix @@ -320,6 +320,7 @@ in ProtectHome = false; RestrictAddressFamilies = [ "AF_UNIX" ]; TemporaryFileSystem = "/:ro"; + Restart = "on-failure"; }; environment.RUST_LOG = "info"; }; diff --git a/nixos/tests/kanidm.nix b/nixos/tests/kanidm.nix index 7e174590cb5..673a65174df 100644 --- a/nixos/tests/kanidm.nix +++ b/nixos/tests/kanidm.nix @@ -2,6 +2,10 @@ import ./make-test-python.nix ({ pkgs, ... }: let certs = import ./common/acme/server/snakeoil-certs.nix; serverDomain = certs.domain; + + testCredentials = { + password = "Password1_cZPEwpCWvrReripJmAZdmVIZd8HHoHcl"; + }; in { name = "kanidm"; @@ -73,17 +77,55 @@ import ./make-test-python.nix ({ pkgs, ... }: with subtest("Test CLI login"): client.succeed("kanidm login -D anonymous") client.succeed("kanidm self whoami | grep anonymous@${serverDomain}") + client.succeed("kanidm logout") with subtest("Recover idm_admin account"): # Must stop the server for account recovery or else kanidmd fails with # "unable to lock kanidm exclusive lock at /var/lib/kanidm/kanidm.db.klock". server.succeed("systemctl stop kanidm") - server.succeed("su - kanidm -c 'kanidmd recover-account -c ${serverConfigFile} idm_admin 2>&1 | rg -o \'[A-Za-z0-9]{48}\' '") + idm_admin_password = server.succeed("su - kanidm -c 'kanidmd recover-account -c ${serverConfigFile} idm_admin 2>&1 | rg -o \'[A-Za-z0-9]{48}\' '").strip().removeprefix("'").removesuffix("'") server.succeed("systemctl start kanidm") with subtest("Test unixd connection"): client.wait_for_unit("kanidm-unixd.service") # TODO: client.wait_for_file("/run/kanidm-unixd/sock") client.wait_until_succeeds("kanidm-unix status | grep working!") + + with subtest("Test user creation"): + client.wait_for_unit("getty@tty1.service") + client.wait_until_succeeds("pgrep -f 'agetty.*tty1'") + client.wait_until_tty_matches("1", "login: ") + client.send_chars("root\n") + client.send_chars("kanidm login -D idm_admin\n") + client.wait_until_tty_matches("1", "Enter password: ") + client.send_chars(f"{idm_admin_password}\n") + client.wait_until_tty_matches("1", "Login Success for idm_admin") + client.succeed("kanidm person create testuser TestUser") + client.succeed("kanidm person posix set --shell \"$SHELL\" testuser") + client.send_chars("kanidm person posix set-password testuser\n") + client.wait_until_tty_matches("1", "Enter new") + client.send_chars("${testCredentials.password}\n") + client.wait_until_tty_matches("1", "Retype") + client.send_chars("${testCredentials.password}\n") + output = client.succeed("getent passwd testuser") + assert "TestUser" in output + client.succeed("kanidm group create shell") + client.succeed("kanidm group posix set shell") + client.succeed("kanidm group add-members shell testuser") + + with subtest("Test user login"): + client.send_key("alt-f2") + client.wait_until_succeeds("[ $(fgconsole) = 2 ]") + client.wait_for_unit("getty@tty2.service") + client.wait_until_succeeds("pgrep -f 'agetty.*tty2'") + client.wait_until_tty_matches("2", "login: ") + client.send_chars("testuser\n") + client.wait_until_tty_matches("2", "login: testuser") + client.wait_until_succeeds("pgrep login") + client.wait_until_tty_matches("2", "Password: ") + client.send_chars("${testCredentials.password}\n") + client.wait_until_succeeds("systemctl is-active user@$(id -u testuser).service") + client.send_chars("touch done\n") + client.wait_for_file("/home/testuser@${serverDomain}/done") ''; })