Merge 9dc6528845 into 4f050cded5

build(deps): bump actions/checkout from 4.1.4 to 4.1.5
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.4 to 4.1.5. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v4.1.4...v4.1.5) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
2024-05-07 09:41:26 +02:00 · 2024-05-06 22:40:29 +02:00 · 2024-04-23 23:01:05 +02:00
3 changed files with 158 additions and 8 deletions
--- a/.github/workflows/docker-build-static.yml
+++ b/.github/workflows/docker-build-static.yml
@ -87,7 +87,7 @@ jobs:
      image: lldap/rust-dev:latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4.1.4
+        uses: actions/checkout@v4.1.5
      - uses: actions/cache@v4
        with:
          path: |
@ -132,7 +132,7 @@ jobs:
        CARGO_HOME: ${GITHUB_WORKSPACE}/.cargo
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4.1.4
+        uses: actions/checkout@v4.1.5
      - uses: actions/cache@v4
        with:
          path: |
@ -294,7 +294,7 @@ jobs:

    steps:
       - name: Checkout scripts
-         uses: actions/checkout@v4.1.4
+         uses: actions/checkout@v4.1.5
         with:
           sparse-checkout: 'scripts'

@ -482,7 +482,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4.1.4
+        uses: actions/checkout@v4.1.5

      - name: Download all artifacts
        uses: actions/download-artifact@v4
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@ -33,7 +33,7 @@ jobs:

    steps:
      - name: Checkout sources
-        uses: actions/checkout@v4.1.4
+        uses: actions/checkout@v4.1.5
      - uses: Swatinem/rust-cache@v2
      - name: Build
        run: cargo build --verbose --workspace
@ -52,7 +52,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout sources
-        uses: actions/checkout@v4.1.4
+        uses: actions/checkout@v4.1.5

      - uses: Swatinem/rust-cache@v2

@ -69,7 +69,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout sources
-        uses: actions/checkout@v4.1.4
+        uses: actions/checkout@v4.1.5

      - uses: Swatinem/rust-cache@v2

@ -88,7 +88,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout sources
-        uses: actions/checkout@v4.1.4
+        uses: actions/checkout@v4.1.5

      - name: Install Rust
        run: rustup toolchain install nightly --component llvm-tools-preview && rustup component add llvm-tools-preview --toolchain stable-x86_64-unknown-linux-gnu
--- a/example_configs/sssd.md
+++ b/example_configs/sssd.md
@ -0,0 +1,150 @@
+# SSSD configuration
+
+> [!WARNING]  
+> Since we need to create custom user attributes, you must run `latest` version of LLDAP - `stable` does not have this functionality yet.
+
+The following configuration was tested on sssd version 2.9.1. It may not work on older versions.
+
+To work properly SSSD also needs correct openldap-client configuration.
+
+## Packages
+
+Here are the packages needed in Oracle Linux 9:
+
+`openldap-clients openldap-devel sssd sssd-ldap`
+
+## Configure OpenLDAP client
+
+### Certificates - skip if you don't use LDAPS
+
+1. Place your certs in `/etc/openldap/certs`
+2. Run `openssl rehash /etc/openldap/certs`
+
+### Config
+
+Create or modify `/etc/openldap/ldap.conf`:
+
+```
+URI ldaps://LDAP_SERVER_URL # Use ldap:// if you don't use LDAPS
+BASE dc=example,dc=com
+TLS_CACERTDIR /etc/openldap/certs # Skip if you don't use LDAPS
+ssl on # Skip if you don't use LDAPS
+```
+
+### Verify
+
+To check if your config is correct you can use `ldapsearch`:
+
+```bash
+ldapsearch -x -D "uid=admin,ou=people,dc=example,dc=com" -w "${ADMIN_PASSWORD}" -b "ou=people,dc=example,dc=com"
+```
+
+The above command should return list of your users.
+
+## Prepare LLDAP
+
+SSSD requires some specific setup.
+
+All of your users need `uidnumber` and `gidnumber` - these are not generated by default in LLDAP.
+
+To create these user attributes you can use either the web GUI or [lldap-cli](https://github.com/Zepmann/lldap-cli), but webp GUI does not support setting them.
+
+To set these custom user attributes with [lldap-cli](https://github.com/Zepmann/lldap-cli):
+
+```bash
+# Login to your LLDAP server
+eval $(lldap-cli -D admin -w abcd1234 login)
+
+# Add uidnumber and gidnumber attributes
+lldap-cli schema attribute user add uidnumber integer
+lldap-cli schema attribute user add gidnumber integer
+```
+
+You must also manually set the above attributes for each user, eg. for user `admin` with `uidnumber` 2000 and `gidnumber` 2000:
+
+```bash
+lldap-cli user update set admin uidnumber 2000
+lldap-cli user update set admin gidnumber 2000
+```
+
+> [!WARNING]
+> To set each user's home directory, use `homeDirectory` attribute. It can be also simply hardcoded in SSSD (as shown below).
+
+To overwrite user's shell you can use `loginShell` attribute.
+
+To make groups discoverable by SSSD you need to add `posixGroup` objectClass:
+
+```bash
+lldap-cli schema objectclass group add posixGroup
+```
+
+## Configure SSSD
+
+1. Configure System Services for SSSD:
+
+```bash
+authselect select sssd
+```
+
+2. Create or modify `/etc/sssd/sssd.conf`:
+
+```bash
+[domain/default]
+ldap_uri               = ldaps://LDAP_SERVER_URL # Use ldap:// if you don't use LDAPS
+ldap_default_bind_dn   = uid=admin,ou=people,dc=example,dc=com
+ldap_default_authtok   = ADMIN_PASSWORD
+ldap_search_base       = dc=example,dc=com
+ldap_tls_reqcert       = allow # Skip if you don't use LDAPS
+ldap_tls_cacertdir     = /etc/openldap/certs # Skip if you don't use LDAPS
+ldap_schema = rfc2307bis
+
+enumerate              = true
+cache_credentials      = true
+
+id_provider            = ldap
+auth_provider          = ldap
+chpass_provider        = ldap
+
+override_homedir       = /home/ldapusers     # Skip if you use homeDirectory attribute
+default_shell          = /bin/bash
+
+[sssd]
+services               = nss, pam, ssh, sudo
+config_file_version    = 2
+
+domains = default
+```
+
+Remember to set correct permissions for `sssd.conf`:
+
+```bash
+chmod 600 /etc/sssd/sssd.conf
+```
+
+3. Start sssd daemon:
+
+```bash
+systemctl start sssd
+```
+
+### Verify
+
+To check if SSSD works correctly:
+
+```bash
+getent passwd <UID>
+```
+
+The above command should return passwd entry for your user.
+
+# SUDO
+
+Since LLDAP does not have `sudoRole` objectClass, to allow access to sudo you must use groups and manually modify `sudoers` on each host.
+
+The group you want to use must have `gidnumber` attribute.
+
+For example to allow any user in the group with gidNumber 2000 to run any sudo command append the following in the `sudoers` (`visudo`):
+
+```
+%#2000 ALL=(ALL:ALL) ALL
+```