skydick: enable LDAP-backed NSS for POSIX identity resolution
Add users.ldap with nslcd pointed at ldap://10.0.0.1/ for passwd/group
lookups. This is identity-only: loginPam=false keeps SSH/console auth
local, and Samba stays on tdbsam until sambaSamAccount objects exist
in LDAP.

- Add agenix secret for LDAP bind credential (cn=query_user)
- nss_initgroups_ignoreusers ALLLOCAL avoids boot-time NSS deadlock
- Add openldap package for admin ldapsearch/ldapmodify
- Update DATAPOOL.md to reflect LDAP identity model, numeric UID/GID
  in tmpfiles for LDAP-only users, and current auth boundaries

Co-Authored-By: Claude Opus 4.6 <[email protected]>
Commit ec5ead0017e603b846c6465f3b42a8993f22fd3d (parent c6d5865), authored by Dixiao-L 17 days ago.

4 changed files:
- hosts/skydick/DATAPOOL.md
- hosts/skydick/default.nix
- secrets/secrets.nix
- secrets/skydick-ldap-bind.age (new file, mode 100644; diff not rendered)
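The diff itself is not rendered on this page, so the following is an added illustration of the identity-only model the commit message describes, written here as an example and not taken from the repository's hosts/skydick/default.nix. It uses the standard NixOS `users.ldap` module with nslcd and an agenix-managed bind password. The server URL, the `cn=query_user` bind account, the `ALLLOCAL` setting, `loginPam = false` and the openldap package come from the commit message; the secret name `skydick-ldap-bind`, the relative path to the `.age` file, and the `dc=example,dc=org` suffix are assumptions.

```nix
# Added example of an LDAP-for-NSS-only configuration, not the commit's own
# module. Assumed: the agenix secret is named "skydick-ldap-bind", the .age
# file lives two directories up, and dc=example,dc=org stands in for the real
# base DN.
{ config, pkgs, ... }:

{
  # Bind credential for nslcd, decrypted by agenix at activation time.
  # nslcd reads it at service start, so it must be readable by that user.
  age.secrets.skydick-ldap-bind = {
    file = ../../secrets/skydick-ldap-bind.age;   # assumed path
    owner = "nslcd";
    group = "nslcd";
    mode = "0400";
  };

  users.ldap = {
    enable = true;
    server = "ldap://10.0.0.1/";
    base = "dc=example,dc=org";                   # placeholder base DN

    # Identity only: passwd/group lookups go to LDAP, but PAM never
    # consults the directory, so SSH and console logins keep using
    # local credentials (the boundary the commit message describes).
    nsswitch = true;
    loginPam = false;

    bind = {
      distinguishedName = "cn=query_user,dc=example,dc=org";  # suffix assumed
      passwordFile = config.age.secrets.skydick-ldap-bind.path;
    };

    daemon = {
      enable = true;   # run nslcd instead of the in-process nss_ldap module
      extraConfig = ''
        # Do not ask LDAP for supplementary groups of local accounts.
        # Early-boot services that enumerate groups for root or system
        # users would otherwise block on a directory that is not yet
        # reachable, which is the NSS deadlock the commit message avoids.
        nss_initgroups_ignoreusers ALLLOCAL
      '';
    };
  };

  # Client tools for ad hoc ldapsearch/ldapmodify against the directory.
  environment.systemPackages = [ pkgs.openldap ];
}
```

After a rebuild, `getent passwd <ldap-user>` should resolve through nslcd for an account that has no entry in /etc/passwd, while the generated PAM stacks under /etc/pam.d (for example sshd and login) should contain no pam_ldap line; both checks together confirm that LDAP supplies identity without becoming an authentication path.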