From 45a5a108818860b96fb58a2d1eed83940bc9798e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Torjus=20H=C3=A5kestad?= Date: Sun, 8 Feb 2026 15:09:05 +0100 Subject: [PATCH] docs: update auth-system-replacement plan with PAM/NSS progress - Mark PAM/NSS client module as complete - Mark documentation as complete - Update provisioning approach (declarative groups, imperative users) - Add details on client module and verified functionality - Update next steps Co-Authored-By: Claude Opus 4.5 --- docs/plans/auth-system-replacement.md | 52 +++++++++++++++++++-------- 1 file changed, 38 insertions(+), 14 deletions(-) diff --git a/docs/plans/auth-system-replacement.md b/docs/plans/auth-system-replacement.md index 569e683..dcd97c7 100644 --- a/docs/plans/auth-system-replacement.md +++ b/docs/plans/auth-system-replacement.md @@ -66,9 +66,9 @@ This future migration path is a strong argument for Kanidm over LDAP-only soluti - Vault integration for idm_admin password - LDAPS on port 636 -2. **Configure declarative provisioning** ✅ - - Groups: `admins`, `users`, `ssh-users` - - User: `torjus` (member of all groups) +2. **Configure provisioning** ✅ + - Groups provisioned declaratively: `admins`, `users`, `ssh-users` + - Users managed imperatively via CLI (allows setting POSIX passwords in one step) - POSIX attributes enabled (UID/GID range 65,536-69,999) 3. **Test NAS integration** (in progress) 
@@ -80,14 +80,16 @@ This future migration path is a strong argument for Kanidm over LDAP-only soluti - Grafana - Other services as needed -5. **Create client module** in `system/` for PAM/NSS - - Enable on all hosts that need central auth - - Configure trusted CA +5. **Create client module** in `system/` for PAM/NSS ✅ + - Module: `system/kanidm-client.nix` + - `homelab.kanidm.enable = true` enables PAM/NSS + - Short usernames (not SPN format) + - Home directory symlinks via `home_alias` + - Enabled on test tier: testvm01, testvm02, testvm03 -6. **Documentation** - - User management procedures - - Adding new OAuth2 clients - - Troubleshooting PAM/NSS issues +6. **Documentation** ✅ + - `docs/user-management.md` - CLI workflows, troubleshooting + - User/group creation procedures verified working ## Progress 
@@ -106,14 +108,37 @@ This future migration path is a strong argument for Kanidm over LDAP-only soluti - Prometheus monitoring scrape target configured **Provisioned entities:** -- Groups: `admins`, `users`, `ssh-users` -- User: `torjus` (member of all groups, POSIX enabled with GID 65536) +- Groups: `admins`, `users`, `ssh-users` (declarative) +- Users managed via CLI (imperative) **Verified working:** - WebUI login with idm_admin - LDAP bind and search with POSIX-enabled user - LDAPS with valid internal CA certificate +### Completed (2026-02-08) - PAM/NSS Client + +**Client module deployed (`system/kanidm-client.nix`):** +- `homelab.kanidm.enable = true` enables PAM/NSS integration +- Connects to auth.home.2rjus.net +- Short usernames (`torjus` instead of `torjus@home.2rjus.net`) +- Home directory symlinks (`/home/torjus` → UUID-based dir) +- Login restricted to `ssh-users` group + +**Enabled on test tier:** +- testvm01, testvm02, testvm03 + +**Verified working:** +- User/group resolution via `getent` +- SSH login with Kanidm unix passwords +- Home directory creation with symlinks +- Imperative user/group creation via CLI + +**Documentation:** +- `docs/user-management.md` with full CLI workflows +- Password requirements (min 10 chars) +- Troubleshooting guide (nscd, cache invalidation) + ### UID/GID Range (Resolved) **Range: 65,536 - 69,999** (manually allocated) @@ -128,10 +153,9 @@ Rationale: ### Next Steps -1. Deploy to monitoring01 to enable Prometheus scraping +1. Enable PAM/NSS on production hosts (after test tier validation) 2. Configure TrueNAS LDAP client for NAS integration testing 3. Add OAuth2 clients (Grafana first) -4. Create PAM/NSS client module for other hosts ## References
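Review bot: in hunk `@@ -66,9 +66,9 @@`, replacing the declarative `torjus` user with "Users managed imperatively via CLI" drops the only versioned record of that account, and the bullet gives just one reason for the switch (setting POSIX passwords in one step). The plan should say how user state survives a server rebuild (a Kanidm backup/restore or a documented recreation procedure) and how the initial POSIX password reaches the user without sitting in shell history. Suggested wording: `- Users managed imperatively via CLI (one-step POSIX password); user state restored from backup on rebuild, see docs/user-management.md`.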
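Review bot: in hunk `@@ -80,14 +80,16 @@`, the old step 5 bullet `Configure trusted CA` is removed and the new bullets never say how the client verifies the server certificate, even though the Progress section records LDAPS "with valid internal CA certificate". Add a bullet stating which CA the module trusts (the internal CA, or the system trust store). Separately, step 6 is marked ✅ while `Adding new OAuth2 clients` disappears from the documentation list, yet OAuth2 clients are still step 4 and Next Steps item 3; either keep that doc item open or mark it deferred rather than complete.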
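Review bot: in hunk `@@ -106,14 +108,37 @@`, `Login restricted to ssh-users group` combined with `Troubleshooting guide (nscd, cache invalidation)` implies that removing someone from `ssh-users` does not take effect on a client until the nscd cache expires or is flushed; the user-management doc should state that revocation lag and the flush step as part of offboarding, not only as troubleshooting. Two smaller points: `Short usernames (not SPN format)` means a local account with the same name can shadow or be shadowed by a Kanidm user, so the NSS lookup order and a check for name collisions belong in the doc; and `Password requirements (min 10 chars)` should say whether that is the server-enforced floor or a local policy, and that the `Kanidm unix passwords` used for SSH are a credential separate from the WebUI login, so both need setting and rotation procedures.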
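Review bot: in hunk `@@ -128,10 +153,9 @@`, Next Steps item 1 `Enable PAM/NSS on production hosts (after test tier validation)` does not define what validation means. Before the production rollout the plan should list exit criteria: a local break-glass account with a non-Kanidm password on every host so an auth.home.2rjus.net outage or a stale cache does not lock out administration, and the observed behaviour on testvm01-03 when the server is unreachable (whether login fails closed and whether cached users still resolve). Dropping `Deploy to monitoring01 to enable Prometheus scraping` is consistent with `Prometheus monitoring scrape target configured` in the Completed section, but monitoring01 is not named there; confirm that is the host the target was configured for.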