Compare commits

base: torjus:kanidm-pam-client

Branches Tags

torjus:master torjus:nrec-forgejo torjus:jellyfin-maintenance torjus:loki-monitoring02 torjus:pipe-to-loki torjus:kanidm-pam-client torjus:deploy-test-hosts torjus:homelab-deploy-metrics torjus:host-vault01

..

compare: torjus:45a5a108818860b96fb58a2d1eed83940bc9798e

Branches Tags

torjus:master torjus:nrec-forgejo torjus:jellyfin-maintenance torjus:loki-monitoring02 torjus:pipe-to-loki torjus:kanidm-pam-client torjus:deploy-test-hosts torjus:homelab-deploy-metrics torjus:host-vault01

15 Commits

kanidm-pam ... 45a5a10881

Author	SHA1	Message	Date
Torjus Håkestad	45a5a10881	docs: update auth-system-replacement plan with PAM/NSS progress ... - Mark PAM/NSS client module as complete - Mark documentation as complete - Update provisioning approach (declarative groups, imperative users) - Add details on client module and verified functionality - Update next steps Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-08 15:09:05 +01:00
Torjus Håkestad	6a36ab4776	docs: add verified group creation example ... Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-08 15:05:20 +01:00
Torjus Håkestad	264862879d	docs: add verified user creation example ... Add complete example workflow and note password minimum (10 chars). Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-08 15:02:12 +01:00
Torjus Håkestad	264d26c2b3	kanidm: remove declarative user provisioning ... Keep base groups (admins, users, ssh-users) provisioned declaratively but manage regular users via the kanidm CLI. This allows setting POSIX attributes and passwords in a single workflow. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-08 14:55:19 +01:00
Torjus Håkestad	71a41d83ef	docs: switch to imperative user/group management ... Replace declarative NixOS provisioning examples with full CLI workflows. POSIX users and groups are now managed entirely via kanidm CLI, which allows setting all attributes (including UNIX passwords) in one step. Declarative provisioning may still be used for OIDC clients later. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-08 14:51:08 +01:00
Torjus Håkestad	dd9571d83a	docs: add home directory and enabled hosts info ... - Document UUID-based home directories with symlinks - List currently enabled hosts (testvm01-03) - Add cache-invalidate command to troubleshooting Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-08 14:45:37 +01:00
Torjus Håkestad	97c0b3f7a2	kanidm-client: use home_alias for symlink to short name ... Use home_alias instead of home_attr - this creates a symlink from /home/torjus to the actual home directory, providing a convenient short path without breaking the underlying storage. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-08 14:40:37 +01:00
Torjus Håkestad	44e146eedd	kanidm-client: use short name for home directory ... Set home_attr = "name" to use /home/torjus instead of /home/torjus@home.2rjus.net for user home directories. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-08 14:28:25 +01:00
Torjus Håkestad	d6606d3f53	docs: update kanidm troubleshooting with nscd restart ... Add troubleshooting tips discovered during testing: - kanidm-unix status command for checking connectivity - nscd restart required after config changes - Direct PAM auth test with kanidm-unix auth-test Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-08 14:27:15 +01:00
Torjus Håkestad	ad144bb574	kanidm-client: use short names instead of SPN format ... Configure uid_attr_map and gid_attr_map to "name" to return short usernames (torjus) instead of SPN format (torjus@home.2rjus.net). This fixes "PAM user mismatch" errors with SSH authentication. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-08 14:22:31 +01:00
Torjus Håkestad	74cdfae596	system: revert kanidm config to minimal for debugging	2026-02-08 14:04:59 +01:00
Torjus Håkestad	64dc10c6cd	system: fix kanidm unixd config structure for v1.8 ... Kanidm 1.8 requires: - version = "2" at top level - pam_allowed_login_groups inside [kanidm] section The NixOS module also requires pam_allowed_login_groups at top level, so we provide it at both places. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-08 14:00:55 +01:00
Torjus Håkestad	bab59665fd	system: fix kanidm PAM user mismatch ... Configure uid_attr_map and gid_attr_map to use short names instead of SPN format. This fixes SSH failing with "PAM user mismatch" because getent returned "torjus@home.2rjus.net" instead of "torjus". Also add user-management documentation. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-08 13:55:11 +01:00
Torjus Håkestad	189cfc890c	flake: add kanidm to devshell ... Add kanidm_1_8 CLI for administering the Kanidm server. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-08 13:46:53 +01:00
Torjus Håkestad	1d7eec7ad3	system: add kanidm PAM/NSS client module ... Add homelab.kanidm.enable option for central authentication via Kanidm. The module configures: - PAM/NSS integration with kanidm-unixd - Client connection to auth.home.2rjus.net - Login authorization for ssh-users group Enable on testvm01-03 for testing. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-08 13:43:41 +01:00

Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL

Expand all files Collapse all files

Diff Content Not Available