From fe2e4d6fb952fabd69d9636ee5e6b8464923f4b4 Mon Sep 17 00:00:00 2001
From: Joel Thompson
Date: Tue, 20 Mar 2018 07:26:23 +0000
Subject: [PATCH] hologram: Enable configuring LDAP authorization

In AdRoll/hologram#62 support was added to hologram to configure LDAP-based authorization of which roles a user was allowed to get credentials for. This adds the ability to configure that. Additionally, AdRoll/hologram/#94 added support to customize the LDAP group query, so this also feeds that configuration through. fixes #37393
---
 .../services/security/hologram-server.nix | 27 ++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)

diff --git a/nixos/modules/services/security/hologram-server.nix b/nixos/modules/services/security/hologram-server.nix
index e267fed27955..bb56e2df09b7 100644
--- a/nixos/modules/services/security/hologram-server.nix
+++ b/nixos/modules/services/security/hologram-server.nix
@@ -12,9 +12,12 @@ let
         dn = cfg.ldapBindDN;
         password = cfg.ldapBindPassword;
       };
-      insecureldap = cfg.ldapInsecure;
-      userattr = cfg.ldapUserAttr;
-      baseDN = cfg.ldapBaseDN;
+      insecureldap = cfg.ldapInsecure;
+      userattr = cfg.ldapUserAttr;
+      baseDN = cfg.ldapBaseDN;
+      enableldapRoles = cfg.enableLdapRoles;
+      roleAttr = cfg.roleAttr;
+      groupClassAttr = cfg.groupClassAttr;
     };
     aws = {
       account = cfg.awsAccount;
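Review bot: The new key `enableldapRoles` (lowercase `ldap`) is spelled differently from the NixOS option `enableLdapRoles` it is assigned from, and nothing in the hunk says the mismatch is intentional; a later cleanup that "fixes" the casing would silently stop hologram from reading the flag if it matches the key exactly, leaving role authorization off with no error. Add a comment above the block such as `# attribute names here are hologram's config-file field names, not the NixOS option names` so the spelling is not normalised by accident. I cannot confirm from this page which spelling hologram expects, so the comment should be checked against the upstream config parser. The attribute set these lines belong to starts before the hunk.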
@@ -70,6 +73,24 @@ in {
         description = "Password of account to use to query the LDAP server";
       };
 
+      enableLdapRoles = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Whether to assign user roles based on the user's LDAP group memberships";
+      };
+
+      groupClassAttr = mkOption {
+        type = types.str;
+        default = "groupOfNames";
+        description = "The objectclass attribute to search for groups when enableLdapRoles is true";
+      };
+
+      roleAttr = mkOption {
+        type = types.str;
+        default = "businessCategory";
+        description = "Which LDAP group attribute to search for authorized role ARNs";
+      };
+
       awsAccount = mkOption {
         type = types.str;
         description = "AWS account number";
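Review bot: The description of `groupClassAttr` calls it "The objectclass attribute", but its default `groupOfNames` is an objectClass value, not an attribute name, so an operator reading the option will not know whether to supply an attribute or a class; suggest `description = "The objectClass value that identifies group entries when enableLdapRoles is true";`. `roleAttr` is likewise only consulted when `enableLdapRoles` is true, but its description does not say so, while the `enableLdapRoles` description does not state the security effect the commit message gives (restricting which roles a user may obtain credentials for): `description = "Whether to restrict the roles a user may obtain credentials for to those granted by the user's LDAP group memberships";` and `description = "Which LDAP group attribute holds the authorized role ARNs (only used when enableLdapRoles is true)";`. These are description-only changes; I cannot verify from this page how hologram uses the values, so the wording should be checked against upstream before merging.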