author | Joel Thompson <joel@jthompson.io> | 2018-03-20 07:26:23 +0000 |
---|---|---|
committer | Jörg Thalheim <joerg@thalheim.io> | 2018-03-20 07:36:23 +0000 |
commit | fe2e4d6fb952fabd69d9636ee5e6b8464923f4b4 (patch) | |
tree | 7e059642ba2959af2f46a0145db1173a001db3f1 | |
parent | d6d140f15963456fe05ed726865b8ce6ab5ef582 (diff) | |
hologram: Enable configuring LDAP authorization
In AdRoll/hologram#62, support was added to hologram for configuring LDAP-based authorization of which roles a user is allowed to obtain credentials for. This adds the ability to configure that. Additionally, AdRoll/hologram#94 added support for customizing the LDAP group query, so this also feeds that configuration through. fixes #37393
-rw-r--r-- | nixos/modules/services/security/hologram-server.nix | 27 |
1 files changed, 24 insertions, 3 deletions
diff --git a/nixos/modules/services/security/hologram-server.nix b/nixos/modules/services/security/hologram-server.nix
index e267fed2795..bb56e2df09b 100644
--- a/nixos/modules/services/security/hologram-server.nix
+++ b/nixos/modules/services/security/hologram-server.nix
@@ -12,9 +12,12 @@ let
       dn = cfg.ldapBindDN;
       password = cfg.ldapBindPassword;
     };
-    insecureldap = cfg.ldapInsecure;
-    userattr = cfg.ldapUserAttr;
-    baseDN = cfg.ldapBaseDN;
+    insecureldap = cfg.ldapInsecure;
+    userattr = cfg.ldapUserAttr;
+    baseDN = cfg.ldapBaseDN;
+    enableldapRoles = cfg.enableLdapRoles;
+    roleAttr = cfg.roleAttr;
+    groupClassAttr = cfg.groupClassAttr;
   };
   aws = {
     account = cfg.awsAccount;
@@ -70,6 +73,24 @@ in {
       description = "Password of account to use to query the LDAP server";
     };
 
+    enableLdapRoles = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Whether to assign user roles based on the user's LDAP group memberships";
+    };
+
+    groupClassAttr = mkOption {
+      type = types.str;
+      default = "groupOfNames";
+      description = "The objectclass attribute to search for groups when enableLdapRoles is true";
+    };
+
+    roleAttr = mkOption {
+      type = types.str;
+      default = "businessCategory";
+      description = "Which LDAP group attribute to search for authorized role ARNs";
+    };
+
     awsAccount = mkOption {
       type = types.str;
       description = "AWS account number";
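Review bot: The `groupClassAttr` description in the second hunk calls the value "the objectclass attribute", but its default `groupOfNames` is an objectClass value, not an attribute name, so the wording points administrators at the wrong thing; suggest `description = "The objectClass value used to match group entries when enableLdapRoles is true";`. The `roleAttr` description should also make the trust boundary explicit, since with `enableLdapRoles` on, whoever can write that attribute on group entries in the directory decides which AWS role ARNs hologram hands out; something like `description = "LDAP group attribute holding the role ARNs a member is authorized for; write access to this attribute grants AWS role access";` would do. In the first hunk the generated key `enableldapRoles` mixes casing with the option `enableLdapRoles` and with the neighbouring `roleAttr`/`groupClassAttr`; presumably it mirrors the key hologram itself reads, which is worth confirming, because a mismatch would leave the feature silently disabled while the option reports it as enabled.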