Eel: host for kerberos kdc and ldap by jaysa68 · Pull Request #326 · ocf/nix

jaysa68 · 2026-05-07T13:27:48Z

meant to replace our debian host, firestorm.

24apricots

this is a painful migration. thank you for ur hard work..

24apricots · 2026-05-10T14:08:09Z

+  ocf.kerberosKdc.enable = true;
+  ocf.ldapServer.enable = true;
+
+  ocf.acme.extraCerts = [


the extraCerts urls should be passed into a url module options in the respective modules. this would enforce correct behavior as the modules would be able to require that certs are added for ldaps://* to work properly. make sure that the module throws an error when it is enabled without adding a tls cert

24apricots · 2026-05-10T14:09:28Z

this can be done natively with kerberos, and all clients can enforce passwords by writing to kerberos and handling the error + maybe parsing the policy to get the password requirements.

this does not need to be fixed now and is not a regression. will create an issue

24apricots · 2026-05-10T14:10:01Z

+}:
+
+let
+  cfg = config.ocf.kerberosKdc;


Kdc should be KDC but whatever lol

24apricots · 2026-05-10T14:14:27Z

+          acl = [
+            # Staff /admin principals have full KDC access
+            {
+              principal = "*/admin";


can we check if a wildcard like this is ok? ocf/puppet explicitly specifies each user's admin and root principal

24apricots · 2026-05-10T14:15:31Z

+    services.kerberos_server = {
+      enable = true;
+      settings = {
+        kdc.extra-addresses = "127.0.0.2";


is this necessary

24apricots · 2026-05-10T15:09:06Z

+              # chatbot) repos anyway, no real reason for it to exist. may
+              # delete soon anyway.
+
+              olcAccess = [


this config makes me nervous since it is a lot of unnecessary fiddling around from what we know works perfectly. the comments were reworded from puppet, but that aside i think it would be better to just drop https://github.com/ocf/puppet/blob/master/modules/ocf_ldap/templates/slapd.conf.erb in services.openldap.settings.includes, but change anything that needs to be changed (for example tls certs).

24apricots · 2026-05-10T15:11:33Z

+  };
+
+  # The KDC database lives in /var/lib/heimdal/ and must be initialized manually:
+  #   kadmin -l init OCF.BERKELEY.EDU


i was going to say do this automatically, but i am leaning on letting it fail so that the person deploying knows that they have to either init an empty kdc or migrate. so i think this is ok 👍

24apricots · 2026-05-10T15:15:04Z

why was this file edited?

24apricots · 2026-05-10T15:15:15Z

why was this file edited?

24apricots · 2026-05-10T15:28:38Z

final sanity checks to do at the final moment after no more changes will be made:

check that kerberos and ldap backups work, check the backup diff to see if anything went terribly wrong
check reading and writing: kinit, ldapsearch, ldapvi
ldapsearch userPassword with gssapi auth (userPassword should only be visible with */admin ticket)
account creation
keycloak

lets start with migrating nix hosts, then debian hosts. we should do this cautiously

jaysa68 changed the title ~~Eel~~ Eel: host for kerberos kdc and ldap May 7, 2026

jaysa68 force-pushed the eel branch 3 times, most recently from 88deee8 to cdcb775 Compare May 10, 2026 05:09

jaysa68 and others added 26 commits May 9, 2026 22:09

eel draft

1c2ec9c

ldap and krb modules

dc768aa

nix fmt

2eebbd3

move kerberos-kdc into auth module dir

a68f0db

use cpw instead of change-password in heimdal acl

9ebc0e5

publicKeyType should just be publicKey

ba0900a

specify 312

52cd212

add buildPerlPackage

2c97b1f

ok, custom installPhase

3853184

only need nativeBuildInputs makeWrapper

bcf8783

writeShellScriptBin

0352865

mkIf localDeployment

9655a2e

fix format

19c6b9f

still fixing deployment

d51cb62

autoreconfHook

e6f69e8

add eel host key and ldap deploy secret

c011087

temp acme certs, fix ldap secret path

20b3ffb

extremely sad fucked up eels octet

cc6cb22

make ldap-keytab secret optional for now

93a6c6f

rekey eel secrets

771b9f4

at last, the keytab secret. after kdc dump

c4c61f8

nix fmt

153e62f

i have no mouth and i must rekey

8389c23

kerb backup script, firewall rules

b9e28cf

TLS cipher string in OpenSSL compatible format

2ab8319

upload eels real key

b74efb7

Jaysa Garcia and others added 18 commits May 9, 2026 22:09

i forgot to rekey dude

e36852b

ldap-git-backup: add missing Error.pm perl dependency

00dd7dc

ldap-server: pass -F to slapcat for NixOS config dir

52ee4f5

ldap-git-backup: patch /usr/bin/perl shebang for NixOS

9916dfb

ldap-server: add openssh to ldap-git-backup service PATH

d7516ec

ldap-server: use openssh_gssapi in ldap-git-backup service PATH

a47d913

ldap-server: set git user config in ldap-git-backup script

48d7103

ldap-server: treat git gc exit code 7 as success

0f074ef

ldap-server: handle git gc exit 7 so git push always runs

c3d92d9

add ldapai for admin access

28ea16f

temp patch to drop OpenLDAPaci

7cf9918

post-install fix pls

c9ab2dd

nix fmt

2ef45b7

add comment referring to puppet, motd, acme certs that are real

adc9e86

correct kdc name

e657c91

add openssl in base.nix

add6ed6

fullchain cert

90e8ab0

dont mess with motd module

59b721b

jaysa68 force-pushed the eel branch from cdcb775 to aaf3e2a Compare May 10, 2026 05:09

point clients at ldap0 and kdc (eel) as primary servers

5ad2e2e

jaysa68 force-pushed the eel branch from 8858b48 to 5ad2e2e Compare May 10, 2026 07:24

jaysa68 and others added 5 commits May 10, 2026 00:41

add acme cert lol

e1b0feb

enable fast false

0b25818

rekey ldap-eel keytab

689d47c

rekey secrets

cacf0c6

move kdc services start after ldap

6862d74

24apricots requested changes May 10, 2026

View reviewed changes

24apricots mentioned this pull request May 10, 2026

deprecate kerberos check-pass-strength.py #331

Open

24apricots marked this pull request as draft May 14, 2026 20:36

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Eel: host for kerberos kdc and ldap#326

Eel: host for kerberos kdc and ldap#326
jaysa68 wants to merge 50 commits into
mainfrom
eel

jaysa68 commented May 7, 2026 •

edited

Loading

Uh oh!

24apricots left a comment

Uh oh!

24apricots May 10, 2026

Uh oh!

24apricots May 10, 2026

Uh oh!

24apricots May 10, 2026

Uh oh!

24apricots May 10, 2026

Uh oh!

24apricots May 10, 2026

Uh oh!

24apricots May 10, 2026

Uh oh!

Uh oh!

24apricots May 10, 2026

Uh oh!

24apricots May 10, 2026

Uh oh!

24apricots May 10, 2026

Uh oh!

24apricots May 10, 2026

Uh oh!

24apricots commented May 10, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

jaysa68 commented May 7, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

24apricots left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

24apricots commented May 10, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

jaysa68 commented May 7, 2026 •

edited

Loading

24apricots commented May 10, 2026 •

edited

Loading