fix: disable kanidm anon account in kanidm unit

This commit is contained in:
nhnn
2025-07-10 11:59:56 +03:00
committed by Inex Code
parent 76cc815db0
commit cf160379c0
2 changed files with 5 additions and 3 deletions


@@ -81,9 +81,6 @@ let
fi fi
fi fi
# disable anonymous account because it allows to freely iterate over all users on kanidm instance.
$KANIDM service-account validity expire-at anonymous epoch
# create a new token for kanidm # create a new token for kanidm
if ! KANIDM_SERVICE_ACCOUNT_TOKEN_JSON="$($KANIDM service-account api-token generate --name idm_admin "${kanidmServiceAccountName}" "${kanidmServiceAccountTokenName}" ${lib.strings.optionalString isRW "--rw"} --output json)" if ! KANIDM_SERVICE_ACCOUNT_TOKEN_JSON="$($KANIDM service-account api-token generate --name idm_admin "${kanidmServiceAccountName}" "${kanidmServiceAccountTokenName}" ${lib.strings.optionalString isRW "--rw"} --output json)"
then then
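Review bot: The new `$KANIDM service-account validity expire-at anonymous epoch` line has no status check, so if it fails (expired login session, unreachable instance, rejected argument) the script continues and the anonymous account stays enabled, even though the very next command, the token generation, is guarded with `if ! …; then`. Guard it the same way so a failed hardening step is visible and stops provisioning, e.g. `$KANIDM service-account validity expire-at anonymous epoch || { echo "failed to expire anonymous account" >&2; exit 1; }`, adapting the failure branch to what the surrounding `if ! … then` block does. The unguarded `${cfg.package}/bin/kanidm service-account validity expire-at anonymous epoch` line in the second file's hunk has the same gap. The enclosing shell body starts before this hunk, so the exact failure-handling convention in use is not fully visible here.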


@@ -234,7 +234,12 @@ let
export KANIDM_URL="${cfg.provision.instanceUrl}" export KANIDM_URL="${cfg.provision.instanceUrl}"
export KANIDM_SKIP_HOSTNAME_VERIFICATION="true" export KANIDM_SKIP_HOSTNAME_VERIFICATION="true"
KANIDM_PASSWORD="$KANIDM_IDM_ADMIN_PASSWORD" ${cfg.package}/bin/kanidm login KANIDM_PASSWORD="$KANIDM_IDM_ADMIN_PASSWORD" ${cfg.package}/bin/kanidm login
# disable anonymous account because it allows to freely iterate over all users on kanidm instance.
${cfg.package}/bin/kanidm service-account validity expire-at anonymous epoch
${createAndPopulateGroups} ${createAndPopulateGroups}
unset HOME unset HOME
unset KANIDM_NAME unset KANIDM_NAME
unset KANIDM_URL unset KANIDM_URL