Use security.ldap for ldap login
parent
0fb9607021
commit
547ad2e011
|
@ -127,6 +127,12 @@ in
|
|||
"/var/lib/hydra/machines"
|
||||
];
|
||||
hydraURL = "https://hydra.hq.c3d2.de";
|
||||
ldap = {
|
||||
enable = true;
|
||||
roleMappings = [
|
||||
{ hydra-admins = "admin"; }
|
||||
];
|
||||
};
|
||||
logo = ./c3d2.svg;
|
||||
minimumDiskFree = 50;
|
||||
minimumDiskFreeEvaluator = 50;
|
||||
|
@ -144,59 +150,6 @@ in
|
|||
max_output_size = ${toString (5*1024*1024*1024)} # sd card and raw images
|
||||
store_uri = auto?secret-key=${key}&write-nar-listing=1&ls-compression=zstd&log-compression=zstd
|
||||
upload_logs_to_binary_cache = true
|
||||
|
||||
# https://hydra.nixos.org/build/196107287/download/1/hydra/configuration.html#using-ldap-as-authentication-backend-optional
|
||||
<ldap>
|
||||
<config>
|
||||
<credential>
|
||||
class = Password
|
||||
password_field = password
|
||||
password_type = self_check
|
||||
</credential>
|
||||
<store>
|
||||
class = LDAP
|
||||
ldap_server = auth.c3d2.de
|
||||
<ldap_server_options>
|
||||
scheme = ldaps
|
||||
timeout = 10
|
||||
</ldap_server_options>
|
||||
binddn = "uid=search,ou=users,dc=c3d2,dc=de"
|
||||
include ldap-password.conf
|
||||
start_tls = 0
|
||||
<start_tls_options>
|
||||
ciphers = TLS_AES_256_GCM_SHA384
|
||||
sslversion = tlsv1_3
|
||||
# verify = none
|
||||
</start_tls_options>
|
||||
user_basedn = "ou=users,dc=c3d2,dc=de"
|
||||
user_filter = "(&(objectclass=person)(uid=%s))"
|
||||
user_scope = one
|
||||
user_field = uid
|
||||
<user_search_options>
|
||||
deref = always
|
||||
</user_search_options>
|
||||
# Important for role mappings to work:
|
||||
use_roles = 1
|
||||
role_basedn = "ou=groups,dc=c3d2,dc=de"
|
||||
role_filter = "(&(objectclass=groupOfNames)(cn=hydra-admins))"
|
||||
role_scope = one
|
||||
role_field = cn
|
||||
role_value = dn
|
||||
<role_search_options>
|
||||
deref = always
|
||||
</role_search_options>
|
||||
</store>
|
||||
</config>
|
||||
<role_mapping>
|
||||
# maps directly to user roles
|
||||
# Make all users in the hydra-admin group Hydra admins
|
||||
# IMPORTANT: if new groups are used, they need to be added to the role_filter above
|
||||
hydra-admins = admin
|
||||
# Allow all users in the dev group to restart jobs and cancel builds
|
||||
#dev = restart-jobs
|
||||
#dev = cancel-build
|
||||
</role_mapping>
|
||||
</ldap>
|
||||
'';
|
||||
};
|
||||
|
||||
|
|
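Review bot: The new `ldap = { enable = true; roleMappings = [ … ]; };` block in the first hunk has no comment saying where the connection settings now come from, although the removed inline config pinned `scheme = ldaps`, `sslversion = tlsv1_3`, the bind secret via `include ldap-password.conf`, and a `role_filter` limited to `cn=hydra-admins`. None of these appear on the new side, so presumably the security.ldap module named in the commit title supplies them. That is worth confirming before merge, in particular that the connection still uses ldaps with certificate verification left on and that the role filter is derived from the `roleMappings` keys. I would add above the block `# server, ldaps/TLS settings and bind password come from security.ldap; roleMappings keys must match LDAP group cn values`. The enclosing attribute set starts and ends outside the hunk.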