New Grimoire

2026-04-12 09:53:51 -05:00 · 2026-04-12 09:53:51 -05:00 · cc574f8aed
commit cc574f8aed
parent 77d589a13d
157 changed files with 29420 additions and 0 deletions
--- a/Ward-Grimoire/Access/Auth-Overview.md
+++ b/Ward-Grimoire/Access/Auth-Overview.md
@ -0,0 +1,39 @@
+---
+title: Authentication Overview
+description: SSO, LDAP, and access control in Netgrimoire
+published: true
+date: 2026-04-12T00:00:00.000Z
+tags: ward, auth, sso
+editor: markdown
+dateCreated: 2026-04-12T00:00:00.000Z
+---
+
+# Authentication Overview
+
+## SSO Providers
+
+| Provider | Scope | URL |
+|----------|-------|-----|
+| Authentik | `*.netgrimoire.com` | Protected via `caddy.import_1: authentik` label |
+| Authelia | `*.wasted-bandwidth.net` | Green Grimoire + Shadow Grimoire services |
+
+Both providers use LLDAP as their LDAP backend.
+
+## LLDAP
+
+Lightweight LDAP directory at `ldap.netgrimoire.com`. Postgres backend. Provides the user directory for both Authentik and Authelia.
+
+See [LDAP Client Setup](/Ward-Grimoire/Access/LDAP-Client-Setup) for configuring hosts to authenticate via LLDAP.
+
+## Vaultwarden
+
+Password manager at `pass.netgrimoire.com`. Protected by Authentik.
+
+## WireGuard
+
+5 VPN peers on 192.168.32.0/24. Managed in OPNsense. See [Host Inventory](/Keystone-Grimoire/Hosts/Host-Inventory) for peer assignments.
+
+## YubiKey (Planned)
+
+- PIV SSH authentication on all hosts — highest-impact pending integration
+- Challenge-response for LUKS / Kopia key derivation on znas
--- a/Ward-Grimoire/Access/LDAP-Client-Setup.md
+++ b/Ward-Grimoire/Access/LDAP-Client-Setup.md
@ -0,0 +1,218 @@
+---
+title: LDAP Client Setup
+description: 
+published: true
+date: 2026-02-20T04:33:31.862Z
+tags: 
+editor: markdown
+dateCreated: 2026-01-21T13:21:40.588Z
+---
+
+
+Your content here✅ LLDAP + SSSD Node Join Checklist (FINAL)
+
+Assumptions
+
+LLDAP server: docker4
+
+LDAP URI: ldap://docker4:3890
+
+Base DN: dc=netgrimoire,dc=com
+
+Users/groups use lowercase attributes (uidnumber, gidnumber, homedirectory, unixshell, uniquemember)
+
+No TLS (lab only)
+
+Docker group GID = 1964 in LDAP
+
+This node is Ubuntu/Debian-based
+
+0️⃣ Safety first (do this every time)
+
+Open two SSH sessions to the node
+
+Confirm you can sudo
+
+Do not edit nsswitch.conf until SSSD is confirmed working
+
+1️⃣ Install required packages
+sudo apt update
+sudo apt install -y sssd sssd-ldap sssd-tools libpam-sss libnss-sss libsss-sudo ldap-utils oddjob oddjob-mkhomedir
+
+Ensure legacy LDAP NSS is NOT installed
+sudo apt purge -y libnss-ldap libpam-ldap nslcd libnss-ldapd libpam-ldapd || true
+sudo apt autoremove -y
+
+2️⃣ Verify LDAP connectivity (must pass)
+getent hosts docker4
+nc -vz docker4 3890
+ldapwhoami -x -H ldap://docker4:3890 \
+  -D 'uid=admin,ou=people,dc=netgrimoire,dc=com' -w 'F@lcon13'
+
+
+❌ If any fail → stop and fix networking/DNS/firewall.
+
+3️⃣ Create /etc/sssd/sssd.conf (single file, no includes)
+sudo vi /etc/sssd/sssd.conf
+
+
+Paste exactly:
+
+[sssd]
+services = nss, pam, ssh
+config_file_version = 2
+domains = netgrimoire.com
+
+[nss]
+filter_users = root
+filter_groups = root
+
+[pam]
+offline_failed_login_attempts = 3
+offline_failed_login_delay = 5
+
+[ssh]
+
+[domain/netgrimoire.com]
+id_provider = ldap
+auth_provider = ldap
+chpass_provider = ldap
+access_provider = permit
+
+enumerate = false
+cache_credentials = true
+
+ldap_uri = ldap://docker4:3890
+ldap_schema = rfc2307bis
+ldap_search_base = dc=netgrimoire,dc=com
+
+ldap_auth_disable_tls_never_use_in_production = true
+ldap_id_use_start_tls = false
+ldap_tls_reqcert = never
+
+ldap_default_bind_dn = uid=admin,ou=people,dc=netgrimoire,dc=com
+ldap_default_authtok = F@lcon13
+
+# USERS (lowercase attributes)
+ldap_user_search_base = ou=people,dc=netgrimoire,dc=com
+ldap_user_object_class = posixAccount
+ldap_user_name = uid
+ldap_user_gecos = cn
+ldap_user_uid_number = uidnumber
+ldap_user_gid_number = gidnumber
+ldap_user_home_directory = homedirectory
+ldap_user_shell = unixshell
+
+# GROUPS (lowercase attributes)
+ldap_group_search_base = ou=groups,dc=netgrimoire,dc=com
+ldap_group_object_class = groupOfUniqueNames
+ldap_group_name = cn
+ldap_group_gid_number = gidnumber
+ldap_group_member = uniquemember
+
+4️⃣ Fix permissions (SSSD will NOT start without this)
+sudo chown root:root /etc/sssd/sssd.conf
+sudo chmod 600 /etc/sssd/sssd.conf
+sudo chmod 700 /etc/sssd
+
+
+Validate:
+
+sudo sssctl config-check
+
+5️⃣ Start SSSD cleanly
+sudo systemctl enable sssd
+sudo systemctl stop sssd
+sudo rm -f /var/lib/sss/db/* /var/lib/sss/mc/*
+sudo systemctl start sssd
+
+
+Verify:
+
+sudo systemctl status sssd --no-pager -l
+sudo sssctl domain-status netgrimoire.com
+
+
+Expected:
+
+Online status: Online
+LDAP: docker4
+
+6️⃣ Enable NSS lookups via SSSD (LDAP-first)
+
+Edit /etc/nsswitch.conf:
+
+passwd: sss files systemd
+group:  sss files systemd
+shadow: sss files
+
+
+Test:
+
+getent passwd graymutt
+getent group docker
+id graymutt
+
+7️⃣ 🔑 RE-INITIALIZE PAM (THIS IS THE STEP YOU REMEMBERED)
+
+This step is mandatory on Debian/Ubuntu.
+
+sudo pam-auth-update
+
+In the menu, ENABLE:
+
+✅ Unix authentication
+
+✅ SSSD
+
+✅ Create home directory on login
+
+DISABLE:
+
+❌ LDAP Authentication (legacy)
+
+❌ Kerberos (unless you explicitly use it)
+
+Press OK.
+
+8️⃣ Verify PAM wiring
+grep pam_sss.so /etc/pam.d/common-*
+grep pam_mkhomedir /etc/pam.d/common-session
+
+
+You should see:
+
+session required pam_mkhomedir.so skel=/etc/skel umask=0022
+
+9️⃣ Final login test (definitive)
+ssh graymutt@localhost
+
+
+Expected:
+
+Login succeeds
+
+/home/graymutt is auto-created
+
+Correct LDAP groups present
+
+🔟 (Optional but recommended) Remove local docker group
+
+If the node has a local docker group (gid 998):
+
+sudo groupdel docker
+
+
+Verify:
+
+getent group docker
+
+
+Expected:
+
+docker:x:1964:graymutt,dockhand
+
+🧪 Fast troubleshooting commands
+sudo sssctl domain-status netgrimoire.com
+sudo tail -n 200 /var/log/sssd/sssd_netgrimoire.com.log
+sudo systemctl status sssd --no-pager -l