openldap: enable SHA2 and PBKDF2 support
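{ pkgs, lib, config, ... }:
# NixOS module wiring nslcd (users.ldap) to a local slapd (services.openldap).
# Both sides talk only over the ldapi:// UNIX socket, so no LDAP port is
# exposed on the network and authentication to slapd can rely on SASL EXTERNAL
# (peer credentials of the socket) instead of a stored bind password.
let
  inherit (config) networking;
  # "sourcephile.fr" -> "dc=sourcephile,dc=fr": the base DN of the directory.
  domainSuffix = "dc=" + lib.concatStringsSep ",dc=" (lib.splitString "." networking.domain);
in
# LDAP is useless if you don't have to manage many shared accounts.
# But well... if you want to learn about LDAP anyway, here's a good starting point.
{
  imports = [
    openldap/sourcephile.fr.nix
  ];
  config = {
    # nslcd: resolves POSIX accounts and groups from the local directory.
    users.ldap = {
      enable = true;
      # Local UNIX socket only; nothing listens on TCP.
      server = "ldapi:///";
      base = "ou=posix,${domainSuffix}";
      bind = {
        # No bind DN: nslcd authenticates with SASL EXTERNAL (see extraConfig).
        #distinguishedName = "cn=admin,${domainSuffix}";
      };
      daemon = {
        enable = true;
        # NOTE(review): "log syslog debug" is very verbose and writes DNs and
        # lookup details to syslog; consider "log syslog info" once the setup
        # is confirmed working.
        extraConfig = ''
          log syslog debug

          sasl_mech EXTERNAL
          # NOTE: nslcd cannot use SASL to bind to rootpwmoddn
          # which is the DN used by nslcd when passwd is run by root
          # to change the userPassword of an LDAP user.
          # SEE: https://www.reddit.com/r/linuxadmin/comments/53sxpl/how_do_i_configure_nslcd_to_use_a_sasl_external/d7w9awd/
          # Thus, use: ldappasswd -H ldapi:// -Y EXTERNAL uid=$user,ou=accounts,ou=posix,dc=sourcephile,dc=fr
        '';
      };
    };
    # slapd itself; the directory contents (schema, ACLs, password hashing
    # modules) are configured in the imported openldap/sourcephile.fr.nix.
    services.openldap = {
      enable = true;
      dataDir = "/var/db/ldap";
      configDir = "/var/db/slapd";
      urlList = [ "ldapi:///" ]; # UNIX socket
    };
  };
}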