]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/mermet/openldap.nix
losurdo: openvpn-calyx: update CA and IPv4
[sourcephile-nix.git] / hosts / mermet / openldap.nix
1 { pkgs, lib, config, host, ... }:
2 let
3 inherit (config) networking;
4 inherit (config.services) openldap;
5 inherit (config.users) ldap;
6 domainSuffix = "dc=" + lib.concatStringsSep ",dc=" (lib.splitString "." networking.domain);
7 in
8 {
9 imports = [
10 openldap/sourcephile.fr.nix
11 openldap/autogeree.net.nix
12 ];
13 users.ldap = {
14 enable = false;
15 server = "ldapi:///";
16 base = "ou=posix,${domainSuffix}";
17 bind = {
18 #distinguishedName = "cn=admin,${domainSuffix}";
19 };
20 daemon = {
21 enable = false;
22 extraConfig = ''
23 log syslog info
24
25 sasl_mech EXTERNAL
26 # NOTE: nslcd cannot use SASL to bind to rootpwmoddn
27 # which is the DN used by nslcd when passwd is run by root
28 # to change the userPassword of an LDAP user.
29 # SEE: https://www.reddit.com/r/linuxadmin/comments/53sxpl/how_do_i_configure_nslcd_to_use_a_sasl_external/d7w9awd/
30 # Thus, use: ldappasswd -H ldapi:// -Y EXTERNAL uid=$user,ou=accounts,ou=posix,dc=sourcephile,dc=fr
31 '';
32 };
33 };
34 services.openldap = {
35 enable = true;
36 urlList = [ "ldapi:///" ]; # UNIX socket
37 # sudo ldapsearch -LLL -H ldapi:// -D cn=admin,cn=config -Y EXTERNAL -b "" -s base supportedControl
38 settings = {
39 attrs = {
40 objectClass = "olcGlobal";
41 olcLogLevel = [ "stats" ];
42 # The tool-threads parameter sets the actual amount of CPU's
43 # that is used for indexing.
44 olcToolThreads = toString host.CPUs;
45 };
46 children = {
47 "cn=schema".includes = [
48 "${pkgs.openldap}/etc/schema/core.ldif"
49 "${pkgs.openldap}/etc/schema/cosine.ldif"
50 "${pkgs.openldap}/etc/schema/nis.ldif"
51 "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
52 "${openldap/schema/postfix-book.ldif}"
53 ];
54 # The first database is the special frontend database
55 # whose settings are applied globally to all the other databases.
56 # Beware that cn={0}module,cn=config must appear before
57 # for enabling password schemes provided by the modules in olcPasswordHash.
58 # ldapsearch -LLL -H ldapi:// -D cn=admin,cn=config -Y EXTERNAL -b 'olcDatabase={-1}frontend,cn=config' -s sub '*'
59 "olcDatabase={-1}frontend".attrs = {
60 objectClass = [ "olcDatabaseConfig" "olcFrontendConfig" ];
61 olcDatabase = "{-1}frontend";
62 # The maximum number of entries that is returned for a search operation
63 olcSizeLimit = "500";
64 olcAccess = [
65 # Allow unlimited access to local connection from the local root user
66 ''to *
67 by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
68 by * break
69 ''
70 # Allow unauthenticated read access for schema and base DN autodiscovery
71 ''to dn.exact=""
72 by * read
73 ''
74 ''to dn.base="cn=Subschema"
75 by * read
76 ''
77 ];
78 # Hash algorithm to be used by LDAP Password Modify Extended Operation or the ppolicy overlay
79 #olcPasswordHash = "{PBKDF2-SHA256}";
80 olcPasswordHash = "{SSHA}";
81 };
82 "cn={0}module".attrs = {
83 objectClass = [ "olcModuleList" ];
84 olcModulePath = "${pkgs.openldap}/lib/modules";
85 #olcModuleLoad = "pw-sha2";
86 #olcModuleLoad = "pw-pbkdf2";
87 olcModuleLoad = "back_mdb";
88 };
89
90 "olcDatabase={0}config".attrs = {
91 objectClass = "olcDatabaseConfig";
92 olcDatabase = "{0}config";
93 olcRootDN = "cn=admin,cn=config";
94 # Access to cn=config, system root can be manager
95 # with SASL mechanism (-Y EXTERNAL) over unix socket (-H ldapi://)
96 olcAccess = [
97 ''to *
98 by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
99 by * break
100 ''
101 ];
102 };
103 };
104 };
105 /*
106 cnConfig = ''
107 dn: cn=schema,cn=config
108 objectClass: olcSchemaConfig
109
110 dn: olcBackend=mdb,cn=config
111 objectClass: olcBackendConfig
112 '';
113 */
114 };
115 }