]> Git — Sourcephile - sourcephile-nix.git/blob - machines/mermet/openldap.nix
nix: factorize security.gnupg.store
[sourcephile-nix.git] / machines / mermet / openldap.nix
1 { pkgs, lib, config, ... }:
2 let
3 inherit (builtins) baseNameOf readFile;
4 inherit (lib) types;
5 inherit (pkgs.lib) unlinesAttrs;
6 inherit (config) networking;
7 inherit (config.services) openldap;
8 inherit (config.users) ldap;
9 domainSuffix = "dc=" + lib.concatStringsSep ",dc=" (lib.splitString "." networking.domain);
10 in
11 {
12 imports = [
13 openldap/sourcephile.fr.nix
14 openldap/autogeree.net.nix
15 ];
16 config = {
17 users.ldap = {
18 enable = false;
19 server = "ldapi:///";
20 base = "ou=posix,${domainSuffix}";
21 bind = {
22 #distinguishedName = "cn=admin,${domainSuffix}";
23 };
24 daemon = {
25 enable = false;
26 extraConfig = ''
27 log syslog info
28
29 sasl_mech EXTERNAL
30 # NOTE: nslcd cannot use SASL to bind to rootpwmoddn
31 # which is the DN used by nslcd when passwd is run by root
32 # to change the userPassword of an LDAP user.
33 # SEE: https://www.reddit.com/r/linuxadmin/comments/53sxpl/how_do_i_configure_nslcd_to_use_a_sasl_external/d7w9awd/
34 # Thus, use: ldappasswd -H ldapi:// -Y EXTERNAL uid=$user,ou=accounts,ou=posix,dc=sourcephile,dc=fr
35 '';
36 };
37 };
38 services.openldap = {
39 enable = true;
40 dataDir = "/var/db/ldap";
41 configDir = "/var/db/slapd";
42 urlList = [ "ldapi:///" ]; # UNIX socket
43 # sudo ldapsearch -LLL -H ldapi:// -D cn=admin,cn=config -Y EXTERNAL -b "" -s base supportedControl
44 cnConfig = ''
45 dn: cn=config
46 objectClass: olcGlobal
47 olcLogLevel: none
48 # The tool-threads parameter sets the actual amount of CPU's
49 # that is used for indexing.
50 olcToolThreads: ${toString config.nix.maxJobs}
51
52 dn: cn={0}module,cn=config
53 objectClass: olcModuleList
54 olcModulePath: ${pkgs.openldap}/lib/modules
55 #olcModuleLoad: pw-sha2
56 #olcModuleLoad: pw-pbkdf2
57 olcModuleLoad: back_mdb
58
59 # The first database is the special frontend database
60 # whose settings are applied globally to all the other databases.
61 # Beware that cn={0}module,cn=config must appear before
62 # for enabling password schemes provided by the modules in olcPasswordHash.
63 # ldapsearch -LLL -H ldapi:// -D cn=admin,cn=config -Y EXTERNAL -b 'olcDatabase={-1}frontend,cn=config' -s sub '*'
64 dn: olcDatabase={-1}frontend,cn=config
65 objectClass: olcDatabaseConfig
66 objectClass: olcFrontendConfig
67 # The maximum number of entries that is returned for a search operation
68 olcSizeLimit: 500
69 # Allow unlimited access to local connection from the local root user
70 olcAccess: to *
71 by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
72 by * break
73 # Allow unauthenticated read access for schema and base DN autodiscovery
74 olcAccess: to dn.exact=""
75 by * read
76 olcAccess: to dn.base="cn=Subschema"
77 by * read
78 # Hash algorithm to be used by LDAP Password Modify Extended Operation or the ppolicy overlay
79 #olcPasswordHash: {PBKDF2-SHA256}
80 olcPasswordHash: {SSHA}
81
82 dn: olcDatabase={0}config,cn=config
83 objectClass: olcDatabaseConfig
84 olcRootDN: cn=admin,cn=config
85 # Access to cn=config, system root can be manager
86 # with SASL mechanism (-Y EXTERNAL) over unix socket (-H ldapi://)
87 olcAccess: to *
88 by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
89 by * break
90
91 dn: cn=schema,cn=config
92 objectClass: olcSchemaConfig
93
94 dn: olcBackend=mdb,cn=config
95 objectClass: olcBackendConfig
96
97 include: file://${pkgs.openldap}/etc/schema/core.ldif
98 include: file://${pkgs.openldap}/etc/schema/cosine.ldif
99 include: file://${pkgs.openldap}/etc/schema/nis.ldif
100 include: file://${pkgs.openldap}/etc/schema/inetorgperson.ldif
101 include: file://${openldap/schema/postfix-book.ldif}
102 '';
103 };
104 };
105 }