]> Git — Sourcephile - sourcephile-nix.git/blob - modules/services/databases/openldap.nix
gitolite: update
[sourcephile-nix.git] / modules / services / databases / openldap.nix
1 { pkgs, lib, config, ... }:
2 let
3 inherit (builtins) baseNameOf readFile;
4 inherit (lib) types;
5 inherit (pkgs.lib) unlinesAttrs;
6 inherit (config.services) openldap;
7 inherit (config.users) ldap;
8 in
9 {
10 options = {
11 services.openldap.cnConfig = lib.mkOption {
12 type = types.lines;
13 description = "The cn=config in LDIF";
14 apply = lines: pkgs.writeText "cn=config.ldif"
15 (lines + "\n" + unlinesAttrs (olcSuffix: {conf, olcDbDirectory, ...}:
16 "include: file://" + pkgs.writeText "config.ldif" (conf + ''
17 olcSuffix: ${olcSuffix}
18 olcDbDirectory: ${olcDbDirectory}
19 '')
20 ) openldap.databases);
21 default = ''
22 dn: cn=config
23 objectClass: olcGlobal
24 olcLogLevel: none
25 olcToolThreads: 1
26
27 dn: cn={0}module,cn=config
28 objectClass: olcModuleList
29 olcModulePath: ${pkgs.openldap}/lib/modules
30 olcModuleLoad: pw-sha2
31 olcModuleLoad: pw-pbkdf2
32 olcModuleLoad: back_mdb
33
34 dn: olcDatabase={-1}frontend,cn=config
35 objectClass: olcDatabaseConfig
36 objectClass: olcFrontendConfig
37 olcSizeLimit: 500
38 # Allow unlimited access to local connection from the local root user
39 olcAccess: to *
40 by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
41 by * break
42 # Allow unauthenticated read access for schema and base DN autodiscovery
43 olcAccess: to dn.exact=""
44 by * read
45 olcAccess: to dn.base="cn=Subschema"
46 by * read
47 # Hash algorithm to be used by LDAP Password Modify Extended Operation or the ppolicy overlay
48 olcPasswordHash: {PBKDF2-SHA256}
49
50 dn: olcDatabase={0}config,cn=config
51 objectClass: olcDatabaseConfig
52 olcRootDN: cn=admin,cn=config
53 # Access to cn=config, system root can be manager
54 # with SASL mechanism (-Y EXTERNAL) over unix socket (-H ldapi://)
55 olcAccess: to *
56 by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
57 by * break
58
59 dn: cn=schema,cn=config
60 objectClass: olcSchemaConfig
61
62 include: file://${pkgs.openldap}/etc/schema/core.ldif
63 include: file://${pkgs.openldap}/etc/schema/cosine.ldif
64 include: file://${pkgs.openldap}/etc/schema/nis.ldif
65 include: file://${pkgs.openldap}/etc/schema/inetorgperson.ldif
66 '';
67 };
68 services.openldap.databases = lib.mkOption {
69 default = {};
70 type = types.attrsOf (types.submodule ({name, options, config, ...}: {
71 options = {
72 conf = lib.mkOption {
73 type = types.lines;
74 description = "The database's config in LDIF.";
75 };
76 data = lib.mkOption {
77 type = types.nullOr types.lines;
78 description = "The database's data in LDIF.";
79 };
80 olcDbDirectory = lib.mkOption {
81 type = types.str;
82 description = "The directory where the database is stored.";
83 default = "${openldap.dataDir}/${name}";
84 };
85 };
86 }));
87 };
88 };
89 config = lib.mkIf openldap.enable {
90 systemd.services.openldap.preStart =
91 # olcDbDirectory must be created before adding the config.
92 ''
93 set -e
94 install -D -d -m 0700 -o "${openldap.user}" -g "${openldap.group}" "${openldap.configDir}"
95 '' +
96 unlinesAttrs (olcSuffix: {data, olcDbDirectory, ...}: lib.optionalString (data != null) ''
97 rm -rf "${olcDbDirectory}"
98 install -D -d -m 0700 -o "${openldap.user}" -g "${openldap.group}" "${olcDbDirectory}"
99 '') openldap.databases
100 # slapd is supposed to have been stopped by systemd
101 # before entering this preStart,
102 # hence slap* commands can safely be used.
103 #
104 # slapadd(8):
105 # To populate the config database slapd-config(5),
106 # use -n 0 as it is always the first database.
107 # It must physically exist on the filesystem prior to this, however.
108 + ''
109 umask 0077
110 rm -rf "${openldap.configDir}"/cn=config \
111 "${openldap.configDir}"/cn=config.ldif
112 ${pkgs.openldap}/bin/slapadd -n 0 \
113 -F "${openldap.configDir}" \
114 -l ${openldap.cnConfig}
115 chown -R "${openldap.user}:${openldap.group}" "${openldap.configDir}"
116 '' +
117 unlinesAttrs (olcSuffix: {data, olcDbDirectory, ...}: lib.optionalString (data != null) ''
118 ${pkgs.openldap}/bin/slapadd \
119 -F "${openldap.configDir}" \
120 -b ${olcSuffix} \
121 -l ${pkgs.writeText "data.ldif" data}
122 '' + ''
123 test ! -e "${olcDbDirectory}" ||
124 chown -R "${openldap.user}:${openldap.group}" "${olcDbDirectory}"
125 '') openldap.databases;
126 };
127 }