{pkgs, lib, config, ...}:
# NixOS module for this host's slapd: declares the
# services.openldap.domainSuffix option and seeds slapd's cn=config and
# first mdb database from LDIF files written to the Nix store (see the
# systemd.services.openldap.preStart script below).
let
  inherit (builtins) baseNameOf readFile;
  inherit (config.services) openldap;
  inherit (config.users) ldap;
  # Copy a repository file into the Nix store under its own basename, so
  # that slapd can `include:` it by store path (used for the postfix schemas).
  copyFile = path:
    let storeName = baseNameOf path;
    in pkgs.writeText storeName (readFile path);
  # cn=config bootstrap. preStart loads it with `slapadd -n 0` on every
  # start after wiping the old config directory, so changes made through
  # cn=config at runtime do not survive a restart: this file is the source
  # of truth for the server configuration.
  # Contents, in order: global settings, the frontend database (size limit,
  # local root gets `manage` via the peercred SASL DN, anonymous read of the
  # root DSE and the subschema), the cn=config database (same root grant),
  # the schema set (stock schemas plus the two local postfix schemas copied
  # into the store by copyFile), the mdb module/backend, and finally the
  # first database definition generated by domainConfigLDIF.
  # NOTE(review): olcLogLevel is `none`, so slapd writes no bind/operation
  # trail at all; `stats` is the usual level when an audit log is wanted.
  # NOTE(review): the frontend rule writes the peercred DN unquoted while the
  # cn=config rule quotes it; both presumably parse (the DN has no whitespace)
  # but the two forms are inconsistent.
  # NOTE(review): because the last include pulls in domainConfigLDIF, which
  # carries the olcRootPW hash, the whole generated text lives in a
  # world-readable /nix/store path.
  configLDIF = pkgs.writeText "cn=config.ldif" ''
    dn: cn=config
    objectClass: olcGlobal
    #olcPidFile: /run/slapd/slapd.pid
    # List of arguments that were passed to the server
    #olcArgsFile: /run/slapd/slapd.args
    # Read slapd-config(5) for possible values
    olcLogLevel: none
    # The tool-threads parameter sets the actual amount of cpu's
    # that is used for indexing.
    olcToolThreads: 1

    dn: olcDatabase={-1}frontend,cn=config
    objectClass: olcDatabaseConfig
    objectClass: olcFrontendConfig
    # The maximum number of entries that is returned for a search operation
    olcSizeLimit: 500
    # Allow unlimited access to local connection from the local root user
    olcAccess: to *
      by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
      by * break
    # Allow unauthenticated read access for schema and base DN autodiscovery
    olcAccess: to dn.exact=""
      by * read
    olcAccess: to dn.base="cn=Subschema"
      by * read

    dn: olcDatabase=config,cn=config
    objectClass: olcDatabaseConfig
    olcRootDN: cn=admin,cn=config
    # Access to cn=config, system root can be manager
    # with SASL mechanism (-Y EXTERNAL) over unix socket (-H ldapi://)
    olcAccess: to *
      by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
      by * break

    dn: cn=schema,cn=config
    objectClass: olcSchemaConfig

    include: file://${pkgs.openldap}/etc/schema/core.ldif
    include: file://${pkgs.openldap}/etc/schema/cosine.ldif
    include: file://${pkgs.openldap}/etc/schema/nis.ldif
    include: file://${pkgs.openldap}/etc/schema/inetorgperson.ldif
    include: file://${copyFile openldap/postfix-book.ldif}
    include: file://${copyFile openldap/postfix2.ldif}

    dn: cn=module{0},cn=config
    objectClass: olcModuleList
    # Where the dynamically loaded modules are stored
    #olcModulePath: /usr/lib/ldap
    olcModuleLoad: back_mdb

    dn: olcBackend={1}mdb,cn=config
    objectClass: olcBackendConfig

    include: file://${domainConfigLDIF openldap.domainSuffix}
  '';
  # Definition of the first mdb database (`olcDatabase={1}mdb`) rooted at
  # dbSuffix, included from configLDIF.
  # Access policy, evaluated top to bottom (first matching `to` wins, and an
  # access directive with no matching `by` clause denies):
  #   - userPassword: writable by its owner, usable for `auth` (simple bind)
  #     by anonymous clients, readable by local root through the peercred
  #     SASL DN, hidden from everyone else;
  #   - shadowLastChange: writable by its owner, hidden from everyone else;
  #   - the ou=posix subtree: readable by nslcd (identified by its uid/gid
  #     over ldapi peercred, see users.ldap.daemon below) and by local root;
  #   - everything else: readable only by the entry itself, so anonymous
  #     searches return nothing outside the root DSE / subschema.
  # NOTE(review): olcRootPW is a {SSHA} hash pasted verbatim into a
  # pkgs.writeText derivation, i.e. into a world-readable path under
  # /nix/store, and it is committed to git. SSHA is salted SHA-1 and cheap to
  # attack offline, so the admin password should be treated as exposed:
  # rotate it, and keep the hash out of the store (e.g. substitute it into
  # the LDIF from a root-only file in preStart) until the dovecot/SASL FIXME
  # is resolved and olcRootPW can be dropped altogether.
  domainConfigLDIF = dbSuffix: pkgs.writeText "config.ldif" ''
    # sudo ldapsearch -LLL -H ldapi:// -D cn=admin,cn=config -Y EXTERNAL -b 'olcDatabase={1}mdb,cn=config' -s sub
    dn: olcDatabase={1}mdb,cn=config
    objectClass: olcDatabaseConfig
    objectClass: olcMdbConfig
    # NOTE: checkpoint the database periodically in case of system failure
    # and to speed slapd shutdown.
    olcDbCheckpoint: 512 30
    # Database max size is 1G
    olcDbMaxSize: 1073741824
    olcLastMod: TRUE
    olcSuffix: ${dbSuffix}
    olcDbDirectory: ${openldap.dataDir}
    # NOTE: database superuser. Needed for syncrepl.
    olcRootDN: cn=admin,${dbSuffix}
    # NOTE: superuser password, generated with slappasswd -s SECRET
    # FIXME: remove when dovecot2 compiled with SASL
    olcRootPW: {SSHA}NONVwwKnKsCBmFxkMqTCFekdu3SJQHc9
    olcDbIndex: objectClass eq
    olcDbIndex: cn,uid eq
    olcDbIndex: uidNumber,gidNumber eq
    olcDbIndex: member,memberUid eq
    olcDbIndex: mail eq
    olcDbIndex: mailEnabled eq
    olcAccess: to attrs=userPassword
      by self write
      by anonymous auth
      by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
      by * none
    olcAccess: to attrs=shadowLastChange
      by self write
      by * none
    olcAccess: to dn.sub="ou=posix,${dbSuffix}"
      by dn="gidNumber=${toString config.users.groups.nslcd.gid}+uidNumber=${toString config.users.users.nslcd.uid},cn=peercred,cn=external,cn=auth" read
      by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
    olcAccess: to *
      by self read
      by * none
  '';
  # Initial content of the first database: the base entry, cn=admin, the
  # ou=posix tree (accounts and groups) and the seed accounts. preStart loads
  # it only when ${openldap.dataDir}/data.mdb does not exist yet, so editing
  # this file has no effect on an already initialised database.
  # NOTE(review): the per-user {SSHA} userPassword hashes below end up in a
  # pkgs.writeText derivation, hence in a world-readable /nix/store path and
  # in git; same exposure as olcRootPW in domainConfigLDIF.
  # NOTE(review): cn=admin gets an empty userPassword value. By default slapd
  # refuses a bind that supplies a DN with an empty password ("unauthenticated"
  # bind), so this is not a usable credential — confirm that is intended
  # rather than a leftover, and that olcAllows does not enable bind_anon_dn.
  # NOTE(review): uid=ju has gidNumber 497, which refers to the commented-out
  # cn=dovemail group (itself marked FIXME), while uid=sevy uses 10000.
  domainDataLDIF = dbSuffix: pkgs.writeText "data.ldif" ''
    dn: ${dbSuffix}
    objectClass: top
    objectClass: dcObject
    objectClass: organization
    o: ${config.networking.baseName}

    dn: cn=admin,${dbSuffix}
    objectClass: simpleSecurityObject
    objectClass: organizationalRole
    description: ${config.networking.baseName} LDAP administrator
    roleOccupant: ${dbSuffix}
    userPassword:
    #userPassword: {SSHA}NONVwwKnKsCBmFxkMqTCFekdu3SJQHc9

    dn: ou=posix,${dbSuffix}
    objectClass: top
    objectClass: organizationalUnit

    dn: ou=accounts,ou=posix,${dbSuffix}
    objectClass: top
    objectClass: organizationalUnit

    dn: ou=groups,ou=posix,${dbSuffix}
    objectClass: top
    objectClass: organizationalUnit

    dn: cn=users,ou=groups,ou=posix,${dbSuffix}
    objectclass: top
    objectclass: posixGroup
    gidnumber: 10000
    memberuid: ju
    memberuid: sevy

    #dn: cn=dovemail,ou=groups,ou=posix,${dbSuffix}
    #objectclass: top
    #objectclass: posixGroup
    #gidnumber: 497
    # # FIXME: do not hardcode this gid
    #memberuid: ju
    #memberuid: sevy

    dn: uid=ju,ou=accounts,ou=posix,${dbSuffix}
    #objectClass: account
    objectclass: person
    objectClass: posixAccount
    objectclass: postfixUser
    objectclass: PostfixBookMailAccount
    objectclass: PostfixBookMailForward
    cn: Julien M.
    sn: julm
    mail: ju@commonsoft.coop
    mailAlias: julien.moutinho@commonsoft.coop
    uidNumber: 10000
    gidNumber: 497
    homeDirectory: /home/ju
    loginShell: /run/current-system/sw/bin/bash
    userPassword: {SSHA}144Rfau9KJ14U0U4KdLNB7OrtpiEc3E3

    dn: uid=sevy,ou=accounts,ou=posix,${dbSuffix}
    #objectClass: account
    objectclass: person
    objectClass: posixAccount
    objectclass: postfixUser
    objectclass: PostfixBookMailAccount
    objectclass: PostfixBookMailForward
    cn: Séverine P.
    sn: sévy
    mail: sevy@commonsoft.coop
    mailAlias: severine.popek@commonsoft.coop
    uidNumber: 10001
    gidNumber: 10000
    homeDirectory: /home/sevy
    loginShell: /run/current-system/sw/bin/bash
    userPassword: {SSHA}dwqaKo5nmId8Bym5PghloK+UEndwrVTN
  '';
in
{
  # LDAP suffix of the first database, derived from networking.domain by
  # turning every dotted label into a `dc=` component
  # ("example.org" -> "dc=example,dc=org"); can be overridden per host.
  options.services.openldap.domainSuffix = lib.mkOption {
    type = lib.types.str;
    default =
      lib.concatMapStringsSep ","
        (label: "dc=${label}")
        (lib.splitString "." config.networking.domain);
    description = ''
      LDAP suffix for the first database.
    '';
  };
  config = {
    # nslcd (users.ldap.daemon) reaches slapd over the local ldapi socket and
    # authenticates with SASL EXTERNAL, i.e. the peer uid/gid supplied by the
    # kernel; the matching read grant on ou=posix is in domainConfigLDIF.
    # No bind DN or password is configured, so the client side holds no secret.
    users.ldap = {
      enable = true;
      # FIXME: even with the correct LD_LIBRARY_PATH to libnss_ldap.so,
      # passwd still does not work on LDAP accounts.
      daemon = {
        enable = true;
        extraConfig = ''
          sasl_mech EXTERNAL
        '';
      };
      server = "ldapi:///";
      base = "ou=posix,${openldap.domainSuffix}";
      bind = {
        #distinguishedName = "cn=admin,${openldap.domainSuffix}";
      };
    };
    # slapd listens on the UNIX socket only: no TCP listener, so the directory
    # is reachable solely by local processes, which slapd identifies by peercred.
    services.openldap = {
      enable = true;
      dataDir = "/var/db/ldap";
      configDir = "/var/db/slapd";
      urlList = [ "ldapi:///" ]; # UNIX socket
    };
    # Re-creates cn=config from configLDIF on every start (runtime changes made
    # through cn=config are discarded) and seeds the data database exactly once.
    # Presumably runs as root, since it chowns to the slapd user afterwards;
    # both directories are created mode 0700.
    # NOTE(review): `slapadd -l ${configLDIF}` reads the generated LDIF from
    # /nix/store, where it is world-readable together with the olcRootPW hash
    # it contains; see domainConfigLDIF.
    systemd.services.openldap = {
      preStart = ''
        # NOTE: slapd's config is always re-initialized.
        rm -rf "${openldap.configDir}"/cn=config \
               "${openldap.configDir}"/cn=config.ldif
        umask 0077
        install -D -d -m 0700 -o "${openldap.user}" -g "${openldap.group}" "${openldap.configDir}"

        # NOTE: slapd is supposed to be stopped while in preStart,
        # hence slap* commands can safely be used.
        ${pkgs.openldap}/bin/slapadd -n 0 -F "${openldap.configDir}" -l ${configLDIF}
        # NOTE: slapadd(8): To populate the config database slapd-config(5),
        # use -n 0 as it is always the first database.
        # It must physically exist on the filesystem prior to this, however.

        # NOTE: the data are only initialized, never re-initialized.
        if test ! -e "${openldap.dataDir}"/data.mdb
        then
          install -D -d -m 0700 -o "${openldap.user}" -g "${openldap.group}" "${openldap.dataDir}"
          ${pkgs.openldap}/bin/slapadd -F "${openldap.configDir}" -l ${domainDataLDIF openldap.domainSuffix}
        fi
        chown -R "${openldap.user}:${openldap.group}" \
          "${openldap.dataDir}" \
          "${openldap.configDir}"
      '';
    };
  };
}