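# OpenLDAP (slapd) for this host.
#
# slapd listens only on a UNIX socket (ldapi://), so nothing here is reachable
# over the network. Administrative access is granted to the local root user via
# SASL EXTERNAL (peer credentials) instead of a stored password; the per-domain
# databases and their own ACLs are defined in the imported openldap/*.nix files.
{ pkgs, lib, config, host, ... }:
let
  # Only `networking` is needed in this module; previously inherited names
  # (types, unlinesAttrs, baseNameOf, readFile, openldap, ldap) were unused.
  inherit (config) networking;
  # "example.org" -> "dc=example,dc=org"; base of the directory tree.
  domainSuffix = "dc=" + lib.concatStringsSep ",dc=" (lib.splitString "." networking.domain);
in
{
  imports = [
    openldap/sourcephile.fr.nix
    openldap/autogeree.net.nix
  ];
  users.ldap = {
    # NSS/PAM lookups against the directory are currently switched off; the
    # settings below are kept ready for when it is turned on.
    enable = false;
    # FIXME: reset to ldapi:/// once https://nixpk.gs/pr-tracker.html?pr=179597 is included
    #server = "ldapi:///";
    server = "ldapi://%2Frun%2Fslapd%2Fsock";
    base = "ou=posix,${domainSuffix}";
    bind = {
      # No bind DN: with SASL EXTERNAL the client authenticates by its
      # UNIX peer credentials, so no password has to be stored here.
      #distinguishedName = "cn=admin,${domainSuffix}";
    };
    daemon = {
      enable = false;
      extraConfig = ''
        log syslog info

        sasl_mech EXTERNAL
        # NOTE: nslcd cannot use SASL to bind to rootpwmoddn
        # which is the DN used by nslcd when passwd is run by root
        # to change the userPassword of an LDAP user.
        # SEE: https://www.reddit.com/r/linuxadmin/comments/53sxpl/how_do_i_configure_nslcd_to_use_a_sasl_external/d7w9awd/
        # Thus, use: ldappasswd -H ldapi:// -Y EXTERNAL uid=$user,ou=accounts,ou=posix,dc=sourcephile,dc=fr
      '';
    };
  };
  services.openldap = {
    enable = true;
    #dataDir = "/var/db/ldap";
    #configDir = "/var/db/slapd";
    # FIXME: reset to ldapi:///
    #urlList = [ "ldapi:///" ]; # UNIX socket
    # NOTE(review): the doubled `%%` presumably escapes the `%` specifier of the
    # systemd unit this value ends up in, while users.ldap.server above uses a
    # single `%` — confirm against the NixOS openldap module.
    urlList = [ "ldapi://%%2Frun%%2Fslapd%%2Fsock" ]; # UNIX socket
    # sudo ldapsearch -LLL -H ldapi:// -D cn=admin,cn=config -Y EXTERNAL -b "" -s base supportedControl
    settings = {
      attrs = {
        objectClass = "olcGlobal";
        # "stats" logs connections, operations and results — enough to audit
        # who bound and what was searched without logging entry contents.
        olcLogLevel = [ "stats" ];
        # The tool-threads parameter sets the actual amount of CPU's
        # that is used for indexing.
        olcToolThreads = toString host.CPUs;
      };
      children = {
        "cn=schema".includes = [
          "${pkgs.openldap}/etc/schema/core.ldif"
          "${pkgs.openldap}/etc/schema/cosine.ldif"
          "${pkgs.openldap}/etc/schema/nis.ldif"
          "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
          "${openldap/schema/postfix-book.ldif}"
        ];
        # The first database is the special frontend database
        # whose settings are applied globally to all the other databases.
        # Beware that cn={0}module,cn=config must appear before
        # for enabling password schemes provided by the modules in olcPasswordHash.
        # ldapsearch -LLL -H ldapi:// -D cn=admin,cn=config -Y EXTERNAL -b 'olcDatabase={-1}frontend,cn=config' -s sub '*'
        "olcDatabase={-1}frontend".attrs = {
          objectClass = [ "olcDatabaseConfig" "olcFrontendConfig" ];
          olcDatabase = "{-1}frontend";
          # The maximum number of entries that is returned for a search operation
          olcSizeLimit = "500";
          # Global ACLs, evaluated before each database's own olcAccess.
          olcAccess = [
            # Allow unlimited access to local connection from the local root user.
            # "by * break" means: for everyone else, fall through to the next
            # rule (and ultimately to the database-specific ACLs) rather than deny.
            # The DN is quoted to match the cn=config rule below.
            ''to *
              by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
              by * break
            ''
            # Allow unauthenticated read access for schema and base DN autodiscovery.
            # Only the root DSE and the subschema are exposed this way; no user
            # data is readable without a bind.
            ''to dn.exact=""
              by * read
            ''
            ''to dn.base="cn=Subschema"
              by * read
            ''
          ];
          # Hash algorithm to be used by LDAP Password Modify Extended Operation or the ppolicy overlay
          # NOTE(review): {SSHA} is salted SHA-1. The commented-out {PBKDF2-SHA256}
          # is the stronger choice, but it requires the pw-pbkdf2 module to be
          # loaded in cn={0}module below (also commented out there); both have
          # to be enabled together, and existing hashes are only upgraded on the
          # next password change.
          #olcPasswordHash = "{PBKDF2-SHA256}";
          olcPasswordHash = "{SSHA}";
        };
        "cn={0}module".attrs = {
          objectClass = [ "olcModuleList" ];
          olcModulePath = "${pkgs.openldap}/lib/modules";
          #olcModuleLoad = "pw-sha2";
          #olcModuleLoad = "pw-pbkdf2";
          olcModuleLoad = "back_mdb";
        };

        "olcDatabase={0}config".attrs = {
          objectClass = "olcDatabaseConfig";
          olcDatabase = "{0}config";
          # No olcRootPW: cn=config is only reachable as local root over ldapi
          # (see the ACL below), so no admin password is stored anywhere.
          olcRootDN = "cn=admin,cn=config";
          # Access to cn=config, system root can be manager
          # with SASL mechanism (-Y EXTERNAL) over unix socket (-H ldapi://)
          olcAccess = [
            ''to *
              by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
              by * break
            ''
          ];
        };
      };
    };
    /*
    cnConfig = ''
      dn: cn=schema,cn=config
      objectClass: olcSchemaConfig

      dn: olcBackend=mdb,cn=config
      objectClass: olcBackendConfig
    '';
    */
  };
}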