install/logical/friot/openldap.nix

   1 {pkgs, lib, config, ...}:
   2 let inherit (builtins) baseNameOf readFile;
   3     inherit (lib) types;
   4     inherit (pkgs.lib) unlinesAttrs;
   5     inherit (config.services) openldap;
   6     inherit (config.users) ldap;
   7     copyFile = file: pkgs.writeText (baseNameOf file) (readFile file);
   8     configLDIF = pkgs.writeText "cn=config.ldif" (''
   9       dn: cn=config
  10       objectClass: olcGlobal
  11       #olcPidFile: /run/slapd/slapd.pid
  12       # List of arguments that were passed to the server
  13       #olcArgsFile: /run/slapd/slapd.args
  14       # Read slapd-config(5) for possible values
  15       olcLogLevel: none
  16       # The tool-threads parameter sets the actual amount of CPU's
  17       # that is used for indexing.
  18       olcToolThreads: 1
  19
  20       dn: olcDatabase={-1}frontend,cn=config
  21       objectClass: olcDatabaseConfig
  22       objectClass: olcFrontendConfig
  23       # The maximum number of entries that is returned for a search operation
  24       olcSizeLimit: 500
  25       # Allow unlimited access to local connection from the local root user
  26       olcAccess: to *
  27         by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
  28         by * break
  29       # Allow unauthenticated read access for schema and base DN autodiscovery
  30       olcAccess: to dn.exact=""
  31         by * read
  32       olcAccess: to dn.base="cn=Subschema"
  33         by * read
  34
  35       dn: olcDatabase=config,cn=config
  36       objectClass: olcDatabaseConfig
  37       olcRootDN: cn=admin,cn=config
  38       # Access to cn=config, system root can be manager
  39       # with SASL mechanism (-Y EXTERNAL) over unix socket (-H ldapi://)
  40       olcAccess: to *
  41         by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  42         by * break
  43
  44       dn: cn=schema,cn=config
  45       objectClass: olcSchemaConfig
  46
  47       include: file://${pkgs.openldap}/etc/schema/core.ldif
  48       include: file://${pkgs.openldap}/etc/schema/cosine.ldif
  49       include: file://${pkgs.openldap}/etc/schema/nis.ldif
  50       include: file://${pkgs.openldap}/etc/schema/inetorgperson.ldif
  51       include: file://${copyFile openldap/schema/postfix-book.ldif}
  52
  53       dn: cn=module{0},cn=config
  54       objectClass: olcModuleList
  55       # Where the dynamically loaded modules are stored
  56       #olcModulePath: /usr/lib/ldap
  57       olcModuleLoad: back_mdb
  58
  59     '' + unlinesAttrs (olcSuffix: {conf, olcDbDirectory, ...}:
  60       "include: file://" + pkgs.writeText "config.ldif" (conf + ''
  61         olcSuffix: ${olcSuffix}
  62         olcDbDirectory: ${olcDbDirectory}
  63       '')
  64     ) openldap.databases);
  65 in
  66 {
  67   imports = [
  68     openldap/commonsoft.nix
  69   ];
  70   options = {
  71     services.openldap.domainSuffix = lib.mkOption {
  72       type    = types.str;
  73       default = "dc=${lib.concatStringsSep ",dc=" (lib.splitString "." config.networking.domain)}";
  74       description = ''
  75         LDAP suffix for config.networking.domain.
  76       '';
  77     };
  78     services.openldap.databases = lib.mkOption {
  79       default = {};
  80       type = types.attrsOf (types.submodule ({name, options, config, ...}: {
  81         options = {
  82           conf = lib.mkOption {
  83             type = types.lines;
  84             description = "The database's config in LDIF.";
  85           };
  86           data = lib.mkOption {
  87             type = types.lines;
  88             description = "The database's data in LDIF.";
  89           };
  90           olcDbDirectory = lib.mkOption {
  91             type = types.str;
  92             description = "The directory where the database is stored.";
  93             default = "${openldap.dataDir}/${name}";
  94           };
  95           resetData = lib.mkOption {
  96             type = types.bool;
  97             description = "Whether to reset the data at each start of the slapd service.";
  98             default = false;
  99           };
 100         };
 101       }));
 102     };
 103   };
 104   config = {
 105     users.ldap = {
 106       enable = true;
 107       server = "ldapi:///";
 108       base = "ou=posix,${openldap.domainSuffix}";
 109       bind = {
 110         #distinguishedName = "cn=admin,${openldap.domainSuffix}";
 111       };
 112       daemon = {
 113         enable = true;
 114         extraConfig = ''
 115           sasl_mech EXTERNAL
 116           # NOTE: nslcd cannot use SASL to bind to rootpwmoddn
 117           # which is the DN used by nslcd when passwd is run by root
 118           # to change the userPassword of an LDAP user.
 119           # SEE: https://www.reddit.com/r/linuxadmin/comments/53sxpl/how_do_i_configure_nslcd_to_use_a_sasl_external/d7w9awd/
 120           # Thus, use: ldappasswd -H ldapi:// -Y EXTERNAL uid=$SomeUID,ou=accounts,ou=posix,dc=commonsoft,dc=org
 121         '';
 122       };
 123     };
 124     services.openldap = {
 125       enable    = true;
 126       dataDir   = "/var/db/ldap";
 127       configDir = "/var/db/slapd";
 128       urlList   = [ "ldapi:///" ]; # UNIX socket
 129     };
 130     systemd.services.openldap = {
 131       preStart = ''
 132           set -e
 133           # NOTE: slapd's config is always re-initialized.
 134           rm -rf "${openldap.configDir}"/cn=config \
 135                  "${openldap.configDir}"/cn=config.ldif
 136           install -D -d -m 0700 -o "${openldap.user}" -g "${openldap.group}" "${openldap.configDir}"
 137           # NOTE: olcDbDirectory must be created before adding the config.
 138           '' +
 139           unlinesAttrs (olcSuffix: {data, olcDbDirectory, resetData, ...}:
 140             lib.optionalString resetData ''
 141               rm -rf "${olcDbDirectory}"
 142             '' + ''
 143             install -D -d -m 0700 -o "${openldap.user}" -g "${openldap.group}" "${olcDbDirectory}"
 144             '') openldap.databases
 145           + ''
 146           # NOTE: slapd is supposed to have been stopped by systemd
 147           # before entering this preStart,
 148           # hence slap* commands can safely be used.
 149           #
 150           # NOTE: slapadd(8):
 151           # To populate the config database slapd-config(5),
 152           # use -n 0 as it is always the first database.
 153           # It must physically exist on the filesystem prior to this, however.
 154           umask 0077
 155           ${pkgs.openldap}/bin/slapadd -n 0 \
 156            -F "${openldap.configDir}" \
 157            -l ${configLDIF}
 158           chown -R "${openldap.user}:${openldap.group}" "${openldap.configDir}"
 159         '' +
 160         unlinesAttrs (olcSuffix: {data, olcDbDirectory, resetData, ...}:
 161           lib.optionalString resetData ''
 162             ${pkgs.openldap}/bin/slapadd \
 163              -F "${openldap.configDir}" \
 164              -l ${pkgs.writeText "data.ldif" data}
 165           '' + ''
 166           test ! -e "${olcDbDirectory}" ||
 167           chown -R "${openldap.user}:${openldap.group}" "${olcDbDirectory}"
 168         '') openldap.databases;
 169     };
 170   };
 171 }