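# NixOS module: local slapd (OpenLDAP) on host "mermet", reachable only over
# its UNIX socket, with the schema, frontend and cn=config ACLs defined here
# and the per-domain databases pulled in from the imported files.
{ pkgs, lib, config, host, ... }:
let
  inherit (config) networking;
  # Turn the machine's DNS domain into an LDAP suffix, e.g. "a.b" -> "dc=a,dc=b".
  domainSuffix = "dc=" + lib.concatStringsSep ",dc=" (lib.splitString "." networking.domain);
in
{
  imports = [
    openldap/sourcephile.fr.nix
    openldap/autogeree.net.nix
  ];

  # NSS/PAM integration (nslcd) is kept disabled on this host; the settings
  # below are the ones it would use if it were switched on.
  users.ldap = {
    enable = false;
    server = "ldapi:///";
    base = "ou=posix,${domainSuffix}";
    bind = {
      #distinguishedName = "cn=admin,${domainSuffix}";
    };
    daemon = {
      enable = false;
      extraConfig = ''
        log syslog info

        sasl_mech EXTERNAL
        # NOTE: nslcd cannot use SASL to bind to rootpwmoddn
        # which is the DN used by nslcd when passwd is run by root
        # to change the userPassword of an LDAP user.
        # SEE: https://www.reddit.com/r/linuxadmin/comments/53sxpl/how_do_i_configure_nslcd_to_use_a_sasl_external/d7w9awd/
        # Thus, use: ldappasswd -H ldapi:// -Y EXTERNAL uid=$user,ou=accounts,ou=posix,dc=sourcephile,dc=fr
      '';
    };
  };

  services.openldap = {
    enable = true;
    # Listen on the UNIX socket only: no TCP listener is configured, so every
    # bind originates from a local process and can be authenticated with
    # SASL EXTERNAL (peercred) instead of a password.
    urlList = [ "ldapi:///" ];
    # sudo ldapsearch -LLL -H ldapi:// -D cn=admin,cn=config -Y EXTERNAL -b "" -s base supportedControl
    settings = {
      attrs = {
        objectClass = "olcGlobal";
        olcLogLevel = [ "stats" ];
        # The tool-threads parameter sets the actual amount of CPU's
        # that is used for indexing.
        olcToolThreads = toString host.CPUs;
      };
      children = {
        "cn=schema".includes = [
          "${pkgs.openldap}/etc/schema/core.ldif"
          "${pkgs.openldap}/etc/schema/cosine.ldif"
          "${pkgs.openldap}/etc/schema/nis.ldif"
          "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
          "${openldap/schema/postfix-book.ldif}"
        ];

        # The first database is the special frontend database
        # whose settings are applied globally to all the other databases.
        # Beware that cn={0}module,cn=config must appear before
        # for enabling password schemes provided by the modules in olcPasswordHash.
        # ldapsearch -LLL -H ldapi:// -D cn=admin,cn=config -Y EXTERNAL -b 'olcDatabase={-1}frontend,cn=config' -s sub '*'
        "olcDatabase={-1}frontend".attrs = {
          objectClass = [ "olcDatabaseConfig" "olcFrontendConfig" ];
          olcDatabase = "{-1}frontend";
          # The maximum number of entries that is returned for a search operation
          olcSizeLimit = "500";
          olcAccess = [
            # Allow unlimited access to local connection from the local root user.
            # The DN is the SASL EXTERNAL identity slapd derives from the peer
            # credentials of a uid 0 / gid 0 process on the ldapi socket.
            # Every other identity falls through ("break") to the ACLs of the
            # database actually holding the entry (presumably the ones defined
            # in the imported per-domain files).
            ''to *
              by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
              by * break
            ''
            # Allow unauthenticated read access for schema and base DN autodiscovery
            ''to dn.exact=""
              by * read
            ''
            ''to dn.base="cn=Subschema"
              by * read
            ''
          ];
          # Hash algorithm to be used by LDAP Password Modify Extended Operation or the ppolicy overlay.
          # NOTE(review): {SSHA} is salted SHA-1 with a single round, so leaked
          # userPassword values are cheap to brute-force offline. The commented
          # {PBKDF2-SHA256} scheme is the stronger choice; it needs the pw-pbkdf2
          # module loaded in cn={0}module below — confirm pkgs.openldap ships it
          # before switching. Existing {SSHA} values should keep verifying after
          # a switch; only passwords set afterwards use the new scheme.
          #olcPasswordHash = "{PBKDF2-SHA256}";
          olcPasswordHash = "{SSHA}";
        };

        "cn={0}module".attrs = {
          objectClass = [ "olcModuleList" ];
          olcModulePath = "${pkgs.openldap}/lib/modules";
          # olcModuleLoad is a single Nix attribute, so a second module cannot be
          # added by uncommenting a line (duplicate attribute); turn the value into
          # a list instead, e.g. [ "pw-pbkdf2" "back_mdb" ].
          #olcModuleLoad = "pw-sha2";
          #olcModuleLoad = "pw-pbkdf2";
          olcModuleLoad = "back_mdb";
        };

        "olcDatabase={0}config".attrs = {
          objectClass = "olcDatabaseConfig";
          olcDatabase = "{0}config";
          olcRootDN = "cn=admin,cn=config";
          # Access to cn=config, system root can be manager
          # with SASL mechanism (-Y EXTERNAL) over unix socket (-H ldapi://).
          # No olcRootPW is set, so cn=admin,cn=config cannot bind with a
          # password; the peercred identity below is the only configured way in.
          olcAccess = [
            ''to *
              by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
              by * break
            ''
          ];
        };
      };
    };
    /*
    cnConfig = ''
      dn: cn=schema,cn=config
      objectClass: olcSchemaConfig

      dn: olcBackend=mdb,cn=config
      objectClass: olcBackendConfig
    '';
    */
  };
}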