]> Git — Sourcephile - sourcephile-nix.git/blob - install/logical/friot/openldap/commonsoft.nix
nslcd: fix passwd support
[sourcephile-nix.git] / install / logical / friot / openldap / commonsoft.nix
1 {pkgs, lib, config, ...}:
2 let inherit (config) networking;
3 inherit (config.services) openldap;
4 inherit (config.users) users groups;
5 inherit (pkgs.lib) unlines;
6 domainSuffix = openldap.domainSuffix;
7 posixAccount =
8 { uid
9 , uidNumber ? null
10 , gidNumber ? uidNumber
11 , cn ? ""
12 , sn ? ""
13 , userPassword ? "{SSHA}xeJMEPlG8UKU3iTPwOgFyadeCHwSZH+z"
14 , mailAlias ? []
15 , loginShell ? "/run/current-system/sw/bin/bash"
16 , mailEnabled ? true
17 , mailForwardingAddress ? []
18 , domain ? networking.domain
19 }: "\n" + lib.concatStringsSep "\n\n" [
20 (unlines ([ ''
21 dn: uid=${uid},ou=accounts,ou=posix,${domainSuffix}
22 objectClass: person
23 objectClass: posixAccount
24 objectClass: shadowAccount
25 objectClass: PostfixBookMailAccount
26 objectClass: PostfixBookMailForward
27 cn: ${cn}
28 sn: ${sn}
29 mail: ${uid}${lib.optionalString (networking.domain != "") "@${networking.domain}"}
30 mailEnabled: ${if mailEnabled then "TRUE" else "FALSE"}
31 #mailGroupMember: ${networking.domainBase}
32 homeDirectory: /home/${uid}
33 uidNumber: ${toString uidNumber}
34 gidNumber: ${toString gidNumber}
35 loginShell: ${loginShell}'' ]
36 ++ lib.optional (userPassword != "") "userPassword: ${userPassword}"
37 ++ map (forward: "mailForwardingAddress: ${forward}") mailForwardingAddress
38 ++ map (alias: "mailAlias: ${alias}@${networking.domain}") mailAlias
39 ++ lib.optional (mailAlias == []) "mailAlias:"
40 # NOTE: required by PostfixBookMailForward
41 ))
42 ''
43 dn: cn=${uid},ou=groups,ou=posix,${domainSuffix}
44 objectClass: top
45 objectClass: posixGroup
46 gidNumber: ${toString gidNumber}
47 memberUid: ${uid}
48 ''
49 ];
50 in
51 {
52 config = lib.mkIf config.users.ldap.enable {
53 services.openldap = {
54 databases = {
55 "${domainSuffix}" = {
56 resetData = true;
57 conf = ''
58 # sudo ldapsearch -LLL -H ldapi:// -D cn=admin,cn=config -Y EXTERNAL -b 'olcDatabase={1}mdb,cn=config' -s sub
59 dn: olcBackend={1}mdb,cn=config
60 objectClass: olcBackendConfig
61
62 dn: olcDatabase={1}mdb,cn=config
63 objectClass: olcDatabaseConfig
64 objectClass: olcMdbConfig
65 # NOTE: checkpoint the database periodically in case of system failure
66 # and to speed slapd shutdown.
67 olcDbCheckpoint: 512 30
68 # Database max size is 1G
69 olcDbMaxSize: 1073741824
70 olcLastMod: TRUE
71 # NOTE: database superuser. Needed for syncrepl.
72 olcRootDN: cn=admin,${domainSuffix}
73 # NOTE: superuser password, generated with slappasswd -h "{SSHA}" -s "$password"
74 #olcRootPW: {SSHA}COkATGNe7rs/g8vWcYP5rqt4u5sWdMgP
75 #
76 olcDbIndex: objectClass eq
77 olcDbIndex: cn,uid eq
78 olcDbIndex: uidNumber,gidNumber eq
79 olcDbIndex: member,memberUid eq
80 olcDbIndex: mail eq
81 olcDbIndex: mailAlias eq
82 olcDbIndex: mailEnabled eq
83 #
84 olcAccess: to attrs=userPassword
85 by self write
86 by anonymous auth
87 by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
88 by * none
89 olcAccess: to attrs=shadowLastChange
90 by self write
91 by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
92 by * none
93 olcAccess: to dn.sub="ou=posix,${domainSuffix}"
94 by self read
95 by dn="gidNumber=${toString groups.nslcd.gid}+uidNumber=${toString users.nslcd.uid},cn=peercred,cn=external,cn=auth" read
96 by dn="gidNumber=${toString groups.postfix.gid}+uidNumber=${toString users.postfix.uid},cn=peercred,cn=external,cn=auth" read
97 by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
98 # NOTE: dovecot/auth runs as root, hence the gidNumber=0+uidNumber=0
99 olcAccess: to *
100 by self read
101 by * none
102 '';
103 data = ''
104 dn: ${domainSuffix}
105 objectClass: top
106 objectClass: dcObject
107 objectClass: organization
108 o: ${networking.domainBase}
109
110 dn: cn=admin,${domainSuffix}
111 objectClass: simpleSecurityObject
112 objectClass: organizationalRole
113 description: ${networking.domainBase} LDAP administrator
114 roleOccupant: ${domainSuffix}
115 userPassword:
116 #userPassword: {SSHA}NONVwwKnKsCBmFxkMqTCFekdu3SJQHc9
117
118 dn: ou=posix,${domainSuffix}
119 objectClass: top
120 objectClass: organizationalUnit
121
122 dn: ou=accounts,ou=posix,${domainSuffix}
123 objectClass: top
124 objectClass: organizationalUnit
125
126 dn: ou=groups,ou=posix,${domainSuffix}
127 objectClass: top
128 objectClass: organizationalUnit
129
130 dn: cn=${networking.domainBase},ou=groups,ou=posix,${domainSuffix}
131 objectClass: top
132 objectClass: posixGroup
133 gidnumber: 20000
134 memberuid: ju
135 memberuid: sevy
136
137 ''
138 + lib.concatMapStrings posixAccount [
139 { uid="ju"; uidNumber=10000; cn="Julien M."; sn="julm"; mailAlias = ["juju"]; }
140 { uid="sevy"; uidNumber=10001; cn="Séverine P."; sn="sévy"; mailAlias = ["severine.popek" "ouais-ouais"]; }
141 { uid="nomail"; uidNumber=10002; mailAlias = ["noalias"]; mailEnabled = false; }
142 { uid="post"; domain="friot"; mailForwardingAddress = ["ju@${networking.domain}"]; }
143 { uid="host"; mailForwardingAddress = ["ju@${networking.domain}"]; }
144 ];
145 };
146 };
147 };
148 };
149 }