1 {pkgs, lib, config, ...}:
2 let inherit (config.services) openldap;
3 inherit (config.users) ldap;
4 cnConfigLDIF = pkgs.writeText "cn=config.ldif" ''
8 #olcPidFile: /run/slapd/slapd.pid
9 # List of arguments that were passed to the server
10 #olcArgsFile: /run/slapd/slapd.args
11 # Read slapd-config(5) for possible values
9 # The tool-threads parameter sets the actual number of CPUs that are used
17 dn: olcDatabase={-1}frontend,cn=config
18 olcDatabase: {-1}frontend
19 objectClass: olcDatabaseConfig
20 objectClass: olcFrontendConfig
21 # The maximum number of entries that are returned for a search operation
23 # Allow unlimited access to local connection from the local root user
25 by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
27 # Allow unauthenticated read access for schema and base DN autodiscovery
28 olcAccess: to dn.exact=""
30 olcAccess: to dn.base="cn=Subschema"
33 dn: olcDatabase=config,cn=config
35 objectClass: olcDatabaseConfig
36 olcRootDN: cn=admin,cn=config
37 # Access to cn=config: the system root user can be the manager
38 # with SASL mechanism (-Y EXTERNAL) over unix socket (-H ldapi://)
40 by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
43 dn: cn=schema,cn=config
45 objectClass: olcSchemaConfig
47 include: file://${pkgs.openldap}/etc/schema/core.ldif
48 include: file://${pkgs.openldap}/etc/schema/cosine.ldif
49 include: file://${pkgs.openldap}/etc/schema/nis.ldif
50 include: file://${pkgs.openldap}/etc/schema/inetorgperson.ldif
52 dn: cn=module{0},cn=config
54 objectClass: olcModuleList
55 # Where the dynamically loaded modules are stored
56 #olcModulePath: /usr/lib/ldap
57 olcModuleLoad: back_mdb
59 dn: olcBackend={1}mdb,cn=config
61 objectClass: olcBackendConfig
63 include: file://${mdb1Config}
65 mdb1Suffix = "dc=${config.networking.baseName}";
66 mdb1Config = pkgs.writeText "${mdb1Suffix}.config.ldif" ''
67 # sudo ldapsearch -LLL -D cn=admin,cn=config -Y EXTERNAL -b 'olcDatabase={1}mdb,cn=config' -s sub
68 dn: olcDatabase={1}mdb,cn=config
70 objectClass: olcDatabaseConfig
71 objectClass: olcMdbConfig
72 # Checkpoint the database periodically in case of system
73 # failure and to speed slapd shutdown.
74 olcDbCheckpoint: 512 30
75 # Database max size is 1G
76 olcDbMaxSize: 1073741824
78 olcSuffix: ${mdb1Suffix}
79 olcDbDirectory: ${openldap.dataDir}
80 # Database superuser. Needed for syncrepl.
81 olcRootDN: cn=admin,${mdb1Suffix}
82 # superuser password hash, generated with slappasswd -s SECRET
83 # olcRootPW: {SSHA}VUlLVeNl3IKltfX50f/PokMRnlhRsSDI
84 olcDbIndex: objectClass eq
86 olcDbIndex: uidNumber,gidNumber eq
87 olcDbIndex: member,memberUid eq
88 olcAccess: to attrs=userPassword
92 olcAccess: to attrs=shadowLastChange
95 olcAccess: to dn.sub="ou=posix,${mdb1Suffix}"
96 by dn="gidNumber=${toString config.users.groups.nslcd.gid}+uidNumber=${toString config.users.users.nslcd.uid},cn=peercred,cn=external,cn=auth" manage
101 mdb1LDIF = pkgs.writeText "${mdb1Suffix}.ldif" ''
103 dc: ${config.networking.baseName}
105 objectClass: dcObject
106 objectClass: organization
109 dn: cn=admin,${mdb1Suffix}
111 objectClass: simpleSecurityObject
112 objectClass: organizationalRole
113 description: ${config.networking.baseName} LDAP administrator
114 roleOccupant: ${mdb1Suffix}
117 dn: ou=posix,${mdb1Suffix}
120 objectClass: organizationalUnit
122 dn: ou=accounts,ou=posix,${mdb1Suffix}
125 objectClass: organizationalUnit
127 dn: ou=groups,ou=posix,${mdb1Suffix}
130 objectClass: organizationalUnit
132 dn: cn=users,ou=groups,ou=posix,${mdb1Suffix}
135 objectclass: posixGroup
140 dn: uid=julm,ou=accounts,ou=posix,${mdb1Suffix}
143 objectClass: posixAccount
147 homeDirectory: /home/julm
148 loginShell: /run/current-system/sw/bin/bash
149 userPassword: {SSHA}144Rfau9KJ14U0U4KdLNB7OrtpiEc3E3
151 dn: uid=sevy,ou=accounts,ou=posix,${mdb1Suffix}
154 objectClass: posixAccount
158 homeDirectory: /home/sevy
159 loginShell: /run/current-system/sw/bin/bash
160 userPassword: {SSHA}dwqaKo5nmId8Bym5PghloK+UEndwrVTN
167 # FIXME: even with the correct LD_LIBRARY_PATH to libnss_ldap.so,
168 # passwd still does not work on LDAP accounts.
175 server = "ldapi:///";
176 base = "ou=posix,${mdb1Suffix}";
178 #distinguishedName = "cn=admin,${mdb1Suffix}";
181 services.openldap = {
183 dataDir = "/var/db/ldap";
184 configDir = "/var/db/slapd";
185 urlList = [ "ldapi:///" ]; # UNIX socket
187 systemd.services.openldap = {
189 # NOTE: the config is always re-initialized.
190 rm -rf "${openldap.configDir}"/cn=config \
191 "${openldap.configDir}"/cn=config.ldif
193 install -D -d -m 0700 \
194 -o "${openldap.user}" \
195 -g "${openldap.group}" \
196 "${openldap.dataDir}" \
197 "${openldap.configDir}"
199 # NOTE: slapd is stopped in preStart, slap* commands can therefore be used.
200 ${pkgs.openldap}/bin/slapadd -n 0 -F "${openldap.configDir}" -l ${cnConfigLDIF}
201 # NOTE: slapadd(8): To populate the config database slapd-config(5),
202 # use -n 0 as it is always the first database.
203 # It must physically exist on the filesystem prior to this, however.
205 # NOTE: the data are only initialized, never re-initialized.
206 if test ! -e "${openldap.dataDir}"/data.mdb
208 ${pkgs.openldap}/bin/slapadd -F "${openldap.configDir}" -l ${mdb1LDIF}
210 chown -R "${openldap.user}:${openldap.group}" \
211 "${openldap.dataDir}" \
212 "${openldap.configDir}"