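# mermet: local OpenLDAP directory (slapd) plus NSS/PAM user lookups via nslcd.
#
# Security model as far as this file shows it:
#   - slapd is told to listen on the ldapi:/// UNIX socket only (urlList below),
#     so there is no TCP listener: the directory is not reachable over the
#     network and every client must be a local process. Nothing here enables
#     TLS, and with a socket-only listener none is needed for transport.
#   - nslcd (users.ldap.daemon) connects over that same socket and binds with
#     SASL EXTERNAL (extraConfig below), i.e. it is identified by the peer
#     credentials of the nslcd process on the socket instead of a bind DN and
#     password that would have to be stored in nslcd.conf.
#     NOTE(review): the server-side mapping of that SASL identity to an LDAP DN
#     (olcAuthzRegexp or equivalent) is not in this file — presumably it lives in
#     openldap/sourcephile.nix; verify it before relying on EXTERNAL here.
#
# Unused let-bindings (types, unlinesAttrs, copyFile, config.users.ldap) were
# dropped; only `openldap.domainSuffix` is referenced.
{ pkgs, lib, config, ... }:
let
  # `domainSuffix` is not declared in this file (presumably by
  # openldap/sourcephile.nix).
  inherit (config.services) openldap;
in
{
  imports = [
    openldap/sourcephile.nix
  ];
  config = {
    # Client side: nslcd for NSS/PAM.
    users.ldap = {
      enable = true;
      server = "ldapi:///";
      base = "ou=posix,${openldap.domainSuffix}";
      # Deliberately no bind DN: authentication is SASL EXTERNAL (see
      # daemon.extraConfig), so no admin credential ends up on disk for nslcd.
      bind = {
        #distinguishedName = "cn=admin,${openldap.domainSuffix}";
      };
      daemon = {
        enable = true;
        # NOTE(review): the rootpwmoddn workaround described inside the string
        # means root must change LDAP passwords with ldappasswd over ldapi
        # rather than `passwd`; presumably a rootpwmoddn/rootpwmodpw pair was
        # avoided to keep a password file off the host — confirm that intent.
        extraConfig = ''
          sasl_mech EXTERNAL
          # NOTE: nslcd cannot use SASL to bind to rootpwmoddn
          # which is the DN used by nslcd when passwd is run by root
          # to change the userPassword of an LDAP user.
          # SEE: https://www.reddit.com/r/linuxadmin/comments/53sxpl/how_do_i_configure_nslcd_to_use_a_sasl_external/d7w9awd/
          # Thus, use: ldappasswd -H ldapi:// -Y EXTERNAL uid=$SomeUID,ou=accounts,ou=posix,dc=sourcephile,dc=fr
        '';
      };
    };
    # Server side: slapd.
    services.openldap = {
      enable = true;
      dataDir = "/var/db/ldap";
      configDir = "/var/db/slapd";
      # UNIX socket only — no ldap:// or ldaps:// listener, hence no network
      # exposure of the directory from this configuration.
      urlList = [ "ldapi:///" ];
    };
  };
}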