]> Git — Sourcephile - sourcephile-nix.git/blob - install/logical/friot/openldap.nix
gitolite: update
[sourcephile-nix.git] / install / logical / friot / openldap.nix
1 {pkgs, lib, config, ...}:
2 let inherit (builtins) baseNameOf readFile;
3 inherit (lib) types;
4 inherit (pkgs.lib) unlinesAttrs;
5 inherit (config.services) openldap;
6 inherit (config.users) ldap;
7 copyFile = file: pkgs.writeText (baseNameOf file) (readFile file);
8 configLDIF = pkgs.writeText "cn=config.ldif" (''
9 dn: cn=config
10 objectClass: olcGlobal
11 #olcPidFile: /run/slapd/slapd.pid
12 # List of arguments that were passed to the server
13 #olcArgsFile: /run/slapd/slapd.args
14 # Read slapd-config(5) for possible values
15 olcLogLevel: none
16 # The tool-threads parameter sets the actual amount of CPU's
17 # that is used for indexing.
18 olcToolThreads: 1
19
20 dn: olcDatabase={-1}frontend,cn=config
21 objectClass: olcDatabaseConfig
22 objectClass: olcFrontendConfig
23 # The maximum number of entries that is returned for a search operation
24 olcSizeLimit: 500
25 # Allow unlimited access to local connection from the local root user
26 olcAccess: to *
27 by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
28 by * break
29 # Allow unauthenticated read access for schema and base DN autodiscovery
30 olcAccess: to dn.exact=""
31 by * read
32 olcAccess: to dn.base="cn=Subschema"
33 by * read
34
35 dn: olcDatabase=config,cn=config
36 objectClass: olcDatabaseConfig
37 olcRootDN: cn=admin,cn=config
38 # Access to cn=config, system root can be manager
39 # with SASL mechanism (-Y EXTERNAL) over unix socket (-H ldapi://)
40 olcAccess: to *
41 by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
42 by * break
43
44 dn: cn=schema,cn=config
45 objectClass: olcSchemaConfig
46
47 include: file://${pkgs.openldap}/etc/schema/core.ldif
48 include: file://${pkgs.openldap}/etc/schema/cosine.ldif
49 include: file://${pkgs.openldap}/etc/schema/nis.ldif
50 include: file://${pkgs.openldap}/etc/schema/inetorgperson.ldif
51 include: file://${copyFile openldap/schema/postfix-book.ldif}
52
53 dn: cn=module{0},cn=config
54 objectClass: olcModuleList
55 # Where the dynamically loaded modules are stored
56 #olcModulePath: /usr/lib/ldap
57 olcModuleLoad: back_mdb
58
59 '' + unlinesAttrs (olcSuffix: {conf, olcDbDirectory, ...}:
60 "include: file://" + pkgs.writeText "config.ldif" (conf + ''
61 olcSuffix: ${olcSuffix}
62 olcDbDirectory: ${olcDbDirectory}
63 '')
64 ) openldap.databases);
65 in
66 {
67 imports = [
68 openldap/commonsoft.nix
69 ];
70 options = {
71 services.openldap.domainSuffix = lib.mkOption {
72 type = types.str;
73 default = "dc=${lib.concatStringsSep ",dc=" (lib.splitString "." config.networking.domain)}";
74 description = ''
75 LDAP suffix for config.networking.domain.
76 '';
77 };
78 services.openldap.databases = lib.mkOption {
79 default = {};
80 type = types.attrsOf (types.submodule ({name, options, config, ...}: {
81 options = {
82 conf = lib.mkOption {
83 type = types.lines;
84 description = "The database's config in LDIF.";
85 };
86 data = lib.mkOption {
87 type = types.lines;
88 description = "The database's data in LDIF.";
89 };
90 olcDbDirectory = lib.mkOption {
91 type = types.str;
92 description = "The directory where the database is stored.";
93 default = "${openldap.dataDir}/${name}";
94 };
95 resetData = lib.mkOption {
96 type = types.bool;
97 description = "Whether to reset the data at each start of the slapd service.";
98 default = false;
99 };
100 };
101 }));
102 };
103 };
104 config = {
105 users.ldap = {
106 enable = true;
107 server = "ldapi:///";
108 base = "ou=posix,${openldap.domainSuffix}";
109 bind = {
110 #distinguishedName = "cn=admin,${openldap.domainSuffix}";
111 };
112 daemon = {
113 enable = true;
114 extraConfig = ''
115 sasl_mech EXTERNAL
116 # NOTE: nslcd cannot use SASL to bind to rootpwmoddn
117 # which is the DN used by nslcd when passwd is run by root
118 # to change the userPassword of an LDAP user.
119 # SEE: https://www.reddit.com/r/linuxadmin/comments/53sxpl/how_do_i_configure_nslcd_to_use_a_sasl_external/d7w9awd/
120 # Thus, use: ldappasswd -H ldapi:// -Y EXTERNAL uid=$SomeUID,ou=accounts,ou=posix,dc=commonsoft,dc=org
121 '';
122 };
123 };
124 services.openldap = {
125 enable = true;
126 dataDir = "/var/db/ldap";
127 configDir = "/var/db/slapd";
128 urlList = [ "ldapi:///" ]; # UNIX socket
129 };
130 systemd.services.openldap = {
131 preStart = ''
132 set -e
133 # NOTE: slapd's config is always re-initialized.
134 rm -rf "${openldap.configDir}"/cn=config \
135 "${openldap.configDir}"/cn=config.ldif
136 install -D -d -m 0700 -o "${openldap.user}" -g "${openldap.group}" "${openldap.configDir}"
137 # NOTE: olcDbDirectory must be created before adding the config.
138 '' +
139 unlinesAttrs (olcSuffix: {data, olcDbDirectory, resetData, ...}:
140 lib.optionalString resetData ''
141 rm -rf "${olcDbDirectory}"
142 '' + ''
143 install -D -d -m 0700 -o "${openldap.user}" -g "${openldap.group}" "${olcDbDirectory}"
144 '') openldap.databases
145 + ''
146 # NOTE: slapd is supposed to have been stopped by systemd
147 # before entering this preStart,
148 # hence slap* commands can safely be used.
149 #
150 # NOTE: slapadd(8):
151 # To populate the config database slapd-config(5),
152 # use -n 0 as it is always the first database.
153 # It must physically exist on the filesystem prior to this, however.
154 umask 0077
155 ${pkgs.openldap}/bin/slapadd -n 0 \
156 -F "${openldap.configDir}" \
157 -l ${configLDIF}
158 chown -R "${openldap.user}:${openldap.group}" "${openldap.configDir}"
159 '' +
160 unlinesAttrs (olcSuffix: {data, olcDbDirectory, resetData, ...}:
161 lib.optionalString resetData ''
162 ${pkgs.openldap}/bin/slapadd \
163 -F "${openldap.configDir}" \
164 -l ${pkgs.writeText "data.ldif" data}
165 '' + ''
166 test ! -e "${olcDbDirectory}" ||
167 chown -R "${openldap.user}:${openldap.group}" "${olcDbDirectory}"
168 '') openldap.databases;
169 };
170 };
171 }