1 {pkgs, lib, config, ...}:
2 let inherit (config.services) openldap;
3 inherit (config.users) users groups;
4 domainSuffix = openldap.domainSuffix;
13 # sudo ldapsearch -LLL -H ldapi:// -D cn=admin,cn=config -Y EXTERNAL -b 'olcDatabase={1}mdb,cn=config' -s sub
14 dn: olcBackend={1}mdb,cn=config
15 objectClass: olcBackendConfig
17 dn: olcDatabase={1}mdb,cn=config
18 objectClass: olcDatabaseConfig
19 objectClass: olcMdbConfig
20 # NOTE: checkpoint the database periodically in case of system failure
21 # and to speed slapd shutdown.
22 olcDbCheckpoint: 512 30
24 # Database maximum size is 1 GiB (1073741824 bytes)
24 olcDbMaxSize: 1073741824
26 # NOTE: database superuser. Needed for syncrepl.
27 olcRootDN: cn=admin,${domainSuffix}
28 # NOTE: superuser password hash, generated with slappasswd -s SECRET
29 # FIXME: remove once dovecot2 is compiled with SASL support
30 olcRootPW: {SSHA}NONVwwKnKsCBmFxkMqTCFekdu3SJQHc9
32 olcDbIndex: objectClass eq
34 olcDbIndex: uidNumber,gidNumber eq
35 olcDbIndex: member,memberUid eq
37 olcDbIndex: mailEnabled eq
38 olcDbIndex: mailacceptinggeneralid eq
40 olcAccess: to attrs=userPassword
43 by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
45 olcAccess: to attrs=shadowLastChange
48 olcAccess: to dn.sub="ou=posix,${domainSuffix}"
49 by dn="gidNumber=${toString groups.nslcd.gid}+uidNumber=${toString users.nslcd.uid},cn=peercred,cn=external,cn=auth" read
50 by dn="gidNumber=${toString groups.postfix.gid}+uidNumber=${toString users.postfix.uid},cn=peercred,cn=external,cn=auth" read
51 by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
52 # NOTE: dovecot/auth runs as root, hence the gidNumber=0+uidNumber=0 peercred entry above
61 objectClass: organization
62 o: ${config.networking.baseName}
64 dn: cn=admin,${domainSuffix}
65 objectClass: simpleSecurityObject
66 objectClass: organizationalRole
67 description: ${config.networking.baseName} LDAP administrator
68 roleOccupant: ${domainSuffix}
70 #userPassword: {SSHA}NONVwwKnKsCBmFxkMqTCFekdu3SJQHc9
72 dn: ou=posix,${domainSuffix}
74 objectClass: organizationalUnit
76 dn: ou=accounts,ou=posix,${domainSuffix}
78 objectClass: organizationalUnit
80 dn: ou=groups,ou=posix,${domainSuffix}
82 objectClass: organizationalUnit
84 dn: cn=users,ou=groups,ou=posix,${domainSuffix}
86 objectclass: posixGroup
91 #dn: cn=dovemail,ou=groups,ou=posix,${domainSuffix}
93 #objectclass: posixGroup
95 # # FIXME: do not hardcode this gid
99 dn: uid=ju,ou=accounts,ou=posix,${domainSuffix}
100 #objectClass: account
102 objectClass: posixAccount
103 objectclass: postfixUser
104 objectclass: PostfixBookMailAccount
105 objectclass: PostfixBookMailForward
108 mail: ju@commonsoft.coop
109 mailAlias: juju@commonsoft.coop
112 homeDirectory: /home/ju
113 loginShell: /run/current-system/sw/bin/bash
114 userPassword: {SSHA}144Rfau9KJ14U0U4KdLNB7OrtpiEc3E3
116 dn: uid=sevy,ou=accounts,ou=posix,${domainSuffix}
117 #objectClass: account
119 objectClass: posixAccount
120 objectclass: postfixUser
121 objectclass: PostfixBookMailAccount
122 objectclass: PostfixBookMailForward
125 mail: sevy@commonsoft.coop
126 mailAlias: severine.popek@commonsoft.coop
129 homeDirectory: /home/sevy
130 loginShell: /run/current-system/sw/bin/bash
131 userPassword: {SSHA}dwqaKo5nmId8Bym5PghloK+UEndwrVTN