postfix: add LDAP support.
# OpenLDAP (slapd) database for the `domainSuffix` naming context.
# `conf` holds the cn=config LDIF for the mdb backend (checkpointing, size limit,
# indexes, ACLs); `data` holds the initial directory content (base entry, admin
# role, posix accounts/groups). The peercred DNs granted read access below are
# derived from config.users / config.groups, so they follow the system uids/gids.
{pkgs, lib, config, ...}:
let inherit (config.services) openldap;
    inherit (config.users) users groups;
    domainSuffix = openldap.domainSuffix;
in
{
  config = {
    services.openldap = {
      databases = {
        "${domainSuffix}" = {
          # NOTE(review): the option name suggests the database is wiped and
          # reloaded from `data` on activation — confirm against the openldap
          # module before relying on anything written at runtime (for instance
          # self-service password changes allowed by the ACLs below).
          resetData = true;
          conf = ''
            # sudo ldapsearch -LLL -H ldapi:// -D cn=admin,cn=config -Y EXTERNAL -b 'olcDatabase={1}mdb,cn=config' -s sub
            dn: olcBackend={1}mdb,cn=config
            objectClass: olcBackendConfig

            dn: olcDatabase={1}mdb,cn=config
            objectClass: olcDatabaseConfig
            objectClass: olcMdbConfig
            # NOTE: checkpoint the database periodically in case of system failure
            # and to speed slapd shutdown.
            olcDbCheckpoint: 512 30
            # Database max size is 1G
            olcDbMaxSize: 1073741824
            olcLastMod: TRUE
            # NOTE: database superuser. Needed for syncrepl.
            olcRootDN: cn=admin,${domainSuffix}
            # NOTE: superuser password, generated with slappasswd -s SECRET
            # FIXME: remove when dovecot2 compiled with SASL
            # NOTE(review): this is a credential hash committed to version-controlled
            # config, and {SSHA} is salted SHA-1. Prefer loading it from a secret kept
            # out of the repository, and rotate the password if this hash was ever pushed.
            olcRootPW: {SSHA}NONVwwKnKsCBmFxkMqTCFekdu3SJQHc9
            #
            # Equality indexes: objectClass/cn/uid/uidNumber/gidNumber/member* serve
            # nslcd-style lookups, the mail* ones serve the postfix lookups.
            olcDbIndex: objectClass eq
            olcDbIndex: cn,uid eq
            olcDbIndex: uidNumber,gidNumber eq
            olcDbIndex: member,memberUid eq
            olcDbIndex: mail eq
            olcDbIndex: mailEnabled eq
            olcDbIndex: mailacceptinggeneralid eq
            #
            # NOTE: olcAccess rules are evaluated in order and the first matching
            # "to" clause wins, so the userPassword / shadowLastChange rules here
            # shield those attributes from the broader ou=posix read grants below.
            # The "cn=peercred,cn=external,cn=auth" DNs are local SASL EXTERNAL
            # identities over ldapi:// (uid/gid of the connecting process).
            # NOTE: the "by" lines are LDIF continuation lines and must keep at least
            # one leading space after the indented-string stripping.
            olcAccess: to attrs=userPassword
              by self write
              by anonymous auth
              by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
              by * none
            olcAccess: to attrs=shadowLastChange
              by self write
              by * none
            olcAccess: to dn.sub="ou=posix,${domainSuffix}"
              by dn="gidNumber=${toString groups.nslcd.gid}+uidNumber=${toString users.nslcd.uid},cn=peercred,cn=external,cn=auth" read
              by dn="gidNumber=${toString groups.postfix.gid}+uidNumber=${toString users.postfix.uid},cn=peercred,cn=external,cn=auth" read
              by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
            # NOTE: dovecot/auth runs as root, hence the gidNumber=0+uidNumber=0
            # Everything not matched above: an entry may read itself, nobody else.
            olcAccess: to *
              by self read
              by * none
          '';
          data = ''
            dn: ${domainSuffix}
            objectClass: top
            objectClass: dcObject
            objectClass: organization
            o: ${config.networking.baseName}

            dn: cn=admin,${domainSuffix}
            objectClass: simpleSecurityObject
            objectClass: organizationalRole
            description: ${config.networking.baseName} LDAP administrator
            roleOccupant: ${domainSuffix}
            # NOTE(review): empty value — presumably kept only because
            # simpleSecurityObject requires a userPassword attribute; with olcRootPW
            # set in `conf`, binds as this DN are expected to be checked against
            # olcRootPW rather than this entry. Confirm this is intended.
            userPassword:
            #userPassword: {SSHA}NONVwwKnKsCBmFxkMqTCFekdu3SJQHc9

            dn: ou=posix,${domainSuffix}
            objectClass: top
            objectClass: organizationalUnit

            dn: ou=accounts,ou=posix,${domainSuffix}
            objectClass: top
            objectClass: organizationalUnit

            dn: ou=groups,ou=posix,${domainSuffix}
            objectClass: top
            objectClass: organizationalUnit

            dn: cn=users,ou=groups,ou=posix,${domainSuffix}
            objectclass: top
            objectclass: posixGroup
            gidnumber: 10000
            memberuid: ju
            memberuid: sevy

            #dn: cn=dovemail,ou=groups,ou=posix,${domainSuffix}
            #objectclass: top
            #objectclass: posixGroup
            #gidnumber: 497
            # # FIXME: do not hardcode this gid
            #memberuid: ju
            #memberuid: sevy

            # NOTE(review): the postfixUser / PostfixBookMailAccount /
            # PostfixBookMailForward classes come from schemas that must be loaded
            # elsewhere (not in this file).
            dn: uid=ju,ou=accounts,ou=posix,${domainSuffix}
            #objectClass: account
            objectclass: person
            objectClass: posixAccount
            objectclass: postfixUser
            objectclass: PostfixBookMailAccount
            objectclass: PostfixBookMailForward
            cn: Julien M.
            sn: julm
            mail: ju@commonsoft.coop
            mailAlias: juju@commonsoft.coop
            uidNumber: 10000
            # NOTE(review): 497 is the gid of the commented-out dovemail group above
            # (which carries its own FIXME about hardcoding); sevy's primary gid is
            # 10000 (cn=users). Confirm this is intended and not a leftover.
            gidNumber: 497
            homeDirectory: /home/ju
            loginShell: /run/current-system/sw/bin/bash
            userPassword: {SSHA}144Rfau9KJ14U0U4KdLNB7OrtpiEc3E3

            dn: uid=sevy,ou=accounts,ou=posix,${domainSuffix}
            #objectClass: account
            objectclass: person
            objectClass: posixAccount
            objectclass: postfixUser
            objectclass: PostfixBookMailAccount
            objectclass: PostfixBookMailForward
            cn: Séverine P.
            sn: sévy
            mail: sevy@commonsoft.coop
            mailAlias: severine.popek@commonsoft.coop
            uidNumber: 10001
            gidNumber: 10000
            homeDirectory: /home/sevy
            loginShell: /run/current-system/sw/bin/bash
            userPassword: {SSHA}dwqaKo5nmId8Bym5PghloK+UEndwrVTN
          '';
        };
      };
    };
  };
}