{ pkgs, lib, config, ... }:
let
  cfg = config.services.openldap;
  domainSuffix = cfg.domainSuffix;
  # Peer-credential identity of the nslcd service account, granted read
  # access to the ou=posix subtree by the olcAccess rule in `conf`.
  nslcdUid = toString config.users.users.nslcd.uid;
  nslcdGid = toString config.users.groups.nslcd.gid;
  baseName = config.networking.baseName;
in
{
  # A single mdb database rooted at the configured domain suffix.
  # NOTE(review): `domainSuffix`, `databases`, `resetData`, `conf` and `data`
  # are options of the local services.openldap module, not upstream NixOS;
  # check that module for what `resetData` does to existing entries.
  config.services.openldap.databases."${domainSuffix}" = {
    resetData = true;
    # cn=config LDIF for the database: checkpointing, size cap, superuser,
    # indexes and ACLs.
    # NOTE(review): the password hashes in `conf` (olcRootPW) and `data`
    # (userPassword) are part of the evaluated configuration; if the
    # rendered files are placed in the Nix store they are readable by every
    # local user — confirm how the module materialises these strings.
    conf = ''
      # sudo ldapsearch -LLL -H ldapi:// -D cn=admin,cn=config -Y EXTERNAL -b 'olcDatabase={1}mdb,cn=config' -s sub
      dn: olcBackend={1}mdb,cn=config
      objectClass: olcBackendConfig

      dn: olcDatabase={1}mdb,cn=config
      objectClass: olcDatabaseConfig
      objectClass: olcMdbConfig
      # NOTE: checkpoint the database periodically in case of system failure
      # and to speed slapd shutdown.
      olcDbCheckpoint: 512 30
      # Database max size is 1G
      olcDbMaxSize: 1073741824
      olcLastMod: TRUE
      # NOTE: database superuser. Needed for syncrepl.
      olcRootDN: cn=admin,${domainSuffix}
      # NOTE: superuser password, generated with slappasswd -s SECRET
      # FIXME: remove when dovecot2 compiled with SASL
      olcRootPW: {SSHA}NONVwwKnKsCBmFxkMqTCFekdu3SJQHc9
      #
      olcDbIndex: objectClass eq
      olcDbIndex: cn,uid eq
      olcDbIndex: uidNumber,gidNumber eq
      olcDbIndex: member,memberUid eq
      olcDbIndex: mail eq
      olcDbIndex: mailEnabled eq
      olcDbIndex: mailacceptinggeneralid eq
      #
      olcAccess: to attrs=userPassword
        by self write
        by anonymous auth
        by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by * none
      olcAccess: to attrs=shadowLastChange
        by self write
        by * none
      olcAccess: to dn.sub="ou=posix,${domainSuffix}"
        by dn="gidNumber=${nslcdGid}+uidNumber=${nslcdUid},cn=peercred,cn=external,cn=auth" read
        by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
      # NOTE: dovecot/auth runs as root, hence the gidNumber=0+uidNumber=0
      olcAccess: to *
        by self read
        by * none
    '';
    # Initial directory content: base entry, admin role, posix OUs, one
    # group and two accounts.
    # NOTE(review): cn=admin carries an empty userPassword value (its SSHA
    # line is commented out); superuser binds rely on olcRootPW in `conf`.
    # uid=ju has gidNumber 497 while the only group defined is cn=users
    # (gid 10000) and the gid-497 dovemail group is commented out — likely
    # stale, see the FIXME inside the LDIF.
    data = ''
      dn: ${domainSuffix}
      objectClass: top
      objectClass: dcObject
      objectClass: organization
      o: ${baseName}

      dn: cn=admin,${domainSuffix}
      objectClass: simpleSecurityObject
      objectClass: organizationalRole
      description: ${baseName} LDAP administrator
      roleOccupant: ${domainSuffix}
      userPassword: 
      #userPassword: {SSHA}NONVwwKnKsCBmFxkMqTCFekdu3SJQHc9

      dn: ou=posix,${domainSuffix}
      objectClass: top
      objectClass: organizationalUnit

      dn: ou=accounts,ou=posix,${domainSuffix}
      objectClass: top
      objectClass: organizationalUnit

      dn: ou=groups,ou=posix,${domainSuffix}
      objectClass: top
      objectClass: organizationalUnit

      dn: cn=users,ou=groups,ou=posix,${domainSuffix}
      objectclass: top
      objectclass: posixGroup
      gidnumber: 10000
      memberuid: ju
      memberuid: sevy

      #dn: cn=dovemail,ou=groups,ou=posix,${domainSuffix}
      #objectclass: top
      #objectclass: posixGroup
      #gidnumber: 497
      # # FIXME: do not hardcode this gid
      #memberuid: ju
      #memberuid: sevy

      dn: uid=ju,ou=accounts,ou=posix,${domainSuffix}
      #objectClass: account
      objectclass: person
      objectClass: posixAccount
      objectclass: postfixUser
      objectclass: PostfixBookMailAccount
      objectclass: PostfixBookMailForward
      cn: Julien M.
      sn: julm
      mail: ju@commonsoft.coop
      mailAlias: juju@commonsoft.coop
      #mailacceptinggeneralid: julm
      #maildrop: 
      uidNumber: 10000
      gidNumber: 497
      homeDirectory: /home/ju
      loginShell: /run/current-system/sw/bin/bash
      userPassword: {SSHA}144Rfau9KJ14U0U4KdLNB7OrtpiEc3E3

      dn: uid=sevy,ou=accounts,ou=posix,${domainSuffix}
      #objectClass: account
      objectclass: person
      objectClass: posixAccount
      objectclass: postfixUser
      objectclass: PostfixBookMailAccount
      objectclass: PostfixBookMailForward
      cn: Séverine P.
      sn: sévy
      mail: sevy@commonsoft.coop
      mailAlias: severine.popek@commonsoft.coop
      uidNumber: 10001
      gidNumber: 10000
      homeDirectory: /home/sevy
      loginShell: /run/current-system/sw/bin/bash
      userPassword: {SSHA}dwqaKo5nmId8Bym5PghloK+UEndwrVTN
    '';
  };
}