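# LDAP-backed POSIX accounts for this host.
#
# nslcd (users.ldap.daemon) resolves users/groups against the local slapd over
# its UNIX socket only (ldapi:///) and authenticates with SASL EXTERNAL, i.e.
# the peer credentials of the nslcd process; no bind password is stored here
# and no LDAP listener is exposed on the network.
{ pkgs, lib, config, ... }:
let
  inherit (config) networking;

  # Derive the directory's root DN from the host's domain:
  # "example.org" -> "dc=example,dc=org".
  #
  # networking.domain defaults to null in NixOS. Without this guard the
  # derivation would silently degrade to a bogus "dc=" suffix (or fail with an
  # opaque type error, depending on the nixpkgs version) and every DN below
  # would be wrong; fail at evaluation time with an explicit message instead.
  domainSuffix =
    if networking.domain == null then
      throw "users.ldap/openldap: networking.domain must be set to derive the LDAP base DN"
    else
      "dc=" + lib.concatStringsSep ",dc=" (lib.splitString "." networking.domain);
in
{
  # slapd schema, ACLs and database definitions live in the imported module.
  imports = [ openldap/sourcephile.nix ];

  config = {
    users.ldap = {
      enable = true;
      # ldapi:// is a local UNIX socket: no TCP hop, so no TLS is needed on
      # this path.
      server = "ldapi:///";
      base = "ou=posix,${domainSuffix}";
      bind = {
        # Deliberately no bind DN/password: nslcd binds with SASL EXTERNAL (see
        # extraConfig), so slapd identifies it by UNIX peer credentials.
        # NOTE(review): the slapd ACLs in openldap/sourcephile.nix must grant
        # that identity read access to ou=posix for lookups to work — confirm.
        #distinguishedName = "cn=admin,${domainSuffix}";
      };
      daemon = {
        enable = true;
        # SECURITY: "log syslog debug" is nslcd's most verbose level; it is
        # expected to write every lookup (DNs, search filters) to syslog.
        # Lower it to "info" or "warning" once the directory is known to work.
        extraConfig = ''
          sasl_mech EXTERNAL
          # NOTE: nslcd cannot use SASL to bind to rootpwmoddn
          # which is the DN used by nslcd when passwd is run by root
          # to change the userPassword of an LDAP user.
          # SEE: https://www.reddit.com/r/linuxadmin/comments/53sxpl/how_do_i_configure_nslcd_to_use_a_sasl_external/d7w9awd/
          # Thus, use: ldappasswd -H ldapi:// -Y EXTERNAL uid=$SomeUID,ou=accounts,ou=posix,dc=sourcephile,dc=fr
          deref never
          log syslog debug
        '';
      };
    };

    services.openldap = {
      enable = true;
      dataDir = "/var/db/ldap";
      configDir = "/var/db/slapd";
      # UNIX socket only: slapd is not reachable over TCP from other hosts.
      urlList = [ "ldapi:///" ];
    };
  };
}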