# NixOS module: declarative OpenLDAP (slapd) database for the site's domain.
# Only `config` is used here; `pkgs` and `lib` are accepted for the module
# calling convention.
#
# Both `conf` (cn=config, as LDIF) and `data` (directory content, as LDIF)
# are plain Nix strings handed to the `services.openldap.databases` option,
# whose semantics come from a module not shown in this file.
# NOTE(review): whatever that module writes these strings to is presumably a
# Nix store path, which is world-readable; the {SSHA} password hashes below
# would then be readable by every local user — confirm where the files land.
{pkgs, lib, config, ...}:
let
  inherit (config.services) openldap;
  inherit (config.users) users groups;
  # Base DN of the directory (e.g. dc=example,dc=org); also the database name.
  domainSuffix = openldap.domainSuffix;
in
{
  config = {
    services.openldap = {
      databases = {
        "${domainSuffix}" = {
          # Meaning defined by the consuming module; presumably the database
          # content is recreated from `data` on activation — TODO confirm.
          resetData = true;

          # cn=config entries for the {1}mdb backend.
          # Access rules: the first `to` clause that matches is the only one
          # consulted; its `by` clauses are tried in order and the first match
          # decides. If no `by` clause matches, access is denied.
          # The cn=peercred DNs identify local clients by the Unix uid/gid seen
          # on the ldapi:// socket (SASL EXTERNAL).
          # NOTE(review): the `dn.sub="ou=posix,..."` rule has no `by self`
          # clause, so a user bound as their own DN is denied reading their own
          # entry (the later `to *` rule is not reached once this one matches);
          # confirm that this is intended.
          # NOTE(review): {SSHA} is salted SHA-1; a slower scheme would give
          # better resistance to offline guessing if the hashes ever leak.
          conf = ''
            # sudo ldapsearch -LLL -H ldapi:// -D cn=admin,cn=config -Y EXTERNAL -b 'olcDatabase={1}mdb,cn=config' -s sub
            dn: olcBackend={1}mdb,cn=config
            objectClass: olcBackendConfig

            dn: olcDatabase={1}mdb,cn=config
            objectClass: olcDatabaseConfig
            objectClass: olcMdbConfig
            # NOTE: checkpoint the database periodically in case of system failure
            # and to speed slapd shutdown.
            olcDbCheckpoint: 512 30
            # Database max size is 1G
            olcDbMaxSize: 1073741824
            olcLastMod: TRUE
            # NOTE: database superuser. Needed for syncrepl.
            olcRootDN: cn=admin,${domainSuffix}
            # NOTE: superuser password, generated with slappasswd -s SECRET
            # FIXME: remove when dovecot2 compiled with SASL
            olcRootPW: {SSHA}NONVwwKnKsCBmFxkMqTCFekdu3SJQHc9
            #
            olcDbIndex: objectClass eq
            olcDbIndex: cn,uid eq
            olcDbIndex: uidNumber,gidNumber eq
            olcDbIndex: member,memberUid eq
            olcDbIndex: mail eq
            olcDbIndex: mailEnabled eq
            olcDbIndex: mailacceptinggeneralid eq
            #
            olcAccess: to attrs=userPassword by self write by anonymous auth by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by * none
            olcAccess: to attrs=shadowLastChange by self write by * none
            olcAccess: to dn.sub="ou=posix,${domainSuffix}" by dn="gidNumber=${toString groups.nslcd.gid}+uidNumber=${toString users.nslcd.uid},cn=peercred,cn=external,cn=auth" read by dn="gidNumber=${toString groups.postfix.gid}+uidNumber=${toString users.postfix.uid},cn=peercred,cn=external,cn=auth" read by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
            # NOTE: dovecot/auth runs as root, hence the gidNumber=0+uidNumber=0
            olcAccess: to * by self read by * none
          '';

          # Directory content.
          # The cn=admin entry carries an empty `userPassword:` with its hash
          # commented out; binds as the rootdn are expected to be verified
          # against `olcRootPW` above — confirm slapd does not fall back to the
          # entry's (empty) attribute.
          # NOTE(review): uid=ju has gidNumber 497, the gid of the commented-out
          # cn=dovemail group (see its FIXME); no group with that gid is defined
          # in this data, so it must come from elsewhere or is dangling.
          data = ''
            dn: ${domainSuffix}
            objectClass: top
            objectClass: dcObject
            objectClass: organization
            o: ${config.networking.baseName}

            dn: cn=admin,${domainSuffix}
            objectClass: simpleSecurityObject
            objectClass: organizationalRole
            description: ${config.networking.baseName} LDAP administrator
            roleOccupant: ${domainSuffix}
            userPassword:
            #userPassword: {SSHA}NONVwwKnKsCBmFxkMqTCFekdu3SJQHc9

            dn: ou=posix,${domainSuffix}
            objectClass: top
            objectClass: organizationalUnit

            dn: ou=accounts,ou=posix,${domainSuffix}
            objectClass: top
            objectClass: organizationalUnit

            dn: ou=groups,ou=posix,${domainSuffix}
            objectClass: top
            objectClass: organizationalUnit

            dn: cn=users,ou=groups,ou=posix,${domainSuffix}
            objectclass: top
            objectclass: posixGroup
            gidnumber: 10000
            memberuid: ju
            memberuid: sevy

            #dn: cn=dovemail,ou=groups,ou=posix,${domainSuffix}
            #objectclass: top
            #objectclass: posixGroup
            #gidnumber: 497
            #
            # FIXME: do not hardcode this gid
            #memberuid: ju
            #memberuid: sevy

            dn: uid=ju,ou=accounts,ou=posix,${domainSuffix}
            #objectClass: account
            objectclass: person
            objectClass: posixAccount
            objectclass: postfixUser
            objectclass: PostfixBookMailAccount
            objectclass: PostfixBookMailForward
            cn: Julien M.
            sn: julm
            mail: ju@commonsoft.coop
            mailAlias: juju@commonsoft.coop
            uidNumber: 10000
            gidNumber: 497
            homeDirectory: /home/ju
            loginShell: /run/current-system/sw/bin/bash
            userPassword: {SSHA}144Rfau9KJ14U0U4KdLNB7OrtpiEc3E3

            dn: uid=sevy,ou=accounts,ou=posix,${domainSuffix}
            #objectClass: account
            objectclass: person
            objectClass: posixAccount
            objectclass: postfixUser
            objectclass: PostfixBookMailAccount
            objectclass: PostfixBookMailForward
            cn: Séverine P.
            sn: sévy
            mail: sevy@commonsoft.coop
            mailAlias: severine.popek@commonsoft.coop
            uidNumber: 10001
            gidNumber: 10000
            homeDirectory: /home/sevy
            loginShell: /run/current-system/sw/bin/bash
            userPassword: {SSHA}dwqaKo5nmId8Bym5PghloK+UEndwrVTN
          '';
        };
      };
    };
  };
}