1 { lib, pkgs, config, openldap, ... }:
3 cfg = config.myServices.databases.openldap;
6 options.myServices.databases = {
8 enable = lib.mkOption {
11 description = "Whether to enable ldap";
12 type = lib.types.bool;
14 baseDn = lib.mkOption {
20 rootDn = lib.mkOption {
26 rootPw = lib.mkOption {
29 Root (Hashed) password
32 accessFile = lib.mkOption {
33 type = lib.types.path;
35 The file path that defines the access
38 dataDir = lib.mkOption {
39 type = lib.types.path;
40 default = "/var/lib/openldap/mdb";
42 The directory where Openldap stores its data.
45 socketsDir = lib.mkOption {
46 type = lib.types.path;
47 default = "/run/openldap";
49 The directory where Openldap puts sockets and pid files.
54 type = lib.types.attrsOf lib.types.path;
56 pid = "${cfg.socketsDir}/slapd.pid";
57 args = "${cfg.socketsDir}/slapd.args";
67 config = lib.mkIf cfg.enable {
68 myServices.dns.zones."immae.eu".subdomains.ldap =
69 with config.myServices.dns.helpers; ips servers.eldiron.ips.main;
73 openldap_libressl_cyrus = (self.openldap.override {
74 openssl = self.libressl;
75 cyrus_sasl = self.cyrus_sasl.overrideAttrs (old: {
76 configureFlags = old.configureFlags ++ [ "--with-configdir=/etc/sasl2" ];
78 }).overrideAttrs (old: {
79 configureFlags = old.configureFlags ++ [ "--with-cyrus-sasl" "--enable-spasswd" ];
89 text = "${cfg.rootPw}";
95 text = builtins.readFile cfg.accessFile;
104 users.users.openldap.extraGroups = [ "keys" ];
105 networking.firewall.allowedTCPPorts = [ 636 389 ];
106 services.borgBackup.profiles.global.includedPaths = [
110 security.acme.certs."ldap" = {
112 domain = "ldap.immae.eu";
114 systemctl restart openldap.service
118 services.filesWatcher.openldap = {
120 paths = [ config.secrets.fullPaths."ldap" ];
123 services.openldap = {
125 urlList = [ "ldap://" "ldaps://" ];
126 package = pkgs.openldap_libressl_cyrus;
129 olcPidFile = cfg.pids.pid;
130 olcArgsFile = cfg.pids.args;
131 olcLogLevel = "none";
132 olcTLSCertificateFile = "${config.security.acme.certs.ldap.directory}/cert.pem";
133 olcTLSCertificateKeyFile = "${config.security.acme.certs.ldap.directory}/key.pem";
134 olcTLSCACertificateFile = "${config.security.acme.certs.ldap.directory}/fullchain.pem";
135 olcTLSCACertificatePath = "${pkgs.cacert.unbundled}/etc/ssl/certs/";
136 # This makes openldap crash
137 # olcTLSCipherSuite = "DEFAULT";
138 #olcSaslHost = "kerberos.immae.eu";
139 # Map sasl "dn" to ldap dn
140 #olcAuthzRegexp = ''{0}"uid=([^,]*)(,cn=IMMAE.EU)?,cn=(gssapi|gss-spnego),cn=auth" "uid=$1,ou=users,dc=immae,dc=eu"'';
146 objectClass = [ "olcModuleList" ];
147 olcModuleLoad = [ "{0}back_mdb" "{1}memberof" "{2}syncprov" ];
150 "cn=schema".includes = map (schema:
151 "${config.services.openldap.package}/etc/schema/${schema}.ldif"
152 ) [ "core" "cosine" "inetorgperson" "nis" ] ++ [
153 "${openldap.immae-ldif}"
155 "olcDatabase={0}config" = {
157 objectClass = "olcDatabaseConfig";
158 olcDatabase = "{0}config";
159 olcAccess = ["{0}to * by * none"];
162 "olcDatabase={1}mdb" = {
164 objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
165 olcDatabase = "{1}mdb";
177 join = builtins.replaceStrings ["\n"] [" "];
179 # First matching "to" + "by" wins
180 #### Replication needs full access
182 by dn.base="uid=ldap_replication,cn=ldap,ou=services,dc=immae,dc=eu" read
185 #### Prevent modification of SASL passwords
186 (join ''{1}to attrs=userPassword val.regex="^.SASL..+"
191 #### Oneself needs access to users password
192 (join ''{2}to attrs=userPassword,shadowLastChange
197 #### Should be write, but disabled during migration to psql
198 (join ''{3}to attrs=immaeSshKey
203 #### Anyone can auth, and I can see myself
210 #### Specific access for phpldapadmin
211 (join ''{5}to filter="(uid=*)" attrs=entry,uid
212 by dn.base="cn=phpldapadmin,ou=services,dc=immae,dc=eu" read
217 # The attributes are available to every host
218 (join ''{6}to dn.one="ou=hosts,dc=immae,dc=eu"
219 by dn.subtree="ou=hosts,dc=immae,dc=eu" read
220 by dn.base="dc=immae,dc=eu" search
226 # this/-* & user : all your ancestors have access to you
227 # this/memberOf/-* & user : all those whom you belong to (in a group),
228 # and their ancestors, have access to you
229 # user/immaeAccessWriteDn*/member & this : you have write access to the
230 # members of your immaeAccessDn
232 # user/immaeAccessDn*/member & this : you have access to the members
233 # of your immaeAccessDn attributes
234 # user/immaeAccessReadSubtree* & this/-* : you have access to the
235 # childrens of your immaeAccessReadSubtree
237 # this/memberOf/-* & user/immaeAccessReadSubtree*: you have access to
238 # the members of the childrens of your
239 # immaeAccessReadSubtree attributes
240 # http://www.openldap.org/faq/data/cache/1133.html
241 (join ''{7}to dn.subtree="dc=immae,dc=eu"
242 by dn.subtree="ou=external_services,dc=immae,dc=eu" break
243 by set.exact="this/-* & user" read
244 by set.exact="this/memberOf/-* & user" read
245 by set.exact="user/immaeAccessWriteDn*/member & this" write
246 by set.exact="user/immaeAccessDn*/member & this" read
247 by set.exact="user/immaeAccessReadSubtree* & this/-*" read
248 by set.exact="this/memberOf/-* & user/immaeAccessReadSubtree*" read
254 #### External services
255 # http://www.openldap.org/faq/data/cache/429.html
256 # FIXME: Find a way to whitelist?
257 (join ''{8}to attrs=immaeSshKey
258 by dn.subtree="ou=external_services,dc=immae,dc=eu" none
260 (join ''{9}to dn.subtree="dc=immae,dc=eu"
261 by set.exact="this/-* & user" read
262 by set.exact="this/memberOf/-* & user" read
263 by set.exact="user/immaeAccessDn*/member & this/-*" read
267 #### /External services
269 olcDbDirectory = cfg.dataDir;
270 olcRootDN = cfg.rootDn;
271 olcRootPW.path = config.secrets.fullPaths."ldap/password";
272 olcSuffix = cfg.baseDn;
275 "olcOverlay={0}memberof" = {
277 objectClass = [ "olcOverlayConfig" "olcMemberOf" ];
278 olcOverlay = "{0}memberof";
281 "olcOverlay={1}syncprov" = {
283 objectClass = [ "olcOverlayConfig" "olcSyncProvConfig" ];
284 olcOverlay = "{1}syncprov";
285 olcSpCheckpoint = "100 10";
293 myServices.monitoring.fromMasterActivatedPlugins = [ "tcp" ];
294 myServices.monitoring.fromMasterObjects.service = [
296 service_description = "ldap SSL is up to date";
297 host_name = config.hostEnv.fqdn;
298 use = "external-service";
299 check_command = ["check_tcp_ssl" "636"];
301 servicegroups = "webstatus-ssl";
302 _webstatus_name = "LDAP";
303 _webstatus_url = "ldap.immae.eu";