{ lib, pkgs, config, openldap, ... }: let cfg = config.myServices.databases.openldap; in { options.myServices.databases = { openldap = { enable = lib.mkOption { default = false; example = true; description = "Whether to enable ldap"; type = lib.types.bool; }; baseDn = lib.mkOption { type = lib.types.str; description = '' Base DN for LDAP ''; }; rootDn = lib.mkOption { type = lib.types.str; description = '' Root DN ''; }; rootPw = lib.mkOption { type = lib.types.str; description = '' Root (Hashed) password ''; }; accessFile = lib.mkOption { type = lib.types.path; description = '' The file path that defines the access ''; }; dataDir = lib.mkOption { type = lib.types.path; default = "/var/lib/openldap/mdb"; description = '' The directory where Openldap stores its data. ''; }; socketsDir = lib.mkOption { type = lib.types.path; default = "/run/openldap"; description = '' The directory where Openldap puts sockets and pid files. ''; }; # Output variables pids = lib.mkOption { type = lib.types.attrsOf lib.types.path; default = { pid = "${cfg.socketsDir}/slapd.pid"; args = "${cfg.socketsDir}/slapd.args"; }; readOnly = true; description = '' Slapd pid files ''; }; }; }; config = lib.mkIf cfg.enable { myServices.dns.zones."immae.eu".subdomains.ldap = with config.myServices.dns.helpers; ips servers.eldiron.ips.main; nixpkgs.overlays = [ (self: super: { openldap_libressl_cyrus = (self.openldap.override { openssl = self.libressl; cyrus_sasl = self.cyrus_sasl.overrideAttrs (old: { configureFlags = old.configureFlags ++ [ "--with-configdir=/etc/sasl2" ]; }); }).overrideAttrs (old: { configureFlags = old.configureFlags ++ [ "--with-cyrus-sasl" "--enable-spasswd" ]; }); }) ]; secrets.keys = { "ldap/password" = { permissions = "0400"; user = "openldap"; group = "openldap"; text = "${cfg.rootPw}"; }; "ldap/access" = { permissions = "0400"; user = "openldap"; group = "openldap"; text = builtins.readFile cfg.accessFile; }; "ldap" = { permissions = "0500"; user = "openldap"; group = "openldap"; isDir = true; }; }; users.users.openldap.extraGroups = [ "keys" ]; networking.firewall.allowedTCPPorts = [ 636 389 ]; security.acme.certs."ldap" = { group = "openldap"; domain = "ldap.immae.eu"; postRun = '' systemctl restart openldap.service ''; }; services.filesWatcher.openldap = { restart = true; paths = [ config.secrets.fullPaths."ldap" ]; }; services.openldap = { enable = true; urlList = [ "ldap://" "ldaps://" ]; package = pkgs.openldap_libressl_cyrus; settings = { attrs = { olcPidFile = cfg.pids.pid; olcArgsFile = cfg.pids.args; olcLogLevel = "none"; olcTLSCertificateFile = "${config.security.acme.certs.ldap.directory}/cert.pem"; olcTLSCertificateKeyFile = "${config.security.acme.certs.ldap.directory}/key.pem"; olcTLSCACertificateFile = "${config.security.acme.certs.ldap.directory}/fullchain.pem"; olcTLSCACertificatePath = "${pkgs.cacert.unbundled}/etc/ssl/certs/"; # This makes openldap crash # olcTLSCipherSuite = "DEFAULT"; #olcSaslHost = "kerberos.immae.eu"; # Map sasl "dn" to ldap dn #olcAuthzRegexp = ''{0}"uid=([^,]*)(,cn=IMMAE.EU)?,cn=(gssapi|gss-spnego),cn=auth" "uid=$1,ou=users,dc=immae,dc=eu"''; }; children = { "cn=module{0}" = { attrs = { cn = "module{0}"; objectClass = [ "olcModuleList" ]; olcModuleLoad = [ "{0}back_mdb" "{1}memberof" "{2}syncprov" ]; }; }; "cn=schema".includes = map (schema: "${config.services.openldap.package}/etc/schema/${schema}.ldif" ) [ "core" "cosine" "inetorgperson" "nis" ] ++ [ "${openldap.immae-ldif}" ]; "olcDatabase={0}config" = { attrs = { objectClass = "olcDatabaseConfig"; olcDatabase = "{0}config"; olcAccess = ["{0}to * by * none"]; }; }; "olcDatabase={1}mdb" = { attrs = { objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; olcDatabase = "{1}mdb"; olcDbIndex = [ "objectClass eq" "uid pres,eq" "mail pres,eq,sub" "cn pres,eq,sub" "sn pres,eq,sub" "dc eq" "member eq" "memberOf eq" ]; olcAccess = let join = builtins.replaceStrings ["\n"] [" "]; in [ # First matching "to" + "by" wins #### Replication needs full access (join ''{0}to * by dn.base="uid=ldap_replication,cn=ldap,ou=services,dc=immae,dc=eu" read by * break '') #### Prevent modification of SASL passwords (join ''{1}to attrs=userPassword val.regex="^.SASL..+" by self read by anonymous auth by * none '') #### Oneself needs access to users password (join ''{2}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none '') #### Should be write, but disabled during migration to psql (join ''{3}to attrs=immaeSshKey by self read by * break '') #### Anyone can auth, and I can see myself (join ''{4}to * by self read by anonymous auth by * break '') #### Specific access for phpldapadmin (join ''{5}to filter="(uid=*)" attrs=entry,uid by dn.base="cn=phpldapadmin,ou=services,dc=immae,dc=eu" read by * break '') #### Hosts # The attributes are available to every host (join ''{6}to dn.one="ou=hosts,dc=immae,dc=eu" by dn.subtree="ou=hosts,dc=immae,dc=eu" read by dn.base="dc=immae,dc=eu" search by * break '') #### /Hosts #### Local services # this/-* & user : all your ancestors have access to you # this/memberOf/-* & user : all those whom you belong to (in a group), # and their ancestors, have access to you # user/immaeAccessWriteDn*/member & this : you have write access to the # members of your immaeAccessDn # attributes # user/immaeAccessDn*/member & this : you have access to the members # of your immaeAccessDn attributes # user/immaeAccessReadSubtree* & this/-* : you have access to the # childrens of your immaeAccessReadSubtree # attributes # this/memberOf/-* & user/immaeAccessReadSubtree*: you have access to # the members of the childrens of your # immaeAccessReadSubtree attributes # http://www.openldap.org/faq/data/cache/1133.html (join ''{7}to dn.subtree="dc=immae,dc=eu" by dn.subtree="ou=external_services,dc=immae,dc=eu" break by set.exact="this/-* & user" read by set.exact="this/memberOf/-* & user" read by set.exact="user/immaeAccessWriteDn*/member & this" write by set.exact="user/immaeAccessDn*/member & this" read by set.exact="user/immaeAccessReadSubtree* & this/-*" read by set.exact="this/memberOf/-* & user/immaeAccessReadSubtree*" read by users search by * break '') #### /Local services #### External services # http://www.openldap.org/faq/data/cache/429.html # FIXME: Find a way to whitelist? (join ''{8}to attrs=immaeSshKey by dn.subtree="ou=external_services,dc=immae,dc=eu" none '') (join ''{9}to dn.subtree="dc=immae,dc=eu" by set.exact="this/-* & user" read by set.exact="this/memberOf/-* & user" read by set.exact="user/immaeAccessDn*/member & this/-*" read by users search by * none '') #### /External services ]; olcDbDirectory = cfg.dataDir; olcRootDN = cfg.rootDn; olcRootPW.path = config.secrets.fullPaths."ldap/password"; olcSuffix = cfg.baseDn; }; children = { "olcOverlay={0}memberof" = { attrs = { objectClass = [ "olcOverlayConfig" "olcMemberOf" ]; olcOverlay = "{0}memberof"; }; }; "olcOverlay={1}syncprov" = { attrs = { objectClass = [ "olcOverlayConfig" "olcSyncProvConfig" ]; olcOverlay = "{1}syncprov"; olcSpCheckpoint = "100 10"; }; }; }; }; }; }; }; myServices.monitoring.fromMasterActivatedPlugins = [ "tcp" ]; myServices.monitoring.fromMasterObjects.service = [ { service_description = "ldap SSL is up to date"; host_name = config.hostEnv.fqdn; use = "external-service"; check_command = ["check_tcp_ssl" "636"]; servicegroups = "webstatus-ssl"; _webstatus_name = "LDAP"; _webstatus_url = "ldap.immae.eu"; } ]; }; }