Add SSL for pam ldap connection
authorIsmaël Bouya <ismael.bouya@normalesup.org>
Thu, 24 Jan 2019 22:04:12 +0000 (23:04 +0100)
committerIsmaël Bouya <ismael.bouya@normalesup.org>
Thu, 24 Jan 2019 22:04:12 +0000 (23:04 +0100)
virtual/modules/databases/default.nix

index 304ad8923484ad0c9c874ed52616485f10d00062..94d8d75ededd5c134c58fd75c56a2d2a585b56f6 100644 (file)
@@ -111,19 +111,21 @@ in {
     };
 
     security.pam.services = let
-      pam_ldap = pkgs.pam_ldap;
+      pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
       pam_ldap_mysql = pkgs.writeText "mysql.conf" ''
-        host ldap.immae.eu
-        base dc=immae,dc=eu
+        host ${myconfig.env.ldap.host}
+        base ${myconfig.env.ldap.base}
         binddn cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
         bindpw ${myconfig.env.databases.mysql.pam_password}
+        ssl start_tls
         pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
         '';
       pam_ldap_postgresql_replication = pkgs.writeText "postgresql.conf" ''
-        host ldap.immae.eu
-        base dc=immae,dc=eu
-        binddn cn=eldiron,ou=hosts,dc=immae,dc=eu
+        host ${myconfig.env.ldap.host}
+        base ${myconfig.env.ldap.base}
+        binddn ${myconfig.env.ldap.host_dn}
         bindpw ${myconfig.env.ldap.password}
+        ssl start_tls
         pam_login_attribute cn
         '';
     in [
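Review bot: The new `ssl start_tls` lines enable STARTTLS on the bind, but neither mysql.conf nor postgresql.conf sets `tls_checkpeer` or `tls_cacertfile`, so whether the server certificate is actually verified is left to libldap's defaults and whatever system ldap.conf (`TLS_REQCERT`) pam_ldap happens to find on the host; without verification the upgrade keeps `bindpw` from passive capture but not from an active interposer. I would pin it explicitly in both writeText bodies: `ssl start_tls`, `tls_checkpeer yes`, `tls_cacertfile <CA-BUNDLE-PATH>` (placeholder for the CA bundle this deployment trusts). Separately, mysql.conf still hardcodes `dc=immae,dc=eu` in its `binddn` and `pam_filter` while `host`/`base` now come from `myconfig.env.ldap`, so a change of base would silently break only that service; building those DNs from `${myconfig.env.ldap.base}` would keep the two configs consistent. Note also that both files are produced by `pkgs.writeText`, so the bind passwords end up in the world-readable Nix store, as they did before this change. The enclosing `let … in` and attribute set continue outside this hunk.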
@@ -131,22 +133,22 @@ in {
         name = "mysql";
         text = ''
           # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
-          auth    required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
-          account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
+          auth    required ${pam_ldap} config=${pam_ldap_mysql}
+          account required ${pam_ldap} config=${pam_ldap_mysql}
           '';
       }
       {
         name = "postgresql";
         text = ''
-          auth    required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
-          account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
+          auth    required ${pam_ldap} config=${pam_ldap_postgresql_replication}
+          account required ${pam_ldap} config=${pam_ldap_postgresql_replication}
           '';
       }
       {
         name = "postgresql_replication";
         text = ''
-          auth    required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
-          account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
+          auth    required ${pam_ldap} config=${pam_ldap_postgresql_replication}
+          account required ${pam_ldap} config=${pam_ldap_postgresql_replication}
           '';
       }
     ];