From bbba84f5f4185d2e5173a3cb8b3d008c23665e54 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Isma=C3=ABl=20Bouya?=
Date: Thu, 24 Jan 2019 23:04:12 +0100
Subject: [PATCH] Add SSL for pam ldap connection

---
 virtual/modules/databases/default.nix | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/virtual/modules/databases/default.nix b/virtual/modules/databases/default.nix
index 304ad89..94d8d75 100644
--- a/virtual/modules/databases/default.nix
+++ b/virtual/modules/databases/default.nix
@@ -111,19 +111,21 @@ in {
   };
   security.pam.services = let
-    pam_ldap = pkgs.pam_ldap;
+    pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
     pam_ldap_mysql = pkgs.writeText "mysql.conf" ''
-      host ldap.immae.eu
-      base dc=immae,dc=eu
+      host ${myconfig.env.ldap.host}
+      base ${myconfig.env.ldap.base}
       binddn cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
       bindpw ${myconfig.env.databases.mysql.pam_password}
+      ssl start_tls
       pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
     '';
     pam_ldap_postgresql_replication = pkgs.writeText "postgresql.conf" ''
-      host ldap.immae.eu
-      base dc=immae,dc=eu
-      binddn cn=eldiron,ou=hosts,dc=immae,dc=eu
+      host ${myconfig.env.ldap.host}
+      base ${myconfig.env.ldap.base}
+      binddn ${myconfig.env.ldap.host_dn}
+      ssl start_tls
       pam_login_attribute cn
     '';
   in [
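Review bot: The new `ssl start_tls` line in both pam_ldap configs (mysql.conf and postgresql.conf) turns on STARTTLS but says nothing about certificate verification, so whether the server is actually authenticated falls back to libldap's TLS_REQCERT default and to whatever CA store that library happens to find on the host. With a lenient default or a missing bundle the bind password still travels over a session whose peer was never checked, and with a strict default but no bundle the bind simply fails at runtime. Make the policy explicit in the file under review by adding `tls_checkpeer yes` and `tls_cacertfile <path-to-CA-bundle>` (placeholder; point it at the bundle trusted for `${myconfig.env.ldap.host}`) directly after each `ssl start_tls` line. Unrelated to this change but visible in context: `bindpw` is still interpolated into a `pkgs.writeText` file, which lands world-readable in the Nix store. The `let` block this hunk edits continues past the hunk into the `in [` list.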
@@ -131,22 +133,22 @@ in {
       name = "mysql";
       text = ''
         # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
-        auth required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
-        account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
+        auth required ${pam_ldap} config=${pam_ldap_mysql}
+        account required ${pam_ldap} config=${pam_ldap_mysql}
       '';
     }
     {
       name = "postgresql";
       text = ''
-        auth required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
-        account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
+        auth required ${pam_ldap} config=${pam_ldap_postgresql_replication}
+        account required ${pam_ldap} config=${pam_ldap_postgresql_replication}
       '';
     }
     {
       name = "postgresql_replication";
       text = ''
-        auth required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
-        account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
+        auth required ${pam_ldap} config=${pam_ldap_postgresql_replication}
+        account required ${pam_ldap} config=${pam_ldap_postgresql_replication}
       '';
     }
   ];
-- 
2.41.0