Add SSL for pam ldap connection

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-01-24 23:04:12 +0100
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-01-24 23:04:12 +0100
commit: bbba84f5f4185d2e5173a3cb8b3d008c23665e54 (patch)
tree: 57accfb03d7e8e6c21653e183e1da590e561a3e8
parent: 6f4574e7b57043340a2a520c4bbeb17dde72e0ea (diff)
download: Nix-bbba84f5f4185d2e5173a3cb8b3d008c23665e54.tar.gz
Nix-bbba84f5f4185d2e5173a3cb8b3d008c23665e54.tar.zst
Nix-bbba84f5f4185d2e5173a3cb8b3d008c23665e54.zip
1 files changed, 14 insertions, 12 deletions
diff --git a/virtual/modules/databases/default.nix b/virtual/modules/databases/default.nix
index 304ad89..94d8d75 100644
--- a/virtual/modules/databases/default.nix
+++ b/virtual/modules/databases/default.nix
@@ -111,19 +111,21 @@ in {
    };
    security.pam.services = let
-      pam_ldap = pkgs.pam_ldap;
+      pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
      pam_ldap_mysql = pkgs.writeText "mysql.conf" ''
-        host ldap.immae.eu
+        host ${myconfig.env.ldap.host}
-        base dc=immae,dc=eu
+        base ${myconfig.env.ldap.base}
        binddn cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
        bindpw ${myconfig.env.databases.mysql.pam_password}
+        ssl start_tls
        pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
        '';
      pam_ldap_postgresql_replication = pkgs.writeText "postgresql.conf" ''
-        host ldap.immae.eu
+        host ${myconfig.env.ldap.host}
-        base dc=immae,dc=eu
+        base ${myconfig.env.ldap.base}
-        binddn cn=eldiron,ou=hosts,dc=immae,dc=eu
+        binddn ${myconfig.env.ldap.host_dn}
        bindpw ${myconfig.env.ldap.password}
+        ssl start_tls
        pam_login_attribute cn
        '';
    in [
@@ -131,22 +133,22 @@ in {
        name = "mysql";
        text = ''
          # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
-          auth    required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
+          auth    required ${pam_ldap} config=${pam_ldap_mysql}
-          account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
+          account required ${pam_ldap} config=${pam_ldap_mysql}
          '';
      }
      {
        name = "postgresql";
        text = ''
-          auth    required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
+          auth    required ${pam_ldap} config=${pam_ldap_postgresql_replication}
-          account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
+          account required ${pam_ldap} config=${pam_ldap_postgresql_replication}
          '';
      }
      {
        name = "postgresql_replication";
        text = ''
-          auth    required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
+          auth    required ${pam_ldap} config=${pam_ldap_postgresql_replication}
-          account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
+          account required ${pam_ldap} config=${pam_ldap_postgresql_replication}
          '';
      }
    ];
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-01-24 23:04:12 +0100
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-01-24 23:04:12 +0100
commit	bbba84f5f4185d2e5173a3cb8b3d008c23665e54 (patch)
tree	57accfb03d7e8e6c21653e183e1da590e561a3e8
parent	6f4574e7b57043340a2a520c4bbeb17dde72e0ea (diff)
download	Nix-bbba84f5f4185d2e5173a3cb8b3d008c23665e54.tar.gz Nix-bbba84f5f4185d2e5173a3cb8b3d008c23665e54.tar.zst Nix-bbba84f5f4185d2e5173a3cb8b3d008c23665e54.zip