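{ config, pkgs, ... }:
{
  # Root DN password, decrypted by agenix at activation and readable only by the
  # slapd service user. slapd compares olcRootPW against whatever this file
  # holds, so the secret should be stored as a {CRYPT}/{SSHA} hash rather than
  # the cleartext password — TODO confirm the .age contents.
  age.secrets."ldap-root-password" = {
    file = ../../secrets/ldap-root-password.age;
    owner = "openldap";
  };

  # MDB data directory: owner-only so no other local account can read the DB
  # files (which hold every password hash in the directory).
  systemd.tmpfiles.rules = [ "d /var/lib/openldap/data 0700 openldap openldap -" ];

  services.openldap = {
    enable = true;

    # Plain LDAP on every interface plus the local UNIX socket used for admin
    # access. This module sets no ldaps:/// listener and no olcTLS* attributes,
    # so simple binds over 389 carry passwords in cleartext unless TLS is
    # configured in another module (NixOS merges urlList/settings.attrs across
    # modules — verify). Once TLS exists, add olcSecurity (e.g. "ssf=128") so
    # unprotected simple binds are refused rather than merely discouraged.
    urlList = [ "ldap:///" "ldapi:///" ];

    settings = {
      attrs = {
        olcLogLevel = "stats";
        # SHA-512 crypt(3) with an 8-character salt for {CRYPT} hashes.
        olcPasswordCryptSaltFormat = "$6$%.8s";
        # Anonymous binds are refused and every operation requires an
        # authenticated session; the "by anonymous auth" clause on userPassword
        # below is still needed for the bind operation itself.
        olcDisallows = "bind_anon";
        olcRequires = "authc";
        # Seconds before an idle client connection is dropped.
        olcIdleTimeout = "60";
      };

      children = {
        "cn=schema".includes = [
          "${pkgs.openldap}/etc/schema/core.ldif"
          "${pkgs.openldap}/etc/schema/cosine.ldif"
          "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
          "${pkgs.openldap}/etc/schema/nis.ldif"
          "${./samba.ldif}"
        ];

        "olcDatabase={-1}frontend" = {
          attrs = {
            objectClass = [ "olcDatabaseConfig" "olcFrontendConfig" ];
            olcDatabase = "{-1}frontend";
            # No result cap: any authenticated principal can page out the whole
            # tree. Acceptable while every binder is trusted; revisit if the
            # Directory Clients set grows.
            olcSizeLimit = "unlimited";
            # Scheme applied by the Password Modify extended operation and by the
            # ppolicy hash-cleartext setting below.
            olcPasswordHash = "{CRYPT}";
          };
        };

        # cn=config is reachable only by root over the UNIX socket:
        #   ldapmodify -Y EXTERNAL -H ldapi:///   (as root)
        # Everyone else, including the rootdn of the data DB, gets nothing.
        "olcDatabase={0}config" = {
          attrs = {
            objectClass = "olcDatabaseConfig";
            olcDatabase = "{0}config";
            olcAccess = [
              ''to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none''
            ];
          };
        };

        "olcDatabase={1}mdb" = {
          attrs = {
            objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
            olcDatabase = "{1}mdb";
            olcDbDirectory = "/var/lib/openldap/data";
            olcSuffix = "dc=baubs,dc=net";
            olcRootDN = "uid=root,cn=users,dc=baubs,dc=net";
            # Read from the agenix secret at start-up; see the note on age.secrets.
            olcRootPW.path = config.age.secrets."ldap-root-password".path;
            olcDbIndex = [
              "objectClass eq"
              "cn pres,eq,sub"
              "uid pres,eq,sub"
              "uidNumber pres,eq"
              "gidNumber pres,eq"
              "memberUid eq"
              "member eq"
              "sambaDomainName eq"
              "sambaSID eq"
              "entryCSN eq"
              "entryUUID eq"
            ];
            # ACLs are evaluated top-down, first match wins, implicit "by * none"
            # at the end of each clause. Role groups:
            #   Directory Operators - account administration
            #   Directory Consumers - may read credential hashes (e.g. replicas)
            #   Directory Clients   - may read Samba NT/LM hashes (domain members)
            olcAccess = [
              ''to dn.base="" by * read''
              ''to dn.base="cn=Subschema" by * read''
              # Operators get =w (write without read) on userPassword; Consumers
              # can read the {CRYPT} hashes. Anonymous may only use it to bind.
              ''to attrs=userPassword by self write by set="[cn=Directory Operators,cn=groups,dc=baubs,dc=net]/member* & user" =w by set="[cn=Directory Consumers,cn=groups,dc=baubs,dc=net]/member* & user" read by anonymous auth''
              # NT hashes are password-equivalent (pass-the-hash): every member
              # of Directory Clients and Consumers effectively holds every user's
              # credential. Note Operators get full "write" here (so read too),
              # unlike the =w granted on userPassword above — intentional?
              ''to attrs=sambaLMPassword,sambaNTPassword by self write by set="[cn=Directory Operators,cn=groups,dc=baubs,dc=net]/member* & user" write by set="[cn=Directory Consumers,cn=groups,dc=baubs,dc=net]/member* & user" read by set="[cn=Directory Clients,cn=groups,dc=baubs,dc=net]/member* & user" read''
              ''to attrs=shadowLastChange,sambaPwdLastSet by self write by set="[cn=Directory Operators,cn=groups,dc=baubs,dc=net]/member* & user" write by users read''
              # Identity attributes are writable only by Operators; a user cannot
              # change their own uid/uidNumber/gidNumber.
              ''to attrs=homeDirectory,uid,cn,uidNumber,gidNumber by set="[cn=Directory Operators,cn=groups,dc=baubs,dc=net]/member* & user" write by * read''
              ''to attrs=gecos,@inetOrgPerson by self write by set="[cn=Directory Operators,cn=groups,dc=baubs,dc=net]/member* & user" write by * read''
              ''to * by set="[cn=Directory Operators,cn=groups,dc=baubs,dc=net]/member* & user" write by * read''
            ];
          };

          children = {
            # NOTE(review): the set-based ACLs above and the "member eq" index
            # expect a DN-valued "member" attribute on the role groups, but
            # posixGroup as defined in nis.ldif carries memberUid — confirm that
            # samba.ldif or the actual group entries provide "member", otherwise
            # the set clauses match nobody and Operators/Consumers/Clients get
            # only the "by *" / "by users" grants.
            "olcOverlay={0}memberof" = {
              attrs = {
                objectClass = [ "olcOverlayConfig" "olcMemberOf" ];
                olcOverlay = "{0}memberof";
                olcMemberOfDangling = "ignore";
                olcMemberOfRefInt = "FALSE";
                olcMemberOfGroupOC = "posixGroup";
              };
            };

            "olcOverlay={1}ppolicy" = {
              attrs = {
                objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ];
                olcOverlay = "{1}ppolicy";
                olcPPolicyDefault = "cn=default,ou=pwpolicies,dc=baubs,dc=net";
                # Hash cleartext userPassword values arriving via plain add/modify
                # with the frontend olcPasswordHash scheme. With the previous
                # FALSE, the "self write" grant above let a user store their
                # password verbatim, readable by Directory Consumers. Values that
                # already carry a {SCHEME} prefix are left untouched, and the
                # Password Modify exop path is unaffected.
                olcPPolicyHashCleartext = "TRUE";
                # No account lockout: avoids lockout-based DoS and lockout-state
                # user enumeration. Nothing in this module rate-limits failed
                # binds, so online guessing is only slowed by the crypt cost.
                olcPPolicyUseLockout = "FALSE";
              };
            };
          };
        };
      };
    };
  };

  # 636 is opened although this module configures no ldaps:/// listener; the
  # rule is a no-op until TLS is added here or in another module. Either add
  # the listener and olcTLS* attributes or drop 636 so the firewall reflects
  # what actually listens.
  networking.firewall.allowedTCPPorts = [ 389 636 ];
}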