jan-henrik/nix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
nix/hosts/amtmann/ldap.nix

113 lines
4.3 KiB
Nix
Raw Permalink Blame History

{ config, pkgs, ... }:
{
age.secrets."ldap-root-password" = {
file = ../../secrets/ldap-root-password.age;
owner = "openldap";
};
systemd.tmpfiles.rules = [
"d /var/lib/openldap/data 0700 openldap openldap -"
];
services.openldap = {
enable = true;
urlList = [ "ldap:///" "ldapi:///" ];
settings = {
attrs = {
olcLogLevel = "stats";
olcPasswordCryptSaltFormat = "$6$%.8s";
olcDisallows = "bind_anon";
olcRequires = "authc";
olcIdleTimeout = "60";
};
children = {
"cn=schema".includes = [
"${pkgs.openldap}/etc/schema/core.ldif"
"${pkgs.openldap}/etc/schema/cosine.ldif"
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
"${pkgs.openldap}/etc/schema/nis.ldif"
"${./samba.ldif}"
];
"olcDatabase={-1}frontend" = {
attrs = {
objectClass = [ "olcDatabaseConfig" "olcFrontendConfig" ];
olcDatabase = "{-1}frontend";
olcSizeLimit = "unlimited";
olcPasswordHash = "{CRYPT}";
};
};
# Access only via: ldapmodify -Y EXTERNAL -H ldapi:/// (as root)
"olcDatabase={0}config" = {
attrs = {
objectClass = "olcDatabaseConfig";
olcDatabase = "{0}config";
olcAccess = [
''to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none''
];
};
};
"olcDatabase={1}mdb" = {
attrs = {
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
olcDatabase = "{1}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = "dc=baubs,dc=net";
olcRootDN = "uid=root,cn=users,dc=baubs,dc=net";
olcRootPW.path = config.age.secrets."ldap-root-password".path;
olcDbIndex = [
"objectClass eq"
"cn pres,eq,sub"
"uid pres,eq,sub"
"uidNumber pres,eq"
"gidNumber pres,eq"
"memberUid eq"
"member eq"
"sambaDomainName eq"
"sambaSID eq"
"entryCSN eq"
"entryUUID eq"
];
olcAccess = [
''to dn.base="" by * read''
''to dn.base="cn=Subschema" by * read''
''to attrs=userPassword by self write by set="[cn=Directory Operators,cn=groups,dc=baubs,dc=net]/member* & user" =w by set="[cn=Directory Consumers,cn=groups,dc=baubs,dc=net]/member* & user" read by anonymous auth''
''to attrs=sambaLMPassword,sambaNTPassword by self write by set="[cn=Directory Operators,cn=groups,dc=baubs,dc=net]/member* & user" write by set="[cn=Directory Consumers,cn=groups,dc=baubs,dc=net]/member* & user" read by set="[cn=Directory Clients,cn=groups,dc=baubs,dc=net]/member* & user" read''
''to attrs=shadowLastChange,sambaPwdLastSet by self write by set="[cn=Directory Operators,cn=groups,dc=baubs,dc=net]/member* & user" write by users read''
''to attrs=homeDirectory,uid,cn,uidNumber,gidNumber by set="[cn=Directory Operators,cn=groups,dc=baubs,dc=net]/member* & user" write by * read''
''to attrs=gecos,@inetOrgPerson by self write by set="[cn=Directory Operators,cn=groups,dc=baubs,dc=net]/member* & user" write by * read''
''to * by set="[cn=Directory Operators,cn=groups,dc=baubs,dc=net]/member* & user" write by * read''
];
};
children = {
"olcOverlay={0}memberof" = {
attrs = {
objectClass = [ "olcOverlayConfig" "olcMemberOf" ];
olcOverlay = "{0}memberof";
olcMemberOfDangling = "ignore";
olcMemberOfRefInt = "FALSE";
olcMemberOfGroupOC = "posixGroup";
};
};
"olcOverlay={1}ppolicy" = {
attrs = {
objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ];
olcOverlay = "{1}ppolicy";
olcPPolicyDefault = "cn=default,ou=pwpolicies,dc=baubs,dc=net";
olcPPolicyHashCleartext = "FALSE";
olcPPolicyUseLockout = "FALSE";
};
};
};
};
};
};
};
networking.firewall.allowedTCPPorts = [ 389 636 ];
}
Reference in a new issue View git blame Copy permalink