nix/hosts/amtmann/ldap.nix


{ config, pkgs, ... }:
{
# Root-DN password for the mdb database, provided through age.secrets and
# referenced below via config.age.secrets."ldap-root-password".path, so the
# secret never lands in the Nix store. Owned by the service account; the file
# mode is left at the module default (not set here).
age.secrets = {
  "ldap-root-password" = {
    file = ../../secrets/ldap-root-password.age;
    owner = "openldap";
  };
};
# Pre-create the mdb data directory named by olcDbDirectory below.
# 0700 openldap:openldap keeps the database files private to the daemon.
systemd.tmpfiles = {
  rules = [
    "d /var/lib/openldap/data 0700 openldap openldap -"
  ];
};
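services.openldap = {
  enable = true;

  # NOTE(review): only plain LDAP and the local ldapi socket are served here.
  # There is no ldaps:/// listener and no olcTLS* attribute anywhere in this
  # file, so simple binds on 389 cross the network in cleartext unless TLS is
  # wired up by another module. StartTLS or ldaps plus an olcSecurity ssf
  # floor is the usual fix; confirm before exposing this host beyond a
  # trusted network.
  urlList = [ "ldap:///" "ldapi:///" ];

  settings = {
    # Global (cn=config) attributes.
    attrs = {
      olcLogLevel = "stats";
      # {CRYPT} hashes (olcPasswordHash below) use SHA-512 crypt ($6$).
      # glibc consumes up to 16 salt characters; the previous %.8s threw
      # away half of that salt space for no benefit. Existing hashes keep
      # verifying because crypt reads the salt back from the stored value.
      olcPasswordCryptSaltFormat = "$6$%.16s";
      # No anonymous binds, and every operation needs an authenticated
      # identity. The ACLs in the mdb database say "by users read" rather
      # than "by * read" so that nothing widens silently if these two lines
      # are ever relaxed.
      olcDisallows = "bind_anon";
      olcRequires = "authc";
      olcIdleTimeout = "60";
    };

    children = {
      "cn=schema".includes = [
        "${pkgs.openldap}/etc/schema/core.ldif"
        "${pkgs.openldap}/etc/schema/cosine.ldif"
        "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
        "${pkgs.openldap}/etc/schema/nis.ldif"
        "${./samba.ldif}"
      ];

      "olcDatabase={-1}frontend" = {
        attrs = {
          objectClass = [ "olcDatabaseConfig" "olcFrontendConfig" ];
          olcDatabase = "{-1}frontend";
          # Unlimited result sets for every bound identity. Combined with
          # the final "to *" read ACL, any account can enumerate the whole
          # directory; acceptable for a small domain, otherwise scope it
          # with olcLimits.
          olcSizeLimit = "unlimited";
          # Scheme used when slapd hashes a password itself (passwd exop,
          # or ppolicy if olcPPolicyHashCleartext were TRUE).
          olcPasswordHash = "{CRYPT}";
        };
      };

      # cn=config is reachable only as local root over the ldapi socket:
      #   ldapmodify -Y EXTERNAL -H ldapi:///
      # Everyone else, including the mdb rootDN, gets nothing.
      "olcDatabase={0}config" = {
        attrs = {
          objectClass = "olcDatabaseConfig";
          olcDatabase = "{0}config";
          olcAccess = [
            ''to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none''
          ];
        };
      };

      "olcDatabase={1}mdb" = {
        attrs = {
          objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
          olcDatabase = "{1}mdb";
          olcDbDirectory = "/var/lib/openldap/data";
          olcSuffix = "dc=baubs,dc=net";
          # The rootDN bypasses every ACL below; its password comes from the
          # age secret so it is never in the store.
          olcRootDN = "uid=root,cn=users,dc=baubs,dc=net";
          olcRootPW.path = config.age.secrets."ldap-root-password".path;
          olcDbIndex = [
            "objectClass eq"
            "cn pres,eq,sub"
            "uid pres,eq,sub"
            "uidNumber pres,eq"
            "gidNumber pres,eq"
            "memberUid eq"
            "member eq"
            "sambaDomainName eq"
            "sambaSID eq"
            "entryCSN eq"
            "entryUUID eq"
          ];
          # ACLs are first-match on the "to" clause, so order is load-bearing:
          # the password rules must stay ahead of "@inetOrgPerson" and "to *",
          # otherwise "by self write" / "by users read" on those would apply
          # to the hashes. The set= clauses resolve nested group membership
          # (member*) of the three Directory * groups.
          olcAccess = [
            # rootDSE and schema: readable by anything that passed
            # olcRequires authc.
            ''to dn.base="" by * read''
            ''to dn.base="cn=Subschema" by * read''
            # userPassword: owners may change their own; Operators may set
            # but not read (=w); Consumers can read the stored value.
            # "anonymous auth" is what lets a simple bind compare the
            # password even though bind_anon is disallowed. Note that
            # olcPPolicyHashCleartext is FALSE below, so a cleartext value
            # written with a plain modify is stored verbatim and is then
            # readable by Consumers.
            ''to attrs=userPassword by self write by set="[cn=Directory Operators,cn=groups,dc=baubs,dc=net]/member* & user" =w by set="[cn=Directory Consumers,cn=groups,dc=baubs,dc=net]/member* & user" read by anonymous auth''
            # NT/LM hashes are password-equivalent (pass-the-hash), so
            # membership in Consumers or Clients is effectively a credential
            # for every account; keep those groups small. NOTE(review): if
            # samba.ldif defines sambaPasswordHistory it is not listed here
            # and falls under the "to *" rule (readable by all users) -
            # consider adding it to this attrs list.
            ''to attrs=sambaLMPassword,sambaNTPassword by self write by set="[cn=Directory Operators,cn=groups,dc=baubs,dc=net]/member* & user" write by set="[cn=Directory Consumers,cn=groups,dc=baubs,dc=net]/member* & user" read by set="[cn=Directory Clients,cn=groups,dc=baubs,dc=net]/member* & user" read''
            ''to attrs=shadowLastChange,sambaPwdLastSet by self write by set="[cn=Directory Operators,cn=groups,dc=baubs,dc=net]/member* & user" write by users read''
            # Identity attributes are Operator-managed; users cannot rename
            # themselves or change their uid/gid numbers.
            ''to attrs=homeDirectory,uid,cn,uidNumber,gidNumber by set="[cn=Directory Operators,cn=groups,dc=baubs,dc=net]/member* & user" write by users read''
            # Remaining inetOrgPerson attributes (sn, mail, ...) are
            # self-service; uid/cn/userPassword are already claimed above.
            ''to attrs=gecos,@inetOrgPerson by self write by set="[cn=Directory Operators,cn=groups,dc=baubs,dc=net]/member* & user" write by users read''
            # Everything else, including group entries, their member lists,
            # objectClass and the entry/children pseudo-attributes: Operators
            # write, any authenticated identity reads.
            ''to * by set="[cn=Directory Operators,cn=groups,dc=baubs,dc=net]/member* & user" write by users read''
          ];
        };

        children = {
          "olcOverlay={0}memberof" = {
            attrs = {
              objectClass = [ "olcOverlayConfig" "olcMemberOf" ];
              olcOverlay = "{0}memberof";
              olcMemberOfDangling = "ignore";
              # RefInt FALSE: deleting or renaming a user does not remove it
              # from group member lists; Operators must clean those up.
              olcMemberOfRefInt = "FALSE";
              # NOTE(review): groups are posixGroup and the member attribute
              # is left at the overlay default (member). With the stock
              # rfc2307 nis.ldif, posixGroup only allows memberUid; the
              # set= ACLs and the "member eq" index above suggest the loaded
              # schema does permit member on these groups - confirm, since
              # otherwise memberOf is never populated.
              olcMemberOfGroupOC = "posixGroup";
            };
          };
          "olcOverlay={1}ppolicy" = {
            attrs = {
              objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ];
              olcOverlay = "{1}ppolicy";
              olcPPolicyDefault = "cn=default,ou=pwpolicies,dc=baubs,dc=net";
              # NOTE(review): FALSE means a cleartext userPassword sent via
              # an ordinary modify is stored unhashed; only the password
              # modify exop goes through olcPasswordHash. TRUE would hash
              # such values (values already carrying a {scheme} prefix are
              # left alone). Left as-is pending confirmation that no client
              # depends on the current behaviour.
              olcPPolicyHashCleartext = "FALSE";
              # Account lockout is off; pwdMaxFailure in the default policy
              # has no effect until this is TRUE.
              olcPPolicyUseLockout = "FALSE";
            };
          };
        };
      };
    };
  };
};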
networking.firewall.allowedTCPPorts = [ 389 636 ];
}