2014-04-14 16:26:48 +02:00
|
|
|
{ config, lib, pkgs, ... }:
|
2009-03-06 13:25:44 +01:00
|
|
|
|
2012-09-16 19:14:19 +02:00
|
|
|
with pkgs;
|
2014-05-05 20:58:51 +02:00
|
|
|
with lib;
|
2012-09-16 19:14:19 +02:00
|
|
|
|
2009-03-06 13:25:44 +01:00
|
|
|
let
|
2012-09-16 19:14:19 +02:00
|
|
|
|
|
|
|
cfg = config.users.ldap;
|
2009-03-06 13:25:44 +01:00
|
|
|
|
2012-09-16 19:14:19 +02:00
|
|
|
# Careful: OpenLDAP seems to be very picky about the indentation of
|
|
|
|
# this file. Directives HAVE to start in the first column!
|
|
|
|
ldapConfig = {
|
|
|
|
target = "ldap.conf";
|
|
|
|
source = writeText "ldap.conf" ''
|
|
|
|
uri ${config.users.ldap.server}
|
|
|
|
base ${config.users.ldap.base}
|
|
|
|
timelimit ${toString config.users.ldap.timeLimit}
|
|
|
|
bind_timelimit ${toString config.users.ldap.bind.timeLimit}
|
|
|
|
bind_policy ${config.users.ldap.bind.policy}
|
|
|
|
${optionalString config.users.ldap.useTLS ''
|
|
|
|
ssl start_tls
|
|
|
|
''}
|
|
|
|
${optionalString (config.users.ldap.bind.distinguishedName != "") ''
|
|
|
|
binddn ${config.users.ldap.bind.distinguishedName}
|
|
|
|
''}
|
|
|
|
${optionalString (cfg.extraConfig != "") cfg.extraConfig }
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
nslcdConfig = {
|
|
|
|
target = "nslcd.conf";
|
|
|
|
source = writeText "nslcd.conf" ''
|
|
|
|
uid nslcd
|
|
|
|
gid nslcd
|
|
|
|
uri ${cfg.server}
|
|
|
|
base ${cfg.base}
|
|
|
|
timelimit ${toString cfg.timeLimit}
|
|
|
|
bind_timelimit ${toString cfg.bind.timeLimit}
|
|
|
|
${optionalString (cfg.bind.distinguishedName != "")
|
|
|
|
"binddn ${cfg.bind.distinguishedName}" }
|
2019-01-08 17:01:01 +01:00
|
|
|
${optionalString (cfg.daemon.rootpwmoddn != "")
|
|
|
|
"rootpwmoddn ${cfg.daemon.rootpwmoddn}" }
|
2012-09-16 19:14:19 +02:00
|
|
|
${optionalString (cfg.daemon.extraConfig != "") cfg.daemon.extraConfig }
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
insertLdapPassword = !config.users.ldap.daemon.enable &&
|
|
|
|
config.users.ldap.bind.distinguishedName != "";
|
|
|
|
|
2009-03-06 13:25:44 +01:00
|
|
|
in
|
|
|
|
|
2013-09-04 13:05:09 +02:00
|
|
|
{
|
2012-09-16 19:14:19 +02:00
|
|
|
|
2013-09-04 13:05:09 +02:00
|
|
|
###### interface
|
2011-10-02 15:24:10 +02:00
|
|
|
|
2013-09-04 13:05:09 +02:00
|
|
|
options = {
|
|
|
|
|
|
|
|
users.ldap = {
|
|
|
|
|
|
|
|
enable = mkOption {
|
2016-01-17 19:34:55 +01:00
|
|
|
type = types.bool;
|
2013-09-04 13:05:09 +02:00
|
|
|
default = false;
|
|
|
|
description = "Whether to enable authentication against an LDAP server.";
|
|
|
|
};
|
|
|
|
|
2016-07-18 15:20:21 +02:00
|
|
|
loginPam = mkOption {
|
|
|
|
type = types.bool;
|
|
|
|
default = true;
|
|
|
|
description = "Whether to include authentication against LDAP in login PAM";
|
|
|
|
};
|
|
|
|
|
2016-07-18 15:24:21 +02:00
|
|
|
nsswitch = mkOption {
|
|
|
|
type = types.bool;
|
|
|
|
default = true;
|
|
|
|
description = "Whether to include lookup against LDAP in NSS";
|
|
|
|
};
|
|
|
|
|
2013-09-04 13:05:09 +02:00
|
|
|
server = mkOption {
|
|
|
|
example = "ldap://ldap.example.org/";
|
|
|
|
description = "The URL of the LDAP server.";
|
|
|
|
};
|
|
|
|
|
|
|
|
base = mkOption {
|
|
|
|
example = "dc=example,dc=org";
|
|
|
|
description = "The distinguished name of the search base.";
|
|
|
|
};
|
|
|
|
|
|
|
|
useTLS = mkOption {
|
|
|
|
default = false;
|
|
|
|
description = ''
|
|
|
|
If enabled, use TLS (encryption) over an LDAP (port 389)
|
|
|
|
connection. The alternative is to specify an LDAPS server (port
|
|
|
|
636) in <option>users.ldap.server</option> or to forego
|
|
|
|
security.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
timeLimit = mkOption {
|
|
|
|
default = 0;
|
|
|
|
type = types.int;
|
|
|
|
description = ''
|
|
|
|
Specifies the time limit (in seconds) to use when performing
|
|
|
|
searches. A value of zero (0), which is the default, is to
|
|
|
|
wait indefinitely for searches to be completed.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
daemon = {
|
|
|
|
enable = mkOption {
|
|
|
|
default = false;
|
|
|
|
description = ''
|
|
|
|
Whether to let the nslcd daemon (nss-pam-ldapd) handle the
|
|
|
|
LDAP lookups for NSS and PAM. This can improve performance,
|
|
|
|
and if you need to bind to the LDAP server with a password,
|
|
|
|
it increases security, since only the nslcd user needs to
|
|
|
|
have access to the bindpw file, not everyone that uses NSS
|
|
|
|
and/or PAM. If this option is enabled, a local nscd user is
|
|
|
|
created automatically, and the nslcd service is started
|
|
|
|
automatically when the network get up.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
extraConfig = mkOption {
|
|
|
|
default = "";
|
2015-08-17 19:52:45 +02:00
|
|
|
type = types.lines;
|
2013-09-04 13:05:09 +02:00
|
|
|
description = ''
|
|
|
|
Extra configuration options that will be added verbatim at
|
|
|
|
the end of the nslcd configuration file (nslcd.conf).
|
|
|
|
'' ;
|
|
|
|
} ;
|
2019-01-08 17:01:01 +01:00
|
|
|
|
|
|
|
rootpwmoddn = mkOption {
|
|
|
|
default = "";
|
|
|
|
example = "cn=admin,dc=example,dc=com";
|
|
|
|
type = types.str;
|
|
|
|
description = ''
|
|
|
|
The distinguished name to use to bind to the LDAP server
|
|
|
|
when the root user tries to modify a user's password.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
rootpwmodpw = mkOption {
|
|
|
|
default = "";
|
|
|
|
example = "/run/keys/nslcd.rootpwmodpw";
|
|
|
|
type = types.str;
|
|
|
|
description = ''
|
|
|
|
The path to a file containing the credentials with which
|
|
|
|
to bind to the LDAP server if the root user tries to change a user's password
|
|
|
|
'';
|
|
|
|
};
|
2013-09-04 13:05:09 +02:00
|
|
|
};
|
|
|
|
|
|
|
|
bind = {
|
|
|
|
distinguishedName = mkOption {
|
|
|
|
default = "";
|
|
|
|
example = "cn=admin,dc=example,dc=com";
|
2015-08-17 19:52:45 +02:00
|
|
|
type = types.str;
|
2013-09-04 13:05:09 +02:00
|
|
|
description = ''
|
|
|
|
The distinguished name to bind to the LDAP server with. If this
|
|
|
|
is not specified, an anonymous bind will be done.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
password = mkOption {
|
|
|
|
default = "/etc/ldap/bind.password";
|
2015-08-17 19:52:45 +02:00
|
|
|
type = types.str;
|
2013-09-04 13:05:09 +02:00
|
|
|
description = ''
|
|
|
|
The path to a file containing the credentials to use when binding
|
|
|
|
to the LDAP server (if not binding anonymously).
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
timeLimit = mkOption {
|
|
|
|
default = 30;
|
|
|
|
type = types.int;
|
|
|
|
description = ''
|
|
|
|
Specifies the time limit (in seconds) to use when connecting
|
|
|
|
to the directory server. This is distinct from the time limit
|
|
|
|
specified in <literal>users.ldap.timeLimit</literal> and affects
|
|
|
|
the initial server connection only.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
policy = mkOption {
|
|
|
|
default = "hard_open";
|
2015-08-17 19:52:45 +02:00
|
|
|
type = types.enum [ "hard_open" "hard_init" "soft" ];
|
2013-09-04 13:05:09 +02:00
|
|
|
description = ''
|
|
|
|
Specifies the policy to use for reconnecting to an unavailable
|
|
|
|
LDAP server. The default is <literal>hard_open</literal>, which
|
|
|
|
reconnects if opening the connection to the directory server
|
|
|
|
failed. By contrast, <literal>hard_init</literal> reconnects if
|
|
|
|
initializing the connection failed. Initializing may not
|
|
|
|
actually contact the directory server, and it is possible that
|
|
|
|
a malformed configuration file will trigger reconnection. If
|
|
|
|
<literal>soft</literal> is specified, then
|
|
|
|
<literal>nss_ldap</literal> will return immediately on server
|
|
|
|
failure. All hard reconnect policies block with exponential
|
|
|
|
backoff before retrying.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
extraConfig = mkOption {
|
|
|
|
default = "";
|
2015-08-17 19:52:45 +02:00
|
|
|
type = types.lines;
|
2013-09-04 13:05:09 +02:00
|
|
|
description = ''
|
|
|
|
Extra configuration options that will be added verbatim at
|
|
|
|
the end of the ldap configuration file (ldap.conf).
|
|
|
|
If <literal>users.ldap.daemon</literal> is enabled, this
|
|
|
|
configuration will not be used. In that case, use
|
|
|
|
<literal>users.ldap.daemon.extraConfig</literal> instead.
|
|
|
|
'' ;
|
|
|
|
};
|
2012-09-16 19:14:19 +02:00
|
|
|
|
|
|
|
};
|
2013-09-04 13:05:09 +02:00
|
|
|
|
2012-09-16 19:14:19 +02:00
|
|
|
};
|
|
|
|
|
2013-09-04 13:05:09 +02:00
|
|
|
###### implementation
|
|
|
|
|
|
|
|
config = mkIf cfg.enable {
|
|
|
|
|
|
|
|
environment.etc = if cfg.daemon.enable then [nslcdConfig] else [ldapConfig];
|
|
|
|
|
|
|
|
system.activationScripts = mkIf insertLdapPassword {
|
|
|
|
ldap = stringAfter [ "etc" "groups" "users" ] ''
|
|
|
|
if test -f "${cfg.bind.password}" ; then
|
2019-01-08 17:01:01 +01:00
|
|
|
umask 0077
|
|
|
|
conf="$(mktemp)"
|
|
|
|
printf 'bindpw %s\n' "$(cat ${cfg.bind.password})" |
|
|
|
|
cat ${ldapConfig.source} - >"$conf"
|
|
|
|
mv -fT "$conf" /etc/ldap.conf
|
2013-09-04 13:05:09 +02:00
|
|
|
fi
|
2012-09-16 19:14:19 +02:00
|
|
|
'';
|
2013-09-04 13:05:09 +02:00
|
|
|
};
|
|
|
|
|
|
|
|
system.nssModules = singleton (
|
|
|
|
if cfg.daemon.enable then nss_pam_ldapd else nss_ldap
|
|
|
|
);
|
|
|
|
|
|
|
|
users = mkIf cfg.daemon.enable {
|
2018-06-30 01:58:35 +02:00
|
|
|
groups.nslcd = {
|
2013-09-04 13:05:09 +02:00
|
|
|
gid = config.ids.gids.nslcd;
|
|
|
|
};
|
|
|
|
|
2018-06-30 01:58:35 +02:00
|
|
|
users.nslcd = {
|
2013-09-04 13:05:09 +02:00
|
|
|
uid = config.ids.uids.nslcd;
|
|
|
|
description = "nslcd user.";
|
|
|
|
group = "nslcd";
|
|
|
|
};
|
|
|
|
};
|
2013-01-27 20:07:37 +01:00
|
|
|
|
2013-09-04 13:05:09 +02:00
|
|
|
systemd.services = mkIf cfg.daemon.enable {
|
|
|
|
|
|
|
|
nslcd = {
|
2014-08-08 17:40:03 +02:00
|
|
|
wantedBy = [ "multi-user.target" ];
|
2013-09-04 13:05:09 +02:00
|
|
|
|
|
|
|
preStart = ''
|
2019-01-08 17:01:01 +01:00
|
|
|
umask 0077
|
|
|
|
conf="$(mktemp)"
|
|
|
|
{
|
|
|
|
cat ${nslcdConfig.source}
|
|
|
|
test -z '${cfg.bind.distinguishedName}' -o ! -f '${cfg.bind.password}' ||
|
|
|
|
printf 'bindpw %s\n' "$(cat '${cfg.bind.password}')"
|
|
|
|
test -z '${cfg.daemon.rootpwmoddn}' -o ! -f '${cfg.daemon.rootpwmodpw}' ||
|
|
|
|
printf 'rootpwmodpw %s\n' "$(cat '${cfg.daemon.rootpwmodpw}')"
|
|
|
|
} >"$conf"
|
|
|
|
mv -fT "$conf" /etc/nslcd.conf
|
2013-09-04 13:05:09 +02:00
|
|
|
'';
|
|
|
|
|
2018-09-17 03:23:32 +02:00
|
|
|
# NOTE: because one cannot pass a custom config path to `nslcd`
|
|
|
|
# (which is only able to use `/etc/nslcd.conf`)
|
|
|
|
# changes in `nslcdConfig` won't change `serviceConfig`,
|
|
|
|
# and thus won't restart `nslcd`.
|
|
|
|
# Therefore `restartTriggers` is used on `/etc/nslcd.conf`.
|
|
|
|
restartTriggers = [ nslcdConfig.source ];
|
|
|
|
|
2013-09-04 13:05:09 +02:00
|
|
|
serviceConfig = {
|
|
|
|
ExecStart = "${nss_pam_ldapd}/sbin/nslcd";
|
|
|
|
Type = "forking";
|
|
|
|
PIDFile = "/run/nslcd/nslcd.pid";
|
|
|
|
Restart = "always";
|
2018-12-30 11:36:46 +01:00
|
|
|
RuntimeDirectory = [ "nslcd" ];
|
2013-09-04 13:05:09 +02:00
|
|
|
};
|
2013-01-27 20:07:37 +01:00
|
|
|
};
|
2013-09-04 13:05:09 +02:00
|
|
|
|
2012-09-16 19:14:19 +02:00
|
|
|
};
|
2013-09-04 13:05:09 +02:00
|
|
|
|
2012-09-16 19:14:19 +02:00
|
|
|
};
|
2009-03-06 13:25:44 +01:00
|
|
|
}
|