You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
231 lines
6.1 KiB
231 lines
6.1 KiB
{ pkgs, lib, config, inputs, ... }:
|
|
|
|
with lib;
|
|
|
|
let
|
|
baseDN = concatMapStringsSep ","
|
|
(part: "dc=${part}")
|
|
(splitString "." "informatik.hs-fulda.de");
|
|
|
|
ldap-sync =
|
|
let
|
|
wrapped = pkgs.callPackage inputs.ldap-sync { };
|
|
env = pkgs.runCommand "ldap-sync-env" { } ''
|
|
mkdir -p $out
|
|
ln -s ${config.sops.secrets."ldap/sync/config".path} $out/ldap-sync.properties
|
|
'';
|
|
in
|
|
pkgs.runCommand "ldap-sync-wrapper"
|
|
{
|
|
nativeBuildInputs = [ pkgs.makeWrapper ];
|
|
} ''
|
|
mkdir -p $out/bin
|
|
makeWrapper "${wrapped}/bin/ldap-sync" $out/bin/ldap-sync \
|
|
--chdir "${env}"
|
|
'';
|
|
|
|
in
|
|
{
|
|
services.openldap = {
|
|
enable = true;
|
|
|
|
package = (pkgs.openldap.overrideAttrs (final: prev: {
|
|
configureFlags = prev.configureFlags ++ [
|
|
"--enable-overlays"
|
|
"--enable-remoteauth"
|
|
"--enable-spasswd"
|
|
"--with-cyrus-sasl"
|
|
];
|
|
|
|
doCheck = false;
|
|
|
|
})).override {
|
|
cyrus_sasl = pkgs.cyrus_sasl.override {
|
|
enableLdap = true;
|
|
};
|
|
};
|
|
|
|
urlList = [ "ldap:///" "ldaps:///" ];
|
|
|
|
settings = {
|
|
attrs = {
|
|
olcLogLevel = "config ACL stats stats2 trace";
|
|
|
|
olcTLSCertificateFile = config.sops.secrets."ldap/tls/crt".path;
|
|
olcTLSCertificateKeyFile = config.sops.secrets."ldap/tls/key".path;
|
|
olcTLSCRLCheck = "none";
|
|
olcTLSVerifyClient = "never";
|
|
olcTLSProtocolMin = "3.1";
|
|
|
|
olcSaslHost = "localhost";
|
|
olcSaslSecProps = "none";
|
|
|
|
olcSizeLimit = "unlimited";
|
|
};
|
|
|
|
children = {
|
|
"cn=schema".includes = [
|
|
"${config.services.openldap.package}/etc/schema/core.ldif"
|
|
"${config.services.openldap.package}/etc/schema/cosine.ldif"
|
|
"${config.services.openldap.package}/etc/schema/inetorgperson.ldif"
|
|
"${config.services.openldap.package}/etc/schema/nis.ldif"
|
|
];
|
|
"olcDatabase={1}mdb" = {
|
|
attrs = {
|
|
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
|
|
|
|
olcDatabase = "{1}mdb";
|
|
olcDbDirectory = "/var/lib/openldap/db";
|
|
|
|
olcSuffix = baseDN;
|
|
|
|
olcRootDN = "cn=root,${baseDN}";
|
|
olcRootPW.path = config.sops.secrets."ldap/root/password".path;
|
|
|
|
# Increase max DB size to fit all the users
|
|
olcDbMaxSize = "10737418240";
|
|
|
|
olcAccess = [
|
|
# Custom access rules for userPassword attributes
|
|
''{0}to attrs=userPassword
|
|
by self read
|
|
by anonymous auth
|
|
by * none
|
|
''
|
|
|
|
# Synced is managed by sync
|
|
''{1}to dn.subtree="ou=synced,ou=users,dc=informatik,dc=hs-fulda,dc=de"
|
|
by dn.base="cn=sync,dc=informatik,dc=hs-fulda,dc=de" manage
|
|
by * break
|
|
''
|
|
|
|
# Allow login to read users
|
|
''{2}to dn.subtree="ou=users,dc=informatik,dc=hs-fulda,dc=de"
|
|
by dn.base="cn=login,dc=informatik,dc=hs-fulda,dc=de" read
|
|
by self read
|
|
by * break
|
|
''
|
|
|
|
# Prevent access
|
|
''{3}to *
|
|
by * none
|
|
''
|
|
];
|
|
};
|
|
|
|
children = {
|
|
"olcOverlay={0}remoteauth" = {
|
|
attrs = {
|
|
objectClass = [ "olcOverlayConfig" "olcRemoteAuthCfg" ];
|
|
|
|
olcOverlay = "{0}remoteauth";
|
|
|
|
olcRemoteAuthTLS = "starttls=yes tls_cacert=\"/etc/ssl/certs/ca-certificates.crt\"";
|
|
olcRemoteAuthDNAttribute = "seeAlso";
|
|
olcRemoteAuthDomainAttribute = "associatedDomain";
|
|
olcRemoteAuthDefaultDomain = "upstream";
|
|
olcRemoteAuthDefaultRealm = "file://${config.sops.secrets."ldap/upstream".path}";
|
|
olcRemoteAuthRetryCount = "3";
|
|
olcRemoteAuthStore = "false";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
declarativeContents = {
|
|
"dc=informatik,dc=hs-fulda,dc=de" = ''
|
|
dn: dc=informatik,dc=hs-fulda,dc=de
|
|
objectClass: domain
|
|
dc: informatik
|
|
|
|
dn: ou=users,dc=informatik,dc=hs-fulda,dc=de
|
|
objectClass: organizationalUnit
|
|
ou: users
|
|
|
|
dn: ou=synced,ou=users,dc=informatik,dc=hs-fulda,dc=de
|
|
objectClass: organizationalUnit
|
|
ou: users
|
|
|
|
dn: cn=sync,dc=informatik,dc=hs-fulda,dc=de
|
|
objectClass: applicationProcess
|
|
objectClass: simpleSecurityObject
|
|
objectClass: top
|
|
cn: sync
|
|
userPassword: {SSHA}Kf5ViggnBdUAPJ3/X5F80Qf/tXOzGI9G
|
|
|
|
dn: cn=login,dc=informatik,dc=hs-fulda,dc=de
|
|
objectClass: applicationProcess
|
|
objectClass: simpleSecurityObject
|
|
objectClass: top
|
|
cn: login
|
|
userPassword: {SSHA}esWkdMFThbFD0gSE5tC+jJ1rjwfUuI0p
|
|
'';
|
|
};
|
|
};
|
|
|
|
systemd.services."openldap" = {
|
|
environment = {
|
|
SASL_PATH = pkgs.writeTextFile {
|
|
name = "openldap-sasl-path";
|
|
destination = "/slapd.conf";
|
|
text = ''
|
|
pwcheck_method: saslauthd
|
|
saslauthd_path: /var/run/saslauthd/mux
|
|
mech_list: GSSAPI EXTERNAL PLAIN NTLM
|
|
'';
|
|
};
|
|
};
|
|
|
|
onSuccess = [ "ldap-sync.service" ];
|
|
};
|
|
|
|
systemd.services."ldap-sync" = {
|
|
script = "${ldap-sync}/bin/ldap-sync";
|
|
startAt = "hourly";
|
|
|
|
requisite = [ "openldap.service" ];
|
|
|
|
# Flush caches
|
|
postStop = ''
|
|
${config.services.nscd.package}/bin/nscd --invalidate=group
|
|
${config.services.nscd.package}/bin/nscd --invalidate=passwd
|
|
'';
|
|
};
|
|
|
|
sops.secrets = {
|
|
"ldap/root/password" = {
|
|
sopsFile = ./secrets/ldap.yaml;
|
|
owner = "openldap";
|
|
};
|
|
|
|
"ldap/upstream" = {
|
|
sopsFile = ./secrets/ldap.yaml;
|
|
owner = "openldap";
|
|
};
|
|
|
|
"ldap/tls/key" = {
|
|
sopsFile = ./secrets/ldap.tls.key;
|
|
format = "binary";
|
|
owner = "openldap";
|
|
};
|
|
|
|
"ldap/tls/crt" = {
|
|
sopsFile = ./secrets/ldap.tls.crt;
|
|
format = "binary";
|
|
owner = "openldap";
|
|
};
|
|
|
|
"ldap/sync/config" = {
|
|
sopsFile = ./secrets/ldap.yaml;
|
|
};
|
|
};
|
|
|
|
networking.firewall.allowedTCPPorts = [
|
|
22
|
|
389
|
|
636
|
|
];
|
|
}
|
|
|