OpenLDAP: Difference between revisions

imported>Rti
add non deprecated openldap setups with and without ssl support
Onny
Reformat
 
(3 intermediate revisions by 3 users not shown)
Line 1: Line 1:
===Setting up a simple server===
[https://www.openldap.org OpenLDAP] is a free, open-source implementation of the Lightweight Directory Access Protocol (LDAP).
<syntaxhighlight lang="nix">
  services.openldap = {
    enable = true;


    /* enable plain connections only */
===Setup===
    urlList = [ "ldap:///" ];
A minimal local testing server can be run with following configuration<syntaxhighlight lang="nix">
services.openldap = {
  enable = true;


  /* enable plain connections only */
  urlList = [ "ldap:///" ];


    settings = {
  settings = {
      attrs = {
    attrs = {
        olcLogLevel = "conns config";
      olcLogLevel = "conns config";
      };
    };


      children = {
    children = {
        "cn=schema".includes = [
      "cn=schema".includes = [
          "${pkgs.openldap}/etc/schema/core.ldif"
        "${pkgs.openldap}/etc/schema/core.ldif"
          "${pkgs.openldap}/etc/schema/cosine.ldif"
        "${pkgs.openldap}/etc/schema/cosine.ldif"
          "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
        "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
        ];
      ];


        "olcDatabase={1}mdb".attrs = {
      "olcDatabase={1}mdb".attrs = {
          objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
        objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];


          olcDatabase = "{1}mdb";
        olcDatabase = "{1}mdb";
          olcDbDirectory = "/var/lib/openldap/data";
        olcDbDirectory = "/var/lib/openldap/data";


          olcSuffix = "dc=example,dc=com";
        olcSuffix = "dc=example,dc=com";


          /* your admin account, do not use writeText on a production system */
        /* your admin account, do not use writeText on a production system */
          olcRootDN = "cn=admin,dc=example,dc=com";
        olcRootDN = "cn=admin,dc=example,dc=com";
          olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
        olcRootPW.path = pkgs.writeText "olcRootPW" "pass";


          olcAccess = [
        olcAccess = [
            /* custom access rules for userPassword attributes */
          /* custom access rules for userPassword attributes */
            ''{0}to attrs=userPassword
          ''{0}to attrs=userPassword
                by self write
              by self write
                by anonymous auth
              by anonymous auth
                by * none''
              by * none''


            /* allow read on anything else */
          /* allow read on anything else */
            ''{1}to *
          ''{1}to *
                by * read''
              by * read''
          ];
        ];
        };
       };
       };
     };
     };
   };
   };
};
</syntaxhighlight>
</syntaxhighlight>
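Review bot: the new lead-in `A minimal local testing server can be run with following configuration<syntaxhighlight lang="nix">` runs the sentence straight into the code tag, so the rendered page shows no sentence end before the block; put `<syntaxhighlight lang="nix">` on its own line and read "with the following configuration:". Since this hunk keeps `olcRootPW.path = pkgs.writeText "olcRootPW" "pass";`, the prose (not only the code comment) should say that `writeText` places the cleartext password in the world-readable Nix store, which is why the snippet is for local testing only; `urlList = [ "ldap:///" ];` likewise means bind credentials cross the wire unencrypted, which is consistent with the local-only framing but worth stating next to the heading.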


Line 135: Line 136:




=== Overlays ===
It is also possible to add OpenLDAP overlays to your NixOS configuration. For example, you can directly add the very useful "memberof" and "ppolicy" overlays such like this :
<syntaxhighlight lang="nix">
  services.openldap = {
    enable = true;
    /* enable plain and secure connections */
    urlList = [ "ldap:///" "ldaps:///" ];
    settings = {
      attrs = {
        olcLogLevel = "conns config";


        /* settings for acme ssl */
        olcTLSCACertificateFile = "/var/lib/acme/${your-host-name}/full.pem";
        olcTLSCertificateFile = "/var/lib/acme/${your-host-name}/cert.pem";
        olcTLSCertificateKeyFile = "/var/lib/acme/${your-host-name}/key.pem";
        olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
        olcTLSCRLCheck = "none";
        olcTLSVerifyClient = "never";
        olcTLSProtocolMin = "3.1";
      };
      children = {
        "cn=schema".includes = [
          "${pkgs.openldap}/etc/schema/core.ldif"
          "${pkgs.openldap}/etc/schema/cosine.ldif"
          "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
        ];
        "olcDatabase={1}mdb" = {
          attrs = {
            objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
            olcDatabase = "{1}mdb";
            olcDbDirectory = "/var/lib/openldap/data";
            olcSuffix = "dc=example,dc=com";
            /* your admin account, do not use writeText on a production system */
            olcRootDN = "cn=admin,dc=example,dc=com";
            olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
            olcAccess = [
              /* custom access rules for userPassword attributes */
              ''{0}to attrs=userPassword
                  by self write
                  by anonymous auth
                  by * none''
              /* allow read on anything else */
              ''{1}to *
                  by * read''
            ];
          };
          children = {
            "olcOverlay={2}ppolicy".attrs = {
              objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" "top" ];
              olcOverlay = "{2}ppolicy";
              olcPPolicyHashCleartext = "TRUE";
            };
            "olcOverlay={3}memberof".attrs = {
              objectClass = [ "olcOverlayConfig" "olcMemberOf" "top" ];
              olcOverlay = "{3}memberof";
              olcMemberOfRefInt = "TRUE";
              olcMemberOfDangling = "ignore";
              olcMemberOfGroupOC = "groupOfNames";
              olcMemberOfMemberAD = "member";
              olcMemberOfMemberOfAD = "memberOf";
            };
            "olcOverlay={4}refint".attrs = {
              objectClass = [ "olcOverlayConfig" "olcRefintConfig" "top" ];
              olcOverlay = "{4}refint";
              olcRefintAttribute = "memberof member manager owner";
            };
          };
        };
      };
    };
  };
</syntaxhighlight>
You can see the list of schemas and overlays that can be directly used without any further work in <code>$[pkgs.openldap}/etc/schema</code>.


===Setting up a server  (officially deprecated)===
===Setting up a server  (officially deprecated)===
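Review bot: `olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";` explicitly re-adds 3DES, RC4 and aNULL (anonymous, unauthenticated) suites, and `olcTLSProtocolMin = "3.1";` still permits TLS 1.0, which sits badly under a comment reading "enable plain and secure connections"; assuming the NixOS build links against OpenSSL, suggest `olcTLSCipherSuite = "HIGH:!aNULL:!RC4:!3DES";` and `olcTLSProtocolMin = "3.3";` (TLS 1.2), or drop the cipher line and rely on the library default. Two smaller points in the same hunk: `/var/lib/acme/${your-host-name}/full.pem` inside a Nix string is a variable interpolation, so it either needs `your-host-name` bound or should be written as a plain placeholder such as `/var/lib/acme/<hostname>/full.pem`; and the closing sentence's `<code>$[pkgs.openldap}/etc/schema</code>` is a typo for `${pkgs.openldap}/etc/schema` ("such like this :" should also read "like this:").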
Line 178: Line 266:
Also, using the configuration directory means you cannot use the <code>extra…</code> options from the example above.
Also, using the configuration directory means you cannot use the <code>extra…</code> options from the example above.
To switch to the configuration directory (also known as OLC), just set <code>configDir</code> to a directory that already contains such OLC configuration.
To switch to the configuration directory (also known as OLC), just set <code>configDir</code> to a directory that already contains such OLC configuration.
[[Category:Server]]