OpenLDAP: Difference between revisions

(2 intermediate revisions by 2 users not shown)

Line 1:

~~===Setting up~~ a ~~simple server===~~

[https://www.openldap.org OpenLDAP] is a free, open-source implementation of the Lightweight Directory Access Protocol (LDAP).

~~<syntaxhighlight lang="nix">~~

~~services~~.~~openldap = {~~

~~enable = true;~~

~~/* enable plain connections only */~~

===Setup===

~~urlList~~ = [ "~~ldap:///~~" ];

A minimal local testing server can be run with following configuration<syntaxhighlight lang="nix">

services.openldap = {

enable = true;

/* enable plain connections only */

urlList = [ "ldap:///" ];

settings = {

attrs = {

olcLogLevel = "conns config";

};

children = {

"cn=schema".includes = [

"${pkgs.openldap}/etc/schema/core.ldif"

"${pkgs.openldap}/etc/schema/cosine.ldif"

"${pkgs.openldap}/etc/schema/inetorgperson.ldif"

];

"olcDatabase={1}mdb".attrs = {

objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];

olcDatabase = "{1}mdb";

olcDbDirectory = "/var/lib/openldap/data";

olcSuffix = "dc=example,dc=com";

/* your admin account, do not use writeText on a production system */

olcRootDN = "cn=admin,dc=example,dc=com";

olcRootPW.path = pkgs.writeText "olcRootPW" "pass";

olcAccess = [

/* custom access rules for userPassword attributes */

''{0}to attrs=userPassword

by self write

by anonymous auth

by * none''

/* allow read on anything else */

''{1}to *

by * read''

];

};

</syntaxhighlight>

Line 265:

Line 266:

Also, using the configuration directory means you cannot use the <code>extra…</code> options from the example above.

To switch to the configuration directory (also known as OLC), just set <code>configDir</code> to a directory that already contains such OLC configuration.

[[Category:Server]]

@@ Line 1: / Line 1: @@
-===Setting up a simple server===
+[https://www.openldap.org OpenLDAP] is a free, open-source implementation of the Lightweight Directory Access Protocol (LDAP).
-<syntaxhighlight lang="nix">
-  services.openldap = {
-    enable = true;
-    /* enable plain connections only */
+===Setup===
-    urlList = [ "ldap:///" ];
+A minimal local testing server can be run with following configuration<syntaxhighlight lang="nix">
+services.openldap = {
+  enable = true;
+  /* enable plain connections only */
+  urlList = [ "ldap:///" ];
-    settings = {
+  settings = {
-      attrs = {
+    attrs = {
-        olcLogLevel = "conns config";
+      olcLogLevel = "conns config";
-      };
+    };
-      children = {
+    children = {
-        "cn=schema".includes = [
+      "cn=schema".includes = [
-          "${pkgs.openldap}/etc/schema/core.ldif"
+        "${pkgs.openldap}/etc/schema/core.ldif"
-          "${pkgs.openldap}/etc/schema/cosine.ldif"
+        "${pkgs.openldap}/etc/schema/cosine.ldif"
-          "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
+        "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
-        ];
+      ];
-        "olcDatabase={1}mdb".attrs = {
+      "olcDatabase={1}mdb".attrs = {
-          objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
+        objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
-          olcDatabase = "{1}mdb";
+        olcDatabase = "{1}mdb";
-          olcDbDirectory = "/var/lib/openldap/data";
+        olcDbDirectory = "/var/lib/openldap/data";
-          olcSuffix = "dc=example,dc=com";
+        olcSuffix = "dc=example,dc=com";
-          /* your admin account, do not use writeText on a production system */
+        /* your admin account, do not use writeText on a production system */
-          olcRootDN = "cn=admin,dc=example,dc=com";
+        olcRootDN = "cn=admin,dc=example,dc=com";
-          olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
+        olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
-          olcAccess = [
+        olcAccess = [
-            /* custom access rules for userPassword attributes */
+          /* custom access rules for userPassword attributes */
-            ''{0}to attrs=userPassword
+          ''{0}to attrs=userPassword
-                by self write
+              by self write
-                by anonymous auth
+              by anonymous auth
-                by * none''
+              by * none''
-            /* allow read on anything else */
+          /* allow read on anything else */
-            ''{1}to *
+          ''{1}to *
-                by * read''
+              by * read''
-          ];
+        ];
-        };
        };
      };
    };
+};
 </syntaxhighlight>
@@ Line 265: / Line 266: @@
 Also, using the configuration directory means you cannot use the <code>extra…</code> options from the example above.
 To switch to the configuration directory (also known as OLC), just set <code>configDir</code> to a directory that already contains such OLC configuration.
+[[Category:Server]]