OpenLDAP: Difference between revisions

imported>Das j
Init of this page
 
imported>Rti
Add non-deprecated OpenLDAP setups with and without SSL support
===Setting up a server===
===Setting up a simple server===
<syntaxhighlight lang="nix">
  services.openldap = {
    enable = true;


Use with the configuration file (officially deprecated):
    /* enable plain connections only */
    urlList = [ "ldap:///" ];
 
 
    settings = {
      attrs = {
        olcLogLevel = "conns config";
      };
 
      children = {
        "cn=schema".includes = [
          "${pkgs.openldap}/etc/schema/core.ldif"
          "${pkgs.openldap}/etc/schema/cosine.ldif"
          "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
        ];
 
        "olcDatabase={1}mdb".attrs = {
          objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
 
          olcDatabase = "{1}mdb";
          olcDbDirectory = "/var/lib/openldap/data";
 
          olcSuffix = "dc=example,dc=com";
 
          /* your admin account, do not use writeText on a production system */
          olcRootDN = "cn=admin,dc=example,dc=com";
          olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
 
          olcAccess = [
            /* custom access rules for userPassword attributes */
            ''{0}to attrs=userPassword
                by self write
                by anonymous auth
                by * none''
 
            /* allow read on anything else */
            ''{1}to *
                by * read''
          ];
        };
      };
    };
  };
</syntaxhighlight>
 
Checkout https://www.openldap.org/doc/admin26/slapdconf2.html for more information.
 
 
===Setting up a server with SSL certs via ACME===
<syntaxhighlight lang="nix">
  services.openldap = {
    enable = true;
 
    /* enable plain and secure connections */
    urlList = [ "ldap:///" "ldaps:///" ];
 
    settings = {
      attrs = {
        olcLogLevel = "conns config";
 
        /* settings for acme ssl */
        olcTLSCACertificateFile = "/var/lib/acme/${your-host-name}/full.pem";
        olcTLSCertificateFile = "/var/lib/acme/${your-host-name}/cert.pem";
        olcTLSCertificateKeyFile = "/var/lib/acme/${your-host-name}/key.pem";
        olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
        olcTLSCRLCheck = "none";
        olcTLSVerifyClient = "never";
        olcTLSProtocolMin = "3.1";
      };
 
      children = {
        "cn=schema".includes = [
          "${pkgs.openldap}/etc/schema/core.ldif"
          "${pkgs.openldap}/etc/schema/cosine.ldif"
          "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
        ];
 
        "olcDatabase={1}mdb".attrs = {
          objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
 
          olcDatabase = "{1}mdb";
          olcDbDirectory = "/var/lib/openldap/data";
 
          olcSuffix = "dc=example,dc=com";
 
          /* your admin account, do not use writeText on a production system */
          olcRootDN = "cn=admin,dc=example,dc=com";
          olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
 
          olcAccess = [
            /* custom access rules for userPassword attributes */
            ''{0}to attrs=userPassword
                by self write
                by anonymous auth
                by * none''
 
            /* allow read on anything else */
            ''{1}to *
                by * read''
          ];
        };
      };
    };
  };
 
  /* ensure openldap is launched after certificates are created */
  systemd.services.openldap = {
    wants = [ "acme-${your-host-name}.service" ];
    after = [ "acme-${your-host-name}.service" ];
  };
 
  security.acme.acceptTerms = true;
  security.acme.defaults.email = "your-email@example.com";
 
  /* make acme certificates accessible by openldap */
  security.acme.defaults.group = "certs";
  users.groups.certs.members = [ "openldap" ];
 
  /* trigger the actual certificate generation for your hostname */
  security.acme.certs."${your-host-name}" = {
    extraDomainNames = [];
  };
 
  /* example using hetzner dns to run letsencrypt verification */
  security.acme.defaults.dnsProvider = "hetzner";
  security.acme.defaults.credentialsFile = pkgs.writeText "credentialsFile" ''
    HETZNER_API_KEY=<your-hetzner-dns-api-key>
  '';
</syntaxhighlight>
 
 
 
 
===Setting up a server  (officially deprecated)===
 
Use with the configuration file:


<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">