OpenLDAP: Difference between revisions
imported>Rti add non deprecated openldap setups with and without ssl support |
Beginning sentence and Category:Server |
||
(One intermediate revision by one other user not shown) | |||
Line 1: | Line 1: | ||
OpenLDAP is a free, open-source implementation of the Lightweight Directory Access Protocol (LDAP). | |||
===Setting up a simple server=== | ===Setting up a simple server=== | ||
<syntaxhighlight lang="nix"> | <syntaxhighlight lang="nix"> | ||
Line 135: | Line 137: | ||
=== Overlays === | |||
It is also possible to add OpenLDAP overlays to your NixOS configuration. For example, you can directly add the very useful "memberof" and "ppolicy" overlays such like this : | |||
<syntaxhighlight lang="nix"> | |||
services.openldap = { | |||
enable = true; | |||
/* enable plain and secure connections */ | |||
urlList = [ "ldap:///" "ldaps:///" ]; | |||
settings = { | |||
attrs = { | |||
olcLogLevel = "conns config"; | |||
/* settings for acme ssl */ | |||
olcTLSCACertificateFile = "/var/lib/acme/${your-host-name}/full.pem"; | |||
olcTLSCertificateFile = "/var/lib/acme/${your-host-name}/cert.pem"; | |||
olcTLSCertificateKeyFile = "/var/lib/acme/${your-host-name}/key.pem"; | |||
olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL"; | |||
olcTLSCRLCheck = "none"; | |||
olcTLSVerifyClient = "never"; | |||
olcTLSProtocolMin = "3.1"; | |||
}; | |||
children = { | |||
"cn=schema".includes = [ | |||
"${pkgs.openldap}/etc/schema/core.ldif" | |||
"${pkgs.openldap}/etc/schema/cosine.ldif" | |||
"${pkgs.openldap}/etc/schema/inetorgperson.ldif" | |||
]; | |||
"olcDatabase={1}mdb" = { | |||
attrs = { | |||
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; | |||
olcDatabase = "{1}mdb"; | |||
olcDbDirectory = "/var/lib/openldap/data"; | |||
olcSuffix = "dc=example,dc=com"; | |||
/* your admin account, do not use writeText on a production system */ | |||
olcRootDN = "cn=admin,dc=example,dc=com"; | |||
olcRootPW.path = pkgs.writeText "olcRootPW" "pass"; | |||
olcAccess = [ | |||
/* custom access rules for userPassword attributes */ | |||
''{0}to attrs=userPassword | |||
by self write | |||
by anonymous auth | |||
by * none'' | |||
/* allow read on anything else */ | |||
''{1}to * | |||
by * read'' | |||
]; | |||
}; | |||
children = { | |||
"olcOverlay={2}ppolicy".attrs = { | |||
objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" "top" ]; | |||
olcOverlay = "{2}ppolicy"; | |||
olcPPolicyHashCleartext = "TRUE"; | |||
}; | |||
"olcOverlay={3}memberof".attrs = { | |||
objectClass = [ "olcOverlayConfig" "olcMemberOf" "top" ]; | |||
olcOverlay = "{3}memberof"; | |||
olcMemberOfRefInt = "TRUE"; | |||
olcMemberOfDangling = "ignore"; | |||
olcMemberOfGroupOC = "groupOfNames"; | |||
olcMemberOfMemberAD = "member"; | |||
olcMemberOfMemberOfAD = "memberOf"; | |||
}; | |||
"olcOverlay={4}refint".attrs = { | |||
objectClass = [ "olcOverlayConfig" "olcRefintConfig" "top" ]; | |||
olcOverlay = "{4}refint"; | |||
olcRefintAttribute = "memberof member manager owner"; | |||
}; | |||
}; | |||
}; | |||
}; | |||
}; | |||
}; | |||
</syntaxhighlight> | |||
You can see the list of schemas and overlays that can be directly used without any further work in <code>$[pkgs.openldap}/etc/schema</code>. | |||
===Setting up a server (officially deprecated)=== | ===Setting up a server (officially deprecated)=== | ||
Line 178: | Line 267: | ||
Also, using the configuration directory means you cannot use the <code>extra…</code> options from the example above. | Also, using the configuration directory means you cannot use the <code>extra…</code> options from the example above. | ||
To switch to the configuration directory (also known as OLC), just set <code>configDir</code> to a directory that already contains such OLC configuration. | To switch to the configuration directory (also known as OLC), just set <code>configDir</code> to a directory that already contains such OLC configuration. | ||
[[Category:Server]] |
Latest revision as of 20:29, 19 April 2024
OpenLDAP is a free, open-source implementation of the Lightweight Directory Access Protocol (LDAP).
Setting up a simple server
services.openldap = {
enable = true;
/* enable plain connections only */
urlList = [ "ldap:///" ];
settings = {
attrs = {
olcLogLevel = "conns config";
};
children = {
"cn=schema".includes = [
"${pkgs.openldap}/etc/schema/core.ldif"
"${pkgs.openldap}/etc/schema/cosine.ldif"
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
];
"olcDatabase={1}mdb".attrs = {
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
olcDatabase = "{1}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = "dc=example,dc=com";
/* your admin account, do not use writeText on a production system */
olcRootDN = "cn=admin,dc=example,dc=com";
olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
olcAccess = [
/* custom access rules for userPassword attributes */
''{0}to attrs=userPassword
by self write
by anonymous auth
by * none''
/* allow read on anything else */
''{1}to *
by * read''
];
};
};
};
};
Checkout https://www.openldap.org/doc/admin26/slapdconf2.html for more information.
Setting up a server with SSL certs via ACME
services.openldap = {
enable = true;
/* enable plain and secure connections */
urlList = [ "ldap:///" "ldaps:///" ];
settings = {
attrs = {
olcLogLevel = "conns config";
/* settings for acme ssl */
olcTLSCACertificateFile = "/var/lib/acme/${your-host-name}/full.pem";
olcTLSCertificateFile = "/var/lib/acme/${your-host-name}/cert.pem";
olcTLSCertificateKeyFile = "/var/lib/acme/${your-host-name}/key.pem";
olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
olcTLSCRLCheck = "none";
olcTLSVerifyClient = "never";
olcTLSProtocolMin = "3.1";
};
children = {
"cn=schema".includes = [
"${pkgs.openldap}/etc/schema/core.ldif"
"${pkgs.openldap}/etc/schema/cosine.ldif"
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
];
"olcDatabase={1}mdb".attrs = {
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
olcDatabase = "{1}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = "dc=example,dc=com";
/* your admin account, do not use writeText on a production system */
olcRootDN = "cn=admin,dc=example,dc=com";
olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
olcAccess = [
/* custom access rules for userPassword attributes */
''{0}to attrs=userPassword
by self write
by anonymous auth
by * none''
/* allow read on anything else */
''{1}to *
by * read''
];
};
};
};
};
/* ensure openldap is launched after certificates are created */
systemd.services.openldap = {
wants = [ "acme-${your-host-name}.service" ];
after = [ "acme-${your-host-name}.service" ];
};
security.acme.acceptTerms = true;
security.acme.defaults.email = "your-email@example.com";
/* make acme certificates accessible by openldap */
security.acme.defaults.group = "certs";
users.groups.certs.members = [ "openldap" ];
/* trigger the actual certificate generation for your hostname */
security.acme.certs."${your-host-name}" = {
extraDomainNames = [];
};
/* example using hetzner dns to run letsencrypt verification */
security.acme.defaults.dnsProvider = "hetzner";
security.acme.defaults.credentialsFile = pkgs.writeText "credentialsFile" ''
HETZNER_API_KEY=<your-hetzner-dns-api-key>
'';
Overlays
It is also possible to add OpenLDAP overlays to your NixOS configuration. For example, you can directly add the very useful "memberof" and "ppolicy" overlays such like this :
services.openldap = {
enable = true;
/* enable plain and secure connections */
urlList = [ "ldap:///" "ldaps:///" ];
settings = {
attrs = {
olcLogLevel = "conns config";
/* settings for acme ssl */
olcTLSCACertificateFile = "/var/lib/acme/${your-host-name}/full.pem";
olcTLSCertificateFile = "/var/lib/acme/${your-host-name}/cert.pem";
olcTLSCertificateKeyFile = "/var/lib/acme/${your-host-name}/key.pem";
olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
olcTLSCRLCheck = "none";
olcTLSVerifyClient = "never";
olcTLSProtocolMin = "3.1";
};
children = {
"cn=schema".includes = [
"${pkgs.openldap}/etc/schema/core.ldif"
"${pkgs.openldap}/etc/schema/cosine.ldif"
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
];
"olcDatabase={1}mdb" = {
attrs = {
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
olcDatabase = "{1}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = "dc=example,dc=com";
/* your admin account, do not use writeText on a production system */
olcRootDN = "cn=admin,dc=example,dc=com";
olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
olcAccess = [
/* custom access rules for userPassword attributes */
''{0}to attrs=userPassword
by self write
by anonymous auth
by * none''
/* allow read on anything else */
''{1}to *
by * read''
];
};
children = {
"olcOverlay={2}ppolicy".attrs = {
objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" "top" ];
olcOverlay = "{2}ppolicy";
olcPPolicyHashCleartext = "TRUE";
};
"olcOverlay={3}memberof".attrs = {
objectClass = [ "olcOverlayConfig" "olcMemberOf" "top" ];
olcOverlay = "{3}memberof";
olcMemberOfRefInt = "TRUE";
olcMemberOfDangling = "ignore";
olcMemberOfGroupOC = "groupOfNames";
olcMemberOfMemberAD = "member";
olcMemberOfMemberOfAD = "memberOf";
};
"olcOverlay={4}refint".attrs = {
objectClass = [ "olcOverlayConfig" "olcRefintConfig" "top" ];
olcOverlay = "{4}refint";
olcRefintAttribute = "memberof member manager owner";
};
};
};
};
};
};
You can see the list of schemas and overlays that can be directly used without any further work in $[pkgs.openldap}/etc/schema
.
Setting up a server (officially deprecated)
Use with the configuration file:
{
services.openldap = {
enable = true;
dataDir = "/var/lib/openldap";
urlList = [ "ldap:///" "ldapi:///" ]; # Add ldaps to this list to listen with SSL (requires configured certificates)
suffix = "dc=nixos,dc=org";
rootdn = "cn=admin,dc=nixos,dc=org";
rootpw = "water"; # Or use rootpwFile
# See https://www.openldap.org/doc/admin24/slapdconfig.html
extraDatabaseConfig = ''
access to dn.base="dc=nixos,dc=org" by * read
# Add your own ACLs here…
# Drop everything that wasn't handled by previous ACLs:
access to * by * none
index objectClass eq
index uid eq
index mail sub
# Accelerates replication if you use it
index entryCSN eq
index entryUUID eq
'';
# Setting this causes OpenLDAP to drop the entire database on startup and write the contents of
# of this LDIF string into the database. This ensures that only nix-managed content is found in the
# database. Note that if a lot of entries are created in conjunction with a lot of indexes, this might hurt
# startup performance.
# Also, you can set `readonly on` in `extraDatabaseConfig` to ensure nobody writes data that will be
# lost.
declarativeContents = "…";
};
}
To use the not-deprecated configuration directory, the recommended way is to create a simple configuration file and convert it using slaptest
. This however is out of scope for this page.
Also, using the configuration directory means you cannot use the extra…
options from the example above.
To switch to the configuration directory (also known as OLC), just set configDir
to a directory that already contains such OLC configuration.