OpenLDAP

=== Overlays ===


It is also possible to add OpenLDAP overlays to your NixOS configuration. Overlays are declared as children of the database entry they apply to. For example, the very useful <code>ppolicy</code> and <code>memberof</code> overlays (together with <code>refint</code>, which keeps the references they maintain consistent) can be added like this:
<syntaxhighlight lang="nix">
  services.openldap = {
    enable = true;
    /* enable plain and secure connections */
    urlList = [ "ldap:///" "ldaps:///" ];
    settings = {
      attrs = {
        olcLogLevel = "conns config";
        /* settings for acme ssl; your-host-name is a placeholder for the ACME certificate name
           (bind it with let or substitute the literal name); the openldap user needs read
           access to these files, in particular key.pem */
        olcTLSCACertificateFile = "/var/lib/acme/${your-host-name}/full.pem";
        olcTLSCertificateFile = "/var/lib/acme/${your-host-name}/cert.pem";
        olcTLSCertificateKeyFile = "/var/lib/acme/${your-host-name}/key.pem";
        /* OpenSSL cipher string: keep the strong suites and exclude anonymous (aNULL),
           RC4 and 3DES ones instead of re-enabling them */
        olcTLSCipherSuite = "HIGH:!aNULL:!RC4:!3DES";
        olcTLSCRLCheck = "none";
        olcTLSVerifyClient = "never";
        /* minimum protocol version as major.minor: "3.3" is TLS 1.2, "3.1" would still allow TLS 1.0 */
        olcTLSProtocolMin = "3.3";
      };
      children = {
        "cn=schema".includes = [
          "${pkgs.openldap}/etc/schema/core.ldif"
          "${pkgs.openldap}/etc/schema/cosine.ldif"
          "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
        ];
        "olcDatabase={1}mdb" = {
          attrs = {
            objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
            olcDatabase = "{1}mdb";
            olcDbDirectory = "/var/lib/openldap/data";
            olcSuffix = "dc=example,dc=com";
            /* your admin account; writeText stores the password in the world-readable Nix store,
               so on a production system point .path at a file outside the store that contains a
               hash generated with slappasswd (olcRootPW accepts hashed values) */
            olcRootDN = "cn=admin,dc=example,dc=com";
            olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
            olcAccess = [
              /* custom access rules for userPassword attributes */
              ''{0}to attrs=userPassword
                  by self write
                  by anonymous auth
                  by * none''
              /* allow read on anything else, for anonymous clients too; narrow this in production */
              ''{1}to *
                  by * read''
            ];
          };
          children = {
            "olcOverlay={2}ppolicy".attrs = {
              objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" "top" ];
              olcOverlay = "{2}ppolicy";
              olcPPolicyHashCleartext = "TRUE";
            };
            "olcOverlay={3}memberof".attrs = {
              objectClass = [ "olcOverlayConfig" "olcMemberOf" "top" ];
              olcOverlay = "{3}memberof";
              olcMemberOfRefInt = "TRUE";
              olcMemberOfDangling = "ignore";
              olcMemberOfGroupOC = "groupOfNames";
              olcMemberOfMemberAD = "member";
              olcMemberOfMemberOfAD = "memberOf";
            };
            "olcOverlay={4}refint".attrs = {
              objectClass = [ "olcOverlayConfig" "olcRefintConfig" "top" ];
              olcOverlay = "{4}refint";
              olcRefintAttribute = "memberof member manager owner";
            };
          };
        };
      };
    };
  };
</syntaxhighlight>
You can see the list of schema files that can be included directly, without any further work, in <code>${pkgs.openldap}/etc/schema</code>; the overlays above likewise need no extra module loading.
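Keeping the root password out of the Nix store, as an added example that is not part of this wiki page: the script below produces an <code>{SSHA}</code> hash in the same form as <code>slappasswd -h {SSHA}</code>, verifies it the way slapd does, and writes it to an owner-only (mode 0600) file that <code>olcRootPW.path</code> can then reference. Note that <code>olcPPolicyHashCleartext</code> only hashes <code>userPassword</code> values written by clients; it does nothing for <code>olcRootPW</code>, so the root password has to be hashed by you. The target path <code>/run/secrets/ldap-rootpw</code> in the comments is an assumption; the demo writes into a temporary directory instead.

```python
import base64
import hashlib
import hmac
import os
import tempfile

# Added example, not from the NixOS wiki or the OpenLDAP project.
# RFC 2307 {SSHA} as produced by slappasswd: base64(sha1(password + salt) + salt).
SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20


def ssha_hash(password: str, salt: bytes = b"") -> str:
    """Return an {SSHA} string; a 4-byte random salt is drawn when none is given."""
    if not salt:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """Check a password against an {SSHA} string: split digest and trailing salt, recompute."""
    if not stored.startswith(SSHA_PREFIX):
        return False
    try:
        raw = base64.b64decode(stored[len(SSHA_PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    if len(raw) <= SHA1_LEN:  # no salt at all: malformed
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def write_secret(path: str, content: str) -> int:
    """Create `path` owner-only (0600) and refuse to overwrite or follow an existing file.

    Returns the resulting permission bits so the caller can confirm them.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return os.stat(path).st_mode & 0o777


if __name__ == "__main__":
    hashed = ssha_hash("pass")  # "pass" is the placeholder password from the config above
    # Hypothetical production location: /run/secrets/ldap-rootpw (owned by the openldap user).
    secret_dir = tempfile.mkdtemp()
    secret_path = os.path.join(secret_dir, "ldap-rootpw")
    mode = write_secret(secret_path, hashed + "\n")
    print(f"wrote {secret_path} with mode {mode:o}")
    print(f'olcRootPW.path = "{secret_path}";  # reference this in services.openldap.settings')
```

After writing the file, chown it to the user slapd runs as and reference it with <code>olcRootPW.path = "/run/secrets/ldap-rootpw";</code> (or wherever your secrets tooling places it); the hash never enters the store, and <code>ssha_verify</code> lets you confirm the file contents before deploying.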


===Setting up a server (officially deprecated)===