OpenLDAP

From NixOS Wiki
Revision as of 12:39, 27 October 2019 by imported>Das j (Init of this page)

Setting up a server

Setting up the server with a slapd.conf-style configuration file (officially deprecated by OpenLDAP, but still supported by the NixOS module):

{
  services.openldap = {
    enable = true;
    dataDir = "/var/lib/openldap";
    urlList = [ "ldap:///" "ldapi:///" ]; # Add ldaps to this list to listen with SSL (requires configured certificates)
    suffix = "dc=nixos,dc=org";
    rootdn = "cn=admin,dc=nixos,dc=org";
    rootpw = "water"; # Or use rootpwFile, which keeps the password out of the world-readable Nix store
    # See https://www.openldap.org/doc/admin24/slapdconfig.html
    extraDatabaseConfig = ''
      access to dn.base="dc=nixos,dc=org" by * read
      # Add your own ACLs here…
      # Drop everything that wasn't handled by previous ACLs:
      access to * by * none

      index objectClass eq
      index uid eq
      index mail sub
      # Accelerates replication if you use it
      index entryCSN eq
      index entryUUID eq
    '';
    # Setting this causes OpenLDAP to drop the entire database on startup and write the contents
    # of this LDIF string into the database. This ensures that only nix-managed content is found in the
    # database. Note that if a lot of entries are created in conjunction with a lot of indexes, this might
    # hurt startup performance.
    # Also, you can set `readonly on` in `extraDatabaseConfig` to ensure nobody writes data that would be
    # lost on the next restart.
    declarativeContents = "…";
  };
}
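The ACL lines in extraDatabaseConfig above are evaluated by slapd on a first-match basis, which is why the catch-all `access to * by * none` has to come last. The following is an added example, not code from the NixOS module or from OpenLDAP: a small Python model of that first-match rule that can be run offline against an ACL snippet before it is deployed. It only understands the `dn.base`/`dn.subtree`/`dn.children`/`dn.one` and `*` forms of `<what>` and the `*`/`anonymous`/`users`/`self`/`dn.exact` forms of `<who>`; the `ou=people` rule, the `uid=alice`/`uid=bob` entries and the misordered variant are constructed for illustration and are not part of the wiki's configuration.

```python
"""Toy first-match evaluator for OpenLDAP 'access to <what> by <who> <access>'
directives (constructed example, not code from the NixOS module or slapd).
Supported <what>: '*', dn.base/exact/subtree/children/one="..."; supported
<who>: '*', anonymous, users, self, dn.exact/base="...". Regex styles,
attribute selectors and stop/break/continue controls are not modelled."""
import re
import shlex

# slapd privilege ladder; each level implies every level to its left.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def normalize_dn(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))

def logical_lines(text):
    """Join slapd.conf continuation lines (leading whitespace continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw[:1].isspace() and lines:
            lines[-1] += " " + raw.strip()
        elif raw.strip():
            lines.append(raw.strip())
    return lines

def parse_acls(text):
    """Return [(what, [(who, access), ...]), ...] in file order; comments and
    other directives such as 'index' are ignored."""
    acls = []
    for line in logical_lines(text):
        tokens = shlex.split(line, comments=True)  # also strips the quotes around DNs
        if tokens[:2] != ["access", "to"]:
            continue
        what, rest, clauses = tokens[2], tokens[3:], []
        for i in range(0, len(rest), 3):  # 'by <who> <access>' triplets
            if rest[i] != "by" or i + 2 >= len(rest):
                raise ValueError("malformed by-clause in: " + line)
            clauses.append((rest[i + 1], rest[i + 2]))
        acls.append((what, clauses))
    return acls

def what_matches(what, target_dn):
    if what == "*":
        return True
    m = re.fullmatch(r"dn\.(base|exact|subtree|children|one)=(.*)", what)
    if not m:
        raise ValueError("unsupported <what>: " + what)
    style, pattern = m.group(1), normalize_dn(m.group(2))
    target = normalize_dn(target_dn)
    below = target != pattern and target.endswith("," + pattern)
    if style in ("base", "exact"):
        return target == pattern
    if style == "subtree":
        return target == pattern or below
    if style == "children":
        return below
    return below and "," not in target[: -len(pattern) - 1]  # one: direct children only

def who_matches(who, bind_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and normalize_dn(bind_dn) == normalize_dn(target_dn)
    m = re.fullmatch(r"dn\.(exact|base)=(.*)", who)
    if m:
        return bind_dn is not None and normalize_dn(bind_dn) == normalize_dn(m.group(2))
    raise ValueError("unsupported <who>: " + who)

def granted_level(acls, bind_dn, target_dn):
    """slapd takes the FIRST 'access to' whose <what> matches the entry and, inside
    it, the FIRST 'by' whose <who> matches the requester; nothing later is consulted.
    Unmatched requests are denied (implicit 'by * none' / 'access to * by * none')."""
    for what, clauses in acls:
        if what_matches(what, target_dn):
            for who, access in clauses:
                if who_matches(who, bind_dn, target_dn):
                    return access
            return "none"
    return "none"

def allowed(acl_text, bind_dn, target_dn, wanted):
    """True if the requester (bind_dn, None = anonymous) gets at least `wanted` on target_dn."""
    level = granted_level(parse_acls(acl_text), bind_dn, target_dn)
    return LEVELS.index(level) >= LEVELS.index(wanted)

# Constructed ACL text in the style of extraDatabaseConfig above; the ou=people
# rule is added here for illustration and is not part of the wiki's example.
SAMPLE_ACLS = """
access to dn.base="dc=nixos,dc=org" by * read
# people may edit their own entry; any bound user may read the subtree
access to dn.subtree="ou=people,dc=nixos,dc=org"
  by self write
  by users read
# Drop everything that wasn't handled by previous ACLs:
access to * by * none
"""
# Same rules with the catch-all moved to the top: it now shadows every later rule.
MISORDERED_ACLS = "access to * by * none\n" + SAMPLE_ACLS

ALICE = "uid=alice,ou=people,dc=nixos,dc=org"
BOB = "uid=bob,ou=people,dc=nixos,dc=org"
```

With `SAMPLE_ACLS`, `allowed(SAMPLE_ACLS, None, "dc=nixos,dc=org", "read")` is true while an anonymous read of Alice's entry is denied, Alice can write her own entry but only read Bob's, and nothing outside the two matched subtrees is readable at all. With `MISORDERED_ACLS` even the base entry becomes unreadable, because the catch-all is the first `<what>` that matches and its `by * none` ends the evaluation; that is the ordering mistake worth checking before a change to extraDatabaseConfig reaches slapd.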

To use the non-deprecated configuration directory instead, the recommended way is to write a simple configuration file and convert it with slaptest; that procedure is out of scope for this page. Note that once you use the configuration directory, the extra… options from the example above are no longer available. To switch to the configuration directory (also known as OLC, on-line configuration), set configDir to a directory that already contains such an OLC configuration.