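{ config, lib, pkgs, ... }:

with pkgs;
with lib;

let

  cfg = config.users.ldap;

  # ldap.conf for the library-based client (nss_ldap / pam_ldap), used when
  # users.ldap.daemon.enable is false.
  #
  # `writeText` places this file in the world-readable Nix store, so nothing
  # secret may be interpolated here: `bindpw` is appended at runtime by the
  # ldap-password unit below, and `cfg.extraConfig` is copied verbatim, so a
  # password put there would leak into the store.
  #
  # Careful: OpenLDAP seems to be very picky about the indentation of
  # this file. Directives HAVE to start in the first column!
  ldapConfig = {
    target = "ldap.conf";
    source = writeText "ldap.conf" ''
      uri ${cfg.server}
      base ${cfg.base}
      timelimit ${toString cfg.timeLimit}
      bind_timelimit ${toString cfg.bind.timeLimit}
      bind_policy ${cfg.bind.policy}
      ${optionalString cfg.useTLS ''
        ssl start_tls
      ''}
      ${optionalString (cfg.bind.distinguishedName != "") ''
        binddn ${cfg.bind.distinguishedName}
      ''}
      ${optionalString (cfg.extraConfig != "") cfg.extraConfig }
    '';
  };

  # nslcd.conf for the daemon-based client, used when
  # users.ldap.daemon.enable is true. Also a store path, so the same rule
  # applies: `bindpw` and `rootpwmodpw` are appended at service start in the
  # nslcd unit's preStart, never here.
  #
  # `ssl start_tls` mirrors the ldap.conf case above. Without it
  # users.ldap.useTLS was silently ignored for nslcd, leaving the daemon's
  # connection to the directory unencrypted.
  nslcdConfig = writeText "nslcd.conf" ''
    uri ${cfg.server}
    base ${cfg.base}
    timelimit ${toString cfg.timeLimit}
    bind_timelimit ${toString cfg.bind.timeLimit}
    ${optionalString cfg.useTLS "ssl start_tls"}
    ${optionalString (cfg.bind.distinguishedName != "")
      "binddn ${cfg.bind.distinguishedName}" }
    ${optionalString (cfg.daemon.rootpwmoddn != "")
      "rootpwmoddn ${cfg.daemon.rootpwmoddn}" }
    ${optionalString (cfg.daemon.extraConfig != "") cfg.daemon.extraConfig }
  '';

  # nslcd normally reads configuration from /etc/nslcd.conf.
  # this file might contain secrets. We append those at runtime,
  # so redirect its location to something more temporary.
  #
  # The redirect is done with libredirect (LD_PRELOAD) instead of patching
  # the binary. /run/nslcd is the unit's RuntimeDirectory, owned by the nslcd
  # user, so the generated file is readable by the daemon only.
  nslcdWrapped = runCommand "nslcd-wrapped" { nativeBuildInputs = [ makeWrapper ]; } ''
    mkdir -p $out/bin
    makeWrapper ${nss_pam_ldapd}/sbin/nslcd $out/bin/nslcd \
      --set LD_PRELOAD "${pkgs.libredirect}/lib/libredirect.so" \
      --set NIX_REDIRECTS "/etc/nslcd.conf=/run/nslcd/nslcd.conf"
  '';

in

{

  ###### interface

  options = {

    users.ldap = {

      enable = mkEnableOption (lib.mdDoc "authentication against an LDAP server");

      loginPam = mkOption {
        type = types.bool;
        default = true;
        description = lib.mdDoc "Whether to include authentication against LDAP in login PAM.";
      };

      nsswitch = mkOption {
        type = types.bool;
        default = true;
        description = lib.mdDoc "Whether to include lookup against LDAP in NSS.";
      };

      server = mkOption {
        type = types.str;
        example = "ldap://ldap.example.org/";
        description = lib.mdDoc "The URL of the LDAP server.";
      };

      base = mkOption {
        type = types.str;
        example = "dc=example,dc=org";
        description = lib.mdDoc "The distinguished name of the search base.";
      };

      useTLS = mkOption {
        type = types.bool;
        default = false;
        description = lib.mdDoc ''
          If enabled, use TLS (encryption) over an LDAP (port 389)
          connection. The alternative is to specify an LDAPS server (port
          636) in {option}`users.ldap.server` or to forego
          security.

          Without one of the two, the bind password and, when
          {option}`users.ldap.loginPam` is enabled, the passwords PAM
          submits for authentication cross the network in clear text.
          This option only turns on encryption; it does not configure
          certificate verification (`tls_reqcert`, `tls_cacertfile`),
          which has to be added via {option}`users.ldap.extraConfig` or
          {option}`users.ldap.daemon.extraConfig` if the server
          certificate should be checked.
        '';
      };

      timeLimit = mkOption {
        default = 0;
        type = types.int;
        description = lib.mdDoc ''
          Specifies the time limit (in seconds) to use when performing
          searches. A value of zero (0), which is the default, is to
          wait indefinitely for searches to be completed.
        '';
      };

      daemon = {
        enable = mkOption {
          type = types.bool;
          default = false;
          description = lib.mdDoc ''
            Whether to let the nslcd daemon (nss-pam-ldapd) handle the
            LDAP lookups for NSS and PAM. This can improve performance,
            and if you need to bind to the LDAP server with a password,
            it increases security, since only the nslcd user needs to
            have access to the bindpw file, not everyone that uses NSS
            and/or PAM. If this option is enabled, a local nslcd user is
            created automatically, and the nslcd service is started
            automatically when the network get up.
          '';
        };

        extraConfig = mkOption {
          default = "";
          type = types.lines;
          description = lib.mdDoc ''
            Extra configuration options that will be added verbatim at
            the end of the nslcd configuration file (`nslcd.conf(5)`).

            The generated file lives in the world-readable Nix store, so
            do not put `bindpw` or `rootpwmodpw` here. Use
            {option}`users.ldap.bind.passwordFile` and
            {option}`users.ldap.daemon.rootpwmodpwFile` instead; those
            files are only read when the service starts.
          '' ;
        } ;

        rootpwmoddn = mkOption {
          default = "";
          example = "cn=admin,dc=example,dc=com";
          type = types.str;
          description = lib.mdDoc ''
            The distinguished name to use to bind to the LDAP server
            when the root user tries to modify a user's password.
          '';
        };

        rootpwmodpwFile = mkOption {
          default = "";
          example = "/run/keys/nslcd.rootpwmodpw";
          type = types.str;
          description = lib.mdDoc ''
            The path to a file containing the credentials with which to bind to
            the LDAP server if the root user tries to change a user's password.

            The file is read when the nslcd service starts and must be
            readable by the `nslcd` user. Pass the location as a plain
            string; a Nix path literal (or one interpolated into the string)
            would copy the secret into the world-readable Nix store. If
            {option}`users.ldap.daemon.rootpwmoddn` is set but the file does
            not exist, a warning is logged and no `rootpwmodpw` is configured.
          '';
        };
      };

      bind = {
        distinguishedName = mkOption {
          default = "";
          example = "cn=admin,dc=example,dc=com";
          type = types.str;
          description = lib.mdDoc ''
            The distinguished name to bind to the LDAP server with. If this
            is not specified, an anonymous bind will be done.
          '';
        };

        passwordFile = mkOption {
          default = "/etc/ldap/bind.password";
          type = types.str;
          description = lib.mdDoc ''
            The path to a file containing the credentials to use when binding
            to the LDAP server (if not binding anonymously).

            The file is read at service start, never at evaluation time, so
            its contents stay out of the Nix store; pass the location as a
            plain string rather than a Nix path literal for the same reason.
            If {option}`users.ldap.bind.distinguishedName` is set but the
            file does not exist, a warning is logged and the bind is
            attempted without a password. With
            {option}`users.ldap.daemon.enable` the file must be readable by
            the `nslcd` user; without the daemon it is read by the
            ldap-password unit, which runs as root.
          '';
        };

        timeLimit = mkOption {
          default = 30;
          type = types.int;
          description = lib.mdDoc ''
            Specifies the time limit (in seconds) to use when connecting
            to the directory server. This is distinct from the time limit
            specified in {option}`users.ldap.timeLimit` and affects
            the initial server connection only.
          '';
        };

        policy = mkOption {
          default = "hard_open";
          type = types.enum [ "hard_open" "hard_init" "soft" ];
          description = lib.mdDoc ''
            Specifies the policy to use for reconnecting to an unavailable
            LDAP server. The default is `hard_open`, which
            reconnects if opening the connection to the directory server
            failed. By contrast, `hard_init` reconnects if
            initializing the connection failed. Initializing may not
            actually contact the directory server, and it is possible that
            a malformed configuration file will trigger reconnection. If
            `soft` is specified, then
            `nss_ldap` will return immediately on server
            failure. All hard reconnect policies block with exponential
            backoff before retrying.

            This setting is only written to `ldap.conf`; it has no effect
            when {option}`users.ldap.daemon.enable` is set.
          '';
        };
      };

      extraConfig = mkOption {
        default = "";
        type = types.lines;
        description = lib.mdDoc ''
          Extra configuration options that will be added verbatim at
          the end of the ldap configuration file (`ldap.conf(5)`).
          If {option}`users.ldap.daemon` is enabled, this
          configuration will not be used. In that case, use
          {option}`users.ldap.daemon.extraConfig` instead.

          The generated file lives in the world-readable Nix store, so
          never put `bindpw` here; use
          {option}`users.ldap.bind.passwordFile`.
        '' ;
      };

    };

  };

  ###### implementation

  config = mkIf cfg.enable {

    # Without the daemon the NSS/PAM modules read /etc/ldap.conf directly.
    # The store symlink installed here is replaced by the ldap-password unit
    # with a root-only (0600) regular file once a bindpw has been appended.
    # NOTE(review): that 0600 copy is not readable by unprivileged processes
    # doing NSS lookups; if those need the bind credentials, daemon.enable is
    # the supported way to keep the secret confined to one user.
    environment.etc = optionalAttrs (!cfg.daemon.enable) {
      "ldap.conf" = ldapConfig;
    };

    system.nssModules = mkIf cfg.nsswitch (singleton (
      if cfg.daemon.enable then nss_pam_ldapd else nss_ldap
    ));

    system.nssDatabases.group = optional cfg.nsswitch "ldap";
    system.nssDatabases.passwd = optional cfg.nsswitch "ldap";
    system.nssDatabases.shadow = optional cfg.nsswitch "ldap";

    # Dedicated unprivileged identity for the daemon; the secret files only
    # need to be readable by this user (see the nslcd unit below).
    users = mkIf cfg.daemon.enable {
      groups.nslcd = {
        gid = config.ids.gids.nslcd;
      };

      users.nslcd = {
        uid = config.ids.uids.nslcd;
        description = "nslcd user.";
        group = "nslcd";
      };
    };

    systemd.services = mkMerge [
      (mkIf (!cfg.daemon.enable) {
        # Appends `bindpw` to ldap.conf at boot. Runs as root, before
        # sysinit.target, so the credential is in place before any login.
        # The resulting /etc/ldap.conf is mode 0600 root (umask 0077).
        # NOTE(review): with DefaultDependencies=false there is no ordering
        # after local-fs.target, so mktemp may run before a separate /tmp is
        # mounted — confirm on systems with tmpfs /tmp.
        ldap-password = {
          wantedBy = [ "sysinit.target" ];
          before = [ "sysinit.target" "shutdown.target" ];
          conflicts = [ "shutdown.target" ];
          unitConfig.DefaultDependencies = false;
          serviceConfig.Type = "oneshot";
          serviceConfig.RemainAfterExit = true;
          script = ''
            if test -f '${cfg.bind.passwordFile}' ; then
              umask 0077
              # Read into a variable first so a failed read aborts the unit
              # instead of writing an empty `bindpw` line. The command
              # substitution strips trailing newlines from the file.
              bindpw="$(cat '${cfg.bind.passwordFile}')" || exit 1
              conf="$(mktemp)"
              {
                cat ${ldapConfig.source}
                printf 'bindpw %s\n' "$bindpw"
              } >"$conf"
              mv -fT "$conf" /etc/ldap.conf
            ${optionalString (cfg.bind.distinguishedName != "") ''
              else
                printf 'users.ldap: bind.distinguishedName is set but the password file "%s" does not exist; binding without a password\n' \
                  '${cfg.bind.passwordFile}' >&2
            ''}
            fi
          '';
        };
      })

      (mkIf cfg.daemon.enable {
        nslcd = {
          wantedBy = [ "multi-user.target" ];

          # Runs as the nslcd user (User= below), so the secret files must be
          # readable by that user. The generated config is mode 0600 inside
          # the RuntimeDirectory and reached through the libredirect wrapper.
          # Secrets are appended only when the corresponding DN is set; a
          # missing file is reported on stderr rather than ignored silently.
          preStart = ''
            umask 0077
            conf="$(mktemp)"
            {
              cat ${nslcdConfig}
              ${optionalString (cfg.bind.distinguishedName != "") ''
                if test -f '${cfg.bind.passwordFile}' ; then
                  bindpw="$(cat '${cfg.bind.passwordFile}')" || exit 1
                  printf 'bindpw %s\n' "$bindpw"
                else
                  printf 'users.ldap: bind.distinguishedName is set but the password file "%s" does not exist; binding without a password\n' \
                    '${cfg.bind.passwordFile}' >&2
                fi
              ''}
              ${optionalString (cfg.daemon.rootpwmoddn != "") ''
                if test -f '${cfg.daemon.rootpwmodpwFile}' ; then
                  rootpwmodpw="$(cat '${cfg.daemon.rootpwmodpwFile}')" || exit 1
                  printf 'rootpwmodpw %s\n' "$rootpwmodpw"
                else
                  printf 'users.ldap: daemon.rootpwmoddn is set but the password file "%s" does not exist\n' \
                    '${cfg.daemon.rootpwmodpwFile}' >&2
                fi
              ''}
            } >"$conf"
            mv -fT "$conf" /run/nslcd/nslcd.conf
          '';

          # These are option *strings*: the restart fires when the path or
          # the generated config changes, not when a secret file is rotated
          # in place. Rotating a password requires restarting nslcd manually.
          restartTriggers = [
            nslcdConfig
            cfg.bind.passwordFile
            cfg.daemon.rootpwmodpwFile
          ];

          serviceConfig = {
            ExecStart = "${nslcdWrapped}/bin/nslcd";
            Type = "forking";
            Restart = "always";
            User = "nslcd";
            Group = "nslcd";
            # Owned by nslcd so preStart (running as nslcd) can write here.
            RuntimeDirectory = [ "nslcd" ];
            PIDFile = "/run/nslcd/nslcd.pid";
            # NOTE(review): the reason for CAP_SYS_RESOURCE is not visible
            # here (presumably resource-limit handling in nslcd); confirm it
            # is still required before granting it ambiently.
            AmbientCapabilities = "CAP_SYS_RESOURCE";
          };
        };
      })
    ];

  };

  imports =
    [ (mkRenamedOptionModule [ "users" "ldap" "bind" "password"] [ "users" "ldap" "bind" "passwordFile"])
    ];

}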