# NixOS module: declarative OpenLDAP (slapd) serving the dc=m4siri,dc=com tree.
# `secrets.<name>.{file,mode,path}` is provided by a secrets module defined
# elsewhere in this configuration (age-encrypted files under ./secrets).
{
  pkgs,
  config,
  ...
}: let
  baseDN = "dc=m4siri,dc=com";
  schemaDir = "${pkgs.openldap}/etc/schema";

  # Decrypted secret files.  NOTE(review): mode 444 leaves each decrypted file
  # readable by every local account, not only the slapd service user; if the
  # secrets module supports an owner/group option, 0400 owned by the service
  # user would be the tighter setting — confirm slapd can still read it first.
  decryptedSecrets = {
    ldap-root = {
      file = ./secrets/ldap-root.age;
      mode = "444";
    };
    ldap-search = {
      file = ./secrets/ldap-search-pw.age;
      mode = "444";
    };
  };
in {
  secrets = decryptedSecrets;

  services.openldap = {
    enable = true;
    # Plain ldap:// listener only: no ldaps:// or StartTLS is configured in
    # this file, so binds (including the anonymous `auth` rule below) are in
    # clear unless TLS is provided elsewhere.
    urlList = ["ldap:///"];
    # mutableConfig = true;
    settings = {
      attrs = {
        # "conns" records connections/operations, "config" records config
        # processing — useful for auditing binds, verbose in production.
        olcLogLevel = "conns config";
      };
      children = {
        "cn=schema" = {
          includes = map (ldif: "${schemaDir}/${ldif}") [
            "core.ldif"
            "cosine.ldif"
            "inetorgperson.ldif"
            "misc.ldif"
            "nis.ldif"
          ];
        };
        "olcDatabase={1}mdb" = {
          attrs = {
            objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
            olcDatabase = "{1}mdb";
            olcDbDirectory = "/var/lib/openldap/data";
            olcSuffix = baseDN;
            olcRootDN = "cn=admin,${baseDN}";
            # Root password is read from the decrypted file at runtime via
            # `.path`, rather than being interpolated into the store.
            olcRootPW.path = config.secrets.ldap-root.path;
            # ACLs are evaluated in order; the first matching rule wins.
            #   {0} userPassword: the search account gets *read* (enough to
            #       fetch the hash; `auth`/`compare` would suffice if it only
            #       verifies binds), users may change their own, anonymous may
            #       only bind with it, everyone else gets nothing.
            #   {1} everything else is readable by anyone, anonymous included,
            #       so the whole tree is enumerable by any client that can
            #       reach the listener.
            # Continuation lines of the ''-strings are deliberately unindented:
            # Nix strips the common indentation of indented strings, so
            # indenting them would change the emitted ACL text.
            olcAccess = [
              '' {0}to attrs=userPassword
by dn="cn=searchuser,ou=users,dc=m4siri,dc=com" read
by self write
by anonymous auth
by * none''
              '' {1}to *
by * read''
            ];
          };
        };
      };
    };
    # NOTE(review): builtins.readFile pulls the file's contents into the
    # evaluated configuration, and the openldap module presumably writes the
    # resulting LDIF to the world-readable Nix store — keep password hashes
    # and other secrets out of ./secrets/ldap-content despite its location.
    declarativeContents = {
      ${baseDN} = builtins.readFile ./secrets/ldap-content;
    };
  };
}