nixpkgs/nixos/modules/config/ldap.nix

{ config, lib, pkgs, ... }:

with pkgs;
with lib;

let

  cfg = config.users.ldap;

  # Careful: OpenLDAP seems to be very picky about the indentation of
  # this file.  Directives HAVE to start in the first column!
  ldapConfig = {
    target = "ldap.conf";
    source = writeText "ldap.conf" ''
      uri ${config.users.ldap.server}
      base ${config.users.ldap.base}
      timelimit ${toString config.users.ldap.timeLimit}
      bind_timelimit ${toString config.users.ldap.bind.timeLimit}
      bind_policy ${config.users.ldap.bind.policy}
      ${optionalString config.users.ldap.useTLS ''
        ssl start_tls
        tls_checkpeer no
      ''}
      ${optionalString (config.users.ldap.bind.distinguishedName != "") ''
        binddn ${config.users.ldap.bind.distinguishedName}
      ''}
      ${optionalString (cfg.extraConfig != "") cfg.extraConfig }
    '';
  };

  nslcdConfig = {
    target = "nslcd.conf";
    source = writeText "nslcd.conf" ''
      uid nslcd
      gid nslcd
      uri ${cfg.server}
      base ${cfg.base}
      timelimit ${toString cfg.timeLimit}
      bind_timelimit ${toString cfg.bind.timeLimit}
      ${optionalString (cfg.bind.distinguishedName != "")
        "binddn ${cfg.bind.distinguishedName}" }
      ${optionalString (cfg.daemon.extraConfig != "") cfg.daemon.extraConfig }
    '';
  };

  insertLdapPassword = !config.users.ldap.daemon.enable &&
    config.users.ldap.bind.distinguishedName != "";

in

{

  ###### interface

  options = {

    users.ldap = {

      enable = mkOption {
        type = types.bool;
        default = false;
        description = "Whether to enable authentication against an LDAP server.";
      };

      server = mkOption {
        example = "ldap://ldap.example.org/";
        description = "The URL of the LDAP server.";
      };

      base = mkOption {
        example = "dc=example,dc=org";
        description = "The distinguished name of the search base.";
      };

      useTLS = mkOption {
        default = false;
        description = ''
          If enabled, use TLS (encryption) over an LDAP (port 389)
          connection.  The alternative is to specify an LDAPS server (port
          636) in <option>users.ldap.server</option> or to forego
          security.
        '';
      };

      timeLimit = mkOption {
        default = 0;
        type = types.int;
        description = ''
          Specifies the time limit (in seconds) to use when performing
          searches. A value of zero (0), which is the default, is to
          wait indefinitely for searches to be completed.
        '';
      };

      daemon = {
        enable = mkOption {
          default = false;
          description = ''
            Whether to let the nslcd daemon (nss-pam-ldapd) handle the
            LDAP lookups for NSS and PAM. This can improve performance,
            and if you need to bind to the LDAP server with a password,
            it increases security, since only the nslcd user needs to
            have access to the bindpw file, not everyone that uses NSS
            and/or PAM. If this option is enabled, a local nscd user is
            created automatically, and the nslcd service is started
            automatically when the network get up.
          '';
        };

        extraConfig = mkOption {
          default =  "";
          type = types.lines;
          description = ''
            Extra configuration options that will be added verbatim at
            the end of the nslcd configuration file (nslcd.conf).
          '' ;
        } ;
      };

      bind = {
        distinguishedName = mkOption {
          default = "";
          example = "cn=admin,dc=example,dc=com";
          type = types.str;
          description = ''
            The distinguished name to bind to the LDAP server with. If this
            is not specified, an anonymous bind will be done.
          '';
        };

        password = mkOption {
          default = "/etc/ldap/bind.password";
          type = types.str;
          description = ''
            The path to a file containing the credentials to use when binding
            to the LDAP server (if not binding anonymously).
          '';
        };

        timeLimit = mkOption {
          default = 30;
          type = types.int;
          description = ''
            Specifies the time limit (in seconds) to use when connecting
            to the directory server. This is distinct from the time limit
            specified in <literal>users.ldap.timeLimit</literal> and affects
            the initial server connection only.
          '';
        };

        policy = mkOption {
          default = "hard_open";
          type = types.enum [ "hard_open" "hard_init" "soft" ];
          description = ''
            Specifies the policy to use for reconnecting to an unavailable
            LDAP server. The default is <literal>hard_open</literal>, which
            reconnects if opening the connection to the directory server
            failed. By contrast, <literal>hard_init</literal> reconnects if
            initializing the connection failed. Initializing may not
            actually contact the directory server, and it is possible that
            a malformed configuration file will trigger reconnection. If
            <literal>soft</literal> is specified, then
            <literal>nss_ldap</literal> will return immediately on server
            failure. All hard reconnect policies block with exponential
            backoff before retrying.
          '';
        };
      };

      extraConfig = mkOption {
        default = "";
        type = types.lines;
        description = ''
          Extra configuration options that will be added verbatim at
          the end of the ldap configuration file (ldap.conf).
          If <literal>users.ldap.daemon</literal> is enabled, this
          configuration will not be used. In that case, use
          <literal>users.ldap.daemon.extraConfig</literal> instead.
        '' ;
      };

    };

  };

  ###### implementation

  config = mkIf cfg.enable {

    environment.etc = if cfg.daemon.enable then [nslcdConfig] else [ldapConfig];

    system.activationScripts = mkIf insertLdapPassword {
      ldap = stringAfter [ "etc" "groups" "users" ] ''
        if test -f "${cfg.bind.password}" ; then
          echo "bindpw "$(cat ${cfg.bind.password})"" | cat ${ldapConfig.source} - > /etc/ldap.conf.bindpw
          mv -fT /etc/ldap.conf.bindpw /etc/ldap.conf
          chmod 600 /etc/ldap.conf
        fi
      '';
    };

    system.nssModules = singleton (
      if cfg.daemon.enable then nss_pam_ldapd else nss_ldap
    );

    users = mkIf cfg.daemon.enable {
      extraGroups.nslcd = {
        gid = config.ids.gids.nslcd;
      };

      extraUsers.nslcd = {
        uid = config.ids.uids.nslcd;
        description = "nslcd user.";
        group = "nslcd";
      };
    };

    systemd.services = mkIf cfg.daemon.enable {

      nslcd = {
        wantedBy = [ "multi-user.target" ];

        preStart = ''
          mkdir -p /run/nslcd
          rm -f /run/nslcd/nslcd.pid;
          chown nslcd.nslcd /run/nslcd
          ${optionalString (cfg.bind.distinguishedName != "") ''
            if test -s "${cfg.bind.password}" ; then
              ln -sfT "${cfg.bind.password}" /run/nslcd/bindpw
            fi
          ''}
        '';

        serviceConfig = {
          ExecStart = "${nss_pam_ldapd}/sbin/nslcd";
          Type = "forking";
          PIDFile = "/run/nslcd/nslcd.pid";
          Restart = "always";
        };
      };

    };

  };
}
Rewrite ‘with pkgs.lib’ -> ‘with lib’ Using pkgs.lib on the spine of module evaluation is problematic because the pkgs argument depends on the result of module evaluation. To prevent an infinite recursion, pkgs and some of the modules are evaluated twice, which is inefficient. Using ‘with lib’ prevents this problem. 2014-04-14 16:26:48 +02:00			`{ config, lib, pkgs, ... }:`
Convert "ldap" (untested) svn path=/nixos/branches/fix-style/; revision=14362 2009-03-06 12:25:44 +00:00
Add support for nslcd (nss-pam-ldapd) as users.ldap.daemon option 2012-09-16 19:14:19 +02:00			`with pkgs;`
Get all lib functions from lib, not pkgs.lib, in modules 2014-05-05 14:58:51 -04:00			`with lib;`
Add support for nslcd (nss-pam-ldapd) as users.ldap.daemon option 2012-09-16 19:14:19 +02:00
Convert "ldap" (untested) svn path=/nixos/branches/fix-style/; revision=14362 2009-03-06 12:25:44 +00:00			`let`
Add support for nslcd (nss-pam-ldapd) as users.ldap.daemon option 2012-09-16 19:14:19 +02:00
			`cfg = config.users.ldap;`
Convert "ldap" (untested) svn path=/nixos/branches/fix-style/; revision=14362 2009-03-06 12:25:44 +00:00
Add support for nslcd (nss-pam-ldapd) as users.ldap.daemon option 2012-09-16 19:14:19 +02:00			`# Careful: OpenLDAP seems to be very picky about the indentation of`
			`# this file. Directives HAVE to start in the first column!`
			`ldapConfig = {`
			`target = "ldap.conf";`
			`source = writeText "ldap.conf" ''`
			`uri ${config.users.ldap.server}`
			`base ${config.users.ldap.base}`
			`timelimit ${toString config.users.ldap.timeLimit}`
			`bind_timelimit ${toString config.users.ldap.bind.timeLimit}`
			`bind_policy ${config.users.ldap.bind.policy}`
			`${optionalString config.users.ldap.useTLS ''`
			`ssl start_tls`
			`tls_checkpeer no`
			`''}`
			`${optionalString (config.users.ldap.bind.distinguishedName != "") ''`
			`binddn ${config.users.ldap.bind.distinguishedName}`
			`''}`
			`${optionalString (cfg.extraConfig != "") cfg.extraConfig }`
			`'';`
			`};`

			`nslcdConfig = {`
			`target = "nslcd.conf";`
			`source = writeText "nslcd.conf" ''`
			`uid nslcd`
			`gid nslcd`
			`uri ${cfg.server}`
			`base ${cfg.base}`
			`timelimit ${toString cfg.timeLimit}`
			`bind_timelimit ${toString cfg.bind.timeLimit}`
			`${optionalString (cfg.bind.distinguishedName != "")`
			`"binddn ${cfg.bind.distinguishedName}" }`
			`${optionalString (cfg.daemon.extraConfig != "") cfg.daemon.extraConfig }`
			`'';`
			`};`

			`insertLdapPassword = !config.users.ldap.daemon.enable &&`
			`config.users.ldap.bind.distinguishedName != "";`

Convert "ldap" (untested) svn path=/nixos/branches/fix-style/; revision=14362 2009-03-06 12:25:44 +00:00			`in`

Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module. 2013-09-04 13:05:09 +02:00			`{`
Add support for nslcd (nss-pam-ldapd) as users.ldap.daemon option 2012-09-16 19:14:19 +02:00
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module. 2013-09-04 13:05:09 +02:00			`###### interface`
LDAP non-anonymous bind. Patch by Rickard Nilsson. svn path=/nixos/trunk/; revision=29563 2011-10-02 13:24:10 +00:00
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module. 2013-09-04 13:05:09 +02:00			`options = {`

			`users.ldap = {`

			`enable = mkOption {`
Add missing 'type', 'defaultText' and 'literalExample' in module definitions - add missing types in module definitions - add missing 'defaultText' in module definitions - wrap example with 'literalExample' where necessary in module definitions 2016-01-17 19:34:55 +01:00			`type = types.bool;`
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module. 2013-09-04 13:05:09 +02:00			`default = false;`
			`description = "Whether to enable authentication against an LDAP server.";`
			`};`

			`server = mkOption {`
			`example = "ldap://ldap.example.org/";`
			`description = "The URL of the LDAP server.";`
			`};`

			`base = mkOption {`
			`example = "dc=example,dc=org";`
			`description = "The distinguished name of the search base.";`
			`};`

			`useTLS = mkOption {`
			`default = false;`
			`description = ''`
			`If enabled, use TLS (encryption) over an LDAP (port 389)`
			`connection. The alternative is to specify an LDAPS server (port`
			`636) in <option>users.ldap.server</option> or to forego`
			`security.`
			`'';`
			`};`

			`timeLimit = mkOption {`
			`default = 0;`
			`type = types.int;`
			`description = ''`
			`Specifies the time limit (in seconds) to use when performing`
			`searches. A value of zero (0), which is the default, is to`
			`wait indefinitely for searches to be completed.`
			`'';`
			`};`

			`daemon = {`
			`enable = mkOption {`
			`default = false;`
			`description = ''`
			`Whether to let the nslcd daemon (nss-pam-ldapd) handle the`
			`LDAP lookups for NSS and PAM. This can improve performance,`
			`and if you need to bind to the LDAP server with a password,`
			`it increases security, since only the nslcd user needs to`
			`have access to the bindpw file, not everyone that uses NSS`
			`and/or PAM. If this option is enabled, a local nscd user is`
			`created automatically, and the nslcd service is started`
			`automatically when the network get up.`
			`'';`
			`};`

			`extraConfig = mkOption {`
			`default = "";`
nixos: fix some types 2015-08-17 17:52:45 +00:00			`type = types.lines;`
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module. 2013-09-04 13:05:09 +02:00			`description = ''`
			`Extra configuration options that will be added verbatim at`
			`the end of the nslcd configuration file (nslcd.conf).`
			`'' ;`
			`} ;`
			`};`

			`bind = {`
			`distinguishedName = mkOption {`
			`default = "";`
			`example = "cn=admin,dc=example,dc=com";`
nixos: fix some types 2015-08-17 17:52:45 +00:00			`type = types.str;`
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module. 2013-09-04 13:05:09 +02:00			`description = ''`
			`The distinguished name to bind to the LDAP server with. If this`
			`is not specified, an anonymous bind will be done.`
			`'';`
			`};`

			`password = mkOption {`
			`default = "/etc/ldap/bind.password";`
nixos: fix some types 2015-08-17 17:52:45 +00:00			`type = types.str;`
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module. 2013-09-04 13:05:09 +02:00			`description = ''`
			`The path to a file containing the credentials to use when binding`
			`to the LDAP server (if not binding anonymously).`
			`'';`
			`};`

			`timeLimit = mkOption {`
			`default = 30;`
			`type = types.int;`
			`description = ''`
			`Specifies the time limit (in seconds) to use when connecting`
			`to the directory server. This is distinct from the time limit`
			`specified in <literal>users.ldap.timeLimit</literal> and affects`
			`the initial server connection only.`
			`'';`
			`};`

			`policy = mkOption {`
			`default = "hard_open";`
nixos: fix some types 2015-08-17 17:52:45 +00:00			`type = types.enum [ "hard_open" "hard_init" "soft" ];`
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module. 2013-09-04 13:05:09 +02:00			`description = ''`
			`Specifies the policy to use for reconnecting to an unavailable`
			`LDAP server. The default is <literal>hard_open</literal>, which`
			`reconnects if opening the connection to the directory server`
			`failed. By contrast, <literal>hard_init</literal> reconnects if`
			`initializing the connection failed. Initializing may not`
			`actually contact the directory server, and it is possible that`
			`a malformed configuration file will trigger reconnection. If`
			`<literal>soft</literal> is specified, then`
			`<literal>nss_ldap</literal> will return immediately on server`
			`failure. All hard reconnect policies block with exponential`
			`backoff before retrying.`
			`'';`
			`};`
			`};`

			`extraConfig = mkOption {`
			`default = "";`
nixos: fix some types 2015-08-17 17:52:45 +00:00			`type = types.lines;`
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module. 2013-09-04 13:05:09 +02:00			`description = ''`
			`Extra configuration options that will be added verbatim at`
			`the end of the ldap configuration file (ldap.conf).`
			`If <literal>users.ldap.daemon</literal> is enabled, this`
			`configuration will not be used. In that case, use`
			`<literal>users.ldap.daemon.extraConfig</literal> instead.`
			`'' ;`
			`};`
Add support for nslcd (nss-pam-ldapd) as users.ldap.daemon option 2012-09-16 19:14:19 +02:00
			`};`
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module. 2013-09-04 13:05:09 +02:00
Add support for nslcd (nss-pam-ldapd) as users.ldap.daemon option 2012-09-16 19:14:19 +02:00			`};`

Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module. 2013-09-04 13:05:09 +02:00			`###### implementation`

			`config = mkIf cfg.enable {`

			`environment.etc = if cfg.daemon.enable then [nslcdConfig] else [ldapConfig];`

			`system.activationScripts = mkIf insertLdapPassword {`
			`ldap = stringAfter [ "etc" "groups" "users" ] ''`
			`if test -f "${cfg.bind.password}" ; then`
ldap module: fix activationScripts declaration 2016-05-23 20:43:22 +00:00			`echo "bindpw "$(cat ${cfg.bind.password})"" \| cat ${ldapConfig.source} - > /etc/ldap.conf.bindpw`
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module. 2013-09-04 13:05:09 +02:00			`mv -fT /etc/ldap.conf.bindpw /etc/ldap.conf`
			`chmod 600 /etc/ldap.conf`
			`fi`
Add support for nslcd (nss-pam-ldapd) as users.ldap.daemon option 2012-09-16 19:14:19 +02:00			`'';`
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module. 2013-09-04 13:05:09 +02:00			`};`

			`system.nssModules = singleton (`
			`if cfg.daemon.enable then nss_pam_ldapd else nss_ldap`
			`);`

			`users = mkIf cfg.daemon.enable {`
			`extraGroups.nslcd = {`
			`gid = config.ids.gids.nslcd;`
			`};`

			`extraUsers.nslcd = {`
			`uid = config.ids.uids.nslcd;`
			`description = "nslcd user.";`
			`group = "nslcd";`
			`};`
			`};`
nslcd: Adjust service definition to systemd 2013-01-27 20:07:37 +01:00
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module. 2013-09-04 13:05:09 +02:00			`systemd.services = mkIf cfg.daemon.enable {`

			`nslcd = {`
nslcd nixos service: Should be wantedBy multi-user, otherwise not started if activated on running server (only starts on bootup) 2014-08-08 17:40:03 +02:00			`wantedBy = [ "multi-user.target" ];`
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module. 2013-09-04 13:05:09 +02:00
			`preStart = ''`
			`mkdir -p /run/nslcd`
			`rm -f /run/nslcd/nslcd.pid;`
			`chown nslcd.nslcd /run/nslcd`
			`${optionalString (cfg.bind.distinguishedName != "") ''`
			`if test -s "${cfg.bind.password}" ; then`
			`ln -sfT "${cfg.bind.password}" /run/nslcd/bindpw`
			`fi`
			`''}`
			`'';`

			`serviceConfig = {`
			`ExecStart = "${nss_pam_ldapd}/sbin/nslcd";`
			`Type = "forking";`
			`PIDFile = "/run/nslcd/nslcd.pid";`
			`Restart = "always";`
			`};`
nslcd: Adjust service definition to systemd 2013-01-27 20:07:37 +01:00			`};`
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module. 2013-09-04 13:05:09 +02:00
Add support for nslcd (nss-pam-ldapd) as users.ldap.daemon option 2012-09-16 19:14:19 +02:00			`};`
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module. 2013-09-04 13:05:09 +02:00
Add support for nslcd (nss-pam-ldapd) as users.ldap.daemon option 2012-09-16 19:14:19 +02:00			`};`
Convert "ldap" (untested) svn path=/nixos/branches/fix-style/; revision=14362 2009-03-06 12:25:44 +00:00			`}`