dachxy/nix-conf
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
nix-conf/system/modules/openldap.nix
danny cf005ff872 feat: add formatter
2026-01-10 12:46:40 +08:00

129 lines
3.2 KiB
Nix
Executable file
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{
urlList ? [ "ldap:///" ],
}:
{
pkgs,
config,
...
}:
let
create_ldap_user = pkgs.writeShellScriptBin "create_ldap_user" ''
# Base DN for LDAP directory
BASE_DN="dc=net,dc=dn"
# Organizational Unit (OU) where users are stored
OU="people"
# Prompt for username
read -p "Please enter the username: " USERNAME
# Prompt for password (hidden input)
read -s -p "Please enter the password: " USER_PASSWORD
echo
# Prompt for password confirmation (hidden input)
read -s -p "Please confirm the password: " USER_PASSWORD_CONFIRM
echo
# Check if the entered passwords match
if [ "$USER_PASSWORD" != "$USER_PASSWORD_CONFIRM" ]; then
echo " Passwords do not match. Please run the script again."
exit 1
fi
# Hash the password using slappasswd
PASSWORD_HASH=$(slappasswd -s "$USER_PASSWORD")
# Construct the Distinguished Name (DN) for the user
USER_DN="uid=$USERNAME,ou=$OU,$BASE_DN"
# Check if the base DN (dc=net,dc=dn) exists, if not, create it
ldapsearch -x -b "$BASE_DN" > /dev/null 2>&1
if [ $? -ne 0 ]; then
echo " $BASE_DN does not exist. Creating it now..."
cat <<EOF | ldapadd -x -D "cn=admin,$BASE_DN" -W
dn: $BASE_DN
objectClass: top
objectClass: domain
dc: net
EOF
fi
# Check if the OU exists, if not, create it
ldapsearch -x -b "ou=$OU,$BASE_DN" > /dev/null 2>&1
if [ $? -ne 0 ]; then
echo " OU=$OU does not exist. Creating it now..."
cat <<EOF | ldapadd -x -D "cn=admin,$BASE_DN" -W
dn: ou=$OU,$BASE_DN
objectClass: organizationalUnit
ou: $OU
EOF
fi
# Add the user entry to the LDAP directory
cat <<EOF | ldapadd -x -D "cn=admin,$BASE_DN" -W
dn: $USER_DN
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
uid: $USERNAME
cn: $USERNAME
sn: $USERNAME
userPassword: $PASSWORD_HASH
EOF
# Confirm the user was successfully created
echo " User $USERNAME has been successfully created." '';
in
{
environment.systemPackages = [
create_ldap_user
];
services.openldap = {
enable = true;
urlList = urlList;
settings = {
attrs = {
olcLogLevel = "conns config";
};
children = {
"cn=schema".includes = [
"${pkgs.openldap}/etc/schema/core.ldif"
"${pkgs.openldap}/etc/schema/cosine.ldif"
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
];
"olcDatabase={1}mdb".attrs = {
objectClass = [
"olcDatabaseConfig"
"olcMdbConfig"
];
olcDatabase = "{1}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = "dc=net,dc=dn";
olcRootDN = "cn=admin,dc=net,dc=dn";
olcRootPW.path = config.sops.secrets."openldap/adminPassword".path;
olcAccess = [
# custom access rules for userPassword attributes
''
{0}to attrs=userPassword
by self write
by anonymous auth
by * none''
# allow read on anything else
''
{1}to *
by * read''
];
};
};
};
};
}
Reference in a new issue View git blame Copy permalink