nixpkgs/modules/config/ldap.nix

{pkgs, config, ...}:

###### interface
let
  inherit (pkgs.lib) mkOption mkIf optionalString stringAfter;

  options = {
    users = {
      ldap = {

        enable = mkOption {
          default = false;
          description = "
            Whether to enable authentication against an LDAP server.
          ";
        };

        server = mkOption {
          example = "ldap://ldap.example.org/";
          description = "
            The URL of the LDAP server.
          ";
        };

        base = mkOption {
          example = "dc=example,dc=org";
          description = "
            The distinguished name of the search base.
          ";
        };

        useTLS = mkOption {
          default = false;
          description = "
            If enabled, use TLS (encryption) over an LDAP (port 389)
            connection.  The alternative is to specify an LDAPS server (port
            636) in <option>users.ldap.server</option> or to forego
            security.
          ";
        };

        bind = {
          distinguishedName = mkOption {
            default = "";
            example = "cn=admin,dc=example,dc=com";
            type = with pkgs.lib.types; string;
            description = "
              The distinguished name to bind to the LDAP server with. If this
              is not specified, an anonymous bind will be done.
            ";
          };

          password = mkOption {
            default = "/etc/ldap/bind.password";
            type = with pkgs.lib.types; string;
            description = "
              The path to a file containing the credentials to use when binding
              to the LDAP server (if not binding anonymously).
            ";
          };
        };

      };
    };
  };
in

###### implementation

mkIf config.users.ldap.enable {
  require = [
    options
  ];

  # LDAP configuration.
  environment = {
    etc = [

      # Careful: OpenLDAP seems to be very picky about the indentation of
      # this file.  Directives HAVE to start in the first column!
      { source = pkgs.writeText "ldap.conf"
          ''
            uri ${config.users.ldap.server}
            base ${config.users.ldap.base}

            ${optionalString config.users.ldap.useTLS ''
              ssl start_tls
              tls_checkpeer no
            ''}

            ${optionalString (config.users.ldap.bind.distinguishedName != "") ''
              binddn ${config.users.ldap.bind.distinguishedName}
            ''}
          '';
        target = "ldap.conf";
      }

    ];
  };

  system.activationScripts.ldap = stringAfter [ "etc" ] (
    optionalString (config.users.ldap.bind.distinguishedName != "") ''
      if test -f "${config.users.ldap.bind.password}" ; then
        echo "bindpw $(cat ${config.users.ldap.bind.password})" | cat /etc/ldap.conf - > /etc/ldap.conf.bindpw
        mv -fT /etc/ldap.conf.bindpw /etc/ldap.conf
        chmod 600 /etc/ldap.conf
      fi
    ''
  );

}
Convert "ldap" (untested) svn path=/nixos/branches/fix-style/; revision=14362 2009-03-06 13:25:44 +01:00			`{pkgs, config, ...}:`

			`###### interface`
			`let`
LDAP non-anonymous bind. Patch by Rickard Nilsson. svn path=/nixos/trunk/; revision=29563 2011-10-02 15:24:10 +02:00			`inherit (pkgs.lib) mkOption mkIf optionalString stringAfter;`
Convert "ldap" (untested) svn path=/nixos/branches/fix-style/; revision=14362 2009-03-06 13:25:44 +01:00
			`options = {`
			`users = {`
			`ldap = {`

			`enable = mkOption {`
			`default = false;`
			`description = "`
			`Whether to enable authentication against an LDAP server.`
			`";`
			`};`

			`server = mkOption {`
			`example = "ldap://ldap.example.org/";`
			`description = "`
			`The URL of the LDAP server.`
			`";`
			`};`

			`base = mkOption {`
			`example = "dc=example,dc=org";`
			`description = "`
			`The distinguished name of the search base.`
			`";`
			`};`

			`useTLS = mkOption {`
			`default = false;`
			`description = "`
			`If enabled, use TLS (encryption) over an LDAP (port 389)`
			`connection. The alternative is to specify an LDAPS server (port`
			`636) in <option>users.ldap.server</option> or to forego`
			`security.`
			`";`
			`};`

LDAP non-anonymous bind. Patch by Rickard Nilsson. svn path=/nixos/trunk/; revision=29563 2011-10-02 15:24:10 +02:00			`bind = {`
			`distinguishedName = mkOption {`
			`default = "";`
			`example = "cn=admin,dc=example,dc=com";`
			`type = with pkgs.lib.types; string;`
			`description = "`
			`The distinguished name to bind to the LDAP server with. If this`
			`is not specified, an anonymous bind will be done.`
			`";`
			`};`

			`password = mkOption {`
			`default = "/etc/ldap/bind.password";`
			`type = with pkgs.lib.types; string;`
			`description = "`
			`The path to a file containing the credentials to use when binding`
			`to the LDAP server (if not binding anonymously).`
			`";`
			`};`
			`};`

Convert "ldap" (untested) svn path=/nixos/branches/fix-style/; revision=14362 2009-03-06 13:25:44 +01:00			`};`
			`};`
			`};`
			`in`

			`###### implementation`

			`mkIf config.users.ldap.enable {`
			`require = [`
			`options`
			`];`

			`# LDAP configuration.`
			`environment = {`
			`etc = [`

			`# Careful: OpenLDAP seems to be very picky about the indentation of`
			`# this file. Directives HAVE to start in the first column!`
* One down, three to go. svn path=/nixos/branches/modular-nixos/; revision=15784 2009-05-29 12:04:04 +02:00			`{ source = pkgs.writeText "ldap.conf"`
			`''`
			`uri ${config.users.ldap.server}`
			`base ${config.users.ldap.base}`

LDAP non-anonymous bind. Patch by Rickard Nilsson. svn path=/nixos/trunk/; revision=29563 2011-10-02 15:24:10 +02:00			`${optionalString config.users.ldap.useTLS ''`
* One down, three to go. svn path=/nixos/branches/modular-nixos/; revision=15784 2009-05-29 12:04:04 +02:00			`ssl start_tls`
			`tls_checkpeer no`
LDAP non-anonymous bind. Patch by Rickard Nilsson. svn path=/nixos/trunk/; revision=29563 2011-10-02 15:24:10 +02:00			`''}`

			`${optionalString (config.users.ldap.bind.distinguishedName != "") ''`
			`binddn ${config.users.ldap.bind.distinguishedName}`
			`''}`
* One down, three to go. svn path=/nixos/branches/modular-nixos/; revision=15784 2009-05-29 12:04:04 +02:00			`'';`
Convert "ldap" (untested) svn path=/nixos/branches/fix-style/; revision=14362 2009-03-06 13:25:44 +01:00			`target = "ldap.conf";`
			`}`
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285 2011-09-14 20:20:50 +02:00
Convert "ldap" (untested) svn path=/nixos/branches/fix-style/; revision=14362 2009-03-06 13:25:44 +01:00			`];`
			`};`

LDAP non-anonymous bind. Patch by Rickard Nilsson. svn path=/nixos/trunk/; revision=29563 2011-10-02 15:24:10 +02:00			`system.activationScripts.ldap = stringAfter [ "etc" ] (`
			`optionalString (config.users.ldap.bind.distinguishedName != "") ''`
			`if test -f "${config.users.ldap.bind.password}" ; then`
			`echo "bindpw $(cat ${config.users.ldap.bind.password})" \| cat /etc/ldap.conf - > /etc/ldap.conf.bindpw`
			`mv -fT /etc/ldap.conf.bindpw /etc/ldap.conf`
			`chmod 600 /etc/ldap.conf`
			`fi`
			`''`
			`);`

Convert "ldap" (untested) svn path=/nixos/branches/fix-style/; revision=14362 2009-03-06 13:25:44 +01:00			`}`