--- a/modules/config/ldap.nix
+++ b/modules/config/ldap.nix
@@ -2,7 +2,7 @@
 
 ###### interface
 let
-  inherit (pkgs.lib) mkOption mkIf;
+  inherit (pkgs.lib) mkOption mkIf optionalString;
 
   options = {
     users = {
@@ -39,6 +39,27 @@ let
           ";
         };
 
+        bind = {
+          distinguishedName = mkOption {
+            default = "";
+            example = "cn=admin,dc=example,dc=com";
+            type = with pkgs.lib.types; string;
+            description = "
+              The distinguished name to bind to the LDAP server with. If this
+              is not specified, an anonymous bind will be done.
+            ";
+          };
+
+          password = mkOption {
+            default = "/etc/ldap/bind.password";
+            type = with pkgs.lib.types; string;
+            description = "
+              The path to a file containing the credentials to use when binding
+              to the LDAP server (if not binding anonymously).
+            ";
+          };
+        };
+
       };
     };
   };
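Review bot: The `password` option description does not say how the file is expected to be protected, and since its value is a `string` that later gets read by an activation script, a user who writes a Nix path literal (`./bind.password`) instead of the string `"/etc/ldap/bind.password"` would have the secret copied into the world-readable nix store at evaluation time. I would extend the description with `This must be a string path to a file readable only by root, not a Nix path literal: a path literal is copied into the world-readable nix store.` The `cn=admin,dc=example,dc=com` example also steers users toward the directory administrator; because this credential ends up in cleartext on every client host, the description should recommend a dedicated read-only service account for the bind DN. Whether the consumer of these options needs the file at all is decided outside this hunk, so the wording is a documentation fix only.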
@@ -62,10 +83,15 @@ mkIf config.users.ldap.enable {
             uri ${config.users.ldap.server}
             base ${config.users.ldap.base}
 
-            ${if config.users.ldap.useTLS then ''
+            ${optionalString (config.users.ldap.bind.distinguishedName != "") ''
+              binddn ${config.users.ldap.bind.distinguishedName}
+              bindpw <BINDPW>
+            ''}
+
+            ${optionalString config.users.ldap.useTLS ''
               ssl start_tls
               tls_checkpeer no
-            '' else ""}
+            ''}
           '';
         target = "ldap.conf";
       }
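Review bot: The `bindpw <BINDPW>` line is written into a store-resident, world-readable `ldap.conf` and relies on a separate activation step to replace the placeholder; if that step does not run (unreadable or empty password file), clients bind with the literal string `<BINDPW>` and the failure is silent. A comment on the placeholder line should say so: `# <BINDPW> is replaced at activation time from users.ldap.bind.password; it is never the real secret in the store`. Note also that `/etc/ldap.conf` is, as far as I can tell from `target = "ldap.conf"`, the file read by nss_ldap/pam_ldap from unprivileged processes; if so, a restricted-mode copy carrying `bindpw` cannot be read by those processes, and the conventional split is `rootbinddn` with the password in a root-only `/etc/ldap.secret`, which should be mentioned in the option docs or the commit. The enclosing `environment.etc` entry starts before this hunk.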
@@ -73,4 +99,15 @@ mkIf config.users.ldap.enable {
     ];
   };
 
+  system.activationScripts.ldap = 
+    optionalString (config.users.ldap.bind.distinguishedName != "") ''
+      if test -r "${config.users.ldap.bind.password}" ; then
+        bindpw="$(cat ${config.users.ldap.bind.password})"
+        if test -n "$bindpw" ; then
+          ${pkgs.gnused}/bin/sed -i "s/bindpw <BINDPW>/bindpw $bindpw/" /etc/ldap.conf
+          chmod og-rw /etc/ldap.conf
+        fi
+      fi
+    '';
+
 }
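Review bot: The password is spliced unescaped into the sed replacement on the `sed -i` line, so a password containing `/`, `&` or `\` either aborts the substitution or is written corrupted, and the cleartext also appears on the sed command line where it is visible in the process list for that moment. There is additionally a window between `sed -i` (which, as GNU sed does, reproduces the input's mode, presumably the store file's 0444) and the following `chmod og-rw` in which `/etc/ldap.conf` contains the cleartext password world-readable. Escaping the replacement metacharacters, writing the result through a `umask 077` redirect and renaming it into place removes both problems, and the two silent `if` fall-throughs should at least warn, since otherwise the literal `<BINDPW>` placeholder stays in the file. The rewritten script:
```nix
  system.activationScripts.ldap =
    optionalString (config.users.ldap.bind.distinguishedName != "") ''
      if test -r "${config.users.ldap.bind.password}" ; then
        bindpw="$(cat ${config.users.ldap.bind.password})"
        if test -n "$bindpw" ; then
          # escape sed replacement metacharacters (\ & and the / delimiter) so the password is written verbatim
          bindpw_escaped="$(printf '%s' "$bindpw" | ${pkgs.gnused}/bin/sed -e 's/[\/&\\]/\\&/g')"
          # build the substituted file root-only from the start, then rename it over the store symlink
          (umask 077; ${pkgs.gnused}/bin/sed "s/bindpw <BINDPW>/bindpw $bindpw_escaped/" /etc/ldap.conf > /etc/ldap.conf.tmp)
          chmod 600 /etc/ldap.conf.tmp
          mv -f /etc/ldap.conf.tmp /etc/ldap.conf
        else
          echo "ldap: ${config.users.ldap.bind.password} is empty; bind password left unconfigured" >&2
        fi
      else
        echo "ldap: ${config.users.ldap.bind.password} is not readable; bind password left unconfigured" >&2
      fi
    '';
```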
