ldap: made ldap library, changed methods around, etc. etc.

just read it and feel cursed.
2024-08-20 23:16:46 +02:00 · 2024-08-20 23:16:46 +02:00 · 106374ce32
commit 106374ce32
parent 3ab76ae616
5 changed files with 83 additions and 20 deletions
--- a/machines/gerd/services/lldap.nix
+++ b/machines/gerd/services/lldap.nix
@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, lib, ... }:

 let
  svc_domain = "ldap.${config.mine.shared.settings.domain}";
@ -56,8 +56,20 @@ in {
    dc = "dc=${config.mine.shared.settings.domain_sld},dc=${config.mine.shared.settings.domain_tld}";
    bind_dn = "uid=${users.bind},ou=${ou.users},${dc}";
    search_base = "ou=${ou.users},${dc}";
-    user_filter = "(memberof=cn=${groups.member},ou=${ou.groups},${dc})";
-    admin_filter = "(memberof=cn=${groups.admin},ou=${ou.groups},${dc})";
+    user_filter = ph: let
+      attrs = [ attr.uid attr.email ];
+    in config.mine.shared.lib.ldap.mkFilter (lconfig: llib:
+      llib.mkAnd [
+        (llib.mkGroup lconfig.groups.member)
+        (llib.mkOr (lib.forEach attrs (v: llib.mkSearch v ph)))
+      ]
+    );
+
+    oc = {
+      person = "person";
+      mailAccount = "mailAccount";
+      groupOfUniqueNames = "groupOfUniqueNames";
+    };

    users = {
      admin = "admin";
@ -86,6 +98,33 @@ in {
    age_secret = config.age.secrets.lldap-bind-user-pass.path;
  };

+  mine.shared.lib.ldap = rec {
+    mkGroup = group_name: "memberof=cn=${group_name},ou=${config.mine.shared.settings.ldap.ou.groups},${config.mine.shared.settings.ldap.dc}";
+    mkOC = object_class_name: "objectclass=${object_class_name}";
+    mkSearch = attribute: ph: "${attribute}=${ph}";
+
+    mkFilterAdvanced = expr: let
+      isExpr = value: if value ? type then true else false;
+
+      __mkExpr = value: if isExpr value then mkFilterAdvanced value else "(${value})";
+      _mkExpr = op: value: "(${op}" + (builtins.concatStringsSep "" (lib.forEach value (v: __mkExpr v))) + ")";
+      mkExpr = expr: assert isExpr expr; if expr.type == "and" then _mkExpr "&" expr.values else _mkExpr "|" expr.values;
+    in mkExpr expr;
+
+    mkAndOr = andExprs: orExprs: mkFilterAdvanced {
+      type = "and";
+      values = andExprs ++ [
+        { type = "or"; values = orExprs; }
+      ];
+    };
+
+    mkFilter = t: mkFilterAdvanced (t config.mine.shared.settings.ldap config.mine.shared.lib.ldap);
+    mkScope = t: t config.mine.shared.settings.ldap config.mine.shared.lib.ldap;
+
+    mkAnd = v: { type = "and"; values = v; };
+    mkOr = v: { type = "or"; values = v; };
+  };
+
  mine.shared.meta.lldap = {
    name = "LDAP";
    description = "We host our own LDAP server, you can use it to change your displayname, name, password, etc.";