gerd.lldap: utilise settings module for LDAP

2024-08-11 14:21:45 +02:00 · 2024-08-11 14:21:45 +02:00 · 865e1251de
commit 865e1251de
parent a7f869923f
3 changed files with 61 additions and 16 deletions
--- a/machines/gerd/services/lldap.nix
+++ b/machines/gerd/services/lldap.nix
@ -37,4 +37,49 @@
  age.secrets = {
    lldap-admin-user-pass.owner = "lldap";
  };
+
+  # set settings other services can use
+  #  CN = Common Name
+  #  OU = Organizational Unit
+  #  DC = Domain Component
+  #
+  # The users are all located in ou=people, + the base DN, so by default user bob is at cn=bob,ou=people,dc=example,dc=com.
+  # Similarly, the groups are located in ou=groups, so the group family will be at cn=family,ou=groups,dc=example,dc=com.
+  # Testing group membership through memberOf is supported, so you can have a filter like: (memberOf=cn=admins,ou=groups,dc=example,dc=com).
+  mine.settings.ldap = rec {
+    host = "localhost";
+    port = 3890;
+    url = "ldap://${host}:${builtins.toString port}";
+
+    dc = "dc=fricloud,dc=dk";
+    bind_dn = "uid=${users.bind},ou=${ou.users},${dc}";
+    search_base = "ou=${ou.users},${dc}";
+    user_filter = "(memberof=cn=${groups.member},ou=${ou.groups},${dc})";
+    admin_filter = "(memberof=cn=${groups.admin},ou=${ou.groups},${dc})";
+
+    users = {
+      admin = "admin";
+      bind = "bind_user";
+    };
+
+    groups = {
+      admin = "lldap_admin";
+      member = "base_member";
+    };
+
+    ou = {
+      groups = "groups";
+      users = "people";
+    };
+
+    attr = {
+      uid = "uid";
+      firstname = "givenName";
+      lastname = "sn";
+      email = "mail";
+      avatar = "jpegPhoto";
+    };
+
+    age_secret = config.age.secrets.lldap-bind-user-pass.path;
+  };
 }