HCoop / jackhill / guix / guix.git / blame
| Commit | Line | Data |
|---|---|---|
| 7f93bbd5 DM |
1 | ;;; GNU Guix --- Functional package management for GNU |
| 2 | ;;; Copyright © 2018 Danny Milosavljevic <dannym@scratchpost.org> | |
| c16423f1 | 3 | ;;; Copyright © 2018, 2019 Ricardo Wurmus <rekado@elephly.net> |
| 520bac7e | 4 | ;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be> |
| 7f93bbd5 DM |
5 | ;;; |
| 6 | ;;; This file is part of GNU Guix. | |
| 7 | ;;; | |
| 8 | ;;; GNU Guix is free software; you can redistribute it and/or modify it | |
| 9 | ;;; under the terms of the GNU General Public License as published by | |
| 10 | ;;; the Free Software Foundation; either version 3 of the License, or (at | |
| 11 | ;;; your option) any later version. | |
| 12 | ;;; | |
| 13 | ;;; GNU Guix is distributed in the hope that it will be useful, but | |
| 14 | ;;; WITHOUT ANY WARRANTY; without even the implied warranty of | |
| 15 | ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
| 16 | ;;; GNU General Public License for more details. | |
| 17 | ;;; | |
| 18 | ;;; You should have received a copy of the GNU General Public License | |
| 19 | ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. | |
| 20 | ||
| 812f6bd8 | 21 | (define-module (gnu services authentication) |
| 7f93bbd5 | 22 | #:use-module (gnu services) |
| c16423f1 RW |
23 | #:use-module (gnu services base) |
| 24 | #:use-module (gnu services configuration) | |
| 7f93bbd5 | 25 | #:use-module (gnu services dbus) |
| c16423f1 RW |
26 | #:use-module (gnu services shepherd) |
| 27 | #:use-module (gnu system pam) | |
| 28 | #:use-module (gnu system shadow) | |
| 29 | #:use-module (gnu packages admin) | |
| 7f93bbd5 | 30 | #:use-module (gnu packages freedesktop) |
| c16423f1 | 31 | #:use-module (gnu packages openldap) |
| 7f93bbd5 DM |
32 | #:use-module (guix gexp) |
| 33 | #:use-module (guix records) | |
| c16423f1 | 34 | #:use-module (guix packages) |
| 520bac7e | 35 | #:use-module (guix modules) |
| c16423f1 RW |
36 | #:use-module (ice-9 match) |
| 37 | #:use-module (srfi srfi-1) | |
| 38 | #:use-module (srfi srfi-26) | |
| 7f93bbd5 DM |
39 | #:export (fprintd-configuration |
| 40 | fprintd-configuration? | |
| c16423f1 RW |
41 | fprintd-service-type |
| 42 | ||
| 43 | nslcd-configuration | |
| 44 | nslcd-configuration? | |
| 45 | nslcd-service-type)) | |
| 7f93bbd5 | 46 | |
| dc019782 DM |
47 | (define-configuration fprintd-configuration |
| 48 | (fprintd (package fprintd) | |
| 49 | "The fprintd package")) | |
| 7f93bbd5 | 50 | |
| 0682f084 DM |
51 | (define (fprintd-dbus-service config) |
| 52 | (list (fprintd-configuration-fprintd config))) | |
| 53 | ||
| 7f93bbd5 DM |
54 | (define fprintd-service-type |
| 55 | (service-type (name 'fprintd) | |
| 56 | (extensions | |
| 57 | (list (service-extension dbus-root-service-type | |
| 9374cbd1 DM |
58 | fprintd-dbus-service) |
| 59 | (service-extension polkit-service-type | |
| 0682f084 DM |
60 | fprintd-dbus-service))) |
| 61 | (default-value (fprintd-configuration)) | |
| 7f93bbd5 DM |
62 | (description |
| 63 | "Run fprintd, a fingerprint management daemon."))) | |
| c16423f1 RW |
64 | |
| 65 | \f | |
| 66 | ;;; | |
| 67 | ;;; NSS Pam LDAP service (nslcd) | |
| 68 | ;;; | |
| 69 | ||
| 70 | (define (uglify-field-name name) | |
| 71 | (match name | |
| 72 | ('filters "filter") | |
| 73 | ('maps "map") | |
| 74 | (_ (string-map (match-lambda | |
| 75 | (#\- #\_) | |
| 76 | (chr chr)) | |
| 77 | (symbol->string name))))) | |
| 78 | ||
| 79 | (define (value->string val) | |
| 80 | (cond | |
| 81 | ((boolean? val) | |
| 82 | (if val "on" "off")) | |
| 83 | ((number? val) | |
| 84 | (number->string val)) | |
| 85 | ((symbol? val) | |
| 86 | (string-map (match-lambda | |
| 87 | (#\- #\_) | |
| 88 | (chr chr)) | |
| 89 | (symbol->string val))) | |
| 90 | (else val))) | |
| 91 | ||
| 92 | (define (serialize-field field-name val) | |
| 93 | (if (eq? field-name 'pam-services) | |
| 94 | #t | |
| 95 | (format #t "~a ~a\n" | |
| 96 | (uglify-field-name field-name) | |
| 97 | (value->string val)))) | |
| 98 | ||
| 99 | (define serialize-string serialize-field) | |
| 100 | (define serialize-boolean serialize-field) | |
| 101 | (define serialize-number serialize-field) | |
| 102 | (define (serialize-list field-name val) | |
| 103 | (map (cut serialize-field field-name <>) val)) | |
| 104 | (define-maybe string) | |
| 105 | (define-maybe boolean) | |
| 106 | (define-maybe number) | |
| 107 | ||
| 108 | (define (ssl-option? val) | |
| 109 | (or (boolean? val) | |
| 110 | (eq? val 'start-tls))) | |
| 111 | (define serialize-ssl-option serialize-field) | |
| 112 | (define-maybe ssl-option) | |
| 113 | ||
| 114 | (define (tls-reqcert-option? val) | |
| 115 | (member val '(never allow try demand hard))) | |
| 116 | (define serialize-tls-reqcert-option serialize-field) | |
| 117 | (define-maybe tls-reqcert-option) | |
| 118 | ||
| 119 | (define (deref-option? val) | |
| 120 | (member val '(never searching finding always))) | |
| 121 | (define serialize-deref-option serialize-field) | |
| 122 | (define-maybe deref-option) | |
| 123 | ||
| 124 | (define (comma-separated-list-of-strings? val) | |
| 125 | (and (list? val) | |
| 126 | (every string? val))) | |
| 127 | (define (ignore-users-option? val) | |
| 128 | (or (comma-separated-list-of-strings? val) | |
| 129 | (eq? 'all-local val))) | |
| 130 | (define (serialize-ignore-users-option field-name val) | |
| 131 | (serialize-field field-name (if (eq? 'all-local val) | |
| 132 | val | |
| 133 | (string-join val ",")))) | |
| 134 | (define-maybe ignore-users-option) | |
| 135 | ||
| 136 | (define (log-option? val) | |
| 137 | (let ((valid-scheme? (lambda (scheme) | |
| 138 | (or (string? scheme) | |
| 139 | (member scheme '(none syslog)))))) | |
| 140 | (match val | |
| 141 | ((scheme level) | |
| 142 | (and (valid-scheme? scheme) | |
| 143 | (member level '(crit error warning notice info debug)))) | |
| 144 | ((scheme) | |
| 145 | (valid-scheme? scheme))))) | |
| 146 | (define (serialize-log-option field-name val) | |
| 147 | (serialize-field field-name | |
| 148 | (string-join (map (cut format #f "~a" <>) val)))) | |
| 149 | ||
| 150 | (define (valid-map? val) | |
| 151 | "Is VAL a supported map name?" | |
| 152 | (member val | |
| 153 | '(alias aliases ether ethers group host hosts netgroup network networks | |
| 154 | passwd protocol protocols rpc service services shadow))) | |
| 155 | ||
| 156 | (define (scope-option? val) | |
| 157 | (let ((valid-scopes '(subtree onelevel base children))) | |
| 158 | (match val | |
| 159 | ((map-name scope) | |
| 160 | (and (valid-map? map-name) | |
| 161 | (member scope valid-scopes))) | |
| 162 | ((scope) | |
| 163 | (member scope valid-scopes))))) | |
| 164 | (define (serialize-scope-option field-name val) | |
| 165 | (serialize-field field-name | |
| 166 | (string-join (map (cut format #f "~a" <>) val)))) | |
| 167 | ||
| 168 | (define (map-entry? val) | |
| 169 | (match val | |
| 170 | (((? valid-map? map-name) | |
| 171 | (? string? attribute) | |
| 172 | (? string? new-attribute)) #t) | |
| 173 | (_ #f))) | |
| 174 | ||
| 175 | (define (list-of-map-entries? val) | |
| 176 | (and (list? val) | |
| 177 | (every map-entry? val))) | |
| 178 | ||
| 179 | (define (filter-entry? val) | |
| 180 | (match val | |
| 181 | (((? valid-map? map-name) | |
| 182 | (? string? filter-expression)) #t) | |
| 183 | (_ #f))) | |
| 184 | ||
| 185 | (define (list-of-filter-entries? val) | |
| 186 | (and (list? val) | |
| 187 | (every filter-entry? val))) | |
| 188 | ||
| 189 | (define (serialize-filter-entry field-name val) | |
| 190 | (serialize-field 'filter | |
| 191 | (match val | |
| 192 | (((? valid-map? map-name) | |
| 193 | (? string? filter-expression)) | |
| 194 | (string-append (symbol->string map-name) | |
| 195 | " " filter-expression))))) | |
| 196 | ||
| 197 | (define (serialize-list-of-filter-entries field-name val) | |
| 198 | (for-each (cut serialize-filter-entry field-name <>) val)) | |
| 199 | ||
| 200 | (define (serialize-map-entry field-name val) | |
| 201 | (serialize-field 'map | |
| 202 | (match val | |
| 203 | (((? valid-map? map-name) | |
| 204 | (? string? attribute) | |
| 205 | (? string? new-attribute)) | |
| 206 | (string-append (symbol->string map-name) | |
| 207 | " " attribute | |
| 208 | " " new-attribute))))) | |
| 209 | ||
| 210 | (define (serialize-list-of-map-entries field-name val) | |
| 211 | (for-each (cut serialize-map-entry field-name <>) val)) | |
| 212 | ||
| 213 | \f | |
| 214 | (define-configuration nslcd-configuration | |
| 215 | (nss-pam-ldapd | |
| 216 | (package nss-pam-ldapd) | |
| 217 | "The NSS-PAM-LDAPD package to use.") | |
| 218 | ||
| 219 | ;; Runtime options | |
| 220 | (threads | |
| 221 | (maybe-number 'disabled) | |
| 222 | "The number of threads to start that can handle requests and perform LDAP | |
| 223 | queries. Each thread opens a separate connection to the LDAP server. The | |
| 224 | default is to start 5 threads.") | |
| 225 | (uid | |
| 226 | (string "nslcd") | |
| 227 | "This specifies the user id with which the daemon should be run.") | |
| 228 | (gid | |
| 229 | (string "nslcd") | |
| 230 | "This specifies the group id with which the daemon should be run.") | |
| 231 | (log | |
| 232 | (log-option '("/var/log/nslcd" info)) | |
| 233 | "This option controls the way logging is done via a list containing SCHEME | |
| 234 | and LEVEL. The SCHEME argument may either be the symbols \"none\" or | |
| 235 | \"syslog\", or an absolute file name. The LEVEL argument is optional and | |
| 236 | specifies the log level. The log level may be one of the following symbols: | |
| 237 | \"crit\", \"error\", \"warning\", \"notice\", \"info\" or \"debug\". All | |
| 238 | messages with the specified log level or higher are logged.") | |
| 239 | ||
| 240 | ;; LDAP connection settings | |
| 241 | (uri | |
| 242 | (list '("ldap://localhost:389/")) | |
| 243 | "The list of LDAP server URIs. Normally, only the first server will be | |
| 244 | used with the following servers as fall-back.") | |
| 245 | (ldap-version | |
| 246 | (maybe-string 'disabled) | |
| 247 | "The version of the LDAP protocol to use. The default is to use the | |
| 248 | maximum version supported by the LDAP library.") | |
| 249 | (binddn | |
| 250 | (maybe-string 'disabled) | |
| 251 | "Specifies the distinguished name with which to bind to the directory | |
| 252 | server for lookups. The default is to bind anonymously.") | |
| 253 | (bindpw | |
| 254 | (maybe-string 'disabled) | |
| 255 | "Specifies the credentials with which to bind. This option is only | |
| 256 | applicable when used with binddn.") | |
| 257 | (rootpwmoddn | |
| 258 | (maybe-string 'disabled) | |
| 259 | "Specifies the distinguished name to use when the root user tries to modify | |
| 260 | a user's password using the PAM module.") | |
| 261 | (rootpwmodpw | |
| 262 | (maybe-string 'disabled) | |
| 263 | "Specifies the credentials with which to bind if the root user tries to | |
| 264 | change a user's password. This option is only applicable when used with | |
| 265 | rootpwmoddn") | |
| 266 | ||
| 267 | ;; SASL authentication options | |
| 268 | (sasl-mech | |
| 269 | (maybe-string 'disabled) | |
| 270 | "Specifies the SASL mechanism to be used when performing SASL | |
| 271 | authentication.") | |
| 272 | (sasl-realm | |
| 273 | (maybe-string 'disabled) | |
| 274 | "Specifies the SASL realm to be used when performing SASL authentication.") | |
| 275 | (sasl-authcid | |
| 276 | (maybe-string 'disabled) | |
| 277 | "Specifies the authentication identity to be used when performing SASL | |
| 278 | authentication.") | |
| 279 | (sasl-authzid | |
| 280 | (maybe-string 'disabled) | |
| 281 | "Specifies the authorization identity to be used when performing SASL | |
| 282 | authentication.") | |
| 283 | (sasl-canonicalize? | |
| 284 | (maybe-boolean 'disabled) | |
| 285 | "Determines whether the LDAP server host name should be canonicalised. If | |
| 286 | this is enabled the LDAP library will do a reverse host name lookup. By | |
| 287 | default, it is left up to the LDAP library whether this check is performed or | |
| 288 | not.") | |
| 289 | ||
| 290 | ;; Kerberos authentication options | |
| 291 | (krb5-ccname | |
| 292 | (maybe-string 'disabled) | |
| 293 | "Set the name for the GSS-API Kerberos credentials cache.") | |
| 294 | ||
| 295 | ;; Search / mapping options | |
| 296 | (base | |
| 297 | (string "dc=example,dc=com") | |
| 298 | "The directory search base.") | |
| 299 | (scope | |
| 300 | (scope-option '(subtree)) | |
| 301 | "Specifies the search scope (subtree, onelevel, base or children). The | |
| 302 | default scope is subtree; base scope is almost never useful for name service | |
| 303 | lookups; children scope is not supported on all servers.") | |
| 304 | (deref | |
| 305 | (maybe-deref-option 'disabled) | |
| 306 | "Specifies the policy for dereferencing aliases. The default policy is to | |
| 307 | never dereference aliases.") | |
| 308 | (referrals | |
| 309 | (maybe-boolean 'disabled) | |
| 310 | "Specifies whether automatic referral chasing should be enabled. The | |
| 311 | default behaviour is to chase referrals.") | |
| 312 | (maps | |
| 313 | (list-of-map-entries '()) | |
| 314 | "This option allows for custom attributes to be looked up instead of the | |
| 315 | default RFC 2307 attributes. It is a list of maps, each consisting of the | |
| 316 | name of a map, the RFC 2307 attribute to match and the query expression for | |
| 317 | the attribute as it is available in the directory.") | |
| 318 | (filters | |
| 319 | (list-of-filter-entries '()) | |
| 320 | "A list of filters consisting of the name of a map to which the filter | |
| 321 | applies and an LDAP search filter expression.") | |
| 322 | ||
| 323 | ;; Timing / reconnect options | |
| 324 | (bind-timelimit | |
| 325 | (maybe-number 'disabled) | |
| 326 | "Specifies the time limit in seconds to use when connecting to the | |
| 327 | directory server. The default value is 10 seconds.") | |
| 328 | (timelimit | |
| 329 | (maybe-number 'disabled) | |
| 330 | "Specifies the time limit (in seconds) to wait for a response from the LDAP | |
| 331 | server. A value of zero, which is the default, is to wait indefinitely for | |
| 332 | searches to be completed.") | |
| 333 | (idle-timelimit | |
| 334 | (maybe-number 'disabled) | |
| 335 | "Specifies the period if inactivity (in seconds) after which the con‐ | |
| 336 | nection to the LDAP server will be closed. The default is not to time out | |
| 337 | connections.") | |
| 338 | (reconnect-sleeptime | |
| 339 | (maybe-number 'disabled) | |
| 340 | "Specifies the number of seconds to sleep when connecting to all LDAP | |
| 341 | servers fails. By default one second is waited between the first failure and | |
| 342 | the first retry.") | |
| 343 | (reconnect-retrytime | |
| 344 | (maybe-number 'disabled) | |
| 345 | "Specifies the time after which the LDAP server is considered to be | |
| 346 | permanently unavailable. Once this time is reached retries will be done only | |
| 347 | once per this time period. The default value is 10 seconds.") | |
| 348 | ||
| 349 | ;; TLS options | |
| 350 | (ssl | |
| 351 | (maybe-ssl-option 'disabled) | |
| 352 | "Specifies whether to use SSL/TLS or not (the default is not to). If | |
| 353 | 'start-tls is specified then StartTLS is used rather than raw LDAP over SSL.") | |
| 354 | (tls-reqcert | |
| 355 | (maybe-tls-reqcert-option 'disabled) | |
| 356 | "Specifies what checks to perform on a server-supplied certificate. | |
| 357 | The meaning of the values is described in the ldap.conf(5) manual page.") | |
| 358 | (tls-cacertdir | |
| 359 | (maybe-string 'disabled) | |
| 360 | "Specifies the directory containing X.509 certificates for peer authen‐ | |
| 361 | tication. This parameter is ignored when using GnuTLS.") | |
| 362 | (tls-cacertfile | |
| 363 | (maybe-string 'disabled) | |
| 364 | "Specifies the path to the X.509 certificate for peer authentication.") | |
| 365 | (tls-randfile | |
| 366 | (maybe-string 'disabled) | |
| 367 | "Specifies the path to an entropy source. This parameter is ignored when | |
| 368 | using GnuTLS.") | |
| 369 | (tls-ciphers | |
| 370 | (maybe-string 'disabled) | |
| 371 | "Specifies the ciphers to use for TLS as a string.") | |
| 372 | (tls-cert | |
| 373 | (maybe-string 'disabled) | |
| 374 | "Specifies the path to the file containing the local certificate for client | |
| 375 | TLS authentication.") | |
| 376 | (tls-key | |
| 377 | (maybe-string 'disabled) | |
| 378 | "Specifies the path to the file containing the private key for client TLS | |
| 379 | authentication.") | |
| 380 | ||
| 381 | ;; Other options | |
| 382 | (pagesize | |
| 383 | (maybe-number 'disabled) | |
| 384 | "Set this to a number greater than 0 to request paged results from the LDAP | |
| 385 | server in accordance with RFC2696. The default (0) is to not request paged | |
| 386 | results.") | |
| 387 | (nss-initgroups-ignoreusers | |
| 388 | (maybe-ignore-users-option 'disabled) | |
| 389 | "This option prevents group membership lookups through LDAP for the | |
| 390 | specified users. Alternatively, the value 'all-local may be used. With that | |
| 391 | value nslcd builds a full list of non-LDAP users on startup.") | |
| 392 | (nss-min-uid | |
| 393 | (maybe-number 'disabled) | |
| 394 | "This option ensures that LDAP users with a numeric user id lower than the | |
| 395 | specified value are ignored.") | |
| 396 | (nss-uid-offset | |
| 397 | (maybe-number 'disabled) | |
| 398 | "This option specifies an offset that is added to all LDAP numeric user | |
| 399 | ids. This can be used to avoid user id collisions with local users.") | |
| 400 | (nss-gid-offset | |
| 401 | (maybe-number 'disabled) | |
| 402 | "This option specifies an offset that is added to all LDAP numeric group | |
| 403 | ids. This can be used to avoid user id collisions with local groups.") | |
| 404 | (nss-nested-groups | |
| 405 | (maybe-boolean 'disabled) | |
| 406 | "If this option is set, the member attribute of a group may point to | |
| 407 | another group. Members of nested groups are also returned in the higher level | |
| 408 | group and parent groups are returned when finding groups for a specific user. | |
| 409 | The default is not to perform extra searches for nested groups.") | |
| 410 | (nss-getgrent-skipmembers | |
| 411 | (maybe-boolean 'disabled) | |
| 412 | "If this option is set, the group member list is not retrieved when looking | |
| 413 | up groups. Lookups for finding which groups a user belongs to will remain | |
| 414 | functional so the user will likely still get the correct groups assigned on | |
| 415 | login.") | |
| 416 | (nss-disable-enumeration | |
| 417 | (maybe-boolean 'disabled) | |
| 418 | "If this option is set, functions which cause all user/group entries to be | |
| 419 | loaded from the directory will not succeed in doing so. This can dramatically | |
| 420 | reduce LDAP server load in situations where there are a great number of users | |
| 421 | and/or groups. This option is not recommended for most configurations.") | |
| 422 | (validnames | |
| 423 | (maybe-string 'disabled) | |
| 424 | "This option can be used to specify how user and group names are verified | |
| 425 | within the system. This pattern is used to check all user and group names | |
| 426 | that are requested and returned from LDAP.") | |
| 427 | (ignorecase | |
| 428 | (maybe-boolean 'disabled) | |
| 429 | "This specifies whether or not to perform searches using case-insensitive | |
| 430 | matching. Enabling this could open up the system to authorization bypass | |
| 431 | vulnerabilities and introduce nscd cache poisoning vulnerabilities which allow | |
| 432 | denial of service.") | |
| 433 | (pam-authc-ppolicy | |
| 434 | (maybe-boolean 'disabled) | |
| 435 | "This option specifies whether password policy controls are requested and | |
| 436 | handled from the LDAP server when performing user authentication.") | |
| 437 | (pam-authc-search | |
| 438 | (maybe-string 'disabled) | |
| 439 | "By default nslcd performs an LDAP search with the user's credentials after | |
| 440 | BIND (authentication) to ensure that the BIND operation was successful. The | |
| 441 | default search is a simple check to see if the user's DN exists. A search | |
| 442 | filter can be specified that will be used instead. It should return at least | |
| 443 | one entry.") | |
| 444 | (pam-authz-search | |
| 445 | (maybe-string 'disabled) | |
| 446 | "This option allows flexible fine tuning of the authorisation check that | |
| 447 | should be performed. The search filter specified is executed and if any | |
| 448 | entries match, access is granted, otherwise access is denied.") | |
| 449 | (pam-password-prohibit-message | |
| 450 | (maybe-string 'disabled) | |
| 451 | "If this option is set password modification using pam_ldap will be denied | |
| 452 | and the specified message will be presented to the user instead. The message | |
| 453 | can be used to direct the user to an alternative means of changing their | |
| 454 | password.") | |
| 455 | ||
| 456 | ;; Options for extension of pam-root-service-type. | |
| 457 | (pam-services | |
| 458 | (list '()) | |
| 459 | "List of pam service names for which LDAP authentication should suffice.")) | |
| 460 | ||
| 461 | (define %nslcd-accounts | |
| 462 | (list (user-group | |
| 463 | (name "nslcd") | |
| 464 | (system? #t)) | |
| 465 | (user-account | |
| 466 | (name "nslcd") | |
| 467 | (group "nslcd") | |
| 468 | (comment "NSLCD service account") | |
| 469 | (home-directory "/var/empty") | |
| 470 | (shell (file-append shadow "/sbin/nologin")) | |
| 471 | (system? #t)))) | |
| 472 | ||
| 473 | (define (nslcd-config-file config) | |
| 474 | "Return an NSLCD configuration file." | |
| 475 | (plain-file "nslcd.conf" | |
| 476 | (with-output-to-string | |
| 477 | (lambda () | |
| 478 | (serialize-configuration config nslcd-configuration-fields) | |
| 479 | ;; The file must end with a newline character. | |
| 480 | (format #t "\n"))))) | |
| 481 | ||
| 482 | ;; XXX: The file should only be readable by root if it contains a "bindpw" | |
| 483 | ;; declaration. Unfortunately, this etc-service-type extension does not | |
| 484 | ;; support setting file modes, so we do this in the activation service. | |
| 485 | (define (nslcd-etc-service config) | |
| 486 | `(("nslcd.conf" ,(nslcd-config-file config)))) | |
| 487 | ||
| 488 | (define (nslcd-shepherd-service config) | |
| 489 | (list (shepherd-service | |
| 490 | (documentation "Run the nslcd service for resolving names from LDAP.") | |
| 491 | (provision '(nslcd)) | |
| 492 | (requirement '(networking user-processes)) | |
| 493 | (start #~(make-forkexec-constructor | |
| 494 | (list (string-append #$(nslcd-configuration-nss-pam-ldapd config) | |
| 495 | "/sbin/nslcd") | |
| 496 | "--nofork") | |
| 497 | #:pid-file "/var/run/nslcd/nslcd.pid" | |
| 498 | #:environment-variables | |
| 499 | (list (string-append "LD_LIBRARY_PATH=" | |
| 500 | #$(nslcd-configuration-nss-pam-ldapd config) | |
| 501 | "/lib")))) | |
| 502 | (stop #~(make-kill-destructor))))) | |
| 503 | ||
| 504 | (define (pam-ldap-pam-service config) | |
| 505 | "Return a PAM service for LDAP authentication." | |
| 506 | (define pam-ldap-module | |
| 507 | #~(string-append #$(nslcd-configuration-nss-pam-ldapd config) | |
| 508 | "/lib/security/pam_ldap.so")) | |
| 509 | (lambda (pam) | |
| 510 | (if (member (pam-service-name pam) | |
| 511 | (nslcd-configuration-pam-services config)) | |
| 512 | (let ((sufficient | |
| 513 | (pam-entry | |
| 514 | (control "sufficient") | |
| 515 | (module pam-ldap-module)))) | |
| 516 | (pam-service | |
| 517 | (inherit pam) | |
| 518 | (auth (cons sufficient (pam-service-auth pam))) | |
| 519 | (session (cons sufficient (pam-service-session pam))) | |
| 520 | (account (cons sufficient (pam-service-account pam))))) | |
| 521 | pam))) | |
| 522 | ||
| 523 | (define (pam-ldap-pam-services config) | |
| 524 | (list (pam-ldap-pam-service config))) | |
| 525 | ||
| 520bac7e MD |
526 | (define %nslcd-activation |
| 527 | (with-imported-modules (source-module-closure '((gnu build activation))) | |
| 528 | #~(begin | |
| 529 | (use-modules (gnu build activation)) | |
| 530 | (let ((rundir "/var/run/nslcd") | |
| 531 | (user (getpwnam "nslcd"))) | |
| 532 | (mkdir-p/perms rundir user #o755) | |
| 533 | (when (file-exists? "/etc/nslcd.conf") | |
| 534 | (chmod "/etc/nslcd.conf" #o400)))))) | |
| 535 | ||
| c16423f1 RW |
536 | (define nslcd-service-type |
| 537 | (service-type | |
| 538 | (name 'nslcd) | |
| 539 | (description "Run the NSLCD service for looking up names from LDAP.") | |
| 540 | (extensions | |
| 541 | (list (service-extension account-service-type | |
| 542 | (const %nslcd-accounts)) | |
| 543 | (service-extension etc-service-type | |
| 544 | nslcd-etc-service) | |
| 545 | (service-extension activation-service-type | |
| 520bac7e | 546 | (const %nslcd-activation)) |
| c16423f1 RW |
547 | (service-extension pam-root-service-type |
| 548 | pam-ldap-pam-services) | |
| 549 | (service-extension nscd-service-type | |
| 550 | (const (list nss-pam-ldapd))) | |
| 551 | (service-extension shepherd-root-service-type | |
| 552 | nslcd-shepherd-service))) | |
| 553 | (default-value (nslcd-configuration)))) | |
| 554 | ||
| 555 | (define (generate-nslcd-documentation) | |
| 556 | (generate-documentation | |
| 557 | `((nslcd-configuration ,nslcd-configuration-fields)) | |
| 558 | 'nslcd-configuration)) |