Commit | Line | Data |
---|---|---|
7f93bbd5 DM |
1 | ;;; GNU Guix --- Functional package management for GNU |
2 | ;;; Copyright © 2018 Danny Milosavljevic <dannym@scratchpost.org> | |
c16423f1 | 3 | ;;; Copyright © 2018, 2019 Ricardo Wurmus <rekado@elephly.net> |
520bac7e | 4 | ;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be> |
7f93bbd5 DM |
5 | ;;; |
6 | ;;; This file is part of GNU Guix. | |
7 | ;;; | |
8 | ;;; GNU Guix is free software; you can redistribute it and/or modify it | |
9 | ;;; under the terms of the GNU General Public License as published by | |
10 | ;;; the Free Software Foundation; either version 3 of the License, or (at | |
11 | ;;; your option) any later version. | |
12 | ;;; | |
13 | ;;; GNU Guix is distributed in the hope that it will be useful, but | |
14 | ;;; WITHOUT ANY WARRANTY; without even the implied warranty of | |
15 | ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
16 | ;;; GNU General Public License for more details. | |
17 | ;;; | |
18 | ;;; You should have received a copy of the GNU General Public License | |
19 | ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. | |
20 | ||
812f6bd8 | 21 | (define-module (gnu services authentication) |
7f93bbd5 | 22 | #:use-module (gnu services) |
c16423f1 RW |
23 | #:use-module (gnu services base) |
24 | #:use-module (gnu services configuration) | |
7f93bbd5 | 25 | #:use-module (gnu services dbus) |
c16423f1 RW |
26 | #:use-module (gnu services shepherd) |
27 | #:use-module (gnu system pam) | |
28 | #:use-module (gnu system shadow) | |
29 | #:use-module (gnu packages admin) | |
7f93bbd5 | 30 | #:use-module (gnu packages freedesktop) |
c16423f1 | 31 | #:use-module (gnu packages openldap) |
7f93bbd5 DM |
32 | #:use-module (guix gexp) |
33 | #:use-module (guix records) | |
c16423f1 | 34 | #:use-module (guix packages) |
520bac7e | 35 | #:use-module (guix modules) |
c16423f1 RW |
36 | #:use-module (ice-9 match) |
37 | #:use-module (srfi srfi-1) | |
38 | #:use-module (srfi srfi-26) | |
7f93bbd5 DM |
39 | #:export (fprintd-configuration |
40 | fprintd-configuration? | |
c16423f1 RW |
41 | fprintd-service-type |
42 | ||
43 | nslcd-configuration | |
44 | nslcd-configuration? | |
45 | nslcd-service-type)) | |
7f93bbd5 | 46 | |
dc019782 DM |
47 | (define-configuration fprintd-configuration |
48 | (fprintd (package fprintd) | |
49 | "The fprintd package")) | |
7f93bbd5 | 50 | |
0682f084 DM |
51 | (define (fprintd-dbus-service config) |
52 | (list (fprintd-configuration-fprintd config))) | |
53 | ||
7f93bbd5 DM |
54 | (define fprintd-service-type |
55 | (service-type (name 'fprintd) | |
56 | (extensions | |
57 | (list (service-extension dbus-root-service-type | |
9374cbd1 DM |
58 | fprintd-dbus-service) |
59 | (service-extension polkit-service-type | |
0682f084 DM |
60 | fprintd-dbus-service))) |
61 | (default-value (fprintd-configuration)) | |
7f93bbd5 DM |
62 | (description |
63 | "Run fprintd, a fingerprint management daemon."))) | |
c16423f1 RW |
64 | |
65 | \f | |
66 | ;;; | |
67 | ;;; NSS Pam LDAP service (nslcd) | |
68 | ;;; | |
69 | ||
70 | (define (uglify-field-name name) | |
71 | (match name | |
72 | ('filters "filter") | |
73 | ('maps "map") | |
74 | (_ (string-map (match-lambda | |
75 | (#\- #\_) | |
76 | (chr chr)) | |
77 | (symbol->string name))))) | |
78 | ||
79 | (define (value->string val) | |
80 | (cond | |
81 | ((boolean? val) | |
82 | (if val "on" "off")) | |
83 | ((number? val) | |
84 | (number->string val)) | |
85 | ((symbol? val) | |
86 | (string-map (match-lambda | |
87 | (#\- #\_) | |
88 | (chr chr)) | |
89 | (symbol->string val))) | |
90 | (else val))) | |
91 | ||
92 | (define (serialize-field field-name val) | |
93 | (if (eq? field-name 'pam-services) | |
94 | #t | |
95 | (format #t "~a ~a\n" | |
96 | (uglify-field-name field-name) | |
97 | (value->string val)))) | |
98 | ||
99 | (define serialize-string serialize-field) | |
100 | (define serialize-boolean serialize-field) | |
101 | (define serialize-number serialize-field) | |
102 | (define (serialize-list field-name val) | |
103 | (map (cut serialize-field field-name <>) val)) | |
104 | (define-maybe string) | |
105 | (define-maybe boolean) | |
106 | (define-maybe number) | |
107 | ||
108 | (define (ssl-option? val) | |
109 | (or (boolean? val) | |
110 | (eq? val 'start-tls))) | |
111 | (define serialize-ssl-option serialize-field) | |
112 | (define-maybe ssl-option) | |
113 | ||
114 | (define (tls-reqcert-option? val) | |
115 | (member val '(never allow try demand hard))) | |
116 | (define serialize-tls-reqcert-option serialize-field) | |
117 | (define-maybe tls-reqcert-option) | |
118 | ||
119 | (define (deref-option? val) | |
120 | (member val '(never searching finding always))) | |
121 | (define serialize-deref-option serialize-field) | |
122 | (define-maybe deref-option) | |
123 | ||
124 | (define (comma-separated-list-of-strings? val) | |
125 | (and (list? val) | |
126 | (every string? val))) | |
127 | (define (ignore-users-option? val) | |
128 | (or (comma-separated-list-of-strings? val) | |
129 | (eq? 'all-local val))) | |
130 | (define (serialize-ignore-users-option field-name val) | |
131 | (serialize-field field-name (if (eq? 'all-local val) | |
132 | val | |
133 | (string-join val ",")))) | |
134 | (define-maybe ignore-users-option) | |
135 | ||
136 | (define (log-option? val) | |
137 | (let ((valid-scheme? (lambda (scheme) | |
138 | (or (string? scheme) | |
139 | (member scheme '(none syslog)))))) | |
140 | (match val | |
141 | ((scheme level) | |
142 | (and (valid-scheme? scheme) | |
143 | (member level '(crit error warning notice info debug)))) | |
144 | ((scheme) | |
145 | (valid-scheme? scheme))))) | |
146 | (define (serialize-log-option field-name val) | |
147 | (serialize-field field-name | |
148 | (string-join (map (cut format #f "~a" <>) val)))) | |
149 | ||
150 | (define (valid-map? val) | |
151 | "Is VAL a supported map name?" | |
152 | (member val | |
153 | '(alias aliases ether ethers group host hosts netgroup network networks | |
154 | passwd protocol protocols rpc service services shadow))) | |
155 | ||
156 | (define (scope-option? val) | |
157 | (let ((valid-scopes '(subtree onelevel base children))) | |
158 | (match val | |
159 | ((map-name scope) | |
160 | (and (valid-map? map-name) | |
161 | (member scope valid-scopes))) | |
162 | ((scope) | |
163 | (member scope valid-scopes))))) | |
164 | (define (serialize-scope-option field-name val) | |
165 | (serialize-field field-name | |
166 | (string-join (map (cut format #f "~a" <>) val)))) | |
167 | ||
168 | (define (map-entry? val) | |
169 | (match val | |
170 | (((? valid-map? map-name) | |
171 | (? string? attribute) | |
172 | (? string? new-attribute)) #t) | |
173 | (_ #f))) | |
174 | ||
175 | (define (list-of-map-entries? val) | |
176 | (and (list? val) | |
177 | (every map-entry? val))) | |
178 | ||
179 | (define (filter-entry? val) | |
180 | (match val | |
181 | (((? valid-map? map-name) | |
182 | (? string? filter-expression)) #t) | |
183 | (_ #f))) | |
184 | ||
185 | (define (list-of-filter-entries? val) | |
186 | (and (list? val) | |
187 | (every filter-entry? val))) | |
188 | ||
189 | (define (serialize-filter-entry field-name val) | |
190 | (serialize-field 'filter | |
191 | (match val | |
192 | (((? valid-map? map-name) | |
193 | (? string? filter-expression)) | |
194 | (string-append (symbol->string map-name) | |
195 | " " filter-expression))))) | |
196 | ||
197 | (define (serialize-list-of-filter-entries field-name val) | |
198 | (for-each (cut serialize-filter-entry field-name <>) val)) | |
199 | ||
200 | (define (serialize-map-entry field-name val) | |
201 | (serialize-field 'map | |
202 | (match val | |
203 | (((? valid-map? map-name) | |
204 | (? string? attribute) | |
205 | (? string? new-attribute)) | |
206 | (string-append (symbol->string map-name) | |
207 | " " attribute | |
208 | " " new-attribute))))) | |
209 | ||
210 | (define (serialize-list-of-map-entries field-name val) | |
211 | (for-each (cut serialize-map-entry field-name <>) val)) | |
212 | ||
213 | \f | |
214 | (define-configuration nslcd-configuration | |
215 | (nss-pam-ldapd | |
216 | (package nss-pam-ldapd) | |
217 | "The NSS-PAM-LDAPD package to use.") | |
218 | ||
219 | ;; Runtime options | |
220 | (threads | |
221 | (maybe-number 'disabled) | |
222 | "The number of threads to start that can handle requests and perform LDAP | |
223 | queries. Each thread opens a separate connection to the LDAP server. The | |
224 | default is to start 5 threads.") | |
225 | (uid | |
226 | (string "nslcd") | |
227 | "This specifies the user id with which the daemon should be run.") | |
228 | (gid | |
229 | (string "nslcd") | |
230 | "This specifies the group id with which the daemon should be run.") | |
231 | (log | |
232 | (log-option '("/var/log/nslcd" info)) | |
233 | "This option controls the way logging is done via a list containing SCHEME | |
234 | and LEVEL. The SCHEME argument may either be the symbols \"none\" or | |
235 | \"syslog\", or an absolute file name. The LEVEL argument is optional and | |
236 | specifies the log level. The log level may be one of the following symbols: | |
237 | \"crit\", \"error\", \"warning\", \"notice\", \"info\" or \"debug\". All | |
238 | messages with the specified log level or higher are logged.") | |
239 | ||
240 | ;; LDAP connection settings | |
241 | (uri | |
242 | (list '("ldap://localhost:389/")) | |
243 | "The list of LDAP server URIs. Normally, only the first server will be | |
244 | used with the following servers as fall-back.") | |
245 | (ldap-version | |
246 | (maybe-string 'disabled) | |
247 | "The version of the LDAP protocol to use. The default is to use the | |
248 | maximum version supported by the LDAP library.") | |
249 | (binddn | |
250 | (maybe-string 'disabled) | |
251 | "Specifies the distinguished name with which to bind to the directory | |
252 | server for lookups. The default is to bind anonymously.") | |
253 | (bindpw | |
254 | (maybe-string 'disabled) | |
255 | "Specifies the credentials with which to bind. This option is only | |
256 | applicable when used with binddn.") | |
257 | (rootpwmoddn | |
258 | (maybe-string 'disabled) | |
259 | "Specifies the distinguished name to use when the root user tries to modify | |
260 | a user's password using the PAM module.") | |
261 | (rootpwmodpw | |
262 | (maybe-string 'disabled) | |
263 | "Specifies the credentials with which to bind if the root user tries to | |
264 | change a user's password. This option is only applicable when used with | |
265 | rootpwmoddn") | |
266 | ||
267 | ;; SASL authentication options | |
268 | (sasl-mech | |
269 | (maybe-string 'disabled) | |
270 | "Specifies the SASL mechanism to be used when performing SASL | |
271 | authentication.") | |
272 | (sasl-realm | |
273 | (maybe-string 'disabled) | |
274 | "Specifies the SASL realm to be used when performing SASL authentication.") | |
275 | (sasl-authcid | |
276 | (maybe-string 'disabled) | |
277 | "Specifies the authentication identity to be used when performing SASL | |
278 | authentication.") | |
279 | (sasl-authzid | |
280 | (maybe-string 'disabled) | |
281 | "Specifies the authorization identity to be used when performing SASL | |
282 | authentication.") | |
283 | (sasl-canonicalize? | |
284 | (maybe-boolean 'disabled) | |
285 | "Determines whether the LDAP server host name should be canonicalised. If | |
286 | this is enabled the LDAP library will do a reverse host name lookup. By | |
287 | default, it is left up to the LDAP library whether this check is performed or | |
288 | not.") | |
289 | ||
290 | ;; Kerberos authentication options | |
291 | (krb5-ccname | |
292 | (maybe-string 'disabled) | |
293 | "Set the name for the GSS-API Kerberos credentials cache.") | |
294 | ||
295 | ;; Search / mapping options | |
296 | (base | |
297 | (string "dc=example,dc=com") | |
298 | "The directory search base.") | |
299 | (scope | |
300 | (scope-option '(subtree)) | |
301 | "Specifies the search scope (subtree, onelevel, base or children). The | |
302 | default scope is subtree; base scope is almost never useful for name service | |
303 | lookups; children scope is not supported on all servers.") | |
304 | (deref | |
305 | (maybe-deref-option 'disabled) | |
306 | "Specifies the policy for dereferencing aliases. The default policy is to | |
307 | never dereference aliases.") | |
308 | (referrals | |
309 | (maybe-boolean 'disabled) | |
310 | "Specifies whether automatic referral chasing should be enabled. The | |
311 | default behaviour is to chase referrals.") | |
312 | (maps | |
313 | (list-of-map-entries '()) | |
314 | "This option allows for custom attributes to be looked up instead of the | |
315 | default RFC 2307 attributes. It is a list of maps, each consisting of the | |
316 | name of a map, the RFC 2307 attribute to match and the query expression for | |
317 | the attribute as it is available in the directory.") | |
318 | (filters | |
319 | (list-of-filter-entries '()) | |
320 | "A list of filters consisting of the name of a map to which the filter | |
321 | applies and an LDAP search filter expression.") | |
322 | ||
323 | ;; Timing / reconnect options | |
324 | (bind-timelimit | |
325 | (maybe-number 'disabled) | |
326 | "Specifies the time limit in seconds to use when connecting to the | |
327 | directory server. The default value is 10 seconds.") | |
328 | (timelimit | |
329 | (maybe-number 'disabled) | |
330 | "Specifies the time limit (in seconds) to wait for a response from the LDAP | |
331 | server. A value of zero, which is the default, is to wait indefinitely for | |
332 | searches to be completed.") | |
333 | (idle-timelimit | |
334 | (maybe-number 'disabled) | |
335 | "Specifies the period if inactivity (in seconds) after which the con‐ | |
336 | nection to the LDAP server will be closed. The default is not to time out | |
337 | connections.") | |
338 | (reconnect-sleeptime | |
339 | (maybe-number 'disabled) | |
340 | "Specifies the number of seconds to sleep when connecting to all LDAP | |
341 | servers fails. By default one second is waited between the first failure and | |
342 | the first retry.") | |
343 | (reconnect-retrytime | |
344 | (maybe-number 'disabled) | |
345 | "Specifies the time after which the LDAP server is considered to be | |
346 | permanently unavailable. Once this time is reached retries will be done only | |
347 | once per this time period. The default value is 10 seconds.") | |
348 | ||
349 | ;; TLS options | |
350 | (ssl | |
351 | (maybe-ssl-option 'disabled) | |
352 | "Specifies whether to use SSL/TLS or not (the default is not to). If | |
353 | 'start-tls is specified then StartTLS is used rather than raw LDAP over SSL.") | |
354 | (tls-reqcert | |
355 | (maybe-tls-reqcert-option 'disabled) | |
356 | "Specifies what checks to perform on a server-supplied certificate. | |
357 | The meaning of the values is described in the ldap.conf(5) manual page.") | |
358 | (tls-cacertdir | |
359 | (maybe-string 'disabled) | |
360 | "Specifies the directory containing X.509 certificates for peer authen‐ | |
361 | tication. This parameter is ignored when using GnuTLS.") | |
362 | (tls-cacertfile | |
363 | (maybe-string 'disabled) | |
364 | "Specifies the path to the X.509 certificate for peer authentication.") | |
365 | (tls-randfile | |
366 | (maybe-string 'disabled) | |
367 | "Specifies the path to an entropy source. This parameter is ignored when | |
368 | using GnuTLS.") | |
369 | (tls-ciphers | |
370 | (maybe-string 'disabled) | |
371 | "Specifies the ciphers to use for TLS as a string.") | |
372 | (tls-cert | |
373 | (maybe-string 'disabled) | |
374 | "Specifies the path to the file containing the local certificate for client | |
375 | TLS authentication.") | |
376 | (tls-key | |
377 | (maybe-string 'disabled) | |
378 | "Specifies the path to the file containing the private key for client TLS | |
379 | authentication.") | |
380 | ||
381 | ;; Other options | |
382 | (pagesize | |
383 | (maybe-number 'disabled) | |
384 | "Set this to a number greater than 0 to request paged results from the LDAP | |
385 | server in accordance with RFC2696. The default (0) is to not request paged | |
386 | results.") | |
387 | (nss-initgroups-ignoreusers | |
388 | (maybe-ignore-users-option 'disabled) | |
389 | "This option prevents group membership lookups through LDAP for the | |
390 | specified users. Alternatively, the value 'all-local may be used. With that | |
391 | value nslcd builds a full list of non-LDAP users on startup.") | |
392 | (nss-min-uid | |
393 | (maybe-number 'disabled) | |
394 | "This option ensures that LDAP users with a numeric user id lower than the | |
395 | specified value are ignored.") | |
396 | (nss-uid-offset | |
397 | (maybe-number 'disabled) | |
398 | "This option specifies an offset that is added to all LDAP numeric user | |
399 | ids. This can be used to avoid user id collisions with local users.") | |
400 | (nss-gid-offset | |
401 | (maybe-number 'disabled) | |
402 | "This option specifies an offset that is added to all LDAP numeric group | |
403 | ids. This can be used to avoid user id collisions with local groups.") | |
404 | (nss-nested-groups | |
405 | (maybe-boolean 'disabled) | |
406 | "If this option is set, the member attribute of a group may point to | |
407 | another group. Members of nested groups are also returned in the higher level | |
408 | group and parent groups are returned when finding groups for a specific user. | |
409 | The default is not to perform extra searches for nested groups.") | |
410 | (nss-getgrent-skipmembers | |
411 | (maybe-boolean 'disabled) | |
412 | "If this option is set, the group member list is not retrieved when looking | |
413 | up groups. Lookups for finding which groups a user belongs to will remain | |
414 | functional so the user will likely still get the correct groups assigned on | |
415 | login.") | |
416 | (nss-disable-enumeration | |
417 | (maybe-boolean 'disabled) | |
418 | "If this option is set, functions which cause all user/group entries to be | |
419 | loaded from the directory will not succeed in doing so. This can dramatically | |
420 | reduce LDAP server load in situations where there are a great number of users | |
421 | and/or groups. This option is not recommended for most configurations.") | |
422 | (validnames | |
423 | (maybe-string 'disabled) | |
424 | "This option can be used to specify how user and group names are verified | |
425 | within the system. This pattern is used to check all user and group names | |
426 | that are requested and returned from LDAP.") | |
427 | (ignorecase | |
428 | (maybe-boolean 'disabled) | |
429 | "This specifies whether or not to perform searches using case-insensitive | |
430 | matching. Enabling this could open up the system to authorization bypass | |
431 | vulnerabilities and introduce nscd cache poisoning vulnerabilities which allow | |
432 | denial of service.") | |
433 | (pam-authc-ppolicy | |
434 | (maybe-boolean 'disabled) | |
435 | "This option specifies whether password policy controls are requested and | |
436 | handled from the LDAP server when performing user authentication.") | |
437 | (pam-authc-search | |
438 | (maybe-string 'disabled) | |
439 | "By default nslcd performs an LDAP search with the user's credentials after | |
440 | BIND (authentication) to ensure that the BIND operation was successful. The | |
441 | default search is a simple check to see if the user's DN exists. A search | |
442 | filter can be specified that will be used instead. It should return at least | |
443 | one entry.") | |
444 | (pam-authz-search | |
445 | (maybe-string 'disabled) | |
446 | "This option allows flexible fine tuning of the authorisation check that | |
447 | should be performed. The search filter specified is executed and if any | |
448 | entries match, access is granted, otherwise access is denied.") | |
449 | (pam-password-prohibit-message | |
450 | (maybe-string 'disabled) | |
451 | "If this option is set password modification using pam_ldap will be denied | |
452 | and the specified message will be presented to the user instead. The message | |
453 | can be used to direct the user to an alternative means of changing their | |
454 | password.") | |
455 | ||
456 | ;; Options for extension of pam-root-service-type. | |
457 | (pam-services | |
458 | (list '()) | |
459 | "List of pam service names for which LDAP authentication should suffice.")) | |
460 | ||
461 | (define %nslcd-accounts | |
462 | (list (user-group | |
463 | (name "nslcd") | |
464 | (system? #t)) | |
465 | (user-account | |
466 | (name "nslcd") | |
467 | (group "nslcd") | |
468 | (comment "NSLCD service account") | |
469 | (home-directory "/var/empty") | |
470 | (shell (file-append shadow "/sbin/nologin")) | |
471 | (system? #t)))) | |
472 | ||
473 | (define (nslcd-config-file config) | |
474 | "Return an NSLCD configuration file." | |
475 | (plain-file "nslcd.conf" | |
476 | (with-output-to-string | |
477 | (lambda () | |
478 | (serialize-configuration config nslcd-configuration-fields) | |
479 | ;; The file must end with a newline character. | |
480 | (format #t "\n"))))) | |
481 | ||
482 | ;; XXX: The file should only be readable by root if it contains a "bindpw" | |
483 | ;; declaration. Unfortunately, this etc-service-type extension does not | |
484 | ;; support setting file modes, so we do this in the activation service. | |
485 | (define (nslcd-etc-service config) | |
486 | `(("nslcd.conf" ,(nslcd-config-file config)))) | |
487 | ||
488 | (define (nslcd-shepherd-service config) | |
489 | (list (shepherd-service | |
490 | (documentation "Run the nslcd service for resolving names from LDAP.") | |
491 | (provision '(nslcd)) | |
492 | (requirement '(networking user-processes)) | |
493 | (start #~(make-forkexec-constructor | |
494 | (list (string-append #$(nslcd-configuration-nss-pam-ldapd config) | |
495 | "/sbin/nslcd") | |
496 | "--nofork") | |
497 | #:pid-file "/var/run/nslcd/nslcd.pid" | |
498 | #:environment-variables | |
499 | (list (string-append "LD_LIBRARY_PATH=" | |
500 | #$(nslcd-configuration-nss-pam-ldapd config) | |
501 | "/lib")))) | |
502 | (stop #~(make-kill-destructor))))) | |
503 | ||
504 | (define (pam-ldap-pam-service config) | |
505 | "Return a PAM service for LDAP authentication." | |
506 | (define pam-ldap-module | |
507 | #~(string-append #$(nslcd-configuration-nss-pam-ldapd config) | |
508 | "/lib/security/pam_ldap.so")) | |
509 | (lambda (pam) | |
510 | (if (member (pam-service-name pam) | |
511 | (nslcd-configuration-pam-services config)) | |
512 | (let ((sufficient | |
513 | (pam-entry | |
514 | (control "sufficient") | |
515 | (module pam-ldap-module)))) | |
516 | (pam-service | |
517 | (inherit pam) | |
518 | (auth (cons sufficient (pam-service-auth pam))) | |
519 | (session (cons sufficient (pam-service-session pam))) | |
520 | (account (cons sufficient (pam-service-account pam))))) | |
521 | pam))) | |
522 | ||
523 | (define (pam-ldap-pam-services config) | |
524 | (list (pam-ldap-pam-service config))) | |
525 | ||
520bac7e MD |
526 | (define %nslcd-activation |
527 | (with-imported-modules (source-module-closure '((gnu build activation))) | |
528 | #~(begin | |
529 | (use-modules (gnu build activation)) | |
530 | (let ((rundir "/var/run/nslcd") | |
531 | (user (getpwnam "nslcd"))) | |
532 | (mkdir-p/perms rundir user #o755) | |
533 | (when (file-exists? "/etc/nslcd.conf") | |
534 | (chmod "/etc/nslcd.conf" #o400)))))) | |
535 | ||
c16423f1 RW |
536 | (define nslcd-service-type |
537 | (service-type | |
538 | (name 'nslcd) | |
539 | (description "Run the NSLCD service for looking up names from LDAP.") | |
540 | (extensions | |
541 | (list (service-extension account-service-type | |
542 | (const %nslcd-accounts)) | |
543 | (service-extension etc-service-type | |
544 | nslcd-etc-service) | |
545 | (service-extension activation-service-type | |
520bac7e | 546 | (const %nslcd-activation)) |
c16423f1 RW |
547 | (service-extension pam-root-service-type |
548 | pam-ldap-pam-services) | |
549 | (service-extension nscd-service-type | |
550 | (const (list nss-pam-ldapd))) | |
551 | (service-extension shepherd-root-service-type | |
552 | nslcd-shepherd-service))) | |
553 | (default-value (nslcd-configuration)))) | |
554 | ||
555 | (define (generate-nslcd-documentation) | |
556 | (generate-documentation | |
557 | `((nslcd-configuration ,nslcd-configuration-fields)) | |
558 | 'nslcd-configuration)) |