[jackhill/guix/guix.git] / gnu / services / authentication.scm

;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2018 Danny Milosavljevic <dannym@scratchpost.org>
;;; Copyright © 2018, 2019 Ricardo Wurmus <rekado@elephly.net>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

(define-module (gnu services authentication)
  #:use-module (gnu services)
  #:use-module (gnu services base)
  #:use-module (gnu services configuration)
  #:use-module (gnu services dbus)
  #:use-module (gnu services shepherd)
  #:use-module (gnu system pam)
  #:use-module (gnu system shadow)
  #:use-module (gnu packages admin)
  #:use-module (gnu packages freedesktop)
  #:use-module (gnu packages openldap)
  #:use-module (guix gexp)
  #:use-module (guix records)
  #:use-module (guix packages)
  #:use-module (ice-9 match)
  #:use-module (srfi srfi-1)
  #:use-module (srfi srfi-26)
  #:export (fprintd-configuration
            fprintd-configuration?
            fprintd-service-type

            nslcd-configuration
            nslcd-configuration?
            nslcd-service-type))

(define-configuration fprintd-configuration
  (fprintd      (package fprintd)
                "The fprintd package"))

(define (fprintd-dbus-service config)
  (list (fprintd-configuration-fprintd config)))

(define fprintd-service-type
  (service-type (name 'fprintd)
                (extensions
                 (list (service-extension dbus-root-service-type
                                          fprintd-dbus-service)
                       (service-extension polkit-service-type
                                          fprintd-dbus-service)))
                (default-value (fprintd-configuration))
                (description
                 "Run fprintd, a fingerprint management daemon.")))

\f
;;;
;;; NSS Pam LDAP service (nslcd)
;;;

(define (uglify-field-name name)
  (match name
    ('filters "filter")
    ('maps "map")
    (_ (string-map (match-lambda
                     (#\- #\_)
                     (chr chr))
                   (symbol->string name)))))

(define (value->string val)
  (cond
   ((boolean? val)
    (if val "on" "off"))
   ((number? val)
    (number->string val))
   ((symbol? val)
    (string-map (match-lambda
                     (#\- #\_)
                     (chr chr))
                   (symbol->string val)))
   (else val)))

(define (serialize-field field-name val)
  (if (eq? field-name 'pam-services)
      #t
      (format #t "~a ~a\n"
              (uglify-field-name field-name)
              (value->string val))))

(define serialize-string serialize-field)
(define serialize-boolean serialize-field)
(define serialize-number serialize-field)
(define (serialize-list field-name val)
  (map (cut serialize-field field-name <>) val))
(define-maybe string)
(define-maybe boolean)
(define-maybe number)

(define (ssl-option? val)
  (or (boolean? val)
      (eq? val 'start-tls)))
(define serialize-ssl-option serialize-field)
(define-maybe ssl-option)

(define (tls-reqcert-option? val)
  (member val '(never allow try demand hard)))
(define serialize-tls-reqcert-option serialize-field)
(define-maybe tls-reqcert-option)

(define (deref-option? val)
  (member val '(never searching finding always)))
(define serialize-deref-option serialize-field)
(define-maybe deref-option)

(define (comma-separated-list-of-strings? val)
  (and (list? val)
       (every string? val)))
(define (ignore-users-option? val)
  (or (comma-separated-list-of-strings? val)
      (eq? 'all-local val)))
(define (serialize-ignore-users-option field-name val)
  (serialize-field field-name (if (eq? 'all-local val)
                                  val
                                  (string-join val ","))))
(define-maybe ignore-users-option)

(define (log-option? val)
  (let ((valid-scheme? (lambda (scheme)
                         (or (string? scheme)
                             (member scheme '(none syslog))))))
    (match val
      ((scheme level)
       (and (valid-scheme? scheme)
            (member level '(crit error warning notice info debug))))
      ((scheme)
       (valid-scheme? scheme)))))
(define (serialize-log-option field-name val)
  (serialize-field field-name
                   (string-join (map (cut format #f "~a" <>) val))))

(define (valid-map? val)
  "Is VAL a supported map name?"
  (member val
          '(alias aliases ether ethers group host hosts netgroup network networks
            passwd protocol protocols rpc service services shadow)))

(define (scope-option? val)
  (let ((valid-scopes '(subtree onelevel base children)))
    (match val
      ((map-name scope)
       (and (valid-map? map-name)
            (member scope valid-scopes)))
      ((scope)
       (member scope valid-scopes)))))
(define (serialize-scope-option field-name val)
  (serialize-field field-name
                   (string-join (map (cut format #f "~a" <>) val))))

(define (map-entry? val)
  (match val
    (((? valid-map? map-name)
      (? string? attribute)
      (? string? new-attribute)) #t)
    (_ #f)))

(define (list-of-map-entries? val)
  (and (list? val)
       (every map-entry? val)))

(define (filter-entry? val)
  (match val
    (((? valid-map? map-name)
      (? string? filter-expression)) #t)
    (_ #f)))

(define (list-of-filter-entries? val)
  (and (list? val)
       (every filter-entry? val)))

(define (serialize-filter-entry field-name val)
  (serialize-field 'filter
                   (match val
                     (((? valid-map? map-name)
                       (? string? filter-expression))
                      (string-append (symbol->string map-name)
                                     " " filter-expression)))))

(define (serialize-list-of-filter-entries field-name val)
  (for-each (cut serialize-filter-entry field-name <>) val))

(define (serialize-map-entry field-name val)
  (serialize-field 'map
                   (match val
                     (((? valid-map? map-name)
                       (? string? attribute)
                       (? string? new-attribute))
                      (string-append (symbol->string map-name)
                                     " " attribute
                                     " " new-attribute)))))

(define (serialize-list-of-map-entries field-name val)
  (for-each (cut serialize-map-entry field-name <>) val))

\f
(define-configuration nslcd-configuration
  (nss-pam-ldapd
   (package nss-pam-ldapd)
   "The NSS-PAM-LDAPD package to use.")

  ;; Runtime options
  (threads
   (maybe-number 'disabled)
   "The number of threads to start that can handle requests and perform LDAP
queries.  Each thread opens a separate connection to the LDAP server.  The
default is to start 5 threads.")
  (uid
   (string "nslcd")
   "This specifies the user id with which the daemon should be run.")
  (gid
   (string "nslcd")
   "This specifies the group id with which the daemon should be run.")
  (log
   (log-option '("/var/log/nslcd" info))
   "This option controls the way logging is done via a list containing SCHEME
and LEVEL.  The SCHEME argument may either be the symbols \"none\" or
\"syslog\", or an absolute file name.  The LEVEL argument is optional and
specifies the log level.  The log level may be one of the following symbols:
\"crit\", \"error\", \"warning\", \"notice\", \"info\" or \"debug\".  All
messages with the specified log level or higher are logged.")

  ;; LDAP connection settings
  (uri
   (list '("ldap://localhost:389/"))
   "The list of LDAP server URIs.  Normally, only the first server will be
used with the following servers as fall-back.")
  (ldap-version
   (maybe-string 'disabled)
   "The version of the LDAP protocol to use.  The default is to use the
maximum version supported by the LDAP library.")
  (binddn
   (maybe-string 'disabled)
   "Specifies the distinguished name with which to bind to the directory
server for lookups.  The default is to bind anonymously.")
  (bindpw
   (maybe-string 'disabled)
   "Specifies the credentials with which to bind.  This option is only
applicable when used with binddn.")
  (rootpwmoddn
   (maybe-string 'disabled)
   "Specifies the distinguished name to use when the root user tries to modify
a user's password using the PAM module.")
  (rootpwmodpw
   (maybe-string 'disabled)
   "Specifies the credentials with which to bind if the root user tries to
change a user's password.  This option is only applicable when used with
rootpwmoddn")

  ;; SASL authentication options
  (sasl-mech
   (maybe-string 'disabled)
   "Specifies the SASL mechanism to be used when performing SASL
authentication.")
  (sasl-realm
   (maybe-string 'disabled)
   "Specifies the SASL realm to be used when performing SASL authentication.")
  (sasl-authcid
   (maybe-string 'disabled)
   "Specifies the authentication identity to be used when performing SASL
authentication.")
  (sasl-authzid
   (maybe-string 'disabled)
   "Specifies the authorization identity to be used when performing SASL
authentication.")
  (sasl-canonicalize?
   (maybe-boolean 'disabled)
   "Determines whether the LDAP server host name should be canonicalised.  If
this is enabled the LDAP library will do a reverse host name lookup.  By
default, it is left up to the LDAP library whether this check is performed or
not.")

  ;; Kerberos authentication options
  (krb5-ccname
   (maybe-string 'disabled)
   "Set the name for the GSS-API Kerberos credentials cache.")

  ;; Search / mapping options
  (base
   (string "dc=example,dc=com")
   "The directory search base.")
  (scope
   (scope-option '(subtree))
   "Specifies the search scope (subtree, onelevel, base or children).  The
default scope is subtree; base scope is almost never useful for name service
lookups; children scope is not supported on all servers.")
  (deref
   (maybe-deref-option 'disabled)
   "Specifies the policy for dereferencing aliases.  The default policy is to
never dereference aliases.")
  (referrals
   (maybe-boolean 'disabled)
   "Specifies whether automatic referral chasing should be enabled.  The
default behaviour is to chase referrals.")
  (maps
   (list-of-map-entries '())
   "This option allows for custom attributes to be looked up instead of the
default RFC 2307 attributes.  It is a list of maps, each consisting of the
name of a map, the RFC 2307 attribute to match and the query expression for
the attribute as it is available in the directory.")
  (filters
   (list-of-filter-entries '())
   "A list of filters consisting of the name of a map to which the filter
applies and an LDAP search filter expression.")

  ;; Timing / reconnect options
  (bind-timelimit
   (maybe-number 'disabled)
   "Specifies the time limit in seconds to use when connecting to the
directory server.  The default value is 10 seconds.")
  (timelimit
   (maybe-number 'disabled)
   "Specifies the time limit (in seconds) to wait for a response from the LDAP
server.  A value of zero, which is the default, is to wait indefinitely for
searches to be completed.")
  (idle-timelimit
   (maybe-number 'disabled)
   "Specifies the period if inactivity (in seconds) after which the con‐
nection to the LDAP server will be closed.  The default is not to time out
connections.")
  (reconnect-sleeptime
   (maybe-number 'disabled)
   "Specifies the number of seconds to sleep when connecting to all LDAP
servers fails.  By default one second is waited between the first failure and
the first retry.")
  (reconnect-retrytime
   (maybe-number 'disabled)
   "Specifies the time after which the LDAP server is considered to be
permanently unavailable.  Once this time is reached retries will be done only
once per this time period.  The default value is 10 seconds.")

  ;; TLS options
  (ssl
   (maybe-ssl-option 'disabled)
   "Specifies whether to use SSL/TLS or not (the default is not to).  If
'start-tls is specified then StartTLS is used rather than raw LDAP over SSL.")
  (tls-reqcert
   (maybe-tls-reqcert-option 'disabled)
   "Specifies what checks to perform on a server-supplied certificate.
The meaning of the values is described in the ldap.conf(5) manual page.")
  (tls-cacertdir
   (maybe-string 'disabled)
   "Specifies the directory containing X.509 certificates for peer authen‐
tication.  This parameter is ignored when using GnuTLS.")
  (tls-cacertfile
   (maybe-string 'disabled)
   "Specifies the path to the X.509 certificate for peer authentication.")
  (tls-randfile
   (maybe-string 'disabled)
   "Specifies the path to an entropy source.  This parameter is ignored when
using GnuTLS.")
  (tls-ciphers
   (maybe-string 'disabled)
   "Specifies the ciphers to use for TLS as a string.")
  (tls-cert
   (maybe-string 'disabled)
   "Specifies the path to the file containing the local certificate for client
TLS authentication.")
  (tls-key
   (maybe-string 'disabled)
   "Specifies the path to the file containing the private key for client TLS
authentication.")

  ;; Other options
  (pagesize
   (maybe-number 'disabled)
   "Set this to a number greater than 0 to request paged results from the LDAP
server in accordance with RFC2696.  The default (0) is to not request paged
results.")
  (nss-initgroups-ignoreusers
   (maybe-ignore-users-option 'disabled)
   "This option prevents group membership lookups through LDAP for the
specified users.  Alternatively, the value 'all-local may be used.  With that
value nslcd builds a full list of non-LDAP users on startup.")
  (nss-min-uid
   (maybe-number 'disabled)
   "This option ensures that LDAP users with a numeric user id lower than the
specified value are ignored.")
  (nss-uid-offset
   (maybe-number 'disabled)
   "This option specifies an offset that is added to all LDAP numeric user
ids.  This can be used to avoid user id collisions with local users.")
  (nss-gid-offset
   (maybe-number 'disabled)
   "This option specifies an offset that is added to all LDAP numeric group
ids.  This can be used to avoid user id collisions with local groups.")
  (nss-nested-groups
   (maybe-boolean 'disabled)
   "If this option is set, the member attribute of a group may point to
another group.  Members of nested groups are also returned in the higher level
group and parent groups are returned when finding groups for a specific user.
The default is not to perform extra searches for nested groups.")
  (nss-getgrent-skipmembers
   (maybe-boolean 'disabled)
   "If this option is set, the group member list is not retrieved when looking
up groups.  Lookups for finding which groups a user belongs to will remain
functional so the user will likely still get the correct groups assigned on
login.")
  (nss-disable-enumeration
   (maybe-boolean 'disabled)
   "If this option is set, functions which cause all user/group entries to be
loaded from the directory will not succeed in doing so.  This can dramatically
reduce LDAP server load in situations where there are a great number of users
and/or groups.  This option is not recommended for most configurations.")
  (validnames
   (maybe-string 'disabled)
   "This option can be used to specify how user and group names are verified
within the system.  This pattern is used to check all user and group names
that are requested and returned from LDAP.")
  (ignorecase
   (maybe-boolean 'disabled)
   "This specifies whether or not to perform searches using case-insensitive
matching.  Enabling this could open up the system to authorization bypass
vulnerabilities and introduce nscd cache poisoning vulnerabilities which allow
denial of service.")
  (pam-authc-ppolicy
   (maybe-boolean 'disabled)
   "This option specifies whether password policy controls are requested and
handled from the LDAP server when performing user authentication.")
  (pam-authc-search
   (maybe-string 'disabled)
   "By default nslcd performs an LDAP search with the user's credentials after
BIND (authentication) to ensure that the BIND operation was successful.  The
default search is a simple check to see if the user's DN exists.  A search
filter can be specified that will be used instead.  It should return at least
one entry.")
  (pam-authz-search
   (maybe-string 'disabled)
   "This option allows flexible fine tuning of the authorisation check that
should be performed.  The search filter specified is executed and if any
entries match, access is granted, otherwise access is denied.")
  (pam-password-prohibit-message
   (maybe-string 'disabled)
   "If this option is set password modification using pam_ldap will be denied
and the specified message will be presented to the user instead.  The message
can be used to direct the user to an alternative means of changing their
password.")

  ;; Options for extension of pam-root-service-type.
  (pam-services
   (list '())
   "List of pam service names for which LDAP authentication should suffice."))

(define %nslcd-accounts
  (list (user-group
         (name "nslcd")
         (system? #t))
        (user-account
         (name "nslcd")
         (group "nslcd")
         (comment "NSLCD service account")
         (home-directory "/var/empty")
         (shell (file-append shadow "/sbin/nologin"))
         (system? #t))))

(define (nslcd-config-file config)
  "Return an NSLCD configuration file."
  (plain-file "nslcd.conf"
              (with-output-to-string
                (lambda ()
                  (serialize-configuration config nslcd-configuration-fields)
                  ;; The file must end with a newline character.
                  (format #t "\n")))))

;; XXX: The file should only be readable by root if it contains a "bindpw"
;; declaration.  Unfortunately, this etc-service-type extension does not
;; support setting file modes, so we do this in the activation service.
(define (nslcd-etc-service config)
  `(("nslcd.conf" ,(nslcd-config-file config))))

(define (nslcd-shepherd-service config)
  (list (shepherd-service
         (documentation "Run the nslcd service for resolving names from LDAP.")
         (provision '(nslcd))
         (requirement '(networking user-processes))
         (start #~(make-forkexec-constructor
                   (list (string-append #$(nslcd-configuration-nss-pam-ldapd config)
                                        "/sbin/nslcd")
                         "--nofork")
                   #:pid-file "/var/run/nslcd/nslcd.pid"
                   #:environment-variables
                   (list (string-append "LD_LIBRARY_PATH="
                                        #$(nslcd-configuration-nss-pam-ldapd config)
                                        "/lib"))))
         (stop #~(make-kill-destructor)))))

(define (pam-ldap-pam-service config)
  "Return a PAM service for LDAP authentication."
  (define pam-ldap-module
    #~(string-append #$(nslcd-configuration-nss-pam-ldapd config)
                     "/lib/security/pam_ldap.so"))
  (lambda (pam)
    (if (member (pam-service-name pam)
                (nslcd-configuration-pam-services config))
        (let ((sufficient
               (pam-entry
                (control "sufficient")
                (module pam-ldap-module))))
          (pam-service
           (inherit pam)
           (auth (cons sufficient (pam-service-auth pam)))
           (session (cons sufficient (pam-service-session pam)))
           (account (cons sufficient (pam-service-account pam)))))
        pam)))

(define (pam-ldap-pam-services config)
  (list (pam-ldap-pam-service config)))

(define nslcd-service-type
  (service-type
   (name 'nslcd)
   (description "Run the NSLCD service for looking up names from LDAP.")
   (extensions
    (list (service-extension account-service-type
                             (const %nslcd-accounts))
          (service-extension etc-service-type
                             nslcd-etc-service)
          (service-extension activation-service-type
                             (const #~(begin
                                        (use-modules (guix build utils))
                                        (let ((rundir "/var/run/nslcd")
                                              (user (getpwnam "nslcd")))
                                          (mkdir-p rundir)
                                          (chown rundir (passwd:uid user) (passwd:gid user))
                                          (chmod rundir #o755)
                                          (when (file-exists? "/etc/nslcd.conf")
                                            (chmod "/etc/nslcd.conf" #o400))))))
          (service-extension pam-root-service-type
                             pam-ldap-pam-services)
          (service-extension nscd-service-type
                             (const (list nss-pam-ldapd)))
          (service-extension shepherd-root-service-type
                             nslcd-shepherd-service)))
   (default-value (nslcd-configuration))))

(define (generate-nslcd-documentation)
  (generate-documentation
   `((nslcd-configuration ,nslcd-configuration-fields))
   'nslcd-configuration))
Commit	Line	Data
7f93bbd5 DM	1	;;; GNU Guix --- Functional package management for GNU
7f93bbd5 DM	2	;;; Copyright © 2018 Danny Milosavljevic <dannym@scratchpost.org>
c16423f1	3	;;; Copyright © 2018, 2019 Ricardo Wurmus <rekado@elephly.net>
7f93bbd5 DM	4	;;;
	5	;;; This file is part of GNU Guix.
	6	;;;
	7	;;; GNU Guix is free software; you can redistribute it and/or modify it
	8	;;; under the terms of the GNU General Public License as published by
	9	;;; the Free Software Foundation; either version 3 of the License, or (at
	10	;;; your option) any later version.
	11	;;;
	12	;;; GNU Guix is distributed in the hope that it will be useful, but
	13	;;; WITHOUT ANY WARRANTY; without even the implied warranty of
	14	;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	15	;;; GNU General Public License for more details.
	16	;;;
	17	;;; You should have received a copy of the GNU General Public License
	18	;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
	19
812f6bd8	20	(define-module (gnu services authentication)
7f93bbd5	21	#:use-module (gnu services)
c16423f1 RW	22	#:use-module (gnu services base)
c16423f1 RW	23	#:use-module (gnu services configuration)
7f93bbd5	24	#:use-module (gnu services dbus)
c16423f1 RW	25	#:use-module (gnu services shepherd)
	26	#:use-module (gnu system pam)
	27	#:use-module (gnu system shadow)
	28	#:use-module (gnu packages admin)
7f93bbd5	29	#:use-module (gnu packages freedesktop)
c16423f1	30	#:use-module (gnu packages openldap)
7f93bbd5 DM	31	#:use-module (guix gexp)
7f93bbd5 DM	32	#:use-module (guix records)
c16423f1 RW	33	#:use-module (guix packages)
	34	#:use-module (ice-9 match)
	35	#:use-module (srfi srfi-1)
	36	#:use-module (srfi srfi-26)
7f93bbd5 DM	37	#:export (fprintd-configuration
7f93bbd5 DM	38	fprintd-configuration?
c16423f1 RW	39	fprintd-service-type
	40
	41	nslcd-configuration
	42	nslcd-configuration?
	43	nslcd-service-type))
7f93bbd5	44
dc019782 DM	45	(define-configuration fprintd-configuration
	46	(fprintd (package fprintd)
	47	"The fprintd package"))
7f93bbd5	48
0682f084 DM	49	(define (fprintd-dbus-service config)
	50	(list (fprintd-configuration-fprintd config)))
	51
7f93bbd5 DM	52	(define fprintd-service-type
	53	(service-type (name 'fprintd)
	54	(extensions
	55	(list (service-extension dbus-root-service-type
9374cbd1 DM	56	fprintd-dbus-service)
9374cbd1 DM	57	(service-extension polkit-service-type
0682f084 DM	58	fprintd-dbus-service)))
0682f084 DM	59	(default-value (fprintd-configuration))
7f93bbd5 DM	60	(description
7f93bbd5 DM	61	"Run fprintd, a fingerprint management daemon.")))
c16423f1 RW	62
	63	\f
	64	;;;
	65	;;; NSS Pam LDAP service (nslcd)
	66	;;;
	67
	68	(define (uglify-field-name name)
	69	(match name
	70	('filters "filter")
	71	('maps "map")
	72	(_ (string-map (match-lambda
	73	(#\- #\_)
	74	(chr chr))
	75	(symbol->string name)))))
	76
	77	(define (value->string val)
	78	(cond
	79	((boolean? val)
	80	(if val "on" "off"))
	81	((number? val)
	82	(number->string val))
	83	((symbol? val)
	84	(string-map (match-lambda
	85	(#\- #\_)
	86	(chr chr))
	87	(symbol->string val)))
	88	(else val)))
	89
	90	(define (serialize-field field-name val)
	91	(if (eq? field-name 'pam-services)
	92	#t
	93	(format #t "~a ~a\n"
	94	(uglify-field-name field-name)
	95	(value->string val))))
	96
	97	(define serialize-string serialize-field)
	98	(define serialize-boolean serialize-field)
	99	(define serialize-number serialize-field)
	100	(define (serialize-list field-name val)
	101	(map (cut serialize-field field-name <>) val))
	102	(define-maybe string)
	103	(define-maybe boolean)
	104	(define-maybe number)
	105
	106	(define (ssl-option? val)
	107	(or (boolean? val)
	108	(eq? val 'start-tls)))
	109	(define serialize-ssl-option serialize-field)
	110	(define-maybe ssl-option)
	111
	112	(define (tls-reqcert-option? val)
	113	(member val '(never allow try demand hard)))
	114	(define serialize-tls-reqcert-option serialize-field)
	115	(define-maybe tls-reqcert-option)
	116
	117	(define (deref-option? val)
	118	(member val '(never searching finding always)))
	119	(define serialize-deref-option serialize-field)
	120	(define-maybe deref-option)
	121
	122	(define (comma-separated-list-of-strings? val)
	123	(and (list? val)
	124	(every string? val)))
	125	(define (ignore-users-option? val)
126	(or (comma-separated-list-of-strings? val)
127	(eq? 'all-local val)))
128	(define (serialize-ignore-users-option field-name val)
129	(serialize-field field-name (if (eq? 'all-local val)
130	val
131	(string-join val ","))))
132	(define-maybe ignore-users-option)
133
134	(define (log-option? val)
135	(let ((valid-scheme? (lambda (scheme)
136	(or (string? scheme)
137	(member scheme '(none syslog))))))
138	(match val
139	((scheme level)
140	(and (valid-scheme? scheme)
141	(member level '(crit error warning notice info debug))))
142	((scheme)
143	(valid-scheme? scheme)))))
144	(define (serialize-log-option field-name val)
145	(serialize-field field-name
146	(string-join (map (cut format #f "~a" <>) val))))
147
148	(define (valid-map? val)
149	"Is VAL a supported map name?"
150	(member val
151	'(alias aliases ether ethers group host hosts netgroup network networks
152	passwd protocol protocols rpc service services shadow)))
153
154	(define (scope-option? val)
155	(let ((valid-scopes '(subtree onelevel base children)))
156	(match val
157	((map-name scope)
158	(and (valid-map? map-name)
159	(member scope valid-scopes)))
160	((scope)
161	(member scope valid-scopes)))))
162	(define (serialize-scope-option field-name val)
163	(serialize-field field-name
164	(string-join (map (cut format #f "~a" <>) val))))
165
166	(define (map-entry? val)
167	(match val
168	(((? valid-map? map-name)
169	(? string? attribute)
170	(? string? new-attribute)) #t)
171	(_ #f)))
172
173	(define (list-of-map-entries? val)
174	(and (list? val)
175	(every map-entry? val)))
176
177	(define (filter-entry? val)
178	(match val
179	(((? valid-map? map-name)
180	(? string? filter-expression)) #t)
181	(_ #f)))
182
183	(define (list-of-filter-entries? val)
184	(and (list? val)
185	(every filter-entry? val)))
186
187	(define (serialize-filter-entry field-name val)
188	(serialize-field 'filter
189	(match val
190	(((? valid-map? map-name)
191	(? string? filter-expression))
192	(string-append (symbol->string map-name)
193	" " filter-expression)))))
194
195	(define (serialize-list-of-filter-entries field-name val)
196	(for-each (cut serialize-filter-entry field-name <>) val))
197
198	(define (serialize-map-entry field-name val)
199	(serialize-field 'map
200	(match val
201	(((? valid-map? map-name)
202	(? string? attribute)
203	(? string? new-attribute))
204	(string-append (symbol->string map-name)
205	" " attribute
206	" " new-attribute)))))
207
208	(define (serialize-list-of-map-entries field-name val)
209	(for-each (cut serialize-map-entry field-name <>) val))
210
211	\f
212	(define-configuration nslcd-configuration
213	(nss-pam-ldapd
214	(package nss-pam-ldapd)
215	"The NSS-PAM-LDAPD package to use.")
216
217	;; Runtime options
218	(threads
219	(maybe-number 'disabled)
220	"The number of threads to start that can handle requests and perform LDAP
221	queries. Each thread opens a separate connection to the LDAP server. The
222	default is to start 5 threads.")
223	(uid
224	(string "nslcd")
225	"This specifies the user id with which the daemon should be run.")
226	(gid
227	(string "nslcd")
228	"This specifies the group id with which the daemon should be run.")
229	(log
230	(log-option '("/var/log/nslcd" info))
231	"This option controls the way logging is done via a list containing SCHEME
232	and LEVEL. The SCHEME argument may either be the symbols \"none\" or
233	\"syslog\", or an absolute file name. The LEVEL argument is optional and
234	specifies the log level. The log level may be one of the following symbols:
235	\"crit\", \"error\", \"warning\", \"notice\", \"info\" or \"debug\". All
236	messages with the specified log level or higher are logged.")
237
238	;; LDAP connection settings
239	(uri
240	(list '("ldap://localhost:389/"))
241	"The list of LDAP server URIs. Normally, only the first server will be
242	used with the following servers as fall-back.")
243	(ldap-version
244	(maybe-string 'disabled)
245	"The version of the LDAP protocol to use. The default is to use the
246	maximum version supported by the LDAP library.")
247	(binddn
248	(maybe-string 'disabled)
249	"Specifies the distinguished name with which to bind to the directory
250	server for lookups. The default is to bind anonymously.")
251	(bindpw
252	(maybe-string 'disabled)
253	"Specifies the credentials with which to bind. This option is only
254	applicable when used with binddn.")
255	(rootpwmoddn
256	(maybe-string 'disabled)
257	"Specifies the distinguished name to use when the root user tries to modify
258	a user's password using the PAM module.")
259	(rootpwmodpw
260	(maybe-string 'disabled)
261	"Specifies the credentials with which to bind if the root user tries to
262	change a user's password. This option is only applicable when used with
263	rootpwmoddn")
264
265	;; SASL authentication options
266	(sasl-mech
267	(maybe-string 'disabled)
268	"Specifies the SASL mechanism to be used when performing SASL
269	authentication.")
270	(sasl-realm
271	(maybe-string 'disabled)
272	"Specifies the SASL realm to be used when performing SASL authentication.")
273	(sasl-authcid
274	(maybe-string 'disabled)
275	"Specifies the authentication identity to be used when performing SASL
276	authentication.")
277	(sasl-authzid
278	(maybe-string 'disabled)
279	"Specifies the authorization identity to be used when performing SASL
280	authentication.")
281	(sasl-canonicalize?
282	(maybe-boolean 'disabled)
283	"Determines whether the LDAP server host name should be canonicalised. If
284	this is enabled the LDAP library will do a reverse host name lookup. By
285	default, it is left up to the LDAP library whether this check is performed or
286	not.")
287
288	;; Kerberos authentication options
289	(krb5-ccname
290	(maybe-string 'disabled)
291	"Set the name for the GSS-API Kerberos credentials cache.")
292
293	;; Search / mapping options
294	(base
295	(string "dc=example,dc=com")
296	"The directory search base.")
297	(scope
298	(scope-option '(subtree))
299	"Specifies the search scope (subtree, onelevel, base or children). The
300	default scope is subtree; base scope is almost never useful for name service
301	lookups; children scope is not supported on all servers.")
302	(deref
303	(maybe-deref-option 'disabled)
304	"Specifies the policy for dereferencing aliases. The default policy is to
305	never dereference aliases.")
306	(referrals
307	(maybe-boolean 'disabled)
308	"Specifies whether automatic referral chasing should be enabled. The
309	default behaviour is to chase referrals.")
310	(maps
311	(list-of-map-entries '())
312	"This option allows for custom attributes to be looked up instead of the
313	default RFC 2307 attributes. It is a list of maps, each consisting of the
314	name of a map, the RFC 2307 attribute to match and the query expression for
315	the attribute as it is available in the directory.")
316	(filters
317	(list-of-filter-entries '())
318	"A list of filters consisting of the name of a map to which the filter
319	applies and an LDAP search filter expression.")
320
321	;; Timing / reconnect options
322	(bind-timelimit
323	(maybe-number 'disabled)
324	"Specifies the time limit in seconds to use when connecting to the
325	directory server. The default value is 10 seconds.")
326	(timelimit
327	(maybe-number 'disabled)
328	"Specifies the time limit (in seconds) to wait for a response from the LDAP
329	server. A value of zero, which is the default, is to wait indefinitely for
330	searches to be completed.")
331	(idle-timelimit
332	(maybe-number 'disabled)
333	"Specifies the period if inactivity (in seconds) after which the con‐
334	nection to the LDAP server will be closed. The default is not to time out
335	connections.")
336	(reconnect-sleeptime
337	(maybe-number 'disabled)
338	"Specifies the number of seconds to sleep when connecting to all LDAP
339	servers fails. By default one second is waited between the first failure and
340	the first retry.")
341	(reconnect-retrytime
342	(maybe-number 'disabled)
343	"Specifies the time after which the LDAP server is considered to be
344	permanently unavailable. Once this time is reached retries will be done only
345	once per this time period. The default value is 10 seconds.")
346
347	;; TLS options
348	(ssl
349	(maybe-ssl-option 'disabled)
350	"Specifies whether to use SSL/TLS or not (the default is not to). If
351	'start-tls is specified then StartTLS is used rather than raw LDAP over SSL.")
352	(tls-reqcert
353	(maybe-tls-reqcert-option 'disabled)
354	"Specifies what checks to perform on a server-supplied certificate.
355	The meaning of the values is described in the ldap.conf(5) manual page.")
356	(tls-cacertdir
357	(maybe-string 'disabled)
358	"Specifies the directory containing X.509 certificates for peer authen‐
359	tication. This parameter is ignored when using GnuTLS.")
360	(tls-cacertfile
361	(maybe-string 'disabled)
362	"Specifies the path to the X.509 certificate for peer authentication.")
363	(tls-randfile
364	(maybe-string 'disabled)
365	"Specifies the path to an entropy source. This parameter is ignored when
366	using GnuTLS.")
367	(tls-ciphers
368	(maybe-string 'disabled)
369	"Specifies the ciphers to use for TLS as a string.")
370	(tls-cert
371	(maybe-string 'disabled)
372	"Specifies the path to the file containing the local certificate for client
373	TLS authentication.")
374	(tls-key
375	(maybe-string 'disabled)
376	"Specifies the path to the file containing the private key for client TLS
377	authentication.")
378
379	;; Other options
380	(pagesize
381	(maybe-number 'disabled)
382	"Set this to a number greater than 0 to request paged results from the LDAP
383	server in accordance with RFC2696. The default (0) is to not request paged
384	results.")
385	(nss-initgroups-ignoreusers
386	(maybe-ignore-users-option 'disabled)
387	"This option prevents group membership lookups through LDAP for the
388	specified users. Alternatively, the value 'all-local may be used. With that
389	value nslcd builds a full list of non-LDAP users on startup.")
390	(nss-min-uid
391	(maybe-number 'disabled)
392	"This option ensures that LDAP users with a numeric user id lower than the
393	specified value are ignored.")
394	(nss-uid-offset
395	(maybe-number 'disabled)
396	"This option specifies an offset that is added to all LDAP numeric user
397	ids. This can be used to avoid user id collisions with local users.")
398	(nss-gid-offset
399	(maybe-number 'disabled)
400	"This option specifies an offset that is added to all LDAP numeric group
401	ids. This can be used to avoid user id collisions with local groups.")
402	(nss-nested-groups
403	(maybe-boolean 'disabled)
404	"If this option is set, the member attribute of a group may point to
405	another group. Members of nested groups are also returned in the higher level
406	group and parent groups are returned when finding groups for a specific user.
407	The default is not to perform extra searches for nested groups.")
408	(nss-getgrent-skipmembers
409	(maybe-boolean 'disabled)
410	"If this option is set, the group member list is not retrieved when looking
411	up groups. Lookups for finding which groups a user belongs to will remain
412	functional so the user will likely still get the correct groups assigned on
413	login.")
414	(nss-disable-enumeration
415	(maybe-boolean 'disabled)
416	"If this option is set, functions which cause all user/group entries to be
417	loaded from the directory will not succeed in doing so. This can dramatically
418	reduce LDAP server load in situations where there are a great number of users
419	and/or groups. This option is not recommended for most configurations.")
420	(validnames
421	(maybe-string 'disabled)
422	"This option can be used to specify how user and group names are verified
423	within the system. This pattern is used to check all user and group names
424	that are requested and returned from LDAP.")
425	(ignorecase
426	(maybe-boolean 'disabled)
427	"This specifies whether or not to perform searches using case-insensitive
428	matching. Enabling this could open up the system to authorization bypass
429	vulnerabilities and introduce nscd cache poisoning vulnerabilities which allow
430	denial of service.")
431	(pam-authc-ppolicy
432	(maybe-boolean 'disabled)
433	"This option specifies whether password policy controls are requested and
434	handled from the LDAP server when performing user authentication.")
435	(pam-authc-search
436	(maybe-string 'disabled)
437	"By default nslcd performs an LDAP search with the user's credentials after
438	BIND (authentication) to ensure that the BIND operation was successful. The
439	default search is a simple check to see if the user's DN exists. A search
440	filter can be specified that will be used instead. It should return at least
441	one entry.")
442	(pam-authz-search
443	(maybe-string 'disabled)
444	"This option allows flexible fine tuning of the authorisation check that
445	should be performed. The search filter specified is executed and if any
446	entries match, access is granted, otherwise access is denied.")
447	(pam-password-prohibit-message
448	(maybe-string 'disabled)
449	"If this option is set password modification using pam_ldap will be denied
450	and the specified message will be presented to the user instead. The message
451	can be used to direct the user to an alternative means of changing their
452	password.")
453
454	;; Options for extension of pam-root-service-type.
455	(pam-services
456	(list '())
457	"List of pam service names for which LDAP authentication should suffice."))
458
459	(define %nslcd-accounts
460	(list (user-group
461	(name "nslcd")
462	(system? #t))
463	(user-account
464	(name "nslcd")
465	(group "nslcd")
466	(comment "NSLCD service account")
467	(home-directory "/var/empty")
468	(shell (file-append shadow "/sbin/nologin"))
469	(system? #t))))
470
471	(define (nslcd-config-file config)
472	"Return an NSLCD configuration file."
473	(plain-file "nslcd.conf"
474	(with-output-to-string
475	(lambda ()
476	(serialize-configuration config nslcd-configuration-fields)
477	;; The file must end with a newline character.
478	(format #t "\n")))))
479
480	;; XXX: The file should only be readable by root if it contains a "bindpw"
481	;; declaration. Unfortunately, this etc-service-type extension does not
482	;; support setting file modes, so we do this in the activation service.
483	(define (nslcd-etc-service config)
484	`(("nslcd.conf" ,(nslcd-config-file config))))
485
486	(define (nslcd-shepherd-service config)
487	(list (shepherd-service
488	(documentation "Run the nslcd service for resolving names from LDAP.")
489	(provision '(nslcd))
490	(requirement '(networking user-processes))
491	(start #~(make-forkexec-constructor
492	(list (string-append #$(nslcd-configuration-nss-pam-ldapd config)
493	"/sbin/nslcd")
494	"--nofork")
495	#:pid-file "/var/run/nslcd/nslcd.pid"
496	#:environment-variables
497	(list (string-append "LD_LIBRARY_PATH="
498	#$(nslcd-configuration-nss-pam-ldapd config)
499	"/lib"))))
500	(stop #~(make-kill-destructor)))))
501
502	(define (pam-ldap-pam-service config)
503	"Return a PAM service for LDAP authentication."
504	(define pam-ldap-module
505	#~(string-append #$(nslcd-configuration-nss-pam-ldapd config)
506	"/lib/security/pam_ldap.so"))
507	(lambda (pam)
508	(if (member (pam-service-name pam)
509	(nslcd-configuration-pam-services config))
510	(let ((sufficient
511	(pam-entry
512	(control "sufficient")
513	(module pam-ldap-module))))
514	(pam-service
515	(inherit pam)
516	(auth (cons sufficient (pam-service-auth pam)))
517	(session (cons sufficient (pam-service-session pam)))
518	(account (cons sufficient (pam-service-account pam)))))
519	pam)))
520
521	(define (pam-ldap-pam-services config)
522	(list (pam-ldap-pam-service config)))
523
524	(define nslcd-service-type
525	(service-type
526	(name 'nslcd)
527	(description "Run the NSLCD service for looking up names from LDAP.")
528	(extensions
529	(list (service-extension account-service-type
530	(const %nslcd-accounts))
531	(service-extension etc-service-type
532	nslcd-etc-service)
533	(service-extension activation-service-type
534	(const #~(begin
535	(use-modules (guix build utils))
536	(let ((rundir "/var/run/nslcd")
537	(user (getpwnam "nslcd")))
538	(mkdir-p rundir)
539	(chown rundir (passwd:uid user) (passwd:gid user))
540	(chmod rundir #o755)
541	(when (file-exists? "/etc/nslcd.conf")
542	(chmod "/etc/nslcd.conf" #o400))))))
543	(service-extension pam-root-service-type
544	pam-ldap-pam-services)
545	(service-extension nscd-service-type
546	(const (list nss-pam-ldapd)))
547	(service-extension shepherd-root-service-type
548	nslcd-shepherd-service)))
549	(default-value (nslcd-configuration))))
550
551	(define (generate-nslcd-documentation)
552	(generate-documentation
553	`((nslcd-configuration ,nslcd-configuration-fields))
554	'nslcd-configuration))