1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2018 Danny Milosavljevic <dannym@scratchpost.org>
3 ;;; Copyright © 2018, 2019 Ricardo Wurmus <rekado@elephly.net>
4 ;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be>
6 ;;; This file is part of GNU Guix.
8 ;;; GNU Guix is free software; you can redistribute it and/or modify it
9 ;;; under the terms of the GNU General Public License as published by
10 ;;; the Free Software Foundation; either version 3 of the License, or (at
11 ;;; your option) any later version.
13 ;;; GNU Guix is distributed in the hope that it will be useful, but
14 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
15 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 ;;; GNU General Public License for more details.
18 ;;; You should have received a copy of the GNU General Public License
19 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
21 (define-module (gnu services authentication)
22 #:use-module (gnu services)
23 #:use-module (gnu services base)
24 #:use-module (gnu services configuration)
25 #:use-module (gnu services dbus)
26 #:use-module (gnu services shepherd)
27 #:use-module (gnu system pam)
28 #:use-module (gnu system shadow)
29 #:use-module (gnu packages admin)
30 #:use-module (gnu packages freedesktop)
31 #:use-module (gnu packages openldap)
32 #:use-module (guix gexp)
33 #:use-module (guix records)
34 #:use-module (guix packages)
35 #:use-module (guix modules)
36 #:use-module (ice-9 match)
37 #:use-module (srfi srfi-1)
38 #:use-module (srfi srfi-26)
39 #:export (fprintd-configuration
40 fprintd-configuration?
47 (define-configuration fprintd-configuration
48 (fprintd (package fprintd)
49 "The fprintd package"))
51 (define (fprintd-dbus-service config)
52 (list (fprintd-configuration-fprintd config)))
54 (define fprintd-service-type
55 (service-type (name 'fprintd)
57 (list (service-extension dbus-root-service-type
59 (service-extension polkit-service-type
60 fprintd-dbus-service)))
61 (default-value (fprintd-configuration))
63 "Run fprintd, a fingerprint management daemon.")))
67 ;;; NSS Pam LDAP service (nslcd)
70 (define (uglify-field-name name)
74 (_ (string-map (match-lambda
77 (symbol->string name)))))
79 (define (value->string val)
86 (string-map (match-lambda
89 (symbol->string val)))
92 (define (serialize-field field-name val)
93 (if (eq? field-name 'pam-services)
96 (uglify-field-name field-name)
97 (value->string val))))
99 (define serialize-string serialize-field)
100 (define serialize-boolean serialize-field)
101 (define serialize-number serialize-field)
102 (define (serialize-list field-name val)
103 (map (cut serialize-field field-name <>) val))
104 (define-maybe string)
105 (define-maybe boolean)
106 (define-maybe number)
108 (define (ssl-option? val)
110 (eq? val 'start-tls)))
111 (define serialize-ssl-option serialize-field)
112 (define-maybe ssl-option)
114 (define (tls-reqcert-option? val)
115 (member val '(never allow try demand hard)))
116 (define serialize-tls-reqcert-option serialize-field)
117 (define-maybe tls-reqcert-option)
119 (define (deref-option? val)
120 (member val '(never searching finding always)))
121 (define serialize-deref-option serialize-field)
122 (define-maybe deref-option)
124 (define (comma-separated-list-of-strings? val)
126 (every string? val)))
127 (define (ignore-users-option? val)
128 (or (comma-separated-list-of-strings? val)
129 (eq? 'all-local val)))
130 (define (serialize-ignore-users-option field-name val)
131 (serialize-field field-name (if (eq? 'all-local val)
133 (string-join val ","))))
134 (define-maybe ignore-users-option)
136 (define (log-option? val)
137 (let ((valid-scheme? (lambda (scheme)
139 (member scheme '(none syslog))))))
142 (and (valid-scheme? scheme)
143 (member level '(crit error warning notice info debug))))
145 (valid-scheme? scheme)))))
146 (define (serialize-log-option field-name val)
147 (serialize-field field-name
148 (string-join (map (cut format #f "~a" <>) val))))
150 (define (valid-map? val)
151 "Is VAL a supported map name?"
153 '(alias aliases ether ethers group host hosts netgroup network networks
154 passwd protocol protocols rpc service services shadow)))
156 (define (scope-option? val)
157 (let ((valid-scopes '(subtree onelevel base children)))
160 (and (valid-map? map-name)
161 (member scope valid-scopes)))
163 (member scope valid-scopes)))))
164 (define (serialize-scope-option field-name val)
165 (serialize-field field-name
166 (string-join (map (cut format #f "~a" <>) val))))
168 (define (map-entry? val)
170 (((? valid-map? map-name)
171 (? string? attribute)
172 (? string? new-attribute)) #t)
175 (define (list-of-map-entries? val)
177 (every map-entry? val)))
179 (define (filter-entry? val)
181 (((? valid-map? map-name)
182 (? string? filter-expression)) #t)
185 (define (list-of-filter-entries? val)
187 (every filter-entry? val)))
189 (define (serialize-filter-entry field-name val)
190 (serialize-field 'filter
192 (((? valid-map? map-name)
193 (? string? filter-expression))
194 (string-append (symbol->string map-name)
195 " " filter-expression)))))
197 (define (serialize-list-of-filter-entries field-name val)
198 (for-each (cut serialize-filter-entry field-name <>) val))
200 (define (serialize-map-entry field-name val)
201 (serialize-field 'map
203 (((? valid-map? map-name)
204 (? string? attribute)
205 (? string? new-attribute))
206 (string-append (symbol->string map-name)
208 " " new-attribute)))))
210 (define (serialize-list-of-map-entries field-name val)
211 (for-each (cut serialize-map-entry field-name <>) val))
214 (define-configuration nslcd-configuration
216 (package nss-pam-ldapd)
217 "The NSS-PAM-LDAPD package to use.")
221 (maybe-number 'disabled)
222 "The number of threads to start that can handle requests and perform LDAP
223 queries. Each thread opens a separate connection to the LDAP server. The
224 default is to start 5 threads.")
227 "This specifies the user id with which the daemon should be run.")
230 "This specifies the group id with which the daemon should be run.")
232 (log-option '("/var/log/nslcd" info))
233 "This option controls the way logging is done via a list containing SCHEME
234 and LEVEL. The SCHEME argument may either be the symbols \"none\" or
235 \"syslog\", or an absolute file name. The LEVEL argument is optional and
236 specifies the log level. The log level may be one of the following symbols:
237 \"crit\", \"error\", \"warning\", \"notice\", \"info\" or \"debug\". All
238 messages with the specified log level or higher are logged.")
240 ;; LDAP connection settings
242 (list '("ldap://localhost:389/"))
243 "The list of LDAP server URIs. Normally, only the first server will be
244 used with the following servers as fall-back.")
246 (maybe-string 'disabled)
247 "The version of the LDAP protocol to use. The default is to use the
248 maximum version supported by the LDAP library.")
250 (maybe-string 'disabled)
251 "Specifies the distinguished name with which to bind to the directory
252 server for lookups. The default is to bind anonymously.")
254 (maybe-string 'disabled)
255 "Specifies the credentials with which to bind. This option is only
256 applicable when used with binddn.")
258 (maybe-string 'disabled)
259 "Specifies the distinguished name to use when the root user tries to modify
260 a user's password using the PAM module.")
262 (maybe-string 'disabled)
263 "Specifies the credentials with which to bind if the root user tries to
264 change a user's password. This option is only applicable when used with
267 ;; SASL authentication options
269 (maybe-string 'disabled)
270 "Specifies the SASL mechanism to be used when performing SASL
273 (maybe-string 'disabled)
274 "Specifies the SASL realm to be used when performing SASL authentication.")
276 (maybe-string 'disabled)
277 "Specifies the authentication identity to be used when performing SASL
280 (maybe-string 'disabled)
281 "Specifies the authorization identity to be used when performing SASL
284 (maybe-boolean 'disabled)
285 "Determines whether the LDAP server host name should be canonicalised. If
286 this is enabled the LDAP library will do a reverse host name lookup. By
287 default, it is left up to the LDAP library whether this check is performed or
290 ;; Kerberos authentication options
292 (maybe-string 'disabled)
293 "Set the name for the GSS-API Kerberos credentials cache.")
295 ;; Search / mapping options
297 (string "dc=example,dc=com")
298 "The directory search base.")
300 (scope-option '(subtree))
301 "Specifies the search scope (subtree, onelevel, base or children). The
302 default scope is subtree; base scope is almost never useful for name service
303 lookups; children scope is not supported on all servers.")
305 (maybe-deref-option 'disabled)
306 "Specifies the policy for dereferencing aliases. The default policy is to
307 never dereference aliases.")
309 (maybe-boolean 'disabled)
310 "Specifies whether automatic referral chasing should be enabled. The
311 default behaviour is to chase referrals.")
313 (list-of-map-entries '())
314 "This option allows for custom attributes to be looked up instead of the
315 default RFC 2307 attributes. It is a list of maps, each consisting of the
316 name of a map, the RFC 2307 attribute to match and the query expression for
317 the attribute as it is available in the directory.")
319 (list-of-filter-entries '())
320 "A list of filters consisting of the name of a map to which the filter
321 applies and an LDAP search filter expression.")
323 ;; Timing / reconnect options
325 (maybe-number 'disabled)
326 "Specifies the time limit in seconds to use when connecting to the
327 directory server. The default value is 10 seconds.")
329 (maybe-number 'disabled)
330 "Specifies the time limit (in seconds) to wait for a response from the LDAP
331 server. A value of zero, which is the default, is to wait indefinitely for
332 searches to be completed.")
334 (maybe-number 'disabled)
335 "Specifies the period if inactivity (in seconds) after which the con‐
336 nection to the LDAP server will be closed. The default is not to time out
339 (maybe-number 'disabled)
340 "Specifies the number of seconds to sleep when connecting to all LDAP
341 servers fails. By default one second is waited between the first failure and
344 (maybe-number 'disabled)
345 "Specifies the time after which the LDAP server is considered to be
346 permanently unavailable. Once this time is reached retries will be done only
347 once per this time period. The default value is 10 seconds.")
351 (maybe-ssl-option 'disabled)
352 "Specifies whether to use SSL/TLS or not (the default is not to). If
353 'start-tls is specified then StartTLS is used rather than raw LDAP over SSL.")
355 (maybe-tls-reqcert-option 'disabled)
356 "Specifies what checks to perform on a server-supplied certificate.
357 The meaning of the values is described in the ldap.conf(5) manual page.")
359 (maybe-string 'disabled)
360 "Specifies the directory containing X.509 certificates for peer authen‐
361 tication. This parameter is ignored when using GnuTLS.")
363 (maybe-string 'disabled)
364 "Specifies the path to the X.509 certificate for peer authentication.")
366 (maybe-string 'disabled)
367 "Specifies the path to an entropy source. This parameter is ignored when
370 (maybe-string 'disabled)
371 "Specifies the ciphers to use for TLS as a string.")
373 (maybe-string 'disabled)
374 "Specifies the path to the file containing the local certificate for client
375 TLS authentication.")
377 (maybe-string 'disabled)
378 "Specifies the path to the file containing the private key for client TLS
383 (maybe-number 'disabled)
384 "Set this to a number greater than 0 to request paged results from the LDAP
385 server in accordance with RFC2696. The default (0) is to not request paged
387 (nss-initgroups-ignoreusers
388 (maybe-ignore-users-option 'disabled)
389 "This option prevents group membership lookups through LDAP for the
390 specified users. Alternatively, the value 'all-local may be used. With that
391 value nslcd builds a full list of non-LDAP users on startup.")
393 (maybe-number 'disabled)
394 "This option ensures that LDAP users with a numeric user id lower than the
395 specified value are ignored.")
397 (maybe-number 'disabled)
398 "This option specifies an offset that is added to all LDAP numeric user
399 ids. This can be used to avoid user id collisions with local users.")
401 (maybe-number 'disabled)
402 "This option specifies an offset that is added to all LDAP numeric group
403 ids. This can be used to avoid user id collisions with local groups.")
405 (maybe-boolean 'disabled)
406 "If this option is set, the member attribute of a group may point to
407 another group. Members of nested groups are also returned in the higher level
408 group and parent groups are returned when finding groups for a specific user.
409 The default is not to perform extra searches for nested groups.")
410 (nss-getgrent-skipmembers
411 (maybe-boolean 'disabled)
412 "If this option is set, the group member list is not retrieved when looking
413 up groups. Lookups for finding which groups a user belongs to will remain
414 functional so the user will likely still get the correct groups assigned on
416 (nss-disable-enumeration
417 (maybe-boolean 'disabled)
418 "If this option is set, functions which cause all user/group entries to be
419 loaded from the directory will not succeed in doing so. This can dramatically
420 reduce LDAP server load in situations where there are a great number of users
421 and/or groups. This option is not recommended for most configurations.")
423 (maybe-string 'disabled)
424 "This option can be used to specify how user and group names are verified
425 within the system. This pattern is used to check all user and group names
426 that are requested and returned from LDAP.")
428 (maybe-boolean 'disabled)
429 "This specifies whether or not to perform searches using case-insensitive
430 matching. Enabling this could open up the system to authorization bypass
431 vulnerabilities and introduce nscd cache poisoning vulnerabilities which allow
434 (maybe-boolean 'disabled)
435 "This option specifies whether password policy controls are requested and
436 handled from the LDAP server when performing user authentication.")
438 (maybe-string 'disabled)
439 "By default nslcd performs an LDAP search with the user's credentials after
440 BIND (authentication) to ensure that the BIND operation was successful. The
441 default search is a simple check to see if the user's DN exists. A search
442 filter can be specified that will be used instead. It should return at least
445 (maybe-string 'disabled)
446 "This option allows flexible fine tuning of the authorisation check that
447 should be performed. The search filter specified is executed and if any
448 entries match, access is granted, otherwise access is denied.")
449 (pam-password-prohibit-message
450 (maybe-string 'disabled)
451 "If this option is set password modification using pam_ldap will be denied
452 and the specified message will be presented to the user instead. The message
453 can be used to direct the user to an alternative means of changing their
456 ;; Options for extension of pam-root-service-type.
459 "List of pam service names for which LDAP authentication should suffice."))
461 (define %nslcd-accounts
468 (comment "NSLCD service account")
469 (home-directory "/var/empty")
470 (shell (file-append shadow "/sbin/nologin"))
473 (define (nslcd-config-file config)
474 "Return an NSLCD configuration file."
475 (plain-file "nslcd.conf"
476 (with-output-to-string
478 (serialize-configuration config nslcd-configuration-fields)
479 ;; The file must end with a newline character.
482 ;; XXX: The file should only be readable by root if it contains a "bindpw"
483 ;; declaration. Unfortunately, this etc-service-type extension does not
484 ;; support setting file modes, so we do this in the activation service.
485 (define (nslcd-etc-service config)
486 `(("nslcd.conf" ,(nslcd-config-file config))))
488 (define (nslcd-shepherd-service config)
489 (list (shepherd-service
490 (documentation "Run the nslcd service for resolving names from LDAP.")
492 (requirement '(networking user-processes))
493 (start #~(make-forkexec-constructor
494 (list (string-append #$(nslcd-configuration-nss-pam-ldapd config)
497 #:pid-file "/var/run/nslcd/nslcd.pid"
498 #:environment-variables
499 (list (string-append "LD_LIBRARY_PATH="
500 #$(nslcd-configuration-nss-pam-ldapd config)
502 (stop #~(make-kill-destructor)))))
504 (define (pam-ldap-pam-service config)
505 "Return a PAM service for LDAP authentication."
506 (define pam-ldap-module
507 #~(string-append #$(nslcd-configuration-nss-pam-ldapd config)
508 "/lib/security/pam_ldap.so"))
510 (if (member (pam-service-name pam)
511 (nslcd-configuration-pam-services config))
514 (control "sufficient")
515 (module pam-ldap-module))))
518 (auth (cons sufficient (pam-service-auth pam)))
519 (session (cons sufficient (pam-service-session pam)))
520 (account (cons sufficient (pam-service-account pam)))))
523 (define (pam-ldap-pam-services config)
524 (list (pam-ldap-pam-service config)))
526 (define %nslcd-activation
527 (with-imported-modules (source-module-closure '((gnu build activation)))
529 (use-modules (gnu build activation))
530 (let ((rundir "/var/run/nslcd")
531 (user (getpwnam "nslcd")))
532 (mkdir-p/perms rundir user #o755)
533 (when (file-exists? "/etc/nslcd.conf")
534 (chmod "/etc/nslcd.conf" #o400))))))
536 (define nslcd-service-type
539 (description "Run the NSLCD service for looking up names from LDAP.")
541 (list (service-extension account-service-type
542 (const %nslcd-accounts))
543 (service-extension etc-service-type
545 (service-extension activation-service-type
546 (const %nslcd-activation))
547 (service-extension pam-root-service-type
548 pam-ldap-pam-services)
549 (service-extension nscd-service-type
550 (const (list nss-pam-ldapd)))
551 (service-extension shepherd-root-service-type
552 nslcd-shepherd-service)))
553 (default-value (nslcd-configuration))))
555 (define (generate-nslcd-documentation)
556 (generate-documentation
557 `((nslcd-configuration ,nslcd-configuration-fields))
558 'nslcd-configuration))