
openldap: enable sha2 and pbkdf2 modules #79286

Merged
merged 1 commit into from May 22, 2020

Conversation

ju1m
Contributor

@ju1m ju1m commented Feb 5, 2020

Motivation for this change

Being able to bind to LDAP using a SHA2 or PBKDF2 scheme in userPassword.

Things done

Build and install contrib/slapd-modules/passwd/{sha2,pbkdf2}/ already released within OpenLDAP.

  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@ofborg ofborg bot requested a review from lovek323 February 5, 2020 17:33
@FRidh FRidh added this to WIP in Staging via automation Feb 5, 2020
@FRidh FRidh moved this from WIP to Needs review in Staging Feb 5, 2020
@FRidh
Member

FRidh commented Feb 16, 2020

@ju1m I suggest finding people that can review and approve this PR. Typically that's the maintainer(s) or other people that have made (recent) changes.

@@ -51,9 +64,12 @@ stdenv.mkDerivation rec {

rm -rf $out/var
rm -r libraries/*/.libs
rm -r contrib/slapd-modules/passwd/*/.libs
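Review bot: `rm -r contrib/slapd-modules/passwd/*/.libs` has no `-f`, so on any platform where the glob matches nothing (the contrib modules not built, or libtool not producing `.libs` directories there) the unexpanded pattern is passed to rm and the phase aborts; `rm -rf contrib/slapd-modules/passwd/*/.libs` keeps the cleanup a harmless no-op in that case. The line also deserves its own comment: the discussion below says the removal mirrors the `libraries/*/.libs` one because the leftover objects carry an RPATH pointing into /build/, and a reader of the hunk alone cannot see that.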
Contributor


Why is this necessary?

Contributor Author


There is a comment just above explaining it, which I'm naively following. Maybe this can be changed now that NixOS/patchelf#98 has been merged.

Contributor


Hm, I tried removing these three lines, but ran into

RPATH of binary /nix/store/3iwmkw16wvr5fcl7h3g49gh1jx5prsms-openldap-2.4.49/bin/ldapsearch contains a forbidden reference to /build/

So it's probably still necessary.

@flokli
Contributor

flokli commented Apr 29, 2020

It seems nixosTests.ldap is currently broken (even before this PR, see #86305), so there's currently no easy way to verify this works. How did you test it?

@ju1m
Contributor Author

ju1m commented Apr 29, 2020

I've only tested it on my live system. But I disabled it last February because it triggered the local build of too many reverse dependencies each time I was upgrading nixpkgs, which I could not afford.
Here's the module I'm using for that, important fields being `olcModule*` and `olcPasswordHash`:

{ pkgs, lib, config, ... }:
let
  inherit (builtins) baseNameOf readFile;
  inherit (lib) types;
  inherit (config.services) openldap;
  inherit (config.users) ldap;
  unlines = lib.concatStringsSep "\n";
  unlinesAttrs = f: as: unlines (lib.mapAttrsToList f as);
in
{
options = {
services.openldap.cnConfig = lib.mkOption {
  type = types.lines;
  description = "The cn=config in LDIF";
  apply = lines: pkgs.writeText "cn=config.ldif"
    (lines + "\n" + unlinesAttrs (olcSuffix: {conf, olcDbDirectory, ...}:
      "include: file://" + pkgs.writeText "config.ldif" (conf + ''
        olcSuffix: ${olcSuffix}
        olcDbDirectory: ${olcDbDirectory}
      '')
    ) openldap.databases);
  default = ''
    dn: cn=config
    objectClass: olcGlobal
    olcLogLevel: none
    olcToolThreads: 1

    dn: cn={0}module,cn=config
    objectClass: olcModuleList
    olcModulePath: ${pkgs.openldap}/lib/modules
    olcModuleLoad: pw-sha2
    olcModuleLoad: pw-pbkdf2
    olcModuleLoad: back_mdb

    # The first database is the special frontend database
    # whose settings are applied globally to all the other databases.
    # Beware that cn={0}module,cn=config must appear before
    # for enabling password schemes provided by the modules in olcPasswordHash.
    dn: olcDatabase={-1}frontend,cn=config
    objectClass: olcDatabaseConfig
    objectClass: olcFrontendConfig
    olcSizeLimit: 500
    # Allow unlimited access to local connection from the local root user
    olcAccess: to *
      by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
      by * break
    # Allow unauthenticated read access for schema and base DN autodiscovery
    olcAccess: to dn.exact=""
      by * read
    olcAccess: to dn.base="cn=Subschema"
      by * read
    # Hash algorithm to be used by LDAP Password Modify Extended Operation or the ppolicy overlay
    olcPasswordHash: {PBKDF2-SHA256}
    #olcPasswordHash: {SSHA}

    dn: olcDatabase={0}config,cn=config
    objectClass: olcDatabaseConfig
    olcRootDN: cn=admin,cn=config
    # Access to cn=config, system root can be manager
    # with SASL mechanism (-Y EXTERNAL) over unix socket (-H ldapi://)
    olcAccess: to *
      by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
      by * break

    dn: cn=schema,cn=config
    objectClass: olcSchemaConfig

    include: file://${pkgs.openldap}/etc/schema/core.ldif
    include: file://${pkgs.openldap}/etc/schema/cosine.ldif
    include: file://${pkgs.openldap}/etc/schema/nis.ldif
    include: file://${pkgs.openldap}/etc/schema/inetorgperson.ldif
  '';
};
services.openldap.databases = lib.mkOption {
  default = {};
  type = types.attrsOf (types.submodule ({name, options, config, ...}: {
    options = {
      conf = lib.mkOption {
        type = types.lines;
        description = "The database's config in LDIF.";
      };
      data = lib.mkOption {
        type = types.nullOr types.lines;
        description = "The database's data in LDIF.";
      };
      olcDbDirectory = lib.mkOption {
        type = types.str;
        description = "The directory where the database is stored.";
        default = "${openldap.dataDir}/${name}";
      };
    };
  }));
};
};
config = lib.mkIf openldap.enable {
systemd.services.openldap.preStart =
  # olcDbDirectory must be created before adding the config.
  ''
  set -e
  install -D -d -m 0700 -o "${openldap.user}" -g "${openldap.group}" "${openldap.configDir}"
  '' +
  unlinesAttrs (olcSuffix: {data, olcDbDirectory, ...}: lib.optionalString (data != null) ''
    rm -rf "${olcDbDirectory}"
    install -D -d -m 0700 -o "${openldap.user}" -g "${openldap.group}" "${olcDbDirectory}"
  '') openldap.databases
  # slapd is supposed to have been stopped by systemd
  # before entering this preStart,
  # hence slap* commands can safely be used.
  #
  # slapadd(8):
  # To populate the config database slapd-config(5),
  # use -n 0 as it is always the first database.
  # It must physically exist on the filesystem prior to this, however.
  + ''
  umask 0077
  rm -rf "${openldap.configDir}"/cn=config \
         "${openldap.configDir}"/cn=config.ldif
  ${pkgs.openldap}/bin/slapadd -n 0 \
   -F "${openldap.configDir}" \
   -l ${openldap.cnConfig}
  chown -R "${openldap.user}:${openldap.group}" "${openldap.configDir}"
  '' +
  unlinesAttrs (olcSuffix: {data, olcDbDirectory, ...}: lib.optionalString (data != null) ''
    ${pkgs.openldap}/bin/slapadd \
     -F "${openldap.configDir}" \
     -b ${olcSuffix} \
     -l ${pkgs.writeText "data.ldif" data}
    '' + ''
    test ! -e "${olcDbDirectory}" ||
    chown -R "${openldap.user}:${openldap.group}" "${olcDbDirectory}"
  '') openldap.databases;
};
}
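
An added example, not code from the PR or from OpenLDAP, showing how the userPassword values produced by the two modules loaded above (pw-sha2 and pw-pbkdf2) can be checked offline, for instance when auditing an LDIF export for weak or unsalted schemes. The string layouts are my reading of the contrib modules (`{PBKDF2-SHA256}iter$salt$dk` with passlib-style adapted base64, `{SSHA256}` as base64 of digest followed by salt) and are assumptions, not taken from this page.

```python
import base64
import hashlib
import hmac
import os

# Constructed verifier for the userPassword schemes that pw-sha2 and pw-pbkdf2
# provide. Layouts are my reading of the contrib modules, not taken from this PR:
# {SHA256}/{SHA512} = base64(digest); {SSHA256}/{SSHA512} = base64(digest(pw+salt)+salt);
# {PBKDF2-SHA256} = iter$ab64(salt)$ab64(dk), ab64 = base64 with '+' as '.', no padding.
_SHA2 = {"SHA256": ("sha256", False), "SSHA256": ("sha256", True),
         "SHA512": ("sha512", False), "SSHA512": ("sha512", True)}
def _ab64_encode(raw: bytes) -> str:
    return base64.b64encode(raw).decode().rstrip("=").replace("+", ".")
def _ab64_decode(text: str) -> bytes:
    return base64.b64decode(text.replace(".", "+") + "=" * (-len(text) % 4), validate=True)
def make_pbkdf2_sha256(password: str, iterations: int = 10000, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "{PBKDF2-SHA256}%d$%s$%s" % (iterations, _ab64_encode(salt), _ab64_encode(dk))
def make_ssha256(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(8)
    digest = hashlib.sha256(password.encode() + salt).digest()
    return "{SSHA256}" + base64.b64encode(digest + salt).decode()

def verify_userpassword(stored: str, password: str) -> bool:
    """True when password matches stored; malformed or unknown values never match."""
    if not stored.startswith("{") or "}" not in stored:
        return False  # cleartext or unrecognised layout: do not guess
    scheme, body = stored[1:].split("}", 1)
    scheme = scheme.upper()
    try:
        if scheme == "PBKDF2-SHA256":
            iters, salt_b64, dk_b64 = body.split("$")
            salt, expected = _ab64_decode(salt_b64), _ab64_decode(dk_b64)
            got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                      int(iters), dklen=len(expected))
            return hmac.compare_digest(got, expected)
        if scheme in _SHA2:
            name, salted = _SHA2[scheme]
            raw = base64.b64decode(body, validate=True)
            size = hashlib.new(name).digest_size
            if len(raw) < size or (not salted and len(raw) != size):
                return False
            digest, salt = raw[:size], raw[size:]
            got = hashlib.new(name, password.encode() + salt).digest()
            return hmac.compare_digest(got, digest)
    except ValueError:  # bad base64, field count, iteration count or key length
        return False
    return False
```

Comparisons go through hmac.compare_digest so timing does not depend on how many bytes match, and an unparseable or unknown scheme (such as the commented-out `{SSHA}`) is reported as a non-match rather than raising.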

@flokli
Contributor

flokli commented Apr 29, 2020

@ju1m interesting - this looks similar to nixosTests.ldap. Maybe you could contribute to #86305?

I'd be fine with merging this PR, if you can test it once more, rebased on latest master.

@flokli
Contributor

flokli commented May 22, 2020

Okay, let's merge this. If this unexpectedly breaks anything, it can be fixed in a follow-up PR.

@flokli flokli merged commit 98efbe9 into NixOS:master May 22, 2020
Staging automation moved this from Needs review to Done May 22, 2020
@marsam
Contributor

marsam commented May 22, 2020

This breaks openldap on darwin #88634
