diff options
-rw-r--r-- | doc/guix.texi | 479 | ||||
-rw-r--r-- | gnu/local.mk | 1 | ||||
-rw-r--r-- | gnu/services/authentication.scm | 511 | ||||
-rw-r--r-- | gnu/tests/ldap.scm | 160 |
4 files changed, 1150 insertions, 1 deletions
diff --git a/doc/guix.texi b/doc/guix.texi index bb344e1625..94d7a29bdf 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -11139,6 +11139,7 @@ declaration. * Telephony Services:: Telephony services. * Monitoring Services:: Monitoring services. * Kerberos Services:: Kerberos services. +* LDAP Services:: LDAP services. * Web Services:: Web servers. * Certificate Services:: TLS certificates via Let's Encrypt. * DNS Services:: DNS daemons. @@ -17685,6 +17686,484 @@ Local accounts with lower values will silently fail to authenticate. @end deftp +@node LDAP Services +@subsection LDAP Services +@cindex LDAP +@cindex nslcd, LDAP service + +The @code{(gnu services authentication)} module provides the +@code{nslcd-service-type}, which can be used to authenticate against an LDAP +server. In addition to configuring the service itself, you may want to add +@code{ldap} as a name service to the Name Service Switch. @xref{Name Service +Switch} for detailed information. + +Here is a simple operating system declaration with a default configuration of +the @code{nslcd-service-type} and a Name Service Switch configuration that +consults the @code{ldap} name service last: + +@example +(use-service-modules authentication) +(use-modules (gnu system nss)) +... +(operating-system + ... + (services + (cons* + (service nslcd-service-type) + (service dhcp-client-service-type) + %base-services)) + (name-service-switch + (let ((services (list (name-service (name "db")) + (name-service (name "files")) + (name-service (name "ldap"))))) + (name-service-switch + (inherit %mdns-host-lookup-nss) + (password services) + (shadow services) + (group services) + (netgroup services) + (gshadow services))))) +@end example + +@c %start of generated documentation for nslcd-configuration + +Available @code{nslcd-configuration} fields are: + +@deftypevr {@code{nslcd-configuration} parameter} package nss-pam-ldapd +The @code{nss-pam-ldapd} package to use. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-number threads +The number of threads to start that can handle requests and perform LDAP +queries. Each thread opens a separate connection to the LDAP server. +The default is to start 5 threads. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} string uid +This specifies the user id with which the daemon should be run. + +Defaults to @samp{"nslcd"}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} string gid +This specifies the group id with which the daemon should be run. + +Defaults to @samp{"nslcd"}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} log-option log +This option controls the way logging is done via a list containing +SCHEME and LEVEL. The SCHEME argument may either be the symbols "none" +or "syslog", or an absolute file name. The LEVEL argument is optional +and specifies the log level. The log level may be one of the following +symbols: "crit", "error", "warning", "notice", "info" or "debug". All +messages with the specified log level or higher are logged. + +Defaults to @samp{("/var/log/nslcd" info)}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} list uri +The list of LDAP server URIs. Normally, only the first server will be +used with the following servers as fall-back. + +Defaults to @samp{("ldap://localhost:389/")}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string ldap-version +The version of the LDAP protocol to use. The default is to use the +maximum version supported by the LDAP library. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string binddn +Specifies the distinguished name with which to bind to the directory +server for lookups. The default is to bind anonymously. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string bindpw +Specifies the credentials with which to bind. This option is only +applicable when used with binddn. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string rootpwmoddn +Specifies the distinguished name to use when the root user tries to +modify a user's password using the PAM module. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string rootpwmodpw +Specifies the credentials with which to bind if the root user tries to +change a user's password. This option is only applicable when used with +rootpwmoddn + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string sasl-mech +Specifies the SASL mechanism to be used when performing SASL +authentication. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string sasl-realm +Specifies the SASL realm to be used when performing SASL authentication. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string sasl-authcid +Specifies the authentication identity to be used when performing SASL +authentication. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string sasl-authzid +Specifies the authorization identity to be used when performing SASL +authentication. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-boolean sasl-canonicalize? +Determines whether the LDAP server host name should be canonicalised. If +this is enabled the LDAP library will do a reverse host name lookup. By +default, it is left up to the LDAP library whether this check is +performed or not. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string krb5-ccname +Set the name for the GSS-API Kerberos credentials cache. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} string base +The directory search base. + +Defaults to @samp{"dc=example,dc=com"}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} scope-option scope +Specifies the search scope (subtree, onelevel, base or children). The +default scope is subtree; base scope is almost never useful for name +service lookups; children scope is not supported on all servers. + +Defaults to @samp{(subtree)}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-deref-option deref +Specifies the policy for dereferencing aliases. The default policy is +to never dereference aliases. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-boolean referrals +Specifies whether automatic referral chasing should be enabled. The +default behaviour is to chase referrals. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} list-of-map-entries maps +This option allows for custom attributes to be looked up instead of the +default RFC 2307 attributes. It is a list of maps, each consisting of +the name of a map, the RFC 2307 attribute to match and the query +expression for the attribute as it is available in the directory. + +Defaults to @samp{()}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} list-of-filter-entries filters +A list of filters consisting of the name of a map to which the filter +applies and an LDAP search filter expression. + +Defaults to @samp{()}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-number bind-timelimit +Specifies the time limit in seconds to use when connecting to the +directory server. The default value is 10 seconds. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-number timelimit +Specifies the time limit (in seconds) to wait for a response from the +LDAP server. A value of zero, which is the default, is to wait +indefinitely for searches to be completed. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-number idle-timelimit +Specifies the period if inactivity (in seconds) after which the con‐ +nection to the LDAP server will be closed. The default is not to time +out connections. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-number reconnect-sleeptime +Specifies the number of seconds to sleep when connecting to all LDAP +servers fails. By default one second is waited between the first +failure and the first retry. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-number reconnect-retrytime +Specifies the time after which the LDAP server is considered to be +permanently unavailable. Once this time is reached retries will be done +only once per this time period. The default value is 10 seconds. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-ssl-option ssl +Specifies whether to use SSL/TLS or not (the default is not to). If +'start-tls is specified then StartTLS is used rather than raw LDAP over +SSL. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-tls-reqcert-option tls-reqcert +Specifies what checks to perform on a server-supplied certificate. The +meaning of the values is described in the ldap.conf(5) manual page. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string tls-cacertdir +Specifies the directory containing X.509 certificates for peer authen‐ +tication. This parameter is ignored when using GnuTLS. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string tls-cacertfile +Specifies the path to the X.509 certificate for peer authentication. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string tls-randfile +Specifies the path to an entropy source. This parameter is ignored when +using GnuTLS. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string tls-ciphers +Specifies the ciphers to use for TLS as a string. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string tls-cert +Specifies the path to the file containing the local certificate for +client TLS authentication. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string tls-key +Specifies the path to the file containing the private key for client TLS +authentication. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-number pagesize +Set this to a number greater than 0 to request paged results from the +LDAP server in accordance with RFC2696. The default (0) is to not +request paged results. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-ignore-users-option nss-initgroups-ignoreusers +This option prevents group membership lookups through LDAP for the +specified users. Alternatively, the value 'all-local may be used. With +that value nslcd builds a full list of non-LDAP users on startup. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-number nss-min-uid +This option ensures that LDAP users with a numeric user id lower than +the specified value are ignored. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-number nss-uid-offset +This option specifies an offset that is added to all LDAP numeric user +ids. This can be used to avoid user id collisions with local users. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-number nss-gid-offset +This option specifies an offset that is added to all LDAP numeric group +ids. This can be used to avoid user id collisions with local groups. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-boolean nss-nested-groups +If this option is set, the member attribute of a group may point to +another group. Members of nested groups are also returned in the higher +level group and parent groups are returned when finding groups for a +specific user. The default is not to perform extra searches for nested +groups. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-boolean nss-getgrent-skipmembers +If this option is set, the group member list is not retrieved when +looking up groups. Lookups for finding which groups a user belongs to +will remain functional so the user will likely still get the correct +groups assigned on login. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-boolean nss-disable-enumeration +If this option is set, functions which cause all user/group entries to +be loaded from the directory will not succeed in doing so. This can +dramatically reduce LDAP server load in situations where there are a +great number of users and/or groups. This option is not recommended for +most configurations. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string validnames +This option can be used to specify how user and group names are verified +within the system. This pattern is used to check all user and group +names that are requested and returned from LDAP. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-boolean ignorecase +This specifies whether or not to perform searches using case-insensitive +matching. Enabling this could open up the system to authorization +bypass vulnerabilities and introduce nscd cache poisoning +vulnerabilities which allow denial of service. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-boolean pam-authc-ppolicy +This option specifies whether password policy controls are requested and +handled from the LDAP server when performing user authentication. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string pam-authc-search +By default nslcd performs an LDAP search with the user's credentials +after BIND (authentication) to ensure that the BIND operation was +successful. The default search is a simple check to see if the user's +DN exists. A search filter can be specified that will be used instead. +It should return at least one entry. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string pam-authz-search +This option allows flexible fine tuning of the authorisation check that +should be performed. The search filter specified is executed and if any +entries match, access is granted, otherwise access is denied. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string pam-password-prohibit-message +If this option is set password modification using pam_ldap will be +denied and the specified message will be presented to the user instead. +The message can be used to direct the user to an alternative means of +changing their password. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} list pam-services +List of pam service names for which LDAP authentication should suffice. + +Defaults to @samp{()}. + +@end deftypevr + +@c %end of generated documentation for nslcd-configuration + + @node Web Services @subsection Web Services diff --git a/gnu/local.mk b/gnu/local.mk index c32876cdcf..a5a2f11538 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -569,6 +569,7 @@ GNU_SYSTEM_MODULES = \ %D%/tests/monitoring.scm \ %D%/tests/nfs.scm \ %D%/tests/install.scm \ + %D%/tests/ldap.scm \ %D%/tests/mail.scm \ %D%/tests/messaging.scm \ %D%/tests/networking.scm \ diff --git a/gnu/services/authentication.scm b/gnu/services/authentication.scm index 1a2629d475..ab54aaf698 100644 --- a/gnu/services/authentication.scm +++ b/gnu/services/authentication.scm @@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2018 Danny Milosavljevic <dannym@scratchpost.org> +;;; Copyright © 2018, 2019 Ricardo Wurmus <rekado@elephly.net> ;;; ;;; This file is part of GNU Guix. ;;; @@ -18,13 +19,28 @@ (define-module (gnu services authentication) #:use-module (gnu services) + #:use-module (gnu services base) + #:use-module (gnu services configuration) #:use-module (gnu services dbus) + #:use-module (gnu services shepherd) + #:use-module (gnu system pam) + #:use-module (gnu system shadow) + #:use-module (gnu packages admin) #:use-module (gnu packages freedesktop) + #:use-module (gnu packages openldap) #:use-module (guix gexp) #:use-module (guix records) + #:use-module (guix packages) + #:use-module (ice-9 match) + #:use-module (srfi srfi-1) + #:use-module (srfi srfi-26) #:export (fprintd-configuration fprintd-configuration? - fprintd-service-type)) + fprintd-service-type + + nslcd-configuration + nslcd-configuration? + nslcd-service-type)) (define-record-type* <fprintd-configuration> fprintd-configuration make-fprintd-configuration @@ -39,3 +55,496 @@ list))) (description "Run fprintd, a fingerprint management daemon."))) + + +;;; +;;; NSS Pam LDAP service (nslcd) +;;; + +(define (uglify-field-name name) + (match name + ('filters "filter") + ('maps "map") + (_ (string-map (match-lambda + (#\- #\_) + (chr chr)) + (symbol->string name))))) + +(define (value->string val) + (cond + ((boolean? val) + (if val "on" "off")) + ((number? val) + (number->string val)) + ((symbol? val) + (string-map (match-lambda + (#\- #\_) + (chr chr)) + (symbol->string val))) + (else val))) + +(define (serialize-field field-name val) + (if (eq? field-name 'pam-services) + #t + (format #t "~a ~a\n" + (uglify-field-name field-name) + (value->string val)))) + +(define serialize-string serialize-field) +(define serialize-boolean serialize-field) +(define serialize-number serialize-field) +(define (serialize-list field-name val) + (map (cut serialize-field field-name <>) val)) +(define-maybe string) +(define-maybe boolean) +(define-maybe number) + +(define (ssl-option? val) + (or (boolean? val) + (eq? val 'start-tls))) +(define serialize-ssl-option serialize-field) +(define-maybe ssl-option) + +(define (tls-reqcert-option? val) + (member val '(never allow try demand hard))) +(define serialize-tls-reqcert-option serialize-field) +(define-maybe tls-reqcert-option) + +(define (deref-option? val) + (member val '(never searching finding always))) +(define serialize-deref-option serialize-field) +(define-maybe deref-option) + +(define (comma-separated-list-of-strings? val) + (and (list? val) + (every string? val))) +(define (ignore-users-option? val) + (or (comma-separated-list-of-strings? val) + (eq? 'all-local val))) +(define (serialize-ignore-users-option field-name val) + (serialize-field field-name (if (eq? 'all-local val) + val + (string-join val ",")))) +(define-maybe ignore-users-option) + +(define (log-option? val) + (let ((valid-scheme? (lambda (scheme) + (or (string? scheme) + (member scheme '(none syslog)))))) + (match val + ((scheme level) + (and (valid-scheme? scheme) + (member level '(crit error warning notice info debug)))) + ((scheme) + (valid-scheme? scheme))))) +(define (serialize-log-option field-name val) + (serialize-field field-name + (string-join (map (cut format #f "~a" <>) val)))) + +(define (valid-map? val) + "Is VAL a supported map name?" + (member val + '(alias aliases ether ethers group host hosts netgroup network networks + passwd protocol protocols rpc service services shadow))) + +(define (scope-option? val) + (let ((valid-scopes '(subtree onelevel base children))) + (match val + ((map-name scope) + (and (valid-map? map-name) + (member scope valid-scopes))) + ((scope) + (member scope valid-scopes))))) +(define (serialize-scope-option field-name val) + (serialize-field field-name + (string-join (map (cut format #f "~a" <>) val)))) + +(define (map-entry? val) + (match val + (((? valid-map? map-name) + (? string? attribute) + (? string? new-attribute)) #t) + (_ #f))) + +(define (list-of-map-entries? val) + (and (list? val) + (every map-entry? val))) + +(define (filter-entry? val) + (match val + (((? valid-map? map-name) + (? string? filter-expression)) #t) + (_ #f))) + +(define (list-of-filter-entries? val) + (and (list? val) + (every filter-entry? val))) + +(define (serialize-filter-entry field-name val) + (serialize-field 'filter + (match val + (((? valid-map? map-name) + (? string? filter-expression)) + (string-append (symbol->string map-name) + " " filter-expression))))) + +(define (serialize-list-of-filter-entries field-name val) + (for-each (cut serialize-filter-entry field-name <>) val)) + +(define (serialize-map-entry field-name val) + (serialize-field 'map + (match val + (((? valid-map? map-name) + (? string? attribute) + (? string? new-attribute)) + (string-append (symbol->string map-name) + " " attribute + " " new-attribute))))) + +(define (serialize-list-of-map-entries field-name val) + (for-each (cut serialize-map-entry field-name <>) val)) + + +(define-configuration nslcd-configuration + (nss-pam-ldapd + (package nss-pam-ldapd) + "The NSS-PAM-LDAPD package to use.") + + ;; Runtime options + (threads + (maybe-number 'disabled) + "The number of threads to start that can handle requests and perform LDAP +queries. Each thread opens a separate connection to the LDAP server. The +default is to start 5 threads.") + (uid + (string "nslcd") + "This specifies the user id with which the daemon should be run.") + (gid + (string "nslcd") + "This specifies the group id with which the daemon should be run.") + (log + (log-option '("/var/log/nslcd" info)) + "This option controls the way logging is done via a list containing SCHEME +and LEVEL. The SCHEME argument may either be the symbols \"none\" or +\"syslog\", or an absolute file name. The LEVEL argument is optional and +specifies the log level. The log level may be one of the following symbols: +\"crit\", \"error\", \"warning\", \"notice\", \"info\" or \"debug\". All +messages with the specified log level or higher are logged.") + + ;; LDAP connection settings + (uri + (list '("ldap://localhost:389/")) + "The list of LDAP server URIs. Normally, only the first server will be +used with the following servers as fall-back.") + (ldap-version + (maybe-string 'disabled) + "The version of the LDAP protocol to use. The default is to use the +maximum version supported by the LDAP library.") + (binddn + (maybe-string 'disabled) + "Specifies the distinguished name with which to bind to the directory +server for lookups. The default is to bind anonymously.") + (bindpw + (maybe-string 'disabled) + "Specifies the credentials with which to bind. This option is only +applicable when used with binddn.") + (rootpwmoddn + (maybe-string 'disabled) + "Specifies the distinguished name to use when the root user tries to modify +a user's password using the PAM module.") + (rootpwmodpw + (maybe-string 'disabled) + "Specifies the credentials with which to bind if the root user tries to +change a user's password. This option is only applicable when used with +rootpwmoddn") + + ;; SASL authentication options + (sasl-mech + (maybe-string 'disabled) + "Specifies the SASL mechanism to be used when performing SASL +authentication.") + (sasl-realm + (maybe-string 'disabled) + "Specifies the SASL realm to be used when performing SASL authentication.") + (sasl-authcid + (maybe-string 'disabled) + "Specifies the authentication identity to be used when performing SASL +authentication.") + (sasl-authzid + (maybe-string 'disabled) + "Specifies the authorization identity to be used when performing SASL +authentication.") + (sasl-canonicalize? + (maybe-boolean 'disabled) + "Determines whether the LDAP server host name should be canonicalised. If +this is enabled the LDAP library will do a reverse host name lookup. By +default, it is left up to the LDAP library whether this check is performed or +not.") + + ;; Kerberos authentication options + (krb5-ccname + (maybe-string 'disabled) + "Set the name for the GSS-API Kerberos credentials cache.") + + ;; Search / mapping options + (base + (string "dc=example,dc=com") + "The directory search base.") + (scope + (scope-option '(subtree)) + "Specifies the search scope (subtree, onelevel, base or children). The +default scope is subtree; base scope is almost never useful for name service +lookups; children scope is not supported on all servers.") + (deref + (maybe-deref-option 'disabled) + "Specifies the policy for dereferencing aliases. The default policy is to +never dereference aliases.") + (referrals + (maybe-boolean 'disabled) + "Specifies whether automatic referral chasing should be enabled. The +default behaviour is to chase referrals.") + (maps + (list-of-map-entries '()) + "This option allows for custom attributes to be looked up instead of the +default RFC 2307 attributes. It is a list of maps, each consisting of the +name of a map, the RFC 2307 attribute to match and the query expression for +the attribute as it is available in the directory.") + (filters + (list-of-filter-entries '()) + "A list of filters consisting of the name of a map to which the filter +applies and an LDAP search filter expression.") + + ;; Timing / reconnect options + (bind-timelimit + (maybe-number 'disabled) + "Specifies the time limit in seconds to use when connecting to the +directory server. The default value is 10 seconds.") + (timelimit + (maybe-number 'disabled) + "Specifies the time limit (in seconds) to wait for a response from the LDAP +server. A value of zero, which is the default, is to wait indefinitely for +searches to be completed.") + (idle-timelimit + (maybe-number 'disabled) + "Specifies the period if inactivity (in seconds) after which the con‐ +nection to the LDAP server will be closed. The default is not to time out +connections.") + (reconnect-sleeptime + (maybe-number 'disabled) + "Specifies the number of seconds to sleep when connecting to all LDAP +servers fails. By default one second is waited between the first failure and +the first retry.") + (reconnect-retrytime + (maybe-number 'disabled) + "Specifies the time after which the LDAP server is considered to be +permanently unavailable. Once this time is reached retries will be done only +once per this time period. The default value is 10 seconds.") + + ;; TLS options + (ssl + (maybe-ssl-option 'disabled) + "Specifies whether to use SSL/TLS or not (the default is not to). If +'start-tls is specified then StartTLS is used rather than raw LDAP over SSL.") + (tls-reqcert + (maybe-tls-reqcert-option 'disabled) + "Specifies what checks to perform on a server-supplied certificate. +The meaning of the values is described in the ldap.conf(5) manual page.") + (tls-cacertdir + (maybe-string 'disabled) + "Specifies the directory containing X.509 certificates for peer authen‐ +tication. This parameter is ignored when using GnuTLS.") + (tls-cacertfile + (maybe-string 'disabled) + "Specifies the path to the X.509 certificate for peer authentication.") + (tls-randfile + (maybe-string 'disabled) + "Specifies the path to an entropy source. This parameter is ignored when +using GnuTLS.") + (tls-ciphers + (maybe-string 'disabled) + "Specifies the ciphers to use for TLS as a string.") + (tls-cert + (maybe-string 'disabled) + "Specifies the path to the file containing the local certificate for client +TLS authentication.") + (tls-key + (maybe-string 'disabled) + "Specifies the path to the file containing the private key for client TLS +authentication.") + + ;; Other options + (pagesize + (maybe-number 'disabled) + "Set this to a number greater than 0 to request paged results from the LDAP +server in accordance with RFC2696. The default (0) is to not request paged +results.") + (nss-initgroups-ignoreusers + (maybe-ignore-users-option 'disabled) + "This option prevents group membership lookups through LDAP for the +specified users. Alternatively, the value 'all-local may be used. With that +value nslcd builds a full list of non-LDAP users on startup.") + (nss-min-uid + (maybe-number 'disabled) + "This option ensures that LDAP users with a numeric user id lower than the +specified value are ignored.") + (nss-uid-offset + (maybe-number 'disabled) + "This option specifies an offset that is added to all LDAP numeric user +ids. This can be used to avoid user id collisions with local users.") + (nss-gid-offset + (maybe-number 'disabled) + "This option specifies an offset that is added to all LDAP numeric group +ids. This can be used to avoid user id collisions with local groups.") + (nss-nested-groups + (maybe-boolean 'disabled) + "If this option is set, the member attribute of a group may point to +another group. Members of nested groups are also returned in the higher level +group and parent groups are returned when finding groups for a specific user. +The default is not to perform extra searches for nested groups.") + (nss-getgrent-skipmembers + (maybe-boolean 'disabled) + "If this option is set, the group member list is not retrieved when looking +up groups. Lookups for finding which groups a user belongs to will remain +functional so the user will likely still get the correct groups assigned on +login.") + (nss-disable-enumeration + (maybe-boolean 'disabled) + "If this option is set, functions which cause all user/group entries to be +loaded from the directory will not succeed in doing so. This can dramatically +reduce LDAP server load in situations where there are a great number of users +and/or groups. This option is not recommended for most configurations.") + (validnames + (maybe-string 'disabled) + "This option can be used to specify how user and group names are verified +within the system. This pattern is used to check all user and group names +that are requested and returned from LDAP.") + (ignorecase + (maybe-boolean 'disabled) + "This specifies whether or not to perform searches using case-insensitive +matching. Enabling this could open up the system to authorization bypass +vulnerabilities and introduce nscd cache poisoning vulnerabilities which allow +denial of service.") + (pam-authc-ppolicy + (maybe-boolean 'disabled) + "This option specifies whether password policy controls are requested and +handled from the LDAP server when performing user authentication.") + (pam-authc-search + (maybe-string 'disabled) + "By default nslcd performs an LDAP search with the user's credentials after +BIND (authentication) to ensure that the BIND operation was successful. The +default search is a simple check to see if the user's DN exists. A search +filter can be specified that will be used instead. It should return at least +one entry.") + (pam-authz-search + (maybe-string 'disabled) + "This option allows flexible fine tuning of the authorisation check that +should be performed. The search filter specified is executed and if any +entries match, access is granted, otherwise access is denied.") + (pam-password-prohibit-message + (maybe-string 'disabled) + "If this option is set password modification using pam_ldap will be denied +and the specified message will be presented to the user instead. The message +can be used to direct the user to an alternative means of changing their +password.") + + ;; Options for extension of pam-root-service-type. + (pam-services + (list '()) + "List of pam service names for which LDAP authentication should suffice.")) + +(define %nslcd-accounts + (list (user-group + (name "nslcd") + (system? #t)) + (user-account + (name "nslcd") + (group "nslcd") + (comment "NSLCD service account") + (home-directory "/var/empty") + (shell (file-append shadow "/sbin/nologin")) + (system? #t)))) + +(define (nslcd-config-file config) + "Return an NSLCD configuration file." + (plain-file "nslcd.conf" + (with-output-to-string + (lambda () + (serialize-configuration config nslcd-configuration-fields) + ;; The file must end with a newline character. + (format #t "\n"))))) + +;; XXX: The file should only be readable by root if it contains a "bindpw" +;; declaration. Unfortunately, this etc-service-type extension does not +;; support setting file modes, so we do this in the activation service. +(define (nslcd-etc-service config) + `(("nslcd.conf" ,(nslcd-config-file config)))) + +(define (nslcd-shepherd-service config) + (list (shepherd-service + (documentation "Run the nslcd service for resolving names from LDAP.") + (provision '(nslcd)) + (requirement '(networking user-processes)) + (start #~(make-forkexec-constructor + (list (string-append #$(nslcd-configuration-nss-pam-ldapd config) + "/sbin/nslcd") + "--nofork") + #:pid-file "/var/run/nslcd/nslcd.pid" + #:environment-variables + (list (string-append "LD_LIBRARY_PATH=" + #$(nslcd-configuration-nss-pam-ldapd config) + "/lib")))) + (stop #~(make-kill-destructor))))) + +(define (pam-ldap-pam-service config) + "Return a PAM service for LDAP authentication." + (define pam-ldap-module + #~(string-append #$(nslcd-configuration-nss-pam-ldapd config) + "/lib/security/pam_ldap.so")) + (lambda (pam) + (if (member (pam-service-name pam) + (nslcd-configuration-pam-services config)) + (let ((sufficient + (pam-entry + (control "sufficient") + (module pam-ldap-module)))) + (pam-service + (inherit pam) + (auth (cons sufficient (pam-service-auth pam))) + (session (cons sufficient (pam-service-session pam))) + (account (cons sufficient (pam-service-account pam))))) + pam))) + +(define (pam-ldap-pam-services config) + (list (pam-ldap-pam-service config))) + +(define nslcd-service-type + (service-type + (name 'nslcd) + (description "Run the NSLCD service for looking up names from LDAP.") + (extensions + (list (service-extension account-service-type + (const %nslcd-accounts)) + (service-extension etc-service-type + nslcd-etc-service) + (service-extension activation-service-type + (const #~(begin + (use-modules (guix build utils)) + (let ((rundir "/var/run/nslcd") + (user (getpwnam "nslcd"))) + (mkdir-p rundir) + (chown rundir (passwd:uid user) (passwd:gid user)) + (chmod rundir #o755) + (when (file-exists? "/etc/nslcd.conf") + (chmod "/etc/nslcd.conf" #o400)))))) + (service-extension pam-root-service-type + pam-ldap-pam-services) + (service-extension nscd-service-type + (const (list nss-pam-ldapd))) + (service-extension shepherd-root-service-type + nslcd-shepherd-service))) + (default-value (nslcd-configuration)))) + +(define (generate-nslcd-documentation) + (generate-documentation + `((nslcd-configuration ,nslcd-configuration-fields)) + 'nslcd-configuration)) diff --git a/gnu/tests/ldap.scm b/gnu/tests/ldap.scm new file mode 100644 index 0000000000..2d4f15fb3c --- /dev/null +++ b/gnu/tests/ldap.scm @@ -0,0 +1,160 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2019 Ricardo Wurmus <rekado@elephly.net> +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. + +(define-module (gnu tests ldap) + #:use-module (gnu tests) + #:use-module (gnu system) + #:use-module (gnu system nss) + #:use-module (gnu system vm) + #:use-module (gnu services) + #:use-module (gnu services authentication) + #:use-module (gnu services networking) + #:use-module (gnu packages base) + #:use-module (gnu packages openldap) + #:use-module (guix gexp) + #:use-module (guix store) + #:export (%test-ldap)) + +(define %ldap-os + (let ((simple + (simple-operating-system + (service dhcp-client-service-type) + (service nslcd-service-type)))) + (operating-system + (inherit simple) + (name-service-switch + (let ((services (list (name-service (name "db")) + (name-service (name "files")) + (name-service (name "ldap"))))) + (name-service-switch + (inherit %mdns-host-lookup-nss) + (password services) + (shadow services) + (group services) + (netgroup services) + (gshadow services))))))) + +(define (run-ldap-test) + "Run tests in %LDAP-OS." + (define os + (marionette-operating-system + %ldap-os + #:imported-modules '((gnu services herd) + (guix combinators)))) + + (define vm + (virtual-machine os)) + + (define test + (with-imported-modules '((gnu build marionette)) + #~(begin + (use-modules (srfi srfi-11) (srfi srfi-64) + (gnu build marionette)) + + (define marionette + (make-marionette (list #$vm))) + + (mkdir #$output) + (chdir #$output) + + (test-begin "ldap") + + ;; Set up LDAP directory server + (test-assert "LDAP server instance running" + (marionette-eval + '(begin + (with-output-to-file "instance.inf" + (lambda () + (display "[general] +config_version = 2 + +\n[slapd] +root_password = SECRET +user = root +group = root + +\n[backend-userroot] +sample_entries = yes +suffix = dc=example,dc=com"))) + (and + ;; Create instance + (zero? (system* #$(file-append 389-ds-base "/sbin/dscreate") + "-v" "from-file" "instance.inf")) + ;; Start instance + (zero? (system* #$(file-append 389-ds-base "/sbin/dsctl") + "localhost" "start")) + ;; Create user account + (zero? (system* #$(file-append 389-ds-base "/sbin/dsidm") + "-b" "dc=example,dc=com" + "localhost" "user" "create" + "--uid" "eva" "--cn" "Eva Lu Ator" + "--displayName" "Eva Lu Ator" + "--uidNumber" "1234" "--gidNumber" "2345" + "--homeDirectory" "/home/eva")))) + marionette)) + + (test-assert "Manager can bind to LDAP server instance" + (marionette-eval + '(zero? (system* #$(file-append openldap "/bin/ldapwhoami") + "-H" "ldap://localhost" "-D" + "cn=Directory Manager" "-w" "SECRET")) + marionette)) + + ;; Wait for nslcd to be up and running. + (test-assert "nslcd service running" + (marionette-eval + '(begin + (use-modules (gnu services herd)) + (match (start-service 'nslcd) + (#f #f) + (('service response-parts ...) + (match (assq-ref response-parts 'running) + ((pid) (number? pid)))))) + marionette)) + + (test-assert "nslcd produces a log file" + (marionette-eval + '(file-exists? "/var/log/nslcd") + marionette)) + + (test-assert "Can query LDAP user accounts" + (marionette-eval + '(begin + ;; TODO: This shouldn't be necessary, but unfortunately it + ;; really is needed to discover LDAP accounts with "id". + (setenv "LD_LIBRARY_PATH" + #$(file-append nss-pam-ldapd "/lib")) + (zero? (system* #$(file-append coreutils "/bin/id") "eva"))) + marionette)) + + (test-assert "Can become LDAP user" + (marionette-eval + '(zero? (system* "/run/setuid-programs/su" "eva" "-c" + #$(file-append coreutils "/bin/true"))) + marionette)) + + (test-end) + (exit (= (test-runner-fail-count (test-runner-current)) 0))))) + + (gexp->derivation "ldap-test" test)) + +(define %test-ldap + (system-test + (name "ldap") + (description "Run an LDAP directory server and authenticate against it.") + (value (run-ldap-test)))) |