From c6f81ff7a6a527b5a14189a2c359b981ddba43bc Mon Sep 17 00:00:00 2001 From: Ricardo Wurmus Date: Wed, 14 Dec 2022 20:48:11 +0100 Subject: gnu: Add directory-server-service-type. * gnu/services/ldap.scm: New file. * gnu/local.mk (GNU_SYSTEM_MODULES): Add it. * doc/guix.texi (LDAP Services): Document it. --- doc/guix.texi | 185 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 185 insertions(+) (limited to 'doc/guix.texi') diff --git a/doc/guix.texi b/doc/guix.texi index 30674dab1e..f376fd2c9b 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -28452,6 +28452,8 @@ Local accounts with lower values will silently fail to authenticate. @node LDAP Services @subsection LDAP Services @cindex LDAP + +@subsubheading Authentication against LDAP with nslcd @cindex nslcd, LDAP service The @code{(gnu services authentication)} module provides the 
@@ -28928,6 +28930,189 @@ Defaults to @samp{()}. @c %end of generated documentation for nslcd-configuration +@subsubheading LDAP Directory Server +@cindex LDAP, server + +The @code{(gnu services ldap)} module provides the +@code{directory-server-service-type}, which can be used to create and +launch an LDAP server instance. + +Here is an example configuration of the +@code{directory-server-service-type}: + +@lisp +(use-service-modules ldap) + +... +(operating-system + ... + (services + (cons + (service directory-server-service-type + (directory-server-instance-configuration + (slapd + (slapd-configuration + (root-password "@{PBKDF2_SHA256@}AAAgAG@dots{}ABSOLUTELYSECRET"))))) + %base-services))) +@end lisp + +The root password should be generated with the @command{pwdhash} utility +that is provided by the @code{389-ds-base} package. + +Note that changes to the directory server configuration will not be +applied to existing instances. You will need to back up and restore +server data manually. Only new directory server instances will be +created upon system reconfiguration. + +@c %start of generated documentation for directory-server-instance-configuration +@deftp {Data Type} directory-server-instance-configuration +Available @code{directory-server-instance-configuration} fields are: + +@table @asis +@item @code{package} (default: @code{389-ds-base}) (type: file-like) +The @code{389-ds-base} package. + +@item @code{config-version} (default: @code{2}) (type: number) +Sets the format version of the configuration file. To use the INF file +with @command{dscreate}, this parameter must be 2. + +@item @code{full-machine-name} (default: @code{"localhost"}) (type: string) +Sets the fully qualified hostname (FQDN) of this system. + +@item @code{selinux} (default: @code{#false}) (type: boolean) +Enables SELinux detection and integration during the installation of +this instance. If set to @code{#true}, @command{dscreate} auto-detects +whether SELinux is enabled. 
+ +@item @code{strict-host-checking} (default: @code{#true}) (type: boolean) +Sets whether the server verifies the forward and reverse record set in +the @code{full-machine-name} parameter. When installing this instance with +GSSAPI authentication behind a load balancer, set this parameter to +@code{#false}. + +@item @code{systemd} (default: @code{#false}) (type: boolean) +Enables systemd platform features. If set to @code{#true}, +@command{dscreate} auto-detects whether systemd is installed. + +@item @code{slapd} (type: slapd-configuration) +Configuration of slapd. + +@deftp {Data Type} slapd-configuration +Available @code{slapd-configuration} fields are: + +@table @asis +@item @code{instance-name} (default: @code{"localhost"}) (type: string) +Sets the name of the instance. You can refer to this value in other +parameters of this INF file using the @code{@{instance_name@}} variable. +Note that this name cannot be changed after the installation! + +@item @code{user} (default: @code{"dirsrv"}) (type: string) +Sets the user name the ns-slapd process will use after the service +started. + +@item @code{group} (default: @code{"dirsrv"}) (type: string) +Sets the group name the ns-slapd process will use after the service +started. + +@item @code{port} (default: @code{389}) (type: number) +Sets the TCP port the instance uses for LDAP connections. + +@item @code{secure-port} (default: @code{636}) (type: number) +Sets the TCP port the instance uses for TLS-secured LDAP connections +(LDAPS). + +@item @code{root-dn} (default: @code{"cn=Directory Manager"}) (type: string) +Sets the @dfn{Distinquished Name} (DN) of the administrator account for this +instance. + +@item @code{root-password} (default: @code{"@{invalid@}YOU-SHOULD-CHANGE-THIS"}) (type: string) +Sets the password of the account specified in the @code{root-dn} +parameter. 
You can either set this parameter to a plain text password +@command{dscreate} hashes during the installation or to a +"@{algorithm@}hash" string generated by the @command{pwdhash} utility. +Note that setting a plain text password can be a security risk if +unprivileged users can read this INF file! + +@item @code{self-sign-cert} (default: @code{#true}) (type: boolean) +Sets whether the setup creates a self-signed certificate and enables TLS +encryption during the installation. This is not suitable for +production, but it enables administrators to use TLS right after the +installation. You can replace the self-signed certificate with a +certificate issued by a certificate authority. + +@item @code{self-sign-cert-valid-months} (default: @code{24}) (type: number) +Set the number of months the issued self-signed certificate will be +valid. + +@item @code{backup-dir} (default: @code{"/var/lib/dirsrv/slapd-@{instance_name@}/bak"}) (type: string) +Set the backup directory of the instance. + +@item @code{cert-dir} (default: @code{"/etc/dirsrv/slapd-@{instance_name@}"}) (type: string) +Sets the directory of the instance's Network Security Services (NSS) +database. + +@item @code{config-dir} (default: @code{"/etc/dirsrv/slapd-@{instance_name@}"}) (type: string) +Sets the configuration directory of the instance. + +@item @code{db-dir} (default: @code{"/var/lib/dirsrv/slapd-@{instance_name@}/db"}) (type: string) +Sets the database directory of the instance. + +@item @code{initconfig-dir} (default: @code{"/etc/dirsrv/registry"}) (type: string) +Sets the directory of the operating system's rc configuration directory. + +@item @code{ldif-dir} (default: @code{"/var/lib/dirsrv/slapd-@{instance_name@}/ldif"}) (type: string) +Sets the LDIF export and import directory of the instance. + +@item @code{lock-dir} (default: @code{"/var/lock/dirsrv/slapd-@{instance_name@}"}) (type: string) +Sets the lock directory of the instance. 
+ +@item @code{log-dir} (default: @code{"/var/log/dirsrv/slapd-@{instance_name@}"}) (type: string) +Sets the log directory of the instance. + +@item @code{run-dir} (default: @code{"/var/run/dirsrv"}) (type: string) +Sets PID directory of the instance. + +@item @code{schema-dir} (default: @code{"/etc/dirsrv/slapd-@{instance_name@}/schema"}) (type: string) +Sets schema directory of the instance. + +@item @code{tmp-dir} (default: @code{"/tmp"}) (type: string) +Sets the temporary directory of the instance. +@end table +@end deftp + +@item @code{backend-userroot} (type: backend-userroot-configuration) +Configuration of the userroot backend. + +@deftp {Data Type} backend-userroot-configuration +Available @code{backend-userroot-configuration} fields are: + +@table @asis +@item @code{create-suffix-entry?} (default: @code{#false}) (type: boolean) +Set this parameter to @code{#true} to create a generic root node entry +for the suffix in the database. + +@item @code{require-index?} (default: @code{#false}) (type: boolean) +Set this parameter to @code{#true} to refuse unindexed searches in this +database. + +@item @code{sample-entries} (default: @code{"no"}) (type: string) +Set this parameter to @code{"yes"} to add latest version of sample +entries to this database. Or, use @code{"001003006"} to use the 1.3.6 +version sample entries. Use this option, for example, to create a +database for testing purposes. + +@item @code{suffix} (type: maybe-string) +Sets the root suffix stored in this database. If you do not set the +suffix attribute the install process will not create the backend/suffix. +You can also create multiple backends/suffixes by duplicating this +section. + +@end table +@end deftp +@end table +@end deftp +@c end of generated documentation for directory-server + @node Web Services @subsection Web Services -- cgit 1.4.1
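Review bot: the `root-password` entry in the `slapd-configuration` table warns that a plain-text password is a security risk if unprivileged users can read the INF file, but nothing in the hunk says where the generated INF file is written or who can read it; since the example places the password hash directly in the `operating-system` declaration, add a sentence stating the generated file's location and permissions (and whether a `pwdhash` hash is also exposed there) so readers can judge that risk. Also in this hunk: the closing marker `@c end of generated documentation for directory-server` does not match the opening `@c %start of generated documentation for directory-server-instance-configuration` (missing `%`, truncated name), which will break any tooling that regenerates the block; `Distinquished Name` should be `Distinguished Name`; `Sets PID directory of the instance` and `Sets schema directory of the instance` need `the`; `Sets the directory of the operating system's rc configuration directory` repeats `directory`; and `add latest version of sample entries` needs `the`.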