@ -27,25 +27,24 @@
|
|
|
|
|
#:use-module (gnu services configuration)
|
|
|
|
|
#:use-module (gnu services certbot)
|
|
|
|
|
|
|
|
|
|
#:export (kerberos.metznet.ca))
|
|
|
|
|
#:export (kerberos.metznet.ca kerberos-services))
|
|
|
|
|
|
|
|
|
|
(define-public mit-krb5-ldap
|
|
|
|
|
(package
|
|
|
|
|
(name "mit-krb5-ldap")
|
|
|
|
|
(version "1.20")
|
|
|
|
|
(source (origin
|
|
|
|
|
(method url-fetch)
|
|
|
|
|
(uri (list (string-append
|
|
|
|
|
"https://web.mit.edu/kerberos/dist/krb5/"
|
|
|
|
|
(version-major+minor version) "/krb5-" version
|
|
|
|
|
".tar.gz")
|
|
|
|
|
(string-append "https://kerberos.org/dist/krb5/"
|
|
|
|
|
(version-major+minor version) "/krb5-"
|
|
|
|
|
version ".tar.gz")))
|
|
|
|
|
(patches (search-patches "mit-krb5-hurd.patch"))
|
|
|
|
|
(sha256
|
|
|
|
|
(base32
|
|
|
|
|
"0bz16sh0vgzlpy2kx5acmpyy181hl83a1alz7wbk06457kfjn0ky"))))
|
|
|
|
|
(source
|
|
|
|
|
(origin
|
|
|
|
|
(method url-fetch)
|
|
|
|
|
(uri (list (string-append "https://web.mit.edu/kerberos/dist/krb5/"
|
|
|
|
|
(version-major+minor version) "/krb5-"
|
|
|
|
|
version ".tar.gz")
|
|
|
|
|
(string-append "https://kerberos.org/dist/krb5/"
|
|
|
|
|
(version-major+minor version) "/krb5-"
|
|
|
|
|
version ".tar.gz")))
|
|
|
|
|
(patches (search-patches "mit-krb5-hurd.patch"))
|
|
|
|
|
(sha256
|
|
|
|
|
(base32 "0bz16sh0vgzlpy2kx5acmpyy181hl83a1alz7wbk06457kfjn0ky"))))
|
|
|
|
|
(build-system gnu-build-system)
|
|
|
|
|
(native-inputs (list bison perl tcl openldap-slapd)) ;required for some tests
|
|
|
|
|
(inputs (list openssl readline))
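Review bot: The private `mit-krb5-ldap` package is pinned to `(version "1.20")` with a fixed hash, which is good for reproducibility but freezes the KDC on the first 1.20 release; the 1.20.x point releases are security releases (1.20.1, as far as I recall, fixed the PAC-parsing integer overflow CVE-2022-42898), so a KDC built from this definition will never pick them up. Suggest tracking the current patch release and updating the hash with it, e.g. `(version "1.20.2")` plus the matching `sha256`, or inheriting `version`/`source` from Guix's own `mit-krb5` so upstream bumps flow through and only the LDAP build inputs are local. The source URLs are HTTPS and hash-pinned, so the fetch itself is fine. The `source` field appears twice in this hunk; I take one of them to be the removed side of the reformatting.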
|
|
|
|
@ -130,27 +129,20 @@
|
|
|
|
|
"")
|
|
|
|
|
|
|
|
|
|
(define-configuration kdc-realm-configuration
|
|
|
|
|
(name (string "EXAMPLE.COM") "realm name" serialize-none)
|
|
|
|
|
(database_module maybe-string "database module")
|
|
|
|
|
(acl_file maybe-file-like "acl file")
|
|
|
|
|
(key_stash_file (string "/var/lib/kerberos/stash")
|
|
|
|
|
"key stash file")
|
|
|
|
|
(kdc_ports (list-of-ports '(750 88))
|
|
|
|
|
"list of ports to listen on"
|
|
|
|
|
realm-serialize-list-of-ports)
|
|
|
|
|
(kadmind_ports (list-of-ports '(749))
|
|
|
|
|
"list of ports to listen on for kadmin connections"
|
|
|
|
|
realm-serialize-list-of-ports)
|
|
|
|
|
(max_life (string "10h 0m 0s")
|
|
|
|
|
"maximum life of granted tickets")
|
|
|
|
|
(max_renewable_type (string "7d 0h 0m 0s")
|
|
|
|
|
"maximum time to renew ticket")
|
|
|
|
|
(master_key_type (string "des3-hmac-sha1")
|
|
|
|
|
"master key type")
|
|
|
|
|
(supported_enctypes maybe-string
|
|
|
|
|
"supported encryption types")
|
|
|
|
|
(default_principal_flags maybe-string
|
|
|
|
|
"default flag for new principals"))
|
|
|
|
|
(name (string "EXAMPLE.COM") "realm name" serialize-none)
|
|
|
|
|
(database_module maybe-string "database module")
|
|
|
|
|
(acl_file maybe-file-like "acl file")
|
|
|
|
|
(key_stash_file (string "/var/lib/kerberos/stash") "key stash file")
|
|
|
|
|
(kdc_ports (list-of-ports '(750 88)) "list of ports to listen on"
|
|
|
|
|
realm-serialize-list-of-ports)
|
|
|
|
|
(kadmind_ports (list-of-ports '(749))
|
|
|
|
|
"list of ports to listen on for kadmin connections"
|
|
|
|
|
realm-serialize-list-of-ports)
|
|
|
|
|
(max_life (string "10h 0m 0s") "maximum life of granted tickets")
|
|
|
|
|
(max_renewable_type (string "7d 0h 0m 0s") "maximum time to renew ticket")
|
|
|
|
|
(master_key_type (string "des3-hmac-sha1") "master key type")
|
|
|
|
|
(supported_enctypes maybe-string "supported encryption types")
|
|
|
|
|
(default_principal_flags maybe-string "default flag for new principals"))
|
|
|
|
|
|
|
|
|
|
(define list-of-kdc-realm-configuration?
|
|
|
|
|
(list-of kdc-realm-configuration?))
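Review bot: `(master_key_type (string "des3-hmac-sha1") "master key type")` makes every new realm's master key triple-DES by default; des3 is deprecated by RFC 8429 and upstream krb5 has been disabling it by default in recent releases, so a realm created from this default starts life on a weak, soon-unsupported enctype. Suggest `(master_key_type (string "aes256-cts-hmac-sha1-96") "master key type")` (or `aes256-cts-hmac-sha384-192`), and for the same reason a concrete default for `supported_enctypes` that lists only AES types rather than `maybe-string`. Separately, the field named `max_renewable_type` does not correspond to any kdc.conf realm option — the KDC setting is `max_renewable_life` — so if the field name is what gets serialized, the intended 7-day renewable cap is silently ignored; I would rename it `max_renewable_life` (noting this is a user-visible field of `kdc-realm-configuration`). Port 750 in `kdc_ports '(750 88)` is the legacy Kerberos v4 port and can probably be dropped.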
|
|
|
|
@ -169,20 +161,17 @@
|
|
|
|
|
(serialize-field number->string " "))
|
|
|
|
|
|
|
|
|
|
(define-configuration kldap-configuration
|
|
|
|
|
(db_library (string "kldap") "db library to use")
|
|
|
|
|
(disable_last_success (boolean #f)
|
|
|
|
|
"disable last success field")
|
|
|
|
|
(disable_lockout (boolean #f) "disable lockout field")
|
|
|
|
|
(ldap_kdc_dn (string "uid=kdc,dc=example,dc=com")
|
|
|
|
|
"dn to bind for kdc operations")
|
|
|
|
|
(ldap_kadmind_dn (string "uid=kadmind,dc=example,dc=com")
|
|
|
|
|
"dn to bind for kadmin operations")
|
|
|
|
|
(ldap_service_password_file maybe-file-like
|
|
|
|
|
"file that stores the passwords for the ldap bind dns")
|
|
|
|
|
(ldap_servers (string "ldap://example.com")
|
|
|
|
|
"ldap server url")
|
|
|
|
|
(ldap_conns_per_server (number 5)
|
|
|
|
|
"number of connections per ldap server"))
|
|
|
|
|
(db_library (string "kldap") "db library to use")
|
|
|
|
|
(disable_last_success (boolean #f) "disable last success field")
|
|
|
|
|
(disable_lockout (boolean #f) "disable lockout field")
|
|
|
|
|
(ldap_kdc_dn (string "uid=kdc,dc=example,dc=com")
|
|
|
|
|
"dn to bind for kdc operations")
|
|
|
|
|
(ldap_kadmind_dn (string "uid=kadmind,dc=example,dc=com")
|
|
|
|
|
"dn to bind for kadmin operations")
|
|
|
|
|
(ldap_service_password_file maybe-file-like
|
|
|
|
|
"file that stores the passwords for the ldap bind dns")
|
|
|
|
|
(ldap_servers (string "ldap://example.com") "ldap server url")
|
|
|
|
|
(ldap_conns_per_server (number 5) "number of connections per ldap server"))
|
|
|
|
|
|
|
|
|
|
(define (serialize-list-of-kdc-realm-configuration field-name value)
|
|
|
|
|
#~(string-join (list "[realms]"
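Review bot: `(ldap_servers (string "ldap://example.com") "ldap server url")` defaults to cleartext LDAP, and the same record's `ldap_service_password_file` holds the bind passwords, so with these defaults the KDC's bind credentials and the principal database (key material included) cross the wire unencrypted unless the operator remembers to override the URL. Suggest `(ldap_servers (string "ldaps://example.com") "ldap server url; use ldaps:// or ldapi://, the KDC binds with a password")`. The `ldap_service_password_file` docstring should also state the constraint the KDC imposes on that file — readable only by the KDC user — since a `file-like` such as `plain-file` ends up world-readable in `/gnu/store`; e.g. `"file holding the bind passwords for the KDC and kadmind DNs (must be mode 0600; a /gnu/store path cannot satisfy this)"`. The `serialize-list-of-kdc-realm-configuration` definition at the end of the hunk continues outside it.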
|
|
|
|
@ -226,22 +215,17 @@
|
|
|
|
|
(define-maybe list-of-strings)
|
|
|
|
|
|
|
|
|
|
(define-configuration kdc-configuration
|
|
|
|
|
(krb5 (file-like mit-krb5-ldap) "krb5 package to use"
|
|
|
|
|
serialize-none)
|
|
|
|
|
(pkinit_anchors (string
|
|
|
|
|
"DIR:/run/current-system/profile/etc/ssl/certs/")
|
|
|
|
|
"CA certificate directory/file"
|
|
|
|
|
(serialize-field (lambda (x)
|
|
|
|
|
x) " "))
|
|
|
|
|
(kdc_ports (list-of-ports '(750 88))
|
|
|
|
|
"list of ports to listen on")
|
|
|
|
|
(realms (list-of-kdc-realm-configuration '())
|
|
|
|
|
"Realms to configure the KDC with")
|
|
|
|
|
(logging maybe-list-of-strings "extra logging lines")
|
|
|
|
|
(dbdefaults maybe-list-of-strings
|
|
|
|
|
"extra dbdefault lines")
|
|
|
|
|
(dbmodules (list-of-dbmodules '())
|
|
|
|
|
"dbmodules to configure"))
|
|
|
|
|
(krb5 (file-like mit-krb5-ldap) "krb5 package to use" serialize-none)
|
|
|
|
|
(pkinit_anchors (string "DIR:/run/current-system/profile/etc/ssl/certs/")
|
|
|
|
|
"CA certificate directory/file"
|
|
|
|
|
(serialize-field (lambda (x)
|
|
|
|
|
x) " "))
|
|
|
|
|
(kdc_ports (list-of-ports '(750 88)) "list of ports to listen on")
|
|
|
|
|
(realms (list-of-kdc-realm-configuration '())
|
|
|
|
|
"Realms to configure the KDC with")
|
|
|
|
|
(logging maybe-list-of-strings "extra logging lines")
|
|
|
|
|
(dbdefaults maybe-list-of-strings "extra dbdefault lines")
|
|
|
|
|
(dbmodules (list-of-dbmodules '()) "dbmodules to configure"))
|
|
|
|
|
|
|
|
|
|
(define (serialize-kdc-configuration configuration)
|
|
|
|
|
(mixed-text-file "kdc.conf"
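Review bot: `(pkinit_anchors (string "DIR:/run/current-system/profile/etc/ssl/certs/") ...)` makes every public CA in the system bundle a PKINIT trust anchor by default. MIT PKINIT still requires a matching principal SAN and EKU on the client certificate, so this is not an outright bypass, but a KDC should anchor PKINIT on the organisation's own CA rather than on the web PKI; I would either make the field `maybe-string` with no default so the operator has to choose, or at least warn in the docstring, e.g. `"CA anchors for PKINIT client certificates; point this at your own CA, not the public bundle"`. The identity serializer `(serialize-field (lambda (x) x) " ")` is fine as written. The `serialize-kdc-configuration` definition at the end of the hunk continues outside it.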
|
|
|
|
@ -328,40 +312,43 @@
|
|
|
|
|
(define %kerberos-dn
|
|
|
|
|
"uid=kerberos,ou=system,ou=accounts,dc=metznet,dc=ca")
|
|
|
|
|
|
|
|
|
|
(define-public kerberos-services
|
|
|
|
|
(append (list (service kdc-service-type
|
|
|
|
|
(kdc-configuration (dbdefaults '("ldap_kerberos_container_dn = cn=kerberos,dc=metznet,dc=ca"))
|
|
|
|
|
(logging '("kdc = SYSLOG:DEBUG:DAEMON"))
|
|
|
|
|
(dbmodules (list (cons
|
|
|
|
|
"openldap_ldapconf"
|
|
|
|
|
(kldap-configuration
|
|
|
|
|
(ldap_kdc_dn
|
|
|
|
|
%kerberos-dn)
|
|
|
|
|
(ldap_kadmind_dn
|
|
|
|
|
%kerberos-dn)
|
|
|
|
|
(ldap_servers
|
|
|
|
|
"ldaps://ldap.metznet.ca")
|
|
|
|
|
(ldap_service_password_file
|
|
|
|
|
(plain-file
|
|
|
|
|
"service.keyfile"
|
|
|
|
|
"uid=kerberos,ou=system,ou=accounts,dc=metznet,dc=ca#{HEX}594459525a793139
|
|
|
|
|
"))))))
|
|
|
|
|
(realms (list (kdc-realm-configuration
|
|
|
|
|
(name "METZNET.CA")
|
|
|
|
|
(database_module
|
|
|
|
|
"openldap_ldapconf")
|
|
|
|
|
(default_principal_flags
|
|
|
|
|
"+preauth")
|
|
|
|
|
(acl_file (plain-file
|
|
|
|
|
"kadm5.acl"
|
|
|
|
|
"*/admin@METZNET.CA *\n")))))))
|
|
|
|
|
(service certbot-service-type
|
|
|
|
|
(certbot-configuration (email "admin@metznet.ca")
|
|
|
|
|
(certificates (list (certificate-configuration
|
|
|
|
|
(domains '
|
|
|
|
|
("kerberos.guix.metznet.ca"))))))))
|
|
|
|
|
%metznet-server-services))
|
|
|
|
|
|
|
|
|
|
(define-public kerberos.metznet.ca
|
|
|
|
|
(operating-system
|
|
|
|
|
(inherit %metznet-base-server-system)
|
|
|
|
|
(host-name "kerberos.guix.metznet.ca")
|
|
|
|
|
(services
|
|
|
|
|
(append (list (service kdc-service-type
|
|
|
|
|
(kdc-configuration (dbdefaults '("ldap_kerberos_container_dn = cn=kerberos,dc=metznet,dc=ca"))
|
|
|
|
|
(logging '("kdc = SYSLOG:DEBUG:DAEMON"))
|
|
|
|
|
(dbmodules (list (cons
|
|
|
|
|
"openldap_ldapconf"
|
|
|
|
|
(kldap-configuration
|
|
|
|
|
(ldap_kdc_dn
|
|
|
|
|
%kerberos-dn)
|
|
|
|
|
(ldap_kadmind_dn
|
|
|
|
|
%kerberos-dn)
|
|
|
|
|
(ldap_servers
|
|
|
|
|
"ldaps://ldap.metznet.ca")
|
|
|
|
|
(ldap_service_password_file
|
|
|
|
|
(plain-file
|
|
|
|
|
"service.keyfile"
|
|
|
|
|
"uid=kerberos,ou=system,ou=accounts,dc=metznet,dc=ca#{HEX}594459525a793139\n"))))))
|
|
|
|
|
(realms (list (kdc-realm-configuration
|
|
|
|
|
(name
|
|
|
|
|
"METZNET.CA")
|
|
|
|
|
(database_module
|
|
|
|
|
"openldap_ldapconf")
|
|
|
|
|
(default_principal_flags
|
|
|
|
|
"+preauth")
|
|
|
|
|
(acl_file (plain-file
|
|
|
|
|
"kadm5.acl"
|
|
|
|
|
"*/admin@METZNET.CA *\n")))))))
|
|
|
|
|
(service certbot-service-type
|
|
|
|
|
(certbot-configuration (email "admin@metznet.ca")
|
|
|
|
|
(certificates (list (certificate-configuration
|
|
|
|
|
(domains '
|
|
|
|
|
("kerberos.guix.metznet.ca"))))))))
|
|
|
|
|
%metznet-server-services))))
|
|
|
|
|
kerberos-services)))
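Review bot: `ldap_service_password_file` is given as a `plain-file` containing the KDC bind DN followed by a `#{HEX}` value; `plain-file` is written to `/gnu/store`, which is world-readable, and the `#{HEX}` form MIT krb5 uses for this file is plain hex encoding rather than encryption, so the LDAP password for `uid=kerberos,ou=system,...` is recoverable by any local user and by anyone with access to this repository. Replace it with a path to a file provisioned out-of-band, owned by the KDC user with mode 0600, e.g. `(ldap_service_password_file "/etc/krb5kdc/service.keyfile")` (which may require widening the field type beyond `maybe-file-like`), and rotate the credential that has already been committed. Both `ldap_kdc_dn` and `ldap_kadmind_dn` bind as the same `%kerberos-dn`; MIT's guidance is a read-only DN for the KDC and a separate read-write DN for kadmind so a compromised KDC process cannot alter the principal database. `(logging '("kdc = SYSLOG:DEBUG:DAEMON"))` is also very verbose for a production KDC; `SYSLOG:INFO:DAEMON` is the usual level.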