|
|
@ -21,7 +21,7 @@
|
|
|
|
#:use-module (gnu packages perl)
|
|
|
|
#:use-module (gnu packages perl)
|
|
|
|
#:use-module (gnu packages tcl)
|
|
|
|
#:use-module (gnu packages tcl)
|
|
|
|
#:use-module (gnu packages readline)
|
|
|
|
#:use-module (gnu packages readline)
|
|
|
|
#:use-module (gnu packages slapd)
|
|
|
|
#:use-module (gnu packages openldap)
|
|
|
|
#:use-module (gnu services)
|
|
|
|
#:use-module (gnu services)
|
|
|
|
#:use-module (gnu services shepherd)
|
|
|
|
#:use-module (gnu services shepherd)
|
|
|
|
#:use-module (gnu services configuration)
|
|
|
|
#:use-module (gnu services configuration)
|
|
|
@ -45,7 +45,7 @@
|
|
|
|
(base32
|
|
|
|
(base32
|
|
|
|
"0bz16sh0vgzlpy2kx5acmpyy181hl83a1alz7wbk06457kfjn0ky"))))
|
|
|
|
"0bz16sh0vgzlpy2kx5acmpyy181hl83a1alz7wbk06457kfjn0ky"))))
|
|
|
|
(build-system gnu-build-system)
|
|
|
|
(build-system gnu-build-system)
|
|
|
|
(native-inputs (list bison perl tcl openldap-slapd)) ;required for some tests
|
|
|
|
(native-inputs (list bison perl tcl openldap)) ;required for some tests
|
|
|
|
(inputs (list openssl readline))
|
|
|
|
(inputs (list openssl readline))
|
|
|
|
(arguments
|
|
|
|
(arguments
|
|
|
|
`( ;XXX: On 32-bit systems, 'kdb5_util' hangs on an fcntl/F_SETLKW call
|
|
|
|
`( ;XXX: On 32-bit systems, 'kdb5_util' hangs on an fcntl/F_SETLKW call
|
|
|
@ -64,7 +64,7 @@
|
|
|
|
"ac_cv_file__etc_environment=yes"
|
|
|
|
"ac_cv_file__etc_environment=yes"
|
|
|
|
"ac_cv_file__etc_TIMEZONE=no")
|
|
|
|
"ac_cv_file__etc_TIMEZONE=no")
|
|
|
|
#:make-flags (list "CFLAGS+=-DDESTRUCTOR_ATTR_WORKS=1"))
|
|
|
|
#:make-flags (list "CFLAGS+=-DDESTRUCTOR_ATTR_WORKS=1"))
|
|
|
|
'(#:configure-flags (list "--with-tls-impl=openssl" "--with-readline" "--with-ldap" "--localstatedir=/var")))
|
|
|
|
'(#:configure-flags (list "--with-readline" "--with-ldap" "--localstatedir=/var")))
|
|
|
|
#:phases (modify-phases %standard-phases
|
|
|
|
#:phases (modify-phases %standard-phases
|
|
|
|
(add-after 'unpack 'enter-source-directory
|
|
|
|
(add-after 'unpack 'enter-source-directory
|
|
|
|
(lambda _
|
|
|
|
(lambda _
|
|
|
@ -129,7 +129,7 @@ cryptography.")
|
|
|
|
(name (string "EXAMPLE.COM") "realm name" serialize-none)
|
|
|
|
(name (string "EXAMPLE.COM") "realm name" serialize-none)
|
|
|
|
(database_module maybe-string "database module")
|
|
|
|
(database_module maybe-string "database module")
|
|
|
|
(acl_file maybe-file-like "acl file")
|
|
|
|
(acl_file maybe-file-like "acl file")
|
|
|
|
(key_stash_file (string "/var/lib/kerberos/stash") "key stash file")
|
|
|
|
(key_stash_file maybe-string "key stash file")
|
|
|
|
(kdc_ports (list-of-ports '(750 88))
|
|
|
|
(kdc_ports (list-of-ports '(750 88))
|
|
|
|
"list of ports to listen on"
|
|
|
|
"list of ports to listen on"
|
|
|
|
realm-serialize-list-of-ports)
|
|
|
|
realm-serialize-list-of-ports)
|
|
|
@ -223,10 +223,6 @@ cryptography.")
|
|
|
|
(define-configuration kdc-configuration
|
|
|
|
(define-configuration kdc-configuration
|
|
|
|
(krb5 (file-like mit-krb5-ldap) "krb5 package to use"
|
|
|
|
(krb5 (file-like mit-krb5-ldap) "krb5 package to use"
|
|
|
|
serialize-none)
|
|
|
|
serialize-none)
|
|
|
|
(pkinit_anchors
|
|
|
|
|
|
|
|
(string "DIR:/run/current-system/profile/etc/ssl/certs/")
|
|
|
|
|
|
|
|
"CA certificate directory/file"
|
|
|
|
|
|
|
|
(serialize-field (lambda (x) x) " "))
|
|
|
|
|
|
|
|
(kdc_ports (list-of-ports '(750 88))
|
|
|
|
(kdc_ports (list-of-ports '(750 88))
|
|
|
|
"list of ports to listen on")
|
|
|
|
"list of ports to listen on")
|
|
|
|
(realms (list-of-kdc-realm-configuration '())
|
|
|
|
(realms (list-of-kdc-realm-configuration '())
|
|
|
@ -253,14 +249,14 @@ cryptography.")
|
|
|
|
(group "kerberos")
|
|
|
|
(group "kerberos")
|
|
|
|
(system? #t)
|
|
|
|
(system? #t)
|
|
|
|
(comment "kdc service account")
|
|
|
|
(comment "kdc service account")
|
|
|
|
(home-directory "/var/lib/kerberos/")
|
|
|
|
(home-directory "/var/lib/krb5kdc/")
|
|
|
|
(shell #~(string-append #$shadow "/sbin/nologin")))))
|
|
|
|
(shell #~(string-append #$shadow "/sbin/nologin")))))
|
|
|
|
|
|
|
|
|
|
|
|
(define (kdc-activation configuration)
|
|
|
|
(define (kdc-activation configuration)
|
|
|
|
#~(begin
|
|
|
|
#~(begin
|
|
|
|
(let ((user (getpw "kerberos"))
|
|
|
|
(let ((user (getpw "kerberos"))
|
|
|
|
(group (getgr "kerberos")))
|
|
|
|
(group (getgr "kerberos")))
|
|
|
|
(mkdir-p/perms "/var/lib/kerberos" user 488))))
|
|
|
|
(mkdir-p/perms "/var/lib/krb5kdc" user 488))))
|
|
|
|
|
|
|
|
|
|
|
|
(define (kdc-etc configuration)
|
|
|
|
(define (kdc-etc configuration)
|
|
|
|
`(("kdc.conf" ,(serialize-kdc-configuration configuration))))
|
|
|
|
`(("kdc.conf" ,(serialize-kdc-configuration configuration))))
|
|
|
@ -269,7 +265,7 @@ cryptography.")
|
|
|
|
; TODO: have to stash the KDC master key with `KRB5_KDC_PROFILE=/etc/kdc.conf kdb5_util stash` on first boot
|
|
|
|
; TODO: have to stash the KDC master key with `KRB5_KDC_PROFILE=/etc/kdc.conf kdb5_util stash` on first boot
|
|
|
|
(define (kdc-shepherd configuration)
|
|
|
|
(define (kdc-shepherd configuration)
|
|
|
|
(list (shepherd-service (documentation "")
|
|
|
|
(list (shepherd-service (documentation "")
|
|
|
|
(provision '(kdc))
|
|
|
|
(provision '(krb5kdc))
|
|
|
|
(requirement '(networking user-processes))
|
|
|
|
(requirement '(networking user-processes))
|
|
|
|
(start #~(make-forkexec-constructor (list #$(file-append
|
|
|
|
(start #~(make-forkexec-constructor (list #$(file-append
|
|
|
|
(kdc-configuration-krb5
|
|
|
|
(kdc-configuration-krb5
|
|
|
@ -283,27 +279,6 @@ cryptography.")
|
|
|
|
#$(kdc-configuration-krb5
|
|
|
|
#$(kdc-configuration-krb5
|
|
|
|
configuration)
|
|
|
|
configuration)
|
|
|
|
"/lib/krb5/plugins/kdb")
|
|
|
|
"/lib/krb5/plugins/kdb")
|
|
|
|
"SSL_CERT_DIR=/etc/ssl/certs"
|
|
|
|
|
|
|
|
"KRB5_KDC_PROFILE=/etc/kdc.conf")
|
|
|
|
|
|
|
|
#:user "root"
|
|
|
|
|
|
|
|
#:group "root"))
|
|
|
|
|
|
|
|
(stop #~(make-kill-destructor)))
|
|
|
|
|
|
|
|
(shepherd-service (documentation "")
|
|
|
|
|
|
|
|
(provision '(kadmind))
|
|
|
|
|
|
|
|
(requirement '(networking user-processes))
|
|
|
|
|
|
|
|
(start #~(make-forkexec-constructor (list #$(file-append
|
|
|
|
|
|
|
|
(kdc-configuration-krb5
|
|
|
|
|
|
|
|
configuration)
|
|
|
|
|
|
|
|
"/sbin/kadmind")
|
|
|
|
|
|
|
|
"-nofork" "-P"
|
|
|
|
|
|
|
|
"/run/kadmind.pid")
|
|
|
|
|
|
|
|
#:environment-variables
|
|
|
|
|
|
|
|
(list (string-append
|
|
|
|
|
|
|
|
"LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:"
|
|
|
|
|
|
|
|
#$(kdc-configuration-krb5
|
|
|
|
|
|
|
|
configuration)
|
|
|
|
|
|
|
|
"/lib/krb5/plugins/kdb")
|
|
|
|
|
|
|
|
"SSL_CERT_DIR=/etc/ssl/certs"
|
|
|
|
|
|
|
|
"KRB5_KDC_PROFILE=/etc/kdc.conf")
|
|
|
|
"KRB5_KDC_PROFILE=/etc/kdc.conf")
|
|
|
|
#:user "root"
|
|
|
|
#:user "root"
|
|
|
|
#:group "root"))
|
|
|
|
#:group "root"))
|
|
|
@ -336,7 +311,7 @@ cryptography.")
|
|
|
|
(kldap-configuration
|
|
|
|
(kldap-configuration
|
|
|
|
(ldap_kdc_dn %kerberos-dn)
|
|
|
|
(ldap_kdc_dn %kerberos-dn)
|
|
|
|
(ldap_kadmind_dn %kerberos-dn)
|
|
|
|
(ldap_kadmind_dn %kerberos-dn)
|
|
|
|
(ldap_servers "ldaps://ldap.metznet.ca")
|
|
|
|
(ldap_servers "ldap://ldap.metznet.ca")
|
|
|
|
(ldap_service_password_file
|
|
|
|
(ldap_service_password_file
|
|
|
|
(plain-file
|
|
|
|
(plain-file
|
|
|
|
"service.keyfile"
|
|
|
|
"service.keyfile"
|
|
|
@ -345,6 +320,8 @@ cryptography.")
|
|
|
|
(name "METZNET.CA")
|
|
|
|
(name "METZNET.CA")
|
|
|
|
(database_module
|
|
|
|
(database_module
|
|
|
|
"openldap_ldapconf")
|
|
|
|
"openldap_ldapconf")
|
|
|
|
|
|
|
|
(key_stash_file
|
|
|
|
|
|
|
|
"/var/lib/krb5kdc/stash")
|
|
|
|
(default_principal_flags
|
|
|
|
(default_principal_flags
|
|
|
|
"+preauth")
|
|
|
|
"+preauth")
|
|
|
|
(acl_file (plain-file
|
|
|
|
(acl_file (plain-file
|
|
|
|