aboutsummaryrefslogtreecommitdiff
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013, 2014, 2015, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2013, 2023 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2016, 2021 Leo Famulari <leo@famulari.name>
;;; Copyright © 2017, 2018, 2019, 2021, 2022, 2023 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2019 Mathieu Othacehe <m.othacehe@gmail.com>
;;; Copyright © 2020 Lars-Dominik Braun <ldb@leibniz-psychology.org>
;;; Copyright © 2020 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2021, 2023 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;; Copyright © 2022 Marius Bakke <marius@gnu.org>
;;; Copyright © 2023 Brian Cully <bjc@spork.org>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

(define-module (gnu packages openldap)
  #:use-module (gnu packages autotools)
  #:use-module (gnu packages bash)
  #:use-module (gnu packages check)
  #:use-module (gnu packages compression)
  #:use-module (gnu packages crypto)
  #:use-module (gnu packages cyrus-sasl)
  #:use-module (gnu packages databases)
  #:use-module (gnu packages dbm)
  #:use-module (gnu packages documentation)
  #:use-module (gnu packages gettext)
  #:use-module (gnu packages gnupg)
  #:use-module (gnu packages groff)
  #:use-module (gnu packages icu4c)
  #:use-module (gnu packages kerberos)
  #:use-module (gnu packages libevent)
  #:use-module (gnu packages linux)
  #:use-module (gnu packages networking)
  #:use-module (gnu packages nss)
  #:use-module (gnu packages password-utils)
  #:use-module (gnu packages pcre)
  #:use-module (gnu packages perl)
  #:use-module (gnu packages pkg-config)
  #:use-module (gnu packages python)
  #:use-module (gnu packages python-xyz)
  #:use-module (gnu packages rsync)
  #:use-module (gnu packages selinux)
  #:use-module (gnu packages time)
  #:use-module (gnu packages tls)
  #:use-module (gnu packages web)
  #:use-module (gnu packages)
  #:use-module ((guix licenses) #:select (openldap2.8 lgpl2.1+ gpl3+ psfl expat))
  #:use-module (guix packages)
  #:use-module (guix gexp)
  #:use-module (guix utils)
  #:use-module (guix download)
  #:use-module (guix git-download)
  #:use-module (guix build-system gnu)
  #:use-module (guix build-system python))

(define-public openldap
  (package
    (name "openldap")
    (version "2.6.4")
    (source (origin
              (method url-fetch)
              ;; See <http://www.openldap.org/software/download/> for a list of
              ;; mirrors.
              (uri (list (string-append
                          "http://repository.linagora.org/OpenLDAP"
                          "/openldap-release/openldap-" version ".tgz")
                         (string-append
                          "https://www.openldap.org/software/download/OpenLDAP/"
                          "openldap-release/openldap-" version ".tgz")
                         (string-append
                          "ftp://ftp.dti.ad.jp/pub/net/OpenLDAP/"
                          "openldap-release/openldap-" version ".tgz")))
              (sha256
               (base32
                "1489li52sjxm1f97v927jxaxzfk6v9sa32ixrw30qhvq07jh85ym"))))
    (build-system gnu-build-system)
    (inputs (list bdb-5.3 cyrus-sasl gnutls libgcrypt zlib))
    (native-inputs (list libtool groff bdb-5.3))
    (arguments
     (list
      #:tests? #f
      #:configure-flags
      #~(list "--disable-static"
              #$@(if (%current-target-system)
                     '("--with-yielding_select=yes"
                       "ac_cv_func_memcmp_working=yes")
                     '()))
      ;; Disable install stripping as it breaks cross-compiling.
      #:make-flags
      #~(list "STRIP=")
      #:phases
      #~(modify-phases %standard-phases
          #$@(if (%current-target-system)
                 '((add-before 'configure 'fix-cross-gcc
                     (lambda* (#:key target #:allow-other-keys)
                       (setenv "CC" (string-append target "-gcc"))
                       (setenv "STRIP" (string-append target "-strip")))))
                 '()))))
    (synopsis "Implementation of the Lightweight Directory Access Protocol")
    (description
     "OpenLDAP is a free implementation of the Lightweight Directory Access Protocol.")
    (license openldap2.8)
    (home-page "https://www.openldap.org/")))

;; This is an incompatible fork of openldap that adds types needed for
;; liblinphone.
(define-public openldap-for-linphone
  (hidden-package
   (package
     (inherit openldap)
     (name "openldap")
     (version "2.6.4")
     (source (origin
               (method git-fetch)
               (uri (git-reference
                     (url "https://gitlab.linphone.org/BC/public/external/openldap/")
                     (commit "8a885896a3fb88098d970ab96316c0b7f18367b8")))
               (file-name (git-file-name name version))
               (sha256
                (base32
                 "1yd3cnngr5z3nymnml8fynspxgdzap7y7glp601nbkdj67wyg0k8")))))))

(define-public nss-pam-ldapd
  (package
    (name "nss-pam-ldapd")
    (version "0.9.12")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://arthurdejong.org/nss-pam-ldapd/"
                                  "nss-pam-ldapd-" version ".tar.gz"))
              (sha256
               (base32
                "050fzcmxmf6y15dlcffc4gxr3wkk7fliqqwhlwqzbjwk8vkn3mn6"))))
    (build-system gnu-build-system)
    (arguments
     `(#:configure-flags
       (list (string-append "--with-pam-seclib-dir="
                            (assoc-ref %outputs "out") "/lib/security/")
             ;; nslcd cannot be convinced to look at run-time for its
             ;; configuration file at a location that differs from the
             ;; configured location.
             "--with-ldap-conf-file=/etc/nslcd.conf")
       #:phases
       (modify-phases %standard-phases
         ;; This is necessary because we tell nslcd with configure flags that
         ;; it should look for its configuration file at /etc/nslcd.conf.  The
         ;; build system tries to install a default configuration to that very
         ;; location.
         (add-after 'unpack 'override-nslcd.conf-install-path
           (lambda* (#:key outputs #:allow-other-keys)
             (substitute* "Makefile.in"
               (("\\$\\(DESTDIR\\)\\$\\(NSLCD_CONF_PATH\\)")
                (string-append (assoc-ref outputs "out")
                               "/etc/nslcd.conf.example"))))))))
    (inputs
     (list linux-pam openldap mit-krb5 python))
    (home-page "https://arthurdejong.org/nss-pam-ldapd")
    (synopsis "NSS and PAM modules for LDAP")
    (description "nss-pam-ldapd provides a @dfn{Name Service Switch} (NSS)
module that allows your LDAP server to provide user account, group, host name,
alias, netgroup, and basically any other information that you would normally
get from @file{/etc} flat files or NIS.  It also provides a @dfn{Pluggable
Authentication Module} (PAM) to do identity and authentication management with
an LDAP server.")
    (license lgpl2.1+)))

(define-public python-ldap
  (package
    (name "python-ldap")
    (version "3.4.3")
    (source
     (origin
       (method url-fetch)
       (uri (pypi-uri "python-ldap" version))
       (sha256
        (base32
         "1872bvrakypb96wrsf932f3xflnbqniiyf8h58x48apgl0cwa9mb"))))
    (build-system python-build-system)
    (arguments
     '(#:phases
       (modify-phases %standard-phases
         (add-after 'unpack 'configure-openldap-locations
           (lambda* (#:key inputs #:allow-other-keys)
             (let ((slapd (search-input-file inputs "libexec/slapd"))
                   (schema (search-input-directory
                            inputs "etc/openldap/schema")))
               (setenv "SLAPD" slapd)
               (setenv "SCHEMA" schema)))))))
    (inputs
     (list openldap cyrus-sasl mit-krb5))
    (propagated-inputs
     (list python-pyasn1 python-pyasn1-modules))
    (home-page "https://www.python-ldap.org/")
    (synopsis "Python modules for implementing LDAP clients")
    (description
     "This package provides an object-oriented API to access LDAP directory
servers from Python programs.")
    (license psfl)))

(define-public 389-ds-base
  (package
    (name "389-ds-base")
    ;; More recent versions require rust.  That's not bad, but it's a
    ;; challenge to integrate three build systems.
    (version "2.2.2")
    (source (origin
              (method git-fetch)
              (uri (git-reference
                    (url "https://github.com/389ds/389-ds-base")
                    (commit (string-append "389-ds-base-" version))))
              (file-name (git-file-name name version))
              (sha256
               (base32
                "1sdvfbjfg0091f47562gw3gdc2vgvvhyhdi21lrpwnw9lqc8xdxk"))
              (modules '((guix build utils)))
              (snippet
               ;; Put '#define f_type' after '#include <sys/statvfs.h>' to
               ;; avoid name conflict.
               '(substitute* "ldap/servers/slapd/slap.h"
                  (("#include <sys/types\\.h>")
                   "#include <sys/types.h>
#include <sys/statvfs.h>")))))
    (build-system gnu-build-system)
    (arguments
     (list
      #:modules '((srfi srfi-1)
                  (guix build gnu-build-system)
                  ((guix build python-build-system)
                   #:select (add-installed-pythonpath python-version))
                  (guix build utils))
      #:imported-modules `((guix build python-build-system)
                           ,@%default-gnu-imported-modules)
      #:disallowed-references (list httpd)
      #:configure-flags
      #~(list "--enable-cmocka"
              (string-append "--with-db="
                             #$(this-package-input "bdb"))
              (string-append "--with-netsnmp="
                             #$(this-package-input "net-snmp"))
              (string-append "--with-selinux="
                             #$(this-package-input "libselinux"))
              "--localstatedir=/var"
              "--with-instconfigdir=/etc/dirsrv")
      #:phases
      #~(modify-phases %standard-phases
          (add-after 'unpack 'fix-references
            (lambda _
              ;; Avoid dependency on systemd-detect-virt
              (substitute* "src/lib389/lib389/instance/setup.py"
                (("container_result = subprocess.*") "container_result = 1\n")
                (("container_result.returncode") "container_result"))
              (substitute* "ldap/servers/plugins/sync/sync_persist.c"
                (("nspr4") "nspr"))
              (substitute* "src/lib389/lib389/utils.py"
                (("'/sbin/ip'")
                 (string-append "'" (which "ip") "'")))
              (substitute* "src/lib389/lib389/nss_ssl.py"
                (("'/usr/bin/certutil'")
                 (string-append "'" (which "certutil") "'"))
                (("'/usr/bin/openssl'")
                 (string-append "'" (which "openssl") "'")))))
          (add-after 'unpack 'overwrite-default-locations
            (lambda _
              (substitute* "src/lib389/lib389/paths.py"
                (("/usr/share/dirsrv/inf/defaults.inf")
                 (string-append #$output "/share/dirsrv/inf/defaults.inf")))
              ;; This directory can only be specified relative to sysconfdir.  This
              ;; is used to determine where to look for installed directory
              ;; servers, so in the absence of a search path it needs to be global.
              (substitute* "ldap/admin/src/defaults.inf.in"
                (("^initconfig_dir =.*")
                 "initconfig_dir = /etc/dirsrv/registry\n"))
              ;; This is used to determine where to write certificate files
              ;; when installing new directory server instances.
              (substitute* "src/lib389/lib389/instance/setup.py"
                (("etc_dirsrv_path = .*")
                 "etc_dirsrv_path = '/etc/dirsrv/'\n"))))
          (add-after 'unpack 'fix-install-location-of-python-tools
            (lambda* (#:key inputs outputs #:allow-other-keys)
              (let ((pythondir (string-append
                                #$output "/lib/python"
                                (python-version #$(this-package-input "python"))
                                "/site-packages/")))
                ;; Install directory must be on PYTHONPATH.
                (add-installed-pythonpath inputs outputs)
                ;; Install directory must exist.
                (mkdir-p pythondir)
                (setenv "INSTALL_PREFIX" #$output)
                (substitute* "Makefile.am"
                  (("setup.py install --skip-build" m)
                   (string-append
                    m " --prefix=" #$output
                    " --root=/ --single-version-externally-managed"))))))
          (add-after 'build 'build-python-tools
            (lambda* (#:key make-flags #:allow-other-keys)
              ;; Set DETERMINISTIC_BUILD to override the embedded mtime in pyc
              ;; files.
              (setenv "DETERMINISTIC_BUILD" "1")
              ;; Use deterministic hashes for strings, bytes, and datetime
              ;; objects.
              (setenv "PYTHONHASHSEED" "0")
              (apply invoke "make" "lib389" make-flags)))
          (add-after 'install 'install-python-tools
            (lambda* (#:key make-flags #:allow-other-keys)
              (apply invoke "make" "lib389-install" make-flags)))
          (add-after 'install-python-tools 'wrap-python-tools
            (lambda* (#:key outputs #:allow-other-keys)
              (let ((pythonpath (getenv "GUIX_PYTHONPATH")))
                (for-each (lambda (file)
                            (wrap-program (string-append #$output file)
                              `("GUIX_PYTHONPATH" ":" prefix (,pythonpath))))
                          '("/sbin/dsconf"
                            "/sbin/dscreate"
                            "/sbin/dsctl"
                            "/sbin/dsidm"
                            "/bin/ds-logpipe.py"
                            "/bin/ds-replcheck"))))))))
    (inputs
     (list bash-minimal
           bdb
           cracklib
           cyrus-sasl
           gnutls
           icu4c
           iproute
           json-c
           libevent
           libselinux
           linux-pam
           libxcrypt
           lmdb
           mit-krb5
           net-snmp
           nspr
           nss
           (list nss "bin")             ;for certutil
           openldap
           openssl                      ;#included by net-snmp
           pcre
           python
           python-pyasn1
           python-pyasn1-modules
           python-pytest
           python-dateutil
           python-six
           python-argcomplete
           python-argparse-manpage
           python-ldap))
    (native-inputs
     (list autoconf
           automake
           cmocka
           doxygen
           gettext-minimal
           httpd
           libtool
           rsync
           pkg-config))
    (home-page "https://directory.fedoraproject.org")
    (synopsis "Enterprise-class LDAP server")
    (description "389ds is an enterprise-class LDAP server.  It is hardened by
real-world use, is full-featured, and supports multi-master replication.

Other features include:

@enumerate
@item Online, zero downtime, LDAP-based update of schema, configuration, and
  management including @dfn{Access Control Information} (ACIs);
@item Asynchronous Multi-Master Replication, to provide fault tolerance and
  high write performance;
@item Extensive documentation;
@item Secure authentication and transport (TLS, and SASL);
@item LDAPv3 compliant server.
@end enumerate\n")
    ;; GPLv3+ with OpenSSL linking exception.
    (license gpl3+)))

(define-public python-bonsai
  (package
    (name "python-bonsai")
    (version "1.2.0")
    (source
     (origin
       (method url-fetch)
       (uri (pypi-uri "bonsai" version))
       (sha256
        (base32
         "013bl6h1m3f7vg1lk89d4vi28wbf31zdcs4f9g8css7ngx63v6px"))))
    (build-system python-build-system)
    (inputs
     (list mit-krb5 cyrus-sasl openldap))
    ;; disabling tests, since they require docker and extensive setup
    (arguments `(#:tests? #f))
    (home-page "https://github.com/noirello/bonsai")
    (synopsis "Access LDAP directory servers from Python")
    (description
     "This is a module for handling LDAP operations in Python.  LDAP entries
are mapped to a special Python case-insensitive dictionary, tracking the
changes of the dictionary to modify the entry on the server easily.")
    (license expat)))