Don't create users if they don't have passwords

2024-01-07 17:51:23 -08:00 · 2024-01-07 17:51:23 -08:00 · 92be492607
parent f7a5a43d30
commit 92be492607
2 changed files with 8 additions and 2 deletions
--- a/lib/fudo/auth/kerberos/kdc.nix
+++ b/lib/fudo/auth/kerberos/kdc.nix
@ -339,6 +339,8 @@ let
                      "--keytab=${cfg.kdc.secondary.keytabs.hpropd}"
                    ]);
                in "${startScript}";
+                ExecStartPost =
+                  "chown ${cfg.user}:${cfg.group} ${cfg.kdc.database}";
              };
              unitConfig.ConditionPathExists =
                [ cfg.kdc.database cfg.kdc.secondary.keytabs.hpropd ];
--- a/lib/fudo/ldap.nix
+++ b/lib/fudo/ldap.nix
@ -413,7 +413,11 @@ in {
        };
      };

-      declarativeContents = {
+      declarativeContents = let
+        usersWithPasswords =
+          filterAttrs (_: userOpts: userOpts.ldap-hashed-password != null)
+          cfg.users;
+      in {
        "${cfg.base}" = ''
          dn: ${cfg.base}
          objectClass: top
@ -436,7 +440,7 @@ in {

          ${systemUsersLdif cfg.base cfg.system-users}
          ${groupsLdif cfg.base cfg.groups}
-          ${usersLdif cfg.base cfg.groups cfg.users}
+          ${usersLdif cfg.base cfg.groups usersWithPasswords}
        '';
      };
    };