From 92be4926074fc06dbe677f3d6738f7a07a67efcf Mon Sep 17 00:00:00 2001
From: niten
Date: Sun, 7 Jan 2024 17:51:23 -0800
Subject: [PATCH] Don't create users if they don't have passwords
---
 lib/fudo/auth/kerberos/kdc.nix | 2 ++
 lib/fudo/ldap.nix | 8 ++++++--
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/lib/fudo/auth/kerberos/kdc.nix b/lib/fudo/auth/kerberos/kdc.nix
index 1a94bef..d7f5fa4 100644
--- a/lib/fudo/auth/kerberos/kdc.nix
+++ b/lib/fudo/auth/kerberos/kdc.nix
@@ -339,6 +339,8 @@ let
 "--keytab=${cfg.kdc.secondary.keytabs.hpropd}"
 ]);
 in "${startScript}";
+ ExecStartPost =
+ "chown ${cfg.user}:${cfg.group} ${cfg.kdc.database}";
 };
 unitConfig.ConditionPathExists =
 [ cfg.kdc.database cfg.kdc.secondary.keytabs.hpropd ];
diff --git a/lib/fudo/ldap.nix b/lib/fudo/ldap.nix
index 68fe77a..7c66ebc 100644
--- a/lib/fudo/ldap.nix
+++ b/lib/fudo/ldap.nix
@@ -413,7 +413,11 @@ in {
 };
 };
- declarativeContents = {
+ declarativeContents = let
+ usersWithPasswords =
+ filterAttrs (_: userOpts: userOpts.ldap-hashed-password != null)
+ cfg.users;
+ in {
 "${cfg.base}" = ''
 dn: ${cfg.base}
 objectClass: top
@@ -436,7 +440,7 @@ in {
 ${systemUsersLdif cfg.base cfg.system-users}
 ${groupsLdif cfg.base cfg.groups}
- ${usersLdif cfg.base cfg.groups cfg.users}
+ ${usersLdif cfg.base cfg.groups usersWithPasswords}
 '';
 };
 };
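Review bot: The `chown` in the added `ExecStartPost` is called by bare name, follows symlinks, and depends on the unit's privilege context, which this hunk does not show. If the unit sets `User=`, the command runs unprivileged and fails unless `cfg.kdc.database` already belongs to `cfg.user`. If it runs as root and the database's parent directory is writable by `cfg.user`, a symlink at that path would redirect the ownership change. Consider `ExecStartPost = "+${pkgs.coreutils}/bin/chown --no-dereference ${cfg.user}:${cfg.group} ${cfg.kdc.database}";` (assuming `pkgs` is in scope here), or set ownership where the database file is created. The change is also unrelated to the commit subject and deserves its own line in the message; the enclosing `serviceConfig` block starts outside the hunk.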
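Review bot: The `usersWithPasswords` predicate rejects only `null`, so a user whose `ldap-hashed-password` is an empty string still gets a directory entry. Whether that produces an empty `userPassword` attribute depends on `usersLdif`, which is outside the hunk. If that is not intended, tighten the test to `userOpts.ldap-hashed-password != null && userOpts.ldap-hashed-password != ""`. Users are also dropped without any trace at evaluation time, so a comment above the binding such as `# Users without an LDAP password hash get no directory entry.` would record the intent.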
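Review bot: `groupsLdif` on the context line above still receives the unfiltered `cfg.groups`, while `usersLdif` now gets `usersWithPasswords`. If groups list their members by name (not visible here), the directory can now hold memberships that point at users with no entry. Any entry later created under the same uid would pick up such a dangling membership. Consider filtering group members against `usersWithPasswords` as well, or asserting at evaluation time that every listed member has a password hash. The enclosing `declarativeContents` string starts outside the hunk.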