Don't create users if they don't have passwords

lib/fudo/auth/kerberos/kdc.nix

@@ -339,6 +339,8 @@ let
                       "--keytab=${cfg.kdc.secondary.keytabs.hpropd}"
                     ]);
                 in "${startScript}";
+                ExecStartPost =
+                  "chown ${cfg.user}:${cfg.group} ${cfg.kdc.database}";
               };
               unitConfig.ConditionPathExists =
                 [ cfg.kdc.database cfg.kdc.secondary.keytabs.hpropd ];

lib/fudo/ldap.nix

@@ -413,7 +413,11 @@ in {
         };
       };
 
-      declarativeContents = {
+      declarativeContents = let
+        usersWithPasswords =
+          filterAttrs (_: userOpts: userOpts.ldap-hashed-password != null)
+          cfg.users;
+      in {
         "${cfg.base}" = ''
           dn: ${cfg.base}
           objectClass: top
@@ -436,7 +440,7 @@ in {
 
           ${systemUsersLdif cfg.base cfg.system-users}
           ${groupsLdif cfg.base cfg.groups}
-          ${usersLdif cfg.base cfg.groups cfg.users}
+          ${usersLdif cfg.base cfg.groups usersWithPasswords}
         '';
       };
     };