From 47a19416961e0367b929714fcb5251e4d13a1bd0 Mon Sep 17 00:00:00 2001
From: Nicolas Pierron
Date: Sun, 2 Oct 2011 13:24:10 +0000
Subject: [PATCH] LDAP non-anonymous bind.

Patch by Rickard Nilsson.

svn path=/nixos/trunk/; revision=29563
---
 modules/config/ldap.nix | 41 ++++++++++++++++++++++++++++++++++++++---
 1 file changed, 38 insertions(+), 3 deletions(-)

diff --git a/modules/config/ldap.nix b/modules/config/ldap.nix
index 56f693f362e..4c2924b5975 100644
--- a/modules/config/ldap.nix
+++ b/modules/config/ldap.nix
@@ -2,7 +2,7 @@
 ###### interface
 let
-  inherit (pkgs.lib) mkOption mkIf;
+  inherit (pkgs.lib) mkOption mkIf optionalString stringAfter;
   options = {
     users = {
@@ -39,6 +39,27 @@ let
         ";
       };
+      bind = {
+        distinguishedName = mkOption {
+          default = "";
+          example = "cn=admin,dc=example,dc=com";
+          type = with pkgs.lib.types; string;
+          description = "
+            The distinguished name to bind to the LDAP server with. If this
+            is not specified, an anonymous bind will be done.
+          ";
+        };
+
+        password = mkOption {
+          default = "/etc/ldap/bind.password";
+          type = with pkgs.lib.types; string;
+          description = "
+            The path to a file containing the credentials to use when binding
+            to the LDAP server (if not binding anonymously).
+          ";
+        };
+      };
+
     };
   };
 };
@@ -62,10 +83,14 @@ mkIf config.users.ldap.enable {
       uri ${config.users.ldap.server}
       base ${config.users.ldap.base}
-      ${if config.users.ldap.useTLS then ''
+      ${optionalString config.users.ldap.useTLS ''
         ssl start_tls
         tls_checkpeer no
-      '' else ""}
+      ''}
+
+      ${optionalString (config.users.ldap.bind.distinguishedName != "") ''
+        binddn ${config.users.ldap.bind.distinguishedName}
+      ''}
     '';
     target = "ldap.conf";
   }
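Review bot: The `password` option's description in the `@@ -39,6 +39,27 @@` hunk says the file holds the bind credentials but not how they are consumed, which is what the person creating that file needs to know: the activation script in the last hunk reads it with `$(cat …)` and writes the result as a single `bindpw` line into /etc/ldap.conf, so the file must contain only the password and should itself be readable only by root. I would extend the description with `The file should contain only the password, on one line, and be readable only by root; its contents are copied into /etc/ldap.conf at activation time.` The `distinguishedName` description could likewise state that an empty string, not merely an unset value, selects an anonymous bind, since the `!= ""` comparison in the later hunks is what actually decides it.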
@@ -73,4 +98,14 @@ mkIf config.users.ldap.enable {
     ];
   };
+  system.activationScripts.ldap = stringAfter [ "etc" ] (
+    optionalString (config.users.ldap.bind.distinguishedName != "") ''
+      if test -f "${config.users.ldap.bind.password}" ; then
+        echo "bindpw $(cat ${config.users.ldap.bind.password})" | cat /etc/ldap.conf - > /etc/ldap.conf.bindpw
+        mv -fT /etc/ldap.conf.bindpw /etc/ldap.conf
+        chmod 600 /etc/ldap.conf
+      fi
+    ''
+  );
+
 }
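Review bot: The `> /etc/ldap.conf.bindpw` redirect creates the file under whatever umask the activation script runs with, so unless that umask is already restrictive the bind password is readable by other users from that moment until the `chmod 600` two lines later; adding `umask 077` as the first statement inside the `if` (keeping the `chmod` as a second line of defence) closes that window. The `test -f` branch also fails silently when the password file is missing, leaving an ldap.conf with `binddn` but no `bindpw`, so an `else echo "ldap: ${config.users.ldap.bind.password} not found, binding without a password" >&2` would make that visible at activation. Minor: the `cat ${config.users.ldap.bind.password}` argument is unquoted while the `test -f` argument is quoted, so a path with spaces behaves differently in the two places. Since environment.etc in the previous hunk installs /etc/ldap.conf, the `mv -fT` presumably replaces a symlink with a regular file and relies on the etc activation re-creating the link on every switch before this script runs — worth confirming that is the intended lifecycle.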