diff --git a/nixos/modules/services/databases/openldap.nix b/nixos/modules/services/databases/openldap.nix
index e884098cb08..a67c61eb994 100644
--- a/nixos/modules/services/databases/openldap.nix
+++ b/nixos/modules/services/databases/openldap.nix
@@ -7,8 +7,10 @@ let
cfg = config.services.openldap;
openldap = pkgs.openldap;
+ dataFile = pkgs.writeText "ldap-contents.ldif" cfg.declarativeContents;
configFile = pkgs.writeText "slapd.conf" cfg.extraConfig;
-
+ configOpts = if cfg.configDir == null then "-f ${configFile}"
+ else "-F ${cfg.configDir}";
in
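Review bot: `dataFile` is built with `pkgs.writeText`, so the whole of `cfg.declarativeContents` lands in `/nix/store`, which is world-readable on the host; any `userPassword` or other credential attributes a user puts in the LDIF are therefore exposed to every local account, not just to the `openldap` user. The same already holds for `configFile` (and thus any `rootpw` in `extraConfig`), but the new option widens it to the directory contents themselves. At minimum add a comment above `dataFile` such as `# NOTE: written to the world-readable Nix store; do not put secrets in declarativeContents` and repeat the warning in the option's description; a later improvement would be to read the LDIF from a root-only path instead.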
{
@@ -81,6 +83,34 @@ in
'''
'';
};
+
+ declarativeContents = mkOption {
+ type = with types; nullOr lines;
+ default = null;
+ description = ''
+ Declarative contents for the LDAP database, in LDIF format.
+
+ Note a few facts when using it. First, the database
+ must be stored in the directory defined by
+ dataDir
. Second, all dataDir
will be erased
+ when starting the LDAP server. Third, modifications to the database
+ are not prevented, they are just dropped on the next reboot of the
+ server. Finally, performance-wise the database and indexes are rebuilt
+ on each server startup, so this will slow down server startup,
+ especially with large databases.
+ '';
+ example = ''
+ dn: dc=example,dc=org
+ objectClass: domain
+ dc: example
+
+ dn: ou=users,dc=example,dc=org
+ objectClass = organizationalUnit
+ ou: users
+
+ # ...
+ '';
+ };
};
};
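Review bot: The `example` for `declarativeContents` contains `objectClass = organizationalUnit`, which is not valid LDIF (attribute/value separator is a colon) and would make `slapadd` reject the file if someone pastes it; it should read `objectClass: organizationalUnit` as the entry above it does. The description also omits that the contents are copied into the Nix store and are readable by all local users, so a sentence like "The contents are placed in the world-readable Nix store; do not include password hashes or other secrets" belongs next to the warning that `dataDir` is erased on startup. Part of the `dataDir` sentence looks garbled by markup extraction in this view, so I have not judged its exact wording.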
@@ -88,7 +118,7 @@ in
###### implementation
- config = mkIf config.services.openldap.enable {
+ config = mkIf cfg.enable {
environment.systemPackages = [ openldap ];
@@ -98,11 +128,21 @@ in
after = [ "network.target" ];
preStart = ''
mkdir -p /var/run/slapd
- chown -R ${cfg.user}:${cfg.group} /var/run/slapd
- mkdir -p ${cfg.dataDir}
- chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir}
+ chown -R "${cfg.user}:${cfg.group}" /var/run/slapd
+ ${optionalString (cfg.declarativeContents != null) ''
+ rm -Rf "${cfg.dataDir}"
+ ''}
+ mkdir -p "${cfg.dataDir}"
+ ${optionalString (cfg.declarativeContents != null) ''
+ ${openldap.out}/bin/slapadd ${configOpts} -l ${dataFile}
+ ''}
+ chown -R "${cfg.user}:${cfg.group}" "${cfg.dataDir}"
'';
- serviceConfig.ExecStart = "${openldap.out}/libexec/slapd -u ${cfg.user} -g ${cfg.group} -d 0 -h \"${concatStringsSep " " cfg.urlList}\" ${if cfg.configDir == null then "-f "+configFile else "-F "+cfg.configDir}";
+ serviceConfig.ExecStart =
+ "${openldap.out}/libexec/slapd -d 0 " +
+ "-u '${cfg.user}' -g '${cfg.group}' " +
+ "-h '${concatStringsSep " " cfg.urlList}' " +
+ "${configOpts}";
};
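Review bot: The new `rm -Rf "${cfg.dataDir}"` in `preStart` runs as root with no guard on the option value, so an empty or `/` `dataDir` (its default is outside this hunk, and it is a free-form user option) would wipe the machine before the error is noticed; a cheap guard before it is `if [ -z "${cfg.dataDir}" ] || [ "${cfg.dataDir}" = "/" ]; then echo "refusing to erase dataDir=${cfg.dataDir}" >&2; exit 1; fi`, or equivalently a module-level `assertions` entry when `declarativeContents != null`. Note also that `slapadd` runs as root here, so the trailing `chown -R` is what makes the root-created database files usable by `${cfg.user}`; that ordering is load-bearing and deserves a one-line comment. When `configDir` is set, `slapadd -F` may also write into `configDir`, whose ownership this block does not fix — worth confirming.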
users.extraUsers.openldap =
diff --git a/nixos/release.nix b/nixos/release.nix
index 2d8b6c6b826..256f7d6fb0f 100644
--- a/nixos/release.nix
+++ b/nixos/release.nix
@@ -325,6 +325,7 @@ in rec {
tests.leaps = callTest tests/leaps.nix { };
tests.nsd = callTest tests/nsd.nix {};
tests.openssh = callTest tests/openssh.nix {};
+ tests.openldap = callTest tests/openldap.nix {};
tests.owncloud = callTest tests/owncloud.nix {};
tests.pam-oath-login = callTest tests/pam-oath-login.nix {};
#tests.panamax = callTestOnTheseSystems ["x86_64-linux"] tests/panamax.nix {};
diff --git a/nixos/tests/openldap.nix b/nixos/tests/openldap.nix
new file mode 100644
index 00000000000..1178701c609
--- /dev/null
+++ b/nixos/tests/openldap.nix
@@ -0,0 +1,35 @@
+import ./make-test.nix {
+ name = "dovecot";
+
+ machine = { pkgs, ... }: {
+ services.openldap = {
+ enable = true;
+ extraConfig = ''
+ include ${pkgs.openldap}/etc/schema/core.schema
+ include ${pkgs.openldap}/etc/schema/cosine.schema
+ include ${pkgs.openldap}/etc/schema/inetorgperson.schema
+ include ${pkgs.openldap}/etc/schema/nis.schema
+ database bdb
+ suffix dc=example
+ directory /var/db/openldap
+ rootdn cn=root,dc=example
+ rootpw notapassword
+ '';
+ declarativeContents = ''
+ dn: dc=example
+ objectClass: domain
+ dc: example
+
+ dn: ou=users,dc=example
+ objectClass: organizationalUnit
+ ou: users
+ '';
+ };
+ };
+
+ testScript = ''
+ $machine->succeed('systemctl status openldap.service');
+ $machine->waitForUnit('openldap.service');
+ $machine->succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword -b "dc=example"');
+ '';
+}