From cca9ec2a6649c48dc308b0879728c6e108bd40f1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=A9o=20Gaspard?= Date: Sat, 3 Mar 2018 15:33:01 +0100 Subject: [PATCH 1/3] openldap module: cleanup --- nixos/modules/services/databases/openldap.nix | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/nixos/modules/services/databases/openldap.nix b/nixos/modules/services/databases/openldap.nix index e884098cb08..9c6b33a16bf 100644 --- a/nixos/modules/services/databases/openldap.nix +++ b/nixos/modules/services/databases/openldap.nix @@ -8,7 +8,8 @@ let openldap = pkgs.openldap; configFile = pkgs.writeText "slapd.conf" cfg.extraConfig; - + configOpts = if cfg.configDir == null then "-f ${configFile}" + else "-F ${cfg.configDir}"; in { @@ -88,7 +89,7 @@ in ###### implementation - config = mkIf config.services.openldap.enable { + config = mkIf cfg.enable { environment.systemPackages = [ openldap ]; @@ -98,11 +99,15 @@ in after = [ "network.target" ]; preStart = '' mkdir -p /var/run/slapd - chown -R ${cfg.user}:${cfg.group} /var/run/slapd - mkdir -p ${cfg.dataDir} - chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir} + chown -R "${cfg.user}:${cfg.group}" /var/run/slapd + mkdir -p "${cfg.dataDir}" + chown -R "${cfg.user}:${cfg.group}" "${cfg.dataDir}" ''; - serviceConfig.ExecStart = "${openldap.out}/libexec/slapd -u ${cfg.user} -g ${cfg.group} -d 0 -h \"${concatStringsSep " " cfg.urlList}\" ${if cfg.configDir == null then "-f "+configFile else "-F "+cfg.configDir}"; + serviceConfig.ExecStart = + "${openldap.out}/libexec/slapd -d 0 " + + "-u '${cfg.user}' -g '${cfg.group}' " + + "-h '${concatStringsSep " " cfg.urlList}' " + + "${configOpts}"; }; users.extraUsers.openldap = From aeef7c91f14bfbf0db7527acd36fc550cd37ea65 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=A9o=20Gaspard?= Date: Sat, 3 Mar 2018 15:33:23 +0100 Subject: [PATCH 2/3] openldap module: allow defining contents declaratively --- nixos/modules/services/databases/openldap.nix | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/nixos/modules/services/databases/openldap.nix b/nixos/modules/services/databases/openldap.nix index 9c6b33a16bf..a67c61eb994 100644 --- a/nixos/modules/services/databases/openldap.nix +++ b/nixos/modules/services/databases/openldap.nix @@ -7,6 +7,7 @@ let cfg = config.services.openldap; openldap = pkgs.openldap; + dataFile = pkgs.writeText "ldap-contents.ldif" cfg.declarativeContents; configFile = pkgs.writeText "slapd.conf" cfg.extraConfig; configOpts = if cfg.configDir == null then "-f ${configFile}" else "-F ${cfg.configDir}"; @@ -82,6 +83,34 @@ in ''' ''; }; + + declarativeContents = mkOption { + type = with types; nullOr lines; + default = null; + description = '' + Declarative contents for the LDAP database, in LDIF format. + + Note a few facts when using it. First, the database + must be stored in the directory defined by + dataDir. Second, all dataDir will be erased + when starting the LDAP server. Third, modifications to the database + are not prevented, they are just dropped on the next reboot of the + server. Finally, performance-wise the database and indexes are rebuilt + on each server startup, so this will slow down server startup, + especially with large databases. + ''; + example = '' + dn: dc=example,dc=org + objectClass: domain + dc: example + + dn: ou=users,dc=example,dc=org + objectClass = organizationalUnit + ou: users + + # ... + ''; + }; }; }; @@ -100,7 +129,13 @@ in preStart = '' mkdir -p /var/run/slapd chown -R "${cfg.user}:${cfg.group}" /var/run/slapd + ${optionalString (cfg.declarativeContents != null) '' + rm -Rf "${cfg.dataDir}" + ''} mkdir -p "${cfg.dataDir}" + ${optionalString (cfg.declarativeContents != null) '' + ${openldap.out}/bin/slapadd ${configOpts} -l ${dataFile} + ''} chown -R "${cfg.user}:${cfg.group}" "${cfg.dataDir}" ''; serviceConfig.ExecStart = From b2acbe58b2423c35aa5d20ce3e7ac8135b3a830f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sat, 3 Mar 2018 18:53:16 +0000 Subject: [PATCH 3/3] nixos/openldap: add test --- nixos/release.nix | 1 + nixos/tests/openldap.nix | 35 +++++++++++++++++++++++++++++++++++ 2 files changed, 36 insertions(+) create mode 100644 nixos/tests/openldap.nix diff --git a/nixos/release.nix b/nixos/release.nix index ee7dcd985a3..1cc93248979 100644 --- a/nixos/release.nix +++ b/nixos/release.nix @@ -322,6 +322,7 @@ in rec { tests.leaps = callTest tests/leaps.nix { }; tests.nsd = callTest tests/nsd.nix {}; tests.openssh = callTest tests/openssh.nix {}; + tests.openldap = callTest tests/openldap.nix {}; tests.owncloud = callTest tests/owncloud.nix {}; tests.pam-oath-login = callTest tests/pam-oath-login.nix {}; #tests.panamax = callTestOnTheseSystems ["x86_64-linux"] tests/panamax.nix {}; diff --git a/nixos/tests/openldap.nix b/nixos/tests/openldap.nix new file mode 100644 index 00000000000..1178701c609 --- /dev/null +++ b/nixos/tests/openldap.nix @@ -0,0 +1,35 @@ +import ./make-test.nix { + name = "dovecot"; + + machine = { pkgs, ... }: { + services.openldap = { + enable = true; + extraConfig = '' + include ${pkgs.openldap}/etc/schema/core.schema + include ${pkgs.openldap}/etc/schema/cosine.schema + include ${pkgs.openldap}/etc/schema/inetorgperson.schema + include ${pkgs.openldap}/etc/schema/nis.schema + database bdb + suffix dc=example + directory /var/db/openldap + rootdn cn=root,dc=example + rootpw notapassword + ''; + declarativeContents = '' + dn: dc=example + objectClass: domain + dc: example + + dn: ou=users,dc=example + objectClass: organizationalUnit + ou: users + ''; + }; + }; + + testScript = '' + $machine->succeed('systemctl status openldap.service'); + $machine->waitForUnit('openldap.service'); + $machine->succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword -b "dc=example"'); + ''; +}