From 9866132d81a9d0a20f9d12f1f1b1e66227057bc3 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Tue, 16 Jan 2007 16:09:43 +0000
Subject: [PATCH] * Generate the LDAP configuration automatically.
svn path=/nixos/trunk/; revision=7698
---
 system/activate-configuration.sh | 2 +-
 system/etc.nix | 25 ++++++++++++++++++--
 system/etc/ldap.conf.nix | 18 +++++++++++++++
 system/options.nix | 39 ++++++++++++++++++++++++++++++++
 system/system.nix | 5 ++--
 5 files changed, 84 insertions(+), 5 deletions(-)
 create mode 100644 system/etc/ldap.conf.nix
diff --git a/system/activate-configuration.sh b/system/activate-configuration.sh
index f10db49da3c..16800cd8f3c 100644
--- a/system/activate-configuration.sh
+++ b/system/activate-configuration.sh
@@ -33,7 +33,7 @@ done
 # Various log directories.
 mkdir -m 0755 -p /var/run
-echo -n > /var/run/utmp # must exist
+touch /var/run/utmp # must exist
 chmod 644 /var/run/utmp
 mkdir -m 0755 -p /var/log
diff --git a/system/etc.nix b/system/etc.nix
index a850a19398b..d0978353d10 100644
--- a/system/etc.nix
+++ b/system/etc.nix
@@ -1,5 +1,12 @@
-{pkgs, upstartJobs, systemPath, wrapperDir}:
+{config, pkgs, upstartJobs, systemPath, wrapperDir}:
+let
+
+ optional = option: file:
+ if config.get option then [file] else [];
+
+in
+
 import ../helpers/make-etc.nix {
 inherit (pkgs) stdenv;
@@ -68,14 +75,28 @@ import ../helpers/make-etc.nix {
 };
 target = "profile";
 }
+ ]
+ # LDAP configuration.
+ ++ (optional ["users" "ldap" "enable"] {
+ source = import etc/ldap.conf.nix {
+ inherit (pkgs) writeText;
+ inherit config;
+ };
+ target = "ldap.conf";
+ })
+
 # A bunch of PAM configuration files for various programs.
 ++ (map (program: {
 source = pkgs.substituteAll {
 src = ./etc/pam.d + ("/" + program);
- inherit (pkgs) pam_unix2 pam_ldap;
+ inherit (pkgs) pam_unix2;
+ pam_ldap =
+ if config.get ["users" "ldap" "enable"]
+ then pkgs.pam_ldap
+ else "/no-such-path";
 };
 target = "pam.d/" + program;
 }
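Review bot: The comment `# must exist` no longer describes the line: `touch` leaves whatever is already in `/var/run/utmp` intact, whereas the previous redirection emptied the file every time this script ran, so re-activating a running system no longer wipes the live login records. If that is the intent, record it, e.g. `touch /var/run/utmp # must exist; do not truncate, it may hold live session records`. Both forms follow an existing symlink at that path; the `mkdir -m 0755` just above means only root can place one there, which is fine today but worth remembering if the directory mode is ever relaxed.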
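Review bot: Disabling LDAP by substituting the placeholder `/no-such-path` for `@pam_ldap@` leaves every generated `pam.d/*` file referencing a module that cannot be loaded, and in Linux-PAM what happens then depends on the control flag of that line: a `sufficient` entry is skipped (with an error logged on every authentication), while a `required` or `requisite` entry fails the whole stack. The `pam.d` templates are not in this diff so I cannot confirm which flags they use; if any is stricter than `sufficient`, the robust shape is to omit the pam_ldap line from the generated file when `users.ldap.enable` is false rather than relying on a bogus path. At minimum the magic string needs a comment, e.g. `# Deliberately non-existent: makes the @pam_ldap@ lines in pam.d/* fail to load when LDAP is disabled`. The `make-etc.nix` argument this list belongs to starts and ends outside the hunk.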
diff --git a/system/etc/ldap.conf.nix b/system/etc/ldap.conf.nix
new file mode 100644
index 00000000000..5a3b227e2d5
--- /dev/null
+++ b/system/etc/ldap.conf.nix
@@ -0,0 +1,18 @@
+{writeText, config}:
+
+# Careful: OpenLDAP seems to be very picky about the indentation of
+# this file. Directives HAVE to start in the first column!
+
+writeText "ldap.conf" "
+
+uri ${config.get ["users" "ldap" "server"]}
+base ${config.get ["users" "ldap" "base"]}
+
+${
+if config.get ["users" "ldap" "useTLS"] then "
+ssl start_tls
+tls_checkpeer no
+" else ""
+}
+
+"
diff --git a/system/options.nix b/system/options.nix
index 6216025c45b..0debe2f83de 100644
--- a/system/options.nix
+++ b/system/options.nix
@@ -533,4 +533,43 @@
 }
+ {
+ name = ["users" "ldap" "enable"];
+ default = false;
+ description = "
+ Whether to enable authentication against an LDAP server.
+ ";
+ }
+
+
+ {
+ name = ["users" "ldap" "server"];
+ example = "ldap://ldap.example.org/";
+ description = "
+ The URL of the LDAP server.
+ ";
+ }
+
+
+ {
+ name = ["users" "ldap" "base"];
+ example = "dc=example,dc=org";
+ description = "
+ The distinguished name of the search base.
+ ";
+ }
+
+
+ {
+ name = ["users" "ldap" "useTLS"];
+ default = false;
+ description = "
+ If enabled, use TLS (encryption) over an LDAP (port 389)
+ connection. The alternative is to specify an LDAPS server (port
+ 636) in or to forego
+ security.
+ ";
+ }
+
+
 ]
diff --git a/system/system.nix b/system/system.nix
index 94e28b21626..e5a30e0d07f 100644
--- a/system/system.nix
+++ b/system/system.nix
@@ -116,7 +116,8 @@ rec {
 # NSS modules. Hacky!
- nssModules = [pkgs.nss_ldap];
+ nssModules =
+ if config.get ["users" "ldap" "enable"] then [pkgs.nss_ldap] else [];
 nssModulesPath = pkgs.lib.concatStrings (pkgs.lib.intersperse ":" (map (mod: mod + "/lib") nssModules));
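Review bot: `tls_checkpeer no` on the `useTLS` branch disables verification of the LDAP server's certificate, so the STARTTLS session is encrypted but the peer is not authenticated: whoever can steer traffic for the configured `uri` can present any certificate and receive the bind credentials pam_ldap sends, and the `users.ldap.useTLS` description in `options.nix` ("TLS (encryption)") does not tell the administrator this. The safer default is `tls_checkpeer yes` plus a `tls_cacertfile` directive fed from a new option (name to be decided), with `no` available only as an explicit opt-out; failing that, put a comment above the directive, e.g. `# tls_checkpeer no: the server certificate is NOT verified; this only protects against passive eavesdropping`. Separately, the `server` and `base` values are interpolated verbatim, so a value containing a newline would become further directives; they are administrator-controlled, so this is a robustness point, but the generator could reject values that contain a newline.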
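Review bot: With `users.ldap.useTLS` defaulting to `false`, setting `users.ldap.enable = true` on its own makes pam_ldap and nss_ldap talk to the server over plain LDAP, and the `enable` description does not say that passwords then cross the network in clear text; the `useTLS` text does call this "forego security", but only at the end of a different option. Suggest one sentence in the `enable` description: `Unless users.ldap.useTLS is set or an ldaps:// URI is given in users.ldap.server, credentials are sent in clear text.` The `useTLS` text presents LDAPS as the alternative, yet the generated `ldap.conf` emits `ssl start_tls` whenever `useTLS` is true, which is unlikely to work against an `ldaps://` URI, so the description should say to choose one or the other. `server` and `base` carry no `default`, so what `config.get` does when `enable` is true but they are unset is not visible here; worth confirming it is a clear evaluation error rather than an empty `uri` line.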
@@ -130,7 +131,7 @@ rec {
 # The static parts of /etc.
 etc = import ./etc.nix {
- inherit pkgs upstartJobs systemPath wrapperDir;
+ inherit config pkgs upstartJobs systemPath wrapperDir;
 };