* Generate the LDAP configuration automatically.

svn path=/nixos/trunk/; revision=7698

system/activate-configuration.sh

@@ -33,7 +33,7 @@ done
 # Various log directories.
 mkdir -m 0755 -p /var/run
 
-echo -n > /var/run/utmp # must exist
+touch /var/run/utmp # must exist
 chmod 644 /var/run/utmp
 
 mkdir -m 0755 -p /var/log

system/etc.nix

@@ -1,4 +1,11 @@
-{pkgs, upstartJobs, systemPath, wrapperDir}:
+{config, pkgs, upstartJobs, systemPath, wrapperDir}:
+
+let 
+
+  optional = option: file:
+    if config.get option then [file] else [];
+
+in
     
 import ../helpers/make-etc.nix {
   inherit (pkgs) stdenv;
@@ -68,14 +75,28 @@ import ../helpers/make-etc.nix {
       };
       target = "profile";
     }
+
   ]
 
+  # LDAP configuration.
+  ++ (optional ["users" "ldap" "enable"] {
+    source = import etc/ldap.conf.nix {
+      inherit (pkgs) writeText;
+      inherit config;
+    };
+    target = "ldap.conf";
+  })
+    
   # A bunch of PAM configuration files for various programs.
   ++ (map
     (program:
       { source = pkgs.substituteAll {
           src = ./etc/pam.d + ("/" + program);
-          inherit (pkgs) pam_unix2 pam_ldap;
+          inherit (pkgs) pam_unix2;
+          pam_ldap =
+            if config.get ["users" "ldap" "enable"]
+            then pkgs.pam_ldap
+            else "/no-such-path";
         };
         target = "pam.d/" + program;
       }

system/etc/ldap.conf.nix

@@ -0,0 +1,18 @@
+{writeText, config}:
+
+# Careful: OpenLDAP seems to be very picky about the indentation of
+# this file.  Directives HAVE to start in the first column!
+
+writeText "ldap.conf" "
+
+uri ${config.get ["users" "ldap" "server"]}
+base ${config.get ["users" "ldap" "base"]}
+  
+${
+if config.get ["users" "ldap" "useTLS"] then "
+ssl start_tls
+tls_checkpeer no
+" else ""
+}
+
+"

system/options.nix

@@ -533,4 +533,43 @@
   }
 
   
+  {
+    name = ["users" "ldap" "enable"];
+    default = false;
+    description = "
+      Whether to enable authentication against an LDAP server.
+    ";
+  }
+
+  
+  {
+    name = ["users" "ldap" "server"];
+    example = "ldap://ldap.example.org/";
+    description = "
+      The URL of the LDAP server.
+    ";
+  }
+
+  
+  {
+    name = ["users" "ldap" "base"];
+    example = "dc=example,dc=org";
+    description = "
+      The distinguished name of the search base.
+    ";
+  }
+
+  
+  {
+    name = ["users" "ldap" "useTLS"];
+    default = false;
+    description = "
+      If enabled, use TLS (encryption) over an LDAP (port 389)
+      connection.  The alternative is to specify an LDAPS server (port
+      636) in <option>users.ldap.server</option> or to forego
+      security.
+    ";
+  }
+
+  
 ]

system/system.nix

@@ -116,7 +116,8 @@ rec {
 
 
   # NSS modules.  Hacky!
-  nssModules = [pkgs.nss_ldap];
+  nssModules =
+    if config.get ["users" "ldap" "enable"] then [pkgs.nss_ldap] else [];
 
   nssModulesPath = pkgs.lib.concatStrings (pkgs.lib.intersperse ":" 
     (map (mod: mod + "/lib") nssModules));
@@ -130,7 +131,7 @@ rec {
 
   # The static parts of /etc.
   etc = import ./etc.nix {
-    inherit pkgs upstartJobs systemPath wrapperDir;
+    inherit config pkgs upstartJobs systemPath wrapperDir;
   };