Added openldap user, group and configure service so its not running as root.

nixos/modules/misc/ids.nix

@@ -107,6 +107,7 @@
       redis = 96;
       haproxy = 97;
       mongodb = 98;
+      openldap = 99;
 
       # When adding a uid, make sure it doesn't match an existing gid.
 
@@ -194,6 +195,7 @@
       amule = 90;
       minidlna = 91;
       haproxy = 92;
+      openldap = 93;
 
       # When adding a gid, make sure it doesn't match an existing uid.
 

nixos/modules/services/databases/openldap.nix

@@ -26,6 +26,16 @@ in
         ";
       };
 
+      user = mkOption {
+        default = "openldap";
+        description = "User account under which slapd runs.";
+      };
+
+      group = mkOption {
+        default = "openldap";
+        description = "Group account under which slapd runs.";
+      };
+
       extraConfig = mkOption {
         default = "";
         description = "
@@ -49,10 +59,23 @@ in
       after = [ "network.target" ];
       preStart = ''
         mkdir -p /var/run/slapd
+        chown -R ${cfg.user}:${cfg.group} /var/run/slapd
+        mkdir -p /var/db/openldap
+        chown -R ${cfg.user}:${cfg.group} /var/db/openldap
       '';
-      serviceConfig.ExecStart = "${openldap}/libexec/slapd -d 0 -f ${configFile}";
+      serviceConfig.ExecStart = "${openldap}/libexec/slapd -u openldap -g openldap -d 0 -f ${configFile}";
     };
 
-  };
+    users.extraUsers = optionalAttrs (cfg.user == "openldap") (singleton
+      { name = "openldap";
+        group = "openldap";
+        uid = config.ids.uids.openldap;
+      });
 
+    users.extraGroups = optionalAttrs (cfg.group == "openldap") (singleton
+      { name = "openldap";
+        gid = config.ids.gids.openldap;
+     });
+
+  };
 }