openldap: load client config from /etc, not the nix store

We want OpenLDAP clients to load /etc/ldap.conf at runtime, not
${pkgs.openldap}/etc/ldap.conf, which is always a sample config.

Pass sysconfdir=/etc at compile time, so that /etc/krb5.conf is embedded
in the library as the path of its config file.

Pass sysconfdir=${out}/etc at install time, so that the sample configs
and schema files are correctly included in the build output.

This hack works because the Makefiles are not smart enough to notice
that the sysconfdir variable has changed across invocations -- because
nobody ever writes their Makefiles to be that smart. :-)

Fixes #181937.

authored by Dan Callaghan and committed by Martin Weinelt b30534eb df9f22a8

+20 -6
+18 -5
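--- a/nixos/tests/openldap.nix
+++ b/nixos/tests/openldap.nix
@@ -39,11 +39,23 @@
 olcRootDN: cn=root,dc=example
 olcRootPW: notapassword
 '';
+
+ldapClientConfig = {
+enable = true;
+loginPam = false;
+nsswitch = false;
+server = "ldap://";
+base = "dc=example";
+};
+
 in {
 name = "openldap";
 
 nodes.machine = { pkgs, ... }: {
 environment.etc."openldap/root_password".text = "notapassword";
+
+users.ldap = ldapClientConfig;
+
 services.openldap = {
 enable = true;
 urlList = [ "ldapi:///" "ldap://" ];
@@ -96,6 +108,7 @@
 manualConfigDir = {
 inheritParentConfig = false;
 configuration = { ... }: {
+users.ldap = ldapClientConfig;
 services.openldap = {
 enable = true;
 configDir = "/var/db/slapd.d";
@@ -119,14 +132,14 @@
 with subtest("declarative contents"):
 machine.succeed('${specializations}/declarativeContents/bin/switch-to-configuration test')
 machine.wait_for_unit("openldap.service")
-machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword -b "dc=example"')
+machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword')
 machine.fail('ldapmodify -D cn=root,cn=config -w configpassword -f ${pkgs.writeText "rootpw.ldif" changeRootPw}')
 
 with subtest("mutable config"):
 machine.succeed('${specializations}/mutableConfig/bin/switch-to-configuration test')
-machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword -b "dc=example"')
+machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword')
 machine.succeed('ldapmodify -D cn=root,cn=config -w configpassword -f ${pkgs.writeText "rootpw.ldif" changeRootPw}')
-machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w foobar -b "dc=example"')
+machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w foobar')
 
 with subtest("manual config dir"):
 machine.succeed(
@@ -136,8 +149,8 @@
 'chown -R openldap:openldap /var/db/slapd.d /var/db/openldap',
 '${specializations}/manualConfigDir/bin/switch-to-configuration test',
 )
-machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword -b "dc=example"')
+machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword')
 machine.succeed('ldapmodify -D cn=root,cn=config -w configpassword -f ${pkgs.writeText "rootpw.ldif" changeRootPw}')
-machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w foobar -b "dc=example"')
+machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w foobar')
 '';
 })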
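Review bot: Dropping `-b "dc=example"` from the five `ldapsearch` calls (new lines 135, 140, 142, 152 and 154) makes them the only check that the client picks up its search base from the runtime config, yet nothing in the test says so. A comment before the first call, such as `# no -b: the search base must come from the client config generated by users.ldap`, would stop a later editor from re-adding the flag and silently losing the regression coverage for #181937. Whether `users.ldap` writes exactly /etc/ldap.conf is not visible in these hunks, so confirm that before asserting on the file path directly. The test script begins outside the hunks shown.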
+2 -1
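--- a/pkgs/development/libraries/openldap/default.nix
+++ b/pkgs/development/libraries/openldap/default.nix
@@ -67,7 +67,7 @@
 "STRIP=" # Disable install stripping as it breaks cross-compiling. We strip binaries anyway in fixupPhase.
 "STRIP_OPTS="
 "prefix=${placeholder "out"}"
-"sysconfdir=${placeholder "out"}/etc"
+"sysconfdir=/etc"
 "systemdsystemunitdir=${placeholder "out"}/lib/systemd/system"
 # contrib modules require these
 "moduledir=${placeholder "out"}/lib/modules"
@@ -101,6 +101,7 @@
 
 installFlags = [
 "prefix=${placeholder "out"}"
+"sysconfdir=${placeholder "out"}/etc"
 "moduledir=${placeholder "out"}/lib/modules"
 "INSTALL=install"
 ];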
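Review bot: The two `sysconfdir` values now disagree on purpose, but neither the build-time entry (new line 70) nor the `installFlags` entry (new line 104) carries a comment saying so, so the pair reads like a mistake to the next editor. I would add above line 70 `# Compiled-in path: clients must read /etc/ldap.conf at runtime, not the sample config in $out` and above line 104 `# Install-time only: keep sample configs and schema files in $out/etc`. The compiled-in value presumably also moves every other default derived from sysconfdir, such as the server's default config locations, to /etc, which should be confirmed against the NixOS module. It also means a client built from this package on a non-NixOS host will honour that host's /etc/ldap.conf, including any TLS verification settings there, which is worth recording in the comment or release notes. Both flag lists begin outside the hunks shown.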