openldap: load client config from /etc, not the nix store

We want Openldap clients to load /etc/ldap.conf at runtime, not
${pkgs.openldap}/etc/ldap.conf which is always a sample config.

Pass sysconfdir=/etc at compile time, so that /etc/krb5.conf is embedded
in the library as the path of its config file.

Pass sysconfdir=${out}/etc at install time, so that the sample configs
and schema files are correctly included in the build output.

This hack works because the Makefiles are not smart enough to notice
that the sysconfdir variable has changed across invocations -- because
nobody ever writes their Makefiles to be that smart. :-)

Fixes #181937.

authored by Dan Callaghan and committed by Martin Weinelt b30534eb df9f22a8

+20 -6
+18 -5
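--- a/nixos/tests/openldap.nix
+++ b/nixos/tests/openldap.nix
@@ -39,11 +39,23 @@
 olcRootDN: cn=root,dc=example
 olcRootPW: notapassword
 '';
+
+ldapClientConfig = {
+enable = true;
+loginPam = false;
+nsswitch = false;
+server = "ldap://";
+base = "dc=example";
+};
+
 in {
 name = "openldap";
 
 nodes.machine = { pkgs, ... }: {
 environment.etc."openldap/root_password".text = "notapassword";
+
+users.ldap = ldapClientConfig;
+
 services.openldap = {
 enable = true;
 urlList = [ "ldapi:///" "ldap://" ];
@@ -96,6 +108,7 @@
 manualConfigDir = {
 inheritParentConfig = false;
 configuration = { ... }: {
+users.ldap = ldapClientConfig;
 services.openldap = {
 enable = true;
 configDir = "/var/db/slapd.d";
@@ -119,14 +132,14 @@
 with subtest("declarative contents"):
 machine.succeed('${specializations}/declarativeContents/bin/switch-to-configuration test')
 machine.wait_for_unit("openldap.service")
-machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword -b "dc=example"')
+machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword')
 machine.fail('ldapmodify -D cn=root,cn=config -w configpassword -f ${pkgs.writeText "rootpw.ldif" changeRootPw}')
 
 with subtest("mutable config"):
 machine.succeed('${specializations}/mutableConfig/bin/switch-to-configuration test')
-machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword -b "dc=example"')
+machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword')
 machine.succeed('ldapmodify -D cn=root,cn=config -w configpassword -f ${pkgs.writeText "rootpw.ldif" changeRootPw}')
-machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w foobar -b "dc=example"')
+machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w foobar')
 
 with subtest("manual config dir"):
 machine.succeed(
@@ -136,8 +149,8 @@
 'chown -R openldap:openldap /var/db/slapd.d /var/db/openldap',
 '${specializations}/manualConfigDir/bin/switch-to-configuration test',
 )
-machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword -b "dc=example"')
+machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword')
 machine.succeed('ldapmodify -D cn=root,cn=config -w configpassword -f ${pkgs.writeText "rootpw.ldif" changeRootPw}')
-machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w foobar -b "dc=example"')
+machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w foobar')
 '';
 })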
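Review bot: The dropped `-b "dc=example"` on the new ldapsearch lines (135, 140, 142, 152, 154) appears to be the real assertion of this change — they only pass if libldap picks the search base up from the config under /etc — but nothing in the test says so, and a later tidy-up that reinstates `-b` would silently stop exercising the sysconfdir fix. I would comment the new `ldapClientConfig` binding at line 43: `# Written to /etc by users.ldap; the ldapsearch calls below omit -b on purpose so they only succeed if libldap reads its config from /etc rather than the sample copy in the store.` The `mutableConfig` and `declarativeContents` specializations are not given `users.ldap` here, so the test presumably relies on them inheriting it from `nodes.machine` (only `manualConfigDir` sets `inheritParentConfig = false`); their definitions are outside the hunk, so worth confirming.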
+2 -1
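--- a/pkgs/development/libraries/openldap/default.nix
+++ b/pkgs/development/libraries/openldap/default.nix
@@ -67,7 +67,7 @@
 "STRIP=" # Disable install stripping as it breaks cross-compiling. We strip binaries anyway in fixupPhase.
 "STRIP_OPTS="
 "prefix=${placeholder "out"}"
-"sysconfdir=${placeholder "out"}/etc"
+"sysconfdir=/etc"
 "systemdsystemunitdir=${placeholder "out"}/lib/systemd/system"
 # contrib modules require these
 "moduledir=${placeholder "out"}/lib/modules"
@@ -101,6 +101,7 @@
 
 installFlags = [
 "prefix=${placeholder "out"}"
+"sysconfdir=${placeholder "out"}/etc"
 "moduledir=${placeholder "out"}/lib/modules"
 "INSTALL=install"
 ];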
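Review bot: `sysconfdir=/etc` in makeFlags (line 70) and `sysconfdir=${placeholder "out"}/etc` in installFlags (line 104) contradict each other on the face of the file, and the reason — compile with /etc embedded, install into $out — lives only in the commit message, so the next maintainer is likely to "fix" one of them and either break client config lookup or install the sample configs into /etc. I would add above line 70: `# /etc here is deliberate: it is compiled into libldap as the directory of the runtime ldap.conf. installFlags overrides it with $out/etc so the sample configs and schemas still land in the store; the Makefiles do not rebuild when the variable changes.` The compile-time value also becomes slapd's default location for slapd.conf/slapd.d and may be what gets substituted into the include paths of the installed sample slapd.ldif/slapd.conf — worth confirming the samples under $out/etc still reference usable paths. The description says `/etc/krb5.conf`, but what this embeds is libldap's ldap.conf path (under `/etc` or `/etc/openldap`, depending on the ldap_subdir setting, which is outside the hunk) — confirm it matches the file `users.ldap` writes.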