nixos/ldap: rename password file options properly

users.ldap.daemon.rootpwmodpw -> users.ldap.daemon.rootpwmodpwFile
users.ldap.bind.password -> users.ldap.bind.passwordFile

Because users.ldap.daemon.rootpwmodpw was never part of a release, no
mkRenamedOptionModule is introduced for it; one is added for users.ldap.bind.password.
This commit is contained in:
Florian Klink 2019-03-27 01:46:19 +01:00
parent 2dc4153633
commit 0a1451afe3
2 changed files with 16 additions and 13 deletions
nixos
modules/config
tests


@ -139,13 +139,13 @@ in
''; '';
}; };
rootpwmodpw = mkOption { rootpwmodpwFile = mkOption {
default = ""; default = "";
example = "/run/keys/nslcd.rootpwmodpw"; example = "/run/keys/nslcd.rootpwmodpw";
type = types.str; type = types.str;
description = '' description = ''
The path to a file containing the credentials with which The path to a file containing the credentials with which to bind to
to bind to the LDAP server if the root user tries to change a user's password the LDAP server if the root user tries to change a user's password.
''; '';
}; };
}; };
@ -161,7 +161,7 @@ in
''; '';
}; };
password = mkOption { passwordFile = mkOption {
default = "/etc/ldap/bind.password"; default = "/etc/ldap/bind.password";
type = types.str; type = types.str;
description = '' description = ''
@ -224,10 +224,10 @@ in
system.activationScripts = mkIf insertLdapPassword { system.activationScripts = mkIf insertLdapPassword {
ldap = stringAfter [ "etc" "groups" "users" ] '' ldap = stringAfter [ "etc" "groups" "users" ] ''
if test -f "${cfg.bind.password}" ; then if test -f "${cfg.bind.passwordFile}" ; then
umask 0077 umask 0077
conf="$(mktemp)" conf="$(mktemp)"
printf 'bindpw %s\n' "$(cat ${cfg.bind.password})" | printf 'bindpw %s\n' "$(cat ${cfg.bind.passwordFile})" |
cat ${ldapConfig.source} - >"$conf" cat ${ldapConfig.source} - >"$conf"
mv -fT "$conf" /etc/ldap.conf mv -fT "$conf" /etc/ldap.conf
fi fi
@ -260,10 +260,10 @@ in
conf="$(mktemp)" conf="$(mktemp)"
{ {
cat ${nslcdConfig.source} cat ${nslcdConfig.source}
test -z '${cfg.bind.distinguishedName}' -o ! -f '${cfg.bind.password}' || test -z '${cfg.bind.distinguishedName}' -o ! -f '${cfg.bind.passwordFile}' ||
printf 'bindpw %s\n' "$(cat '${cfg.bind.password}')" printf 'bindpw %s\n' "$(cat '${cfg.bind.passwordFile}')"
test -z '${cfg.daemon.rootpwmoddn}' -o ! -f '${cfg.daemon.rootpwmodpw}' || test -z '${cfg.daemon.rootpwmoddn}' -o ! -f '${cfg.daemon.rootpwmodpwFile}' ||
printf 'rootpwmodpw %s\n' "$(cat '${cfg.daemon.rootpwmodpw}')" printf 'rootpwmodpw %s\n' "$(cat '${cfg.daemon.rootpwmodpwFile}')"
} >"$conf" } >"$conf"
mv -fT "$conf" /etc/nslcd.conf mv -fT "$conf" /etc/nslcd.conf
''; '';
@ -287,4 +287,8 @@ in
}; };
}; };
imports =
[ (mkRenamedOptionModule [ "users" "ldap" "bind" "password"] [ "users" "ldap" "bind" "passwordFile"])
];
} }
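Review bot: In the nslcd preStart hunk (`test -z '${cfg.bind.distinguishedName}' -o ! -f '${cfg.bind.passwordFile}' || printf 'bindpw %s\n' ...`), a configured bind DN whose passwordFile does not exist is silently dropped from nslcd.conf, so the daemon would presumably start and bind with no password rather than report the misconfiguration; the rename keeps that behaviour. Consider failing loudly instead, e.g. `test -z '${cfg.bind.distinguishedName}' -o -f '${cfg.bind.passwordFile}' || { echo "users.ldap.bind.passwordFile: '${cfg.bind.passwordFile}' not found" >&2; exit 1; }` before the printf. The activation-script hunk also interpolates the path unquoted (`cat ${cfg.bind.passwordFile}`) while the nslcd hunk quotes it (`cat '${cfg.bind.passwordFile}'`); the two should agree, quoting in both. Since both scripts read the file at runtime and embed its contents into a 0600 config, the new `rootpwmodpwFile` and `passwordFile` descriptions should add a sentence such as `The file must be readable only by root and must not live in the Nix store, which is world-readable.`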


@ -28,9 +28,8 @@ let
users.ldap.daemon = { users.ldap.daemon = {
enable = useDaemon; enable = useDaemon;
rootpwmoddn = "cn=admin,${dbSuffix}"; rootpwmoddn = "cn=admin,${dbSuffix}";
rootpwmodpw = "/etc/nslcd.rootpwmodpw"; rootpwmodpwFile = "/etc/nslcd.rootpwmodpw";
}; };
# NOTE: password stored in clear in Nix's store, but this is a test.
environment.etc."nslcd.rootpwmodpw".source = pkgs.writeText "rootpwmodpw" dbAdminPwd; environment.etc."nslcd.rootpwmodpw".source = pkgs.writeText "rootpwmodpw" dbAdminPwd;
users.ldap.loginPam = true; users.ldap.loginPam = true;
users.ldap.nsswitch = true; users.ldap.nsswitch = true;
@ -38,7 +37,7 @@ let
users.ldap.base = "ou=posix,${dbSuffix}"; users.ldap.base = "ou=posix,${dbSuffix}";
users.ldap.bind = { users.ldap.bind = {
distinguishedName = "cn=admin,${dbSuffix}"; distinguishedName = "cn=admin,${dbSuffix}";
password = "/etc/ldap/bind.password"; passwordFile = "/etc/ldap/bind.password";
}; };
# NOTE: password stored in clear in Nix's store, but this is a test. # NOTE: password stored in clear in Nix's store, but this is a test.
environment.etc."ldap/bind.password".source = pkgs.writeText "password" dbAdminPwd; environment.etc."ldap/bind.password".source = pkgs.writeText "password" dbAdminPwd;