nixos/ldap: rename password file options properly
users.ldap.daemon.rootpwmodpw -> users.ldap.daemon.rootpwmodpwFile
users.ldap.bind.password -> users.ldap.bind.passwordFile

As users.ldap.daemon.rootpwmodpw was never part of a release, no mkRenamedOptionModule is introduced for it.
parent
2dc4153633
commit
0a1451afe3
@ -139,13 +139,13 @@ in
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
rootpwmodpw = mkOption {
|
rootpwmodpwFile = mkOption {
|
||||||
default = "";
|
default = "";
|
||||||
example = "/run/keys/nslcd.rootpwmodpw";
|
example = "/run/keys/nslcd.rootpwmodpw";
|
||||||
type = types.str;
|
type = types.str;
|
||||||
description = ''
|
description = ''
|
||||||
The path to a file containing the credentials with which
|
The path to a file containing the credentials with which to bind to
|
||||||
to bind to the LDAP server if the root user tries to change a user's password
|
the LDAP server if the root user tries to change a user's password.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
@ -161,7 +161,7 @@ in
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
password = mkOption {
|
passwordFile = mkOption {
|
||||||
default = "/etc/ldap/bind.password";
|
default = "/etc/ldap/bind.password";
|
||||||
type = types.str;
|
type = types.str;
|
||||||
description = ''
|
description = ''
|
||||||
@ -224,10 +224,10 @@ in
|
|||||||
|
|
||||||
system.activationScripts = mkIf insertLdapPassword {
|
system.activationScripts = mkIf insertLdapPassword {
|
||||||
ldap = stringAfter [ "etc" "groups" "users" ] ''
|
ldap = stringAfter [ "etc" "groups" "users" ] ''
|
||||||
if test -f "${cfg.bind.password}" ; then
|
if test -f "${cfg.bind.passwordFile}" ; then
|
||||||
umask 0077
|
umask 0077
|
||||||
conf="$(mktemp)"
|
conf="$(mktemp)"
|
||||||
printf 'bindpw %s\n' "$(cat ${cfg.bind.password})" |
|
printf 'bindpw %s\n' "$(cat ${cfg.bind.passwordFile})" |
|
||||||
cat ${ldapConfig.source} - >"$conf"
|
cat ${ldapConfig.source} - >"$conf"
|
||||||
mv -fT "$conf" /etc/ldap.conf
|
mv -fT "$conf" /etc/ldap.conf
|
||||||
fi
|
fi
|
||||||
@ -260,10 +260,10 @@ in
|
|||||||
conf="$(mktemp)"
|
conf="$(mktemp)"
|
||||||
{
|
{
|
||||||
cat ${nslcdConfig.source}
|
cat ${nslcdConfig.source}
|
||||||
test -z '${cfg.bind.distinguishedName}' -o ! -f '${cfg.bind.password}' ||
|
test -z '${cfg.bind.distinguishedName}' -o ! -f '${cfg.bind.passwordFile}' ||
|
||||||
printf 'bindpw %s\n' "$(cat '${cfg.bind.password}')"
|
printf 'bindpw %s\n' "$(cat '${cfg.bind.passwordFile}')"
|
||||||
test -z '${cfg.daemon.rootpwmoddn}' -o ! -f '${cfg.daemon.rootpwmodpw}' ||
|
test -z '${cfg.daemon.rootpwmoddn}' -o ! -f '${cfg.daemon.rootpwmodpwFile}' ||
|
||||||
printf 'rootpwmodpw %s\n' "$(cat '${cfg.daemon.rootpwmodpw}')"
|
printf 'rootpwmodpw %s\n' "$(cat '${cfg.daemon.rootpwmodpwFile}')"
|
||||||
} >"$conf"
|
} >"$conf"
|
||||||
mv -fT "$conf" /etc/nslcd.conf
|
mv -fT "$conf" /etc/nslcd.conf
|
||||||
'';
|
'';
|
||||||
@ -287,4 +287,8 @@ in
|
|||||||
};
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|
imports =
|
||||||
|
[ (mkRenamedOptionModule [ "users" "ldap" "bind" "password"] [ "users" "ldap" "bind" "passwordFile"])
|
||||||
|
];
|
||||||
}
|
}
|
||||||
|
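Review bot: In the `@ -224,10 +224,10 @@` hunk the renamed option is interpolated unquoted into the activation script, `printf 'bindpw %s\n' "$(cat ${cfg.bind.passwordFile})" |`, while the `@ -260,10 +260,10 @@` hunk wraps the same value in single quotes, `"$(cat '${cfg.bind.passwordFile}')"`. The guard on the line above is double-quoted, so a path containing whitespace passes `test -f` and then gets word-split inside `cat`; since the rename already touches both lines, harmonizing them to the quoted form (or to `${lib.escapeShellArg cfg.bind.passwordFile}`, given the option is `types.str` and not restricted to safe characters) would be cheap. This quoting looks to predate the commit, so it is a follow-up rather than a regression. A smaller remark on the first hunk: `rootpwmodpwFile` keeps `default = ""` with `type = types.str` as a "not set" sentinel, whereas `types.nullOr types.path` with `default = null` would make the new File-suffixed name match its meaning; the generated `test -z … -o ! -f ''` check would need the corresponding null handling if that is adopted.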
@ -28,9 +28,8 @@ let
|
|||||||
users.ldap.daemon = {
|
users.ldap.daemon = {
|
||||||
enable = useDaemon;
|
enable = useDaemon;
|
||||||
rootpwmoddn = "cn=admin,${dbSuffix}";
|
rootpwmoddn = "cn=admin,${dbSuffix}";
|
||||||
rootpwmodpw = "/etc/nslcd.rootpwmodpw";
|
rootpwmodpwFile = "/etc/nslcd.rootpwmodpw";
|
||||||
};
|
};
|
||||||
# NOTE: password stored in clear in Nix's store, but this is a test.
|
|
||||||
environment.etc."nslcd.rootpwmodpw".source = pkgs.writeText "rootpwmodpw" dbAdminPwd;
|
environment.etc."nslcd.rootpwmodpw".source = pkgs.writeText "rootpwmodpw" dbAdminPwd;
|
||||||
users.ldap.loginPam = true;
|
users.ldap.loginPam = true;
|
||||||
users.ldap.nsswitch = true;
|
users.ldap.nsswitch = true;
|
||||||
@ -38,7 +37,7 @@ let
|
|||||||
users.ldap.base = "ou=posix,${dbSuffix}";
|
users.ldap.base = "ou=posix,${dbSuffix}";
|
||||||
users.ldap.bind = {
|
users.ldap.bind = {
|
||||||
distinguishedName = "cn=admin,${dbSuffix}";
|
distinguishedName = "cn=admin,${dbSuffix}";
|
||||||
password = "/etc/ldap/bind.password";
|
passwordFile = "/etc/ldap/bind.password";
|
||||||
};
|
};
|
||||||
# NOTE: password stored in clear in Nix's store, but this is a test.
|
# NOTE: password stored in clear in Nix's store, but this is a test.
|
||||||
environment.etc."ldap/bind.password".source = pkgs.writeText "password" dbAdminPwd;
|
environment.etc."ldap/bind.password".source = pkgs.writeText "password" dbAdminPwd;
|
||||||
|
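Review bot: The `@ -28,9 +28,8 @@` hunk appears to drop the `# NOTE: password stored in clear in Nix's store, but this is a test.` comment above the `environment.etc."nslcd.rootpwmodpw".source = pkgs.writeText "rootpwmodpw" dbAdminPwd;` line (the hunk header shows one line fewer on the new side), while the identical note above `environment.etc."ldap/bind.password".source` in the `@ -38,7 +37,7 @@` hunk is kept. The secret is still written to the store by `pkgs.writeText` on that line, so the caveat applies to both entries equally; either keep the note on both or move one copy above the `users.ldap.daemon` block so it covers the pair.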