From 0a1451afe366873890c1df7a2fc6532ccc39f6bf Mon Sep 17 00:00:00 2001 From: Florian Klink Date: Wed, 27 Mar 2019 01:46:19 +0100 Subject: [PATCH 1/2] nixos/ldap: rename password file options properly users.ldap.daemon.rootpwmodpw -> users.ldap.daemon.rootpwmodpwFile users.ldap.bind.password -> users.ldap.bind.passwordFile as users.ldap.daemon.rootpwmodpw never was part of a release, no mkRenamedOptionModule is introduced. --- nixos/modules/config/ldap.nix | 24 ++++++++++++++---------- nixos/tests/ldap.nix | 5 ++--- 2 files changed, 16 insertions(+), 13 deletions(-) diff --git a/nixos/modules/config/ldap.nix b/nixos/modules/config/ldap.nix index f65a3fc50d54..b5f6702f1c68 100644 --- a/nixos/modules/config/ldap.nix +++ b/nixos/modules/config/ldap.nix @@ -139,13 +139,13 @@ in ''; }; - rootpwmodpw = mkOption { + rootpwmodpwFile = mkOption { default = ""; example = "/run/keys/nslcd.rootpwmodpw"; type = types.str; description = '' - The path to a file containing the credentials with which - to bind to the LDAP server if the root user tries to change a user's password + The path to a file containing the credentials with which to bind to + the LDAP server if the root user tries to change a user's password. ''; }; }; @@ -161,7 +161,7 @@ in ''; }; - password = mkOption { + passwordFile = mkOption { default = "/etc/ldap/bind.password"; type = types.str; description = '' @@ -224,10 +224,10 @@ in system.activationScripts = mkIf insertLdapPassword { ldap = stringAfter [ "etc" "groups" "users" ] '' - if test -f "${cfg.bind.password}" ; then + if test -f "${cfg.bind.passwordFile}" ; then umask 0077 conf="$(mktemp)" - printf 'bindpw %s\n' "$(cat ${cfg.bind.password})" | + printf 'bindpw %s\n' "$(cat ${cfg.bind.passwordFile})" | cat ${ldapConfig.source} - >"$conf" mv -fT "$conf" /etc/ldap.conf fi 
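Review bot: The reworded description of `rootpwmodpwFile` (hunk at line 139) still does not say that the file must live outside the Nix store, which is the one thing a user of this option can get badly wrong: anything produced with `pkgs.writeText` or coerced through `types.path` is copied into `/nix/store` and becomes world-readable, which is presumably why the option is `types.str` rather than `types.path`. I would add to the description `This must not be a Nix store path (e.g. from pkgs.writeText), since store paths are world-readable.` and note that the same applies to `users.ldap.bind.passwordFile` in the hunk below.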
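Review bot: In the activation-script hunk at line 224, `"$(cat ${cfg.bind.passwordFile})"` leaves the interpolated path unquoted inside the command substitution, while the `test -f "${cfg.bind.passwordFile}"` two lines above quotes it and the nslcd preStart in the next hunk single-quotes the same value; a path containing whitespace or glob characters would be split here. Use `printf 'bindpw %s\n' "$(cat '${cfg.bind.passwordFile}')" |` so all three places treat the option the same way. The enclosing `stringAfter` script continues outside the hunk.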
@@ -260,10 +260,10 @@ in conf="$(mktemp)" { cat ${nslcdConfig.source} - test -z '${cfg.bind.distinguishedName}' -o ! -f '${cfg.bind.password}' || - printf 'bindpw %s\n' "$(cat '${cfg.bind.password}')" - test -z '${cfg.daemon.rootpwmoddn}' -o ! -f '${cfg.daemon.rootpwmodpw}' || - printf 'rootpwmodpw %s\n' "$(cat '${cfg.daemon.rootpwmodpw}')" + test -z '${cfg.bind.distinguishedName}' -o ! -f '${cfg.bind.passwordFile}' || + printf 'bindpw %s\n' "$(cat '${cfg.bind.passwordFile}')" + test -z '${cfg.daemon.rootpwmoddn}' -o ! -f '${cfg.daemon.rootpwmodpwFile}' || + printf 'rootpwmodpw %s\n' "$(cat '${cfg.daemon.rootpwmodpwFile}')" } >"$conf" mv -fT "$conf" /etc/nslcd.conf ''; @@ -287,4 +287,8 @@ in }; }; + + imports = + [ (mkRenamedOptionModule [ "users" "ldap" "bind" "password"] [ "users" "ldap" "bind" "passwordFile"]) + ]; } diff --git a/nixos/tests/ldap.nix b/nixos/tests/ldap.nix index b3fd42e75886..18a6a2e89feb 100644 --- a/nixos/tests/ldap.nix +++ b/nixos/tests/ldap.nix @@ -28,9 +28,8 @@ let users.ldap.daemon = { enable = useDaemon; rootpwmoddn = "cn=admin,${dbSuffix}"; - rootpwmodpw = "/etc/nslcd.rootpwmodpw"; + rootpwmodpwFile = "/etc/nslcd.rootpwmodpw"; }; - # NOTE: password stored in clear in Nix's store, but this is a test. environment.etc."nslcd.rootpwmodpw".source = pkgs.writeText "rootpwmodpw" dbAdminPwd; users.ldap.loginPam = true; users.ldap.nsswitch = true; @@ -38,7 +37,7 @@ let users.ldap.base = "ou=posix,${dbSuffix}"; users.ldap.bind = { distinguishedName = "cn=admin,${dbSuffix}"; - password = "/etc/ldap/bind.password"; + passwordFile = "/etc/ldap/bind.password"; }; # NOTE: password stored in clear in Nix's store, but this is a test. environment.etc."ldap/bind.password".source = pkgs.writeText "password" dbAdminPwd; From 8817bbefdbe9f54f7ee42e5cef00f386e227bf5d Mon Sep 17 00:00:00 2001 
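Review bot: The `test -z '…DN…' -o ! -f '…File…' ||` guards in the preStart silently omit the `bindpw` / `rootpwmodpw` lines when a DN is configured but the file is absent, so a typo in `passwordFile` yields a config that presents `binddn` with no password instead of a failed start; whether nslcd then binds unauthenticated or errors depends on the server, but either way the operator gets no signal. When the DN is set a missing file is a misconfiguration and should abort ExecStartPre, which under the script's `set -e` (assumed from the NixOS unit wrapper) needs the `cat` to be its own statement rather than an argument of `printf`: `test -z '${cfg.bind.distinguishedName}' || bindpw="$(cat '${cfg.bind.passwordFile}')"` followed by `test -z '${cfg.bind.distinguishedName}' || printf 'bindpw %s\n' "$bindpw"`, and likewise for `rootpwmoddn`. The `preStart` string starts outside this hunk.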
From: Florian Klink Date: Wed, 27 Mar 2019 02:27:57 +0100 Subject: [PATCH 2/2] nixos/ldap: set proper User= and Group= for nslcd service eb90d9700958aefbc7b886f2b524c6d04dc1d80d broke nslcd, as /run/nslcd was created/chowned as root user, while nslcd wants to do parts as nslcd user. This commit changes the nslcd to run with the proper uid/gid from the start (through User= and Group=), so the RuntimeDirectory has proper permissions, too. In some cases, secrets are baked into nslcd's config file during startup (so we don't want to provide it from the store). This config file is normally hard-wired to /etc/nslcd.conf, but we don't want to use PermissionsStartOnly anymore (#56265), and activation scripts are ugly, so redirect /etc/nslcd.conf to /run/nslcd/nslcd.conf, which now gets provisioned inside ExecStartPre=. This change requires the files referenced to in users.ldap.bind.passwordFile and users.ldap.daemon.rootpwmodpwFile to be readable by the nslcd user (in the non-nslcd case, this was already the case for users.ldap.bind.passwordFile) fixes #57783 --- nixos/doc/manual/release-notes/rl-1903.xml | 7 +++ nixos/modules/config/ldap.nix | 63 +++++++++++----------- nixos/tests/ldap.nix | 4 +- 3 files changed, 40 insertions(+), 34 deletions(-) diff --git a/nixos/doc/manual/release-notes/rl-1903.xml b/nixos/doc/manual/release-notes/rl-1903.xml index 7d40637df931..bbd3cf2e9db5 100644 --- a/nixos/doc/manual/release-notes/rl-1903.xml +++ b/nixos/doc/manual/release-notes/rl-1903.xml @@ -516,6 +516,13 @@ Graylog for details. + + + The option users.ldap.bind.password was renamed to users.ldap.bind.passwordFile, + and needs to be readable by the nslcd user. + Same applies to the new users.ldap.daemon.rootpwmodpwFile option. + + diff --git a/nixos/modules/config/ldap.nix b/nixos/modules/config/ldap.nix index b5f6702f1c68..e008497a2a6e 100644 --- a/nixos/modules/config/ldap.nix +++ b/nixos/modules/config/ldap.nix 
@@ -27,25 +27,29 @@ let ''; }; - nslcdConfig = { - target = "nslcd.conf"; - source = writeText "nslcd.conf" '' - uid nslcd - gid nslcd - uri ${cfg.server} - base ${cfg.base} - timelimit ${toString cfg.timeLimit} - bind_timelimit ${toString cfg.bind.timeLimit} - ${optionalString (cfg.bind.distinguishedName != "") - "binddn ${cfg.bind.distinguishedName}" } - ${optionalString (cfg.daemon.rootpwmoddn != "") - "rootpwmoddn ${cfg.daemon.rootpwmoddn}" } - ${optionalString (cfg.daemon.extraConfig != "") cfg.daemon.extraConfig } - ''; - }; + nslcdConfig = writeText "nslcd.conf" '' + uid nslcd + gid nslcd + uri ${cfg.server} + base ${cfg.base} + timelimit ${toString cfg.timeLimit} + bind_timelimit ${toString cfg.bind.timeLimit} + ${optionalString (cfg.bind.distinguishedName != "") + "binddn ${cfg.bind.distinguishedName}" } + ${optionalString (cfg.daemon.rootpwmoddn != "") + "rootpwmoddn ${cfg.daemon.rootpwmoddn}" } + ${optionalString (cfg.daemon.extraConfig != "") cfg.daemon.extraConfig } + ''; - insertLdapPassword = !config.users.ldap.daemon.enable && - config.users.ldap.bind.distinguishedName != ""; + # nslcd normally reads configuration from /etc/nslcd.conf. + # this file might contain secrets. We append those at runtime, + # so redirect its location to something more temporary. + nslcdWrapped = runCommandNoCC "nslcd-wrapped" { nativeBuildInputs = [ makeWrapper ]; } '' + mkdir -p $out/bin + makeWrapper ${nss_pam_ldapd}/sbin/nslcd $out/bin/nslcd \ + --set LD_PRELOAD "${pkgs.libredirect}/lib/libredirect.so" \ + --set NIX_REDIRECTS "/etc/nslcd.conf=/run/nslcd/nslcd.conf" + ''; in 
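Review bot: The comment above `nslcdWrapped` should spell out that the `LD_PRELOAD`/`NIX_REDIRECTS` redirect only affects processes started through this wrapper and that `/etc/nslcd.conf` is no longer created at all, so running the package's `sbin/nslcd` directly (for example `nslcd -d` while debugging) will look for a file that does not exist. Something like `# Only nslcd started via this wrapper sees the redirect; /etc/nslcd.conf is not provisioned, so use $out/bin/nslcd rather than the package binary when debugging.` would save the next reader a confusing failure. It is also worth noting there that the preloaded library is inherited by any child the daemon might spawn, which is harmless for nslcd as far as this file shows but is the kind of thing a future `exec` from the wrapper could trip over.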
@@ -220,9 +224,9 @@ in config = mkIf cfg.enable { - environment.etc = if cfg.daemon.enable then [nslcdConfig] else [ldapConfig]; + environment.etc = optional (!cfg.daemon.enable) ldapConfig; - system.activationScripts = mkIf insertLdapPassword { + system.activationScripts = mkIf (!cfg.daemon.enable) { ldap = stringAfter [ "etc" "groups" "users" ] '' if test -f "${cfg.bind.passwordFile}" ; then umask 0077 @@ -251,7 +255,6 @@ in }; systemd.services = mkIf cfg.daemon.enable { - nslcd = { wantedBy = [ "multi-user.target" ]; @@ -259,28 +262,24 @@ in umask 0077 conf="$(mktemp)" { - cat ${nslcdConfig.source} + cat ${nslcdConfig} test -z '${cfg.bind.distinguishedName}' -o ! -f '${cfg.bind.passwordFile}' || printf 'bindpw %s\n' "$(cat '${cfg.bind.passwordFile}')" test -z '${cfg.daemon.rootpwmoddn}' -o ! -f '${cfg.daemon.rootpwmodpwFile}' || printf 'rootpwmodpw %s\n' "$(cat '${cfg.daemon.rootpwmodpwFile}')" } >"$conf" - mv -fT "$conf" /etc/nslcd.conf + mv -fT "$conf" /run/nslcd/nslcd.conf ''; - - # NOTE: because one cannot pass a custom config path to `nslcd` - # (which is only able to use `/etc/nslcd.conf`) - # changes in `nslcdConfig` won't change `serviceConfig`, - # and thus won't restart `nslcd`. - # Therefore `restartTriggers` is used on `/etc/nslcd.conf`. - restartTriggers = [ nslcdConfig.source ]; + restartTriggers = [ "/run/nslcd/nslcd.conf" ]; serviceConfig = { - ExecStart = "${nss_pam_ldapd}/sbin/nslcd"; + ExecStart = "${nslcdWrapped}/bin/nslcd"; Type = "forking"; - PIDFile = "/run/nslcd/nslcd.pid"; Restart = "always"; + User = "nslcd"; + Group = "nslcd"; RuntimeDirectory = [ "nslcd" ]; + PIDFile = "/run/nslcd/nslcd.pid"; }; }; diff --git a/nixos/tests/ldap.nix b/nixos/tests/ldap.nix index 18a6a2e89feb..fe859876ed25 100644 --- a/nixos/tests/ldap.nix +++ b/nixos/tests/ldap.nix 
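Review bot: In the hunk at line 220, replacing `mkIf insertLdapPassword` with `mkIf (!cfg.daemon.enable)` drops the `bind.distinguishedName != ""` half of the old condition, so on a host without `binddn` but with the default `/etc/ldap/bind.password` present the activation script now appends a `bindpw` line to `/etc/ldap.conf` that the old code left out. If that is not intended, keep the DN check alongside the daemon check: `system.activationScripts = mkIf (!cfg.daemon.enable && cfg.bind.distinguishedName != "") {`. The `stringAfter` script body continues past the end of the hunk.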
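Review bot: With `User = "nslcd"` now applying to ExecStartPre, the `! -f '${cfg.bind.passwordFile}'` / `! -f '${cfg.daemon.rootpwmodpwFile}'` tests in the preStart hunk at line 259 are no longer sufficient: a root-owned 0600 secret file passes `-f`, the subsequent `cat` fails with only a journal message (a failing command substitution inside a `printf` argument does not trip `set -e`), and an empty `bindpw` / `rootpwmodpw` line is written to `/run/nslcd/nslcd.conf`. That is exactly the migration case the commit message warns about, so at minimum change both tests to `-r` (`test -z '${cfg.bind.distinguishedName}' -o ! -r '${cfg.bind.passwordFile}' ||` and the same for `rootpwmodpwFile`), and preferably fail the start when the DN is set and the file is unreadable. Separately, `restartTriggers = [ "/run/nslcd/nslcd.conf" ]` is a constant string and therefore never changes; the unit already restarts when `nslcdConfig` changes because its store path is embedded in ExecStartPre, so either use `restartTriggers = [ nslcdConfig ];` to make the intent explicit or drop the line.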
@@ -30,7 +30,6 @@ let rootpwmoddn = "cn=admin,${dbSuffix}"; rootpwmodpwFile = "/etc/nslcd.rootpwmodpw"; }; - environment.etc."nslcd.rootpwmodpw".source = pkgs.writeText "rootpwmodpw" dbAdminPwd; users.ldap.loginPam = true; users.ldap.nsswitch = true; users.ldap.server = "ldap://server"; @@ -39,8 +38,9 @@ let distinguishedName = "cn=admin,${dbSuffix}"; passwordFile = "/etc/ldap/bind.password"; }; - # NOTE: password stored in clear in Nix's store, but this is a test. + # NOTE: passwords stored in clear in Nix's store, but this is a test. environment.etc."ldap/bind.password".source = pkgs.writeText "password" dbAdminPwd; + environment.etc."nslcd.rootpwmodpw".source = pkgs.writeText "rootpwmodpw" dbAdminPwd; }; in