nixos/openldap: Remove extraConfig options
Instead of deprecating, as per PR feedback
This commit is contained in:
parent
2050376cae
commit
3f892c2174
|
@ -192,6 +192,24 @@
|
|||
to migrate. If you continue to use <literal>configDir</literal>, ensure that
|
||||
<literal>olcPidFile</literal> is set to <literal>/run/slapd/slapd.pid</literal>.
|
||||
</para>
|
||||
<para>
|
||||
As a result, <literal>extraConfig</literal> and <literal>extraDatabaseConfig</literal>
|
||||
are removed. To help with migration, you can convert your <literal>slapd.conf</literal>
|
||||
file to OLC configuration with the following script (find the location of this
|
||||
configuration file by running <literal>systemctl status openldap</literal>, it is the
|
||||
<literal>-f</literal> option.
|
||||
</para>
|
||||
<programlisting>
|
||||
TMPDIR=$(mktemp -d)
|
||||
slaptest -f /path/to/slapd.conf $TMPDIR
|
||||
slapcat -F $TMPDIR -n0 -H 'ldap:///???(!(objectClass=olcSchemaConfig))'
|
||||
</programlisting>
|
||||
<para>
|
||||
This will dump your current configuration in LDIF format, which should be
|
||||
straightforward to convert into Nix settings. This does not show your schema
|
||||
configuration, as this is unnecessarily verbose for users of the default schemas
|
||||
and <literal>slaptest</literal> is buggy with schemas directly in the config file.
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
|
|
@ -4,27 +4,6 @@ with lib;
|
|||
let
|
||||
cfg = config.services.openldap;
|
||||
openldap = cfg.package;
|
||||
|
||||
configFile = pkgs.writeText "slapd.conf" ((optionalString (cfg.defaultSchemas != null && cfg.defaultSchemas) ''
|
||||
include ${openldap}/etc/schema/core.schema
|
||||
include ${openldap}/etc/schema/cosine.schema
|
||||
include ${openldap}/etc/schema/inetorgperson.schema
|
||||
include ${openldap}/etc/schema/nis.schema
|
||||
'') + ''
|
||||
pidfile /run/slapd/slapd.pid
|
||||
${if cfg.extraConfig != null then cfg.extraConfig else ""}
|
||||
database ${cfg.database}
|
||||
suffix ${cfg.suffix}
|
||||
rootdn ${cfg.rootdn}
|
||||
${if (cfg.rootpw != null) then ''
|
||||
rootpw ${cfg.rootpw}
|
||||
'' else ''
|
||||
include ${cfg.rootpwFile}
|
||||
''}
|
||||
directory ${cfg.dataDir}
|
||||
${if cfg.extraDatabaseConfig != null then cfg.extraDatabaseConfig else ""}
|
||||
'');
|
||||
|
||||
configDir = if cfg.configDir != null then cfg.configDir else "/etc/openldap/slapd.d";
|
||||
|
||||
ldapValueType = let
|
||||
|
@ -113,6 +92,12 @@ let
|
|||
lib.flatten (lib.mapAttrsToList (name: value: attrsToLdif "${name},${dn}" value) children)
|
||||
);
|
||||
in {
|
||||
imports = let
|
||||
deprecationNote = "This option is removed due to the deprecation of `slapd.conf` upstream. Please migrate to `services.openldap.settings`, see the release notes for advice with this process.";
|
||||
in [
|
||||
(lib.mkRemovedOptionModule [ "services" "openldap" "extraConfig" ] deprecationNote)
|
||||
(lib.mkRemovedOptionModule [ "services" "openldap" "extraDatabaseConfig" ] deprecationNote)
|
||||
];
|
||||
options = {
|
||||
services.openldap = {
|
||||
enable = mkOption {
|
||||
|
@ -280,36 +265,13 @@ in {
|
|||
type = types.nullOr types.path;
|
||||
default = null;
|
||||
description = ''
|
||||
Use this optional config directory instead of generating one from the
|
||||
<literal>settings</literal> option.
|
||||
Use this config directory instead of generating one from the
|
||||
<literal>settings</literal> option. Overrides all NixOS settings. If
|
||||
you use this option,ensure `olcPidFile` is set to `/run/slapd/slapd.conf`.
|
||||
'';
|
||||
example = "/var/db/slapd.d";
|
||||
};
|
||||
|
||||
# These options are deprecated
|
||||
extraConfig = mkOption {
|
||||
type = types.lines;
|
||||
default = "";
|
||||
description = "
|
||||
slapd.conf configuration
|
||||
";
|
||||
example = literalExample ''
|
||||
'''
|
||||
include ${openldap}/etc/schema/core.schema
|
||||
include ${openldap}/etc/schema/cosine.schema
|
||||
include ${openldap}/etc/schema/inetorgperson.schema
|
||||
include ${openldap}/etc/schema/nis.schema
|
||||
|
||||
database bdb
|
||||
suffix dc=example,dc=org
|
||||
rootdn cn=admin,dc=example,dc=org
|
||||
# NOTE: change after first start
|
||||
rootpw secret
|
||||
directory /var/db/openldap
|
||||
'''
|
||||
'';
|
||||
};
|
||||
|
||||
declarativeContents = mkOption {
|
||||
type = with types; either lines (attrsOf lines);
|
||||
default = {};
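Review bot: The configDir description in this hunk tells users to set `olcPidFile` to `/run/slapd/slapd.conf`, which disagrees with the rest of this commit — the release-notes hunk says `/run/slapd/slapd.pid`, and the removed `pidfile /run/slapd/slapd.pid` line in the old configFile used the same `.pid` path — so a user following this description would configure a PID path nothing else in the module expects. The same sentence is missing a space after `option,` and uses Markdown backticks where the neighbouring descriptions use DocBook `<literal>`. Suggested wording: `you use this option, ensure <literal>olcPidFile</literal> is set to <literal>/run/slapd/slapd.pid</literal>.` The description appears twice here because old and new text are printed without +/- markers; the correction applies to the longer, presumably new, wording.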
|
||||
|
@ -337,41 +299,7 @@ in {
|
|||
# ...
|
||||
'';
|
||||
};
|
||||
|
||||
extraDatabaseConfig = mkOption {
|
||||
type = types.lines;
|
||||
default = "";
|
||||
description = ''
|
||||
slapd.conf configuration after the database option.
|
||||
This setting will be ignored if configDir is set.
|
||||
'';
|
||||
example = ''
|
||||
# Indices to maintain for this directory
|
||||
# unique id so equality match only
|
||||
index uid eq
|
||||
# allows general searching on commonname, givenname and email
|
||||
index cn,gn,mail eq,sub
|
||||
# allows multiple variants on surname searching
|
||||
index sn eq,sub
|
||||
# sub above includes subintial,subany,subfinal
|
||||
# optimise department searches
|
||||
index ou eq
|
||||
# if searches will include objectClass uncomment following
|
||||
# index objectClass eq
|
||||
# shows use of default index parameter
|
||||
index default eq,sub
|
||||
# indices missing - uses default eq,sub
|
||||
index telephonenumber
|
||||
|
||||
# other database parameters
|
||||
# read more in slapd.conf reference section
|
||||
cachesize 10000
|
||||
checkpoint 128 15
|
||||
'';
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
meta = {
|
||||
|
@ -404,18 +332,7 @@ in {
|
|||
newValue = "{ path = \"${cfg.rootpwFile}\"; }";
|
||||
note = "The file should contain only the password (without \"rootpw \" as before)"; }
|
||||
];
|
||||
in (optional (cfg.extraConfig != "" || cfg.extraDatabaseConfig != "") ''
|
||||
The options `extraConfig` and `extraDatabaseConfig` of `services.openldap`
|
||||
are deprecated. This is due to the deprecation of `slapd.conf`
|
||||
upstream. Please migrate to `services.openldap.settings`.
|
||||
|
||||
After deploying this configuration, you can run:
|
||||
slapcat -F ${configDir} -n0 -H 'ldap:///???(!(objectClass=olcSchemaConfig))'
|
||||
on the same host to print your current configuration in LDIF format, which
|
||||
should be straightforward to convert into Nix settings. This does not show
|
||||
your schema configuration (as this is unnecessarily verbose users of the
|
||||
default schemas), so be sure to migrate that as well.
|
||||
'') ++ (flatten (map (args@{old, new, ...}: lib.optional ((lib.hasAttr old cfg) && (lib.getAttr old cfg) != null) ''
|
||||
in (flatten (map (args@{old, new, ...}: lib.optional ((lib.hasAttr old cfg) && (lib.getAttr old cfg) != null) ''
|
||||
The attribute `services.openldap.${old}` is deprecated. Please set it to
|
||||
`null` and use the following option instead:
|
||||
|
||||
|
@ -487,35 +404,32 @@ in {
|
|||
mkdir -p ${lib.escapeShellArg configDir} ${lib.escapeShellArgs (lib.attrValues dataDirs)}
|
||||
chown "${cfg.user}:${cfg.group}" ${lib.escapeShellArg configDir} ${lib.escapeShellArgs (lib.attrValues dataDirs)}
|
||||
|
||||
${lib.optionalString (cfg.configDir == null) (
|
||||
if (cfg.extraConfig != "" || cfg.extraDatabaseConfig != "") then ''
|
||||
rm -Rf ${configDir}/*
|
||||
# -u disables config generation, so just ignore the return code
|
||||
${openldap}/bin/slaptest -f ${configFile} -F ${configDir} || true
|
||||
'' else ''
|
||||
rm -Rf ${configDir}/*
|
||||
${openldap}/bin/slapadd -F ${configDir} -bcn=config -l ${settingsFile}
|
||||
''
|
||||
)}
|
||||
${lib.optionalString (cfg.configDir == null) (''
|
||||
rm -Rf ${configDir}/*
|
||||
${openldap}/bin/slapadd -F ${configDir} -bcn=config -l ${settingsFile}
|
||||
'')}
|
||||
chown -R "${cfg.user}:${cfg.group}" ${lib.escapeShellArg configDir}
|
||||
|
||||
${if types.lines.check cfg.declarativeContents then (let
|
||||
dataFile = pkgs.writeText "ldap-contents.ldif" cfg.declarativeContents;
|
||||
in ''
|
||||
rm -rf ${lib.escapeShellArg cfg.dataDir}/*
|
||||
${openldap}/bin/slapadd -F ${lib.escapeShellArg configDir} -l ${dataFile}
|
||||
chown -R "${cfg.user}:${cfg.group}" ${lib.escapeShellArg cfg.dataDir}
|
||||
'') else (let
|
||||
dataFiles = lib.mapAttrs (dn: contents: pkgs.writeText "${dn}.ldif" contents) cfg.declarativeContents;
|
||||
in ''
|
||||
${lib.concatStrings (lib.mapAttrsToList (dn: file: let
|
||||
dataDir = lib.escapeShellArg (getAttr dn dataDirs);
|
||||
${if types.lines.check cfg.declarativeContents
|
||||
then (let
|
||||
dataFile = pkgs.writeText "ldap-contents.ldif" cfg.declarativeContents;
|
||||
in ''
|
||||
rm -rf ${dataDir}/*
|
||||
${openldap}/bin/slapadd -F ${lib.escapeShellArg configDir} -b ${dn} -l ${file}
|
||||
chown -R "${cfg.user}:${cfg.group}" ${dataDir}
|
||||
'') dataFiles)}
|
||||
'')}
|
||||
rm -rf ${lib.escapeShellArg cfg.dataDir}/*
|
||||
${openldap}/bin/slapadd -F ${lib.escapeShellArg configDir} -l ${dataFile}
|
||||
chown -R "${cfg.user}:${cfg.group}" ${lib.escapeShellArg cfg.dataDir}
|
||||
'')
|
||||
else (let
|
||||
dataFiles = lib.mapAttrs (dn: contents: pkgs.writeText "${dn}.ldif" contents) cfg.declarativeContents;
|
||||
in ''
|
||||
${lib.concatStrings (lib.mapAttrsToList (dn: file: let
|
||||
dataDir = lib.escapeShellArg (getAttr dn dataDirs);
|
||||
in ''
|
||||
rm -rf ${dataDir}/*
|
||||
${openldap}/bin/slapadd -F ${lib.escapeShellArg configDir} -b ${dn} -l ${file}
|
||||
chown -R "${cfg.user}:${cfg.group}" ${dataDir}
|
||||
'') dataFiles)}
|
||||
'')
|
||||
}
|
||||
|
||||
${openldap}/bin/slaptest -u -F ${lib.escapeShellArg configDir}
|
||||
'';
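Review bot: In the new config-generation branch, `rm -Rf ${configDir}/*` and `slapadd -F ${configDir} …` interpolate configDir unescaped, while the `chown` two lines below and every other path in this script go through `lib.escapeShellArg`. This branch only runs when `cfg.configDir == null`, in which case configDir is the module's fixed default, so it is not exploitable as written, but the mixed style invites a later edit to interpolate a user-supplied path unescaped; for consistency use `rm -Rf ${lib.escapeShellArg configDir}/*` and `${openldap}/bin/slapadd -F ${lib.escapeShellArg configDir} -bcn=config -l ${settingsFile}`. Separately, the `rm -Rf`/`rm -rf` and `chown -R` steps all run before the only validation step, the `slaptest -u` at the end, so a `settings` value that slapadd rejects presumably leaves an emptied configDir behind; validating before wiping would be safer, though that is a behaviour change beyond this commit. The preStart script these lines belong to begins before this hunk.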
|
||||
|
|
|
@ -121,26 +121,4 @@ in {
|
|||
)
|
||||
'' + testScript;
|
||||
};
|
||||
|
||||
# extraConfig forces use of slapd.conf, test this until that option is removed
|
||||
legacyConfig = import ./make-test-python.nix {
|
||||
inherit testScript;
|
||||
name = "openldap";
|
||||
|
||||
machine = { pkgs, ... }: {
|
||||
services.openldap = {
|
||||
enable = true;
|
||||
suffix = "dc=example";
|
||||
rootdn = "cn=root,dc=example";
|
||||
rootpw = "notapassword";
|
||||
extraConfig = ''
|
||||
# No-op
|
||||
'';
|
||||
extraDatabaseConfig = ''
|
||||
# No-op
|
||||
'';
|
||||
declarativeContents = dbContents;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|