diff --git a/nixos/doc/manual/release-notes/rl-2103.xml b/nixos/doc/manual/release-notes/rl-2103.xml
index 845aa8415040..55c1229a164d 100644
--- a/nixos/doc/manual/release-notes/rl-2103.xml
+++ b/nixos/doc/manual/release-notes/rl-2103.xml
@@ -192,6 +192,24 @@
to migrate. If you continue to use configDir, ensure that
olcPidFile is set to /run/slapd/slapd.pid.
+ As a result, extraConfig and extraDatabaseConfig
+ are removed. To help with migration, you can convert your slapd.conf
+ file to OLC configuration with the following script (find the location of this
+ configuration file by running systemctl status openldap, it is the
+ -f option.
+ TMPDIR=$(mktemp -d)
+ slaptest -f /path/to/slapd.conf $TMPDIR
+ slapcat -F $TMPDIR -n0 -H 'ldap:///???(!(objectClass=olcSchemaConfig))'
+ This will dump your current configuration in LDIF format, which should be
+ straightforward to convert into Nix settings. This does not show your schema
+ configuration, as this is unnecessarily verbose for users of the default schemas
+ and slaptest is buggy with schemas directly in the config file.
diff --git a/nixos/modules/services/databases/openldap.nix b/nixos/modules/services/databases/openldap.nix
index 9de4c7fa41be..fb043df9d60f 100644
--- a/nixos/modules/services/databases/openldap.nix
+++ b/nixos/modules/services/databases/openldap.nix
@@ -4,27 +4,6 @@ with lib;
cfg = config.services.openldap;
openldap = cfg.package;
- configFile = pkgs.writeText "slapd.conf" ((optionalString (cfg.defaultSchemas != null && cfg.defaultSchemas) ''
- include ${openldap}/etc/schema/core.schema
- include ${openldap}/etc/schema/cosine.schema
- include ${openldap}/etc/schema/inetorgperson.schema
- include ${openldap}/etc/schema/nis.schema
- '') + ''
- pidfile /run/slapd/slapd.pid
- ${if cfg.extraConfig != null then cfg.extraConfig else ""}
- database ${cfg.database}
- suffix ${cfg.suffix}
- rootdn ${cfg.rootdn}
- ${if (cfg.rootpw != null) then ''
- rootpw ${cfg.rootpw}
- '' else ''
- include ${cfg.rootpwFile}
- ''}
- directory ${cfg.dataDir}
- ${if cfg.extraDatabaseConfig != null then cfg.extraDatabaseConfig else ""}
- '');
configDir = if cfg.configDir != null then cfg.configDir else "/etc/openldap/slapd.d";
ldapValueType = let
@@ -113,6 +92,12 @@ let
lib.flatten (lib.mapAttrsToList (name: value: attrsToLdif "${name},${dn}" value) children)
in {
+ imports = let
+ deprecationNote = "This option is removed due to the deprecation of `slapd.conf` upstream. Please migrate to `services.openldap.settings`, see the release notes for advice with this process.";
+ in [
+ (lib.mkRemovedOptionModule [ "services" "openldap" "extraConfig" ] deprecationNote)
+ (lib.mkRemovedOptionModule [ "services" "openldap" "extraDatabaseConfig" ] deprecationNote)
+ ];
options = {
services.openldap = {
enable = mkOption {
@@ -280,36 +265,13 @@ in {
type = types.nullOr types.path;
default = null;
description = ''
- Use this optional config directory instead of generating one from the
- settings option.
+ Use this config directory instead of generating one from the
+ settings option. Overrides all NixOS settings. If
+ you use this option,ensure `olcPidFile` is set to `/run/slapd/slapd.conf`.
example = "/var/db/slapd.d";
- # These options are deprecated
- extraConfig = mkOption {
- type = types.lines;
- default = "";
- description = "
- slapd.conf configuration
- ";
- example = literalExample ''
- '''
- include ${openldap}/etc/schema/core.schema
- include ${openldap}/etc/schema/cosine.schema
- include ${openldap}/etc/schema/inetorgperson.schema
- include ${openldap}/etc/schema/nis.schema
- database bdb
- suffix dc=example,dc=org
- rootdn cn=admin,dc=example,dc=org
- # NOTE: change after first start
- rootpw secret
- directory /var/db/openldap
- '''
- '';
- };
declarativeContents = mkOption {
type = with types; either lines (attrsOf lines);
default = {};
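Review bot: The rewritten configDir description tells users to set olcPidFile to `/run/slapd/slapd.conf`, but the pid file this module has always used (the removed `pidfile /run/slapd/slapd.pid` line in the first hunk) and the one the release notes in this same commit ask users to keep is `/run/slapd/slapd.pid`; anyone following the option text as written would point slapd at the wrong pid path. The same sentence is also missing a space after the comma. The line should read ``you use this option, ensure `olcPidFile` is set to `/run/slapd/slapd.pid`.``. The closing lines of this mkOption fall outside the visible hunk.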
@@ -337,41 +299,7 @@ in {
# ...
- extraDatabaseConfig = mkOption {
- type = types.lines;
- default = "";
- description = ''
- slapd.conf configuration after the database option.
- This setting will be ignored if configDir is set.
- '';
- example = ''
- # Indices to maintain for this directory
- # unique id so equality match only
- index uid eq
- # allows general searching on commonname, givenname and email
- index cn,gn,mail eq,sub
- # allows multiple variants on surname searching
- index sn eq,sub
- # sub above includes subintial,subany,subfinal
- # optimise department searches
- index ou eq
- # if searches will include objectClass uncomment following
- # index objectClass eq
- # shows use of default index parameter
- index default eq,sub
- # indices missing - uses default eq,sub
- index telephonenumber
- # other database parameters
- # read more in slapd.conf reference section
- cachesize 10000
- checkpoint 128 15
- '';
- };
meta = {
@@ -404,18 +332,7 @@ in {
newValue = "{ path = \"${cfg.rootpwFile}\"; }";
note = "The file should contain only the password (without \"rootpw \" as before)"; }
- in (optional (cfg.extraConfig != "" || cfg.extraDatabaseConfig != "") ''
- The options `extraConfig` and `extraDatabaseConfig` of `services.openldap`
- are deprecated. This is due to the deprecation of `slapd.conf`
- upstream. Please migrate to `services.openldap.settings`.
- After deploying this configuration, you can run:
- slapcat -F ${configDir} -n0 -H 'ldap:///???(!(objectClass=olcSchemaConfig))'
- on the same host to print your current configuration in LDIF format, which
- should be straightforward to convert into Nix settings. This does not show
- your schema configuration (as this is unnecessarily verbose users of the
- default schemas), so be sure to migrate that as well.
- '') ++ (flatten (map (args@{old, new, ...}: lib.optional ((lib.hasAttr old cfg) && (lib.getAttr old cfg) != null) ''
+ in (flatten (map (args@{old, new, ...}: lib.optional ((lib.hasAttr old cfg) && (lib.getAttr old cfg) != null) ''
The attribute `services.openldap.${old}` is deprecated. Please set it to
`null` and use the following option instead:
@@ -487,35 +404,32 @@ in {
mkdir -p ${lib.escapeShellArg configDir} ${lib.escapeShellArgs (lib.attrValues dataDirs)}
chown "${cfg.user}:${cfg.group}" ${lib.escapeShellArg configDir} ${lib.escapeShellArgs (lib.attrValues dataDirs)}
- ${lib.optionalString (cfg.configDir == null) (
- if (cfg.extraConfig != "" || cfg.extraDatabaseConfig != "") then ''
- rm -Rf ${configDir}/*
- # -u disables config generation, so just ignore the return code
- ${openldap}/bin/slaptest -f ${configFile} -F ${configDir} || true
- '' else ''
- rm -Rf ${configDir}/*
- ${openldap}/bin/slapadd -F ${configDir} -bcn=config -l ${settingsFile}
- ''
- )}
+ ${lib.optionalString (cfg.configDir == null) (''
+ rm -Rf ${configDir}/*
+ ${openldap}/bin/slapadd -F ${configDir} -bcn=config -l ${settingsFile}
+ '')}
chown -R "${cfg.user}:${cfg.group}" ${lib.escapeShellArg configDir}
- ${if types.lines.check cfg.declarativeContents then (let
- dataFile = pkgs.writeText "ldap-contents.ldif" cfg.declarativeContents;
- in ''
- rm -rf ${lib.escapeShellArg cfg.dataDir}/*
- ${openldap}/bin/slapadd -F ${lib.escapeShellArg configDir} -l ${dataFile}
- chown -R "${cfg.user}:${cfg.group}" ${lib.escapeShellArg cfg.dataDir}
- '') else (let
- dataFiles = lib.mapAttrs (dn: contents: pkgs.writeText "${dn}.ldif" contents) cfg.declarativeContents;
- in ''
- ${lib.concatStrings (lib.mapAttrsToList (dn: file: let
- dataDir = lib.escapeShellArg (getAttr dn dataDirs);
+ ${if types.lines.check cfg.declarativeContents
+ then (let
+ dataFile = pkgs.writeText "ldap-contents.ldif" cfg.declarativeContents;
in ''
- rm -rf ${dataDir}/*
- ${openldap}/bin/slapadd -F ${lib.escapeShellArg configDir} -b ${dn} -l ${file}
- chown -R "${cfg.user}:${cfg.group}" ${dataDir}
- '') dataFiles)}
- '')}
+ rm -rf ${lib.escapeShellArg cfg.dataDir}/*
+ ${openldap}/bin/slapadd -F ${lib.escapeShellArg configDir} -l ${dataFile}
+ chown -R "${cfg.user}:${cfg.group}" ${lib.escapeShellArg cfg.dataDir}
+ '')
+ else (let
+ dataFiles = lib.mapAttrs (dn: contents: pkgs.writeText "${dn}.ldif" contents) cfg.declarativeContents;
+ in ''
+ ${lib.concatStrings (lib.mapAttrsToList (dn: file: let
+ dataDir = lib.escapeShellArg (getAttr dn dataDirs);
+ in ''
+ rm -rf ${dataDir}/*
+ ${openldap}/bin/slapadd -F ${lib.escapeShellArg configDir} -b ${dn} -l ${file}
+ chown -R "${cfg.user}:${cfg.group}" ${dataDir}
+ '') dataFiles)}
+ '')
+ }
${openldap}/bin/slaptest -u -F ${lib.escapeShellArg configDir}
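Review bot: In the rewritten optionalString block, `rm -Rf ${configDir}/*` and `slapadd -F ${configDir}` interpolate configDir into the shell unquoted, whereas every other use of it in this script (the mkdir and chown lines above, the slapadd in the declarativeContents branch, and the slaptest line below) goes through lib.escapeShellArg. In this branch cfg.configDir is null, so configDir is the module's literal default and the asymmetry is not currently a problem, but it invites a later edit that passes a user-supplied path through the unquoted form. For consistency: `rm -Rf ${lib.escapeShellArg configDir}/*` and `${openldap}/bin/slapadd -F ${lib.escapeShellArg configDir} -bcn=config -l ${settingsFile}`. The preStart script these lines belong to begins and ends outside the hunk.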
diff --git a/nixos/tests/openldap.nix b/nixos/tests/openldap.nix
index 0c40073735eb..b6dd8f573d5d 100644
--- a/nixos/tests/openldap.nix
+++ b/nixos/tests/openldap.nix
@@ -121,26 +121,4 @@ in {
'' + testScript;
- # extraConfig forces use of slapd.conf, test this until that option is removed
- legacyConfig = import ./make-test-python.nix {
- inherit testScript;
- name = "openldap";
- machine = { pkgs, ... }: {
- services.openldap = {
- enable = true;
- suffix = "dc=example";
- rootdn = "cn=root,dc=example";
- rootpw = "notapassword";
- extraConfig = ''
- # No-op
- '';
- extraDatabaseConfig = ''
- # No-op
- '';
- declarativeContents = dbContents;
- };
- };
- };