From 3f892c2174d3e215be2e12d6dacede3cd4db392c Mon Sep 17 00:00:00 2001 From: Kai Wohlfahrt Date: Sun, 13 Sep 2020 23:20:23 +0100 Subject: [PATCH] nixos/openldap: Remove extraConfig options Instead of deprecating, as per PR feedback --- nixos/doc/manual/release-notes/rl-2103.xml | 18 +++ nixos/modules/services/databases/openldap.nix | 152 ++++-------------- nixos/tests/openldap.nix | 22 --- 3 files changed, 51 insertions(+), 141 deletions(-) diff --git a/nixos/doc/manual/release-notes/rl-2103.xml b/nixos/doc/manual/release-notes/rl-2103.xml index 845aa8415040..55c1229a164d 100644 --- a/nixos/doc/manual/release-notes/rl-2103.xml +++ b/nixos/doc/manual/release-notes/rl-2103.xml @@ -192,6 +192,24 @@ to migrate. If you continue to use configDir, ensure that olcPidFile is set to /run/slapd/slapd.pid. + + As a result, extraConfig and extraDatabaseConfig + are removed. To help with migration, you can convert your slapd.conf + file to OLC configuration with the following script (find the location of this + configuration file by running systemctl status openldap, it is the + -f option. + + + TMPDIR=$(mktemp -d) + slaptest -f /path/to/slapd.conf $TMPDIR + slapcat -F $TMPDIR -n0 -H 'ldap:///???(!(objectClass=olcSchemaConfig))' + + + This will dump your current configuration in LDIF format, which should be + straightforward to convert into Nix settings. This does not show your schema + configuration, as this is unnecessarily verbose for users of the default schemas + and slaptest is buggy with schemas directly in the config file. + diff --git a/nixos/modules/services/databases/openldap.nix b/nixos/modules/services/databases/openldap.nix index 9de4c7fa41be..fb043df9d60f 100644 --- a/nixos/modules/services/databases/openldap.nix +++ b/nixos/modules/services/databases/openldap.nix 
@@ -4,27 +4,6 @@ with lib; let cfg = config.services.openldap; openldap = cfg.package; - - configFile = pkgs.writeText "slapd.conf" ((optionalString (cfg.defaultSchemas != null && cfg.defaultSchemas) '' - include ${openldap}/etc/schema/core.schema - include ${openldap}/etc/schema/cosine.schema - include ${openldap}/etc/schema/inetorgperson.schema - include ${openldap}/etc/schema/nis.schema - '') + '' - pidfile /run/slapd/slapd.pid - ${if cfg.extraConfig != null then cfg.extraConfig else ""} - database ${cfg.database} - suffix ${cfg.suffix} - rootdn ${cfg.rootdn} - ${if (cfg.rootpw != null) then '' - rootpw ${cfg.rootpw} - '' else '' - include ${cfg.rootpwFile} - ''} - directory ${cfg.dataDir} - ${if cfg.extraDatabaseConfig != null then cfg.extraDatabaseConfig else ""} - ''); - configDir = if cfg.configDir != null then cfg.configDir else "/etc/openldap/slapd.d"; ldapValueType = let @@ -113,6 +92,12 @@ let lib.flatten (lib.mapAttrsToList (name: value: attrsToLdif "${name},${dn}" value) children) ); in { + imports = let + deprecationNote = "This option is removed due to the deprecation of `slapd.conf` upstream. Please migrate to `services.openldap.settings`, see the release notes for advice with this process."; + in [ + (lib.mkRemovedOptionModule [ "services" "openldap" "extraConfig" ] deprecationNote) + (lib.mkRemovedOptionModule [ "services" "openldap" "extraDatabaseConfig" ] deprecationNote) + ]; options = { services.openldap = { enable = mkOption { 
@@ -280,36 +265,13 @@ in { type = types.nullOr types.path; default = null; description = '' - Use this optional config directory instead of generating one from the - settings option. + Use this config directory instead of generating one from the + settings option. Overrides all NixOS settings. If + you use this option,ensure `olcPidFile` is set to `/run/slapd/slapd.conf`. ''; example = "/var/db/slapd.d"; }; - # These options are deprecated - extraConfig = mkOption { - type = types.lines; - default = ""; - description = " - slapd.conf configuration - "; - example = literalExample '' - ''' - include ${openldap}/etc/schema/core.schema - include ${openldap}/etc/schema/cosine.schema - include ${openldap}/etc/schema/inetorgperson.schema - include ${openldap}/etc/schema/nis.schema - - database bdb - suffix dc=example,dc=org - rootdn cn=admin,dc=example,dc=org - # NOTE: change after first start - rootpw secret - directory /var/db/openldap - ''' - ''; - }; - declarativeContents = mkOption { type = with types; either lines (attrsOf lines); default = {}; 
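Review bot: The rewritten `configDir` description points users at the wrong pid-file path: it says to set `olcPidFile` to `/run/slapd/slapd.conf`, whereas the release note added in this same patch and the removed `pidfile /run/slapd/slapd.pid` line both use `/run/slapd/slapd.pid`, so someone following the option docs would presumably end up with a service whose pid file the unit cannot find. The same line is also missing a space in `option,ensure`. Suggested fix for that line: replace `/run/slapd/slapd.conf` with `/run/slapd/slapd.pid` and write `If you use this option, ensure \`olcPidFile\` is set to \`/run/slapd/slapd.pid\`.`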
@@ -337,41 +299,7 @@ in { # ... ''; }; - - extraDatabaseConfig = mkOption { - type = types.lines; - default = ""; - description = '' - slapd.conf configuration after the database option. - This setting will be ignored if configDir is set. - ''; - example = '' - # Indices to maintain for this directory - # unique id so equality match only - index uid eq - # allows general searching on commonname, givenname and email - index cn,gn,mail eq,sub - # allows multiple variants on surname searching - index sn eq,sub - # sub above includes subintial,subany,subfinal - # optimise department searches - index ou eq - # if searches will include objectClass uncomment following - # index objectClass eq - # shows use of default index parameter - index default eq,sub - # indices missing - uses default eq,sub - index telephonenumber - - # other database parameters - # read more in slapd.conf reference section - cachesize 10000 - checkpoint 128 15 - ''; - }; - }; - }; meta = { 
@@ -404,18 +332,7 @@ in { newValue = "{ path = \"${cfg.rootpwFile}\"; }"; note = "The file should contain only the password (without \"rootpw \" as before)"; } ]; - in (optional (cfg.extraConfig != "" || cfg.extraDatabaseConfig != "") '' - The options `extraConfig` and `extraDatabaseConfig` of `services.openldap` - are deprecated. This is due to the deprecation of `slapd.conf` - upstream. Please migrate to `services.openldap.settings`. - - After deploying this configuration, you can run: - slapcat -F ${configDir} -n0 -H 'ldap:///???(!(objectClass=olcSchemaConfig))' - on the same host to print your current configuration in LDIF format, which - should be straightforward to convert into Nix settings. This does not show - your schema configuration (as this is unnecessarily verbose users of the - default schemas), so be sure to migrate that as well. - '') ++ (flatten (map (args@{old, new, ...}: lib.optional ((lib.hasAttr old cfg) && (lib.getAttr old cfg) != null) '' + in (flatten (map (args@{old, new, ...}: lib.optional ((lib.hasAttr old cfg) && (lib.getAttr old cfg) != null) '' The attribute `services.openldap.${old}` is deprecated. Please set it to `null` and use the following option instead: 
@@ -487,35 +404,32 @@ in { mkdir -p ${lib.escapeShellArg configDir} ${lib.escapeShellArgs (lib.attrValues dataDirs)} chown "${cfg.user}:${cfg.group}" ${lib.escapeShellArg configDir} ${lib.escapeShellArgs (lib.attrValues dataDirs)} - ${lib.optionalString (cfg.configDir == null) ( - if (cfg.extraConfig != "" || cfg.extraDatabaseConfig != "") then '' - rm -Rf ${configDir}/* - # -u disables config generation, so just ignore the return code - ${openldap}/bin/slaptest -f ${configFile} -F ${configDir} || true - '' else '' - rm -Rf ${configDir}/* - ${openldap}/bin/slapadd -F ${configDir} -bcn=config -l ${settingsFile} - '' - )} + ${lib.optionalString (cfg.configDir == null) ('' + rm -Rf ${configDir}/* + ${openldap}/bin/slapadd -F ${configDir} -bcn=config -l ${settingsFile} + '')} chown -R "${cfg.user}:${cfg.group}" ${lib.escapeShellArg configDir} - ${if types.lines.check cfg.declarativeContents then (let - dataFile = pkgs.writeText "ldap-contents.ldif" cfg.declarativeContents; - in '' - rm -rf ${lib.escapeShellArg cfg.dataDir}/* - ${openldap}/bin/slapadd -F ${lib.escapeShellArg configDir} -l ${dataFile} - chown -R "${cfg.user}:${cfg.group}" ${lib.escapeShellArg cfg.dataDir} - '') else (let - dataFiles = lib.mapAttrs (dn: contents: pkgs.writeText "${dn}.ldif" contents) cfg.declarativeContents; - in '' - ${lib.concatStrings (lib.mapAttrsToList (dn: file: let - dataDir = lib.escapeShellArg (getAttr dn dataDirs); + ${if types.lines.check cfg.declarativeContents + then (let + dataFile = pkgs.writeText "ldap-contents.ldif" cfg.declarativeContents; in '' - rm -rf ${dataDir}/* - ${openldap}/bin/slapadd -F ${lib.escapeShellArg configDir} -b ${dn} -l ${file} - chown -R "${cfg.user}:${cfg.group}" ${dataDir} - '') dataFiles)} - '')} + rm -rf ${lib.escapeShellArg cfg.dataDir}/* + ${openldap}/bin/slapadd -F ${lib.escapeShellArg configDir} -l ${dataFile} + chown -R "${cfg.user}:${cfg.group}" ${lib.escapeShellArg cfg.dataDir} + '') + else (let + dataFiles = lib.mapAttrs (dn: contents: 
pkgs.writeText "${dn}.ldif" contents) cfg.declarativeContents; + in '' + ${lib.concatStrings (lib.mapAttrsToList (dn: file: let + dataDir = lib.escapeShellArg (getAttr dn dataDirs); + in '' + rm -rf ${dataDir}/* + ${openldap}/bin/slapadd -F ${lib.escapeShellArg configDir} -b ${dn} -l ${file} + chown -R "${cfg.user}:${cfg.group}" ${dataDir} + '') dataFiles)} + '') + } ${openldap}/bin/slaptest -u -F ${lib.escapeShellArg configDir} ''; diff --git a/nixos/tests/openldap.nix b/nixos/tests/openldap.nix index 0c40073735eb..b6dd8f573d5d 100644 --- a/nixos/tests/openldap.nix +++ b/nixos/tests/openldap.nix @@ -121,26 +121,4 @@ in { ) '' + testScript; }; - - # extraConfig forces use of slapd.conf, test this until that option is removed - legacyConfig = import ./make-test-python.nix { - inherit testScript; - name = "openldap"; - - machine = { pkgs, ... }: { - services.openldap = { - enable = true; - suffix = "dc=example"; - rootdn = "cn=root,dc=example"; - rootpw = "notapassword"; - extraConfig = '' - # No-op - ''; - extraDatabaseConfig = '' - # No-op - ''; - declarativeContents = dbContents; - }; - }; - }; }
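Review bot: In the preStart script the database DN is interpolated unescaped into `slapadd -F ... -b ${dn} -l ${file}`, while the neighbouring paths go through `lib.escapeShellArg`; a DN containing spaces or shell metacharacters (e.g. `cn=Some User,dc=example`) breaks or misparses the command, so this should read `-b ${lib.escapeShellArg dn}`. The now-unconditional `rm -Rf ${configDir}/*` and `slapadd -F ${configDir}` also skip escaping, which is harmless today because that branch only runs when `cfg.configDir` is null and `configDir` is then the literal default path, but `${lib.escapeShellArg configDir}` would keep the script uniform with the `mkdir`/`chown` lines above it. Separately, `pkgs.writeText "${dn}.ldif"` uses the DN as a store-path name; as far as I recall Nix store names reject `,`, so a multi-RDN suffix such as `dc=example,dc=org` would presumably fail at evaluation time — worth confirming, and a sanitised name like `"ldap-contents-${lib.replaceStrings [","] ["-"] dn}.ldif"` would avoid it. These lines are reindented rather than newly written, but the defects sit on the new side.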