
nixos/openldap: Remove extraConfig options

Remove the options outright instead of deprecating them, as per PR feedback.
This commit is contained in:
Kai Wohlfahrt 2020-09-13 23:20:23 +01:00
parent 2050376cae
commit 3f892c2174
3 changed files with 51 additions and 141 deletions


@ -192,6 +192,24 @@
to migrate. If you continue to use <literal>configDir</literal>, ensure that to migrate. If you continue to use <literal>configDir</literal>, ensure that
<literal>olcPidFile</literal> is set to <literal>/run/slapd/slapd.pid</literal>. <literal>olcPidFile</literal> is set to <literal>/run/slapd/slapd.pid</literal>.
</para> </para>
<para>
As a result, <literal>extraConfig</literal> and <literal>extraDatabaseConfig</literal>
are removed. To help with migration, you can convert your <literal>slapd.conf</literal>
file to OLC configuration with the following script (find the location of this
configuration file by running <literal>systemctl status openldap</literal>, it is the
<literal>-f</literal> option.
</para>
<programlisting>
TMPDIR=$(mktemp -d)
slaptest -f /path/to/slapd.conf $TMPDIR
slapcat -F $TMPDIR -n0 -H 'ldap:///???(!(objectClass=olcSchemaConfig))'
</programlisting>
<para>
This will dump your current configuration in LDIF format, which should be
straightforward to convert into Nix settings. This does not show your schema
configuration, as this is unnecessarily verbose for users of the default schemas
and <literal>slaptest</literal> is buggy with schemas directly in the config file.
</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</section> </section>


@ -4,27 +4,6 @@ with lib;
let let
cfg = config.services.openldap; cfg = config.services.openldap;
openldap = cfg.package; openldap = cfg.package;
configFile = pkgs.writeText "slapd.conf" ((optionalString (cfg.defaultSchemas != null && cfg.defaultSchemas) ''
include ${openldap}/etc/schema/core.schema
include ${openldap}/etc/schema/cosine.schema
include ${openldap}/etc/schema/inetorgperson.schema
include ${openldap}/etc/schema/nis.schema
'') + ''
pidfile /run/slapd/slapd.pid
${if cfg.extraConfig != null then cfg.extraConfig else ""}
database ${cfg.database}
suffix ${cfg.suffix}
rootdn ${cfg.rootdn}
${if (cfg.rootpw != null) then ''
rootpw ${cfg.rootpw}
'' else ''
include ${cfg.rootpwFile}
''}
directory ${cfg.dataDir}
${if cfg.extraDatabaseConfig != null then cfg.extraDatabaseConfig else ""}
'');
configDir = if cfg.configDir != null then cfg.configDir else "/etc/openldap/slapd.d"; configDir = if cfg.configDir != null then cfg.configDir else "/etc/openldap/slapd.d";
ldapValueType = let ldapValueType = let
@ -113,6 +92,12 @@ let
lib.flatten (lib.mapAttrsToList (name: value: attrsToLdif "${name},${dn}" value) children) lib.flatten (lib.mapAttrsToList (name: value: attrsToLdif "${name},${dn}" value) children)
); );
in { in {
imports = let
deprecationNote = "This option is removed due to the deprecation of `slapd.conf` upstream. Please migrate to `services.openldap.settings`, see the release notes for advice with this process.";
in [
(lib.mkRemovedOptionModule [ "services" "openldap" "extraConfig" ] deprecationNote)
(lib.mkRemovedOptionModule [ "services" "openldap" "extraDatabaseConfig" ] deprecationNote)
];
options = { options = {
services.openldap = { services.openldap = {
enable = mkOption { enable = mkOption {
@ -280,36 +265,13 @@ in {
type = types.nullOr types.path; type = types.nullOr types.path;
default = null; default = null;
description = '' description = ''
Use this optional config directory instead of generating one from the Use this config directory instead of generating one from the
<literal>settings</literal> option. <literal>settings</literal> option. Overrides all NixOS settings. If
you use this option,ensure `olcPidFile` is set to `/run/slapd/slapd.conf`.
''; '';
example = "/var/db/slapd.d"; example = "/var/db/slapd.d";
}; };
# These options are deprecated
extraConfig = mkOption {
type = types.lines;
default = "";
description = "
slapd.conf configuration
";
example = literalExample ''
'''
include ${openldap}/etc/schema/core.schema
include ${openldap}/etc/schema/cosine.schema
include ${openldap}/etc/schema/inetorgperson.schema
include ${openldap}/etc/schema/nis.schema
database bdb
suffix dc=example,dc=org
rootdn cn=admin,dc=example,dc=org
# NOTE: change after first start
rootpw secret
directory /var/db/openldap
'''
'';
};
declarativeContents = mkOption { declarativeContents = mkOption {
type = with types; either lines (attrsOf lines); type = with types; either lines (attrsOf lines);
default = {}; default = {};
@ -337,41 +299,7 @@ in {
# ... # ...
''; '';
}; };
extraDatabaseConfig = mkOption {
type = types.lines;
default = "";
description = ''
slapd.conf configuration after the database option.
This setting will be ignored if configDir is set.
'';
example = ''
# Indices to maintain for this directory
# unique id so equality match only
index uid eq
# allows general searching on commonname, givenname and email
index cn,gn,mail eq,sub
# allows multiple variants on surname searching
index sn eq,sub
# sub above includes subintial,subany,subfinal
# optimise department searches
index ou eq
# if searches will include objectClass uncomment following
# index objectClass eq
# shows use of default index parameter
index default eq,sub
# indices missing - uses default eq,sub
index telephonenumber
# other database parameters
# read more in slapd.conf reference section
cachesize 10000
checkpoint 128 15
'';
};
}; };
}; };
meta = { meta = {
@ -404,18 +332,7 @@ in {
newValue = "{ path = \"${cfg.rootpwFile}\"; }"; newValue = "{ path = \"${cfg.rootpwFile}\"; }";
note = "The file should contain only the password (without \"rootpw \" as before)"; } note = "The file should contain only the password (without \"rootpw \" as before)"; }
]; ];
in (optional (cfg.extraConfig != "" || cfg.extraDatabaseConfig != "") '' in (flatten (map (args@{old, new, ...}: lib.optional ((lib.hasAttr old cfg) && (lib.getAttr old cfg) != null) ''
The options `extraConfig` and `extraDatabaseConfig` of `services.openldap`
are deprecated. This is due to the deprecation of `slapd.conf`
upstream. Please migrate to `services.openldap.settings`.
After deploying this configuration, you can run:
slapcat -F ${configDir} -n0 -H 'ldap:///???(!(objectClass=olcSchemaConfig))'
on the same host to print your current configuration in LDIF format, which
should be straightforward to convert into Nix settings. This does not show
your schema configuration (as this is unnecessarily verbose users of the
default schemas), so be sure to migrate that as well.
'') ++ (flatten (map (args@{old, new, ...}: lib.optional ((lib.hasAttr old cfg) && (lib.getAttr old cfg) != null) ''
The attribute `services.openldap.${old}` is deprecated. Please set it to The attribute `services.openldap.${old}` is deprecated. Please set it to
`null` and use the following option instead: `null` and use the following option instead:
@ -487,35 +404,32 @@ in {
mkdir -p ${lib.escapeShellArg configDir} ${lib.escapeShellArgs (lib.attrValues dataDirs)} mkdir -p ${lib.escapeShellArg configDir} ${lib.escapeShellArgs (lib.attrValues dataDirs)}
chown "${cfg.user}:${cfg.group}" ${lib.escapeShellArg configDir} ${lib.escapeShellArgs (lib.attrValues dataDirs)} chown "${cfg.user}:${cfg.group}" ${lib.escapeShellArg configDir} ${lib.escapeShellArgs (lib.attrValues dataDirs)}
${lib.optionalString (cfg.configDir == null) ( ${lib.optionalString (cfg.configDir == null) (''
if (cfg.extraConfig != "" || cfg.extraDatabaseConfig != "") then '' rm -Rf ${configDir}/*
rm -Rf ${configDir}/* ${openldap}/bin/slapadd -F ${configDir} -bcn=config -l ${settingsFile}
# -u disables config generation, so just ignore the return code '')}
${openldap}/bin/slaptest -f ${configFile} -F ${configDir} || true
'' else ''
rm -Rf ${configDir}/*
${openldap}/bin/slapadd -F ${configDir} -bcn=config -l ${settingsFile}
''
)}
chown -R "${cfg.user}:${cfg.group}" ${lib.escapeShellArg configDir} chown -R "${cfg.user}:${cfg.group}" ${lib.escapeShellArg configDir}
${if types.lines.check cfg.declarativeContents then (let ${if types.lines.check cfg.declarativeContents
dataFile = pkgs.writeText "ldap-contents.ldif" cfg.declarativeContents; then (let
in '' dataFile = pkgs.writeText "ldap-contents.ldif" cfg.declarativeContents;
rm -rf ${lib.escapeShellArg cfg.dataDir}/*
${openldap}/bin/slapadd -F ${lib.escapeShellArg configDir} -l ${dataFile}
chown -R "${cfg.user}:${cfg.group}" ${lib.escapeShellArg cfg.dataDir}
'') else (let
dataFiles = lib.mapAttrs (dn: contents: pkgs.writeText "${dn}.ldif" contents) cfg.declarativeContents;
in ''
${lib.concatStrings (lib.mapAttrsToList (dn: file: let
dataDir = lib.escapeShellArg (getAttr dn dataDirs);
in '' in ''
rm -rf ${dataDir}/* rm -rf ${lib.escapeShellArg cfg.dataDir}/*
${openldap}/bin/slapadd -F ${lib.escapeShellArg configDir} -b ${dn} -l ${file} ${openldap}/bin/slapadd -F ${lib.escapeShellArg configDir} -l ${dataFile}
chown -R "${cfg.user}:${cfg.group}" ${dataDir} chown -R "${cfg.user}:${cfg.group}" ${lib.escapeShellArg cfg.dataDir}
'') dataFiles)} '')
'')} else (let
dataFiles = lib.mapAttrs (dn: contents: pkgs.writeText "${dn}.ldif" contents) cfg.declarativeContents;
in ''
${lib.concatStrings (lib.mapAttrsToList (dn: file: let
dataDir = lib.escapeShellArg (getAttr dn dataDirs);
in ''
rm -rf ${dataDir}/*
${openldap}/bin/slapadd -F ${lib.escapeShellArg configDir} -b ${dn} -l ${file}
chown -R "${cfg.user}:${cfg.group}" ${dataDir}
'') dataFiles)}
'')
}
${openldap}/bin/slaptest -u -F ${lib.escapeShellArg configDir} ${openldap}/bin/slaptest -u -F ${lib.escapeShellArg configDir}
''; '';
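Review bot: The new `configDir` description (the hunk at `@ -280,36 +265,13 @@`) tells users to set `olcPidFile` to `/run/slapd/slapd.conf`, which is the config-file name rather than the pid file; the release-notes hunk in this same commit and the removed `pidfile /run/slapd/slapd.pid` line both give `/run/slapd/slapd.pid`, so a user following the option docs would point `olcPidFile` at the wrong path. The same line also lacks a space after the comma. I would change it to `you use this option, ensure <literal>olcPidFile</literal> is set to <literal>/run/slapd/slapd.pid</literal>.` — presumably `<literal>` rather than backticks, since the surrounding description already uses DocBook markup. Separately, in the activation hunk the new `rm -Rf ${configDir}/*` and `slapadd -F ${configDir}` lines interpolate `configDir` unescaped while the neighbouring `mkdir`/`chown`/`slaptest` lines use `lib.escapeShellArg configDir`; this is harmless today because the branch only runs when `cfg.configDir == null` and the default has no shell metacharacters, but a one-line comment saying so would stop the next reader from treating it as an oversight.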


@ -121,26 +121,4 @@ in {
) )
'' + testScript; '' + testScript;
}; };
# extraConfig forces use of slapd.conf, test this until that option is removed
legacyConfig = import ./make-test-python.nix {
inherit testScript;
name = "openldap";
machine = { pkgs, ... }: {
services.openldap = {
enable = true;
suffix = "dc=example";
rootdn = "cn=root,dc=example";
rootpw = "notapassword";
extraConfig = ''
# No-op
'';
extraDatabaseConfig = ''
# No-op
'';
declarativeContents = dbContents;
};
};
};
} }