authorKai Wohlfahrt <kai.wohlfahrt@gmail.com>2020-09-13 23:20:23 +0100
committerKai Wohlfahrt <kai.wohlfahrt@gmail.com>2020-11-21 16:13:03 +0000
commit3f892c2174d3e215be2e12d6dacede3cd4db392c (patch)
treee51751b5f860f64ab90cc0d9ba270abe43a0b2c9
parent2050376caee44dd52e7aaa00a9bfac6b644e5bff (diff)
nixos/openldap: Remove extraConfig options
Instead of deprecating, as per PR feedback
-rw-r--r--nixos/doc/manual/release-notes/rl-2103.xml18
-rw-r--r--nixos/modules/services/databases/openldap.nix152
-rw-r--r--nixos/tests/openldap.nix22
3 files changed, 51 insertions, 141 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2103.xml b/nixos/doc/manual/release-notes/rl-2103.xml
index 845aa841504..55c1229a164 100644
--- a/nixos/doc/manual/release-notes/rl-2103.xml
+++ b/nixos/doc/manual/release-notes/rl-2103.xml
@@ -192,6 +192,24 @@
       to migrate. If you continue to use <literal>configDir</literal>, ensure that
       <literal>olcPidFile</literal> is set to <literal>/run/slapd/slapd.pid</literal>.
     </para>
+    <para>
+      As a result, <literal>extraConfig</literal> and <literal>extraDatabaseConfig</literal>
+      are removed. To help with migration, you can convert your <literal>slapd.conf</literal>
+      file to OLC configuration with the following script (find the location of this
+      configuration file by running <literal>systemctl status openldap</literal>, it is the
+      <literal>-f</literal> option.
+    </para>
+    <programlisting>
+      TMPDIR=$(mktemp -d)
+      slaptest -f /path/to/slapd.conf $TMPDIR
+      slapcat -F $TMPDIR -n0 -H 'ldap:///???(!(objectClass=olcSchemaConfig))'
+    </programlisting>
+    <para>
+      This will dump your current configuration in LDIF format, which should be
+      straightforward to convert into Nix settings. This does not show your schema
+      configuration, as this is unnecessarily verbose for users of the default schemas
+      and <literal>slaptest</literal> is buggy with schemas directly in the config file.
+    </para>
    </listitem>
   </itemizedlist>
  </section>
diff --git a/nixos/modules/services/databases/openldap.nix b/nixos/modules/services/databases/openldap.nix
index 9de4c7fa41b..fb043df9d60 100644
--- a/nixos/modules/services/databases/openldap.nix
+++ b/nixos/modules/services/databases/openldap.nix
@@ -4,27 +4,6 @@ with lib;
 let
   cfg = config.services.openldap;
   openldap = cfg.package;
-
-  configFile = pkgs.writeText "slapd.conf" ((optionalString (cfg.defaultSchemas != null && cfg.defaultSchemas) ''
-    include ${openldap}/etc/schema/core.schema
-    include ${openldap}/etc/schema/cosine.schema
-    include ${openldap}/etc/schema/inetorgperson.schema
-    include ${openldap}/etc/schema/nis.schema
-  '') + ''
-    pidfile /run/slapd/slapd.pid
-    ${if cfg.extraConfig != null then cfg.extraConfig else ""}
-    database ${cfg.database}
-    suffix ${cfg.suffix}
-    rootdn ${cfg.rootdn}
-    ${if (cfg.rootpw != null) then ''
-      rootpw ${cfg.rootpw}
-    '' else ''
-      include ${cfg.rootpwFile}
-    ''}
-    directory ${cfg.dataDir}
-    ${if cfg.extraDatabaseConfig != null then cfg.extraDatabaseConfig else ""}
-  '');
-
   configDir = if cfg.configDir != null then cfg.configDir else "/etc/openldap/slapd.d";
 
   ldapValueType = let
@@ -113,6 +92,12 @@ let
     lib.flatten (lib.mapAttrsToList (name: value: attrsToLdif "${name},${dn}" value) children)
   );
 in {
+  imports = let
+    deprecationNote = "This option is removed due to the deprecation of `slapd.conf` upstream. Please migrate to `services.openldap.settings`, see the release notes for advice with this process.";
+  in [
+    (lib.mkRemovedOptionModule [ "services" "openldap" "extraConfig" ] deprecationNote)
+    (lib.mkRemovedOptionModule [ "services" "openldap" "extraDatabaseConfig" ] deprecationNote)
+  ];
   options = {
     services.openldap = {
       enable = mkOption {
@@ -280,36 +265,13 @@ in {
         type = types.nullOr types.path;
         default = null;
         description = ''
-          Use this optional config directory instead of generating one from the
-          <literal>settings</literal> option.
+          Use this config directory instead of generating one from the
+          <literal>settings</literal> option. Overrides all NixOS settings. If
+          you use this option,ensure `olcPidFile` is set to `/run/slapd/slapd.conf`.
         '';
         example = "/var/db/slapd.d";
       };
 
-      # These options are deprecated
-      extraConfig = mkOption {
-        type = types.lines;
-        default = "";
-        description = "
-          slapd.conf configuration
-        ";
-        example = literalExample ''
-            '''
-            include ${openldap}/etc/schema/core.schema
-            include ${openldap}/etc/schema/cosine.schema
-            include ${openldap}/etc/schema/inetorgperson.schema
-            include ${openldap}/etc/schema/nis.schema
-
-            database bdb
-            suffix dc=example,dc=org
-            rootdn cn=admin,dc=example,dc=org
-            # NOTE: change after first start
-            rootpw secret
-            directory /var/db/openldap
-            '''
-          '';
-      };
-
       declarativeContents = mkOption {
         type = with types; either lines (attrsOf lines);
         default = {};
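Review bot: The new configDir description (third added line of this hunk) tells users to set olcPidFile to `/run/slapd/slapd.conf`, but the release-notes hunk in this same commit and the `pidfile` line removed from the old slapd.conf template both use `/run/slapd/slapd.pid`; a `.conf` path here reads as a pidfile target and would mislead anyone following the text. The same line also lacks a space after the comma and switches to backticks where the surrounding description uses `<literal>` markup. Suggested replacement for that line: `you use this option, ensure <literal>olcPidFile</literal> is set to <literal>/run/slapd/slapd.pid</literal>.` The configDir mkOption block starts outside the hunk.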
@@ -337,41 +299,7 @@ in {
           # ...
         '';
       };
-
-      extraDatabaseConfig = mkOption {
-        type = types.lines;
-        default = "";
-        description = ''
-          slapd.conf configuration after the database option.
-          This setting will be ignored if configDir is set.
-        '';
-        example = ''
-          # Indices to maintain for this directory
-          # unique id so equality match only
-          index uid eq
-          # allows general searching on commonname, givenname and email
-          index cn,gn,mail eq,sub
-          # allows multiple variants on surname searching
-          index sn eq,sub
-          # sub above includes subintial,subany,subfinal
-          # optimise department searches
-          index ou eq
-          # if searches will include objectClass uncomment following
-          # index objectClass eq
-          # shows use of default index parameter
-          index default eq,sub
-          # indices missing - uses default eq,sub
-          index telephonenumber
-
-          # other database parameters
-          # read more in slapd.conf reference section
-          cachesize 10000
-          checkpoint 128 15
-        '';
-      };
-
     };
-
   };
 
   meta = {
@@ -404,18 +332,7 @@ in {
           newValue = "{ path = \"${cfg.rootpwFile}\"; }";
           note = "The file should contain only the password (without \"rootpw \" as before)"; }
       ];
-    in (optional (cfg.extraConfig != "" || cfg.extraDatabaseConfig != "") ''
-      The options `extraConfig` and `extraDatabaseConfig` of `services.openldap`
-      are deprecated. This is due to the deprecation of `slapd.conf`
-      upstream. Please migrate to `services.openldap.settings`.
-
-      After deploying this configuration, you can run:
-        slapcat -F ${configDir} -n0 -H 'ldap:///???(!(objectClass=olcSchemaConfig))'
-      on the same host to print your current configuration in LDIF format, which
-      should be straightforward to convert into Nix settings. This does not show
-      your schema configuration (as this is unnecessarily verbose users of the
-      default schemas), so be sure to migrate that as well.
-    '') ++ (flatten (map (args@{old, new, ...}: lib.optional ((lib.hasAttr old cfg) && (lib.getAttr old cfg) != null) ''
+    in (flatten (map (args@{old, new, ...}: lib.optional ((lib.hasAttr old cfg) && (lib.getAttr old cfg) != null) ''
       The attribute `services.openldap.${old}` is deprecated. Please set it to
       `null` and use the following option instead:
 
@@ -487,35 +404,32 @@ in {
         mkdir -p ${lib.escapeShellArg configDir} ${lib.escapeShellArgs (lib.attrValues dataDirs)}
         chown "${cfg.user}:${cfg.group}" ${lib.escapeShellArg configDir} ${lib.escapeShellArgs (lib.attrValues dataDirs)}
 
-        ${lib.optionalString (cfg.configDir == null) (
-          if (cfg.extraConfig != "" || cfg.extraDatabaseConfig != "") then ''
-            rm -Rf ${configDir}/*
-            # -u disables config generation, so just ignore the return code
-            ${openldap}/bin/slaptest -f ${configFile} -F ${configDir} || true
-          '' else ''
-            rm -Rf ${configDir}/*
-            ${openldap}/bin/slapadd -F ${configDir} -bcn=config -l ${settingsFile}
-          ''
-        )}
+        ${lib.optionalString (cfg.configDir == null) (''
+          rm -Rf ${configDir}/*
+          ${openldap}/bin/slapadd -F ${configDir} -bcn=config -l ${settingsFile}
+        '')}
         chown -R "${cfg.user}:${cfg.group}" ${lib.escapeShellArg configDir}
 
-        ${if types.lines.check cfg.declarativeContents then (let
-          dataFile = pkgs.writeText "ldap-contents.ldif" cfg.declarativeContents;
-        in ''
-          rm -rf ${lib.escapeShellArg cfg.dataDir}/*
-          ${openldap}/bin/slapadd -F ${lib.escapeShellArg configDir} -l ${dataFile}
-          chown -R "${cfg.user}:${cfg.group}" ${lib.escapeShellArg cfg.dataDir}
-        '') else (let
-          dataFiles = lib.mapAttrs (dn: contents: pkgs.writeText "${dn}.ldif" contents) cfg.declarativeContents;
-        in ''
-          ${lib.concatStrings (lib.mapAttrsToList (dn: file: let
-            dataDir = lib.escapeShellArg (getAttr dn dataDirs);
+        ${if types.lines.check cfg.declarativeContents
+          then (let
+            dataFile = pkgs.writeText "ldap-contents.ldif" cfg.declarativeContents;
           in ''
-            rm -rf ${dataDir}/*
-            ${openldap}/bin/slapadd -F ${lib.escapeShellArg configDir} -b ${dn} -l ${file}
-            chown -R "${cfg.user}:${cfg.group}" ${dataDir}
-          '') dataFiles)}
-        '')}
+            rm -rf ${lib.escapeShellArg cfg.dataDir}/*
+            ${openldap}/bin/slapadd -F ${lib.escapeShellArg configDir} -l ${dataFile}
+            chown -R "${cfg.user}:${cfg.group}" ${lib.escapeShellArg cfg.dataDir}
+          '')
+          else (let
+            dataFiles = lib.mapAttrs (dn: contents: pkgs.writeText "${dn}.ldif" contents) cfg.declarativeContents;
+          in ''
+            ${lib.concatStrings (lib.mapAttrsToList (dn: file: let
+              dataDir = lib.escapeShellArg (getAttr dn dataDirs);
+            in ''
+              rm -rf ${dataDir}/*
+              ${openldap}/bin/slapadd -F ${lib.escapeShellArg configDir} -b ${dn} -l ${file}
+              chown -R "${cfg.user}:${cfg.group}" ${dataDir}
+            '') dataFiles)}
+          '')
+         }
 
         ${openldap}/bin/slaptest -u -F ${lib.escapeShellArg configDir}
       '';
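Review bot: In the restructured declarativeContents branch, the `-b ${dn}` argument to slapadd is interpolated into the shell unescaped while `dataDir` on the same line goes through `lib.escapeShellArg`, so a DN containing spaces or quotes (which LDAP permits) would be split or misparsed by the shell. Suggested: `${openldap}/bin/slapadd -F ${lib.escapeShellArg configDir} -b ${lib.escapeShellArg dn} -l ${file}`. This carries over from the removed lines rather than being introduced here, but the hunk rewrites that line anyway. Similarly, `rm -Rf ${configDir}/*` and `slapadd -F ${configDir}` in the `cfg.configDir == null` branch use the bare path where the neighbouring mkdir/chown/slaptest lines escape it; harmless while configDir is the fixed default, but inconsistent. The preStart script begins outside the hunk.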
diff --git a/nixos/tests/openldap.nix b/nixos/tests/openldap.nix
index 0c40073735e..b6dd8f573d5 100644
--- a/nixos/tests/openldap.nix
+++ b/nixos/tests/openldap.nix
@@ -121,26 +121,4 @@ in {
       )
     '' + testScript;
   };
-
-  # extraConfig forces use of slapd.conf, test this until that option is removed
-  legacyConfig = import ./make-test-python.nix {
-    inherit testScript;
-    name = "openldap";
-
-    machine = { pkgs, ... }: {
-      services.openldap = {
-        enable = true;
-        suffix = "dc=example";
-        rootdn = "cn=root,dc=example";
-        rootpw = "notapassword";
-        extraConfig = ''
-          # No-op
-        '';
-        extraDatabaseConfig = ''
-          # No-op
-        '';
-        declarativeContents = dbContents;
-      };
-    };
-  };
 }