authorSimon Lackerbauer <simon@lackerbauer.com>2018-12-10 10:54:30 +0100
committerFranz Pletz <fpletz@fnordicwalking.de>2019-04-01 17:24:33 +0200
commit88c31ae57c8f06d22a951f3bdc74037719a07800 (patch)
treeb032fd4d1d95f8227008f40312821a1fc87c4d63
parent07b24090a42c4e663e4adfe39c566b162c669501 (diff)
nixos/openldap: add new options
-rw-r--r--nixos/modules/services/databases/openldap.nix94
-rw-r--r--nixos/tests/openldap.nix14
2 files changed, 98 insertions, 10 deletions
diff --git a/nixos/modules/services/databases/openldap.nix b/nixos/modules/services/databases/openldap.nix
index 5c302752781..bb658918cb0 100644
--- a/nixos/modules/services/databases/openldap.nix
+++ b/nixos/modules/services/databases/openldap.nix
@@ -8,7 +8,20 @@ let
   openldap = pkgs.openldap;
 
   dataFile = pkgs.writeText "ldap-contents.ldif" cfg.declarativeContents;
-  configFile = pkgs.writeText "slapd.conf" cfg.extraConfig;
+  configFile = pkgs.writeText "slapd.conf" ((optionalString cfg.defaultSchemas ''
+    include ${pkgs.openldap.out}/etc/schema/core.schema
+    include ${pkgs.openldap.out}/etc/schema/cosine.schema
+    include ${pkgs.openldap.out}/etc/schema/inetorgperson.schema
+    include ${pkgs.openldap.out}/etc/schema/nis.schema
+  '') + ''
+    ${cfg.extraConfig}
+    database ${cfg.database}
+    suffix ${cfg.suffix}
+    rootdn ${cfg.rootdn}
+    rootpw ${cfg.rootpw}
+    directory ${cfg.dataDir}
+    ${cfg.extraDatabaseConfig}
+  '');
   configOpts = if cfg.configDir == null then "-f ${configFile}"
                else "-F ${cfg.configDir}";
 in
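Review bot: `rootpw ${cfg.rootpw}` in the new configFile body writes the directory root password into a pkgs.writeText derivation, i.e. a world-readable file in the Nix store, so every local user (and anyone with access to a binary cache the machine pushes to) can read it. slapd accepts a hashed `rootpw` value in `{SCHEME}` form, so the module should at least steer users to a hash produced by slappasswd; keeping cleartext out of the store entirely would need the config to be assembled at service start from a file outside the store. Separately, the `database`/`suffix`/`rootdn`/`rootpw`/`directory` lines are now emitted unconditionally whenever configDir is null, so an existing `extraConfig` that already declares its own database stanza (as the old test did) ends up with a duplicate. The enclosing `let` block starts before the hunk.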
@@ -54,6 +67,52 @@ in
         description = "The database directory.";
       };
 
+      defaultSchemas = mkOption {
+        type = types.bool;
+        default = true;
+        description = ''
+          Include the default schemas core, cosine, inetorgperson and nis.
+          This setting will be ignored if configDir is set.
+        '';
+      };
+
+      database = mkOption {
+        type = types.str;
+        default = "mdb";
+        description = ''
+          Database type to use for the LDAP.
+          This setting will be ignored if configDir is set.
+        '';
+      };
+
+      suffix = mkOption {
+        type = types.str;
+        example = "dc=example,dc=org";
+        description = ''
+          Specify the DN suffix of queries that will be passed to this backend
+          database.
+          This setting will be ignored if configDir is set.
+        '';
+      };
+
+      rootdn = mkOption {
+        type = types.str;
+        example = "cn=admin,dc=example,dc=org";
+        description = ''
+          Specify the distinguished name that is not subject to access control
+          or administrative limit restrictions for operations on this database.
+          This setting will be ignored if configDir is set.
+        '';
+      };
+
+      rootpw = mkOption {
+        type = types.str;
+        description = ''
+          Password for the root user.
+          This setting will be ignored if configDir is set.
+        '';
+      };
+
       logLevel = mkOption {
         type = types.str;
         default = "0";
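Review bot: The `rootpw` description "Password for the root user." should state where the value ends up and what form it may take, e.g. `Password for the root user. The value is written to a file in the world-readable Nix store; a hashed value as produced by slappasswd (e.g. {SSHA}...) is accepted by slapd and should be preferred over cleartext.` `suffix` and `rootpw` also have neither a default nor, for rootpw, an example, so with configDir unset the module no longer evaluates unless both are set — that is a change for existing extraConfig-only users and is worth saying in the descriptions or the commit message. The enclosing options set starts before the hunk.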
@@ -118,6 +177,39 @@ in
           # ...
         '';
       };
+
+      extraDatabaseConfig = mkOption {
+        type = types.lines;
+        default = "";
+        description = ''
+          slapd.conf configuration after the database option.
+          This setting will be ignored if configDir is set.
+        '';
+        example = ''
+          # Indices to maintain for this directory
+          # unique id so equality match only
+          index uid eq
+          # allows general searching on commonname, givenname and email
+          index cn,gn,mail eq,sub
+          # allows multiple variants on surname searching
+          index sn eq,sub
+          # sub above includes subintial,subany,subfinal
+          # optimise department searches
+          index ou eq
+          # if searches will include objectClass uncomment following
+          # index objectClass eq
+          # shows use of default index parameter
+          index default eq,sub
+          # indices missing - uses default eq,sub
+          index telephonenumber
+
+          # other database parameters
+          # read more in slapd.conf reference section
+          cachesize 10000
+          checkpoint 128 15
+        '';
+      };
+
     };
 
   };
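Review bot: The `extraDatabaseConfig` description "slapd.conf configuration after the database option." is imprecise about placement, which matters because slapd.conf is order-sensitive: per the new configFile the text lands after the `directory` line, whereas `extraConfig` is emitted before the `database` line, i.e. in the global section. Suggest `Additional slapd.conf lines appended after the generated database section (database, suffix, rootdn, rootpw, directory). Use extraConfig for global directives that must precede the database line.` The example text also reads "subintial" where "subinitial" is meant. The enclosing options set starts before the hunk.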
diff --git a/nixos/tests/openldap.nix b/nixos/tests/openldap.nix
index 1eaf87a8eaa..3ef90e18347 100644
--- a/nixos/tests/openldap.nix
+++ b/nixos/tests/openldap.nix
@@ -4,16 +4,12 @@ import ./make-test.nix {
   machine = { pkgs, ... }: {
     services.openldap = {
       enable = true;
-      extraConfig = ''
-        include ${pkgs.openldap}/etc/schema/core.schema
-        include ${pkgs.openldap}/etc/schema/cosine.schema
-        include ${pkgs.openldap}/etc/schema/inetorgperson.schema
-        include ${pkgs.openldap}/etc/schema/nis.schema
-        database bdb
-        suffix dc=example
+      suffix = "dc=example";
+      rootdn = "cn=root,dc=example";
+      rootpw = "notapassword";
+      database = "bdb";
+      extraDatabaseConfig = ''
         directory /var/db/openldap
-        rootdn cn=root,dc=example
-        rootpw notapassword
       '';
       declarativeContents = ''
         dn: dc=example