-rw-r--r--nixos/modules/services/databases/openldap.nix33
-rw-r--r--nixos/tests/openldap.nix11
2 files changed, 17 insertions, 27 deletions
diff --git a/nixos/modules/services/databases/openldap.nix b/nixos/modules/services/databases/openldap.nix
index 6f1ac3ed717..c333f817d03 100644
--- a/nixos/modules/services/databases/openldap.nix
+++ b/nixos/modules/services/databases/openldap.nix
@@ -7,31 +7,14 @@ let
   configDir = if cfg.configDir != null then cfg.configDir else "/etc/openldap/slapd.d";
 
   ldapValueType = let
-    singleLdapValueType = types.oneOf [
-      types.str
-      (types.submodule {
-        options = {
-          path = mkOption {
-            type = types.path;
-            description = ''
-              A path containing the LDAP attribute. This is included at run-time, so
-              is recommended for storing secrets.
-            '';
-          };
-        };
-      })
-      (types.submodule {
-        options = {
-          base64 = mkOption {
-            type = types.str;
-            description = ''
-              A base64-encoded LDAP attribute. Useful for storing values which
-              contain special characters (e.g. newlines) in LDIF files.
-            '';
-          };
-        };
-      })
-    ];
+    # Can't do types.either with multiple non-overlapping submodules, so define our own
+    singleLdapValueType = lib.mkOptionType rec {
+      name = "LDAP";
+      description = "LDAP value";
+      check = x: lib.isString x || (lib.isAttrs x && (x ? "path" || x ? "base64"));
+      merge = lib.mergeEqualOption;
+    };
+    # We don't coerce to lists of single values, as some values must be unique
   in types.either singleLdapValueType (types.listOf singleLdapValueType);
 
   ldapAttrsType =
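Review bot: The hand-rolled `check` on the new `singleLdapValueType` only tests for the presence of a `path` or `base64` key, so `{ path = 123; }`, `{ base64 = null; }` or an attrset carrying both keys now pass option checking where the removed submodules rejected them. Tightening it to `check = x: lib.isString x || (lib.isAttrs x && ((x ? "path" && lib.isString x.path) || (x ? "base64" && lib.isString x.base64)));` keeps the intent of the old `types.path`/`types.str` constraints without reintroducing the submodule limitation. The per-key documentation that explained why `path` exists (the file is read at run-time, so it is the form to use for secrets) is also lost with the submodules; the new type's `description = "LDAP value"` could carry it, e.g. `description = "LDAP value: a string, { base64 = ... } for values with special characters, or { path = ... } for a file read at run-time (use this for secrets)";`. The enclosing `let` and the `ldapAttrsType` definition continue outside the hunk.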
diff --git a/nixos/tests/openldap.nix b/nixos/tests/openldap.nix
index b6dd8f573d5..beaff916474 100644
--- a/nixos/tests/openldap.nix
+++ b/nixos/tests/openldap.nix
@@ -21,6 +21,7 @@ in {
     name = "openldap";
 
     machine = { pkgs, ... }: {
+      environment.etc."openldap/root_password".text = "notapassword";
       services.openldap = {
         enable = true;
         defaultSchemas = null;
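Review bot: The added `environment.etc."openldap/root_password".text` line materialises the password in the Nix store, which is world-readable, so the fixture exercises the `path` mechanism in exactly the way the module's `path` option is meant to avoid for real secrets. Since this is a test with a dummy value that is acceptable, but a one-line comment would keep readers from copying the pattern: `# Test fixture only: .text lands in the world-readable Nix store; real deployments should point `path` at a file outside the store with restricted permissions.` The `machine` attrset continues outside the hunk.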
@@ -37,13 +38,19 @@ in {
               ];
             };
             "olcDatabase={1}mdb" = {
+              # This tests string, base64 and path values, as well as lists of string values
               attrs = {
                 objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
                 olcDatabase = "{1}mdb";
                 olcDbDirectory = "/var/db/openldap";
                 olcSuffix = "dc=example";
-                olcRootDN = "cn=root,dc=example";
-                olcRootPW = "notapassword";
+                olcRootDN = {
+                  # cn=root,dc=example
+                  base64 = "Y249cm9vdCxkYz1leGFtcGxl";
+                };
+                olcRootPW = {
+                  path = "/etc/openldap/root_password";
+                };
               };
             };
           };