From db5bb4e26bb1cdc8a79dd639c2585722fdf2ce18 Mon Sep 17 00:00:00 2001
From: Kai Wohlfahrt
Date: Sun, 27 Sep 2020 23:19:01 +0100
Subject: [PATCH] nixos/openldap: Fix sssd-ldap test

Use this as a test of the migration warnings/functionality.
---
 nixos/modules/services/databases/openldap.nix | 49 ++++++++--------
 nixos/tests/openldap.nix | 1 -
 nixos/tests/sssd-ldap.nix | 52 ++++++++++---------
 3 files changed, 50 insertions(+), 52 deletions(-)

diff --git a/nixos/modules/services/databases/openldap.nix b/nixos/modules/services/databases/openldap.nix
index aedf3873b04..94a5c573768 100644
--- a/nixos/modules/services/databases/openldap.nix
+++ b/nixos/modules/services/databases/openldap.nix
@@ -3,6 +3,7 @@
 with lib;
 let
 cfg = config.services.openldap;
+ legacyOptions = [ "rootpwFile" "suffix" "dataDir" "rootdn" "rootpw" ];
 openldap = cfg.package;
 configDir = if cfg.configDir != null then cfg.configDir else "/etc/openldap/slapd.d";
@@ -77,6 +78,12 @@ let
 in {
 imports = let
 deprecationNote = "This option is removed due to the deprecation of `slapd.conf` upstream. Please migrate to `services.openldap.settings`, see the release notes for advice with this process.";
+ mkDatabaseOption = old: new:
+ lib.mkChangedOptionModule [ "services" "openldap" old ] [ "services" "openldap" "settings" "children" ]
+ (config: let
+ database = lib.getAttrFromPath [ "services" "openldap" "database" ] config;
+ value = lib.getAttrFromPath [ "services" "openldap" old ] config;
+ in lib.setAttrByPath ([ "olcDatabase={1}${database}" "attrs" ] ++ new) value);
 in [
 (lib.mkRemovedOptionModule [ "services" "openldap" "extraConfig" ] deprecationNote)
 (lib.mkRemovedOptionModule [ "services" "openldap" "extraDatabaseConfig" ] deprecationNote)
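Review bot: `legacyOptions` repeats by hand the option names passed to `mkDatabaseOption` in the `@@ -97,17 +104,15 @@` hunk, and the assertions added in the `@@ -242,14 +247,10 @@` hunk iterate only this list, so a legacy option added to one place and not the other silently loses its guard. A single source of truth avoids the drift, e.g. `legacyOptions = { rootpwFile = [ "olcRootPW" "path" ]; suffix = [ "olcSuffix" ]; dataDir = [ "olcDbDirectory" ]; rootdn = [ "olcRootDN" ]; rootpw = [ "olcRootPW" ]; };`, with the import list built by `lib.mapAttrsToList mkDatabaseOption legacyOptions` and the assertions mapped over `lib.attrNames legacyOptions`. The `let` block this binding belongs to continues outside the hunk.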
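Review bot: `mkDatabaseOption` interpolates the `database` value into the `olcDatabase={1}${database}` key without handling the case where `services.openldap.database` is unset; the assertions added in the `@@ -242,14 +247,10 @@` hunk show that the unset value is the `"_mkMergedOptionModule"` placeholder, so until they fire the migration module produces an `olcDatabase={1}_mkMergedOptionModule` child. That coupling to an internal sentinel of `lib.mkChangedOptionModule` deserves a comment on the helper, e.g. `# Maps a legacy database option onto settings.children."olcDatabase={1}<database>".attrs.<new>; requires services.openldap.database to be set (enforced by the assertions in config).` It is also worth noting next to it that `rootpw` is mapped to a literal `olcRootPW` value in the generated settings while `rootpwFile` becomes `olcRootPW.path`, so the file-based form is the one to steer users towards. The enclosing `imports = let … in [ … ]` expression continues past the end of this hunk.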
@@ -85,7 +92,7 @@ in {
 (config: lib.splitString " " (lib.getAttrFromPath [ "services" "openldap" "logLevel" ] config)))
 (lib.mkChangedOptionModule [ "services" "openldap" "defaultSchemas" ] [ "services" "openldap" "settings" "children" "cn=schema" "includes"]
 (config: lib.optionals (lib.getAttrFromPath [ "services" "openldap" "defaultSchemas" ] config) (
- map (schema: "${pkgs.openldap}/etc/schema/${schema}.ldif") [ "core" "cosine" "inetorgperson" "nis" ])))
+ map (schema: "${openldap}/etc/schema/${schema}.ldif") [ "core" "cosine" "inetorgperson" "nis" ])))
 (lib.mkChangedOptionModule [ "services" "openldap" "database" ] [ "services" "openldap" "settings" "children" ]
 (config: let
@@ -97,17 +104,15 @@ in {
 olcDatabase = "{1}${database}";
 olcDbDirectory = lib.mkDefault "/var/db/openldap";
 };
+ "cn=schema".includes = lib.mkDefault (
+ map (schema: "${openldap}/etc/schema/${schema}.ldif") [ "core" "cosine" "inetorgperson" "nis" ]
+ );
 }))
- (lib.mkRenamedOptionModule [ "services" "openldap" "rootpwFile" ]
- [ "services" "openldap" "settings" "children" "olcDatabase={1}${cfg.database}" "attrs" "olcRootPW" "path"])
- (lib.mkRenamedOptionModule [ "services" "openldap" "suffix" ]
- [ "services" "openldap" "settings" "children" "olcDatabase={1}${cfg.database}" "attrs" "olcSuffix"])
- (lib.mkRenamedOptionModule [ "services" "openldap" "dataDir" ]
- [ "services" "openldap" "settings" "children" "olcDatabase={1}${cfg.database}" "attrs" "olcDbDirectory"])
- (lib.mkRenamedOptionModule [ "services" "openldap" "rootdn" ]
- [ "services" "openldap" "settings" "children" "olcDatabase={1}${cfg.database}" "attrs" "olcRootDN"])
- (lib.mkRenamedOptionModule [ "services" "openldap" "rootpw" ]
- [ "services" "openldap" "settings" "children" "olcDatabase={1}${cfg.database}" "attrs" "olcRootPW"])
+ (mkDatabaseOption "rootpwFile" [ "olcRootPW" "path" ])
+ (mkDatabaseOption "suffix" [ "olcSuffix" ])
+ (mkDatabaseOption "dataDir" [ "olcDbDirectory" ])
+ (mkDatabaseOption "rootdn" [ "olcRootDN" ])
+ (mkDatabaseOption "rootpw" [ "olcRootPW" ])
 ];
 options = {
 services.openldap = {
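Review bot: The schema list `map (schema: "${openldap}/etc/schema/${schema}.ldif") [ "core" "cosine" "inetorgperson" "nis" ]` added here to the `database` migration now appears verbatim twice in the same `imports` list, the other copy being the `defaultSchemas` migration in the preceding `@@ -85,7 +92,7 @@` hunk. Hoist it into the enclosing `let`, e.g. `defaultSchemaIncludes = map (schema: "${openldap}/etc/schema/${schema}.ldif") [ "core" "cosine" "inetorgperson" "nis" ];`, and reference it from both places so the two cannot diverge. Wrapping it in `lib.mkDefault` means a plain definition from the `defaultSchemas` migration or from an explicit `settings.children."cn=schema".includes` takes precedence, which looks intended but is worth a comment such as `# Default schemas for the legacy database option; any explicit includes definition overrides this.` The `imports = let … in [ … ]` expression this hunk edits starts in an earlier hunk.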
@@ -242,14 +247,10 @@ in {
 meta.maintainers = with lib.maintainters; [ mic92 kwohlfahrt ];
 config = mkIf cfg.enable {
- assertions = [{
- assertion = lib.length (lib.attrNames cfg.settings.children) >= 2 || cfg ? database;
- message = ''
- No OpenLDAP database is defined. Configure one with `services.openldap.settings`
- or `services.openldap.database` (legacy).
- '';
- }];
-
+ assertions = map (opt: {
+ assertion = ((getAttr opt cfg) != "_mkMergedOptionModule") -> (cfg.database != "_mkMergedOptionModule");
+ message = "Legacy OpenLDAP option `services.openldap.${opt}` requires `services.openldap.database` (use value \"mdb\" if unsure)";
+ }) legacyOptions;
 environment.systemPackages = [ openldap ];
 # Literal attributes must always be set
@@ -259,13 +260,9 @@ in {
 cn = "config";
 olcPidFile = "/run/slapd/slapd.pid";
 };
- children = {
- "cn=schema" = {
- attrs = {
- cn = "schema";
- objectClass = "olcSchemaConfig";
- };
- };
+ children."cn=schema".attrs = {
+ cn = "schema";
+ objectClass = "olcSchemaConfig";
 };
 };
diff --git a/nixos/tests/openldap.nix b/nixos/tests/openldap.nix
index ac1e1a7596f..e9339523ca9 100644
--- a/nixos/tests/openldap.nix
+++ b/nixos/tests/openldap.nix
@@ -71,7 +71,6 @@ in {
 suffix = "dc=example";
 rootdn = "cn=root,dc=example";
 rootpw = "notapassword";
- dataDir = "/var/db/openldap";
 declarativeContents."dc=example" = dbContents;
 };
 };
diff --git a/nixos/tests/sssd-ldap.nix b/nixos/tests/sssd-ldap.nix
index b68403a0102..8cb398d0e17 100644
--- a/nixos/tests/sssd-ldap.nix
+++ b/nixos/tests/sssd-ldap.nix
@@ -1,4 +1,4 @@
-import ./make-test-python.nix ({ pkgs, ... }:
+({ pkgs, ... }:
 let
 dbDomain = "example.org";
 dbSuffix = "dc=example,dc=org";
@@ -7,8 +7,7 @@ import ./make-test-python.nix ({ pkgs, ... }:
 ldapRootPassword = "foobar";
 testUser = "alice";
- in
- {
+ in import ./make-test-python.nix {
 name = "sssd-ldap";
 meta = with pkgs.stdenv.lib.maintainers; {
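Review bot: The removed `No OpenLDAP database is defined` assertion has no replacement, so a configuration with neither `services.openldap.database` nor a database entry under `settings.children` now evaluates without complaint; the new per-option assertions only enforce that the legacy options are used together with `database`. The old check's `cfg ? database` presumably always held once `mkChangedOptionModule` declared that option, which may be why it was dropped, but the intent can be kept with the same sentinel the new code already relies on: `assertions = [ { assertion = lib.length (lib.attrNames cfg.settings.children) >= 2 || cfg.database != "_mkMergedOptionModule"; message = "No OpenLDAP database is defined. Configure one with `services.openldap.settings` or `services.openldap.database` (legacy)."; } ] ++ map (opt: { … }) legacyOptions;`. Both comparisons against `"_mkMergedOptionModule"` depend on an internal detail of `lib.mkChangedOptionModule`, so a one-line comment such as `# "_mkMergedOptionModule" is the placeholder lib.mkChangedOptionModule assigns to an unset legacy option` would save the next maintainer a search. Unrelated but visible in the context line above the change, `lib.maintainters` is misspelled.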
@@ -18,34 +17,37 @@ import ./make-test-python.nix ({ pkgs, ... }:
 machine = { pkgs, ... }: {
 services.openldap = {
 enable = true;
+ database = "mdb";
 rootdn = "cn=${ldapRootUser},${dbSuffix}";
 rootpw = ldapRootPassword;
 suffix = dbSuffix;
- declarativeContents = ''
- dn: ${dbSuffix}
- objectClass: top
- objectClass: dcObject
- objectClass: organization
- o: ${dbDomain}
+ declarativeContents = {
+ ${dbSuffix} = ''
+ dn: ${dbSuffix}
+ objectClass: top
+ objectClass: dcObject
+ objectClass: organization
+ o: ${dbDomain}
 
- dn: ou=posix,${dbSuffix}
- objectClass: top
- objectClass: organizationalUnit
+ dn: ou=posix,${dbSuffix}
+ objectClass: top
+ objectClass: organizationalUnit
 
- dn: ou=accounts,ou=posix,${dbSuffix}
- objectClass: top
- objectClass: organizationalUnit
+ dn: ou=accounts,ou=posix,${dbSuffix}
+ objectClass: top
+ objectClass: organizationalUnit
 
- dn: uid=${testUser},ou=accounts,ou=posix,${dbSuffix}
- objectClass: person
- objectClass: posixAccount
- # userPassword: somePasswordHash
- homeDirectory: /home/${testUser}
- uidNumber: 1234
- gidNumber: 1234
- cn: ""
- sn: ""
- '';
+ dn: uid=${testUser},ou=accounts,ou=posix,${dbSuffix}
+ objectClass: person
+ objectClass: posixAccount
+ # userPassword: somePasswordHash
+ homeDirectory: /home/${testUser}
+ uidNumber: 1234
+ gidNumber: 1234
+ cn: ""
+ sn: ""
+ '';
+ };
 };
 services.sssd = {
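Review bot: With the new `database = "mdb";` line this test exercises the legacy `rootpw`, `rootdn` and `suffix` migrations, but neither this hunk nor the `openldap.nix` test hunk above touches `rootpwFile`, so the `[ "olcRootPW" "path" ]` mapping — the only one of the five legacy options that keeps the root credential out of the rendered settings — has no coverage in the hunks shown here. If the commit's stated purpose is to test the migration functionality, a second machine or a variant of this one using `rootpwFile` instead of `rootpw` would close that gap; I have not checked whether the file form is covered elsewhere. The `machine` module continues past the end of this hunk (`services.sssd = {` is cut off).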