lldap: update patches

This commit is contained in:
ibizaman 2025-08-31 21:48:26 +02:00 committed by Pierre Penninckx
parent ee93203a08
commit 7e8fc8cd56
5 changed files with 104 additions and 575 deletions

View file

@ -16,10 +16,7 @@
originPkgs = nixpkgs.legacyPackages.${system};
shbPatches = originPkgs.lib.optionals (system == "x86_64-linux") [
# Get rid of lldap patches when https://github.com/NixOS/nixpkgs/pull/425923 is merged.
./patches/0001-lldap-add-options-to-set-important-secrets.patch
./patches/0002-lldap-lldap-0.6.1-0.6.2.patch
./patches/0003-lldap-bootstrap-init-0.6.2.patch
./patches/0004-lldap-add-ensure-options.patch
./patches/lldap.patch
# Leaving commented out as an example.
# (originPkgs.fetchpatch {

View file

@ -1,197 +0,0 @@
From 3b7d45e30f3dbf329abfb6ba659d10357761e2ab Mon Sep 17 00:00:00 2001
From: ibizaman <ibizaman@tiserbox.com>
Date: Wed, 16 Jul 2025 03:04:44 +0200
Subject: [PATCH 1/4] lldap: add options to set important secrets
---
nixos/modules/services/databases/lldap.nix | 71 +++++++++++++++++++++
nixos/tests/lldap.nix | 72 +++++++++++++++++++---
2 files changed, 134 insertions(+), 9 deletions(-)
diff --git a/nixos/modules/services/databases/lldap.nix b/nixos/modules/services/databases/lldap.nix
index a9fbe8f7e11a..1607754d7d9c 100644
--- a/nixos/modules/services/databases/lldap.nix
+++ b/nixos/modules/services/databases/lldap.nix
@@ -102,12 +102,83 @@ in
default = "sqlite://./users.db?mode=rwc";
example = "postgres://postgres-user:password@postgres-server/my-database";
};
+
+ ldap_user_pass_file = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ Path to a file containing the default admin password.
+
+ If you want to update the default admin password through this setting,
+ you must set `force_ldap_user_pass_reset` to `true`.
+ Otherwise changing this setting will have no effect
+ unless this is the very first time LLDAP is started and its database is still empty.
+ '';
+ };
+
+ force_ldap_user_pass_reset = mkOption {
+ type = types.oneOf [
+ types.bool
+ (types.enum [ "always" ])
+ ];
+ default = false;
+ description = ''
+ Force reset of the admin password.
+
+ Set this setting to `"always"` to update the admin password when `ldap_user_pass_file` changes.
+ Setting to `"always"` also means any password update in the UI will be overwritten next time the service restarts.
+
+ The difference between `true` and `"always"` is the former is intended for a one time fix
+ while the latter is intended for a declarative workflow. In practice, the result
+ is the same: the password gets reset. The only practical difference is the former
+ outputs a warning message while the latter outputs an info message.
+ '';
+ };
+
+ jwt_secret_file = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ Path to a file containing the JWT secret.
+ '';
+ };
};
};
+
+ # TOML does not allow null values, so we use null to omit those fields
+ apply = lib.filterAttrsRecursive (_: v: v != null);
+ };
+
+ silenceForceUserPassResetWarning = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Disable warning when the admin password is set declaratively with the `ldap_user_pass_file` setting
+ but the `force_ldap_user_pass_reset` is set to `false`.
+
+ This can lead to the admin password to drift from the one given declaratively.
+ If that is okay for you and you want to silence the warning, set this option to `true`.
+ '';
};
};
config = lib.mkIf cfg.enable {
+ warnings =
+ lib.optionals
+ (
+ (cfg.settings.ldap_user_pass_file or null) != null
+ && cfg.settings.force_ldap_user_pass_reset == false
+ && cfg.silenceForceUserPassResetWarning == false
+ )
+ [
+ ''
+ lldap: The default admin password is declared with the setting `ldap_user_pass_file`, but `force_ldap_user_pass_reset` is set to `false`.
+ This means the admin password can be changed through the UI and will drift from the one defined in your nix config.
+ It also means changing the setting `ldap_user_pass_file` will have no effect on the admin password.
+ Either set `force_ldap_user_pass_reset` to `"always"` or silence this warning by setting the option `services.lldap.silenceForceUserPassResetWarning` to `true`.
+ ''
+ ];
+
systemd.services.lldap = {
description = "Lightweight LDAP server (lldap)";
wants = [ "network-online.target" ];
diff --git a/nixos/tests/lldap.nix b/nixos/tests/lldap.nix
index c2e48525a5f3..aea6b2058727 100644
--- a/nixos/tests/lldap.nix
+++ b/nixos/tests/lldap.nix
@@ -1,4 +1,7 @@
{ ... }:
+let
+ adminPassword = "mySecretPassword";
+in
{
name = "lldap";
@@ -7,23 +10,74 @@
{
services.lldap = {
enable = true;
+
settings = {
verbose = true;
ldap_base_dn = "dc=example,dc=com";
};
};
environment.systemPackages = [ pkgs.openldap ];
+
+ specialisation = {
+ differentAdminPassword.configuration =
+ { ... }:
+ {
+ services.lldap.settings = {
+ ldap_user_pass_file = toString (pkgs.writeText "adminPasswordFile" adminPassword);
+ force_ldap_user_pass_reset = "always";
+ };
+ };
+
+ changeAdminPassword.configuration =
+ { ... }:
+ {
+ services.lldap.settings = {
+ ldap_user_pass_file = toString (pkgs.writeText "adminPasswordFile" "password");
+ force_ldap_user_pass_reset = false;
+ };
+ };
+ };
};
- testScript = ''
- machine.wait_for_unit("lldap.service")
- machine.wait_for_open_port(3890)
- machine.wait_for_open_port(17170)
+ testScript =
+ { nodes, ... }:
+ let
+ specializations = "${nodes.machine.system.build.toplevel}/specialisation";
+ in
+ ''
+ machine.wait_for_unit("lldap.service")
+ machine.wait_for_open_port(3890)
+ machine.wait_for_open_port(17170)
+
+ machine.succeed("curl --location --fail http://localhost:17170/")
+
+ adminPassword="${adminPassword}"
+
+ def try_login(user, password, expect_success=True):
+ cmd = f'ldapsearch -H ldap://localhost:3890 -D uid={user},ou=people,dc=example,dc=com -b "ou=people,dc=example,dc=com" -w {password}'
+ code, response = machine.execute(cmd)
+ print(cmd)
+ print(response)
+ if expect_success:
+ if code != 0:
+ raise Exception(f"Expected success, had failure {code}")
+ else:
+ if code == 0:
+ raise Exception("Expected failure, had success")
+ return response
+
+ with subtest("default admin password"):
+ try_login("admin", "password", expect_success=True)
+ try_login("admin", adminPassword, expect_success=False)
- machine.succeed("curl --location --fail http://localhost:17170/")
+ with subtest("different admin password"):
+ machine.succeed('${specializations}/differentAdminPassword/bin/switch-to-configuration test')
+ try_login("admin", "password", expect_success=False)
+ try_login("admin", adminPassword, expect_success=True)
- print(
- machine.succeed('ldapsearch -H ldap://localhost:3890 -D uid=admin,ou=people,dc=example,dc=com -b "ou=people,dc=example,dc=com" -w password')
- )
- '';
+ with subtest("change admin password has no effect"):
+ machine.succeed('${specializations}/differentAdminPassword/bin/switch-to-configuration test')
+ try_login("admin", "password", expect_success=False)
+ try_login("admin", adminPassword, expect_success=True)
+ '';
}
--
2.49.0

View file

@ -1,276 +0,0 @@
From 995413b11fb7a453ecf1a0c30a64b4a550f1aca3 Mon Sep 17 00:00:00 2001
From: ibizaman <ibizaman@tiserbox.com>
Date: Tue, 15 Jul 2025 18:42:42 +0200
Subject: [PATCH 2/4] lldap: lldap 0.6.1 -> 0.6.2
---
nixos/modules/services/databases/lldap.nix | 43 ++++++++++---
nixos/tests/lldap.nix | 8 ++-
.../0001-parameterize-frontend-location.patch | 64 -------------------
pkgs/by-name/ll/lldap/package.nix | 31 +++++----
4 files changed, 56 insertions(+), 90 deletions(-)
delete mode 100644 pkgs/by-name/ll/lldap/0001-parameterize-frontend-location.patch
diff --git a/nixos/modules/services/databases/lldap.nix b/nixos/modules/services/databases/lldap.nix
index 1607754d7d9c..1095021b3f35 100644
--- a/nixos/modules/services/databases/lldap.nix
+++ b/nixos/modules/services/databases/lldap.nix
@@ -2,7 +2,6 @@
config,
lib,
pkgs,
- utils,
...
}:
@@ -103,6 +102,16 @@ in
example = "postgres://postgres-user:password@postgres-server/my-database";
};
+ ldap_user_pass = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ Password for default admin password.
+
+ Unsecure: Use `ldap_user_pass_file` settings instead.
+ '';
+ };
+
ldap_user_pass_file = mkOption {
type = types.nullOr types.str;
default = null;
@@ -163,18 +172,32 @@ in
};
config = lib.mkIf cfg.enable {
+ assertions = [
+ {
+ assertion =
+ (cfg.settings.ldap_user_pass_file or null) != null || (cfg.settings.ldap_user_pass or null) != null;
+ message = "lldap: Default admin user password must be set. Please set the `ldap_user_pass` or better the `ldap_user_pass_file` setting.";
+ }
+ {
+ assertion =
+ (cfg.settings.ldap_user_pass_file or null) == null || (cfg.settings.ldap_user_pass or null) == null;
+ message = "lldap: Both `ldap_user_pass` and `ldap_user_pass_file` settings should not be set at the same time. Set one to `null`.";
+ }
+ ];
+
warnings =
- lib.optionals
- (
- (cfg.settings.ldap_user_pass_file or null) != null
- && cfg.settings.force_ldap_user_pass_reset == false
- && cfg.silenceForceUserPassResetWarning == false
- )
+ lib.optionals (cfg.settings.ldap_user_pass or null != null) [
+ ''
+ lldap: Unsecure `ldap_user_pass` setting is used. Prefer `ldap_user_pass_file` instead.
+ ''
+ ]
+ ++ lib.optionals
+ (cfg.settings.force_ldap_user_pass_reset == false && cfg.silenceForceUserPassResetWarning == false)
[
''
- lldap: The default admin password is declared with the setting `ldap_user_pass_file`, but `force_ldap_user_pass_reset` is set to `false`.
- This means the admin password can be changed through the UI and will drift from the one defined in your nix config.
- It also means changing the setting `ldap_user_pass_file` will have no effect on the admin password.
+ lldap: The `force_ldap_user_pass_reset` setting is set to `false` which means
+ the admin password can be changed through the UI and will drift from the one defined in your nix config.
+ It also means changing the setting `ldap_user_pass` or `ldap_user_pass_file` will have no effect on the admin password.
Either set `force_ldap_user_pass_reset` to `"always"` or silence this warning by setting the option `services.lldap.silenceForceUserPassResetWarning` to `true`.
''
];
diff --git a/nixos/tests/lldap.nix b/nixos/tests/lldap.nix
index aea6b2058727..8e38d4bdefa3 100644
--- a/nixos/tests/lldap.nix
+++ b/nixos/tests/lldap.nix
@@ -6,7 +6,7 @@ in
name = "lldap";
nodes.machine =
- { pkgs, ... }:
+ { pkgs, lib, ... }:
{
services.lldap = {
enable = true;
@@ -14,6 +14,8 @@ in
settings = {
verbose = true;
ldap_base_dn = "dc=example,dc=com";
+
+ ldap_user_pass = "password";
};
};
environment.systemPackages = [ pkgs.openldap ];
@@ -23,7 +25,8 @@ in
{ ... }:
{
services.lldap.settings = {
- ldap_user_pass_file = toString (pkgs.writeText "adminPasswordFile" adminPassword);
+ ldap_user_pass = lib.mkForce null;
+ ldap_user_pass_file = lib.mkForce (toString (pkgs.writeText "adminPasswordFile" adminPassword));
force_ldap_user_pass_reset = "always";
};
};
@@ -32,6 +35,7 @@ in
{ ... }:
{
services.lldap.settings = {
+ ldap_user_pass = lib.mkForce null;
ldap_user_pass_file = toString (pkgs.writeText "adminPasswordFile" "password");
force_ldap_user_pass_reset = false;
};
diff --git a/pkgs/by-name/ll/lldap/0001-parameterize-frontend-location.patch b/pkgs/by-name/ll/lldap/0001-parameterize-frontend-location.patch
deleted file mode 100644
index c33f5a7afa10..000000000000
--- a/pkgs/by-name/ll/lldap/0001-parameterize-frontend-location.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From a09babb0cd9dd532ad2de920a2a35aa03d740dc6 Mon Sep 17 00:00:00 2001
-From: Herwig Hochleitner <herwig@bendlas.net>
-Date: Thu, 8 Aug 2024 00:29:14 +0200
-Subject: [PATCH] parameterize frontend location
-
----
- server/src/infra/tcp_server.rs | 14 +++++++-------
- 1 file changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/server/src/infra/tcp_server.rs b/server/src/infra/tcp_server.rs
-index fa5f11f..16e64c5 100644
---- a/server/src/infra/tcp_server.rs
-+++ b/server/src/infra/tcp_server.rs
-@@ -25,7 +25,7 @@ use std::sync::RwLock;
- use tracing::info;
-
- async fn index<Backend>(data: web::Data<AppState<Backend>>) -> actix_web::Result<impl Responder> {
-- let mut file = std::fs::read_to_string(r"./app/index.html")?;
-+ let mut file = std::fs::read_to_string(r"@frontend@/index.html")?;
-
- if data.server_url.path() != "/" {
- file = file.replace(
-@@ -80,7 +80,7 @@ pub(crate) fn error_to_http_response(error: TcpError) -> HttpResponse {
- async fn main_js_handler<Backend>(
- data: web::Data<AppState<Backend>>,
- ) -> actix_web::Result<impl Responder> {
-- let mut file = std::fs::read_to_string(r"./app/static/main.js")?;
-+ let mut file = std::fs::read_to_string(r"@frontend@/static/main.js")?;
-
- if data.server_url.path() != "/" {
- file = file.replace("/pkg/", format!("{}/pkg/", data.server_url.path()).as_str());
-@@ -92,12 +92,12 @@ async fn main_js_handler<Backend>(
- }
-
- async fn wasm_handler() -> actix_web::Result<impl Responder> {
-- Ok(actix_files::NamedFile::open_async("./app/pkg/lldap_app_bg.wasm").await?)
-+ Ok(actix_files::NamedFile::open_async("@frontend@/pkg/lldap_app_bg.wasm").await?)
- }
-
- async fn wasm_handler_compressed() -> actix_web::Result<impl Responder> {
- Ok(
-- actix_files::NamedFile::open_async("./app/pkg/lldap_app_bg.wasm.gz")
-+ actix_files::NamedFile::open_async("@frontend@/pkg/lldap_app_bg.wasm.gz")
- .await?
- .customize()
- .insert_header(header::ContentEncoding::Gzip)
-@@ -143,11 +143,11 @@ fn http_config<Backend>(
- .service(web::resource("/pkg/lldap_app_bg.wasm").route(web::route().to(wasm_handler)))
- .service(web::resource("/static/main.js").route(web::route().to(main_js_handler::<Backend>)))
- // Serve the /pkg path with the compiled WASM app.
-- .service(Files::new("/pkg", "./app/pkg"))
-+ .service(Files::new("/pkg", "@frontend@/pkg"))
- // Serve static files
-- .service(Files::new("/static", "./app/static"))
-+ .service(Files::new("/static", "@frontend@/static"))
- // Serve static fonts
-- .service(Files::new("/static/fonts", "./app/static/fonts"))
-+ .service(Files::new("/static/fonts", "@frontend@/static/fonts"))
- // Default to serve index.html for unknown routes, to support routing.
- .default_service(web::route().guard(guard::Get()).to(index::<Backend>));
- }
---
-2.45.2
-
diff --git a/pkgs/by-name/ll/lldap/package.nix b/pkgs/by-name/ll/lldap/package.nix
index c335ffa727bf..11f14fdab871 100644
--- a/pkgs/by-name/ll/lldap/package.nix
+++ b/pkgs/by-name/ll/lldap/package.nix
@@ -3,29 +3,30 @@
fetchFromGitHub,
lib,
lldap,
+ makeWrapper,
nixosTests,
rustPlatform,
rustc,
- wasm-bindgen-cli_0_2_95,
+ wasm-bindgen-cli_0_2_100,
wasm-pack,
which,
}:
let
+ version = "0.6.2";
- commonDerivationAttrs = rec {
+ commonDerivationAttrs = {
pname = "lldap";
- version = "0.6.1";
+ inherit version;
src = fetchFromGitHub {
owner = "lldap";
repo = "lldap";
rev = "v${version}";
- hash = "sha256-iQ+Vv9kx/pWHoa/WZChBK+FD2r1avzWWz57bnnzRjUg=";
+ hash = "sha256-UBQWOrHika8X24tYdFfY8ETPh9zvI7/HV5j4aK8Uq+Y=";
};
- cargoHash = "sha256-qXYgr9uRswuo9hwVROUX9KUKpkzR0VEcXImbdyOgxsY=";
-
+ cargoHash = "sha256-SO7+HiiXNB/KF3fjzSMeiTPjRQq/unEfsnplx4kZv9c=";
};
frontend = rustPlatform.buildRustPackage (
@@ -35,7 +37,7 @@ let
nativeBuildInputs = [
wasm-pack
- wasm-bindgen-cli_0_2_95
+ wasm-bindgen-cli_0_2_100
binaryen
which
rustc
@@ -68,12 +70,10 @@ rustPlatform.buildRustPackage (
"lldap_set_password"
];
- patches = [
- ./0001-parameterize-frontend-location.patch
- ];
-
- postPatch = ''
- substituteInPlace server/src/infra/tcp_server.rs --subst-var-by frontend '${frontend}'
+ nativeBuildInputs = [ makeWrapper ];
+ postInstall = ''
+ wrapProgram $out/bin/lldap \
+ --set LLDAP_ASSETS_PATH ${frontend}
'';
passthru = {
@@ -89,7 +89,10 @@ rustPlatform.buildRustPackage (
changelog = "https://github.com/lldap/lldap/blob/v${lldap.version}/CHANGELOG.md";
license = licenses.gpl3Only;
platforms = platforms.linux;
- maintainers = with maintainers; [ bendlas ];
+ maintainers = with maintainers; [
+ bendlas
+ ibizaman
+ ];
mainProgram = "lldap";
};
}
--
2.49.0

View file

@ -1,76 +0,0 @@
From f22a61651199cc6030b0e3ede64fd52996bbe3eb Mon Sep 17 00:00:00 2001
From: ibizaman <ibizaman@tiserbox.com>
Date: Wed, 13 Aug 2025 08:14:38 +0200
Subject: [PATCH 3/4] lldap-bootstrap: init 0.6.2
---
pkgs/by-name/ll/lldap-bootstrap/package.nix | 57 +++++++++++++++++++++
1 file changed, 57 insertions(+)
create mode 100644 pkgs/by-name/ll/lldap-bootstrap/package.nix
diff --git a/pkgs/by-name/ll/lldap-bootstrap/package.nix b/pkgs/by-name/ll/lldap-bootstrap/package.nix
new file mode 100644
index 000000000000..b48099c10e84
--- /dev/null
+++ b/pkgs/by-name/ll/lldap-bootstrap/package.nix
@@ -0,0 +1,57 @@
+{
+ curl,
+ fetchFromGitHub,
+ jq,
+ jo,
+ lib,
+ lldap,
+ lldap-bootstrap,
+ makeWrapper,
+ stdenv,
+}:
+let
+ version = "0.6.2";
+in
+stdenv.mkDerivation {
+ pname = "lldap-bootstrap";
+ inherit version;
+
+ src = fetchFromGitHub {
+ owner = "lldap";
+ repo = "lldap";
+ rev = "v${version}";
+ hash = "sha256-UBQWOrHika8X24tYdFfY8ETPh9zvI7/HV5j4aK8Uq+Y=";
+ };
+
+ dontBuild = true;
+
+ nativeBuildInputs = [ makeWrapper ];
+
+ installPhase = ''
+ mkdir -p $out/bin
+ cp ./scripts/bootstrap.sh $out/bin/lldap-bootstrap
+
+ wrapProgram $out/bin/lldap-bootstrap \
+ --set LLDAP_SET_PASSWORD_PATH ${lldap}/bin/lldap_set_password \
+ --prefix PATH : ${
+ lib.makeBinPath [
+ curl
+ jq
+ jo
+ ]
+ }
+ '';
+
+ meta = {
+ description = "Bootstrap script for LLDAP";
+ homepage = "https://github.com/lldap/lldap";
+ changelog = "https://github.com/lldap/lldap/blob/v${lldap-bootstrap.version}/CHANGELOG.md";
+ license = lib.licenses.gpl3Only;
+ platforms = lib.platforms.linux;
+ maintainers = with lib.maintainers; [
+ bendlas
+ ibizaman
+ ];
+ mainProgram = "lldap-bootstrap";
+ };
+}
--
2.49.0

View file

@ -1,15 +1,89 @@
From 714063011540d5ea5f172475cc7db2a4e1c25fa6 Mon Sep 17 00:00:00 2001
From 75d2190cde1df122027496bbfcb9eda7d5aab102 Mon Sep 17 00:00:00 2001
From: ibizaman <ibizaman@tiserbox.com>
Date: Wed, 13 Aug 2025 08:15:12 +0200
Subject: [PATCH 4/4] lldap: add ensure options
Date: Wed, 13 Aug 2025 08:14:38 +0200
Subject: [PATCH 1/2] lldap-bootstrap: init 0.6.2
---
nixos/modules/services/databases/lldap.nix | 355 ++++++++++++++++++++-
nixos/tests/lldap.nix | 143 ++++++++-
2 files changed, 490 insertions(+), 8 deletions(-)
pkgs/by-name/ll/lldap-bootstrap/package.nix | 57 +++++++++++++++++++++
1 file changed, 57 insertions(+)
create mode 100644 pkgs/by-name/ll/lldap-bootstrap/package.nix
diff --git a/pkgs/by-name/ll/lldap-bootstrap/package.nix b/pkgs/by-name/ll/lldap-bootstrap/package.nix
new file mode 100644
index 00000000000000..8b9a915b18f4d9
--- /dev/null
+++ b/pkgs/by-name/ll/lldap-bootstrap/package.nix
@@ -0,0 +1,57 @@
+{
+ curl,
+ fetchFromGitHub,
+ jq,
+ jo,
+ lib,
+ lldap,
+ lldap-bootstrap,
+ makeWrapper,
+ stdenv,
+}:
+let
+ version = "0.6.2";
+in
+stdenv.mkDerivation {
+ pname = "lldap-bootstrap";
+ inherit version;
+
+ src = fetchFromGitHub {
+ owner = "lldap";
+ repo = "lldap";
+ rev = "v${version}";
+ hash = "sha256-UBQWOrHika8X24tYdFfY8ETPh9zvI7/HV5j4aK8Uq+Y=";
+ };
+
+ dontBuild = true;
+
+ nativeBuildInputs = [ makeWrapper ];
+
+ installPhase = ''
+ mkdir -p $out/bin
+ cp ./scripts/bootstrap.sh $out/bin/lldap-bootstrap
+
+ wrapProgram $out/bin/lldap-bootstrap \
+ --set LLDAP_SET_PASSWORD_PATH ${lldap}/bin/lldap_set_password \
+ --prefix PATH : ${
+ lib.makeBinPath [
+ curl
+ jq
+ jo
+ ]
+ }
+ '';
+
+ meta = {
+ description = "Bootstrap script for LLDAP";
+ homepage = "https://github.com/lldap/lldap";
+ changelog = "https://github.com/lldap/lldap/blob/v${lldap-bootstrap.version}/CHANGELOG.md";
+ license = lib.licenses.gpl3Only;
+ platforms = lib.platforms.linux;
+ maintainers = with lib.maintainers; [
+ bendlas
+ ibizaman
+ ];
+ mainProgram = "lldap-bootstrap";
+ };
+}
From 6d55fbc42a2d71b6d7ad29c84c1c0774971f9f6a Mon Sep 17 00:00:00 2001
From: ibizaman <ibizaman@tiserbox.com>
Date: Wed, 13 Aug 2025 08:15:12 +0200
Subject: [PATCH 2/2] lldap: add ensure options
---
nixos/modules/services/databases/lldap.nix | 372 ++++++++++++++++++++-
nixos/tests/lldap.nix | 143 +++++++-
2 files changed, 498 insertions(+), 17 deletions(-)
diff --git a/nixos/modules/services/databases/lldap.nix b/nixos/modules/services/databases/lldap.nix
index 1095021b3f35..6b5d2be44f43 100644
index 3738dba506a707..6b5d2be44f4373 100644
--- a/nixos/modules/services/databases/lldap.nix
+++ b/nixos/modules/services/databases/lldap.nix
@@ -8,6 +8,84 @@
@ -305,7 +379,7 @@ index 1095021b3f35..6b5d2be44f43 100644
};
config = lib.mkIf cfg.enable {
@@ -183,15 +455,60 @@ in
@@ -183,25 +455,77 @@ in
(cfg.settings.ldap_user_pass_file or null) == null || (cfg.settings.ldap_user_pass or null) == null;
message = "lldap: Both `ldap_user_pass` and `ldap_user_pass_file` settings should not be set at the same time. Set one to `null`.";
}
@ -363,17 +437,27 @@ index 1095021b3f35..6b5d2be44f43 100644
lldap: Unsecure `ldap_user_pass` setting is used. Prefer `ldap_user_pass_file` instead.
''
- ]
- ++ lib.optionals
- ++
- lib.optionals
- (cfg.settings.force_ldap_user_pass_reset == false && cfg.silenceForceUserPassResetWarning == false)
- [
- ''
- lldap: The `force_ldap_user_pass_reset` setting is set to `false` which means
- the admin password can be changed through the UI and will drift from the one defined in your nix config.
- It also means changing the setting `ldap_user_pass` or `ldap_user_pass_file` will have no effect on the admin password.
- Either set `force_ldap_user_pass_reset` to `"always"` or silence this warning by setting the option `services.lldap.silenceForceUserPassResetWarning` to `true`.
- ''
- ];
+ ])
+ ++ (lib.optionals
(cfg.settings.force_ldap_user_pass_reset == false && cfg.silenceForceUserPassResetWarning == false)
[
''
@@ -200,7 +517,15 @@ in
It also means changing the setting `ldap_user_pass` or `ldap_user_pass_file` will have no effect on the admin password.
Either set `force_ldap_user_pass_reset` to `"always"` or silence this warning by setting the option `services.lldap.silenceForceUserPassResetWarning` to `true`.
''
- ];
+ (cfg.settings.force_ldap_user_pass_reset == false && cfg.silenceForceUserPassResetWarning == false)
+ [
+ ''
+ lldap: The `force_ldap_user_pass_reset` setting is set to `false` which means
+ the admin password can be changed through the UI and will drift from the one defined in your nix config.
+ It also means changing the setting `ldap_user_pass` or `ldap_user_pass_file` will have no effect on the admin password.
+ Either set `force_ldap_user_pass_reset` to `"always"` or silence this warning by setting the option `services.lldap.silenceForceUserPassResetWarning` to `true`.
+ ''
+ ]
+ )
+ ++ (lib.optionals (!cfg.enforceUserMemberships && someUsersBelongToNonEnsuredGroup) [
@ -386,7 +470,7 @@ index 1095021b3f35..6b5d2be44f43 100644
systemd.services.lldap = {
description = "Lightweight LDAP server (lldap)";
@@ -223,6 +548,28 @@ in
@@ -224,6 +548,28 @@ in
+ ''
${lib.getExe cfg.package} run --config-file ${format.generate "lldap_config.toml" cfg.settings}
'';
@ -416,7 +500,7 @@ index 1095021b3f35..6b5d2be44f43 100644
StateDirectory = "lldap";
StateDirectoryMode = "0750";
diff --git a/nixos/tests/lldap.nix b/nixos/tests/lldap.nix
index 8e38d4bdefa3..47d32c7a2a7b 100644
index 8e38d4bdefa31d..47d32c7a2a7bbc 100644
--- a/nixos/tests/lldap.nix
+++ b/nixos/tests/lldap.nix
@@ -1,6 +1,9 @@
@ -613,6 +697,3 @@ index 8e38d4bdefa3..47d32c7a2a7b 100644
+ raise Exception(f'Unexpected value for attribute "mygroupattribute": {othergroup.get('mygroupattribute')}')
'';
}
--
2.49.0