New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos/openldap: switch to slapd.d configuration with structured settings #94610
Conversation
5b83e7a
to
60593a5
Compare
I've removed the static UIDs/GIDs as suggested in NixOS/rfcs#52, I think this is backwards compatible.
|
@GrahamcOfBorg eval |
@GrahamcOfBorg build openldap |
@GrahamcOfBorg test openldap |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the review, I've committed the suggestions.
I'm a bit confused about the grahamcofborg-eval
failure (This PR does not cleanly list package outputs after merging.
), with the error message:
nix-env failed:
warning: ignoring the user-specified setting 'restrict-eval', because it is a restricted setting and you are not a trusted user
error: stack overflow (possible infinite recursion)
I'm not sure what in this change triggers this, or what I can do to resolve it so advice is appreciated.
I can reproduce this by building the manual: $ nix-build nixos/release.nix -A manual
error: stack overflow (possible infinite recursion) |
Ah, the reason seems to be here:
Is there a way to override the documentation type for this case, so it doesn't go into the infinite recursion here? |
Maybe |
I think this is fixed now, by simply marking all options below the top-level of |
|
upstream. Please migrate to `services.openldap.settings`. | ||
|
||
You can run: | ||
slapcat -F ${configDir} -n0 -H 'ldap:///???(!(objectClass=olcSchemaConfig))' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I get:
$ slapcat -F /etc/openldap/slapd.d -n0 -H 'ldap:///???(!(objectClass=olcSchemaConfig))'
5f395c1f invalid config directory /etc/openldap/slapd.d, error 2
I think we should include that you need to deploy your old configuration at least once before the directory is created?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Using this configuration: https://github.com/Mic92/dotfiles/blob/master/nixos/eve/modules/openldap/default.nix#L19
it also seems to not pick up yet my schema:
● openldap.service - LDAP server
Loaded: loaded (/nix/store/a0vf2f37b63h1cziws81ml9f4m0v4cv2-unit-openldap.service/openldap.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Sun 2020-08-16 16:41:32 UTC; 6min ago
Process: 6127 ExecStartPre=/nix/store/0fyrxmxa7ibkca2b4n3pjwfr536n3579-unit-script-openldap-pre-start/bin/openldap-pre-start (code=exited, status=1/FAILURE)
IP: 0B in, 0B out
CPU: 36ms
Aug 16 16:41:32 eve systemd[1]: Starting LDAP server...
Aug 16 16:41:32 eve openldap-pre-start[6184]: config file testing succeeded
Aug 16 16:41:32 eve slaptest[6184]: DIGEST-MD5 common mech free
Aug 16 16:41:32 eve openldap-pre-start[6306]: 5f3961bc olcObjectClasses: value #0 olcObjectClasses: ObjectClass not found: "uidObject"
Aug 16 16:41:32 eve openldap-pre-start[6306]: 5f3961bc config error processing cn=config: olcObjectClasses: ObjectClass not found: "uidObject"
Aug 16 16:41:32 eve openldap-pre-start[6306]: slaptest: bad configuration directory!
Aug 16 16:41:32 eve systemd[1]: openldap.service: Control process exited, code=exited, status=1/FAILURE
Aug 16 16:41:32 eve systemd[1]: openldap.service: Failed with result 'exit-code'.
Aug 16 16:41:32 eve systemd[1]: Failed to start LDAP server.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should include that you need to deploy your old configuration at least once before the directory is created?
Yes, good point.
I'll check out the schema issue.
e2dcd5b
to
be6963a
Compare
Does it not include the schemas?
|
I think the schemas are correctly included by openldap. |
Hm, I'm surprised that this PR caused changes here. Could you post the shell commands to reproduce after deployment? I'm assuming something like:
Anything else? Are you using a Could you try loading your schema with |
OK, I think all comments are addressed. Overall, I think it might be nice to keep the top-level I'd also like some way of defaulting Apart from those two points, I think this is ready to go now. |
The old slapd.conf is deprecated. Replace with slapd.d, and use this opportunity to write some structured settings. Incidentally, this fixes the fact that openldap is reported up before any checks have completed, by using forking mode.
Adding by index could be an issue if the user wanted the data to be added to a DB other than the first.
Instead of deprecating, as per PR feedback
This offers less helpful warnings, but makes the implementation considerably more straightforward.
Use this as a test of the migration warnings/functionality.
@Mic92 and @infinisil, thanks for the review. I think I've addressed all of the comments here and resolved the merge conflict. Is there anything else here that requires more discussion/work? |
Thanks. This looks a lot better now: Mic92/dotfiles@d1eb62a |
Motivation for this change
The current configuration options are rather limited (without escaping from NixOS via
configDir
orextraConfig
).Second, the use of
slapd.conf
, which is what NixOS currently generates, is deprecated upstream. As a result,extraConfig
is not a good long-term solution for complex configurations (andconfigDir
completely removes the configuration from NixOS's control, so this is not a good solution either).Things done
services.openldap.settings
, that mirrors the structure of OpenLDAP's configuration. This is used to generate an LDIF file to load and test the configuration at run-time.extraConfig
andextraDatabaseConfig
. This is deprecated upstream. Provide instructions to hopefully ease migration.settings
. They could still be supported, but the current API is poor in some respects (e.g. support for only one database), so for now I've deprecated them pending discussion.Type = forking
, this way the service is not reported as up until it is ready to service requests.This conflicts with #92544 (sorry!). I'm happy to add support for initial (as opposed to declarative) contents on top of this PR but haven't included that work here to keep the scope down a little.
sandbox
innix.conf
on non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
./result/bin/
)nix path-info -S
before and after)