From 262e883554db5c63e1f75df04ec5a88b725880cc Mon Sep 17 00:00:00 2001 From: Nicolas Pierron Date: Sun, 30 Oct 2011 18:46:31 +0000 Subject: [PATCH] Add more options for LDAP module. (timeLimit, bind.timeLimit, bind.policy) Patch by Rickard Nilsson. svn path=/nixos/trunk/; revision=30138 --- modules/config/ldap.nix | 42 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/modules/config/ldap.nix b/modules/config/ldap.nix index 4c2924b5975e..3821482361f7 100644 --- a/modules/config/ldap.nix +++ b/modules/config/ldap.nix @@ -39,6 +39,16 @@ let "; }; + timeLimit = mkOption { + default = 0; + type = with pkgs.lib.types; int; + description = " + Specifies the time limit (in seconds) to use when performing + searches. A value of zero (0), which is the default, is to + wait indefinitely for searches to be completed. + "; + }; + bind = { distinguishedName = mkOption { default = ""; 
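Review bot: The new `timeLimit` option defaults to `0`, which its own description defines as waiting indefinitely, but the description does not say what that means for the host. If nss_ldap lookups sit on the login or authorization path, as seems likely, an unresponsive directory server could stall them with no upper bound. I would add a sentence to the description such as `Note that with 0 an unresponsive server can block name-service lookups indefinitely; set a finite value on hosts that must stay reachable when LDAP is down.` The `int` type also accepts negative values, so the description should say the value is expected to be non-negative. The enclosing `let` block starts and ends outside this hunk.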
@@ -58,6 +68,35 @@ let to the LDAP server (if not binding anonymously). "; }; + + timeLimit = mkOption { + default = 30; + type = with pkgs.lib.types; int; + description = " + Specifies the time limit (in seconds) to use when connecting + to the directory server. This is distinct from the time limit + specified in users.ldap.timeLimit and affects + the initial server connection only. + "; + }; + + policy = mkOption { + default = "hard_open"; + type = with pkgs.lib.types; string; + description = " + Specifies the policy to use for reconnecting to an unavailable + LDAP server. The default is hard_open, which + reconnects if opening the connection to the directory server + failed. By contrast, hard_init reconnects if + initializing the connection failed. Initializing may not + actually contact the directory server, and it is possible that + a malformed configuration file will trigger reconnection. If + soft is specified, then + nss_ldap will return immediately on server + failure. All hard reconnect policies block with exponential + backoff before retrying. + "; + }; }; }; @@ -82,6 +121,9 @@ mkIf config.users.ldap.enable { '' uri ${config.users.ldap.server} base ${config.users.ldap.base} + timelimit ${toString config.users.ldap.timeLimit} + bind_timelimit ${toString config.users.ldap.bind.timeLimit} + bind_policy ${config.users.ldap.bind.policy} ${optionalString config.users.ldap.useTLS '' ssl start_tls
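Review bot: `bind.policy` is typed as a free-form `string`, yet the description lists exactly three accepted values (`hard_open`, `hard_init`, `soft`). The value is written unchecked into the generated config as `bind_policy ${config.users.ldap.bind.policy}` in the following hunk. A typo or stray whitespace would therefore only surface at runtime, as whatever nss_ldap does with an unknown policy, rather than at evaluation time. If the lib in this tree provides an enum type, I would use `type = with pkgs.lib.types; enum [ "hard_open" "hard_init" "soft" ];`; otherwise, add an assertion that checks membership in that list. The description should also state the availability trade-off: the hard policies block with backoff while the server is down, whereas `soft` fails lookups immediately. The final hunk's trailing context may continue past the visible text.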