* Generate the LDAP configuration automatically.

svn path=/nixos/trunk/; revision=7698
This commit is contained in:
Eelco Dolstra 2007-01-16 16:09:43 +00:00
parent 07506308d6
commit 9866132d81
5 changed files with 84 additions and 5 deletions


@ -33,7 +33,7 @@ done
# Various log directories.
mkdir -m 0755 -p /var/run
echo -n > /var/run/utmp # must exist
touch /var/run/utmp # must exist
chmod 644 /var/run/utmp
mkdir -m 0755 -p /var/log


@ -1,5 +1,12 @@
{pkgs, upstartJobs, systemPath, wrapperDir}:
{config, pkgs, upstartJobs, systemPath, wrapperDir}:
let
optional = option: file:
if config.get option then [file] else [];
in
import ../helpers/make-etc.nix {
inherit (pkgs) stdenv;
@ -68,14 +75,28 @@ import ../helpers/make-etc.nix {
};
target = "profile";
}
]
# LDAP configuration.
++ (optional ["users" "ldap" "enable"] {
source = import etc/ldap.conf.nix {
inherit (pkgs) writeText;
inherit config;
};
target = "ldap.conf";
})
# A bunch of PAM configuration files for various programs.
++ (map
(program:
{ source = pkgs.substituteAll {
src = ./etc/pam.d + ("/" + program);
inherit (pkgs) pam_unix2 pam_ldap;
inherit (pkgs) pam_unix2;
pam_ldap =
if config.get ["users" "ldap" "enable"]
then pkgs.pam_ldap
else "/no-such-path";
};
target = "pam.d/" + program;
}
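Review bot: The `else "/no-such-path"` branch for `pam_ldap` leaves every pam_ldap reference in the generated pam.d files pointing at a module that does not exist, and whether PAM then denies the login or skips the line depends on the control flag each service file uses, which is not visible on this page. That deserves a comment at the substitution site, e.g. `# LDAP disabled: point the pam_ldap placeholder at a nonexistent path so those pam.d lines fail to load; the pam.d files must tolerate this.`, or better, the pam.d templates could omit the pam_ldap lines when `users.ldap.enable` is false rather than rely on a dangling path. The new `optional` helper at the top of the file would serve for that as well. The enclosing `import ../helpers/make-etc.nix { ... }` expression continues outside the hunk.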

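--- /dev/null
+++ b/system/etc/ldap.conf.nix
+{writeText, config}:
+# Careful: OpenLDAP seems to be very picky about the indentation of
+# this file. Directives HAVE to start in the first column!
+writeText "ldap.conf" "
+uri ${config.get ["users" "ldap" "server"]}
+base ${config.get ["users" "ldap" "base"]}
+${
+if config.get ["users" "ldap" "useTLS"] then "
+ssl start_tls
+tls_checkpeer no
+" else ""
+}
+"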
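Review bot: `tls_checkpeer no` in the useTLS branch disables verification of the directory server's certificate, so STARTTLS as generated here protects only against passive eavesdropping; anyone able to redirect the connection can present their own certificate and answer both PAM authentication and NSS user/group lookups. If an unverified connection is the intent, say so next to the directive, e.g. `# tls_checkpeer no: the server certificate is NOT verified, only the transport is encrypted`; otherwise a CA file option emitted as `tls_cacertfile` would let the peer be checked. The `server` and `base` values are also interpolated into the file unescaped, so a value containing a newline becomes an additional directive; a comment stating that these options are trusted configuration, or a check rejecting such values, would make that assumption explicit. The file is new and complete within the hunk.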


@ -533,4 +533,43 @@
}
{
name = ["users" "ldap" "enable"];
default = false;
description = "
Whether to enable authentication against an LDAP server.
";
}
{
name = ["users" "ldap" "server"];
example = "ldap://ldap.example.org/";
description = "
The URL of the LDAP server.
";
}
{
name = ["users" "ldap" "base"];
example = "dc=example,dc=org";
description = "
The distinguished name of the search base.
";
}
{
name = ["users" "ldap" "useTLS"];
default = false;
description = "
If enabled, use TLS (encryption) over an LDAP (port 389)
connection. The alternative is to specify an LDAPS server (port
636) in <option>users.ldap.server</option> or to forego
security.
";
}
]
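Review bot: The description of `users.ldap.enable` says only "authentication", but elsewhere in this commit enabling it also adds nss_ldap to the NSS modules and installs ldap.conf, so user and group resolution is delegated to the directory as well. A fuller description would be `Whether to enable authentication and user/group lookups (NSS) against an LDAP server.`. The `useTLS` description could likewise note that the generated ldap.conf encrypts the connection but does not verify the server's certificate, since "use TLS" suggests both. The surrounding options list closes with the `]` context line here but starts outside the hunk.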


@ -116,7 +116,8 @@ rec {
# NSS modules. Hacky!
nssModules = [pkgs.nss_ldap];
nssModules =
if config.get ["users" "ldap" "enable"] then [pkgs.nss_ldap] else [];
nssModulesPath = pkgs.lib.concatStrings (pkgs.lib.intersperse ":"
(map (mod: mod + "/lib") nssModules));
@ -130,7 +131,7 @@ rec {
# The static parts of /etc.
etc = import ./etc.nix {
inherit pkgs upstartJobs systemPath wrapperDir;
inherit config pkgs upstartJobs systemPath wrapperDir;
};
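Review bot: In the first hunk, `config.get ["users" "ldap" "enable"]` is now evaluated here and at two more sites in etc.nix, so the three places can drift if the option path is ever renamed. Since etc.nix already receives `config`, a single `ldapEnabled = config.get ["users" "ldap" "enable"];` binding in this `rec { ... }` passed down to etc.nix would keep them in step. The enclosing `rec { ... }` starts and ends outside the hunk.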