
openldap: enable sha2 and pbkdf2 modules #79286

Merged 1 commit into NixOS:master on May 22, 2020


@ju1m ju1m commented Feb 5, 2020

Motivation for this change

Being able to bind to LDAP using a SHA2 or PBKDF2 scheme in userPassword.

Things done

Build and install contrib/slapd-modules/passwd/{sha2,pbkdf2}/ already released within OpenLDAP.

  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits
@ofborg ofborg bot requested a review from lovek323 Feb 5, 2020
@FRidh FRidh added this to WIP in Staging via automation Feb 5, 2020
@FRidh FRidh moved this from WIP to Needs review in Staging Feb 5, 2020
@FRidh FRidh commented Feb 16, 2020

@ju1m I suggest finding people that can review and approve this PR. Typically that's the maintainer(s) or other people that have made (recent) changes.

@@ -51,9 +64,12 @@ stdenv.mkDerivation rec {
rm -rf $out/var
rm -r libraries/*/.libs
rm -r contrib/slapd-modules/passwd/*/.libs
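Review bot: the two `rm -r` lines in this hunk, including the `contrib/slapd-modules/passwd/*/.libs` one this PR adds, lack `-f`, so under stdenv's `set -e` the build aborts if the glob ever matches nothing (the unexpanded pattern is passed to rm), whereas `rm -rf $out/var` above tolerates absence; since the new line exists only to keep libtool's build-tree RPATH (the forbidden `/build/` reference reported for ldapsearch below) out of the output, consider `rm -rf contrib/slapd-modules/passwd/*/.libs` plus a one-line comment saying the contrib password modules need the same stripping as `libraries/*/.libs`.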

flokli Apr 28, 2020

Why is this necessary?

ju1m Apr 29, 2020
Author Contributor

There is a comment just above explaining it, which I'm naively following. Maybe this can be changed now that NixOS/patchelf#98 has been merged.

flokli Apr 29, 2020

Hm, I tried removing these three lines, but ran into

RPATH of binary /nix/store/3iwmkw16wvr5fcl7h3g49gh1jx5prsms-openldap-2.4.49/bin/ldapsearch contains a forbidden reference to /build/

So it's probably still necessary.

@flokli flokli commented Apr 29, 2020

It seems nixosTests.ldap currently is broken (even before this PR, see #86305), so there's currently no easy way to verify this works. How did you test it?


@ju1m ju1m commented Apr 29, 2020

I've only tested it on my live system. But I disabled it last February because it triggered the local build of too many reverse dependencies each time I was upgrading nixpkgs, which I could not afford.
Here's the module I'm using for that, the important fields being `olcModule*` and `olcPasswordHash`:

{ pkgs, lib, config, ... }:
let
  inherit (builtins) baseNameOf readFile;
  inherit (lib) types;
  # The attribute-set name was lost in extraction; the options used below
  # (enable, user, group, configDir, dataDir) are those of services.openldap.
  inherit (config.services) openldap;
  inherit (config.users) ldap;
  unlines = lib.concatStringsSep "\n";
  unlinesAttrs = f: as: unlines (lib.mapAttrsToList f as);
in
{
  options = {
    services.openldap.cnConfig = lib.mkOption {
      type = types.lines;
      description = "The cn=config in LDIF";
      # Write the LDIF to the store and append one "include:" per database,
      # each pointing at a generated file holding that database's conf plus
      # olcSuffix/olcDbDirectory (the attribute name is the suffix).
      apply = lines: pkgs.writeText "cn=config.ldif"
        (lines + "\n" + unlinesAttrs (olcSuffix: {conf, olcDbDirectory, ...}:
          "include: file://" + pkgs.writeText "config.ldif" (conf + ''
            olcSuffix: ${olcSuffix}
            olcDbDirectory: ${olcDbDirectory}
          '')
        ) openldap.databases);
      default = ''
        dn: cn=config
        objectClass: olcGlobal
        olcLogLevel: none
        olcToolThreads: 1

        dn: cn={0}module,cn=config
        objectClass: olcModuleList
        olcModulePath: ${pkgs.openldap}/lib/modules
        olcModuleLoad: pw-sha2
        olcModuleLoad: pw-pbkdf2
        olcModuleLoad: back_mdb

        # The first database is the special frontend database
        # whose settings are applied globally to all the other databases.
        # Beware that cn={0}module,cn=config must appear before this entry
        # so that olcPasswordHash can use the schemes provided by the modules.
        dn: olcDatabase={-1}frontend,cn=config
        objectClass: olcDatabaseConfig
        objectClass: olcFrontendConfig
        olcSizeLimit: 500
        # Allow unlimited access to local connection from the local root user
        olcAccess: to *
          by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
          by * break
        # Allow unauthenticated read access for schema and base DN autodiscovery
        olcAccess: to dn.exact=""
          by * read
        olcAccess: to dn.base="cn=Subschema"
          by * read
        # Hash algorithm to be used by LDAP Password Modify Extended Operation or the ppolicy overlay
        olcPasswordHash: {PBKDF2-SHA256}
        #olcPasswordHash: {SSHA}

        dn: olcDatabase={0}config,cn=config
        objectClass: olcDatabaseConfig
        olcRootDN: cn=admin,cn=config
        # Access to cn=config, system root can be manager
        # with SASL mechanism (-Y EXTERNAL) over unix socket (-H ldapi://)
        olcAccess: to *
          by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
          by * break

        dn: cn=schema,cn=config
        objectClass: olcSchemaConfig

        include: file://${pkgs.openldap}/etc/schema/core.ldif
        include: file://${pkgs.openldap}/etc/schema/cosine.ldif
        include: file://${pkgs.openldap}/etc/schema/nis.ldif
        include: file://${pkgs.openldap}/etc/schema/inetorgperson.ldif
      '';
    };
    services.openldap.databases = lib.mkOption {
      default = {};
      type = types.attrsOf (types.submodule ({name, options, config, ...}: {
        options = {
          conf = lib.mkOption {
            type = types.lines;
            description = "The database's config in LDIF.";
          };
          data = lib.mkOption {
            type = types.nullOr types.lines;
            # null means "do not (re)populate this database from LDIF".
            default = null;
            description = "The database's data in LDIF.";
          };
          olcDbDirectory = lib.mkOption {
            type = types.str;
            description = "The directory where the database is stored.";
            default = "${openldap.dataDir}/${name}";
          };
        };
      }));
    };
  };
  config = lib.mkIf openldap.enable {
    # The attribute name was lost in extraction; the comments below
    # ("before entering this preStart") identify it as the service's preStart.
    systemd.services.openldap.preStart = ''
      # olcDbDirectory must be created before adding the config.
      set -e
      install -D -d -m 0700 -o "${openldap.user}" -g "${openldap.group}" "${openldap.configDir}"
    '' +
    unlinesAttrs (olcSuffix: {data, olcDbDirectory, ...}: lib.optionalString (data != null) ''
      # A database with inline data is rebuilt from scratch on every start.
      rm -rf "${olcDbDirectory}"
      install -D -d -m 0700 -o "${openldap.user}" -g "${openldap.group}" "${olcDbDirectory}"
    '') openldap.databases
    # slapd is supposed to have been stopped by systemd
    # before entering this preStart,
    # hence slap* commands can safely be used.
    # slapadd(8):
    # To populate the config database slapd-config(5),
    # use -n 0 as it is always the first database.
    # It must physically exist on the filesystem prior to this, however.
    + ''
      umask 0077
      rm -rf "${openldap.configDir}"/cn=config
      ${pkgs.openldap}/bin/slapadd -n 0 \
        -F "${openldap.configDir}" \
        -l ${openldap.cnConfig}
      chown -R "${openldap.user}:${openldap.group}" "${openldap.configDir}"
    '' +
    unlinesAttrs (olcSuffix: {data, olcDbDirectory, ...}: lib.optionalString (data != null) ''
      ${pkgs.openldap}/bin/slapadd \
        -F "${openldap.configDir}" \
        -b ${olcSuffix} \
        -l ${pkgs.writeText "data.ldif" data}
    '' + ''
      test ! -e "${olcDbDirectory}" ||
      chown -R "${openldap.user}:${openldap.group}" "${olcDbDirectory}"
    '') openldap.databases;
  };
}
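The module above loads pw-sha2 and pw-pbkdf2 and selects {PBKDF2-SHA256} in olcPasswordHash, which is what the PR's motivation (binding with a SHA2 or PBKDF2 scheme in userPassword) depends on. The script below is an added example, not code from this PR or from OpenLDAP: it produces and verifies userPassword values in the on-disk formats of those two contrib modules, so you can pre-hash passwords for an LDIF (the `data` option above) or check what slapd stored after a Password Modify. Assumed from the modules' documented formats, not from this page: the pw-pbkdf2 layout `{PBKDF2-SHA256}<iterations>$<salt>$<key>` with salt and key in passlib-style adapted base64 ('+' replaced by '.', no '=' padding), a 16-byte salt, a 32-byte key and 10000 iterations by default; and the pw-sha2 salted layout `{SSHA256}base64(sha256(password || salt) || salt)`. Function names and the sample password are constructed for this example.

```python
"""Produce and verify userPassword values in the formats of OpenLDAP's
contrib pw-pbkdf2 and pw-sha2 modules.

Constructed example, not OpenLDAP code.  Format assumptions (taken from the
modules' documentation, not from this page):
  {PBKDF2-SHA256}<iterations>$<salt>$<key>
      salt and key in adapted base64 ('+' -> '.', no '=' padding),
      16-byte salt, 32-byte key, 10000 iterations by default
  {SSHA256}<base64(sha256(password || salt) || salt)>
      standard base64, the salt appended after the 32-byte digest
"""
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

PBKDF2_SCHEME = "{PBKDF2-SHA256}"
SSHA256_SCHEME = "{SSHA256}"
PBKDF2_ITERATIONS = 10000   # assumed module default
PBKDF2_SALT_LEN = 16        # assumed module default
PBKDF2_KEY_LEN = 32         # SHA-256 output size
SHA256_LEN = 32

_PBKDF2_RE = re.compile(
    r"^\{PBKDF2-SHA256\}(\d+)\$([A-Za-z0-9./]+)\$([A-Za-z0-9./]+)$")


def _ab64_encode(raw: bytes) -> str:
    """Adapted base64: standard alphabet with '+' -> '.', padding stripped."""
    return base64.b64encode(raw).decode("ascii").rstrip("=").replace("+", ".")


def _ab64_decode(text: str) -> bytes:
    """Inverse of _ab64_encode; re-adds the padding b64decode requires."""
    b64 = text.replace(".", "+")
    return base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)


def pbkdf2_sha256_hash(password: str, salt: Optional[bytes] = None,
                       iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a {PBKDF2-SHA256} userPassword value for `password`."""
    if salt is None:
        salt = os.urandom(PBKDF2_SALT_LEN)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              iterations, PBKDF2_KEY_LEN)
    return f"{PBKDF2_SCHEME}{iterations}${_ab64_encode(salt)}${_ab64_encode(key)}"


def pbkdf2_sha256_verify(password: str, stored: str) -> bool:
    """Check `password` against a stored {PBKDF2-SHA256} value."""
    m = _PBKDF2_RE.match(stored)
    if m is None:
        return False
    iterations = int(m.group(1))
    try:
        salt = _ab64_decode(m.group(2))
        expected = _ab64_decode(m.group(3))
    except ValueError:          # binascii.Error is a ValueError
        return False
    if iterations < 1 or len(expected) != PBKDF2_KEY_LEN:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, PBKDF2_KEY_LEN)
    # Constant-time compare so the check itself does not leak via timing.
    return hmac.compare_digest(actual, expected)


def ssha256_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a salted {SSHA256} userPassword value (pw-sha2 layout)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return SSHA256_SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha256_verify(password: str, stored: str) -> bool:
    """Check `password` against a stored {SSHA256} value."""
    if not stored.startswith(SSHA256_SCHEME):
        return False
    try:
        raw = base64.b64decode(stored[len(SSHA256_SCHEME):], validate=True)
    except ValueError:
        return False
    digest, salt = raw[:SHA256_LEN], raw[SHA256_LEN:]
    if len(digest) != SHA256_LEN:
        return False
    actual = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(actual, digest)


def verify_userpassword(password: str, stored: str) -> bool:
    """Dispatch on the scheme prefix, as slapd does when picking a module."""
    if stored.startswith(PBKDF2_SCHEME):
        return pbkdf2_sha256_verify(password, stored)
    if stored.startswith(SSHA256_SCHEME):
        return ssha256_verify(password, stored)
    return False   # unknown or unloaded scheme: refuse rather than guess


if __name__ == "__main__":
    pw = "correct horse battery staple"   # constructed sample password
    for h in (pbkdf2_sha256_hash(pw), ssha256_hash(pw)):
        print(h, verify_userpassword(pw, h), verify_userpassword("wrong", h))
```

A value produced by `pbkdf2_sha256_hash` can be pasted straight into a `userPassword:` line of the `data` LDIF; a value read back with `ldapsearch` after a Password Modify should verify with `verify_userpassword` as long as the module's defaults match the assumptions stated above. Unknown prefixes are rejected on purpose: if `cn={0}module` is missing from cn=config, slapd will likewise fail every bind against these schemes rather than fall back to plaintext.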

@flokli flokli commented Apr 29, 2020

@ju1m interesting - this looks similar to nixosTests.ldap. Maybe you could contribute to #86305?

I'd be fine with merging this PR, if you can test it once more, rebased on latest master.

@flokli flokli commented May 22, 2020

Okay, let's merge this. If this unexpectedly breaks anything, it can be fixed in a follow-up PR.

@flokli flokli merged commit 98efbe9 into NixOS:master May 22, 2020
15 checks passed
openldap on aarch64-linux Success
openldap on x86_64-linux Success
Staging automation moved this from Needs review to Done May 22, 2020
@marsam marsam commented May 22, 2020

This breaks openldap on darwin #88634
