Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

nixos/openldap: add option for configuring OpenLDAP package to use #91963

Merged
merged 1 commit into from Jul 2, 2020

Conversation

@tazjin
Copy link
Member

tazjin commented Jul 1, 2020

Motivation for this change

In certain cases, for example when custom OpenLDAP modules are
compiled into the binary, users may want to override the package used
for OpenLDAP.

This is especially common in setups where LDAP is the primary
authentication source, as good password hashing mechanisms need to be
enabled as extra modules.

Concretely this came up because we have enabled the Argos2 module in a deployment and the only way to update the OpenLDAP package was via an override in the package set, which causes extremely widespread rebuilds (as packages such as Python or GPG depend on OpenLDAP).

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
@tazjin tazjin requested a review from ciil Jul 1, 2020
Copy link
Member

ciil left a comment

Seems reasonable overall, but I'd really like the documentation to be very clear here what this option does, because it's not like there are multiple openldap packages (like specific versions or open/closed source alternatives) in standard nixpkgs so this might confuse some people.

default = pkgs.openldap;
description = ''
Package to use for OpenLDAP. This can be overridden if
custom modules or other similar features are necessary.

This comment has been minimized.

@ciil

ciil Jul 1, 2020 Member

Could you clarify the description some more to make it clear that we always mean an openldap package, just that it can be a custom OpenLDAP package with an override to enable specific features or modules.

This comment has been minimized.

@tazjin

tazjin Jul 1, 2020 Author Member

Cool, I've updated the description - what do you think?

In certain cases, for example when custom OpenLDAP modules are
compiled into the binary, users may want to override the package used
for OpenLDAP.

This is especially common in setups where LDAP is the primary
authentication source, as good password hashing mechanisms need to be
enabled as extra modules.
@tazjin tazjin force-pushed the tazjin:feat/openldap-package branch from d2c9175 to c0122d3 Jul 1, 2020
@ciil
ciil approved these changes Jul 1, 2020
Copy link
Member

ciil left a comment

Nice!

@edef1c
Copy link
Member

edef1c commented Jul 1, 2020

@ofborg test openldap

@edef1c edef1c merged commit e226b12 into NixOS:master Jul 2, 2020
2 checks passed
2 checks passed
tests.openldap on aarch64-linux Success
Details
tests.openldap on x86_64-linux Success
Details
@tazjin tazjin deleted the tazjin:feat/openldap-package branch Jul 2, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

3 participants
You can’t perform that action at this time.