From 334d622ec72c79a23bc5102f424ca535685e3dfb Mon Sep 17 00:00:00 2001
From: Kai Wohlfahrt
Date: Sun, 5 Jun 2022 20:03:46 +0100
Subject: [PATCH] openldap: test starting with empty DB

This addresses the original concern behind #92544
---
 nixos/modules/services/databases/openldap.nix | 5 ++++-
 nixos/tests/openldap.nix | 18 ++++++++++++++----
 2 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/nixos/modules/services/databases/openldap.nix b/nixos/modules/services/databases/openldap.nix
index 167eba16b99d..608e88938b43 100644
--- a/nixos/modules/services/databases/openldap.nix
+++ b/nixos/modules/services/databases/openldap.nix
@@ -236,7 +236,10 @@ in {
 writeConfig = pkgs.writeShellScript "openldap-config" ''
 set -euo pipefail
- ${lib.optionalString (!cfg.mutableConfig) "rm -rf ${configDir}/*"}
+ ${lib.optionalString (!cfg.mutableConfig) ''
+ chmod -R u+w ${configDir}
+ rm -rf ${configDir}/*
+ ''}
 if [ ! -e "${configDir}/cn=config.ldif" ]; then
 ${openldap}/bin/slapadd -F ${configDir} -bcn=config -l ${settingsFile}
 fi
diff --git a/nixos/tests/openldap.nix b/nixos/tests/openldap.nix
index b31df594a36d..04e2650e3808 100644
--- a/nixos/tests/openldap.nix
+++ b/nixos/tests/openldap.nix
@@ -81,12 +81,17 @@ in {
 };
 };
 };
- declarativeContents."dc=example" = dbContents;
 };
 specialisation = {
+ declarativeContents.configuration = { ... }: {
+ services.openldap.declarativeContents."dc=example" = dbContents;
+ };
 mutableConfig.configuration = { ... }: {
- services.openldap.mutableConfig = true;
+ services.openldap = {
+ declarativeContents."dc=example" = dbContents;
+ mutableConfig = true;
+ };
 };
 manualConfigDir = {
 inheritParentConfig = false;
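Review bot: In the new `optionalString` body of `writeConfig`, `${configDir}` is interpolated unquoted into `chmod -R u+w` and `rm -rf`, while the `[ ! -e "${configDir}/cn=config.ldif" ]` test just below quotes it. Because this is a Nix interpolation, `set -u` cannot catch an empty value, and a path containing whitespace or glob characters would make both recursive commands act on paths other than the intended one; I would write `chmod -R u+w ${lib.escapeShellArg configDir}` and `rm -rf ${lib.escapeShellArg configDir}/*`. Also, under `set -e` the added `chmod -R` aborts the script when the directory does not exist yet, which the old `rm -rf` did not; the hunk does not show whether the directory is created before this script runs, so that is worth confirming for a first start. `writeConfig` begins before and continues past this hunk.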
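Review bot: Nothing in the base configuration now records that `declarativeContents` was left out on purpose, so a later edit could put it back and silently stop exercising the empty-database start. A one-line comment above `specialisation = {` would do, for example `# Base system deliberately has no declarativeContents: it must start with an empty DB.`. The enclosing node definition starts and ends outside this hunk.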
@@ -108,9 +113,14 @@ in {
 olcRootPW: foobar
 '';
 in ''
+ # Test startup with empty DB
 machine.wait_for_unit("openldap.service")
- machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword -b "dc=example"')
- machine.fail('ldapmodify -D cn=root,cn=config -w configpassword -f ${pkgs.writeText "rootpw.ldif" changeRootPw}')
+
+ with subtest("declarative contents"):
+ machine.succeed('${specializations}/declarativeContents/bin/switch-to-configuration test')
+ machine.wait_for_unit("openldap.service")
+ machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword -b "dc=example"')
+ machine.fail('ldapmodify -D cn=root,cn=config -w configpassword -f ${pkgs.writeText "rootpw.ldif" changeRootPw}')
 with subtest("mutable config"):
 machine.succeed('${specializations}/mutableConfig/bin/switch-to-configuration test')
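Review bot: The empty-database case under `# Test startup with empty DB` is covered only by `machine.wait_for_unit("openldap.service")`, which shows that the unit became active but not that slapd accepts a bind or that the database really is empty. An explicit check would make a regression visible, for example asserting that the `ldapsearch` for `-b "dc=example"` used in the next subtest returns no entries at this point (likely "No such object", but confirm the exit status before pinning it). The `machine.fail('ldapmodify …')` assertion is meaningful only because the `ldapsearch` before it proves the server is reachable, so those two should stay in that order. The test script starts before and continues after this hunk.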