Merge pull request #1292 from jozko/openldap-fixes

Added openldap user, group and configure service so its not running as root
2013-11-28 13:40:11 -08:00 · 2013-11-28 13:40:11 -08:00 · 4da388351a
commit 4da388351a
parent 32fbf27bc3 cb691265b6
2 changed files with 27 additions and 2 deletions
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@ -107,6 +107,7 @@
      redis = 96;
      haproxy = 97;
      mongodb = 98;
+      openldap = 99;

      # When adding a uid, make sure it doesn't match an existing gid.

@ -194,6 +195,7 @@
      amule = 90;
      minidlna = 91;
      haproxy = 92;
+      openldap = 93;

      # When adding a gid, make sure it doesn't match an existing uid.

--- a/nixos/modules/services/databases/openldap.nix
+++ b/nixos/modules/services/databases/openldap.nix
@ -26,6 +26,16 @@ in
        ";
      };

+      user = mkOption {
+        default = "openldap";
+        description = "User account under which slapd runs.";
+      };
+
+      group = mkOption {
+        default = "openldap";
+        description = "Group account under which slapd runs.";
+      };
+
      extraConfig = mkOption {
        default = "";
        description = "
@ -49,10 +59,23 @@ in
      after = [ "network.target" ];
      preStart = ''
        mkdir -p /var/run/slapd
+        chown -R ${cfg.user}:${cfg.group} /var/run/slapd
+        mkdir -p /var/db/openldap
+        chown -R ${cfg.user}:${cfg.group} /var/db/openldap
      '';
-      serviceConfig.ExecStart = "${openldap}/libexec/slapd -d 0 -f ${configFile}";
+      serviceConfig.ExecStart = "${openldap}/libexec/slapd -u openldap -g openldap -d 0 -f ${configFile}";
    };

-  };
+    users.extraUsers = optionalAttrs (cfg.user == "openldap") (singleton
+      { name = "openldap";
+        group = "openldap";
+        uid = config.ids.uids.openldap;
+      });

+    users.extraGroups = optionalAttrs (cfg.group == "openldap") (singleton
+      { name = "openldap";
+        gid = config.ids.gids.openldap;
+     });
+
+  };
 }