authorKai Wohlfahrt <kai.wohlfahrt@gmail.com>2020-08-02 23:52:37 +0100
committerKai Wohlfahrt <kai.wohlfahrt@gmail.com>2020-11-21 15:39:19 +0000
commit1fde3c35619bd445357077d816c72b0e589e0775 (patch)
treecbb1a8a1ffdb77737339bf5101c98c6030ba397c /nixos/tests
parentc18b90b5b90bd20c421ffe795420ad501e6613c7 (diff)
nixos/openldap: switch to slapd.d configuration
The old slapd.conf is deprecated. Replace with slapd.d, and use this opportunity to write some structured settings. Incidentally, this fixes the fact that openldap is reported up before any checks have completed, by using forking mode.
Diffstat (limited to 'nixos/tests')
-rw-r--r--nixos/tests/openldap.nix163
1 files changed, 138 insertions, 25 deletions
diff --git a/nixos/tests/openldap.nix b/nixos/tests/openldap.nix
index f8321a2c522d..33b7b7f6608a 100644
--- a/nixos/tests/openldap.nix
+++ b/nixos/tests/openldap.nix
@@ -1,33 +1,146 @@
-import ./make-test-python.nix {
- name = "openldap";
-
- machine = { pkgs, ... }: {
- services.openldap = {
- enable = true;
- suffix = "dc=example";
- rootdn = "cn=root,dc=example";
- rootpw = "notapassword";
- database = "bdb";
- extraDatabaseConfig = ''
- directory /var/db/openldap
- '';
- declarativeContents = ''
- dn: dc=example
- objectClass: domain
- dc: example
-
- dn: ou=users,dc=example
- objectClass: organizationalUnit
- ou: users
- '';
- };
- };
+{ pkgs, system ? builtins.currentSystem, ... }: let
+ declarativeContents = ''
+ dn: dc=example
+ objectClass: domain
+ dc: example
+ dn: ou=users,dc=example
+ objectClass: organizationalUnit
+ ou: users
+ '';
testScript = ''
machine.wait_for_unit("openldap.service")
machine.succeed(
- "systemctl status openldap.service",
'ldapsearch -LLL -D "cn=root,dc=example" -w notapassword -b "dc=example"',
)
'';
+in {
+ # New-style configuration
+ current = import ./make-test-python.nix {
+ inherit testScript;
+ name = "openldap";
+
+ machine = { pkgs, ... }: {
+ services.openldap = {
+ inherit declarativeContents;
+ enable = true;
+ defaultSchemas = null;
+ dataDir = null;
+ database = null;
+ settings = {
+ children = {
+ "cn=schema" = {
+ includes = [
+ "${pkgs.openldap}/etc/schema/core.ldif"
+ "${pkgs.openldap}/etc/schema/cosine.ldif"
+ "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
+ "${pkgs.openldap}/etc/schema/nis.ldif"
+ ];
+ };
+ "olcDatabase={1}mdb" = {
+ attrs = {
+ objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
+ olcDatabase = "{1}mdb";
+ olcDbDirectory = "/var/db/openldap";
+ olcSuffix = "dc=example";
+ olcRootDN = "cn=root,dc=example";
+ olcRootPW = "notapassword";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+
+ # Old-style configuration
+ shortOptions = import ./make-test-python.nix {
+ inherit testScript;
+ name = "openldap";
+
+ machine = { pkgs, ... }: {
+ services.openldap = {
+ inherit declarativeContents;
+ enable = true;
+ suffix = "dc=example";
+ rootdn = "cn=root,dc=example";
+ rootpw = "notapassword";
+ };
+ };
+ };
+
+ # Manually managed configDir, for example if dynamic config is essential
+ manualConfigDir = import ./make-test-python.nix {
+ name = "openldap";
+
+ machine = { pkgs, ... }: {
+ services.openldap = {
+ enable = true;
+ configDir = "/var/db/slapd.d";
+ # Silence warnings
+ defaultSchemas = null;
+ dataDir = null;
+ database = null;
+ };
+ };
+
+ testScript = let
+ contents = pkgs.writeText "data.ldif" declarativeContents;
+ config = pkgs.writeText "config.ldif" ''
+ dn: cn=config
+ cn: config
+ objectClass: olcGlobal
+ olcLogLevel: stats
+ olcPidFile: /run/slapd/slapd.pid
+
+ dn: cn=schema,cn=config
+ cn: schema
+ objectClass: olcSchemaConfig
+
+ include: file://${pkgs.openldap}/etc/schema/core.ldif
+ include: file://${pkgs.openldap}/etc/schema/cosine.ldif
+ include: file://${pkgs.openldap}/etc/schema/inetorgperson.ldif
+
+ dn: olcDatabase={1}mdb,cn=config
+ objectClass: olcDatabaseConfig
+ objectClass: olcMdbConfig
+ olcDatabase: {1}mdb
+ olcDbDirectory: /var/db/openldap
+ olcDbIndex: objectClass eq
+ olcSuffix: dc=example
+ olcRootDN: cn=root,dc=example
+ olcRootPW: notapassword
+ '';
+ in ''
+ machine.succeed(
+ "mkdir -p /var/db/slapd.d /var/db/openldap",
+ "slapadd -F /var/db/slapd.d -n0 -l ${config}",
+ "slapadd -F /var/db/slapd.d -n1 -l ${contents}",
+ "chown -R openldap:openldap /var/db/slapd.d /var/db/openldap",
+ "systemctl restart openldap",
+ )
+ '' + testScript;
+ };
+
+ # extraConfig forces use of slapd.conf, test this until that option is removed
+ legacyConfig = import ./make-test-python.nix {
+ inherit testScript;
+ name = "openldap";
+
+ machine = { pkgs, ... }: {
+ services.openldap = {
+ inherit declarativeContents;
+ enable = true;
+ suffix = "dc=example";
+ rootdn = "cn=root,dc=example";
+ rootpw = "notapassword";
+ extraConfig = ''
+ # No-op
+ '';
+ extraDatabaseConfig = ''
+ # No-op
+ '';
+ };
+ };
+ };
}
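Review bot: The shared `testScript` only asserts that the root DN binds with the correct password; none of the four variants checks that a bind with a wrong password is refused. Adding `machine.fail('ldapsearch -LLL -D "cn=root,dc=example" -w wrongpassword -b "dc=example"')` after the `machine.succeed(...)` call would cover the negative case for every variant that inherits the script. Separately, the cleartext `olcRootPW`/`rootpw` values and the `pkgs.writeText "config.ldif"` in `manualConfigDir` end up in the Nix store, which is normally world-readable; since that variant is framed as an example, a comment such as `# test-only cleartext credential; use a hashed olcRootPW outside of tests` would keep it from being copied as-is. All four tests also share `name = "openldap"`, so distinct names (for instance `openldap-manual-config-dir`) would presumably make their logs easier to tell apart.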