From 1fde3c35619bd445357077d816c72b0e589e0775 Mon Sep 17 00:00:00 2001
From: Kai Wohlfahrt
Date: Sun, 2 Aug 2020 23:52:37 +0100
Subject: nixos/openldap: switch to slapd.d configuration
The old slapd.conf is deprecated. Replace with slapd.d, and use this opportunity to write some structured settings. Incidentally, this fixes the fact that openldap is reported up before any checks have completed, by using forking mode.
---
nixos/tests/openldap.nix | 163 +++++++++++++++++++++++++++++++++++++++--------
1 file changed, 138 insertions(+), 25 deletions(-)
(limited to 'nixos/tests')
diff --git a/nixos/tests/openldap.nix b/nixos/tests/openldap.nix
index f8321a2c522d..33b7b7f6608a 100644
--- a/nixos/tests/openldap.nix
+++ b/nixos/tests/openldap.nix
@@ -1,33 +1,146 @@
-import ./make-test-python.nix {
- name = "openldap";
-
- machine = { pkgs, ... }: {
- services.openldap = {
- enable = true;
- suffix = "dc=example";
- rootdn = "cn=root,dc=example";
- rootpw = "notapassword";
- database = "bdb";
- extraDatabaseConfig = ''
- directory /var/db/openldap
- '';
- declarativeContents = ''
- dn: dc=example
- objectClass: domain
- dc: example
-
- dn: ou=users,dc=example
- objectClass: organizationalUnit
- ou: users
- '';
- };
- };
+{ pkgs, system ? builtins.currentSystem, ... }: let
+ declarativeContents = ''
+ dn: dc=example
+ objectClass: domain
+ dc: example
+ dn: ou=users,dc=example
+ objectClass: organizationalUnit
+ ou: users
+ '';
 
 testScript = ''
 machine.wait_for_unit("openldap.service")
 machine.succeed(
- "systemctl status openldap.service",
 'ldapsearch -LLL -D "cn=root,dc=example" -w notapassword -b "dc=example"',
 )
 '';
+in {
+ # New-style configuration
+ current = import ./make-test-python.nix {
+ inherit testScript;
+ name = "openldap";
+
+ machine = { pkgs, ... }: {
+ services.openldap = {
+ inherit declarativeContents;
+ enable = true;
+ defaultSchemas = null;
+ dataDir = null;
+ database = null;
+ settings = {
+ children = {
+ "cn=schema" = {
+ includes = [
+ "${pkgs.openldap}/etc/schema/core.ldif"
+ "${pkgs.openldap}/etc/schema/cosine.ldif"
+ "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
+ "${pkgs.openldap}/etc/schema/nis.ldif"
+ ];
+ };
+ "olcDatabase={1}mdb" = {
+ attrs = {
+ objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
+ olcDatabase = "{1}mdb";
+ olcDbDirectory = "/var/db/openldap";
+ olcSuffix = "dc=example";
+ olcRootDN = "cn=root,dc=example";
+ olcRootPW = "notapassword";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+
+ # Old-style configuration
+ shortOptions = import ./make-test-python.nix {
+ inherit testScript;
+ name = "openldap";
+
+ machine = { pkgs, ... }: {
+ services.openldap = {
+ inherit declarativeContents;
+ enable = true;
+ suffix = "dc=example";
+ rootdn = "cn=root,dc=example";
+ rootpw = "notapassword";
+ };
+ };
+ };
+
+ # Manually managed configDir, for example if dynamic config is essential
+ manualConfigDir = import ./make-test-python.nix {
+ name = "openldap";
+
+ machine = { pkgs, ... }: {
+ services.openldap = {
+ enable = true;
+ configDir = "/var/db/slapd.d";
+ # Silence warnings
+ defaultSchemas = null;
+ dataDir = null;
+ database = null;
+ };
+ };
+
+ testScript = let
+ contents = pkgs.writeText "data.ldif" declarativeContents;
+ config = pkgs.writeText "config.ldif" ''
+ dn: cn=config
+ cn: config
+ objectClass: olcGlobal
+ olcLogLevel: stats
+ olcPidFile: /run/slapd/slapd.pid
+
+ dn: cn=schema,cn=config
+ cn: schema
+ objectClass: olcSchemaConfig
+
+ include: file://${pkgs.openldap}/etc/schema/core.ldif
+ include: file://${pkgs.openldap}/etc/schema/cosine.ldif
+ include: file://${pkgs.openldap}/etc/schema/inetorgperson.ldif
+
+ dn: olcDatabase={1}mdb,cn=config
+ objectClass: olcDatabaseConfig
+ objectClass: olcMdbConfig
+ olcDatabase: {1}mdb
+ olcDbDirectory: /var/db/openldap
+ olcDbIndex: objectClass eq
+ olcSuffix: dc=example
+ olcRootDN: cn=root,dc=example
+ olcRootPW: notapassword
+ '';
+ in ''
+ machine.succeed(
+ "mkdir -p /var/db/slapd.d /var/db/openldap",
+ "slapadd -F /var/db/slapd.d -n0 -l ${config}",
+ "slapadd -F /var/db/slapd.d -n1 -l ${contents}",
+ "chown -R openldap:openldap /var/db/slapd.d /var/db/openldap",
+ "systemctl restart openldap",
+ )
+ '' + testScript;
+ };
+
+ # extraConfig forces use of slapd.conf, test this until that option is removed
+ legacyConfig = import ./make-test-python.nix {
+ inherit testScript;
+ name = "openldap";
+
+ machine = { pkgs, ... }: {
+ services.openldap = {
+ inherit declarativeContents;
+ enable = true;
+ suffix = "dc=example";
+ rootdn = "cn=root,dc=example";
+ rootpw = "notapassword";
+ extraConfig = ''
+ # No-op
+ '';
+ extraDatabaseConfig = ''
+ # No-op
+ '';
+ };
+ };
+ };
 }
--
cgit v1.2.3
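Review bot: The shared `testScript` only ever binds as the rootdn (`-D "cn=root,dc=example"`), which bypasses olcAccess entirely, so none of the four variants would notice a change in the access rules the module ends up generating for cn=config or the mdb database, and this commit is precisely where that generated configuration changes shape. Consider adding one unauthenticated check to the shared script, e.g. `machine.succeed('ldapsearch -x -LLL -b "dc=example"')` (or `machine.fail(...)`, whichever the module's default access policy is meant to give), plus an anonymous `ldapmodify` that is expected to fail. Separately, all four `import ./make-test-python.nix` calls pass `name = "openldap"`, so the resulting test derivations and their log output cannot be told apart; something like `name = "openldap-manualConfigDir";` per variant would fix that. The `current` variant's mdb database also carries no `olcDbIndex`, unlike the `manualConfigDir` LDIF, which is presumably deliberate but worth a one-line comment.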