We want Openldap clients to load /etc/ldap.conf at runtime, not
${pkgs.openldap}/etc/ldap.conf which is always a sample config.
Pass sysconfdir=/etc at compile time, so that /etc/krb5.conf is embedded
in the library as the path of its config file.
Pass sysconfdir=${out}/etc at install time, so that the sample configs
and schema files are correctly included in the build output.
This hack works because the Makefiles are not smart enough to notice
that the sysconfdir variable has changed across invocations -- because
nobody ever writes their Makefiles to be that smart. :-)
Fixes#181937.
This improves security, by starting the service as an unprivileged user,
rather than starting as root and relying on the service to drop
privileges. This requires a significant cleanup of pre-init scripts, to
make use of StateDirectory and RuntimeDirectory for permissions.
By default, this is /run/ldapi, which is not compatible with systemd's
runtime directories. Change it to /run/slapd/ldapi (in library and
server). This makes `ldapi:///` work as a default socket again.
The NixOS manual documents that you can invoke every tests using
nix-build path/to/nixos/tests/test.nix
which was not the case for openldap since it is not autocallable, but
requires pkgs and system as arguments. Usually, make-test-pythons.nix
takes care of this if it is imported at the top-level, but since
openldap.nix contains multiple tests, this was not the case.
This is however easily fixed by:
* Adding default values for the pkgs and system arguments based on the
definition in make-test-python.nix
* Passing pkgs and system explicitly to make-test-python.nix to ensure
the pkgs and system values passed from all-tests.nix are used.
The old slapd.conf is deprecated. Replace with slapd.d, and use this
opportunity to write some structured settings.
Incidentally, this fixes the fact that openldap is reported up before
any checks have completed, by using forking mode.
