Hi Nicolas, I finally got around to fixing the LDAP patch according to your suggestions.
The password is now stored in a separate file, which is read by the activation script. I also cleaned up the option definitions a bit. Would you care to look at it again?
Best regards,
Rickard Nilsson

On 2011-08-28 00:43:53, Nicolas Pierron <[email protected]> wrote:
Hi Richard,

On Sat, Aug 27, 2011 at 12:41, Rickard Nilsson <[email protected]> wrote:
> I need to bind to my LDAP server with credentials when looking up users, so
> I added the options "bindAnonymously", "binddn" and "bindpw" to modules/config/ldap.nix.

Thanks for contributing.

> I think the patch should be rather uncontroversial, but I'm happy to make any
> adjustments required to get it in.

I have some remarks about your patch before accepting it into the mainline.

1/ Based on the context I can't blame you, but the current way to go is to use types for option declarations, such as

    type = with pkgs.lib.types; bool;
    type = with pkgs.lib.types; string;

This helps users by reporting errors early as well as providing specialized merge rules.

2/ Your patch has a security issue. All users have access to the /nix/store, especially the ldap.conf file produced by the function pkgs.writeText. Thus, the "bindpw" field would appear as readable by all users of your machine. Today, we have no means to prevent storage of some files in a public (to all users of the computer) nix store. To use a password safely in NixOS you must declare a file containing the password, and use the activation script to substitute a pattern with the content of the file.

3/ All your options start with "bind"; could you make an attribute of it and use clear names for the fields, such as:

    bind = {
      Identified = mkOption {
        default = false;
        type = with pkgs.lib.types; bool;
        description = " ... ";
      };
      domainName = mkOption { ... };
      password = mkOption {
        default = "/etc/ldap/bind.password";
        type = with pkgs.lib.types; string;
        description = " ... ";
      };
    };

I have additional questions which are not related to your patch, but to the difficulty you encountered in getting your hands dirty by patching NixOS. Your answers to these questions interest me to improve the overall user experience.

Did you use the documentation wiki/manual? Is it readable?
Did you find ldap.nix easily?
How many attempts did you have before getting a working configuration?
How long did that take between the need and your first working patch?

Sincerely,
[Attachment: ldap.nix.diff]
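The following is an added example, not code from the thread, from Rickard's patch, or from nixpkgs. It shows one way to implement Nicolas's three remarks together: typed option declarations (point 1), a `bind` attribute set with descriptive field names (point 3), and a store-side ldap.conf that carries only a placeholder which the activation script replaces with the content of a file kept outside the Nix store (point 2). The option names `users.ldap.bind.*`, the template contents, the activation-script name and the placeholder `@bindPassword@` are assumptions made for this illustration; it also assumes that `users.ldap.server` and `users.ldap.base` exist in ldap.nix and that no `environment.etc` entry manages /etc/ldap.conf at the same time.

```nix
# Added example (not from the thread, Rickard's patch, or nixpkgs).
# Assumptions: users.ldap.server and users.ldap.base are declared elsewhere
# in ldap.nix; option names under users.ldap.bind, the placeholder
# @bindPassword@ and the activation-script name are made up for the example.
{ config, pkgs, ... }:

with pkgs.lib;

let
  cfg = config.users.ldap;

  # Everything produced by pkgs.writeText lands in the world-readable
  # /nix/store, so the store-side file carries only a placeholder for the
  # secret, never the secret itself.
  ldapConfTemplate = pkgs.writeText "ldap.conf.in" ''
    uri ${cfg.server}
    base ${cfg.base}
    ${optionalString (!cfg.bind.anonymous) ''
      binddn ${cfg.bind.distinguishedName}
      bindpw @bindPassword@
    ''}
  '';
in
{
  options.users.ldap.bind = {
    # Point 1: every option carries a type, so a mistake such as
    # anonymous = "no" is rejected at evaluation time instead of silently
    # producing a broken ldap.conf.
    anonymous = mkOption {
      default = true;
      type = with pkgs.lib.types; bool;
      description = "Whether to bind anonymously when looking up users.";
    };
    distinguishedName = mkOption {
      default = "";
      type = with pkgs.lib.types; string;
      description = "DN to bind as when anonymous binding is disabled.";
    };
    password = mkOption {
      default = "/etc/ldap/bind.password";
      type = with pkgs.lib.types; string;
      description = ''
        Path to a root-only file (outside the Nix store) holding the bind
        password. Its content is inserted into /etc/ldap.conf at activation
        time and never enters the store.
      '';
    };
  };

  # Point 2: the secret is merged in from outside the store by the
  # activation script, which runs as root on every system activation.
  config.system.activationScripts.ldapBindPassword =
    mkIf (!cfg.bind.anonymous) (stringAfter [ "etc" ] ''
      if [ -f "${cfg.bind.password}" ]; then
        bindpw="$(cat "${cfg.bind.password}")"
        template="$(cat "${ldapConfTemplate}")"
        umask 077
        tmp="$(mktemp /etc/ldap.conf.XXXXXX)"
        # Bash pattern substitution takes the quoted replacement literally,
        # so a password containing '/' or '&' needs no escaping, unlike sed.
        printf '%s\n' "''${template//@bindPassword@/$bindpw}" > "$tmp"
        # Rename into place so readers never observe a half-written file.
        mv -f "$tmp" /etc/ldap.conf
      else
        echo "warning: ${cfg.bind.password} missing, /etc/ldap.conf not updated" >&2
      fi
    '');
}
```

Two things to check before adopting this pattern. First, `nix-store --dump` or a plain `ls` of the store will still show the template, so verify that nothing but the placeholder ends up there, for example `grep -r bindpw /nix/store/*-ldap.conf.in` should print only the `@bindPassword@` line. Second, the generated /etc/ldap.conf is mode 0600 here, which keeps the password away from other users but also means only root processes can read it; if unprivileged processes perform the user lookups through nss_ldap, the upstream mechanism for that situation is a world-readable ldap.conf with `rootbinddn` and the password kept in /etc/ldap.secret (mode 0600), which nss_ldap and pam_ldap read only when the effective user is root.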
nix-dev mailing list
[email protected]
http://lists.science.uu.nl/mailman/listinfo/nix-dev
