[Nix-dev] [PATCH] LDAP non-anonymous bind

Nicolas Pierron nicolas.b.pierron at gmail.com
Sun Aug 28 00:43:53 CEST 2011


Hi Rickard,

On Sat, Aug 27, 2011 at 12:41, Rickard Nilsson
<rickard.nilsson at telia.com> wrote:
> I need to bind to my LDAP server with credentials when looking up users, so
> I added the options "bindAnonymously", "binddn" and "bindpw" to
> modules/config/ldap.nix.

Thanks for contributing.

> I think the patch should be rather uncontroversial,
> but I'm happy to make any adjustments required to get it in.

I have some remarks about your patch before accepting it into the mainline.

1/ Based on the context I can't blame you, but the current way to go is
to use a type for option declarations, such as

  type = with pkgs.lib.types; bool;
  type = with pkgs.lib.types; string;

This helps users by reporting errors early, as well as providing
specialized merge rules.

2/ Your patch has a security issue.  All users have access to the
/nix/store, especially the ldap.conf file produced by the function
pkgs.writeText.  Thus, the "bindpw" field would appear as readable by all
users of your machine.  Today, we have no means to prevent storage of
some files in a public (to all users of the computer) nix store.  To
use a password safely in NixOS you must declare a file containing the
password, and use the activation script to substitute a pattern with the
content of the file.

3/ All your options start with "bind"; could you make an
attribute of it and use clear names for the fields, such as:

bind = {
  Identified = mkOption {
    default = false;
    type = with pkgs.lib.types; bool;
    description = " ... ";
  };

  domainName = mkOption {
    ...
  };

  password = mkOption {
    default = "/etc/ldap/bind.password";
    type = with pkgs.lib.types; string;
    description = " ... ";
  };
};


I have additional questions which are not related to your patch, but to
the difficulty you encountered in getting your hands dirty by patching
NixOS.  Your answers to these questions interest me for improving the
overall user experience.  Did you use the documentation wiki/manual?
Is it readable?  Did you find ldap.nix easily?  How many attempts
did you have before getting a working configuration?  How long did
that take between the need and your first working patch?

Sincerely,

-- 
Nicolas Pierron
http://www.linkedin.com/in/nicolasbpierron - http://nbp.name/
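The substitution step described in point 2, as an added example that is not code from the patch or from NixOS: a POSIX sh function an activation script could call, which fills the placeholder @bindpw@ (an assumed name) in a store-side ldap.conf template with the content of a root-only password file and writes the result as a 0600 file outside the store. The template path, password file path and output path are assumed to be passed as arguments.

```shell
# Added example (not part of the patch or NixOS). The template lives in the
# world-readable /nix/store and carries only the placeholder; the real password
# sits in a root-only file outside the store (the reply suggests
# /etc/ldap/bind.password as the default) and is spliced in at activation time.
# The secret is never put on a command line (argv is visible in `ps`) and is
# inserted with plain parameter expansion, so sed/awk metacharacters in the
# password cannot corrupt the result or the pattern.
render_ldap_conf() {
  template=$1 password_file=$2 output=$3
  placeholder='@bindpw@'   # assumed placeholder name used in the template

  # Fail closed: a missing or unreadable secret file must not produce an
  # ldap.conf that silently binds with an empty password.
  [ -r "$password_file" ] || {
    echo "render_ldap_conf: cannot read $password_file" >&2; return 1; }

  # Read the first line of the secret file into a variable, never into argv.
  IFS= read -r password < "$password_file" || [ -n "$password" ]
  [ -n "$password" ] || {
    echo "render_ldap_conf: $password_file is empty" >&2; return 1; }

  # Write with a restrictive umask, then rename into place, so readers never
  # observe a half-written or world-readable file.
  tmp="$output.tmp.$$"
  (
    umask 077
    while IFS= read -r line || [ -n "$line" ]; do
      case $line in
        *"$placeholder"*)
          printf '%s\n' "${line%%"$placeholder"*}$password${line#*"$placeholder"}" ;;
        *) printf '%s\n' "$line" ;;
      esac
    done < "$template" > "$tmp"
  ) || { rm -f "$tmp"; return 1; }
  mv -f "$tmp" "$output"
}
```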
