[Nix-dev] [PATCH] LDAP non-anonymous bind
Rickard Nilsson
rickard.nilsson at telia.com
Thu Sep 29 23:15:36 CEST 2011
Hi Nicolas,
I finally got around to fixing the LDAP patch according to your suggestions.
The password is now stored in a separate file, which is read from the
activation script. I also cleaned up the options definitions a bit. Would
you care to look at it again?
Best regards,
Rickard Nilsson
On 2011-08-28 00:43:53, Nicolas Pierron
<nicolas.b.pierron at gmail.com> wrote:
> Hi Rickard,
>
> On Sat, Aug 27, 2011 at 12:41, Rickard Nilsson
> <rickard.nilsson at telia.com> wrote:
>> I need to bind to my LDAP server with credentials when looking up
>> users, so
>> I added the options "bindAnonymously", "binddn" and "bindpw" to
>> modules/config/ldap.nix.
>
> Thanks for contributing.
>
>> I think the patch should be rather uncontroversial,
>> but I'm happy to make any adjustments required to get it in.
>
> I have some remarks about your patch before accepting it into the
> mainline.
>
> 1/ Based on the context I can't blame you but the current way to go is
> to use type for option declarations such as
>
> type = with pkgs.lib.types; bool;
> type = with pkgs.lib.types; string;
>
> This helps users by reporting errors early as well as providing
> specialized merge rules.
>
> 2/ Your patch has a security issue. All users have access to the
> /nix/store, especially the ldap.conf file produced by the function
> pkgs.writeText. Thus, the "bindpw" field would appear as readable by all
> users of your machine. Today, we have no means to prevent storage of
> some files in a public (to all users of the computer) nix store. To
> use a password safely in NixOS you must declare a file containing the
> password, and use the activation script to substitute a pattern with the
> content of the file.
>
> 3/ All your options start with "bind", could you make an
> attribute of it and use clear names for the fields, such as:
>
>   bind = {
>     Identified = mkOption {
>       default = false;
>       type = with pkgs.lib.types; bool;
>       description = " ... ";
>     };
>
>     domainName = mkOption {
>       ...
>     };
>
>     password = mkOption {
>       default = "/etc/ldap/bind.password";
>       type = with pkgs.lib.types; string;
>       description = " ... ";
>     };
>   };
>
>
> I have additional questions which are not related to your patch, but to
> the difficulty you encountered getting your hands dirty by patching
> NixOS. Your answers to these questions interest me to improve the
> overall user experience. Did you use the documentation wiki/manual?
> Is it readable? Did you find ldap.nix easily? How many attempts
> did you have before getting a working configuration? How long did
> that take between the need and your first working patch?
>
> Sincerely,
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ldap.nix.diff
Type: application/octet-stream
Size: 2145 bytes
Desc: not available
Url : http://lists.science.uu.nl/pipermail/nix-dev/attachments/20110929/783a76b2/attachment.obj
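The substitution pattern Nicolas describes in point 2/ (a world-readable template in /nix/store that carries only a placeholder, with the real password read at activation time from a root-only file and written into a restricted config) is shown below as an added example. It is not code from Rickard's patch or from NixOS; the placeholder `@bindpw@`, the function names, the 0600 mode on the rendered file and the sample file contents are all assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added example, not part of the patch or of NixOS. Shows the pattern from
# the review: the store-side template holds only a placeholder, the secret
# lives in a root-only file, and the activation step splices it in.
# Assumed names: placeholder @bindpw@, password file bind.password.

# Exit 0 if FILE contains the secret held in PASSFILE. Use this as a leak
# check on anything that is about to land in the world-readable store.
store_file_leaks_secret() {
  file=$1 passfile=$2
  grep -qF -e "$(cat "$passfile")" "$file"
}

# Exit 0 if FILE grants any permission bit to group or others.
world_or_group_readable() {
  case $(ls -ld "$1" | cut -c5-10) in
    *[rwx]*) return 0 ;;
    *) return 1 ;;
  esac
}

# render_ldap_conf TEMPLATE PASSFILE OUTPUT
# Replaces every literal @bindpw@ in TEMPLATE with the content of PASSFILE
# and writes OUTPUT with mode 0600. Refuses to run if PASSFILE itself is
# readable by anyone but its owner, since that would defeat the point.
render_ldap_conf() {
  template=$1 passfile=$2 out=$3
  if world_or_group_readable "$passfile"; then
    echo "refusing: $passfile is readable by group/others" >&2
    return 1
  fi
  (
    umask 077
    # awk with index/substr: the secret is inserted verbatim, so characters
    # such as & or \ that sed would treat specially are passed through, and
    # a secret that itself contains the placeholder cannot cause a loop.
    BINDPW=$(cat "$passfile") awk '
      {
        line = $0; result = ""
        while ((i = index(line, "@bindpw@")) > 0) {
          result = result substr(line, 1, i - 1) ENVIRON["BINDPW"]
          line = substr(line, i + 8)
        }
        print result line
      }' "$template" > "$out"
  )
}

# demo: builds a constructed template and password file in a temp dir,
# renders the config, and prints the directory so callers can inspect it.
demo() {
  dir=$(mktemp -d)
  # constructed sample of what the store-side template would contain
  printf 'uri ldap://ldap.example.org\nbinddn cn=nss,dc=example,dc=org\nbindpw @bindpw@\n' \
    > "$dir/ldap.conf.template"
  # constructed secret with characters that trip up naive sed substitution
  printf 's3cr3t&/\\1' > "$dir/bind.password"
  chmod 600 "$dir/bind.password"
  render_ldap_conf "$dir/ldap.conf.template" "$dir/bind.password" "$dir/ldap.conf"
  echo "$dir"
}

# stand-alone run: render the constructed sample and show the result
out_dir=$(demo) && cat "$out_dir/ldap.conf"
```

The leak check is the part worth wiring into a build: run `store_file_leaks_secret` against every file the module writes with `pkgs.writeText`, and the mistake the review points out fails loudly before the file reaches the store.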