[Nix-dev] [PATCH] LDAP non-anonymous bind

Rickard Nilsson rickard.nilsson at telia.com
Thu Sep 29 23:15:36 CEST 2011


Hi Nicolas,

I finally got around to fixing the LDAP patch according to your suggestions.

The password is now stored in a separate file, which is read from the
activation script. I also cleaned up the options definitions a bit. Would
you care to look at it again?

Best regards,
   Rickard Nilsson


On 2011-08-28 00:43:53, Nicolas Pierron
<nicolas.b.pierron at gmail.com> wrote:

> Hi Richard,
>
> On Sat, Aug 27, 2011 at 12:41, Rickard Nilsson
> <rickard.nilsson at telia.com> wrote:
>> I need to bind to my LDAP server with credentials when looking up
>> users, so I added the options "bindAnonymously", "binddn" and "bindpw" to
>> modules/config/ldap.nix.
>
> Thanks for contributing.
>
>> I think the patch should be rather uncontroversial,
>> but I'm happy to make any adjustments required to get it in.
>
> I have some remarks about your patch before accepting it into the
> mainline.
>
> 1/ Based on the context I can't blame you but the current way to go is
> to use type for option declarations such as
>
>   type = with pkgs.lib.types; bool;
>   type = with pkgs.lib.types; string;
>
> This helps users by reporting errors early as well as providing
> specialized merge rules.
>
> 2/ Your patch has a security issue.  All users have access to the
> /nix/store, especially the ldap.conf file produced by the function
> pkgs.writeText.  Thus, the "bindpw" field would appear readable by all
> users of your machine.  Today, we have no means to prevent storage of
> some files in a public (to all users of the computer) nix store.  To
> use passwords safely in NixOS you must declare a file containing the
> password, and use the activation script to substitute a pattern with the
> content of the file.
>
> 3/ All your options start with "bind"; could you make an
> attribute of it and use clear names for the fields, such as:
>
> bind = {
>   Identified = mkOption {
>     default = false;
>     type = with pkgs.lib.types; bool;
>     description = " ... ";
>   };
>
>   domainName = mkOption {
>     ...
>   };
>
>   password = mkOption {
>     default = "/etc/ldap/bind.password";
>     type = with pkgs.lib.types; string;
>     description = " ... ";
>   };
> };
>
>
> I have additional questions which are not related to your patch, but to
> the difficulty you encountered in getting your hands dirty by patching
> NixOS.  Your answers to these questions interest me to improve the
> overall user experience.  Did you use the documentation wiki/manual?
> Is it readable?  Did you find ldap.nix easily?  How many attempts
> did you have before getting a working configuration?  How long did
> that take between the need and your first working patch?
>
> Sincerely,
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ldap.nix.diff
Type: application/octet-stream
Size: 2145 bytes
Desc: not available
Url : http://lists.science.uu.nl/pipermail/nix-dev/attachments/20110929/783a76b2/attachment.obj 
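The pattern Nicolas describes in point 2/ (store a world-readable template with a placeholder, keep the real password outside /nix/store, and let the activation script do the substitution) is shown below as an added example. This is not the attached ldap.nix.diff and not NixOS's own ldap.nix; it assumes the option names Nicolas suggested under point 3/ (users.ldap.bind.identified, domainName, password), assumes users.ldap.server and users.ldap.base are already declared by the existing module, uses a placeholder name (@bindPassword@) chosen here, and assumes nothing else (such as environment.etc) manages /etc/ldap.conf on the machine.

```nix
{ config, pkgs, ... }:

with pkgs.lib;

let
  cfg = config.users.ldap;

  # Everything produced by pkgs.writeText ends up in /nix/store, which every
  # local user can read.  So the template only ever carries a placeholder,
  # never the password itself.  (Placeholder name is an assumption.)
  ldapConfTemplate = pkgs.writeText "ldap.conf" ''
    uri ${cfg.server}
    base ${cfg.base}
    ${optionalString cfg.bind.identified ''
      binddn ${cfg.bind.domainName}
      bindpw @bindPassword@
    ''}
  '';
in
{
  options = {
    users.ldap.bind = {
      identified = mkOption {
        default = false;
        type = with pkgs.lib.types; bool;
        description = "Whether to bind with a DN and password rather than anonymously.";
      };

      domainName = mkOption {
        default = "";
        type = with pkgs.lib.types; string;
        description = "Distinguished name used to bind to the LDAP server.";
      };

      password = mkOption {
        default = "/etc/ldap/bind.password";
        type = with pkgs.lib.types; string;
        description = ''
          Path of a root-readable file holding the bind password.  Only the
          path is recorded in the configuration, so the secret stays out of
          /nix/store.
        '';
      };
    };
  };

  config = mkIf cfg.bind.identified {
    # Runs as root at activation time, outside the store.
    system.activationScripts.ldap = ''
      if [ ! -r "${cfg.bind.password}" ]; then
        echo "ldap: bind password file ${cfg.bind.password} is missing or unreadable" >&2
      else
        tmpl=$(cat ${ldapConfTemplate})
        pw=$(cat "${cfg.bind.password}")
        # umask 077 makes the generated file root-only before it is written,
        # so the password is never briefly world-readable either.
        umask 077
        # bash substitution inserts the password literally, so characters
        # that would be special to sed (such as | or &) need no escaping.
        printf '%s\n' "''${tmpl//@bindPassword@/$pw}" > /etc/ldap.conf.tmp
        mv /etc/ldap.conf.tmp /etc/ldap.conf
      fi
    '';
  };
}
```

The check worth keeping in a real module is the one on the store: after a rebuild, `grep -r bindpw /nix/store/*-ldap.conf` should show only the placeholder, and `ls -l /etc/ldap.conf` should show mode 0600 owned by root. The `''${` in the indented string is Nix's escape for a literal `${`, so the substitution is performed by bash at activation time and not by Nix at evaluation time, which would pull the password back into the store.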

