Openldap clients ignore system-wide LDAP client configuraiton in /etc/ldap.conf

[danc86]

Describe the bug

The system-wide LDAP client configuration in /etc/ldap.conf is ignored by Openldap client programs.

Steps To Reproduce

Steps to reproduce the behavior:

1. Put settings into /etc/ldap.conf via config.settings.ldap.*
2. Run ldapsearch or any other Openldap client

Expected behavior

Openldap client programs should obey the system-wide configuration file in /etc/ldap.conf.

Additional context

strace shows it's reading the example configuration from the package instead:

$ strace -e file ldapsearch
[...]
openat(AT_FDCWD, "/nix/store/j8mm1wgsx4vmxaxbf6ximq59ry5qj7yl-openldap-2.6.2/etc/ldap.conf", O_RDONLY) = 3
newfstatat(3, "", {st_mode=S_IFREG|0444, st_size=247, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/home/dan/ldaprc", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/home/dan/.ldaprc", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "ldaprc", O_RDONLY)    = -1 ENOENT (No such file or directory)
[...]

Since commit 39ef632 the openldap package no longer passes --sysconfdir=/etc to configure, it only passes sysconfdir=${placeholder "out"}/etc to make instead.

Notify maintainers

@ajs124 @das_j @Hexa

Metadata

Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
 - system: `"aarch64-linux"`
 - host os: `Linux 5.15.32, NixOS, 22.05 (Quokka), 22.05.git.c88aa8fd317M`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.8.1`
 - channels(root): `""`
 - nixpkgs: `/home/dan/nixpkgs`

[danc86]

It seems a bit dodgy, but this might be a solution:

--- a/pkgs/development/libraries/openldap/default.nix
+++ b/pkgs/development/libraries/openldap/default.nix
@@ -97,7 +97,8 @@ stdenv.mkDerivation rec {
     "CC=${stdenv.cc.targetPrefix}cc"
     "STRIP="  # Disable install stripping as it breaks cross-compiling. We strip binaries anyway in fixupPhase.
     "prefix=${placeholder "out"}"
-    "sysconfdir=${placeholder "out"}/etc"
+    "sysconfdir=/etc"
+    "schemadir=${placeholder "out"}/share/schema"
     "systemdsystemunitdir=${placeholder "out"}/lib/systemd/system"
     # contrib modules require these
     "moduledir=${placeholder "out"}/lib/modules"
@@ -134,6 +135,7 @@ stdenv.mkDerivation rec {

   installFlags = [
     "prefix=${placeholder "out"}"
+    "sysconfdir=${placeholder "out"}/etc"
     "moduledir=${placeholder "out"}/lib/modules"
     "INSTALL=install"
   ];

plus corresponding changes to all the packages and tests that refer to ${pkgs.openldap}/etc/schema. I'm just rebuilding a gazillion packages on my system from source, so I can check if that works properly... 🫠

[ajs124]

@ajs124 @das_j @Hexa

you probably meant to ping @dasJ and @mweinelt instead

[danc86]

Oops, sorry about that. I forgot that the maintainer handles listed in the package do not necessarily correspond to their Github usernames.

[danc86]

I realised that changing schemadir is probably unwise. Not only does it break some other packages (like python-ldap) and some Nixos tests, it will also break any users who have configured slapd to refer to the schemas under etc/schema, as I myself have:

      children = {
        "cn=schema".includes = [
          "${pkgs.openldap}/etc/schema/core.ldif"
          "${pkgs.openldap}/etc/schema/cosine.ldif"
          "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
          "${pkgs.openldap}/etc/schema/nis.ldif"
          ./files/openssh-lpk.ldif
          #./files/pgpkeyowner.ldif
        ];
        ...

And changing schemadir is not necessary to fix the bug anyway. It seems that the approach of passing sysconfdir differently in compile and install works. I'll send a PR for it.