ldap: do not write password to the Nix store

Antoine Eiche 2023-05-20 00:12:02 +02:00 committed by lewo
parent 33554e57ce
commit fb3210b932
5 changed files with 114 additions and 61 deletions


@ -28,6 +28,8 @@ pkgs.nixosTest {
${pkgs.python3}/bin/python ${../scripts/mail-check.py} $@
'')];
environment.etc.bind-password.text = bindPassword;
services.openldap = {
enable = true;
settings = {
@ -45,7 +47,7 @@ pkgs.nixosTest {
"olcMdbConfig"
];
olcDatabase = "{1}mdb";
olcDbDirectory = "/var/lib/openldap";
olcDbDirectory = "/var/lib/openldap/example";
olcSuffix = "dc=example";
};
};
@ -96,7 +98,7 @@ pkgs.nixosTest {
];
bind = {
dn = "cn=mail,dc=example";
password = bindPassword;
passwordFile = "/etc/bind-password";
};
searchBase = "ou=users,dc=example";
searchScope = "sub";
@ -141,6 +143,10 @@ pkgs.nixosTest {
machine.succeed("doveadm user -u alice@example.com")
machine.succeed("doveadm user -u bob@example.com")
with subtest("Files containing secrets are only readable by root"):
machine.succeed("ls -l /run/postfix/*.cf | grep -e '-rw------- 1 root root'")
machine.succeed("ls -l /run/dovecot2/dovecot-ldap.conf.ext | grep -e '-rw------- 1 root root'")
with subtest("Test account/mail address binding"):
machine.fail(" ".join([
"mail-check send-and-read",