authorVincent Ambo <mail@tazj.in>2020-07-01T17·45+0100
committertazjin <mail@tazj.in>2020-07-01T19·10+0000
commitd2aaf030bd3c1da388f7f417b517269e106835a1 (patch)
tree120aeb02790bb50f88485456c0460e6321f9534a
parent6f5211bba84bdaea391603e8aabbe304a79dd08b (diff)
feat(3p/openldap): Enable slapd-passwd-argon2 module r/1148
This enables support for the Argon2 password hashing mechanism in
OpenLDAP. Note that we also need to configure the LDAP module to load
this, so this change is not yet sufficient for actually using Argon2
hashes.

Change-Id: I151b854b777daa924b22224a43851432a88a2760
Reviewed-on: https://cl.tvl.fyi/c/depot/+/830
Reviewed-by: BuildkiteCI
Reviewed-by: isomer <isomer@tvl.fyi>
Tested-by: BuildkiteCI
-rw-r--r--ci-builds.nix1
-rw-r--r--third_party/default.nix2
-rw-r--r--third_party/openldap/default.nix27
3 files changed, 29 insertions, 1 deletions
diff --git a/ci-builds.nix b/ci-builds.nix
index 076c64258400..63586887696f 100644
--- a/ci-builds.nix
+++ b/ci-builds.nix
@@ -63,6 +63,7 @@ in lib.fix (self: {
     cgit
     git
     nix
+    openldap
   ];
 
   various = with depot; [
diff --git a/third_party/default.nix b/third_party/default.nix
index 77f88b5a60fd..3e55ae63676b 100644
--- a/third_party/default.nix
+++ b/third_party/default.nix
@@ -182,7 +182,7 @@ in exposed.lib.fix(self: exposed // {
 
   # Packages to be overridden
   originals = {
-    inherit (nixpkgs) go grpc notmuch;
+    inherit (nixpkgs) openldap go grpc notmuch;
     inherit (stableNixpkgs) git;
     ffmpeg = nixpkgs.ffmpeg-full;
   };
diff --git a/third_party/openldap/default.nix b/third_party/openldap/default.nix
new file mode 100644
index 000000000000..92de8d3fea7f
--- /dev/null
+++ b/third_party/openldap/default.nix
@@ -0,0 +1,27 @@
+# OpenLDAP by default uses a simple shalted SHA1-hash for passwords,
+# which is less than ideal.
+#
+# It does however include a contrib module which adds support for the
+# Argon2 password hashing scheme. This overrides then OpenLDAP build
+# derivation to include this module.
+{ pkgs, ... }:
+
+pkgs.originals.openldap.overrideAttrs(old: {
+  buildInputs = old.buildInputs ++ [ pkgs.libsodium ];
+
+  postBuild = ''
+    ${old.postBuild}
+    make $makeFlags -C contrib/slapd-modules/passwd/argon2
+  '';
+
+  # This is required because the Makefile for this module hardcodes
+  # /usr/bin/install, which is not a valid path - we want it to be
+  # looked up from $PATH because it is included in stdenv.
+  installFlags = old.installFlags ++ [ "INSTALL=install" ];
+
+  postInstall = ''
+    ${old.postInstall}
+    make $installFlags install-lib -C contrib/slapd-modules/passwd/argon2
+  '';
+
+})
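Review bot: The three `old.*` references (`${old.postBuild}`, `old.installFlags`, `${old.postInstall}`) are unguarded, so evaluation fails with a missing-attribute error if the nixpkgs openldap derivation ever stops defining one of them. Writing `${old.postBuild or ""}`, `(old.installFlags or []) ++ [ "INSTALL=install" ]` and `${old.postInstall or ""}` keeps the override working across nixpkgs bumps. The header comment has two typos, "shalted" for "salted" and "overrides then" for "overrides the". A reader of this file alone could also take the comment to mean that passwords are hashed with Argon2 once this builds, so I would add a line such as `# Building the module does not change the hash scheme in use; slapd must still load and select it.`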