-rw-r--r--ci-builds.nix1
-rw-r--r--third_party/default.nix2
-rw-r--r--third_party/openldap/default.nix27
3 files changed, 29 insertions, 1 deletions
diff --git a/ci-builds.nix b/ci-builds.nix
index 076c642584..6358688769 100644
--- a/ci-builds.nix
+++ b/ci-builds.nix
@@ -63,6 +63,7 @@ in lib.fix (self: {
     cgit
     git
     nix
+    openldap
   ];
 
   various = with depot; [
diff --git a/third_party/default.nix b/third_party/default.nix
index 77f88b5a60..3e55ae6367 100644
--- a/third_party/default.nix
+++ b/third_party/default.nix
@@ -182,7 +182,7 @@ in exposed.lib.fix(self: exposed // {
 
   # Packages to be overridden
   originals = {
-    inherit (nixpkgs) go grpc notmuch;
+    inherit (nixpkgs) openldap go grpc notmuch;
     inherit (stableNixpkgs) git;
     ffmpeg = nixpkgs.ffmpeg-full;
   };
diff --git a/third_party/openldap/default.nix b/third_party/openldap/default.nix
new file mode 100644
index 0000000000..92de8d3fea
--- /dev/null
+++ b/third_party/openldap/default.nix
@@ -0,0 +1,27 @@
+# OpenLDAP by default uses a simple shalted SHA1-hash for passwords,
+# which is less than ideal.
+#
+# It does however include a contrib module which adds support for the
+# Argon2 password hashing scheme. This overrides then OpenLDAP build
+# derivation to include this module.
+{ pkgs, ... }:
+
+pkgs.originals.openldap.overrideAttrs(old: {
+  buildInputs = old.buildInputs ++ [ pkgs.libsodium ];
+
+  postBuild = ''
+    ${old.postBuild}
+    make $makeFlags -C contrib/slapd-modules/passwd/argon2
+  '';
+
+  # This is required because the Makefile for this module hardcodes
+  # /usr/bin/install, which is not a valid path - we want it to be
+  # looked up from $PATH because it is included in stdenv.
+  installFlags = old.installFlags ++ [ "INSTALL=install" ];
+
+  postInstall = ''
+    ${old.postInstall}
+    make $installFlags install-lib -C contrib/slapd-modules/passwd/argon2
+  '';
+
+})
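Review bot: The header comment of third_party/openldap/default.nix presents this override as the answer to salted SHA-1 password hashes, but the derivation only compiles and installs the Argon2 contrib module. slapd keeps producing the old hashes until the module is loaded and the default scheme is changed in the server configuration. I would state that in the comment, e.g. `# Note: this only ships the module; slapd must still load it and set password-hash to {ARGON2}, and existing hashes stay unchanged until each password is next set.` The same comment has two typos (`shalted`, `overrides then`). Separately, `${old.postBuild}`, `${old.postInstall}` and `old.installFlags` abort evaluation if the upstream derivation ever stops defining those attributes, so `${old.postBuild or ""}` and `old.installFlags or []` would hold up better across nixpkgs bumps.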