From d2aaf030bd3c1da388f7f417b517269e106835a1 Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Wed, 1 Jul 2020 18:45:23 +0100
Subject: feat(3p/openldap): Enable slapd-passwd-argon2 module

This enables support for the Argon2 password hashing mechanism in OpenLDAP. Note that we also need to configure the LDAP module to load this, so this change is not yet sufficient for actually using Argon2 hashes.

Change-Id: I151b854b777daa924b22224a43851432a88a2760
Reviewed-on: https://cl.tvl.fyi/c/depot/+/830
Reviewed-by: BuildkiteCI
Reviewed-by: isomer
Tested-by: BuildkiteCI
---
 ci-builds.nix | 1 +
 third_party/default.nix | 2 +-
 third_party/openldap/default.nix | 27 +++++++++++++++++++++++++++
 3 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 third_party/openldap/default.nix

diff --git a/ci-builds.nix b/ci-builds.nix
index 076c642584..6358688769 100644
--- a/ci-builds.nix
+++ b/ci-builds.nix
@@ -63,6 +63,7 @@ in lib.fix (self: {
 cgit
 git
 nix
+ openldap
 ];
 various = with depot; [
diff --git a/third_party/default.nix b/third_party/default.nix
index 77f88b5a60..3e55ae6367 100644
--- a/third_party/default.nix
+++ b/third_party/default.nix
@@ -182,7 +182,7 @@ in exposed.lib.fix(self: exposed // {
 # Packages to be overridden
 originals = {
- inherit (nixpkgs) go grpc notmuch;
+ inherit (nixpkgs) openldap go grpc notmuch;
 inherit (stableNixpkgs) git;
 ffmpeg = nixpkgs.ffmpeg-full;
 };
diff --git a/third_party/openldap/default.nix b/third_party/openldap/default.nix
new file mode 100644
index 0000000000..92de8d3fea
--- /dev/null
+++ b/third_party/openldap/default.nix
@@ -0,0 +1,27 @@
+# OpenLDAP by default uses a simple shalted SHA1-hash for passwords,
+# which is less than ideal.
+#
+# It does however include a contrib module which adds support for the
+# Argon2 password hashing scheme. This overrides then OpenLDAP build
+# derivation to include this module.
+{ pkgs, ... }:
+
+pkgs.originals.openldap.overrideAttrs(old: {
+ buildInputs = old.buildInputs ++ [ pkgs.libsodium ];
+
+ postBuild = ''
+ ${old.postBuild}
+ make $makeFlags -C contrib/slapd-modules/passwd/argon2
+ '';
+
+ # This is required because the Makefile for this module hardcodes
+ # /usr/bin/install, which is not a valid path - we want it to be
+ # looked up from $PATH because it is included in stdenv.
+ installFlags = old.installFlags ++ [ "INSTALL=install" ];
+
+ postInstall = ''
+ ${old.postInstall}
+ make $installFlags install-lib -C contrib/slapd-modules/passwd/argon2
+ '';
+
+})
--
cgit 1.4.1
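Review bot: The override interpolates `${old.postBuild}` and `${old.postInstall}` and reads `old.installFlags` with no fallback, so evaluation fails outright if the nixpkgs `openldap` derivation ever stops defining one of those attributes. Guarding them keeps the Argon2 build independent of that upstream detail: `${old.postBuild or ""}`, `${old.postInstall or ""}` and `installFlags = (old.installFlags or []) ++ [ "INSTALL=install" ];`. The header comment has two typos worth fixing in the same pass, `shalted` for "salted" and `overrides then OpenLDAP` for "overrides the OpenLDAP". As the only documentation in the file, it could also say in one line that password hashes already stored under the old scheme stay as they are until each password is next set.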