diff --git a/nixos/modules/config/ldap.nix b/nixos/modules/config/ldap.nix
index 1a5dbcd4e26b..e63f8c0d43e7 100644
--- a/nixos/modules/config/ldap.nix
+++ b/nixos/modules/config/ldap.nix
@@ -59,30 +59,28 @@ in
users.ldap = {
- enable = mkOption {
- type = types.bool;
- default = false;
- description = "Whether to enable authentication against an LDAP server.";
- };
+ enable = mkEnableOption "authentication against an LDAP server";
loginPam = mkOption {
type = types.bool;
default = true;
- description = "Whether to include authentication against LDAP in login PAM";
+ description = "Whether to include authentication against LDAP in login PAM.";
};
nsswitch = mkOption {
type = types.bool;
default = true;
- description = "Whether to include lookup against LDAP in NSS";
+ description = "Whether to include lookup against LDAP in NSS.";
};
server = mkOption {
+ type = types.str;
example = "ldap://ldap.example.org/";
description = "The URL of the LDAP server.";
};
base = mkOption {
+ type = types.str;
example = "dc=example,dc=org";
description = "The distinguished name of the search base.";
};
@@ -129,7 +127,7 @@ in
type = types.lines;
description = ''
Extra configuration options that will be added verbatim at
- the end of the nslcd configuration file (nslcd.conf).
+ the end of the nslcd configuration file (nslcd.conf(5)).
'' ;
} ;
@@ -180,7 +178,7 @@ in
description = ''
Specifies the time limit (in seconds) to use when connecting
to the directory server. This is distinct from the time limit
- specified in users.ldap.timeLimit and affects
+ specified in and affects
the initial server connection only.
'';
};
@@ -197,7 +195,7 @@ in
actually contact the directory server, and it is possible that
a malformed configuration file will trigger reconnection. If
soft is specified, then
- nss_ldap will return immediately on server
+ nss_ldap will return immediately on server
failure. All hard reconnect policies block with exponential
backoff before retrying.
'';
@@ -209,10 +207,10 @@ in
type = types.lines;
description = ''
Extra configuration options that will be added verbatim at
- the end of the ldap configuration file (ldap.conf).
- If users.ldap.daemon is enabled, this
+ the end of the ldap configuration file (ldap.conf(5)).
+ If is enabled, this
configuration will not be used. In that case, use
- users.ldap.daemon.extraConfig instead.
+ instead.
'' ;
};
@@ -276,7 +274,12 @@ in
} >"$conf"
mv -fT "$conf" /run/nslcd/nslcd.conf
'';
- restartTriggers = [ "/run/nslcd/nslcd.conf" ];
+
+ restartTriggers = [
+ nslcdConfig
+ cfg.bind.passwordFile
+ cfg.daemon.rootpwmodpwFile
+ ];
serviceConfig = {
ExecStart = "${nslcdWrapped}/bin/nslcd";