diff --git a/nixos/modules/config/ldap.nix b/nixos/modules/config/ldap.nix
index 1a5dbcd4e26b..e63f8c0d43e7 100644
--- a/nixos/modules/config/ldap.nix
+++ b/nixos/modules/config/ldap.nix
@@ -59,30 +59,28 @@ in
 users.ldap = {
- enable = mkOption {
- type = types.bool;
- default = false;
- description = "Whether to enable authentication against an LDAP server.";
- };
+ enable = mkEnableOption "authentication against an LDAP server";
 loginPam = mkOption {
 type = types.bool;
 default = true;
- description = "Whether to include authentication against LDAP in login PAM";
+ description = "Whether to include authentication against LDAP in login PAM.";
 };
 nsswitch = mkOption {
 type = types.bool;
 default = true;
- description = "Whether to include lookup against LDAP in NSS";
+ description = "Whether to include lookup against LDAP in NSS.";
 };
 server = mkOption {
+ type = types.str;
 example = "ldap://ldap.example.org/";
 description = "The URL of the LDAP server.";
 };
 base = mkOption {
+ type = types.str;
 example = "dc=example,dc=org";
 description = "The distinguished name of the search base.";
 };
@@ -129,7 +127,7 @@ in
 type = types.lines;
 description = ''
 Extra configuration options that will be added verbatim at
- the end of the nslcd configuration file (nslcd.conf).
+ the end of the nslcd configuration file (nslcd.conf(5)).
 '' ;
 } ;
@@ -180,7 +178,7 @@ in
 description = ''
 Specifies the time limit (in seconds) to use when connecting to the directory server. This is distinct from the time limit
- specified in users.ldap.timeLimit and affects
+ specified in and affects
 the initial server connection only.
 '';
 };
@@ -197,7 +195,7 @@ in
 actually contact the directory server, and it is possible that a malformed configuration file will trigger reconnection. If soft is specified, then
- nss_ldap will return immediately on server
+ nss_ldap will return immediately on server
 failure. All hard reconnect policies block with exponential backoff before retrying.
 '';
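Review bot: The new description line in the hunk at @@ -180 reads `specified in and affects`, so the reference to users.ldap.timeLimit that the removed line carried is no longer visible in the text; if this became a DocBook `<option>` cross-reference that this view has stripped, fine, but if the plain name was simply dropped the sentence no longer says which option it is contrasting with. The same applies to the two new lines in the hunk at @@ -209 (`If is enabled, this` and `instead.`), which lose the references to users.ldap.daemon and users.ldap.daemon.extraConfig. If no markup is present in the file, restore the names, e.g. `specified in users.ldap.timeLimit and affects`. The option definitions these descriptions belong to start and end outside the hunks.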
@@ -209,10 +207,10 @@ in
 type = types.lines;
 description = ''
 Extra configuration options that will be added verbatim at
- the end of the ldap configuration file (ldap.conf).
- If users.ldap.daemon is enabled, this
+ the end of the ldap configuration file (ldap.conf(5)).
+ If is enabled, this
 configuration will not be used. In that case, use
- users.ldap.daemon.extraConfig instead.
+ instead.
 '' ;
 };
@@ -276,7 +274,12 @@ in
 } >"$conf"
 mv -fT "$conf" /run/nslcd/nslcd.conf
 '';
- restartTriggers = [ "/run/nslcd/nslcd.conf" ];
+
+ restartTriggers = [
+ nslcdConfig
+ cfg.bind.passwordFile
+ cfg.daemon.rootpwmodpwFile
+ ];
 serviceConfig = {
 ExecStart = "${nslcdWrapped}/bin/nslcd";
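Review bot: `cfg.bind.passwordFile` and `cfg.daemon.rootpwmodpwFile` in the new `restartTriggers` list in the hunk at @@ -276 are presumably paths to secret files kept outside the Nix store, and a restart trigger on such a value only fires when the configured path string changes, not when the file's contents are rotated; if a restart on credential rotation is the intent, that needs a content-based trigger rather than the path. `nslcdConfig`, by contrast, looks like a store path, so its trigger does follow content changes. A comment on the list would stop the next reader from assuming the two secret entries track rotation, e.g. `# nslcdConfig is a store path and triggers on content changes; the two secret-file entries only trigger when the configured path changes.` The preStart script that writes /run/nslcd/nslcd.conf and the enclosing service definition begin outside the hunk.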