feat(3p/openldap): Enable slapd-passwd-argon2 module

This enables support for the Argon2 password hashing mechanism in
OpenLDAP. Note that we also need to configure the LDAP module to load
this, so this change is not yet sufficient for actually using Argon2
hashes.

Change-Id: I151b854b777daa924b22224a43851432a88a2760
Reviewed-on: https://cl.tvl.fyi/c/depot/+/830
Reviewed-by: BuildkiteCI
Reviewed-by: isomer <isomer@tvl.fyi>
Tested-by: BuildkiteCI

ci-builds.nix

@@ -63,6 +63,7 @@ in lib.fix (self: {
     cgit
     git
     nix
+    openldap
   ];
 
   various = with depot; [

third_party/default.nix

@@ -182,7 +182,7 @@ in exposed.lib.fix(self: exposed // {
 
   # Packages to be overridden
   originals = {
-    inherit (nixpkgs) go grpc notmuch;
+    inherit (nixpkgs) openldap go grpc notmuch;
     inherit (stableNixpkgs) git;
     ffmpeg = nixpkgs.ffmpeg-full;
   };

third_party/openldap/default.nix

@@ -0,0 +1,27 @@
+# OpenLDAP by default uses a simple shalted SHA1-hash for passwords,
+# which is less than ideal.
+#
+# It does however include a contrib module which adds support for the
+# Argon2 password hashing scheme. This overrides then OpenLDAP build
+# derivation to include this module.
+{ pkgs, ... }:
+
+pkgs.originals.openldap.overrideAttrs(old: {
+  buildInputs = old.buildInputs ++ [ pkgs.libsodium ];
+
+  postBuild = ''
+    ${old.postBuild}
+    make $makeFlags -C contrib/slapd-modules/passwd/argon2
+  '';
+
+  # This is required because the Makefile for this module hardcodes
+  # /usr/bin/install, which is not a valid path - we want it to be
+  # looked up from $PATH because it is included in stdenv.
+  installFlags = old.installFlags ++ [ "INSTALL=install" ];
+
+  postInstall = ''
+    ${old.postInstall}
+    make $installFlags install-lib -C contrib/slapd-modules/passwd/argon2
+  '';
+
+})