feat(3p/openldap): Enable slapd-passwd-argon2 module

This enables support for the Argon2 password hashing mechanism in
OpenLDAP. Note that we also need to configure the LDAP module to load
this, so this change is not yet sufficient for actually using Argon2
hashes.

Change-Id: I151b854b777daa924b22224a43851432a88a2760
Reviewed-on: https://cl.tvl.fyi/c/depot/+/830
Reviewed-by: BuildkiteCI
Reviewed-by: isomer <isomer@tvl.fyi>
Tested-by: BuildkiteCI
Vincent Ambo 2020-07-01 18:45:23 +01:00 committed by tazjin
parent 6f5211bba8
commit d2aaf030bd
3 changed files with 29 additions and 1 deletions


@ -63,6 +63,7 @@ in lib.fix (self: {
cgit
git
nix
openldap
];
various = with depot; [


@ -182,7 +182,7 @@ in exposed.lib.fix(self: exposed // {
# Packages to be overridden
originals = {
inherit (nixpkgs) go grpc notmuch;
inherit (nixpkgs) openldap go grpc notmuch;
inherit (stableNixpkgs) git;
ffmpeg = nixpkgs.ffmpeg-full;
};

27
third_party/openldap/default.nix vendored Normal file

@ -0,0 +1,27 @@
# OpenLDAP by default uses a simple shalted SHA1-hash for passwords,
# which is less than ideal.
#
# It does however include a contrib module which adds support for the
# Argon2 password hashing scheme. This overrides then OpenLDAP build
# derivation to include this module.
{ pkgs, ... }:
pkgs.originals.openldap.overrideAttrs(old: {
buildInputs = old.buildInputs ++ [ pkgs.libsodium ];
postBuild = ''
${old.postBuild}
make $makeFlags -C contrib/slapd-modules/passwd/argon2
'';
# This is required because the Makefile for this module hardcodes
# /usr/bin/install, which is not a valid path - we want it to be
# looked up from $PATH because it is included in stdenv.
installFlags = old.installFlags ++ [ "INSTALL=install" ];
postInstall = ''
${old.postInstall}
make $installFlags install-lib -C contrib/slapd-modules/passwd/argon2
'';
})
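Review bot: The three references to the upstream derivation in third_party/openldap/default.nix (`${old.postBuild}`, `${old.postInstall}` and `old.installFlags ++ [ ... ]`) assume that nixpkgs' openldap defines all of these attributes; if a later channel bump drops one, evaluation would stop with a missing-attribute error before anything is built. Defaulting them keeps the override robust: `${old.postBuild or ""}`, `${old.postInstall or ""}` and `installFlags = (old.installFlags or []) ++ [ "INSTALL=install" ];`. The header comment also has two typos: "shalted" should read "salted" and "overrides then" should read "overrides the". Because this override determines which password-hashing code ends up in the slapd package, a short comment stating that the module is built against `pkgs.libsodium` (the input added to `buildInputs` here) would help anyone who later audits the hash parameters.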