author | Florian Klink <flokli@flokli.de> | 2019-03-27 02:27:57 +0100 |
---|---|---|
committer | Florian Klink <flokli@flokli.de> | 2019-03-28 13:08:47 +0100 |
commit | 8817bbefdbe9f54f7ee42e5cef00f386e227bf5d (patch) | |
tree | 31dcfd14da5a0177007bc2db3716fcac35c3d4c7 /nixos/doc | |
parent | 0a1451afe366873890c1df7a2fc6532ccc39f6bf (diff) | |
nixos/ldap: set proper User= and Group= for nslcd service

eb90d9700958aefbc7b886f2b524c6d04dc1d80d broke nslcd, as /run/nslcd was created/chowned as root user, while nslcd wants to do parts as nslcd user.

This commit changes the nslcd to run with the proper uid/gid from the start (through User= and Group=), so the RuntimeDirectory has proper permissions, too.

In some cases, secrets are baked into nslcd's config file during startup (so we don't want to provide it from the store).

This config file is normally hard-wired to /etc/nslcd.conf, but we don't want to use PermissionsStartOnly anymore (#56265), and activation scripts are ugly, so redirect /etc/nslcd.conf to /run/nslcd/nslcd.conf, which now gets provisioned inside ExecStartPre=.

This change requires the files referenced in users.ldap.bind.passwordFile and users.ldap.daemon.rootpwmodpwFile to be readable by the nslcd user (in the non-nslcd case, this was already the case for users.ldap.bind.passwordFile).

fixes #57783

Diffstat (limited to 'nixos/doc')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-1903.xml | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1903.xml b/nixos/doc/manual/release-notes/rl-1903.xml index 7d40637df931..bbd3cf2e9db5 100644 --- a/nixos/doc/manual/release-notes/rl-1903.xml +++ b/nixos/doc/manual/release-notes/rl-1903.xml @@ -516,6 +516,13 @@ Graylog</link> for details. </para> </listitem> + <listitem> + <para> + The option <literal>users.ldap.bind.password</literal> was renamed to <literal>users.ldap.bind.passwordFile</literal>, + and needs to be readable by the <literal>nslcd</literal> user. + Same applies to the new <literal>users.ldap.daemon.rootpwmodpwFile</literal> option. + </para> + </listitem> </itemizedlist> </section> |
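
Review bot: The new release-note entry says the option itself "needs to be readable by the `nslcd` user", but it is the file the option points to that must be readable; consider wording such as "the file it refers to needs to be readable by the `nslcd` user". The entry also omits the reason the commit message gives: nslcd now runs with `User=` and `Group=` from the start and its config is provisioned in `ExecStartPre=`, so the secret files are read as the `nslcd` user. One sentence saying so would tell operators who keep these files readable only by root why they have to change ownership or mode on upgrade. Minor style point: "Same applies to" should read "The same applies to".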