From 4d51487a519e624083e0809c26d2b0af1d333d9e Mon Sep 17 00:00:00 2001
From: Julien Moutinho <julm@sourcephile.fr>
Date: Wed, 29 Apr 2020 14:01:28 +0200
Subject: [PATCH] openldap: no SHA2 anor PBKDF2 password modules by default

---
 modules/services/databases/openldap.nix | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/modules/services/databases/openldap.nix b/modules/services/databases/openldap.nix
index 1ae5eea..bc7a2ec 100644
--- a/modules/services/databases/openldap.nix
+++ b/modules/services/databases/openldap.nix
@@ -2,9 +2,10 @@
 let
   inherit (builtins) baseNameOf readFile;
   inherit (lib) types;
-  inherit (pkgs.lib) unlinesAttrs;
   inherit (config.services) openldap;
   inherit (config.users) ldap;
+  unlines = lib.concatStringsSep "\n";
+  unlinesAttrs = f: as: unlines (lib.mapAttrsToList f as);
 in
 {
 options = {
@@ -27,8 +28,8 @@ services.openldap.cnConfig = lib.mkOption {
     dn: cn={0}module,cn=config
     objectClass: olcModuleList
     olcModulePath: ${pkgs.openldap}/lib/modules
-    olcModuleLoad: pw-sha2
-    olcModuleLoad: pw-pbkdf2
+    #olcModuleLoad: pw-sha2
+    #olcModuleLoad: pw-pbkdf2
     olcModuleLoad: back_mdb
 
     dn: olcDatabase={-1}frontend,cn=config
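Review bot: Commenting out `olcModuleLoad: pw-sha2` and `olcModuleLoad: pw-pbkdf2` means slapd will no longer be able to verify any `userPassword` values already stored as `{SHA256}`/`{SSHA512}`/`{PBKDF2-SHA256}` in an existing directory, so those accounts will silently fail to bind after this default is deployed. That consequence is not stated anywhere in the hunk; a comment next to the disabled lines would save the next operator a debugging session, e.g. `# Not loaded by default: entries hashed with {SSHA512}/{PBKDF2-SHA256} need these modules to authenticate.` If this is an option default (the `lib.mkOption` in the hunk header suggests so), also worth saying that a deployment with such hashes should re-enable them via its own cnConfig. The surrounding `cn=config` LDIF continues outside the hunk.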
@@ -45,7 +46,8 @@ services.openldap.cnConfig = lib.mkOption {
     olcAccess: to dn.base="cn=Subschema"
       by * read
     # Hash algorithm to be used by LDAP Password Modify Extended Operation or the ppolicy overlay
-    olcPasswordHash: {PBKDF2-SHA256}
+    #olcPasswordHash: {PBKDF2-SHA256}
+    olcPasswordHash: {SSHA}
 
     dn: olcDatabase={0}config,cn=config
     objectClass: olcDatabaseConfig
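Review bot: Switching the default `olcPasswordHash` from `{PBKDF2-SHA256}` to `{SSHA}` is a password-storage downgrade: SSHA is a single salted SHA-1 round, so a copy of the directory can be brute-forced orders of magnitude faster than with PBKDF2's iterated hash, and this hunk gives no reason for the change. If the motivation is only that the pw-pbkdf2 module is no longer loaded by default, the comment above the directive should say so and point users at the stronger setting, e.g. `# {SSHA} is a single salted SHA-1 round; prefer {PBKDF2-SHA256} (requires olcModuleLoad: pw-pbkdf2) where offline cracking of the directory is a concern.` Note too that the comment on the line above describes only the Password Modify extop and ppolicy overlay; plain `userPassword` writes that bypass the extop are not hashed by this setting unless ppolicy's hash-cleartext is in use, which is worth stating so operators do not assume all stored passwords are covered. The `olcDatabase={0}config` entry continues outside the hunk.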
-- 
2.47.2