summary refs log tree commit diff
path: root/gnu/services/authentication.scm
diff options
context:
space:
mode:
authorAttila Lendvai <attila@lendvai.name>2022-05-17 13:39:28 +0200
committerLudovic Courtès <ludo@gnu.org>2022-06-15 00:25:21 +0200
commit8cb1a49a3998c39f315a4199b7d4a121a6d66449 (patch)
tree6467f9cb21bc9f60b6f2a2f561d690b5cfdb3b3d /gnu/services/authentication.scm
parente11517052b1bbd9fa06891ad0b13b24494db757e (diff)
downloadguix-8cb1a49a3998c39f315a4199b7d4a121a6d66449.tar.gz
services: configuration: Use *unspecified* instead of 'disabled.
Use *unspecified* as a marker for field values that have not been set.

Rationale: 'disabled may easily clash with user values for boolean fields, is
confusing (i.e. its meaning is *not* boolean false, but unspecified) and it
also passes silently through the symbol? predicate of a field of type symbol.

* gnu/services/configuration.scm (configuration-missing-default-value):
Renamed from configuration-no-default-value.
(define-maybe-helper): Use *unspecified* instead of 'disabled, and make
the default value optional.
* gnu/home/services/desktop.scm (home-redshift-configuration):
Change (maybe-xyz 'disabled) to maybe-xyz.
* gnu/services/authentication.scm (nslcd-configuration): Likewise.
* gnu/services/cgit.scm (repository-cgit-configuration): Likewise.
* gnu/services/file-sharing.scm (serialize-maybe-string)
(serialize-maybe-file-object): Use 'unspecified?' instead of (eq? val
'disabled).
* gnu/services/messaging.scm (raw-content?): Likewise.
(ssl-configuration): Change (maybe-xyz 'disabled) to maybe-xyz.
(prosody-configuration): Likewise.
* gnu/services/file-sharing.scm (transmission-daemon-configuration):
Likewise.
* gnu/services/messaging.scm (define-all-configurations):
Use *unspecified* instead of 'disabled'.
* gnu/services/networking.scm (opendht-configuration): Likewise.
* gnu/services/pm.scm (tlp-configuration): Likewise.
* gnu/services/telephony.scm (jami-account): Likewise.
(jami-configuration): Likewise.
* gnu/services/vpn.scm (openvpn-client-configuration): Likewise.
* tests/services/configuration.scm ("maybe type, no default")
("maybe type, with default"): New tests.

Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Diffstat (limited to 'gnu/services/authentication.scm')
-rw-r--r--gnu/services/authentication.scm82
1 files changed, 41 insertions, 41 deletions
diff --git a/gnu/services/authentication.scm b/gnu/services/authentication.scm
index cb0ef6d85a..f7becdfafb 100644
--- a/gnu/services/authentication.scm
+++ b/gnu/services/authentication.scm
@@ -218,7 +218,7 @@
 
   ;; Runtime options
   (threads
-   (maybe-number 'disabled)
+   maybe-number
    "The number of threads to start that can handle requests and perform LDAP
 queries.  Each thread opens a separate connection to the LDAP server.  The
 default is to start 5 threads.")
@@ -243,45 +243,45 @@ messages with the specified log level or higher are logged.")
    "The list of LDAP server URIs.  Normally, only the first server will be
 used with the following servers as fall-back.")
   (ldap-version
-   (maybe-string 'disabled)
+   maybe-string
    "The version of the LDAP protocol to use.  The default is to use the
 maximum version supported by the LDAP library.")
   (binddn
-   (maybe-string 'disabled)
+   maybe-string
    "Specifies the distinguished name with which to bind to the directory
 server for lookups.  The default is to bind anonymously.")
   (bindpw
-   (maybe-string 'disabled)
+   maybe-string
    "Specifies the credentials with which to bind.  This option is only
 applicable when used with binddn.")
   (rootpwmoddn
-   (maybe-string 'disabled)
+   maybe-string
    "Specifies the distinguished name to use when the root user tries to modify
 a user's password using the PAM module.")
   (rootpwmodpw
-   (maybe-string 'disabled)
+   maybe-string
    "Specifies the credentials with which to bind if the root user tries to
 change a user's password.  This option is only applicable when used with
 rootpwmoddn")
 
   ;; SASL authentication options
   (sasl-mech
-   (maybe-string 'disabled)
+   maybe-string
    "Specifies the SASL mechanism to be used when performing SASL
 authentication.")
   (sasl-realm
-   (maybe-string 'disabled)
+   maybe-string
    "Specifies the SASL realm to be used when performing SASL authentication.")
   (sasl-authcid
-   (maybe-string 'disabled)
+   maybe-string
    "Specifies the authentication identity to be used when performing SASL
 authentication.")
   (sasl-authzid
-   (maybe-string 'disabled)
+   maybe-string
    "Specifies the authorization identity to be used when performing SASL
 authentication.")
   (sasl-canonicalize?
-   (maybe-boolean 'disabled)
+   maybe-boolean
    "Determines whether the LDAP server host name should be canonicalised.  If
 this is enabled the LDAP library will do a reverse host name lookup.  By
 default, it is left up to the LDAP library whether this check is performed or
@@ -289,7 +289,7 @@ not.")
 
   ;; Kerberos authentication options
   (krb5-ccname
-   (maybe-string 'disabled)
+   maybe-string
    "Set the name for the GSS-API Kerberos credentials cache.")
 
   ;; Search / mapping options
@@ -302,11 +302,11 @@ not.")
 default scope is subtree; base scope is almost never useful for name service
 lookups; children scope is not supported on all servers.")
   (deref
-   (maybe-deref-option 'disabled)
+   maybe-deref-option
    "Specifies the policy for dereferencing aliases.  The default policy is to
 never dereference aliases.")
   (referrals
-   (maybe-boolean 'disabled)
+   maybe-boolean
    "Specifies whether automatic referral chasing should be enabled.  The
 default behaviour is to chase referrals.")
   (maps
@@ -322,132 +322,132 @@ applies and an LDAP search filter expression.")
 
   ;; Timing / reconnect options
   (bind-timelimit
-   (maybe-number 'disabled)
+   maybe-number
    "Specifies the time limit in seconds to use when connecting to the
 directory server.  The default value is 10 seconds.")
   (timelimit
-   (maybe-number 'disabled)
+   maybe-number
    "Specifies the time limit (in seconds) to wait for a response from the LDAP
 server.  A value of zero, which is the default, is to wait indefinitely for
 searches to be completed.")
   (idle-timelimit
-   (maybe-number 'disabled)
+   maybe-number
    "Specifies the period if inactivity (in seconds) after which the con‐
 nection to the LDAP server will be closed.  The default is not to time out
 connections.")
   (reconnect-sleeptime
-   (maybe-number 'disabled)
+   maybe-number
    "Specifies the number of seconds to sleep when connecting to all LDAP
 servers fails.  By default one second is waited between the first failure and
 the first retry.")
   (reconnect-retrytime
-   (maybe-number 'disabled)
+   maybe-number
    "Specifies the time after which the LDAP server is considered to be
 permanently unavailable.  Once this time is reached retries will be done only
 once per this time period.  The default value is 10 seconds.")
 
   ;; TLS options
   (ssl
-   (maybe-ssl-option 'disabled)
+   maybe-ssl-option
    "Specifies whether to use SSL/TLS or not (the default is not to).  If
 'start-tls is specified then StartTLS is used rather than raw LDAP over SSL.")
   (tls-reqcert
-   (maybe-tls-reqcert-option 'disabled)
+   maybe-tls-reqcert-option
    "Specifies what checks to perform on a server-supplied certificate.
 The meaning of the values is described in the ldap.conf(5) manual page.")
   (tls-cacertdir
-   (maybe-string 'disabled)
+   maybe-string
    "Specifies the directory containing X.509 certificates for peer authen‐
 tication.  This parameter is ignored when using GnuTLS.")
   (tls-cacertfile
-   (maybe-string 'disabled)
+   maybe-string
    "Specifies the path to the X.509 certificate for peer authentication.")
   (tls-randfile
-   (maybe-string 'disabled)
+   maybe-string
    "Specifies the path to an entropy source.  This parameter is ignored when
 using GnuTLS.")
   (tls-ciphers
-   (maybe-string 'disabled)
+   maybe-string
    "Specifies the ciphers to use for TLS as a string.")
   (tls-cert
-   (maybe-string 'disabled)
+   maybe-string
    "Specifies the path to the file containing the local certificate for client
 TLS authentication.")
   (tls-key
-   (maybe-string 'disabled)
+   maybe-string
    "Specifies the path to the file containing the private key for client TLS
 authentication.")
 
   ;; Other options
   (pagesize
-   (maybe-number 'disabled)
+   maybe-number
    "Set this to a number greater than 0 to request paged results from the LDAP
 server in accordance with RFC2696.  The default (0) is to not request paged
 results.")
   (nss-initgroups-ignoreusers
-   (maybe-ignore-users-option 'disabled)
+   maybe-ignore-users-option
    "This option prevents group membership lookups through LDAP for the
 specified users.  Alternatively, the value 'all-local may be used.  With that
 value nslcd builds a full list of non-LDAP users on startup.")
   (nss-min-uid
-   (maybe-number 'disabled)
+   maybe-number
    "This option ensures that LDAP users with a numeric user id lower than the
 specified value are ignored.")
   (nss-uid-offset
-   (maybe-number 'disabled)
+   maybe-number
    "This option specifies an offset that is added to all LDAP numeric user
 ids.  This can be used to avoid user id collisions with local users.")
   (nss-gid-offset
-   (maybe-number 'disabled)
+   maybe-number
    "This option specifies an offset that is added to all LDAP numeric group
 ids.  This can be used to avoid user id collisions with local groups.")
   (nss-nested-groups
-   (maybe-boolean 'disabled)
+   maybe-boolean
    "If this option is set, the member attribute of a group may point to
 another group.  Members of nested groups are also returned in the higher level
 group and parent groups are returned when finding groups for a specific user.
 The default is not to perform extra searches for nested groups.")
   (nss-getgrent-skipmembers
-   (maybe-boolean 'disabled)
+   maybe-boolean
    "If this option is set, the group member list is not retrieved when looking
 up groups.  Lookups for finding which groups a user belongs to will remain
 functional so the user will likely still get the correct groups assigned on
 login.")
   (nss-disable-enumeration
-   (maybe-boolean 'disabled)
+   maybe-boolean
    "If this option is set, functions which cause all user/group entries to be
 loaded from the directory will not succeed in doing so.  This can dramatically
 reduce LDAP server load in situations where there are a great number of users
 and/or groups.  This option is not recommended for most configurations.")
   (validnames
-   (maybe-string 'disabled)
+   maybe-string
    "This option can be used to specify how user and group names are verified
 within the system.  This pattern is used to check all user and group names
 that are requested and returned from LDAP.")
   (ignorecase
-   (maybe-boolean 'disabled)
+   maybe-boolean
    "This specifies whether or not to perform searches using case-insensitive
 matching.  Enabling this could open up the system to authorization bypass
 vulnerabilities and introduce nscd cache poisoning vulnerabilities which allow
 denial of service.")
   (pam-authc-ppolicy
-   (maybe-boolean 'disabled)
+   maybe-boolean
    "This option specifies whether password policy controls are requested and
 handled from the LDAP server when performing user authentication.")
   (pam-authc-search
-   (maybe-string 'disabled)
+   maybe-string
    "By default nslcd performs an LDAP search with the user's credentials after
 BIND (authentication) to ensure that the BIND operation was successful.  The
 default search is a simple check to see if the user's DN exists.  A search
 filter can be specified that will be used instead.  It should return at least
 one entry.")
   (pam-authz-search
-   (maybe-string 'disabled)
+   maybe-string
    "This option allows flexible fine tuning of the authorisation check that
 should be performed.  The search filter specified is executed and if any
 entries match, access is granted, otherwise access is denied.")
   (pam-password-prohibit-message
-   (maybe-string 'disabled)
+   maybe-string
    "If this option is set password modification using pam_ldap will be denied
 and the specified message will be presented to the user instead.  The message
 can be used to direct the user to an alternative means of changing their