From 458b0ceb85dd0593c7738ca50b9e03a5e13fa99b Mon Sep 17 00:00:00 2001
From: Andreas Rammhold
Date: Mon, 12 Oct 2020 17:16:51 +0200
Subject: [PATCH] ldap: Use hashed passwords in the test

We should lead with good example and when users copy code from this repo it should not incentivize them to use plain text passwords.
---
 flake.nix | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/flake.nix b/flake.nix
index 7756916b..1d9825ae 100644
--- a/flake.nix
+++ b/flake.nix
@@ -366,9 +366,14 @@
 rootpw = "notapassword";
 database = "bdb";
 dataDir = "/var/lib/openldap";
+ extraConfig = ''
+ moduleload pw-sha2
+ '';
 extraDatabaseConfig = ''
 '';
+ # userPassword generated via `slappasswd -o module-load=pw-sha2 -h '{SSHA256}'`
+ # The admin user has the password `password and `user` has the password `foobar`.
 declarativeContents = ''
 dn: dc=example
 dc: example
@@ -401,7 +406,7 @@
 sn: user
 cn: user
 mail: user@example
- userPassword: foobar
+ userPassword: {SSHA256}B9rfUbNgv8nIGn1Hm5qbVQdv6AIQb012ORJwegqELB0DWCzoMCY+4A==
 dn: cn=admin,ou=users,dc=example
 objectClass: organizationalPerson
@@ -409,7 +414,7 @@
 sn: admin
 cn: admin
 mail: admin@example
- userPassword: password
+ userPassword: {SSHA256}meKP7fSWhkzXFC1f8RWRb8V8ssmN/VQJp7xJrUFFcNUDuwP1PbitMg==
 '';
 };
 systemd.services.hdyra-server.environment.CATALYST_DEBUG = "1";
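Review bot: In the first hunk (`@@ -366,9 +366,14 @@`) the context line `rootpw = "notapassword";` still holds the directory manager password in clear text, so the example keeps the pattern this commit sets out to remove. slapd's rootpw directive accepts the same hashed form, so with `pw-sha2` now loaded it could read `rootpw = "{SSHA256}<hash from slappasswd>";` (placeholder value; this assumes the NixOS option is written through to slapd unchanged, which is worth confirming). The second added comment is also missing the closing backtick after the word password. The openldap attribute set opens above the hunk and `declarativeContents` continues below it.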
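Review bot: The `{SSHA256}` values on the new `userPassword:` lines in the second and third hunks are a single salted SHA-256 round, which is cheap to brute-force offline if the LDIF or the database leaks, and this file is expected to be copied. A comment above `declarativeContents` would say so, e.g. `# Test fixture only: {SSHA256} is a fast salted hash; use a slow KDF password scheme (PBKDF2/Argon2 modules, where the slapd build ships them) for real directories.` No `password-hash` directive is visible in these hunks, so passwords changed later through slapd would presumably be stored with its default scheme; adding `password-hash {SSHA256}` to `extraConfig` would keep them consistent. Both LDIF entries begin outside their hunks.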