From af480dba878e2203d1553724a55cedd45f86b2d0 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Sun, 15 Mar 2026 18:44:31 +0100 Subject: [PATCH] ldap: replace pass_attrs option with password attr option The passdb only checks password access, so instead of customizing the whole pass_attrs setting we now allow customization of the password field used. --- default.nix | 26 ++++++++++++++------------ mail-server/dovecot.nix | 4 +--- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/default.nix b/default.nix index 3472d57..ad3164e 100644 --- a/default.nix +++ b/default.nix @@ -394,6 +394,17 @@ in [RFC4530]: https://www.rfc-editor.org/rfc/rfc4530.html ''; }; + + password = mkOption { + type = types.str; + default = "userPassword"; + example = "unix_password"; + description = '' + The LDAP attribute referencing the account password used to login with. + + Typically the `userPassword` attribute which is part of the `inetOrgPerson` schema. + ''; + }; }; dovecot = { @@ -410,18 +421,6 @@ in ''; }; - passAttrs = mkOption { - type = types.str; - default = "userPassword=password"; - description = '' - LDAP attributes to be retrieved during passdb lookups. - - See the pass_attrs reference at - https://doc.dovecot.org/2.3/configuration_manual/authentication/ldap_settings_auth/#pass-attrs - in the Dovecot manual. - ''; - }; - passFilter = mkOption { type = types.nullOr types.str; default = "mail=%{user}"; @@ -1638,5 +1637,8 @@ in (mkRemovedOptionModule [ "mailserver" "ldap" "dovecot" "userAttrs" ] '' The user_attrs field is now used internally to map the home and mail directories. '') + (mkRemovedOptionModule [ "mailserver" "ldap" "dovecot" "passAttrs" ] '' + The pass_attrs field is now used internally. You can customize the `mailserver.ldap.attributes.password` field instead. + '') ]; } diff --git a/mail-server/dovecot.nix b/mail-server/dovecot.nix index fda742a..307f0f4 100644 --- a/mail-server/dovecot.nix +++ b/mail-server/dovecot.nix 
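Review bot: The new `password` option is declared as `types.str`, yet the mail-server/dovecot.nix hunk interpolates it unquoted into `pass_attrs = ${cfg.ldap.attributes.password}=password`, and the old guard that skipped the line for an empty value is removed. An empty string now renders `pass_attrs = =password`, and a value containing whitespace, `=`, `,` or a newline would alter the mapping or add further lines to the generated LDAP config. That would probably surface as failed logins at runtime rather than as an evaluation error. Constraining the type catches it at build time, for example `type = types.strMatching "[A-Za-z][A-Za-z0-9_-]*";`, with the character class adjusted to the attribute names the module wants to accept (the `unix_password` example needs the underscore). The enclosing option set starts outside the hunk.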
@@ -84,9 +84,7 @@ let lib.optionalString (cfg.indexDir != null) ":INDEX=${cfg.indexDir}/ldap/%{ldap:${ldapUuidAttribute}}" } user_filter = ${cfg.ldap.dovecot.userFilter} - ${lib.optionalString (cfg.ldap.dovecot.passAttrs != "") '' - pass_attrs = ${cfg.ldap.dovecot.passAttrs} - ''} + pass_attrs = ${cfg.ldap.attributes.password}=password pass_filter = ${cfg.ldap.dovecot.passFilter} ''; };
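Review bot: Nothing near the new `pass_attrs` line records that the right-hand side is now fixed to Dovecot's `password` field, so the configured attribute must hold a hash Dovecot can verify and must be readable by the DN Dovecot searches with. That matters for directory ACLs, because the hash attribute is usually the most tightly restricted one. It applies only if authentication binds are not enabled elsewhere in this file, which the hunk does not show. A comment line in the generated config would cover it, e.g. `# only the password hash is mapped; the lookup DN needs read access to this attribute`. The surrounding string and `let` binding start outside the hunk.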