ldap: replace pass_attrs option with password attr option

The passdb only checks password access, so instead of customizing the whole pass_attrs setting we now allow customization of the password field used.
2026-03-15 18:44:31 +01:00
parent 091eda1ed2
commit af480dba87
2 changed files with 15 additions and 15 deletions
@@ -394,6 +394,17 @@ in
            [RFC4530]: https://www.rfc-editor.org/rfc/rfc4530.html
          '';
        };
+
+        password = mkOption {
+          type = types.str;
+          default = "userPassword";
+          example = "unix_password";
+          description = ''
+            The LDAP attribute referencing the account password used to login with.
+
+            Typically the `userPassword` attribute which is part of the `inetOrgPerson` schema.
+          '';
+        };
      };

      dovecot = {
@@ -410,18 +421,6 @@ in
          '';
        };

-        passAttrs = mkOption {
-          type = types.str;
-          default = "userPassword=password";
-          description = ''
-            LDAP attributes to be retrieved during passdb lookups.
-
-            See the pass_attrs reference at
-            https://doc.dovecot.org/2.3/configuration_manual/authentication/ldap_settings_auth/#pass-attrs
-            in the Dovecot manual.
-          '';
-        };
-
        passFilter = mkOption {
          type = types.nullOr types.str;
          default = "mail=%{user}";
@@ -1638,5 +1637,8 @@ in
    (mkRemovedOptionModule [ "mailserver" "ldap" "dovecot" "userAttrs" ] ''
      The user_attrs field is now used internally to map the home and mail directories.
    '')
+    (mkRemovedOptionModule [ "mailserver" "ldap" "dovecot" "passAttrs" ] ''
+      The pass_attrs field is now used internally. You can customize the `mailserver.ldap.attributes.password` field instead.
+    '')
  ];
 }