openldap: test and fix mutable config

nixos/modules/services/databases/openldap.nix

@@ -231,7 +231,7 @@ in {
 
   config = let
     dbSettings = mapAttrs' (name: { attrs, ... }: nameValuePair attrs.olcSuffix attrs)
-      (filterAttrs (name: value: hasPrefix "olcDatabase=" name) cfg.settings.children);
+      (filterAttrs (name: { attrs, ... }: (hasPrefix "olcDatabase=" name) && attrs ? olcSuffix) cfg.settings.children);
     settingsFile = pkgs.writeText "config.ldif" (lib.concatStringsSep "\n" (attrsToLdif "cn=config" cfg.settings));
     writeConfig = pkgs.writeShellScript "openldap-config" ''
       set -euo pipefail
@@ -245,7 +245,9 @@ in {
 
     contentsFiles = mapAttrs (dn: ldif: pkgs.writeText "${dn}.ldif" ldif) cfg.declarativeContents;
     writeContents = pkgs.writeShellScript "openldap-load" ''
-      rm -rf /var/lib/openldap/$2/*
+      set -euo pipefail
+
+      rm -rf $2/*
       ${openldap}/bin/slapadd -F ${configDir} -b $1 -l $3
     '';
   in mkIf cfg.enable {

nixos/tests/openldap.nix

@@ -55,6 +55,14 @@ in {
             "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
             "${pkgs.openldap}/etc/schema/nis.ldif"
           ];
+          "olcDatabase={0}config" = {
+            attrs = {
+              objectClass = [ "olcDatabaseConfig" ];
+              olcDatabase = "{0}config";
+              olcRootDN = "cn=root,cn=config";
+              olcRootPW = "configpassword";
+            };
+          };
           "olcDatabase={1}mdb" = {
             # This tests string, base64 and path values, as well as lists of string values
             attrs = {
@@ -77,6 +85,9 @@ in {
     };
 
     specialisation = {
+      mutableConfig.configuration = { ... }: {
+        services.openldap.mutableConfig = true;
+      };
       manualConfigDir = {
         inheritParentConfig = false;
         configuration = { ... }: {
@@ -99,10 +110,17 @@ in {
   in ''
     machine.wait_for_unit("openldap.service")
     machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword -b "dc=example"')
+    machine.fail('ldapmodify -D cn=root,cn=config -w configpassword -f ${pkgs.writeText "rootpw.ldif" changeRootPw}')
+
+    with subtest("mutable config"):
+      machine.succeed('${specializations}/mutableConfig/bin/switch-to-configuration test')
+      machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword -b "dc=example"')
+      machine.succeed('ldapmodify -D cn=root,cn=config -w configpassword -f ${pkgs.writeText "rootpw.ldif" changeRootPw}')
+      machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w foobar -b "dc=example"')
 
     with subtest("manual config dir"):
       machine.succeed(
-        'mkdir -p /var/db/slapd.d /var/db/openldap',
+        'mkdir /var/db/slapd.d /var/db/openldap',
         'slapadd -F /var/db/slapd.d -n0 -l ${pkgs.writeText "config.ldif" ldifConfig}',
         'slapadd -F /var/db/slapd.d -n1 -l ${pkgs.writeText "contents.ldif" dbContents}',
         'chown -R openldap:openldap /var/db/slapd.d /var/db/openldap',