let dbDomain = "example.org"; dbSuffix = "dc=example,dc=org"; ldapRootUser = "admin"; ldapRootPassword = "foobar"; testUser = "alice"; testPassword = "foobar"; testNewPassword = "barfoo"; in import ./make-test-python.nix ( { pkgs, ... }: { name = "sssd-ldap"; meta = with pkgs.lib.maintainers; { maintainers = [ bbigras s1341 ]; }; nodes.machine = { pkgs, ... }: { security.pam.services.systemd-user.makeHomeDir = true; environment.etc."cert.pem".text = builtins.readFile ./common/acme/server/acme.test.cert.pem; environment.etc."key.pem".text = builtins.readFile ./common/acme/server/acme.test.key.pem; services.openldap = { enable = true; urlList = [ "ldap:///" "ldaps:///" ]; settings = { attrs = { olcTLSCACertificateFile = "/etc/cert.pem"; olcTLSCertificateFile = "/etc/cert.pem"; olcTLSCertificateKeyFile = "/etc/key.pem"; olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL"; olcTLSCRLCheck = "none"; olcTLSVerifyClient = "never"; olcTLSProtocolMin = "3.1"; }; children = { "cn=schema".includes = [ "${pkgs.openldap}/etc/schema/core.ldif" "${pkgs.openldap}/etc/schema/cosine.ldif" "${pkgs.openldap}/etc/schema/inetorgperson.ldif" "${pkgs.openldap}/etc/schema/nis.ldif" ]; "olcDatabase={1}mdb" = { attrs = { objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; olcDatabase = "{1}mdb"; olcDbDirectory = "/var/lib/openldap/db"; olcSuffix = dbSuffix; olcRootDN = "cn=${ldapRootUser},${dbSuffix}"; olcRootPW = ldapRootPassword; olcAccess = [ # custom access rules for userPassword attributes '' {0}to attrs=userPassword by self write by anonymous auth by * none'' # allow read on anything else '' {1}to * by * read'' ]; }; }; }; }; declarativeContents = { ${dbSuffix} = '' dn: ${dbSuffix} objectClass: top objectClass: dcObject objectClass: organization o: ${dbDomain} dn: ou=posix,${dbSuffix} objectClass: top objectClass: organizationalUnit dn: ou=accounts,ou=posix,${dbSuffix} objectClass: top objectClass: organizationalUnit dn: uid=${testUser},ou=accounts,ou=posix,${dbSuffix} objectClass: person objectClass: posixAccount userPassword: ${testPassword} homeDirectory: /home/${testUser} uidNumber: 1234 gidNumber: 1234 cn: "" sn: "" ''; }; }; services.sssd = { enable = true; # just for testing purposes, don't put this into the Nix store in production! environmentFile = "${pkgs.writeText "ldap-root" "LDAP_BIND_PW=${ldapRootPassword}"}"; config = '' [sssd] config_file_version = 2 services = nss, pam, sudo domains = ${dbDomain} [domain/${dbDomain}] auth_provider = ldap id_provider = ldap ldap_uri = ldaps://127.0.0.1:636 ldap_tls_reqcert = allow ldap_tls_cacert = /etc/cert.pem ldap_search_base = ${dbSuffix} ldap_default_bind_dn = cn=${ldapRootUser},${dbSuffix} ldap_default_authtok_type = password ldap_default_authtok = $LDAP_BIND_PW ''; }; }; testScript = '' machine.start() machine.wait_for_unit("openldap.service") machine.wait_for_unit("sssd.service") result = machine.execute("getent passwd ${testUser}") if result[0] == 0: assert "${testUser}" in result[1] else: machine.wait_for_console_text("Backend is online") machine.succeed("getent passwd ${testUser}") with subtest("Log in as ${testUser}"): machine.wait_until_tty_matches("1", "login: ") machine.send_chars("${testUser}\n") machine.wait_until_tty_matches("1", "login: ${testUser}") machine.wait_until_succeeds("pgrep login") machine.wait_until_tty_matches("1", "Password: ") machine.send_chars("${testPassword}\n") machine.wait_until_succeeds("pgrep -u ${testUser} bash") machine.send_chars("touch done\n") machine.wait_for_file("/home/${testUser}/done") with subtest("Change ${testUser}'s password"): machine.send_chars("passwd\n") machine.wait_until_tty_matches("1", "Current Password: ") machine.send_chars("${testPassword}\n") machine.wait_until_tty_matches("1", "New Password: ") machine.send_chars("${testNewPassword}\n") machine.wait_until_tty_matches("1", "Reenter new Password: ") machine.send_chars("${testNewPassword}\n") machine.wait_until_tty_matches("1", "passwd: password updated successfully") with subtest("Log in as ${testUser} with new password in virtual console 2"): machine.send_key("alt-f2") machine.wait_until_succeeds("[ $(fgconsole) = 2 ]") machine.wait_for_unit("getty@tty2.service") machine.wait_until_succeeds("pgrep -f 'agetty.*tty2'") machine.wait_until_tty_matches("2", "login: ") machine.send_chars("${testUser}\n") machine.wait_until_tty_matches("2", "login: ${testUser}") machine.wait_until_succeeds("pgrep login") machine.wait_until_tty_matches("2", "Password: ") machine.send_chars("${testNewPassword}\n") machine.wait_until_succeeds("pgrep -u ${testUser} bash") machine.send_chars("touch done2\n") machine.wait_for_file("/home/${testUser}/done2") ''; } )