94427deb9d
GitOrigin-RevId: f91ee3065de91a3531329a674a45ddcb3467a650
173 lines
5.9 KiB
Nix
173 lines
5.9 KiB
Nix
let
|
|
dbDomain = "example.org";
|
|
dbSuffix = "dc=example,dc=org";
|
|
|
|
ldapRootUser = "admin";
|
|
ldapRootPassword = "foobar";
|
|
|
|
testUser = "alice";
|
|
testPassword = "foobar";
|
|
testNewPassword = "barfoo";
|
|
in
|
|
import ./make-test-python.nix ({ pkgs, ... }: {
|
|
name = "sssd-ldap";
|
|
|
|
meta = with pkgs.lib.maintainers; {
|
|
maintainers = [ bbigras s1341 ];
|
|
};
|
|
|
|
nodes.machine = { pkgs, ... }: {
|
|
security.pam.services.systemd-user.makeHomeDir = true;
|
|
environment.etc."cert.pem".text = builtins.readFile ./common/acme/server/acme.test.cert.pem;
|
|
environment.etc."key.pem".text = builtins.readFile ./common/acme/server/acme.test.key.pem;
|
|
services.openldap = {
|
|
enable = true;
|
|
urlList = [ "ldap:///" "ldaps:///" ];
|
|
settings = {
|
|
attrs = {
|
|
olcTLSCACertificateFile = "/etc/cert.pem";
|
|
olcTLSCertificateFile = "/etc/cert.pem";
|
|
olcTLSCertificateKeyFile = "/etc/key.pem";
|
|
olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
|
|
olcTLSCRLCheck = "none";
|
|
olcTLSVerifyClient = "never";
|
|
olcTLSProtocolMin = "3.1";
|
|
};
|
|
children = {
|
|
"cn=schema".includes = [
|
|
"${pkgs.openldap}/etc/schema/core.ldif"
|
|
"${pkgs.openldap}/etc/schema/cosine.ldif"
|
|
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
|
|
"${pkgs.openldap}/etc/schema/nis.ldif"
|
|
];
|
|
"olcDatabase={1}mdb" = {
|
|
attrs = {
|
|
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
|
|
olcDatabase = "{1}mdb";
|
|
olcDbDirectory = "/var/lib/openldap/db";
|
|
olcSuffix = dbSuffix;
|
|
olcRootDN = "cn=${ldapRootUser},${dbSuffix}";
|
|
olcRootPW = ldapRootPassword;
|
|
olcAccess = [
|
|
/*
|
|
custom access rules for userPassword attributes
|
|
*/
|
|
''
|
|
{0}to attrs=userPassword
|
|
by self write
|
|
by anonymous auth
|
|
by * none''
|
|
|
|
/*
|
|
allow read on anything else
|
|
*/
|
|
''
|
|
{1}to *
|
|
by * read''
|
|
];
|
|
};
|
|
};
|
|
};
|
|
};
|
|
declarativeContents = {
|
|
${dbSuffix} = ''
|
|
dn: ${dbSuffix}
|
|
objectClass: top
|
|
objectClass: dcObject
|
|
objectClass: organization
|
|
o: ${dbDomain}
|
|
|
|
dn: ou=posix,${dbSuffix}
|
|
objectClass: top
|
|
objectClass: organizationalUnit
|
|
|
|
dn: ou=accounts,ou=posix,${dbSuffix}
|
|
objectClass: top
|
|
objectClass: organizationalUnit
|
|
|
|
dn: uid=${testUser},ou=accounts,ou=posix,${dbSuffix}
|
|
objectClass: person
|
|
objectClass: posixAccount
|
|
userPassword: ${testPassword}
|
|
homeDirectory: /home/${testUser}
|
|
uidNumber: 1234
|
|
gidNumber: 1234
|
|
cn: ""
|
|
sn: ""
|
|
'';
|
|
};
|
|
};
|
|
|
|
services.sssd = {
|
|
enable = true;
|
|
# just for testing purposes, don't put this into the Nix store in production!
|
|
environmentFile = "${pkgs.writeText "ldap-root" "LDAP_BIND_PW=${ldapRootPassword}"}";
|
|
config = ''
|
|
[sssd]
|
|
config_file_version = 2
|
|
services = nss, pam, sudo
|
|
domains = ${dbDomain}
|
|
|
|
[domain/${dbDomain}]
|
|
auth_provider = ldap
|
|
id_provider = ldap
|
|
ldap_uri = ldaps://127.0.0.1:636
|
|
ldap_tls_reqcert = allow
|
|
ldap_tls_cacert = /etc/cert.pem
|
|
ldap_search_base = ${dbSuffix}
|
|
ldap_default_bind_dn = cn=${ldapRootUser},${dbSuffix}
|
|
ldap_default_authtok_type = password
|
|
ldap_default_authtok = $LDAP_BIND_PW
|
|
'';
|
|
};
|
|
};
|
|
|
|
testScript = ''
|
|
machine.start()
|
|
machine.wait_for_unit("openldap.service")
|
|
machine.wait_for_unit("sssd.service")
|
|
result = machine.execute("getent passwd ${testUser}")
|
|
if result[0] == 0:
|
|
assert "${testUser}" in result[1]
|
|
else:
|
|
machine.wait_for_console_text("Backend is online")
|
|
machine.succeed("getent passwd ${testUser}")
|
|
|
|
with subtest("Log in as ${testUser}"):
|
|
machine.wait_until_tty_matches("1", "login: ")
|
|
machine.send_chars("${testUser}\n")
|
|
machine.wait_until_tty_matches("1", "login: ${testUser}")
|
|
machine.wait_until_succeeds("pgrep login")
|
|
machine.wait_until_tty_matches("1", "Password: ")
|
|
machine.send_chars("${testPassword}\n")
|
|
machine.wait_until_succeeds("pgrep -u ${testUser} bash")
|
|
machine.send_chars("touch done\n")
|
|
machine.wait_for_file("/home/${testUser}/done")
|
|
|
|
with subtest("Change ${testUser}'s password"):
|
|
machine.send_chars("passwd\n")
|
|
machine.wait_until_tty_matches("1", "Current Password: ")
|
|
machine.send_chars("${testPassword}\n")
|
|
machine.wait_until_tty_matches("1", "New Password: ")
|
|
machine.send_chars("${testNewPassword}\n")
|
|
machine.wait_until_tty_matches("1", "Reenter new Password: ")
|
|
machine.send_chars("${testNewPassword}\n")
|
|
machine.wait_until_tty_matches("1", "passwd: password updated successfully")
|
|
|
|
with subtest("Log in as ${testUser} with new password in virtual console 2"):
|
|
machine.send_key("alt-f2")
|
|
machine.wait_until_succeeds("[ $(fgconsole) = 2 ]")
|
|
machine.wait_for_unit("getty@tty2.service")
|
|
machine.wait_until_succeeds("pgrep -f 'agetty.*tty2'")
|
|
|
|
machine.wait_until_tty_matches("2", "login: ")
|
|
machine.send_chars("${testUser}\n")
|
|
machine.wait_until_tty_matches("2", "login: ${testUser}")
|
|
machine.wait_until_succeeds("pgrep login")
|
|
machine.wait_until_tty_matches("2", "Password: ")
|
|
machine.send_chars("${testNewPassword}\n")
|
|
machine.wait_until_succeeds("pgrep -u ${testUser} bash")
|
|
machine.send_chars("touch done2\n")
|
|
machine.wait_for_file("/home/${testUser}/done2")
|
|
'';
|
|
})
|