mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-22 15:03:28 +00:00
nixos/test/sssd-ldap: nixpkgs-fmt
This commit is contained in:
parent
20d707c8c4
commit
73811d22bb
@ -9,162 +9,162 @@ let
|
||||
testPassword = "foobar";
|
||||
testNewPassword = "barfoo";
|
||||
in
|
||||
import ./make-test-python.nix ({pkgs, ...}: {
|
||||
name = "sssd-ldap";
|
||||
import ./make-test-python.nix ({ pkgs, ... }: {
|
||||
name = "sssd-ldap";
|
||||
|
||||
meta = with pkgs.lib.maintainers; {
|
||||
maintainers = [bbigras];
|
||||
};
|
||||
meta = with pkgs.lib.maintainers; {
|
||||
maintainers = [ bbigras ];
|
||||
};
|
||||
|
||||
nodes.machine = {pkgs, ...}: {
|
||||
security.pam.services.systemd-user.makeHomeDir = true;
|
||||
environment.etc."cert.pem".text = builtins.readFile ./common/acme/server/acme.test.cert.pem;
|
||||
environment.etc."key.pem".text = builtins.readFile ./common/acme/server/acme.test.key.pem;
|
||||
services.openldap = {
|
||||
enable = true;
|
||||
urlList = [ "ldap:///" "ldaps:///" ];
|
||||
settings = {
|
||||
attrs = {
|
||||
olcLogLevel = "conns config";
|
||||
olcTLSCACertificateFile = "/etc/cert.pem";
|
||||
olcTLSCertificateFile = "/etc/cert.pem";
|
||||
olcTLSCertificateKeyFile = "/etc/key.pem";
|
||||
olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
|
||||
olcTLSCRLCheck = "none";
|
||||
olcTLSVerifyClient = "never";
|
||||
olcTLSProtocolMin = "3.1";
|
||||
};
|
||||
children = {
|
||||
"cn=schema".includes = [
|
||||
"${pkgs.openldap}/etc/schema/core.ldif"
|
||||
"${pkgs.openldap}/etc/schema/cosine.ldif"
|
||||
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
|
||||
"${pkgs.openldap}/etc/schema/nis.ldif"
|
||||
];
|
||||
"olcDatabase={1}mdb" = {
|
||||
attrs = {
|
||||
objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
|
||||
olcDatabase = "{1}mdb";
|
||||
olcDbDirectory = "/var/lib/openldap/db";
|
||||
olcSuffix = dbSuffix;
|
||||
olcRootDN = "cn=${ldapRootUser},${dbSuffix}";
|
||||
olcRootPW = ldapRootPassword;
|
||||
olcAccess = [
|
||||
/*
|
||||
nodes.machine = { pkgs, ... }: {
|
||||
security.pam.services.systemd-user.makeHomeDir = true;
|
||||
environment.etc."cert.pem".text = builtins.readFile ./common/acme/server/acme.test.cert.pem;
|
||||
environment.etc."key.pem".text = builtins.readFile ./common/acme/server/acme.test.key.pem;
|
||||
services.openldap = {
|
||||
enable = true;
|
||||
urlList = [ "ldap:///" "ldaps:///" ];
|
||||
settings = {
|
||||
attrs = {
|
||||
olcLogLevel = "conns config";
|
||||
olcTLSCACertificateFile = "/etc/cert.pem";
|
||||
olcTLSCertificateFile = "/etc/cert.pem";
|
||||
olcTLSCertificateKeyFile = "/etc/key.pem";
|
||||
olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
|
||||
olcTLSCRLCheck = "none";
|
||||
olcTLSVerifyClient = "never";
|
||||
olcTLSProtocolMin = "3.1";
|
||||
};
|
||||
children = {
|
||||
"cn=schema".includes = [
|
||||
"${pkgs.openldap}/etc/schema/core.ldif"
|
||||
"${pkgs.openldap}/etc/schema/cosine.ldif"
|
||||
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
|
||||
"${pkgs.openldap}/etc/schema/nis.ldif"
|
||||
];
|
||||
"olcDatabase={1}mdb" = {
|
||||
attrs = {
|
||||
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
|
||||
olcDatabase = "{1}mdb";
|
||||
olcDbDirectory = "/var/lib/openldap/db";
|
||||
olcSuffix = dbSuffix;
|
||||
olcRootDN = "cn=${ldapRootUser},${dbSuffix}";
|
||||
olcRootPW = ldapRootPassword;
|
||||
olcAccess = [
|
||||
/*
|
||||
custom access rules for userPassword attributes
|
||||
*/
|
||||
''
|
||||
{0}to attrs=userPassword
|
||||
by self write
|
||||
by anonymous auth
|
||||
by * none''
|
||||
''
|
||||
{0}to attrs=userPassword
|
||||
by self write
|
||||
by anonymous auth
|
||||
by * none''
|
||||
|
||||
/*
|
||||
/*
|
||||
allow read on anything else
|
||||
*/
|
||||
''
|
||||
{1}to *
|
||||
by * read''
|
||||
];
|
||||
};
|
||||
''
|
||||
{1}to *
|
||||
by * read''
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
declarativeContents = {
|
||||
${dbSuffix} = ''
|
||||
dn: ${dbSuffix}
|
||||
objectClass: top
|
||||
objectClass: dcObject
|
||||
objectClass: organization
|
||||
o: ${dbDomain}
|
||||
|
||||
dn: ou=posix,${dbSuffix}
|
||||
objectClass: top
|
||||
objectClass: organizationalUnit
|
||||
|
||||
dn: ou=accounts,ou=posix,${dbSuffix}
|
||||
objectClass: top
|
||||
objectClass: organizationalUnit
|
||||
|
||||
dn: uid=${testUser},ou=accounts,ou=posix,${dbSuffix}
|
||||
objectClass: person
|
||||
objectClass: posixAccount
|
||||
userPassword: ${testPassword}
|
||||
homeDirectory: /home/${testUser}
|
||||
uidNumber: 1234
|
||||
gidNumber: 1234
|
||||
cn: ""
|
||||
sn: ""
|
||||
'';
|
||||
};
|
||||
};
|
||||
declarativeContents = {
|
||||
${dbSuffix} = ''
|
||||
dn: ${dbSuffix}
|
||||
objectClass: top
|
||||
objectClass: dcObject
|
||||
objectClass: organization
|
||||
o: ${dbDomain}
|
||||
|
||||
services.sssd = {
|
||||
enable = true;
|
||||
# just for testing purposes, don't put this into the Nix store in production!
|
||||
environmentFile = "${pkgs.writeText "ldap-root" "LDAP_BIND_PW=${ldapRootPassword}"}";
|
||||
config = ''
|
||||
[sssd]
|
||||
config_file_version = 2
|
||||
services = nss, pam, sudo
|
||||
domains = ${dbDomain}
|
||||
dn: ou=posix,${dbSuffix}
|
||||
objectClass: top
|
||||
objectClass: organizationalUnit
|
||||
|
||||
[domain/${dbDomain}]
|
||||
auth_provider = ldap
|
||||
id_provider = ldap
|
||||
ldap_uri = ldaps://127.0.0.1:636
|
||||
ldap_tls_reqcert = allow
|
||||
ldap_tls_cacert = /etc/cert.pem
|
||||
ldap_search_base = ${dbSuffix}
|
||||
ldap_default_bind_dn = cn=${ldapRootUser},${dbSuffix}
|
||||
ldap_default_authtok_type = password
|
||||
ldap_default_authtok = $LDAP_BIND_PW
|
||||
dn: ou=accounts,ou=posix,${dbSuffix}
|
||||
objectClass: top
|
||||
objectClass: organizationalUnit
|
||||
|
||||
dn: uid=${testUser},ou=accounts,ou=posix,${dbSuffix}
|
||||
objectClass: person
|
||||
objectClass: posixAccount
|
||||
userPassword: ${testPassword}
|
||||
homeDirectory: /home/${testUser}
|
||||
uidNumber: 1234
|
||||
gidNumber: 1234
|
||||
cn: ""
|
||||
sn: ""
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
testScript = ''
|
||||
machine.start()
|
||||
machine.wait_for_unit("openldap.service")
|
||||
machine.wait_for_unit("sssd.service")
|
||||
result = machine.execute("getent passwd ${testUser}")
|
||||
if result[0] == 0:
|
||||
assert "${testUser}" in result[1]
|
||||
else:
|
||||
machine.wait_for_console_text("Backend is online")
|
||||
machine.succeed("getent passwd ${testUser}")
|
||||
services.sssd = {
|
||||
enable = true;
|
||||
# just for testing purposes, don't put this into the Nix store in production!
|
||||
environmentFile = "${pkgs.writeText "ldap-root" "LDAP_BIND_PW=${ldapRootPassword}"}";
|
||||
config = ''
|
||||
[sssd]
|
||||
config_file_version = 2
|
||||
services = nss, pam, sudo
|
||||
domains = ${dbDomain}
|
||||
|
||||
with subtest("Log in as ${testUser}"):
|
||||
machine.wait_until_tty_matches("1", "login: ")
|
||||
machine.send_chars("${testUser}\n")
|
||||
machine.wait_until_tty_matches("1", "login: ${testUser}")
|
||||
machine.wait_until_succeeds("pgrep login")
|
||||
machine.wait_until_tty_matches("1", "Password: ")
|
||||
machine.send_chars("${testPassword}\n")
|
||||
machine.wait_until_succeeds("pgrep -u ${testUser} bash")
|
||||
machine.send_chars("touch done\n")
|
||||
machine.wait_for_file("/home/${testUser}/done")
|
||||
[domain/${dbDomain}]
|
||||
auth_provider = ldap
|
||||
id_provider = ldap
|
||||
ldap_uri = ldaps://127.0.0.1:636
|
||||
ldap_tls_reqcert = allow
|
||||
ldap_tls_cacert = /etc/cert.pem
|
||||
ldap_search_base = ${dbSuffix}
|
||||
ldap_default_bind_dn = cn=${ldapRootUser},${dbSuffix}
|
||||
ldap_default_authtok_type = password
|
||||
ldap_default_authtok = $LDAP_BIND_PW
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
with subtest("Change ${testUser}'s password"):
|
||||
machine.send_chars("passwd\n")
|
||||
machine.wait_until_tty_matches("1", "Current Password: ")
|
||||
machine.send_chars("${testPassword}\n")
|
||||
machine.wait_until_tty_matches("1", "New Password: ")
|
||||
machine.send_chars("${testNewPassword}\n")
|
||||
machine.wait_until_tty_matches("1", "Reenter new Password: ")
|
||||
machine.send_chars("${testNewPassword}\n")
|
||||
machine.wait_until_tty_matches("1", "passwd: password updated successfully")
|
||||
machine.send_chars("exit\n")
|
||||
testScript = ''
|
||||
machine.start()
|
||||
machine.wait_for_unit("openldap.service")
|
||||
machine.wait_for_unit("sssd.service")
|
||||
result = machine.execute("getent passwd ${testUser}")
|
||||
if result[0] == 0:
|
||||
assert "${testUser}" in result[1]
|
||||
else:
|
||||
machine.wait_for_console_text("Backend is online")
|
||||
machine.succeed("getent passwd ${testUser}")
|
||||
|
||||
with subtest("Log in as ${testUser} with new password"):
|
||||
machine.wait_until_tty_matches("1", "login: ")
|
||||
machine.send_chars("${testUser}\n")
|
||||
machine.wait_until_tty_matches("1", "login: ${testUser}")
|
||||
machine.wait_until_succeeds("pgrep login")
|
||||
machine.wait_until_tty_matches("1", "Password: ")
|
||||
machine.send_chars("${testNewPassword}\n")
|
||||
machine.wait_until_succeeds("pgrep -u ${testUser} bash")
|
||||
machine.send_chars("touch done2\n")
|
||||
machine.wait_for_file("/home/${testUser}/done2")
|
||||
'';
|
||||
})
|
||||
with subtest("Log in as ${testUser}"):
|
||||
machine.wait_until_tty_matches("1", "login: ")
|
||||
machine.send_chars("${testUser}\n")
|
||||
machine.wait_until_tty_matches("1", "login: ${testUser}")
|
||||
machine.wait_until_succeeds("pgrep login")
|
||||
machine.wait_until_tty_matches("1", "Password: ")
|
||||
machine.send_chars("${testPassword}\n")
|
||||
machine.wait_until_succeeds("pgrep -u ${testUser} bash")
|
||||
machine.send_chars("touch done\n")
|
||||
machine.wait_for_file("/home/${testUser}/done")
|
||||
|
||||
with subtest("Change ${testUser}'s password"):
|
||||
machine.send_chars("passwd\n")
|
||||
machine.wait_until_tty_matches("1", "Current Password: ")
|
||||
machine.send_chars("${testPassword}\n")
|
||||
machine.wait_until_tty_matches("1", "New Password: ")
|
||||
machine.send_chars("${testNewPassword}\n")
|
||||
machine.wait_until_tty_matches("1", "Reenter new Password: ")
|
||||
machine.send_chars("${testNewPassword}\n")
|
||||
machine.wait_until_tty_matches("1", "passwd: password updated successfully")
|
||||
machine.send_chars("exit\n")
|
||||
|
||||
with subtest("Log in as ${testUser} with new password"):
|
||||
machine.wait_until_tty_matches("1", "login: ")
|
||||
machine.send_chars("${testUser}\n")
|
||||
machine.wait_until_tty_matches("1", "login: ${testUser}")
|
||||
machine.wait_until_succeeds("pgrep login")
|
||||
machine.wait_until_tty_matches("1", "Password: ")
|
||||
machine.send_chars("${testNewPassword}\n")
|
||||
machine.wait_until_succeeds("pgrep -u ${testUser} bash")
|
||||
machine.send_chars("touch done2\n")
|
||||
machine.wait_for_file("/home/${testUser}/done2")
|
||||
'';
|
||||
})
|
||||
|
Loading…
Reference in New Issue
Block a user