import ./make-test.nix ({ pkgs, lib, ...} : let dbSuffix = "dc=example,dc=com"; dbPath = "/var/db/openldap"; dbAdminDn = "cn=admin,${dbSuffix}"; dbAdminPwd = "test"; serverUri = "ldap:///"; ldapUser = "test-ldap-user"; ldapUserId = 10000; ldapUserPwd = "test"; ldapGroup = "test-ldap-group"; ldapGroupId = 10000; setupLdif = pkgs.writeText "test-ldap.ldif" '' dn: ${dbSuffix} dc: ${with lib; let dc = head (splitString "," dbSuffix); dcName = head (tail (splitString "=" dc)); in dcName} o: ${dbSuffix} objectclass: top objectclass: dcObject objectclass: organization dn: cn=${ldapUser},${dbSuffix} sn: ${ldapUser} objectClass: person objectClass: posixAccount uid: ${ldapUser} uidNumber: ${toString ldapUserId} gidNumber: ${toString ldapGroupId} homeDirectory: /home/${ldapUser} loginShell: /bin/sh userPassword: ${ldapUserPwd} dn: cn=${ldapGroup},${dbSuffix} objectClass: posixGroup gidNumber: ${toString ldapGroupId} memberUid: ${ldapUser} ''; mkClient = useDaemon: { lib, ... }: { virtualisation.memorySize = 256; virtualisation.vlans = [ 1 ]; security.pam.services.su.rootOK = lib.mkForce false; users.ldap.enable = true; users.ldap.daemon.enable = useDaemon; users.ldap.loginPam = true; users.ldap.nsswitch = true; users.ldap.server = "ldap://server"; users.ldap.base = "${dbSuffix}"; }; in { name = "ldap"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ montag451 ]; }; nodes = { server = { pkgs, ... }: { virtualisation.memorySize = 256; virtualisation.vlans = [ 1 ]; networking.firewall.allowedTCPPorts = [ 389 ]; services.openldap.enable = true; services.openldap.dataDir = dbPath; services.openldap.urlList = [ serverUri ]; services.openldap.extraConfig = '' include ${pkgs.openldap.out}/etc/schema/core.schema include ${pkgs.openldap.out}/etc/schema/cosine.schema include ${pkgs.openldap.out}/etc/schema/inetorgperson.schema include ${pkgs.openldap.out}/etc/schema/nis.schema database mdb suffix ${dbSuffix} rootdn ${dbAdminDn} rootpw ${dbAdminPwd} directory ${dbPath} ''; }; client1 = mkClient true; # use nss_pam_ldapd client2 = mkClient false; # use nss_ldap and pam_ldap }; testScript = '' startAll; $server->waitForUnit("default.target"); $client1->waitForUnit("default.target"); $client2->waitForUnit("default.target"); $server->succeed("ldapadd -D '${dbAdminDn}' -w ${dbAdminPwd} -H ${serverUri} -f '${setupLdif}'"); # NSS tests subtest "nss", sub { $client1->succeed("test \"\$(id -u '${ldapUser}')\" -eq ${toString ldapUserId}"); $client1->succeed("test \"\$(id -u -n '${ldapUser}')\" = '${ldapUser}'"); $client1->succeed("test \"\$(id -g '${ldapUser}')\" -eq ${toString ldapGroupId}"); $client1->succeed("test \"\$(id -g -n '${ldapUser}')\" = '${ldapGroup}'"); $client2->succeed("test \"\$(id -u '${ldapUser}')\" -eq ${toString ldapUserId}"); $client2->succeed("test \"\$(id -u -n '${ldapUser}')\" = '${ldapUser}'"); $client2->succeed("test \"\$(id -g '${ldapUser}')\" -eq ${toString ldapGroupId}"); $client2->succeed("test \"\$(id -g -n '${ldapUser}')\" = '${ldapGroup}'"); }; # PAM tests subtest "pam", sub { $client1->succeed("echo ${ldapUserPwd} | su -l '${ldapUser}' -c true"); $client2->succeed("echo ${ldapUserPwd} | su -l '${ldapUser}' -c true"); }; ''; })