nixpkgs/nixos/tests/sssd-ldap.nix
2023-05-09 18:13:09 +03:00

170 lines
5.8 KiB
Nix

let
dbDomain = "example.org";
dbSuffix = "dc=example,dc=org";
ldapRootUser = "admin";
ldapRootPassword = "foobar";
testUser = "alice";
testPassword = "foobar";
testNewPassword = "barfoo";
in
import ./make-test-python.nix ({ pkgs, ... }: {
name = "sssd-ldap";
meta = with pkgs.lib.maintainers; {
maintainers = [ bbigras ];
};
nodes.machine = { pkgs, ... }: {
security.pam.services.systemd-user.makeHomeDir = true;
environment.etc."cert.pem".text = builtins.readFile ./common/acme/server/acme.test.cert.pem;
environment.etc."key.pem".text = builtins.readFile ./common/acme/server/acme.test.key.pem;
services.openldap = {
enable = true;
urlList = [ "ldap:///" "ldaps:///" ];
settings = {
attrs = {
olcLogLevel = "conns config";
olcTLSCACertificateFile = "/etc/cert.pem";
olcTLSCertificateFile = "/etc/cert.pem";
olcTLSCertificateKeyFile = "/etc/key.pem";
olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
olcTLSCRLCheck = "none";
olcTLSVerifyClient = "never";
olcTLSProtocolMin = "3.1";
};
children = {
"cn=schema".includes = [
"${pkgs.openldap}/etc/schema/core.ldif"
"${pkgs.openldap}/etc/schema/cosine.ldif"
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
"${pkgs.openldap}/etc/schema/nis.ldif"
];
"olcDatabase={1}mdb" = {
attrs = {
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
olcDatabase = "{1}mdb";
olcDbDirectory = "/var/lib/openldap/db";
olcSuffix = dbSuffix;
olcRootDN = "cn=${ldapRootUser},${dbSuffix}";
olcRootPW = ldapRootPassword;
olcAccess = [
/*
custom access rules for userPassword attributes
*/
''
{0}to attrs=userPassword
by self write
by anonymous auth
by * none''
/*
allow read on anything else
*/
''
{1}to *
by * read''
];
};
};
};
};
declarativeContents = {
${dbSuffix} = ''
dn: ${dbSuffix}
objectClass: top
objectClass: dcObject
objectClass: organization
o: ${dbDomain}
dn: ou=posix,${dbSuffix}
objectClass: top
objectClass: organizationalUnit
dn: ou=accounts,ou=posix,${dbSuffix}
objectClass: top
objectClass: organizationalUnit
dn: uid=${testUser},ou=accounts,ou=posix,${dbSuffix}
objectClass: person
objectClass: posixAccount
userPassword: ${testPassword}
homeDirectory: /home/${testUser}
uidNumber: 1234
gidNumber: 1234
cn: ""
sn: ""
'';
};
};
services.sssd = {
enable = true;
# just for testing purposes, don't put this into the Nix store in production!
environmentFile = "${pkgs.writeText "ldap-root" "LDAP_BIND_PW=${ldapRootPassword}"}";
config = ''
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = ${dbDomain}
[domain/${dbDomain}]
auth_provider = ldap
id_provider = ldap
ldap_uri = ldaps://127.0.0.1:636
ldap_tls_reqcert = allow
ldap_tls_cacert = /etc/cert.pem
ldap_search_base = ${dbSuffix}
ldap_default_bind_dn = cn=${ldapRootUser},${dbSuffix}
ldap_default_authtok_type = password
ldap_default_authtok = $LDAP_BIND_PW
'';
};
};
testScript = ''
machine.start()
machine.wait_for_unit("openldap.service")
machine.wait_for_unit("sssd.service")
result = machine.execute("getent passwd ${testUser}")
if result[0] == 0:
assert "${testUser}" in result[1]
else:
machine.wait_for_console_text("Backend is online")
machine.succeed("getent passwd ${testUser}")
with subtest("Log in as ${testUser}"):
machine.wait_until_tty_matches("1", "login: ")
machine.send_chars("${testUser}\n")
machine.wait_until_tty_matches("1", "login: ${testUser}")
machine.wait_until_succeeds("pgrep login")
machine.wait_until_tty_matches("1", "Password: ")
machine.send_chars("${testPassword}\n")
machine.wait_until_succeeds("pgrep -u ${testUser} bash")
machine.send_chars("touch done\n")
machine.wait_for_file("/home/${testUser}/done")
with subtest("Change ${testUser}'s password"):
machine.send_chars("passwd\n")
machine.wait_until_tty_matches("1", "Current Password: ")
machine.send_chars("${testPassword}\n")
machine.wait_until_tty_matches("1", "New Password: ")
machine.send_chars("${testNewPassword}\n")
machine.wait_until_tty_matches("1", "Reenter new Password: ")
machine.send_chars("${testNewPassword}\n")
machine.wait_until_tty_matches("1", "passwd: password updated successfully")
machine.send_chars("exit\n")
with subtest("Log in as ${testUser} with new password"):
machine.wait_until_tty_matches("1", "login: ")
machine.send_chars("${testUser}\n")
machine.wait_until_tty_matches("1", "login: ${testUser}")
machine.wait_until_succeeds("pgrep login")
machine.wait_until_tty_matches("1", "Password: ")
machine.send_chars("${testNewPassword}\n")
machine.wait_until_succeeds("pgrep -u ${testUser} bash")
machine.send_chars("touch done2\n")
machine.wait_for_file("/home/${testUser}/done2")
'';
})