From f0ca6f9290051829e589f1f8614b897864a8ac22 Mon Sep 17 00:00:00 2001
From: montag451
Date: Fri, 26 May 2017 21:42:24 +0200
Subject: [PATCH] nixos/tests: add tests for the LDAP stack

---
 nixos/release.nix | 1 +
 nixos/tests/ldap.nix | 119 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 120 insertions(+)
 create mode 100644 nixos/tests/ldap.nix

diff --git a/nixos/release.nix b/nixos/release.nix
index aaf23d7ffb7..54c2a963e69 100644
--- a/nixos/release.nix
+++ b/nixos/release.nix
@@ -262,6 +262,7 @@ in rec {
 tests.keystone = callTest tests/keystone.nix {};
 tests.kubernetes = hydraJob (import tests/kubernetes.nix { system = "x86_64-linux"; });
 tests.latestKernel.login = callTest tests/login.nix { latestKernel = true; };
+ tests.ldap = callTest tests/ldap.nix {};
 #tests.lightdm = callTest tests/lightdm.nix {};
 tests.login = callTest tests/login.nix {};
 #tests.logstash = callTest tests/logstash.nix {};
diff --git a/nixos/tests/ldap.nix b/nixos/tests/ldap.nix
new file mode 100644
index 00000000000..b39f4124c95
--- /dev/null
+++ b/nixos/tests/ldap.nix
@@ -0,0 +1,119 @@
+import ./make-test.nix ({ pkgs, lib, ...} :
+
+let
+
+ dbSuffix = "dc=example,dc=com";
+ dbPath = "/var/db/openldap";
+ dbAdminDn = "cn=admin,${dbSuffix}";
+ dbAdminPwd = "test";
+ serverUri = "ldap:///";
+ ldapUser = "test-ldap-user";
+ ldapUserId = 10000;
+ ldapUserPwd = "test";
+ ldapGroup = "test-ldap-group";
+ ldapGroupId = 10000;
+ setupLdif = pkgs.writeText "test-ldap.ldif" ''
+ dn: ${dbSuffix}
+ dc: ${with lib; let dc = head (splitString "," dbSuffix); dcName = head (tail (splitString "=" dc)); in dcName}
+ o: ${dbSuffix}
+ objectclass: top
+ objectclass: dcObject
+ objectclass: organization
+
+ dn: cn=${ldapUser},${dbSuffix}
+ sn: ${ldapUser}
+ objectClass: person
+ objectClass: posixAccount
+ uid: ${ldapUser}
+ uidNumber: ${toString ldapUserId}
+ gidNumber: ${toString ldapGroupId}
+ homeDirectory: /home/${ldapUser}
+ loginShell: /bin/sh
+ userPassword: ${ldapUserPwd}
+
+ dn: cn=${ldapGroup},${dbSuffix}
+ objectClass: posixGroup
+ gidNumber: ${toString ldapGroupId}
+ memberUid: ${ldapUser}
+ '';
+ mkClient = useDaemon:
+ { config, pkgs, lib, ... }:
+ {
+ virtualisation.memorySize = 256;
+ virtualisation.vlans = [ 1 ];
+ security.pam.services.su.rootOK = lib.mkForce false;
+ users.ldap.enable = true;
+ users.ldap.daemon.enable = useDaemon;
+ users.ldap.loginPam = true;
+ users.ldap.nsswitch = true;
+ users.ldap.server = "ldap://server";
+ users.ldap.base = "${dbSuffix}";
+ };
+
+in
+
+{
+ name = "ldap";
+ meta = with pkgs.stdenv.lib.maintainers; {
+ maintainers = [ montag451 ];
+ };
+
+ nodes = {
+
+ server =
+ { config, pkgs, lib, ... }:
+ {
+ virtualisation.memorySize = 256;
+ virtualisation.vlans = [ 1 ];
+ networking.firewall.allowedTCPPorts = [ 389 ];
+ services.openldap.enable = true;
+ services.openldap.dataDir = dbPath;
+ services.openldap.urlList = [
+ serverUri
+ ];
+ services.openldap.extraConfig = ''
+ include ${pkgs.openldap.out}/etc/schema/core.schema
+ include ${pkgs.openldap.out}/etc/schema/cosine.schema
+ include ${pkgs.openldap.out}/etc/schema/inetorgperson.schema
+ include ${pkgs.openldap.out}/etc/schema/nis.schema
+
+ database mdb
+ suffix ${dbSuffix}
+ rootdn ${dbAdminDn}
+ rootpw ${dbAdminPwd}
+ directory ${dbPath}
+ '';
+ };
+
+ client1 = mkClient true; # use nss_pam_ldapd
+ client2 = mkClient false; # use nss_ldap and pam_ldap
+
+ };
+
+ testScript = ''
+ startAll;
+ $server->waitForUnit("default.target");
+ $client1->waitForUnit("default.target");
+ $client2->waitForUnit("default.target");
+
+ $server->succeed("ldapadd -D '${dbAdminDn}' -w ${dbAdminPwd} -H ${serverUri} -f '${setupLdif}'");
+
+ # NSS tests
+ subtest "nss", sub {
+ $client1->succeed("test \"\$(id -u '${ldapUser}')\" -eq ${toString ldapUserId}");
+ $client1->succeed("test \"\$(id -u -n '${ldapUser}')\" = '${ldapUser}'");
+ $client1->succeed("test \"\$(id -g '${ldapUser}')\" -eq ${toString ldapGroupId}");
+ $client1->succeed("test \"\$(id -g -n '${ldapUser}')\" = '${ldapGroup}'");
+ $client2->succeed("test \"\$(id -u '${ldapUser}')\" -eq ${toString ldapUserId}");
+ $client2->succeed("test \"\$(id -u -n '${ldapUser}')\" = '${ldapUser}'");
+ $client2->succeed("test \"\$(id -g '${ldapUser}')\" -eq ${toString ldapGroupId}");
+ $client2->succeed("test \"\$(id -g -n '${ldapUser}')\" = '${ldapGroup}'");
+ };
+
+ # PAM tests
+ subtest "pam", sub {
+ $client1->succeed("echo ${ldapUserPwd} | su -l '${ldapUser}' -c true");
+ $client2->succeed("echo ${ldapUserPwd} | su -l '${ldapUser}' -c true");
+ };
+ '';
+})
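Review bot: The "pam" subtest only shows that the correct password is accepted; nothing shows that a wrong one is rejected, so a client whose su stack never consults the LDAP module at all would pass just the same. Add a negative case after the two existing su lines, e.g. `$client1->fail("echo wrong-password | su -l '${ldapUser}' -c true");` and the same for `$client2`. The `security.pam.services.su.rootOK = lib.mkForce false;` line in mkClient deserves a why-comment, since the test script runs as root and pam_rootok would otherwise let su succeed without ever prompting: `# the test runs su as root; rootOK would skip the password prompt and bypass the LDAP PAM module`. The LDIF also stores `userPassword` in clear text, which is fine for a throwaway fixture but means the hashed-password comparison path a real directory uses ({SSHA} and friends) is not exercised.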