120 lines
3.6 KiB
Nix
120 lines
3.6 KiB
Nix
import ./make-test.nix ({ pkgs, lib, ...} :
|
|
|
|
let
|
|
|
|
dbSuffix = "dc=example,dc=com";
|
|
dbPath = "/var/db/openldap";
|
|
dbAdminDn = "cn=admin,${dbSuffix}";
|
|
dbAdminPwd = "test";
|
|
serverUri = "ldap:///";
|
|
ldapUser = "test-ldap-user";
|
|
ldapUserId = 10000;
|
|
ldapUserPwd = "test";
|
|
ldapGroup = "test-ldap-group";
|
|
ldapGroupId = 10000;
|
|
setupLdif = pkgs.writeText "test-ldap.ldif" ''
|
|
dn: ${dbSuffix}
|
|
dc: ${with lib; let dc = head (splitString "," dbSuffix); dcName = head (tail (splitString "=" dc)); in dcName}
|
|
o: ${dbSuffix}
|
|
objectclass: top
|
|
objectclass: dcObject
|
|
objectclass: organization
|
|
|
|
dn: cn=${ldapUser},${dbSuffix}
|
|
sn: ${ldapUser}
|
|
objectClass: person
|
|
objectClass: posixAccount
|
|
uid: ${ldapUser}
|
|
uidNumber: ${toString ldapUserId}
|
|
gidNumber: ${toString ldapGroupId}
|
|
homeDirectory: /home/${ldapUser}
|
|
loginShell: /bin/sh
|
|
userPassword: ${ldapUserPwd}
|
|
|
|
dn: cn=${ldapGroup},${dbSuffix}
|
|
objectClass: posixGroup
|
|
gidNumber: ${toString ldapGroupId}
|
|
memberUid: ${ldapUser}
|
|
'';
|
|
mkClient = useDaemon:
|
|
{ lib, ... }:
|
|
{
|
|
virtualisation.memorySize = 256;
|
|
virtualisation.vlans = [ 1 ];
|
|
security.pam.services.su.rootOK = lib.mkForce false;
|
|
users.ldap.enable = true;
|
|
users.ldap.daemon.enable = useDaemon;
|
|
users.ldap.loginPam = true;
|
|
users.ldap.nsswitch = true;
|
|
users.ldap.server = "ldap://server";
|
|
users.ldap.base = "${dbSuffix}";
|
|
};
|
|
|
|
in
|
|
|
|
{
|
|
name = "ldap";
|
|
meta = with pkgs.stdenv.lib.maintainers; {
|
|
maintainers = [ montag451 ];
|
|
};
|
|
|
|
nodes = {
|
|
|
|
server =
|
|
{ pkgs, ... }:
|
|
{
|
|
virtualisation.memorySize = 256;
|
|
virtualisation.vlans = [ 1 ];
|
|
networking.firewall.allowedTCPPorts = [ 389 ];
|
|
services.openldap.enable = true;
|
|
services.openldap.dataDir = dbPath;
|
|
services.openldap.urlList = [
|
|
serverUri
|
|
];
|
|
services.openldap.extraConfig = ''
|
|
include ${pkgs.openldap.out}/etc/schema/core.schema
|
|
include ${pkgs.openldap.out}/etc/schema/cosine.schema
|
|
include ${pkgs.openldap.out}/etc/schema/inetorgperson.schema
|
|
include ${pkgs.openldap.out}/etc/schema/nis.schema
|
|
|
|
database mdb
|
|
suffix ${dbSuffix}
|
|
rootdn ${dbAdminDn}
|
|
rootpw ${dbAdminPwd}
|
|
directory ${dbPath}
|
|
'';
|
|
};
|
|
|
|
client1 = mkClient true; # use nss_pam_ldapd
|
|
client2 = mkClient false; # use nss_ldap and pam_ldap
|
|
|
|
};
|
|
|
|
testScript = ''
|
|
startAll;
|
|
$server->waitForUnit("default.target");
|
|
$client1->waitForUnit("default.target");
|
|
$client2->waitForUnit("default.target");
|
|
|
|
$server->succeed("ldapadd -D '${dbAdminDn}' -w ${dbAdminPwd} -H ${serverUri} -f '${setupLdif}'");
|
|
|
|
# NSS tests
|
|
subtest "nss", sub {
|
|
$client1->succeed("test \"\$(id -u '${ldapUser}')\" -eq ${toString ldapUserId}");
|
|
$client1->succeed("test \"\$(id -u -n '${ldapUser}')\" = '${ldapUser}'");
|
|
$client1->succeed("test \"\$(id -g '${ldapUser}')\" -eq ${toString ldapGroupId}");
|
|
$client1->succeed("test \"\$(id -g -n '${ldapUser}')\" = '${ldapGroup}'");
|
|
$client2->succeed("test \"\$(id -u '${ldapUser}')\" -eq ${toString ldapUserId}");
|
|
$client2->succeed("test \"\$(id -u -n '${ldapUser}')\" = '${ldapUser}'");
|
|
$client2->succeed("test \"\$(id -g '${ldapUser}')\" -eq ${toString ldapGroupId}");
|
|
$client2->succeed("test \"\$(id -g -n '${ldapUser}')\" = '${ldapGroup}'");
|
|
};
|
|
|
|
# PAM tests
|
|
subtest "pam", sub {
|
|
$client1->succeed("echo ${ldapUserPwd} | su -l '${ldapUser}' -c true");
|
|
$client2->succeed("echo ${ldapUserPwd} | su -l '${ldapUser}' -c true");
|
|
};
|
|
'';
|
|
})
|