Skip to content
Commits on Source (2)
Show whitespace changes
Inline Side-by-side
debian/tests/common-tests 0 → 100644
View file @ c239192a
#!/bin/sh
run_common_tests() {
echo "Assert local user databases do not have our LDAP test data"
check_local_user "${ldap_user}"
check_local_group "${ldap_user}"
check_local_group "${ldap_group}"
echo "The LDAP user is known to the system via getent"
check_getent_user "${ldap_user}"
echo "The LDAP user's private group is known to the system via getent"
check_getent_group "${ldap_user}"
echo "The LDAP group ${ldap_group} is known to the system via getent"
check_getent_group "${ldap_group}"
echo "The id(1) command can resolve the group membership of the LDAP user"
#$ id -Gn testuser1
#testuser1 ldapusers
output=$(id -Gn ${ldap_user})
# XXX couldn't find a better way to make this comparison using just /bin/sh
if [ "${output}" != "${ldap_user} ${ldap_group}" ]; then
if [ "${output}" != "${ldap_group} ${ldap_user}" ]; then
die "Output doesn't match expected group membership: ${output}"
fi
fi
}
debian/tests/control 0 → 100644
View file @ c239192a
Tests: ldap-user-group-ldap-auth
Depends: @, slapd, ldap-utils, openssl, expect, lsb-release
Restrictions: isolation-container, needs-root, allow-stderr
Tests: ldap-user-group-krb5-auth
Depends: @, slapd, ldap-utils, openssl, expect, lsb-release, krb5-user, krb5-admin-server, krb5-kdc
Restrictions: isolation-container, needs-root, allow-stderr
debian/tests/ldap-user-group-krb5-auth 0 → 100755
View file @ c239192a
#!/bin/sh
set -ex
. debian/tests/util
. debian/tests/common-tests
mydomain="example.com"
myhostname="ldap.${mydomain}"
mysuffix="dc=example,dc=com"
myrealm="EXAMPLE.COM"
admin_dn="cn=admin,${mysuffix}"
admin_pw="secret"
ldap_user="testuser1"
ldap_user_pw="testuser1secret"
kerberos_principal_pw="testuser1kerberos"
ldap_group="ldapusers"
adjust_hostname "${myhostname}"
reconfigure_slapd
generate_certs "${myhostname}"
enable_ldap_ssl
populate_ldap_rfc2307
create_realm "${myrealm}" "${myhostname}"
create_krb_principal "${ldap_user}" "${kerberos_principal_pw}"
configure_sssd_ldap_rfc2307_krb5_auth
enable_pam_mkhomedir
# tests begin here
run_common_tests
# login works with the kerneros password
echo "The Kerberos principal can login on a terminal"
kdestroy > /dev/null 2>&1 || /bin/true
/usr/bin/expect -f debian/tests/login.exp "${ldap_user}" "${kerberos_principal_pw}" "${ldap_user}"@"${myrealm}"
debian/tests/ldap-user-group-ldap-auth 0 → 100755
View file @ c239192a
#!/bin/sh
set -ex
. debian/tests/util
. debian/tests/common-tests
mydomain="example.com"
myhostname="ldap.${mydomain}"
mysuffix="dc=example,dc=com"
admin_dn="cn=admin,${mysuffix}"
admin_pw="secret"
ldap_user="testuser1"
ldap_user_pw="testuser1secret"
ldap_group="ldapusers"
adjust_hostname "${myhostname}"
reconfigure_slapd
generate_certs "${myhostname}"
enable_ldap_ssl
populate_ldap_rfc2307
configure_sssd_ldap_rfc2307
enable_pam_mkhomedir
# tests begin here
run_common_tests
echo "The LDAP user can login on a terminal"
/usr/bin/expect -f debian/tests/login.exp "${ldap_user}" "${ldap_user_pw}"
debian/tests/login.exp 0 → 100755
View file @ c239192a
#!/usr/bin/expect
set timeout 10
set user [lindex $argv 0]
set password [lindex $argv 1]
set principal [lindex $argv 2]
set distribution [exec "lsb_release" "-is"]
if { $distribution == "Ubuntu" } {
set welcome "Welcome to"
} elseif { $distribution == "Debian" } {
set welcome "Debian GNU/Linux comes"
} else {
puts "Unsupported linux distribution $distribution"
exit 1
}
spawn login
expect "login:"
send "$user\r"
expect "Password:"
send "$password\r"
expect {
timeout
{
puts "Expect error: timeout after password\r\r"
exit 1
}
"Login incorrect"
{
puts "Expect error: incorrect credentials\r\r"
exit 1
}
"$welcome"
}
expect {
timeout
{
puts "Expect error: timeout waiting for prompt\r\r"
exit 1
}
"$ "
}
send "id -un\r"
expect {
timeout
{
puts "Expect error: timeout waiting for 'id' result\r\r"
exit 1
}
"$user"
}
expect {
timeout
{
puts "Expect error: timeout waiting for prompt\r\r"
exit 1
}
"$ "
}
if { $principal != "" } {
send "klist\r"
expect {
timeout
{
puts "Expect error: timeout waiting for klist output\r\r"
exit 1
}
"Default principal: $principal"
}
}
send "logout\r"
exit 0
debian/tests/util 0 → 100644
View file @ c239192a
#!/bin/sh
reconfigure_slapd() {
debconf-set-selections << EOF
slapd slapd/domain string ${mydomain}
slapd shared/organization string ${mydomain}
slapd slapd/password1 password ${admin_pw}
slapd slapd/password2 password ${admin_pw}
EOF
rm -rf /var/backups/*slapd* /var/backups/unknown*ldapdb
dpkg-reconfigure -fnoninteractive -pcritical slapd
}
die() {
echo "ERROR"
echo "$@"
exit 1
}
enable_pam_mkhomedir() {
if ! grep -qE "^session.*pam_mkhomedir\.so" /etc/pam.d/common-session; then
echo "session optional pam_mkhomedir.so" >> /etc/pam.d/common-session
fi
}
adjust_hostname() {
local myhostname="$1"
echo "${myhostname}" > /etc/hostname
hostname "${myhostname}"
if ! grep -qE "${myhostname}" /etc/hosts; then
# just so it's resolvable
echo "127.0.1.10 ${myhostname}" >> /etc/hosts
fi
}
generate_certs() {
local cn="$1"
local cert="/etc/ldap/server.pem"
local key="/etc/ldap/server.key"
local cnf="/etc/ldap/openssl.cnf"
cat > "$cnf" <<EOF
RANDFILE = /dev/urandom
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
prompt = no
policy = policy_anything
[ req_distinguished_name ]
commonName = ${cn}
EOF
openssl req -new -x509 -nodes -out "$cert" -keyout "$key" -config "$cnf"
chmod 0640 "$key"
chgrp openldap "$key"
if [ ! -f "$cert" ]; then
echo "ERROR, failed to generate certificate for ldap test"
exit 1
fi
if [ ! -f "$key" ]; then
echo "ERROR, failed to generate key for ldap test"
exit 1
fi
}
enable_ldap_ssl() {
cat > /etc/ldap/ldap.conf <<EOF
BASE ${mysuffix}
URI ldap://${myhostname}
TLS_CACERT /etc/ldap/server.pem
EOF
{
cat <<EOF
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/server.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/server.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/server.key
EOF
} | ldapmodify -H ldapi:/// -Y EXTERNAL -Q
}
populate_ldap_rfc2307() {
{
cat <<EOF
dn: ou=People,${mysuffix}
ou: People
objectClass: organizationalUnit
dn: ou=Group,${mysuffix}
ou: Group
objectClass: organizationalUnit
dn: uid=${ldap_user},ou=People,${mysuffix}
uid: ${ldap_user}
objectClass: inetOrgPerson
objectClass: posixAccount
cn: ${ldap_user}
sn: ${ldap_user}
givenName: ${ldap_user}
mail: ${ldap_user}@${mydomain}
userPassword: ${ldap_user_pw}
uidNumber: 10001
gidNumber: 10001
loginShell: /bin/bash
homeDirectory: /home/${ldap_user}
dn: cn=${ldap_user},ou=Group,${mysuffix}
cn: ${ldap_user}
objectClass: posixGroup
gidNumber: 10001
memberUid: ${ldap_user}
dn: cn=${ldap_group},ou=Group,${mysuffix}
cn: ${ldap_group}
objectClass: posixGroup
gidNumber: 10100
memberUid: ${ldap_user}
EOF
} | ldapadd -x -D "${admin_dn}" -w "${admin_pw}"
}
configure_sssd_ldap_rfc2307_krb5_auth() {
cat > /etc/sssd/sssd.conf <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP
[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://${myhostname}
auth_provider = krb5
krb5_server = ${myhostname}
krb5_realm = ${myrealm}
cache_credentials = True
ldap_search_base = ${mysuffix}
EOF
chmod 0600 /etc/sssd/sssd.conf
systemctl restart sssd
}
configure_sssd_ldap_rfc2307() {
cat > /etc/sssd/sssd.conf <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP
[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://${myhostname}
cache_credentials = True
ldap_search_base = ${mysuffix}
EOF
chmod 0600 /etc/sssd/sssd.conf
systemctl restart sssd
}
check_local_user() {
local local_user="$1"
if grep -q "^${local_user}" /etc/passwd; then
die "Found ${local_user} in /etc/passwd"
fi
}
check_local_group() {
local local_group="$1"
if grep -q "^${local_group}" /etc/group; then
die "Found ${local_group} in /etc/group"
fi
}
check_getent_user() {
local getent_user="$1"
local output
output=$(getent passwd ${getent_user})
if [ -z "${output}" ]; then
die "${getent_user} not found via getent passwd"
fi
}
check_getent_group() {
local getent_group="$1"
local output
output=$(getent group ${getent_group})
if [ -z "${output}" ]; then
die "${getent_group} not found via getent group"
fi
}
create_realm() {
local realm_name="$1"
local kerberos_server="$2"
# start fresh
rm -rf /var/lib/krb5kdc/*
rm -rf /etc/krb5kdc/*
rm -f /etc/krb5.keytab
# setup some defaults
cat > /etc/krb5kdc/kdc.conf <<EOF
[kdcdefaults]
kdc_ports = 750,88
[realms]
${realm_name} = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
#supported_enctypes = aes256-cts:normal aes128-cts:normal
default_principal_flags = +preauth
}
EOF
cat > /etc/krb5.conf <<EOF
[libdefaults]
default_realm = ${realm_name}
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
fcc-mit-ticketflags = true
[realms]
${realm_name} = {
kdc = ${kerberos_server}
admin_server = ${kerberos_server}
}
EOF
echo "# */admin *" > /etc/krb5kdc/kadm5.acl
# create the realm
kdb5_util create -s -P secretpassword
# restart services
systemctl restart krb5-kdc.service krb5-admin-server.service
}
create_krb_principal() {
local principal="$1"
local password="$2"
kadmin.local -q "addprinc -pw ${password} ${principal}"
}