[Pkg-sssd-devel] [Git][sssd-team/sssd][master] 2 commits: * d/t/{ldap-user-group-ldap-auth, control, login.exp, util, common-tests}: add
Timo Aaltonen
gitlab at salsa.debian.org
Sat Nov 3 19:57:42 GMT 2018
Timo Aaltonen pushed to branch master at Debian SSSD packaging / sssd
Commits:
e4a03792 by Andreas Hasenack at 2018-11-03T16:30:18Z
* d/t/{ldap-user-group-ldap-auth,control,login.exp,util,common-tests}: add
LDAP DEP8 test
- - - - -
c239192a by Andreas Hasenack at 2018-11-03T16:30:39Z
* d/t/{util,login.exp,ldap-user-group-krb5-auth,control}: add krb5 DEP8 test
- - - - -
6 changed files:
- + debian/tests/common-tests
- + debian/tests/control
- + debian/tests/ldap-user-group-krb5-auth
- + debian/tests/ldap-user-group-ldap-auth
- + debian/tests/login.exp
- + debian/tests/util
Changes:
=====================================
debian/tests/common-tests
=====================================
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+run_common_tests() {
+ echo "Assert local user databases do not have our LDAP test data"
+ check_local_user "${ldap_user}"
+ check_local_group "${ldap_user}"
+ check_local_group "${ldap_group}"
+
+ echo "The LDAP user is known to the system via getent"
+ check_getent_user "${ldap_user}"
+
+ echo "The LDAP user's private group is known to the system via getent"
+ check_getent_group "${ldap_user}"
+
+ echo "The LDAP group ${ldap_group} is known to the system via getent"
+ check_getent_group "${ldap_group}"
+
+ echo "The id(1) command can resolve the group membership of the LDAP user"
+ #$ id -Gn testuser1
+ #testuser1 ldapusers
+ output=$(id -Gn ${ldap_user})
+ # XXX couldn't find a better way to make this comparison using just /bin/sh
+ if [ "${output}" != "${ldap_user} ${ldap_group}" ]; then
+ if [ "${output}" != "${ldap_group} ${ldap_user}" ]; then
+ die "Output doesn't match expected group membership: ${output}"
+ fi
+ fi
+}
=====================================
debian/tests/control
=====================================
@@ -0,0 +1,7 @@
+Tests: ldap-user-group-ldap-auth
+Depends: @, slapd, ldap-utils, openssl, expect, lsb-release
+Restrictions: isolation-container, needs-root, allow-stderr
+
+Tests: ldap-user-group-krb5-auth
+Depends: @, slapd, ldap-utils, openssl, expect, lsb-release, krb5-user, krb5-admin-server, krb5-kdc
+Restrictions: isolation-container, needs-root, allow-stderr
=====================================
debian/tests/ldap-user-group-krb5-auth
=====================================
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+set -ex
+
+. debian/tests/util
+. debian/tests/common-tests
+
+mydomain="example.com"
+myhostname="ldap.${mydomain}"
+mysuffix="dc=example,dc=com"
+myrealm="EXAMPLE.COM"
+admin_dn="cn=admin,${mysuffix}"
+admin_pw="secret"
+ldap_user="testuser1"
+ldap_user_pw="testuser1secret"
+kerberos_principal_pw="testuser1kerberos"
+ldap_group="ldapusers"
+
+adjust_hostname "${myhostname}"
+reconfigure_slapd
+generate_certs "${myhostname}"
+enable_ldap_ssl
+populate_ldap_rfc2307
+create_realm "${myrealm}" "${myhostname}"
+create_krb_principal "${ldap_user}" "${kerberos_principal_pw}"
+configure_sssd_ldap_rfc2307_krb5_auth
+enable_pam_mkhomedir
+
+# tests begin here
+run_common_tests
+
+# login works with the kerneros password
+echo "The Kerberos principal can login on a terminal"
+kdestroy > /dev/null 2>&1 || /bin/true
+/usr/bin/expect -f debian/tests/login.exp "${ldap_user}" "${kerberos_principal_pw}" "${ldap_user}"@"${myrealm}"
=====================================
debian/tests/ldap-user-group-ldap-auth
=====================================
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+set -ex
+
+. debian/tests/util
+. debian/tests/common-tests
+
+mydomain="example.com"
+myhostname="ldap.${mydomain}"
+mysuffix="dc=example,dc=com"
+admin_dn="cn=admin,${mysuffix}"
+admin_pw="secret"
+ldap_user="testuser1"
+ldap_user_pw="testuser1secret"
+ldap_group="ldapusers"
+
+adjust_hostname "${myhostname}"
+reconfigure_slapd
+generate_certs "${myhostname}"
+enable_ldap_ssl
+populate_ldap_rfc2307
+configure_sssd_ldap_rfc2307
+enable_pam_mkhomedir
+
+# tests begin here
+run_common_tests
+
+echo "The LDAP user can login on a terminal"
+/usr/bin/expect -f debian/tests/login.exp "${ldap_user}" "${ldap_user_pw}"
=====================================
debian/tests/login.exp
=====================================
@@ -0,0 +1,74 @@
+#!/usr/bin/expect
+
+set timeout 10
+set user [lindex $argv 0]
+set password [lindex $argv 1]
+set principal [lindex $argv 2]
+
+set distribution [exec "lsb_release" "-is"]
+
+if { $distribution == "Ubuntu" } {
+ set welcome "Welcome to"
+} elseif { $distribution == "Debian" } {
+ set welcome "Debian GNU/Linux comes"
+} else {
+ puts "Unsupported linux distribution $distribution"
+ exit 1
+}
+
+spawn login
+expect "login:"
+send "$user\r"
+expect "Password:"
+send "$password\r"
+expect {
+ timeout
+ {
+ puts "Expect error: timeout after password\r\r"
+ exit 1
+ }
+ "Login incorrect"
+ {
+ puts "Expect error: incorrect credentials\r\r"
+ exit 1
+ }
+ "$welcome"
+}
+expect {
+ timeout
+ {
+ puts "Expect error: timeout waiting for prompt\r\r"
+ exit 1
+ }
+ "$ "
+}
+send "id -un\r"
+expect {
+ timeout
+ {
+ puts "Expect error: timeout waiting for 'id' result\r\r"
+ exit 1
+ }
+ "$user"
+}
+expect {
+ timeout
+ {
+ puts "Expect error: timeout waiting for prompt\r\r"
+ exit 1
+ }
+ "$ "
+}
+if { $principal != "" } {
+ send "klist\r"
+ expect {
+ timeout
+ {
+ puts "Expect error: timeout waiting for klist output\r\r"
+ exit 1
+ }
+ "Default principal: $principal"
+ }
+}
+send "logout\r"
+exit 0
=====================================
debian/tests/util
=====================================
@@ -0,0 +1,259 @@
+#!/bin/sh
+
+reconfigure_slapd() {
+ debconf-set-selections << EOF
+slapd slapd/domain string ${mydomain}
+slapd shared/organization string ${mydomain}
+slapd slapd/password1 password ${admin_pw}
+slapd slapd/password2 password ${admin_pw}
+EOF
+ rm -rf /var/backups/*slapd* /var/backups/unknown*ldapdb
+ dpkg-reconfigure -fnoninteractive -pcritical slapd
+}
+
+die() {
+ echo "ERROR"
+ echo "$@"
+ exit 1
+}
+
+enable_pam_mkhomedir() {
+ if ! grep -qE "^session.*pam_mkhomedir\.so" /etc/pam.d/common-session; then
+ echo "session optional pam_mkhomedir.so" >> /etc/pam.d/common-session
+ fi
+}
+
+adjust_hostname() {
+ local myhostname="$1"
+
+ echo "${myhostname}" > /etc/hostname
+ hostname "${myhostname}"
+ if ! grep -qE "${myhostname}" /etc/hosts; then
+ # just so it's resolvable
+ echo "127.0.1.10 ${myhostname}" >> /etc/hosts
+ fi
+}
+
+generate_certs() {
+ local cn="$1"
+ local cert="/etc/ldap/server.pem"
+ local key="/etc/ldap/server.key"
+ local cnf="/etc/ldap/openssl.cnf"
+
+ cat > "$cnf" <<EOF
+RANDFILE = /dev/urandom
+[ req ]
+default_bits = 1024
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+prompt = no
+policy = policy_anything
+
+[ req_distinguished_name ]
+commonName = ${cn}
+EOF
+ openssl req -new -x509 -nodes -out "$cert" -keyout "$key" -config "$cnf"
+ chmod 0640 "$key"
+ chgrp openldap "$key"
+ if [ ! -f "$cert" ]; then
+ echo "ERROR, failed to generate certificate for ldap test"
+ exit 1
+ fi
+ if [ ! -f "$key" ]; then
+ echo "ERROR, failed to generate key for ldap test"
+ exit 1
+ fi
+}
+
+enable_ldap_ssl() {
+ cat > /etc/ldap/ldap.conf <<EOF
+BASE ${mysuffix}
+URI ldap://${myhostname}
+TLS_CACERT /etc/ldap/server.pem
+EOF
+ {
+ cat <<EOF
+dn: cn=config
+add: olcTLSCACertificateFile
+olcTLSCACertificateFile: /etc/ldap/server.pem
+-
+add: olcTLSCertificateFile
+olcTLSCertificateFile: /etc/ldap/server.pem
+-
+add: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: /etc/ldap/server.key
+EOF
+ } | ldapmodify -H ldapi:/// -Y EXTERNAL -Q
+}
+
+populate_ldap_rfc2307() {
+ {
+ cat <<EOF
+dn: ou=People,${mysuffix}
+ou: People
+objectClass: organizationalUnit
+
+dn: ou=Group,${mysuffix}
+ou: Group
+objectClass: organizationalUnit
+
+dn: uid=${ldap_user},ou=People,${mysuffix}
+uid: ${ldap_user}
+objectClass: inetOrgPerson
+objectClass: posixAccount
+cn: ${ldap_user}
+sn: ${ldap_user}
+givenName: ${ldap_user}
+mail: ${ldap_user}@${mydomain}
+userPassword: ${ldap_user_pw}
+uidNumber: 10001
+gidNumber: 10001
+loginShell: /bin/bash
+homeDirectory: /home/${ldap_user}
+
+dn: cn=${ldap_user},ou=Group,${mysuffix}
+cn: ${ldap_user}
+objectClass: posixGroup
+gidNumber: 10001
+memberUid: ${ldap_user}
+
+dn: cn=${ldap_group},ou=Group,${mysuffix}
+cn: ${ldap_group}
+objectClass: posixGroup
+gidNumber: 10100
+memberUid: ${ldap_user}
+EOF
+ } | ldapadd -x -D "${admin_dn}" -w "${admin_pw}"
+}
+
+configure_sssd_ldap_rfc2307_krb5_auth() {
+ cat > /etc/sssd/sssd.conf <<EOF
+[sssd]
+config_file_version = 2
+services = nss, pam
+domains = LDAP
+
+[domain/LDAP]
+id_provider = ldap
+ldap_uri = ldap://${myhostname}
+auth_provider = krb5
+krb5_server = ${myhostname}
+krb5_realm = ${myrealm}
+cache_credentials = True
+ldap_search_base = ${mysuffix}
+EOF
+ chmod 0600 /etc/sssd/sssd.conf
+ systemctl restart sssd
+}
+
+configure_sssd_ldap_rfc2307() {
+ cat > /etc/sssd/sssd.conf <<EOF
+[sssd]
+config_file_version = 2
+services = nss, pam
+domains = LDAP
+
+[domain/LDAP]
+id_provider = ldap
+ldap_uri = ldap://${myhostname}
+cache_credentials = True
+ldap_search_base = ${mysuffix}
+EOF
+ chmod 0600 /etc/sssd/sssd.conf
+ systemctl restart sssd
+}
+
+check_local_user() {
+ local local_user="$1"
+
+ if grep -q "^${local_user}" /etc/passwd; then
+ die "Found ${local_user} in /etc/passwd"
+ fi
+}
+
+check_local_group() {
+ local local_group="$1"
+
+ if grep -q "^${local_group}" /etc/group; then
+ die "Found ${local_group} in /etc/group"
+ fi
+}
+
+check_getent_user() {
+ local getent_user="$1"
+ local output
+
+ output=$(getent passwd ${getent_user})
+ if [ -z "${output}" ]; then
+ die "${getent_user} not found via getent passwd"
+ fi
+}
+
+check_getent_group() {
+ local getent_group="$1"
+ local output
+
+ output=$(getent group ${getent_group})
+ if [ -z "${output}" ]; then
+ die "${getent_group} not found via getent group"
+ fi
+}
+
+create_realm() {
+ local realm_name="$1"
+ local kerberos_server="$2"
+
+ # start fresh
+ rm -rf /var/lib/krb5kdc/*
+ rm -rf /etc/krb5kdc/*
+ rm -f /etc/krb5.keytab
+
+ # setup some defaults
+ cat > /etc/krb5kdc/kdc.conf <<EOF
+[kdcdefaults]
+ kdc_ports = 750,88
+[realms]
+ ${realm_name} = {
+ database_name = /var/lib/krb5kdc/principal
+ admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
+ acl_file = /etc/krb5kdc/kadm5.acl
+ key_stash_file = /etc/krb5kdc/stash
+ kdc_ports = 750,88
+ max_life = 10h 0m 0s
+ max_renewable_life = 7d 0h 0m 0s
+ master_key_type = des3-hmac-sha1
+ #supported_enctypes = aes256-cts:normal aes128-cts:normal
+ default_principal_flags = +preauth
+ }
+EOF
+
+ cat > /etc/krb5.conf <<EOF
+[libdefaults]
+ default_realm = ${realm_name}
+ kdc_timesync = 1
+ ccache_type = 4
+ forwardable = true
+ proxiable = true
+ fcc-mit-ticketflags = true
+[realms]
+ ${realm_name} = {
+ kdc = ${kerberos_server}
+ admin_server = ${kerberos_server}
+ }
+EOF
+ echo "# */admin *" > /etc/krb5kdc/kadm5.acl
+
+ # create the realm
+ kdb5_util create -s -P secretpassword
+
+ # restart services
+ systemctl restart krb5-kdc.service krb5-admin-server.service
+}
+
+create_krb_principal() {
+ local principal="$1"
+ local password="$2"
+
+ kadmin.local -q "addprinc -pw ${password} ${principal}"
+}
+
View it on GitLab: https://salsa.debian.org/sssd-team/sssd/compare/5509084ab57bb722062bb9e3455ad74fd9b2cec3...c239192adde119b701236ce86c56052ec5e528a1
--
View it on GitLab: https://salsa.debian.org/sssd-team/sssd/compare/5509084ab57bb722062bb9e3455ad74fd9b2cec3...c239192adde119b701236ce86c56052ec5e528a1
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-sssd-devel/attachments/20181103/dbfb1b7d/attachment-0001.html>
More information about the Pkg-sssd-devel
mailing list