nixos/tests/openldap.nix at 24.11-pre · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / nixos / tests / openldap.nix
at 24.11-pre 5.2 kB view raw
  1import ./make-test-python.nix ({ pkgs, ... }: let
  2  dbContents = ''
  3    dn: dc=example
  4    objectClass: domain
  5    dc: example
  6
  7    dn: ou=users,dc=example
  8    objectClass: organizationalUnit
  9    ou: users
 10  '';
 11
 12  ldifConfig = ''
 13    dn: cn=config
 14    cn: config
 15    objectClass: olcGlobal
 16    olcLogLevel: stats
 17
 18    dn: cn=schema,cn=config
 19    cn: schema
 20    objectClass: olcSchemaConfig
 21
 22    include: file://${pkgs.openldap}/etc/schema/core.ldif
 23    include: file://${pkgs.openldap}/etc/schema/cosine.ldif
 24    include: file://${pkgs.openldap}/etc/schema/inetorgperson.ldif
 25
 26    dn: olcDatabase={0}config,cn=config
 27    olcDatabase: {0}config
 28    objectClass: olcDatabaseConfig
 29    olcRootDN: cn=root,cn=config
 30    olcRootPW: configpassword
 31
 32    dn: olcDatabase={1}mdb,cn=config
 33    objectClass: olcDatabaseConfig
 34    objectClass: olcMdbConfig
 35    olcDatabase: {1}mdb
 36    olcDbDirectory: /var/db/openldap
 37    olcDbIndex: objectClass eq
 38    olcSuffix: dc=example
 39    olcRootDN: cn=root,dc=example
 40    olcRootPW: notapassword
 41  '';
 42
 43  ldapClientConfig = {
 44    enable = true;
 45    loginPam = false;
 46    nsswitch = false;
 47    server = "ldap://";
 48    base = "dc=example";
 49  };
 50
 51in {
 52  name = "openldap";
 53
 54  nodes.machine = { pkgs, ... }: {
 55    environment.etc."openldap/root_password".text = "notapassword";
 56
 57    users.ldap = ldapClientConfig;
 58
 59    services.openldap = {
 60      enable = true;
 61      urlList = [ "ldapi:///" "ldap://" ];
 62      settings = {
 63        children = {
 64          "cn=schema".includes = [
 65            "${pkgs.openldap}/etc/schema/core.ldif"
 66            "${pkgs.openldap}/etc/schema/cosine.ldif"
 67            "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
 68            "${pkgs.openldap}/etc/schema/nis.ldif"
 69          ];
 70          "olcDatabase={0}config" = {
 71            attrs = {
 72              objectClass = [ "olcDatabaseConfig" ];
 73              olcDatabase = "{0}config";
 74              olcRootDN = "cn=root,cn=config";
 75              olcRootPW = "configpassword";
 76            };
 77          };
 78          "olcDatabase={1}mdb" = {
 79            # This tests string, base64 and path values, as well as lists of string values
 80            attrs = {
 81              objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
 82              olcDatabase = "{1}mdb";
 83              olcDbDirectory = "/var/lib/openldap/db";
 84              olcSuffix = "dc=example";
 85              olcRootDN = {
 86                # cn=root,dc=example
 87                base64 = "Y249cm9vdCxkYz1leGFtcGxl";
 88              };
 89              olcRootPW = {
 90                path = "/etc/openldap/root_password";
 91              };
 92            };
 93          };
 94        };
 95      };
 96    };
 97
 98    specialisation = {
 99      declarativeContents.configuration = { ... }: {
100        services.openldap.declarativeContents."dc=example" = dbContents;
101      };
102      mutableConfig.configuration = { ... }: {
103        services.openldap = {
104          declarativeContents."dc=example" = dbContents;
105          mutableConfig = true;
106        };
107      };
108      manualConfigDir = {
109        inheritParentConfig = false;
110        configuration = { ... }: {
111          users.ldap = ldapClientConfig;
112          services.openldap = {
113            enable = true;
114            configDir = "/var/db/slapd.d";
115          };
116        };
117      };
118    };
119  };
120  testScript = { nodes, ... }: let
121    specializations = "${nodes.machine.system.build.toplevel}/specialisation";
122    changeRootPw = ''
123      dn: olcDatabase={1}mdb,cn=config
124      changetype: modify
125      replace: olcRootPW
126      olcRootPW: foobar
127    '';
128  in ''
129    # Test startup with empty DB
130    machine.wait_for_unit("openldap.service")
131
132    with subtest("declarative contents"):
133      machine.succeed('${specializations}/declarativeContents/bin/switch-to-configuration test')
134      machine.wait_for_unit("openldap.service")
135      machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword')
136      machine.fail('ldapmodify -D cn=root,cn=config -w configpassword -f ${pkgs.writeText "rootpw.ldif" changeRootPw}')
137
138    with subtest("mutable config"):
139      machine.succeed('${specializations}/mutableConfig/bin/switch-to-configuration test')
140      machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword')
141      machine.succeed('ldapmodify -D cn=root,cn=config -w configpassword -f ${pkgs.writeText "rootpw.ldif" changeRootPw}')
142      machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w foobar')
143
144    with subtest("manual config dir"):
145      machine.succeed(
146        'mkdir /var/db/slapd.d /var/db/openldap',
147        'slapadd -F /var/db/slapd.d -n0 -l ${pkgs.writeText "config.ldif" ldifConfig}',
148        'slapadd -F /var/db/slapd.d -n1 -l ${pkgs.writeText "contents.ldif" dbContents}',
149        'chown -R openldap:openldap /var/db/slapd.d /var/db/openldap',
150        '${specializations}/manualConfigDir/bin/switch-to-configuration test',
151      )
152      machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword')
153      machine.succeed('ldapmodify -D cn=root,cn=config -w configpassword -f ${pkgs.writeText "rootpw.ldif" changeRootPw}')
154      machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w foobar')
155  '';
156})