# NixOS VM test for services.openldap.
#
# One machine carries a fully declarative slapd configuration (nodes.machine
# below); three specialisations then exercise declarative database contents,
# a config database that may be modified at runtime (mutableConfig), and a
# hand-seeded config directory that the module does not manage (configDir).
# Every password in this file is a fixture for an isolated test VM.
import ./make-test-python.nix (
  { pkgs, ... }:
  let
    # Minimal directory tree, loaded either via declarativeContents or by the
    # test script with `slapadd -n1`.
    exampleTreeLdif = ''
      dn: dc=example
      objectClass: domain
      dc: example

      dn: ou=users,dc=example
      objectClass: organizationalUnit
      ou: users
    '';

    # Complete cn=config LDIF used only by the manualConfigDir specialisation,
    # where the test script seeds /var/db/slapd.d with `slapadd -n0`.
    # olcRootPW is spelled out in cleartext and ends up in a Nix store path,
    # which is acceptable only because this is throwaway test material.
    manualSlapdConfigLdif = ''
      dn: cn=config
      cn: config
      objectClass: olcGlobal
      olcLogLevel: stats

      dn: cn=schema,cn=config
      cn: schema
      objectClass: olcSchemaConfig

      include: file://${pkgs.openldap}/etc/schema/core.ldif
      include: file://${pkgs.openldap}/etc/schema/cosine.ldif
      include: file://${pkgs.openldap}/etc/schema/inetorgperson.ldif

      dn: olcDatabase={0}config,cn=config
      olcDatabase: {0}config
      objectClass: olcDatabaseConfig
      olcRootDN: cn=root,cn=config
      olcRootPW: configpassword

      dn: olcDatabase={1}mdb,cn=config
      objectClass: olcDatabaseConfig
      objectClass: olcMdbConfig
      olcDatabase: {1}mdb
      olcDbDirectory: /var/db/openldap
      olcDbIndex: objectClass eq
      olcSuffix: dc=example
      olcRootDN: cn=root,dc=example
      olcRootPW: notapassword
    '';

    # Client-side LDAP settings shared by the main node and the manualConfigDir
    # specialisation.  PAM and NSS integration stay off so the test exercises
    # slapd itself rather than system login.
    clientSettings = {
      enable = true;
      loginPam = false;
      nsswitch = false;
      server = "ldap://";
      base = "dc=example";
    };
  in
  {
    name = "openldap";

    nodes.machine =
      { pkgs, ... }:
      let
        # Schema files shipped with the openldap package.
        schemaFile = name: "${pkgs.openldap}/etc/schema/${name}";
      in
      {
        # Consumed through the `path` form of olcRootPW below; the secret is
        # read from this file instead of being spelled out in the settings
        # (the file itself is still test-only material).
        environment.etc."openldap/root_password".text = "notapassword";

        users.ldap = clientSettings;

        services.openldap = {
          enable = true;
          # Local socket plus a cleartext TCP listener.  No TLS is configured
          # because nothing leaves the test VM.
          urlList = [
            "ldapi:///"
            "ldap://"
          ];
          settings.children = {
            "cn=schema" = {
              includes = map schemaFile [
                "core.ldif"
                "cosine.ldif"
                "inetorgperson.ldif"
                "nis.ldif"
              ];
            };
            "olcDatabase={0}config".attrs = {
              objectClass = [ "olcDatabaseConfig" ];
              olcDatabase = "{0}config";
              olcRootDN = "cn=root,cn=config";
              # Plain string value: embedded verbatim in the generated config.
              olcRootPW = "configpassword";
            };
            "olcDatabase={1}mdb".attrs = {
              # This tests string, base64 and path values, as well as lists of string values
              objectClass = [
                "olcDatabaseConfig"
                "olcMdbConfig"
              ];
              olcDatabase = "{1}mdb";
              olcDbDirectory = "/var/lib/openldap/db";
              olcSuffix = "dc=example";
              # base64 of "cn=root,dc=example"
              olcRootDN.base64 = "Y249cm9vdCxkYz1leGFtcGxl";
              # Value taken from the file rather than written here.
              olcRootPW.path = "/etc/openldap/root_password";
            };
          };
        };

        specialisation = {
          # Same configuration, plus the example tree loaded declaratively.
          declarativeContents.configuration =
            { ... }:
            {
              services.openldap.declarativeContents."dc=example" = exampleTreeLdif;
            };

          # As above, but cn=config may additionally be changed at runtime;
          # the test script expects ldapmodify on cn=config to succeed here
          # and to fail under the declarativeContents specialisation.
          mutableConfig.configuration =
            { ... }:
            {
              services.openldap = {
                declarativeContents."dc=example" = exampleTreeLdif;
                mutableConfig = true;
              };
            };

          # Starts from scratch (no settings inherited from the parent) and
          # points slapd at a config directory the test script populates
          # with slapadd before switching to it.
          manualConfigDir = {
            inheritParentConfig = false;
            configuration =
              { ... }:
              {
                users.ldap = clientSettings;
                services.openldap = {
                  enable = true;
                  configDir = "/var/db/slapd.d";
                };
              };
          };
        };
      };

    # The script walks the specialisations in order.  ldapmodify rotates the
    # mdb root password to "foobar", so the ldapsearch binds that follow it
    # use the new value.  Passing the password with -w exposes it on the
    # command line, which is fine inside the VM but not on a shared host.
    testScript =
      { nodes, ... }:
      let
        specialisationRoot = "${nodes.machine.system.build.toplevel}/specialisation";

        # LDIF applied with ldapmodify to replace the mdb root password.
        rootPwChangeLdif = pkgs.writeText "rootpw.ldif" ''
          dn: olcDatabase={1}mdb,cn=config
          changetype: modify
          replace: olcRootPW
          olcRootPW: foobar
        '';

        # Inputs for seeding the manually managed config directory.
        manualConfigLdif = pkgs.writeText "config.ldif" manualSlapdConfigLdif;
        manualContentsLdif = pkgs.writeText "contents.ldif" exampleTreeLdif;
      in
      ''
        # Test startup with empty DB
        machine.wait_for_unit("openldap.service")

        with subtest("declarative contents"):
            machine.succeed('${specialisationRoot}/declarativeContents/bin/switch-to-configuration test')
            machine.wait_for_unit("openldap.service")
            machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword')
            machine.fail('ldapmodify -D cn=root,cn=config -w configpassword -f ${rootPwChangeLdif}')

        with subtest("mutable config"):
            machine.succeed('${specialisationRoot}/mutableConfig/bin/switch-to-configuration test')
            machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword')
            machine.succeed('ldapmodify -D cn=root,cn=config -w configpassword -f ${rootPwChangeLdif}')
            machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w foobar')

        with subtest("manual config dir"):
            machine.succeed(
                'mkdir /var/db/slapd.d /var/db/openldap',
                'slapadd -F /var/db/slapd.d -n0 -l ${manualConfigLdif}',
                'slapadd -F /var/db/slapd.d -n1 -l ${manualContentsLdif}',
                'chown -R openldap:openldap /var/db/slapd.d /var/db/openldap',
                '${specialisationRoot}/manualConfigDir/bin/switch-to-configuration test',
            )
            machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword')
            machine.succeed('ldapmodify -D cn=root,cn=config -w configpassword -f ${rootPwChangeLdif}')
            machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w foobar')
      '';
  }
)