# NixOS VM test: SSSD resolving and authenticating a POSIX user against a
# local OpenLDAP server over LDAPS, including an LDAP-backed password change.
#
# Security note for readers: every credential and TLS setting below is
# deliberately weak because this is a throw-away test VM. None of it is a
# template for a production directory or SSSD deployment.
let
  dbDomain = "example.org";
  dbSuffix = "dc=example,dc=org";

  # Directory root (cn=admin) credentials. The same password is reused for the
  # test user below; both end up in the Nix store as plaintext (test only).
  ldapRootUser = "admin";
  ldapRootPassword = "foobar";

  # Test account and the password it is rotated to in the second subtest.
  testUser = "alice";
  testPassword = "foobar";
  testNewPassword = "barfoo";
in
import ./make-test-python.nix (
  { pkgs, ... }:
  {
    name = "sssd-ldap";

    meta = with pkgs.lib.maintainers; {
      maintainers = [
        bbigras
        s1341
      ];
    };

    nodes.machine =
      { pkgs, ... }:
      {
        # Let pam_systemd create /home/${testUser} on first login; the test
        # script relies on that directory existing to drop its marker files.
        security.pam.services.systemd-user.makeHomeDir = true;

        # Self-signed test certificate/key shared with the ACME test fixtures.
        # Using `environment.etc.<name>.text` copies both files (including the
        # private key) into the Nix store, i.e. world-readable — acceptable only
        # because this is a disposable test key.
        environment.etc."cert.pem".text = builtins.readFile ./common/acme/server/acme.test.cert.pem;
        environment.etc."key.pem".text = builtins.readFile ./common/acme/server/acme.test.key.pem;

        services.openldap = {
          enable = true;
          # Listen on plain LDAP (389) and LDAPS (636) on all interfaces; SSSD
          # below talks to the LDAPS listener on 127.0.0.1 only.
          urlList = [
            "ldap:///"
            "ldaps:///"
          ];
          settings = {
            attrs = {
              # The server certificate doubles as its own CA (self-signed).
              olcTLSCACertificateFile = "/etc/cert.pem";
              olcTLSCertificateFile = "/etc/cert.pem";
              olcTLSCertificateKeyFile = "/etc/key.pem";
              # TEST ONLY: this suite explicitly enables 3DES, RC4 and aNULL
              # (unauthenticated) ciphers, and CRL checking / client-cert
              # verification are switched off. "3.1" is OpenLDAP's designation
              # for TLS 1.0 as the minimum protocol. Do not copy these values
              # into a real deployment.
              olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
              olcTLSCRLCheck = "none";
              olcTLSVerifyClient = "never";
              olcTLSProtocolMin = "3.1";
            };
            children = {
              # Schemas needed for posixAccount/organizationalUnit entries.
              "cn=schema".includes = [
                "${pkgs.openldap}/etc/schema/core.ldif"
                "${pkgs.openldap}/etc/schema/cosine.ldif"
                "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
                "${pkgs.openldap}/etc/schema/nis.ldif"
              ];
              "olcDatabase={1}mdb" = {
                attrs = {
                  objectClass = [
                    "olcDatabaseConfig"
                    "olcMdbConfig"
                  ];
                  olcDatabase = "{1}mdb";
                  olcDbDirectory = "/var/lib/openldap/db";
                  olcSuffix = dbSuffix;
                  olcRootDN = "cn=${ldapRootUser},${dbSuffix}";
                  # Plaintext rootpw in cn=config (and in the Nix store). A real
                  # deployment would use a hashed value ({SSHA}/{ARGON2}) here.
                  olcRootPW = ldapRootPassword;
                  # ACLs are evaluated in order; the rootDN bypasses them, which
                  # is what lets SSSD's bind DN read entries below.
                  olcAccess = [
                    # userPassword: a bound user may change their own password
                    # (needed by the `passwd` subtest); anonymous clients may
                    # only use it to authenticate (simple bind); nobody else —
                    # not even other authenticated users — may read it.
                    ''
                      {0}to attrs=userPassword
                                      by self write
                                      by anonymous auth
                                      by * none''

                    # Everything else is readable by anyone, including
                    # anonymous binds. Fine for a test tree; real directories
                    # usually restrict this to `by users read` or tighter.
                    ''
                      {1}to *
                                      by * read''
                  ];
                };
              };
            };
          };
          # Initial tree: suffix -> ou=posix -> ou=accounts -> the test user.
          # userPassword is stored in plaintext (no {SSHA}-style hash); the
          # empty cn/sn satisfy the `person` MUST attributes only nominally.
          declarativeContents = {
            ${dbSuffix} = ''
              dn: ${dbSuffix}
              objectClass: top
              objectClass: dcObject
              objectClass: organization
              o: ${dbDomain}

              dn: ou=posix,${dbSuffix}
              objectClass: top
              objectClass: organizationalUnit

              dn: ou=accounts,ou=posix,${dbSuffix}
              objectClass: top
              objectClass: organizationalUnit

              dn: uid=${testUser},ou=accounts,ou=posix,${dbSuffix}
              objectClass: person
              objectClass: posixAccount
              userPassword: ${testPassword}
              homeDirectory: /home/${testUser}
              uidNumber: 1234
              gidNumber: 1234
              cn: ""
              sn: ""
            '';
          };
        };

        services.sssd = {
          enable = true;
          # just for testing purposes, don't put this into the Nix store in production!
          # (pkgs.writeText produces a world-readable store path holding the
          # directory root password; use a file outside the store, e.g. under
          # /run/secrets or an agenix/sops-managed path, on real systems.)
          environmentFile = "${pkgs.writeText "ldap-root" "LDAP_BIND_PW=${ldapRootPassword}"}";
          # SSSD binds as the directory rootDN (full access) to enumerate and
          # authenticate users. A production setup should use a dedicated,
          # read-only service account instead of the root DN.
          #
          # ldap_tls_reqcert = allow: SSSD requests the server certificate but
          # continues even if it fails validation, so ldap_tls_cacert is only
          # advisory here and the channel is not authenticated. Presumably
          # needed because the ACME test cert is not issued for 127.0.0.1
          # (TODO confirm); production configs should use `demand`.
          #
          # The `sudo` responder is enabled but no sudo_provider is configured;
          # it is not exercised by the test script below.
          config = ''
            [sssd]
            config_file_version = 2
            services = nss, pam, sudo
            domains = ${dbDomain}

            [domain/${dbDomain}]
            auth_provider = ldap
            id_provider = ldap
            ldap_uri = ldaps://127.0.0.1:636
            ldap_tls_reqcert = allow
            ldap_tls_cacert = /etc/cert.pem
            ldap_search_base = ${dbSuffix}
            ldap_default_bind_dn = cn=${ldapRootUser},${dbSuffix}
            ldap_default_authtok_type = password
            ldap_default_authtok = $LDAP_BIND_PW
          '';
        };
      };

    # Test phases:
    #  1. NSS: `getent passwd alice` resolves via SSSD. If the first attempt
    #     fails (SSSD's LDAP backend may still be offline right after the unit
    #     is up), wait for the "Backend is online" console message and retry.
    #  2. PAM: interactive login on tty1 with the initial password, then a
    #     marker file is created in the pam_systemd-provisioned home directory.
    #  3. Password change via `passwd` on tty1, which exercises the
    #     `by self write` ACL on userPassword over LDAPS.
    #  4. Fresh login on tty2 must succeed with the NEW password only,
    #     proving the change reached the directory and SSSD sees it.
    testScript = ''
      machine.start()
      machine.wait_for_unit("openldap.service")
      machine.wait_for_unit("sssd.service")
      result = machine.execute("getent passwd ${testUser}")
      if result[0] == 0:
          assert "${testUser}" in result[1]
      else:
          machine.wait_for_console_text("Backend is online")
          machine.succeed("getent passwd ${testUser}")

      with subtest("Log in as ${testUser}"):
          machine.wait_until_tty_matches("1", "login: ")
          machine.send_chars("${testUser}\n")
          machine.wait_until_tty_matches("1", "login: ${testUser}")
          machine.wait_until_succeeds("pgrep login")
          machine.wait_until_tty_matches("1", "Password: ")
          machine.send_chars("${testPassword}\n")
          machine.wait_until_succeeds("pgrep -u ${testUser} bash")
          machine.send_chars("touch done\n")
          machine.wait_for_file("/home/${testUser}/done")

      with subtest("Change ${testUser}'s password"):
          machine.send_chars("passwd\n")
          machine.wait_until_tty_matches("1", "Current Password: ")
          machine.send_chars("${testPassword}\n")
          machine.wait_until_tty_matches("1", "New Password: ")
          machine.send_chars("${testNewPassword}\n")
          machine.wait_until_tty_matches("1", "Reenter new Password: ")
          machine.send_chars("${testNewPassword}\n")
          machine.wait_until_tty_matches("1", "passwd: password updated successfully")

      with subtest("Log in as ${testUser} with new password in virtual console 2"):
          machine.send_key("alt-f2")
          machine.wait_until_succeeds("[ $(fgconsole) = 2 ]")
          machine.wait_for_unit("getty@tty2.service")
          machine.wait_until_succeeds("pgrep -f 'agetty.*tty2'")

          machine.wait_until_tty_matches("2", "login: ")
          machine.send_chars("${testUser}\n")
          machine.wait_until_tty_matches("2", "login: ${testUser}")
          machine.wait_until_succeeds("pgrep login")
          machine.wait_until_tty_matches("2", "Password: ")
          machine.send_chars("${testNewPassword}\n")
          machine.wait_until_succeeds("pgrep -u ${testUser} bash")
          machine.send_chars("touch done2\n")
          machine.wait_for_file("/home/${testUser}/done2")
    '';
  }
)