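# NixOS VM test for services.openldap.
#
# One machine is built with a declarative slapd configuration (settings.*), and
# three specialisations switch it between the module's modes:
#   - declarativeContents: the data DB is seeded from LDIF and the config DB is
#     read-only (ldapmodify against cn=config must fail);
#   - mutableConfig:       the same seed, but cn=config accepts writes;
#   - manualConfigDir:     the module manages nothing but the unit; the config
#     and data DBs are loaded by hand with slapadd into configDir.
# All credentials below are test fixtures for a throw-away VM.
{ pkgs, ... }:
let
  # Seed for the dc=example data database (-n1 in the manual subtest).
  dbContents = ''
    dn: dc=example
    objectClass: domain
    dc: example

    dn: ou=users,dc=example
    objectClass: organizationalUnit
    ou: users
  '';

  # Hand-written cn=config tree for the manualConfigDir subtest. It deliberately
  # differs from the settings.* tree (no nis.ldif, /var/db/openldap as data dir)
  # so the two paths are not accidentally exercising the same files.
  ldifConfig = ''
    dn: cn=config
    cn: config
    objectClass: olcGlobal
    olcLogLevel: stats

    dn: cn=schema,cn=config
    cn: schema
    objectClass: olcSchemaConfig

    include: file://${pkgs.openldap}/etc/schema/core.ldif
    include: file://${pkgs.openldap}/etc/schema/cosine.ldif
    include: file://${pkgs.openldap}/etc/schema/inetorgperson.ldif

    dn: olcDatabase={0}config,cn=config
    olcDatabase: {0}config
    objectClass: olcDatabaseConfig
    olcRootDN: cn=root,cn=config
    olcRootPW: configpassword

    dn: olcDatabase={1}mdb,cn=config
    objectClass: olcDatabaseConfig
    objectClass: olcMdbConfig
    olcDatabase: {1}mdb
    olcDbDirectory: /var/db/openldap
    olcDbIndex: objectClass eq
    olcSuffix: dc=example
    olcRootDN: cn=root,dc=example
    olcRootPW: notapassword
  '';

  # Client-side defaults (server + base) so the ldapsearch/ldapmodify calls in
  # testScript can omit -H and -b. PAM and NSS integration are kept off: this
  # test only exercises the server.
  ldapClientConfig = {
    enable = true;
    loginPam = false;
    nsswitch = false;
    server = "ldap://";
    base = "dc=example";
  };

in
{
  name = "openldap";

  nodes.machine =
    { config, pkgs, ... }:
    {
      # Test-only: environment.etc.<name>.text lands in the Nix store, which is
      # world-readable, so this is not how a real rootpw file should be
      # provisioned; it exists to exercise the `path` attribute form below.
      environment.etc."openldap/root_password".text = "notapassword";

      users.ldap = ldapClientConfig;

      services.openldap = {
        enable = true;
        # ldapi:/// is what the module itself uses; ldap:// is for the clients.
        urlList = [
          "ldapi:///"
          "ldap://"
        ];
        settings = {
          children = {
            "cn=schema".includes = [
              "${pkgs.openldap}/etc/schema/core.ldif"
              "${pkgs.openldap}/etc/schema/cosine.ldif"
              "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
              "${pkgs.openldap}/etc/schema/nis.ldif"
            ];
            "olcDatabase={0}config" = {
              attrs = {
                objectClass = [ "olcDatabaseConfig" ];
                olcDatabase = "{0}config";
                olcRootDN = "cn=root,cn=config";
                olcRootPW = "configpassword";
              };
            };
            "olcDatabase={1}mdb" = {
              # This tests string, base64 and path values, as well as lists of string values
              attrs = {
                objectClass = [
                  "olcDatabaseConfig"
                  "olcMdbConfig"
                ];
                olcDatabase = "{1}mdb";
                olcDbDirectory = "/var/lib/openldap/db";
                olcSuffix = "dc=example";
                olcRootDN = {
                  # cn=root,dc=example
                  base64 = "Y249cm9vdCxkYz1leGFtcGxl";
                };
                olcRootPW = {
                  # Read from the file at runtime rather than inlined in the config.
                  path = "/etc/openldap/root_password";
                };
              };
            };
          };
        };
      };

      specialisation = {
        declarativeContents.configuration =
          { ... }:
          {
            services.openldap.declarativeContents."dc=example" = dbContents;
          };
        mutableConfig.configuration =
          { ... }:
          {
            services.openldap = {
              declarativeContents."dc=example" = dbContents;
              mutableConfig = true;
            };
          };
        manualConfigDir = {
          # Start from an empty config so none of the settings.* tree leaks in;
          # only the bits the subtest needs are re-declared.
          inheritParentConfig = false;
          configuration =
            { ... }:
            {
              nixpkgs.hostPlatform = config.nixpkgs.hostPlatform;

              users.ldap = ldapClientConfig;
              services.openldap = {
                enable = true;
                configDir = "/var/db/slapd.d";
              };
            };
        };
      };
    };

  testScript =
    { nodes, ... }:
    let
      specializations = "${nodes.machine.system.build.toplevel}/specialisation";
      # Rotates the data DB's rootpw; used both as the "must be rejected" probe
      # against a read-only cn=config and as the "must succeed" probe otherwise.
      changeRootPw = ''
        dn: olcDatabase={1}mdb,cn=config
        changetype: modify
        replace: olcRootPW
        olcRootPW: foobar
      '';
      rootPwLdif = pkgs.writeText "rootpw.ldif" changeRootPw;
    in
    ''
      # Test startup with empty DB
      machine.wait_for_unit("openldap.service")

      with subtest("declarative contents"):
          machine.succeed('${specializations}/declarativeContents/bin/switch-to-configuration test')
          machine.wait_for_unit("openldap.service")
          machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword')
          # mutableConfig defaults to false: writes to cn=config must be refused
          machine.fail('ldapmodify -D cn=root,cn=config -w configpassword -f ${rootPwLdif}')
          # ...and the refused modify must leave the original rootpw in force
          machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword')

      with subtest("mutable config"):
          machine.succeed('${specializations}/mutableConfig/bin/switch-to-configuration test')
          machine.wait_for_unit("openldap.service")
          machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword')
          machine.succeed('ldapmodify -D cn=root,cn=config -w configpassword -f ${rootPwLdif}')
          # after the rotation the old rootpw must be rejected and the new one accepted
          machine.fail('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword')
          machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w foobar')

      with subtest("manual config dir"):
          # -n0 loads the config DB, -n1 the first (data) DB; both must be owned
          # by the service user before slapd is started against them.
          machine.succeed(
              'mkdir /var/db/slapd.d /var/db/openldap',
              'slapadd -F /var/db/slapd.d -n0 -l ${pkgs.writeText "config.ldif" ldifConfig}',
              'slapadd -F /var/db/slapd.d -n1 -l ${pkgs.writeText "contents.ldif" dbContents}',
              'chown -R openldap:openldap /var/db/slapd.d /var/db/openldap',
              '${specializations}/manualConfigDir/bin/switch-to-configuration test',
          )
          machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword')
          machine.succeed('ldapmodify -D cn=root,cn=config -w configpassword -f ${rootPwLdif}')
          # same rotation check as above: old rootpw rejected, new one accepted
          machine.fail('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword')
          machine.succeed('ldapsearch -LLL -D "cn=root,dc=example" -w foobar')
    '';
}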