commit afd8bb3aef271cc92d6cd0889d4673d9e1c5f189 · pyrox.dev/nixpkgs

+105 -95

nixos/tests/ldap.nix

···

       1
       1
       -
       import ./make-test.nix ({ pkgs, lib, ...} :

     

       1
       1
       +
       import ./make-test-python.nix ({ pkgs, lib, ...} :

     

       2
       2
        
       

     

       3
       3
        
       let

     

       4
       4
        
         unlines = lib.concatStringsSep "\n";

     
···

       288
       288
        
       

     

       289
       289
        
           client1 = mkClient true; # use nss_pam_ldapd

     

       290
       290
        
           client2 = mkClient false; # use nss_ldap and pam_ldap

     

       291
       291
       -
       

     

       292
       291
        
         };

     

       293
       292
        
       

     

       294
       293
        
         testScript = ''

     

       295
       295
       -
           $server->start;

     

       296
       296
       -
           $server->waitForUnit("default.target");

     

       294
       294
       +
           def expect_script(*commands):

     

       295
       295
       +
               script = ";".join(commands)

     

       296
       296
       +
               return f"${pkgs.expect}/bin/expect -c '{script}'"

     

       297
       297
        
       

     

       298
       298
       -
           subtest "slapd", sub {

     

       299
       299
       -
             subtest "auth as database admin with SASL and check a POSIX account", sub {

     

       300
       300
       -
               $server->succeed(join ' ', 'test',

     

       301
       301
       -
                '"$(ldapsearch -LLL -H ldapi:// -Y EXTERNAL',

     

       302
       302
       -
                    '-b \'uid=${ldapUser},ou=accounts,ou=posix,${dbSuffix}\' ',

     

       303
       303
       -
                    '-s base uidNumber |',

     

       304
       304
       -
                  'sed -ne \'s/^uidNumber: \\(.*\\)/\\1/p\' ',

     

       305
       305
       -
                ')" -eq ${toString ldapUserId}');

     

       306
       306
       -
             };

     

       307
       307
       -
             subtest "auth as database admin with password and check a POSIX account", sub {

     

       308
       308
       -
               $server->succeed(join ' ', 'test',

     

       309
       309
       -
                '"$(ldapsearch -LLL -H ldap://server',

     

       310
       310
       -
                    '-D \'cn=admin,${dbSuffix}\' -w \'${dbAdminPwd}\' ',

     

       311
       311
       -
                    '-b \'uid=${ldapUser},ou=accounts,ou=posix,${dbSuffix}\' ',

     

       312
       312
       -
                    '-s base uidNumber |',

     

       313
       313
       -
                  'sed -ne \'s/^uidNumber: \\(.*\\)/\\1/p\' ',

     

       314
       314
       -
                ')" -eq ${toString ldapUserId}');

     

       315
       315
       -
             };

     

       316
       316
       -
           };

     

       317
       298
        
       

     

       318
       318
       -
           $client1->start;

     

       319
       319
       -
           $client1->waitForUnit("default.target");

     

       299
       299
       +
           server.start()

     

       300
       300
       +
           server.wait_for_unit("default.target")

     

       320
       301
        
       

     

       321
       321
       -
           subtest "password", sub {

     

       322
       322
       -
             subtest "su with password to a POSIX account", sub {

     

       323
       323
       -
               $client1->succeed("${pkgs.expect}/bin/expect -c '" . join ';',

     

       324
       324
       -
                 'spawn su "${ldapUser}"',

     

       325
       325
       -
                 'expect "Password:"',

     

       326
       326
       -
                 'send "${ldapUserPwd}\n"',

     

       327
       327
       -
                 'expect "*"',

     

       328
       328
       -
                 'send "whoami\n"',

     

       329
       329
       -
                 'expect -ex "${ldapUser}" {exit}',

     

       330
       330
       -
                 'exit 1' . "'");

     

       331
       331
       -
             };

     

       332
       332
       -
             subtest "change password of a POSIX account as root", sub {

     

       333
       333
       -
               $client1->succeed("chpasswd <<<'${ldapUser}:new-password'");

     

       334
       334
       -
               $client1->succeed("${pkgs.expect}/bin/expect -c '" . join ';',

     

       335
       335
       -
                 'spawn su "${ldapUser}"',

     

       336
       336
       -
                 'expect "Password:"',

     

       337
       337
       -
                 'send "new-password\n"',

     

       338
       338
       -
                 'expect "*"',

     

       339
       339
       -
                 'send "whoami\n"',

     

       340
       340
       -
                 'expect -ex "${ldapUser}" {exit}',

     

       341
       341
       -
                 'exit 1' . "'");

     

       342
       342
       -
               $client1->succeed('chpasswd <<<\'${ldapUser}:${ldapUserPwd}\' ');

     

       343
       343
       -
             };

     

       344
       344
       -
             subtest "change password of a POSIX account from itself", sub {

     

       345
       345
       -
               $client1->succeed('chpasswd <<<\'${ldapUser}:${ldapUserPwd}\' ');

     

       346
       346
       -
               $client1->succeed("${pkgs.expect}/bin/expect -c '" . join ';',

     

       347
       347
       -
                 'spawn su --login ${ldapUser} -c passwd',

     

       348
       348
       -
                 'expect "Password: "',

     

       349
       349
       -
                 'send "${ldapUserPwd}\n"',

     

       350
       350
       -
                 'expect "(current) UNIX password: "',

     

       351
       351
       -
                 'send "${ldapUserPwd}\n"',

     

       352
       352
       -
                 'expect "New password: "',

     

       353
       353
       -
                 'send "new-password\n"',

     

       354
       354
       -
                 'expect "Retype new password: "',

     

       355
       355
       -
                 'send "new-password\n"',

     

       356
       356
       -
                 'expect "passwd: password updated successfully" {exit}',

     

       357
       357
       -
                 'exit 1' . "'");

     

       358
       358
       -
               $client1->succeed("${pkgs.expect}/bin/expect -c '" . join ';',

     

       359
       359
       -
                 'spawn su "${ldapUser}"',

     

       360
       360
       -
                 'expect "Password:"',

     

       361
       361
       -
                 'send "${ldapUserPwd}\n"',

     

       362
       362
       -
                 'expect "su: Authentication failure" {exit}',

     

       363
       363
       -
                 'exit 1' . "'");

     

       364
       364
       -
               $client1->succeed("${pkgs.expect}/bin/expect -c '" . join ';',

     

       365
       365
       -
                 'spawn su "${ldapUser}"',

     

       366
       366
       -
                 'expect "Password:"',

     

       367
       367
       -
                 'send "new-password\n"',

     

       368
       368
       -
                 'expect "*"',

     

       369
       369
       -
                 'send "whoami\n"',

     

       370
       370
       -
                 'expect -ex "${ldapUser}" {exit}',

     

       371
       371
       -
                 'exit 1' . "'");

     

       372
       372
       -
               $client1->succeed('chpasswd <<<\'${ldapUser}:${ldapUserPwd}\' ');

     

       373
       373
       -
             };

     

       374
       374
       -
           };

     

       302
       302
       +
           with subtest("slapd: auth as database admin with SASL and check a POSIX account"):

     

       303
       303
       +
               server.succeed(

     

       304
       304
       +
                   'test "$(ldapsearch -LLL -H ldapi:// -Y EXTERNAL '

     

       305
       305
       +
                   + "-b 'uid=${ldapUser},ou=accounts,ou=posix,${dbSuffix}' "

     

       306
       306
       +
                   + "-s base uidNumber | "

     

       307
       307
       +
                   + "sed -ne 's/^uidNumber: \\(.*\\)/\\1/p')\" -eq ${toString ldapUserId}"

     

       308
       308
       +
               )

     

       375
       309
        
       

     

       376
       376
       -
           $client2->start;

     

       377
       377
       -
           $client2->waitForUnit("default.target");

     

       310
       310
       +
           with subtest("slapd: auth as database admin with password and check a POSIX account"):

     

       311
       311
       +
               server.succeed(

     

       312
       312
       +
                   "test \"$(ldapsearch -LLL -H ldap://server -D 'cn=admin,${dbSuffix}' "

     

       313
       313
       +
                   + "-w '${dbAdminPwd}' -b 'uid=${ldapUser},ou=accounts,ou=posix,${dbSuffix}' "

     

       314
       314
       +
                   + "-s base uidNumber | "

     

       315
       315
       +
                   + "sed -ne 's/^uidNumber: \\(.*\\)/\\1/p')\" -eq ${toString ldapUserId}"

     

       316
       316
       +
               )

     

       378
       317
        
       

     

       379
       379
       -
           subtest "NSS", sub {

     

       380
       380
       -
               $client1->succeed("test \"\$(id -u '${ldapUser}')\" -eq ${toString ldapUserId}");

     

       381
       381
       -
               $client1->succeed("test \"\$(id -u -n '${ldapUser}')\" = '${ldapUser}'");

     

       382
       382
       -
               $client1->succeed("test \"\$(id -g '${ldapUser}')\" -eq ${toString ldapGroupId}");

     

       383
       383
       -
               $client1->succeed("test \"\$(id -g -n '${ldapUser}')\" = '${ldapGroup}'");

     

       384
       384
       -
               $client2->succeed("test \"\$(id -u '${ldapUser}')\" -eq ${toString ldapUserId}");

     

       385
       385
       -
               $client2->succeed("test \"\$(id -u -n '${ldapUser}')\" = '${ldapUser}'");

     

       386
       386
       -
               $client2->succeed("test \"\$(id -g '${ldapUser}')\" -eq ${toString ldapGroupId}");

     

       387
       387
       -
               $client2->succeed("test \"\$(id -g -n '${ldapUser}')\" = '${ldapGroup}'");

     

       388
       388
       -
           };

     

       318
       318
       +
           client1.start()

     

       319
       319
       +
           client1.wait_for_unit("default.target")

     

       320
       320
       +
       

     

       321
       321
       +
           with subtest("password: su with password to a POSIX account"):

     

       322
       322
       +
               client1.succeed(

     

       323
       323
       +
                   expect_script(

     

       324
       324
       +
                       'spawn su "${ldapUser}"',

     

       325
       325
       +
                       'expect "Password:"',

     

       326
       326
       +
                       'send "${ldapUserPwd}\n"',

     

       327
       327
       +
                       'expect "*"',

     

       328
       328
       +
                       'send "whoami\n"',

     

       329
       329
       +
                       'expect -ex "${ldapUser}" {exit}',

     

       330
       330
       +
                       "exit 1",

     

       331
       331
       +
                   )

     

       332
       332
       +
               )

     

       333
       333
       +
       

     

       334
       334
       +
           with subtest("password: change password of a POSIX account as root"):

     

       335
       335
       +
               client1.succeed(

     

       336
       336
       +
                   "chpasswd <<<'${ldapUser}:new-password'",

     

       337
       337
       +
                   expect_script(

     

       338
       338
       +
                       'spawn su "${ldapUser}"',

     

       339
       339
       +
                       'expect "Password:"',

     

       340
       340
       +
                       'send "new-password\n"',

     

       341
       341
       +
                       'expect "*"',

     

       342
       342
       +
                       'send "whoami\n"',

     

       343
       343
       +
                       'expect -ex "${ldapUser}" {exit}',

     

       344
       344
       +
                       "exit 1",

     

       345
       345
       +
                   ),

     

       346
       346
       +
                   "chpasswd <<<'${ldapUser}:${ldapUserPwd}'",

     

       347
       347
       +
               )

     

       348
       348
       +
       

     

       349
       349
       +
           with subtest("password: change password of a POSIX account from itself"):

     

       350
       350
       +
               client1.succeed(

     

       351
       351
       +
                   "chpasswd <<<'${ldapUser}:${ldapUserPwd}' ",

     

       352
       352
       +
                   expect_script(

     

       353
       353
       +
                       "spawn su --login ${ldapUser} -c passwd",

     

       354
       354
       +
                       'expect "Password: "',

     

       355
       355
       +
                       'send "${ldapUserPwd}\n"',

     

       356
       356
       +
                       'expect "(current) UNIX password: "',

     

       357
       357
       +
                       'send "${ldapUserPwd}\n"',

     

       358
       358
       +
                       'expect "New password: "',

     

       359
       359
       +
                       'send "new-password\n"',

     

       360
       360
       +
                       'expect "Retype new password: "',

     

       361
       361
       +
                       'send "new-password\n"',

     

       362
       362
       +
                       'expect "passwd: password updated successfully" {exit}',

     

       363
       363
       +
                       "exit 1",

     

       364
       364
       +
                   ),

     

       365
       365
       +
                   expect_script(

     

       366
       366
       +
                       'spawn su "${ldapUser}"',

     

       367
       367
       +
                       'expect "Password:"',

     

       368
       368
       +
                       'send "${ldapUserPwd}\n"',

     

       369
       369
       +
                       'expect "su: Authentication failure" {exit}',

     

       370
       370
       +
                       "exit 1",

     

       371
       371
       +
                   ),

     

       372
       372
       +
                   expect_script(

     

       373
       373
       +
                       'spawn su "${ldapUser}"',

     

       374
       374
       +
                       'expect "Password:"',

     

       375
       375
       +
                       'send "new-password\n"',

     

       376
       376
       +
                       'expect "*"',

     

       377
       377
       +
                       'send "whoami\n"',

     

       378
       378
       +
                       'expect -ex "${ldapUser}" {exit}',

     

       379
       379
       +
                       "exit 1",

     

       380
       380
       +
                   ),

     

       381
       381
       +
                   "chpasswd <<<'${ldapUser}:${ldapUserPwd}'",

     

       382
       382
       +
               )

     

       383
       383
       +
       

     

       384
       384
       +
           client2.start()

     

       385
       385
       +
           client2.wait_for_unit("default.target")

     

       386
       386
       +
       

     

       387
       387
       +
           with subtest("NSS"):

     

       388
       388
       +
               client1.succeed(

     

       389
       389
       +
                   "test \"$(id -u    '${ldapUser}')\" -eq ${toString ldapUserId}",

     

       390
       390
       +
                   "test \"$(id -u -n '${ldapUser}')\" =  '${ldapUser}'",

     

       391
       391
       +
                   "test \"$(id -g    '${ldapUser}')\" -eq ${toString ldapGroupId}",

     

       392
       392
       +
                   "test \"$(id -g -n '${ldapUser}')\" =  '${ldapGroup}'",

     

       393
       393
       +
                   "test \"$(id -u    '${ldapUser}')\" -eq ${toString ldapUserId}",

     

       394
       394
       +
                   "test \"$(id -u -n '${ldapUser}')\" =  '${ldapUser}'",

     

       395
       395
       +
                   "test \"$(id -g    '${ldapUser}')\" -eq ${toString ldapGroupId}",

     

       396
       396
       +
                   "test \"$(id -g -n '${ldapUser}')\" =  '${ldapGroup}'",

     

       397
       397
       +
               )

     

       389
       398
        
       

     

       390
       390
       -
           subtest "PAM", sub {

     

       391
       391
       -
               $client1->succeed("echo ${ldapUserPwd} | su -l '${ldapUser}' -c true");

     

       392
       392
       -
               $client2->succeed("echo ${ldapUserPwd} | su -l '${ldapUser}' -c true");

     

       393
       393
       -
           };

     

       399
       399
       +
           with subtest("PAM"):

     

       400
       400
       +
               client1.succeed(

     

       401
       401
       +
                   "echo ${ldapUserPwd} | su -l '${ldapUser}' -c true",

     

       402
       402
       +
                   "echo ${ldapUserPwd} | su -l '${ldapUser}' -c true",

     

       403
       403
       +
               )

     

       394
       404
        
         '';

     

       395
       405
        
       })

+6 -4

nixos/tests/openldap.nix

···

       1
       1
       -
       import ./make-test.nix {

     

       1
       1
       +
       import ./make-test-python.nix {

     

       2
       2
        
         name = "openldap";

     

       3
       3
        
       

     

       4
       4
        
         machine = { pkgs, ... }: {

     
···

       24
       24
        
         };

     

       25
       25
        
       

     

       26
       26
        
         testScript = ''

     

       27
       27
       -
           $machine->waitForUnit('openldap.service');

     

       28
       28
       -
           $machine->succeed('systemctl status openldap.service');

     

       29
       29
       -
           $machine->succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword -b "dc=example"');

     

       27
       27
       +
           machine.wait_for_unit("openldap.service")

     

       28
       28
       +
           machine.succeed(

     

       29
       29
       +
               "systemctl status openldap.service",

     

       30
       30
       +
               'ldapsearch -LLL -D "cn=root,dc=example" -w notapassword -b "dc=example"',

     

       31
       31
       +
           )

     

       30
       32
        
         '';

     

       31
       33
        
       }