···
ldapRootPassword = "foobar";
9
-
in import ./make-test-python.nix ({pkgs, ...}: {
9
+
testPassword = "foobar";
10
+
testNewPassword = "barfoo";
12
+
import ./make-test-python.nix ({ pkgs, ... }: {
meta = with pkgs.lib.maintainers; {
13
-
maintainers = [ bbigras ];
16
+
maintainers = [ bbigras s1341 ];
nodes.machine = { pkgs, ... }: {
20
+
security.pam.services.systemd-user.makeHomeDir = true;
21
+
environment.etc."cert.pem".text = builtins.readFile ./common/acme/server/acme.test.cert.pem;
22
+
environment.etc."key.pem".text = builtins.readFile ./common/acme/server/acme.test.key.pem;
25
+
urlList = [ "ldap:///" "ldaps:///" ];
28
+
olcTLSCACertificateFile = "/etc/cert.pem";
29
+
olcTLSCertificateFile = "/etc/cert.pem";
30
+
olcTLSCertificateKeyFile = "/etc/key.pem";
31
+
olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
32
+
olcTLSCRLCheck = "none";
33
+
olcTLSVerifyClient = "never";
34
+
olcTLSProtocolMin = "3.1";
"${pkgs.openldap}/etc/schema/core.ldif"
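Review bot: The TLS block added under `settings.attrs` (`olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL"`, `olcTLSProtocolMin = "3.1"`, `olcTLSVerifyClient = "never"`) has no comment marking these as test-fixture values, and the sssd hunk further down pairs the new `ldap_tls_cacert = /etc/cert.pem` with `ldap_tls_reqcert = allow`, so the certificate it installs is never actually enforced and a mismatched server certificate would not fail the test. If `allow` is there because the acme.test fixture certificate does not match `127.0.0.1`, a comment such as `# fixture cert does not match 127.0.0.1; verification relaxed for the test only` above that line would explain it; otherwise `ldap_tls_reqcert = demand` would make the test exercise the CA path it configures. On the server side, `olcTLSCipherSuite = "HIGH:!aNULL:!RC4:!3DES"` and `olcTLSProtocolMin = "3.3"` would keep the test on TLS 1.2 without changing what it checks, since with OpenSSL cipher-string semantics `+aNULL` only reorders anonymous suites rather than excluding them (hedged: the TLS backend is not visible here). The `nodes.machine = { pkgs, ... }: {` attribute set opens inside this hunk and closes outside it.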
···
olcRootDN = "cn=${ldapRootUser},${dbSuffix}";
olcRootPW = ldapRootPassword;
53
+
custom access rules for userPassword attributes
56
+
{0}to attrs=userPassword
62
+
allow read on anything else
···
dn: uid=${testUser},ou=accounts,ou=posix,${dbSuffix}
objectClass: posixAccount
58
-
# userPassword: somePasswordHash
91
+
userPassword: ${testPassword}
homeDirectory: /home/${testUser}
···
81
-
ldap_uri = ldap://127.0.0.1:389
114
+
ldap_uri = ldaps://127.0.0.1:636
115
+
ldap_tls_reqcert = allow
116
+
ldap_tls_cacert = /etc/cert.pem
ldap_search_base = ${dbSuffix}
ldap_default_bind_dn = cn=${ldapRootUser},${dbSuffix}
ldap_default_authtok_type = password
···
machine.wait_for_console_text("Backend is online")
machine.succeed("getent passwd ${testUser}")
136
+
with subtest("Log in as ${testUser}"):
137
+
machine.wait_until_tty_matches("1", "login: ")
138
+
machine.send_chars("${testUser}\n")
139
+
machine.wait_until_tty_matches("1", "login: ${testUser}")
140
+
machine.wait_until_succeeds("pgrep login")
141
+
machine.wait_until_tty_matches("1", "Password: ")
142
+
machine.send_chars("${testPassword}\n")
143
+
machine.wait_until_succeeds("pgrep -u ${testUser} bash")
144
+
machine.send_chars("touch done\n")
145
+
machine.wait_for_file("/home/${testUser}/done")
147
+
with subtest("Change ${testUser}'s password"):
148
+
machine.send_chars("passwd\n")
149
+
machine.wait_until_tty_matches("1", "Current Password: ")
150
+
machine.send_chars("${testPassword}\n")
151
+
machine.wait_until_tty_matches("1", "New Password: ")
152
+
machine.send_chars("${testNewPassword}\n")
153
+
machine.wait_until_tty_matches("1", "Reenter new Password: ")
154
+
machine.send_chars("${testNewPassword}\n")
155
+
machine.wait_until_tty_matches("1", "passwd: password updated successfully")
157
+
with subtest("Log in as ${testUser} with new password in virtual console 2"):
158
+
machine.send_key("alt-f2")
159
+
machine.wait_until_succeeds("[ $(fgconsole) = 2 ]")
160
+
machine.wait_for_unit("getty@tty2.service")
161
+
machine.wait_until_succeeds("pgrep -f 'agetty.*tty2'")
163
+
machine.wait_until_tty_matches("2", "login: ")
164
+
machine.send_chars("${testUser}\n")
165
+
machine.wait_until_tty_matches("2", "login: ${testUser}")
166
+
machine.wait_until_succeeds("pgrep login")
167
+
machine.wait_until_tty_matches("2", "Password: ")
168
+
machine.send_chars("${testNewPassword}\n")
169
+
machine.wait_until_succeeds("pgrep -u ${testUser} bash")
170
+
machine.send_chars("touch done2\n")
171
+
machine.wait_for_file("/home/${testUser}/done2")