···

       
638
       
 
       
            password sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf

     

       
639
       
 
       
          '' +

     

       
640
       
 
       
          optionalString config.services.sssd.enable ''

     

       
641
       
-
       
            password sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_authtok

     

       
642
       
 
       
          '' +

     

       
643
       
 
       
          optionalString config.security.pam.krb5.enable ''

     

       
644
       
 
       
            password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass

     

···

       
638
       
 
       
            password sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf

     

       
639
       
 
       
          '' +

     

       
640
       
 
       
          optionalString config.services.sssd.enable ''

     

       
641
       
+
       
            password sufficient ${pkgs.sssd}/lib/security/pam_sss.so

     

       
642
       
 
       
          '' +

     

       
643
       
 
       
          optionalString config.security.pam.krb5.enable ''

     

       
644
       
 
       
            password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass

     

···

       
6
       
 
       
  ldapRootPassword = "foobar";

     

       
7
       
 
       


     

       
8
       
 
       
  testUser = "alice";

     

       
9
       
-
       
in import ./make-test-python.nix ({pkgs, ...}: {

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
10
       
 
       
  name = "sssd-ldap";

     

       
11
       
 
       


     

       
12
       
 
       
  meta = with pkgs.lib.maintainers; {

     

       
13
       
-
       
    maintainers = [ bbigras ];

     

       
14
       
 
       
  };

     

       
15
       
 
       


     

       
16
       
 
       
  nodes.machine = { pkgs, ... }: {

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
17
       
 
       
    services.openldap = {

     

       
18
       
 
       
      enable = true;

     

       
0
       
 
       

     

       
19
       
 
       
      settings = {

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
20
       
 
       
        children = {

     

       
21
       
 
       
          "cn=schema".includes = [

     

       
22
       
 
       
            "${pkgs.openldap}/etc/schema/core.ldif"

     
···

       
32
       
 
       
              olcSuffix = dbSuffix;

     

       
33
       
 
       
              olcRootDN = "cn=${ldapRootUser},${dbSuffix}";

     

       
34
       
 
       
              olcRootPW = ldapRootPassword;

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
35
       
 
       
            };

     

       
36
       
 
       
          };

     

       
37
       
 
       
        };

     
···

       
55
       
 
       
          dn: uid=${testUser},ou=accounts,ou=posix,${dbSuffix}

     

       
56
       
 
       
          objectClass: person

     

       
57
       
 
       
          objectClass: posixAccount

     

       
58
       
-
       
          # userPassword: somePasswordHash

     

       
59
       
 
       
          homeDirectory: /home/${testUser}

     

       
60
       
 
       
          uidNumber: 1234

     

       
61
       
 
       
          gidNumber: 1234

     
···

       
78
       
 
       
        [domain/${dbDomain}]

     

       
79
       
 
       
        auth_provider = ldap

     

       
80
       
 
       
        id_provider = ldap

     

       
81
       
-
       
        ldap_uri = ldap://127.0.0.1:389

     

       
0
       
 
       

     

       
0
       
 
       

     

       
82
       
 
       
        ldap_search_base = ${dbSuffix}

     

       
83
       
 
       
        ldap_default_bind_dn = cn=${ldapRootUser},${dbSuffix}

     

       
84
       
 
       
        ldap_default_authtok_type = password

     
···

       
97
       
 
       
    else:

     

       
98
       
 
       
      machine.wait_for_console_text("Backend is online")

     

       
99
       
 
       
      machine.succeed("getent passwd ${testUser}")

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
100
       
 
       
  '';

     

       
101
       
 
       
})

     

···

       
6
       
 
       
  ldapRootPassword = "foobar";

     

       
7
       
 
       


     

       
8
       
 
       
  testUser = "alice";

     

       
9
       
+
       
  testPassword = "foobar";

     

       
10
       
+
       
  testNewPassword = "barfoo";

     

       
11
       
+
       
in

     

       
12
       
+
       
import ./make-test-python.nix ({ pkgs, ... }: {

     

       
13
       
 
       
  name = "sssd-ldap";

     

       
14
       
 
       


     

       
15
       
 
       
  meta = with pkgs.lib.maintainers; {

     

       
16
       
+
       
    maintainers = [ bbigras s1341 ];

     

       
17
       
 
       
  };

     

       
18
       
 
       


     

       
19
       
 
       
  nodes.machine = { pkgs, ... }: {

     

       
20
       
+
       
    security.pam.services.systemd-user.makeHomeDir = true;

     

       
21
       
+
       
    environment.etc."cert.pem".text = builtins.readFile ./common/acme/server/acme.test.cert.pem;

     

       
22
       
+
       
    environment.etc."key.pem".text = builtins.readFile ./common/acme/server/acme.test.key.pem;

     

       
23
       
 
       
    services.openldap = {

     

       
24
       
 
       
      enable = true;

     

       
25
       
+
       
      urlList = [ "ldap:///" "ldaps:///" ];

     

       
26
       
 
       
      settings = {

     

       
27
       
+
       
        attrs = {

     

       
28
       
+
       
          olcTLSCACertificateFile = "/etc/cert.pem";

     

       
29
       
+
       
          olcTLSCertificateFile = "/etc/cert.pem";

     

       
30
       
+
       
          olcTLSCertificateKeyFile = "/etc/key.pem";

     

       
31
       
+
       
          olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";

     

       
32
       
+
       
          olcTLSCRLCheck = "none";

     

       
33
       
+
       
          olcTLSVerifyClient = "never";

     

       
34
       
+
       
          olcTLSProtocolMin = "3.1";

     

       
35
       
+
       
        };

     

       
36
       
 
       
        children = {

     

       
37
       
 
       
          "cn=schema".includes = [

     

       
38
       
 
       
            "${pkgs.openldap}/etc/schema/core.ldif"

     
···

       
48
       
 
       
              olcSuffix = dbSuffix;

     

       
49
       
 
       
              olcRootDN = "cn=${ldapRootUser},${dbSuffix}";

     

       
50
       
 
       
              olcRootPW = ldapRootPassword;

     

       
51
       
+
       
              olcAccess = [

     

       
52
       
+
       
                /*

     

       
53
       
+
       
                  custom access rules for userPassword attributes

     

       
54
       
+
       
                  */

     

       
55
       
+
       
                ''

     

       
56
       
+
       
                  {0}to attrs=userPassword

     

       
57
       
+
       
                                    by self write

     

       
58
       
+
       
                                    by anonymous auth

     

       
59
       
+
       
                                    by * none''

     

       
60
       
+
       


     

       
61
       
+
       
                /*

     

       
62
       
+
       
                  allow read on anything else

     

       
63
       
+
       
                  */

     

       
64
       
+
       
                ''

     

       
65
       
+
       
                  {1}to *

     

       
66
       
+
       
                                    by * read''

     

       
67
       
+
       
              ];

     

       
68
       
 
       
            };

     

       
69
       
 
       
          };

     

       
70
       
 
       
        };

     
···

       
88
       
 
       
          dn: uid=${testUser},ou=accounts,ou=posix,${dbSuffix}

     

       
89
       
 
       
          objectClass: person

     

       
90
       
 
       
          objectClass: posixAccount

     

       
91
       
+
       
          userPassword: ${testPassword}

     

       
92
       
 
       
          homeDirectory: /home/${testUser}

     

       
93
       
 
       
          uidNumber: 1234

     

       
94
       
 
       
          gidNumber: 1234

     
···

       
111
       
 
       
        [domain/${dbDomain}]

     

       
112
       
 
       
        auth_provider = ldap

     

       
113
       
 
       
        id_provider = ldap

     

       
114
       
+
       
        ldap_uri = ldaps://127.0.0.1:636

     

       
115
       
+
       
        ldap_tls_reqcert = allow

     

       
116
       
+
       
        ldap_tls_cacert = /etc/cert.pem

     

       
117
       
 
       
        ldap_search_base = ${dbSuffix}

     

       
118
       
 
       
        ldap_default_bind_dn = cn=${ldapRootUser},${dbSuffix}

     

       
119
       
 
       
        ldap_default_authtok_type = password

     
···

       
132
       
 
       
    else:

     

       
133
       
 
       
      machine.wait_for_console_text("Backend is online")

     

       
134
       
 
       
      machine.succeed("getent passwd ${testUser}")

     

       
135
       
+
       


     

       
136
       
+
       
    with subtest("Log in as ${testUser}"):

     

       
137
       
+
       
        machine.wait_until_tty_matches("1", "login: ")

     

       
138
       
+
       
        machine.send_chars("${testUser}\n")

     

       
139
       
+
       
        machine.wait_until_tty_matches("1", "login: ${testUser}")

     

       
140
       
+
       
        machine.wait_until_succeeds("pgrep login")

     

       
141
       
+
       
        machine.wait_until_tty_matches("1", "Password: ")

     

       
142
       
+
       
        machine.send_chars("${testPassword}\n")

     

       
143
       
+
       
        machine.wait_until_succeeds("pgrep -u ${testUser} bash")

     

       
144
       
+
       
        machine.send_chars("touch done\n")

     

       
145
       
+
       
        machine.wait_for_file("/home/${testUser}/done")

     

       
146
       
+
       


     

       
147
       
+
       
    with subtest("Change ${testUser}'s password"):

     

       
148
       
+
       
        machine.send_chars("passwd\n")

     

       
149
       
+
       
        machine.wait_until_tty_matches("1", "Current Password: ")

     

       
150
       
+
       
        machine.send_chars("${testPassword}\n")

     

       
151
       
+
       
        machine.wait_until_tty_matches("1", "New Password: ")

     

       
152
       
+
       
        machine.send_chars("${testNewPassword}\n")

     

       
153
       
+
       
        machine.wait_until_tty_matches("1", "Reenter new Password: ")

     

       
154
       
+
       
        machine.send_chars("${testNewPassword}\n")

     

       
155
       
+
       
        machine.wait_until_tty_matches("1", "passwd: password updated successfully")

     

       
156
       
+
       


     

       
157
       
+
       
    with subtest("Log in as ${testUser} with new password in virtual console 2"):

     

       
158
       
+
       
        machine.send_key("alt-f2")

     

       
159
       
+
       
        machine.wait_until_succeeds("[ $(fgconsole) = 2 ]")

     

       
160
       
+
       
        machine.wait_for_unit("getty@tty2.service")

     

       
161
       
+
       
        machine.wait_until_succeeds("pgrep -f 'agetty.*tty2'")

     

       
162
       
+
       


     

       
163
       
+
       
        machine.wait_until_tty_matches("2", "login: ")

     

       
164
       
+
       
        machine.send_chars("${testUser}\n")

     

       
165
       
+
       
        machine.wait_until_tty_matches("2", "login: ${testUser}")

     

       
166
       
+
       
        machine.wait_until_succeeds("pgrep login")

     

       
167
       
+
       
        machine.wait_until_tty_matches("2", "Password: ")

     

       
168
       
+
       
        machine.send_chars("${testNewPassword}\n")

     

       
169
       
+
       
        machine.wait_until_succeeds("pgrep -u ${testUser} bash")

     

       
170
       
+
       
        machine.send_chars("touch done2\n")

     

       
171
       
+
       
        machine.wait_for_file("/home/${testUser}/done2")

     

       
172
       
 
       
  '';

     

       
173
       
 
       
})

     

···

       
44
       
 
       
  doCheck = false; # fails

     

       
45
       
 
       


     

       
46
       
 
       
  passthru.tests = {

     

       
47
       
-
       
    inherit (nixosTests) pam-oath-login pam-u2f shadow;

     

       
48
       
 
       
  };

     

       
49
       
 
       


     

       
50
       
 
       
  meta = with lib; {

     

···

       
44
       
 
       
  doCheck = false; # fails

     

       
45
       
 
       


     

       
46
       
 
       
  passthru.tests = {

     

       
47
       
+
       
    inherit (nixosTests) pam-oath-login pam-u2f shadow sssd-ldap;

     

       
48
       
 
       
  };

     

       
49
       
 
       


     

       
50
       
 
       
  meta = with lib; {