vuls: init at 0.27.0
[NixPkgs.git] / nixos / tests / sssd-ldap.nix
blob60f3b1a415dafa596c285d7cc2aceef30df93d68
1 let
2   dbDomain = "example.org";
3   dbSuffix = "dc=example,dc=org";
5   ldapRootUser = "admin";
6   ldapRootPassword = "foobar";
8   testUser = "alice";
9   testPassword = "foobar";
10   testNewPassword = "barfoo";
12 import ./make-test-python.nix ({ pkgs, ... }: {
13   name = "sssd-ldap";
15   meta = with pkgs.lib.maintainers; {
16     maintainers = [ bbigras s1341 ];
17   };
19   nodes.machine = { pkgs, ... }: {
20     security.pam.services.systemd-user.makeHomeDir = true;
21     environment.etc."cert.pem".text = builtins.readFile ./common/acme/server/acme.test.cert.pem;
22     environment.etc."key.pem".text = builtins.readFile ./common/acme/server/acme.test.key.pem;
23     services.openldap = {
24       enable = true;
25       urlList = [ "ldap:///" "ldaps:///" ];
26       settings = {
27         attrs = {
28           olcTLSCACertificateFile = "/etc/cert.pem";
29           olcTLSCertificateFile = "/etc/cert.pem";
30           olcTLSCertificateKeyFile = "/etc/key.pem";
31           olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
32           olcTLSCRLCheck = "none";
33           olcTLSVerifyClient = "never";
34           olcTLSProtocolMin = "3.1";
35         };
36         children = {
37           "cn=schema".includes = [
38             "${pkgs.openldap}/etc/schema/core.ldif"
39             "${pkgs.openldap}/etc/schema/cosine.ldif"
40             "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
41             "${pkgs.openldap}/etc/schema/nis.ldif"
42           ];
43           "olcDatabase={1}mdb" = {
44             attrs = {
45               objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
46               olcDatabase = "{1}mdb";
47               olcDbDirectory = "/var/lib/openldap/db";
48               olcSuffix = dbSuffix;
49               olcRootDN = "cn=${ldapRootUser},${dbSuffix}";
50               olcRootPW = ldapRootPassword;
51               olcAccess = [
52                 /*
53                   custom access rules for userPassword attributes
54                   */
55                 ''
56                   {0}to attrs=userPassword
57                                     by self write
58                                     by anonymous auth
59                                     by * none''
61                 /*
62                   allow read on anything else
63                   */
64                 ''
65                   {1}to *
66                                     by * read''
67               ];
68             };
69           };
70         };
71       };
72       declarativeContents = {
73         ${dbSuffix} = ''
74           dn: ${dbSuffix}
75           objectClass: top
76           objectClass: dcObject
77           objectClass: organization
78           o: ${dbDomain}
80           dn: ou=posix,${dbSuffix}
81           objectClass: top
82           objectClass: organizationalUnit
84           dn: ou=accounts,ou=posix,${dbSuffix}
85           objectClass: top
86           objectClass: organizationalUnit
88           dn: uid=${testUser},ou=accounts,ou=posix,${dbSuffix}
89           objectClass: person
90           objectClass: posixAccount
91           userPassword: ${testPassword}
92           homeDirectory: /home/${testUser}
93           uidNumber: 1234
94           gidNumber: 1234
95           cn: ""
96           sn: ""
97         '';
98       };
99     };
101     services.sssd = {
102       enable = true;
103       # just for testing purposes, don't put this into the Nix store in production!
104       environmentFile = "${pkgs.writeText "ldap-root" "LDAP_BIND_PW=${ldapRootPassword}"}";
105       config = ''
106         [sssd]
107         config_file_version = 2
108         services = nss, pam, sudo
109         domains = ${dbDomain}
111         [domain/${dbDomain}]
112         auth_provider = ldap
113         id_provider = ldap
114         ldap_uri = ldaps://127.0.0.1:636
115         ldap_tls_reqcert = allow
116         ldap_tls_cacert = /etc/cert.pem
117         ldap_search_base = ${dbSuffix}
118         ldap_default_bind_dn = cn=${ldapRootUser},${dbSuffix}
119         ldap_default_authtok_type = password
120         ldap_default_authtok = $LDAP_BIND_PW
121       '';
122     };
123   };
125   testScript = ''
126     machine.start()
127     machine.wait_for_unit("openldap.service")
128     machine.wait_for_unit("sssd.service")
129     result = machine.execute("getent passwd ${testUser}")
130     if result[0] == 0:
131       assert "${testUser}" in result[1]
132     else:
133       machine.wait_for_console_text("Backend is online")
134       machine.succeed("getent passwd ${testUser}")
136     with subtest("Log in as ${testUser}"):
137         machine.wait_until_tty_matches("1", "login: ")
138         machine.send_chars("${testUser}\n")
139         machine.wait_until_tty_matches("1", "login: ${testUser}")
140         machine.wait_until_succeeds("pgrep login")
141         machine.wait_until_tty_matches("1", "Password: ")
142         machine.send_chars("${testPassword}\n")
143         machine.wait_until_succeeds("pgrep -u ${testUser} bash")
144         machine.send_chars("touch done\n")
145         machine.wait_for_file("/home/${testUser}/done")
147     with subtest("Change ${testUser}'s password"):
148         machine.send_chars("passwd\n")
149         machine.wait_until_tty_matches("1", "Current Password: ")
150         machine.send_chars("${testPassword}\n")
151         machine.wait_until_tty_matches("1", "New Password: ")
152         machine.send_chars("${testNewPassword}\n")
153         machine.wait_until_tty_matches("1", "Reenter new Password: ")
154         machine.send_chars("${testNewPassword}\n")
155         machine.wait_until_tty_matches("1", "passwd: password updated successfully")
157     with subtest("Log in as ${testUser} with new password in virtual console 2"):
158         machine.send_key("alt-f2")
159         machine.wait_until_succeeds("[ $(fgconsole) = 2 ]")
160         machine.wait_for_unit("getty@tty2.service")
161         machine.wait_until_succeeds("pgrep -f 'agetty.*tty2'")
163         machine.wait_until_tty_matches("2", "login: ")
164         machine.send_chars("${testUser}\n")
165         machine.wait_until_tty_matches("2", "login: ${testUser}")
166         machine.wait_until_succeeds("pgrep login")
167         machine.wait_until_tty_matches("2", "Password: ")
168         machine.send_chars("${testNewPassword}\n")
169         machine.wait_until_succeeds("pgrep -u ${testUser} bash")
170         machine.send_chars("touch done2\n")
171         machine.wait_for_file("/home/${testUser}/done2")
172   '';