[NixPkgs.git] / nixos / tests / sssd-ldap.nix
let
  # Directory naming shared by the OpenLDAP server and the SSSD client
  # configured in nodes.machine.
  dbDomain = "example.org";
  dbSuffix = "dc=example,dc=org";

  # Root DN credentials of the test directory. The password is a fixed
  # plaintext literal that is interpolated into olcRootPW and into the SSSD
  # environment file, so it is a throwaway fixture, not a secret.
  ldapRootUser = "admin";
  ldapRootPassword = "foobar";

  # POSIX account created in the directory and looked up by the test script.
  testUser = "alice";
in import ./make-test-python.nix ({pkgs, ...}: {
  name = "sssd-ldap";

  meta = with pkgs.lib.maintainers; {
    maintainers = [ bbigras ];
  };
  # Single test VM that runs both the OpenLDAP server and the SSSD client;
  # SSSD reaches slapd over the loopback address set in ldap_uri.
  nodes.machine = { pkgs, ... }: {
    services.openldap = {
      enable = true;
      settings = {
        children = {
          # Stock schemas shipped with the openldap package; the directory
          # entries below use the person and posixAccount object classes.
          "cn=schema".includes = [
            "${pkgs.openldap}/etc/schema/core.ldif"
            "${pkgs.openldap}/etc/schema/cosine.ldif"
            "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
            "${pkgs.openldap}/etc/schema/nis.ldif"
          ];
          "olcDatabase={1}mdb" = {
            attrs = {
              objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
              olcDatabase = "{1}mdb";
              olcDbDirectory = "/var/lib/openldap/db";
              olcSuffix = dbSuffix;
              olcRootDN = "cn=${ldapRootUser},${dbSuffix}";
              # Test fixture only: the root password is the plaintext literal
              # from the let block, so it is part of the evaluated
              # configuration. A real deployment would use a hashed value or
              # load the secret from a file kept outside the Nix store.
              olcRootPW = ldapRootPassword;
            };
          };
        };
      };
      # Initial directory contents as LDIF, keyed by database suffix: the
      # suffix entry, two organizational units and one POSIX account.
      # userPassword is left commented out, so the account carries no LDAP
      # password and only identity lookup can be exercised against it.
      declarativeContents = {
        ${dbSuffix} = ''
          dn: ${dbSuffix}
          objectClass: top
          objectClass: dcObject
          objectClass: organization
          o: ${dbDomain}

          dn: ou=posix,${dbSuffix}
          objectClass: top
          objectClass: organizationalUnit

          dn: ou=accounts,ou=posix,${dbSuffix}
          objectClass: top
          objectClass: organizationalUnit

          dn: uid=${testUser},ou=accounts,ou=posix,${dbSuffix}
          objectClass: person
          objectClass: posixAccount
          # userPassword: somePasswordHash
          homeDirectory: /home/${testUser}
          uidNumber: 1234
          gidNumber: 1234
          cn: ""
          sn: ""
        '';
      };
    };

    services.sssd = {
      enable = true;
      # just for testing purposes, don't put this into the Nix store in production!
      # writeText places the bind password in a world-readable store path;
      # outside a test, point environmentFile at a file that is provisioned
      # outside the store.
      environmentFile = "${pkgs.writeText "ldap-root" "LDAP_BIND_PW=${ldapRootPassword}"}";
      # SSSD configuration. Points to review before reusing it elsewhere:
      #   - $LDAP_BIND_PW is a placeholder for the variable defined in
      #     environmentFile (presumably substituted by the services.sssd
      #     module when the service starts; confirm against the module).
      #   - ldap_default_bind_dn is the same DN as olcRootDN, so SSSD binds
      #     as the directory's root DN, which OpenLDAP exempts from access
      #     controls. A deployment would normally use a dedicated read-only
      #     bind account instead.
      #   - ldap_uri is plain ldap:// with no TLS options set, so the bind
      #     password is sent unencrypted; here client and server share the
      #     VM and the traffic stays on loopback.
      config = ''
        [sssd]
        config_file_version = 2
        services = nss, pam, sudo
        domains = ${dbDomain}

        [domain/${dbDomain}]
        auth_provider = ldap
        id_provider = ldap
        ldap_uri = ldap://127.0.0.1:389
        ldap_search_base = ${dbSuffix}
        ldap_default_bind_dn = cn=${ldapRootUser},${dbSuffix}
        ldap_default_authtok_type = password
        ldap_default_authtok = $LDAP_BIND_PW
      '';
    };
  };
  # Test driver: wait for openldap.service and sssd.service, then check that
  # the directory user resolves through `getent passwd`. If the first lookup
  # fails, wait for "Backend is online" on the console and require a second
  # lookup to succeed. Only identity lookup is covered; the script never
  # authenticates as the test user.
  testScript = ''
    machine.start()
    machine.wait_for_unit("openldap.service")
    machine.wait_for_unit("sssd.service")
    result = machine.execute("getent passwd ${testUser}")
    if result[0] == 0:
      assert "${testUser}" in result[1]
    else:
      machine.wait_for_console_text("Backend is online")
      machine.succeed("getent passwd ${testUser}")
  '';