File: 04-getroot-sssd

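#!/bin/sh

set -e

# DEBIAN_FRONTEND=noninteractive apt --yes install adduser slapd ldap-utils sssd cron sudo man-db procps vim whiptail
# slappasswd -s kkkk

# Test 04: sudo authorisation through sssd, backed by a local slapd.
# Must run as root from the top of the source tree, because BASEDIR is
# derived from $(pwd).
TESTNR="04"
BASEDIR="$(pwd)/debian/tests"
COMMONDIR="${BASEDIR}/common"
DIR="${BASEDIR}/${TESTNR}"
PATH="/bin:/usr/bin:/sbin:/usr/sbin"
# ACCTA is exercised as the "group member" account, ACCTB as the account
# without sudo membership (see the test headings further down).
ACCTA="testuser1"
ACCTB="testuser2"
# Throw-away test password. It is handed to asuser on the command line and
# is therefore visible in the process list while the test runs.
PASSWD="test${TESTNR}23456"
HOMEDIRA="/home/${ACCTA}"
HOMEDIRB="/home/${ACCTB}"
LDIFDIR="${DIR}/ldif"
SSSDCONF="/etc/sssd/sssd.conf"
RUNDIR="/run/slapd"
VARRUNDIR="/var/run/slapd"

# Clean up on exit and on the usual signals. /dev/log is only removed when
# the fake syslog receiver (socat) started by this script is still around:
# if the host already had a real syslog socket, socat was never started and
# the real socket must not be deleted.
trap '
  kill $(pidof slapd) 2>/dev/null || true
  kill $(pidof sssd) 2>/dev/null || true
  if pidof socat >/dev/null 2>&1; then
    kill $(pidof socat) 2>/dev/null || true
    rm -f /dev/log || true
  fi
' 0 INT QUIT ABRT PIPE TERM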

# openssl req -x509 -days 365 -nodes -newkey rsa:4096 -keyout server_key.pem -out server_cert.pem --subj "/C=DE/CN=emptysid86.zugschlus.de"

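printf "make and chown dirs ... "
mkdir -p "${RUNDIR}" "${VARRUNDIR}"
chown openldap "${VARRUNDIR}"
# preseed the debconf answers used by the dpkg-reconfigure call below
debconf-set-selections < "${LDIFDIR}/debconf"

printf "clean up ldap database ... "
rm -rf /var/lib/ldap/*.mdb

printf "move configuration in place ... "
mkdir -p /etc/ldap /etc/sssd
# the glob must stay outside the quotes so that server_cert.pem and
# server_key.pem are both copied
cp "${LDIFDIR}"/server_*.pem /etc/ldap/
cp "${LDIFDIR}/ldap.conf" /etc/ldap/
chown openldap:openldap /etc/ldap/server_*.pem
chmod 600 /etc/ldap/server_key.pem
# slapd.conf is only needed for OpenLDAP 2.4 on bullseye
# but since it's already there now, use it for OpenLDAP 2.5+ as well
# this is a testsuite. If you want /etc/ldap/slapd.d to be used (again),
# please submit a patch that will also work on bullseye.
cp "${LDIFDIR}/slapd.conf" /etc/ldap/
cp "${LDIFDIR}/sssd.conf" /etc/sssd
chown root:root /etc/sssd/sssd.conf
chmod 600 /etc/sssd/sssd.conf
cp "${LDIFDIR}/slapd-default" /etc/default/slapd
# hosts.allow entry for slapd on the IPv6 loopback; only append it when it
# is not there yet, so repeated runs do not pile up duplicate lines
if ! grep -qxF "slapd: [::1]" /etc/hosts.allow 2>/dev/null; then
  echo "slapd: [::1]" >> /etc/hosts.allow
fi

printf "reconfigure slapd ... "
DEBIAN_FRONTEND=noninteractive dpkg-reconfigure -pcritical slapd 2>/dev/null
# stop whatever slapd instance is running now; the test starts its own
# below with the slapd.conf copied above
kill $(pidof slapd) 2>/dev/null || true
sleep 1

# Provide a sink for /dev/log when the host has no syslog socket (presumably
# so that daemons logging via syslog do not block or complain). The trap at
# the top of the script stops socat and removes the socket again.
if ! [ -S /dev/log ]; then
  echo "starting fake syslog socket on /dev/log"

  # remove stale file if present
  [ -e /dev/log ] && rm -f /dev/log

  socat -u UNIX-RECV:/dev/log,mode=666 STDOUT >/dev/null 2>/dev/null &
fi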

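printf "start slapd ... "
# ldaps listener on port 1636 plus an ldapi (Unix socket) listener,
# running as the openldap user
slapd -f /etc/ldap/slapd.conf -h "ldaps://:1636/ ldapi:///" -g openldap -u openldap

printf "check slapd running .... "
pgrep -a slapd
# ldapsearch -x -LLL -s base -b "" namingContexts should work here

printf "add users and groups OUs ...\n"
# -c lets ldapadd continue after an error; any failure of this step is
# tolerated (|| true) rather than aborting under set -e
ldapadd -x -c -D "cn=admin,dc=example,dc=com" -w ldappw -f "${LDIFDIR}/sss-ous.ldif" 2>/dev/null || true

printf "sssd.conf ...\n"
cp "${LDIFDIR}/sssd.conf" "${SSSDCONF}"

printf "sudoers file ...\n"
mkdir -p /etc/sudoers.d/
cp "${LDIFDIR}/ldapsudoers" /etc/sudoers.d/
# sudo refuses sudoers.d fragments that are not root-owned or are writable
# by others; sssd.conf is kept root-only as well
chown root:root "${SSSDCONF}" /etc/sudoers.d/ /etc/sudoers.d/*
chmod 755 /etc/sudoers.d/
chmod 600 "${SSSDCONF}" /etc/sudoers.d/*

printf "start sssd ..."
kill $(pidof sssd) 2>/dev/null || true
sleep 1
sssd --logger=files -D

printf "check sssd running .... "
pgrep -a sssd

printf "add users ..."
# the same two accounts the tests below use
for user in "${ACCTA}" "${ACCTB}"; do
  ldapadd -x -D "cn=admin,dc=example,dc=com" -w ldappw -f "${LDIFDIR}/${user}.ldif" 2>/dev/null
  # under set -e this aborts the run if the new user is not resolvable
  # through NSS yet, before the home directory is created and chowned
  getent passwd "${user}"
  mkdir -p "/home/${user}"
  chown "${user}:nogroup" "/home/${user}"
done
ldapadd -x -D "cn=admin,dc=example,dc=com" -w ldappw -f "${LDIFDIR}/ldapsudoers.ldif" 2>/dev/null
# ldapsearch -x -D "cn=admin,dc=example,dc=com" -w ldappw -b "dc=example,dc=com" -s sub "(objectclass=*)" should work here.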

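# "\." is not a printf escape and was printed literally; a plain "." is meant
printf "========= test %s.1: account group member, correct password\n" "${TESTNR}"
RET=0
printf "trying %s with correct password\n" "${ACCTA}"
# asuser (in COMMONDIR, not part of this file) is expected to leave its
# stdout/stderr in ${HOMEDIRA}; its exit status is recorded instead of
# aborting the script under set -e
su - "${ACCTA}" -c "${COMMONDIR}/asuser ${PASSWD}" || RET=$?
printf "%s with correct password, return value %s\n" "${ACCTA}" "${RET}"
# the captured stdout must be the "0" of 'id -u' run as root
if [ "$(cat "${HOMEDIRA}/stdout")" != "0" ]; then
  printf >&2 "id -u did not give 0\n"
  printf >&2 "stdout:\n"
  cat >&2 "${HOMEDIRA}/stdout"
  printf >&2 "stderr:\n"
  cat >&2 "${HOMEDIRA}/stderr"
  printf >&2 "exit code %s\n" "${RET}"
  # no extra argument here: a surplus argument makes printf reuse the format
  # and print the line twice
  printf >&2 "exit 1\n"
  exit 1
fi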

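printf "========= test %s.2: account group member, wrong password\n" "${TESTNR}"
# drop the output files of test 1; the glob has to stay outside the quotes,
# otherwise rm looks for a file literally named "std*" and removes nothing
rm -f "${HOMEDIRA}"/std*
RET=0
printf "trying %s with wrong password\n" "${ACCTA}"
su - "${ACCTA}" -c "${COMMONDIR}/asuser wrongpasswd" || RET=$?
printf "%s with wrong password, return value %s\n" "${ACCTA}" "${RET}"
# print both files with a header each (GNU head: -n-0 means "all lines")
head -n-0 "${HOMEDIRA}/stdout" "${HOMEDIRA}/stderr"
printf -- "\n-------\n"
# each expected sudo diagnostic must show up in stderr; grep is not quiet
# here, so the matching line is echoed into the transcript
for string in "[sudo] password for ${ACCTA}" "Sorry, try again" "sudo: no password was provided" "sudo: 1 incorrect password attempt"; do
  if ! grep -F -- "${string}" "${HOMEDIRA}/stderr"; then
    printf "%s missing in stderr output\n" "${string}"
    printf >&2 "stdout:\n"
    cat >&2 "${HOMEDIRA}/stdout"
    printf >&2 "stderr:\n"
    cat >&2 "${HOMEDIRA}/stderr"
    printf >&2 "\nexit code %s\n" "${RET}"
    printf >&2 -- "------\n exit 1\n"
    exit 1
  fi
done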

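printf "========= test %s.3: account not group member, correct password\n" "${TESTNR}"
# reset the status left over from test 2, so the value reported below is
# this test's own (RET is only assigned when su fails)
RET=0
printf "trying %s (no sudo membership) with correct password\n" "${ACCTB}"
su - "${ACCTB}" -c "${COMMONDIR}/asuser ${PASSWD}" || RET=$?
printf "%s with correct password, return value %s\n" "${ACCTB}" "${RET}"
head -n-0 "${HOMEDIRB}/stdout" "${HOMEDIRB}/stderr"
printf -- "\n-------\n"
# sudo must have refused the account; the exact refusal text is required
for string in "[sudo] password for ${ACCTB}: ${ACCTB} is not in the sudoers file." ; do
  if ! grep -q -F -- "${string}" "${HOMEDIRB}/stderr"; then
    printf "%s missing in stderr output\n" "${string}"
    printf >&2 "stdout:\n"
    cat >&2 "${HOMEDIRB}/stdout"
    printf >&2 "stderr:\n"
    cat >&2 "${HOMEDIRB}/stderr"
    printf >&2 "\nexit code %s\n" "${RET}"
    printf >&2 -- "------\n exit 1\n"
    exit 1
  fi
done

printf "test series sucessful, exit 0\n"
exit 0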