#!/bin/sh
# Test harness: set up a local slapd and sssd on this host, then exercise
# sudo as two LDAP users (one with, one without sudo membership).
set -e
# DEBIAN_FRONTEND=noninteractive apt --yes install adduser slapd ldap-utils sssd cron sudo man-db procps vim whiptail
# slappasswd -s kkkk
TESTNR="04"
BASEDIR="$(pwd)/debian/tests"
COMMONDIR="${BASEDIR}/common"
DIR="${BASEDIR}/${TESTNR}"
PATH="/bin:/usr/bin:/sbin:/usr/sbin"
ACCTA="testuser1"
ACCTB="testuser2"
PASSWD="test${TESTNR}23456"
HOMEDIRA="/home/${ACCTA}"
HOMEDIRB="/home/${ACCTB}"
LDIFDIR="${DIR}/ldif"
SSSDCONF="/etc/sssd/sssd.conf"
RUNDIR="/run/slapd"
VARRUNDIR="/var/run/slapd"
# stop the daemons started below and drop the fake syslog socket on exit or signal
trap '
kill $(pidof slapd) 2>/dev/null || true
kill $(pidof sssd) 2>/dev/null || true
kill $(pidof socat) 2>/dev/null || true
rm -f /dev/log || true
' 0 INT QUIT ABRT PIPE TERM
# openssl req -x509 -days 365 -nodes -newkey rsa:4096 -keyout server_key.pem -out server_cert.pem --subj "/C=DE/CN=emptysid86.zugschlus.de"
printf "make and chown dirs ... "
mkdir -p "${RUNDIR}" "${VARRUNDIR}"
chown openldap "${VARRUNDIR}"
< ${LDIFDIR}/debconf debconf-set-selections
printf "clean up ldap database ... "
rm -rf /var/lib/ldap/*.mdb
printf "move configuration in place ... "
mkdir -p /etc/ldap /etc/sssd
cp ${LDIFDIR}/server_*.pem /etc/ldap/
cp ${LDIFDIR}/ldap.conf /etc/ldap/
chown openldap:openldap /etc/ldap/server_*.pem
chmod 600 /etc/ldap/server_key.pem
# slapd.conf is only needed for OpenLDAP 2.4 on bullseye
# but since it's already there now, use it for OpenLDAP 2.5+ as well
# this is a testsuite. If you want /etc/ldap/slapd.d to be used (again),
# please submit a patch that will also work on bullseye.
cp ${LDIFDIR}/slapd.conf /etc/ldap/
cp ${LDIFDIR}/sssd.conf /etc/sssd
chown root:root /etc/sssd/sssd.conf
chmod 600 /etc/sssd/sssd.conf
cp ${LDIFDIR}/slapd-default /etc/default/slapd
echo "slapd: [::1]" >> /etc/hosts.allow
printf "reconfigure slapd ... "
DEBIAN_FRONTEND=noninteractive dpkg-reconfigure -pcritical slapd 2>/dev/null
kill $(pidof slapd) 2>/dev/null || true
sleep 1
if ! [ -S /dev/log ]; then
echo "starting fake syslog socket on /dev/log"
# remove stale file if present
[ -e /dev/log ] && rm -f /dev/log
socat -u UNIX-RECV:/dev/log,mode=666 STDOUT >/dev/null 2>/dev/null &
fi
printf "start slapd ... "
slapd -f /etc/ldap/slapd.conf -h "ldaps://:1636/ ldapi:///" -g openldap -u openldap
printf "check slapd running .... "
pgrep -a slapd
# ldapsearch -x -LLL -s base -b "" namingContexts should work here
printf "add users and groups OUs ...\n"
ldapadd -x -c -D "cn=admin,dc=example,dc=com" -w ldappw -f ${LDIFDIR}/sss-ous.ldif 2>/dev/null || true
printf "sssd.conf ...\n"
cp ${LDIFDIR}/sssd.conf "${SSSDCONF}"
printf "sudoers file ...\n"
mkdir -p /etc/sudoers.d/
cp ${LDIFDIR}/ldapsudoers /etc/sudoers.d/
chown root:root "${SSSDCONF}" /etc/sudoers.d/ /etc/sudoers.d/*
chmod 755 /etc/sudoers.d/
chmod 600 "${SSSDCONF}" /etc/sudoers.d/*
printf "start sssd ..."
kill $(pidof sssd) 2>/dev/null || true
sleep 1
sssd --logger=files -D
printf "check sssd running .... "
pgrep -a sssd
printf "add users ..."
for user in testuser1 testuser2; do
ldapadd -x -D "cn=admin,dc=example,dc=com" -w ldappw -f ${LDIFDIR}/${user}.ldif 2>/dev/null
getent passwd ${user}
mkdir -p /home/${user}
chown ${user}:nogroup /home/${user}
done
ldapadd -x -D "cn=admin,dc=example,dc=com" -w ldappw -f ${LDIFDIR}/ldapsudoers.ldif 2>/dev/null
# ldapsearch -x -D "cn=admin,dc=example,dc=com" -w ldappw -b "dc=example,dc=com" -s sub "(objectclass=*)" should work here.
printf "========= test %s.1: account group member, correct password\n" "${TESTNR}"
RET=0
printf "trying %s with correct password\n" "${ACCTA}"
# asuser (in COMMONDIR) runs the sudo check as the user; capture its exit status without tripping set -e
su - "${ACCTA}" -c "${COMMONDIR}/asuser ${PASSWD}" || RET=$?
printf "%s with correct password, return value %s\n" "${ACCTA}" "${RET}"
if [ "$(cat ${HOMEDIRA}/stdout)" != "0" ]; then
printf >&2 "id -u did not give 0\n"
printf >&2 "stdout:\n"
cat >&2 ${HOMEDIRA}/stdout
printf >&2 "stderr:\n"
cat >&2 ${HOMEDIRA}/stderr
printf >&2 "exit code %s\n" "${RET}"
printf >&2 "exit 1\n"
exit 1
fi
printf "========= test %s.2: account group member, wrong password\n" "${TESTNR}"
# the glob must stay outside the quotes or nothing is removed
rm -f "${HOMEDIRA}"/std*
RET=0
printf "trying %s with wrong password\n" "${ACCTA}"
su - "${ACCTA}" -c "${COMMONDIR}/asuser wrongpasswd" || RET=$?
printf "%s with wrong password, return value %s\n" "${ACCTA}" "${RET}"
head -n-0 ${HOMEDIRA}/stdout ${HOMEDIRA}/stderr
printf -- "\n-------\n"
for string in "[sudo] password for ${ACCTA}" "Sorry, try again" "sudo: no password was provided" "sudo: 1 incorrect password attempt"; do
if ! grep -F "${string}" ${HOMEDIRA}/stderr; then
printf "%s missing in stderr output\n" "${string}"
printf >&2 "stdout:\n"
cat >&2 ${HOMEDIRA}/stdout
printf >&2 "stderr:\n"
cat >&2 ${HOMEDIRA}/stderr
printf >&2 "\nexit code %s\n" "${RET}"
printf >&2 -- "------\n exit 1\n"
exit 1
fi
done
printf "========= test %s.3: account not group member, correct password\n" "${TESTNR}"
RET=0
printf "trying %s (no sudo membership) with correct password\n" "${ACCTB}"
su - "${ACCTB}" -c "${COMMONDIR}/asuser ${PASSWD}" || RET=$?
printf "%s with correct password, return value %s\n" "${ACCTB}" "${RET}"
head -n-0 ${HOMEDIRB}/stdout ${HOMEDIRB}/stderr
printf -- "\n-------\n"
for string in "[sudo] password for ${ACCTB}: ${ACCTB} is not in the sudoers file." ; do
if ! grep -q -F "${string}" ${HOMEDIRB}/stderr; then
printf "%s missing in stderr output\n" "${string}"
printf >&2 "stdout:\n"
cat >&2 ${HOMEDIRB}/stdout
printf >&2 "stderr:\n"
cat >&2 ${HOMEDIRB}/stderr
printf >&2 "\nexit code %s\n" "${RET}"
printf >&2 -- "------\n exit 1\n"
exit 1
fi
done
printf "test series successful, exit 0\n"
exit 0