Diffstat (limited to '')
-rwxr-xr-xdebian/tests/01-getroot100
-rwxr-xr-xdebian/tests/02-1003969-audit-no-resolve43
-rwxr-xr-xdebian/tests/03-getroot-ldap132
-rw-r--r--debian/tests/03/ldif/container.ldif5
-rw-r--r--debian/tests/03/ldif/debconf16
-rw-r--r--debian/tests/03/ldif/sudoers.ldif32
-rwxr-xr-xdebian/tests/04-getroot-sssd138
-rw-r--r--debian/tests/04/ldif/adminpw-example-com.ldif4
-rw-r--r--debian/tests/04/ldif/adminpw.ldif7
-rw-r--r--debian/tests/04/ldif/container.ldif5
-rw-r--r--debian/tests/04/ldif/debconf15
-rw-r--r--debian/tests/04/ldif/ldap.conf6
-rw-r--r--debian/tests/04/ldif/ldapsudoers1
-rw-r--r--debian/tests/04/ldif/ldapsudoers.ldif6
-rw-r--r--debian/tests/04/ldif/server_cert.pem30
-rw-r--r--debian/tests/04/ldif/server_key.pem52
-rw-r--r--debian/tests/04/ldif/slapd-default7
-rw-r--r--debian/tests/04/ldif/sss-ous.ldif9
-rwxr-xr-xdebian/tests/04/ldif/sssd.conf24
-rw-r--r--debian/tests/04/ldif/testuser1.ldif16
-rw-r--r--debian/tests/04/ldif/testuser2.ldif17
-rw-r--r--debian/tests/04/ldif/tls.ldif10
-rwxr-xr-xdebian/tests/common/asuser7
-rw-r--r--debian/tests/control16
24 files changed, 698 insertions, 0 deletions
diff --git a/debian/tests/01-getroot b/debian/tests/01-getroot
new file mode 100755
index 0000000..4edef3e
--- /dev/null
+++ b/debian/tests/01-getroot
@@ -0,0 +1,100 @@
+#!/bin/sh
+
+set -e
+
+# set a root password so that we can later replace sudo with sudo-ldap
+# see #1001858
+passwd=$(getent shadow root|cut -f2 -d:)
+passwd1=$(echo "$passwd" |cut -c1)
+# Note: we do need the 'xfoo' syntax here, since POSIX special-cases
+# the $passwd value '!' as negation.
+if [ "x$passwd" = "x*" ] || [ "x$passwd1" = "x!" ]; then
+ echo "root:rootpassword" | chpasswd
+fi
+
+TESTNR="01"
+BASEDIR="$(pwd)/debian/tests"
+COMMONDIR="${BASEDIR}/common"
+DIR="${BASEDIR}/${TESTNR}"
+PATH="/bin:/usr/bin:/sbin:/usr/sbin"
+ACCTA="test${TESTNR}a"
+ACCTB="test${TESTNR}b"
+PASSWD="test${TESTNR}23456"
+HOMEDIRA="/home/${ACCTA}"
+HOMEDIRB="/home/${ACCTB}"
+LDIFDIR="${DIR}/ldif"
+
+trap '
+ deluser --remove-home "${ACCTA}" 2>/dev/null || true
+ deluser --remove-home "${ACCTB}" 2>/dev/null || true
+' 0 INT QUIT ABRT PIPE TERM
+
+printf > /etc/hosts "127.0.1.1 %s\n" "$(hostname)"
+cat /etc/hosts
+
+printf "========= test %s\.1: account group member, correct password\n" "${TESTNR}"
+deluser ${ACCTA} 2>/dev/null || true
+adduser --disabled-password --home "${HOMEDIRA}" --gecos "" "${ACCTA}"
+printf "%s:%s\n" "${ACCTA}" "${PASSWD}" | chpasswd
+adduser "${ACCTA}" sudo
+RET=0
+printf "trying %s with correct password\n" "${ACCTA}"
+su - "${ACCTA}" -c "${COMMONDIR}/asuser ${PASSWD}" || RET=$?
+printf "%s with correct password, return value %s\n" "${ACCTA}" "${RET}"
+if [ "$(cat ${HOMEDIRA}/stdout)" != "0" ]; then
+ echo >&2 id -u did not give 0
+ printf >&2 "stdout:\n"
+ cat >&2 ${HOMEDIRA}/stdout
+ printf >&2 "stderr:\n"
+ cat >&2 ${HOMEDIRA}/stderr
+ printf >&2 "exit code %s\n" "${RET}"
+ printf >&2 "exit 1\n" "${RET}"
+ exit 1
+fi
+
+printf "========= test %s\.2: account group member, wrong password\n" "${TESTNR}"
+rm -f "${HOMEDIRA}/std*"
+RET=0
+printf "trying %s with wrong password\n" "${ACCTA}"
+su - "${ACCTA}" -c "${COMMONDIR}/asuser wrongpasswd" || RET=$?
+printf "%s with wrong password, return value %s\n" "${ACCTA}" "${RET}"
+head -n-0 ${HOMEDIRA}/stdout ${HOMEDIRA}/stderr
+printf -- "\n-------\n"
+for string in "[sudo] password for ${ACCTA}" "Sorry, try again" "sudo: no password was provided" "sudo: 1 incorrect password attempt"; do
+ if ! grep -F "${string}" ${HOMEDIRA}/stderr; then
+ printf "%s missing in stderr output\n" "${string}"
+ printf >&2 "stdout:\n"
+ cat >&2 ${HOMEDIRA}/stdout
+ printf >&2 "stderr:\n"
+ cat >&2 ${HOMEDIRA}/stderr
+ printf >&2 "\nexit code %s\n" "${RET}"
+ printf >&2 -- "------\n exit 1\n"
+ exit 1
+ fi
+done
+
+printf "========= test %s\.3: account not group member, correct password\n" "${TESTNR}"
+deluser ${ACCTB} 2>/dev/null || true
+adduser --disabled-password --home "${HOMEDIRB}" --gecos "" "${ACCTB}"
+printf "%s:%s\n" "${ACCTB}" "${PASSWD}" | chpasswd
+RET=0
+printf "trying %s (no sudo membership) with correct password\n" "${ACCTB}"
+su - "${ACCTB}" -c "${COMMONDIR}/asuser ${PASSWD}" || RET=$?
+printf "%s with correct password, return value %s\n" "${ACCTB}" "${RET}"
+head -n-0 ${HOMEDIRB}/stdout ${HOMEDIRA}/stderr
+printf -- "\n-------\n"
+for string in "[sudo] password for ${ACCTB}" "${ACCTB} is not in the sudoers file"; do
+ if ! grep -F "${string}" ${HOMEDIRB}/stderr; then
+ printf "%s missing in stderr output\n" "${string}"
+ printf >&2 "stdout:\n"
+ cat >&2 ${HOMEDIRB}/stdout
+ printf >&2 "stderr:\n"
+ cat >&2 ${HOMEDIRB}/stderr
+ printf >&2 "\nexit code %s\n" "${RET}"
+ printf >&2 -- "------\n exit 1\n"
+ exit 1
+ fi
+done
+
+printf "test series sucessful, exit 0\n"
+exit 0
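Review bot: `rm -f "${HOMEDIRA}/std*"` in test 01.2 quotes the glob, so only a file literally named `std*` is looked for and the previous run's stdout/stderr are never removed; write it as `rm -f -- "${HOMEDIRA}"/std*` (the same line recurs in 03-getroot-ldap and 04-getroot-sssd). In test 01.3 the diagnostic dump `head -n-0 ${HOMEDIRB}/stdout ${HOMEDIRA}/stderr` mixes the two accounts' files, whereas 03 uses `${HOMEDIRB}` for both. Each `printf >&2 "exit 1\n" "${RET}"` passes an argument the format never consumes, so POSIX printf reuses the format and prints `exit 1` twice. `printf > /etc/hosts` overwrites the testbed's hosts file with no backup and the trap only removes the two accounts; test 02 shows the move-aside/restore pattern that would fit here as well.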
diff --git a/debian/tests/02-1003969-audit-no-resolve b/debian/tests/02-1003969-audit-no-resolve
new file mode 100755
index 0000000..3fc32aa
--- /dev/null
+++ b/debian/tests/02-1003969-audit-no-resolve
@@ -0,0 +1,43 @@
+#!/bin/sh
+
+set -e
+
+TESTNR="02"
+BASEDIR="$(pwd)/debian/tests"
+COMMONDIR="${BASEDIR}/common"
+DIR="${BASEDIR}/${TESTNR}"
+PATH="/bin:/usr/bin:/sbin:/usr/sbin"
+ACCTA="test${TESTNR}a"
+ACCTB="test${TESTNR}b"
+PASSWD="test${TESTNR}23456"
+HOMEDIRA="/root"
+LDIFDIR="${DIR}/ldif"
+
+trap '
+ printf "\ntrap handler\n"
+ mv /etc/resolv.conf.disabled /etc/resolv.conf || true
+ mv /etc/hosts.disabled /etc/hosts || true
+' 0 INT QUIT ABRT PIPE TERM
+
+printf "========= test %s\.1: sudo to nobody\n" "${TESTNR}"
+mv /etc/resolv.conf /etc/resolv.conf.disabled
+mv /etc/hosts /etc/hosts.disabled
+RET=0
+printf "trying sudo to nobody\n"
+cd "${HOMEDIRA}"
+${COMMONDIR}/asuser "" nobody || RET=$?
+printf "sudo to nobody, return value %s\n" "${RET}"
+STDERRLENGTH="$(cat ${HOMEDIRA}/stderr | grep -vE 'sudo: unable to resolve host [^:]+: Temporary failure in name resolution' | wc -l)"
+if [ "${STDERRLENGTH}" != "0" ]; then
+ echo >&2 non-empty stderr
+ printf >&2 "stdout:\n"
+ cat >&2 ${HOMEDIRA}/stdout
+ printf >&2 "stderr:\n"
+ cat >&2 ${HOMEDIRA}/stderr
+ printf >&2 "exit code %s\n" "${RET}"
+ printf >&2 "exit 1\n" "${RET}"
+ exit 1
+fi
+
+printf "test series sucessful, exit 0\n"
+exit 0
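Review bot: The stderr check `STDERRLENGTH="$(cat ${HOMEDIRA}/stderr | grep -vE '…' | wc -l)"` takes its status from `wc`, so a missing or unreadable `/root/stderr` yields a count of 0 and test 02.1 passes without having inspected anything. `STDERRLENGTH="$(grep -cvE 'sudo: unable to resolve host [^:]+: Temporary failure in name resolution' "${HOMEDIRA}/stderr" || :)"` gives the same count without the `cat`, leaves the variable empty when the file cannot be read so the comparison fails closed, and needs the `|| :` because grep exits 1 on zero matches and the assignment would otherwise trip `set -e`. ACCTA, ACCTB, PASSWD and LDIFDIR are assigned but never used in this script.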
diff --git a/debian/tests/03-getroot-ldap b/debian/tests/03-getroot-ldap
new file mode 100755
index 0000000..f50be3a
--- /dev/null
+++ b/debian/tests/03-getroot-ldap
@@ -0,0 +1,132 @@
+#!/bin/sh
+
+set -e
+
+TESTNR="03"
+BASEDIR="$(pwd)/debian/tests"
+COMMONDIR="${BASEDIR}/common"
+DIR="${BASEDIR}/${TESTNR}"
+PATH="/bin:/usr/bin:/sbin:/usr/sbin"
+ACCTA="test${TESTNR}a"
+ACCTB="test${TESTNR}b"
+PASSWD="test${TESTNR}23456"
+HOMEDIRA="/home/${ACCTA}"
+HOMEDIRB="/home/${ACCTB}"
+LDIFDIR="${DIR}/ldif"
+
+trap '
+ kill $(pidof slapd) 2>/dev/null || true
+ deluser --remove-home "${ACCTA}" 2>/dev/null || true
+ deluser --remove-home "${ACCTB}" 2>/dev/null || true
+ mv /etc/disabled.sudoers /etc/sudoers 2>/dev/null || true
+' 0 INT QUIT ABRT PIPE TERM
+
+if ! grep -q '^slapd: ALL' /etc/hosts.allow; then
+ echo "slapd: ALL" >> /etc/hosts.allow
+fi
+
+< ${LDIFDIR}/debconf debconf-set-selections
+printf "clean up ldap database ... "
+rm -rf /var/lib/ldap/*.mdb
+printf "reconfigure slapd ... "
+DEBIAN_FRONTEND=noninteractive dpkg-reconfigure -pcritical slapd 2>/dev/null
+if ! grep -q '^slapd: ALL$' /etc/hosts.allow; then
+ echo "slapd: ALL" >> /etc/hosts.allow
+fi
+printf "start slapd ... "
+slapd -h 'ldap://127.0.0.1:11389/ ldapi:///' -g openldap -u openldap -F /etc/ldap/slapd.d
+echo "URI ldap://127.0.0.1:11389" > /etc/ldap/ldap.conf
+# ldapsearch -x -LLL -s base -b "" namingContexts should work here
+printf "add sudo schema to slapd ... "
+< /usr/share/doc/sudo-ldap/schema.olcSudo ldapadd -Y EXTERNAL -H ldapi:/// 2>/dev/null
+printf "add sudo group ... "
+< ${LDIFDIR}/container.ldif ldapadd -x -D 'cn=admin,dc=example,dc=com' -w ldappw 2>/dev/null
+if ! grep -q '^sudoers: ldap$' /etc/nsswitch.conf; then
+ sed -i '/^sudoers.*/d' /etc/nsswitch.conf
+ echo "sudoers: ldap" >> /etc/nsswitch.conf
+fi
+touch /etc/ldap/ldap.conf
+if ! grep -q '^sudoers_base ou=SUDOers,dc=example,dc=com' /etc/ldap/ldap.conf; then
+ echo "sudoers_base ou=SUDOers,dc=example,dc=com" >> /etc/ldap/ldap.conf
+fi
+printf "reconfigure sudo-ldap (#1001851) ... "
+DEBIAN_FRONTEND=noninteractive dpkg-reconfigure -pcritical sudo-ldap 2>/dev/null
+printf "cvtsudoers into sudoers.ldif ... "
+cvtsudoers -b ou=SUDOers,dc=example,dc=com -o ${LDIFDIR}/sudoers.ldif /etc/sudoers
+printf "\n cat sudoers.ldif\n"
+cat ${LDIFDIR}/sudoers.ldif
+printf "pull sudoers.ldif into ldap ..."
+< ${LDIFDIR}/sudoers.ldif ldapadd -x -D 'cn=admin,dc=example,dc=com' -w ldappw
+# ldapsearch -x -LLL -b "ou=SUDOers,dc=example,dc=com" should work here
+printf "move away sudoers ...\n"
+mv /etc/sudoers /etc/disabled.sudoers
+
+
+printf "========= test %s\.1: account group member, correct password\n" "${TESTNR}"
+printf > /etc/hosts "127.0.1.1 %s\n" "$(hostname)"
+deluser ${ACCTA} 2>/dev/null || true
+adduser --disabled-password --home "${HOMEDIRA}" --gecos "" "${ACCTA}"
+printf "%s:%s\n" "${ACCTA}" "${PASSWD}" | chpasswd
+adduser "${ACCTA}" sudo
+RET=0
+printf "trying %s with correct password\n" "${ACCTA}"
+su - "${ACCTA}" -c "${COMMONDIR}/asuser ${PASSWD}" || RET=$?
+printf "%s with correct password, return value %s\n" "${ACCTA}" "${RET}"
+if [ "$(cat ${HOMEDIRA}/stdout)" != "0" ]; then
+ printf >&2 "id -u did not give 0\n"
+ printf >&2 "stdout:\n"
+ cat >&2 ${HOMEDIRA}/stdout
+ printf >&2 "stderr:\n"
+ cat >&2 ${HOMEDIRA}/stderr
+ printf >&2 "exit code %s\n" "${RET}"
+ printf >&2 "exit 1\n" "${RET}"
+ exit 1
+fi
+
+printf "========= test %s\.2: account group member, wrong password\n" "${TESTNR}"
+rm -f "${HOMEDIRA}/std*"
+RET=0
+printf "trying %s with wrong password\n" "${ACCTA}"
+su - "${ACCTA}" -c "${COMMONDIR}/asuser wrongpasswd" || RET=$?
+printf "%s with wrong password, return value %s\n" "${ACCTA}" "${RET}"
+head -n-0 ${HOMEDIRA}/stdout ${HOMEDIRA}/stderr
+printf -- "\n-------\n"
+for string in "[sudo] password for ${ACCTA}" "Sorry, try again" "sudo: no password was provided" "sudo: 1 incorrect password attempt"; do
+ if ! grep -F "${string}" ${HOMEDIRA}/stderr; then
+ printf "%s missing in stderr output\n" "${string}"
+ printf >&2 "stdout:\n"
+ cat >&2 ${HOMEDIRA}/stdout
+ printf >&2 "stderr:\n"
+ cat >&2 ${HOMEDIRA}/stderr
+ printf >&2 "\nexit code %s\n" "${RET}"
+ printf >&2 -- "------\n exit 1\n"
+ exit 1
+ fi
+done
+
+printf "========= test %s\.3: account not group member, correct password\n" "${TESTNR}"
+deluser ${ACCTB} 2>/dev/null || true
+adduser --disabled-password --home "${HOMEDIRB}" --gecos "" "${ACCTB}"
+printf "%s:%s\n" "${ACCTB}" "${PASSWD}" | chpasswd
+RET=0
+printf "trying %s (no sudo membership) with correct password\n" "${ACCTB}"
+su - "${ACCTB}" -c "${COMMONDIR}/asuser ${PASSWD}" || RET=$?
+printf "%s with correct password, return value %s\n" "${ACCTB}" "${RET}"
+head -n-0 ${HOMEDIRB}/stdout ${HOMEDIRB}/stderr
+printf -- "\n-------\n"
+for string in "[sudo] password for ${ACCTB}" "${ACCTB} is not allowed to run sudo on"; do
+ if ! grep -F "${string}" ${HOMEDIRB}/stderr; then
+ printf "%s missing in stderr output\n" "${string}"
+ printf >&2 "stdout:\n"
+ cat >&2 ${HOMEDIRB}/stdout
+ printf >&2 "stderr:\n"
+ cat >&2 ${HOMEDIRB}/stderr
+ printf >&2 "\nexit code %s\n" "${RET}"
+ printf >&2 -- "------\n exit 1\n"
+ exit 1
+ fi
+done
+
+printf "test series sucessful, exit 0\n"
+exit 0
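Review bot: `cvtsudoers -b ou=SUDOers,dc=example,dc=com -o ${LDIFDIR}/sudoers.ldif /etc/sudoers` writes into the source tree and overwrites the `debian/tests/03/ldif/sudoers.ldif` this commit also adds; either drop the committed copy or write into `${AUTOPKGTEST_TMP:-/tmp}` (via `mktemp`) so a run does not modify the fixture directory. The hosts.allow guard in the setup block is duplicated, once with `'^slapd: ALL'` and once with `'^slapd: ALL$'`; a single check after `dpkg-reconfigure` suffices. `/etc/nsswitch.conf`, `/etc/ldap/ldap.conf` and `/etc/hosts` are rewritten with no backup and the trap restores only `/etc/sudoers`, so the move-aside/restore pattern from test 02 would let the testbed be reused. The `ldapadd … -w ldappw` calls expose the admin password in the process list; `-y` with a 0600 password file is the quieter form, though that matters little on a throwaway testbed.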
+
diff --git a/debian/tests/03/ldif/container.ldif b/debian/tests/03/ldif/container.ldif
new file mode 100644
index 0000000..8f02a68
--- /dev/null
+++ b/debian/tests/03/ldif/container.ldif
@@ -0,0 +1,5 @@
+dn: ou=SUDOers,dc=example,dc=com
+objectClass: top
+objectClass: organizationalUnit
+ou: SUDOers
+
diff --git a/debian/tests/03/ldif/debconf b/debian/tests/03/ldif/debconf
new file mode 100644
index 0000000..d40ae8c
--- /dev/null
+++ b/debian/tests/03/ldif/debconf
@@ -0,0 +1,16 @@
+slapd slapd/password1 password ldappw
+slapd slapd/password2 password ldappw
+slapd slapd/internal/adminpw password ldappw
+slapd slapd/internal/generated_adminpw password ldappw
+slapd slapd/password_mismatch note
+slapd slapd/domain string example.com
+slapd slapd/dump_database_destdir string /var/backups/slapd-VERSION
+slapd slapd/purge_database boolean true
+slapd slapd/dump_database select when needed
+slapd slapd/no_configuration boolean false
+slapd slapd/ppolicy_schema_needs_update select abort installation
+slapd slapd/invalid_config boolean false
+slapd shared/organization string example.com
+slapd slapd/move_old_database boolean true
+slapd slapd/unsafe_selfwrite_acl note
+
diff --git a/debian/tests/03/ldif/sudoers.ldif b/debian/tests/03/ldif/sudoers.ldif
new file mode 100644
index 0000000..d321d52
--- /dev/null
+++ b/debian/tests/03/ldif/sudoers.ldif
@@ -0,0 +1,32 @@
+dn: cn=defaults,ou=SUDOers,dc=example,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: defaults
+description: Default sudoOption's go here
+sudoOption: env_reset
+sudoOption: mail_badpass
+sudoOption: secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+sudoOption: use_pty
+
+dn: cn=root,ou=SUDOers,dc=example,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: root
+sudoUser: root
+sudoHost: ALL
+sudoRunAsUser: ALL
+sudoRunAsGroup: ALL
+sudoCommand: ALL
+sudoOrder: 1
+
+dn: cn=%sudo,ou=SUDOers,dc=example,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: %sudo
+sudoUser: %sudo
+sudoHost: ALL
+sudoRunAsUser: ALL
+sudoRunAsGroup: ALL
+sudoCommand: ALL
+sudoOrder: 2
+
diff --git a/debian/tests/04-getroot-sssd b/debian/tests/04-getroot-sssd
new file mode 100755
index 0000000..eb13852
--- /dev/null
+++ b/debian/tests/04-getroot-sssd
@@ -0,0 +1,138 @@
+#!/bin/sh
+
+set -e
+
+# DEBIAN_FRONTEND=noninteractive apt --yes install adduser slapd ldap-utils sssd cron sudo man-db procps vim whiptail
+# slappasswd -s kkkk
+
+TESTNR="04"
+BASEDIR="$(pwd)/debian/tests"
+COMMONDIR="${BASEDIR}/common"
+DIR="${BASEDIR}/${TESTNR}"
+PATH="/bin:/usr/bin:/sbin:/usr/sbin"
+ACCTA="testuser1"
+ACCTB="testuser2"
+PASSWD="test${TESTNR}23456"
+HOMEDIRA="/home/${ACCTA}"
+HOMEDIRB="/home/${ACCTB}"
+LDIFDIR="${DIR}/ldif"
+SSSDCONF="/etc/sssd/sssd.conf"
+
+trap '
+ kill $(pidof slapd) 2>/dev/null || true
+ kill $(pidof sssd) 2>/dev/null || true
+' 0 INT QUIT ABRT PIPE TERM
+
+# openssl req -x509 -days 365 -nodes -newkey rsa:4096 -keyout server_key.pem -out server_cert.pem --subj "/C=DE/CN=emptysid86.zugschlus.de"
+
+< ${LDIFDIR}/debconf debconf-set-selections
+printf "clean up ldap database ... "
+rm -rf /var/lib/ldap/*.mdb
+printf "move configuration in place ... "
+mkdir -p /etc/ldap /etc/sssd
+cp ${LDIFDIR}/server_*.pem /etc/ldap/
+cp ${LDIFDIR}/ldap.conf /etc/ldap/
+chown openldap:openldap /etc/ldap/server_*.pem
+chmod 600 /etc/ldap/server_key.pem
+cp ${LDIFDIR}/sssd.conf /etc/sssd
+chown root:root /etc/sssd/sssd.conf
+chmod 600 /etc/sssd/sssd.conf
+cp ${LDIFDIR}/slapd-default /etc/default/slapd
+echo "slapd: [::1]" >> /etc/hosts.allow
+printf "reconfigure slapd ... "
+DEBIAN_FRONTEND=noninteractive dpkg-reconfigure -pcritical slapd 2>/dev/null
+kill $(pidof slapd) 2>/dev/null || true
+sleep 1
+printf "start slapd ... "
+slapd -h "ldaps:/// ldapi:///" -g openldap -u openldap -F /etc/ldap/slapd.d
+# ldapsearch -x -LLL -s base -b "" namingContexts should work here
+printf "set LDAP passwords"
+ldapmodify -v -Y external -H ldapi:/// -f ${LDIFDIR}/tls.ldif 2>/dev/null
+printf "set LDAP passwords for admin"
+ldapmodify -v -Y external -H ldapi:/// -f ${LDIFDIR}/adminpw.ldif 2>/dev/null
+printf "set LDAP passwords for admin example"
+ldapmodify -v -Y external -H ldapi:/// -f ${LDIFDIR}/adminpw-example-com.ldif 2>/dev/null
+printf "add users and groups OUs ..."
+ldapadd -x -D "cn=admin,dc=example,dc=com" -w ldappw -f ${LDIFDIR}/sss-ous.ldif 2>/dev/null
+printf "add users ..."
+
+printf "sssd.conf ...\n"
+cp ${LDIFDIR}/sssd.conf "${SSSDCONF}"
+
+printf "sudoers file ...\n"A
+mkdir -p /etc/sudoers.d/
+mv ${LDIFDIR}/ldapsudoers /etc/sudoers.d/
+chown root:root "${SSSDCONF}" /etc/sudoers.d/ /etc/sudoers.d/*
+chmod 755 /etc/sudoers.d/
+chmod 600 "${SSSDCONF}" /etc/sudoers.d/*
+kill $(pidof sssd) 2>/dev/null || true
+sleep 1
+sssd --logger=files -D
+
+for user in testuser1 testuser2; do
+ ldapadd -x -D "cn=admin,dc=example,dc=com" -w ldappw -f ${LDIFDIR}/${user}.ldif 2>/dev/null
+ mkdir -p /home/${user}
+ chown ${user}:nogroup /home/${user}
+done
+ldapadd -x -D "cn=admin,dc=example,dc=com" -w ldappw -f ${LDIFDIR}/ldapsudoers.ldif 2>/dev/null
+# ldapsearch -x -D "cn=admin,dc=example,dc=com" -w ldappw -b "dc=example,dc=com" -s sub "(objectclass=*)" should work here.
+
+printf "========= test %s\.1: account group member, correct password\n" "${TESTNR}"
+RET=0
+printf "trying %s with correct password\n" "${ACCTA}"
+su - "${ACCTA}" -c "${COMMONDIR}/asuser ${PASSWD}" || RET=$?
+printf "%s with correct password, return value %s\n" "${ACCTA}" "${RET}"
+if [ "$(cat ${HOMEDIRA}/stdout)" != "0" ]; then
+ printf >&2 "id -u did not give 0\n"
+ printf >&2 "stdout:\n"
+ cat >&2 ${HOMEDIRA}/stdout
+ printf >&2 "stderr:\n"
+ cat >&2 ${HOMEDIRA}/stderr
+ printf >&2 "exit code %s\n" "${RET}"
+ printf >&2 "exit 1\n" "${RET}"
+ exit 1
+fi
+
+printf "========= test %s\.2: account group member, wrong password\n" "${TESTNR}"
+rm -f "${HOMEDIRA}/std*"
+RET=0
+printf "trying %s with wrong password\n" "${ACCTA}"
+su - "${ACCTA}" -c "${COMMONDIR}/asuser wrongpasswd" || RET=$?
+printf "%s with wrong password, return value %s\n" "${ACCTA}" "${RET}"
+head -n-0 ${HOMEDIRA}/stdout ${HOMEDIRA}/stderr
+printf -- "\n-------\n"
+for string in "[sudo] password for ${ACCTA}" "Sorry, try again" "sudo: no password was provided" "sudo: 1 incorrect password attempt"; do
+ if ! grep -F "${string}" ${HOMEDIRA}/stderr; then
+ printf "%s missing in stderr output\n" "${string}"
+ printf >&2 "stdout:\n"
+ cat >&2 ${HOMEDIRA}/stdout
+ printf >&2 "stderr:\n"
+ cat >&2 ${HOMEDIRA}/stderr
+ printf >&2 "\nexit code %s\n" "${RET}"
+ printf >&2 -- "------\n exit 1\n"
+ exit 1
+ fi
+done
+
+printf "========= test %s\.3: account not group member, correct password\n" "${TESTNR}"
+printf "trying %s (no sudo membership) with correct password\n" "${ACCTB}"
+su - "${ACCTB}" -c "${COMMONDIR}/asuser ${PASSWD}" || RET=$?
+printf "%s with correct password, return value %s\n" "${ACCTB}" "${RET}"
+head -n-0 ${HOMEDIRB}/stdout ${HOMEDIRB}/stderr
+printf -- "\n-------\n"
+for string in "[sudo] password for ${ACCTB}: ${ACCTB} is not in the sudoers file." ; do
+ if ! grep -q -F "${string}" ${HOMEDIRB}/stderr; then
+ printf "%s missing in stderr output\n" "${string}"
+ printf >&2 "stdout:\n"
+ cat >&2 ${HOMEDIRB}/stdout
+ printf >&2 "stderr:\n"
+ cat >&2 ${HOMEDIRB}/stderr
+ printf >&2 "\nexit code %s\n" "${RET}"
+ printf >&2 -- "------\n exit 1\n"
+ exit 1
+ fi
+done
+
+printf "test series sucessful, exit 0\n"
+exit 0
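Review bot: `printf "sudoers file ...\n"A` has a stray `A` glued to the format string, so the message prints as `sudoers file ...` followed by a bare `A` with no newline; drop the character. `mv ${LDIFDIR}/ldapsudoers /etc/sudoers.d/` removes the fixture from the source tree, so a second run fails at that line; `cp` is wanted, as for the other fixture files copied above it. Test 04.3 never resets `RET=0` before its `su` call, so a non-zero status from 04.2 is carried into its output. `chmod 600 "${SSSDCONF}" /etc/sudoers.d/*` also touches every pre-existing file in sudoers.d, and sudoers(5) expects sudoers.d entries to be 0440, so I would confirm with `sudo -l` that a 0600 file is parsed rather than warned about and skipped. The home directories are chown'ed to LDAP users right after `sssd --logger=files -D` returns with no readiness check, which looks racy, though I cannot tell from the hunk whether sssd answers NSS queries by then.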
+
diff --git a/debian/tests/04/ldif/adminpw-example-com.ldif b/debian/tests/04/ldif/adminpw-example-com.ldif
new file mode 100644
index 0000000..adf42d5
--- /dev/null
+++ b/debian/tests/04/ldif/adminpw-example-com.ldif
@@ -0,0 +1,4 @@
+dn: olcDatabase={1}mdb,cn=config
+changetype: modify
+replace: olcRootPW
+olcRootPW: {SSHA}5VEuBX9dLCSCj+TIp7XBXQRb3F5M2aSN
diff --git a/debian/tests/04/ldif/adminpw.ldif b/debian/tests/04/ldif/adminpw.ldif
new file mode 100644
index 0000000..6cf1bb8
--- /dev/null
+++ b/debian/tests/04/ldif/adminpw.ldif
@@ -0,0 +1,7 @@
+# this sets a password ldappw for the config database
+# ldapsearch -H ldapi:// -LLL -D "cn=admin,cn=config" -W -b "cn=config" "(olcRootDN=*)" dn olcRootDN olcRootPW olcSuffix
+# should work without -Y EXTERNAL and as normal user now
+dn: olcDatabase={0}config,cn=config
+changetype: modify
+replace: olcRootPW
+olcRootPW: {SSHA}5VEuBX9dLCSCj+TIp7XBXQRb3F5M2aSN
diff --git a/debian/tests/04/ldif/container.ldif b/debian/tests/04/ldif/container.ldif
new file mode 100644
index 0000000..8f02a68
--- /dev/null
+++ b/debian/tests/04/ldif/container.ldif
@@ -0,0 +1,5 @@
+dn: ou=SUDOers,dc=example,dc=com
+objectClass: top
+objectClass: organizationalUnit
+ou: SUDOers
+
diff --git a/debian/tests/04/ldif/debconf b/debian/tests/04/ldif/debconf
new file mode 100644
index 0000000..bb14313
--- /dev/null
+++ b/debian/tests/04/ldif/debconf
@@ -0,0 +1,15 @@
+slapd slapd/password1 password ldappw
+slapd slapd/password2 password ldappw
+slapd slapd/internal/adminpw password ldappw
+slapd slapd/internal/generated_adminpw password ldappw
+slapd slapd/password_mismatch note
+slapd slapd/domain string example.com
+slapd slapd/dump_database_destdir string /var/backups/slapd-VERSION
+slapd slapd/purge_database boolean true
+slapd slapd/no_configuration boolean false
+slapd slapd/ppolicy_schema_needs_update select abort installation
+slapd slapd/invalid_config boolean false
+slapd shared/organization string example.com
+slapd slapd/move_old_database boolean true
+slapd slapd/unsafe_selfwrite_acl note
+
diff --git a/debian/tests/04/ldif/ldap.conf b/debian/tests/04/ldif/ldap.conf
new file mode 100644
index 0000000..3f3000a
--- /dev/null
+++ b/debian/tests/04/ldif/ldap.conf
@@ -0,0 +1,6 @@
+BASE dc=example,dc=com
+URI ldaps://[::1]:636/
+TLS_CACERT /etc/ldap/server_cert.pem
+TLS_REQCERT allow
+SASL_NOCANON on
+
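Review bot: `TLS_REQCERT allow` accepts a certificate that fails verification, so the `TLS_CACERT` line above is not enforced and the test exercises transport encryption but not server authentication; the same holds for `ldap_tls_reqcert = allow` in 04/ldif/sssd.conf. That is probably deliberate for the loopback testbed, since the `openssl req` comment in 04-getroot-sssd gives the committed certificate a real hostname as subject rather than `[::1]`, which `demand` would reject on the name check. A one-line comment in both files stating that (`# allow: self-signed loopback cert, name check would fail; not for production`) keeps the setting from being copied into a real deployment; alternatively regenerate the certificate with a subjectAltName for the loopback address and use `demand`.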
diff --git a/debian/tests/04/ldif/ldapsudoers b/debian/tests/04/ldif/ldapsudoers
new file mode 100644
index 0000000..8d11b0b
--- /dev/null
+++ b/debian/tests/04/ldif/ldapsudoers
@@ -0,0 +1 @@
+%ldapsudoers ALL=(ALL:ALL) ALL
diff --git a/debian/tests/04/ldif/ldapsudoers.ldif b/debian/tests/04/ldif/ldapsudoers.ldif
new file mode 100644
index 0000000..029d73e
--- /dev/null
+++ b/debian/tests/04/ldif/ldapsudoers.ldif
@@ -0,0 +1,6 @@
+dn: cn=ldapsudoers,ou=groups,dc=example,dc=com
+objectClass: posixGroup
+objectClass: top
+gidNumber: 270
+cn: ldapsudoers
+memberUid: testuser1
diff --git a/debian/tests/04/ldif/server_cert.pem b/debian/tests/04/ldif/server_cert.pem
new file mode 100644
index 0000000..69392cd
--- /dev/null
+++ b/debian/tests/04/ldif/server_cert.pem
@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/debian/tests/04/ldif/server_key.pem b/debian/tests/04/ldif/server_key.pem
new file mode 100644
index 0000000..7baef03
--- /dev/null
+++ b/debian/tests/04/ldif/server_key.pem
@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
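Review bot: A private key is committed as a test fixture with no accompanying note; the only hint that it is a throwaway self-signed loopback key is the `openssl req` comment inside 04-getroot-sssd. A short README in debian/tests/04/ldif (or a comment line at the top of the generating script) saying the pair is test-only, how it was generated and that it must never be reused would stop secret scanners and future maintainers from treating it as leaked material. Keeping the generation command next to the key also makes regeneration straightforward when the certificate expires.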
diff --git a/debian/tests/04/ldif/slapd-default b/debian/tests/04/ldif/slapd-default
new file mode 100644
index 0000000..9d92858
--- /dev/null
+++ b/debian/tests/04/ldif/slapd-default
@@ -0,0 +1,7 @@
+SLAPD_CONF=
+SLAPD_USER="openldap"
+SLAPD_GROUP="openldap"
+SLAPD_PIDFILE=
+SLAPD_SERVICES="ldaps:/// ldapi:///"
+SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
+SLAPD_OPTIONS=""
diff --git a/debian/tests/04/ldif/sss-ous.ldif b/debian/tests/04/ldif/sss-ous.ldif
new file mode 100644
index 0000000..5ba018c
--- /dev/null
+++ b/debian/tests/04/ldif/sss-ous.ldif
@@ -0,0 +1,9 @@
+dn: ou=users,dc=example,dc=com
+objectClass: top
+objectClass: organizationalUnit
+ou: users
+
+dn: ou=groups,dc=example,dc=com
+objectClass: top
+objectClass: organizationalUnit
+ou: groups
diff --git a/debian/tests/04/ldif/sssd.conf b/debian/tests/04/ldif/sssd.conf
new file mode 100755
index 0000000..ee06ef5
--- /dev/null
+++ b/debian/tests/04/ldif/sssd.conf
@@ -0,0 +1,24 @@
+[sssd]
+domains = example.com
+services = nss, pam
+debug_level = 0x01ff
+
+[domain/example.com]
+id_provider = ldap
+auth_provider = ldap
+
+ldap_uri = ldaps://[::1]:636/
+ldap_search_base = dc=example,dc=com
+
+ldap_tls_cacert = /etc/ldap/server_cert.pem
+ldap_tls_reqcert = allow
+
+ldap_default_bind_dn = cn=admin,dc=example,dc=com
+ldap_default_authtok_type = password
+ldap_default_authtok = ldappw
+
+[pam]
+offline_credentials_expiration = 2
+offline_failed_login_attempts = 3
+offline_failed_login_delay = 5
+
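Review bot: The fixture is added with mode 100755 although it is a configuration file; the script copies it and chmods the copy to 600, but the executable bit on the committed file is misleading and should be 100644. `ldap_default_bind_dn = cn=admin,dc=example,dc=com` binds sssd as the directory's root DN; a dedicated read-only bind entry would mirror what a real deployment needs and would surface ACL regressions in the group lookup that an all-powerful bind cannot.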
diff --git a/debian/tests/04/ldif/testuser1.ldif b/debian/tests/04/ldif/testuser1.ldif
new file mode 100644
index 0000000..2419a68
--- /dev/null
+++ b/debian/tests/04/ldif/testuser1.ldif
@@ -0,0 +1,16 @@
+dn: uid=testuser1,ou=users,dc=example,dc=com
+objectClass: top
+objectClass: account
+objectClass: posixAccount
+objectClass: shadowAccount
+cn: testuser1
+uid: testuser1
+uidNumber: 10001
+gidNumber: 100
+homeDirectory: /home/testuser1
+loginShell: /bin/bash
+gecos: testuser1 from LDAP
+userPassword: {SSHA}n8CrO1tNcRrd4u8rMLOE91a18iFRQFBx
+shadowLastChange: 0
+shadowMax: 0
+shadowWarning: 0
diff --git a/debian/tests/04/ldif/testuser2.ldif b/debian/tests/04/ldif/testuser2.ldif
new file mode 100644
index 0000000..541c383
--- /dev/null
+++ b/debian/tests/04/ldif/testuser2.ldif
@@ -0,0 +1,17 @@
+dn: uid=testuser2,ou=users,dc=example,dc=com
+objectClass: top
+objectClass: account
+objectClass: posixAccount
+objectClass: shadowAccount
+cn: testuser2
+uid: testuser2
+uidNumber: 10002
+gidNumber: 100
+homeDirectory: /home/testuser2
+loginShell: /bin/bash
+gecos: testuser2 from LDAP
+userPassword: {SSHA}n8CrO1tNcRrd4u8rMLOE91a18iFRQFBx
+shadowLastChange: 0
+shadowMax: 0
+shadowWarning: 0
+
diff --git a/debian/tests/04/ldif/tls.ldif b/debian/tests/04/ldif/tls.ldif
new file mode 100644
index 0000000..012adf2
--- /dev/null
+++ b/debian/tests/04/ldif/tls.ldif
@@ -0,0 +1,10 @@
+dn: cn=config
+changetype: modify
+add: olcTLSCACertificateFile
+olcTLSCACertificateFile: /etc/ldap/server_cert.pem
+-
+add: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: /etc/ldap/server_key.pem
+-
+add: olcTLSCertificateFile
+olcTLSCertificateFile: /etc/ldap/server_cert.pem
diff --git a/debian/tests/common/asuser b/debian/tests/common/asuser
new file mode 100755
index 0000000..291b40a
--- /dev/null
+++ b/debian/tests/common/asuser
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+set -e
+
+echo "${1:-}" | sudo -u "${2:-root}" --stdin id -u > "${3:-stdout}" 2> "${4:-stderr}"
+
+
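Review bot: The password is fed to sudo with `echo "${1:-}"`, and bash's builtin echo treats a value beginning with `-n` or `-e` as an option; `printf '%s\n' "${1:-}" | sudo -u "${2:-root}" --stdin id -u > "${3:-stdout}" 2> "${4:-stderr}"` is the robust form. The script has no header comment although four positional parameters and two relative output paths are its whole contract (callers rely on `su -` or a prior `cd` to set the working directory); a comment such as `# usage: asuser PASSWORD [USER] [STDOUT] [STDERR]` followed by `# runs 'id -u' via sudo as USER (default root), feeding PASSWORD on stdin; output to ./stdout and ./stderr by default` would make that explicit. Taking the password as an argument also shows it in the process list, which is acceptable for a test helper but worth stating in that comment.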
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..a0bc0d6
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,16 @@
+Tests: 01-getroot
+Depends: sudo, adduser
+Restrictions: needs-root
+
+Tests: 02-1003969-audit-no-resolve
+Depends: sudo
+Restrictions: needs-root
+
+Tests: 03-getroot-ldap
+Depends: sudo-ldap, adduser, slapd, ldap-utils, cron
+Restrictions: needs-root
+
+#Tests: 04-getroot-sssd
+#Depends: sudo, adduser, slapd, ldap-utils, sssd-common, sssd-ldap, cron
+#Restrictions: needs-root
+
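Review bot: Tests 01 and 03 change the testbed permanently — 01 sets a root password and overwrites `/etc/hosts`, 03 rewrites `/etc/nsswitch.conf` and `/etc/ldap/ldap.conf` and reconfigures slapd — yet neither stanza declares `breaks-testbed`, so autopkgtest may reuse the modified testbed for later tests. Test 03 also starts slapd on a TCP port, which the autopkgtest restrictions list covers with `isolation-container`; `Restrictions: needs-root, breaks-testbed, isolation-container` for 03 and `Restrictions: needs-root, breaks-testbed` for 01 would describe what the scripts do (04 needs the same when it is enabled). The commented-out 04 stanza would benefit from a one-line `#` note saying why it is disabled, so the next reader does not have to guess whether the test is broken or merely unfinished.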