#!/bin/sh set -e # DEBIAN_FRONTEND=noninteractive apt --yes install adduser slapd ldap-utils sssd cron sudo man-db procps vim whiptail # slappasswd -s kkkk TESTNR="04" BASEDIR="$(pwd)/debian/tests" COMMONDIR="${BASEDIR}/common" DIR="${BASEDIR}/${TESTNR}" PATH="/bin:/usr/bin:/sbin:/usr/sbin" ACCTA="testuser1" ACCTB="testuser2" PASSWD="test${TESTNR}23456" HOMEDIRA="/home/${ACCTA}" HOMEDIRB="/home/${ACCTB}" LDIFDIR="${DIR}/ldif" SSSDCONF="/etc/sssd/sssd.conf" trap ' kill $(pidof slapd) 2>/dev/null || true kill $(pidof sssd) 2>/dev/null || true ' 0 INT QUIT ABRT PIPE TERM # openssl req -x509 -days 365 -nodes -newkey rsa:4096 -keyout server_key.pem -out server_cert.pem --subj "/C=DE/CN=emptysid86.zugschlus.de" < ${LDIFDIR}/debconf debconf-set-selections printf "clean up ldap database ... " rm -rf /var/lib/ldap/*.mdb printf "move configuration in place ... " mkdir -p /etc/ldap /etc/sssd cp ${LDIFDIR}/server_*.pem /etc/ldap/ cp ${LDIFDIR}/ldap.conf /etc/ldap/ chown openldap:openldap /etc/ldap/server_*.pem chmod 600 /etc/ldap/server_key.pem cp ${LDIFDIR}/sssd.conf /etc/sssd chown root:root /etc/sssd/sssd.conf chmod 600 /etc/sssd/sssd.conf cp ${LDIFDIR}/slapd-default /etc/default/slapd echo "slapd: [::1]" >> /etc/hosts.allow printf "reconfigure slapd ... " DEBIAN_FRONTEND=noninteractive dpkg-reconfigure -pcritical slapd 2>/dev/null kill $(pidof slapd) 2>/dev/null || true sleep 1 printf "start slapd ... " slapd -h "ldaps:/// ldapi:///" -g openldap -u openldap -F /etc/ldap/slapd.d # ldapsearch -x -LLL -s base -b "" namingContexts should work here printf "set LDAP passwords" ldapmodify -v -Y external -H ldapi:/// -f ${LDIFDIR}/tls.ldif 2>/dev/null printf "set LDAP passwords for admin" ldapmodify -v -Y external -H ldapi:/// -f ${LDIFDIR}/adminpw.ldif 2>/dev/null printf "set LDAP passwords for admin example" ldapmodify -v -Y external -H ldapi:/// -f ${LDIFDIR}/adminpw-example-com.ldif 2>/dev/null printf "add users and groups OUs ..." ldapadd -x -D "cn=admin,dc=example,dc=com" -w ldappw -f ${LDIFDIR}/sss-ous.ldif 2>/dev/null printf "add users ..." printf "sssd.conf ...\n" cp ${LDIFDIR}/sssd.conf "${SSSDCONF}" printf "sudoers file ...\n"A mkdir -p /etc/sudoers.d/ mv ${LDIFDIR}/ldapsudoers /etc/sudoers.d/ chown root:root "${SSSDCONF}" /etc/sudoers.d/ /etc/sudoers.d/* chmod 755 /etc/sudoers.d/ chmod 600 "${SSSDCONF}" /etc/sudoers.d/* kill $(pidof sssd) 2>/dev/null || true sleep 1 sssd --logger=files -D for user in testuser1 testuser2; do ldapadd -x -D "cn=admin,dc=example,dc=com" -w ldappw -f ${LDIFDIR}/${user}.ldif 2>/dev/null mkdir -p /home/${user} chown ${user}:nogroup /home/${user} done ldapadd -x -D "cn=admin,dc=example,dc=com" -w ldappw -f ${LDIFDIR}/ldapsudoers.ldif 2>/dev/null # ldapsearch -x -D "cn=admin,dc=example,dc=com" -w ldappw -b "dc=example,dc=com" -s sub "(objectclass=*)" should work here. printf "========= test %s\.1: account group member, correct password\n" "${TESTNR}" RET=0 printf "trying %s with correct password\n" "${ACCTA}" su - "${ACCTA}" -c "${COMMONDIR}/asuser ${PASSWD}" || RET=$? printf "%s with correct password, return value %s\n" "${ACCTA}" "${RET}" if [ "$(cat ${HOMEDIRA}/stdout)" != "0" ]; then printf >&2 "id -u did not give 0\n" printf >&2 "stdout:\n" cat >&2 ${HOMEDIRA}/stdout printf >&2 "stderr:\n" cat >&2 ${HOMEDIRA}/stderr printf >&2 "exit code %s\n" "${RET}" printf >&2 "exit 1\n" "${RET}" exit 1 fi printf "========= test %s\.2: account group member, wrong password\n" "${TESTNR}" rm -f "${HOMEDIRA}/std*" RET=0 printf "trying %s with wrong password\n" "${ACCTA}" su - "${ACCTA}" -c "${COMMONDIR}/asuser wrongpasswd" || RET=$? printf "%s with wrong password, return value %s\n" "${ACCTA}" "${RET}" head -n-0 ${HOMEDIRA}/stdout ${HOMEDIRA}/stderr printf -- "\n-------\n" for string in "[sudo] password for ${ACCTA}" "Sorry, try again" "sudo: no password was provided" "sudo: 1 incorrect password attempt"; do if ! grep -F "${string}" ${HOMEDIRA}/stderr; then printf "%s missing in stderr output\n" "${string}" printf >&2 "stdout:\n" cat >&2 ${HOMEDIRA}/stdout printf >&2 "stderr:\n" cat >&2 ${HOMEDIRA}/stderr printf >&2 "\nexit code %s\n" "${RET}" printf >&2 -- "------\n exit 1\n" exit 1 fi done printf "========= test %s\.3: account not group member, correct password\n" "${TESTNR}" printf "trying %s (no sudo membership) with correct password\n" "${ACCTB}" su - "${ACCTB}" -c "${COMMONDIR}/asuser ${PASSWD}" || RET=$? printf "%s with correct password, return value %s\n" "${ACCTB}" "${RET}" head -n-0 ${HOMEDIRB}/stdout ${HOMEDIRB}/stderr printf -- "\n-------\n" for string in "[sudo] password for ${ACCTB}: ${ACCTB} is not in the sudoers file." ; do if ! grep -q -F "${string}" ${HOMEDIRB}/stderr; then printf "%s missing in stderr output\n" "${string}" printf >&2 "stdout:\n" cat >&2 ${HOMEDIRB}/stdout printf >&2 "stderr:\n" cat >&2 ${HOMEDIRB}/stderr printf >&2 "\nexit code %s\n" "${RET}" printf >&2 -- "------\n exit 1\n" exit 1 fi done printf "test series sucessful, exit 0\n" exit 0