path: root/debian/tests/04-getroot-sssd
blob: eb13852cd15ee88f4988f8db6da16ac1e05d76a4 (plain)
#!/bin/sh

set -e

# DEBIAN_FRONTEND=noninteractive apt --yes install adduser slapd ldap-utils sssd cron sudo man-db procps vim whiptail
# slappasswd -s kkkk

# Test 04: sudo rules served from LDAP and resolved through sssd.
TESTNR="04"

# Locations inside the source tree the test is started from.
BASEDIR="$(pwd)/debian/tests"
COMMONDIR="${BASEDIR}/common"
DIR="${BASEDIR}/${TESTNR}"
LDIFDIR="${DIR}/ldif"

# Fixed PATH for every tool invoked below.
PATH="/bin:/usr/bin:/sbin:/usr/sbin"

# Test accounts and the password both of them are created with.
ACCTA="testuser1"
ACCTB="testuser2"
HOMEDIRA="/home/${ACCTA}"
HOMEDIRB="/home/${ACCTB}"
PASSWD="test${TESTNR}23456"

SSSDCONF="/etc/sssd/sssd.conf"

# Stop the daemons this test started; runs on normal exit and on the
# usual termination signals. pidof may print several PIDs, so its
# output is deliberately left unquoted.
cleanup() {
  kill $(pidof slapd) 2>/dev/null || true
  kill $(pidof sssd) 2>/dev/null || true
}
trap cleanup 0 INT QUIT ABRT PIPE TERM

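# openssl req -x509 -days 365 -nodes -newkey rsa:4096 -keyout server_key.pem -out server_cert.pem --subj "/C=DE/CN=emptysid86.zugschlus.de"

# Preseed slapd's debconf answers so dpkg-reconfigure below runs unattended.
< "${LDIFDIR}/debconf" debconf-set-selections
printf "clean up ldap database ...\n"
rm -rf /var/lib/ldap/*.mdb
printf "move configuration in place ...\n"
mkdir -p /etc/ldap /etc/sssd
cp "${LDIFDIR}"/server_*.pem /etc/ldap/
cp "${LDIFDIR}/ldap.conf" /etc/ldap/
chown openldap:openldap /etc/ldap/server_*.pem
# the TLS private key is readable by the slapd user only
chmod 600 /etc/ldap/server_key.pem
# sssd.conf holds the bind credentials; root-only, like the pem key above
cp "${LDIFDIR}/sssd.conf" "${SSSDCONF}"
chown root:root "${SSSDCONF}"
chmod 600 "${SSSDCONF}"
cp "${LDIFDIR}/slapd-default" /etc/default/slapd
# append the hosts.allow entry only once, so re-runs do not accumulate duplicates
grep -qxF "slapd: [::1]" /etc/hosts.allow 2>/dev/null \
  || echo "slapd: [::1]" >> /etc/hosts.allow
printf "reconfigure slapd ...\n"
DEBIAN_FRONTEND=noninteractive dpkg-reconfigure -pcritical slapd 2>/dev/null
# pidof may print several PIDs; unquoted on purpose
kill $(pidof slapd) 2>/dev/null || true
sleep 1
printf "start slapd ...\n"
slapd -h "ldaps:/// ldapi:///" -g openldap -u openldap -F /etc/ldap/slapd.d
# ldapsearch -x -LLL -s base -b "" namingContexts should work here
printf "configure TLS ...\n"
ldapmodify -v -Y external -H ldapi:/// -f "${LDIFDIR}/tls.ldif" 2>/dev/null
printf "set LDAP password for admin ...\n"
ldapmodify -v -Y external -H ldapi:/// -f "${LDIFDIR}/adminpw.ldif" 2>/dev/null
printf "set LDAP password for admin of example.com ...\n"
ldapmodify -v -Y external -H ldapi:/// -f "${LDIFDIR}/adminpw-example-com.ldif" 2>/dev/null
printf "add users and groups OUs ...\n"
ldapadd -x -D "cn=admin,dc=example,dc=com" -w ldappw -f "${LDIFDIR}/sss-ous.ldif" 2>/dev/null

printf "sudoers file ...\n"
mkdir -p /etc/sudoers.d/
# copy (not move) so the fixture survives in the source tree for a re-run
cp "${LDIFDIR}/ldapsudoers" /etc/sudoers.d/
chown root:root /etc/sudoers.d/ /etc/sudoers.d/*
chmod 755 /etc/sudoers.d/
chmod 600 /etc/sudoers.d/*
# pidof may print several PIDs; unquoted on purpose
kill $(pidof sssd) 2>/dev/null || true
sleep 1
sssd --logger=files -D

printf "add users ...\n"
for user in "${ACCTA}" "${ACCTB}"; do
  ldapadd -x -D "cn=admin,dc=example,dc=com" -w ldappw -f "${LDIFDIR}/${user}.ldif" 2>/dev/null
  mkdir -p "/home/${user}"
  # relies on sssd already resolving the freshly added LDAP user
  chown "${user}:nogroup" "/home/${user}"
done
printf "add sudoers rules to LDAP ...\n"
ldapadd -x -D "cn=admin,dc=example,dc=com" -w ldappw -f "${LDIFDIR}/ldapsudoers.ldif" 2>/dev/null
# ldapsearch -x -D "cn=admin,dc=example,dc=com" -w ldappw -b "dc=example,dc=com" -s sub "(objectclass=*)" should work here.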

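#######################################
# Print the capture files written by asuser (stdout, stderr) in a home
# directory, each with a header. A missing file is reported instead of
# aborting the run under set -e.
# Arguments: $1 - home directory holding the stdout/stderr files
# Outputs:   the file contents to stdout
#######################################
show_output() {
  for f in stdout stderr; do
    printf "==> %s <==\n" "$f"
    if [ -r "$1/$f" ]; then
      cat "$1/$f"
    else
      printf "(no %s file)\n" "$f"
    fi
  done
}

#######################################
# Print the captured stdout of an account (empty when the file is missing).
# Arguments: $1 - home directory holding the stdout file
#######################################
captured_stdout() {
  cat "$1/stdout" 2>/dev/null || true
}

#######################################
# Report a failed check with the full capture and abort the run.
# Arguments: $1 - message describing the failed check
#            $2 - home directory holding the stdout/stderr files
#            $3 - return value of the su invocation
# Outputs:   diagnostics to stderr
# Returns:   does not return; exits 1
#######################################
fail_test() {
  printf >&2 "%s\n" "$1"
  show_output "$2" >&2
  printf >&2 "\nexit code %s\n" "$3"
  printf >&2 -- "------\n exit 1\n"
  exit 1
}

printf "========= test %s.1: account group member, correct password\n" "${TESTNR}"
RET=0
printf "trying %s with correct password\n" "${ACCTA}"
su - "${ACCTA}" -c "${COMMONDIR}/asuser ${PASSWD}" || RET=$?
printf "%s with correct password, return value %s\n" "${ACCTA}" "${RET}"
# success is judged by the captured id -u output, not by su's return value
if [ "$(captured_stdout "${HOMEDIRA}")" != "0" ]; then
  fail_test "id -u did not give 0" "${HOMEDIRA}" "${RET}"
fi

printf "========= test %s.2: account group member, wrong password\n" "${TESTNR}"
# remove the previous run's capture files so a stale "0" cannot be read
rm -f "${HOMEDIRA}/stdout" "${HOMEDIRA}/stderr"
RET=0
printf "trying %s with wrong password\n" "${ACCTA}"
su - "${ACCTA}" -c "${COMMONDIR}/asuser wrongpasswd" || RET=$?
printf "%s with wrong password, return value %s\n" "${ACCTA}" "${RET}"
show_output "${HOMEDIRA}"
printf -- "\n-------\n"
# the negative case must also fail on outcome, not only on diagnostics
if [ "$(captured_stdout "${HOMEDIRA}")" = "0" ]; then
  fail_test "id -u gave 0 despite a wrong password" "${HOMEDIRA}" "${RET}"
fi
for string in "[sudo] password for ${ACCTA}" "Sorry, try again" "sudo: no password was provided" "sudo: 1 incorrect password attempt"; do
  if ! grep -q -F -- "${string}" "${HOMEDIRA}/stderr"; then
    fail_test "${string} missing in stderr output" "${HOMEDIRA}" "${RET}"
  fi
done

printf "========= test %s.3: account not group member, correct password\n" "${TESTNR}"
rm -f "${HOMEDIRB}/stdout" "${HOMEDIRB}/stderr"
RET=0
printf "trying %s (no sudo membership) with correct password\n" "${ACCTB}"
su - "${ACCTB}" -c "${COMMONDIR}/asuser ${PASSWD}" || RET=$?
printf "%s with correct password, return value %s\n" "${ACCTB}" "${RET}"
show_output "${HOMEDIRB}"
printf -- "\n-------\n"
# an account without a sudoers rule must never obtain uid 0
if [ "$(captured_stdout "${HOMEDIRB}")" = "0" ]; then
  fail_test "id -u gave 0 for an account without a sudoers rule" "${HOMEDIRB}" "${RET}"
fi
string="[sudo] password for ${ACCTB}: ${ACCTB} is not in the sudoers file."
if ! grep -q -F -- "${string}" "${HOMEDIRB}/stderr"; then
  fail_test "${string} missing in stderr output" "${HOMEDIRB}" "${RET}"
fi

printf "test series successful, exit 0\n"
exit 0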