Diffstat (limited to '')
-rwxr-xr-x | debian/tests/03-getroot-ldap | 132 | ||||
-rw-r--r-- | debian/tests/03/ldif/container.ldif | 5 | ||||
-rw-r--r-- | debian/tests/03/ldif/debconf | 16 | ||||
-rw-r--r-- | debian/tests/03/ldif/sudoers.ldif | 32 |
4 files changed, 185 insertions, 0 deletions
diff --git a/debian/tests/03-getroot-ldap b/debian/tests/03-getroot-ldap
new file mode 100755
index 0000000..f50be3a
--- /dev/null
+++ b/debian/tests/03-getroot-ldap
@@ -0,0 +1,132 @@
+#!/bin/sh
+
+set -e
+
+TESTNR="03"
+BASEDIR="$(pwd)/debian/tests"
+COMMONDIR="${BASEDIR}/common"
+DIR="${BASEDIR}/${TESTNR}"
+PATH="/bin:/usr/bin:/sbin:/usr/sbin"
+ACCTA="test${TESTNR}a"
+ACCTB="test${TESTNR}b"
+PASSWD="test${TESTNR}23456"
+HOMEDIRA="/home/${ACCTA}"
+HOMEDIRB="/home/${ACCTB}"
+LDIFDIR="${DIR}/ldif"
+
+trap '
+ kill $(pidof slapd) 2>/dev/null || true
+ deluser --remove-home "${ACCTA}" 2>/dev/null || true
+ deluser --remove-home "${ACCTB}" 2>/dev/null || true
+ mv /etc/disabled.sudoers /etc/sudoers 2>/dev/null || true
+' 0 INT QUIT ABRT PIPE TERM
+
+if ! grep -q '^slapd: ALL' /etc/hosts.allow; then
+ echo "slapd: ALL" >> /etc/hosts.allow
+fi
+
+< ${LDIFDIR}/debconf debconf-set-selections
+printf "clean up ldap database ... "
+rm -rf /var/lib/ldap/*.mdb
+printf "reconfigure slapd ... "
+DEBIAN_FRONTEND=noninteractive dpkg-reconfigure -pcritical slapd 2>/dev/null
+if ! grep -q '^slapd: ALL$' /etc/hosts.allow; then
+ echo "slapd: ALL" >> /etc/hosts.allow
+fi
+printf "start slapd ... "
+slapd -h 'ldap://127.0.0.1:11389/ ldapi:///' -g openldap -u openldap -F /etc/ldap/slapd.d
+echo "URI ldap://127.0.0.1:11389" > /etc/ldap/ldap.conf
+# ldapsearch -x -LLL -s base -b "" namingContexts should work here
+printf "add sudo schema to slapd ... "
+< /usr/share/doc/sudo-ldap/schema.olcSudo ldapadd -Y EXTERNAL -H ldapi:/// 2>/dev/null
+printf "add sudo group ... "
+< ${LDIFDIR}/container.ldif ldapadd -x -D 'cn=admin,dc=example,dc=com' -w ldappw 2>/dev/null
+if ! grep -q '^sudoers: ldap$' /etc/nsswitch.conf; then
+ sed -i '/^sudoers.*/d' /etc/nsswitch.conf
+ echo "sudoers: ldap" >> /etc/nsswitch.conf
+fi
+touch /etc/ldap/ldap.conf
+if ! grep -q '^sudoers_base ou=SUDOers,dc=example,dc=com' /etc/ldap/ldap.conf; then
+ echo "sudoers_base ou=SUDOers,dc=example,dc=com" >> /etc/ldap/ldap.conf
+fi
+printf "reconfigure sudo-ldap (#1001851) ... "
+DEBIAN_FRONTEND=noninteractive dpkg-reconfigure -pcritical sudo-ldap 2>/dev/null
+printf "cvtsudoers into sudoers.ldif ... "
+cvtsudoers -b ou=SUDOers,dc=example,dc=com -o ${LDIFDIR}/sudoers.ldif /etc/sudoers
+printf "\n cat sudoers.ldif\n"
+cat ${LDIFDIR}/sudoers.ldif
+printf "pull sudoers.ldif into ldap ..."
+< ${LDIFDIR}/sudoers.ldif ldapadd -x -D 'cn=admin,dc=example,dc=com' -w ldappw
+# ldapsearch -x -LLL -b "ou=SUDOers,dc=example,dc=com" should work here
+printf "move away sudoers ...\n"
+mv /etc/sudoers /etc/disabled.sudoers
+
+
+printf "========= test %s\.1: account group member, correct password\n" "${TESTNR}"
+printf > /etc/hosts "127.0.1.1 %s\n" "$(hostname)"
+deluser ${ACCTA} 2>/dev/null || true
+adduser --disabled-password --home "${HOMEDIRA}" --gecos "" "${ACCTA}"
+printf "%s:%s\n" "${ACCTA}" "${PASSWD}" | chpasswd
+adduser "${ACCTA}" sudo
+RET=0
+printf "trying %s with correct password\n" "${ACCTA}"
+su - "${ACCTA}" -c "${COMMONDIR}/asuser ${PASSWD}" || RET=$?
+printf "%s with correct password, return value %s\n" "${ACCTA}" "${RET}"
+if [ "$(cat ${HOMEDIRA}/stdout)" != "0" ]; then
+ printf >&2 "id -u did not give 0\n"
+ printf >&2 "stdout:\n"
+ cat >&2 ${HOMEDIRA}/stdout
+ printf >&2 "stderr:\n"
+ cat >&2 ${HOMEDIRA}/stderr
+ printf >&2 "exit code %s\n" "${RET}"
+ printf >&2 "exit 1\n" "${RET}"
+ exit 1
+fi
+
+printf "========= test %s\.2: account group member, wrong password\n" "${TESTNR}"
+rm -f "${HOMEDIRA}/std*"
+RET=0
+printf "trying %s with wrong password\n" "${ACCTA}"
+su - "${ACCTA}" -c "${COMMONDIR}/asuser wrongpasswd" || RET=$?
+printf "%s with wrong password, return value %s\n" "${ACCTA}" "${RET}"
+head -n-0 ${HOMEDIRA}/stdout ${HOMEDIRA}/stderr
+printf -- "\n-------\n"
+for string in "[sudo] password for ${ACCTA}" "Sorry, try again" "sudo: no password was provided" "sudo: 1 incorrect password attempt"; do
+ if ! grep -F "${string}" ${HOMEDIRA}/stderr; then
+ printf "%s missing in stderr output\n" "${string}"
+ printf >&2 "stdout:\n"
+ cat >&2 ${HOMEDIRA}/stdout
+ printf >&2 "stderr:\n"
+ cat >&2 ${HOMEDIRA}/stderr
+ printf >&2 "\nexit code %s\n" "${RET}"
+ printf >&2 -- "------\n exit 1\n"
+ exit 1
+ fi
+done
+
+printf "========= test %s\.3: account not group member, correct password\n" "${TESTNR}"
+deluser ${ACCTB} 2>/dev/null || true
+adduser --disabled-password --home "${HOMEDIRB}" --gecos "" "${ACCTB}"
+printf "%s:%s\n" "${ACCTB}" "${PASSWD}" | chpasswd
+RET=0
+printf "trying %s (no sudo membership) with correct password\n" "${ACCTB}"
+su - "${ACCTB}" -c "${COMMONDIR}/asuser ${PASSWD}" || RET=$?
+printf "%s with correct password, return value %s\n" "${ACCTB}" "${RET}"
+head -n-0 ${HOMEDIRB}/stdout ${HOMEDIRB}/stderr
+printf -- "\n-------\n"
+for string in "[sudo] password for ${ACCTB}" "${ACCTB} is not allowed to run sudo on"; do
+ if ! grep -F "${string}" ${HOMEDIRB}/stderr; then
+ printf "%s missing in stderr output\n" "${string}"
+ printf >&2 "stdout:\n"
+ cat >&2 ${HOMEDIRB}/stdout
+ printf >&2 "stderr:\n"
+ cat >&2 ${HOMEDIRB}/stderr
+ printf >&2 "\nexit code %s\n" "${RET}"
+ printf >&2 -- "------\n exit 1\n"
+ exit 1
+ fi
+done
+
+printf "test series sucessful, exit 0\n"
+exit 0
+
diff --git a/debian/tests/03/ldif/container.ldif b/debian/tests/03/ldif/container.ldif
new file mode 100644
index 0000000..8f02a68
--- /dev/null
+++ b/debian/tests/03/ldif/container.ldif
@@ -0,0 +1,5 @@
+dn: ou=SUDOers,dc=example,dc=com
+objectClass: top
+objectClass: organizationalUnit
+ou: SUDOers
+
diff --git a/debian/tests/03/ldif/debconf b/debian/tests/03/ldif/debconf
new file mode 100644
index 0000000..d40ae8c
--- /dev/null
+++ b/debian/tests/03/ldif/debconf
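Review bot: `rm -f "${HOMEDIRA}/std*"` at the start of test 03.2 quotes the glob, so it only looks for a file literally named `std*` and the stdout/stderr left behind by test 03.1 are never removed; whether the next run truncates them depends on asuser in common/, which is outside this diff, and if it appends, the grep -F checks can match stale output from the previous case. Change it to `rm -f -- "${HOMEDIRA}"/std*`. `printf > /etc/hosts "127.0.1.1 %s\n" "$(hostname)"` replaces the whole file, dropping the `127.0.0.1 localhost` entry, and unlike the accounts, sudoers and slapd it is not restored by the trap; the same applies to the appended hosts.allow, nsswitch.conf and ldap.conf lines, which is presumably only acceptable if the test declares breaks-testbed in its control file (not visible here). `cvtsudoers ... -o ${LDIFDIR}/sudoers.ldif /etc/sudoers` overwrites the sudoers.ldif committed in this same change, so that fixture never drives the test and the `%sudo` rule test 03.1 depends on must come from the testbed's /etc/sudoers; either drop the fixture or load it instead of regenerating it. Finally, `printf >&2 "exit 1\n" "${RET}"` in test 03.1 passes an argument the format never consumes, so the shell reuses the format and prints the line twice; drop the `"${RET}"`.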
@@ -0,0 +1,16 @@
+slapd slapd/password1 password ldappw
+slapd slapd/password2 password ldappw
+slapd slapd/internal/adminpw password ldappw
+slapd slapd/internal/generated_adminpw password ldappw
+slapd slapd/password_mismatch note
+slapd slapd/domain string example.com
+slapd slapd/dump_database_destdir string /var/backups/slapd-VERSION
+slapd slapd/purge_database boolean true
+slapd slapd/dump_database select when needed
+slapd slapd/no_configuration boolean false
+slapd slapd/ppolicy_schema_needs_update select abort installation
+slapd slapd/invalid_config boolean false
+slapd shared/organization string example.com
+slapd slapd/move_old_database boolean true
+slapd slapd/unsafe_selfwrite_acl note
+
diff --git a/debian/tests/03/ldif/sudoers.ldif b/debian/tests/03/ldif/sudoers.ldif
new file mode 100644
index 0000000..d321d52
--- /dev/null
+++ b/debian/tests/03/ldif/sudoers.ldif
@@ -0,0 +1,32 @@
+dn: cn=defaults,ou=SUDOers,dc=example,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: defaults
+description: Default sudoOption's go here
+sudoOption: env_reset
+sudoOption: mail_badpass
+sudoOption: secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+sudoOption: use_pty
+
+dn: cn=root,ou=SUDOers,dc=example,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: root
+sudoUser: root
+sudoHost: ALL
+sudoRunAsUser: ALL
+sudoRunAsGroup: ALL
+sudoCommand: ALL
+sudoOrder: 1
+
+dn: cn=%sudo,ou=SUDOers,dc=example,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: %sudo
+sudoUser: %sudo
+sudoHost: ALL
+sudoRunAsUser: ALL
+sudoRunAsGroup: ALL
+sudoCommand: ALL
+sudoOrder: 2
+
|