1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
|
#!/bin/sh
set -e
# DEBIAN_FRONTEND=noninteractive apt --yes install adduser slapd ldap-utils sssd cron sudo man-db procps vim whiptail
# slappasswd -s kkkk
TESTNR="04"
BASEDIR="$(pwd)/debian/tests"
COMMONDIR="${BASEDIR}/common"
DIR="${BASEDIR}/${TESTNR}"
PATH="/bin:/usr/bin:/sbin:/usr/sbin"
ACCTA="testuser1"
ACCTB="testuser2"
PASSWD="test${TESTNR}23456"
HOMEDIRA="/home/${ACCTA}"
HOMEDIRB="/home/${ACCTB}"
LDIFDIR="${DIR}/ldif"
SSSDCONF="/etc/sssd/sssd.conf"
trap '
kill $(pidof slapd) 2>/dev/null || true
kill $(pidof sssd) 2>/dev/null || true
' 0 INT QUIT ABRT PIPE TERM
# openssl req -x509 -days 365 -nodes -newkey rsa:4096 -keyout server_key.pem -out server_cert.pem --subj "/C=DE/CN=emptysid86.zugschlus.de"
< ${LDIFDIR}/debconf debconf-set-selections
printf "clean up ldap database ... "
rm -rf /var/lib/ldap/*.mdb
printf "move configuration in place ... "
mkdir -p /etc/ldap /etc/sssd
cp ${LDIFDIR}/server_*.pem /etc/ldap/
cp ${LDIFDIR}/ldap.conf /etc/ldap/
chown openldap:openldap /etc/ldap/server_*.pem
chmod 600 /etc/ldap/server_key.pem
cp ${LDIFDIR}/sssd.conf /etc/sssd
chown root:root /etc/sssd/sssd.conf
chmod 600 /etc/sssd/sssd.conf
cp ${LDIFDIR}/slapd-default /etc/default/slapd
echo "slapd: [::1]" >> /etc/hosts.allow
printf "reconfigure slapd ... "
DEBIAN_FRONTEND=noninteractive dpkg-reconfigure -pcritical slapd 2>/dev/null
kill $(pidof slapd) 2>/dev/null || true
sleep 1
printf "start slapd ... "
slapd -h "ldaps:/// ldapi:///" -g openldap -u openldap -F /etc/ldap/slapd.d
# ldapsearch -x -LLL -s base -b "" namingContexts should work here
printf "set LDAP passwords"
ldapmodify -Y external -H ldapi:/// -f ${LDIFDIR}/tls.ldif 2>/dev/null
ldapmodify -Y external -H ldapi:/// -f ${LDIFDIR}/adminpw.ldif 2>/dev/null
ldapmodify -Y external -H ldapi:/// -f ${LDIFDIR}/adminpw-example-com.ldif 2>/dev/null
printf "add users and groups OUs ..."
ldapadd -x -D "cn=admin,dc=example,dc=com" -w ldappw -f ${LDIFDIR}/sss-ous.ldif 2>/dev/null
printf "add users ..."
printf "sssd.conf ...\n"
cp ${LDIFDIR}/sssd.conf "${SSSDCONF}"
printf "sudoers file ...\n"A
mkdir -p /etc/sudoers.d/
mv ${LDIFDIR}/ldapsudoers /etc/sudoers.d/
chown root:root "${SSSDCONF}" /etc/sudoers.d/ /etc/sudoers.d/*
chmod 755 /etc/sudoers.d/
chmod 600 "${SSSDCONF}" /etc/sudoers.d/*
kill $(pidof sssd) 2>/dev/null || true
sleep 1
sssd --logger=files -D
for user in testuser1 testuser2; do
ldapadd -x -D "cn=admin,dc=example,dc=com" -w ldappw -f ${LDIFDIR}/${user}.ldif 2>/dev/null
mkdir -p /home/${user}
chown ${user}:nogroup /home/${user}
done
ldapadd -x -D "cn=admin,dc=example,dc=com" -w ldappw -f ${LDIFDIR}/ldapsudoers.ldif 2>/dev/null
# ldapsearch -x -D "cn=admin,dc=example,dc=com" -w ldappw -b "dc=example,dc=com" -s sub "(objectclass=*)" should work here.
printf "========= test %s\.1: account group member, correct password\n" "${TESTNR}"
RET=0
printf "trying %s with correct password\n" "${ACCTA}"
su - "${ACCTA}" -c "${COMMONDIR}/asuser ${PASSWD}" || RET=$?
printf "%s with correct password, return value %s\n" "${ACCTA}" "${RET}"
if [ "$(cat ${HOMEDIRA}/stdout)" != "0" ]; then
printf >&2 "id -u did not give 0\n"
printf >&2 "stdout:\n"
cat >&2 ${HOMEDIRA}/stdout
printf >&2 "stderr:\n"
cat >&2 ${HOMEDIRA}/stderr
printf >&2 "exit code %s\n" "${RET}"
printf >&2 "exit 1\n" "${RET}"
exit 1
fi
printf "========= test %s\.2: account group member, wrong password\n" "${TESTNR}"
rm -f "${HOMEDIRA}/std*"
RET=0
printf "trying %s with wrong password\n" "${ACCTA}"
su - "${ACCTA}" -c "${COMMONDIR}/asuser wrongpasswd" || RET=$?
printf "%s with wrong password, return value %s\n" "${ACCTA}" "${RET}"
head -n-0 ${HOMEDIRA}/stdout ${HOMEDIRA}/stderr
printf -- "\n-------\n"
for string in "[sudo] password for ${ACCTA}" "Sorry, try again" "sudo: no password was provided" "sudo: 1 incorrect password attempt"; do
if ! grep -F "${string}" ${HOMEDIRA}/stderr; then
printf "%s missing in stderr output\n" "${string}"
printf >&2 "stdout:\n"
cat >&2 ${HOMEDIRA}/stdout
printf >&2 "stderr:\n"
cat >&2 ${HOMEDIRA}/stderr
printf >&2 "\nexit code %s\n" "${RET}"
printf >&2 -- "------\n exit 1\n"
exit 1
fi
done
printf "========= test %s\.3: account not group member, correct password\n" "${TESTNR}"
printf "trying %s (no sudo membership) with correct password\n" "${ACCTB}"
su - "${ACCTB}" -c "${COMMONDIR}/asuser ${PASSWD}" || RET=$?
printf "%s with correct password, return value %s\n" "${ACCTB}" "${RET}"
head -n-0 ${HOMEDIRB}/stdout ${HOMEDIRB}/stderr
printf -- "\n-------\n"
for string in "[sudo] password for ${ACCTB}: ${ACCTB} is not in the sudoers file." ; do
if ! grep -q -F "${string}" ${HOMEDIRB}/stderr; then
printf "%s missing in stderr output\n" "${string}"
printf >&2 "stdout:\n"
cat >&2 ${HOMEDIRB}/stdout
printf >&2 "stderr:\n"
cat >&2 ${HOMEDIRB}/stderr
printf >&2 "\nexit code %s\n" "${RET}"
printf >&2 -- "------\n exit 1\n"
exit 1
fi
done
printf "test series sucessful, exit 0\n"
exit 0
|