summaryrefslogtreecommitdiffstats
path: root/debian/tests/04-getroot-sssd
diff options
context:
space:
mode:
Diffstat (limited to 'debian/tests/04-getroot-sssd')
-rwxr-xr-xdebian/tests/04-getroot-sssd136
1 files changed, 136 insertions, 0 deletions
diff --git a/debian/tests/04-getroot-sssd b/debian/tests/04-getroot-sssd
new file mode 100755
index 0000000..bcafaf8
--- /dev/null
+++ b/debian/tests/04-getroot-sssd
@@ -0,0 +1,136 @@
+#!/bin/sh
+
+set -e
+
+# DEBIAN_FRONTEND=noninteractive apt --yes install adduser slapd ldap-utils sssd cron sudo man-db procps vim whiptail
+# slappasswd -s kkkk
+
+TESTNR="04"
+BASEDIR="$(pwd)/debian/tests"
+COMMONDIR="${BASEDIR}/common"
+DIR="${BASEDIR}/${TESTNR}"
+PATH="/bin:/usr/bin:/sbin:/usr/sbin"
+ACCTA="testuser1"
+ACCTB="testuser2"
+PASSWD="test${TESTNR}23456"
+HOMEDIRA="/home/${ACCTA}"
+HOMEDIRB="/home/${ACCTB}"
+LDIFDIR="${DIR}/ldif"
+SSSDCONF="/etc/sssd/sssd.conf"
+
+trap '
+ kill $(pidof slapd) 2>/dev/null || true
+ kill $(pidof sssd) 2>/dev/null || true
+' 0 INT QUIT ABRT PIPE TERM
+
+# openssl req -x509 -days 365 -nodes -newkey rsa:4096 -keyout server_key.pem -out server_cert.pem --subj "/C=DE/CN=emptysid86.zugschlus.de"
+
+< ${LDIFDIR}/debconf debconf-set-selections
+printf "clean up ldap database ... "
+rm -rf /var/lib/ldap/*.mdb
+printf "move configuration in place ... "
+mkdir -p /etc/ldap /etc/sssd
+cp ${LDIFDIR}/server_*.pem /etc/ldap/
+cp ${LDIFDIR}/ldap.conf /etc/ldap/
+chown openldap:openldap /etc/ldap/server_*.pem
+chmod 600 /etc/ldap/server_key.pem
+cp ${LDIFDIR}/sssd.conf /etc/sssd
+chown root:root /etc/sssd/sssd.conf
+chmod 600 /etc/sssd/sssd.conf
+cp ${LDIFDIR}/slapd-default /etc/default/slapd
+echo "slapd: [::1]" >> /etc/hosts.allow
+printf "reconfigure slapd ... "
+DEBIAN_FRONTEND=noninteractive dpkg-reconfigure -pcritical slapd 2>/dev/null
+kill $(pidof slapd) 2>/dev/null || true
+sleep 1
+printf "start slapd ... "
+slapd -h "ldaps:/// ldapi:///" -g openldap -u openldap -F /etc/ldap/slapd.d
+# ldapsearch -x -LLL -s base -b "" namingContexts should work here
+printf "set LDAP passwords"
+ldapmodify -Y external -H ldapi:/// -f ${LDIFDIR}/tls.ldif 2>/dev/null
+ldapmodify -Y external -H ldapi:/// -f ${LDIFDIR}/adminpw.ldif 2>/dev/null
+ldapmodify -Y external -H ldapi:/// -f ${LDIFDIR}/adminpw-example-com.ldif 2>/dev/null
+printf "add users and groups OUs ..."
+ldapadd -x -D "cn=admin,dc=example,dc=com" -w ldappw -f ${LDIFDIR}/sss-ous.ldif 2>/dev/null
+printf "add users ..."
+
+printf "sssd.conf ...\n"
+cp ${LDIFDIR}/sssd.conf "${SSSDCONF}"
+
+printf "sudoers file ...\n"A
+mkdir -p /etc/sudoers.d/
+mv ${LDIFDIR}/ldapsudoers /etc/sudoers.d/
+chown root:root "${SSSDCONF}" /etc/sudoers.d/ /etc/sudoers.d/*
+chmod 755 /etc/sudoers.d/
+chmod 600 "${SSSDCONF}" /etc/sudoers.d/*
+kill $(pidof sssd) 2>/dev/null || true
+sleep 1
+sssd --logger=files -D
+
+for user in testuser1 testuser2; do
+ ldapadd -x -D "cn=admin,dc=example,dc=com" -w ldappw -f ${LDIFDIR}/${user}.ldif 2>/dev/null
+ mkdir -p /home/${user}
+ chown ${user}:nogroup /home/${user}
+done
+ldapadd -x -D "cn=admin,dc=example,dc=com" -w ldappw -f ${LDIFDIR}/ldapsudoers.ldif 2>/dev/null
+# ldapsearch -x -D "cn=admin,dc=example,dc=com" -w ldappw -b "dc=example,dc=com" -s sub "(objectclass=*)" should work here.
+
+printf "========= test %s\.1: account group member, correct password\n" "${TESTNR}"
+RET=0
+printf "trying %s with correct password\n" "${ACCTA}"
+su - "${ACCTA}" -c "${COMMONDIR}/asuser ${PASSWD}" || RET=$?
+printf "%s with correct password, return value %s\n" "${ACCTA}" "${RET}"
+if [ "$(cat ${HOMEDIRA}/stdout)" != "0" ]; then
+ printf >&2 "id -u did not give 0\n"
+ printf >&2 "stdout:\n"
+ cat >&2 ${HOMEDIRA}/stdout
+ printf >&2 "stderr:\n"
+ cat >&2 ${HOMEDIRA}/stderr
+ printf >&2 "exit code %s\n" "${RET}"
+ printf >&2 "exit 1\n" "${RET}"
+ exit 1
+fi
+
+printf "========= test %s\.2: account group member, wrong password\n" "${TESTNR}"
+rm -f "${HOMEDIRA}/std*"
+RET=0
+printf "trying %s with wrong password\n" "${ACCTA}"
+su - "${ACCTA}" -c "${COMMONDIR}/asuser wrongpasswd" || RET=$?
+printf "%s with wrong password, return value %s\n" "${ACCTA}" "${RET}"
+head -n-0 ${HOMEDIRA}/stdout ${HOMEDIRA}/stderr
+printf -- "\n-------\n"
+for string in "[sudo] password for ${ACCTA}" "Sorry, try again" "sudo: no password was provided" "sudo: 1 incorrect password attempt"; do
+ if ! grep -F "${string}" ${HOMEDIRA}/stderr; then
+ printf "%s missing in stderr output\n" "${string}"
+ printf >&2 "stdout:\n"
+ cat >&2 ${HOMEDIRA}/stdout
+ printf >&2 "stderr:\n"
+ cat >&2 ${HOMEDIRA}/stderr
+ printf >&2 "\nexit code %s\n" "${RET}"
+ printf >&2 -- "------\n exit 1\n"
+ exit 1
+ fi
+done
+
+printf "========= test %s\.3: account not group member, correct password\n" "${TESTNR}"
+printf "trying %s (no sudo membership) with correct password\n" "${ACCTB}"
+su - "${ACCTB}" -c "${COMMONDIR}/asuser ${PASSWD}" || RET=$?
+printf "%s with correct password, return value %s\n" "${ACCTB}" "${RET}"
+head -n-0 ${HOMEDIRB}/stdout ${HOMEDIRB}/stderr
+printf -- "\n-------\n"
+for string in "[sudo] password for ${ACCTB}: ${ACCTB} is not in the sudoers file." ; do
+ if ! grep -q -F "${string}" ${HOMEDIRB}/stderr; then
+ printf "%s missing in stderr output\n" "${string}"
+ printf >&2 "stdout:\n"
+ cat >&2 ${HOMEDIRB}/stdout
+ printf >&2 "stderr:\n"
+ cat >&2 ${HOMEDIRB}/stderr
+ printf >&2 "\nexit code %s\n" "${RET}"
+ printf >&2 -- "------\n exit 1\n"
+ exit 1
+ fi
+done
+
+printf "test series sucessful, exit 0\n"
+exit 0
+