diff options
Diffstat (limited to 'debian/tests/04-getroot-sssd')
-rwxr-xr-x | debian/tests/04-getroot-sssd | 136 |
1 files changed, 136 insertions, 0 deletions
diff --git a/debian/tests/04-getroot-sssd b/debian/tests/04-getroot-sssd new file mode 100755 index 0000000..bcafaf8 --- /dev/null +++ b/debian/tests/04-getroot-sssd @@ -0,0 +1,136 @@ +#!/bin/sh + +set -e + +# DEBIAN_FRONTEND=noninteractive apt --yes install adduser slapd ldap-utils sssd cron sudo man-db procps vim whiptail +# slappasswd -s kkkk + +TESTNR="04" +BASEDIR="$(pwd)/debian/tests" +COMMONDIR="${BASEDIR}/common" +DIR="${BASEDIR}/${TESTNR}" +PATH="/bin:/usr/bin:/sbin:/usr/sbin" +ACCTA="testuser1" +ACCTB="testuser2" +PASSWD="test${TESTNR}23456" +HOMEDIRA="/home/${ACCTA}" +HOMEDIRB="/home/${ACCTB}" +LDIFDIR="${DIR}/ldif" +SSSDCONF="/etc/sssd/sssd.conf" + +trap ' + kill $(pidof slapd) 2>/dev/null || true + kill $(pidof sssd) 2>/dev/null || true +' 0 INT QUIT ABRT PIPE TERM + +# openssl req -x509 -days 365 -nodes -newkey rsa:4096 -keyout server_key.pem -out server_cert.pem --subj "/C=DE/CN=emptysid86.zugschlus.de" + +< ${LDIFDIR}/debconf debconf-set-selections +printf "clean up ldap database ... " +rm -rf /var/lib/ldap/*.mdb +printf "move configuration in place ... " +mkdir -p /etc/ldap /etc/sssd +cp ${LDIFDIR}/server_*.pem /etc/ldap/ +cp ${LDIFDIR}/ldap.conf /etc/ldap/ +chown openldap:openldap /etc/ldap/server_*.pem +chmod 600 /etc/ldap/server_key.pem +cp ${LDIFDIR}/sssd.conf /etc/sssd +chown root:root /etc/sssd/sssd.conf +chmod 600 /etc/sssd/sssd.conf +cp ${LDIFDIR}/slapd-default /etc/default/slapd +echo "slapd: [::1]" >> /etc/hosts.allow +printf "reconfigure slapd ... " +DEBIAN_FRONTEND=noninteractive dpkg-reconfigure -pcritical slapd 2>/dev/null +kill $(pidof slapd) 2>/dev/null || true +sleep 1 +printf "start slapd ... " +slapd -h "ldaps:/// ldapi:///" -g openldap -u openldap -F /etc/ldap/slapd.d +# ldapsearch -x -LLL -s base -b "" namingContexts should work here +printf "set LDAP passwords" +ldapmodify -Y external -H ldapi:/// -f ${LDIFDIR}/tls.ldif 2>/dev/null +ldapmodify -Y external -H ldapi:/// -f ${LDIFDIR}/adminpw.ldif 2>/dev/null +ldapmodify -Y external -H ldapi:/// -f ${LDIFDIR}/adminpw-example-com.ldif 2>/dev/null +printf "add users and groups OUs ..." +ldapadd -x -D "cn=admin,dc=example,dc=com" -w ldappw -f ${LDIFDIR}/sss-ous.ldif 2>/dev/null +printf "add users ..." + +printf "sssd.conf ...\n" +cp ${LDIFDIR}/sssd.conf "${SSSDCONF}" + +printf "sudoers file ...\n"A +mkdir -p /etc/sudoers.d/ +mv ${LDIFDIR}/ldapsudoers /etc/sudoers.d/ +chown root:root "${SSSDCONF}" /etc/sudoers.d/ /etc/sudoers.d/* +chmod 755 /etc/sudoers.d/ +chmod 600 "${SSSDCONF}" /etc/sudoers.d/* +kill $(pidof sssd) 2>/dev/null || true +sleep 1 +sssd --logger=files -D + +for user in testuser1 testuser2; do + ldapadd -x -D "cn=admin,dc=example,dc=com" -w ldappw -f ${LDIFDIR}/${user}.ldif 2>/dev/null + mkdir -p /home/${user} + chown ${user}:nogroup /home/${user} +done +ldapadd -x -D "cn=admin,dc=example,dc=com" -w ldappw -f ${LDIFDIR}/ldapsudoers.ldif 2>/dev/null +# ldapsearch -x -D "cn=admin,dc=example,dc=com" -w ldappw -b "dc=example,dc=com" -s sub "(objectclass=*)" should work here. + +printf "========= test %s\.1: account group member, correct password\n" "${TESTNR}" +RET=0 +printf "trying %s with correct password\n" "${ACCTA}" +su - "${ACCTA}" -c "${COMMONDIR}/asuser ${PASSWD}" || RET=$? +printf "%s with correct password, return value %s\n" "${ACCTA}" "${RET}" +if [ "$(cat ${HOMEDIRA}/stdout)" != "0" ]; then + printf >&2 "id -u did not give 0\n" + printf >&2 "stdout:\n" + cat >&2 ${HOMEDIRA}/stdout + printf >&2 "stderr:\n" + cat >&2 ${HOMEDIRA}/stderr + printf >&2 "exit code %s\n" "${RET}" + printf >&2 "exit 1\n" "${RET}" + exit 1 +fi + +printf "========= test %s\.2: account group member, wrong password\n" "${TESTNR}" +rm -f "${HOMEDIRA}/std*" +RET=0 +printf "trying %s with wrong password\n" "${ACCTA}" +su - "${ACCTA}" -c "${COMMONDIR}/asuser wrongpasswd" || RET=$? +printf "%s with wrong password, return value %s\n" "${ACCTA}" "${RET}" +head -n-0 ${HOMEDIRA}/stdout ${HOMEDIRA}/stderr +printf -- "\n-------\n" +for string in "[sudo] password for ${ACCTA}" "Sorry, try again" "sudo: no password was provided" "sudo: 1 incorrect password attempt"; do + if ! grep -F "${string}" ${HOMEDIRA}/stderr; then + printf "%s missing in stderr output\n" "${string}" + printf >&2 "stdout:\n" + cat >&2 ${HOMEDIRA}/stdout + printf >&2 "stderr:\n" + cat >&2 ${HOMEDIRA}/stderr + printf >&2 "\nexit code %s\n" "${RET}" + printf >&2 -- "------\n exit 1\n" + exit 1 + fi +done + +printf "========= test %s\.3: account not group member, correct password\n" "${TESTNR}" +printf "trying %s (no sudo membership) with correct password\n" "${ACCTB}" +su - "${ACCTB}" -c "${COMMONDIR}/asuser ${PASSWD}" || RET=$? +printf "%s with correct password, return value %s\n" "${ACCTB}" "${RET}" +head -n-0 ${HOMEDIRB}/stdout ${HOMEDIRB}/stderr +printf -- "\n-------\n" +for string in "[sudo] password for ${ACCTB}: ${ACCTB} is not in the sudoers file." ; do + if ! grep -q -F "${string}" ${HOMEDIRB}/stderr; then + printf "%s missing in stderr output\n" "${string}" + printf >&2 "stdout:\n" + cat >&2 ${HOMEDIRB}/stdout + printf >&2 "stderr:\n" + cat >&2 ${HOMEDIRB}/stderr + printf >&2 "\nexit code %s\n" "${RET}" + printf >&2 -- "------\n exit 1\n" + exit 1 + fi +done + +printf "test series sucessful, exit 0\n" +exit 0 + |