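#!/bin/sh
# Test 03: sudo authorisation against an LDAP-backed sudoers (sudo-ldap).
#
# Brings up a throw-away slapd on ldap://127.0.0.1:11389, loads the sudo
# schema and a cvtsudoers(1) conversion of /etc/sudoers into it, moves the
# real /etc/sudoers aside so only the LDAP source is consulted, then runs
# ${COMMONDIR}/asuser as two test accounts and inspects what the probe left
# in ~/stdout and ~/stderr:
#   .1  member of group sudo, correct password      -> "id -u" must print 0
#   .2  member of group sudo, wrong password        -> sudo must refuse
#   .3  not a member of group sudo, correct password -> sudo must refuse
#
# Must run as root on a disposable testbed: it rewrites /etc/hosts,
# /etc/hosts.allow, /etc/nsswitch.conf and /etc/ldap/ldap.conf and wipes
# /var/lib/ldap; only slapd, the two accounts and /etc/sudoers are put
# back by the exit trap.
set -e
TESTNR="03"
BASEDIR="$(pwd)/debian/tests"
COMMONDIR="${BASEDIR}/common"
DIR="${BASEDIR}/${TESTNR}"
# Fixed, absolute PATH so the test never picks up tools from the caller's
# environment.
PATH="/bin:/usr/bin:/sbin:/usr/sbin"
ACCTA="test${TESTNR}a"
ACCTB="test${TESTNR}b"
# Fixed fixture password.  It is handed to asuser on its command line and
# is therefore visible in the process list while a probe runs.
PASSWD="test${TESTNR}23456"
HOMEDIRA="/home/${ACCTA}"
HOMEDIRB="/home/${ACCTB}"
LDIFDIR="${DIR}/ldif"
# Exit status of the most recent probe; written by run_probe, read by
# fail_probe.
RET=0

#######################################
# Append a line to a file unless a line matching a regex is already there.
# Arguments: $1 - file, $2 - grep regex, $3 - line to append
#######################################
ensure_line() {
  if ! grep -q -- "$2" "$1"; then
    printf '%s\n' "$3" >> "$1"
  fi
}

#######################################
# Run the sudo probe as a test account and record its exit status in RET.
# Stale ~/stdout and ~/stderr from an earlier run are removed first so the
# checks only ever see this probe's output.
# Arguments: $1 - account, $2 - its home directory, $3 - password to offer
#######################################
run_probe() {
  rm -f -- "$2/stdout" "$2/stderr"
  RET=0
  su - "$1" -c "${COMMONDIR}/asuser $3" || RET=$?
}

#######################################
# Print the probe's captured stdout and stderr with "==> file <==" headers
# (head -n-0 prints every line; GNU extension).
# Arguments: $1 - home directory
#######################################
show_probe_output() {
  head -n-0 "$1/stdout" "$1/stderr"
  printf -- "\n-------\n"
}

#######################################
# Report a failed check on stderr, dump the probe's output and abort.
# Arguments: $1 - message, $2 - home directory
#######################################
fail_probe() {
  printf >&2 '%s\n' "$1"
  printf >&2 "stdout:\n"
  cat >&2 -- "$2/stdout" || true
  printf >&2 "stderr:\n"
  cat >&2 -- "$2/stderr" || true
  printf >&2 "\nexit code %s\n" "${RET}"
  printf >&2 -- "------\n exit 1\n"
  exit 1
}

#######################################
# Require each fixed string to appear in the probe's ~/stderr; the matching
# line is echoed as evidence, a missing one aborts the run.
# Arguments: $1 - home directory, remaining - strings that must be present
#######################################
require_in_stderr() {
  _home=$1
  shift
  for _needle in "$@"; do
    if ! grep -F -- "${_needle}" "${_home}/stderr"; then
      fail_probe "${_needle} missing in stderr output" "${_home}"
    fi
  done
}

# Cleanup on any exit path; "$(pidof slapd)" is deliberately unquoted so
# several pids become separate arguments.
trap '
kill $(pidof slapd) 2>/dev/null || true
deluser --remove-home "${ACCTA}" 2>/dev/null || true
deluser --remove-home "${ACCTB}" 2>/dev/null || true
mv /etc/disabled.sudoers /etc/sudoers 2>/dev/null || true
' 0 INT QUIT ABRT PIPE TERM

# Let tcp_wrappers accept connections to slapd; checked again below after
# dpkg-reconfigure in case the file was touched by it.
ensure_line /etc/hosts.allow '^slapd: ALL' "slapd: ALL"
< "${LDIFDIR}/debconf" debconf-set-selections
printf "clean up ldap database ... "
rm -rf /var/lib/ldap/*.mdb
printf "reconfigure slapd ... "
DEBIAN_FRONTEND=noninteractive dpkg-reconfigure -pcritical slapd 2>/dev/null
ensure_line /etc/hosts.allow '^slapd: ALL$' "slapd: ALL"
printf "start slapd ... "
slapd -h 'ldap://127.0.0.1:11389/ ldapi:///' -g openldap -u openldap -F /etc/ldap/slapd.d
echo "URI ldap://127.0.0.1:11389" > /etc/ldap/ldap.conf
# ldapsearch -x -LLL -s base -b "" namingContexts should work here
printf "add sudo schema to slapd ... "
< /usr/share/doc/sudo-ldap/schema.olcSudo ldapadd -Y EXTERNAL -H ldapi:/// 2>/dev/null
printf "add sudo group ... "
# "ldappw" is the admin password presumably set through ${LDIFDIR}/debconf
# above -- confirm against that file.
< "${LDIFDIR}/container.ldif" ldapadd -x -D 'cn=admin,dc=example,dc=com' -w ldappw 2>/dev/null
# Make sudo consult LDAP, and only LDAP, for its sudoers source.
if ! grep -q '^sudoers: ldap$' /etc/nsswitch.conf; then
  sed -i '/^sudoers.*/d' /etc/nsswitch.conf
  echo "sudoers: ldap" >> /etc/nsswitch.conf
fi
touch /etc/ldap/ldap.conf
ensure_line /etc/ldap/ldap.conf '^sudoers_base ou=SUDOers,dc=example,dc=com' \
  "sudoers_base ou=SUDOers,dc=example,dc=com"
printf "reconfigure sudo-ldap (#1001851) ... "
DEBIAN_FRONTEND=noninteractive dpkg-reconfigure -pcritical sudo-ldap 2>/dev/null
printf "cvtsudoers into sudoers.ldif ... "
cvtsudoers -b ou=SUDOers,dc=example,dc=com -o "${LDIFDIR}/sudoers.ldif" /etc/sudoers
printf "\n cat sudoers.ldif\n"
cat "${LDIFDIR}/sudoers.ldif"
printf "pull sudoers.ldif into ldap ..."
< "${LDIFDIR}/sudoers.ldif" ldapadd -x -D 'cn=admin,dc=example,dc=com' -w ldappw
# ldapsearch -x -LLL -b "ou=SUDOers,dc=example,dc=com" should work here
printf "move away sudoers ...\n"
# From here on only the LDAP sudoers exists; the trap moves the file back.
mv /etc/sudoers /etc/disabled.sudoers

printf "========= test %s.1: account group member, correct password\n" "${TESTNR}"
# Give the local host name a loopback entry -- presumably so su/sudo can
# resolve it; confirm if this line is ever changed.
printf > /etc/hosts "127.0.1.1 %s\n" "$(hostname)"
deluser "${ACCTA}" 2>/dev/null || true
adduser --disabled-password --home "${HOMEDIRA}" --gecos "" "${ACCTA}"
printf "%s:%s\n" "${ACCTA}" "${PASSWD}" | chpasswd
adduser "${ACCTA}" sudo
printf "trying %s with correct password\n" "${ACCTA}"
run_probe "${ACCTA}" "${HOMEDIRA}" "${PASSWD}"
printf "%s with correct password, return value %s\n" "${ACCTA}" "${RET}"
if [ "$(cat "${HOMEDIRA}/stdout")" != "0" ]; then
  fail_probe "id -u did not give 0" "${HOMEDIRA}"
fi

printf "========= test %s.2: account group member, wrong password\n" "${TESTNR}"
printf "trying %s with wrong password\n" "${ACCTA}"
run_probe "${ACCTA}" "${HOMEDIRA}" wrongpasswd
printf "%s with wrong password, return value %s\n" "${ACCTA}" "${RET}"
show_probe_output "${HOMEDIRA}"
require_in_stderr "${HOMEDIRA}" \
  "[sudo] password for ${ACCTA}" \
  "Sorry, try again" \
  "sudo: no password was provided" \
  "sudo: 1 incorrect password attempt"

printf "========= test %s.3: account not group member, correct password\n" "${TESTNR}"
deluser "${ACCTB}" 2>/dev/null || true
adduser --disabled-password --home "${HOMEDIRB}" --gecos "" "${ACCTB}"
printf "%s:%s\n" "${ACCTB}" "${PASSWD}" | chpasswd
printf "trying %s (no sudo membership) with correct password\n" "${ACCTB}"
run_probe "${ACCTB}" "${HOMEDIRB}" "${PASSWD}"
printf "%s with correct password, return value %s\n" "${ACCTB}" "${RET}"
show_probe_output "${HOMEDIRB}"
require_in_stderr "${HOMEDIRB}" \
  "[sudo] password for ${ACCTB}" \
  "${ACCTB} is not allowed to run sudo on"
printf "test series successful, exit 0\n"
exit 0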