Loading nixos/tests/sssd-ldap.nix +148 −79 Original line number Diff line number Diff line Loading @@ -6,7 +6,10 @@ let ldapRootPassword = "foobar"; testUser = "alice"; in import ./make-test-python.nix ({pkgs, ...}: { testPassword = "foobar"; testNewPassword = "barfoo"; in import ./make-test-python.nix ({pkgs, ...}: { name = "sssd-ldap"; meta = with pkgs.lib.maintainers; { Loading @@ -14,9 +17,23 @@ in import ./make-test-python.nix ({pkgs, ...}: { }; nodes.machine = {pkgs, ...}: { security.pam.services.systemd-user.makeHomeDir = true; environment.etc."cert.pem".text = builtins.readFile ./common/acme/server/acme.test.cert.pem; environment.etc."key.pem".text = builtins.readFile ./common/acme/server/acme.test.key.pem; services.openldap = { enable = true; urlList = [ "ldap:///" "ldaps:///" ]; settings = { attrs = { olcLogLevel = "conns config"; olcTLSCACertificateFile = "/etc/cert.pem"; olcTLSCertificateFile = "/etc/cert.pem"; olcTLSCertificateKeyFile = "/etc/key.pem"; olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL"; olcTLSCRLCheck = "none"; olcTLSVerifyClient = "never"; olcTLSProtocolMin = "3.1"; }; children = { "cn=schema".includes = [ "${pkgs.openldap}/etc/schema/core.ldif" Loading @@ -32,6 +49,23 @@ in import ./make-test-python.nix ({pkgs, ...}: { olcSuffix = dbSuffix; olcRootDN = "cn=${ldapRootUser},${dbSuffix}"; olcRootPW = ldapRootPassword; olcAccess = [ /* custom access rules for userPassword attributes */ '' {0}to attrs=userPassword by self write by anonymous auth by * none'' /* allow read on anything else */ '' {1}to * by * read'' ]; }; }; }; Loading @@ -55,7 +89,7 @@ in import ./make-test-python.nix ({pkgs, ...}: { dn: uid=${testUser},ou=accounts,ou=posix,${dbSuffix} objectClass: person objectClass: posixAccount # userPassword: somePasswordHash userPassword: ${testPassword} homeDirectory: /home/${testUser} uidNumber: 1234 gidNumber: 1234 Loading 
@@ -78,7 +112,9 @@ in import ./make-test-python.nix ({pkgs, ...}: { [domain/${dbDomain}] auth_provider = ldap id_provider = ldap ldap_uri = ldap://127.0.0.1:389 ldap_uri = ldaps://127.0.0.1:636 ldap_tls_reqcert = allow ldap_tls_cacert = /etc/cert.pem ldap_search_base = ${dbSuffix} ldap_default_bind_dn = cn=${ldapRootUser},${dbSuffix} ldap_default_authtok_type = password Loading @@ -97,5 +133,38 @@ in import ./make-test-python.nix ({pkgs, ...}: { else: machine.wait_for_console_text("Backend is online") machine.succeed("getent passwd ${testUser}") with subtest("Log in as ${testUser}"): machine.wait_until_tty_matches("1", "login: ") machine.send_chars("${testUser}\n") machine.wait_until_tty_matches("1", "login: ${testUser}") machine.wait_until_succeeds("pgrep login") machine.wait_until_tty_matches("1", "Password: ") machine.send_chars("${testPassword}\n") machine.wait_until_succeeds("pgrep -u ${testUser} bash") machine.send_chars("touch done\n") machine.wait_for_file("/home/${testUser}/done") with subtest("Change ${testUser}'s password"): machine.send_chars("passwd\n") machine.wait_until_tty_matches("1", "Current Password: ") machine.send_chars("${testPassword}\n") machine.wait_until_tty_matches("1", "New Password: ") machine.send_chars("${testNewPassword}\n") machine.wait_until_tty_matches("1", "Reenter new Password: ") machine.send_chars("${testNewPassword}\n") machine.wait_until_tty_matches("1", "passwd: password updated successfully") machine.send_chars("exit\n") with subtest("Log in as ${testUser} with new password"): machine.wait_until_tty_matches("1", "login: ") machine.send_chars("${testUser}\n") machine.wait_until_tty_matches("1", "login: ${testUser}") machine.wait_until_succeeds("pgrep login") machine.wait_until_tty_matches("1", "Password: ") machine.send_chars("${testNewPassword}\n") machine.wait_until_succeeds("pgrep -u ${testUser} bash") machine.send_chars("touch done2\n") machine.wait_for_file("/home/${testUser}/done2") ''; }) Loading
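Review bot: The client side downgrades certificate checking with `ldap_tls_reqcert = allow`, so the move to `ldap_uri = ldaps://127.0.0.1:636` in this hunk passes even if `ldap_tls_cacert` pointed at the wrong certificate or the server presented none — the test exercises the TLS transport but never proves that sssd trusts the right server. If the reused ACME test certificate covers the address in `ldap_uri` (or the URI can be switched to a name it does cover), `ldap_tls_reqcert = demand` would make the cacert line load-bearing; if it cannot, a comment next to the line such as `# allow: the test cert does not match 127.0.0.1; server trust is not what this test checks` keeps the relaxation from being copied into real deployments. Note also that sssd binds as the directory root DN (`ldap_default_bind_dn = cn=${ldapRootUser},...`), which bypasses the new `olcAccess` rules entirely, so those rules are only exercised by the `passwd` flow, not by the id lookups. The sssd config string and the Python test script both continue past the visible hunk lines.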
nixos/tests/sssd-ldap.nix +148 −79 Original line number Diff line number Diff line Loading @@ -6,7 +6,10 @@ let ldapRootPassword = "foobar"; testUser = "alice"; in import ./make-test-python.nix ({pkgs, ...}: { testPassword = "foobar"; testNewPassword = "barfoo"; in import ./make-test-python.nix ({pkgs, ...}: { name = "sssd-ldap"; meta = with pkgs.lib.maintainers; { Loading @@ -14,9 +17,23 @@ in import ./make-test-python.nix ({pkgs, ...}: { }; nodes.machine = {pkgs, ...}: { security.pam.services.systemd-user.makeHomeDir = true; environment.etc."cert.pem".text = builtins.readFile ./common/acme/server/acme.test.cert.pem; environment.etc."key.pem".text = builtins.readFile ./common/acme/server/acme.test.key.pem; services.openldap = { enable = true; urlList = [ "ldap:///" "ldaps:///" ]; settings = { attrs = { olcLogLevel = "conns config"; olcTLSCACertificateFile = "/etc/cert.pem"; olcTLSCertificateFile = "/etc/cert.pem"; olcTLSCertificateKeyFile = "/etc/key.pem"; olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL"; olcTLSCRLCheck = "none"; olcTLSVerifyClient = "never"; olcTLSProtocolMin = "3.1"; }; children = { "cn=schema".includes = [ "${pkgs.openldap}/etc/schema/core.ldif" Loading @@ -32,6 +49,23 @@ in import ./make-test-python.nix ({pkgs, ...}: { olcSuffix = dbSuffix; olcRootDN = "cn=${ldapRootUser},${dbSuffix}"; olcRootPW = ldapRootPassword; olcAccess = [ /* custom access rules for userPassword attributes */ '' {0}to attrs=userPassword by self write by anonymous auth by * none'' /* allow read on anything else */ '' {1}to * by * read'' ]; }; }; }; Loading @@ -55,7 +89,7 @@ in import ./make-test-python.nix ({pkgs, ...}: { dn: uid=${testUser},ou=accounts,ou=posix,${dbSuffix} objectClass: person objectClass: posixAccount # userPassword: somePasswordHash userPassword: ${testPassword} homeDirectory: /home/${testUser} uidNumber: 1234 gidNumber: 1234 Loading 
@@ -78,7 +112,9 @@ in import ./make-test-python.nix ({pkgs, ...}: { [domain/${dbDomain}] auth_provider = ldap id_provider = ldap ldap_uri = ldap://127.0.0.1:389 ldap_uri = ldaps://127.0.0.1:636 ldap_tls_reqcert = allow ldap_tls_cacert = /etc/cert.pem ldap_search_base = ${dbSuffix} ldap_default_bind_dn = cn=${ldapRootUser},${dbSuffix} ldap_default_authtok_type = password Loading @@ -97,5 +133,38 @@ in import ./make-test-python.nix ({pkgs, ...}: { else: machine.wait_for_console_text("Backend is online") machine.succeed("getent passwd ${testUser}") with subtest("Log in as ${testUser}"): machine.wait_until_tty_matches("1", "login: ") machine.send_chars("${testUser}\n") machine.wait_until_tty_matches("1", "login: ${testUser}") machine.wait_until_succeeds("pgrep login") machine.wait_until_tty_matches("1", "Password: ") machine.send_chars("${testPassword}\n") machine.wait_until_succeeds("pgrep -u ${testUser} bash") machine.send_chars("touch done\n") machine.wait_for_file("/home/${testUser}/done") with subtest("Change ${testUser}'s password"): machine.send_chars("passwd\n") machine.wait_until_tty_matches("1", "Current Password: ") machine.send_chars("${testPassword}\n") machine.wait_until_tty_matches("1", "New Password: ") machine.send_chars("${testNewPassword}\n") machine.wait_until_tty_matches("1", "Reenter new Password: ") machine.send_chars("${testNewPassword}\n") machine.wait_until_tty_matches("1", "passwd: password updated successfully") machine.send_chars("exit\n") with subtest("Log in as ${testUser} with new password"): machine.wait_until_tty_matches("1", "login: ") machine.send_chars("${testUser}\n") machine.wait_until_tty_matches("1", "login: ${testUser}") machine.wait_until_succeeds("pgrep login") machine.wait_until_tty_matches("1", "Password: ") machine.send_chars("${testNewPassword}\n") machine.wait_until_succeeds("pgrep -u ${testUser} bash") machine.send_chars("touch done2\n") machine.wait_for_file("/home/${testUser}/done2") ''; })
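Review bot: The server-side TLS attributes added to the openldap `attrs` block look like the verbatim example from the OpenLDAP admin guide — `olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL"` enables anonymous (unauthenticated) key exchange plus RC4/3DES suites, and `olcTLSProtocolMin = "3.1"` admits TLS 1.0. Nothing in the visible test depends on those legacy suites, so tightening to `olcTLSCipherSuite = "HIGH"; olcTLSProtocolMin = "3.3";` (TLS 1.2 minimum) would stop the test from documenting a configuration operators should not copy; if the packaged OpenLDAP's TLS backend rejects either value, a comment on the line should say so. Separately, the private key is shipped via `environment.etc."key.pem".text`, which presumably lands in the world-readable store — acceptable for a throwaway test key, but a one-line comment like `# test-only key; never ship a real key through environment.etc` would prevent it being taken as a pattern. The `attrs` set and the surrounding `services.openldap` definition extend beyond the visible hunk.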