let
  # Naming context shared by slapd and the SSSD domain below.
  dbDomain = "example.org";
  dbSuffix = "dc=example,dc=org";

  # Directory manager (rootdn) account.  The password is a literal in this
  # expression and is also written into a store file for sssd, so it is
  # world-readable on the VM — tolerable only because this is a throwaway test.
  ldapRootUser = "admin";
  ldapRootPassword = "foobar";
  ldapRootDn = "cn=${ldapRootUser},${dbSuffix}";

  # POSIX account that the test resolves through NSS.  It carries no
  # userPassword, so only identity lookup is exercised, not authentication.
  testUser = "alice";
  testUserDn = "uid=${testUser},ou=accounts,ou=posix,${dbSuffix}";

  # Schemas providing dcObject/organization, person and posixAccount.
  schemaNames = [ "core" "cosine" "inetorgperson" "nis" ];
in import ./make-test-python.nix ({ pkgs, ... }: {
  name = "sssd-ldap";

  meta.maintainers = with pkgs.lib.maintainers; [ bbigras ];

  nodes.machine = { pkgs, ... }: {
    services.openldap = {
      enable = true;
      settings.children = {
        "cn=schema".includes =
          map (s: "${pkgs.openldap}/etc/schema/${s}.ldif") schemaNames;
        "olcDatabase={1}mdb".attrs = {
          objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
          olcDatabase = "{1}mdb";
          olcDbDirectory = "/var/lib/openldap/db";
          olcSuffix = dbSuffix;
          olcRootDN = ldapRootDn;
          # Cleartext rootpw; a real deployment would use a {SSHA}/{ARGON2}
          # hash here instead of the literal secret.
          olcRootPW = ldapRootPassword;
        };
      };
      # Seed data loaded at service start; the suffix entry, two OUs and the
      # single test account.
      declarativeContents.${dbSuffix} = ''
        dn: ${dbSuffix}
        objectClass: top
        objectClass: dcObject
        objectClass: organization
        o: ${dbDomain}

        dn: ou=posix,${dbSuffix}
        objectClass: top
        objectClass: organizationalUnit

        dn: ou=accounts,ou=posix,${dbSuffix}
        objectClass: top
        objectClass: organizationalUnit

        dn: ${testUserDn}
        objectClass: person
        objectClass: posixAccount
        # userPassword: somePasswordHash
        homeDirectory: /home/${testUser}
        uidNumber: 1234
        gidNumber: 1234
        cn: ""
        sn: ""
      '';
    };

    services.sssd = {
      enable = true;
      # just for testing purposes, don't put this into the Nix store in production!
      # The bind password is substituted into the config via $LDAP_BIND_PW.
      environmentFile = "${pkgs.writeText "ldap-root" "LDAP_BIND_PW=${ldapRootPassword}"}";
      # Security notes for anyone copying this as a template:
      #  - the domain binds as the directory rootdn, i.e. with full write
      #    access; production should use a dedicated read-only bind account;
      #  - ldap_uri is plaintext over loopback, which is fine for a one-VM
      #    test but would expose the bind password on a real network
      #    (use ldaps:// or ldap_id_use_start_tls with ldap_tls_reqcert).
      config = ''
        [sssd]
        config_file_version = 2
        services = nss, pam, sudo
        domains = ${dbDomain}

        [domain/${dbDomain}]
        auth_provider = ldap
        id_provider = ldap
        ldap_uri = ldap://127.0.0.1:389
        ldap_search_base = ${dbSuffix}
        ldap_default_bind_dn = ${ldapRootDn}
        ldap_default_authtok_type = password
        ldap_default_authtok = $LDAP_BIND_PW
      '';
    };
  };

  # Resolve the LDAP user through NSS.  sssd may report "running" before its
  # LDAP backend has connected, so a failed first lookup waits for the backend
  # to come online and then retries once, hard.
  testScript = ''
    machine.start()
    machine.wait_for_unit("openldap.service")
    machine.wait_for_unit("sssd.service")
    result = machine.execute("getent passwd ${testUser}")
    if result[0] == 0:
      assert "${testUser}" in result[1]
    else:
      machine.wait_for_console_text("Backend is online")
      machine.succeed("getent passwd ${testUser}")
  '';
})