add test for ldap

seed/dovecot/tests/test_imap.py

@@ -1,6 +1,5 @@
 from yaml import load, SafeLoader
 from os import environ
-from os.path import isdir
 import pytest
 
 from imaplib2 import IMAP4_SSL
@@ -33,12 +32,8 @@ def test_imap_wrong_password(typ, username, password):
 
 @pytest.mark.parametrize('typ, username, password', parameters)
 def test_imap_migration(typ, username, password):
-    if typ == 'family':
-        dirname = f'/var/lib/risotto/srv/{data["dns"]}/home/families/{data["name_family"]}/{username}'
-    else:
-        dirname = f'/var/lib/risotto/srv/{data["dns"]}/home/users/{username}'
     msg = get_msg(username, 'MIGRATION')
-    if not isdir(dirname):
+    if 'FIRST_RUN' in environ:
         smtp = SMTP(data['address'], '587')
         smtp.starttls()
         smtp.login(username, password)

seed/lemonldap/dictionaries/70_lemonldap_ng.xml

@@ -18,7 +18,9 @@
       <file>/etc/lemonldap-ng/nginx-lmlog.conf</file>
       <file>/etc/default/lemonldap-ng-fastcgi-server</file>
       <file mode="750">/sbin/interne_well_known.pl</file>
+      <file mode="750">/sbin/wget.pl</file>
       <file engine="none" source="tmpfile-lemonldap.conf">/tmpfiles.d/0lemonldap.conf</file>
+      <file>/tests/lemonldap.yml</file>
     </service>
   </services>
   <variables>

seed/lemonldap/templates/interne_well_known.pl

@@ -1,4 +1,5 @@
 %echo "#!/usr/bin/env perl"
+# retrieve and modify (if no argument) well-known file
 
 use HTTP::Tiny;
 use JSON qw(from_json to_json);
@@ -10,7 +11,11 @@ my $response = HTTP::Tiny->new->get('http://localhost/.well-known/openid-configu
 die "Failed!\n" unless $response->{success};
 
 my $json = from_json($response->{content});
-$json->{token_endpoint} = $baseUrl . 'oauth2/token';
-$json->{userinfo_endpoint} = $baseUrl . 'oauth2/userinfo';
-$json->{jwks_uri} = $baseUrl . 'oauth2/jwks';
+%echo "$num_args = $#ARGV + 1;"
+
+if ($num_args == 0) {
+    $json->{token_endpoint} = $baseUrl . 'oauth2/token';
+    $json->{userinfo_endpoint} = $baseUrl . 'oauth2/userinfo';
+    $json->{jwks_uri} = $baseUrl . 'oauth2/jwks';
+}
 printf to_json($json) . "\n";

seed/lemonldap/templates/lemonldap-ng-fastcgi-server.service

@@ -3,4 +3,5 @@ After=nginx.service
 
 [Service]
 ExecStartPre=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/%%ldap_server_address/%%ldap_port; do sleep 1; done'
-ExecStartPost=-/usr/bin/timeout 10 bash -c 'while ! /usr/local/lib/sbin/interne_well_known.pl > /var/www/html/.well-known/openid-configuration; do sleep 5; done'
+ExecStartPost=-/usr/bin/timeout 10 bash -c 'while ! /usr/local/lib/sbin/interne_well_known.pl > /var/www/html/.well-known/openid-configuration/int; do sleep 5; done'
+ExecStartPost=-/bin/bash -c '/usr/local/lib/sbin/interne_well_known.pl no > /var/www/html/.well-known/openid-configuration/ext'

seed/lemonldap/templates/lemonldap.yml

@@ -0,0 +1,3 @@
+address: %%revprox_client_external_domainname
+internal_address: %%domain_name_eth0
+ip: %%ip_eth0

seed/lemonldap/templates/portal-nginx.conf

@@ -15,24 +15,32 @@ upstream llng_portal_upstream {
     server unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
 }
 
-# GNUNUX server {
-# GNUNUX   listen 127.0.0.1:80;
-# GNUNUX   server_name localhost;
-# GNUNUX   root /usr/share/lemonldap-ng/portal/htdocs/;
-# GNUNUX   if ($uri !~ ^/((static|javascript|favicon|.internal-well-known).*|.*\.psgi)) {
-# GNUNUX     rewrite ^/(.*)$ /index.psgi/$1 break;
-# GNUNUX   }
-# GNUNUX   location ~ ^(?<sc>/.*\.psgi)(?:$|/) {
-# GNUNUX     include /etc/nginx/fastcgi_params;
-# GNUNUX     fastcgi_pass llng_portal_upstream;
-# GNUNUX     fastcgi_param REQUEST_URI /.well-known/openid-configuration;
-# GNUNUX     fastcgi_param HTTP_HOST %%domain_name_eth0;
-# GNUNUX     fastcgi_param LLTYPE psgi;
-# GNUNUX     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-# GNUNUX     fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
-# GNUNUX     fastcgi_param PATH_INFO  $fastcgi_path_info;
-# GNUNUX   }
-# GNUNUX }
+server {
+  listen 127.0.0.1:80;
+  server_name localhost;
+  root /usr/share/lemonldap-ng/portal/htdocs/;
+  if ($uri !~ ^/((static|javascript|favicon|.internal-well-known).*|.*\.psgi)) {
+    rewrite ^/(.*)$ /index.psgi/$1 break;
+  }
+  location ~ ^(?<sc>/.*\.psgi)(?:$|/) {
+    include /etc/nginx/fastcgi_params;
+    fastcgi_pass llng_portal_upstream;
+    fastcgi_param REQUEST_URI /.well-known/openid-configuration;
+    fastcgi_param HTTP_HOST %%domain_name_eth0;
+    fastcgi_param LLTYPE psgi;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
+    fastcgi_param PATH_INFO  $fastcgi_path_info;
+  }
+}
+
+#>GNUNUX
+geo $zone_name {
+  default ext;
+  %%gateway_eth0 ext;
+  %%network_eth0 int;
+}
+#<GNUNUX
 
 server {
   # GNUNUX listen 80;
@@ -163,6 +171,7 @@ server {
   }
 #>GNUNUX
 # rewrite well-known
+  rewrite ^/.well-known/openid-configuration /.well-known/openid-configuration/$zone_name break;
   location /.well-known/openid-configuration {
     root /var/www/html;
   }

seed/lemonldap/templates/tmpfile-lemonldap.conf

@@ -9,4 +9,4 @@ d     /srv/lemonldap-ng/psessions/lock 750 www-data www-data - -
 d     /srv/lemonldap-ng/sessions 750 www-data www-data - -
 d     /srv/lemonldap-ng/sessions/lock 750 www-data www-data - -
 d     /srv/lemonldap-ng/cache 750 www-data www-data - -
-d     /var/www/html/.well-known 755 root root - -
+d     /var/www/html/.well-known/openid-configuration 755 root root - -

seed/lemonldap/templates/wget.pl

@@ -0,0 +1,10 @@
+%echo "#!/usr/bin/env perl"
+
+use HTTP::Tiny;
+use JSON qw(from_json to_json);
+
+my $response = HTTP::Tiny->new->get('https://%%domain_name_eth0/.well-known/openid-configuration');
+
+die "Failed!\n" unless $response->{success};
+
+printf $response->{content} . "\n";

seed/lemonldap/tests/test_lemonldap.py

@@ -0,0 +1,54 @@
+from yaml import load, SafeLoader
+from os import environ
+import warnings
+import socket
+from json import loads
+from requests import get
+
+from execute import run
+
+
+def req(url, ip, verify=True):
+    # Monkey patch to force IPv4 resolution
+    old_getaddrinfo = socket.getaddrinfo
+    def new_getaddrinfo(*args, **kwargs):
+        ret = old_getaddrinfo(*args, **kwargs)
+        dns = list(ret[0])
+        dns[-1] = (ip, dns[-1][1])
+        return [dns]
+    socket.getaddrinfo = new_getaddrinfo
+    ret = get(url, verify=verify)
+    ret_code = ret.status_code
+    content = ret.content
+    socket.getaddrinfo = old_getaddrinfo
+    return ret_code, content.decode()
+
+
+def test_well_known_outside():
+    conf_file = f'{environ["MACHINE_TEST_DIR"]}/lemonldap.yml'
+    with open(conf_file) as yaml:
+        data = load(yaml, Loader=SafeLoader)
+    url = f'https://{data["address"]}/.well-known/openid-configuration'
+    with warnings.catch_warnings():
+        warnings.simplefilter("ignore")
+        ret_code, content = req(url, data['ip'], verify=False)
+    assert ret_code == 200
+    json = loads(content)
+
+    assert data['internal_address'] not in json['token_endpoint']
+    assert data['internal_address'] not in json['userinfo_endpoint']
+    assert data['internal_address'] not in json['jwks_uri']
+
+
+def test_well_known_inside():
+    conf_file = f'{environ["MACHINE_TEST_DIR"]}/lemonldap.yml'
+    with open(conf_file) as yaml:
+        data = load(yaml, Loader=SafeLoader)
+    result = run(data['internal_address'],
+                 ['/usr/local/lib/sbin/wget.pl'],
+                 )
+    json = loads(list(result)[-2])
+
+    assert data['internal_address'] in json['token_endpoint']
+    assert data['internal_address'] in json['userinfo_endpoint']
+    assert data['internal_address'] in json['jwks_uri']

seed/mariadb/dictionaries/20_mariadb.xml

@@ -6,6 +6,7 @@
       <file>/etc/my.cnf.d/risotto.cnf</file>
       <file engine="none" source="tmpfile-mariadb.conf">/tmpfiles.d/0mariadb.conf</file>
       <file mode="600" owner="mysql" group="mysql">/etc/mariadb.sql</file>
+	  <file>/tests/mariadb.yml</file>
     </service>
   </services>
   <variables>

seed/mariadb/templates/mariadb.sql

@@ -1,8 +1,13 @@
+%set %%new_accounts = [('_gateway', 'rougail_test', %%get_password(server_name=%%domain_name_eth0, username='rougail_test', description="remote", type="cleartext", hide=%%hide_secret, temporary=True))]
 %for %%server in %%accounts.remotes
  %set %%name = %%normalize_family(%%server)
  %set %%password = %%accounts['remote_' + %%name]['password_' + %%name]
+ %%new_accounts.append((%%str(%%server), %%name, %%password))
+%end for
+%for %%server, %%name, %%password in %%new_accounts
 CREATE USER IF NOT EXISTS '%%name'@'%%server' IDENTIFIED BY '%%password';
 CREATE DATABASE IF NOT EXISTS %%name CHARACTER SET utf8;
 GRANT ALL PRIVILEGES ON %%name.* TO '%%name'@'%%server' IDENTIFIED BY '%%password';
-FLUSH PRIVILEGES;
 %end for
+FLUSH PRIVILEGES;
+

seed/mariadb/templates/mariadb.yml

@@ -0,0 +1,4 @@
+address: %%ip_eth0
+user: rougail_test
+password: %%get_password(server_name=%%domain_name_eth0, username='rougail_test', description="remote", type="cleartext", hide=%%hide_secret, temporary=True)
+dbname: rougail_test

seed/mariadb/tests/test_mariadb.py

@@ -0,0 +1,80 @@
+from yaml import load, SafeLoader
+from os import environ
+from pytest import raises
+
+from pymysql import connect
+from pymysql.err import OperationalError
+
+
+def test_mariadb_wrong_password():
+    conf_file = f'{environ["MACHINE_TEST_DIR"]}/mariadb.yml'
+    with open(conf_file) as yaml:
+        data = load(yaml, Loader=SafeLoader)
+    with raises(OperationalError):
+        connect(data['address'], data['user'], 'a', data['dbname'])
+
+
+def test_mariadb_connection():
+    conf_file = f'{environ["MACHINE_TEST_DIR"]}/mariadb.yml'
+    with open(conf_file) as yaml:
+        data = load(yaml, Loader=SafeLoader)
+    db = connect(data['address'], data['user'], data['password'], data['dbname'])
+    db.close()
+
+
+def test_mariadb_migration():
+    conf_file = f'{environ["MACHINE_TEST_DIR"]}/mariadb.yml'
+    with open(conf_file) as yaml:
+        data = load(yaml, Loader=SafeLoader)
+    db = connect(data['address'], data['user'], data['password'], data['dbname'])
+    cursor = db.cursor()
+    if 'FIRST_RUN' in environ:
+        sql = """CREATE TABLE test (col  CHAR(20) NOT NULL)"""
+        cursor.execute(sql)
+        sql = """INSERT INTO test (col) VALUES ("test")"""
+        cursor.execute(sql)
+        db.commit()
+    sql = """SELECT * FROM test"""
+    cursor.execute(sql)
+    results = cursor.fetchall()
+    assert len(results) == 1
+    results[0] == ('test',)
+    cursor.close()
+    db.close()
+
+
+def test_mariadb_insert():
+    conf_file = f'{environ["MACHINE_TEST_DIR"]}/mariadb.yml'
+    with open(conf_file) as yaml:
+        data = load(yaml, Loader=SafeLoader)
+    db = connect(data['address'], data['user'], data['password'], data['dbname'])
+    cursor = db.cursor()
+    sql = """INSERT INTO test (col) VALUES ("test2")"""
+    cursor.execute(sql)
+    db.commit()
+    #
+    sql = """SELECT * FROM test WHERE col = 'test2'"""
+    cursor.execute(sql)
+    results = cursor.fetchall()
+    assert len(results) == 1
+    results[0] == ('test2',)
+    cursor.close()
+    db.close()
+
+
+def test_mariadb_delete():
+    conf_file = f'{environ["MACHINE_TEST_DIR"]}/mariadb.yml'
+    with open(conf_file) as yaml:
+        data = load(yaml, Loader=SafeLoader)
+    db = connect(data['address'], data['user'], data['password'], data['dbname'])
+    cursor = db.cursor()
+    sql = """DELETE FROM test WHERE col = 'test2'"""
+    cursor.execute(sql)
+    db.commit()
+    #
+    sql = """SELECT * FROM test WHERE col = 'test2'"""
+    cursor.execute(sql)
+    results = cursor.fetchall()
+    assert len(results) == 0
+    cursor.close()
+    db.close()

seed/nextcloud/DEBUG.md

@@ -34,3 +34,23 @@ php /usr/share/nextcloud/occ ldap:check-user gnunux@gnunux.info
 
 su - apache -s /bin/bash -c "php /usr/share/nextcloud/occ app:disable oidc_login"
 Password : password/nextcloud.in.gnunux.info/nextcloud/admin_password
+
+## The provider authorization_endpoint could not be fetched. Make sure your provider has a well known configuration available.
+
+Vérification :
+
+```
+su - apache -s /bin/bash -c "php /usr/share/nextcloud/occ config:list"|grep know
+```
+
+Suppression de cache nextcloud :
+
+```
+su - apache -s /bin/bash -c "php /usr/share/nextcloud/occ config:app:set --value 0 oidc_login last_updated_well_known"
+```
+
+Sur lemonldap, le script de création du fichier .well-known :
+
+```
+/usr/local/lib/sbin/interne_well_known.pl
+```

seed/openldap/dictionaries/21_openldap-server.xml

@@ -14,6 +14,7 @@
       <file>/secrets/admin_ldap.pwd</file>
       <file engine="none">/sysusers.d/risotto-openldap.conf</file>
       <file source="tmpfile-openldap-server.conf">/tmpfiles.d/0openldap-server.conf</file>
+	  <file>/tests/openldap.yml</file>
     </service>
   </services>
 

seed/openldap/templates/config_acl.ldif

@@ -1,10 +1,22 @@
+%set %%name_family = 'gnunux'
 %set %%dns = {}
 %set %%groups = []
+%%groups.append('cn=remote_test0,' + %%ldapclient_base_dn)%slurp
+%%groups.append('cn=remote_test1,' + %%ldapclient_base_dn)%slurp
+%%groups.append('cn=remote_test2,' + %%ldapclient_base_dn)%slurp
+%%dns.setdefault(None, []).append(('cn=remote_test0,' + %%ldapclient_base_dn, 'read'))%slurp
+%%dns.setdefault('all', []).append(('cn=remote_test1,' + %%ldapclient_base_dn, 'read'))%slurp
+%%dns.setdefault(%%name_family, []).append(('cn=remote_test2,' + %%ldapclient_base_dn, 'read'))%slurp
 %for %%remote in %%accounts.remotes
  %set %%name = %%normalize_family(%%remote)
  %set %%family = %%accounts['remote_' + %%name]['family_' + %%name]
 %%groups.append(%%accounts['remote_' + %%name]['dn_' + %%name])%slurp
-%%dns.setdefault(%%family, []).append((%%accounts['remote_' + %%name]['dn_' + %%name], %%accounts['remote_' + %%name]['read_only_' + %%name]))%slurp
+ %if %%accounts['remote_' + %%name]['read_only_' + %%name]
+  %set %%right = 'read'
+ %else
+  %set %%right = 'write'
+ %end if
+%%dns.setdefault(%%family, []).append((%%accounts['remote_' + %%name]['dn_' + %%name], %%right))%slurp
 %end for
 dn: olcDatabase={2}mdb,cn=config
 changetype:modify
@@ -21,19 +33,28 @@ olcAccess: {1}to dn.subtree="%%ldap_group_dn"
 %set %%aclidx = 2
 %for %%family, %%remotes in %%dns.items()
  %if %%family == 'all'
-olcAccess: {%%aclidx}to dn.subtree="%%ldap_account_dn"
- %else
-olcAccess: {%%aclidx}to dn.subtree="%%calc_ldapclient_base_dn(%%ldapclient_base_dn, %%family)"
+  %continue
  %end if
+olcAccess: {%%aclidx}to dn.subtree="%%calc_ldapclient_base_dn(%%ldapclient_base_dn, %%family)"
     by self read
  %for %%remote in %%remotes
-    by dn="%%remote[0]" %slurp
-  %if %%remote[1]
-read
-  %else
-write
-  %end if
+    by dn="%%remote[0]" %%remote[1]
  %end for
-  %set %%aclidx += 1
+ %if %%family != 'all' and 'all' in %%dns
+  %for %%remote in  %%dns['all']
+    by dn="%%remote[0]" %%remote[1]
+  %end for
+ %end if
+ %set %%aclidx += 1
+ %if %%family != 'all'
     by * none
+ %end if
 %end for
+%if 'all' in %%dns
+olcAccess: {%%aclidx}to dn.subtree="%%ldap_account_dn"
+    by self read
+ %for %%remote in %%dns['all']
+    by dn="%%remote[0]" %%remote[1]
+ %end for
+    by * none
+%end if

seed/openldap/templates/openldap.yml

@@ -0,0 +1,40 @@
+%set %%username = "rougail_test@silique.fr"
+%set %%username_family = "rougail_test@gnunux.info"
+%set %%familydn = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name='gnunux')
+address: %%ip_eth0
+admin_dn: %%ldapclient_user
+admin_password: %%ldapclient_user_password
+user_dn: cn=%%username,%%ldap_user_dn
+user_password: %%get_password(server_name=%%ldap_server_address, username=%%username, description="ldap user", type="cleartext", hide=%%hide_secret, temporary=True)
+user_family_dn: cn=%%username_family,%%familydn
+user_family_password: %%get_password(server_name=%%ldap_server_address, username=%%username_family, description="ldap family user", type="cleartext", hide=%%hide_secret, temporary=True)
+base_account_dn: %%ldap_account_dn
+base_user_dn: %%ldap_user_dn
+base_family_dn: %%familydn
+base_group_dn: %%ldap_group_dn
+%for %%idx in %%range(3)
+  %set %%name = 'remote_test' + %%str(%%idx)
+remote%%idx: cn=%%name,%%ldapclient_base_dn
+remote_password%%idx: %%get_password(server_name=%%domain_name_eth0, username=%%name, description="remote account", type="cleartext", hide=%%hide_secret, temporary=True)
+%end for
+users:
+%for %%user in %%accounts.users.ldap_user_mail
+  %%user: cn=%%user,%%ldap_user_dn
+%end for
+%for %%family in %%accounts.families
+  %set %%families = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, %%family)
+  %for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
+  %%user: cn=%%user,%%families
+  %end for
+%end for
+groups:
+  users:
+%for %%user in %%accounts.users.ldap_user_mail
+    - cn=%%user,%%ldap_user_dn
+%end for
+%for %%family in %%accounts.families
+  %%family:
+  %for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
+    - cn=%%user,%%families
+  %end for
+%end for

seed/openldap/templates/users.ldif

@@ -1,3 +1,4 @@
+%set name_family = 'gnunux'
 # BaseDN
 %set groups = {}
 dn: %%ldapclient_base_dn
@@ -11,13 +12,21 @@ objectClass: organizationalUnit
 %end if
 
 # Remote
+%set %%acc = []
+%for %%idx in %%range(3)
+  %set %%name = 'remote_test' + %%str(%%idx)
+%%acc.append(('cn=' + %%name + ',' + %%ldapclient_base_dn, %%name, %%get_password(server_name=%%domain_name_eth0, username=%%name, description="remote account", type="cleartext", hide=%%hide_secret, temporary=True)))%slurp
+%end for
 %for %%remote in %%accounts.remotes
  %set %%name = %%normalize_family(%%remote)
-dn: %%accounts['remote_' + %%name]['dn_' + %%name]
+%%acc.append((%%accounts['remote_' + %%name]['dn_' + %%name], %%remote, %%accounts['remote_' + %%name]['password_' + %%name]))%slurp
+%end for
+%for %%dn, %%remote, %%password in %%acc
+dn: %%dn
 cn: %%remote
 sn: %%remote
 uid: %%remote
-userPassword:: %%ssha_encode(%%accounts['remote_' + %%name]['password_' + %%name])
+userPassword:: %%ssha_encode(%%password)
 objectClass: top
 objectClass: inetOrgPerson
 

seed/openldap/templates/users_mod.ldif

@@ -1,16 +1,27 @@
+%set groups = {}
 # Remote
+%set %%acc = []
+%for %%idx in %%range(3)
+  %set %%name = 'remote_test' + %%str(%%idx)
+%%acc.append(('cn=' + %%name + ',' + %%ldapclient_base_dn, %%get_password(server_name=%%domain_name_eth0, username=%%name, description="remote account", type="cleartext", hide=%%hide_secret, temporary=True)))%slurp
+%end for
 %for %%remote in %%accounts.remotes
  %set %%name = %%normalize_family(%%remote)
-dn: %%accounts['remote_' + %%name]['dn_' + %%name]
+%%acc.append((%%accounts['remote_' + %%name]['dn_' + %%name], %%accounts['remote_' + %%name]['password_' + %%name]))%slurp
+%end for
+%for %%dn, %%password in %%acc
+dn: %%dn
 changetype: modify
 replace: userPassword
-userPassword:: %%ssha_encode(%%accounts['remote_' + %%name]['password_' + %%name])
+userPassword:: %%ssha_encode(%%password)
 
 %end for
 # Users
 %set %%users = %%ldap_user_dn
 %for %%user in %%accounts.users.ldap_user_mail
-dn: cn=%%user,%%users
+%set %%userdn = 'cn=' + %%user + ',' + %%users
+%%groups.setdefault('users', []).append(%%userdn)%slurp
+dn: %%userdn
 changetype: modify
 #add: objectClass
 #objectClass: inetLocalMailRecipient
@@ -28,7 +39,9 @@ mailLocalAddress: %%alias
 %for %%family in %%accounts.families
   %set %%families = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, %%family)
   %for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
-dn: cn=%%user,%%families
+%set %%userdn = 'cn=' + %%user + ',' + %%families
+%%groups.setdefault(%%family, []).append(%%userdn)%slurp
+dn: %%userdn
 changetype: modify
 #add: objectClass
 #objectClass: inetLocalMailRecipient
@@ -43,3 +56,14 @@ mailLocalAddress: %%alias
 
   %end for
 %end for
+# Groups
+%set %%groupdn = %%ldap_group_dn
+%for %%group, %%members in %%groups.items()
+dn: cn=%%group,%%groupdn
+changetype: modify
+replace: member
+ %for %%member in %%members
+member: %%member
+ %end for
+
+%end for

seed/openldap/tests/test_openldap.py

@@ -0,0 +1,162 @@
+from yaml import load, SafeLoader
+from os import environ
+from pytest import raises
+from ldap import NO_SUCH_OBJECT, INVALID_CREDENTIALS, OPT_X_TLS_NEVER, OPT_X_TLS_REQUIRE_CERT, SCOPE_SUBTREE, set_option, initialize
+
+
+def test_ldap_wrong_password():
+    conf_file = f'{environ["MACHINE_TEST_DIR"]}/openldap.yml'
+    with open(conf_file) as yaml:
+        data = load(yaml, Loader=SafeLoader)
+    set_option(OPT_X_TLS_REQUIRE_CERT, OPT_X_TLS_NEVER)
+    l = initialize(f'ldaps://{data["address"]}')
+    with raises(INVALID_CREDENTIALS):
+        l.simple_bind_s(data['admin_dn'], 'a')
+
+
+def test_ldap_admin():
+    conf_file = f'{environ["MACHINE_TEST_DIR"]}/openldap.yml'
+    with open(conf_file) as yaml:
+        data = load(yaml, Loader=SafeLoader)
+    set_option(OPT_X_TLS_REQUIRE_CERT, OPT_X_TLS_NEVER)
+    l = initialize(f'ldaps://{data["address"]}')
+    l.simple_bind_s(data['admin_dn'], data['admin_password'])
+
+    assert l.search_s(data['base_account_dn'], SCOPE_SUBTREE,'(objectClass=inetOrgPerson)',['cn'])
+
+
+def test_ldap_accounts():
+    conf_file = f'{environ["MACHINE_TEST_DIR"]}/openldap.yml'
+    with open(conf_file) as yaml:
+        data = load(yaml, Loader=SafeLoader)
+    set_option(OPT_X_TLS_REQUIRE_CERT, OPT_X_TLS_NEVER)
+    l = initialize(f'ldaps://{data["address"]}')
+    l.simple_bind_s(data['admin_dn'], data['admin_password'])
+
+    for dn, attrs in l.search_s(data['base_account_dn'], SCOPE_SUBTREE,'(objectClass=inetOrgPerson)',['cn']):
+        cn = attrs['cn'][0].decode()
+        assert cn in data['users']
+        assert data['users'][cn] == dn
+        del data['users'][cn]
+
+    # all users are retrieved
+    assert not data['users']
+
+
+def test_ldap_groups():
+    conf_file = f'{environ["MACHINE_TEST_DIR"]}/openldap.yml'
+    with open(conf_file) as yaml:
+        data = load(yaml, Loader=SafeLoader)
+    set_option(OPT_X_TLS_REQUIRE_CERT, OPT_X_TLS_NEVER)
+    l = initialize(f'ldaps://{data["address"]}')
+    l.simple_bind_s(data['admin_dn'], data['admin_password'])
+
+    for dn, attrs in l.search_s(data['base_group_dn'], SCOPE_SUBTREE,'(objectClass=groupOfNames)',['cn', 'member']):
+        cn = attrs['cn'][0].decode()
+        assert cn in data['groups']
+        assert set(data['groups'][cn]) == set([member.decode() for member in attrs['member']])
+        del data['groups'][cn]
+
+    # all groups are retrieved
+    assert not data['groups']
+
+
+def test_ldap_user():
+    conf_file = f'{environ["MACHINE_TEST_DIR"]}/openldap.yml'
+    with open(conf_file) as yaml:
+        data = load(yaml, Loader=SafeLoader)
+    set_option(OPT_X_TLS_REQUIRE_CERT, OPT_X_TLS_NEVER)
+    l = initialize(f'ldaps://{data["address"]}')
+    l.simple_bind_s(data['user_dn'], data['user_password'])
+
+
+def test_ldap_user_family():
+    conf_file = f'{environ["MACHINE_TEST_DIR"]}/openldap.yml'
+    with open(conf_file) as yaml:
+        data = load(yaml, Loader=SafeLoader)
+    set_option(OPT_X_TLS_REQUIRE_CERT, OPT_X_TLS_NEVER)
+    l = initialize(f'ldaps://{data["address"]}')
+    l.simple_bind_s(data['user_family_dn'], data['user_family_password'])
+
+
+def test_ldap_remote_auth():
+    conf_file = f'{environ["MACHINE_TEST_DIR"]}/openldap.yml'
+    with open(conf_file) as yaml:
+        data = load(yaml, Loader=SafeLoader)
+    set_option(OPT_X_TLS_REQUIRE_CERT, OPT_X_TLS_NEVER)
+    l = initialize(f'ldaps://{data["address"]}')
+    l.simple_bind_s(data['remote0'], data['remote_password0'])
+    l.simple_bind_s(data['remote1'], data['remote_password1'])
+    l.simple_bind_s(data['remote2'], data['remote_password2'])
+
+
+def test_ldap_remote_base():
+    conf_file = f'{environ["MACHINE_TEST_DIR"]}/openldap.yml'
+    with open(conf_file) as yaml:
+        data = load(yaml, Loader=SafeLoader)
+    set_option(OPT_X_TLS_REQUIRE_CERT, OPT_X_TLS_NEVER)
+    l = initialize(f'ldaps://{data["address"]}')
+    #
+    l.simple_bind_s(data['remote0'], data['remote_password0'])
+    with raises(NO_SUCH_OBJECT):
+        l.search_s(data['base_account_dn'], SCOPE_SUBTREE,'(objectClass=inetOrgPerson)',['cn'])
+    #
+    l.simple_bind_s(data['remote1'], data['remote_password1'])
+    l.search_s(data['base_account_dn'], SCOPE_SUBTREE,'(objectClass=inetOrgPerson)',['cn'])
+    #
+    l.simple_bind_s(data['remote2'], data['remote_password2'])
+    with raises(NO_SUCH_OBJECT):
+        l.search_s(data['base_account_dn'], SCOPE_SUBTREE,'(objectClass=inetOrgPerson)',['cn'])
+
+
+def test_ldap_remote_users():
+    conf_file = f'{environ["MACHINE_TEST_DIR"]}/openldap.yml'
+    with open(conf_file) as yaml:
+        data = load(yaml, Loader=SafeLoader)
+    set_option(OPT_X_TLS_REQUIRE_CERT, OPT_X_TLS_NEVER)
+    l = initialize(f'ldaps://{data["address"]}')
+    #
+    l.simple_bind_s(data['remote0'], data['remote_password0'])
+    l.search_s(data['base_user_dn'], SCOPE_SUBTREE,'(objectClass=inetOrgPerson)',['cn'])
+    #
+    l.simple_bind_s(data['remote1'], data['remote_password1'])
+    l.search_s(data['base_user_dn'], SCOPE_SUBTREE,'(objectClass=inetOrgPerson)',['cn'])
+    #
+    l.simple_bind_s(data['remote2'], data['remote_password2'])
+    with raises(NO_SUCH_OBJECT):
+        l.search_s(data['base_user_dn'], SCOPE_SUBTREE,'(objectClass=inetOrgPerson)',['cn'])
+
+
+def test_ldap_remote_family():
+    conf_file = f'{environ["MACHINE_TEST_DIR"]}/openldap.yml'
+    with open(conf_file) as yaml:
+        data = load(yaml, Loader=SafeLoader)
+    set_option(OPT_X_TLS_REQUIRE_CERT, OPT_X_TLS_NEVER)
+    l = initialize(f'ldaps://{data["address"]}')
+    #
+    l.simple_bind_s(data['remote0'], data['remote_password0'])
+    with raises(NO_SUCH_OBJECT):
+        l.search_s(data['base_family_dn'], SCOPE_SUBTREE,'(objectClass=inetOrgPerson)',['cn'])
+    #
+    l.simple_bind_s(data['remote1'], data['remote_password1'])
+    l.search_s(data['base_family_dn'], SCOPE_SUBTREE,'(objectClass=inetOrgPerson)',['cn'])
+    #
+    l.simple_bind_s(data['remote2'], data['remote_password2'])
+    l.search_s(data['base_family_dn'], SCOPE_SUBTREE,'(objectClass=inetOrgPerson)',['cn'])
+
+
+def test_ldap_remote_group():
+    conf_file = f'{environ["MACHINE_TEST_DIR"]}/openldap.yml'
+    with open(conf_file) as yaml:
+        data = load(yaml, Loader=SafeLoader)
+    set_option(OPT_X_TLS_REQUIRE_CERT, OPT_X_TLS_NEVER)
+    l = initialize(f'ldaps://{data["address"]}')
+    #
+    l.simple_bind_s(data['remote0'], data['remote_password0'])
+    l.search_s(data['base_group_dn'], SCOPE_SUBTREE,'(objectClass=groupOfNames)',['cn'])
+    #
+    l.simple_bind_s(data['remote1'], data['remote_password1'])
+    l.search_s(data['base_group_dn'], SCOPE_SUBTREE,'(objectClass=groupOfNames)',['cn'])
+    #
+    l.simple_bind_s(data['remote2'], data['remote_password2'])
+    l.search_s(data['base_group_dn'], SCOPE_SUBTREE,'(objectClass=groupOfNames)',['cn'])