gnunux/dataset
1
0
Fork 0
forked from stove/dataset
Code Issues Pull requests Projects Releases Wiki Activity

Compare commits

base: gnunux:f33c8f2d37b399af8a7b3f68a08ab5c1569df50e
Branches Tags
gnunux:main
gnunux:develop
stove:main
..
compare: gnunux:4d98ec14f1f7a2af450f492a70a17867e3646175
Branches Tags
gnunux:main
gnunux:develop
stove:main

No commits in common. "f33c8f2d37b399af8a7b3f68a08ab5c1569df50e" and "4d98ec14f1f7a2af450f492a70a17867e3646175" have entirely different histories.
f33c8f2d37 ... 4d98ec14f1

20 changed files with 47 additions and 493 deletions
Show stats Expand all files Collapse all files

7
seed/dovecot/tests/test_imap.py
View file

@ -1,5 +1,6 @@
from yaml import load, SafeLoader from yaml import load, SafeLoader
from os import environ from os import environ
from os.path import isdir
import pytest import pytest
from imaplib2 import IMAP4_SSL from imaplib2 import IMAP4_SSL
@ -32,8 +33,12 @@ def test_imap_wrong_password(typ, username, password):
@pytest.mark.parametrize('typ, username, password', parameters) @pytest.mark.parametrize('typ, username, password', parameters)
def test_imap_migration(typ, username, password): def test_imap_migration(typ, username, password):
if typ == 'family':
dirname = f'/var/lib/risotto/srv/{data["dns"]}/home/families/{data["name_family"]}/{username}'
else:
dirname = f'/var/lib/risotto/srv/{data["dns"]}/home/users/{username}'
msg = get_msg(username, 'MIGRATION') msg = get_msg(username, 'MIGRATION')
if 'FIRST_RUN' in environ: if not isdir(dirname):
smtp = SMTP(data['address'], '587') smtp = SMTP(data['address'], '587')
smtp.starttls() smtp.starttls()
smtp.login(username, password) smtp.login(username, password)

2
seed/lemonldap/dictionaries/70_lemonldap_ng.xml
View file

@ -18,9 +18,7 @@
<file>/etc/lemonldap-ng/nginx-lmlog.conf</file> <file>/etc/lemonldap-ng/nginx-lmlog.conf</file>
<file>/etc/default/lemonldap-ng-fastcgi-server</file> <file>/etc/default/lemonldap-ng-fastcgi-server</file>
<file mode="750">/sbin/interne_well_known.pl</file> <file mode="750">/sbin/interne_well_known.pl</file>
<file mode="750">/sbin/wget.pl</file>
<file engine="none" source="tmpfile-lemonldap.conf">/tmpfiles.d/0lemonldap.conf</file> <file engine="none" source="tmpfile-lemonldap.conf">/tmpfiles.d/0lemonldap.conf</file>
<file>/tests/lemonldap.yml</file>
</service> </service>
</services> </services>
<variables> <variables>

11
seed/lemonldap/templates/interne_well_known.pl
View file

@ -1,5 +1,4 @@
%echo "#!/usr/bin/env perl" %echo "#!/usr/bin/env perl"
# retrieve and modify (if no argument) well-known file
use HTTP::Tiny; use HTTP::Tiny;
use JSON qw(from_json to_json); use JSON qw(from_json to_json);
@ -11,11 +10,7 @@ my $response = HTTP::Tiny->new->get('http://localhost/.well-known/openid-configu
die "Failed!\n" unless $response->{success}; die "Failed!\n" unless $response->{success};
my $json = from_json($response->{content}); my $json = from_json($response->{content});
%echo "$num_args = $#ARGV + 1;" $json->{token_endpoint} = $baseUrl . 'oauth2/token';
$json->{userinfo_endpoint} = $baseUrl . 'oauth2/userinfo';
if ($num_args == 0) { $json->{jwks_uri} = $baseUrl . 'oauth2/jwks';
$json->{token_endpoint} = $baseUrl . 'oauth2/token';
$json->{userinfo_endpoint} = $baseUrl . 'oauth2/userinfo';
$json->{jwks_uri} = $baseUrl . 'oauth2/jwks';
}
printf to_json($json) . "\n"; printf to_json($json) . "\n";

3
seed/lemonldap/templates/lemonldap-ng-fastcgi-server.service
View file

@ -3,5 +3,4 @@ After=nginx.service
[Service] [Service]
ExecStartPre=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/%%ldap_server_address/%%ldap_port; do sleep 1; done' ExecStartPre=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/%%ldap_server_address/%%ldap_port; do sleep 1; done'
ExecStartPost=-/usr/bin/timeout 10 bash -c 'while ! /usr/local/lib/sbin/interne_well_known.pl > /var/www/html/.well-known/openid-configuration/int; do sleep 5; done' ExecStartPost=-/usr/bin/timeout 10 bash -c 'while ! /usr/local/lib/sbin/interne_well_known.pl > /var/www/html/.well-known/openid-configuration; do sleep 5; done'
ExecStartPost=-/bin/bash -c '/usr/local/lib/sbin/interne_well_known.pl no > /var/www/html/.well-known/openid-configuration/ext'

3
seed/lemonldap/templates/lemonldap.yml
View file

@ -1,3 +0,0 @@
address: %%revprox_client_external_domainname
internal_address: %%domain_name_eth0
ip: %%ip_eth0

45
seed/lemonldap/templates/portal-nginx.conf
View file

@ -15,32 +15,24 @@ upstream llng_portal_upstream {
server unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock; server unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
} }
server { # GNUNUX server {
listen 127.0.0.1:80; # GNUNUX listen 127.0.0.1:80;
server_name localhost; # GNUNUX server_name localhost;
root /usr/share/lemonldap-ng/portal/htdocs/; # GNUNUX root /usr/share/lemonldap-ng/portal/htdocs/;
if ($uri !~ ^/((static|javascript|favicon|.internal-well-known).*|.*\.psgi)) { # GNUNUX if ($uri !~ ^/((static|javascript|favicon|.internal-well-known).*|.*\.psgi)) {
rewrite ^/(.*)$ /index.psgi/$1 break; # GNUNUX rewrite ^/(.*)$ /index.psgi/$1 break;
} # GNUNUX }
location ~ ^(?<sc>/.*\.psgi)(?:$|/) { # GNUNUX location ~ ^(?<sc>/.*\.psgi)(?:$|/) {
include /etc/nginx/fastcgi_params; # GNUNUX include /etc/nginx/fastcgi_params;
fastcgi_pass llng_portal_upstream; # GNUNUX fastcgi_pass llng_portal_upstream;
fastcgi_param REQUEST_URI /.well-known/openid-configuration; # GNUNUX fastcgi_param REQUEST_URI /.well-known/openid-configuration;
fastcgi_param HTTP_HOST %%domain_name_eth0; # GNUNUX fastcgi_param HTTP_HOST %%domain_name_eth0;
fastcgi_param LLTYPE psgi; # GNUNUX fastcgi_param LLTYPE psgi;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; # GNUNUX fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_split_path_info ^(.*\.psgi)(/.*)$; # GNUNUX fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info; # GNUNUX fastcgi_param PATH_INFO $fastcgi_path_info;
} # GNUNUX }
} # GNUNUX }
#>GNUNUX
geo $zone_name {
default ext;
%%gateway_eth0 ext;
%%network_eth0 int;
}
#<GNUNUX
server { server {
# GNUNUX listen 80; # GNUNUX listen 80;
@ -171,7 +163,6 @@ server {
} }
#>GNUNUX #>GNUNUX
# rewrite well-known # rewrite well-known
rewrite ^/.well-known/openid-configuration /.well-known/openid-configuration/$zone_name break;
location /.well-known/openid-configuration { location /.well-known/openid-configuration {
root /var/www/html; root /var/www/html;
} }

2
seed/lemonldap/templates/tmpfile-lemonldap.conf
View file

@ -9,4 +9,4 @@ d /srv/lemonldap-ng/psessions/lock 750 www-data www-data - -
d /srv/lemonldap-ng/sessions 750 www-data www-data - - d /srv/lemonldap-ng/sessions 750 www-data www-data - -
d /srv/lemonldap-ng/sessions/lock 750 www-data www-data - - d /srv/lemonldap-ng/sessions/lock 750 www-data www-data - -
d /srv/lemonldap-ng/cache 750 www-data www-data - - d /srv/lemonldap-ng/cache 750 www-data www-data - -
d /var/www/html/.well-known/openid-configuration 755 root root - - d /var/www/html/.well-known 755 root root - -

10
seed/lemonldap/templates/wget.pl
View file

@ -1,10 +0,0 @@
%echo "#!/usr/bin/env perl"
use HTTP::Tiny;
use JSON qw(from_json to_json);
my $response = HTTP::Tiny->new->get('https://%%domain_name_eth0/.well-known/openid-configuration');
die "Failed!\n" unless $response->{success};
printf $response->{content} . "\n";

54
seed/lemonldap/tests/test_lemonldap.py
View file

@ -1,54 +0,0 @@
from yaml import load, SafeLoader
from os import environ
import warnings
import socket
from json import loads
from requests import get
from execute import run
def req(url, ip, verify=True):
# Monkey patch to force IPv4 resolution
old_getaddrinfo = socket.getaddrinfo
def new_getaddrinfo(*args, **kwargs):
ret = old_getaddrinfo(*args, **kwargs)
dns = list(ret[0])
dns[-1] = (ip, dns[-1][1])
return [dns]
socket.getaddrinfo = new_getaddrinfo
ret = get(url, verify=verify)
ret_code = ret.status_code
content = ret.content
socket.getaddrinfo = old_getaddrinfo
return ret_code, content.decode()
def test_well_known_outside():
conf_file = f'{environ["MACHINE_TEST_DIR"]}/lemonldap.yml'
with open(conf_file) as yaml:
data = load(yaml, Loader=SafeLoader)
url = f'https://{data["address"]}/.well-known/openid-configuration'
with warnings.catch_warnings():
warnings.simplefilter("ignore")
ret_code, content = req(url, data['ip'], verify=False)
assert ret_code == 200
json = loads(content)
assert data['internal_address'] not in json['token_endpoint']
assert data['internal_address'] not in json['userinfo_endpoint']
assert data['internal_address'] not in json['jwks_uri']
def test_well_known_inside():
conf_file = f'{environ["MACHINE_TEST_DIR"]}/lemonldap.yml'
with open(conf_file) as yaml:
data = load(yaml, Loader=SafeLoader)
result = run(data['internal_address'],
['/usr/local/lib/sbin/wget.pl'],
)
json = loads(list(result)[-2])
assert data['internal_address'] in json['token_endpoint']
assert data['internal_address'] in json['userinfo_endpoint']
assert data['internal_address'] in json['jwks_uri']

1
seed/mariadb/dictionaries/20_mariadb.xml
View file

@ -6,7 +6,6 @@
<file>/etc/my.cnf.d/risotto.cnf</file> <file>/etc/my.cnf.d/risotto.cnf</file>
<file engine="none" source="tmpfile-mariadb.conf">/tmpfiles.d/0mariadb.conf</file> <file engine="none" source="tmpfile-mariadb.conf">/tmpfiles.d/0mariadb.conf</file>
<file mode="600" owner="mysql" group="mysql">/etc/mariadb.sql</file> <file mode="600" owner="mysql" group="mysql">/etc/mariadb.sql</file>
<file>/tests/mariadb.yml</file>
</service> </service>
</services> </services>
<variables> <variables>

7
seed/mariadb/templates/mariadb.sql
View file

@ -1,13 +1,8 @@
%set %%new_accounts = [('_gateway', 'rougail_test', %%get_password(server_name=%%domain_name_eth0, username='rougail_test', description="remote", type="cleartext", hide=%%hide_secret, temporary=True))]
%for %%server in %%accounts.remotes %for %%server in %%accounts.remotes
%set %%name = %%normalize_family(%%server) %set %%name = %%normalize_family(%%server)
%set %%password = %%accounts['remote_' + %%name]['password_' + %%name] %set %%password = %%accounts['remote_' + %%name]['password_' + %%name]
%%new_accounts.append((%%str(%%server), %%name, %%password))
%end for
%for %%server, %%name, %%password in %%new_accounts
CREATE USER IF NOT EXISTS '%%name'@'%%server' IDENTIFIED BY '%%password'; CREATE USER IF NOT EXISTS '%%name'@'%%server' IDENTIFIED BY '%%password';
CREATE DATABASE IF NOT EXISTS %%name CHARACTER SET utf8; CREATE DATABASE IF NOT EXISTS %%name CHARACTER SET utf8;
GRANT ALL PRIVILEGES ON %%name.* TO '%%name'@'%%server' IDENTIFIED BY '%%password'; GRANT ALL PRIVILEGES ON %%name.* TO '%%name'@'%%server' IDENTIFIED BY '%%password';
%end for
FLUSH PRIVILEGES; FLUSH PRIVILEGES;
%end for

4
seed/mariadb/templates/mariadb.yml
View file

@ -1,4 +0,0 @@
address: %%ip_eth0
user: rougail_test
password: %%get_password(server_name=%%domain_name_eth0, username='rougail_test', description="remote", type="cleartext", hide=%%hide_secret, temporary=True)
dbname: rougail_test

80
seed/mariadb/tests/test_mariadb.py
View file

@ -1,80 +0,0 @@
from yaml import load, SafeLoader
from os import environ
from pytest import raises
from pymysql import connect
from pymysql.err import OperationalError
def test_mariadb_wrong_password():
conf_file = f'{environ["MACHINE_TEST_DIR"]}/mariadb.yml'
with open(conf_file) as yaml:
data = load(yaml, Loader=SafeLoader)
with raises(OperationalError):
connect(data['address'], data['user'], 'a', data['dbname'])
def test_mariadb_connection():
conf_file = f'{environ["MACHINE_TEST_DIR"]}/mariadb.yml'
with open(conf_file) as yaml:
data = load(yaml, Loader=SafeLoader)
db = connect(data['address'], data['user'], data['password'], data['dbname'])
db.close()
def test_mariadb_migration():
conf_file = f'{environ["MACHINE_TEST_DIR"]}/mariadb.yml'
with open(conf_file) as yaml:
data = load(yaml, Loader=SafeLoader)
db = connect(data['address'], data['user'], data['password'], data['dbname'])
cursor = db.cursor()
if 'FIRST_RUN' in environ:
sql = """CREATE TABLE test (col CHAR(20) NOT NULL)"""
cursor.execute(sql)
sql = """INSERT INTO test (col) VALUES ("test")"""
cursor.execute(sql)
db.commit()
sql = """SELECT * FROM test"""
cursor.execute(sql)
results = cursor.fetchall()
assert len(results) == 1
results[0] == ('test',)
cursor.close()
db.close()
def test_mariadb_insert():
conf_file = f'{environ["MACHINE_TEST_DIR"]}/mariadb.yml'
with open(conf_file) as yaml:
data = load(yaml, Loader=SafeLoader)
db = connect(data['address'], data['user'], data['password'], data['dbname'])
cursor = db.cursor()
sql = """INSERT INTO test (col) VALUES ("test2")"""
cursor.execute(sql)
db.commit()
#
sql = """SELECT * FROM test WHERE col = 'test2'"""
cursor.execute(sql)
results = cursor.fetchall()
assert len(results) == 1
results[0] == ('test2',)
cursor.close()
db.close()
def test_mariadb_delete():
conf_file = f'{environ["MACHINE_TEST_DIR"]}/mariadb.yml'
with open(conf_file) as yaml:
data = load(yaml, Loader=SafeLoader)
db = connect(data['address'], data['user'], data['password'], data['dbname'])
cursor = db.cursor()
sql = """DELETE FROM test WHERE col = 'test2'"""
cursor.execute(sql)
db.commit()
#
sql = """SELECT * FROM test WHERE col = 'test2'"""
cursor.execute(sql)
results = cursor.fetchall()
assert len(results) == 0
cursor.close()
db.close()

20
seed/nextcloud/DEBUG.md
View file

@ -34,23 +34,3 @@ php /usr/share/nextcloud/occ ldap:check-user gnunux@gnunux.info
su - apache -s /bin/bash -c "php /usr/share/nextcloud/occ app:disable oidc_login" su - apache -s /bin/bash -c "php /usr/share/nextcloud/occ app:disable oidc_login"
Password : password/nextcloud.in.gnunux.info/nextcloud/admin_password Password : password/nextcloud.in.gnunux.info/nextcloud/admin_password
## The provider authorization_endpoint could not be fetched. Make sure your provider has a well known configuration available.
Vérification :
```
su - apache -s /bin/bash -c "php /usr/share/nextcloud/occ config:list"|grep know
```
Suppression de cache nextcloud :
```
su - apache -s /bin/bash -c "php /usr/share/nextcloud/occ config:app:set --value 0 oidc_login last_updated_well_known"
```
Sur lemonldap, le script de création du fichier .well-known :
```
/usr/local/lib/sbin/interne_well_known.pl
```

1
seed/openldap/dictionaries/21_openldap-server.xml
View file

@ -14,7 +14,6 @@
<file>/secrets/admin_ldap.pwd</file> <file>/secrets/admin_ldap.pwd</file>
<file engine="none">/sysusers.d/risotto-openldap.conf</file> <file engine="none">/sysusers.d/risotto-openldap.conf</file>
<file source="tmpfile-openldap-server.conf">/tmpfiles.d/0openldap-server.conf</file> <file source="tmpfile-openldap-server.conf">/tmpfiles.d/0openldap-server.conf</file>
<file>/tests/openldap.yml</file>
</service> </service>
</services> </services>

43
seed/openldap/templates/config_acl.ldif
View file

@ -1,22 +1,10 @@
%set %%name_family = 'gnunux'
%set %%dns = {} %set %%dns = {}
%set %%groups = [] %set %%groups = []
%%groups.append('cn=remote_test0,' + %%ldapclient_base_dn)%slurp
%%groups.append('cn=remote_test1,' + %%ldapclient_base_dn)%slurp
%%groups.append('cn=remote_test2,' + %%ldapclient_base_dn)%slurp
%%dns.setdefault(None, []).append(('cn=remote_test0,' + %%ldapclient_base_dn, 'read'))%slurp
%%dns.setdefault('all', []).append(('cn=remote_test1,' + %%ldapclient_base_dn, 'read'))%slurp
%%dns.setdefault(%%name_family, []).append(('cn=remote_test2,' + %%ldapclient_base_dn, 'read'))%slurp
%for %%remote in %%accounts.remotes %for %%remote in %%accounts.remotes
%set %%name = %%normalize_family(%%remote) %set %%name = %%normalize_family(%%remote)
%set %%family = %%accounts['remote_' + %%name]['family_' + %%name] %set %%family = %%accounts['remote_' + %%name]['family_' + %%name]
%%groups.append(%%accounts['remote_' + %%name]['dn_' + %%name])%slurp %%groups.append(%%accounts['remote_' + %%name]['dn_' + %%name])%slurp
%if %%accounts['remote_' + %%name]['read_only_' + %%name] %%dns.setdefault(%%family, []).append((%%accounts['remote_' + %%name]['dn_' + %%name], %%accounts['remote_' + %%name]['read_only_' + %%name]))%slurp
%set %%right = 'read'
%else
%set %%right = 'write'
%end if
%%dns.setdefault(%%family, []).append((%%accounts['remote_' + %%name]['dn_' + %%name], %%right))%slurp
%end for %end for
dn: olcDatabase={2}mdb,cn=config dn: olcDatabase={2}mdb,cn=config
changetype:modify changetype:modify
@ -33,28 +21,19 @@ olcAccess: {1}to dn.subtree="%%ldap_group_dn"
%set %%aclidx = 2 %set %%aclidx = 2
%for %%family, %%remotes in %%dns.items() %for %%family, %%remotes in %%dns.items()
%if %%family == 'all' %if %%family == 'all'
%continue olcAccess: {%%aclidx}to dn.subtree="%%ldap_account_dn"
%end if %else
olcAccess: {%%aclidx}to dn.subtree="%%calc_ldapclient_base_dn(%%ldapclient_base_dn, %%family)" olcAccess: {%%aclidx}to dn.subtree="%%calc_ldapclient_base_dn(%%ldapclient_base_dn, %%family)"
%end if
by self read by self read
%for %%remote in %%remotes %for %%remote in %%remotes
by dn="%%remote[0]" %%remote[1] by dn="%%remote[0]" %slurp
%if %%remote[1]
read
%else
write
%end if
%end for %end for
%if %%family != 'all' and 'all' in %%dns %set %%aclidx += 1
%for %%remote in %%dns['all']
by dn="%%remote[0]" %%remote[1]
%end for
%end if
%set %%aclidx += 1
%if %%family != 'all'
by * none by * none
%end if
%end for %end for
%if 'all' in %%dns
olcAccess: {%%aclidx}to dn.subtree="%%ldap_account_dn"
by self read
%for %%remote in %%dns['all']
by dn="%%remote[0]" %%remote[1]
%end for
by * none
%end if

40
seed/openldap/templates/openldap.yml
View file

@ -1,40 +0,0 @@
%set %%username = "rougail_test@silique.fr"
%set %%username_family = "rougail_test@gnunux.info"
%set %%familydn = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name='gnunux')
address: %%ip_eth0
admin_dn: %%ldapclient_user
admin_password: %%ldapclient_user_password
user_dn: cn=%%username,%%ldap_user_dn
user_password: %%get_password(server_name=%%ldap_server_address, username=%%username, description="ldap user", type="cleartext", hide=%%hide_secret, temporary=True)
user_family_dn: cn=%%username_family,%%familydn
user_family_password: %%get_password(server_name=%%ldap_server_address, username=%%username_family, description="ldap family user", type="cleartext", hide=%%hide_secret, temporary=True)
base_account_dn: %%ldap_account_dn
base_user_dn: %%ldap_user_dn
base_family_dn: %%familydn
base_group_dn: %%ldap_group_dn
%for %%idx in %%range(3)
%set %%name = 'remote_test' + %%str(%%idx)
remote%%idx: cn=%%name,%%ldapclient_base_dn
remote_password%%idx: %%get_password(server_name=%%domain_name_eth0, username=%%name, description="remote account", type="cleartext", hide=%%hide_secret, temporary=True)
%end for
users:
%for %%user in %%accounts.users.ldap_user_mail
%%user: cn=%%user,%%ldap_user_dn
%end for
%for %%family in %%accounts.families
%set %%families = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, %%family)
%for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
%%user: cn=%%user,%%families
%end for
%end for
groups:
users:
%for %%user in %%accounts.users.ldap_user_mail
- cn=%%user,%%ldap_user_dn
%end for
%for %%family in %%accounts.families
%%family:
%for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
- cn=%%user,%%families
%end for
%end for

13
seed/openldap/templates/users.ldif
View file

@ -1,4 +1,3 @@
%set name_family = 'gnunux'
# BaseDN # BaseDN
%set groups = {} %set groups = {}
dn: %%ldapclient_base_dn dn: %%ldapclient_base_dn
@ -12,21 +11,13 @@ objectClass: organizationalUnit
%end if %end if
# Remote # Remote
%set %%acc = []
%for %%idx in %%range(3)
%set %%name = 'remote_test' + %%str(%%idx)
%%acc.append(('cn=' + %%name + ',' + %%ldapclient_base_dn, %%name, %%get_password(server_name=%%domain_name_eth0, username=%%name, description="remote account", type="cleartext", hide=%%hide_secret, temporary=True)))%slurp
%end for
%for %%remote in %%accounts.remotes %for %%remote in %%accounts.remotes
%set %%name = %%normalize_family(%%remote) %set %%name = %%normalize_family(%%remote)
%%acc.append((%%accounts['remote_' + %%name]['dn_' + %%name], %%remote, %%accounts['remote_' + %%name]['password_' + %%name]))%slurp dn: %%accounts['remote_' + %%name]['dn_' + %%name]
%end for
%for %%dn, %%remote, %%password in %%acc
dn: %%dn
cn: %%remote cn: %%remote
sn: %%remote sn: %%remote
uid: %%remote uid: %%remote
userPassword:: %%ssha_encode(%%password) userPassword:: %%ssha_encode(%%accounts['remote_' + %%name]['password_' + %%name])
objectClass: top objectClass: top
objectClass: inetOrgPerson objectClass: inetOrgPerson

32
seed/openldap/templates/users_mod.ldif
View file

@ -1,27 +1,16 @@
%set groups = {}
# Remote # Remote
%set %%acc = []
%for %%idx in %%range(3)
%set %%name = 'remote_test' + %%str(%%idx)
%%acc.append(('cn=' + %%name + ',' + %%ldapclient_base_dn, %%get_password(server_name=%%domain_name_eth0, username=%%name, description="remote account", type="cleartext", hide=%%hide_secret, temporary=True)))%slurp
%end for
%for %%remote in %%accounts.remotes %for %%remote in %%accounts.remotes
%set %%name = %%normalize_family(%%remote) %set %%name = %%normalize_family(%%remote)
%%acc.append((%%accounts['remote_' + %%name]['dn_' + %%name], %%accounts['remote_' + %%name]['password_' + %%name]))%slurp dn: %%accounts['remote_' + %%name]['dn_' + %%name]
%end for
%for %%dn, %%password in %%acc
dn: %%dn
changetype: modify changetype: modify
replace: userPassword replace: userPassword
userPassword:: %%ssha_encode(%%password) userPassword:: %%ssha_encode(%%accounts['remote_' + %%name]['password_' + %%name])
%end for %end for
# Users # Users
%set %%users = %%ldap_user_dn %set %%users = %%ldap_user_dn
%for %%user in %%accounts.users.ldap_user_mail %for %%user in %%accounts.users.ldap_user_mail
%set %%userdn = 'cn=' + %%user + ',' + %%users dn: cn=%%user,%%users
%%groups.setdefault('users', []).append(%%userdn)%slurp
dn: %%userdn
changetype: modify changetype: modify
#add: objectClass #add: objectClass
#objectClass: inetLocalMailRecipient #objectClass: inetLocalMailRecipient
@ -39,9 +28,7 @@ mailLocalAddress: %%alias
%for %%family in %%accounts.families %for %%family in %%accounts.families
%set %%families = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, %%family) %set %%families = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, %%family)
%for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family] %for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
%set %%userdn = 'cn=' + %%user + ',' + %%families dn: cn=%%user,%%families
%%groups.setdefault(%%family, []).append(%%userdn)%slurp
dn: %%userdn
changetype: modify changetype: modify
#add: objectClass #add: objectClass
#objectClass: inetLocalMailRecipient #objectClass: inetLocalMailRecipient
@ -56,14 +43,3 @@ mailLocalAddress: %%alias
%end for %end for
%end for %end for
# Groups
%set %%groupdn = %%ldap_group_dn
%for %%group, %%members in %%groups.items()
dn: cn=%%group,%%groupdn
changetype: modify
replace: member
%for %%member in %%members
member: %%member
%end for
%end for

162
seed/openldap/tests/test_openldap.py
View file

@ -1,162 +0,0 @@
from yaml import load, SafeLoader
from os import environ
from pytest import raises
from ldap import NO_SUCH_OBJECT, INVALID_CREDENTIALS, OPT_X_TLS_NEVER, OPT_X_TLS_REQUIRE_CERT, SCOPE_SUBTREE, set_option, initialize
def test_ldap_wrong_password():
conf_file = f'{environ["MACHINE_TEST_DIR"]}/openldap.yml'
with open(conf_file) as yaml:
data = load(yaml, Loader=SafeLoader)
set_option(OPT_X_TLS_REQUIRE_CERT, OPT_X_TLS_NEVER)
l = initialize(f'ldaps://{data["address"]}')
with raises(INVALID_CREDENTIALS):
l.simple_bind_s(data['admin_dn'], 'a')
def test_ldap_admin():
conf_file = f'{environ["MACHINE_TEST_DIR"]}/openldap.yml'
with open(conf_file) as yaml:
data = load(yaml, Loader=SafeLoader)
set_option(OPT_X_TLS_REQUIRE_CERT, OPT_X_TLS_NEVER)
l = initialize(f'ldaps://{data["address"]}')
l.simple_bind_s(data['admin_dn'], data['admin_password'])
assert l.search_s(data['base_account_dn'], SCOPE_SUBTREE,'(objectClass=inetOrgPerson)',['cn'])
def test_ldap_accounts():
conf_file = f'{environ["MACHINE_TEST_DIR"]}/openldap.yml'
with open(conf_file) as yaml:
data = load(yaml, Loader=SafeLoader)
set_option(OPT_X_TLS_REQUIRE_CERT, OPT_X_TLS_NEVER)
l = initialize(f'ldaps://{data["address"]}')
l.simple_bind_s(data['admin_dn'], data['admin_password'])
for dn, attrs in l.search_s(data['base_account_dn'], SCOPE_SUBTREE,'(objectClass=inetOrgPerson)',['cn']):
cn = attrs['cn'][0].decode()
assert cn in data['users']
assert data['users'][cn] == dn
del data['users'][cn]
# all users are retrieved
assert not data['users']
def test_ldap_groups():
conf_file = f'{environ["MACHINE_TEST_DIR"]}/openldap.yml'
with open(conf_file) as yaml:
data = load(yaml, Loader=SafeLoader)
set_option(OPT_X_TLS_REQUIRE_CERT, OPT_X_TLS_NEVER)
l = initialize(f'ldaps://{data["address"]}')
l.simple_bind_s(data['admin_dn'], data['admin_password'])
for dn, attrs in l.search_s(data['base_group_dn'], SCOPE_SUBTREE,'(objectClass=groupOfNames)',['cn', 'member']):
cn = attrs['cn'][0].decode()
assert cn in data['groups']
assert set(data['groups'][cn]) == set([member.decode() for member in attrs['member']])
del data['groups'][cn]
# all groups are retrieved
assert not data['groups']
def test_ldap_user():
conf_file = f'{environ["MACHINE_TEST_DIR"]}/openldap.yml'
with open(conf_file) as yaml:
data = load(yaml, Loader=SafeLoader)
set_option(OPT_X_TLS_REQUIRE_CERT, OPT_X_TLS_NEVER)
l = initialize(f'ldaps://{data["address"]}')
l.simple_bind_s(data['user_dn'], data['user_password'])
def test_ldap_user_family():
conf_file = f'{environ["MACHINE_TEST_DIR"]}/openldap.yml'
with open(conf_file) as yaml:
data = load(yaml, Loader=SafeLoader)
set_option(OPT_X_TLS_REQUIRE_CERT, OPT_X_TLS_NEVER)
l = initialize(f'ldaps://{data["address"]}')
l.simple_bind_s(data['user_family_dn'], data['user_family_password'])
def test_ldap_remote_auth():
conf_file = f'{environ["MACHINE_TEST_DIR"]}/openldap.yml'
with open(conf_file) as yaml:
data = load(yaml, Loader=SafeLoader)
set_option(OPT_X_TLS_REQUIRE_CERT, OPT_X_TLS_NEVER)
l = initialize(f'ldaps://{data["address"]}')
l.simple_bind_s(data['remote0'], data['remote_password0'])
l.simple_bind_s(data['remote1'], data['remote_password1'])
l.simple_bind_s(data['remote2'], data['remote_password2'])
def test_ldap_remote_base():
conf_file = f'{environ["MACHINE_TEST_DIR"]}/openldap.yml'
with open(conf_file) as yaml:
data = load(yaml, Loader=SafeLoader)
set_option(OPT_X_TLS_REQUIRE_CERT, OPT_X_TLS_NEVER)
l = initialize(f'ldaps://{data["address"]}')
#
l.simple_bind_s(data['remote0'], data['remote_password0'])
with raises(NO_SUCH_OBJECT):
l.search_s(data['base_account_dn'], SCOPE_SUBTREE,'(objectClass=inetOrgPerson)',['cn'])
#
l.simple_bind_s(data['remote1'], data['remote_password1'])
l.search_s(data['base_account_dn'], SCOPE_SUBTREE,'(objectClass=inetOrgPerson)',['cn'])
#
l.simple_bind_s(data['remote2'], data['remote_password2'])
with raises(NO_SUCH_OBJECT):
l.search_s(data['base_account_dn'], SCOPE_SUBTREE,'(objectClass=inetOrgPerson)',['cn'])
def test_ldap_remote_users():
conf_file = f'{environ["MACHINE_TEST_DIR"]}/openldap.yml'
with open(conf_file) as yaml:
data = load(yaml, Loader=SafeLoader)
set_option(OPT_X_TLS_REQUIRE_CERT, OPT_X_TLS_NEVER)
l = initialize(f'ldaps://{data["address"]}')
#
l.simple_bind_s(data['remote0'], data['remote_password0'])
l.search_s(data['base_user_dn'], SCOPE_SUBTREE,'(objectClass=inetOrgPerson)',['cn'])
#
l.simple_bind_s(data['remote1'], data['remote_password1'])
l.search_s(data['base_user_dn'], SCOPE_SUBTREE,'(objectClass=inetOrgPerson)',['cn'])
#
l.simple_bind_s(data['remote2'], data['remote_password2'])
with raises(NO_SUCH_OBJECT):
l.search_s(data['base_user_dn'], SCOPE_SUBTREE,'(objectClass=inetOrgPerson)',['cn'])
def test_ldap_remote_family():
conf_file = f'{environ["MACHINE_TEST_DIR"]}/openldap.yml'
with open(conf_file) as yaml:
data = load(yaml, Loader=SafeLoader)
set_option(OPT_X_TLS_REQUIRE_CERT, OPT_X_TLS_NEVER)
l = initialize(f'ldaps://{data["address"]}')
#
l.simple_bind_s(data['remote0'], data['remote_password0'])
with raises(NO_SUCH_OBJECT):
l.search_s(data['base_family_dn'], SCOPE_SUBTREE,'(objectClass=inetOrgPerson)',['cn'])
#
l.simple_bind_s(data['remote1'], data['remote_password1'])
l.search_s(data['base_family_dn'], SCOPE_SUBTREE,'(objectClass=inetOrgPerson)',['cn'])
#
l.simple_bind_s(data['remote2'], data['remote_password2'])
l.search_s(data['base_family_dn'], SCOPE_SUBTREE,'(objectClass=inetOrgPerson)',['cn'])
def test_ldap_remote_group():
conf_file = f'{environ["MACHINE_TEST_DIR"]}/openldap.yml'
with open(conf_file) as yaml:
data = load(yaml, Loader=SafeLoader)
set_option(OPT_X_TLS_REQUIRE_CERT, OPT_X_TLS_NEVER)
l = initialize(f'ldaps://{data["address"]}')
#
l.simple_bind_s(data['remote0'], data['remote_password0'])
l.search_s(data['base_group_dn'], SCOPE_SUBTREE,'(objectClass=groupOfNames)',['cn'])
#
l.simple_bind_s(data['remote1'], data['remote_password1'])
l.search_s(data['base_group_dn'], SCOPE_SUBTREE,'(objectClass=groupOfNames)',['cn'])
#
l.simple_bind_s(data['remote2'], data['remote_password2'])
l.search_s(data['base_group_dn'], SCOPE_SUBTREE,'(objectClass=groupOfNames)',['cn'])