diff --git a/roles/ldap_server/molecule.yml b/roles/ldap_server/molecule.yml index 10a0f73ea3a974c21b279ca0bf6c7067ade6b167..24e47385781ce16bf6a57d6c1aa51e2813b94ba2 100644 --- a/roles/ldap_server/molecule.yml +++ b/roles/ldap_server/molecule.yml @@ -20,7 +20,25 @@ vagrant: instances: - name: parameters-mandatory.local + interfaces: + - network_name: private_network + type: static + ip: 10.31.127.10 + auto_config: yes + - name: parameters-optional + interfaces: + - network_name: private_network + type: static + ip: 10.31.127.11 + auto_config: yes + + - name: client + interfaces: + - network_name: private_network + type: static + ip: 10.31.127.12 + auto_config: yes verifier: name: testinfra diff --git a/roles/ldap_server/playbook.yml b/roles/ldap_server/playbook.yml index 6c5847d3999cf876ec6ac4accbb0a1b3e95fdfa2..3317965da8cdebaf4d57856bd5d7b1c98254b881 100644 --- a/roles/ldap_server/playbook.yml +++ b/roles/ldap_server/playbook.yml @@ -12,6 +12,15 @@ - role: ldap_server ldap_admin_password: adminpassword + # ldap_client + ldap_client_config: + - comment: CA truststore + option: TLS_CACERT + value: /etc/ssl/certs/testca.cert.pem + - comment: Ensure TLS is enforced + option: TLS_REQCERT + value: demand + # common vars (not the role, global common) tls_private_key_dir: tests/data/x509/ tls_certificate_dir: tests/data/x509/ @@ -25,7 +34,7 @@ ed25519: "{{ lookup('file', 'tests/data/ssh/server_ed25519') }}" ecdsa: "{{ lookup('file', 'tests/data/ssh/server_ecdsa') }}" backup_clients: - - server: backup + - server: parameters-optional ip: 127.0.0.1 public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}" 
@@ -85,11 +94,11 @@ ldap_server_tls_certificate: "{{ lookup('file', 'tests/data/x509/parameters-optional.cert.pem') }}" ldap_server_tls_key: "{{ lookup('file', 'tests/data/x509/parameters-optional.key.pem') }}" ldap_server_ssf: 0 - ldap_tls_ciphers: "NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA1:+SHA256:+SHA384:+AEAD:+AES-128-GCM:+AES-128-CBC:+AES-256-GCM:+AES-256-CBC:+CURVE-ALL" + ldap_tls_ciphers: "NONE:+VERS-TLS1.1:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA1:+SHA256:+SHA384:+AEAD:+AES-128-GCM:+AES-128-CBC:+AES-256-GCM:+AES-256-CBC:+CURVE-ALL" # ldap_client ldap_client_config: - - comment: Set-up CA truststore + - comment: CA truststore option: TLS_CACERT value: /etc/ssl/certs/testca.cert.pem - comment: Ensure TLS is enforced @@ -109,6 +118,7 @@ - hosts: all tasks: + - name: Deploy CA certificate copy: src: tests/data/x509/ca.cert.pem @@ -116,3 +126,11 @@ owner: root group: root mode: 0644 + +- hosts: client + tasks: + + - name: Install tool for teting TCP connectivity + apt: + name: hping3 + state: installed diff --git a/roles/ldap_server/tasks/main.yml b/roles/ldap_server/tasks/main.yml index 0aca5e5ad2c2f72dc163a3817fbca5edc6f93721..9f07a403a0f7530ef088180827c76ac2f6fb9682 100644 --- a/roles/ldap_server/tasks/main.yml +++ b/roles/ldap_server/tasks/main.yml @@ -4,7 +4,7 @@ debconf: name=slapd question=slapd/domain vtype=string value="{{ ldap_server_domain }}" - name: Set organisation for slapd - debconf: name=slapd question=slapd/organization vtype=string value="{{ ldap_server_organization }}" + debconf: name=slapd question=shared/organization vtype=string value="{{ ldap_server_organization }}" - name: Install slapd apt: name=slapd state=installed 
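Review bot: The new `ldap_tls_ciphers` value for the parameters-optional fixture re-admits TLS 1.1 (`+VERS-TLS1.1`) alongside the `+SHA1` MACs already in the string, which is presumably deliberate so that tests/test_optional.py can prove the knob works, but nothing on the line says so and the string is long enough to be copied as a reference value. A comment such as `# Deliberately weakened (TLS 1.1, SHA1) so the optional tests can verify the cipher knob; not a recommended setting` directly above it would record the intent. The play this belongs to starts outside the hunk.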
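Review bot: The task name in the new `client` play has a typo, `Install tool for teting TCP connectivity` → `Install tool for testing TCP connectivity`. `state: installed` is a legacy alias in the apt module; `state: present` is the documented value and matches the form newer Ansible releases expect. Since hping3 is only needed by tests/test_client.py, a comment `# hping3 is used by tests/test_client.py to probe the LDAP ports from the client host` on the task would explain why a packet-crafting tool is being installed on a fixture.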
@@ -61,14 +61,22 @@ when: ldap_misc_schema_present.stdout == "" - name: Deploy LDAP TLS private key - copy: dest="/etc/ssl/private/{{ ansible_fqdn }}_ldap.key" content="{{ ldap_server_tls_key }}" - mode=0640 owner=root group=openldap + template: + src: "ldap_tls_key.j2" + dest: "/etc/ssl/private/{{ ansible_fqdn }}_ldap.key" + mode: 0640 + owner: root + group: openldap notify: - Restart slapd - name: Deploy LDAP TLS certificate - copy: dest="/etc/ssl/certs/{{ ansible_fqdn }}_ldap.pem" content="{{ ldap_server_tls_certificate }}" - mode=0644 owner=root group=root + template: + src: "ldap_tls_cert.j2" + dest: "/etc/ssl/certs/{{ ansible_fqdn }}_ldap.pem" + mode: 0644 + owner: root + group: root notify: - Restart slapd diff --git a/roles/ldap_server/templates/ldap_tls_cert.j2 b/roles/ldap_server/templates/ldap_tls_cert.j2 new file mode 100644 index 0000000000000000000000000000000000000000..3ecc806a1f5e19e451410c7da08f6321400650c2 --- /dev/null +++ b/roles/ldap_server/templates/ldap_tls_cert.j2 @@ -0,0 +1 @@ +{{ ldap_server_tls_certificate }} diff --git a/roles/ldap_server/templates/ldap_tls_key.j2 b/roles/ldap_server/templates/ldap_tls_key.j2 new file mode 100644 index 0000000000000000000000000000000000000000..6a2beec7c6d1145b636ccb46ac2aad06acbecd75 --- /dev/null +++ b/roles/ldap_server/templates/ldap_tls_key.j2 @@ -0,0 +1 @@ +{{ ldap_server_tls_key }} diff --git a/roles/ldap_server/tests/test_backup.py b/roles/ldap_server/tests/test_backup.py new file mode 100644 index 0000000000000000000000000000000000000000..5bc631b3deeca2cb9ed3efebd757f1f74628d46b --- /dev/null +++ b/roles/ldap_server/tests/test_backup.py 
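Review bot: The `Deploy LDAP TLS private key` task now renders the key through `template`, and without `no_log: true` a run with `-v` or `--diff` prints the rendered private key to the console and to whatever log sink the controller feeds; adding `no_log: true` to that task keeps the key out of output (the certificate task does not need it). The move from `copy` `content=` to a one-line template is presumably to keep the multi-line PEM intact under the key=value syntax, but nothing records that, so a comment like `# Rendered via template rather than copy content= so the multi-line PEM survives intact` would stop the next maintainer from reverting it. The task list continues past the end of the hunk.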
@@ -0,0 +1,61 @@
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+ '.molecule/ansible_inventory').get_hosts('parameters-optional')
+
+
+def test_database_dump_directory(File, Sudo):
+ """
+ Tests configuration of the directory where database dumps are stored prior
+ to running backup.
+ """
+
+ with Sudo():
+
+ directory = File('/srv/backup')
+
+ assert directory.is_directory
+ assert directory.user == 'root'
+ assert directory.group == 'root'
+ assert directory.mode == 0o700
+
+
+def test_database_dump_script(File, Sudo):
+ """
+ Tests if database dump script is deployed correctly.
+ """
+
+ with Sudo():
+
+ script = File('/etc/duply/main/pre.d/ldapdump.sh')
+
+ assert script.is_file
+ assert script.user == 'root'
+ assert script.group == 'root'
+ assert script.mode == 0o700
+
+
+def test_backup(Command, File, Sudo):
+ """
+ Tests if LDAP directory is correctly backed-up.
+ """
+
+ with Sudo():
+
+ # Remove restore directory in order to make sure restore has worked
+ # correctly.
+ Command("rm -rf /root/restore")
+
+ backup_run = Command('duply main backup')
+ assert backup_run.rc == 0
+
+ database_dump = File('/srv/backup/slapd.bak')
+ assert database_dump.is_file
+ assert 'dn: dc=local' in database_dump.content
+
+ restore_run = Command('duply main restore /root/restore')
+ assert restore_run.rc == 0
+
+ restored_database_dump = File('/root/restore/srv/backup/slapd.bak')
+ assert restored_database_dump.is_file
+ assert restored_database_dump.content == database_dump.content
diff --git a/roles/ldap_server/tests/test_client.py b/roles/ldap_server/tests/test_client.py
new file mode 100644
index 0000000000000000000000000000000000000000..bb7d08227076d0491fdadd50e7a3a9cb0d856d24
--- /dev/null
+++ b/roles/ldap_server/tests/test_client.py
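Review bot: `test_backup` runs `Command("rm -rf /root/restore")` and discards its result, so if that cleanup fails the final equality assertion could be satisfied by a stale `/root/restore` from an earlier run rather than by the restore under test. `assert Command("rm -rf /root/restore").rc == 0` closes that gap. The comment above it would also read better as `Remove any previous restore directory so the restore below is proven to have produced the file.`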
@@ -0,0 +1,21 @@
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+ '.molecule/ansible_inventory').get_hosts('client')
+
+
+def test_connectivity(Command, Sudo):
+
+ with Sudo():
+
+ ping = Command('hping3 -S -p 389 -c 1 10.31.127.10')
+ assert ping.rc == 0
+
+ ping = Command('hping3 -S -p 636 -c 1 10.31.127.10')
+ assert ping.rc == 0
+
+ ping = Command('hping3 -S -p 389 -c 1 10.31.127.11')
+ assert ping.rc == 0
+
+ ping = Command('hping3 -S -p 636 -c 1 10.31.127.11')
+ assert ping.rc == 0
diff --git a/roles/ldap_server/tests/test_default.py b/roles/ldap_server/tests/test_default.py
index ef04a32b8c6dc6cc2738e21edb2cf11d1c0c55c9..59b77aa308ff0c562b6acefc1d8a10c7e942184c 100644
--- a/roles/ldap_server/tests/test_default.py
+++ b/roles/ldap_server/tests/test_default.py
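Review bot: `test_connectivity` is the only test in this commit without a docstring, and its four assertions hard-code the addresses 10.31.127.10 and 10.31.127.11 that molecule.yml assigns, so the two files must be kept in sync by hand. A docstring such as `Tests that the LDAP and LDAPS ports of both server instances are reachable from the client host.` plus a module-level `LDAP_SERVERS = ['10.31.127.10', '10.31.127.11']` iterated over the two ports would make the intent and the duplication explicit. Note also that a SYN probe answered with a RST is still a reply, so if hping3 reports success on any reply this test cannot tell an open port from a closed-but-reachable one; worth confirming against the tool's exit-status semantics before relying on it as a firewall check.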
@@ -2,11 +2,184 @@ import testinfra.utils.ansible_runner testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( '.molecule/ansible_inventory').get_hosts('all') +testinfra_hosts.remove("client") -def test_hosts_file(File): - f = File('/etc/hosts') +def test_installed_packages(Package): + """ + Tests if all the necessary packages have been installed. + """ - assert f.exists - assert f.user == 'root' - assert f.group == 'root' + assert Package('slapd').is_installed + assert Package('python-ldap').is_installed + + +def test_ldap_user_group(User): + """ + Tests if LDAP server user is part of group that allows it to traverse TLS + private keys directory. + """ + + assert "ssl-cert" in User('openldap').groups + + +def test_ldap_server_service_sockets_and_ports(Socket): + """ + Tests if LDAP server has been configured to listen on correct sockets. + """ + + assert Socket('tcp://389').is_listening + assert Socket('tcp://636').is_listening + assert Socket('unix:///var/run/slapd/ldapi').is_listening + + +def test_ldap_server_service(Service): + """ + Tests if the LDAP service is enabled and running. + """ + + service = Service('slapd') + + assert service.is_enabled + assert service.is_running + + +def test_syslog_configuration(File, Sudo): + """ + Tests if syslog configuration file has been deployed, and log file was + created correctly (and is being logged to). + """ + + config = File('/etc/rsyslog.d/slapd.conf') + assert config.is_file + assert config.user == 'root' + assert config.group == 'root' + assert config.mode == 0o644 + + with Sudo(): + log = File('/var/log/slapd.log') + assert log.is_file + assert 'slapd' in log.content + + +def test_log_rotation_configuration(File, Command, Sudo): + """ + Tests if log rotation configuration file has been deployed correctly and has + valid syntax. 
+ """
+
+ config = File('/etc/logrotate.d/slapd')
+
+ assert config.is_file
+ assert config.user == 'root'
+ assert config.group == 'root'
+ assert config.mode == 0o644
+
+ with Sudo():
+
+ assert Command('logrotate /etc/logrotate.d/slapd').rc == 0
+
+
+def test_misc_schema_presence(Command, Sudo):
+ """
+ Tests if the misc LDAP schema has been imported.
+ """
+
+ with Sudo():
+
+ misc_schema = Command('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config dn')
+ assert misc_schema.rc == 0
+ assert 'dn: cn={4}misc,cn=schema,cn=config' in misc_schema.stdout
+
+
+def test_memberof_module(Command, Sudo):
+ """
+ Tests if the memberof overlay has been enabled for the main database.
+ """
+
+ with Sudo():
+ memberof = Command('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config dn')
+
+ assert memberof.rc == 0
+ assert 'dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config' in memberof.stdout
+
+
+def test_basic_directory_structure(Command, Sudo):
+ """
+ Tests if the base LDAP directory structure has been set-up correctly.
+ """
+
+ with Sudo():
+
+ ous = ["people", "groups", "services"]
+
+ for ou in ous:
+
+ entry = Command('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s base -b ou=%s,dc=local' % ou)
+
+ assert entry.rc == 0
+ assert entry.stdout == """dn: ou=%(ou)s,dc=local
+objectClass: organizationalUnit
+ou: %(ou)s""" % {'ou': ou}
+
+
+def test_mail_service_entries(Command, Sudo):
+ """
+ Tests if the mail service entries have been set-up correctly.
+ """
+
+ with Sudo():
+
+ entry = Command('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s base -b ou=mail,ou=services,dc=local')
+ assert entry.rc == 0
+ assert entry.stdout == """dn: ou=mail,ou=services,dc=local
+objectClass: organizationalUnit
+ou: mail"""
+
+ entry = Command('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s base -b ou=domains,ou=mail,ou=services,dc=local')
+ assert entry.rc == 0
+ assert entry.stdout == """dn: ou=domains,ou=mail,ou=services,dc=local
+objectClass: organizationalUnit
+ou: domains"""
+
+ entry = Command('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s base -b ou=aliases,ou=mail,ou=services,dc=local')
+ assert entry.rc == 0
+ assert entry.stdout == """dn: ou=aliases,ou=mail,ou=services,dc=local
+objectClass: organizationalUnit
+ou: aliases"""
+
+
+def test_firewall_configuration_file(File, Sudo):
+ """
+ Tests if firewall configuration file has been deployed correctly.
+ """
+
+ with Sudo():
+
+ config = File('/etc/ferm/conf.d/10-ldap.conf')
+
+ assert config.is_file
+ assert config.user == 'root'
+ assert config.group == 'root'
+ assert config.mode == 0o640
+
+
+def test_admin_password(Command):
+ """
+ Tests if administrator password has been set correctly.
+ """
+
+ login = Command("ldapwhoami -H ldapi:/// -x -w adminpassword -D cn=admin,dc=local")
+
+ assert login.rc == 0
+ assert login.stdout == "dn:cn=admin,dc=local"
+
+
+def test_temporary_admin_password_file_not_present(File, Sudo):
+ """
+ Tests if the file that temporarily contains the LDAP adminstrator password
+ has been removed.
+ """
+
+ with Sudo():
+ assert not File('/root/.ldap_admin_password').exists
diff --git a/roles/ldap_server/tests/test_mandatory.py b/roles/ldap_server/tests/test_mandatory.py
new file mode 100644
index 0000000000000000000000000000000000000000..1f261da409aa190bd0faf11179bb4e056736874a
--- /dev/null
+++ b/roles/ldap_server/tests/test_mandatory.py
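Review bot: `test_misc_schema_presence` pins the schema's ordering index in `'dn: cn={4}misc,cn=schema,cn=config'`, so loading one schema more or fewer before misc fails the test without the role being wrong; with `re` imported, `assert re.search(r'^dn: cn=\{\d+\}misc,cn=schema,cn=config$', misc_schema.stdout, re.M)` tests the property actually wanted. The `{0}memberof` and `{1}mdb` indices in `test_memberof_module` have the same shape, though those are less likely to move. `test_firewall_configuration_file` only checks that the ferm fragment exists with the right owner and mode, leaving whether the rules are actually loaded to the client-side connectivity test, which is worth stating in its docstring. The hunk begins on the preceding lines of this file section, so the start of the module is not in view here.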
@@ -0,0 +1,159 @@
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+ '.molecule/ansible_inventory').get_hosts('parameters-mandatory.local')
+
+
+def test_base_entry(Command, Sudo):
+ """
+ Tests if the base entry has been created correctly.
+ """
+
+ with Sudo():
+
+ base_dn = Command("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b dc=local -s base")
+
+ assert base_dn.rc == 0
+ assert "dc: local" in base_dn.stdout.split("\n")
+ assert "o: Private" in base_dn.stdout.split("\n")
+
+
+def test_log_level(Command, Sudo):
+ """
+ Tests if the logging level has been set correctly.
+ """
+
+ with Sudo():
+
+ log_level = Command('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config -s base olcLogLevel')
+
+ assert log_level.rc == 0
+ assert 'olcLogLevel: 256' in log_level.stdout
+
+
+def test_ldap_tls_private_key_file(File, Sudo):
+ """
+ Tests if the TLS private key has been deployed correctly.
+ """
+
+ with Sudo():
+
+ key = File('/etc/ssl/private/parameters-mandatory.local_ldap.key')
+
+ assert key.is_file
+ assert key.user == 'root'
+ assert key.group == 'openldap'
+ assert key.mode == 0o640
+ assert key.content == open('tests/data/x509/parameters-mandatory.local_ldap.key').read().rstrip()
+
+
+def test_ldap_tls_certificate_file(File, Sudo):
+ """
+ Tests if the TLS certificate has been deployed correctly.
+ """
+
+ with Sudo():
+
+ cert = File('/etc/ssl/certs/parameters-mandatory.local_ldap.pem')
+
+ assert cert.is_file
+ assert cert.user == 'root'
+ assert cert.group == 'root'
+ assert cert.mode == 0o644
+ assert cert.content == open('tests/data/x509/parameters-mandatory.local_ldap.pem').read().rstrip()
+
+
+def test_certificate_validity_check_configuration(File):
+ """
+ Tests if certificate validity check configuration file has been deployed
+ correctly.
+ """
+
+ config = File('/etc/check_certificate/parameters-mandatory.local_ldap.conf')
+
+ assert config.is_file
+ assert config.user == 'root'
+ assert config.group == 'root'
+ assert config.mode == 0o644
+ assert config.content == "/etc/ssl/certs/parameters-mandatory.local_ldap.pem"
+
+
+def test_tls_configuration(Command):
+ """
+ Tests if the TLS has been configured correctly and works.
+ """
+
+ starttls = Command('ldapwhoami -Z -x -H ldap://parameters-mandatory.local/')
+ assert starttls.rc == 0
+ assert starttls.stdout == 'anonymous'
+
+ tls = Command('ldapwhoami -x -H ldaps://parameters-mandatory.local/')
+ assert tls.rc == 0
+ assert tls.stdout == 'anonymous'
+
+ old_tls_versions_disabled = Command("echo 'Q' | openssl s_client -no_tls1_2 -connect parameters-mandatory:636")
+ assert old_tls_versions_disabled.rc != 0
+ assert "CONNECTED" in old_tls_versions_disabled.stdout
+
+ cipher = Command("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA256 -connect parameters-mandatory:636")
+ assert cipher.rc == 0
+ assert "ECDHE-RSA-AES128-SHA256" in cipher.stdout
+
+ cipher = Command("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA -connect parameters-mandatory:636")
+ assert cipher.rc != 0
+ assert "ECDHE-RSA-AES128-SHA" not in cipher.stdout
+
+
+def test_ssf_configuration(Command, Sudo):
+ """
+ Tests if the SSF olcSecurity configuration has been set-up correctly.
+ """
+
+ with Sudo():
+ ssf = Command('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config olcSecurity')
+
+ assert ssf.rc == 0
+ assert "olcSecurity: ssf=128" in ssf.stdout
+
+
+def test_permissions(Command, Sudo):
+ """
+ Tests if LDAP directory permissions have been set-up correctly.
+ """
+
+ with Sudo():
+ permissions = Command("ldapsearch -o ldif-wrap=no -H ldapi:/// -Q -LLL -Y EXTERNAL -b 'olcDatabase={1}mdb,cn=config' -s base olcAccess olcAccess")
+
+ expected_permissions = """olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn="cn=admin,dc=local" manage by * break
+olcAccess: {1}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
+olcAccess: {2}to dn.base="" by * read
+olcAccess: {3}to * by self write by dn="cn=admin,dc=local" write by users read by * none"""
+
+ assert permissions.rc == 0
+ assert expected_permissions in permissions.stdout
+
+
+def test_services_login_entries(Command, Sudo):
+ """
+ Tests if the service/consumer login entries have been set correctly.
+ """
+
+ with Sudo():
+
+ entries = Command("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s one -b ou=services,dc=local '(objectClass=simpleSecurityObject)'")
+
+ assert entries.rc == 0
+ assert entries.stdout == ""
+
+
+def test_group_entries(Command, Sudo):
+ """
+ Tests that no group entries have been created out-of-the-box.
+ """
+
+ with Sudo():
+
+ entries = Command("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s one -b ou=groups,dc=local '(objectClass=groupOfUniqueNames)'")
+
+ assert entries.rc == 0
+ assert entries.stdout == ""
diff --git a/roles/ldap_server/tests/test_optional.py b/roles/ldap_server/tests/test_optional.py
new file mode 100644
index 0000000000000000000000000000000000000000..ed073eeaca1c3aa4ccdac2acf5f0266d0c9b34f9
--- /dev/null
+++ b/roles/ldap_server/tests/test_optional.py
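Review bot: `test_tls_configuration` infers that pre-1.2 protocol versions are rejected from `openssl s_client -no_tls1_2` failing, but that flag only removes TLS 1.2 from the client's offer; on an OpenSSL build that also speaks TLS 1.3 the handshake could succeed at 1.3 and the `rc != 0` assertion would flip for the wrong reason. Pinning the version being probed, as test_optional.py already does with `-tls1_1`, e.g. `openssl s_client -tls1_1 -connect parameters-mandatory:636` and a second probe with `-tls1`, tests the property the variable name states. Separately, `open('tests/data/x509/...').read().rstrip()` in the key and certificate tests leaves the file handle to the garbage collector; `with open(...) as f: expected = f.read().rstrip()` is the idiomatic form. The s_client probes also use the short name `parameters-mandatory` while ldapwhoami uses `parameters-mandatory.local`; presumably both resolve, but one name would be clearer. All three points apply equally to test_optional.py.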
@@ -0,0 +1,205 @@
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+ '.molecule/ansible_inventory').get_hosts('parameters-optional')
+
+
+def test_base_entry(Command, Sudo):
+ """
+ Tests if the base entry has been created correctly.
+ """
+
+ with Sudo():
+
+ base_dn = Command("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b dc=local -s base")
+
+ assert base_dn.rc == 0
+ assert "dc: local" in base_dn.stdout.split("\n")
+ assert "o: Example" in base_dn.stdout.split("\n")
+
+
+def test_log_level(Command, Sudo):
+ """
+ Tests if the logging level has been set correctly.
+ """
+
+ with Sudo():
+
+ log_level = Command('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config -s base olcLogLevel')
+
+ assert log_level.rc == 0
+ assert 'olcLogLevel: 0' in log_level.stdout
+
+
+def test_ldap_tls_private_key_file(File, Sudo):
+ """
+ Tests if the TLS private key has been deployed correctly.
+ """
+
+ with Sudo():
+
+ key = File('/etc/ssl/private/parameters-optional_ldap.key')
+
+ assert key.is_file
+ assert key.user == 'root'
+ assert key.group == 'openldap'
+ assert key.mode == 0o640
+ assert key.content == open('tests/data/x509/parameters-optional.key.pem').read().rstrip()
+
+
+def test_ldap_tls_certificate_file(File, Sudo):
+ """
+ Tests if the TLS certificate has been deployed correctly.
+ """
+
+ with Sudo():
+
+ cert = File('/etc/ssl/certs/parameters-optional_ldap.pem')
+
+ assert cert.is_file
+ assert cert.user == 'root'
+ assert cert.group == 'root'
+ assert cert.mode == 0o644
+ assert cert.content == open('tests/data/x509/parameters-optional.cert.pem').read().rstrip()
+
+
+def test_certificate_validity_check_configuration(File):
+ """
+ Tests if certificate validity check configuration file has been deployed
+ correctly.
+ """
+
+ config = File('/etc/check_certificate/parameters-optional_ldap.conf')
+
+ assert config.is_file
+ assert config.user == 'root'
+ assert config.group == 'root'
+ assert config.mode == 0o644
+ assert config.content == "/etc/ssl/certs/parameters-optional_ldap.pem"
+
+
+def test_tls_configuration(Command):
+ """
+ Tests if the TLS has been configured correctly and works.
+ """
+
+ ldap_starttls = Command('ldapwhoami -Z -x -H ldap://parameters-optional/')
+ assert ldap_starttls.rc == 0
+ assert ldap_starttls.stdout == 'anonymous'
+
+ ldap_tls = Command('ldapwhoami -x -H ldaps://parameters-optional/')
+ assert ldap_tls.rc == 0
+ assert ldap_tls.stdout == 'anonymous'
+
+ old_tls_versions_disabled = Command("echo 'Q' | openssl s_client -no_tls1_2 -connect parameters-optional:636")
+ assert old_tls_versions_disabled.rc == 0
+ assert "CONNECTED" in old_tls_versions_disabled.stdout
+
+ cipher = Command("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA256 -connect parameters-optional:636")
+ assert cipher.rc == 0
+ assert "ECDHE-RSA-AES128-SHA256" in cipher.stdout
+
+ cipher = Command("echo 'Q' | openssl s_client -tls1_1 -cipher ECDHE-RSA-AES128-SHA -connect parameters-optional:636")
+ assert cipher.rc == 0
+ assert "ECDHE-RSA-AES128-SHA" in cipher.stdout
+
+
+def test_ssf_configuration(Command, Sudo):
+ """
+ Tests if the SSF olcSecurity configuration has been set-up correctly.
+ """
+
+ with Sudo():
+ ssf = Command('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config olcSecurity')
+
+ assert ssf.rc == 0
+ assert "olcSecurity: ssf=0" in ssf.stdout
+
+
+def test_permissions(Command, Sudo):
+ """
+ Tests if LDAP directory permissions have been set-up correctly.
+ """
+
+ with Sudo():
+ permissions = Command("ldapsearch -o ldif-wrap=no -H ldapi:/// -Q -LLL -Y EXTERNAL -b 'olcDatabase={1}mdb,cn=config' -s base olcAccess olcAccess")
+
+ expected_permissions = "olcAccess: {0}to * " \
+ "by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage " \
+ "by self write by * read by dn=\"cn=admin,dc=local\" write " \
+ "by * none"
+
+ assert permissions.rc == 0
+ assert expected_permissions in permissions.stdout
+
+
+def test_services_login_entries(Command, Sudo):
+ """
+ Tests if the service/consumer login entries have been set correctly.
+ """
+
+ with Sudo():
+
+ entries = Command("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s one -b ou=services,dc=local '(objectClass=simpleSecurityObject)'")
+
+ assert entries.rc == 0
+ assert entries.stdout == """dn: cn=consumer1,ou=services,dc=local
+objectClass: applicationProcess
+objectClass: simpleSecurityObject
+userPassword:: Y29uc3VtZXIxcGFzc3dvcmQ=
+cn: consumer1
+
+dn: cn=consumer2,ou=services,dc=local
+objectClass: applicationProcess
+objectClass: simpleSecurityObject
+userPassword:: Y29uc3VtZXIycGFzc3dvcmQ=
+cn: consumer2"""
+
+
+def test_group_entries(Command, Sudo):
+ """
+ Tests that no group entries have been created out-of-the-box.
+ """
+
+ with Sudo():
+
+ entries = Command("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s one -b ou=groups,dc=local '(objectClass=groupOfUniqueNames)'")
+
+ assert entries.rc == 0
+ assert entries.stdout == """dn: cn=group1,ou=groups,dc=local
+objectClass: groupOfUniqueNames
+uniqueMember: cn=NONE
+cn: group1
+
+dn: cn=group2,ou=groups,dc=local
+objectClass: groupOfUniqueNames
+uniqueMember: cn=NONE
+cn: group2"""
+
+
+def test_user_supplied_entries(Command, Sudo):
+ """
+ Tests if user-supplied entries are created correctly.
+ """
+
+ with Sudo():
+
+ john_doe = Command("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s base -b uid=john,dc=local")
+ assert john_doe.rc == 0
+ assert john_doe.stdout == """dn: uid=john,dc=local
+objectClass: inetOrgPerson
+objectClass: simpleSecurityObject
+userPassword:: am9obnBhc3N3b3Jk
+cn: John Doe
+sn: Doe
+uid: john"""
+
+ jane_doe = Command("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s base -b uid=jane,dc=local")
+ assert jane_doe.rc == 0
+ assert jane_doe.stdout == """dn: uid=jane,dc=local
+objectClass: inetOrgPerson
+objectClass: simpleSecurityObject
+userPassword:: amFuZXBhc3N3b3Jk
+cn: Jane Doe
+sn: Doe
+uid: jane"""
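Review bot: In `test_tls_configuration` the variable `old_tls_versions_disabled` is asserted with `rc == 0`, so the test actually verifies that older TLS versions are *enabled* on this instance and the name states the opposite of what is checked; `old_tls_versions_enabled` would match the `+VERS-TLS1.1` fixture in playbook.yml. Separately, `test_services_login_entries` and `test_user_supplied_entries` pin `userPassword::` values that are plain base64 of the configured password (`Y29uc3VtZXIxcGFzc3dvcmQ=` decodes to `consumer1password`), so these assertions document that the role stores those credentials unhashed. If that is the intended contract a comment such as `# userPassword is stored as supplied (base64 in LDIF is encoding, not hashing)` would stop a reader from filing it as a bug; if not, this is where a hashed-storage expectation belongs. The enclosing `test_user_supplied_entries` ends on the hunk's last line.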