(*
Module: Test_Nslcd
  Provides unit tests and examples for the <Nslcd> lens.

  <real_file> is a complete sample /etc/nslcd.conf that is parsed in the
  get direction and compared against an expected tree; the remaining
  tests exercise the put direction (creating and updating entries) and a
  few parsing edge cases (trailing whitespace, multi-valued entries,
  blank-line separators).
*)

module Test_nslcd =

(* Variable: real_file
   Representative nslcd.conf covering every directive family the lens
   handles (threads/uid/gid, logging, LDAP connection, bind/SASL/Kerberos
   credentials, search/mapping, timing, SSL/TLS, NSS/PAM options).
   Values such as "bindpw secret", "rootpwmodpw XXXXXX" and
   "tls_reqcert never" are sample values chosen for lens coverage, not a
   configuration to copy. *)
let real_file = "# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# Specifies the number of threads to start that can handle requests and perform LDAP queries.
threads 5

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# This option controls the way logging is done.
log syslog info

# The location at which the LDAP server(s) should be reachable.
uri ldaps://XXX.XXX.XXX ldaps://YYY.YYY.YYY

# The search base that will be used for all queries.
base dc=XXX,dc=XXX

# The LDAP protocol version to use.
ldap_version 3

# The DN to bind with for normal lookups.
binddn cn=annonymous,dc=example,dc=net
bindpw secret


# The DN used for password modifications by root.
rootpwmoddn cn=admin,dc=example,dc=com

# The password used for password modifications by root.
rootpwmodpw XXXXXX


# SASL authentication options
sasl_mech OTP
sasl_realm realm
sasl_authcid authcid
sasl_authzid dn:cn=annonymous,dc=example,dc=net
sasl_secprops noanonymous,noplain,minssf=0,maxssf=2,maxbufsize=65535
sasl_canonicalize yes

# Kerberos authentication options
krb5_ccname ccname

# Search/mapping options

# Specifies the base distinguished name (DN) to use as search base.
base dc=people,dc=example,dc=com
base dc=morepeople,dc=example,dc=com
base alias dc=aliases,dc=example,dc=com
base alias dc=morealiases,dc=example,dc=com
base group dc=group,dc=example,dc=com
base group dc=moregroup,dc=example,dc=com
base passwd dc=users,dc=example,dc=com

# Specifies the search scope (subtree, onelevel, base or children).
scope sub
scope passwd sub
scope aliases sub

# Specifies the policy for dereferencing aliases.
deref never

# Specifies whether automatic referral chasing should be enabled.
referrals yes

# The FILTER is an LDAP search filter to use for a specific map.
filter group (objectClass=posixGroup)

# This option allows for custom attributes to be looked up instead of the default RFC 2307 attributes.
map passwd homeDirectory \"${homeDirectory:-/home/$uid}\"
map passwd loginShell \"${loginShell:-/bin/bash}\"
map shadow userPassword myPassword

# Timing/reconnect options

# Specifies the time limit (in seconds) to use when connecting to the directory server.
bind_timelimit 30

# Specifies the time limit (in seconds) to wait for a response from the LDAP server.
timelimit 5

# Specifies the period if inactivity (in seconds) after which the connection to the LDAP server will be closed.
idle_timelimit 10

# Specifies the number of seconds to sleep when connecting to all LDAP servers fails.
reconnect_sleeptime 10

# Specifies the time after which the LDAP server is considered to be permanently unavailable.
reconnect_retrytime 10

# SSL/TLS options

# Specifies whether to use SSL/TLS or not (the default is not to).
ssl start_tls
# Specifies what checks to perform on a server-supplied certificate.
tls_reqcert never
# Specifies the directory containing X.509 certificates for peer authentication.
tls_cacertdir /etc/ssl/ca
# Specifies the path to the X.509 certificate for peer authentication.
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
# Specifies the path to an entropy source.
tls_randfile /dev/random
# Specifies the ciphers to use for TLS.
tls_ciphers TLSv1
# Specifies the path to the file containing the local certificate for client TLS authentication.
tls_cert /etc/ssl/certs/cert.pem
# Specifies the path to the file containing the private key for client TLS authentication.
tls_key /etc/ssl/private/cert.pem

# Other options
pagesize 100
nss_initgroups_ignoreusers user1,user2,user3
nss_min_uid 1000
nss_nested_groups yes
nss_getgrent_skipmembers yes
nss_disable_enumeration yes
validnames /^[a-z0-9._@$()]([a-z0-9._@$() \\~-]*[a-z0-9._@$()~-])?$/i
ignorecase yes
pam_authc_ppolicy yes
pam_authz_search (&(objectClass=posixAccount)(uid=$username)(|(authorizedService=$service)(!(authorizedService=*))))
pam_password_prohibit_message \"MESSAGE LONG AND WITH SPACES\"
reconnect_invalidate nfsidmap,db2,db3
cache dn2uid 1s 2h

"

(* Test: Nslcd.lns
   Full parse of <real_file>. Each comment line becomes a "#comment"
   node, each blank line an empty node, and each directive a node named
   after its keyword. Observations pinned by the expected tree:
   - base, scope, filter and map nest the map name (and, for map, the
     attribute) as child nodes; the map-less form keeps a flat value.
   - uri and nss_initgroups_ignoreusers are split into numbered children,
     while other comma-separated values (sasl_secprops,
     reconnect_invalidate) stay a single string.
   - the surrounding double quotes are kept for map values but dropped
     for pam_password_prohibit_message.
   - the escaped "\\~" in validnames is stored as a single backslash. *)
test Nslcd.lns get real_file =
  { "#comment" = "/etc/nslcd.conf" }
  { "#comment" = "nslcd configuration file. See nslcd.conf(5)" }
  { "#comment" = "for details." }
  { }
  { "#comment" = "Specifies the number of threads to start that can handle requests and perform LDAP queries." }
  { "threads" = "5" }
  { }
  { "#comment" = "The user and group nslcd should run as." }
  { "uid" = "nslcd" }
  { "gid" = "nslcd" }
  { }
  { "#comment" = "This option controls the way logging is done." }
  { "log" = "syslog info" }
  { }
  { "#comment" = "The location at which the LDAP server(s) should be reachable." }
  { "uri"
    { "1" = "ldaps://XXX.XXX.XXX" }
    { "2" = "ldaps://YYY.YYY.YYY" }
  }
  { }
  { "#comment" = "The search base that will be used for all queries." }
  { "base" = "dc=XXX,dc=XXX" }
  { }
  { "#comment" = "The LDAP protocol version to use." }
  { "ldap_version" = "3" }
  { }
  { "#comment" = "The DN to bind with for normal lookups." }
  { "binddn" = "cn=annonymous,dc=example,dc=net" }
  { "bindpw" = "secret" }
  { }
  { }
  { "#comment" = "The DN used for password modifications by root." }
  { "rootpwmoddn" = "cn=admin,dc=example,dc=com" }
  { }
  { "#comment" = "The password used for password modifications by root." }
  { "rootpwmodpw" = "XXXXXX" }
  { }
  { }
  { "#comment" = "SASL authentication options" }
  { "sasl_mech" = "OTP" }
  { "sasl_realm" = "realm" }
  { "sasl_authcid" = "authcid" }
  { "sasl_authzid" = "dn:cn=annonymous,dc=example,dc=net" }
  { "sasl_secprops" = "noanonymous,noplain,minssf=0,maxssf=2,maxbufsize=65535" }
  { "sasl_canonicalize" = "yes" }
  { }
  { "#comment" = "Kerberos authentication options" }
  { "krb5_ccname" = "ccname" }
  { }
  { "#comment" = "Search/mapping options" }
  { }
  { "#comment" = "Specifies the base distinguished name (DN) to use as search base." }
  { "base" = "dc=people,dc=example,dc=com" }
  { "base" = "dc=morepeople,dc=example,dc=com" }
  { "base"
    { "alias" = "dc=aliases,dc=example,dc=com" }
  }
  { "base"
    { "alias" = "dc=morealiases,dc=example,dc=com" }
  }
  { "base"
    { "group" = "dc=group,dc=example,dc=com" }
  }
  { "base"
    { "group" = "dc=moregroup,dc=example,dc=com" }
  }
  { "base"
    { "passwd" = "dc=users,dc=example,dc=com" }
  }
  { }
  { "#comment" = "Specifies the search scope (subtree, onelevel, base or children)." }
  { "scope" = "sub" }
  { "scope"
    { "passwd" = "sub" }
  }
  { "scope"
    { "aliases" = "sub" }
  }
  { }
  { "#comment" = "Specifies the policy for dereferencing aliases." }
  { "deref" = "never" }
  { }
  { "#comment" = "Specifies whether automatic referral chasing should be enabled." }
  { "referrals" = "yes" }
  { }
  { "#comment" = "The FILTER is an LDAP search filter to use for a specific map." }
  { "filter"
    { "group" = "(objectClass=posixGroup)" }
  }
  { }
  { "#comment" = "This option allows for custom attributes to be looked up instead of the default RFC 2307 attributes." }
  { "map"
    { "passwd"
      { "homeDirectory" = "\"${homeDirectory:-/home/$uid}\"" }
    }
  }
  { "map"
    { "passwd"
      { "loginShell" = "\"${loginShell:-/bin/bash}\"" }
    }
  }
  { "map"
    { "shadow"
      { "userPassword" = "myPassword" }
    }
  }
  { }
  { "#comment" = "Timing/reconnect options" }
  { }
  { "#comment" = "Specifies the time limit (in seconds) to use when connecting to the directory server." }
  { "bind_timelimit" = "30" }
  { }
  { "#comment" = "Specifies the time limit (in seconds) to wait for a response from the LDAP server." }
  { "timelimit" = "5" }
  { }
  { "#comment" = "Specifies the period if inactivity (in seconds) after which the connection to the LDAP server will be closed." }
  { "idle_timelimit" = "10" }
  { }
  { "#comment" = "Specifies the number of seconds to sleep when connecting to all LDAP servers fails." }
  { "reconnect_sleeptime" = "10" }
  { }
  { "#comment" = "Specifies the time after which the LDAP server is considered to be permanently unavailable." }
  { "reconnect_retrytime" = "10" }
  { }
  { "#comment" = "SSL/TLS options" }
  { }
  { "#comment" = "Specifies whether to use SSL/TLS or not (the default is not to)." }
  { "ssl" = "start_tls" }
  { "#comment" = "Specifies what checks to perform on a server-supplied certificate." }
  { "tls_reqcert" = "never" }
  { "#comment" = "Specifies the directory containing X.509 certificates for peer authentication." }
  { "tls_cacertdir" = "/etc/ssl/ca" }
  { "#comment" = "Specifies the path to the X.509 certificate for peer authentication." }
  { "tls_cacertfile" = "/etc/ssl/certs/ca-certificates.crt" }
  { "#comment" = "Specifies the path to an entropy source." }
  { "tls_randfile" = "/dev/random" }
  { "#comment" = "Specifies the ciphers to use for TLS." }
  { "tls_ciphers" = "TLSv1" }
  { "#comment" = "Specifies the path to the file containing the local certificate for client TLS authentication." }
  { "tls_cert" = "/etc/ssl/certs/cert.pem" }
  { "#comment" = "Specifies the path to the file containing the private key for client TLS authentication." }
  { "tls_key" = "/etc/ssl/private/cert.pem" }
  { }
  { "#comment" = "Other options" }
  { "pagesize" = "100" }
  { "nss_initgroups_ignoreusers"
    { "1" = "user1" }
    { "2" = "user2" }
    { "3" = "user3" }
  }
  { "nss_min_uid" = "1000" }
  { "nss_nested_groups" = "yes" }
  { "nss_getgrent_skipmembers" = "yes" }
  { "nss_disable_enumeration" = "yes" }
  { "validnames" = "/^[a-z0-9._@$()]([a-z0-9._@$() \~-]*[a-z0-9._@$()~-])?$/i" }
  { "ignorecase" = "yes" }
  { "pam_authc_ppolicy" = "yes" }
  { "pam_authz_search" = "(&(objectClass=posixAccount)(uid=$username)(|(authorizedService=$service)(!(authorizedService=*))))" }
  { "pam_password_prohibit_message" = "MESSAGE LONG AND WITH SPACES" }
  { "reconnect_invalidate" = "nfsidmap,db2,db3" }
  { "cache" = "dn2uid 1s 2h" }
  { }

(* Test writes *)

(* Test a simple parameter: updating an existing flat value rewrites the
   line in place. *)
test Nslcd.lns put "pagesize 9999\n" after
  set "/pagesize" "1000" =
  "pagesize 1000\n"

(* Test base parameter *)

(* Creating a map-less base on an otherwise empty file appends the line. *)
test Nslcd.lns put "\n" after
  set "/base" "dc=example,dc=com" =
  "\nbase dc=example,dc=com\n"

(* Setting "/base" replaces the value of the existing map-less base. *)
test Nslcd.lns put "base dc=change,dc=me\n" after
  set "/base" "dc=example,dc=com" =
  "base dc=example,dc=com\n"

(* A map-specific base is created from a "/base/<map>" child node. *)
test Nslcd.lns put "\n" after
  set "/base/passwd" "dc=example,dc=com" =
  "\nbase passwd dc=example,dc=com\n"

(* "/base[passwd]" selects the existing entry by its map child and updates
   it; "/base[shadow]" matches nothing and so a new entry is appended. *)
test Nslcd.lns put "base passwd dc=change,dc=me\n" after
  set "/base[passwd]/passwd" "dc=example,dc=com";
  set "/base[shadow]/shadow" "dc=example,dc=com" =
  "base passwd dc=example,dc=com\nbase shadow dc=example,dc=com\n"

(* Test scope entry: same create/update/map-selection cases as base. *)
test Nslcd.lns put "\n" after
  set "/scope" "sub" =
  "\nscope sub\n"

test Nslcd.lns put "scope one\n" after
  set "/scope" "subtree" =
  "scope subtree\n"

test Nslcd.lns put "\n" after
  set "/scope/passwd" "base" =
  "\nscope passwd base\n"

(* The existing shadow entry keeps its position and is updated; the new
   passwd entry is appended after it, regardless of set order. *)
test Nslcd.lns put "scope shadow onelevel\n" after
  set "/scope[passwd]/passwd" "subtree";
  set "/scope[shadow]/shadow" "base" =
  "scope shadow base\nscope passwd subtree\n"

(* Test filter entry: filter only has the map-specific form. *)
test Nslcd.lns put "\n" after
  set "/filter/passwd" "(objectClass=posixAccount)" =
  "\nfilter passwd (objectClass=posixAccount)\n"

test Nslcd.lns put "filter shadow (objectClass=posixAccount)\n" after
  set "/filter[passwd]/passwd" "(objectClass=Account)";
  set "/filter[shadow]/shadow" "(objectClass=Account)" =
  "filter shadow (objectClass=Account)\nfilter passwd (objectClass=Account)\n"

(* Test map entry *)

(* Updating the attribute value of the single existing map entry. *)
test Nslcd.lns put "map passwd loginShell ab\n" after
  set "/map/passwd/loginShell" "bc" =
  "map passwd loginShell bc\n"

(* A second map entry can be addressed positionally ("/map[2]") ... *)
test Nslcd.lns put "map passwd loginShell ab\n" after
  set "/map[2]/passwd/homeDirectory" "bc" =
  "map passwd loginShell ab\nmap passwd homeDirectory bc\n"

(* ... or by its map/attribute path, which creates it when absent ... *)
test Nslcd.lns put "map passwd loginShell ab\n" after
  set "/map[passwd/homeDirectory]/passwd/homeDirectory" "bc" =
  "map passwd loginShell ab\nmap passwd homeDirectory bc\n"

(* ... and updates it in place when present. *)
test Nslcd.lns put "map passwd loginShell ab\nmap passwd homeDirectory ab\n" after
  set "/map[passwd/homeDirectory]/passwd/homeDirectory" "bc" =
  "map passwd loginShell ab\nmap passwd homeDirectory bc\n"


(* Test simple entries *)
let simple = "uid nslcd\n"

test Nslcd.lns get simple =
{ "uid" = "nslcd" }

(* Test simple entries with spaces at the end: trailing whitespace is not
   part of the stored value. *)
let simple_spaces = "uid nslcd \n"

test Nslcd.lns get simple_spaces =
{ "uid" = "nslcd" }

(* Test multi valued entries: the whole remainder of the line, minus
   trailing whitespace, is kept as one value. *)

let multi_valued = "cache 1 2 \n"

test Nslcd.lns get multi_valued =
{ "cache" = "1 2" }

(* Unquoted map value containing shell-style expansion characters. *)
let multi_valued_real = "map passwd homeDirectory ${homeDirectory:-/home/$uid}\n"

test Nslcd.lns get multi_valued_real =
{ "map"
  { "passwd"
    { "homeDirectory" = "${homeDirectory:-/home/$uid}" }
  }
}

(* Test multiline *)

let simple_multiline = "uid nslcd\ngid nslcd\n"

test Nslcd.lns get simple_multiline =
{"uid" = "nslcd"}
{"gid" = "nslcd"}


(* Blank lines, including one holding only a space, each yield an empty
   node; trailing spaces on directive lines are dropped. *)
let multiline_separators = "\n\n \nuid nslcd \ngid nslcd \n"

test Nslcd.lns get multiline_separators =
{}
{}
{}
{"uid" = "nslcd"}
{"gid" = "nslcd"}