add tests to drone.yml
This commit is contained in:
parent
4783621d22
commit
d11c6af2ec
12
.drone.yml
12
.drone.yml
|
@ -15,6 +15,16 @@ steps:
|
||||||
- pip install -r requirements.txt
|
- pip install -r requirements.txt
|
||||||
- pip install -r dev-requirements.txt
|
- pip install -r dev-requirements.txt
|
||||||
- cd ceo_common/krb5 && python krb5_build.py && cd ../..
|
- cd ceo_common/krb5 && python krb5_build.py && cd ../..
|
||||||
|
|
||||||
# lint
|
# lint
|
||||||
- flake8
|
- flake8
|
||||||
# add more!
|
|
||||||
|
# unit + integration tests
|
||||||
|
- .drone/phosphoric-acid-setup.sh
|
||||||
|
- pytest -v
|
||||||
|
|
||||||
|
services:
|
||||||
|
- name: auth1
|
||||||
|
image: debian:buster
|
||||||
|
commands:
|
||||||
|
- .drone/auth1-setup.sh
|
||||||
|
|
|
@ -0,0 +1,83 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
set -ex
|
||||||
|
|
||||||
|
add_fqdn_to_hosts() {
|
||||||
|
hostname=$1
|
||||||
|
ip_addr=$(getent hosts $hostname | cut -d' ' -f1)
|
||||||
|
sed -E "/${ip_addr}.*\\b${hostname}\\b/d" /etc/hosts > /tmp/hosts
|
||||||
|
cat /tmp/hosts > /etc/hosts
|
||||||
|
rm /tmp/hosts
|
||||||
|
echo "$ip_addr $hostname.csclub.internal $hostname" >> /etc/hosts
|
||||||
|
}
|
||||||
|
|
||||||
|
# set FQDN in /etc/hosts
|
||||||
|
add_fqdn_to_hosts auth1
|
||||||
|
|
||||||
|
export DEBIAN_FRONTEND=noninteractive
|
||||||
|
apt update
|
||||||
|
apt install -y psmisc
|
||||||
|
|
||||||
|
# LDAP
|
||||||
|
apt install -y --no-install-recommends slapd ldap-utils libnss-ldapd sudo-ldap
|
||||||
|
# `service slapd stop` doesn't seem to work
|
||||||
|
killall slapd || true
|
||||||
|
service nslcd stop || true
|
||||||
|
rm -rf /etc/ldap/slapd.d
|
||||||
|
rm /var/lib/ldap/*
|
||||||
|
cp /usr/share/slapd/DB_CONFIG /var/lib/ldap/DB_CONFIG
|
||||||
|
cp .drone/slapd.conf /etc/ldap/slapd.conf
|
||||||
|
cp .drone/ldap.conf /etc/ldap/ldap.conf
|
||||||
|
cp /usr/share/doc/sudo-ldap/schema.OpenLDAP /etc/ldap/schema/sudo.schema
|
||||||
|
cp .drone/rfc2307bis.schema /etc/ldap/schema/
|
||||||
|
cp .drone/csc.schema /etc/ldap/schema/
|
||||||
|
chown -R openldap:openldap /etc/ldap/schema/ /var/lib/ldap/ /etc/ldap/
|
||||||
|
sleep 0.5 && service slapd start
|
||||||
|
grep -Eq '^map group member uniqueMember$' /etc/nslcd.conf || \
|
||||||
|
echo 'map group member uniqueMember' >> /etc/nslcd.conf
|
||||||
|
sed -E -i 's/^uri .*$/uri ldap:\/\/auth1.csclub.internal/' /etc/nslcd.conf
|
||||||
|
sed -E -i 's/^base .*$/base dc=csclub,dc=internal/' /etc/nslcd.conf
|
||||||
|
cp .drone/nsswitch.conf /etc/nsswitch.conf
|
||||||
|
service nslcd start
|
||||||
|
ldapadd -c -f .drone/data.ldif -Y EXTERNAL -H ldapi:///
|
||||||
|
|
||||||
|
# KERBEROS
|
||||||
|
apt install -y krb5-admin-server krb5-user libpam-krb5 libsasl2-modules-gssapi-mit sasl2-bin
|
||||||
|
service krb5-admin-server stop || true
|
||||||
|
service krb5-kdc stop || true
|
||||||
|
service saslauthd stop || true
|
||||||
|
cp .drone/krb5.conf /etc/krb5.conf
|
||||||
|
cp .drone/kdc.conf /etc/krb5kdc.conf
|
||||||
|
echo '*/admin *' > /etc/krb5kdc/kadm5.acl
|
||||||
|
rm -f /var/lib/krb5kdc/*
|
||||||
|
echo -e 'krb5\nkrb5' | krb5_newrealm
|
||||||
|
service krb5-kdc start
|
||||||
|
service krb5-admin-server start
|
||||||
|
rm -f /etc/krb5.keytab
|
||||||
|
cat <<EOF | kadmin.local
|
||||||
|
addpol -minlength 4 default
|
||||||
|
addprinc -pw krb5 sysadmin/admin
|
||||||
|
addprinc -pw krb5 ctdalek
|
||||||
|
addprinc -pw krb5 regular1
|
||||||
|
addprinc -randkey host/auth1.csclub.internal
|
||||||
|
addprinc -randkey ldap/auth1.csclub.internal
|
||||||
|
ktadd host/auth1.csclub.internal
|
||||||
|
ktadd ldap/auth1.csclub.internal
|
||||||
|
EOF
|
||||||
|
groupadd keytab || true
|
||||||
|
chgrp keytab /etc/krb5.keytab
|
||||||
|
chmod 640 /etc/krb5.keytab
|
||||||
|
usermod -a -G keytab openldap
|
||||||
|
usermod -a -G sasl openldap
|
||||||
|
cat <<EOF > /usr/lib/sasl2/slapd.conf
|
||||||
|
mech_list: plain login gssapi external
|
||||||
|
pwcheck_method: saslauthd
|
||||||
|
EOF
|
||||||
|
sed -E -i 's/^START=.*$/START=yes/' /etc/default/saslauthd
|
||||||
|
sed -E -i 's/^MECHANISMS=.*$/MECHANISMS="kerberos5"/' /etc/default/saslauthd
|
||||||
|
service saslauthd start
|
||||||
|
killall slapd && sleep 0.5 && service slapd start
|
||||||
|
|
||||||
|
# sync with phosphoric-acid
|
||||||
|
apt install -y netcat-openbsd
|
||||||
|
nc -l 0.0.0.0 9000
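Review bot: `add_fqdn_to_hosts` runs under `set -e` without `pipefail`, and `getent hosts $hostname | cut` takes its status from `cut`, so an unresolvable name leaves `ip_addr` empty and the function deletes nothing and appends ` auth1.csclub.internal auth1` to /etc/hosts instead of failing. Quote the name and fail closed: `ip_addr=$(getent hosts "$hostname" | cut -d' ' -f1)` followed by `test -n "$ip_addr"`; the same function is duplicated verbatim in `.drone/phosphoric-acid-setup.sh`. `rm /var/lib/ldap/*` has no `-f` while the later `rm -f /var/lib/krb5kdc/*` does, so an already-empty directory aborts the script. The `*/admin *` kadm5.acl, the `-minlength 4` policy and the fixed `krb5` passwords are only acceptable because this realm is disposable; a header comment such as `# CI fixture: throwaway realm with weak, public test credentials — never reuse on a real host` would stop the file being copied as a template.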
|
|
@ -0,0 +1,35 @@
|
||||||
|
# CSC Member Information Schema
|
||||||
|
|
||||||
|
attributetype ( 1.3.6.1.4.1.27934.1.1.1 NAME 'term'
|
||||||
|
EQUALITY caseIgnoreIA5Match
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{5} )
|
||||||
|
|
||||||
|
attributetype ( 1.3.6.1.4.1.27934.1.1.2 NAME 'program'
|
||||||
|
EQUALITY caseIgnoreIA5Match
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{1024} SINGLE-VALUE )
|
||||||
|
|
||||||
|
attributetype ( 1.3.6.1.4.1.27934.1.1.3 NAME 'studentid'
|
||||||
|
EQUALITY caseIgnoreIA5Match
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} SINGLE-VALUE )
|
||||||
|
|
||||||
|
attributetype ( 1.3.6.1.4.1.27934.1.1.4 NAME 'position'
|
||||||
|
EQUALITY caseIgnoreIA5Match
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )
|
||||||
|
|
||||||
|
attributetype ( 1.3.6.1.4.1.27934.1.1.5 NAME 'nonMemberTerm'
|
||||||
|
EQUALITY caseIgnoreIA5Match
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{5} )
|
||||||
|
|
||||||
|
objectclass ( 1.3.6.1.4.1.27934.1.2.1 NAME 'member'
|
||||||
|
SUP top AUXILIARY
|
||||||
|
MUST ( cn $ uid )
|
||||||
|
MAY ( studentid $ program $ term $ nonMemberTerm $ description $ position ) )
|
||||||
|
|
||||||
|
objectclass ( 1.3.6.1.4.1.27934.1.2.2 NAME 'club'
|
||||||
|
SUP top AUXILIARY
|
||||||
|
MUST ( cn $ uid ) )
|
||||||
|
|
||||||
|
objectclass ( 1.3.6.1.4.1.27934.1.2.3 NAME 'group'
|
||||||
|
SUP top STRUCTURAL
|
||||||
|
MUST ( cn )
|
||||||
|
MAY ( uniqueMember ) )
|
|
@ -0,0 +1,125 @@
|
||||||
|
dn: dc=csclub,dc=internal
|
||||||
|
objectClass: top
|
||||||
|
objectClass: dcObject
|
||||||
|
objectClass: organization
|
||||||
|
dc: csclub
|
||||||
|
o: Computer Science Club
|
||||||
|
|
||||||
|
dn: ou=People,dc=csclub,dc=internal
|
||||||
|
objectClass: organizationalUnit
|
||||||
|
ou: People
|
||||||
|
|
||||||
|
dn: ou=Group,dc=csclub,dc=internal
|
||||||
|
objectClass: organizationalUnit
|
||||||
|
ou: Group
|
||||||
|
|
||||||
|
dn: ou=SUDOers,dc=csclub,dc=internal
|
||||||
|
objectClass: top
|
||||||
|
objectClass: organizationalUnit
|
||||||
|
ou: SUDOers
|
||||||
|
|
||||||
|
dn: cn=defaults,ou=SUDOers,dc=csclub,dc=internal
|
||||||
|
objectClass: top
|
||||||
|
objectClass: sudoRole
|
||||||
|
cn: defaults
|
||||||
|
sudoOption: !insults
|
||||||
|
sudoOption: !lecture
|
||||||
|
sudoOption: env_reset
|
||||||
|
sudoOption: listpw=never
|
||||||
|
sudoOption: shell_noargs
|
||||||
|
sudoOption: !mail_badpass
|
||||||
|
|
||||||
|
dn: cn=syscom,ou=Group,dc=csclub,dc=internal
|
||||||
|
objectClass: top
|
||||||
|
objectClass: group
|
||||||
|
objectClass: posixGroup
|
||||||
|
cn: syscom
|
||||||
|
gidNumber: 10001
|
||||||
|
uniqueMember: uid=ctdalek,ou=People,dc=csclub,dc=internal
|
||||||
|
|
||||||
|
dn: cn=%syscom,ou=SUDOers,dc=csclub,dc=internal
|
||||||
|
objectClass: top
|
||||||
|
objectClass: sudoRole
|
||||||
|
cn: %syscom
|
||||||
|
sudoUser: %syscom
|
||||||
|
sudoHost: ALL
|
||||||
|
sudoCommand: ALL
|
||||||
|
sudoRunAsUser: ALL
|
||||||
|
|
||||||
|
dn: cn=adm,ou=Group,dc=csclub,dc=internal
|
||||||
|
objectClass: top
|
||||||
|
objectClass: group
|
||||||
|
objectClass: posixGroup
|
||||||
|
gidNumber: 4
|
||||||
|
cn: adm
|
||||||
|
uniqueMember: uid=ctdalek,ou=People,dc=csclub,dc=internal
|
||||||
|
|
||||||
|
dn: cn=office,ou=Group,dc=csclub,dc=internal
|
||||||
|
objectClass: top
|
||||||
|
objectClass: group
|
||||||
|
objectClass: posixGroup
|
||||||
|
gidNumber: 10003
|
||||||
|
cn: office
|
||||||
|
uniqueMember: uid=ctdalek,ou=People,dc=csclub,dc=internal
|
||||||
|
|
||||||
|
dn: cn=src,ou=Group,dc=csclub,dc=internal
|
||||||
|
objectClass: top
|
||||||
|
objectClass: group
|
||||||
|
objectClass: posixGroup
|
||||||
|
gidNumber: 40
|
||||||
|
cn: src
|
||||||
|
uniqueMember: uid=ctdalek,ou=People,dc=csclub,dc=internal
|
||||||
|
|
||||||
|
dn: cn=staff,ou=Group,dc=csclub,dc=internal
|
||||||
|
objectClass: top
|
||||||
|
objectClass: group
|
||||||
|
objectClass: posixGroup
|
||||||
|
gidNumber: 50
|
||||||
|
cn: staff
|
||||||
|
uniqueMember: uid=ctdalek,ou=People,dc=csclub,dc=internal
|
||||||
|
|
||||||
|
dn: uid=ctdalek,ou=People,dc=csclub,dc=internal
|
||||||
|
cn: Calum Dalek
|
||||||
|
userPassword: {SASL}ctdalek@CSCLUB.INTERNAL
|
||||||
|
loginShell: /bin/bash
|
||||||
|
homeDirectory: /users/ctdalek
|
||||||
|
uid: ctdalek
|
||||||
|
uidNumber: 20001
|
||||||
|
gidNumber: 20001
|
||||||
|
objectClass: top
|
||||||
|
objectClass: account
|
||||||
|
objectClass: posixAccount
|
||||||
|
objectClass: shadowAccount
|
||||||
|
objectClass: member
|
||||||
|
program: MAT/Mathematics Computer Science
|
||||||
|
term: s2021
|
||||||
|
|
||||||
|
dn: cn=ctdalek,ou=Group,dc=csclub,dc=internal
|
||||||
|
objectClass: top
|
||||||
|
objectClass: group
|
||||||
|
objectClass: posixGroup
|
||||||
|
cn: ctdalek
|
||||||
|
gidNumber: 20001
|
||||||
|
|
||||||
|
dn: uid=regular1,ou=People,dc=csclub,dc=internal
|
||||||
|
cn: Regular One
|
||||||
|
userPassword: {SASL}regular1@CSCLUB.INTERNAL
|
||||||
|
loginShell: /bin/bash
|
||||||
|
homeDirectory: /users/regular1
|
||||||
|
uid: regular1
|
||||||
|
uidNumber: 20002
|
||||||
|
gidNumber: 20002
|
||||||
|
objectClass: top
|
||||||
|
objectClass: account
|
||||||
|
objectClass: posixAccount
|
||||||
|
objectClass: shadowAccount
|
||||||
|
objectClass: member
|
||||||
|
program: MAT/Mathematics Computer Science
|
||||||
|
term: s2021
|
||||||
|
|
||||||
|
dn: cn=regular1,ou=Group,dc=csclub,dc=internal
|
||||||
|
objectClass: top
|
||||||
|
objectClass: group
|
||||||
|
objectClass: posixGroup
|
||||||
|
cn: regular1
|
||||||
|
gidNumber: 20002
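Review bot: This fixture creates `ou=People`, `ou=Group` and `ou=SUDOers`, but the test configuration hunk further down still points `users_base`, `groups_base`, `sudo_base` and `base` at `ou=TestPeople`, `ou=TestGroup`, `ou=TestSUDOers` and `ou=TestUWLDAP`, none of which are added here; unless the test suite creates those containers itself, searches against auth1 will fail on a missing base, which may be what the failing build is reporting. Either add the four `organizationalUnit` entries to this file or point the test config at the bases defined here. A leading comment such as `# CI fixture data; userPassword values are SASL pass-through to the CSCLUB.INTERNAL test realm` would also explain the `{SASL}` entries for readers unfamiliar with that setup.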
|
|
@ -0,0 +1,19 @@
|
||||||
|
[kdcdefaults]
|
||||||
|
kdc_ports = 88
|
||||||
|
|
||||||
|
[realms]
|
||||||
|
CSCLUB.INTERNAL = {
|
||||||
|
database_name = /var/lib/krb5kdc/principal
|
||||||
|
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
|
||||||
|
acl_file = /etc/krb5kdc/kadm5.acl
|
||||||
|
key_stash_file = /etc/krb5kdc/stash
|
||||||
|
kdc_ports = 88
|
||||||
|
max_life = 10h 0m 0s
|
||||||
|
max_renewable_life = 7d 0h 0m 0s
|
||||||
|
master_key_type = des3-hmac-sha1
|
||||||
|
supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des3-cbc-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
|
||||||
|
default_principal_flags = +preauth
|
||||||
|
iprop_enable = true
|
||||||
|
iprop_slave_poll = 2m
|
||||||
|
iprop_port = 750
|
||||||
|
}
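Review bot: `supported_enctypes` still lists single-DES (`des-cbc-crc` and the `des:*` salt variants) and `arcfour-hmac`, and `master_key_type = des3-hmac-sha1`; newer MIT Kerberos releases have dropped single-DES entirely, so `krb5_newrealm` in `.drone/auth1-setup.sh` can start failing as soon as the base image moves past buster. Trim to `supported_enctypes = aes256-cts:normal aes128-cts:normal` and `master_key_type = aes256-cts`, which also lets `allow_weak_crypto = true` in the krb5.conf hunk below be removed. `iprop_enable = true` with `iprop_port = 750` on a single-KDC fixture opens an incremental-propagation listener that nothing in this commit consumes; if it is intentional, a comment saying why would help.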
|
|
@ -0,0 +1,27 @@
|
||||||
|
[libdefaults]
|
||||||
|
default_realm = CSCLUB.INTERNAL
|
||||||
|
|
||||||
|
kdc_timesync = 1
|
||||||
|
ccache_type = 4
|
||||||
|
forwardable = true
|
||||||
|
proxiable = true
|
||||||
|
|
||||||
|
dns_lookup_kdc = false
|
||||||
|
dns_lookup_realm = false
|
||||||
|
|
||||||
|
allow_weak_crypto = true
|
||||||
|
|
||||||
|
[realms]
|
||||||
|
CSCLUB.INTERNAL = {
|
||||||
|
kdc = auth1.csclub.internal
|
||||||
|
admin_server = auth1.csclub.internal
|
||||||
|
}
|
||||||
|
|
||||||
|
[domain_realm]
|
||||||
|
.csclub.internal = CSCLUB.INTERNAL
|
||||||
|
csclub.internal = CSCLUB.INTERNAL
|
||||||
|
|
||||||
|
[logging]
|
||||||
|
kdc = SYSLOG:INFO:AUTH
|
||||||
|
admin_server = SYSLOG:INFO:AUTH
|
||||||
|
default = SYSLOG:INFO:AUTH
|
|
@ -0,0 +1,3 @@
|
||||||
|
BASE dc=csclub,dc=internal
|
||||||
|
URI ldap://auth1.csclub.internal
|
||||||
|
SUDOERS_BASE ou=SUDOers,dc=csclub,dc=internal
|
|
@ -0,0 +1,20 @@
|
||||||
|
# /etc/nsswitch.conf
|
||||||
|
#
|
||||||
|
# Example configuration of GNU Name Service Switch functionality.
|
||||||
|
# If you have the `glibc-doc-reference' and `info' packages installed, try:
|
||||||
|
# `info libc "Name Service Switch"' for information about this file.
|
||||||
|
|
||||||
|
passwd: files ldap
|
||||||
|
group: files ldap
|
||||||
|
shadow: files ldap
|
||||||
|
|
||||||
|
hosts: files dns
|
||||||
|
networks: files
|
||||||
|
|
||||||
|
protocols: db files
|
||||||
|
services: db files
|
||||||
|
ethers: db files
|
||||||
|
rpc: db files
|
||||||
|
|
||||||
|
netgroup: nis
|
||||||
|
sudoers: files ldap
|
|
@ -0,0 +1,63 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
set -ex
|
||||||
|
|
||||||
|
add_fqdn_to_hosts() {
|
||||||
|
hostname=$1
|
||||||
|
ip_addr=$(getent hosts $hostname | cut -d' ' -f1)
|
||||||
|
sed -E "/${ip_addr}.*\\b${hostname}\\b/d" /etc/hosts > /tmp/hosts
|
||||||
|
cat /tmp/hosts > /etc/hosts
|
||||||
|
rm /tmp/hosts
|
||||||
|
echo "$ip_addr $hostname.csclub.internal $hostname" >> /etc/hosts
|
||||||
|
}
|
||||||
|
|
||||||
|
# set FQDN in /etc/hosts
|
||||||
|
add_fqdn_to_hosts phosphoric-acid
|
||||||
|
add_fqdn_to_hosts auth1
|
||||||
|
|
||||||
|
export DEBIAN_FRONTEND=noninteractive
|
||||||
|
apt update
|
||||||
|
|
||||||
|
# LDAP
|
||||||
|
apt install -y --no-install-recommends libnss-ldapd
|
||||||
|
service nslcd stop || true
|
||||||
|
cp .drone/ldap.conf /etc/ldap/ldap.conf
|
||||||
|
grep -Eq '^map group member uniqueMember$' /etc/nslcd.conf || \
|
||||||
|
echo 'map group member uniqueMember' >> /etc/nslcd.conf
|
||||||
|
sed -E -i 's/^uri .*$/uri ldap:\/\/auth1.csclub.internal/' /etc/nslcd.conf
|
||||||
|
sed -E -i 's/^base .*$/base dc=csclub,dc=internal/' /etc/nslcd.conf
|
||||||
|
cp .drone/nsswitch.conf /etc/nsswitch.conf
|
||||||
|
|
||||||
|
# KERBEROS
|
||||||
|
apt install -y krb5-user libpam-krb5 libsasl2-modules-gssapi-mit
|
||||||
|
cp .drone/krb5.conf /etc/krb5.conf
|
||||||
|
|
||||||
|
# sync with auth1
|
||||||
|
apt install -y netcat-openbsd
|
||||||
|
synced=false
|
||||||
|
# give it 5 minutes
|
||||||
|
for i in {1..60}; do
|
||||||
|
if nc -vz auth1 9000 ; then
|
||||||
|
synced=true
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
sleep 5
|
||||||
|
done
|
||||||
|
test $synced = true
|
||||||
|
|
||||||
|
rm -f /etc/krb5.keytab
|
||||||
|
cat <<EOF | kadmin -p sysadmin/admin
|
||||||
|
krb5
|
||||||
|
addprinc -randkey host/phosphoric-acid.csclub.internal
|
||||||
|
ktadd host/phosphoric-acid.csclub.internal
|
||||||
|
addprinc -randkey ceod/phosphoric-acid.csclub.internal
|
||||||
|
ktadd ceod/phosphoric-acid.csclub.internal
|
||||||
|
addprinc -randkey ceod/admin
|
||||||
|
ktadd ceod/admin
|
||||||
|
EOF
|
||||||
|
service nslcd start
|
||||||
|
|
||||||
|
# initialize the skel directory
|
||||||
|
shopt -s dotglob
|
||||||
|
mkdir -p /users/skel
|
||||||
|
cp /etc/skel/* /users/skel/
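Review bot: The `cat <<EOF | kadmin -p sysadmin/admin` block relies on `kadmin` taking its password (`krb5`) from the first line of piped stdin; whether that works depends on the prompter, so it should be confirmed on the CI image or replaced with the explicit `-w` option, with a comment on the line noting that the first heredoc line is the password rather than a kadmin command. `add_fqdn_to_hosts` is a copy of the one in `.drone/auth1-setup.sh` with the same unquoted `$hostname` and no check that `ip_addr` is non-empty; move it to a shared `.drone/common.sh` and source it from both scripts. The `# give it 5 minutes` comment is only true while `{1..60}` and `sleep 5` stay in step — `# 60 attempts x 5 s ≈ 5 min` keeps the arithmetic visible.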
|
|
@ -0,0 +1,287 @@
|
||||||
|
# builtin
|
||||||
|
#attributetype ( 1.3.6.1.1.1.1.0 NAME 'uidNumber'
|
||||||
|
# DESC 'An integer uniquely identifying a user in an administrative domain'
|
||||||
|
# EQUALITY integerMatch
|
||||||
|
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||||||
|
# SINGLE-VALUE )
|
||||||
|
#
|
||||||
|
|
||||||
|
# builtin
|
||||||
|
#attributetype ( 1.3.6.1.1.1.1.1 NAME 'gidNumber'
|
||||||
|
# DESC 'An integer uniquely identifying a group in an
|
||||||
|
# administrative domain'
|
||||||
|
# EQUALITY integerMatch
|
||||||
|
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||||||
|
# SINGLE-VALUE )
|
||||||
|
|
||||||
|
attributetype ( 1.3.6.1.1.1.1.2 NAME 'gecos'
|
||||||
|
DESC 'The GECOS field; the common name'
|
||||||
|
EQUALITY caseIgnoreIA5Match
|
||||||
|
SUBSTR caseIgnoreIA5SubstringsMatch
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
|
||||||
|
SINGLE-VALUE )
|
||||||
|
|
||||||
|
attributetype ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory'
|
||||||
|
DESC 'The absolute path to the home directory'
|
||||||
|
EQUALITY caseExactIA5Match
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
|
||||||
|
SINGLE-VALUE )
|
||||||
|
|
||||||
|
attributetype ( 1.3.6.1.1.1.1.4 NAME 'loginShell'
|
||||||
|
DESC 'The path to the login shell'
|
||||||
|
EQUALITY caseExactIA5Match
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
|
||||||
|
SINGLE-VALUE )
|
||||||
|
|
||||||
|
attributetype ( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange'
|
||||||
|
EQUALITY integerMatch
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||||||
|
SINGLE-VALUE )
|
||||||
|
|
||||||
|
attributetype ( 1.3.6.1.1.1.1.6 NAME 'shadowMin'
|
||||||
|
EQUALITY integerMatch
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||||||
|
SINGLE-VALUE )
|
||||||
|
|
||||||
|
attributetype ( 1.3.6.1.1.1.1.7 NAME 'shadowMax'
|
||||||
|
EQUALITY integerMatch
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||||||
|
SINGLE-VALUE )
|
||||||
|
|
||||||
|
attributetype ( 1.3.6.1.1.1.1.8 NAME 'shadowWarning'
|
||||||
|
EQUALITY integerMatch
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||||||
|
SINGLE-VALUE )
|
||||||
|
|
||||||
|
attributetype ( 1.3.6.1.1.1.1.9 NAME 'shadowInactive'
|
||||||
|
EQUALITY integerMatch
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||||||
|
SINGLE-VALUE )
|
||||||
|
|
||||||
|
attributetype ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire'
|
||||||
|
EQUALITY integerMatch
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||||||
|
SINGLE-VALUE )
|
||||||
|
|
||||||
|
attributetype ( 1.3.6.1.1.1.1.11 NAME 'shadowFlag'
|
||||||
|
EQUALITY integerMatch
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||||||
|
SINGLE-VALUE )
|
||||||
|
|
||||||
|
attributetype ( 1.3.6.1.1.1.1.12 NAME 'memberUid'
|
||||||
|
EQUALITY caseExactIA5Match
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
||||||
|
|
||||||
|
attributetype ( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup'
|
||||||
|
EQUALITY caseExactIA5Match
|
||||||
|
SUBSTR caseExactIA5SubstringsMatch
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
||||||
|
|
||||||
|
attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
|
||||||
|
DESC 'Netgroup triple'
|
||||||
|
EQUALITY caseIgnoreIA5Match
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
||||||
|
|
||||||
|
attributetype ( 1.3.6.1.1.1.1.15 NAME 'ipServicePort'
|
||||||
|
DESC 'Service port number'
|
||||||
|
EQUALITY integerMatch
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||||||
|
SINGLE-VALUE )
|
||||||
|
|
||||||
|
attributetype ( 1.3.6.1.1.1.1.16 NAME 'ipServiceProtocol'
|
||||||
|
DESC 'Service protocol name'
|
||||||
|
SUP name )
|
||||||
|
|
||||||
|
attributetype ( 1.3.6.1.1.1.1.17 NAME 'ipProtocolNumber'
|
||||||
|
DESC 'IP protocol number'
|
||||||
|
EQUALITY integerMatch
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||||||
|
SINGLE-VALUE )
|
||||||
|
|
||||||
|
attributetype ( 1.3.6.1.1.1.1.18 NAME 'oncRpcNumber'
|
||||||
|
DESC 'ONC RPC number'
|
||||||
|
EQUALITY integerMatch
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||||||
|
SINGLE-VALUE )
|
||||||
|
attributetype ( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber'
|
||||||
|
DESC 'IPv4 addresses as a dotted decimal omitting leading
|
||||||
|
zeros or IPv6 addresses as defined in RFC2373'
|
||||||
|
SUP name )
|
||||||
|
|
||||||
|
attributetype ( 1.3.6.1.1.1.1.20 NAME 'ipNetworkNumber'
|
||||||
|
DESC 'IP network as a dotted decimal, eg. 192.168,
|
||||||
|
omitting leading zeros'
|
||||||
|
SUP name
|
||||||
|
SINGLE-VALUE )
|
||||||
|
|
||||||
|
attributetype ( 1.3.6.1.1.1.1.21 NAME 'ipNetmaskNumber'
|
||||||
|
DESC 'IP netmask as a dotted decimal, eg. 255.255.255.0,
|
||||||
|
omitting leading zeros'
|
||||||
|
EQUALITY caseIgnoreIA5Match
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
|
||||||
|
SINGLE-VALUE )
|
||||||
|
|
||||||
|
attributetype ( 1.3.6.1.1.1.1.22 NAME 'macAddress'
|
||||||
|
DESC 'MAC address in maximal, colon separated hex
|
||||||
|
notation, eg. 00:00:92:90:ee:e2'
|
||||||
|
EQUALITY caseIgnoreIA5Match
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
||||||
|
|
||||||
|
attributetype ( 1.3.6.1.1.1.1.23 NAME 'bootParameter'
|
||||||
|
DESC 'rpc.bootparamd parameter'
|
||||||
|
EQUALITY caseExactIA5Match
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
||||||
|
|
||||||
|
attributetype ( 1.3.6.1.1.1.1.24 NAME 'bootFile'
|
||||||
|
DESC 'Boot image name'
|
||||||
|
EQUALITY caseExactIA5Match
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
||||||
|
|
||||||
|
attributetype ( 1.3.6.1.1.1.1.26 NAME 'nisMapName'
|
||||||
|
DESC 'Name of a A generic NIS map'
|
||||||
|
SUP name )
|
||||||
|
|
||||||
|
attributetype ( 1.3.6.1.1.1.1.27 NAME 'nisMapEntry'
|
||||||
|
DESC 'A generic NIS entry'
|
||||||
|
EQUALITY caseExactIA5Match
|
||||||
|
SUBSTR caseExactIA5SubstringsMatch
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
|
||||||
|
SINGLE-VALUE )
|
||||||
|
|
||||||
|
attributetype ( 1.3.6.1.1.1.1.28 NAME 'nisPublicKey'
|
||||||
|
DESC 'NIS public key'
|
||||||
|
EQUALITY octetStringMatch
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
|
||||||
|
|
||||||
|
attributetype ( 1.3.6.1.1.1.1.29 NAME 'nisSecretKey'
|
||||||
|
DESC 'NIS secret key'
|
||||||
|
EQUALITY octetStringMatch
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
|
||||||
|
|
||||||
|
attributetype ( 1.3.6.1.1.1.1.30 NAME 'nisDomain'
|
||||||
|
DESC 'NIS domain'
|
||||||
|
EQUALITY caseIgnoreIA5Match
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
|
||||||
|
|
||||||
|
attributetype ( 1.3.6.1.1.1.1.31 NAME 'automountMapName'
|
||||||
|
DESC 'automount Map Name'
|
||||||
|
EQUALITY caseExactIA5Match
|
||||||
|
SUBSTR caseExactIA5SubstringsMatch
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
|
||||||
|
|
||||||
|
attributetype ( 1.3.6.1.1.1.1.32 NAME 'automountKey'
|
||||||
|
DESC 'Automount Key value'
|
||||||
|
EQUALITY caseExactIA5Match
|
||||||
|
SUBSTR caseExactIA5SubstringsMatch
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
|
||||||
|
|
||||||
|
attributetype ( 1.3.6.1.1.1.1.33 NAME 'automountInformation'
|
||||||
|
DESC 'Automount information'
|
||||||
|
EQUALITY caseExactIA5Match
|
||||||
|
SUBSTR caseExactIA5SubstringsMatch
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
|
||||||
|
|
||||||
|
objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY
|
||||||
|
DESC 'Abstraction of an account with POSIX attributes'
|
||||||
|
MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
|
||||||
|
MAY ( userPassword $ loginShell $ gecos $
|
||||||
|
description ) )
|
||||||
|
|
||||||
|
objectclass ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' SUP top AUXILIARY
|
||||||
|
DESC 'Additional attributes for shadow passwords'
|
||||||
|
MUST uid
|
||||||
|
MAY ( userPassword $ description $
|
||||||
|
shadowLastChange $ shadowMin $ shadowMax $
|
||||||
|
shadowWarning $ shadowInactive $
|
||||||
|
shadowExpire $ shadowFlag ) )
|
||||||
|
|
||||||
|
objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top AUXILIARY
|
||||||
|
DESC 'Abstraction of a group of accounts'
|
||||||
|
MUST gidNumber
|
||||||
|
MAY ( userPassword $ memberUid $
|
||||||
|
description ) )
|
||||||
|
|
||||||
|
objectclass ( 1.3.6.1.1.1.2.3 NAME 'ipService' SUP top STRUCTURAL
|
||||||
|
DESC 'Abstraction an Internet Protocol service.
|
||||||
|
Maps an IP port and protocol (such as tcp or udp)
|
||||||
|
to one or more names; the distinguished value of
|
||||||
|
the cn attribute denotes the services canonical
|
||||||
|
name'
|
||||||
|
MUST ( cn $ ipServicePort $ ipServiceProtocol )
|
||||||
|
MAY description )
|
||||||
|
|
||||||
|
objectclass ( 1.3.6.1.1.1.2.4 NAME 'ipProtocol' SUP top STRUCTURAL
|
||||||
|
DESC 'Abstraction of an IP protocol. Maps a protocol number
|
||||||
|
to one or more names. The distinguished value of the cn
|
||||||
|
attribute denotes the protocols canonical name'
|
||||||
|
MUST ( cn $ ipProtocolNumber )
|
||||||
|
MAY description )
|
||||||
|
|
||||||
|
objectclass ( 1.3.6.1.1.1.2.5 NAME 'oncRpc' SUP top STRUCTURAL
|
||||||
|
DESC 'Abstraction of an Open Network Computing (ONC)
|
||||||
|
[RFC1057] Remote Procedure Call (RPC) binding.
|
||||||
|
This class maps an ONC RPC number to a name.
|
||||||
|
The distinguished value of the cn attribute denotes
|
||||||
|
the RPC services canonical name'
|
||||||
|
MUST ( cn $ oncRpcNumber )
|
||||||
|
MAY description )
|
||||||
|
|
||||||
|
objectclass ( 1.3.6.1.1.1.2.6 NAME 'ipHost' SUP top AUXILIARY
|
||||||
|
DESC 'Abstraction of a host, an IP device. The distinguished
|
||||||
|
value of the cn attribute denotes the hosts canonical
|
||||||
|
name. Device SHOULD be used as a structural class'
|
||||||
|
MUST ( cn $ ipHostNumber )
|
||||||
|
MAY ( userPassword $ l $ description $ manager ) )
|
||||||
|
|
||||||
|
objectclass ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' SUP top STRUCTURAL
|
||||||
|
DESC 'Abstraction of a network. The distinguished value of
|
||||||
|
the cn attribute denotes the networks canonical name'
|
||||||
|
MUST ipNetworkNumber
|
||||||
|
MAY ( cn $ ipNetmaskNumber $ l $ description $ manager ) )
|
||||||
|
|
||||||
|
objectclass ( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' SUP top STRUCTURAL
|
||||||
|
DESC 'Abstraction of a netgroup. May refer to other netgroups'
|
||||||
|
MUST cn
|
||||||
|
MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) )
|
||||||
|
|
||||||
|
objectclass ( 1.3.6.1.1.1.2.9 NAME 'nisMap' SUP top STRUCTURAL
|
||||||
|
DESC 'A generic abstraction of a NIS map'
|
||||||
|
MUST nisMapName
|
||||||
|
MAY description )
|
||||||
|
|
||||||
|
objectclass ( 1.3.6.1.1.1.2.10 NAME 'nisObject' SUP top STRUCTURAL
|
||||||
|
DESC 'An entry in a NIS map'
|
||||||
|
MUST ( cn $ nisMapEntry $ nisMapName )
|
||||||
|
MAY description )
|
||||||
|
|
||||||
|
objectclass ( 1.3.6.1.1.1.2.11 NAME 'ieee802Device' SUP top AUXILIARY
|
||||||
|
DESC 'A device with a MAC address; device SHOULD be
|
||||||
|
used as a structural class'
|
||||||
|
MAY macAddress )
|
||||||
|
|
||||||
|
objectclass ( 1.3.6.1.1.1.2.12 NAME 'bootableDevice' SUP top AUXILIARY
|
||||||
|
DESC 'A device with boot parameters; device SHOULD be
|
||||||
|
used as a structural class'
|
||||||
|
MAY ( bootFile $ bootParameter ) )
|
||||||
|
|
||||||
|
objectclass ( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject' SUP top AUXILIARY
|
||||||
|
DESC 'An object with a public and secret key'
|
||||||
|
MUST ( cn $ nisPublicKey $ nisSecretKey )
|
||||||
|
MAY ( uidNumber $ description ) )
|
||||||
|
|
||||||
|
objectclass ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top AUXILIARY
|
||||||
|
DESC 'Associates a NIS domain with a naming context'
|
||||||
|
MUST nisDomain )
|
||||||
|
|
||||||
|
objectclass ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTURAL
|
||||||
|
MUST ( automountMapName )
|
||||||
|
MAY description )
|
||||||
|
|
||||||
|
objectclass ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top STRUCTURAL
|
||||||
|
DESC 'Automount information'
|
||||||
|
MUST ( automountKey $ automountInformation )
|
||||||
|
MAY description )
|
||||||
|
## namedObject is needed for groups without members
|
||||||
|
objectclass ( 1.3.6.1.4.1.5322.13.1.1 NAME 'namedObject' SUP top
|
||||||
|
STRUCTURAL MAY cn )
|
||||||
|
|
|
@ -0,0 +1,107 @@
|
||||||
|
# This is the main slapd configuration file. See slapd.conf(5) for more
|
||||||
|
# info on the configuration options.
|
||||||
|
|
||||||
|
include /etc/ldap/schema/core.schema
|
||||||
|
include /etc/ldap/schema/cosine.schema
|
||||||
|
include /etc/ldap/schema/rfc2307bis.schema
|
||||||
|
include /etc/ldap/schema/inetorgperson.schema
|
||||||
|
include /etc/ldap/schema/sudo.schema
|
||||||
|
include /etc/ldap/schema/csc.schema
|
||||||
|
include /etc/ldap/schema/misc.schema
|
||||||
|
|
||||||
|
pidfile /var/run/slapd/slapd.pid
|
||||||
|
argsfile /var/run/slapd/slapd.args
|
||||||
|
|
||||||
|
#Warning: "stats" is *lots* of logging
|
||||||
|
loglevel sync
|
||||||
|
#loglevel stats config sync acl
|
||||||
|
|
||||||
|
modulepath /usr/lib/ldap
|
||||||
|
moduleload back_hdb
|
||||||
|
moduleload syncprov
|
||||||
|
moduleload auditlog
|
||||||
|
moduleload unique
|
||||||
|
|
||||||
|
sizelimit unlimited
|
||||||
|
timelimit unlimited
|
||||||
|
|
||||||
|
# consider local connections encrypted
|
||||||
|
localssf 128
|
||||||
|
|
||||||
|
# map kerberos users to ldap users
|
||||||
|
sasl-realm CSCLUB.INTERNAL
|
||||||
|
authz-regexp "uid=([^/=]*),cn=CSCLUB.INTERNAL,cn=GSSAPI,cn=auth"
|
||||||
|
"uid=$1,ou=people,dc=csclub,dc=internal"
|
||||||
|
authz-regexp "uid=ceod/admin,cn=CSCLUB.INTERNAL,cn=GSSAPI,cn=auth"
|
||||||
|
"cn=ceod,dc=csclub,dc=internal"
|
||||||
|
|
||||||
|
access to *
|
||||||
|
by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
|
||||||
|
by * break
|
||||||
|
|
||||||
|
# systems committee get full access
|
||||||
|
access to *
|
||||||
|
by dn="cn=ceod,dc=csclub,dc=internal" write
|
||||||
|
by group/group/uniqueMember="cn=syscom,ou=Group,dc=csclub,dc=internal" write
|
||||||
|
by * break
|
||||||
|
|
||||||
|
# allow office staff to add terms
|
||||||
|
# the renewal program may do the same
|
||||||
|
access to attrs=term
|
||||||
|
by group/group/uniqueMember="cn=office,ou=Group,dc=csclub,dc=internal" add
|
||||||
|
by dn="cn=renewal,dc=csclub,dc=internal" add
|
||||||
|
by * read
|
||||||
|
access to attrs=nonMemberTerm
|
||||||
|
by group/group/uniqueMember="cn=office,ou=Group,dc=csclub,dc=internal" add
|
||||||
|
by dn="cn=renewal,dc=csclub,dc=internal" add
|
||||||
|
by * read
|
||||||
|
|
||||||
|
# allow users to change their shells
|
||||||
|
access to attrs=loginShell
|
||||||
|
by self write
|
||||||
|
by * read
|
||||||
|
|
||||||
|
# allow simple authentication
|
||||||
|
access to attrs=userPassword
|
||||||
|
by anonymous auth
|
||||||
|
by * none
|
||||||
|
|
||||||
|
# allow access to attributes of top; they would otherwise be denied below
|
||||||
|
access to attrs=@top
|
||||||
|
by * read
|
||||||
|
|
||||||
|
# default permit
|
||||||
|
access to *
|
||||||
|
by * read
|
||||||
|
|
||||||
|
# main database options
|
||||||
|
# note: the mdb backend has a horrible bug in 2.4.31
|
||||||
|
# that causes indexing to destroy the database
|
||||||
|
database hdb
|
||||||
|
suffix "dc=csclub,dc=internal"
|
||||||
|
directory "/var/lib/ldap"
|
||||||
|
rootdn cn=root,dc=csclub,dc=internal
|
||||||
|
index default eq
|
||||||
|
index objectClass
|
||||||
|
index entryCSN,entryUUID
|
||||||
|
index uid,uidNumber
|
||||||
|
index cn,gidNumber
|
||||||
|
index uniqueMember,memberUid
|
||||||
|
index sudoUser,sudoHost pres,sub,eq
|
||||||
|
index term,nonMemberTerm
|
||||||
|
index mailLocalAddress
|
||||||
|
index modifyTimestamp,createTimestamp
|
||||||
|
|
||||||
|
# log all changes to the directory
|
||||||
|
overlay auditlog
|
||||||
|
auditlog /var/log/ldap/audit.log
|
||||||
|
|
||||||
|
# enforce uniqueness of usernames etc.
|
||||||
|
overlay unique
|
||||||
|
unique_uri ldap:///ou=People,dc=csclub,dc=internal?uid,uidNumber?sub
|
||||||
|
unique_uri ldap:///ou=Group,dc=csclub,dc=internal?cn,gidNumber?sub
|
||||||
|
|
||||||
|
# this is the master server
|
||||||
|
overlay syncprov
|
||||||
|
syncprov-checkpoint 100 10
|
||||||
|
syncprov-sessionlog 100
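Review bot: `auditlog /var/log/ldap/audit.log` points at a directory that `.drone/auth1-setup.sh` never creates and that the slapd package does not ship by default, so the overlay most likely cannot open its file and changes go unlogged — verify, and either add `mkdir -p /var/log/ldap && chown openldap:openldap /var/log/ldap` to the setup script or drop the overlay from the fixture. The final `access to *` / `by * read` grants anonymous read on every attribute not matched above, including `studentid` and `program`; that is defensible for a throwaway CI directory but should be stated, e.g. `# CI fixture: anonymous read of all member attributes is intentional here` above it. The `cn=ceod` and `cn=renewal` DNs used in `authz-regexp` and the ACLs do not appear in data.ldif; slapd does not require them to exist, but a comment saying so would save the next reader a search.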
|
|
@ -24,7 +24,7 @@ class MockMailmanServer:
|
||||||
def _start_loop(self):
|
def _start_loop(self):
|
||||||
asyncio.set_event_loop(self.loop)
|
asyncio.set_event_loop(self.loop)
|
||||||
self.loop.run_until_complete(self.runner.setup())
|
self.loop.run_until_complete(self.runner.setup())
|
||||||
site = web.TCPSite(self.runner, 'localhost', 8002)
|
site = web.TCPSite(self.runner, '127.0.0.1', 8002)
|
||||||
self.loop.run_until_complete(site.start())
|
self.loop.run_until_complete(site.start())
|
||||||
self.loop.run_forever()
|
self.loop.run_forever()
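Review bot: `_start_loop` still has no docstring and the reason for switching `web.TCPSite` from `'localhost'` to `'127.0.0.1'` is not recorded; presumably it avoids `localhost` resolving to `::1` on the CI host, but a reader cannot tell from the hunk. Add `"""Bind the mock Mailman API on 127.0.0.1:8002 and run the event loop until stopped."""` and a why-comment on the `web.TCPSite` line such as `# bind IPv4 loopback explicitly; 'localhost' may resolve to ::1 — confirm`. The identical default change in the `MockSMTPServer.__init__` hunk below deserves the same comment. `8002` remains a literal inside the method while the test config keeps its ports in an ini file; a class attribute would let both be set from one place. `_start_loop` belongs to `MockMailmanServer`, whose definition starts outside the hunk.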
|
||||||
|
|
||||||
|
|
|
@ -2,7 +2,7 @@ from aiosmtpd.controller import Controller
|
||||||
|
|
||||||
|
|
||||||
class MockSMTPServer:
|
class MockSMTPServer:
|
||||||
def __init__(self, hostname='localhost', port=8025):
|
def __init__(self, hostname='127.0.0.1', port=8025):
|
||||||
self.messages = []
|
self.messages = []
|
||||||
self.controller = Controller(MockHandler(self), hostname, port)
|
self.controller = Controller(MockHandler(self), hostname, port)
|
||||||
|
|
||||||
|
|
|
@ -11,14 +11,14 @@ port = 9987
|
||||||
|
|
||||||
[ldap]
|
[ldap]
|
||||||
admin_principal = ceod/admin
|
admin_principal = ceod/admin
|
||||||
server_url = ldap://ldap-master.csclub.internal
|
server_url = ldap://auth1.csclub.internal
|
||||||
sasl_realm = CSCLUB.INTERNAL
|
sasl_realm = CSCLUB.INTERNAL
|
||||||
users_base = ou=TestPeople,dc=csclub,dc=internal
|
users_base = ou=TestPeople,dc=csclub,dc=internal
|
||||||
groups_base = ou=TestGroup,dc=csclub,dc=internal
|
groups_base = ou=TestGroup,dc=csclub,dc=internal
|
||||||
sudo_base = ou=TestSUDOers,dc=csclub,dc=internal
|
sudo_base = ou=TestSUDOers,dc=csclub,dc=internal
|
||||||
|
|
||||||
[uwldap]
|
[uwldap]
|
||||||
server_url = ldap://ldap-master.csclub.internal
|
server_url = ldap://auth1.csclub.internal
|
||||||
base = ou=TestUWLDAP,dc=csclub,dc=internal
|
base = ou=TestUWLDAP,dc=csclub,dc=internal
|
||||||
|
|
||||||
[members]
|
[members]
|
||||||
|
|