From: Arran Cudbard-Bell
Date: Fri, 1 Sep 2023 23:33:12 +0000 (-0600)
Subject: ldap: Setup script fixes
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=60a582fc14b92894446e1eece6e6a2f596095cb2;p=thirdparty%2Ffreeradius-server.git

ldap: Setup script fixes

Don't duplicate the ENTIRE script just to start a second LDAP instance. Add paths for homebrew on ARM. Kill existing slapd instances so we don't get errors about the database already existing. ff
---
diff --git a/.github/actions/ci-tests/action.yml b/.github/actions/ci-tests/action.yml
index aa04fce5e8e..a42e83900ba 100644
--- a/.github/actions/ci-tests/action.yml
+++ b/.github/actions/ci-tests/action.yml
@@ -191,7 +191,7 @@ runs:
 mysql-setup.sh \
 openresty-setup.sh \
 ldap-setup.sh \
- ldap2-setup.sh \
+ ldap1-setup.sh \
 389ds-setup.sh \
 redis-setup.sh; do
diff --git a/scripts/ci/ldap-setup.sh b/scripts/ci/ldap-setup.sh
index 2fc7568a0d2..d6fb6c3251b 100755
--- a/scripts/ci/ldap-setup.sh
+++ b/scripts/ci/ldap-setup.sh
@@ -1,44 +1,75 @@ -#!/bin/sh +#!/usr/bin/env bash # Allow setup script to work with homebrew too -export PATH="/usr/local/opt/openldap/libexec:$PATH" +export PATH="/usr/local/opt/openldap/libexec:/opt/homebrew/opt/openldap/libexec:/opt/symas/lib:$PATH" + +suffix=$(echo "${0##*/}" | sed -E 's/^ldap(.*)-setup.sh$/\1/') + +# Kill any old processes +[ -e "/tmp/slapd${suffix}.pid" ] && kill $(cat /tmp/slapd${suffix}.pid) + +base_dir="/tmp/ldap${suffix}" +cert_dir="${base_dir}/certs" +data_dir="${base_dir}/db" +schema_dir="${base_dir}/schema" + +echo "base_dir \"${data_dir}\"" # Clean out any existing DB -rm -rf /tmp/ldap/db +rm -rf "${data_dir}" # Create directory we can write DB files to -mkdir -p /tmp/ldap/db/ +mkdir -p "${data_dir}" # Change db location to /tmp as we can't write to /var -sed -i -e 's/\/var\/lib\/ldap/\/tmp\/ldap\/db/' src/tests/salt-test-server/salt/ldap/base.ldif +sed -i -e "s/\/var\/lib\/ldap/\/tmp\/ldap${suffix}\/db/" src/tests/salt-test-server/salt/ldap/base${suffix}.ldif # Create a directory we can link schema files into -if [ -d /tmp/ldap/schema ]; then +if [ -d "${schema_dir}" ]; then echo "Schema dir already linked" # Debian elif [ -d /etc/ldap/schema ]; then - ln -fs /etc/ldap/schema /tmp/ldap/schema + ln -fs /etc/ldap/schema "${schema_dir}" # Symas packages elif [ -d /opt/symas/etc/openldap/schema ]; then - ln -fs /opt/symas/etc/openldap/schema /tmp/ldap/schema + ln -fs /opt/symas/etc/openldap/schema "${schema_dir}" # Redhat elif [ -d /etc/openldap/schema ]; then - ln -fs /etc/openldap/schema /tmp/ldap/schema -# macOS (homebrew) + ln -fs /etc/openldap/schema "${schema_dir}" +# macOS (homebrew x86) elif [ -d /usr/local/etc/openldap/schema ]; then - ln -fs /usr/local/etc/openldap/schema /tmp/ldap/schema + ln -fs /usr/local/etc/openldap/schema "${schema_dir}" +# macOS (homebrew ARM) +elif [ -d /opt/homebrew/opt/openldap/schema ]; then + ln -fs /opt/homebrew/opt/openldap/schema "${schema_dir}" else echo "Can't locate OpenLDAP schema dir" exit 1 
fi -if [ -e /opt/symas/lib/slapd ]; then - SLAPD=/opt/symas/lib/slapd +# Clean out any old certificates +rm -rf "${cert_dir}" +# Create certificate directory +mkdir -p "${cert_dir}" +# Ensure we have some certs generated +make -C raddb/certs + +# Copy certificates - whilst not stricltly LDAP certs they work fine for these tests +cp raddb/certs/rsa/ca.pem "${cert_dir}/cacert.pem" +cp raddb/certs/rsa/server.pem "${cert_dir}/servercert.pem" +openssl rsa -in raddb/certs/rsa/server.key -out "${cert_dir}/serverkey.pem" -passin pass:whatever + +if [ -z "${suffix}" ]; then + ldap_port="3890" + ldaps_port="6360" + ldap_socket="ldapi://%2Ftmp%2Fldap%2Fsocket" else - SLAPD=slapd + ldap_port=$((3890+${suffix})) + ldaps_port=$((6360+${suffix})) + ldap_socket="ldapi://%2Ftmp%2Fldap${suffix}%2Fsocket" fi # Start slapd -$SLAPD -d any -h "ldap://127.0.0.1:3890/ ldapi://%2Ftmp%2Fldap%2Fsocket" -f scripts/ci/ldap/slapd.conf 2>&1 > /tmp/ldap/slapd.log & +slapd -d any -h "ldap://127.0.0.1:${ldap_port}/ ldaps://127.0.0.1:${ldaps_port}/ ${ldap_socket}" -f scripts/ci/ldap/slapd${suffix}.conf 2>&1 > ${base_dir}/slapd.log & # Wait for LDAP to start sleep 1 @@ -46,7 +77,7 @@ sleep 1 # Add test data count=0 while [ $count -lt 10 ] ; do - if ldapadd -v -x -H ldap://127.0.0.1:3890/ -D "cn=admin,cn=config" -w secret -f src/tests/salt-test-server/salt/ldap/base.ldif ; then + if ldapadd -v -x -H "${ldap_socket}" -D "cn=admin,cn=config" -w secret -f src/tests/salt-test-server/salt/ldap/base${suffix}.ldif ; then break 2 else echo "ldap add failed, retrying..." @@ -58,6 +89,6 @@ done # Exit code gets overwritten, so we check for failure using count if [ $count -eq 10 ]; then echo "Error configuring server" - cat /tmp/ldap/slapd.log + cat ${base_dir}/slapd.log exit 1 fi diff --git a/scripts/ci/ldap/slapd2.conf b/scripts/ci/ldap/slapd1.conf similarity index 81% rename from scripts/ci/ldap/slapd2.conf rename to scripts/ci/ldap/slapd1.conf index 9733c2e6f09..701ef82f8e4 100644 
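Review bot: The rewritten launch line `slapd -d any -h "…" -f scripts/ci/ldap/slapd${suffix}.conf 2>&1 > ${base_dir}/slapd.log &` redirects stderr before stdout, so slapd's `-d any` debug output (which goes to stderr) ends up on the CI console and `${base_dir}/slapd.log` stays nearly empty, which makes the `cat` of that log on the failure path later in the script useless; change it to `… -f "scripts/ci/ldap/slapd${suffix}.conf" > "${base_dir}/slapd.log" 2>&1 &`. The new `[ -e "/tmp/slapd${suffix}.pid" ] && kill $(cat /tmp/slapd${suffix}.pid)` only sends SIGTERM and returns at once, so the `rm -rf "${data_dir}"` a few lines below can race the old instance's shutdown while it still has the mdb files open; poll `kill -0` on that pid until it is gone before removing the directory. That pidfile also only exists if the slapd conf sets `pidfile`, which is not visible in the slapd1.conf hunks of this commit, so the cleanup may silently be a no-op — worth confirming.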
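Review bot: The rewritten `ldapadd -v -x -H "${ldap_socket}" -D "cn=admin,cn=config" -w secret …` still passes the config-database password on the command line, where it is visible in `ps` and in any `set -x` or CI trace output, even though the bind now goes over the local `ldapi://` socket. With a Unix socket, `-Y EXTERNAL` (peer-uid SASL) would remove the hard-coded secret entirely if the `authz-regexp` seen in slapd1.conf maps the CI user to an identity allowed to write cn=config — its arguments are not visible here, so that needs checking; failing that, `-y` with a mode-600 password file keeps it out of argv. The `break 2` on the following line is also misleading because there is only one enclosing loop; a plain `break` does the same thing.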
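Review bot: On the failure path `cat ${base_dir}/slapd.log` is unquoted, and the script then exits 1 while the slapd it backgrounded is left running, so a re-run on the same runner relies entirely on the pidfile-based kill at the top of the script working. Quote the path, `cat "${base_dir}/slapd.log"`, and stop the daemon before exiting, e.g. by saving `$!` immediately after the `slapd … &` line (which is in the first hunk) and adding `kill "${slapd_pid}"` ahead of `exit 1`.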
--- a/scripts/ci/ldap/slapd2.conf
+++ b/scripts/ci/ldap/slapd1.conf
@@ -6,10 +6,10 @@
 #
 # NB: RH Linux schemas in /etc/openldap
 #
-include /tmp/ldap2/schema/core.schema
-include /tmp/ldap2/schema/cosine.schema
-include /tmp/ldap2/schema/inetorgperson.schema
-include /tmp/ldap2/schema/nis.schema
+include /tmp/ldap1/schema/core.schema
+include /tmp/ldap1/schema/cosine.schema
+include /tmp/ldap1/schema/inetorgperson.schema
+include /tmp/ldap1/schema/nis.schema
 include doc/schemas/ldap/openldap/freeradius-policy.schema
 include doc/schemas/ldap/openldap/freeradius-radius.schema
 include doc/schemas/ldap/openldap/freeradius-clients.schema
@@ -41,9 +41,9 @@ authz-regexp
 # Note - these will not match the host name so clients need to use
 # the "allow" option when checking certificates
 #
-TLSCACertificateFile /tmp/ldap2/certs/cacert.pem
-TLSCertificateFile /tmp/ldap2/certs/servercert.pem
-TLSCertificateKeyFile /tmp/ldap2/certs/serverkey.pem
+TLSCACertificateFile /tmp/ldap1/certs/cacert.pem
+TLSCertificateFile /tmp/ldap1/certs/servercert.pem
+TLSCertificateKeyFile /tmp/ldap1/certs/serverkey.pem
 #######################################################################
 # mdb database definitions
@@ -63,7 +63,7 @@ rootdn "cn=admin,dc=nodomain"
 rootpw secret
 # The database directory MUST exist prior to running slapd AND
 # change path as necessary
-directory /tmp/ldap2/db/
+directory /tmp/ldap1/db/
 # other database parameters
 # read more in slapd.conf reference section
diff --git a/scripts/ci/ldap1-setup.sh b/scripts/ci/ldap1-setup.sh
new file mode 120000
index 00000000000..31c95a5cc06
--- /dev/null
+++ b/scripts/ci/ldap1-setup.sh
@@ -0,0 +1 @@
+ldap-setup.sh
\ No newline at end of file
diff --git a/scripts/ci/ldap2-setup.sh b/scripts/ci/ldap2-setup.sh
deleted file mode 100755
index 889a7975105..00000000000
--- a/scripts/ci/ldap2-setup.sh
+++ /dev/null
@@ -1,76 +0,0 @@ -#!/bin/sh - -# Allow setup script to work with homebrew too -export PATH="/usr/local/opt/openldap/libexec:$PATH" - -# Clean out any existing DB -rm -rf /tmp/ldap2/db -# Create directory we can write DB files to -mkdir -p /tmp/ldap2/db/ - -# Change db location to /tmp as we can't write to /var -sed -i -e 's/\/var\/lib\/ldap/\/tmp\/ldap2\/db/' src/tests/salt-test-server/salt/ldap/base2.ldif - -# Create a directory we can link schema files into -if [ -d /tmp/ldap2/schema ]; then - echo "Schema dir already linked" -# Debian -elif [ -d /etc/ldap/schema ]; then - ln -fs /etc/ldap/schema /tmp/ldap2/schema -# Symas packages -elif [ -d /opt/symas/etc/openldap/schema ]; then - ln -fs /opt/symas/etc/openldap/schema /tmp/ldap2/schema -# Redhat -elif [ -d /etc/openldap/schema ]; then - ln -fs /etc/openldap/schema /tmp/ldap2/schema -# macOS (homebrew) -elif [ -d /usr/local/etc/openldap/schema ]; then - ln -fs /usr/local/etc/openldap/schema /tmp/ldap2/schema -else - echo "Can't locate OpenLDAP schema dir" - exit 1 -fi - -# Clean out any old certificates -rm -rf /tmp/ldap2/certs -# Create certificate directory -mkdir -p /tmp/ldap2/certs - -make -C raddb/certs - -# Copy certificates - whilst not stricltly LDAP certs they work fine for these tests -cp raddb/certs/rsa/ca.pem /tmp/ldap2/certs/cacert.pem -cp raddb/certs/rsa/server.pem /tmp/ldap2/certs/servercert.pem -# OpenLDAP wants an un-encrypted key -openssl rsa -in raddb/certs/rsa/server.key -out /tmp/ldap2/certs/serverkey.pem -passin pass:whatever - -if [ -e /opt/symas/lib/slapd ]; then - SLAPD=/opt/symas/lib/slapd -else - SLAPD=slapd -fi - -# Start slapd -$SLAPD -d any -h "ldap://127.0.0.1:3891/ ldaps://127.0.0.1:6360 ldapi://%2Ftmp%2Fldap2%2Fsocket" -f scripts/ci/ldap/slapd2.conf 2>&1 > /tmp/ldap2/slapd.log & - -# Wait for LDAP to start -sleep 1 - -# Add test data -count=0 -while [ $count -lt 10 ] ; do - if ldapadd -x -v -H ldap://127.0.0.1:3891/ -D "cn=admin,cn=config" -w secret -f 
src/tests/salt-test-server/salt/ldap/base2.ldif ; then
- break 2
- else
- echo "ldap add failed, retrying..."
- count=$((count+1))
- sleep 1
- fi
-done
-
-# Exit code gets overwritten, so we check for failure using count
-if [ $count -eq 10 ]; then
- echo "Error configuring server"
- cat /tmp/ldap/slapd.log
- exit 1
-fi
diff --git a/src/tests/modules/ldap/access_state.unlang b/src/tests/modules/ldap/access_state.unlang
index 072090ea023..08de6bd0688 100644
--- a/src/tests/modules/ldap/access_state.unlang
+++ b/src/tests/modules/ldap/access_state.unlang
@@ -18,4 +18,6 @@ if (&reply.Reply-Message != 'User-Suspended') { test_fail } +&reply !* ANY + test_pass
diff --git a/src/tests/salt-test-server/salt/ldap/base2.ldif b/src/tests/salt-test-server/salt/ldap/base1.ldif
similarity index 98%
rename from src/tests/salt-test-server/salt/ldap/base2.ldif
rename to src/tests/salt-test-server/salt/ldap/base1.ldif
index 82b9110e038..56d83745aec 100644
--- a/src/tests/salt-test-server/salt/ldap/base2.ldif
+++ b/src/tests/salt-test-server/salt/ldap/base1.ldif
@@ -4,7 +4,7 @@ objectClass: olcDatabaseConfig
 objectClass: olcMdbConfig
 olcDatabase: {1}mdb
 olcSuffix: dc=example,dc=com
-olcDbDirectory: /tmp/ldap2/db
+olcDbDirectory: /tmp/ldap1/db
 olcRootDN: cn=admin,dc=example,dc=com
 olcRootPW: {SSHA}SgCZuAcGQA5HlgKi+g5xwVyI2NhXRFYh
 olcDbIndex: objectClass eq
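Review bot: The added `&reply !* ANY` in access_state.unlang carries no comment saying why the reply list has to be emptied before `test_pass`, and nothing in the hunk shows what the earlier checks left in it, so a later reader will take it for a leftover. Add a one-line comment above it such as `# Drop the Reply-Message checked above so it doesn't leak into the pass/fail result` — presumably that is the intent, but confirm against what `test_pass` does with the reply. The enclosing `if` block and the rest of this test file start outside the hunk.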