From: Nick Porter Date: Wed, 13 Apr 2022 09:25:40 +0000 (+0100) Subject: Add config for testing RFC4533 LDAP server X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e8e83334ed12213fefe8afb412cca336c9e851ca;p=thirdparty%2Ffreeradius-server.git Add config for testing RFC4533 LDAP server --- diff --git a/src/tests/ldap_sync/rfc4533/config/radiusd.conf b/src/tests/ldap_sync/rfc4533/config/radiusd.conf new file mode 100644 index 00000000000..eace6b87a7d --- /dev/null +++ b/src/tests/ldap_sync/rfc4533/config/radiusd.conf @@ -0,0 +1,208 @@ +# -*- text -*- +# +# test configuration file. Do not install/ +# +# $id: $ +# + +# +# Minimal radiusd.conf for testing +# + +testdir = $ENV{TESTDIR} +output = $ENV{OUTPUT} +run_dir = ${output} +raddb = raddb +pidfile = ${run_dir}/radiusd.pid +panic_action = "gdb -batch -x src/tests/panic.gdb %e %p > ${run_dir}/gdb.log 2>&1; cat ${run_dir}/gdb.log" + +maindir = ${raddb} +radacctdir = ${run_dir}/radacct +modconfdir = ${maindir}/mods-config +certdir = ${maindir}/certs +cadir = ${maindir}/certs +test_port = $ENV{TEST_PORT} + +# Only for testing! +# Setting this on a production system is a BAD IDEA. +security { + allow_vulnerable_openssl = yes +} + +# Only during migration +migrate { + tmpl_tokenize_all_nested = yes +} + +global { + ldap { + ldap_debug = 0x0801 + } +} + +policy { + linelogprep { + &control.Tmp-String-0 := "%{Packet-Type} %{LDAP-Sync.DN} %{LDAP-Sync.Entry-DN} %{Proto.radius.User-Name}" + } + + grouplog { + foreach &Tmp-String-1 { + &control.Tmp-String-0 := "Group member %{Foreach-Variable-0}" + linelog + } + } + + $INCLUDE ${maindir}/policy.d/ +} + +client localhost { + ipaddr = 127.0.0.1 + secret = testing123 +} + +modules { + + # + # Minimal LDAP module config to allow queries + # to fake initial cookie + # + ldap { + server = $ENV{RFC4533_TEST_SERVER} + identity = 'cn=admin,dc=example,dc=com' + password = 'secret' + base_dn = 'dc=example,dc=com' + user { + base_dn = "ou=people,${..base_dn}" + } + } + + linelog { + format = "%{control.Tmp-String-0}" + destination = file + + file { + filename = ${run_dir}/linelog.out + } + } + + linelog cookielog { + format = "Cookie = %{control.Tmp-String-0}" + destination = file + + file { + filename = ${run_dir}/cookielog.out + } + } + + always reject { + rcode = reject + } + always fail { + rcode = fail + } + always ok { + rcode = ok + } + always handled { + rcode = handled + } + always invalid { + rcode = invalid + } + always disallow { + rcode = disallow + } + always notfound { + rcode = notfound + } + always noop { + rcode = noop + } + always updated { + rcode = updated + } +} + +# +# This virtual server connects to an LDAP server and listens +# for packets received as the result of directory changes. +# +server test { + namespace = ldap_sync + + listen { + transport = ldap + + ldap { + server = $ENV{RFC4533_TEST_SERVER} + identity = 'cn=admin,dc=example,dc=com' + password = 'secret' + + options { + res_timeout = 120 + srv_timelimit = 60 + idle = 60 + probes = 3 + interval = 3 + reconnection_delay = 10 + } + } + + sync { + base_dn = "ou=people,dc=example,dc=com" + filter = "(objectClass=posixAccount)" + + update { + &Proto.radius.User-Name = 'uid' + &Password.With-Header = 'userPassword' + } + } + + sync { + base_dn = "ou=groups,dc=example,dc=com" + filter = "(objectClass=groupOfNames)" + scope = "sub" + + update { + &Tmp-String-1 += "member" + } + } + } + + load Cookie { + &control.Tmp-String-0 := "%{ldap:ldap:///%{LDAP-Sync.Directory-Root-DN}?contextCSN?base}" + + if (&control.Tmp-String-0 != "") { + &reply.LDAP-Sync.Cookie := "rid=000,csn=%{control.Tmp-String-0}" + updated + } + } + + store Cookie { + &control.Tmp-String-0 := &LDAP-Sync.Cookie + cookielog + } + + recv Add { + linelogprep + linelog + grouplog + } + + recv Modify { + linelogprep + linelog + grouplog + } + + recv Delete { + linelogprep + linelog + grouplog + } + + recv Present { + linelogprep + linelog + } +}