ldap: Setup script fixes
Don't duplicate the ENTIRE script just to start a second LDAP instance.  Add paths for homebrew on ARM.  Kill existing slapd instances so we don't get errors about the database already existing.

arr2036 committed Sep 2, 2023
1 parent af14b52 commit 60a582f
Showing 7 changed files with 61 additions and 103 deletions.
2 changes: 1 addition & 1 deletion .github/actions/ci-tests/action.yml
Expand Up @@ -191,7 +191,7 @@ runs:
mysql-setup.sh \
openresty-setup.sh \
ldap-setup.sh \
ldap2-setup.sh \
ldap1-setup.sh \
389ds-setup.sh \
redis-setup.sh; do
65 changes: 48 additions & 17 deletions scripts/ci/ldap-setup.sh
@@ -1,52 +1,83 @@
#!/bin/sh
#!/usr/bin/env bash

# Allow setup script to work with homebrew too
export PATH="/usr/local/opt/openldap/libexec:$PATH"
export PATH="/usr/local/opt/openldap/libexec:/opt/homebrew/opt/openldap/libexec:/opt/symas/lib:$PATH"

suffix=$(echo "${0##*/}" | sed -E 's/^ldap(.*)-setup.sh$/\1/')

# Kill any old processes
[ -e "/tmp/slapd${suffix}.pid" ] && kill $(cat /tmp/slapd${suffix}.pid)

base_dir="/tmp/ldap${suffix}"
cert_dir="${base_dir}/certs"
data_dir="${base_dir}/db"
schema_dir="${base_dir}/schema"

echo "base_dir \"${data_dir}\""

# Clean out any existing DB
rm -rf /tmp/ldap/db
rm -rf "${data_dir}"
# Create directory we can write DB files to
mkdir -p /tmp/ldap/db/
mkdir -p "${data_dir}"

# Change db location to /tmp as we can't write to /var
sed -i -e 's/\/var\/lib\/ldap/\/tmp\/ldap\/db/' src/tests/salt-test-server/salt/ldap/base.ldif
sed -i -e "s/\/var\/lib\/ldap/\/tmp\/ldap${suffix}\/db/" src/tests/salt-test-server/salt/ldap/base${suffix}.ldif

# Create a directory we can link schema files into
if [ -d /tmp/ldap/schema ]; then
if [ -d "${schema_dir}" ]; then
echo "Schema dir already linked"
# Debian
elif [ -d /etc/ldap/schema ]; then
ln -fs /etc/ldap/schema /tmp/ldap/schema
ln -fs /etc/ldap/schema "${schema_dir}"
# Symas packages
elif [ -d /opt/symas/etc/openldap/schema ]; then
ln -fs /opt/symas/etc/openldap/schema /tmp/ldap/schema
ln -fs /opt/symas/etc/openldap/schema "${schema_dir}"
# Redhat
elif [ -d /etc/openldap/schema ]; then
ln -fs /etc/openldap/schema /tmp/ldap/schema
# macOS (homebrew)
ln -fs /etc/openldap/schema "${schema_dir}"
# macOS (homebrew x86)
elif [ -d /usr/local/etc/openldap/schema ]; then
ln -fs /usr/local/etc/openldap/schema /tmp/ldap/schema
ln -fs /usr/local/etc/openldap/schema "${schema_dir}"
# macOS (homebrew ARM)
elif [ -d /opt/homebrew/opt/openldap/schema ]; then
ln -fs /opt/homebrew/opt/openldap/schema "${schema_dir}"
else
echo "Can't locate OpenLDAP schema dir"
exit 1
fi

if [ -e /opt/symas/lib/slapd ]; then
SLAPD=/opt/symas/lib/slapd
# Clean out any old certificates
rm -rf "${cert_dir}"
# Create certificate directory
mkdir -p "${cert_dir}"
# Ensure we have some certs generated
make -C raddb/certs

# Copy certificates - whilst not stricltly LDAP certs they work fine for these tests
cp raddb/certs/rsa/ca.pem "${cert_dir}/cacert.pem"
cp raddb/certs/rsa/server.pem "${cert_dir}/servercert.pem"
openssl rsa -in raddb/certs/rsa/server.key -out "${cert_dir}/serverkey.pem" -passin pass:whatever

if [ -z "${suffix}" ]; then
ldap_port="3890"
ldaps_port="6360"
ldap_socket="ldapi://%2Ftmp%2Fldap%2Fsocket"
else
SLAPD=slapd
ldap_port=$((3890+${suffix}))
ldaps_port=$((6360+${suffix}))
ldap_socket="ldapi://%2Ftmp%2Fldap${suffix}%2Fsocket"
fi

# Start slapd
$SLAPD -d any -h "ldap://127.0.0.1:3890/ ldapi://%2Ftmp%2Fldap%2Fsocket" -f scripts/ci/ldap/slapd.conf 2>&1 > /tmp/ldap/slapd.log &
slapd -d any -h "ldap://127.0.0.1:${ldap_port}/ ldaps://127.0.0.1:${ldaps_port}/ ${ldap_socket}" -f scripts/ci/ldap/slapd${suffix}.conf 2>&1 > ${base_dir}/slapd.log &

# Wait for LDAP to start
sleep 1

# Add test data
count=0
while [ $count -lt 10 ] ; do
if ldapadd -v -x -H ldap://127.0.0.1:3890/ -D "cn=admin,cn=config" -w secret -f src/tests/salt-test-server/salt/ldap/base.ldif ; then
if ldapadd -v -x -H "${ldap_socket}" -D "cn=admin,cn=config" -w secret -f src/tests/salt-test-server/salt/ldap/base${suffix}.ldif ; then
break 2
else
echo "ldap add failed, retrying..."
Expand All @@ -58,6 +89,6 @@ done
# Exit code gets overwritten, so we check for failure using count
if [ $count -eq 10 ]; then
echo "Error configuring server"
cat /tmp/ldap/slapd.log
cat ${base_dir}/slapd.log
exit 1
fi
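Review bot: The `kill $(cat /tmp/slapd${suffix}.pid)` line only sends the signal and the script immediately goes on to `rm -rf "${data_dir}"` and starts a fresh slapd, so an old instance that has not yet exited can still hold the mdb files and the listeners — the "database already exists" symptom this commit sets out to remove; the pid should be read once, quoted, and polled with `kill -0` until the process is gone. Because the pid file sits under world-writable /tmp, the value read from it should also be checked to be numeric before it is handed to kill. Separately, on the new slapd start line `2>&1 > ${base_dir}/slapd.log` points stderr at the original stdout before stdout is redirected, so the `-d any` debug output (slapd writes it to stderr) never reaches the file that `cat ${base_dir}/slapd.log` prints on failure; the intended order is `> "${base_dir}/slapd.log" 2>&1`, with `${base_dir}` quoted. The `while` loop of the second hunk begins before that hunk starts.
```shell
pid_file="/tmp/slapd${suffix}.pid"
if [ -e "${pid_file}" ]; then
  old_pid=$(cat "${pid_file}")
  case "${old_pid}" in
    ''|*[!0-9]*) echo "Ignoring unexpected contents of ${pid_file}" ;;
    *)
      kill "${old_pid}" 2>/dev/null
      # Wait for the old instance to release the db directory and listeners
      for _ in 1 2 3 4 5 6 7 8 9 10; do
        kill -0 "${old_pid}" 2>/dev/null || break
        sleep 1
      done
      ;;
  esac
fi
# … unchanged: base_dir / cert_dir / data_dir / schema_dir setup …
```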
16 changes: 8 additions & 8 deletions scripts/ci/ldap/slapd2.conf → scripts/ci/ldap/slapd1.conf
Expand Up @@ -6,10 +6,10 @@
#
# NB: RH Linux schemas in /etc/openldap
#
include /tmp/ldap2/schema/core.schema
include /tmp/ldap2/schema/cosine.schema
include /tmp/ldap2/schema/inetorgperson.schema
include /tmp/ldap2/schema/nis.schema
include /tmp/ldap1/schema/core.schema
include /tmp/ldap1/schema/cosine.schema
include /tmp/ldap1/schema/inetorgperson.schema
include /tmp/ldap1/schema/nis.schema
include doc/schemas/ldap/openldap/freeradius-policy.schema
include doc/schemas/ldap/openldap/freeradius-radius.schema
include doc/schemas/ldap/openldap/freeradius-clients.schema
Expand Down Expand Up @@ -41,9 +41,9 @@ authz-regexp
# Note - these will not match the host name so clients need to use
# the "allow" option when checking certificates
#
TLSCACertificateFile /tmp/ldap2/certs/cacert.pem
TLSCertificateFile /tmp/ldap2/certs/servercert.pem
TLSCertificateKeyFile /tmp/ldap2/certs/serverkey.pem
TLSCACertificateFile /tmp/ldap1/certs/cacert.pem
TLSCertificateFile /tmp/ldap1/certs/servercert.pem
TLSCertificateKeyFile /tmp/ldap1/certs/serverkey.pem

#######################################################################
# mdb database definitions
Expand All @@ -63,7 +63,7 @@ rootdn "cn=admin,dc=nodomain"
rootpw secret
# The database directory MUST exist prior to running slapd AND
# change path as necessary
directory /tmp/ldap2/db/
directory /tmp/ldap1/db/

# other database parameters
# read more in slapd.conf reference section
1 change: 1 addition & 0 deletions scripts/ci/ldap1-setup.sh
76 changes: 0 additions & 76 deletions scripts/ci/ldap2-setup.sh

This file was deleted.

2 changes: 2 additions & 0 deletions src/tests/modules/ldap/access_state.unlang
Expand Up @@ -18,4 +18,6 @@ if (&reply.Reply-Message != 'User-Suspended') {
test_fail
}

&reply !* ANY

test_pass
Expand Up @@ -4,7 +4,7 @@ objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: dc=example,dc=com
olcDbDirectory: /tmp/ldap2/db
olcDbDirectory: /tmp/ldap1/db
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: {SSHA}SgCZuAcGQA5HlgKi+g5xwVyI2NhXRFYh
olcDbIndex: objectClass eq
