authorPaweł Tomulik <ptomulik@meil.pw.edu.pl>2020-07-03 12:49:25 +0200
committerNikita Popov <nikita.ppv@gmail.com>2020-07-10 09:56:02 +0200
commitb291c926937fdcf3635a8aa3b83571f591c8c022 (patch)
tree7dc13fce2a34110251d534cf8ef1f9b018a7cedc
parentc6ab3084df3abb5f1af1d2efc09799b9b00ce052 (diff)
downloadphp-git-b291c926937fdcf3635a8aa3b83571f591c8c022.tar.gz
enable ext/ldap/tests on azure
-rw-r--r--azure/apt.yml4
-rwxr-xr-xazure/setup-slapd.sh169
-rw-r--r--azure/setup.yml4
-rw-r--r--ext/ldap/tests/CONFLICTS1
4 files changed, 177 insertions, 1 deletions
diff --git a/azure/apt.yml b/azure/apt.yml
index 2beb625f62..8e51d80629 100644
--- a/azure/apt.yml
+++ b/azure/apt.yml
@@ -7,6 +7,9 @@ steps:
sudo apt install bison \
re2c \
locales \
+ ldap-utils \
+ openssl \
+ slapd \
language-pack-de \
re2c \
libgmp-dev \
@@ -29,7 +32,6 @@ steps:
libpq-dev \
libreadline-dev \
libldap2-dev \
- libsasl2-dev \
libsodium-dev \
libargon2-0-dev \
postgresql \
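Review bot: `libsasl2-dev` is removed in the second hunk (the `- libsasl2-dev \` line) at the same time `slapd` and `ldap-utils` are added, and the new azure/setup-slapd.sh relies on SASL on the server side (`-Y EXTERNAL` binds, an `olcAuthzRegexp` for `cn=digest-md5,cn=auth`). The slapd package brings its own SASL runtime, so the server is unaffected, but the `-dev` header is what a PHP build needs for `--with-ldap-sasl`; if configure is run with that option the build would fail or the `ldap_sasl_bind` tests would be skipped, which I cannot confirm from this diff. If the removal is intentional, a comment next to `libldap2-dev \` such as `# libsasl2-dev is not needed: ext/ldap is built without SASL support` would save the next reader the question.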
diff --git a/azure/setup-slapd.sh b/azure/setup-slapd.sh
new file mode 100755
index 0000000000..72a509f7e0
--- /dev/null
+++ b/azure/setup-slapd.sh
@@ -0,0 +1,169 @@
+#!/bin/sh
+set -ev
+
+# Create TLS certificate
+sudo mkdir -p /etc/ldap/ssl
+
+alt_names() {
+ (
+ (
+ (hostname && hostname -a && hostname -A && hostname -f) |
+ xargs -n 1 |
+ sort -u |
+ sed -e 's/\(\S\+\)/DNS:\1/g'
+ ) && (
+ (hostname -i && hostname -I && echo "127.0.0.1 ::1") |
+ xargs -n 1 |
+ sort -u |
+ sed -e 's/\(\S\+\)/IP:\1/g'
+ )
+ ) | paste -d, -s
+}
+
+sudo openssl req -newkey rsa:4096 -x509 -nodes -days 3650 \
+ -out /etc/ldap/ssl/server.crt -keyout /etc/ldap/ssl/server.key \
+ -subj "/C=US/ST=Arizona/L=Localhost/O=localhost/CN=localhost" \
+ -addext "subjectAltName = `alt_names`"
+
+sudo chown -R openldap:openldap /etc/ldap/ssl
+
+# Display the TLS certificate (should be world readable)
+openssl x509 -noout -text -in /etc/ldap/ssl/server.crt
+
+# Point to the certificate generated
+if ! grep -q 'TLS_CACERT \/etc\/ldap\/ssl\/server.crt' /etc/ldap/ldap.conf; then
+ sudo sed -e 's|^\s*TLS_CACERT|# TLS_CACERT|' -i /etc/ldap/ldap.conf
+ echo 'TLS_CACERT /etc/ldap/ssl/server.crt' | sudo tee -a /etc/ldap/ldap.conf
+fi
+
+# Configure LDAP protocols to serve.
+sudo sed -e 's|^\s*SLAPD_SERVICES\s*=.*$|SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"|' -i /etc/default/slapd
+
+# Configure LDAP database.
+DBDN=`sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(&(olcRootDN=*)(olcSuffix=*))' dn | grep -i '^dn:' | sed -e 's/^dn:\s*//'`;
+
+sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
+
+sudo service slapd restart
+
+sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// << EOF
+dn: $DBDN
+changetype: modify
+replace: olcSuffix
+olcSuffix: dc=my-domain,dc=com
+-
+replace: olcRootDN
+olcRootDN: cn=Manager,dc=my-domain,dc=com
+-
+replace: olcRootPW
+olcRootPW: secret
+
+dn: cn=config
+changetype: modify
+add: olcTLSCACertificateFile
+olcTLSCACertificateFile: /etc/ldap/ssl/server.crt
+-
+add: olcTLSCertificateFile
+olcTLSCertificateFile: /etc/ldap/ssl/server.crt
+-
+add: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: /etc/ldap/ssl/server.key
+-
+add: olcTLSVerifyClient
+olcTLSVerifyClient: never
+-
+add: olcAuthzRegexp
+olcAuthzRegexp: uid=usera,cn=digest-md5,cn=auth cn=usera,dc=my-domain,dc=com
+-
+replace: olcLogLevel
+olcLogLevel: -1
+
+dn: cn=module{0},cn=config
+changetype: modify
+add: olcModuleLoad
+olcModuleLoad: sssvlv
+-
+add: olcModuleLoad
+olcModuleLoad: ppolicy
+-
+add: olcModuleLoad
+olcModuleLoad: dds
+EOF
+
+sudo service slapd restart
+
+sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// << EOF
+dn: olcOverlay=sssvlv,$DBDN
+objectClass: olcOverlayConfig
+objectClass: olcSssVlvConfig
+olcOverlay: sssvlv
+olcSssVlvMax: 10
+olcSssVlvMaxKeys: 5
+
+dn: olcOverlay=ppolicy,$DBDN
+objectClass: olcOverlayConfig
+objectClass: olcPPolicyConfig
+olcOverlay: ppolicy
+### This would clutter our DIT and make tests to fail, while ppolicy does not
+### seem to work as we expect (it does not seem to provide expected controls)
+## olcPPolicyDefault: cn=default,ou=pwpolicies,dc=my-domain,dc=com
+## olcPPolicyHashCleartext: FALSE
+## olcPPolicyUseLockout: TRUE
+
+dn: olcOverlay=dds,$DBDN
+objectClass: olcOverlayConfig
+objectClass: olcDdsConfig
+olcOverlay: dds
+EOF
+
+sudo service slapd restart
+
+sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// << EOF
+dn: $DBDN
+changetype: modify
+add: olcDbIndex
+olcDbIndex: entryExpireTimestamp eq
+EOF
+
+sudo service slapd restart
+
+ldapadd -H ldapi:/// -D cn=Manager,dc=my-domain,dc=com -w secret <<EOF
+dn: dc=my-domain,dc=com
+objectClass: top
+objectClass: organization
+objectClass: dcObject
+dc: my-domain
+o: php ldap tests
+
+### This would clutter our DIT and make tests to fail, while ppolicy does not
+### seem to work as we expect (it does not seem to provide expected controls)
+## dn: ou=pwpolicies,dc=my-domain,dc=com
+## objectClass: top
+## objectClass: organizationalUnit
+## ou: pwpolicies
+##
+## dn: cn=default,ou=pwpolicies,dc=my-domain,dc=com
+## objectClass: top
+## objectClass: person
+## objectClass: pwdPolicy
+## cn: default
+## sn: default
+## pwdAttribute: userPassword
+## pwdMaxAge: 2592000
+## pwdExpireWarning: 3600
+## #pwdInHistory: 0
+## pwdCheckQuality: 0
+## pwdMaxFailure: 5
+## pwdLockout: TRUE
+## #pwdLockoutDuration: 0
+## #pwdGraceAuthNLimit: 0
+## #pwdFailureCountInterval: 0
+## pwdMustChange: FALSE
+## pwdMinLength: 3
+## pwdAllowUserChange: TRUE
+## pwdSafeModify: FALSE
+EOF
+
+# Verify TLS connection
+
+ldapsearch -d 255 -H ldaps://localhost -D cn=Manager,dc=my-domain,dc=com -w secret -s base -b dc=my-domain,dc=com 'objectclass=*'
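Review bot: `DBDN` is never checked before being interpolated into the LDIF here-docs (`dn: $DBDN`, `dn: olcOverlay=sssvlv,$DBDN`, ...), and because the script is `#!/bin/sh` with `set -e` only (no `pipefail`), the status of the `DBDN=` assignment is that of the trailing `sed`, so a failed `ldapsearch` or a filter that matches nothing leaves `DBDN` empty and the script runs on until `ldapmodify` rejects an empty `dn:` with an unrelated-looking error. A guard right after the assignment makes the failure explicit: `[ -n "$DBDN" ] || { echo 'setup-slapd: no olcDatabase entry with olcRootDN and olcSuffix found under cn=config' >&2; exit 1; }`. On a stock install the filter should select exactly one entry; a multi-line result would also be worth rejecting but is less likely. `alt_names` has a related silent-failure mode: a non-zero exit from `hostname -a`/`-A`/`-f` (for example when the host name does not resolve) stops the `&&` chain and drops the remaining DNS entries from the subjectAltName without aborting, since the enclosing pipeline masks the status; presumably the final `ldaps://localhost` check still passes via the `CN=localhost` subject, but that is worth confirming rather than relying on.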
diff --git a/azure/setup.yml b/azure/setup.yml
index dbf7921c47..523bb3b401 100644
--- a/azure/setup.yml
+++ b/azure/setup.yml
@@ -3,7 +3,11 @@ steps:
set -e
sudo service mysql start
sudo service postgresql start
+ sudo service slapd start
mysql -uroot -proot -e "CREATE DATABASE IF NOT EXISTS test"
sudo -u postgres psql -c "ALTER USER postgres PASSWORD 'postgres';"
sudo -u postgres psql -c "CREATE DATABASE test;"
displayName: 'Setup'
+ - script: ./azure/setup-slapd.sh
+ displayName: 'Configure slapd'
+
diff --git a/ext/ldap/tests/CONFLICTS b/ext/ldap/tests/CONFLICTS
new file mode 100644
index 0000000000..c1142c3c5c
--- /dev/null
+++ b/ext/ldap/tests/CONFLICTS
@@ -0,0 +1 @@
+ldap