author | Paweł Tomulik <ptomulik@meil.pw.edu.pl> | 2020-07-03 12:49:25 +0200 |
---|---|---|
committer | Nikita Popov <nikita.ppv@gmail.com> | 2020-07-10 09:56:02 +0200 |
commit | b291c926937fdcf3635a8aa3b83571f591c8c022 (patch) | |
tree | 7dc13fce2a34110251d534cf8ef1f9b018a7cedc /azure | |
parent | c6ab3084df3abb5f1af1d2efc09799b9b00ce052 (diff) | |
download | php-git-b291c926937fdcf3635a8aa3b83571f591c8c022.tar.gz |
enable ext/ldap/tests on azure
Diffstat (limited to 'azure')
-rw-r--r-- | azure/apt.yml | 4 | ||||
-rwxr-xr-x | azure/setup-slapd.sh | 169 | ||||
-rw-r--r-- | azure/setup.yml | 4 |
3 files changed, 176 insertions, 1 deletions
diff --git a/azure/apt.yml b/azure/apt.yml
index 2beb625f62..8e51d80629 100644
--- a/azure/apt.yml
+++ b/azure/apt.yml
@@ -7,6 +7,9 @@ steps:
 sudo apt install bison \
 re2c \
 locales \
+ ldap-utils \
+ openssl \
+ slapd \
 language-pack-de \
 re2c \
 libgmp-dev \
@@ -29,7 +32,6 @@ steps:
 libpq-dev \
 libreadline-dev \
 libldap2-dev \
- libsasl2-dev \
 libsodium-dev \
 libargon2-0-dev \
 postgresql \
diff --git a/azure/setup-slapd.sh b/azure/setup-slapd.sh
new file mode 100755
index 0000000000..72a509f7e0
--- /dev/null
+++ b/azure/setup-slapd.sh
@@ -0,0 +1,169 @@
+#!/bin/sh
+set -ev
+
+# Create TLS certificate
+sudo mkdir -p /etc/ldap/ssl
+
+alt_names() {
+ (
+ (
+ (hostname && hostname -a && hostname -A && hostname -f) |
+ xargs -n 1 |
+ sort -u |
+ sed -e 's/\(\S\+\)/DNS:\1/g'
+ ) && (
+ (hostname -i && hostname -I && echo "127.0.0.1 ::1") |
+ xargs -n 1 |
+ sort -u |
+ sed -e 's/\(\S\+\)/IP:\1/g'
+ )
+ ) | paste -d, -s
+}
+
+sudo openssl req -newkey rsa:4096 -x509 -nodes -days 3650 \
+ -out /etc/ldap/ssl/server.crt -keyout /etc/ldap/ssl/server.key \
+ -subj "/C=US/ST=Arizona/L=Localhost/O=localhost/CN=localhost" \
+ -addext "subjectAltName = `alt_names`"
+
+sudo chown -R openldap:openldap /etc/ldap/ssl
+
+# Display the TLS certificate (should be world readable)
+openssl x509 -noout -text -in /etc/ldap/ssl/server.crt
+
+# Point to the certificate generated
+if ! grep -q 'TLS_CACERT \/etc\/ldap\/ssl\/server.crt' /etc/ldap/ldap.conf; then
+ sudo sed -e 's|^\s*TLS_CACERT|# TLS_CACERT|' -i /etc/ldap/ldap.conf
+ echo 'TLS_CACERT /etc/ldap/ssl/server.crt' | sudo tee -a /etc/ldap/ldap.conf
+fi
+
+# Configure LDAP protocols to serve.
+sudo sed -e 's|^\s*SLAPD_SERVICES\s*=.*$|SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"|' -i /etc/default/slapd
+
+# Configure LDAP database.
+DBDN=`sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(&(olcRootDN=*)(olcSuffix=*))' dn | grep -i '^dn:' | sed -e 's/^dn:\s*//'`;
+
+sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
+
+sudo service slapd restart
+
+sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// << EOF
+dn: $DBDN
+changetype: modify
+replace: olcSuffix
+olcSuffix: dc=my-domain,dc=com
+-
+replace: olcRootDN
+olcRootDN: cn=Manager,dc=my-domain,dc=com
+-
+replace: olcRootPW
+olcRootPW: secret
+
+dn: cn=config
+changetype: modify
+add: olcTLSCACertificateFile
+olcTLSCACertificateFile: /etc/ldap/ssl/server.crt
+-
+add: olcTLSCertificateFile
+olcTLSCertificateFile: /etc/ldap/ssl/server.crt
+-
+add: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: /etc/ldap/ssl/server.key
+-
+add: olcTLSVerifyClient
+olcTLSVerifyClient: never
+-
+add: olcAuthzRegexp
+olcAuthzRegexp: uid=usera,cn=digest-md5,cn=auth cn=usera,dc=my-domain,dc=com
+-
+replace: olcLogLevel
+olcLogLevel: -1
+
+dn: cn=module{0},cn=config
+changetype: modify
+add: olcModuleLoad
+olcModuleLoad: sssvlv
+-
+add: olcModuleLoad
+olcModuleLoad: ppolicy
+-
+add: olcModuleLoad
+olcModuleLoad: dds
+EOF
+
+sudo service slapd restart
+
+sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// << EOF
+dn: olcOverlay=sssvlv,$DBDN
+objectClass: olcOverlayConfig
+objectClass: olcSssVlvConfig
+olcOverlay: sssvlv
+olcSssVlvMax: 10
+olcSssVlvMaxKeys: 5
+
+dn: olcOverlay=ppolicy,$DBDN
+objectClass: olcOverlayConfig
+objectClass: olcPPolicyConfig
+olcOverlay: ppolicy
+### This would clutter our DIT and make tests to fail, while ppolicy does not
+### seem to work as we expect (it does not seem to provide expected controls)
+## olcPPolicyDefault: cn=default,ou=pwpolicies,dc=my-domain,dc=com
+## olcPPolicyHashCleartext: FALSE
+## olcPPolicyUseLockout: TRUE
+
+dn: olcOverlay=dds,$DBDN
+objectClass: olcOverlayConfig
+objectClass: olcDdsConfig
+olcOverlay: dds
+EOF
+
+sudo service slapd restart
+
+sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// << EOF
+dn: $DBDN
+changetype: modify
+add: olcDbIndex
+olcDbIndex: entryExpireTimestamp eq
+EOF
+
+sudo service slapd restart
+
+ldapadd -H ldapi:/// -D cn=Manager,dc=my-domain,dc=com -w secret <<EOF
+dn: dc=my-domain,dc=com
+objectClass: top
+objectClass: organization
+objectClass: dcObject
+dc: my-domain
+o: php ldap tests
+
+### This would clutter our DIT and make tests to fail, while ppolicy does not
+### seem to work as we expect (it does not seem to provide expected controls)
+## dn: ou=pwpolicies,dc=my-domain,dc=com
+## objectClass: top
+## objectClass: organizationalUnit
+## ou: pwpolicies
+##
+## dn: cn=default,ou=pwpolicies,dc=my-domain,dc=com
+## objectClass: top
+## objectClass: person
+## objectClass: pwdPolicy
+## cn: default
+## sn: default
+## pwdAttribute: userPassword
+## pwdMaxAge: 2592000
+## pwdExpireWarning: 3600
+## #pwdInHistory: 0
+## pwdCheckQuality: 0
+## pwdMaxFailure: 5
+## pwdLockout: TRUE
+## #pwdLockoutDuration: 0
+## #pwdGraceAuthNLimit: 0
+## #pwdFailureCountInterval: 0
+## pwdMustChange: FALSE
+## pwdMinLength: 3
+## pwdAllowUserChange: TRUE
+## pwdSafeModify: FALSE
+EOF
+
+# Verify TLS connection
+
+ldapsearch -d 255 -H ldaps://localhost -D cn=Manager,dc=my-domain,dc=com -w secret -s base -b dc=my-domain,dc=com 'objectclass=*'
diff --git a/azure/setup.yml b/azure/setup.yml
index dbf7921c47..523bb3b401 100644
--- a/azure/setup.yml
+++ b/azure/setup.yml
@@ -3,7 +3,11 @@ steps:
 set -e
 sudo service mysql start
 sudo service postgresql start
+ sudo service slapd start
 mysql -uroot -proot -e "CREATE DATABASE IF NOT EXISTS test"
 sudo -u postgres psql -c "ALTER USER postgres PASSWORD 'postgres';"
 sudo -u postgres psql -c "CREATE DATABASE test;"
 displayName: 'Setup'
+ - script: ./azure/setup-slapd.sh
+ displayName: 'Configure slapd'
+
|
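Review bot: The `DBDN=` assignment under "# Configure LDAP database." cannot fail under `set -e`: its value comes from an `ldapsearch | grep | sed` pipeline whose status is sed's, so a missing or non-matching config database leaves `DBDN` empty and the first `sudo ldapmodify` heredoc is sent with a bare `dn: ` line, presumably failing with a far less obvious error (and `/bin/sh` offers no pipefail to lean on). Add a guard directly after the assignment, e.g. `[ -n "$DBDN" ] || { echo 'setup-slapd: no olcSuffix/olcRootDN database under cn=config' >&2; exit 1; }`. The same reasoning likely applies to `alt_names`: if `hostname -a` or `hostname -A` fails on the build agent, the `&&` chains short-circuit and the subjectAltName handed to `-addext` may be empty or malformed, so capturing it into a variable and checking it is non-empty before `openssl req` would surface that earlier (inferred, not verified here). As a style point, the two backtick substitutions (the `DBDN` one and the one inside `-addext`) read better as `$(...)`, which `/bin/sh` supports.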