Add nsswitch and PAM tests

6 files changed, 577 insertions, 0 deletions

diff --git a/tests/test36-schema-nsswitch/before.sh b/tests/test36-schema-nsswitch/before.sh
new file mode 100755
index 0000000..3c8e7d6
--- /dev/null
+++ b/tests/test36-schema-nsswitch/before.sh
@@ -0,0 +1,141 @@
+#!/bin/sh
+testuser1="testuser1:**:1234:2345:Test User 1:/home/testuser1:/bin/sh"
+testuser2="testuser2:***:12345:23456:Test User 2:/home/testuser2:/bin/sh"
+testuser3="testuser3, for real:***:123456:234567:Test User 3:/home/testuser2:/bin/sh"
+testgroup1="testgroup1:****:3456:testuser1,testuser2"
+testgroup2="testgroup2:*****:34567:testuser1,testuser2"
+testgroup3="testgroup3, for real:*****:345678:testuser1,testuser2"
+
+searches() {
+	search -b cn=compat,cn=accounts,dc=example,dc=com \
+		"(&(objectclass=posixaccount)(uid=testuser1))" \
+		dn uid userpassword uidnumber gidnumber gecos loginshell homedirectory |\
+	$LDIFSORT
+	search -b cn=compat,cn=accounts,dc=example,dc=com \
+		"(&(objectclass=posixaccount)(uidnumber=1234))" \
+		dn uid userpassword uidnumber gidnumber gecos loginshell homedirectory |\
+	$LDIFSORT
+	search -b cn=compat,cn=accounts,dc=example,dc=com \
+		"(&(objectclass=posixaccount)(uid=testuser2))" \
+		dn uid userpassword uidnumber gidnumber gecos loginshell homedirectory |\
+	$LDIFSORT
+	search -b cn=compat,cn=accounts,dc=example,dc=com \
+		"(&(objectclass=posixaccount)(uidnumber=12345))" \
+		dn uid userpassword uidnumber gidnumber gecos loginshell homedirectory |\
+	$LDIFSORT
+	search -b cn=compat,cn=accounts,dc=example,dc=com \
+		"(&(objectclass=posixaccount)(uid=testuser3, for real))" \
+		dn uid userpassword uidnumber gidnumber gecos loginshell homedirectory |\
+	$LDIFSORT
+	search -b cn=compat,cn=accounts,dc=example,dc=com \
+		"(&(objectclass=posixaccount)(uidnumber=123456))" \
+		dn uid userpassword uidnumber gidnumber gecos loginshell homedirectory |\
+	$LDIFSORT
+	search -b cn=compat,cn=accounts,dc=example,dc=com \
+		"(&(objectclass=posixgroup)(cn=testgroup1))" \
+		dn cn userpassword gidnumber memberuid |\
+	$LDIFSORT
+	search -b cn=compat,cn=accounts,dc=example,dc=com \
+		"(&(objectclass=posixgroup)(gidnumber=3456))" \
+		dn cn userpassword gidnumber memberuid |\
+	$LDIFSORT
+	search -b cn=compat,cn=accounts,dc=example,dc=com \
+		"(&(objectclass=posixgroup)(cn=testgroup2))" \
+		dn cn userpassword gidnumber memberuid |\
+	$LDIFSORT
+	search -b cn=compat,cn=accounts,dc=example,dc=com \
+		"(&(objectclass=posixgroup)(gidnumber=34567))" \
+		dn cn userpassword gidnumber memberuid |\
+	$LDIFSORT
+	search -b cn=compat,cn=accounts,dc=example,dc=com \
+		"(&(objectclass=posixgroup)(cn=testgroup3, for real))" \
+		dn cn userpassword gidnumber memberuid |\
+	$LDIFSORT
+	search -b cn=compat,cn=accounts,dc=example,dc=com \
+		"(&(objectclass=posixgroup)(gidnumber=345678))" \
+		dn cn userpassword gidnumber memberuid |\
+	$LDIFSORT
+}
+
+# Initialize the user database.
+echo -n > "$WRAPPERS_PASSWD"
+echo -n > "$WRAPPERS_GROUP"
+
+# Test that we can't see these users.
+echo '[nothing]'
+searches
+
+# Add the entries.
+echo "$testuser1" >> "$WRAPPERS_PASSWD"
+echo "$testuser2" >> "$WRAPPERS_PASSWD"
+echo "$testuser3" >> "$WRAPPERS_PASSWD"
+echo "$testgroup1" >> "$WRAPPERS_GROUP"
+echo "$testgroup2" >> "$WRAPPERS_GROUP"
+echo "$testgroup3" >> "$WRAPPERS_GROUP"
+
+# Test that we can see these users and groups now.
+echo '[all entries]'
+searches
+
+# Nuke the entries.
+echo -n > "$WRAPPERS_PASSWD"
+echo -n > "$WRAPPERS_GROUP"
+
+# Test that we can still see these users, since they're in the cache now.
+echo '[all entries]'
+searches
+
+# Try to bind to each of the group entries in turn, and test that we can no
+# longer see the groups, since they should've been thrown out of the cache.
+echo -n > wrap_pam
+echo "[auth to testgroup1]"
+simplebind -D 'cn=testgroup1,cn=groups,cn=compat,cn=accounts,dc=example,dc=com' \
+	   -w nope
+echo "[auth to testgroup2]"
+simplebind -D 'cn=testgroup2,cn=groups,cn=compat,cn=accounts,dc=example,dc=com' \
+	   -w nope
+echo "[auth to testgroup3, for real]"
+simplebind -D 'cn=testgroup3\2C for real,cn=groups,cn=compat,cn=accounts,dc=example,dc=com' \
+	   -w nope
+echo '[just users]'
+searches
+
+# Try to bind to each of the user entries in turn.
+cat > wrap_pam << EOF
+testuser1:authtok:0:0
+testuser2:authtok:0:0
+testuser3, for real:authtok:SUCCESS:NEW_AUTHTOK_REQD
+EOF
+echo "[auth:AUTH_ERR]"
+simplebind -D 'uid=testuser1,cn=users,cn=compat,cn=accounts,dc=example,dc=com' \
+	   -w nope
+echo "[auth:OK]"
+simplebind -D 'uid=testuser2,cn=users,cn=compat,cn=accounts,dc=example,dc=com' \
+	   -w authtok
+echo "[acct:NEW_AUTHTOK_REQD]"
+simplebind -D 'uid=testuser3\2C for real,cn=users,cn=compat,cn=accounts,dc=example,dc=com' \
+	   -w authtok
+
+# Test that we can still see the users.
+echo '[still just users]'
+searches
+
+# Try to bind to each of the entries in turn.
+cat > wrap_pam << EOF
+testuser1:authtok:MAXTRIES
+testuser2:authtok:PERM_DENIED
+testuser3, for real:authtok:0:ACCT_EXPIRED
+EOF
+echo "[auth:MAXTRIES]"
+simplebind -D 'uid=testuser1,cn=users,cn=compat,cn=accounts,dc=example,dc=com' \
+	   -w authtok
+echo "[auth:PERM_DENIED]"
+simplebind -D 'uid=testuser2,cn=users,cn=compat,cn=accounts,dc=example,dc=com' \
+	   -w authtok
+echo "[acct:ACCT_EXPIRED]"
+simplebind -D 'uid=testuser3\2C for real,cn=users,cn=compat,cn=accounts,dc=example,dc=com' \
+	   -w authtok
+
+# Test that we can still see just the users.
+echo '[yup, still just users]'
+searches
diff --git a/tests/test36-schema-nsswitch/before.txt b/tests/test36-schema-nsswitch/before.txt
new file mode 100644
index 0000000..3c5262e
--- /dev/null
+++ b/tests/test36-schema-nsswitch/before.txt
@@ -0,0 +1,356 @@
+[nothing]
+[all entries]
+dn: uid=testuser1,cn=users,cn=compat,cn=accounts,dc=example,dc=com
+uid: testuser1
+uidnumber: 1234
+gidnumber: 2345
+gecos: Test User 1
+loginshell: /bin/sh
+homedirectory: /home/testuser1
+
+dn: uid=testuser1,cn=users,cn=compat,cn=accounts,dc=example,dc=com
+uid: testuser1
+uidnumber: 1234
+gidnumber: 2345
+gecos: Test User 1
+loginshell: /bin/sh
+homedirectory: /home/testuser1
+
+dn: uid=testuser2,cn=users,cn=compat,cn=accounts,dc=example,dc=com
+uid: testuser2
+uidnumber: 12345
+gidnumber: 23456
+gecos: Test User 2
+loginshell: /bin/sh
+homedirectory: /home/testuser2
+
+dn: uid=testuser2,cn=users,cn=compat,cn=accounts,dc=example,dc=com
+uid: testuser2
+uidnumber: 12345
+gidnumber: 23456
+gecos: Test User 2
+loginshell: /bin/sh
+homedirectory: /home/testuser2
+
+dn: uid=testuser3\2C for real,cn=users,cn=compat,cn=accounts,dc=example,dc=com
+uid: testuser3, for real
+uidnumber: 123456
+gidnumber: 234567
+gecos: Test User 3
+loginshell: /bin/sh
+homedirectory: /home/testuser2
+
+dn: uid=testuser3\2C for real,cn=users,cn=compat,cn=accounts,dc=example,dc=com
+uid: testuser3, for real
+uidnumber: 123456
+gidnumber: 234567
+gecos: Test User 3
+loginshell: /bin/sh
+homedirectory: /home/testuser2
+
+dn: cn=testgroup1,cn=groups,cn=compat,cn=accounts,dc=example,dc=com
+cn: testgroup1
+gidnumber: 3456
+memberuid: testuser1
+memberuid: testuser2
+
+dn: cn=testgroup1,cn=groups,cn=compat,cn=accounts,dc=example,dc=com
+cn: testgroup1
+gidnumber: 3456
+memberuid: testuser1
+memberuid: testuser2
+
+dn: cn=testgroup2,cn=groups,cn=compat,cn=accounts,dc=example,dc=com
+cn: testgroup2
+gidnumber: 34567
+memberuid: testuser1
+memberuid: testuser2
+
+dn: cn=testgroup2,cn=groups,cn=compat,cn=accounts,dc=example,dc=com
+cn: testgroup2
+gidnumber: 34567
+memberuid: testuser1
+memberuid: testuser2
+
+dn: cn=testgroup3\2C for real,cn=groups,cn=compat,cn=accounts,dc=example,dc=co
+ m
+cn: testgroup3, for real
+gidnumber: 345678
+memberuid: testuser1
+memberuid: testuser2
+
+dn: cn=testgroup3\2C for real,cn=groups,cn=compat,cn=accounts,dc=example,dc=co
+ m
+cn: testgroup3, for real
+gidnumber: 345678
+memberuid: testuser1
+memberuid: testuser2
+
+[all entries]
+dn: uid=testuser1,cn=users,cn=compat,cn=accounts,dc=example,dc=com
+uid: testuser1
+uidnumber: 1234
+gidnumber: 2345
+gecos: Test User 1
+loginshell: /bin/sh
+homedirectory: /home/testuser1
+
+dn: uid=testuser1,cn=users,cn=compat,cn=accounts,dc=example,dc=com
+uid: testuser1
+uidnumber: 1234
+gidnumber: 2345
+gecos: Test User 1
+loginshell: /bin/sh
+homedirectory: /home/testuser1
+
+dn: uid=testuser2,cn=users,cn=compat,cn=accounts,dc=example,dc=com
+uid: testuser2
+uidnumber: 12345
+gidnumber: 23456
+gecos: Test User 2
+loginshell: /bin/sh
+homedirectory: /home/testuser2
+
+dn: uid=testuser2,cn=users,cn=compat,cn=accounts,dc=example,dc=com
+uid: testuser2
+uidnumber: 12345
+gidnumber: 23456
+gecos: Test User 2
+loginshell: /bin/sh
+homedirectory: /home/testuser2
+
+dn: uid=testuser3\2C for real,cn=users,cn=compat,cn=accounts,dc=example,dc=com
+uid: testuser3, for real
+uidnumber: 123456
+gidnumber: 234567
+gecos: Test User 3
+loginshell: /bin/sh
+homedirectory: /home/testuser2
+
+dn: uid=testuser3\2C for real,cn=users,cn=compat,cn=accounts,dc=example,dc=com
+uid: testuser3, for real
+uidnumber: 123456
+gidnumber: 234567
+gecos: Test User 3
+loginshell: /bin/sh
+homedirectory: /home/testuser2
+
+dn: cn=testgroup1,cn=groups,cn=compat,cn=accounts,dc=example,dc=com
+cn: testgroup1
+gidnumber: 3456
+memberuid: testuser1
+memberuid: testuser2
+
+dn: cn=testgroup1,cn=groups,cn=compat,cn=accounts,dc=example,dc=com
+cn: testgroup1
+gidnumber: 3456
+memberuid: testuser1
+memberuid: testuser2
+
+dn: cn=testgroup2,cn=groups,cn=compat,cn=accounts,dc=example,dc=com
+cn: testgroup2
+gidnumber: 34567
+memberuid: testuser1
+memberuid: testuser2
+
+dn: cn=testgroup2,cn=groups,cn=compat,cn=accounts,dc=example,dc=com
+cn: testgroup2
+gidnumber: 34567
+memberuid: testuser1
+memberuid: testuser2
+
+dn: cn=testgroup3\2C for real,cn=groups,cn=compat,cn=accounts,dc=example,dc=co
+ m
+cn: testgroup3, for real
+gidnumber: 345678
+memberuid: testuser1
+memberuid: testuser2
+
+dn: cn=testgroup3\2C for real,cn=groups,cn=compat,cn=accounts,dc=example,dc=co
+ m
+cn: testgroup3, for real
+gidnumber: 345678
+memberuid: testuser1
+memberuid: testuser2
+
+[auth to testgroup1]
+ldap_bind: No such object (32)
+[auth to testgroup2]
+ldap_bind: No such object (32)
+[auth to testgroup3, for real]
+ldap_bind: No such object (32)
+[just users]
+dn: uid=testuser1,cn=users,cn=compat,cn=accounts,dc=example,dc=com
+uid: testuser1
+uidnumber: 1234
+gidnumber: 2345
+gecos: Test User 1
+loginshell: /bin/sh
+homedirectory: /home/testuser1
+
+dn: uid=testuser1,cn=users,cn=compat,cn=accounts,dc=example,dc=com
+uid: testuser1
+uidnumber: 1234
+gidnumber: 2345
+gecos: Test User 1
+loginshell: /bin/sh
+homedirectory: /home/testuser1
+
+dn: uid=testuser2,cn=users,cn=compat,cn=accounts,dc=example,dc=com
+uid: testuser2
+uidnumber: 12345
+gidnumber: 23456
+gecos: Test User 2
+loginshell: /bin/sh
+homedirectory: /home/testuser2
+
+dn: uid=testuser2,cn=users,cn=compat,cn=accounts,dc=example,dc=com
+uid: testuser2
+uidnumber: 12345
+gidnumber: 23456
+gecos: Test User 2
+loginshell: /bin/sh
+homedirectory: /home/testuser2
+
+dn: uid=testuser3\2C for real,cn=users,cn=compat,cn=accounts,dc=example,dc=com
+uid: testuser3, for real
+uidnumber: 123456
+gidnumber: 234567
+gecos: Test User 3
+loginshell: /bin/sh
+homedirectory: /home/testuser2
+
+dn: uid=testuser3\2C for real,cn=users,cn=compat,cn=accounts,dc=example,dc=com
+uid: testuser3, for real
+uidnumber: 123456
+gidnumber: 234567
+gecos: Test User 3
+loginshell: /bin/sh
+homedirectory: /home/testuser2
+
+[auth:AUTH_ERR]
+ldap_bind: Invalid credentials (49)
+[auth:OK]
+# extended LDIF
+#
+# LDAPv3
+# base <> with scope baseObject
+# filter: (objectclass=*)
+# requesting: dn: 
+#
+
+#
+dn:
+
+# search result
+search: 2
+result: 0 Success
+
+# numResponses: 2
+# numEntries: 1
+[acct:NEW_AUTHTOK_REQD]
+ldap_bind: Invalid credentials (49)
+[still just users]
+dn: uid=testuser1,cn=users,cn=compat,cn=accounts,dc=example,dc=com
+uid: testuser1
+uidnumber: 1234
+gidnumber: 2345
+gecos: Test User 1
+loginshell: /bin/sh
+homedirectory: /home/testuser1
+
+dn: uid=testuser1,cn=users,cn=compat,cn=accounts,dc=example,dc=com
+uid: testuser1
+uidnumber: 1234
+gidnumber: 2345
+gecos: Test User 1
+loginshell: /bin/sh
+homedirectory: /home/testuser1
+
+dn: uid=testuser2,cn=users,cn=compat,cn=accounts,dc=example,dc=com
+uid: testuser2
+uidnumber: 12345
+gidnumber: 23456
+gecos: Test User 2
+loginshell: /bin/sh
+homedirectory: /home/testuser2
+
+dn: uid=testuser2,cn=users,cn=compat,cn=accounts,dc=example,dc=com
+uid: testuser2
+uidnumber: 12345
+gidnumber: 23456
+gecos: Test User 2
+loginshell: /bin/sh
+homedirectory: /home/testuser2
+
+dn: uid=testuser3\2C for real,cn=users,cn=compat,cn=accounts,dc=example,dc=com
+uid: testuser3, for real
+uidnumber: 123456
+gidnumber: 234567
+gecos: Test User 3
+loginshell: /bin/sh
+homedirectory: /home/testuser2
+
+dn: uid=testuser3\2C for real,cn=users,cn=compat,cn=accounts,dc=example,dc=com
+uid: testuser3, for real
+uidnumber: 123456
+gidnumber: 234567
+gecos: Test User 3
+loginshell: /bin/sh
+homedirectory: /home/testuser2
+
+[auth:MAXTRIES]
+ldap_bind: Constraint violation (19)
+[auth:PERM_DENIED]
+ldap_bind: Server is unwilling to perform (53)
+[acct:ACCT_EXPIRED]
+ldap_bind: Invalid credentials (49)
+[yup, still just users]
+dn: uid=testuser1,cn=users,cn=compat,cn=accounts,dc=example,dc=com
+uid: testuser1
+uidnumber: 1234
+gidnumber: 2345
+gecos: Test User 1
+loginshell: /bin/sh
+homedirectory: /home/testuser1
+
+dn: uid=testuser1,cn=users,cn=compat,cn=accounts,dc=example,dc=com
+uid: testuser1
+uidnumber: 1234
+gidnumber: 2345
+gecos: Test User 1
+loginshell: /bin/sh
+homedirectory: /home/testuser1
+
+dn: uid=testuser2,cn=users,cn=compat,cn=accounts,dc=example,dc=com
+uid: testuser2
+uidnumber: 12345
+gidnumber: 23456
+gecos: Test User 2
+loginshell: /bin/sh
+homedirectory: /home/testuser2
+
+dn: uid=testuser2,cn=users,cn=compat,cn=accounts,dc=example,dc=com
+uid: testuser2
+uidnumber: 12345
+gidnumber: 23456
+gecos: Test User 2
+loginshell: /bin/sh
+homedirectory: /home/testuser2
+
+dn: uid=testuser3\2C for real,cn=users,cn=compat,cn=accounts,dc=example,dc=com
+uid: testuser3, for real
+uidnumber: 123456
+gidnumber: 234567
+gecos: Test User 3
+loginshell: /bin/sh
+homedirectory: /home/testuser2
+
+dn: uid=testuser3\2C for real,cn=users,cn=compat,cn=accounts,dc=example,dc=com
+uid: testuser3, for real
+uidnumber: 123456
+gidnumber: 234567
+gecos: Test User 3
+loginshell: /bin/sh
+homedirectory: /home/testuser2
+
diff --git a/tests/test36-schema-nsswitch/description.txt b/tests/test36-schema-nsswitch/description.txt
new file mode 100644
index 0000000..34b4f4b
--- /dev/null
+++ b/tests/test36-schema-nsswitch/description.txt
@@ -0,0 +1 @@
+nsswitch and PAM tests
diff --git a/tests/test36-schema-nsswitch/dse.ldif b/tests/test36-schema-nsswitch/dse.ldif
new file mode 100644
index 0000000..e9c14f9
--- /dev/null
+++ b/tests/test36-schema-nsswitch/dse.ldif
@@ -0,0 +1,39 @@
+dn: cn=compat-passwd,cn=Schema Compatibility,cn=plugins,cn=config
+objectClass: top
+objectClass: extensibleObject
+cn: compat-passwd
+schema-compat-container-group: cn=compat,cn=Accounts,dc=example,dc=com
+schema-compat-container-rdn: cn=Users
+schema-compat-lookup-nsswitch: user
+schema-compat-nsswitch-min-id: 0
+schema-compat-check-access: yes
+schema-compat-search-base: cn=Users,cn=Accounts,dc=example,dc=com
+schema-compat-search-filter: (|(objectClass=extensibleObject)(objectClass=posixAccount))
+schema-compat-entry-rdn: uid=%{uid}
+schema-compat-entry-attribute: objectclass=posixAccount
+schema-compat-entry-attribute: uidNumber=%{uidNumber}
+schema-compat-entry-attribute: gidNumber=%{gidNumber}
+schema-compat-entry-attribute: homeDirectory=%{homeDirectory}
+schema-compat-entry-attribute: loginShell=%{loginShell}
+schema-compat-entry-attribute: cn=%{cn}
+schema-compat-entry-attribute: gecos=%{gecos:-%{cn}}
+schema-compat-entry-attribute: userPassword=%{userPassword}
+
+dn: cn=compat-group,cn=Schema Compatibility,cn=plugins,cn=config
+objectClass: top
+objectClass: extensibleObject
+cn: compat-group
+schema-compat-container-group: cn=compat,cn=Accounts,dc=example,dc=com
+schema-compat-container-rdn: cn=Groups
+schema-compat-lookup-nsswitch: group
+schema-compat-nsswitch-min-id: 0
+schema-compat-check-access: yes
+schema-compat-search-base: cn=Groups,cn=Accounts,dc=example,dc=com
+schema-compat-search-filter: (|(objectClass=extensibleObject)(objectClass=posixAccount))
+schema-compat-entry-rdn: cn=%{cn}
+schema-compat-entry-attribute: objectclass=posixGroup
+schema-compat-entry-attribute: userPassword=%{userPassword}
+schema-compat-entry-attribute: gidNumber=%{gidNumber}
+schema-compat-entry-attribute: memberUid=%deref_r("member","uid")
+schema-compat-entry-attribute: memberUid=%{memberUid}
+
diff --git a/tests/test36-schema-nsswitch/plugin-need-wrappers.txt b/tests/test36-schema-nsswitch/plugin-need-wrappers.txt
new file mode 100644
index 0000000..4143046
--- /dev/null
+++ b/tests/test36-schema-nsswitch/plugin-need-wrappers.txt
@@ -0,0 +1,3 @@
+WRAPPERS_PASSWD=$BTESTDIR/$TEST/wrap_passwd
+WRAPPERS_GROUP=$BTESTDIR/$TEST/wrap_group
+WRAPPERS_PAM_CREDS=$BTESTDIR/$TEST/wrap_pam
diff --git a/tests/test36-schema-nsswitch/userRoot.ldif b/tests/test36-schema-nsswitch/userRoot.ldif
new file mode 100644
index 0000000..a98f6b6
--- /dev/null
+++ b/tests/test36-schema-nsswitch/userRoot.ldif
@@ -0,0 +1,37 @@
+# users, accounts, example.com
+dn: cn=users,cn=accounts,dc=example,dc=com
+objectClass: top
+objectClass: nsContainer
+cn: users
+
+# tuser1, users, accounts, example.com
+dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
+uid: tuser1
+objectClass: top
+objectClass: person
+objectClass: posixAccount
+objectClass: inetUser
+loginShell: /bin/sh
+gidNumber: 1003
+gecos: Tim User
+sn: User
+homeDirectory: /home/tuser1
+cn: Tim User
+uidNumber: 1101
+description: __no_upg__
+
+# tuser2, users, accounts, example.com
+dn: uid=tuser2,cn=users,cn=accounts,dc=example,dc=com
+uid: tuser2
+objectClass: top
+objectClass: person
+objectClass: posixAccount
+objectClass: inetUser
+loginShell: /bin/sh
+gidNumber: 1004
+sn: User
+homeDirectory: /home/tuser2
+cn: Timmy User
+uidNumber: 1102
+description: __no_upg__
+