|
1 | | -#!/usr/bin/env sh |
2 | | -set -e |
3 | | -set -x |
4 | | - |
5 | | -BASE_PATH=$( cd "`dirname $0`/../test/fixtures/openldap" && pwd ) |
6 | | -SEED_PATH=$( cd "`dirname $0`/../test/fixtures" && pwd ) |
7 | | - |
8 | | -dpkg -s slapd time ldap-utils gnutls-bin ssl-cert > /dev/null ||\ |
9 | | - DEBIAN_FRONTEND=noninteractive apt-get update -y --force-yes && \ |
10 | | - DEBIAN_FRONTEND=noninteractive apt-get install -y --force-yes slapd time ldap-utils gnutls-bin ssl-cert |
11 | | - |
12 | | -/etc/init.d/slapd stop |
13 | | - |
14 | | -TMPDIR=$(mktemp -d) |
15 | | -cd $TMPDIR |
16 | | - |
17 | | -# Delete data and reconfigure. |
18 | | -cp -v /var/lib/ldap/DB_CONFIG ./DB_CONFIG |
19 | | -rm -rf /etc/ldap/slapd.d/* |
20 | | -rm -rf /var/lib/ldap/* |
21 | | -cp -v ./DB_CONFIG /var/lib/ldap/DB_CONFIG |
22 | | -slapadd -F /etc/ldap/slapd.d -b "cn=config" -l $BASE_PATH/slapd.conf.ldif |
23 | | -# Load memberof and ref-int overlays and configure them. |
24 | | -slapadd -F /etc/ldap/slapd.d -b "cn=config" -l $BASE_PATH/memberof.ldif |
25 | | -# Load retcode overlay and configure |
26 | | -slapadd -F /etc/ldap/slapd.d -b "cn=config" -l $BASE_PATH/retcode.ldif |
27 | | - |
28 | | -# Add base domain. |
29 | | -slapadd -F /etc/ldap/slapd.d <<EOM |
30 | | -dn: dc=rubyldap,dc=com |
31 | | -objectClass: top |
32 | | -objectClass: domain |
33 | | -dc: rubyldap |
34 | | -EOM |
35 | | - |
36 | | -chown -R openldap.openldap /etc/ldap/slapd.d |
37 | | -chown -R openldap.openldap /var/lib/ldap |
38 | | - |
39 | | -/etc/init.d/slapd start |
40 | | - |
41 | | -# Import seed data. |
42 | | -# NOTE: use ldapadd in order for memberOf and refint to apply, instead of: |
43 | | -# cat $SEED_PATH/seed.ldif | slapadd -F /etc/ldap/slapd.d |
44 | | -/usr/bin/time ldapadd -x -D "cn=admin,dc=rubyldap,dc=com" -w passworD1 \ |
45 | | - -h localhost -p 389 \ |
46 | | - -f $SEED_PATH/seed.ldif |
47 | | - |
48 | | -rm -rf $TMPDIR |
49 | | - |
50 | | -# SSL |
51 | | -export CA_CERT="/usr/local/share/ca-certificates/rubyldap-ca.crt" |
52 | | -export CA_KEY="/etc/ssl/private/rubyldap-ca.key" |
53 | | - |
54 | | -# The self-signed fixture CA cert & key are generated by |
55 | | -# `script/generate-fiuxture-ca` and checked into version control. |
56 | | -# You shouldn't need to muck with these unless you're writing more |
57 | | -# TLS/SSL integration tests, and need special magic values in the cert. |
58 | | - |
59 | | -cp "${SEED_PATH}/ca/cacert.pem" "${CA_CERT}" |
60 | | -cp "${SEED_PATH}/ca/cakey.pem" "${CA_KEY}" |
61 | | - |
62 | | -# actually add the fixture CA to the system store |
63 | | -update-ca-certificates |
64 | | - |
65 | | -# Make a private key for the server: |
66 | | -certtool --generate-privkey \ |
67 | | - --bits 1024 \ |
68 | | - --outfile /etc/ssl/private/ldap01_slapd_key.pem |
69 | | - |
70 | | -sh -c "cat > /etc/ssl/ldap01.info <<EOF |
71 | | -organization = Example Company |
72 | | -cn = ldap01.example.com |
73 | | -dns_name = ldap01.example.com |
74 | | -dns_name = ldap02.example.com |
75 | | -dns_name = localhost |
76 | | -tls_www_server |
77 | | -encryption_key |
78 | | -signing_key |
79 | | -expiration_days = 3650 |
80 | | -EOF" |
81 | | - |
82 | | -# The integration server may be accessed by IP address, in which case |
83 | | -# we want some of the IPs included in the cert. We skip loopback (127.0.0.1) |
84 | | -# because that's the IP we use in the integration test for cert name mismatches. |
85 | | -ADDRS=$(ifconfig -a | grep 'inet addr:' | cut -f 2 -d : | cut -f 1 -d ' ') |
86 | | -for ip in $ADDRS; do |
87 | | - if [ "x$ip" = 'x127.0.0.1' ]; then continue; fi |
88 | | - echo "ip_address = $ip" >> /etc/ssl/ldap01.info |
89 | | -done |
90 | | - |
91 | | -# Create the server certificate |
92 | | -certtool --generate-certificate \ |
93 | | - --load-privkey /etc/ssl/private/ldap01_slapd_key.pem \ |
94 | | - --load-ca-certificate "${CA_CERT}" \ |
95 | | - --load-ca-privkey "${CA_KEY}" \ |
96 | | - --template /etc/ssl/ldap01.info \ |
97 | | - --outfile /etc/ssl/certs/ldap01_slapd_cert.pem |
98 | | - |
99 | | -ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF | true |
100 | | -dn: cn=config |
101 | | -add: olcTLSCACertificateFile |
102 | | -olcTLSCACertificateFile: ${CA_CERT} |
103 | | -- |
104 | | -add: olcTLSCertificateFile |
105 | | -olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem |
106 | | -- |
107 | | -add: olcTLSCertificateKeyFile |
108 | | -olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem |
109 | | -EOF |
110 | | - |
111 | | -# LDAP over TLS/SSL (ldaps://) is deprecated in favour of StartTLS. The latter |
112 | | -# refers to an existing LDAP session (listening on TCP port 389) becoming |
113 | | -# protected by TLS/SSL whereas LDAPS, like HTTPS, is a distinct |
114 | | -# encrypted-from-the-start protocol that operates over TCP port 636. But we |
115 | | -# enable it for testing here. |
116 | | -sed -i -e 's|^SLAPD_SERVICES="\(.*\)"|SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"|' /etc/default/slapd |
117 | | - |
118 | | -adduser openldap ssl-cert |
119 | | -chgrp ssl-cert /etc/ssl/private/ldap01_slapd_key.pem |
120 | | -chmod g+r /etc/ssl/private/ldap01_slapd_key.pem |
121 | | -chmod o-r /etc/ssl/private/ldap01_slapd_key.pem |
122 | | - |
123 | | -# Drop packets on a secondary port used to specific timeout tests |
124 | | -iptables -A INPUT -p tcp -j DROP --dport 8389 |
125 | | - |
126 | | -# Forward a port for Vagrant |
127 | | -iptables -t nat -A PREROUTING -p tcp --dport 9389 -j REDIRECT --to-port 389 |
128 | | - |
129 | | -# fix up /etc/hosts for cert validation |
130 | | -grep ldap01 /etc/hosts || echo "127.0.0.1 ldap01.example.com" >> /etc/hosts |
131 | | -grep ldap02 /etc/hosts || echo "127.0.0.1 ldap02.example.com" >> /etc/hosts |
132 | | -grep bogus /etc/hosts || echo "127.0.0.1 bogus.example.com" >> /etc/hosts |
133 | | - |
134 | | -service slapd restart |
0 commit comments