#!/bin/sh -e # # Test if the LDAP server is working. # $Id$ LC_ALL=C export LC_ALL . /usr/share/debian-edu-config/testsuite-lib.sh success() { echo "success: $0: $*" ; } error() { echo "error: $0: $*" ; RESULT=1; } if test -r /etc/debian-edu/config ; then . /etc/debian-edu/config fi # Only networked profiles use LDAP if echo "$PROFILE" | grep -Eq 'Main-Server|Workstation|Roaming-Workstation|LTSP-Server|Minimal' ; then : else exit 0 fi RESULT=0 # Locate LDAP server dynamically, by looking up SRV records. The +ndots=2 # argument is tested and found to work with the debian package # bind9-host, and not with the host package. ldap_server_port="$(dig +search +ndots=2 +short _ldap._tcp srv | awk ' (t == "") || ($1 < prio) { prio = $1 t = $4 sub(/\.$/,"",t) p = $3 } END { if (t != "") printf("%s:%d", t, p) } ')" ldap_server="${ldap_server_port%:*}" ldap_server_uri="ldap://${ldap_server_port}" # Test if LDAP server is reachable if ping -c1 $ldap_server > /dev/null 2>&1 ; then success "Dynamically located LDAP server '$ldap_server' is pingable." else error "Dynamically located LDAP server '$ldap_server' is not pingable, continuing tests using DNS alias ldap." # Autodetection failed, use hardcoded DNS name for the rest of the tests ldap_server=ldap.intern ldap_server_uri="ldap://${ldap_server}" fi for file in nslcd.conf ; do if [ -f /etc/$file ] ; then grep -v '^#' /etc/$file | grep -v '^$' | sort | sed "s/^/info: $file: /" else error "/etc/$file is missing." fi done # Verify that NSS is properly configured for netgroups in LDAP. if grep -Eq '^netgroup: +nis *.* +(ldap|sss)$' /etc/nsswitch.conf ; then success "NSS netgroup setting is correct in /etc/nsswitch.conf" else error "NSS netgroup setting is wrong in /etc/nsswitch.conf" fi SERVICES="nslcd" # Roaming workstations use sssd for caching, and not nscd if echo "$PROFILE" | grep -Eq 'Roaming-Workstation' ; then SERVICES="$SERVICES sssd" else ls -l /var/cache/nscd/ | sed "s/^/info: nscd cache: /" nscd -g | sed "s/^/info: nscd statistics: /" SERVICES="$SERVICES nscd" fi printf 'info: SRV record from DNS: ' dig +search +ndots=2 +noall +answer +nocomments _ldap._tcp srv printf 'info: LDAP server from DNS: ' dig +noall +answer +nocomments "$ldap_server" if [ -f /etc/nslcd.conf ] ; then if grep -Eq "^uri (ldap|$ldap_server)" /etc/nslcd.conf ; then : else error "ldap/ldap.conf misses definition of HOST ldap" fi else error "/etc/nslcd.conf is missing." fi # test netgroups if ldap2netgroup $ldap_server | grep -q tjener ; then success "ldap2netgroup found 'tjener'" else error "unable to find 'tjener' in 'all-hosts' using ldap2netgroup." fi if netgroup all-hosts | grep -q tjener ; then success "netgroup found 'tjener'" else error "unable to find 'tjener' in 'all-hosts' using netgroup." fi if getent group students >/dev/null; then success "getent found file group 'students'." else error "getent failed to find file group 'students'." fi if getent passwd |grep -z home0; then success "getent found LDAP user (with home0 home)." else error "getent failed to find LDAP user (with home0 home)." fi for service in $SERVICES ; do if /etc/init.d/$service status > /dev/null 2>&1; then success "$service service is operational." else error "$service service is not operational." fi done if [ -x /usr/bin/ldapsearch ] ; then namingContexts="$( ldapsearch -s base -H "${ldap_server_uri}" -b '' -x '*' '+' | \ awk '/^namingContexts:/ {print $2}' | head -1 )" echo info: $0: LDAP rootDSE namingContext: $namingContexts LDAP_MOUNTS="$( ldapsearch -LLL -H "${ldap_server_uri}" -b $namingContexts \ -x '(objectClass=automount)' |\ grep "^cn:" | while read attr val; do echo "$val" done )" echo info: $0: Mountpoints found in ldap: $LDAP_MOUNTS for WANT_MOUNT in /skole tjener / ; do if ! echo $LDAP_MOUNTS | grep -q $WANT_MOUNT ; then error "Missing $WANT_MOUNT mount point in ldap" fi done # Try a search using TLS too group=admins if ldapsearch -ZZ -LLL -H "${ldap_server_uri}" -b $namingContexts \ -x "(&(cn=$group)(objectclass=posixGroup))" >/dev/null 2>&1 ; then success "TLS search on $ldap_server for cn=$group returned OK exit code." elif ldapsearch -ZZ -LLL -H ldap://ldap.intern -b $namingContexts \ -x "(&(cn=$group)(objectclass=posixGroup))" >/dev/null 2>&1 ; then success "TLS search on ldap.intern for cn=$group returned OK exit code." else error "TLS search for cn=$group failed." fi else error "Missing /usr/bin/ldapsearch " fi pubcert=/etc/ssl/certs/debian-edu-server.crt cacert=/etc/ssl/certs/Debian-Edu_rootCA.crt if [ -s $pubcert ] ; then if openssl verify -CAfile $cacert $pubcert; then success "LDAP certificate matches rootCA certificate" else error "LDAP certificate doesn't match rootCA certificate" fi else error "Missing LDAP certificate $pubcert" fi if [ 1 -eq $(grep -v '^#' /etc/pam.d/common-auth | grep -Ec 'pam_krb5.so|pam_ldap.so|pam_sss.so') ] ; then success "Only one PAM module of krb5, ldap and sss is enabled" else error "More than one PAM module of krb5, ldap and sss is enabled" fi # Make sure winbind PAM module isn't active if grep -q pam_winbind.so /etc/pam.d/common-auth; then error "winbind PAM module is active" else success "winbind PAM module is not active" fi if [ -r /etc/ldap/ldap.conf ] ; then if grep -q '^TLS_REQCERT never' /etc/ldap/ldap.conf ; then error "LDAP cert checking turned off in /etc/ldap/ldap.conf" else success "LDAP cert checking not turned off in /etc/ldap/ldap.conf" fi fi if [ -r /etc/nslcd.conf ] ; then if grep -q '^tls_reqcert never' /etc/nslcd.conf ; then error "LDAP cert checking turned off in /etc/nslcd.conf" else success "LDAP cert checking not turned off in /etc/nslcd.conf" fi fi if [ -r /etc/sssd/sssd.conf ] ; then if grep -q '^ldap_tls_reqcert never' /etc/sssd/sssd.conf ; then error "LDAP cert checking turned off in /etc/sssd/sssd.conf" else success "LDAP cert checking not turned off in /etc/sssd/sssd.conf" fi fi exit $RESULT