3 Provides unit tests and examples for the <Nslcd> lens.
8 let real_file = "# /etc/nslcd.conf
9 # nslcd configuration file. See nslcd.conf(5)
12 # Specifies the number of threads to start that can handle requests and perform LDAP queries.
15 # The user and group nslcd should run as.
19 # This option controls the way logging is done.
22 # The location at which the LDAP server(s) should be reachable.
23 uri ldaps://XXX.XXX.XXX ldaps://YYY.YYY.YYY
25 # The search base that will be used for all queries.
28 # The LDAP protocol version to use.
31 # The DN to bind with for normal lookups.
32 binddn cn=annonymous,dc=example,dc=net
36 # The DN used for password modifications by root.
37 rootpwmoddn cn=admin,dc=example,dc=com
39 # The password used for password modifications by root.
43 # SASL authentication options
47 sasl_authzid dn:cn=annonymous,dc=example,dc=net
48 sasl_secprops noanonymous,noplain,minssf=0,maxssf=2,maxbufsize=65535
51 # Kerberos authentication options
54 # Search/mapping options
56 # Specifies the base distinguished name (DN) to use as search base.
57 base dc=people,dc=example,dc=com
58 base dc=morepeople,dc=example,dc=com
59 base alias dc=aliases,dc=example,dc=com
60 base alias dc=morealiases,dc=example,dc=com
61 base group dc=group,dc=example,dc=com
62 base group dc=moregroup,dc=example,dc=com
63 base passwd dc=users,dc=example,dc=com
65 # Specifies the search scope (subtree, onelevel, base or children).
70 # Specifies the policy for dereferencing aliases.
73 # Specifies whether automatic referral chasing should be enabled.
76 # The FILTER is an LDAP search filter to use for a specific map.
77 filter group (objectClass=posixGroup)
79 # This option allows for custom attributes to be looked up instead of the default RFC 2307 attributes.
80 map passwd homeDirectory \"${homeDirectory:-/home/$uid}\"
81 map passwd loginShell \"${loginShell:-/bin/bash}\"
82 map shadow userPassword myPassword
84 # Timing/reconnect options
86 # Specifies the time limit (in seconds) to use when connecting to the directory server.
89 # Specifies the time limit (in seconds) to wait for a response from the LDAP server.
92 # Specifies the period if inactivity (in seconds) after which the connection to the LDAP server will be closed.
95 # Specifies the number of seconds to sleep when connecting to all LDAP servers fails.
96 reconnect_sleeptime 10
98 # Specifies the time after which the LDAP server is considered to be permanently unavailable.
99 reconnect_retrytime 10
103 # Specifies whether to use SSL/TLS or not (the default is not to).
105 # Specifies what checks to perform on a server-supplied certificate.
107 # Specifies the directory containing X.509 certificates for peer authentication.
108 tls_cacertdir /etc/ssl/ca
109 # Specifies the path to the X.509 certificate for peer authentication.
110 tls_cacertfile /etc/ssl/certs/ca-certificates.crt
111 # Specifies the path to an entropy source.
112 tls_randfile /dev/random
113 # Specifies the ciphers to use for TLS.
115 # Specifies the path to the file containing the local certificate for client TLS authentication.
116 tls_cert /etc/ssl/certs/cert.pem
117 # Specifies the path to the file containing the private key for client TLS authentication.
118 tls_key /etc/ssl/private/cert.pem
122 nss_initgroups_ignoreusers user1,user2,user3
124 nss_nested_groups yes
125 nss_getgrent_skipmembers yes
126 nss_disable_enumeration yes
127 validnames /^[a-z0-9._@$()]([a-z0-9._@$() \\~-]*[a-z0-9._@$()~-])?$/i
129 pam_authc_ppolicy yes
130 pam_authz_search (&(objectClass=posixAccount)(uid=$username)(|(authorizedService=$service)(!(authorizedService=*))))
131 pam_password_prohibit_message \"MESSAGE LONG AND WITH SPACES\"
132 reconnect_invalidate nfsidmap,db2,db3
137 test Nslcd.lns get real_file =
138 { "#comment" = "/etc/nslcd.conf" }
139 { "#comment" = "nslcd configuration file. See nslcd.conf(5)" }
140 { "#comment" = "for details." }
142 { "#comment" = "Specifies the number of threads to start that can handle requests and perform LDAP queries." }
145 { "#comment" = "The user and group nslcd should run as." }
149 { "#comment" = "This option controls the way logging is done." }
150 { "log" = "syslog info" }
152 { "#comment" = "The location at which the LDAP server(s) should be reachable." }
154 { "1" = "ldaps://XXX.XXX.XXX" }
155 { "2" = "ldaps://YYY.YYY.YYY" }
158 { "#comment" = "The search base that will be used for all queries." }
159 { "base" = "dc=XXX,dc=XXX" }
161 { "#comment" = "The LDAP protocol version to use." }
162 { "ldap_version" = "3" }
164 { "#comment" = "The DN to bind with for normal lookups." }
165 { "binddn" = "cn=annonymous,dc=example,dc=net" }
166 { "bindpw" = "secret" }
169 { "#comment" = "The DN used for password modifications by root." }
170 { "rootpwmoddn" = "cn=admin,dc=example,dc=com" }
172 { "#comment" = "The password used for password modifications by root." }
173 { "rootpwmodpw" = "XXXXXX" }
176 { "#comment" = "SASL authentication options" }
177 { "sasl_mech" = "OTP" }
178 { "sasl_realm" = "realm" }
179 { "sasl_authcid" = "authcid" }
180 { "sasl_authzid" = "dn:cn=annonymous,dc=example,dc=net" }
181 { "sasl_secprops" = "noanonymous,noplain,minssf=0,maxssf=2,maxbufsize=65535" }
182 { "sasl_canonicalize" = "yes" }
184 { "#comment" = "Kerberos authentication options" }
185 { "krb5_ccname" = "ccname" }
187 { "#comment" = "Search/mapping options" }
189 { "#comment" = "Specifies the base distinguished name (DN) to use as search base." }
190 { "base" = "dc=people,dc=example,dc=com" }
191 { "base" = "dc=morepeople,dc=example,dc=com" }
193 { "alias" = "dc=aliases,dc=example,dc=com" }
196 { "alias" = "dc=morealiases,dc=example,dc=com" }
199 { "group" = "dc=group,dc=example,dc=com" }
202 { "group" = "dc=moregroup,dc=example,dc=com" }
205 { "passwd" = "dc=users,dc=example,dc=com" }
208 { "#comment" = "Specifies the search scope (subtree, onelevel, base or children)." }
214 { "aliases" = "sub" }
217 { "#comment" = "Specifies the policy for dereferencing aliases." }
218 { "deref" = "never" }
220 { "#comment" = "Specifies whether automatic referral chasing should be enabled." }
221 { "referrals" = "yes" }
223 { "#comment" = "The FILTER is an LDAP search filter to use for a specific map." }
225 { "group" = "(objectClass=posixGroup)" }
228 { "#comment" = "This option allows for custom attributes to be looked up instead of the default RFC 2307 attributes." }
231 { "homeDirectory" = "\"${homeDirectory:-/home/$uid}\"" }
236 { "loginShell" = "\"${loginShell:-/bin/bash}\"" }
241 { "userPassword" = "myPassword" }
245 { "#comment" = "Timing/reconnect options" }
247 { "#comment" = "Specifies the time limit (in seconds) to use when connecting to the directory server." }
248 { "bind_timelimit" = "30" }
250 { "#comment" = "Specifies the time limit (in seconds) to wait for a response from the LDAP server." }
251 { "timelimit" = "5" }
253 { "#comment" = "Specifies the period if inactivity (in seconds) after which the connection to the LDAP server will be closed." }
254 { "idle_timelimit" = "10" }
256 { "#comment" = "Specifies the number of seconds to sleep when connecting to all LDAP servers fails." }
257 { "reconnect_sleeptime" = "10" }
259 { "#comment" = "Specifies the time after which the LDAP server is considered to be permanently unavailable." }
260 { "reconnect_retrytime" = "10" }
262 { "#comment" = "SSL/TLS options" }
264 { "#comment" = "Specifies whether to use SSL/TLS or not (the default is not to)." }
265 { "ssl" = "start_tls" }
266 { "#comment" = "Specifies what checks to perform on a server-supplied certificate." }
267 { "tls_reqcert" = "never" }
268 { "#comment" = "Specifies the directory containing X.509 certificates for peer authentication." }
269 { "tls_cacertdir" = "/etc/ssl/ca" }
270 { "#comment" = "Specifies the path to the X.509 certificate for peer authentication." }
271 { "tls_cacertfile" = "/etc/ssl/certs/ca-certificates.crt" }
272 { "#comment" = "Specifies the path to an entropy source." }
273 { "tls_randfile" = "/dev/random" }
274 { "#comment" = "Specifies the ciphers to use for TLS." }
275 { "tls_ciphers" = "TLSv1" }
276 { "#comment" = "Specifies the path to the file containing the local certificate for client TLS authentication." }
277 { "tls_cert" = "/etc/ssl/certs/cert.pem" }
278 { "#comment" = "Specifies the path to the file containing the private key for client TLS authentication." }
279 { "tls_key" = "/etc/ssl/private/cert.pem" }
281 { "#comment" = "Other options" }
282 { "pagesize" = "100" }
283 { "nss_initgroups_ignoreusers"
288 { "nss_min_uid" = "1000" }
289 { "nss_nested_groups" = "yes" }
290 { "nss_getgrent_skipmembers" = "yes" }
291 { "nss_disable_enumeration" = "yes" }
292 { "validnames" = "/^[a-z0-9._@$()]([a-z0-9._@$() \~-]*[a-z0-9._@$()~-])?$/i" }
293 { "ignorecase" = "yes" }
294 { "pam_authc_ppolicy" = "yes" }
295 { "pam_authz_search" = "(&(objectClass=posixAccount)(uid=$username)(|(authorizedService=$service)(!(authorizedService=*))))" }
296 { "pam_password_prohibit_message" = "MESSAGE LONG AND WITH SPACES" }
297 { "reconnect_invalidate" = "nfsidmap,db2,db3" }
298 { "cache" = "dn2uid 1s 2h" }
302 (* Test a simple parameter *)
303 test Nslcd.lns put "pagesize 9999\n" after
304 set "/pagesize" "1000" =
307 (* Test base parameter *)
308 test Nslcd.lns put "\n" after
309 set "/base" "dc=example,dc=com" =
310 "\nbase dc=example,dc=com\n"
312 test Nslcd.lns put "base dc=change,dc=me\n" after
313 set "/base" "dc=example,dc=com" =
314 "base dc=example,dc=com\n"
316 test Nslcd.lns put "\n" after
317 set "/base/passwd" "dc=example,dc=com" =
318 "\nbase passwd dc=example,dc=com\n"
320 test Nslcd.lns put "base passwd dc=change,dc=me\n" after
321 set "/base[passwd]/passwd" "dc=example,dc=com";
322 set "/base[shadow]/shadow" "dc=example,dc=com" =
323 "base passwd dc=example,dc=com\nbase shadow dc=example,dc=com\n"
325 (* Test scope entry *)
326 test Nslcd.lns put "\n" after
330 test Nslcd.lns put "scope one\n" after
331 set "/scope" "subtree" =
334 test Nslcd.lns put "\n" after
335 set "/scope/passwd" "base" =
336 "\nscope passwd base\n"
338 test Nslcd.lns put "scope shadow onelevel\n" after
339 set "/scope[passwd]/passwd" "subtree";
340 set "/scope[shadow]/shadow" "base" =
341 "scope shadow base\nscope passwd subtree\n"
343 (* Test filter entry *)
344 test Nslcd.lns put "\n" after
345 set "/filter/passwd" "(objectClass=posixAccount)" =
346 "\nfilter passwd (objectClass=posixAccount)\n"
348 test Nslcd.lns put "filter shadow (objectClass=posixAccount)\n" after
349 set "/filter[passwd]/passwd" "(objectClass=Account)";
350 set "/filter[shadow]/shadow" "(objectClass=Account)" =
351 "filter shadow (objectClass=Account)\nfilter passwd (objectClass=Account)\n"
354 test Nslcd.lns put "map passwd loginShell ab\n" after
355 set "/map/passwd/loginShell" "bc" =
356 "map passwd loginShell bc\n"
358 test Nslcd.lns put "map passwd loginShell ab\n" after
359 set "/map[2]/passwd/homeDirectory" "bc" =
360 "map passwd loginShell ab\nmap passwd homeDirectory bc\n"
362 test Nslcd.lns put "map passwd loginShell ab\n" after
363 set "/map[passwd/homeDirectory]/passwd/homeDirectory" "bc" =
364 "map passwd loginShell ab\nmap passwd homeDirectory bc\n"
366 test Nslcd.lns put "map passwd loginShell ab\nmap passwd homeDirectory ab\n" after
367 set "/map[passwd/homeDirectory]/passwd/homeDirectory" "bc" =
368 "map passwd loginShell ab\nmap passwd homeDirectory bc\n"
371 (* Test simple entries *)
372 let simple = "uid nslcd\n"
374 test Nslcd.lns get simple =
377 (* Test simple entries with spaces at the end *)
378 let simple_spaces = "uid nslcd \n"
380 test Nslcd.lns get simple_spaces =
383 (* Test multi valued entries *)
385 let multi_valued = "cache 1 2 \n"
387 test Nslcd.lns get multi_valued =
390 let multi_valued_real = "map passwd homeDirectory ${homeDirectory:-/home/$uid}\n"
392 test Nslcd.lns get multi_valued_real =
395 { "homeDirectory" = "${homeDirectory:-/home/$uid}" }
401 let simple_multiline = "uid nslcd\ngid nslcd\n"
403 test Nslcd.lns get simple_multiline =
408 let multiline_separators = "\n\n \nuid nslcd \ngid nslcd \n"
410 test Nslcd.lns get multiline_separators =