Updated patch is attached,

There were a few more packages I had to install to get CI running for Debian; should we add these to the makefile?

root@sssd2:~# apt-get python-openssl

dpkg 
-ihttp://ftp.us.debian.org/debian/pool/main/n/nss-wrapper/libnss-wrapper_1.1.2-1_amd64.deb
dpkg 
-ihttp://security.kali.org/pool/main/l/linux/linux-libc-dev_3.16.7-ckt20-1+deb8u4_amd64.deb



Below are test runs against Debian and Fedora


    fakeroot /usr/bin/python2 /usr/bin/py.test -v --tb=native  .
============================================================================== test session starts =============================================================================== platform linux2 -- Python 2.7.9 -- py-1.4.25 -- pytest-2.6.3 -- /usr/bin/python2
collected 73 items

ent_test.py::test_assert_passwd_by_name PASSED
ent_test.py::test_assert_passwd_by_uid PASSED
ent_test.py::test_assert_passwd_list PASSED
ent_test.py::test_assert_each_passwd_by_name PASSED
ent_test.py::test_assert_each_passwd_by_uid PASSED
ent_test.py::test_assert_each_passwd_with_name PASSED
ent_test.py::test_assert_each_passwd_with_uid PASSED
ent_test.py::test_assert_passwd PASSED
ent_test.py::test_group_member_matching PASSED
ent_test.py::test_assert_group_by_name PASSED
ent_test.py::test_assert_group_by_gid PASSED
ent_test.py::test_assert_group_list PASSED
ent_test.py::test_assert_each_group_by_name PASSED
ent_test.py::test_assert_each_group_by_gid PASSED
ent_test.py::test_assert_each_group_with_name PASSED
ent_test.py::test_assert_each_group_with_gid PASSED
ent_test.py::test_assert_group PASSED
ldap_local_override_test.py::test_simple_user_override PASSED
ldap_local_override_test.py::test_root_user_override PASSED
ldap_local_override_test.py::test_replace_user_override PASSED
ldap_local_override_test.py::test_remove_user_override PASSED
ldap_local_override_test.py::test_imp_exp_user_override PASSED
ldap_local_override_test.py::test_show_user_override PASSED
ldap_local_override_test.py::test_find_user_override PASSED
ldap_local_override_test.py::test_simple_group_override PASSED
ldap_local_override_test.py::test_root_group_override PASSED
ldap_local_override_test.py::test_replace_group_override PASSED
ldap_local_override_test.py::test_remove_group_override PASSED
ldap_local_override_test.py::test_imp_exp_group_override PASSED
ldap_local_override_test.py::test_regr_2802_override PASSED
ldap_local_override_test.py::test_regr_2757_override PASSED
ldap_local_override_test.py::test_regr_2790_override PASSED
ldap_test.py::test_regression_ticket2163 PASSED
ldap_test.py::test_sanity_rfc2307 PASSED
ldap_test.py::test_sanity_rfc2307_bis PASSED
ldap_test.py::test_refresh_after_cleanup_task PASSED
ldap_test.py::test_add_remove_user PASSED
ldap_test.py::test_add_remove_group_rfc2307 PASSED
ldap_test.py::test_add_remove_group_rfc2307_bis PASSED
ldap_test.py::test_add_remove_membership_rfc2307 PASSED
ldap_test.py::test_add_remove_membership_rfc2307_bis PASSED
ldap_test.py::test_override_homedir PASSED
ldap_test.py::test_fallback_homedir PASSED
ldap_test.py::test_override_shell PASSED
ldap_test.py::test_shell_fallback PASSED
ldap_test.py::test_default_shell PASSED
ldap_test.py::test_vetoed_shells PASSED
test_local_domain.py::test_wrong_LC_ALL PASSED
test_memory_cache.py::test_getpwnam PASSED
test_memory_cache.py::test_getpwnam_with_mc PASSED
test_memory_cache.py::test_getgrnam_simple PASSED
test_memory_cache.py::test_getgrnam_simple_with_mc PASSED
test_memory_cache.py::test_getgrnam_membership PASSED
test_memory_cache.py::test_getgrnam_membership_with_mc PASSED
test_memory_cache.py::test_initgroups PASSED
test_memory_cache.py::test_initgroups_with_mc PASSED
test_memory_cache.py::test_initgroups_fqname_with_mc PASSED
test_memory_cache.py::test_initgroups_case_insensitive_with_mc1 PASSED
test_memory_cache.py::test_initgroups_case_insensitive_with_mc2 PASSED
test_memory_cache.py::test_initgroups_case_insensitive_with_mc3 PASSED
test_memory_cache.py::test_invalidation_of_gids_after_initgroups PASSED
test_memory_cache.py::test_initgroups_without_change_in_membership PASSED
test_memory_cache.py::test_invalidate_user_before_stop PASSED
test_memory_cache.py::test_invalidate_user_after_stop PASSED
test_memory_cache.py::test_invalidate_users_before_stop PASSED
test_memory_cache.py::test_invalidate_users_after_stop PASSED
test_memory_cache.py::test_invalidate_group_before_stop PASSED
test_memory_cache.py::test_invalidate_group_after_stop PASSED
test_memory_cache.py::test_invalidate_groups_before_stop PASSED
test_memory_cache.py::test_invalidate_groups_after_stop PASSED
test_memory_cache.py::test_invalidate_everything_before_stop PASSED
test_memory_cache.py::test_invalidate_everything_after_stop PASSED
test_memory_cache.py::test_removed_mc PASSED

========================================================================== 73 passed in 203.82 seconds ===========================================================================
rm -f /tmp/sssd-intg.zncqC9vY/var/log/sssd/*
make[1]: Leaving directory '/root/sssd/x86_64/intg/bld/src/tests/intg'
root@sssd2:~/sssd/x86_64# cat /etc/debian_version
8.3







cd "/root/sssd.git/x86_64/../src/tests/intg"; \
nss_wrapper=$(pkg-config --libs nss_wrapper); \
uid_wrapper=$(pkg-config --libs uid_wrapper); \
PATH="$(dirname -- /usr/sbin/slapd):$PATH" \
PATH="/tmp/sssd-intg.icQ2aGpF/sbin:/tmp/sssd-intg.icQ2aGpF/bin:$PATH" \
PATH="/root/sssd.git/x86_64/intg/bld/src/tests/intg:/root/sssd.git/x86_64/../src/tests/intg:$PATH" \ PYTHONPATH="/root/sssd.git/x86_64/intg/bld/src/tests/intg:/root/sssd.git/x86_64/../src/tests/intg" \
LDB_MODULES_PATH="/tmp/sssd-intg.icQ2aGpF/lib/ldb" \
LD_PRELOAD="$nss_wrapper $uid_wrapper" \
NSS_WRAPPER_PASSWD="/root/sssd.git/x86_64/intg/bld/src/tests/intg/passwd" \
NSS_WRAPPER_GROUP="/root/sssd.git/x86_64/intg/bld/src/tests/intg/group" \
NSS_WRAPPER_MODULE_SO_PATH="/tmp/sssd-intg.icQ2aGpF/lib/libnss_sss.so.2" \
NSS_WRAPPER_MODULE_FN_PREFIX="sss" \
UID_WRAPPER=1 \
UID_WRAPPER_ROOT=1 \
    fakeroot /usr/bin/python2 /usr/bin/py.test -v --tb=native  .
============================================================================== test session starts =============================================================================== platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.7.3 -- /usr/bin/python2
rootdir: /root/sssd.git/src/tests/intg, inifile:
collected 73 items

ent_test.py::test_assert_passwd_by_name PASSED
ent_test.py::test_assert_passwd_by_uid PASSED
ent_test.py::test_assert_passwd_list PASSED
ent_test.py::test_assert_each_passwd_by_name PASSED
ent_test.py::test_assert_each_passwd_by_uid PASSED
ent_test.py::test_assert_each_passwd_with_name PASSED
ent_test.py::test_assert_each_passwd_with_uid PASSED
ent_test.py::test_assert_passwd PASSED
ent_test.py::test_group_member_matching PASSED
ent_test.py::test_assert_group_by_name PASSED
ent_test.py::test_assert_group_by_gid PASSED
ent_test.py::test_assert_group_list PASSED
ent_test.py::test_assert_each_group_by_name PASSED
ent_test.py::test_assert_each_group_by_gid PASSED
ent_test.py::test_assert_each_group_with_name PASSED
ent_test.py::test_assert_each_group_with_gid PASSED
ent_test.py::test_assert_group PASSED
ldap_local_override_test.py::test_simple_user_override PASSED
ldap_local_override_test.py::test_root_user_override PASSED
ldap_local_override_test.py::test_replace_user_override PASSED
ldap_local_override_test.py::test_remove_user_override PASSED
ldap_local_override_test.py::test_imp_exp_user_override PASSED
ldap_local_override_test.py::test_show_user_override PASSED
ldap_local_override_test.py::test_find_user_override PASSED
ldap_local_override_test.py::test_simple_group_override PASSED
ldap_local_override_test.py::test_root_group_override PASSED
ldap_local_override_test.py::test_replace_group_override PASSED
ldap_local_override_test.py::test_remove_group_override PASSED
ldap_local_override_test.py::test_imp_exp_group_override PASSED
ldap_local_override_test.py::test_regr_2802_override PASSED
ldap_local_override_test.py::test_regr_2757_override PASSED
ldap_local_override_test.py::test_regr_2790_override PASSED
ldap_test.py::test_regression_ticket2163 PASSED
ldap_test.py::test_sanity_rfc2307 PASSED
ldap_test.py::test_sanity_rfc2307_bis PASSED
ldap_test.py::test_refresh_after_cleanup_task PASSED
ldap_test.py::test_add_remove_user PASSED
ldap_test.py::test_add_remove_group_rfc2307 PASSED
ldap_test.py::test_add_remove_group_rfc2307_bis PASSED
ldap_test.py::test_add_remove_membership_rfc2307 PASSED
ldap_test.py::test_add_remove_membership_rfc2307_bis PASSED
ldap_test.py::test_override_homedir PASSED
ldap_test.py::test_fallback_homedir PASSED
ldap_test.py::test_override_shell PASSED
ldap_test.py::test_shell_fallback PASSED
ldap_test.py::test_default_shell PASSED
ldap_test.py::test_vetoed_shells PASSED
test_local_domain.py::test_wrong_LC_ALL PASSED
test_memory_cache.py::test_getpwnam PASSED
test_memory_cache.py::test_getpwnam_with_mc PASSED
test_memory_cache.py::test_getgrnam_simple PASSED
test_memory_cache.py::test_getgrnam_simple_with_mc PASSED
test_memory_cache.py::test_getgrnam_membership PASSED
test_memory_cache.py::test_getgrnam_membership_with_mc PASSED
test_memory_cache.py::test_initgroups PASSED
test_memory_cache.py::test_initgroups_with_mc PASSED
test_memory_cache.py::test_initgroups_fqname_with_mc PASSED
test_memory_cache.py::test_initgroups_case_insensitive_with_mc1 PASSED
test_memory_cache.py::test_initgroups_case_insensitive_with_mc2 PASSED
test_memory_cache.py::test_initgroups_case_insensitive_with_mc3 PASSED
test_memory_cache.py::test_invalidation_of_gids_after_initgroups PASSED
test_memory_cache.py::test_initgroups_without_change_in_membership PASSED
test_memory_cache.py::test_invalidate_user_before_stop PASSED
test_memory_cache.py::test_invalidate_user_after_stop PASSED
test_memory_cache.py::test_invalidate_users_before_stop PASSED
test_memory_cache.py::test_invalidate_users_after_stop PASSED
test_memory_cache.py::test_invalidate_group_before_stop PASSED
test_memory_cache.py::test_invalidate_group_after_stop PASSED
test_memory_cache.py::test_invalidate_groups_before_stop PASSED
test_memory_cache.py::test_invalidate_groups_after_stop PASSED
test_memory_cache.py::test_invalidate_everything_before_stop PASSED
test_memory_cache.py::test_invalidate_everything_after_stop PASSED
test_memory_cache.py::test_removed_mc PASSED

========================================================================== 73 passed in 206.11 seconds ===========================================================================
rm -f /tmp/sssd-intg.icQ2aGpF/var/log/sssd/*
make[1]: Leaving directory '/root/sssd.git/x86_64/intg/bld/src/tests/intg'
[root@sssd1 x86_64]# cat /etc/fedora-release
Fedora release 23 (Twenty Three)


On 2/29/16 3:18 AM, Jakub Hrozek wrote:
On Sun, Feb 28, 2016 at 08:19:57PM -0500, Dan Lavu wrote:
I've made most of the suggested changes but I'm going to take some time
and get the test running on Debian as well (Mostly to find out if /etc/pki
is a Red Hat thing or not). Fedora and Debian are the only distros we are
testing/supporting against correct?
Yes, we support RHEL >= 6, Fedora (all supported versions) and Debian
Testing.

Also wondering if the ci setup issue I'm
seeing applies to apt.

Dan


On 2/26/16 5:53 AM, Jakub Hrozek wrote:
On Thu, Feb 25, 2016 at 05:18:09PM -0500, Dan Lavu wrote:
Here is a patch for https://fedorahosted.org/sssd/ticket/2820

First real patch... criticisms of what I need to improve on are welcome,
including concepts that I should learn, thanks.
Thanks a lot for the patch!

See my comments inline:

 From 529adb3e0d763a8ee9ba9b4c5b13f933d723e8de Mon Sep 17 00:00:00 2001
From: Dan Lavu <dl...@redhat.com>
Date: Fri, 5 Feb 2016 08:51:07 -0500
Subject: [PATCH] Adding SSL encryption to integration tests.

---
  src/tests/intg/ca.py          | 166 ++++++++++++++++++++++++++++++++++++++++++
  src/tests/intg/ds_openldap.py |  14 ++++
  2 files changed, 180 insertions(+)
  create mode 100644 src/tests/intg/ca.py

diff --git a/src/tests/intg/ca.py b/src/tests/intg/ca.py
new file mode 100644
index 
0000000000000000000000000000000000000000..a44a92e5d5053338dabd7d8d82d2b1d50ec7594e
--- /dev/null
+++ b/src/tests/intg/ca.py
@@ -0,0 +1,166 @@
+#
+# SSSD LOCAL domain tests
+#
+# Copyright (c) 2016 Red Hat, Inc.
+# Author: Dan Lavu <d...@redhat.com>
+#
+# This is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+from OpenSSL import crypto
+from os.path import exists, join
+
+import socket
+import os
+import fnmatch
+
+
+class CA:
It would be nice to use the new-style classes, so class CA(object)

+    """CA Class"""
+
+    def __init__(self, subject=None, country=None, state=None,
+                 city=None, organization=None, unit=None, config_dir=None):
+        if subject is None:
+            self.subject = socket.gethostname()
+        if country is None:
+            self.country = 'US'
+        if state is None:
+            self.state = 'NC'
+        if city is None:
+            self.city = 'Raleigh'
+        if organization is None:
+            self.organization = 'Red Hat'
+        if unit is None:
+            self.unit = 'SSSD'
+        if config_dir is None:
+            self.config_dir = '/etc/pki'
/etc/pki is not writable unless you're root. We should store the certs
in another directory writable by any user. Maybe this is something
Nikolai (CC) could help us with, I know we use fakeroot to set up the
directory structure, but I'm fuzzy on the details, so I don't know
myself which part of the tests we should exactly touch..

Also, does the /etc/pki path exists on Debian and other distributions or
is it Red Hat-centric?

When we have this done, hopefully we can remove the use of
'ldap_auth_disable_tls_never_use_in_production' from our tests?


+
+        self.hostname = socket.gethostname()
This is maybe something to fix in a later iteration of the patch, but I
wonder if it was useful to override the hostname to something else than
what gethostname() reports. Not sure at the moment..

+        self.csr_dir = self.config_dir + '/CA/newcerts'
+        self.key_dir = self.config_dir + '/tls/private'
+        self.cert_dir = self.config_dir + '/tls/certs'
+
+        self.index = int(1000)
+
+
+    def setup(self):
+        """Setup CA using OpenSSL"""
+        cacert = socket.gethostname() + '-ca.crt'
+        cakey = socket.gethostname() + '-ca.key'
Instead of using socket.gethostname(), maybe using self.hostname would
be better here (and elsewhere) ?

+
+        if not exists(join(self.cert_dir, cacert)) or not 
exists(join(self.key_dir, cakey)):
+            key = crypto.PKey()
+            key.generate_key(crypto.TYPE_RSA, 2048)
+
+            ca = crypto.X509()
+            ca.get_subject().C = self.country
+            ca.get_subject().ST = self.state
+            ca.get_subject().L = self.city
+            ca.get_subject().O = self.organization
+            ca.get_subject().OU = self.unit
+            ca.get_subject().CN = self.subject
+            ca.set_serial_number(self.index)
+            ca.gmtime_adj_notBefore(0)
+            ca.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60)
+            ca.set_issuer(ca.get_subject())
+            ca.set_pubkey(key)
+            ca.sign(key, 'sha1')

>From c4fa0355be7688a3c814a108335a3ff91f4708fd Mon Sep 17 00:00:00 2001
From: Dan Lavu <dl...@redhat.com>
Date: Fri, 5 Feb 2016 08:51:07 -0500
Subject: [PATCH] Adding SSL encryption to integration tests.

---
 src/tests/intg/ca.py          | 163 ++++++++++++++++++++++++++++++++++++++++++
 src/tests/intg/config.py.m4   |   1 +
 src/tests/intg/ds_openldap.py |  19 ++++-
 3 files changed, 182 insertions(+), 1 deletion(-)
 create mode 100644 src/tests/intg/ca.py

diff --git a/src/tests/intg/ca.py b/src/tests/intg/ca.py
new file mode 100644
index 
0000000000000000000000000000000000000000..c7adb7a2f0c2ea7f342c9df1d6ad41dcb2fcc28e
--- /dev/null
+++ b/src/tests/intg/ca.py
@@ -0,0 +1,163 @@
+#
+# SSSD LOCAL domain tests
+#
+# Copyright (c) 2016 Red Hat, Inc.
+# Author: Dan Lavu <d...@redhat.com>
+#
+# This is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+from OpenSSL import crypto
+from os.path import exists, join
+
+import socket
+import os
+import shutil
+import config
+
+
+class CA():
+    """CA Class"""
+
+    def __init__(self, subject=None, country='US', state='NC',
+                 city='Raleigh', organization='Red Hat Inc.', unit='SSSD', 
config_dir=config.SSL_PATH):
+        if subject is None:
+            self.subject = socket.gethostname()
+        self.country = country
+        self.state = state
+        self.city = city
+        self.organization = organization
+        self.unit = unit
+        self.hostname = socket.gethostname()
+        if config.SSL_PATH is not '/tmp':
+            self.config_dir = config_dir
+        else:
+            self.config_dir = config_dir + '/ssl'
+        self.csr_dir = self.config_dir + '/newcerts'
+        self.key_dir = self.config_dir + '/private'
+        self.cert_dir = self.config_dir + '/certs'
+
+        self.index = int(1000)
+
+
+    def setup(self):
+        """Setup CA using OpenSSL"""
+        cacert = self.hostname + '-ca.crt'
+        cakey = self.hostname + '-ca.key'
+
+        if not exists(join(self.cert_dir, cacert)) or not 
exists(join(self.key_dir, cakey)):
+            key = crypto.PKey()
+            key.generate_key(crypto.TYPE_RSA, 2048)
+
+            ca = crypto.X509()
+            ca.get_subject().C = self.country
+            ca.get_subject().ST = self.state
+            ca.get_subject().L = self.city
+            ca.get_subject().O = self.organization
+            ca.get_subject().OU = self.unit
+            ca.get_subject().CN = self.subject
+            ca.set_serial_number(self.index)
+            ca.gmtime_adj_notBefore(0)
+            ca.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60)
+            ca.set_issuer(ca.get_subject())
+            ca.set_pubkey(key)
+            ca.sign(key, 'sha1')
+
+            if not os.path.exists(self.csr_dir):
+                os.makedirs(self.csr_dir)
+            if not os.path.exists(self.key_dir):
+                os.makedirs(self.key_dir)
+            if not os.path.exists(self.cert_dir):
+                os.makedirs(self.cert_dir)
+
+            open(os.path.join(self.cert_dir, cacert), 'wt').write \
+                (crypto.dump_certificate(crypto.FILETYPE_PEM, ca))
+            open(os.path.join(self.key_dir, cakey), 'wt').write \
+                (crypto.dump_privatekey(crypto.FILETYPE_PEM, key))
+
+
+    def teardown(self):
+        """Teardown CA certificate files"""
+        if os.path.exists(self.config_dir) and not '/tmp':
+            shutil.rmtree(self.config_dir)
+
+
+    def get_ca(self):
+        """Returns CA certificate in ASCII PEM encoding"""
+        ca = crypto.load_certificate(crypto.FILETYPE_PEM, open\
+                    (os.path.join(self.cert_dir, socket.gethostname() + 
'-ca.crt'), 'rt').read())
+        ca_crt = crypto.dump_certificate(crypto.FILETYPE_PEM, ca)
+
+        return ca_crt
+
+
+    def get_cert(self, csr, text=False):
+        """Retrieves certificate
+        required: csr -csr_type
+        optional: text
+            False - will return a pem object type (Default)
+            True - will return the certificate as ASCII
+        """
+        cacert = self.hostname + '-ca.crt'
+        cakey = self.hostname + '-ca.key'
+        ca_crt = crypto.load_certificate(crypto.FILETYPE_PEM, 
open(os.path.join(self.cert_dir, cacert), 'rt').read())
+        ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, 
open(os.path.join(self.key_dir, cakey), 'rt').read())
+
+        cert = crypto.X509()
+        cert.set_subject(csr.get_subject())
+        cert.set_serial_number(self.index+1)
+        cert.gmtime_adj_notBefore(0)
+        cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60)
+        cert.set_issuer(ca_crt.get_subject())
+        cert.set_pubkey(csr.get_pubkey())
+        cert.sign(ca_key, 'sha1')
+
+        open(os.path.join(self.cert_dir, socket.gethostname() + '.crt'), 'wt')\
+            .write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
+        server_crt = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
+
+        if text is True:
+            return server_crt
+        else:
+            return cert
+
+
+    def request_cert(self, fqdn=None, text=False):
+        """Generates CSR
+        optional: fqdn, socket.gethostname() (Default)
+        optional: text
+            False - will return a pem object type (Default)
+            True - will return the certificate as ASCII
+        """
+        if fqdn is None:
+            fqdn = socket.getfqdn()
+
+        hostname = socket.gethostname()
+        key = crypto.PKey()
+        key.generate_key(crypto.TYPE_RSA, 2048)
+        csr = crypto.X509Req()
+        csr.get_subject().CN = fqdn
+        csr.set_pubkey(key)
+        csr.sign(key, 'sha1')
+
+        open(os.path.join(self.key_dir, hostname + '.key'), 'wt').\
+            write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key))
+        open(os.path.join(self.csr_dir, hostname + '.csr'), 'wt').\
+            write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, csr))
+
+        server_csr = crypto.dump_certificate_request(crypto.FILETYPE_PEM, csr)
+
+        if text is True:
+            return server_csr
+        else:
+            return csr
\ No newline at end of file
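Review bot: The CA and server private keys are written under a fixed /tmp path with the process umask and are never cleaned up. `setup()` and `request_cert()` write them with `open(..., 'wt').write(...)`, so with a permissive umask the key files are readable by other local users and a symlink already present at that name would be followed; `teardown()` tests `os.path.exists(self.config_dir) and not '/tmp'`, and `not '/tmp'` is always False, so `shutil.rmtree` never runs. The same slip appears in `__init__`, where `config.SSL_PATH is not '/tmp'` compares identity rather than value. I would create the directories with mode 0700, write key files through `os.open` with mode 0600, and compare the directory by value in `teardown()`, as sketched below. Separately, the three `sign(..., 'sha1')` calls could use `'sha256'`, since SHA-1 signatures are rejected by current TLS libraries.

```python
def _write_private(path, data):
    """Create *path* with mode 0600 and refuse to follow a symlink."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, 'wb') as f:
        f.write(data)

    # ... unchanged: CA.__init__ and the certificate construction in setup() ...
            for d in (self.csr_dir, self.key_dir, self.cert_dir):
                if not os.path.exists(d):
                    os.makedirs(d, 0o700)
            # ... unchanged: CA certificate write ...
            _write_private(os.path.join(self.key_dir, cakey),
                           crypto.dump_privatekey(crypto.FILETYPE_PEM, key))

    def teardown(self):
        """Teardown CA certificate files"""
        if self.config_dir != '/tmp' and os.path.exists(self.config_dir):
            shutil.rmtree(self.config_dir)
```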
diff --git a/src/tests/intg/config.py.m4 b/src/tests/intg/config.py.m4
index 
563127c6ea895508308a4f94689cc4e26ca4cbde..141813fa7a7a5bc9c06e48dfc938885f4eb1d539
 100644
--- a/src/tests/intg/config.py.m4
+++ b/src/tests/intg/config.py.m4
@@ -11,3 +11,4 @@ PID_PATH            = "pidpath"
 PIDFILE_PATH        = PID_PATH + "/sssd.pid"
 LOG_PATH            = "logpath"
 MCACHE_PATH         = "mcpath"
+SSL_PATH            = "/tmp/ssl"
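Review bot: `SSL_PATH` is the only path in this file given as a literal; the neighbouring entries (`PID_PATH = "pidpath"`, `LOG_PATH = "logpath"`, `MCACHE_PATH = "mcpath"`) look like m4 placeholders filled in at build time. A fixed `/tmp/ssl` is shared by every run and every user on the machine, so concurrent test runs would reuse or overwrite each other's CA key, and the directory can be pre-created by another local user. The test logs in this thread show a per-run prefix such as `/tmp/sssd-intg.icQ2aGpF`; deriving the TLS directory from that prefix, for example `SSL_PATH = "sslpath"` with a matching m4 definition, would keep the keys inside the run's own tree. The m4 definitions are outside this hunk, so the placeholder name is only a suggestion to confirm.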
diff --git a/src/tests/intg/ds_openldap.py b/src/tests/intg/ds_openldap.py
index 
fb230a081b58bd4e135585daa5a6ddf8f494861c..dbbbfea660d3c4e0f7c7546663cc8560522ffa37
 100644
--- a/src/tests/intg/ds_openldap.py
+++ b/src/tests/intg/ds_openldap.py
@@ -27,8 +27,10 @@ import errno
 import signal
 import shutil
 import sys
+import socket
 from util import *
 from ds import DS
+from ca import CA
 
 
 def hash_password(password):
@@ -39,7 +41,7 @@ def hash_password(password):
     return "{SSHA}" + base64.standard_b64encode(hash.digest() + salt)
 
 
-class DSOpenLDAP(DS):
+class DSOpenLDAP(DS, CA):
     """OpenLDAP directory server instance."""
 
     def __init__(self, dir, port, base_dn, admin_rdn, admin_pw):
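Review bot: Adding `CA` as a base class of `DSOpenLDAP` looks unnecessary, since the following hunks create `self.ca_inst = CA()` and only call the CA through that attribute. With the extra base, `CA.setup`, `CA.teardown` and the other CA methods join DSOpenLDAP's method resolution order without `CA.__init__` necessarily having run (the rest of `__init__` is outside this hunk), so any call that falls through to them would hit unset attributes. I would keep `class DSOpenLDAP(DS):` and rely on composition alone.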
@@ -60,6 +62,9 @@ class DSOpenLDAP(DS):
         self.conf_dir = self.dir + "/etc/ldap"
         self.conf_slapd_d_dir = self.conf_dir + "/slapd.d"
         self.data_dir = self.dir + "/var/lib/ldap"
+        self.ca_inst = CA()
+
+
 
     def _setup_config(self):
         """Setup the instance initial configuration."""
@@ -73,6 +78,13 @@ class DSOpenLDAP(DS):
         uid = os.geteuid()
         gid = os.getegid()
 
+        self.ca_inst.setup()
+        self.ca_inst.get_cert(self.ca_inst.request_cert())
+        fqdn = socket.gethostname()
+        cert = os.path.join(self.ca_inst.cert_dir, fqdn + '.crt')
+        ca_cert = os.path.join(self.ca_inst.cert_dir, fqdn + '-ca.crt')
+        key = os.path.join(self.ca_inst.key_dir, fqdn + '.key')
+
         #
         # Add configuration
         #
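Review bot: The local `fqdn` holds `socket.gethostname()`, the short name used for the file names, while `request_cert()` called without arguments puts `socket.getfqdn()` into the certificate CN. The two can differ, and the name the test client uses in its LDAP URL has to match the CN for hostname verification to pass; that URL is not visible in this hunk. I would rename the local to `hostname` and pass the intended server name explicitly, e.g. `self.ca_inst.request_cert(fqdn=<name the client connects to>)`. `_setup_config` continues outside the hunk.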
@@ -82,6 +94,9 @@ class DSOpenLDAP(DS):
             cn: config
             olcPidFile: {self.pid_path}
             olcArgsFile: {args_file}
+            olcTLSCertificateKeyFile: {key}
+            olcTLSCertificateFile: {cert}
+            olcTLSCACertificatePath: {ca_cert}
             # Read slapd.conf(5) for possible values
             olcLogLevel: none
 
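Review bot: `olcTLSCACertificatePath` is given `{ca_cert}`, which the previous hunk builds as the path of a single file (`fqdn + '-ca.crt'`), but that attribute names a directory of CA certificates; the attribute for a single PEM file is `olcTLSCACertificateFile`. I would change the line to `olcTLSCACertificateFile: {ca_cert}`. The template string and its formatting call start and end outside this hunk, so this assumes `key`, `cert` and `ca_cert` are substituted the same way as `args_file`.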
@@ -282,3 +297,5 @@ class DSOpenLDAP(DS):
 
         for path in (self.conf_slapd_d_dir, self.run_dir, self.data_dir):
             shutil.rmtree(path, True)
+
+        self.ca_inst.teardown()
-- 
1.8.3.1
