|
1 |
| -#!/usr/bin/env sh |
2 |
| -set -e |
3 |
| -set -x |
4 |
| - |
5 |
| -BASE_PATH=$( cd "`dirname $0`/../test/fixtures/openldap" && pwd ) |
6 |
| -SEED_PATH=$( cd "`dirname $0`/../test/fixtures" && pwd ) |
7 |
| - |
8 |
| -dpkg -s slapd time ldap-utils gnutls-bin ssl-cert > /dev/null ||\ |
9 |
| - DEBIAN_FRONTEND=noninteractive apt-get update -y --force-yes && \ |
10 |
| - DEBIAN_FRONTEND=noninteractive apt-get install -y --force-yes slapd time ldap-utils gnutls-bin ssl-cert |
11 |
| - |
12 |
| -/etc/init.d/slapd stop |
13 |
| - |
14 |
| -TMPDIR=$(mktemp -d) |
15 |
| -cd $TMPDIR |
16 |
| - |
17 |
| -# Delete data and reconfigure. |
18 |
| -cp -v /var/lib/ldap/DB_CONFIG ./DB_CONFIG |
19 |
| -rm -rf /etc/ldap/slapd.d/* |
20 |
| -rm -rf /var/lib/ldap/* |
21 |
| -cp -v ./DB_CONFIG /var/lib/ldap/DB_CONFIG |
22 |
| -slapadd -F /etc/ldap/slapd.d -b "cn=config" -l $BASE_PATH/slapd.conf.ldif |
23 |
| -# Load memberof and ref-int overlays and configure them. |
24 |
| -slapadd -F /etc/ldap/slapd.d -b "cn=config" -l $BASE_PATH/memberof.ldif |
25 |
| -# Load retcode overlay and configure |
26 |
| -slapadd -F /etc/ldap/slapd.d -b "cn=config" -l $BASE_PATH/retcode.ldif |
27 |
| - |
28 |
| -# Add base domain. |
29 |
| -slapadd -F /etc/ldap/slapd.d <<EOM |
30 |
| -dn: dc=rubyldap,dc=com |
31 |
| -objectClass: top |
32 |
| -objectClass: domain |
33 |
| -dc: rubyldap |
34 |
| -EOM |
35 |
| - |
36 |
| -chown -R openldap.openldap /etc/ldap/slapd.d |
37 |
| -chown -R openldap.openldap /var/lib/ldap |
38 |
| - |
39 |
| -/etc/init.d/slapd start |
40 |
| - |
41 |
| -# Import seed data. |
42 |
| -# NOTE: use ldapadd in order for memberOf and refint to apply, instead of: |
43 |
| -# cat $SEED_PATH/seed.ldif | slapadd -F /etc/ldap/slapd.d |
44 |
| -/usr/bin/time ldapadd -x -D "cn=admin,dc=rubyldap,dc=com" -w passworD1 \ |
45 |
| - -h localhost -p 389 \ |
46 |
| - -f $SEED_PATH/seed.ldif |
47 |
| - |
48 |
| -rm -rf $TMPDIR |
49 |
| - |
50 |
| -# SSL |
51 |
| -export CA_CERT="/usr/local/share/ca-certificates/rubyldap-ca.crt" |
52 |
| -export CA_KEY="/etc/ssl/private/rubyldap-ca.key" |
53 |
| - |
54 |
| -# The self-signed fixture CA cert & key are generated by |
55 |
| -# `script/generate-fiuxture-ca` and checked into version control. |
56 |
| -# You shouldn't need to muck with these unless you're writing more |
57 |
| -# TLS/SSL integration tests, and need special magic values in the cert. |
58 |
| - |
59 |
| -cp "${SEED_PATH}/ca/cacert.pem" "${CA_CERT}" |
60 |
| -cp "${SEED_PATH}/ca/cakey.pem" "${CA_KEY}" |
61 |
| - |
62 |
| -# actually add the fixture CA to the system store |
63 |
| -update-ca-certificates |
64 |
| - |
65 |
| -# Make a private key for the server: |
66 |
| -certtool --generate-privkey \ |
67 |
| - --bits 1024 \ |
68 |
| - --outfile /etc/ssl/private/ldap01_slapd_key.pem |
69 |
| - |
70 |
| -sh -c "cat > /etc/ssl/ldap01.info <<EOF |
71 |
| -organization = Example Company |
72 |
| -cn = ldap01.example.com |
73 |
| -dns_name = ldap01.example.com |
74 |
| -dns_name = ldap02.example.com |
75 |
| -dns_name = localhost |
76 |
| -tls_www_server |
77 |
| -encryption_key |
78 |
| -signing_key |
79 |
| -expiration_days = 3650 |
80 |
| -EOF" |
81 |
| - |
82 |
| -# The integration server may be accessed by IP address, in which case |
83 |
| -# we want some of the IPs included in the cert. We skip loopback (127.0.0.1) |
84 |
| -# because that's the IP we use in the integration test for cert name mismatches. |
85 |
| -ADDRS=$(ifconfig -a | grep 'inet addr:' | cut -f 2 -d : | cut -f 1 -d ' ') |
86 |
| -for ip in $ADDRS; do |
87 |
| - if [ "x$ip" = 'x127.0.0.1' ]; then continue; fi |
88 |
| - echo "ip_address = $ip" >> /etc/ssl/ldap01.info |
89 |
| -done |
90 |
| - |
91 |
| -# Create the server certificate |
92 |
| -certtool --generate-certificate \ |
93 |
| - --load-privkey /etc/ssl/private/ldap01_slapd_key.pem \ |
94 |
| - --load-ca-certificate "${CA_CERT}" \ |
95 |
| - --load-ca-privkey "${CA_KEY}" \ |
96 |
| - --template /etc/ssl/ldap01.info \ |
97 |
| - --outfile /etc/ssl/certs/ldap01_slapd_cert.pem |
98 |
| - |
99 |
| -ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF | true |
100 |
| -dn: cn=config |
101 |
| -add: olcTLSCACertificateFile |
102 |
| -olcTLSCACertificateFile: ${CA_CERT} |
103 |
| -- |
104 |
| -add: olcTLSCertificateFile |
105 |
| -olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem |
106 |
| -- |
107 |
| -add: olcTLSCertificateKeyFile |
108 |
| -olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem |
109 |
| -EOF |
110 |
| - |
111 |
| -# LDAP over TLS/SSL (ldaps://) is deprecated in favour of StartTLS. The latter |
112 |
| -# refers to an existing LDAP session (listening on TCP port 389) becoming |
113 |
| -# protected by TLS/SSL whereas LDAPS, like HTTPS, is a distinct |
114 |
| -# encrypted-from-the-start protocol that operates over TCP port 636. But we |
115 |
| -# enable it for testing here. |
116 |
| -sed -i -e 's|^SLAPD_SERVICES="\(.*\)"|SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"|' /etc/default/slapd |
117 |
| - |
118 |
| -adduser openldap ssl-cert |
119 |
| -chgrp ssl-cert /etc/ssl/private/ldap01_slapd_key.pem |
120 |
| -chmod g+r /etc/ssl/private/ldap01_slapd_key.pem |
121 |
| -chmod o-r /etc/ssl/private/ldap01_slapd_key.pem |
122 |
| - |
123 |
| -# Drop packets on a secondary port used to specific timeout tests |
124 |
| -iptables -A INPUT -p tcp -j DROP --dport 8389 |
125 |
| - |
126 |
| -# Forward a port for Vagrant |
127 |
| -iptables -t nat -A PREROUTING -p tcp --dport 9389 -j REDIRECT --to-port 389 |
128 |
| - |
129 |
| -# fix up /etc/hosts for cert validation |
130 |
| -grep ldap01 /etc/hosts || echo "127.0.0.1 ldap01.example.com" >> /etc/hosts |
131 |
| -grep ldap02 /etc/hosts || echo "127.0.0.1 ldap02.example.com" >> /etc/hosts |
132 |
| -grep bogus /etc/hosts || echo "127.0.0.1 bogus.example.com" >> /etc/hosts |
133 |
| - |
134 |
| -service slapd restart |
0 commit comments