[[Category:Test Days]]
[[Category:QA Templates]]

{|border="1"
|-style="color: white; background-color: #3074c2; font-weight: bold"
|-
| openldap-clients
| omoris
| {{result|pass}}
|-
| openldap-servers
| omoris
| {{result|pass}}
|-
| am-utils
|-
| autofs
| jvcelak
| {{result|pass}}
|-
| krb5-workstation
| nss_ldap
| omoris
| {{result|pass}}
|-
| nss-pam-ldapd
| omoris
| {{result|pass}}
|-
| openssh
| mvadkert
| {{result|pass}}
|-
| pam_ldap
| omoris
| {{result|pass}}
|-
| python-ldap
| jvcelak
| {{result|pass}}
|-
| ruby-ldap
| alich
| {{result|pass}}
|-
| sssd
| shanks
| {{result|pass}}
|-
| sudo
| alich
| {{result|pass}}
|-
| libuser
| mvadkert
| {{result|pass}}
|-
| nfs-utils-lib
|-
| quota
| mvadkert
| {{result|pass}}
|-
|}
|-
| curl
| ksrot
| {{result|pass}}
|-
| dhcp
|-
| php
| jgorig
| {{result|pass}}
|-
| postgresql
|-
| proftpd
| jgorig
| {{result|pass}}
|-
| pure-ftpd
{{admon/note|You can use your server|You don't have to use our testing servers. Feel free to configure your own; we provide a [[#OpenLDAP_server_2|nice step-by-step guide]].}}

{{admon/warning|Test OpenLDAP with MozNSS primarily|Please use mainly openldap03. The other servers are only for reference, to reveal possible behavior changes.}}

{{admon/caution|Test Day is over|The servers are no longer available.}}
| {| | | {| |
Line 504: |
Line 505: |
| | openldap02.fedoraproject.org || 389 Directory Server || 389-ds-base-1.2.7.a1 || dc=example,dc=com | | | openldap02.fedoraproject.org || 389 Directory Server || 389-ds-base-1.2.7.a1 || dc=example,dc=com |
| |- | | |- |
| | '''openldap03.fedoraproject.org''' || OpenLDAP + MozNSS || openldap-servers-2.4.22-7.fc14.x86_64 || dc=gold,dc=testday | | | openldap03.fedoraproject.org || OpenLDAP + MozNSS || openldap-servers-2.4.22-7.fc14.x86_64 || dc=gold,dc=testday |
| |} | | |} |
|
| |
|
| Download [http://jvcelak.fedorapeople.org/testday-101014/cacert.pem OpenLDAP Testday CA certificate] (PEM format). Certificates of testing servers are signed by this CA. | | Download [http://jvcelak.fedorapeople.org/testday-101014/cacert.pem OpenLDAP Testday CA certificate] (PEM format). Certificates of testing servers are signed by this CA. |
==== Accessing our servers ====

* You can use anonymous bind for '''read only''' access.
* For '''read-write''' access use the bind name ''cn=Tester,dc=silver,dc=testday'' and the password ''openldap''. The subtree ''ou=free,dc=base,dc=testday'' is ready for your experiments. Please create an organizational unit with your name under it so that you do not conflict with other testers. (Don't forget to replace dc=silver with the correct value for the other servers.)

(read-write access is now set up for openldap02 - use the cn=Tester user)
== How to test? ==

#* olcRootDN: cn=Manager,dc=copper,dc=testday
#* olcRootPW: <admin-user-password-hash>
# update /etc/openldap/slapd.d/cn=config/olcDatabase={2}monitor.ldif
#* olcAccess: {0}to * by dn.base="cn=manager,dc=copper,dc=testday" read by * none
# start your server: <code>service slapd start</code>
# try your server's functionality
#* download the example [http://jvcelak.fedorapeople.org/testday-101014/root_copper.ldif root DN nodes] (LDIF)
#* update the DNs in that file
#* import that file into the database: <br/><code>ldapadd -H ldap://localhost -x -D "cn=Manager,dc=copper,dc=testday" -W -f root.ldif</code>
# install the BDB configuration file
#* <code>cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG</code>
# restart your server: <code>service slapd restart</code>
# '''your server is now configured and running without TLS'''
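As an added example (not part of the test day page or of OpenLDAP), a small Python checker for the olcAccess values edited in the steps above: it flags an access level slapd does not know (a typo there makes the config fail to load) and a catch-all clause that would open the monitor database to unauthenticated clients. The function names and the simplified ACL grammar are my own assumptions.

```python
"""Lint olcAccess values from slapd's cn=config LDIF (added example).

Assumption: a simplified grammar. Control keywords after the access level
(stop/continue/break) are ignored and "=rsc"-style privilege specs are
accepted but not ranked against the named levels.
"""
import re

# slapd access levels, weakest to strongest.
ACCESS_LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
PRIV_SPEC = re.compile(r"^[=+-][mwrscxd0]+$")
# One token: unquoted characters or a quoted string, so a DN with spaces stays together.
TOKEN = r'((?:[^\s"]|"[^"]*")+)'
DIRECTIVE = re.compile(r"^(?:olcAccess:\s*)?(?:\{(\d+)\})?\s*to\s+" + TOKEN + r"\s*(.*)$")
BY_CLAUSE = re.compile(r"\bby\s+" + TOKEN + r"\s+(\S+)")


def parse_olc_access(value):
    """Return (index, what, [(who, access), ...]) for one olcAccess value."""
    m = DIRECTIVE.match(value.strip())
    if not m:
        raise ValueError("not an olcAccess directive: %r" % value)
    index = int(m.group(1)) if m.group(1) is not None else None
    return index, m.group(2), BY_CLAUSE.findall(m.group(3))


def lint_olc_access(value):
    """Return a list of problem strings for one olcAccess value (empty list means fine)."""
    problems = []
    _index, what, clauses = parse_olc_access(value)
    if not clauses:
        return ["no 'by' clause: slapd denies all access to %s" % what]
    for who, access in clauses:
        if access not in ACCESS_LEVELS and not PRIV_SPEC.match(access):
            problems.append("unknown access level %r in 'by %s': slapd rejects the config" % (access, who))
        elif who in ("*", "anonymous") and ACCESS_LEVELS.index(access) >= ACCESS_LEVELS.index("read"):
            # '*' and 'anonymous' both include clients that never authenticated.
            problems.append("'by %s %s' exposes %s to unauthenticated clients" % (who, access, what))
    return problems


# Constructed samples: the monitor ACL from the steps above, the same line with a
# typo in the last clause, and a variant that opens the monitor database to everyone.
SAMPLES = [
    'olcAccess: {0}to * by dn.base="cn=manager,dc=copper,dc=testday" read by * none',
    'olcAccess: {0}to * by dn.base="cn=manager,dc=copper,dc=testday" read by * non',
    'olcAccess: {0}to * by * read',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample)
        for problem in lint_olc_access(sample) or ["ok"]:
            print("   ", problem)
```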
=== Generating certificates ===

===== Use your own CA =====

There are several possibilities. The easiest is to install the '''TinyCA''' GUI, which handles everything you need. You do not have to perform this task on your testing system.
# configure your server and any clients to use/accept your CA
===== Use our public sub CA with TinyCA =====

You can also test certificates generated by sub CAs, and client certificate authorization.

# download the [http://jvcelak.fedorapeople.org/testday-101014/testday-public-ca.tar.gz public testday sub CA]
# move the file into <code>~/.TinyCA</code>
# extract the file: <code>tar xf testday-public-ca.tar.gz</code>
# the CA is ready; use it in TinyCA<br />The CA password is ''openldap''
# you have to add this CA certificate to the server:
## append it to the file named by your olcTLSCACertificateFile (the file itself, not the option in the config)
## or use olcTLSCACertificatePath instead of olcTLSCACertificateFile

===== Other ways =====

* [http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html OpenLDAP TLS guide] (can be used as well)
== Test Results ==
* bug #123456 was filed
* bug #123457 was filed

'''[omoris] Tested program: openldap-servers-2.4.22-7.fc14.i686 openldap-clients-2.4.22-7.fc14.i686'''
* executed upstream self-test included in source rpm
* all passed

'''[ksrot] Tested program: curl-7.21.0-5.fc14.x86_64'''
* tried to query the LDAP database using the following commands:
<pre>
curl 'ldap://openldap03.fedoraproject.org/dc=gold,dc=testday??sub'
curl --cacert /etc/testday/cacert.pem 'ldaps://openldap03.fedoraproject.org/dc=gold,dc=testday??sub'
curl 'ldap://openldap01.fedoraproject.org/dc=silver,dc=testday??sub'
curl --cacert /etc/testday/cacert.pem 'ldaps://openldap01.fedoraproject.org/dc=silver,dc=testday??sub'
</pre>
* output looked fine

'''[jvcelak] Tested program: openldap-2.4.23-1.fc15.x86_64 openldap-2.4.21-10.fc13.x86_64'''
* reported bug #641946 (slapd init script gets stuck in an infinite loop)
* OK: CA signed certificates (now used on silver and bronze)
* OK: sub-CA signed certificates (now used on gold)
* OK: referral chasing with TLS (tested including loops)
* OK: LDAP backend with TLS, works as a proxy (tested including loops)
* OK: self-signed certificates
* OK: delta-syncrepl with TLS
** verification with OpenSSL fails when connecting to localhost (host name doesn't match)
** verification with MozNSS works well when connecting to localhost or hostname
** verification with MozNSS fails when using certificate and hostname doesn't match
* MozNSS error messages often lack an explanation (like -8172 Unknown error)

'''[mvadkert] Tested program: openssh-5.5p1-21.fc14.2.x86_64'''
* omoris and jvcelak added openssh.scheme and a test user
* tested with ssh-ldap-helper
<pre>
[root@freedom openldap]# /usr/libexec/openssh/ssh-ldap-helper -vvv -f /etc/openldap/ldap.conf -s user2
debug1: Reading configuration data /etc/openldap/ldap.conf
debug3: === Configuration ===
debug3: URI ldaps://openldap03.fedoraproject.org
debug3: Host openldap03.fedoraproject.org
debug3: Port 636
debug3: SSL Yes
debug3: Ldap_Version 3
debug3: Base ou=omoris,ou=free,dc=gold,dc=testday
debug3: BindDN cn=Tester,dc=gold,dc=testday
debug3: BindPW openldap
debug3: Scope Sub
[snip]
debug1: LDAP do connect
debug3: Set TLS CA cert dir /etc/openldap/cacerts
debug3: Set TLS check peer to 1
debug3: LDAP initialize ldaps://openldap03.fedoraproject.org
[snip]
debug3: LDAP search scope = 2 (&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=user2))
ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAQEAsDA+I14oBeVd7ceujknbvc3i2Qfnx2Q1vPatRcwPfWLF2H4fPUuUypkJjswvJXxZun+7h1tNpZPMvKCxMLNph4follk35MXT01LZYtW3rs3bdYL+9vBO7ns1+MDrrusotM3f+j90VhPVn5MhgPABVAaSVoTGn058d/N/R1pMMvnRrKhBYlLG0Yb4WesvJQCL9GkbPqjn7tWZQNbDqnIA/TgYe87ES7rsC8ZFObSYYhWXJqnYb8ysQRVLTRUxE/EzYWM0YUIuYIN9eRzUJW9rFmlVDalUjzwIK6dkhkl4xN3vX5lSL3OCJlwIxUoQLK2P9fEvbPlxd9IRSQNWFJO2HQ==mvadkert@dhcp-lab-118.englab.brq.redhat.com
debug2: LDAP process user finished
debug1: LDAP do close
debug2: LDAP do close OK
</pre>

'''[jvcelak] Tested program: python-ldap-2.3.12-1.fc15.x86_64'''

* not tested very deeply, basic operations work:
<pre>
#!/usr/bin/python

import ldap
import ldap.modlist as modlist

# connect over LDAPS and bind as the read-write test day user
l = ldap.initialize("ldaps://openldap03.fedoraproject.org", trace_level = 1)
l.simple_bind_s("cn=Tester,dc=gold,dc=testday", "openldap")

# add an organizational unit under the free subtree
ldif = modlist.addModlist({
    "objectClass" : [ "organizationalUnit", "top" ],
    "ou" : [ "jvcelak" ],
})
l.add_s("ou=jvcelak,ou=free,dc=gold,dc=testday", ldif)

# search the whole tree for the manager entry
print(l.search_s("dc=gold,dc=testday", ldap.SCOPE_SUBTREE, "(cn=Manager)"))

# remove the test entry again and close the connection
l.delete_s("ou=jvcelak,ou=free,dc=gold,dc=testday")
l.unbind_s()
</pre>

'''[mvadkert] Tested program: libuser-0.56.18-2.fc14'''
* tested all libuser commands - found bug in lpasswd #643022
* generally works well after good setup in /etc/libuser.conf

'''[omoris] Tested program: pam_ldap-185-5.fc14'''
* tested password change, ssh connection, password change via ssh connection
* no problems, works fine
* tested via beakerlib using already prepared test cases

'''[omoris] Tested program: nss_ldap-265-6.fc14 & nss-pam-ldapd.i686 0:0.7.7-1.fc14'''
* tested getent, id of ldap users
* no problems, works fine
* tested via beakerlib using already prepared test cases

'''[mvadkert] Tested program: quota-3.17-13.fc14.x86_64'''
* mail stored in surname in LDAP user, quota works as expected with ldaps :)

'''[amarecek] Tested program: sudo-1.7.4p4-3.fc14.x86_64'''
* rights escalation with ldap users only
* rights escalation with local users and ldap groups
* rights escalation with ldap users containing white spaces (also "su" tested)
* rights escalation with ldap groups containing white spaces

'''[jgorig] Tested program: php-ldap-5.3.3-1.fc14.x86_64'''
* basic operations work
<pre>
<?php
// connect to the MozNSS test server; LDAPv3 is required for STARTTLS
$conn = ldap_connect("openldap03.fedoraproject.org");
if(!$conn) exit("ldap_connect failed");
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);

// upgrade the plain connection to TLS
$ret = ldap_start_tls($conn);
if(!$ret) exit(ldap_error($conn));

// bind as the read-write test day user
$r = ldap_bind($conn, "cn=Tester,dc=gold,dc=testday", "openldap");
if(!$r) exit(ldap_error($conn));

// add an organizational unit under the free subtree
$data = array();
$data["objectClass"][0] = "organizationalUnit";
$data["objectClass"][1] = "top";
$data["ou"] = "Testovac";
if(!ldap_add($conn, "ou=Testovac,ou=free,dc=gold,dc=testday", $data)) exit(ldap_error($conn));

// search for the new entry and print it
$sr = ldap_search($conn, "dc=gold,dc=testday", "(ou=Testovac)");
print_r(ldap_get_entries($conn, $sr));

// remove the entry again and close the connection
ldap_delete($conn, "ou=Testovac,ou=free,dc=gold,dc=testday");
ldap_close($conn);
</pre>

'''[amarecek] Tested program: ruby-1.8.7.302-1.fc14.x86_64, ruby-ldap-0.9.7-10.fc12.x86_64'''
* simple connection works
<pre>
#!/usr/bin/env ruby
require 'ldap'

# connection parameters for the MozNSS test server (plain LDAP on port 389)
_host = 'openldap03.fedoraproject.org'
_port = 389
_binddn = 'cn=Tester,dc=gold,dc=testday'
_bindpw = 'openldap'
_base = 'ou=alich,ou=free,dc=gold,dc=testday'

# bind as the read-write test user; perror prints the result of the last call
connection = LDAP::Conn.new(_host, _port)
connection.bind(_binddn, _bindpw)
connection.perror("bind")

scope = LDAP::LDAP_SCOPE_SUBTREE
attrs = ['dn', 'cn']
items = ['posixAccount', 'posixGroup']

# search the test subtree once per object class and dump every entry found
items.each { |item|
  filter = "(objectClass=#{item})"
  begin
    connection.search(_base, scope, filter) { |record|
      print "DN: #{record.dn}\n"
      print "ATTRS: #{record.attrs}\n"
      print "\tCN: #{record.vals('cn')}\n"
      print "#{record.to_hash}\n"
    }
  rescue LDAP::ResultError
    connection.perror("search")
    exit 1
  end
  connection.perror("search")
}
connection.unbind
</pre>
* all data were found successfully

'''[jvcelak] Tested program: autofs-5.0.5-31.fc15.x86_64'''
* reported bug #643045 (outdated autofs.schema in openldap-servers)
* automounter connects to LDAP server with TLS (ldap:// + requiretls, ldaps://)
* automountMap successfully found
* referring to another server using ldap:server:dn works
* volumes mounted as expected

'''[shanks] Tested program: sssd-1.3.0-35.fc14.x86_64'''
* Not tested deeply, basic operation of LDAP ID and auth works:
<pre>
[sssd[be[LDAP]]] [get_server_status] (7): Status of server 'fed14sssdldap.gsr.pnq.redhat.com' is 'working'
[sssd[be[LDAP]]] [be_resolve_server_done] (4): Found address for server fed14sssdldap.gsr.pnq.redhat.com: [10.65.201.183]
[sssd[be[LDAP]]] [sdap_connect_send] (4): Executing START TLS
[sssd[be[LDAP]]] [sdap_ldap_connect_callback_add] (9): New LDAP connection to [ldap://fed14sssdldap.gsr.pnq.redhat.com:389] with fd [26].
[sssd[be[LDAP]]] [sdap_process_result] (8): Trace: sh[0xe9d210], connected[1], ops[0xe7e280], ldap[0xea1220]
[sssd[be[LDAP]]] [sdap_connect_done] (3): START TLS result: Success(0), Start TLS request accepted.Server willing to negotiate SSL.
[sssd[be[LDAP]]] [fo_set_port_status] (4): Marking port 389 of server 'fed14sssdldap.gsr.pnq.redhat.com' as 'working'
[sssd[be[LDAP]]] [set_server_common_status] (4): Marking server 'fed14sssdldap.gsr.pnq.redhat.com' as 'working'
[sssd[be[LDAP]]] [ldb] (9): tevent: Added timed event "ltdb_callback": 0xec7d50

[sssd[be[LDAP]]] [ldb] (9): tevent: Added timed event "ltdb_timeout": 0xec78c0

[sssd[be[LDAP]]] [ldb] (9): tevent: Destroying timer event 0xec78c0 "ltdb_timeout"

[sssd[be[LDAP]]] [ldb] (9): tevent: Ending timer event 0xec7d50 "ltdb_callback"

[sssd[be[LDAP]]] [find_password_expiration_attributes] (9): No password policy requested.
[sssd[be[LDAP]]] [simple_bind_send] (4): Executing simple bind as: uid=puser1,ou=People,dc=example,dc=com
[sssd[be[LDAP]]] [simple_bind_send] (8): ldap simple bind sent, msgid = 2
[sssd[be[LDAP]]] [sdap_process_result] (8): Trace: sh[0xe9d210], connected[1], ops[0xec79e0], ldap[0xea1220]
[sssd[be[LDAP]]] [sdap_process_result] (8): Trace: ldap_result found nothing!
[sssd[be[LDAP]]] [sdap_process_result] (8): Trace: sh[0xe9d210], connected[1], ops[0xec79e0], ldap[0xea1220]
[sssd[be[LDAP]]] [simple_bind_done] (5): Server returned no controls.
[sssd[be[LDAP]]] [simple_bind_done] (3): Bind result: Success(0), (null)
</pre>

'''[jgorig] Tested program: proftpd-1.3.3b-1.fc14.x86_64'''
* user authentication works

[[Category:Fedora 14 Test Days]]