Use samba ad container for ldap

rapid7 · Apr 24, 2024 · d752354 · d752354
1 parent 463200c
commit d752354
Show file tree

Hide file tree

Showing 6 changed files with 119 additions and 7 deletions.
diff --git a/.github/workflows/ldap_acceptance.yml b/.github/workflows/ldap_acceptance.yml
@@ -75,6 +75,12 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
+      - name: Run samba/ldap docker container
+        working-directory: 'test/ldap'
+        run: |
+          docker compose build
+          docker compose up --wait -d
+
       - name: Setup Ruby
         env:
           BUNDLE_WITHOUT: "coverage development pcap"

diff --git a/spec/acceptance/ldap_spec.rb b/spec/acceptance/ldap_spec.rb
@@ -14,10 +14,10 @@
         datastore: {
           global: {},
           module: {
-            username: ENV.fetch('LDAP_USERNAME', 'uid=admin,ou=system'),
-            password: ENV.fetch('LDAP_PASSWORD', 'secret'),
+            username: ENV.fetch('LDAP_USERNAME', "'DEV-AD\\Administrator'"),
+            password: ENV.fetch('LDAP_PASSWORD', 'admin123!'),
             rhost: ENV.fetch('LDAP_RHOST', '127.0.0.1'),
-            rport: ENV.fetch('LDAP_RPORT', '10389'),
+            rport: ENV.fetch('LDAP_RPORT', '389'),
             ssl: ENV.fetch('LDAP_SSL', 'false')
           }
         }
@@ -54,7 +54,7 @@
             all: {
               required: [
                 /Discovered base DN/,
-                /Query returned 1 result/
+                /Query returned 4 results/
               ]
             }
           }
@@ -68,8 +68,10 @@
             all: {
               required: [
                 /Discovering base DN\(s\) automatically/,
-                /Storing LDAP data for base DN='dc=wimpi,dc=net' in loot/,
-                /5 entries, 1 creds found in 'dc=wimpi,dc=net'/
+                /Dumping data for root DSE/,
+                /Searching base DN='DC=ldap,DC=example,DC=com'/,
+                /Storing LDAP data for base DN='DC=ldap,DC=example,DC=com' in loot/,
+                /266 entries, 0 creds found in 'DC=ldap,DC=example,DC=com'./
               ]
             }
           }
@@ -79,11 +81,12 @@
           platforms: %i[linux osx windows],
           targets: [:rhost],
           skipped: false,
-          datastore: { TARGET_USER: 'test' },
+          datastore: { TARGET_USER: 'administrator' },
           lines: {
             all: {
               required: [
                 /Discovering base DN automatically/,
+                /Discovered base DN: DC=ldap,DC=example,DC=com/,
                 /The msDS-KeyCredentialLink field is empty./
               ]
             }

diff --git a/test/ldap/Dockerfile b/test/ldap/Dockerfile
@@ -0,0 +1,14 @@
+FROM ubuntu:20.04
+
+RUN DEBIAN_FRONTEND=noninteractive apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y install samba krb5-config winbind smbclient
+RUN DEBIAN_FRONTEND=noninteractive apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y install iproute2
+RUN DEBIAN_FRONTEND=noninteractive apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y install openssl
+RUN DEBIAN_FRONTEND=noninteractive apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y install vim
+RUN DEBIAN_FRONTEND=noninteractive apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y install ldap-utils
+
+RUN rm /etc/krb5.conf
+RUN mkdir -p /opt/ad-scripts
+
+WORKDIR /opt/ad-scripts
+
+CMD chmod +x *.sh && ./samba-ad-setup.sh && ./samba-ad-run.sh
diff --git a/test/ldap/docker-compose.yml b/test/ldap/docker-compose.yml
@@ -0,0 +1,25 @@
+version: '3.7'
+
+services:
+  ldap:
+    tty: true
+    network_mode: bridge
+    hostname: ldap.example.com
+    ports:
+      - "389:389"
+      - "636:636"
+    cap_add:
+      - SYS_ADMIN
+    environment:
+      SMB_ADMIN_PASSWORD: admin123!
+    volumes:
+      - ./:/opt/ad-scripts
+    healthcheck:
+      test: ldapsearch -x -H ldap://localhost:389 -b '' -D DEV-AD\\Administrator -w admin123!
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 5s
+    build:
+      context: .
+      dockerfile: Dockerfile
diff --git a/test/ldap/samba-ad-run.sh b/test/ldap/samba-ad-run.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -e
+
+[ -f /var/lib/samba/.setup ] || {
+    >&2 echo "[ERROR] Samba is not setup yet, which should happen automatically. Look for errors!"
+    exit 127
+}
+
+cat << EOF > /var/lib/samba/private/smb.conf
+# Global parameters
+[global]
+	dns forwarder = 192.168.65.7
+	#server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
+	server services = ldap
+
+	netbios name = LDAP
+	realm = LDAP.EXAMPLE.COM
+	server role = active directory domain controller
+	workgroup = DEV-AD
+	idmap_ldb:use rfc2307 = yes
+	ldap server require strong auth = no
+	allow dns updates = disabled
+[sysvol]
+	path = /var/lib/samba/sysvol
+	read only = No
+
+[netlogon]
+	path = /var/lib/samba/sysvol/ldap.example.com/scripts
+	read only = No
+EOF
+
+samba -i -s /var/lib/samba/private/smb.conf
diff --git a/test/ldap/samba-ad-setup.sh b/test/ldap/samba-ad-setup.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+set -e
+
+info () {
+    echo "[INFO] $@"
+}
+
+info "Running setup"
+
+# Check if samba is setup
+[ -f /var/lib/samba/.setup ] && info "Already setup..." && exit 0
+
+info "Provisioning domain controller..."
+
+info "Given admin password: ${SMB_ADMIN_PASSWORD}"
+
+rm /etc/samba/smb.conf
+
+samba-tool domain provision\
+ --server-role=dc\
+ --use-rfc2307\
+ --dns-backend=SAMBA_INTERNAL\
+ --realm=`hostname`\
+ --domain=DEV-AD\
+ --adminpass=${SMB_ADMIN_PASSWORD}\
+ --option='server services = ldap'
+
+mv /etc/samba/smb.conf /var/lib/samba/private/smb.conf
+
+touch /var/lib/samba/.setup