From d7523544f6229fdf6cdfe89688cfd079e549b760 Mon Sep 17 00:00:00 2001
From: Dean Welch
Date: Wed, 24 Apr 2024 11:24:46 +0100
Subject: [PATCH] Use samba ad container for ldap
---
 .github/workflows/ldap_acceptance.yml | 6 +++++
 spec/acceptance/ldap_spec.rb | 17 ++++++++------
 test/ldap/Dockerfile | 14 ++++++++++++
 test/ldap/docker-compose.yml | 25 ++++++++++++++++++++
 test/ldap/samba-ad-run.sh | 33 +++++++++++++++++++++++++++
 test/ldap/samba-ad-setup.sh | 31 +++++++++++++++++++++++++
 6 files changed, 119 insertions(+), 7 deletions(-)
 create mode 100644 test/ldap/Dockerfile
 create mode 100644 test/ldap/docker-compose.yml
 create mode 100755 test/ldap/samba-ad-run.sh
 create mode 100755 test/ldap/samba-ad-setup.sh
diff --git a/.github/workflows/ldap_acceptance.yml b/.github/workflows/ldap_acceptance.yml
index 37241bb4b8662..f994b55db1a93 100644
--- a/.github/workflows/ldap_acceptance.yml
+++ b/.github/workflows/ldap_acceptance.yml
@@ -75,6 +75,12 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@v4
 
+ - name: Run samba/ldap docker container
+ working-directory: 'test/ldap'
+ run: |
+ docker compose build
+ docker compose up --wait -d
+
 - name: Setup Ruby
 env:
 BUNDLE_WITHOUT: "coverage development pcap"
diff --git a/spec/acceptance/ldap_spec.rb b/spec/acceptance/ldap_spec.rb
index d5907b9b5b0de..4c702020d37b5 100644
--- a/spec/acceptance/ldap_spec.rb
+++ b/spec/acceptance/ldap_spec.rb
@@ -14,10 +14,10 @@
 datastore: {
 global: {},
 module: {
- username: ENV.fetch('LDAP_USERNAME', 'uid=admin,ou=system'),
- password: ENV.fetch('LDAP_PASSWORD', 'secret'),
+ username: ENV.fetch('LDAP_USERNAME', "'DEV-AD\\Administrator'"),
+ password: ENV.fetch('LDAP_PASSWORD', 'admin123!'),
 rhost: ENV.fetch('LDAP_RHOST', '127.0.0.1'),
- rport: ENV.fetch('LDAP_RPORT', '10389'),
+ rport: ENV.fetch('LDAP_RPORT', '389'),
 ssl: ENV.fetch('LDAP_SSL', 'false')
 }
 }
@@ -54,7 +54,7 @@
 all: {
 required: [
 /Discovered base DN/,
- /Query returned 1 result/
+ /Query returned 4 results/
 ]
 }
 }
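Review bot: The new `username` default `"'DEV-AD\\Administrator'"` carries literal single quotes inside the Ruby string, so the datastore value becomes `'DEV-AD\Administrator'` quotes included, whereas a value supplied through `LDAP_USERNAME` arrives unquoted; the two paths therefore hand different strings to the module. If the quotes exist to survive the msfconsole or shell command the harness builds, that quoting belongs at the interpolation site so both paths behave alike; if they are not needed, the default should read `'DEV-AD\\Administrator'`. A short comment on the line explaining why the backslash is doubled and the value quoted would spare the next reader the same question.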
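Review bot: `/Query returned 4 results/` pins the assertion to the exact number of objects Samba's `domain provision` creates, which depends on whichever Samba package version the test container installs (the Dockerfile in this commit pulls unpinned packages from `ubuntu:20.04`); the same applies to `/266 entries, 0 creds found in 'DC=ldap,DC=example,DC=com'./` in the `@@ -68` hunk. A base-image or package bump would then fail these specs without any change in the modules under test. Consider matching the shape rather than the count, e.g. `/Query returned \d+ results/` and `/\d+ entries, 0 creds found in 'DC=ldap,DC=example,DC=com'\./`, or pin the samba package version in the Dockerfile so the counts stay deterministic.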
@@ -68,8 +68,10 @@
 all: {
 required: [
 /Discovering base DN\(s\) automatically/,
- /Storing LDAP data for base DN='dc=wimpi,dc=net' in loot/,
- /5 entries, 1 creds found in 'dc=wimpi,dc=net'/
+ /Dumping data for root DSE/,
+ /Searching base DN='DC=ldap,DC=example,DC=com'/,
+ /Storing LDAP data for base DN='DC=ldap,DC=example,DC=com' in loot/,
+ /266 entries, 0 creds found in 'DC=ldap,DC=example,DC=com'./
 ]
 }
 }
@@ -79,11 +81,12 @@
 platforms: %i[linux osx windows],
 targets: [:rhost],
 skipped: false,
- datastore: { TARGET_USER: 'test' },
+ datastore: { TARGET_USER: 'administrator' },
 lines: {
 all: {
 required: [
 /Discovering base DN automatically/,
+ /Discovered base DN: DC=ldap,DC=example,DC=com/,
 /The msDS-KeyCredentialLink field is empty./
 ]
 }
diff --git a/test/ldap/Dockerfile b/test/ldap/Dockerfile
new file mode 100644
index 0000000000000..d1f6eefd49f4e
--- /dev/null
+++ b/test/ldap/Dockerfile
@@ -0,0 +1,14 @@
+FROM ubuntu:20.04
+
+RUN DEBIAN_FRONTEND=noninteractive apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y install samba krb5-config winbind smbclient
+RUN DEBIAN_FRONTEND=noninteractive apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y install iproute2
+RUN DEBIAN_FRONTEND=noninteractive apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y install openssl
+RUN DEBIAN_FRONTEND=noninteractive apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y install vim
+RUN DEBIAN_FRONTEND=noninteractive apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y install ldap-utils
+
+RUN rm /etc/krb5.conf
+RUN mkdir -p /opt/ad-scripts
+
+WORKDIR /opt/ad-scripts
+
+CMD chmod +x *.sh && ./samba-ad-setup.sh && ./samba-ad-run.sh
diff --git a/test/ldap/docker-compose.yml b/test/ldap/docker-compose.yml
new file mode 100644
index 0000000000000..7e50f7fdebeb0
--- /dev/null
+++ b/test/ldap/docker-compose.yml
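Review bot: Each of the five `RUN … apt-get update && … apt-get -y install …` lines leaves a copy of the apt package lists in its own layer, and `vim` is not used by either script; one `RUN` that installs every package and ends with `rm -rf /var/lib/apt/lists/*` gives the same container in a single smaller layer. `RUN mkdir -p /opt/ad-scripts` is redundant because `WORKDIR` creates the directory, and docker-compose bind-mounts `./` over it anyway. The shell-form `CMD` runs the chain under `/bin/sh -c`, so samba ends up two processes below PID 1 and the SIGTERM from `docker stop` reaches the shell rather than samba; finishing the chain with `exec ./samba-ad-run.sh` and having that script `exec samba -i …` on its last line (see the `samba-ad-run.sh` hunk) lets samba receive it. Root is expected for a Samba AD domain controller, so no `USER` change is suggested here.
```dockerfile
FROM ubuntu:20.04

# One apt layer: lists are removed in the same step so they never land in the image.
RUN DEBIAN_FRONTEND=noninteractive apt-get update \
 && DEBIAN_FRONTEND=noninteractive apt-get -y install \
      iproute2 \
      krb5-config \
      ldap-utils \
      openssl \
      samba \
      smbclient \
      winbind \
 && rm -rf /var/lib/apt/lists/*

RUN rm /etc/krb5.conf

WORKDIR /opt/ad-scripts

# exec so samba-ad-run.sh (and, through its own exec, samba) replaces the shell as PID 1.
CMD ["/bin/sh", "-c", "chmod +x *.sh && ./samba-ad-setup.sh && exec ./samba-ad-run.sh"]
```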
@@ -0,0 +1,25 @@
+version: '3.7'
+
+services:
+ ldap:
+ tty: true
+ network_mode: bridge
+ hostname: ldap.example.com
+ ports:
+ - "389:389"
+ - "636:636"
+ cap_add:
+ - SYS_ADMIN
+ environment:
+ SMB_ADMIN_PASSWORD: admin123!
+ volumes:
+ - ./:/opt/ad-scripts
+ healthcheck:
+ test: ldapsearch -x -H ldap://localhost:389 -b '' -D DEV-AD\\Administrator -w admin123!
+ interval: 10s
+ timeout: 5s
+ retries: 5
+ start_period: 5s
+ build:
+ context: .
+ dockerfile: Dockerfile
diff --git a/test/ldap/samba-ad-run.sh b/test/ldap/samba-ad-run.sh
new file mode 100755
index 0000000000000..1cbf0baa2b8c1
--- /dev/null
+++ b/test/ldap/samba-ad-run.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -e
+
+[ -f /var/lib/samba/.setup ] || {
+ >&2 echo "[ERROR] Samba is not setup yet, which should happen automatically. Look for errors!"
+ exit 127
+}
+
+cat << EOF > /var/lib/samba/private/smb.conf
+# Global parameters
+[global]
+ dns forwarder = 192.168.65.7
+ #server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
+ server services = ldap
+
+ netbios name = LDAP
+ realm = LDAP.EXAMPLE.COM
+ server role = active directory domain controller
+ workgroup = DEV-AD
+ idmap_ldb:use rfc2307 = yes
+ ldap server require strong auth = no
+ allow dns updates = disabled
+[sysvol]
+ path = /var/lib/samba/sysvol
+ read only = No
+
+[netlogon]
+ path = /var/lib/samba/sysvol/ldap.example.com/scripts
+ read only = No
+EOF
+
+samba -i -s /var/lib/samba/private/smb.conf
diff --git a/test/ldap/samba-ad-setup.sh b/test/ldap/samba-ad-setup.sh
new file mode 100755
index 0000000000000..a5683d201ff56
--- /dev/null
+++ b/test/ldap/samba-ad-setup.sh
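Review bot: `ports: - "389:389"` and `- "636:636"` publish the directory on every host interface even though the spec defaults to `127.0.0.1`, and the container accepts a fixed, checked-in administrator password; binding to loopback, `- "127.0.0.1:389:389"` and `- "127.0.0.1:636:636"`, keeps a CI runner or developer machine from exposing a writable AD DC to its network. `cap_add: - SYS_ADMIN` is a broad capability and nothing in `samba-ad-setup.sh` or `samba-ad-run.sh` visibly needs it; if Samba requires it here, a comment naming the reason would help, otherwise drop it. The `version: '3.7'` key is ignored by Compose v2 and only produces a warning. The password also appears as separate literals in `environment:` and `test:`, and a third time in `ldap_spec.rb`; a single `SMB_ADMIN_PASSWORD` value interpolated into both compose fields (for example `${SMB_ADMIN_PASSWORD}` from an `.env` file) avoids the drift that duplication invites.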
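Review bot: `ldap server require strong auth = no` turns off Samba's default rejection of simple binds that are not protected by TLS, which is what lets the acceptance spec bind with `ssl: 'false'` over port 389; a comment on that line, `# deliberately relaxed so the acceptance tests can simple-bind over plaintext 389; test fixture only`, records that this is a test-only setting and not a recommended server configuration. `dns forwarder = 192.168.65.7` is a hard-coded address that is inert while `server services = ldap` excludes the DNS service, so either drop it or say which environment it belongs to. The final `samba -i -s …` runs as a child of bash; `exec samba -i -s /var/lib/samba/private/smb.conf` hands the process slot to samba so it receives the container stop signal (see also the shell-form `CMD` in the Dockerfile hunk). The `[sysvol]` and `[netlogon]` shares are `read only = No` and unused by an LDAP-only service; they could be omitted.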
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+set -e
+
+info () {
+ echo "[INFO] $@"
+}
+
+info "Running setup"
+
+# Check if samba is setup
+[ -f /var/lib/samba/.setup ] && info "Already setup..." && exit 0
+
+info "Provisioning domain controller..."
+
+info "Given admin password: ${SMB_ADMIN_PASSWORD}"
+
+rm /etc/samba/smb.conf
+
+samba-tool domain provision\
+ --server-role=dc\
+ --use-rfc2307\
+ --dns-backend=SAMBA_INTERNAL\
+ --realm=`hostname`\
+ --domain=DEV-AD\
+ --adminpass=${SMB_ADMIN_PASSWORD}\
+ --option='server services = ldap'
+
+mv /etc/samba/smb.conf /var/lib/samba/private/smb.conf
+
+touch /var/lib/samba/.setup
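Review bot: `info "Given admin password: ${SMB_ADMIN_PASSWORD}"` writes the domain administrator password to the container log, which in this commit ends up in the GitHub Actions output; log that a password was supplied rather than its value, `info "Admin password supplied: ${SMB_ADMIN_PASSWORD:+yes}"`, or drop the line. `--adminpass=${SMB_ADMIN_PASSWORD}` is unquoted, so a value with spaces or glob characters would be split by the shell before reaching `samba-tool`; `--adminpass="${SMB_ADMIN_PASSWORD}"` is safer, and an early `: "${SMB_ADMIN_PASSWORD:?SMB_ADMIN_PASSWORD must be set}"` turns an empty value into a clear failure instead of a provisioning error. `--realm=\`hostname\`` only yields the `LDAP.EXAMPLE.COM` realm hard-coded in `samba-ad-run.sh` when the container runs with `hostname: ldap.example.com` from docker-compose; a comment noting that coupling, or passing the realm explicitly, would make the scripts self-contained.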