author | Stefan Seelmann <mail@stefan-seelmann.de> | 2021-06-17 07:03:08 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-06-17 07:03:08 +0300 |
commit | fa240c3a07e58811be5eb7681f612063f6c20a14 (patch) | |
tree | 30488b9876fa8c3d8a5d156c05b344785f172c91 /tools | |
parent | b53667ab3b87afcfcd6f1b1df90d733636cfc888 (diff) |
Use Kerby for GSSAPI tests and enable SASL in 389ds (#29)
Diffstat (limited to 'tools')
-rw-r--r-- | tools/testlab/README.md | 77 | ||||
-rw-r--r-- | tools/testlab/kerby-data/backend/json-backend.json | 116 | ||||
-rw-r--r-- | tools/testlab/kerby-data/conf/adminClient.conf | 23 | ||||
-rw-r--r-- | tools/testlab/kerby-data/conf/adminServer.conf | 24 | ||||
-rw-r--r-- | tools/testlab/kerby-data/conf/backend.conf | 20 | ||||
-rw-r--r-- | tools/testlab/kerby-data/conf/kdc.conf | 23 | ||||
-rw-r--r-- | tools/testlab/kerby-data/conf/krb5.conf | 29 | ||||
-rw-r--r-- | tools/testlab/kerby-data/keytabs/admin.keytab | bin | 0 -> 148 bytes | |||
-rw-r--r-- | tools/testlab/krb5.conf | 29 | ||||
-rw-r--r-- | tools/testlab/ldap.keytab | bin | 0 -> 328 bytes |
10 files changed, 341 insertions, 0 deletions
diff --git a/tools/testlab/README.md b/tools/testlab/README.md
new file mode 100644
index 000000000..288766fcc
--- /dev/null
+++ b/tools/testlab/README.md
@@ -0,0 +1,77 @@
+# Test Lab
+
+## Host preparation
+
+To be able to access the services with their FQDN add aliases to the `/etc/hosts`.
+Note that this is a hack rather than a proper solution.
+
+```
+/etc/hosts:
+127.0.0.100 kerby.example.com
+127.0.0.101 openldap.example.com
+127.0.0.102 fedora389ds.example.com
+```
+
+## Apache Kerby as Kerberos KDC
+
+Uses Docker image `coheigea/kerby`, source at https://github.com/coheigea/testcases/tree/master/apache/docker/kerby.
+
+Start the Kerby server
+
+```
+docker run -it --rm --name kerby -h kerby.example.com -u $(id -u):$(id -g) -p 60088:60088/tcp -p 60088:60088/udp -v $(pwd)/tools/testlab/kerby-data:/kerby-data coheigea/kerby
+```
+
+Initial creation of service accounts and keytabs:
+
+```
+docker exec -it kerby bash
+stty rows 24 columns 80
+sh bin/kadmin.sh /kerby-data/conf/ -k /kerby-data/keytabs/admin.keytab
+
+addprinc -pw secret hnelson@EXAMPLE.COM
+
+addprinc -pw randall ldap/openldap.example.com@EXAMPLE.COM
+ktadd -k /kerby-data/keytabs/ldap.keytab ldap/openldap.example.com@EXAMPLE.COM
+addprinc -pw randall ldap/fedora389ds.example.com@EXAMPLE.COM
+ktadd -k /kerby-data/keytabs/ldap.keytab ldap/fedora389ds.example.com@EXAMPLE.COM
+```
+
+## OpenLDAP
+
+```
+docker run -it --rm --name openldap -h openldap.example.com -p 20389:389 -p 20636:636 -e LDAP_TLS_VERIFY_CLIENT=never -v $(pwd)/tools/testlab/ldap.keytab:/etc/krb5.keytab -v $(pwd)/tools/testlab/krb5.conf:/etc/krb5.conf osixia/openldap:1.5.0
+```
+
+## Fedora 389ds
+
+```
+docker run -it --rm --name fedora389ds -h fedora389ds.example.com -p 21389:3389 -p 21636:3636 -e DS_DM_PASSWORD=admin -v $(pwd)/tools/testlab/ldap.keytab:/etc/krb5.keytab -v $(pwd)/tools/testlab/krb5.conf:/etc/krb5.conf 389ds/dirsrv bash -c "zypper install -y cyrus-sasl-crammd5 cyrus-sasl-digestmd5 cyrus-sasl-gssapi; set -m; /usr/lib/dirsrv/dscontainer -r & while ! 
/usr/lib/dirsrv/dscontainer -H; do sleep 5; done; sleep 5; /usr/sbin/dsconf localhost backend create --suffix dc=example,dc=org --be-name example; fg"
+```
+
+## Usage
+
+### GSSAPI authentication
+
+```
+export KRB5_CONFIG=$(pwd)/tools/testlab/krb5.conf
+echo "secret" | kinit hnelson
+ldapwhoami -H ldap://openldap.example.com:20389 -Y GSSAPI -N
+ldapwhoami -H ldap://fedora389ds.example.com:21389 -Y GSSAPI -N
+```
+
+### UI integration tests
+
+```
+docker run -it --rm --cpus="1.5" \
+ -u $(id -u):$(id -g) \
+ -v ~/.m2:/home/hnelson/.m2 \
+ -v $(pwd):/home/hnelson/project \
+ -v $(pwd)/tools/testlab/krb5.conf:/etc/krb5.conf \
+ --link=kerby:kerby.example.com \
+ --link=openldap:openldap.example.com -e OPENLDAP_HOST=openldap.example.com -e OPENLDAP_PORT=389 -e OPENLDAP_PORT_SSL=636 \
+ --link=fedora389ds:fedora389ds.example.com -e FEDORA_389DS_HOST=fedora389ds.example.com -e FEDORA_389DS_PORT=3389 -e FEDORA_389DS_PORT_SSL=3636 \
+ apachedirectory/maven-build:jdk-11 bash -c "mvn -V -f pom-first.xml clean install && mvn -V clean install -Denable-ui-tests"
+
+```
+
diff --git a/tools/testlab/kerby-data/backend/json-backend.json b/tools/testlab/kerby-data/backend/json-backend.json
new file mode 100644
index 000000000..0d47acd41
--- /dev/null
+++ b/tools/testlab/kerby-data/backend/json-backend.json
@@ -0,0 +1,116 @@
+{
+ "adminprotocol/localhost@EXAMPLE.COM": {
+ "principal": "adminprotocol/localhost@EXAMPLE.COM",
+ "keyVersion": 1,
+ "kdcFlags": 0,
+ "disabled": false,
+ "locked": false,
+ "expireTime": "253402300799900",
+ "createdTime": "1528713224740",
+ "keys": {
+ "AES128_CTS_HMAC_SHA1_96": {
+ "kvno": 1,
+ "key": "3019A003020111A112041091CDC8A37ADE5268236C840523F87038"
+ },
+ "DES3_CBC_SHA1": {
+ "kvno": 1,
+ "key": "3021A003020110A11A0418F7AE8A9B6D7AF2E59D49DF193476CE511FFE1091C464A823"
+ }
+ }
+ },
+ "ldap/fedora389ds.example.com@EXAMPLE.COM": {
+ "principal": "ldap/fedora389ds.example.com@EXAMPLE.COM",
+ "keyVersion": 1,
+ "kdcFlags": 0,
+ "disabled": false,
+ "locked": false,
+ "expireTime": "253402300799900",
+ "createdTime": "1623646752731",
+ "keys": {
+ "DES3_CBC_SHA1": {
+ "kvno": 1,
+ "key": "3021A003020110A11A04182A1FF2DFC47AB0B0E068EA3D3476AE19511ACDE6970D5467"
+ },
+ "AES128_CTS_HMAC_SHA1_96": {
+ "kvno": 1,
+ "key": "3019A003020111A1120410B13B78BDE0374D463D877871A3C8B88F"
+ }
+ }
+ },
+ "krbtgt/EXAMPLE.COM@EXAMPLE.COM": {
+ "principal": "krbtgt/EXAMPLE.COM@EXAMPLE.COM",
+ "keyVersion": 1,
+ "kdcFlags": 0,
+ "disabled": false,
+ "locked": false,
+ "expireTime": "253402300799900",
+ "createdTime": "1528713224693",
+ "keys": {
+ "AES128_CTS_HMAC_SHA1_96": {
+ "kvno": 1,
+ "key": "3019A003020111A1120410BF87D478614F7A6D76C0462F2AD180AE"
+ },
+ "DES3_CBC_SHA1": {
+ "kvno": 1,
+ "key": "3021A003020110A11A0418627F34BF7F261964F1E55B5849B3D583BCD0795E34FB317A"
+ }
+ }
+ },
+ "ldap/openldap.example.com@EXAMPLE.COM": {
+ "principal": "ldap/openldap.example.com@EXAMPLE.COM",
+ "keyVersion": 1,
+ "kdcFlags": 0,
+ "disabled": false,
+ "locked": false,
+ "expireTime": "253402300799900",
+ "createdTime": "1623646740945",
+ "keys": {
+ "DES3_CBC_SHA1": {
+ "kvno": 1,
+ "key": "3021A003020110A11A0418DA0458C110D9435776F4BC32BFAE1C94624A7A402979D6F8"
+ },
+ "AES128_CTS_HMAC_SHA1_96": {
+ "kvno": 1,
+ "key": 
"3019A003020111A11204106A8382B60767C62E8766B741F92406A4" + } + } + }, + "hnelson@EXAMPLE.COM": { + "principal": "hnelson@EXAMPLE.COM", + "keyVersion": 1, + "kdcFlags": 0, + "disabled": false, + "locked": false, + "expireTime": "253402300799900", + "createdTime": "1623569412700", + "keys": { + "DES3_CBC_SHA1": { + "kvno": 1, + "key": "3021A003020110A11A04185707CE2952922C1C8CBF43C23D8F8C5E9E8CF75D3E4A5E25" + }, + "AES128_CTS_HMAC_SHA1_96": { + "kvno": 1, + "key": "3019A003020111A1120410AD214B38B69DFCCAACF15F346D417B90" + } + } + }, + "kadmin/EXAMPLE.COM@EXAMPLE.COM": { + "principal": "kadmin/EXAMPLE.COM@EXAMPLE.COM", + "keyVersion": 1, + "kdcFlags": 0, + "disabled": false, + "locked": false, + "expireTime": "253402300799900", + "createdTime": "1528713224726", + "keys": { + "AES128_CTS_HMAC_SHA1_96": { + "kvno": 1, + "key": "3019A003020111A112041064F2D24DE79182AD88AC9A60ED6F9983" + }, + "DES3_CBC_SHA1": { + "kvno": 1, + "key": "3021A003020110A11A04189BCBA454B3FB4A540746ECC1D3A283BCFBD307A15BE5EA1C" + } + } + } +}
\ No newline at end of file
diff --git a/tools/testlab/kerby-data/conf/adminClient.conf b/tools/testlab/kerby-data/conf/adminClient.conf
new file mode 100644
index 000000000..7c6909bf3
--- /dev/null
+++ b/tools/testlab/kerby-data/conf/adminClient.conf
@@ -0,0 +1,23 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+[libdefaults]
+default_realm = EXAMPLE.COM
+admin_port = 65417
+keytab_file = admin.keytab
+protocol = adminprotocol
+server_name = localhost
diff --git a/tools/testlab/kerby-data/conf/adminServer.conf b/tools/testlab/kerby-data/conf/adminServer.conf
new file mode 100644
index 000000000..08af51ce8
--- /dev/null
+++ b/tools/testlab/kerby-data/conf/adminServer.conf
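Review bot: json-backend.json is the KDC identity store and publishes the long-term keys of every principal of the lab realm in the clear, including `krbtgt/EXAMPLE.COM@EXAMPLE.COM` and the two `ldap/` service principals, and admin.keytab and ldap.keytab in the same commit carry key material for the same realm; anyone who can read the repository can therefore forge tickets for EXAMPLE.COM, which is acceptable only as long as none of these files is ever used outside the throwaway lab. The README added by this commit should say so, e.g. `All keys, keytabs and passwords under tools/testlab are published test fixtures for the local lab; never reuse them or the EXAMPLE.COM realm anywhere else.` Every principal also carries a `DES3_CBC_SHA1` key next to its `AES128_CTS_HMAC_SHA1_96` key; des3-cbc-sha1 is deprecated by RFC 8429 and nothing in the lab appears to depend on it, so either drop those entries from the backend or pin the clients with `permitted_enctypes = aes128-cts-hmac-sha1-96` in the two krb5.conf files, otherwise the GSSAPI tests may silently exercise an enctype that production KDCs refuse.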
@@ -0,0 +1,24 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+[libdefaults]
+default_realm = EXAMPLE.COM
+admin_realm = EXAMPLE.COM
+admin_port = 65417
+keytab_file = protocol.keytab
+protocol = adminprotocol
+server_name = localhost
diff --git a/tools/testlab/kerby-data/conf/backend.conf b/tools/testlab/kerby-data/conf/backend.conf
new file mode 100644
index 000000000..3bbe481ed
--- /dev/null
+++ b/tools/testlab/kerby-data/conf/backend.conf
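Review bot: `keytab_file = protocol.keytab` refers to a file this commit does not add — the diffstat lists only keytabs/admin.keytab and ldap.keytab — while adminClient.conf in the same commit reads `keytab_file = admin.keytab`, so the server side of the `adminprotocol/localhost` principal can only start if the coheigea/kerby image creates protocol.keytab itself; I cannot tell from the diff whether it does. Either commit the matching keytab under kerby-data/keytabs or add a README sentence stating where protocol.keytab comes from, so the next person who rebuilds the lab is not left guessing. It is also worth noting in the README that `admin_port = 65417` is deliberately not published by the `docker run -p` line, so the admin protocol stays reachable only from inside the container via `docker exec`, which is the safer default for a keytab-authenticated administration interface.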
@@ -0,0 +1,20 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+kdc_identity_backend = org.apache.kerby.kerberos.kdc.identitybackend.JsonIdentityBackend
+backend.json.dir = /kerby-data/backend
diff --git a/tools/testlab/kerby-data/conf/kdc.conf b/tools/testlab/kerby-data/conf/kdc.conf
new file mode 100644
index 000000000..34f29730c
--- /dev/null
+++ b/tools/testlab/kerby-data/conf/kdc.conf
@@ -0,0 +1,23 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+[kdcdefaults]
+ kdc_host = kerby.example.com
+ kdc_udp_port = 60088
+ kdc_tcp_port = 60088
+ kdc_realm = EXAMPLE.COM
diff --git a/tools/testlab/kerby-data/conf/krb5.conf b/tools/testlab/kerby-data/conf/krb5.conf
new file mode 100644
index 000000000..669285924
--- /dev/null
+++ b/tools/testlab/kerby-data/conf/krb5.conf
@@ -0,0 +1,29 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+[libdefaults]
+ kdc_realm = EXAMPLE.COM
+ default_realm = EXAMPLE.COM
+ udp_preference_limit = 4096
+ kdc_tcp_port = 60088
+ kdc_udp_port = 60088
+
+[realms]
+ EXAMPLE.COM = {
+ kdc = localhost:60088
+ }
\ No newline at end of file
diff --git a/tools/testlab/kerby-data/keytabs/admin.keytab b/tools/testlab/kerby-data/keytabs/admin.keytab
Binary files differ
new file mode 100644
index 000000000..55e1addeb
--- /dev/null
+++ b/tools/testlab/kerby-data/keytabs/admin.keytab
diff --git a/tools/testlab/krb5.conf b/tools/testlab/krb5.conf
new file mode 100644
index 000000000..b6f93690f
--- /dev/null
+++ b/tools/testlab/krb5.conf
@@ -0,0 +1,29 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+[libdefaults]
+ kdc_realm = EXAMPLE.COM
+ default_realm = EXAMPLE.COM
+ udp_preference_limit = 1
+ kdc_tcp_port = 60088
+ kdc_udp_port = 60088
+
+[realms]
+ EXAMPLE.COM = {
+ kdc = kerby.example.com:60088
+ }
diff --git a/tools/testlab/ldap.keytab b/tools/testlab/ldap.keytab
Binary files differ
new file mode 100644
index 000000000..11e270038
--- /dev/null
+++ b/tools/testlab/ldap.keytab |