Make the ldap test working

- The smtp/imap user name is now user@domain.tld
- Make the test_lookup function much more robust: it was not getting
  the correct file from the store.
This commit is contained in:
Antoine Eiche 2023-05-19 10:08:50 +02:00 committed by lewo
parent 8b03ae5701
commit 33554e57ce
3 changed files with 33 additions and 28 deletions


@ -280,8 +280,8 @@ in
userFilter = mkOption { userFilter = mkOption {
type = types.str; type = types.str;
default = "cn=%u"; default = "mail=%u";
example = "(&(objectClass=inetOrgPerson)(cn=%u))"; example = "(&(objectClass=inetOrgPerson)(mail=%u))";
description = '' description = ''
Filter for user lookups in Dovecot. Filter for user lookups in Dovecot.
@ -304,9 +304,9 @@ in
}; };
passFilter = mkOption { passFilter = mkOption {
type = types.str; type = types.nullOr types.str;
default = "cn=%u"; default = "mail=%u";
example = "(&(objectClass=inetOrgPerson)(cn=%u))"; example = "(&(objectClass=inetOrgPerson)(mail=%u))";
description = '' description = ''
Filter for password lookups in Dovecot. Filter for password lookups in Dovecot.
@ -331,7 +331,7 @@ in
uidAttribute = mkOption { uidAttribute = mkOption {
type = types.str; type = types.str;
default = "cn"; default = "mail";
example = "uid"; example = "uid";
description = '' description = ''
The LDAP attribute referencing the account name for a user. The LDAP attribute referencing the account name for a user.
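Review bot: passFilter's type becomes `types.nullOr types.str` in the second hunk while its default stays `"mail=%u"` and userFilter in the first hunk stays `types.str`, but nothing visible documents what null means; the description continues outside the hunk, so it may already say so, yet the one line shown ("Filter for password lookups in Dovecot.") does not. A sentence in that description stating what the generated Dovecot configuration does when the option is null (which lookup, if any, is omitted) would let operators judge the asymmetry with userFilter. The new `mail=%u` / `mail` defaults in all three hunks change which LDAP attribute identifies an account, and the test in this commit logs in as `alice@example.com`; a line in each option description noting that login names are full mail addresses under the defaults would make that operational change explicit to people upgrading.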


@ -158,7 +158,7 @@ let
(pkgs.writeText "ldap-sender-login-map.cf" '' (pkgs.writeText "ldap-sender-login-map.cf" ''
${commonLdapConfig} ${commonLdapConfig}
query_filter = ${cfg.ldap.postfix.filter} query_filter = ${cfg.ldap.postfix.filter}
result_attribute = ${cfg.ldap.postfix.uidAttribute} result_attribute = ${cfg.ldap.postfix.mailAttribute}
''); '');
ldapVirtualMailboxMap = lib.optionalString (cfg.ldap.enable) ldapVirtualMailboxMap = lib.optionalString (cfg.ldap.enable)
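Review bot: `result_attribute = ${cfg.ldap.postfix.mailAttribute}` makes the sender login map return the mail address as the owner of a sender address, which only authorizes senders correctly if the SASL login name Dovecot hands to Postfix is the same identity (the test's expected rejection `Sender address rejected: not owned by user alice@example.com` shows that coupling), yet the two sides are configured by independent options. A Nix comment above the writeText call would pin the contract: `# Result must equal the SASL login name (the Dovecot uid attribute), i.e. the full mail address.`. `cfg.ldap.postfix.mailAttribute` is not declared anywhere in this diff, so I assume it already exists next to the uidAttribute this line used to reference.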


@ -18,6 +18,11 @@ pkgs.nixosTest {
virtualisation.memorySize = 1024; virtualisation.memorySize = 1024;
services.openssh = {
enable = true;
permitRootLogin = "yes";
};
environment.systemPackages = [ environment.systemPackages = [
(pkgs.writeScriptBin "mail-check" '' (pkgs.writeScriptBin "mail-check" ''
${pkgs.python3}/bin/python ${../scripts/mail-check.py} $@ ${pkgs.python3}/bin/python ${../scripts/mail-check.py} $@
@ -106,35 +111,35 @@ pkgs.nixosTest {
}; };
testScript = '' testScript = ''
import sys import sys
import re
from glob import glob
machine.start() machine.start()
machine.wait_for_unit("multi-user.target") machine.wait_for_unit("multi-user.target")
def test_lookup(map, key, expected): # This function retrieves the ldap table file from a postconf
path = glob(f"/nix/store/*-{map}")[0] # command.
value = machine.succeed(f"postmap -q alice@example.com ldap:{path}").rstrip() # A key lookup is achived and the returned value is compared
# to the expected value.
def test_lookup(postconf_cmdline, key, expected):
conf = machine.succeed(postconf_cmdline).rstrip()
ldap_table_path = re.match('.* =.*ldap:(.*)', conf).group(1)
value = machine.succeed(f"postmap -q {key} ldap:{ldap_table_path}").rstrip()
try: try:
assert value == expected assert value == expected
except AssertionError: except AssertionError:
print(f"Expected {map} lookup for key '{key}' to return '{expected}, but got '{value}'", file=sys.stderr) print(f"Expected {conf} lookup for key '{key}' to return '{expected}, but got '{value}'", file=sys.stderr)
raise raise
with subtest("Test postmap lookups"): with subtest("Test postmap lookups"):
test_lookup("ldap-virtual-mailbox-map.cf", "alice@example.com", "alice") test_lookup("postconf virtual_mailbox_maps", "alice@example.com", "alice@example.com")
test_lookup("ldap-sender-login-map.cf", "alice", "alice") test_lookup("postconf -P submission/inet/smtpd_sender_login_maps", "alice@example.com", "alice@example.com")
test_lookup("ldap-virtual-mailbox-map.cf", "bob@example.com", "alice") test_lookup("postconf virtual_mailbox_maps", "bob@example.com", "bob@example.com")
test_lookup("ldap-sender-login-map.cf", "bob", "alice") test_lookup("postconf -P submission/inet/smtpd_sender_login_maps", "bob@example.com", "bob@example.com")
with subtest("Test doveadm lookups"): with subtest("Test doveadm lookups"):
out = machine.succeed("doveadm user -u alice") machine.succeed("doveadm user -u alice@example.com")
machine.log(out) machine.succeed("doveadm user -u bob@example.com")
out = machine.succeed("doveadm user -u bob")
machine.log(out)
with subtest("Test account/mail address binding"): with subtest("Test account/mail address binding"):
machine.fail(" ".join([ machine.fail(" ".join([
@ -142,16 +147,16 @@ pkgs.nixosTest {
"--smtp-port 587", "--smtp-port 587",
"--smtp-starttls", "--smtp-starttls",
"--smtp-host localhost", "--smtp-host localhost",
"--smtp-username alice", "--smtp-username alice@example.com",
"--imap-host localhost", "--imap-host localhost",
"--imap-username bob", "--imap-username bob@example.com",
"--from-addr bob@example.com", "--from-addr bob@example.com",
"--to-addr aliceb@example.com", "--to-addr aliceb@example.com",
"--src-password-file <(echo '${alicePassword}')", "--src-password-file <(echo '${alicePassword}')",
"--dst-password-file <(echo '${bobPassword}')", "--dst-password-file <(echo '${bobPassword}')",
"--ignore-dkim-spf" "--ignore-dkim-spf"
])) ]))
machine.succeed("journalctl -u postfix | grep -q 'Sender address rejected: not owned by user alice'") machine.succeed("journalctl -u postfix | grep -q 'Sender address rejected: not owned by user alice@example.com'")
with subtest("Test mail delivery"): with subtest("Test mail delivery"):
machine.succeed(" ".join([ machine.succeed(" ".join([
@ -159,9 +164,9 @@ pkgs.nixosTest {
"--smtp-port 587", "--smtp-port 587",
"--smtp-starttls", "--smtp-starttls",
"--smtp-host localhost", "--smtp-host localhost",
"--smtp-username alice", "--smtp-username alice@example.com",
"--imap-host localhost", "--imap-host localhost",
"--imap-username bob", "--imap-username bob@example.com",
"--from-addr alice@example.com", "--from-addr alice@example.com",
"--to-addr bob@example.com", "--to-addr bob@example.com",
"--src-password-file <(echo '${alicePassword}')", "--src-password-file <(echo '${alicePassword}')",
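Review bot: In test_lookup (the `-106,35 +111,35` hunk), `re.match('.* =.*ldap:(.*)', conf).group(1)` fails with an opaque `AttributeError` on None when the postconf output has no `ldap:` table, and the greedy `.*ldap:(.*)` captures everything after the last `ldap:` to end of line, so a parameter listing several maps would yield a path with trailing entries appended. Replace that line with `match = re.search(r"ldap:([^\s,]+)", conf)`, `assert match, f"no ldap: table in postconf output {conf!r}"`, `ldap_table_path = match.group(1)` so the failure names the offending postconf output and the captured path stops at the first separator; note this picks the first ldap: entry rather than the last, which is the only behavioural difference for single-map parameters. Separately, the `services.openssh` block with `permitRootLogin = "yes"` in the first hunk is unrelated to the commit message; a comment such as `# Debug convenience: interactive root access to the test VM only` would document the intent and keep it from being copied into non-test configuration.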