From f7a800ff8ce558380a4fc0cf6170890ff97cea92 Mon Sep 17 00:00:00 2001
From: Antoine Eiche
Date: Fri, 19 May 2023 10:08:50 +0200
Subject: [PATCH] Make the ldap test working
- The smtp/imap user name is now user@domain.tld
- Make the test_lookup function much more robust: it was now getting the correct file from the store.
---
 default.nix | 12 +++++------
 mail-server/postfix.nix | 2 +-
 tests/ldap.nix | 47 +++++++++++++++++++++++------------------
 3 files changed, 33 insertions(+), 28 deletions(-)
diff --git a/default.nix b/default.nix
index 4b684d1..86b436d 100644
--- a/default.nix
+++ b/default.nix
@@ -280,8 +280,8 @@ in
 userFilter = mkOption {
 type = types.str;
- default = "cn=%u";
- example = "(&(objectClass=inetOrgPerson)(cn=%u))";
+ default = "mail=%u";
+ example = "(&(objectClass=inetOrgPerson)(mail=%u))";
 description = ''
 Filter for user lookups in Dovecot.
@@ -304,9 +304,9 @@ in
 };
 passFilter = mkOption {
- type = types.str;
- default = "cn=%u";
- example = "(&(objectClass=inetOrgPerson)(cn=%u))";
+ type = types.nullOr types.str;
+ default = "mail=%u";
+ example = "(&(objectClass=inetOrgPerson)(mail=%u))";
 description = ''
 Filter for password lookups in Dovecot.
@@ -331,7 +331,7 @@ in
 uidAttribute = mkOption {
 type = types.str;
- default = "cn";
+ default = "mail";
 example = "uid";
 description = ''
 The LDAP attribute referencing the account name for a user.
diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix
index 9ccf7bb..576b8f7 100644
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -158,7 +158,7 @@ let
 (pkgs.writeText "ldap-sender-login-map.cf" ''
 ${commonLdapConfig}
 query_filter = ${cfg.ldap.postfix.filter}
- result_attribute = ${cfg.ldap.postfix.uidAttribute}
+ result_attribute = ${cfg.ldap.postfix.mailAttribute}
 '');
 ldapVirtualMailboxMap = lib.optionalString (cfg.ldap.enable)
diff --git a/tests/ldap.nix b/tests/ldap.nix
index 6077543..6c8308d 100644
--- a/tests/ldap.nix
+++ b/tests/ldap.nix
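Review bot: The new defaults `mail=%u` for userFilter/passFilter and `mail` for uidAttribute switch the login identity of every existing LDAP deployment from the entry's `cn` to its mail address, and neither the option descriptions in these three hunks nor the commit message call this out as a breaking change; users who log in with a bare `cn` today will be locked out after upgrading, so a release-note entry or a `warnings` line for the old behaviour is needed. The second hunk also widens passFilter to `types.nullOr types.str` without anything in the hunk saying what `null` means; its description (which continues outside the hunk) should state whether a null value disables the separate password lookup and what Dovecot then uses instead. Since `mail` is commonly multi-valued and not guaranteed unique across entries, the userFilter/passFilter descriptions would benefit from a sentence that the filter must select exactly one entry per login name, e.g. `The filter must match exactly one entry; ambiguous matches are rejected by Dovecot.` All three option bodies continue outside the hunks.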
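Review bot: Switching `result_attribute` to `cfg.ldap.postfix.mailAttribute` is only correct because the SASL login name is now the mail address, and that coupling between the Dovecot login attribute and the Postfix sender-login map is not recorded anywhere in the hunk. A comment above the `writeText`, such as `# smtpd_sender_login_maps must return the SASL login name; logins are mail addresses, so this is the mail attribute rather than the uid`, would keep the two defaults from drifting apart later. If `cfg.ldap.postfix.uidAttribute` is no longer referenced by this file after the change (not visible from the hunk), it should be retired with `lib.mkRemovedOptionModule` or a warning instead of being silently ignored. The `let` binding continues outside the hunk.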
@@ -18,6 +18,11 @@ pkgs.nixosTest {
 virtualisation.memorySize = 1024;
+ services.openssh = {
+ enable = true;
+ permitRootLogin = "yes";
+ };
+
 environment.systemPackages = [
 (pkgs.writeScriptBin "mail-check" ''
 ${pkgs.python3}/bin/python ${../scripts/mail-check.py} $@
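Review bot: The added `services.openssh` block with `permitRootLogin = "yes"` is not used by anything in the visible test script and reads like a leftover convenience for attaching to the VM while debugging; it turns on a root-login SSH daemon on the test node, and test files like this one tend to get copied as configuration templates. Either drop the block or mark it, e.g. `# Debugging aid only: not required by the test.` above it. Note also that `services.openssh.permitRootLogin` has been superseded by `services.openssh.settings.PermitRootLogin` in recent NixOS releases, so keeping it will likely produce a deprecation warning. The node definition continues outside the hunk.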
@@ -106,35 +111,35 @@ pkgs.nixosTest {
 };
 testScript = ''
 import sys
-
- from glob import glob
+ import re
 machine.start()
 machine.wait_for_unit("multi-user.target")
- def test_lookup(map, key, expected):
- path = glob(f"/nix/store/*-{map}")[0]
- value = machine.succeed(f"postmap -q alice@example.com ldap:{path}").rstrip()
+ # This function retrieves the ldap table file from a postconf
+ # command.
+ # A key lookup is achived and the returned value is compared
+ # to the expected value.
+ def test_lookup(postconf_cmdline, key, expected):
+ conf = machine.succeed(postconf_cmdline).rstrip()
+ ldap_table_path = re.match('.* =.*ldap:(.*)', conf).group(1)
+ value = machine.succeed(f"postmap -q {key} ldap:{ldap_table_path}").rstrip()
 try:
 assert value == expected
 except AssertionError:
- print(f"Expected {map} lookup for key '{key}' to return '{expected}, but got '{value}'", file=sys.stderr)
+ print(f"Expected {conf} lookup for key '{key}' to return '{expected}, but got '{value}'", file=sys.stderr)
 raise
-
 with subtest("Test postmap lookups"):
- test_lookup("ldap-virtual-mailbox-map.cf", "alice@example.com", "alice")
- test_lookup("ldap-sender-login-map.cf", "alice", "alice")
+ test_lookup("postconf virtual_mailbox_maps", "alice@example.com", "alice@example.com")
+ test_lookup("postconf -P submission/inet/smtpd_sender_login_maps", "alice@example.com", "alice@example.com")
- test_lookup("ldap-virtual-mailbox-map.cf", "bob@example.com", "alice")
- test_lookup("ldap-sender-login-map.cf", "bob", "alice")
+ test_lookup("postconf virtual_mailbox_maps", "bob@example.com", "bob@example.com")
+ test_lookup("postconf -P submission/inet/smtpd_sender_login_maps", "bob@example.com", "bob@example.com")
 with subtest("Test doveadm lookups"):
- out = machine.succeed("doveadm user -u alice")
- machine.log(out)
-
- out = machine.succeed("doveadm user -u bob")
- machine.log(out)
+ machine.succeed("doveadm user -u alice@example.com")
+ machine.succeed("doveadm user -u bob@example.com")
 with subtest("Test account/mail address binding"):
 machine.fail(" ".join([
@@ -142,16 +147,16 @@ pkgs.nixosTest {
 "--smtp-port 587",
 "--smtp-starttls",
 "--smtp-host localhost",
- "--smtp-username alice",
+ "--smtp-username alice@example.com",
 "--imap-host localhost",
- "--imap-username bob",
+ "--imap-username bob@example.com",
 "--from-addr bob@example.com",
 "--to-addr aliceb@example.com",
 "--src-password-file <(echo '${alicePassword}')",
 "--dst-password-file <(echo '${bobPassword}')",
 "--ignore-dkim-spf"
 ]))
- machine.succeed("journalctl -u postfix | grep -q 'Sender address rejected: not owned by user alice'")
+ machine.succeed("journalctl -u postfix | grep -q 'Sender address rejected: not owned by user alice@example.com'")
 with subtest("Test mail delivery"):
 machine.succeed(" ".join([
@@ -159,9 +164,9 @@ pkgs.nixosTest {
 "--smtp-port 587",
 "--smtp-starttls",
 "--smtp-host localhost",
- "--smtp-username alice",
+ "--smtp-username alice@example.com",
 "--imap-host localhost",
- "--imap-username bob",
+ "--imap-username bob@example.com",
 "--from-addr alice@example.com",
 "--to-addr bob@example.com",
 "--src-password-file <(echo '${alicePassword}')",
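Review bot: `re.match('.* =.*ldap:(.*)', conf).group(1)` in the new test_lookup fails with an opaque AttributeError on None whenever the postconf output carries no `ldap:` table, and the open-ended `(.*)` would also swallow anything that follows the path if the parameter ever lists more than one map. Checking the match explicitly and bounding the capture gives a readable failure: `m = re.match(r'.* =.*ldap:([^\s,]+)', conf)`, `assert m is not None, f"no ldap: table in {conf!r}"`, `ldap_table_path = m.group(1)`. The try/except/print/raise around the comparison can then collapse into a single `assert value == expected, f"..."` carrying the same message, which also fixes the unbalanced quote in `'{expected},` that the updated print line keeps. The comment above the function has a typo, "achived" → "achieved", and the first two added test_lookup lines in the postmap subtest are the natural place for a one-line comment that the sender-login map is now expected to return the mail address because it is the SASL login name. The testScript string continues outside the hunk.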