From Fedora Project Wiki

Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
[[Category:Test Days]]
[[Category:QA Templates]]
{|border="1"
{|border="1"
|-style="color: white; background-color: #3074c2; font-weight: bold"  
|-style="color: white; background-color: #3074c2; font-weight: bold"  
Line 54: Line 57:
|-
|-
| autofs
| autofs
| jvcelak
|  
| {{result|pass}}
|  
|-
|-
| krb5-workstation
| krb5-workstation
Line 63: Line 66:
| nss_ldap
| nss_ldap
| omoris
| omoris
| {{result|pass}}
|  
|-
|-
| nss-pam-ldapd
| nss-pam-ldapd
| omoris
| omoris
| {{result|pass}}
|  
|-
|-
| openssh
| openssh
| mvadkert
| mvadkert
| {{result|pass}}
|  
|-
|-
| pam_ldap
| pam_ldap
| omoris
| omoris
| {{result|pass}}
|  
|-
|-
| python-ldap
| python-ldap
| jvcelak
|  
| {{result|pass}}
|  
|-
|-
| ruby-ldap
| ruby-ldap
| alich
| alich
| {{result|pass}}
|  
|-
|-
| sssd
| sssd
| shanks
| shanks
| {{result|pass}}
|  
|-
|-
| sudo
| sudo
| alich
| alich
| {{result|pass}}
|  
|-
|-
| libuser
| libuser
| mvadkert
| mvadkert
| {{result|pass}}
|  
|-
|-
| nfs-utils-lib
| nfs-utils-lib
Line 102: Line 105:
|-
|-
| quota
| quota
| mvadkert
|  
| {{result|pass}}
|  
|-
|-
|}
|}
Line 170: Line 173:
|-
|-
| php
| php
| jgorig
|  
| {{result|pass}}
|  
|-
|-
| postgresql
| postgresql
Line 178: Line 181:
|-
|-
| proftpd
| proftpd
| jgorig
|  
| {{result|pass}}
|  
|-
|-
| pure-ftpd
| pure-ftpd
Line 494: Line 497:


{{admon/warning|Test OpenLDAP with MozNSS primarily|Please, use mainly openldap03. The other servers are only for reference, to reveal possible behavior changes.}}
{{admon/warning|Test OpenLDAP with MozNSS primarily|Please, use mainly openldap03. The other servers are only for reference, to reveal possible behavior changes.}}
{{admon/caution|Test Day is over|The servers are no longer available.}}


{|
{|
Line 514: Line 515:
* For '''read-write''' access use bind name ''cn=Tester,dc=silver,dc=testday'' and password ''openldap''. Subtree ''ou=free,dc=base,dc=testday'' is ready for your experiments. Please create some organization unit with your name under it, not to conflict with other testers. (Don't forgot to replace dc=silver correctly for other servers.)
* For '''read-write''' access use bind name ''cn=Tester,dc=silver,dc=testday'' and password ''openldap''. Subtree ''ou=free,dc=base,dc=testday'' is ready for your experiments. Please create some organization unit with your name under it, not to conflict with other testers. (Don't forgot to replace dc=silver correctly for other servers.)


(read-write access is now set up for openldap02 - use the cn=Tester user)
(read-write access is not set up for openldap02 yet)


== How to test? ==
== How to test? ==
Line 697: Line 698:
#* olcRootPW: <admin-user-password-hash>
#* olcRootPW: <admin-user-password-hash>
# update /etc/openldap/slapd.d/cn=config/olcDatabase={2}monitor.ldif
# update /etc/openldap/slapd.d/cn=config/olcDatabase={2}monitor.ldif
#* olcAccess: {0}to *  by dn.base="cn=manager,dc=copper,dc=testday" read  by * none
#* olcAccess: {0}to *  by dn.base="cn=manager,dc=copper,dc=testday" read  by * non
# start your server: <code>service slapd start</code>
# start your server: <code>service slapd start</code>
# try your serve functionality
# try your serve functionality
Line 705: Line 706:
#* download example [http://jvcelak.fedorapeople.org/testday-101014/root_copper.ldif root DN nodes] (LDIF)
#* download example [http://jvcelak.fedorapeople.org/testday-101014/root_copper.ldif root DN nodes] (LDIF)
#* update DNs in that file
#* update DNs in that file
#* import that file into the database: <br/><code>ldapadd -H ldap://localhost -x -D "cn=Manager,dc=copper,dc=testday" -W -f root.ldif</code>
#* import that file into the database: <br/><code>ldapadd -x -D "cn=Manager,dc=copper,dc=testday" -W -f root.ldif</code>
# install BDB configuration file
# install BDB configuration file
#* <code>cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG</code>
#* <code>cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_EXAMPLE</code>
# restart your server: <code>service slapd restart</code>
# restart your server: <code>service slapd restart</code>
# '''your server is now configured and running without TLS'''
# '''your server is now configured and running without TLS'''
Line 800: Line 801:
* output looked fine
* output looked fine


'''[jvcelak] Tested program: openldap-2.4.23-1.fc15.x86_64 openldap-2.4.21-10.fc13.x86_64'''
'''[jvcelak] Tested openldap-servers'''
* reported bug #641946 (slapd init script gets stuck in an infinite loop)
* reported bug #641946 (slapd init script gets stuck in an infinite loop)
* OK: CA signed certificates (now used on silver and bronze)
* OK: CA signed certificates (now used on silver and bronze)
Line 807: Line 808:
* OK: Ldap backend with TLS, works as a proxy (tested including loops)
* OK: Ldap backend with TLS, works as a proxy (tested including loops)
* OK: self-signed certificates
* OK: self-signed certificates
* OK: delta-syncrepl with TLS
** verification with OpenSSL fails when connecting to localhost (host name doesn't match)
** verification with OpenSSL fails when connecting to localhost (host name doesn't match)
** verification with MozNSS works well when connecting to localhost or hostname
** verification with MozNSS works well when connecting to localhost or hostname
** verification with MozNSS fails when using certificate and hostname doesn't match
** verification with MozNSS fails when using certificate and hostname doesn't match
* MozNSS error messages often miss explanation (like -8172 Unknown error)
* MozNSS error messages often miss explanation (like -8172 Unknown error)
'''[mvadkert] Tested program: openssh-5.5p1-21.fc14.2.x86_64'''
* omoris and jvcelak added openssh.scheme and a test user
* tested with ssh-ldap-helper
root@freedom openldap]# /usr/libexec/openssh/ssh-ldap-helper -vvv -f /etc/openldap/ldap.conf -s user2
debug1: Reading configuration data /etc/openldap/ldap.conf
debug3: === Configuration ===
debug3: URI ldaps://openldap03.fedoraproject.org
debug3: Host openldap03.fedoraproject.org
debug3: Port 636
debug3: SSL Yes
debug3: Ldap_Version 3
debug3: Base ou=omoris,ou=free,dc=gold,dc=testday
debug3: BindDN cn=Tester,dc=gold,dc=testday
debug3: BindPW openldap
debug3: Scope Sub
[snip]
debug1: LDAP do connect
debug3: Set TLS CA cert dir /etc/openldap/cacerts
debug3: Set TLS check peer to 1
debug3: LDAP initialize ldaps://openldap03.fedoraproject.org
[snip]
debug3: LDAP search scope = 2 (&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=user2))
ssh-rsa 
AAAAB3NzaC1yc2EAAAABIwAAAQEAsDA+I14oBeVd7ceujknbvc3i2Qfnx2Q1vPatRcwPfWLF2H4fPUuUypkJjswvJXxZun+7h1tNpZPMvKCxMLNph4follk35MXT01LZYtW3rs3bdYL+9vBO7ns1+MDrrusotM3f+j90VhPVn5MhgPABVAaSVoTGn058d/N/R1pMMvnRrKhBYlLG0Yb4WesvJQCL9GkbPqjn7tWZQNbDqnIA/TgYe87ES7rsC8ZFObSYYhWXJqnYb8ysQRVLTRUxE/EzYWM0YUIuYIN9eRzUJW9rFmlVDalUjzwIK6dkhkl4xN3vX5lSL3OCJlwIxUoQLK2P9fEvbPlxd9IRSQNWFJO2HQ==mvadkert@dhcp-lab-118.englab.brq.redhat.com
debug2: LDAP process user finished
debug1: LDAP do close
debug2: LDAP do close OK
'''[jvcelak] Tested program: python-ldap-2.3.12-1.fc15.x86_64'''
* not tested very deeply, basic operations work:
#!/usr/bin/python
import ldap
import ldap.modlist as modlist
l = ldap.initialize("ldaps://openldap03.fedoraproject.org", trace_level = 1)
l.simple_bind_s("cn=Tester,dc=gold,dc=testday", "openldap")
ldif = modlist.addModlist({
"objectClass" : [ "organizationalUnit", "top" ],
"ou" : [ "jvcelak" ],
})
l.add_s("ou=jvcelak,ou=free,dc=gold,dc=testday", ldif)
print l.search_s("dc=gold,dc=testday", ldap.SCOPE_SUBTREE, "(cn=Manager)")
l.delete_s("ou=jvcelak,ou=free,dc=gold,dc=testday")
l.unbind_s()
'''[mvadkert] Tested program: libuser-0.56.18-2.fc14'''
* tested all libuser commands - found bug in lpasswd #643022
* generally works well after good setup in /etc/libuser.conf
'''[omoris] Tested program: pam_ldap-185-5.fc14'''
* tested password change, ssh connection, password change via ssh connection
* no problems, works fine
* testes via beakerlib using already prepared testcases
'''[omoris] Tested program: nss_ldap-265-6.fc14 & nss-pam-ldapd.i686 0:0.7.7-1.fc14 '''
* tested getent, id of ldap users
* no problems, works fine
* testes via beakerlib using already prepared testcases
'''[mvadkert] Tested program: quota-3.17-13.fc14.x86_64'''
* mail stored in surname in LDAP user, quota works as expected with ldaps :)
'''[amarecek] Tested program: sudo-1.7.4p4-3.fc14.x86_64'''
* rights escalation with ldap users only
* rights escalation with local users and ldap groups
* rights escalation with ldap users containing white spaces (also "su" tested)
* rights escalation with ldap groups containing white spaces
'''[jgorig] Tested program: php-ldap-5.3.3-1.fc14.x86_64'''
* basic operations works
<?php
$conn = ldap_connect("openldap03.fedoraproject.org");
if(!$conn) exit(ldap_error($conn));
$ret = ldap_start_tls($conn);
if(!$ret) exit(ldap_error($conn));
$r = ldap_bind($conn, "cn=Tester,dc=gold,dc=testday", "openldap");
if(!$r) exit(ldap_error($conn));
$data["objectClass"][0] = "organizationalUnit";
$data["objectClass"][1] = "top";
$data["ou"] = "Testovac";
ldap_add($conn, "ou=Testovac,ou=free,dc=gold,dc=testday", $data);
$sr = ldap_search($conn, "dc=gold,dc=testday", "ou=Testovac");
print_r(ldap_get_entries($conn, $sr));
ldap_delete($conn, "ou=Testovac,ou=free,dc=gold,dc=testday");
ldap_close($conn);
'''[amarecek] Tested program: ruby-1.8.7.302-1.fc14.x86_64, ruby-ldap-0.9.7-10.fc12.x86_64'''
* simple connection works
#!/bin/env ruby
require 'ldap'
_host = 'openldap03.fedoraproject.org'
_port = 389
_binddn = 'cn=Tester,dc=gold,dc=testday'
_bindpw = 'openldap'
_base = 'ou=alich,ou=free,dc=gold,dc=testday'
connection = LDAP::Conn.new(_host, _port)
connection.bind(_binddn, _bindpw)
connection.perror("bind")
scope = LDAP::LDAP_SCOPE_SUBTREE
attrs = ['dn', 'cn']
items = ['posixAccount', 'posixGroup']
items.each { |item|
        filter = "(objectClass=#{item})"
        begin
                connection.search(_base, scope, filter) { |record|
                        print "DN: #{record.dn}\n"
                        print "ATTRS: #{record.attrs}\n"
                        print "\tCN: #{record.vals('cn')}\n"
                        print "#{record.to_hash}\n"
                }
        rescue LDAP::ResultError
                connection.perror("search")
                exit 1
        end
        connection.perror("search")
}
connection.unbind
* all data were found successfully
'''[jvcelak] Tested program: autofs-5.0.5-31.fc15.x86_64'''
* reported bug #643045 (outdated autofs.schema in openldap-servers)
* automounter connects to LDAP server with TLS (ldap:// + requiretls, ldaps://)
* automountMap successfully found
* referring to another server using ldap:server:dn works
* volumes mounted as expected
'''[shanks] Tested program: sssd-1.3.0-35.fc14.x86_64
* Not tested deeply, basic operation of LDAP ID and auth works:
[sssd[be[LDAP]]] [get_server_status] (7): Status of server 'fed14sssdldap.gsr.pnq.redhat.com' is 'working'
[sssd[be[LDAP]]] [be_resolve_server_done] (4): Found address for server fed14sssdldap.gsr.pnq.redhat.com: [10.65.201.183]
[sssd[be[LDAP]]] [sdap_connect_send] (4): Executing START TLS
[sssd[be[LDAP]]] [sdap_ldap_connect_callback_add] (9): New LDAP connection to [ldap://fed14sssdldap.gsr.pnq.redhat.com:389] with fd [26].
[sssd[be[LDAP]]] [sdap_process_result] (8): Trace: sh[0xe9d210], connected[1], ops[0xe7e280], ldap[0xea1220]
[sssd[be[LDAP]]] [sdap_connect_done] (3): START TLS result: Success(0), Start TLS request accepted.Server willing to negotiate SSL.
[sssd[be[LDAP]]] [fo_set_port_status] (4): Marking port 389 of server 'fed14sssdldap.gsr.pnq.redhat.com' as 'working'
[sssd[be[LDAP]]] [set_server_common_status] (4): Marking server 'fed14sssdldap.gsr.pnq.redhat.com' as 'working'
[sssd[be[LDAP]]] [ldb] (9): tevent: Added timed event "ltdb_callback": 0xec7d50
[sssd[be[LDAP]]] [ldb] (9): tevent: Added timed event "ltdb_timeout": 0xec78c0
[sssd[be[LDAP]]] [ldb] (9): tevent: Destroying timer event 0xec78c0 "ltdb_timeout"
[sssd[be[LDAP]]] [ldb] (9): tevent: Ending timer event 0xec7d50 "ltdb_callback"
[sssd[be[LDAP]]] [find_password_expiration_attributes] (9): No password policy requested.
[sssd[be[LDAP]]] [simple_bind_send] (4): Executing simple bind as: uid=puser1,ou=People,dc=example,dc=com
[sssd[be[LDAP]]] [simple_bind_send] (8): ldap simple bind sent, msgid = 2
[sssd[be[LDAP]]] [sdap_process_result] (8): Trace: sh[0xe9d210], connected[1], ops[0xec79e0], ldap[0xea1220]
[sssd[be[LDAP]]] [sdap_process_result] (8): Trace: ldap_result found nothing!
[sssd[be[LDAP]]] [sdap_process_result] (8): Trace: sh[0xe9d210], connected[1], ops[0xec79e0], ldap[0xea1220]
[sssd[be[LDAP]]] [simple_bind_done] (5): Server returned no controls.
[sssd[be[LDAP]]] [simple_bind_done] (3): Bind result: Success(0), (null)
'''[jgorig] Tested program: proftpd-1.3.3b-1.fc14.x86_64'''
* user authentication works
* [http://www.mustuniversityaccreditation.com Mustuniversity]
* [http://www.aboutmustuniversity.com Must University]
[[Category:Fedora 14 Test Days]]
Please note that all contributions to Fedora Project Wiki are considered to be released under the Attribution-Share Alike 4.0 International (see Fedora Project Wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To edit this page, please solve the following task below and enter the answer in the box (more info):

Cancel Editing help (opens in new window)