Add tests for ldap auth

Makefile

@@ -5,9 +5,11 @@ all-fast: build generate-accounts run fixtures tests clean
 no-build: generate-accounts run fixtures tests clean
 
 build-no-cache:
+	cd test/docker-openldap/ && docker build -f Dockerfile -t ldap --no-cache .
 	docker build --no-cache -t $(NAME) .
 
 build:
+	cd test/docker-openldap/ && docker build -f Dockerfile -t ldap .
 	docker build -t $(NAME) .
 
 generate-accounts:
@@ -69,6 +71,7 @@ run:
 		-v "`pwd`/test":/tmp/docker-mailserver-test \
 		-e DISABLE_CLAMAV=1 \
 		-h mail.my-domain.com -t $(NAME)
+	sleep 20
 	docker run -d --name mail_manual_ssl \
 		-v "`pwd`/test/config":/tmp/docker-mailserver \
 		-v "`pwd`/test":/tmp/docker-mailserver-test \
@@ -76,6 +79,27 @@ run:
 		-e SSL_CERT_PATH=/tmp/docker-mailserver/letsencrypt/mail.my-domain.com/fullchain.pem \
 		-e SSL_KEY_PATH=/tmp/docker-mailserver/letsencrypt/mail.my-domain.com/privkey.pem \
 		-h mail.my-domain.com -t $(NAME)
+	sleep 20
+	docker run -d --name ldap_for_mail \
+		-e LDAP_DOMAIN="localhost.localdomain" \
+		-h mail.my-domain.com -t ldap
+	sleep 20
+	docker run -d --name mail_with_ldap \
+		-v "`pwd`/test/config":/tmp/docker-mailserver \
+		-v "`pwd`/test":/tmp/docker-mailserver-test \
+		-e ENABLE_LDAP=1 \
+		-e LDAP_SERVER_HOST=ldap \
+		-e LDAP_SEARCH_BASE=ou=people,dc=localhost,dc=localdomain \
+		-e LDAP_BIND_DN=cn=admin,dc=localhost,dc=localdomain \
+		-e ENABLE_SASLAUTHD=1 \
+		-e SASLAUTHD_MECHANISMS=ldap \
+		-e SASLAUTHD_LDAP_SERVER=ldap \
+		-e SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=localhost,dc=localdomain \
+		-e SASLAUTHD_LDAP_PASSWORD=admin \
+		-e SASLAUTHD_LDAP_SEARCH_BASE=ou=people,dc=localhost,dc=localdomain \
+		-e POSTMASTER_ADDRESS=postmaster@localhost.localdomain \
+		--link ldap_for_mail:ldap \
+		-h mail.my-domain.com -t $(NAME)
 	# Wait for containers to fully start
 	sleep 20
 
@@ -115,7 +139,10 @@ clean:
 		fail-auth-mailer \
 		mail_disabled_amavis \
 		mail_disabled_clamav \
-		mail_manual_ssl
+		mail_manual_ssl \
+		ldap_for_mail \
+		mail_with_ldap
+
 	@if [ -f config/postfix-accounts.cf.bak ]; then\
 		rm -f config/postfix-accounts.cf ;\
 		mv config/postfix-accounts.cf.bak config/postfix-accounts.cf ;\

test/auth/imap-ldap-auth.txt

@@ -0,0 +1,2 @@
+a1 LOGIN some.user@localhost.localdomain secret
+a2 LOGOUT

test/auth/sasl-ldap-smtp-auth.txt

@@ -0,0 +1,5 @@
+EHLO mail
+AUTH LOGIN
+c29tZS51c2VyQGxvY2FsaG9zdC5sb2NhbGRvbWFpbg==
+c2VjcmV0
+QUIT

test/config/dovecot-ldap.conf.ext

@@ -0,0 +1,10 @@
+base                = ou=people,dc=my-domain,dc=com
+default_pass_scheme = SSHA
+dn                  = cn=admin,dc=my-domain,dc=com
+dnpass              = admin
+hosts               = mail.my-domain.com
+ldap_version        = 3
+pass_attrs          = uniqueIdentifier=user,userPassword=password
+pass_filter         = (&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))
+user_attrs          = mailHomeDirectory=home,mailUidNumber=uid,mailGidNumber=gid,mailStorageDirectory=mail
+user_filter         = (&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))

test/config/postfix-ldap-aliases.cf

@@ -0,0 +1,8 @@
+bind             = yes
+bind_dn          = cn=admin,dc=my-domain,dc=com
+bind_pw          = admin
+query_filter     = (&(mailAlias=%s)(mailEnabled=TRUE))
+result_attribute = mail
+search_base      = ou=people,dc=my-domain,dc=com
+server_host      = mail.my-domain.com
+version          = 3

test/config/postfix-ldap-groups.cf

@@ -0,0 +1,8 @@
+bind                     = yes
+bind_dn                  = cn=admin,dc=my-domain,dc=com
+bind_pw                  = admin
+query_filter             = (&(mailGroupMember=%s)(mailEnabled=TRUE))
+result_attribute         = mail
+search_base              = ou=people,dc=my-domain,dc=com
+server_host              = mail.my-domain.com
+version                  = 3

test/config/postfix-ldap-users.cf

@@ -0,0 +1,8 @@
+bind             = yes
+bind_dn          = cn=admin,dc=my-domain,dc=com
+bind_pw          = admin
+query_filter     = (&(mail=%s)(mailEnabled=TRUE))
+result_attribute = mail
+search_base      = ou=people,dc=my-domain,dc=com
+server_host      = mail.my-domain.com
+version          = 3

test/docker-openldap/Dockerfile

@@ -0,0 +1,5 @@
+FROM osixia/openldap:1.1.6
+MAINTAINER Dennis Stumm <dstumm95@gmail.com>
+
+ADD bootstrap /container/service/slapd/assets/config/bootstrap
+RUN rm /container/service/slapd/assets/config/bootstrap/schema/mmc/mail.schema

test/docker-openldap/bootstrap/ldif/01_mail-tree.ldif

@@ -0,0 +1,5 @@
+dn: ou=people,dc=localhost,dc=localdomain
+changetype: add
+objectClass: organizationalUnit
+objectClass: top
+ou: people

test/docker-openldap/bootstrap/ldif/02_user-email.ldif

@@ -0,0 +1,25 @@
+# -------------------------------------------------------------------- 
+# Create mail accounts
+# -------------------------------------------------------------------- 
+# Some User
+dn: uniqueIdentifier=some.user,ou=people,dc=localhost,dc=localdomain
+changetype: add
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+objectClass: PostfixBookMailAccount
+objectClass: extensibleObject
+cn: Some User
+givenName: User
+mail: some.user@localhost.localdomain
+mailAlias: postmaster@localhost.localdomain
+mailGroupMember: employees@localhost.localdomain 
+mailEnabled: TRUE
+mailGidNumber: 5000
+mailHomeDirectory: /var/mail/localhost.localdomain/some.user/
+mailQuota: 10240
+mailStorageDirectory: maildir:/var/mail/localhost.localdomain/some.user/
+mailUidNumber: 5000
+sn: Some
+uniqueIdentifier: some.user
+userPassword: {SSHA}eLtqGpid+hkSVhxvsdTPztv4uapRofGx

test/docker-openldap/bootstrap/schema/mmc/postfix-book.schema

@@ -0,0 +1,70 @@
+# $Id$
+#
+# State of Mind
+# Private Enterprise Number: 29426
+#
+# OID prefix: 1.3.6.1.4.1.29426
+#
+# Attributes: 1.3.6.1.4.1.29426.1.10.x
+#
+
+
+attributetype ( 1.3.6.1.4.1.29426.1.10.1 NAME 'mailHomeDirectory'
+	DESC 'The absolute path to the mail user home directory'
+        EQUALITY caseExactIA5Match
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.29426.1.10.2 NAME 'mailAlias'
+        DESC 'RFC822 Mailbox - mail alias'
+        EQUALITY caseIgnoreIA5Match
+        SUBSTR caseIgnoreIA5SubstringsMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+
+attributetype ( 1.3.6.1.4.1.29426.1.10.3 NAME 'mailUidNumber'
+        DESC 'UID required to access the mailbox'
+        EQUALITY integerMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.29426.1.10.4 NAME 'mailGidNumber'
+        DESC 'GID required to access the mailbox'
+        EQUALITY integerMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.29426.1.10.5 NAME 'mailEnabled'
+	DESC 'TRUE to enable, FALSE to disable account'
+        EQUALITY booleanMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.29426.1.10.6 NAME 'mailGroupMember'
+	DESC 'Name of a mail distribution list'
+        EQUALITY caseExactIA5Match
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.29426.1.10.7 NAME 'mailQuota'
+	DESC 'Mail quota limit in kilobytes'
+        EQUALITY caseExactIA5Match
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.29426.1.10.8 NAME 'mailStorageDirectory'
+	DESC 'The absolute path to the mail users mailbox'
+        EQUALITY caseExactIA5Match
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+
+#
+# Objects: 1.3.6.1.4.1.29426.1.2.2.x
+#
+
+objectclass ( 1.3.6.1.4.1.29426.1.2.2.1 NAME 'PostfixBookMailAccount'
+        SUP top AUXILIARY
+	DESC 'Mail account used in Postfix Book'
+	MUST ( mail )
+        MAY ( mailHomeDirectory $ mailAlias $ mailGroupMember 
+		$ mailUidNumber $ mailGidNumber $ mailEnabled
+		$ mailQuota $mailStorageDirectory ) )
+
+objectclass ( 1.3.6.1.4.1.29426.1.2.2.2 NAME 'PostfixBookMailForward'
+        SUP top AUXILIARY
+	DESC 'Mail forward used in Postfix Book'
+	MUST ( mail $ mailAlias ))
+

test/email-templates/test-email.txt

@@ -0,0 +1,3 @@
+Subject: Test Message
+
+This is a test mail.

test/tests.bats

@@ -57,6 +57,11 @@
   [ "$status" -eq 1 ]
 }
 
+@test "checking process: saslauthd (saslauthd server enabled)" {
+  run docker exec mail_with_ldap /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/sbin/saslauthd'"
+  [ "$status" -eq 0 ]
+}
+
 #
 # imap
 #
@@ -746,3 +751,45 @@
   run ./setup.sh -c mail debug login ls
   [ "$status" -eq 0 ]
 }
+
+#
+# LDAP
+#
+
+# postfix
+@test "checking postfix: ldap lookup works correctly" {
+  run docker exec mail_with_ldap /bin/sh -c "postmap -q some.user@localhost.localdomain ldap:/etc/postfix/ldap-users.cf"
+  [ "$status" -eq 0 ]
+  [ "$output" = "some.user@localhost.localdomain" ]
+  run docker exec mail_with_ldap /bin/sh -c "postmap -q postmaster@localhost.localdomain ldap:/etc/postfix/ldap-aliases.cf"
+  [ "$status" -eq 0 ]
+  [ "$output" = "some.user@localhost.localdomain" ]
+  run docker exec mail_with_ldap /bin/sh -c "postmap -q employees@localhost.localdomain ldap:/etc/postfix/ldap-groups.cf"
+  [ "$status" -eq 0 ]
+  [ "$output" = "some.user@localhost.localdomain" ]
+}
+
+# dovecot
+@test "checking dovecot: ldap imap connection and authentication works" {
+  run docker exec mail_with_ldap /bin/sh -c "nc -w 1 0.0.0.0 143 < /tmp/docker-mailserver-test/auth/imap-ldap-auth.txt"
+  [ "$status" -eq 0 ]
+}
+
+@test "checking dovecot: mail delivery works" {
+  run docker exec mail_with_ldap /bin/sh -c "sendmail -f user@external.tld some.user@localhost.localdomain < /tmp/docker-mailserver-test/email-templates/test-email.txt"
+  sleep 10
+  run docker exec mail_with_ldap /bin/sh -c "ls -A /var/mail/localhost.localdomain/some.user/new | wc -l"
+  [ "$status" -eq 0 ]
+  [ "$output" -eq 1 ]
+}
+
+# saslauthd
+@test "checking saslauthd: sasl ldap authentication works" {
+  run docker exec mail_with_ldap bash -c "testsaslauthd -u some.user -p secret"
+  [ "$status" -eq 0 ]
+}
+
+@test "checking saslauthd: ldap smtp authentication" {
+  run docker exec mail_with_ldap /bin/sh -c "nc -w 5 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/sasl-ldap-smtp-auth.txt | grep 'Authentication successful'"
+  [ "$status" -eq 0 ]
+}