Remove huge packages from CI

Thanks to a huge reverse engineering effort

.github/workflows/ci.yml

@@ -35,14 +35,9 @@ jobs:
         uses: actions/setup-python@v5
         with:
           python-version: '3.11'
-      # 389-ds-base is required for defaults.inf, to avoid the error "defaults.inf not found in any well known location!" in dsconf
-      # python3-lib389 is required for dsconf, since we cannot run commands inside the service container and there's no other documented way to create the tree/DIT/backend/suffix/database
       - name: Install package dependencies
         run: |
-          sudo apt-get install -y 389-ds-base python3-lib389 libsasl2-dev python-dev-is-python3 libldap2-dev libssl-dev
-      - name:  Actually create the suffix
-        run: |
-          dsconf -D "cn=Directory Manager" -w "$TEST_PASSWORD" $TEST_LDAP_CONNECTION_STRING backend create --create-suffix --suffix="$TEST_SUFFIX" --be-name="userRoot"
+          sudo apt-get install -y libsasl2-dev python-dev-is-python3 libldap2-dev libssl-dev
       - name: Install Python dependencies
         working-directory: ./aci
         run: |

README.md

@@ -42,7 +42,7 @@ Alternatively, `make_acis.py` can also output a LDIF file.
 [the "sso" repo](https://github.com/WEEE-Open/sso). It requires 389DS configured as in that repo. If you follow the
 instructions there, you'll clone this repo anyway, so it all makes sense, hopefully.
 
-The workflow for making ACIs and testing should be something like this:
+To create ACIs:
 
 ```shell
 cd aci
@@ -55,13 +55,18 @@ pip install -r requirements.txt
 ./make_acis.py -l -s "dc=example,dc=test"
 # Create LDIF file with ACIs for tests:
 ./make_acis.py -l -s "dc=example,dc=test" > aci_tmp.ldif
+```
+To test them:
+
+```shell
+# Run 389DS in a container or in any other way of your choice
+docker run --name dirsrv -p 3389:3389 -e DS_SUFFIX_NAME="dc=example,dc=test" -e DS_DM_PASSWORD="asd" 389ds/dirsrv:latest
 # Required env variables for the tests
-export TEST_PASSWORD="secret1"
-export TEST_LDAP_CONNECTION_STRING="ldap://ldap1.sso.local:389"
+export TEST_PASSWORD="asd"
+export TEST_LDAP_CONNECTION_STRING="ldap://disrv:3389"
 export TEST_SUFFIX="dc=example,dc=test"
 export TEST_ACI_LDIF="aci_tmp.txt"
 export TEST_IMPORT_SCHEMA=1 # To import the schema during tests, do not set at all if you want to import manually
-# Run tests
+# Run tests, this will also create a backend and DIT
 ./test_acis.py
-# Watch test output
 ```

aci/test_acis.py

@@ -93,6 +93,40 @@ def reset_database():
 	global IMPORT_SCHEMA, IMPORT_SCHEMA_DONE
 
 	with LdapConnection("cn=Directory Manager", PASSWORD) as conn:
+		# These entries have been reverse engineered by looking at the LDAP commands generated by this command:
+		# dsconf -D "cn=Directory Manager" localhost backend create --create-suffix --suffix="dc=example,dc=test" --be-name="userRoot"
+		root = 'testAcis'
+		try:
+			conn.add_s(f'cn={root},cn=ldbm database,cn=plugins,cn=config', [
+				('objectClass', [b'top', b'extensibleObject', b'nsBackendInstance']),
+				('cn', [root.encode()]),
+				('nsslapd-suffix', [SUFFIX.encode()]),
+			])
+		except ldap.ALREADY_EXISTS:
+			pass
+		try:
+			# Why \\, instead of \\2C? Dunno, but Apache Directory Studio displays it like that in any case.
+			suffix_ultra_escaped = SUFFIX.replace(',', '\\,').replace('=', '\\3D')
+			suffix_escaped = ldap.dn.escape_dn_chars(SUFFIX)
+			conn.add_s(f'cn={suffix_ultra_escaped},cn=mapping tree,cn=config', [
+				('objectClass', [b'top', b'extensibleObject', b'nsMappingTree']),
+				('cn', [SUFFIX.encode(), suffix_escaped.encode()]),
+				('nsslapd-state', [b"backend"]),
+				('nsslapd-backend', [root.encode()]),
+			])
+		except ldap.ALREADY_EXISTS:
+			pass
+		try:
+			conn.add_s(SUFFIX, [
+				('objectClass', [b'top', b'domain']),
+				('dc', [SUFFIX.split(',')[0].split('=')[1].encode()]),
+				('description', [SUFFIX.encode()]),
+				('aci', [
+					b'(targetattr="dc || description || objectClass")(targetfilter="(objectClass=domain)")(version 3.0; acl "Enable anyone domain read"; allow (read, search, compare)(userdn="ldap:///anyone");)']),
+			])
+		except ldap.ALREADY_EXISTS:
+			pass
+
 		things = (
 			f'ou=Groups,{SUFFIX}',
 			f'ou=People,{SUFFIX}',