diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 16:35:32 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 16:35:32 +0000 |
commit | 5ea77a75dd2d2158401331879f3c8f47940a732c (patch) | |
tree | d89dc06e9f4850a900f161e25f84e922c4f86cc8 /tests/scripts/test077-sasl-gssapi | |
parent | Initial commit. (diff) | |
download | openldap-upstream/2.5.13+dfsg.tar.xz openldap-upstream/2.5.13+dfsg.zip |
Adding upstream version 2.5.13+dfsg.upstream/2.5.13+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'tests/scripts/test077-sasl-gssapi')
-rwxr-xr-x | tests/scripts/test077-sasl-gssapi | 255 |
1 files changed, 255 insertions, 0 deletions
diff --git a/tests/scripts/test077-sasl-gssapi b/tests/scripts/test077-sasl-gssapi new file mode 100755 index 0000000..4d4e260 --- /dev/null +++ b/tests/scripts/test077-sasl-gssapi @@ -0,0 +1,255 @@ +#! /bin/sh +# $OpenLDAP$ +## This work is part of OpenLDAP Software <http://www.openldap.org/>. +## +## Copyright 1998-2022 The OpenLDAP Foundation. +## All rights reserved. +## +## Redistribution and use in source and binary forms, with or without +## modification, are permitted only as authorized by the OpenLDAP +## Public License. +## +## A copy of this license is available in the file LICENSE in the +## top-level directory of the distribution or, alternatively, at +## <http://www.OpenLDAP.org/license.html>. + +echo "running defines.sh" +. $SRCDIR/scripts/defines.sh + +if test $WITH_SASL = no ; then + echo "SASL support not available, test skipped" + exit 0 +fi + +CONFDIR=$TESTDIR/slapd.d +CONFLDIF=$TESTDIR/slapd.ldif + +mkdir -p $TESTDIR $DBDIR1 $CONFDIR +cp -r $DATADIR/tls $TESTDIR +$SLAPPASSWD -g -n >$CONFIGPWF + +echo "Starting KDC for SASL/GSSAPI tests..." +. $SRCDIR/scripts/setup_kdc.sh + +echo "Configuring slapd..." +cat > $CONFLDIF <<EOF +dn: cn=config +objectClass: olcGlobal +cn: config +olcSaslHost: localhost +olcSaslRealm: $KRB5REALM +olcTLSCACertificateFile: $TESTDIR/tls/ca/certs/testsuiteCA.crt +olcTLSCertificateFile: $TESTDIR/tls/certs/localhost.crt +olcTLSCertificateKeyFile: $TESTDIR/tls/private/localhost.key + +dn: cn=schema,cn=config +objectClass: olcSchemaConfig +cn: schema + +include: file://$ABS_SCHEMADIR/core.ldif + +dn: olcDatabase={0}config,cn=config +objectClass: olcDatabaseConfig +olcDatabase: {0}config +olcRootPW:< file://$TESTDIR/configpw + +EOF +$SLAPADD -F $CONFDIR -n 0 -l $CONFLDIF +RC=$? +if test $RC != 0 ; then + echo "slapadd failed ($RC)!" + kill $KDCPROC + exit $RC +fi + +echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..." +$SLAPD -F $CONFDIR -h "$URI1 $SURI2" -d $LVL > $LOG1 2>&1 & +PID=$! +if test $WAIT != 0 ; then + echo PID $PID + read foo +fi +KILLPIDS="$PID" + +sleep 1 + +echo "Using ldapsearch to check that slapd is running..." +for i in 0 1 2 3 4 5; do + $LDAPSEARCH -s base -b "" -H $URI1 \ + 'objectclass=*' > /dev/null 2>&1 + RC=$? + if test $RC = 0 ; then + break + fi + echo "Waiting 5 seconds for slapd to start..." + sleep 5 +done + +if test $RC != 0 ; then + echo "ldapsearch failed ($RC)!" + kill $KDCPROC + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +$LDAPSEARCH -x -H $URI1 -s "base" -b "" supportedSASLMechanisms > $TESTOUT 2>&1 +RC=$? +if test $RC != 0 ; then + echo "ldapsearch failed ($RC)!" + kill $KDCPROC + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +grep GSSAPI $TESTOUT +RC=$? +if test $RC != 0 ; then + echo "failed: GSSAPI mechanism not in supportedSASLMechanisms." + kill $KDCPROC + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo -n "Using ldapwhoami with SASL/GSSAPI: " +$LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 > $TESTOUT 2>&1 +RC=$? +if test $RC != 0 ; then + echo "ldapwhoami failed ($RC)!" + kill $KDCPROC + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +else + echo "success" +fi + +echo -n "Validating mapped SASL/GSSAPI ID: " +echo "dn:uid=$KUSER,cn=$KRB5REALM,cn=gssapi,cn=auth" > $TESTDIR/dn.out +$CMP $TESTDIR/dn.out $TESTOUT > $CMPOUT +RC=$? +if test $RC != 0 ; then + echo "Comparison failed" + kill $KDCPROC + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +else + echo "success" +fi + +if test $WITH_TLS = no ; then + echo "SASL/GSSAPI: TLS support not available, skipping TLS part." +else + echo -n "Using ldapwhoami with SASL/GSSAPI with start-tls: " + $LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 -ZZ -o tls_reqcert=allow \ + -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt \ + > $TESTOUT 2>&1 + RC=$? + if test $RC != 0 ; then + echo "ldapwhoami failed ($RC)!" + kill $KDCPROC + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC + else + echo "success" + fi + + echo -n "Using ldapwhoami with SASL/GSSAPI with ldaps: " + $LDAPSASLWHOAMI -N -Y GSSAPI -H $SURI2 -o tls_reqcert=allow \ + -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt \ + > $TESTOUT 2>&1 + RC=$? + if test $RC != 0 ; then + echo "ldapwhoami failed ($RC)!" + kill $KDCPROC + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC + else + echo "success" + fi +fi + +if test $WITH_TLS = no ; then + echo "TLS support not available, skipping channel-binding test" +elif test $HAVE_SASL_GSS_CBIND = no ; then + echo "SASL has no channel-binding support in GSSAPI, test skipped" +else + echo "Testing SASL/GSSAPI with SASL_CBINDING..." + + for acb in "none" "tls-unique" "tls-endpoint" ; do + + echo "Modifying slapd's olcSaslCBinding to ${acb} ..." + $LDAPMODIFY -D cn=config -H $URI1 -y $CONFIGPWF <<EOF > $TESTOUT 2>&1 +dn: cn=config +changetype: modify +replace: olcSaslCBinding +olcSaslCBinding: ${acb} +EOF + RC=$? + if test $RC != 0 ; then + echo "ldapmodify failed ($RC)!" + kill $KDCPROC + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC + fi + + for icb in "none" "tls-unique" "tls-endpoint" ; do + + # The gnutls implementation of "tls-unique" seems broken + if test $icb = "tls-unique" -o $acb = "tls-unique" ; then + if test $WITH_TLS_TYPE = gnutls ; then + continue + fi + fi + + fail="no" + if test $icb != $acb -a $acb != "none" ; then + # This currently fails in MIT, but it is planned to be + # fixed not to fail like in heimdal - avoid testing. + if test $icb = "none" ; then + continue + fi + # Otherwise unmatching bindings are expected to fail. + fail="yes" + fi + + echo -n "Using ldapwhoami with SASL/GSSAPI and SASL_CBINDING " + echo -n "(client: ${icb}, server: ${acb}): " + + $LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 -ZZ -o tls_reqcert=allow \ + -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt \ + -o SASL_CBINDING=$icb > $TESTOUT 2>&1 + + RC=$? + if test $RC != 0 ; then + if test $fail = "no" ; then + echo "test failed ($RC)!" + kill $KDCPROC + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC + fi + elif test $fail = "yes" ; then + echo "failed: command succeeded unexpectedly." + kill $KDCPROC + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit 1 + fi + + echo "success" + RC=0 + done + done +fi + + +kill $KDCPROC +test $KILLSERVERS != no && kill -HUP $KILLPIDS + +if test $RC != 0 ; then + echo ">>>>> Test failed" +else + echo ">>>>> Test succeeded" + RC=0 +fi + +test $KILLSERVERS != no && wait + +exit $RC |