diff options
Diffstat (limited to '')
-rwxr-xr-x | tests/scripts/test076-authid-rewrite | 640 |
1 files changed, 640 insertions, 0 deletions
diff --git a/tests/scripts/test076-authid-rewrite b/tests/scripts/test076-authid-rewrite new file mode 100755 index 0000000..7799d88 --- /dev/null +++ b/tests/scripts/test076-authid-rewrite @@ -0,0 +1,640 @@ +#! /bin/sh +# $OpenLDAP$ +## This work is part of OpenLDAP Software <http://www.openldap.org/>. +## +## Copyright 1998-2022 The OpenLDAP Foundation. +## All rights reserved. +## +## Redistribution and use in source and binary forms, with or without +## modification, are permitted only as authorized by the OpenLDAP +## Public License. +## +## A copy of this license is available in the file LICENSE in the +## top-level directory of the distribution or, alternatively, at +## <http://www.OpenLDAP.org/license.html>. + +echo "running defines.sh" +. $SRCDIR/scripts/defines.sh + +if test $WITH_SASL = no; then + echo "SASL authentication not available, test skipped" + exit 0 +fi + +CONFDIR=$TESTDIR/slapd.d +MECH=DIGEST-MD5 + +mkdir -p $TESTDIR $CONFDIR $DBDIR1 + +$SLAPPASSWD -g -n >$CONFIGPWF + +echo "Starting slapd on TCP/IP port $PORT1... $PWD" +. $CONFFILTER $BACKEND < $DYNAMICCONF > $CONFLDIF +$SLAPADD -F $CONFDIR -n 0 -l $CONFLDIF +cd $TESTDIR +$SLAPD -F ./slapd.d -h $URI1 -d $LVL > $LOG1 2>&1 & +PID=$! +if test $WAIT != 0 ; then + echo PID $PID + read foo +fi +KILLPIDS="$PID" +cd $TESTWD + +sleep 1 + +echo "Using ldapsearch to check that slapd is running..." +for i in 0 1 2 3 4 5; do + $LDAPSEARCH -s base -b "" -H $URI1 \ + 'objectclass=*' > /dev/null 2>&1 + RC=$? + if test $RC = 0 ; then + break + fi + echo "Waiting 5 seconds for slapd to start..." + sleep 5 +done + +if test $RC != 0 ; then + echo "ldapsearch failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo "Checking whether $MECH is supported..." +$LDAPSEARCH -s base -b "" -H $URI1 \ + 'objectClass=*' supportedSASLMechanisms > $SEARCHOUT 2>&1 +RC=$? +if test $RC != 0 ; then + echo "ldapsearch failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +grep "supportedSASLMechanisms: $MECH" $SEARCHOUT > $TESTOUT +RC=$? +if test $RC != 0 ; then + echo "SASL mechanism $MECH is not available, test skipped" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit 0 +fi + +echo "Adding schema and database..." +$LDAPADD -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1 +include: file://$ABS_SCHEMADIR/core.ldif + +include: file://$ABS_SCHEMADIR/cosine.ldif + +include: file://$ABS_SCHEMADIR/inetorgperson.ldif + +include: file://$ABS_SCHEMADIR/openldap.ldif + +include: file://$ABS_SCHEMADIR/nis.ldif +EOF +RC=$? +if test $RC != 0 ; then + echo "ldapadd failed for schema config ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +if [ "$BACKENDTYPE" = mod ]; then + $LDAPADD -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1 +dn: cn=module,cn=config +objectClass: olcModuleList +cn: module +olcModulePath: $TESTWD/../servers/slapd/back-$BACKEND +olcModuleLoad: back_$BACKEND.la +EOF + RC=$? + if test $RC != 0 ; then + echo "ldapadd failed for backend config ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC + fi +fi + +$LDAPADD -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1 +dn: olcDatabase={1}$BACKEND,cn=config +objectClass: olcDatabaseConfig +objectClass: olc${BACKEND}Config +olcDatabase: {1}$BACKEND +olcSuffix: $BASEDN +olcDbDirectory: $DBDIR1 +olcRootDN: $MANAGERDN +olcRootPW: $PASSWD +EOF +RC=$? +if test $RC != 0 ; then + echo "ldapadd failed for database config ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +if test $INDEXDB = indexdb ; then + $LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1 +dn: olcDatabase={1}$BACKEND,cn=config +changetype: modify +add: olcDbIndex +olcDbIndex: objectClass,entryUUID,entryCSN eq +olcDbIndex: cn,uid pres,eq,sub +EOF + RC=$? + if test $RC != 0 ; then + echo "ldapmodify failed for index config ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC + fi +fi + +echo "Using ldapadd to populate the database..." +$LDAPADD -H $URI1 -D "$MANAGERDN" -w $PASSWD < $LDIFORDERED >>$TESTOUT 2>&1 +RC=$? +if test $RC != 0 ; then + echo "ldapadd failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo + +echo "Adding olcAuthzRegexp rule for static mapping..." +$LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1 +dn: cn=config +changetype: modify +add: olcAuthzRegexp +olcAuthzRegexp: uid=manager,cn=[^,]+,cn=auth $MANAGERDN +EOF +RC=$? +if test $RC != 0; then + echo "ldapmodify failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +ID=Manager +echo "Testing ldapwhoami as $ID..." +$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w $PASSWD +RC=$? +if test $RC != 0; then + echo "ldapwhoami failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo + +echo "Adding olcAuthzRegexp rule to search by uid..." +$LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1 +dn: cn=config +changetype: modify +add: olcAuthzRegexp +olcAuthzRegexp: uid=([^,]+),cn=[^,]+,cn=auth ldap:///$BASEDN??sub?(uid=\$1) +EOF +RC=$? +if test $RC != 0; then + echo "ldapmodify failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +ID=Manager +echo "Testing ldapwhoami as $ID..." +$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w $PASSWD +RC=$? +if test $RC != 0; then + echo "ldapwhoami failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +ID=bjensen +echo "Testing ldapwhoami as $ID..." +$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w $ID +RC=$? +if test $RC != 0; then + echo "ldapwhoami failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo + +echo "Inserting olcAuthzRegexp rule before the last..." +$LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1 +dn: cn=config +changetype: modify +add: olcAuthzRegexp +olcAuthzRegexp: {1}uid=babs,cn=[^,]+,cn=auth ldap:///$BASEDN??sub?(uid=bjensen) +EOF +RC=$? +if test $RC != 0; then + echo "ldapmodify failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +ID=Manager +echo "Testing ldapwhoami as $ID..." +$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w $PASSWD +RC=$? +if test $RC != 0; then + echo "ldapwhoami failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +ID=babs +echo "Testing ldapwhoami as $ID..." +$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w bjensen +RC=$? +if test $RC != 0; then + echo "ldapwhoami failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +ID=bjensen +echo "Testing ldapwhoami as $ID..." +$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w $ID +RC=$? +if test $RC != 0; then + echo "ldapwhoami failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo + +echo "Deleting the first olcAuthzRegexp rule..." +$LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1 +dn: cn=config +changetype: modify +delete: olcAuthzRegexp +olcAuthzRegexp: {0} +EOF +RC=$? +if test $RC != 0; then + echo "ldapmodify failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +ID=Manager +echo "Testing ldapwhoami as $ID (should fail)..." +$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w $PASSWD +RC=$? +if test $RC != 49; then + echo "ldapwhoami unexpected result ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +ID=babs +echo "Testing ldapwhoami as $ID..." +$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w bjensen +RC=$? +if test $RC != 0; then + echo "ldapwhoami failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +ID=bjensen +echo "Testing ldapwhoami as $ID..." +$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w $ID +RC=$? +if test $RC != 0; then + echo "ldapwhoami failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo + +echo "Updating an olcAuthzRegexp rule in place..." +$LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1 +dn: cn=config +changetype: modify +delete: olcAuthzRegexp +olcAuthzRegexp: {0} +- +add: olcAuthzRegexp +olcAuthzRegexp: {0}uid=biff,cn=[^,]+,cn=auth ldap:///$BASEDN??sub?(uid=bjorn) +EOF +RC=$? +if test $RC != 0; then + echo "ldapmodify failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +ID=babs +echo "Testing ldapwhoami as $ID (should fail)..." +$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w bjensen +RC=$? +if test $RC != 49; then + echo "ldapwhoami failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +ID=biff +echo "Testing ldapwhoami as $ID..." +$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w bjorn +RC=$? +if test $RC != 0; then + echo "ldapwhoami failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +ID=bjensen +echo "Testing ldapwhoami as $ID..." +$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w $ID +RC=$? +if test $RC != 0; then + echo "ldapwhoami failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo + +echo "Deleting all olcAuthzRegexp rules..." +$LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1 +dn: cn=config +changetype: modify +delete: olcAuthzRegexp +EOF +RC=$? +if test $RC != 0; then + echo "ldapmodify failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +ID=bjensen +echo "Testing ldapwhoami as $ID (should fail)..." +$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w $ID +RC=$? +if test $RC != 49; then + echo "ldapwhoami failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo + +echo "Initializing olcAuthIDRewrite engine..." +$LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1 +dn: cn=config +changetype: modify +add: olcAuthIDRewrite +olcAuthIDRewrite: rewriteEngine ON +olcAuthIDRewrite: rewriteContext authid +EOF +RC=$? +if test $RC != 0; then + echo "ldapmodify failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo + +echo "Adding olcAuthIDRewrite rule for static mapping..." +$LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1 +dn: cn=config +changetype: modify +add: olcAuthIDRewrite +olcAuthIDRewrite: rewriteRule uid=manager,cn=[^,]+,cn=auth $MANAGERDN : +EOF +RC=$? +if test $RC != 0; then + echo "ldapmodify failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +ID=Manager +echo "Testing ldapwhoami as $ID..." +$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w $PASSWD +RC=$? +if test $RC != 0; then + echo "ldapwhoami failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo + +echo "Adding olcAuthIDRewrite rule to search by uid..." +$LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1 +dn: cn=config +changetype: modify +add: olcAuthIDRewrite +olcAuthIDRewrite: rewriteRule uid=([^,]+),cn=[^,]+,cn=auth ldap:///$BASEDN??sub?(uid=\$1) : +EOF +RC=$? +if test $RC != 0; then + echo "ldapmodify failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +ID=Manager +echo "Testing ldapwhoami as $ID..." +$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w $PASSWD +RC=$? +if test $RC != 0; then + echo "ldapwhoami failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +ID=bjensen +echo "Testing ldapwhoami as $ID..." +$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w $ID +RC=$? +if test $RC != 0; then + echo "ldapwhoami failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo + +echo "Inserting olcAuthIDRewrite rule before the last..." +$LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1 +dn: cn=config +changetype: modify +add: olcAuthIDRewrite +olcAuthIDRewrite: {3}rewriteRule uid=babs,cn=[^,]+,cn=auth ldap:///$BASEDN??sub?(uid=bjensen) : +EOF +RC=$? +if test $RC != 0; then + echo "ldapmodify failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +ID=Manager +echo "Testing ldapwhoami as $ID..." +$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w $PASSWD +RC=$? +if test $RC != 0; then + echo "ldapwhoami failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +ID=babs +echo "Testing ldapwhoami as $ID..." +$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w bjensen +RC=$? +if test $RC != 0; then + echo "ldapwhoami failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +ID=bjensen +echo "Testing ldapwhoami as $ID..." +$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w $ID +RC=$? +if test $RC != 0; then + echo "ldapwhoami failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo + +echo "Deleting the first olcAuthIDRewrite rule..." +$LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1 +dn: cn=config +changetype: modify +delete: olcAuthIDRewrite +olcAuthIDRewrite: {2} +EOF +RC=$? +if test $RC != 0; then + echo "ldapmodify failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +ID=Manager +echo "Testing ldapwhoami as $ID (should fail)..." +$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w $PASSWD +RC=$? +if test $RC != 49; then + echo "ldapwhoami unexpected result ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +ID=babs +echo "Testing ldapwhoami as $ID..." +$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w bjensen +RC=$? +if test $RC != 0; then + echo "ldapwhoami failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +ID=bjensen +echo "Testing ldapwhoami as $ID..." +$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w $ID +RC=$? +if test $RC != 0; then + echo "ldapwhoami failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo + +echo "Updating an olcAuthIDRewrite rule in place..." +$LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1 +dn: cn=config +changetype: modify +delete: olcAuthIDRewrite +olcAuthIDRewrite: {2} +- +add: olcAuthIDRewrite +olcAuthIDRewrite: {2}rewriteRule uid=biff,cn=[^,]+,cn=auth ldap:///$BASEDN??sub?(uid=bjorn) : +EOF +RC=$? +if test $RC != 0; then + echo "ldapmodify failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +ID=babs +echo "Testing ldapwhoami as $ID (should fail)..." +$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w bjensen +RC=$? +if test $RC != 49; then + echo "ldapwhoami failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +ID=biff +echo "Testing ldapwhoami as $ID..." +$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w bjorn +RC=$? +if test $RC != 0; then + echo "ldapwhoami failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +ID=bjensen +echo "Testing ldapwhoami as $ID..." +$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w $ID +RC=$? +if test $RC != 0; then + echo "ldapwhoami failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo + +echo "Deleting all olcAuthIDRewrite rules..." +$LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1 +dn: cn=config +changetype: modify +delete: olcAuthIDRewrite +EOF +RC=$? +if test $RC != 0; then + echo "ldapmodify failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +ID=bjensen +echo "Testing ldapwhoami as $ID (should fail)..." +$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w $ID +RC=$? +if test $RC != 49; then + echo "ldapwhoami failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo + +test $KILLSERVERS != no && kill -HUP $KILLPIDS + +echo ">>>>> Test succeeded" + +test $KILLSERVERS != no && wait + +exit 0 |