diff options
Diffstat (limited to '')
-rwxr-xr-x | tests/scripts/test022-ppolicy | 673 |
1 files changed, 673 insertions, 0 deletions
diff --git a/tests/scripts/test022-ppolicy b/tests/scripts/test022-ppolicy new file mode 100755 index 0000000..78b2059 --- /dev/null +++ b/tests/scripts/test022-ppolicy @@ -0,0 +1,673 @@ +#! /bin/sh +# $OpenLDAP$ +## This work is part of OpenLDAP Software <http://www.openldap.org/>. +## +## Copyright 1998-2021 The OpenLDAP Foundation. +## All rights reserved. +## +## Redistribution and use in source and binary forms, with or without +## modification, are permitted only as authorized by the OpenLDAP +## Public License. +## +## A copy of this license is available in the file LICENSE in the +## top-level directory of the distribution or, alternatively, at +## <http://www.OpenLDAP.org/license.html>. + +echo "running defines.sh" +. $SRCDIR/scripts/defines.sh + +if test $PPOLICY = ppolicyno; then + echo "Password policy overlay not available, test skipped" + exit 0 +fi + +mkdir -p $TESTDIR $DBDIR1 + +$SLAPPASSWD -g -n >$CONFIGPWF +echo "rootpw `$SLAPPASSWD -T $CONFIGPWF`" >$TESTDIR/configpw.conf + +echo "Starting slapd on TCP/IP port $PORT1..." +. $CONFFILTER $BACKEND $MONITORDB < $PPOLICYCONF > $CONF1 +$SLAPD -f $CONF1 -h $URI1 -d $LVL $TIMING > $LOG1 2>&1 & +PID=$! +if test $WAIT != 0 ; then + echo PID $PID + read foo +fi +KILLPIDS="$PID" + +USER="uid=nd, ou=People, dc=example, dc=com" +PASS=testpassword + +sleep 1 + +echo "Using ldapsearch to check that slapd is running..." +for i in 0 1 2 3 4 5; do + $LDAPSEARCH -s base -b "$MONITOR" -h $LOCALHOST -p $PORT1 \ + 'objectclass=*' > /dev/null 2>&1 + RC=$? + if test $RC = 0 ; then + break + fi + echo "Waiting 5 seconds for slapd to start..." + sleep 5 +done +if test $RC != 0 ; then + echo "ldapsearch failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo /dev/null > $TESTOUT + +echo "Testing redundant ppolicy instance..." +$LDAPADD -D cn=config -H $URI1 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1 +dn: olcOverlay=ppolicy,olcDatabase={1}$BACKEND,cn=config +objectClass: olcOverlayConfig +objectClass: olcPPolicyConfig +olcOverlay: ppolicy +olcPPolicyDefault: cn=duplicate policy,ou=policies,dc=example,dc=com +EOF +RC=$? +if test $RC = 0 ; then + echo "ldapadd should have failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit 1 +fi + +echo "Using ldapadd to populate the database..." +# may need "-e relax" for draft 09, but not yet. +$LDAPADD -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD < \ + $LDIFPPOLICY >> $TESTOUT 2>&1 +RC=$? +if test $RC != 0 ; then + echo "ldapadd failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo "Testing account lockout..." +$LDAPSEARCH -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >$SEARCHOUT 2>&1 +sleep 2 +$LDAPSEARCH -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >>$SEARCHOUT 2>&1 +sleep 2 +$LDAPSEARCH -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >>$SEARCHOUT 2>&1 +sleep 2 +$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >> $SEARCHOUT 2>&1 +$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS >> $SEARCHOUT 2>&1 +COUNT=`grep "Account locked" $SEARCHOUT | wc -l` +if test $COUNT != 2 ; then + echo "Account lockout test failed" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit 1 +fi + +echo "Waiting 20 seconds for lockout to reset..." +sleep 20 + +$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \ + -b "$BASEDN" -s base >> $SEARCHOUT 2>&1 +RC=$? +if test $RC != 0 ; then + echo "ldapsearch failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo "Testing password expiration" +echo "Waiting 20 seconds for password to expire..." +sleep 20 + +$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \ + -b "$BASEDN" -s base > $SEARCHOUT 2>&1 +sleep 2 +$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \ + -b "$BASEDN" -s base >> $SEARCHOUT 2>&1 +sleep 2 +$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \ + -b "$BASEDN" -s base >> $SEARCHOUT 2>&1 +sleep 2 +$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \ + -b "$BASEDN" -s base >> $SEARCHOUT 2>&1 +RC=$? +if test $RC = 0 ; then + echo "Password expiration failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit 1 +fi + +COUNT=`grep "grace logins" $SEARCHOUT | wc -l` +if test $COUNT != 3 ; then + echo "Password expiration test failed" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit 1 +fi + +echo "Resetting password to clear expired status" +$LDAPPASSWD -h $LOCALHOST -p $PORT1 \ + -w secret -s $PASS \ + -D "$MANAGERDN" "$USER" >> $TESTOUT 2>&1 +RC=$? +if test $RC != 0 ; then + echo "ldappasswd failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo "Filling password history..." +$LDAPMODIFY -v -D "$USER" -h $LOCALHOST -p $PORT1 -w $PASS >> \ + $TESTOUT 2>&1 << EOMODS +dn: $USER +changetype: modify +delete: userpassword +userpassword: $PASS +- +replace: userpassword +userpassword: 20urgle12-1 + +dn: $USER +changetype: modify +delete: userpassword +userpassword: 20urgle12-1 +- +replace: userpassword +userpassword: 20urgle12-2 + +dn: $USER +changetype: modify +delete: userpassword +userpassword: 20urgle12-2 +- +replace: userpassword +userpassword: 20urgle12-3 + +dn: $USER +changetype: modify +delete: userpassword +userpassword: 20urgle12-3 +- +replace: userpassword +userpassword: 20urgle12-4 + +dn: $USER +changetype: modify +delete: userpassword +userpassword: 20urgle12-4 +- +replace: userpassword +userpassword: 20urgle12-5 + +dn: $USER +changetype: modify +delete: userpassword +userpassword: 20urgle12-5 +- +replace: userpassword +userpassword: 20urgle12-6 + +EOMODS +RC=$? +if test $RC != 0 ; then + echo "ldapmodify failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi +echo "Testing password history..." +$LDAPMODIFY -v -D "$USER" -h $LOCALHOST -p $PORT1 -w 20urgle12-6 >> \ + $TESTOUT 2>&1 << EOMODS +dn: $USER +changetype: modify +delete: userPassword +userPassword: 20urgle12-6 +- +replace: userPassword +userPassword: 20urgle12-2 + +EOMODS +RC=$? +if test $RC = 0 ; then + echo "ldapmodify failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit 1 +fi + +echo "Testing forced reset..." + +$LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD >> \ + $TESTOUT 2>&1 << EOMODS +dn: $USER +changetype: modify +replace: userPassword +userPassword: $PASS +- +replace: pwdReset +pwdReset: TRUE + +EOMODS +RC=$? +if test $RC != 0 ; then + echo "ldapmodify failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \ + -b "$BASEDN" -s base > $SEARCHOUT 2>&1 +RC=$? +if test $RC = 0 ; then + echo "Forced reset failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit 1 +fi + +COUNT=`grep "Operations are restricted" $SEARCHOUT | wc -l` +if test $COUNT != 1 ; then + echo "Forced reset test failed" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit 1 +fi + +echo "Clearing forced reset..." + +$LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD >> \ + $TESTOUT 2>&1 << EOMODS +dn: $USER +changetype: modify +delete: pwdReset + +EOMODS +RC=$? +if test $RC != 0 ; then + echo "ldapmodify failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \ + -b "$BASEDN" -s base > $SEARCHOUT 2>&1 +RC=$? +if test $RC != 0 ; then + echo "Clearing forced reset failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo "Testing Safe modify..." + +$LDAPPASSWD -h $LOCALHOST -p $PORT1 \ + -w $PASS -s failexpect \ + -D "$USER" >> $TESTOUT 2>&1 +RC=$? +if test $RC = 0 ; then + echo "Safe modify test 1 failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit 1 +fi + +sleep 2 + +OLDPASS=$PASS +PASS=successexpect + +$LDAPPASSWD -h $LOCALHOST -p $PORT1 \ + -w $OLDPASS -s $PASS -a $OLDPASS \ + -D "$USER" >> $TESTOUT 2>&1 +RC=$? +if test $RC != 0 ; then + echo "Safe modify test 2 failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo "Testing length requirement..." +# check control in response (ITS#5711) +$LDAPPASSWD -h $LOCALHOST -p $PORT1 \ + -w $PASS -a $PASS -s 2shr \ + -D "$USER" -e ppolicy > ${TESTOUT}.2 2>&1 +RC=$? +cat ${TESTOUT}.2 >> $TESTOUT +if test $RC = 0 ; then + echo "Length requirement test failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit 1 +fi +COUNT=`grep "Password fails quality" ${TESTOUT}.2 | wc -l` +if test $COUNT != 1 ; then + echo "Length requirement test failed" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit 1 +fi +COUNT=`grep "Password is too short for policy" ${TESTOUT}.2 | wc -l` +if test $COUNT != 1 ; then + echo "Control not returned in response" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit 1 +fi + +echo "Testing hashed length requirement..." + +$LDAPMODIFY -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS > \ + ${TESTOUT}.2 2>&1 << EOMODS +dn: $USER +changetype: modify +delete: userPassword +userPassword: $PASS +- +add: userPassword +userPassword: {MD5}xxxxxx + +EOMODS +RC=$? +cat ${TESTOUT}.2 >> $TESTOUT +if test $RC = 0 ; then + echo "Hashed length requirement test failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit 1 +fi +COUNT=`grep "Password fails quality" ${TESTOUT}.2 | wc -l` +if test $COUNT != 1 ; then + echo "Hashed length requirement test failed" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit 1 +fi + +echo "Testing multiple password add/modify checks..." + +$LDAPMODIFY -h $LOCALHOST -p $PORT1 -D "$MANAGERDN" -w $PASSWD >> \ + $TESTOUT 2>&1 << EOMODS +dn: cn=Add Should Fail, ou=People, dc=example, dc=com +changetype: add +objectClass: inetOrgPerson +cn: Add Should Fail +sn: Fail +userPassword: firstpw +userPassword: secondpw +EOMODS +RC=$? +if test $RC = 0 ; then + echo "Multiple password add test failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit 1 +fi + +$LDAPMODIFY -h $LOCALHOST -p $PORT1 -D "$MANAGERDN" -w $PASSWD >> \ + $TESTOUT 2>&1 << EOMODS +dn: $USER +changetype: modify +add: userPassword +userPassword: firstpw +userPassword: secondpw +EOMODS +RC=$? +if test $RC = 0 ; then + echo "Multiple password modify add test failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit 1 +fi + +$LDAPMODIFY -h $LOCALHOST -p $PORT1 -D "$MANAGERDN" -w $PASSWD >> \ + $TESTOUT 2>&1 << EOMODS +dn: $USER +changetype: modify +replace: userPassword +userPassword: firstpw +userPassword: secondpw +EOMODS +RC=$? +if test $RC = 0 ; then + echo "Multiple password modify replace test failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit 1 +fi + +if test "$BACKLDAP" != "ldapno" && test "$SYNCPROV" != "syncprovno" ; then +echo "" +echo "Setting up policy state forwarding test..." + +mkdir $DBDIR2 +sed -e "s,$DBDIR1,$DBDIR2," < $CONF1 > $CONF2 +echo "Starting slapd consumer on TCP/IP port $PORT2..." +$SLAPD -f $CONF2 -h $URI2 -d $LVL $TIMING > $LOG2 2>&1 & +PID=$! +if test $WAIT != 0 ; then + echo PID $PID + read foo +fi +KILLPIDS="$KILLPIDS $PID" + +echo "Configuring syncprov on provider..." +if [ "$SYNCPROV" = syncprovmod ]; then + $LDAPADD -D cn=config -H $URI1 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1 +dn: cn=module,cn=config +objectclass: olcModuleList +cn: module +olcModulePath: $TESTWD/../servers/slapd/overlays +olcModuleLoad: syncprov.la + +EOF + RC=$? + if test $RC != 0 ; then + echo "ldapadd failed for moduleLoad ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC + fi +fi + +$LDAPADD -D cn=config -H $URI1 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1 +dn: olcOverlay={1}syncprov,olcDatabase={1}$BACKEND,cn=config +objectClass: olcOverlayConfig +objectClass: olcSyncProvConfig +olcOverlay: {1}syncprov + +EOF +RC=$? +if test $RC != 0 ; then + echo "ldapadd failed for provider database config ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo "Using ldapsearch to check that slapd is running..." +for i in 0 1 2 3 4 5; do + $LDAPSEARCH -s base -b "$MONITOR" -H $URI2 \ + 'objectclass=*' > /dev/null 2>&1 + RC=$? + if test $RC = 0 ; then + break + fi + echo "Waiting 5 seconds for slapd to start..." + sleep 5 +done +if test $RC != 0 ; then + echo "ldapsearch failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo "Configuring syncrepl on consumer..." +if [ "$BACKLDAP" = ldapmod ]; then + $LDAPADD -D cn=config -H $URI2 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1 +dn: cn=module,cn=config +objectclass: olcModuleList +cn: module +olcModulePath: $TESTWD/../servers/slapd/back-ldap +olcModuleLoad: back_ldap.la + +EOF + RC=$? + if test $RC != 0 ; then + echo "ldapadd failed for moduleLoad ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC + fi +fi +$LDAPMODIFY -D cn=config -H $URI2 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1 +dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config +changetype: add +objectClass: olcOverlayConfig +objectClass: olcChainConfig +olcOverlay: {0}chain + +dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config +changetype: add +objectClass: olcLDAPConfig +objectClass: olcChainDatabase +olcDBURI: $URI1 +olcDbIDAssertBind: bindmethod=simple + binddn="cn=manager,dc=example,dc=com" + credentials=secret + mode=self + +dn: olcDatabase={1}$BACKEND,cn=config +changetype: modify +add: olcSyncrepl +olcSyncrepl: rid=1 + provider=$URI1 + binddn="cn=manager,dc=example,dc=com" + bindmethod=simple + credentials=secret + searchbase="dc=example,dc=com" + type=refreshAndPersist + retry="3 5 300 5" +- +add: olcUpdateref +olcUpdateref: $URI1 +- + +dn: olcOverlay={0}ppolicy,olcDatabase={1}$BACKEND,cn=config +changetype: modify +replace: olcPPolicyForwardUpdates +olcPPolicyForwardUpdates: TRUE +- + +EOF +RC=$? +if test $RC != 0 ; then + echo "ldapmodify failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo "Waiting for consumer to sync..." +sleep $SLEEP1 + +echo "Testing policy state forwarding..." +$LDAPSEARCH -H $URI2 -D "$USER" -w wrongpw >$SEARCHOUT 2>&1 +RC=$? +if test $RC != 49 ; then + echo "ldapsearch should have failed with 49, got ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit 1 +fi + +$LDAPSEARCH -H $URI1 -D "$MANAGERDN" -w $PASSWD -b "$USER" \* \+ >> $SEARCHOUT 2>&1 +COUNT=`grep "pwdFailureTime" $SEARCHOUT | wc -l` +if test $COUNT != 1 ; then + echo "Policy state forwarding failed" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit 1 +fi + +# End of chaining test + +fi + +echo "" +echo "Testing obsolete Netscape ppolicy controls..." +echo "Enabling Netscape controls..." +$LDAPMODIFY -v -D cn=config -H $URI1 -y $CONFIGPWF >> \ + $TESTOUT 2>&1 << EOMODS +dn: olcOverlay={0}ppolicy,olcDatabase={1}$BACKEND,cn=config +changetype: modify +replace: olcPPolicySendNetscapeControls +olcPPolicySendNetscapeControls: TRUE +- + +EOMODS +RC=$? +if test $RC != 0 ; then + echo "ldapmodify failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo "Reconfiguring policy to remove grace logins..." +$LDAPMODIFY -v -D "$MANAGERDN" -H $URI1 -w $PASSWD >> \ + $TESTOUT 2>&1 << EOMODS +dn: cn=Standard Policy, ou=Policies, dc=example, dc=com +changetype: modify +delete: pwdGraceAuthnLimit +- +replace: pwdMaxAge +pwdMaxAge: 15 +- + +EOMODS +RC=$? +if test $RC != 0 ; then + echo "ldapmodify failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +OLDPASS=$PASS +PASS=newpass +$LDAPPASSWD -H $URI1 \ + -w secret -s $PASS \ + -D "$MANAGERDN" "$USER" >> $TESTOUT 2>&1 +RC=$? +if test $RC != 0 ; then + echo "Setting new password failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo "Clearing forced reset..." +$LDAPMODIFY -v -D "$MANAGERDN" -H $URI1 -w $PASSWD >> \ + $TESTOUT 2>&1 << EOMODS +dn: $USER +changetype: modify +delete: pwdReset + +EOMODS + +DELAY=10 + +echo "Testing password expiration" +echo "Waiting $DELAY seconds for password to expire..." +sleep $DELAY + +$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \ + -b "$BASEDN" -s base > $SEARCHOUT 2>&1 +sleep 3 +$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \ + -b "$BASEDN" -s base >> $SEARCHOUT 2>&1 +sleep 3 +$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \ + -b "$BASEDN" -s base >> $SEARCHOUT 2>&1 +sleep 3 +$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \ + -b "$BASEDN" -s base >> $SEARCHOUT 2>&1 +sleep 3 +$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \ + -b "$BASEDN" -s base >> $SEARCHOUT 2>&1 +RC=$? +if test $RC = 0 ; then + echo "Password expiration failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit 1 +fi +COUNT=`grep "PasswordExpiring" $SEARCHOUT | wc -l` +if test $COUNT = 0 ; then + echo "Password expiring warning test failed!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit 1 +fi + +test $KILLSERVERS != no && kill -HUP $KILLPIDS + +echo ">>>>> Test succeeded" + +test $KILLSERVERS != no && wait + +exit 0 |