#! /bin/sh
# $OpenLDAP$
## This work is part of OpenLDAP Software .
##
## Copyright 1998-2024 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## .
echo "running defines.sh"
. $SRCDIR/scripts/defines.sh
if test $AUTOCA = autocano; then
echo "Automatic CA overlay not available, test skipped"
exit 0
fi
if test $BACKEND = ldif ; then
# autoca tries to modify an entry in a search response,
# which deadlocks because the tree is readlocked by the search.
echo "Test does not support $BACKEND backend, test skipped"
exit 0
fi
CFDIR=$TESTDIR/slapd.d
mkdir -p $TESTDIR $CFDIR $DBDIR1
$SLAPPASSWD -g -n >$CONFIGPWF
#
# Test operation of autoca:
# - configure over ldap without TLS
# - populate over ldap
# - add host entry
# - add autoca overlay
# - generate server and user certs
# - check for TLS operation
#
echo "Starting slapd on TCP/IP port $PORT1..."
. $CONFFILTER $BACKEND < $DYNAMICCONF > $CONFLDIF
$SLAPADD -F $CFDIR -n 0 -l $CONFLDIF
RC=$?
if test $RC != 0 ; then
echo "slapadd failed ($RC)!"
exit $RC
fi
$SLAPD -F $CFDIR -h $URIP1 -d $LVL > $LOG1 2>&1 &
PID=$!
if test $WAIT != 0 ; then
echo PID $PID
read foo
fi
KILLPIDS="$PID"
cd $TESTWD
sleep 1
echo "Using ldapsearch to check that slapd is running..."
for i in 0 1 2 3 4 5; do
$LDAPSEARCH -s base -b "" -H $URIP1 \
'objectclass=*' > /dev/null 2>&1
RC=$?
if test $RC = 0 ; then
break
fi
echo "Waiting 5 seconds for slapd to start..."
sleep 5
done
if test $RC != 0 ; then
echo "ldapsearch failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo "Adding schema and databases on slapd..."
$LDAPADD -D cn=config -H $URIP1 -y $CONFIGPWF <>$TESTOUT 2>&1
include: file://$ABS_SCHEMADIR/core.ldif
include: file://$ABS_SCHEMADIR/cosine.ldif
include: file://$ABS_SCHEMADIR/inetorgperson.ldif
include: file://$ABS_SCHEMADIR/openldap.ldif
include: file://$ABS_SCHEMADIR/nis.ldif
EOF
RC=$?
if test $RC != 0 ; then
echo "ldapadd failed for schema config ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
nullExclude="" nullOK=""
test $BACKEND = null && nullExclude="# " nullOK="OK"
if [ "$BACKENDTYPE" = mod ]; then
$LDAPADD -D cn=config -H $URIP1 -y $CONFIGPWF <>$TESTOUT 2>&1
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: $TESTWD/../servers/slapd/back-$BACKEND
olcModuleLoad: back_$BACKEND.la
EOF
RC=$?
if test $RC != 0 ; then
echo "ldapadd failed for backend config ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
fi
$LDAPADD -D cn=config -H $URIP1 -y $CONFIGPWF <>$TESTOUT 2>&1
dn: olcDatabase={1}$BACKEND,cn=config
objectClass: olcDatabaseConfig
${nullExclude}objectClass: olc${BACKEND}Config
olcDatabase: {1}$BACKEND
olcSuffix: $BASEDN
${nullExclude}olcDbDirectory: $DBDIR1
olcRootDN: $MANAGERDN
olcRootPW: $PASSWD
EOF
RC=$?
if test $RC != 0 ; then
echo "ldapadd failed for database config ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
if test $INDEXDB = indexdb ; then
$LDAPMODIFY -D cn=config -H $URIP1 -y $CONFIGPWF <>$TESTOUT 2>&1
dn: olcDatabase={1}$BACKEND,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: objectClass,entryUUID,entryCSN eq
olcDbIndex: cn,uid pres,eq,sub
EOF
RC=$?
if test $RC != 0 ; then
echo "ldapadd modify for database config ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
fi
echo "Using ldapadd to populate slapd..."
$LDAPADD -D "$MANAGERDN" -H $URIP1 -w $PASSWD -f $LDIFORDERED \
>> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
echo "ldapadd failed for database populate ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo "Adding server entries to slapd..."
$LDAPADD -D "$MANAGERDN" -H $URIP1 -w $PASSWD <> $TESTOUT 2>&1
dn: ou=Servers,$BASEDN
objectClass: organizationalUnit
ou: Servers
dn: cn=localhost,ou=Servers,$BASEDN
objectClass: device
objectClass: ipHost
cn: localhost
ipHostNumber: 127.0.0.1
dn: cn=www.example.com,ou=Servers,$BASEDN
objectClass: device
objectClass: ipHost
cn: localhost
ipHostNumber: 93.184.216.34
EOF
RC=$?
if test $RC != 0 ; then
echo "ldapadd failed for database populate ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo "Inserting autoca overlay on slapd..."
if [ "$AUTOCA" = autocamod ]; then
$LDAPADD -D cn=config -H $URIP1 -y $CONFIGPWF < $TESTOUT 2>&1
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: $TESTWD/../servers/slapd/overlays
olcModuleLoad: autoca.la
EOF
RC=$?
if test $RC != 0 ; then
echo "ldapadd failed for moduleLoad ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
fi
$LDAPMODIFY -D cn=config -H $URIP1 -y $CONFIGPWF <> $TESTOUT 2>&1
dn: olcOverlay=autoca,olcDatabase={1}$BACKEND,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAutoCAConfig
olcOverlay: autoca
olcAutoCAlocalDN: cn=localhost,ou=Servers,$BASEDN
EOF
RC=$?
if test $RC != 0 ; then
echo "ldapmodify failed for autoca config ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo "Using ldapsearch to retrieve CA cert..."
$LDAPSEARCH -b $BASEDN -D $MANAGERDN -H $URIP1 -w $PASSWD -s base \
'objectclass=*' 'cACertificate;binary' > $SEARCHOUT 2>&1
RC=$?
if test $RC != 0 ; then
echo "ldapsearch failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo "Setting up CA cert..."
echo "-----BEGIN CERTIFICATE-----" > $TESTDIR/cacert.pem
sed -e "/^dn:/d" -e "s/cACertificate;binary:://" -e "/^$/d" $SEARCHOUT >> $TESTDIR/cacert.pem
echo "-----END CERTIFICATE-----" >> $TESTDIR/cacert.pem
echo "Using ldapsearch to generate localhost cert..."
$LDAPSEARCH -b cn=localhost,ou=Servers,$BASEDN -D $MANAGERDN -H $URIP1 -w $PASSWD -s base \
-A 'objectclass=*' 'userCertificate;binary' 'userPrivateKey;binary' >> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
echo "ldapsearch failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo "Using ldapsearch to attempt TLS..."
unset LDAPNOINIT
LDAPTLS_CACERT=$TESTDIR/cacert.pem
export LDAPTLS_CACERT
$LDAPSEARCH -b $BASEDN -D $MANAGERDN -H $URIP1 -w $PASSWD -s base -ZZ \
'objectclass=*' >> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
echo "ldapsearch failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
if test $WITH_SASL = no ; then
echo "SASL support not available, skipping client cert authentication"
else
# note - the attrs are being saved in raw DER form.
# they need to be base64 encoded into PEM for most programs to use them
# so we ignore those files for now.
echo "Using ldapsearch to generate user cert..."
$LDAPSEARCH -b "$BABSDN" -D $MANAGERDN -H $URIP1 -w $PASSWD -s base -ZZ \
-T $TESTDIR -t 'objectclass=*' 'userCertificate;binary' 'userPrivateKey;binary' >> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
echo "ldapsearch failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo "Using ldapsearch to retrieve user cert..."
$LDAPSEARCH -b "$BABSDN" -D $MANAGERDN -H $URIP1 -w $PASSWD -s base -ZZ \
'objectclass=*' 'userCertificate;binary' > $SEARCHOUT 2>&1
RC=$?
if test $RC != 0 ; then
echo "ldapsearch failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo "Setting up user cert..."
echo "-----BEGIN CERTIFICATE-----" > $TESTDIR/usercert.pem
sed -e "/^dn:/d" -e "/^ dc=com/d" -e "s/userCertificate;binary:://" -e "/^$/d" $SEARCHOUT >> $TESTDIR/usercert.pem
echo "-----END CERTIFICATE-----" >> $TESTDIR/usercert.pem
echo "Using ldapsearch to retrieve user key..."
$LDAPSEARCH -b "$BABSDN" -D $MANAGERDN -H $URIP1 -w $PASSWD -s base -ZZ \
'objectclass=*' 'userPrivateKey;binary' > $SEARCHOUT 2>&1
RC=$?
if test $RC != 0 ; then
echo "ldapsearch failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo "Setting up user key..."
echo "-----BEGIN PRIVATE KEY-----" > $TESTDIR/userkey.pem
sed -e "/^dn:/d" -e "/^ dc=com/d" -e "s/userPrivateKey;binary:://" -e "/^$/d" $SEARCHOUT >> $TESTDIR/userkey.pem
echo "-----END PRIVATE KEY-----" >> $TESTDIR/userkey.pem
LDAPTLS_CERT=$TESTDIR/usercert.pem
LDAPTLS_KEY=$TESTDIR/userkey.pem
export LDAPTLS_CERT
export LDAPTLS_KEY
echo "Setting TLSVerifyClient to try..."
$LDAPMODIFY -D cn=config -H $URIP1 -y $CONFIGPWF <> $TESTOUT 2>&1
dn: cn=config
changetype: modify
replace: olcTLSVerifyClient
olcTLSVerifyClient: try
EOF
RC=$?
if test $RC != 0 ; then
echo "ldapmodify failed for autoca config ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
$CLIENTDIR/ldapwhoami -Y EXTERNAL -H $URIP1 -ZZ
if test $RC != 0 ; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
fi
test $KILLSERVERS != no && kill -HUP $KILLPIDS
echo ">>>>> Test succeeded"
test $KILLSERVERS != no && wait
exit 0