Diffstat (limited to 'third_party/heimdal/tests/ldap')
-rw-r--r--third_party/heimdal/tests/ldap/Makefile.am55
-rw-r--r--third_party/heimdal/tests/ldap/NTMakefile35
-rw-r--r--third_party/heimdal/tests/ldap/check-ldap.in153
-rw-r--r--third_party/heimdal/tests/ldap/init.ldif44
-rw-r--r--third_party/heimdal/tests/ldap/krb5.conf.in26
-rw-r--r--third_party/heimdal/tests/ldap/samba.schema554
-rw-r--r--third_party/heimdal/tests/ldap/slapd-init.in58
-rw-r--r--third_party/heimdal/tests/ldap/slapd-stop18
-rw-r--r--third_party/heimdal/tests/ldap/slapd.conf27
9 files changed, 970 insertions, 0 deletions
diff --git a/third_party/heimdal/tests/ldap/Makefile.am b/third_party/heimdal/tests/ldap/Makefile.am
new file mode 100644
index 0000000..cbc0b7d
--- /dev/null
+++ b/third_party/heimdal/tests/ldap/Makefile.am
@@ -0,0 +1,55 @@
+# $Id$
+
+include $(top_srcdir)/Makefile.am.common
+
+noinst_DATA = krb5.conf
+
+check_SCRIPTS = $(TESTS) slapd-init
+
+TESTS = check-ldap
+
+port = 49188
+
+do_subst = sed \
+ -e 's,[@]env_setup[@],$(top_builddir)/tests/bin/setup-env,g' \
+ -e 's,[@]srcdir[@],$(srcdir),g' \
+ -e 's,[@]port[@],$(port),g' \
+ -e 's,[@]objdir[@],$(top_builddir)/tests/ldap,g' \
+ -e 's,[@]EGREP[@],$(EGREP),g'
+
+check-ldap: check-ldap.in Makefile
+ $(do_subst) < $(srcdir)/check-ldap.in > check-ldap.tmp
+ chmod +x check-ldap.tmp
+ mv check-ldap.tmp check-ldap
+
+slapd-init: slapd-init.in Makefile
+ $(do_subst) < $(srcdir)/slapd-init.in > slapd-init.tmp
+ chmod +x slapd-init.tmp
+ mv slapd-init.tmp slapd-init
+
+krb5.conf: krb5.conf.in Makefile
+ $(do_subst) < $(srcdir)/krb5.conf.in > krb5.conf.tmp
+ mv krb5.conf.tmp krb5.conf
+
+CLEANFILES= \
+ $(TESTS) \
+ check-ldap.tmp \
+ slapd-init.tmp \
+ current-db* \
+ krb5.conf krb5.conf.tmp \
+ modules.conf \
+ cache.krb5 \
+ slapd-init \
+ foopassword \
+ messages.log \
+ slapd.pid
+
+EXTRA_DIST = \
+ NTMakefile \
+ samba.schema \
+ slapd.conf \
+ slapd-stop \
+ check-ldap.in \
+ init.ldif \
+ krb5.conf.in \
+ slapd-init.in
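Review bot: `CLEANFILES` does not cover everything this test leaves in the build directory. slapd.conf in this commit sets `argsfile slapd.args`, slapd-init.in copies the `slapd` binary into the working directory and starts it on `ldap-socket`, and krb5.conf.in points at `mkey.file` and `log.current-db.log` (which `current-db*` does not match); none of these are listed. The `db` and `schema` directories are removed only when check-ldap runs to its end. I would add `slapd slapd.args ldap-socket mkey.file log.current-db.log` to `CLEANFILES` and a `clean-local:` rule running `rm -rf db schema`, so that an aborted run does not leave a copied server binary and test KDC state behind after `make clean`.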
diff --git a/third_party/heimdal/tests/ldap/NTMakefile b/third_party/heimdal/tests/ldap/NTMakefile
new file mode 100644
index 0000000..9c5de09
--- /dev/null
+++ b/third_party/heimdal/tests/ldap/NTMakefile
@@ -0,0 +1,35 @@
+########################################################################
+#
+# Copyright (c) 2009, Secure Endpoints Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# - Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# - Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in
+# the documentation and/or other materials provided with the
+# distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+
+RELDIR=tests\ldap
+
+!include ../../windows/NTMakefile.w32
+
diff --git a/third_party/heimdal/tests/ldap/check-ldap.in b/third_party/heimdal/tests/ldap/check-ldap.in
new file mode 100644
index 0000000..f73eb6e
--- /dev/null
+++ b/third_party/heimdal/tests/ldap/check-ldap.in
@@ -0,0 +1,153 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 - 2016 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $Id$
+#
+
+env_setup="@env_setup@"
+srcdir="@srcdir@"
+objdir="@objdir@"
+
+. ${env_setup}
+
+EGREP="@EGREP@"
+
+R=TEST.H5L.SE
+
+port=@port@
+
+server=host/datan.test.h5l.se
+cache="FILE:${objdir}/cache.krb5"
+
+kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache ${afs_no_afslog}"
+kgetcred="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache"
+kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
+kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
+
+foopassword="fooLongPasswordYo123;"
+
+testfailed="echo test failed; exit 1"
+
+KRB5_CONFIG="${objdir}/krb5.conf"
+export KRB5_CONFIG
+
+# If there is no ldap support compiled in, disable test
+if ${kdc} --builtin-hdb | grep ldap > /dev/null ; then
+ :
+else
+ echo "no ldap support"
+ exit 77
+fi
+
+#search for all ldap tools
+
+PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/libexec:/usr/lib/openldap:$PATH
+export PATH
+
+oldifs=$IFS
+IFS=:
+set -- $PATH
+IFS=$oldifs
+for j in slapd slapadd; do
+ for i in $*; do
+ test -n "$i" || i="."
+ if test -x $i/$j; then
+ continue 2
+ fi
+ done
+ echo "$j missing, not running test"
+ exit 77
+done
+
+sh ${objdir}/slapd-init || exit 1
+
+trap "sh ${srcdir}/slapd-stop ; exit 1;" EXIT
+
+rm -f current-db*
+
+> messages.log
+
+echo Creating database
+${kadmin} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R} || exit 1
+
+${kadmin} add -p "$foopassword" --use-defaults foo@${R} || exit 1
+${kadmin} add -p "$foopassword" --use-defaults bar@${R} || exit 1
+${kadmin} add -p kaka --use-defaults ${server}@${R} || exit 1
+
+${kadmin} cpw --random-password bar@${R} > /dev/null || exit 1
+${kadmin} cpw --random-password bar@${R} > /dev/null || exit 1
+${kadmin} cpw --random-password bar@${R} > /dev/null || exit 1
+
+${kadmin} cpw --random-password suser@${R} > /dev/null|| exit 1
+${kadmin} cpw --password="$foopassword" suser@${R} || exit 1
+
+${kadmin} list '*' > /dev/null || exit 1
+
+echo "$foopassword" > ${objdir}/foopassword
+
+echo Starting kdc
+${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
+kdcpid=`getpid kdc`
+
+trap "kill ${kdcpid}; echo signal killing kdc; sh ${srcdir}/slapd-stop ; exit 1;" EXIT
+
+ec=0
+
+echo "Getting client initial tickets";
+${kinit} --password-file=${objdir}/foopassword foo@$R || \
+ { ec=1 ; eval "${testfailed}"; }
+
+echo "Getting ${server} ticket"
+${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+
+
+echo "Getting *@$R initial ticket (fail)";
+${kinit} --password-file=${objdir}/foopassword '*'@$R 2>/dev/null && \
+ { ec=1 ; eval "${testfailed}"; }
+
+
+echo "killing kdc (${kdcpid})"
+kill $kdcpid || exit 1
+
+trap "" EXIT
+
+# kill of old slapd
+sh ${srcdir}/slapd-stop
+
+rm -rf db schema
+
+exit $ec
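Review bot: The script mixes `${objdir}`-anchored paths with paths relative to the current directory, so `rm -f current-db*`, `> messages.log` and the final `rm -rf db schema` act on whatever directory the script was started from. The tool paths (`../../kuser/kinit` and friends) already assume the working directory is the test's build directory, so stating that with `cd "${objdir}" || exit 1` right after `objdir` is assigned would keep the deletions inside the build tree. Separately, `kdcpid` comes from `getpid kdc`, which is not defined in this file (presumably it comes from the sourced `${env_setup}`). If it yields nothing, both `kill $kdcpid` and the second EXIT trap run `kill` without a PID, so a `test -n "$kdcpid" || exit 1` after the assignment would fail earlier and with a clearer cause.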
diff --git a/third_party/heimdal/tests/ldap/init.ldif b/third_party/heimdal/tests/ldap/init.ldif
new file mode 100644
index 0000000..371702f
--- /dev/null
+++ b/third_party/heimdal/tests/ldap/init.ldif
@@ -0,0 +1,44 @@
+dn: o=TEST,dc=H5L,dc=SE
+objectclass: organization
+o: Test
+
+dn: ou=kerberosPrincipals,o=TEST,dc=H5L,dc=SE
+objectclass: organizationalUnit
+ou: kerberosPrincipals
+
+dn: uid=suser,ou=kerberosPrincipals,o=TEST,dc=H5L,dc=SE
+cn: root
+sn: root
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+gidNumber: 0
+uid: suser
+uidNumber: 0
+homeDirectory: /root
+loginShell: /bin/bash
+gecos: Netbios root user
+structuralObjectClass: inetOrgPerson
+creatorsName: cn=root,dc=test,dc=h5l,dc=se
+userPassword: password
+objectClass: krb5KDCEntry
+krb5KeyVersionNumber: 2
+krb5PrincipalName: suser@TEST.H5L.SE
+objectClass: sambaSamAccount
+sambaHomePath: \\admin1\suser
+sambaPwdCanChange: 1159699688
+sambaPwdLastSet: 1159699688
+sambaPrimaryGroupSID: S-1-5-21-3017333096-1338036268-1966094567-512
+sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
+ 00000000
+sambaLMPassword: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+sambaNTPassword: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+sambaLogonTime: 0
+sambaLogoffTime: 2147483647
+sambaKickoffTime: 2147483647
+sambaPwdMustChange: 2147483647
+sambaHomeDrive: H:
+sambaAcctFlags: [U ]
+sambaSID: S-1-5-21-3017333096-1338036268-1966094567-1000
diff --git a/third_party/heimdal/tests/ldap/krb5.conf.in b/third_party/heimdal/tests/ldap/krb5.conf.in
new file mode 100644
index 0000000..e5f1a17
--- /dev/null
+++ b/third_party/heimdal/tests/ldap/krb5.conf.in
@@ -0,0 +1,26 @@
+# $Id$
+
+[libdefaults]
+ default_realm = TEST.H5L.SE
+ no-addresses = TRUE
+ plugin_dir = @objdir@/../../lib/hdb @objdir@/../../lib/hdb/.libs
+
+[realms]
+ TEST.H5L.SE = {
+ kdc = localhost:@port@
+ }
+
+[kdc]
+ database = {
+ dbname = ldapi://.%2Fldap-socket:OU=KerberosPrincipals,o=test,DC=h5l,DC=se
+ realm = TEST.H5L.SE
+ mkey_file = @objdir@/mkey.file
+ log_file = @objdir@/log.current-db.log
+ }
+
+[hdb]
+ db-dir = @objdir@
+
+[logging]
+ kdc = 0-/FILE:@objdir@/messages.log
+ default = 0-/FILE:@objdir@/messages.log
diff --git a/third_party/heimdal/tests/ldap/samba.schema b/third_party/heimdal/tests/ldap/samba.schema
new file mode 100644
index 0000000..549a708
--- /dev/null
+++ b/third_party/heimdal/tests/ldap/samba.schema
@@ -0,0 +1,554 @@
+##
+## schema file for OpenLDAP 2.x
+## Schema for storing Samba user accounts and group maps in LDAP
+## OIDs are owned by the Samba Team
+##
+## Prerequisite schemas - uid (cosine.schema)
+## - displayName (inetorgperson.schema)
+## - gidNumber (nis.schema)
+##
+## 1.3.6.1.4.1.7165.2.1.x - attributetypes
+## 1.3.6.1.4.1.7165.2.2.x - objectclasses
+##
+## Printer support
+## 1.3.6.1.4.1.7165.2.3.1.x - attributetypes
+## 1.3.6.1.4.1.7165.2.3.2.x - objectclasses
+##
+## Samba4
+## 1.3.6.1.4.1.7165.4.1.x - attributetypes
+## 1.3.6.1.4.1.7165.4.2.x - objectclasses
+## 1.3.6.1.4.1.7165.4.3.x - LDB/LDAP Controls
+## 1.3.6.1.4.1.7165.4.4.x - LDB/LDAP Extended Operations
+## 1.3.6.1.4.1.7165.4.255.x - mapped OIDs due to conflicts between AD and standards-track
+##
+## ----- READ THIS WHEN ADDING A NEW ATTRIBUTE OR OBJECT CLASS ------
+##
+## Run the 'get_next_oid' bash script in this directory to find the
+## next available OID for attribute type and object classes.
+##
+## $ ./get_next_oid
+## attributetype ( 1.3.6.1.4.1.7165.2.1.XX NAME ....
+## objectclass ( 1.3.6.1.4.1.7165.2.2.XX NAME ....
+##
+## Also ensure that new entries adhere to the declaration style
+## used throughout this file
+##
+## <attributetype|objectclass> ( 1.3.6.1.4.1.7165.2.XX.XX NAME ....
+## ^ ^ ^
+##
+## The spaces are required for the get_next_oid script (and for
+## readability).
+##
+## ------------------------------------------------------------------
+
+# objectIdentifier SambaRoot 1.3.6.1.4.1.7165
+# objectIdentifier Samba3 SambaRoot:2
+# objectIdentifier Samba3Attrib Samba3:1
+# objectIdentifier Samba3ObjectClass Samba3:2
+# objectIdentifier Samba4 SambaRoot:4
+
+########################################################################
+## HISTORICAL ##
+########################################################################
+
+##
+## Password hashes
+##
+#attributetype ( 1.3.6.1.4.1.7165.2.1.1 NAME 'lmPassword'
+# DESC 'LanManager Passwd'
+# EQUALITY caseIgnoreIA5Match
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
+
+#attributetype ( 1.3.6.1.4.1.7165.2.1.2 NAME 'ntPassword'
+# DESC 'NT Passwd'
+# EQUALITY caseIgnoreIA5Match
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
+
+##
+## Account flags in string format ([UWDX ])
+##
+#attributetype ( 1.3.6.1.4.1.7165.2.1.4 NAME 'acctFlags'
+# DESC 'Account Flags'
+# EQUALITY caseIgnoreIA5Match
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )
+
+##
+## Password timestamps & policies
+##
+#attributetype ( 1.3.6.1.4.1.7165.2.1.3 NAME 'pwdLastSet'
+# DESC 'NT pwdLastSet'
+# EQUALITY integerMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+#attributetype ( 1.3.6.1.4.1.7165.2.1.5 NAME 'logonTime'
+# DESC 'NT logonTime'
+# EQUALITY integerMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+#attributetype ( 1.3.6.1.4.1.7165.2.1.6 NAME 'logoffTime'
+# DESC 'NT logoffTime'
+# EQUALITY integerMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+#attributetype ( 1.3.6.1.4.1.7165.2.1.7 NAME 'kickoffTime'
+# DESC 'NT kickoffTime'
+# EQUALITY integerMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+#attributetype ( 1.3.6.1.4.1.7165.2.1.8 NAME 'pwdCanChange'
+# DESC 'NT pwdCanChange'
+# EQUALITY integerMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+#attributetype ( 1.3.6.1.4.1.7165.2.1.9 NAME 'pwdMustChange'
+# DESC 'NT pwdMustChange'
+# EQUALITY integerMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+##
+## string settings
+##
+#attributetype ( 1.3.6.1.4.1.7165.2.1.10 NAME 'homeDrive'
+# DESC 'NT homeDrive'
+# EQUALITY caseIgnoreIA5Match
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )
+
+#attributetype ( 1.3.6.1.4.1.7165.2.1.11 NAME 'scriptPath'
+# DESC 'NT scriptPath'
+# EQUALITY caseIgnoreIA5Match
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE )
+
+#attributetype ( 1.3.6.1.4.1.7165.2.1.12 NAME 'profilePath'
+# DESC 'NT profilePath'
+# EQUALITY caseIgnoreIA5Match
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE )
+
+#attributetype ( 1.3.6.1.4.1.7165.2.1.13 NAME 'userWorkstations'
+# DESC 'userWorkstations'
+# EQUALITY caseIgnoreIA5Match
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE )
+
+#attributetype ( 1.3.6.1.4.1.7165.2.1.17 NAME 'smbHome'
+# DESC 'smbHome'
+# EQUALITY caseIgnoreIA5Match
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
+
+#attributetype ( 1.3.6.1.4.1.7165.2.1.18 NAME 'domain'
+# DESC 'Windows NT domain to which the user belongs'
+# EQUALITY caseIgnoreIA5Match
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
+
+##
+## user and group RID
+##
+#attributetype ( 1.3.6.1.4.1.7165.2.1.14 NAME 'rid'
+# DESC 'NT rid'
+# EQUALITY integerMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+#attributetype ( 1.3.6.1.4.1.7165.2.1.15 NAME 'primaryGroupID'
+# DESC 'NT Group RID'
+# EQUALITY integerMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+##
+## The smbPasswordEntry objectclass has been depreciated in favor of the
+## sambaAccount objectclass
+##
+#objectclass ( 1.3.6.1.4.1.7165.2.2.1 NAME 'smbPasswordEntry' SUP top AUXILIARY
+# DESC 'Samba smbpasswd entry'
+# MUST ( uid $ uidNumber )
+# MAY ( lmPassword $ ntPassword $ pwdLastSet $ acctFlags ))
+
+#objectclass ( 1.3.6.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top STRUCTURAL
+# DESC 'Samba Account'
+# MUST ( uid $ rid )
+# MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
+# logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $
+# displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $
+# description $ userWorkstations $ primaryGroupID $ domain ))
+
+#objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY
+# DESC 'Samba Auxiliary Account'
+# MUST ( uid $ rid )
+# MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
+# logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $
+# displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $
+# description $ userWorkstations $ primaryGroupID $ domain ))
+
+########################################################################
+## END OF HISTORICAL ##
+########################################################################
+
+#######################################################################
+## Attributes used by Samba 3.0 schema ##
+#######################################################################
+
+##
+## Password hashes
+##
+attributetype ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword'
+ DESC 'LanManager Password'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword'
+ DESC 'MD4 hash of the unicode password'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
+
+##
+## Account flags in string format ([UWDX ])
+##
+attributetype ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags'
+ DESC 'Account Flags'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )
+
+##
+## Password timestamps & policies
+##
+attributetype ( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet'
+ DESC 'Timestamp of the last password update'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange'
+ DESC 'Timestamp of when the user is allowed to update the password'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange'
+ DESC 'Timestamp of when the password will expire'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime'
+ DESC 'Timestamp of last logon'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime'
+ DESC 'Timestamp of last logoff'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime'
+ DESC 'Timestamp of when the user will be logged off automatically'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount'
+ DESC 'Bad password attempt count'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime'
+ DESC 'Time of the last bad password attempt'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours'
+ DESC 'Logon Hours'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{42} SINGLE-VALUE )
+
+##
+## string settings
+##
+attributetype ( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive'
+ DESC 'Driver letter of home directory mapping'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript'
+ DESC 'Logon script path'
+ EQUALITY caseIgnoreMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath'
+ DESC 'Roaming profile path'
+ EQUALITY caseIgnoreMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations'
+ DESC 'List of user workstations the user is allowed to logon to'
+ EQUALITY caseIgnoreMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath'
+ DESC 'Home directory UNC path'
+ EQUALITY caseIgnoreMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName'
+ DESC 'Windows NT domain to which the user belongs'
+ EQUALITY caseIgnoreMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial'
+ DESC 'Base64 encoded user parameter string'
+ EQUALITY caseExactMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory'
+ DESC 'Concatenated MD5 hashes of the salted NT passwords used on this account'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )
+
+##
+## SID, of any type
+##
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID'
+ DESC 'Security ID'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
+
+##
+## Primary group SID, compatible with ntSid
+##
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID'
+ DESC 'Primary Group Security ID'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList'
+ DESC 'Security ID List'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
+
+##
+## group mapping attributes
+##
+attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType'
+ DESC 'NT Group Type'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+##
+## Store info on the domain
+##
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid'
+ DESC 'Next NT rid to give our for users'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid'
+ DESC 'Next NT rid to give out for groups'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid'
+ DESC 'Next NT rid to give out for anything'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase'
+ DESC 'Base at which the samba RID generation algorithm should operate'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName'
+ DESC 'Share Name'
+ EQUALITY caseIgnoreMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName'
+ DESC 'Option Name'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption'
+ DESC 'A boolean option'
+ EQUALITY booleanMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption'
+ DESC 'An integer option'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption'
+ DESC 'A string option'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption'
+ DESC 'A string list option'
+ EQUALITY caseIgnoreMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+
+##attributetype ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaPrivName'
+## SUP name )
+
+##attributetype ( 1.3.6.1.4.1.7165.2.1.52 NAME 'sambaPrivilegeList'
+## DESC 'Privileges List'
+## EQUALITY caseIgnoreIA5Match
+## SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags'
+ DESC 'Trust Password Flags'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+# "min password length"
+attributetype ( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength'
+ DESC 'Minimal password length (default: 5)'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+# "password history"
+attributetype ( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength'
+ DESC 'Length of Password History Entries (default: 0 => off)'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+# "user must logon to change password"
+attributetype ( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd'
+ DESC 'Force Users to logon for password change (default: 0 => off, 2 => on)'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+# "maximum password age"
+attributetype ( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge'
+ DESC 'Maximum password age, in seconds (default: -1 => never expire passwords)'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+# "minimum password age"
+attributetype ( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge'
+ DESC 'Minimum password age, in seconds (default: 0 => allow immediate password change)'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+# "lockout duration"
+attributetype ( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration'
+ DESC 'Lockout duration in minutes (default: 30, -1 => forever)'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+# "reset count minutes"
+attributetype ( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservationWindow'
+ DESC 'Reset time after lockout in minutes (default: 30)'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+# "bad lockout attempt"
+attributetype ( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold'
+ DESC 'Lockout users after bad logon attempts (default: 0 => off)'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+# "disconnect time"
+attributetype ( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff'
+ DESC 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+# "refuse machine password change"
+attributetype ( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdChange'
+ DESC 'Allow Machine Password changes (default: 0 => off)'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+
+
+
+#######################################################################
+## objectClasses used by Samba 3.0 schema ##
+#######################################################################
+
+## The X.500 data model (and therefore LDAPv3) says that each entry can
+## only have one structural objectclass. OpenLDAP 2.0 does not enforce
+## this currently but will in v2.1
+
+##
+## added new objectclass (and OID) for 3.0 to help us deal with backwards
+## compatibility with 2.2 installations (e.g. ldapsam_compat) --jerry
+##
+objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
+ DESC 'Samba 3.0 Auxilary SAM Account'
+ MUST ( uid $ sambaSID )
+ MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $
+ sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $
+ sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $
+ displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $
+ sambaProfilePath $ description $ sambaUserWorkstations $
+ sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $
+ sambaBadPasswordCount $ sambaBadPasswordTime $
+ sambaPasswordHistory $ sambaLogonHours))
+
+##
+## Group mapping info
+##
+objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY
+ DESC 'Samba Group Mapping'
+ MUST ( gidNumber $ sambaSID $ sambaGroupType )
+ MAY ( displayName $ description $ sambaSIDList ))
+
+##
+## Trust password for trust relationships (any kind)
+##
+objectclass ( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' SUP top STRUCTURAL
+ DESC 'Samba Trust Password'
+ MUST ( sambaDomainName $ sambaNTPassword $ sambaTrustFlags )
+ MAY ( sambaSID $ sambaPwdLastSet ))
+
+##
+## Whole-of-domain info
+##
+objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL
+ DESC 'Samba Domain Information'
+ MUST ( sambaDomainName $
+ sambaSID )
+ MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $
+ sambaAlgorithmicRidBase $
+ sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $
+ sambaMaxPwdAge $ sambaMinPwdAge $
+ sambaLockoutDuration $ sambaLockoutObservationWindow $ sambaLockoutThreshold $
+ sambaForceLogoff $ sambaRefuseMachinePwdChange ))
+
+##
+## used for idmap_ldap module
+##
+objectclass ( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY
+ DESC 'Pool for allocating UNIX uids/gids'
+ MUST ( uidNumber $ gidNumber ) )
+
+
+objectclass ( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY
+ DESC 'Mapping from a SID to an ID'
+ MUST ( sambaSID )
+ MAY ( uidNumber $ gidNumber ) )
+
+objectclass ( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL
+ DESC 'Structural Class for a SID'
+ MUST ( sambaSID ) )
+
+objectclass ( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' SUP top AUXILIARY
+ DESC 'Samba Configuration Section'
+ MAY ( description ) )
+
+objectclass ( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' SUP top STRUCTURAL
+ DESC 'Samba Share Section'
+ MUST ( sambaShareName )
+ MAY ( description ) )
+
+objectclass ( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' SUP top STRUCTURAL
+ DESC 'Samba Configuration Option'
+ MUST ( sambaOptionName )
+ MAY ( sambaBoolOption $ sambaIntegerOption $ sambaStringOption $
+ sambaStringListoption $ description ) )
+
+
+## retired during privilege rewrite
+##objectclass ( 1.3.6.1.4.1.7165.2.2.13 NAME 'sambaPrivilege' SUP top AUXILIARY
+## DESC 'Samba Privilege'
+## MUST ( sambaSID )
+## MAY ( sambaPrivilegeList ) )
diff --git a/third_party/heimdal/tests/ldap/slapd-init.in b/third_party/heimdal/tests/ldap/slapd-init.in
new file mode 100644
index 0000000..f6e9fe9
--- /dev/null
+++ b/third_party/heimdal/tests/ldap/slapd-init.in
@@ -0,0 +1,58 @@
+#!/bin/sh
+# $Id$
+
+srcdir=@srcdir@
+
+rm -rf db schema
+mkdir db
+
+# kill of old slapd if running
+sh "${srcdir}/slapd-stop" > /dev/null
+
+SCHEMA_NEEDED="hdb core nis cosine inetorgperson openldap samba"
+
+SCHEMA_PATHS="${srcdir}/../../lib/hdb ${srcdir} /etc/ldap/schema /etc/openldap/schema /private/etc/openldap/schema /usr/share/openldap/schema"
+
+test -d schema || mkdir schema
+
+# setup needed schema files
+for f in $SCHEMA_NEEDED; do
+ if [ ! -r schema/$f.schema ]; then
+ for d in $SCHEMA_PATHS ; do
+ if [ -r $d/$f.schema ] ; then
+ cp $d/$f.schema schema/$f.schema
+ continue 2
+ fi
+ done
+ echo "SKIPPING TESTS: you need the following schema file: $f.schema"
+ exit 1
+ fi
+done
+
+touch modules.conf || exit 1
+
+if ! slapadd -d 0 -f "${srcdir}/slapd.conf" < "${srcdir}/init.ldif"; then
+ echo "moduleload back_bdb.la" >> modules.conf
+ if ! slapadd -d 0 -f "${srcdir}/slapd.conf" < "${srcdir}/init.ldif"; then
+ echo "modulepath /usr/lib/ldap" > modules.conf
+ echo "moduleload back_bdb.la" >> modules.conf
+ slapadd -d 0 -f "${srcdir}/slapd.conf" < "${srcdir}/init.ldif" || exit 1
+ fi
+fi
+
+cp "`which slapd`" . || true # fails if running
+
+echo "starting slapd"
+./slapd -d0 -f "${srcdir}/slapd.conf" -h ldapi://.%2Fldap-socket &
+slapd_pid=$!
+
+tries=0
+while kill -0 $slapd_pid && [ ! -S ldap-socket ] &&
+ ! ldapsearch -l 2 -w '' -D '' -b "o=TEST,dc=H5L,dc=SE" -s base -H ldapi://.%2Fldap-socket >/dev/null &&
+ [ $tries -lt 30 ]; do
+ sleep 1
+ tries=`expr 1 + $tries`
+done
+
+kill -0 $slapd_pid || exit 1
+[ -S ldap-socket ] || exit 1
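Review bot: The readiness loop stops as soon as `ldap-socket` exists, because `[ ! -S ldap-socket ]` and `! ldapsearch …` are joined with `&&`. ldapsearch therefore only runs while the socket is missing, where it cannot succeed, and the probe never confirms that slapd actually answers. Grouping the two tests as `{ [ ! -S ldap-socket ] || ! ldapsearch <same arguments> >/dev/null; }` would keep waiting until a base search succeeds or the 30 tries run out. The missing-schema branch prints "SKIPPING TESTS" but exits 1, and check-ldap.in turns any failure of this script into `exit 1`, so that case is reported as a failure rather than with the skip code 77 that check-ldap.in uses for missing tools. Also note that the `cp … || true` line followed by `./slapd` will execute whatever `slapd` file is already in the working directory when the copy fails; a comment saying so, or a check that the copy succeeded, would make that explicit.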
diff --git a/third_party/heimdal/tests/ldap/slapd-stop b/third_party/heimdal/tests/ldap/slapd-stop
new file mode 100644
index 0000000..278d98a
--- /dev/null
+++ b/third_party/heimdal/tests/ldap/slapd-stop
@@ -0,0 +1,18 @@
+#!/bin/sh
+# $Id$
+
+echo stoping slapd
+
+# kill of old slapd
+if [ -f slapd.pid ]; then
+ kill `cat slapd.pid`
+ sleep 5
+fi
+if [ -f slapd.pid ]; then
+ kill -9 `cat slapd.pid`
+ rm -f slapd.pid
+ sleep 5
+fi
+
+exit 0
+
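Review bot: Both `kill` commands act on the contents of `slapd.pid` without checking them. A pidfile left over from an earlier crashed run can name a PID that has since been reused by an unrelated process of the same user, which then receives SIGTERM and, five seconds later, SIGKILL; an empty pidfile makes `kill` run with no argument. Reading the value once into a variable, rejecting anything that is not all digits, and probing with `kill -0 "$pid"` before signalling would narrow this, although it still does not prove the process is slapd. The message `stoping slapd` is a typo for `stopping slapd`.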
diff --git a/third_party/heimdal/tests/ldap/slapd.conf b/third_party/heimdal/tests/ldap/slapd.conf
new file mode 100644
index 0000000..caec472
--- /dev/null
+++ b/third_party/heimdal/tests/ldap/slapd.conf
@@ -0,0 +1,27 @@
+loglevel 0
+
+include schema/core.schema
+include schema/cosine.schema
+include schema/inetorgperson.schema
+include schema/openldap.schema
+include schema/nis.schema
+include schema/hdb.schema
+include schema/samba.schema
+
+
+pidfile slapd.pid
+argsfile slapd.args
+
+access to * by * write
+
+allow update_anon bind_anon_dn
+
+include modules.conf
+
+defaultsearchbase "o=TEST,dc=H5L,dc=SE"
+
+database bdb
+suffix "o=TEST,dc=H5L,dc=SE"
+directory db
+index objectClass eq
+index uid eq
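Review bot: `access to * by * write` together with `allow update_anon bind_anon_dn` gives every client, including anonymous ones, write access to the whole tree, and nothing in the file says this is intentional. It is contained only because slapd-init.in starts the server with `-h ldapi://.%2Fldap-socket`, a Unix socket in the test directory with no TCP listener. I would put a comment above the ACL such as `# TEST ONLY: anonymous write to everything; serve only on the local ldapi socket started by slapd-init`, so the file is not reused as a template with a network listener. `database bdb` also depends on the back-bdb backend, which OpenLDAP 2.5 and later no longer ship; slapd-init.in retries with `moduleload back_bdb.la`, but on such systems the test will most likely fail rather than skip.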