diff options
Diffstat (limited to 'tests/data/regressions/its8427/its8427-2')
| -rwxr-xr-x | tests/data/regressions/its8427/its8427-2 | 395 |
1 files changed, 395 insertions, 0 deletions
diff --git a/tests/data/regressions/its8427/its8427-2 b/tests/data/regressions/its8427/its8427-2 new file mode 100755 index 0000000..ca2ef7d --- /dev/null +++ b/tests/data/regressions/its8427/its8427-2 @@ -0,0 +1,395 @@ +#! /bin/sh +# $OpenLDAP$ +## This work is part of OpenLDAP Software <http://www.openldap.org/>. +## +## Copyright 1998-2022 The OpenLDAP Foundation. +## All rights reserved. +## +## Redistribution and use in source and binary forms, with or without +## modification, are permitted only as authorized by the OpenLDAP +## Public License. +## +## A copy of this license is available in the file LICENSE in the +## top-level directory of the distribution or, alternatively, at +## <http://www.OpenLDAP.org/license.html>. + +echo "running defines.sh" +. $SRCDIR/scripts/defines.sh + +if test $WITH_TLS = no ; then + echo "TLS support not available, test skipped" + exit 0 +fi + +if test $BACKLDAP = "ldapno" ; then + echo "LDAP backend not available, test skipped" + exit 0 +fi + +if test "$BACKEND" = "ldap"; then + echo "LDAP backend not valid, test skipped" + exit 0 +fi + +mkdir -p $TESTDIR $DBDIR1 +cp -r $DATADIR/tls $TESTDIR + +$SLAPPASSWD -g -n >$CONFIGPWF +echo "rootpw `$SLAPPASSWD -T $CONFIGPWF`" >$TESTDIR/configpw.conf + +ITS=8427 +ITSDIR=$DATADIR/regressions/its$ITS + +echo "Running slapadd to build slapd database..." +. $CONFFILTER $BACKEND < $TLSCONF > $CONF1 +$SLAPADD -f $CONF1 -l $LDIFORDERED +RC=$? +if test $RC != 0 ; then + echo "slapadd failed ($RC)!" + exit $RC +fi + +echo "database config" >> $CONF1 +echo "include $TESTDIR/configpw.conf" >> $CONF1 + +echo "Starting slapd listening on $URIP1 and $SURIP2..." +$SLAPD -f $CONF1 -h "$URIP1 $SURIP2" -d $LVL > $LOG1 2>&1 & +SERVERPID=$! +if test $WAIT != 0 ; then + echo SERVERPID $SERVERPID + read foo +fi +KILLPIDS="$SERVERPID" + +sleep 1 + +echo "Using ldapsearch to check that slapd is running..." +for i in 0 1 2 3 4 5; do + $LDAPSEARCH -s base -b "$MONITOR" -H $URI1 \ + 'objectclass=*' > /dev/null 2>&1 + RC=$? + if test $RC = 0 ; then + break + fi + echo "Waiting 5 seconds for slapd to start..." + sleep 5 +done + +if test $RC != 0 ; then + echo "ldapsearch failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo "database config" >> $CONF2 +echo "include $TESTDIR/configpw.conf" >> $CONF2 + +echo "Starting proxy slapd on TCP/IP port $PORT3..." +. $CONFFILTER $BACKEND < $ITSDIR/slapd.conf > $CONF2 +$SLAPD -f $CONF2 -h $URI3 -d $LVL > $LOG2 2>&1 & +PROXYPID=$! +if test $WAIT != 0 ; then + echo PROXYPID $PROXYPID + read foo +fi +KILLPIDS="$KILLPIDS $PROXYPID" + +sleep 1 + +echo "Using ldapsearch to check that proxy slapd is running..." +for i in 0 1 2 3 4 5; do + $LDAPSEARCH -s base -b "$MONITOR" -H $URI3 \ + 'objectclass=*' > /dev/null 2>&1 + RC=$? + if test $RC = 0 ; then + break + fi + echo "Waiting 5 seconds for slapd to start..." + sleep 5 +done + +if test $RC != 0 ; then + echo "ldapsearch failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo "Configuring proxy..." +$LDAPMODIFY -D cn=config -H $URI3 -y $CONFIGPWF \ + > $TESTOUT 2>&1 <<EOF +dn: olcDatabase={2}ldap,cn=config +changetype: add +objectClass: olcLDAPConfig +olcDbUri: $URI1 +olcSuffix: $BASEDN +olcRootDN: $MANAGERDN +olcRootPW: $PASSWD +EOF +RC=$? +if test $RC != 0 ; then + echo "modification failed ($RC)" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo "Privileged WhoAmI (proxy uses plain ldap://)..." +$LDAPWHOAMI -H $URI3 -D "$MANAGERDN" -w $PASSWD +RC=$? +if test $RC != 0 ; then + echo "ldapwhoami failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo "WhoAmI (proxy uses plain ldap://)..." +$LDAPWHOAMI -H $URI3 -D "$BABSDN" -w bjensen +RC=$? +if test $RC != 0 ; then + echo "ldapwhoami failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo "Searching (proxy uses plain ldap://)..." +echo "# Searching (proxy uses plain ldap://)..." > $SEARCHOUT +$LDAPSEARCH -b "$BASEDN" -H $URI3 \ + -D "$BABSDN" -w bjensen \ + '(objectClass=*)' >> $SEARCHOUT 2>&1 +RC=$? +if test $RC != 0 ; then + echo "ldapsearch failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo "Filtering ldapsearch results..." +$LDIFFILTER < $SEARCHOUT > $SEARCHFLT +echo "Filtering original ldif used to create database..." +$LDIFFILTER < $LDIFORDERED > $LDIFFLT +echo "" >> $LDIFFLT +echo "Comparing filter output..." +$CMP $SEARCHFLT $LDIFFLT > $CMPOUT + +if test $? != 0 ; then + echo "Comparison failed" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit 1 +fi + +echo "Reconfiguring database to only allow TLS binds..." +$LDAPMODIFY -D cn=config -H $URI1 -y $CONFIGPWF \ + > $TESTOUT 2>&1 <<EOF +dn: olcDatabase={1}$BACKEND,cn=config +changetype: modify +add: olcAccess +olcAccess: to attrs=userPassword by anonymous ssf=2 auth by users read +olcAccess: to * by users read +EOF +RC=$? +if test $RC != 0 ; then + echo "modification failed ($RC)" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo "Re-configuring proxy to use ldaps:// on privileged connections only..." +$LDAPMODIFY -D cn=config -H $URI3 -y $CONFIGPWF \ + > $TESTOUT 2>&1 <<EOF +dn: olcDatabase={2}ldap,cn=config +changetype: delete + +dn: olcDatabase={2}ldap,cn=config +changetype: add +objectClass: olcLDAPConfig +olcDbUri: $SURIP2 +olcSuffix: $BASEDN +olcRootDN: $MANAGERDN +olcRootPW: $PASSWD +olcDbIDAssertBind: bindmethod=simple binddn="$MANAGERDN" credentials="$PASSWD" tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt +EOF +RC=$? +if test $RC != 0 ; then + echo "modification failed ($RC)" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo "Privileged WhoAmI (proxy uses ldaps://)..." +$LDAPWHOAMI -H $URI3 -D "$MANAGERDN" -w $PASSWD +RC=$? +if test $RC != 0 ; then + echo "ldapwhoami failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo "WhoAmI (proxy uses ldaps://), which should fail..." +$LDAPWHOAMI -H $URI3 -D "$BABSDN" -w bjensen +RC=$? +case $RC in +52) + ;; +0) + echo "ldapwhoami should have failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit 1 + ;; +*) + echo "ldapwhoami failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC + ;; +esac + +# FIXME: just adding olcDbStartTLS to the DB doesn't have an effect, why? +echo "Re-configuring proxy to use ldaps:// everywhere..." +$LDAPMODIFY -D cn=config -H $URI3 -y $CONFIGPWF \ + > $TESTOUT 2>&1 <<EOF +dn: olcDatabase={2}ldap,cn=config +changetype: modify +add: olcDbStartTLS +olcDbStartTLS: ldaps tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt +EOF +RC=$? +if test $RC != 0 ; then + echo "modification failed ($RC)" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo "WhoAmI again (proxy uses ldaps://)..." +$LDAPWHOAMI -H $URI3 -D "$BABSDN" -w bjensen +RC=$? +if test $RC != 0 ; then + echo "ldapwhoami failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo "Searching (proxy uses ldaps://)..." +echo "# Searching (proxy uses ldaps://)..." > $SEARCHOUT +$LDAPSEARCH -b "$BASEDN" -H $URI3 \ + -D "$BABSDN" -w bjensen \ + '(objectClass=*)' >> $SEARCHOUT 2>&1 +RC=$? +if test $RC != 0 ; then + echo "ldapsearch failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo "Filtering ldapsearch results..." +$LDIFFILTER < $SEARCHOUT > $SEARCHFLT +echo "Comparing filter output..." +$CMP $SEARCHFLT $LDIFFLT > $CMPOUT + +if test $? != 0 ; then + echo "Comparison failed" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit 1 +fi + +echo "Re-configuring proxy to use LDAP+StartTLS correctly on privileged connections..." +$LDAPMODIFY -D cn=config -H $URI3 -y $CONFIGPWF \ + > $TESTOUT 2>&1 <<EOF +dn: olcDatabase={2}ldap,cn=config +changetype: delete + +dn: olcDatabase={2}ldap,cn=config +changetype: add +objectClass: olcLDAPConfig +olcDbUri: $URIP1 +olcSuffix: $BASEDN +olcRootDN: $MANAGERDN +olcRootPW: $PASSWD +olcDbIDAssertBind: bindmethod=none tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt +EOF +RC=$? +if test $RC != 0 ; then + echo "modification failed ($RC)" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo "Privileged WhoAmI (proxy requests StartTLS)..." +$LDAPWHOAMI -H $URI3 -D "$MANAGERDN" -w $PASSWD +RC=$? +if test $RC != 0 ; then + echo "ldapwhoami failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo "WhoAmI (proxy requests StartTLS), which should fail..." +$LDAPWHOAMI -H $URI3 -D "$BABSDN" -w bjensen +RC=$? +case $RC in +49|52) # ACL forbids plaintext binds against userPassword + ;; +0) + echo "ldapwhoami should have failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit 1 + ;; +*) + echo "ldapwhoami failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC + ;; +esac + +# FIXME: just adding olcDbStartTLS to the DB doesn't have an effect, why? +echo "Re-configuring proxy to use ldaps:// everywhere..." +$LDAPMODIFY -D cn=config -H $URI3 -y $CONFIGPWF \ + > $TESTOUT 2>&1 <<EOF +dn: olcDatabase={2}ldap,cn=config +changetype: modify +add: olcDbStartTLS +olcDbStartTLS: start tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt +EOF +RC=$? +if test $RC != 0 ; then + echo "modification failed ($RC)" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo "WhoAmI (proxy requests StartTLS)..." +$LDAPWHOAMI -H $URI3 -D "$BABSDN" -w bjensen +RC=$? +if test $RC != 0 ; then + echo "ldapwhoami failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo "Searching (proxy requests StartTLS)..." +echo "# Searching (proxy requests StartTLS)..." > $SEARCHOUT +$LDAPSEARCH -b "$BASEDN" -H $URI3 \ + -D "$BABSDN" -w bjensen \ + '(objectClass=*)' >> $SEARCHOUT 2>&1 +RC=$? +if test $RC != 0 ; then + echo "ldapsearch failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo "Filtering ldapsearch results..." +$LDIFFILTER < $SEARCHOUT > $SEARCHFLT +echo "Comparing filter output..." +$CMP $SEARCHFLT $LDIFFLT > $CMPOUT + +if test $? != 0 ; then + echo "Comparison failed" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit 1 +fi + +test $KILLSERVERS != no && kill -HUP $KILLPIDS + +echo ">>>>> Test succeeded" + +test $KILLSERVERS != no && wait + +exit 0 |