diff options
Diffstat (limited to '')
-rwxr-xr-x | tests/scripts/lloadd/test005-tls | 272 |
1 files changed, 272 insertions, 0 deletions
diff --git a/tests/scripts/lloadd/test005-tls b/tests/scripts/lloadd/test005-tls new file mode 100755 index 0000000..7d6f87c --- /dev/null +++ b/tests/scripts/lloadd/test005-tls @@ -0,0 +1,272 @@ +#! /bin/sh +# $OpenLDAP$ +## This work is part of OpenLDAP Software <http://www.openldap.org/>. +## +## Copyright 1998-2022 The OpenLDAP Foundation. +## All rights reserved. +## +## Redistribution and use in source and binary forms, with or without +## modification, are permitted only as authorized by the OpenLDAP +## Public License. +## +## A copy of this license is available in the file LICENSE in the +## top-level directory of the distribution or, alternatively, at +## <http://www.OpenLDAP.org/license.html>. + +echo "running defines.sh" +. $SRCDIR/scripts/defines.sh + +if test $WITH_TLS = no ; then + echo "TLS support not available, test skipped" + exit 0 +fi + +mkdir -p $TESTDIR $DBDIR1 $DBDIR2 +cp -r $DATADIR/tls $TESTDIR + +cd $TESTWD + +$SLAPPASSWD -g -n >$CONFIGPWF +echo "rootpw `$SLAPPASSWD -T $CONFIGPWF`" >$TESTDIR/configpw.conf + +echo "Running slapadd to build slapd database..." +. $CONFFILTER $BACKEND < $TLSSASLCONF > $CONF2 +$SLAPADD -f $CONF2 -l $LDIFORDERED +RC=$? +if test $RC != 0 ; then + echo "slapadd failed ($RC)!" + exit $RC +fi + +echo "Starting a slapd on TCP/IP port $PORT3..." +$SLAPD -f $CONF2 -h $URI3 -d $LVL > $LOG2 2>&1 & +PID=$! +if test $WAIT != 0 ; then + echo PID $PID + read foo +fi +PID2="$PID" +KILLPIDS="$PID" + +for i in 0 1 2 3 4 5; do + $LDAPSEARCH -s base -b "$MONITOR" -H $URI3 \ + '(objectclass=*)' > /dev/null 2>&1 + RC=$? + if test $RC = 0 ; then + break + fi + echo "Waiting $SLEEP1 seconds for slapd to start..." + sleep $SLEEP1 +done +if test $RC != 0 ; then + echo "ldapsearch failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo "Running slapadd to build slapd database..." +. $CONFFILTER $BACKEND < $CONFTWO > $CONF3 +# FIXME: Hack! +echo "TLSCertificateKeyFile $TESTDIR/tls/private/localhost.key" >>$CONF3 +echo "TLSCertificateFile $TESTDIR/tls/certs/localhost.crt" >>$CONF3 +echo 'authz-regexp "email=([^,]*),cn=[^,]*,ou=OpenLDAP,o=OpenLDAP Foundation,st=CA,c=US" ldap:///ou=People,dc=example,dc=com??sub?(mail=$1)' >>$CONF3 +$SLAPADD -f $CONF3 -l $LDIFORDERED +RC=$? +if test $RC != 0 ; then + echo "slapadd failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo "Running slapindex to index slapd database..." +$SLAPINDEX -f $CONF3 +RC=$? +if test $RC != 0 ; then + echo "warning: slapindex failed ($RC)" + echo " assuming no indexing support" +fi + +echo "Starting second slapd on TCP/IP port $PORT4 w/ ldaps..." +$SLAPD -f $CONF3 -h $SURI4 -d $LVL > $LOG3 2>&1 & +PID=$! +if test $WAIT != 0 ; then + echo PID $PID + read foo +fi +PID2="$PID" +KILLPIDS="$KILLPIDS $PID" + +sleep $SLEEP0 + +echo "Testing slapd searching..." +for i in 0 1 2 3 4 5; do + $LDAPSEARCH -o tls-reqcert=never -s base -b "$MONITOR" -H $SURI4 \ + '(objectclass=*)' > /dev/null 2>&1 + RC=$? + if test $RC = 0 ; then + break + fi + echo "Waiting $SLEEP1 seconds for slapd to start..." + sleep $SLEEP1 +done +if test $RC != 0 ; then + echo "ldapsearch failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo "Starting lloadd on TCP/IP port $PORT1 and ldaps $PORT2..." +. $CONFFILTER $BACKEND < $LLOADDTLSCONF > $CONF1.lloadd +if test $AC_lloadd = lloaddyes; then + $LLOADD -f $CONF1.lloadd -h "$URI1 $SURI2" -d $LVL > $LOG1 2>&1 & +else + . $CONFFILTER $BACKEND < $SLAPDLLOADCONF | sed -e "s,listen.*,listen \"$URI1 $SURI2\"," > $CONF1.slapd + $SLAPD -f $CONF1.slapd -h $URI6 -d $LVL > $LOG1 2>&1 & +fi +PID=$! +if test $WAIT != 0 ; then + echo PID $PID + read foo +fi +KILLPIDS="$KILLPIDS $PID" + +echo "Testing slapd searching..." +for i in 0 1 2 3 4 5; do + $LDAPSEARCH -s base -b "$MONITOR" -H $URI1 \ + '(objectclass=*)' > /dev/null 2>&1 + RC=$? + if test $RC = 0 ; then + break + fi + echo "Waiting $SLEEP1 seconds for lloadd to start..." + sleep $SLEEP1 +done + +if test $RC != 0 ; then + echo "ldapsearch failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo -n "Using ldapsearch with startTLS with no server cert validation...." +$LDAPSEARCH -o tls-reqcert=never -ZZ -b "" -s base -H $URIP1 \ + '@extensibleObject' > $SEARCHOUT 2>&1 +RC=$? +if test $RC != 0 ; then + echo "ldapsearch (startTLS) failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +else + echo "success" +fi + +echo -n "Using ldapsearch with startTLS with hard require cert...." +$LDAPSEARCH -o tls-cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -o tls-reqcert=hard -ZZ -b "" -s base -H $URIP1 \ + '@extensibleObject' > $SEARCHOUT 2>&1 +RC=$? +if test $RC != 0 ; then + echo "ldapsearch (startTLS) failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +else + echo "success" +fi + +if test $WITH_TLS_TYPE = openssl ; then + echo -n "Using ldapsearch with startTLS and specific protocol version...." + $LDAPSEARCH -o tls-cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -o tls-reqcert=hard -o tls-protocol-min=3.3 -ZZ -b "" -s base -H $URIP1 \ + '@extensibleObject' > $SEARCHOUT 2>&1 + RC=$? + if test $RC != 0 ; then + echo "ldapsearch (protocol-min) failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC + else + echo "success" + fi +fi + +echo -n "Using ldapsearch on $SURI2 with no server cert validation..." +$LDAPSEARCH -o tls-reqcert=never -b "cn=Subschema" -s base -H $SURIP2 \ + '(&(objectClasses=top)(objectClasses=2.5.6.0))' cn objectClass \ + >> $SEARCHOUT 2>&1 +RC=$? +if test $RC != 0 ; then + echo "ldapsearch (ldaps) failed($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +else + echo "success" +fi + +echo -n "Using ldapsearch on $SURI2 with reqcert HARD and no CA cert. Should fail..." +$LDAPSEARCH -o tls-reqcert=hard -b "cn=Subschema" -s base -H $SURIP2 \ + '(&(objectClasses=top)(objectClasses=2.5.6.0))' cn objectClass \ + >> $SEARCHOUT 2>&1 +RC=$? +if test $RC = 0 ; then + echo "ldapsearch (ldaps) succeeded when it should have failed($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit 1 +else + echo "failed correctly with error code ($RC)" +fi + +echo -n "Using ldapsearch on $SURI2 with CA cert and reqcert HARD..." +$LDAPSEARCH -o tls-cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt \ + -o tls-reqcert=hard -b "cn=Subschema" -s base -H $SURIP2 \ + '(&(objectClasses=top)(objectClasses=2.5.6.0))' cn objectClass \ + >> $SEARCHOUT 2>&1 +RC=$? +if test $RC != 0 ; then + echo "ldapsearch (ldaps) failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +else + echo "success" +fi + +if test $WITH_SASL = no ; then + echo "SASL support not available, skipping client cert authentication" +else + echo -n "Using ldapwhoami with SASL/EXTERNAL...." + $LDAPSASLWHOAMI -o tls-cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -o tls-reqcert=hard \ + -o tls-cert=$TESTDIR/tls/certs/bjensen@mailgw.example.com.crt \ + -o tls-key=$TESTDIR/tls/private/bjensen@mailgw.example.com.key \ + -ZZ -Y EXTERNAL -H $URIP1 \ + > $TESTOUT 2>&1 + RC=$? + if test $RC != 0 ; then + echo "ldapwhoami (startTLS) failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC + else + echo "success" + fi + + echo -n "Validating mapped SASL ID..." + echo 'dn:cn=barbara jensen,ou=information technology division,ou=people,dc=example,dc=com' > $TESTDIR/dn.out + $CMP $TESTDIR/dn.out $TESTOUT > $CMPOUT + + RC=$? + if test $RC != 0 ; then + echo "Comparison failed" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC + else + echo "success" + fi +fi + +test $KILLSERVERS != no && kill -HUP $KILLPIDS + +if test $RC != 0 ; then + echo ">>>>> Test failed" +else + echo ">>>>> Test succeeded" + RC=0 +fi + +test $KILLSERVERS != no && wait + +exit $RC |