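#! /bin/sh
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.

# Regression test for ITS#8427, part 2.
#
# Starts a TLS-enabled slapd (the "backend") and a second slapd that
# forwards to it through back-ldap (the "proxy"), then checks WhoAmI and
# search through the proxy for each way the proxy can reach the backend:
# plain ldap://, ldaps://, and LDAP+StartTLS.  Midway through, the
# backend's ACLs are tightened so that a bind against userPassword is only
# granted on a connection with ssf >= 2; from then on a user bind relayed
# over an unprotected hop must fail, while one relayed over TLS must work.
#
# Environment: every $UPPER_CASE variable used below is supplied by
# $SRCDIR/scripts/defines.sh (tool commands, URIs, file names, $KILLSERVERS,
# $WAIT, ...).  Tool variables such as $SLAPD or $LDAPSEARCH may carry
# extra arguments and are therefore deliberately left unquoted.
# Exit status: 0 on success or when a prerequisite is missing (test
# skipped); otherwise the status of the step that failed.

echo "running defines.sh"
. $SRCDIR/scripts/defines.sh

#######################################
# Stop every slapd this test started, unless the harness asked to keep them.
# Globals:   KILLSERVERS (read), KILLPIDS (read)
# Returns:   status of kill, or 1 when servers are kept
#######################################
stop_servers() {
    # KILLPIDS is a space-separated pid list and must stay unquoted.
    # shellcheck disable=SC2086
    test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
}

#######################################
# Report a failed step, stop the servers and leave with the given status.
# Arguments: $1 - message printed to stdout
#            $2 - exit status
#######################################
fail() {
    echo "$1"
    stop_servers
    exit "$2"
}

#######################################
# Poll a freshly started slapd until a base search on $MONITOR succeeds,
# retrying up to six times with 5-second pauses in between.
# Globals:   LDAPSEARCH, MONITOR (read); RC (written)
# Arguments: $1 - URI of the slapd to probe
# Returns:   0 once the search succeeds, else the last ldapsearch status
#######################################
wait_for_slapd() {
    for i in 0 1 2 3 4 5; do
        $LDAPSEARCH -s base -b "$MONITOR" -H "$1" \
            'objectclass=*' > /dev/null 2>&1
        RC=$?
        if test $RC = 0 ; then
            break
        fi
        echo "Waiting 5 seconds for slapd to start..."
        sleep 5
    done
    return $RC
}

# Prerequisite checks.  The variables are quoted so that an unset one
# yields a clean "skipped" instead of a syntax error from "test = no".
if test "$WITH_TLS" = no ; then
    echo "TLS support not available, test skipped"
    exit 0
fi

if test "$BACKLDAP" = "ldapno" ; then
    echo "LDAP backend not available, test skipped"
    exit 0
fi

# back-ldap is the proxy here, so it cannot also serve as the backend.
if test "$BACKEND" = "ldap"; then
    echo "LDAP backend not valid, test skipped"
    exit 0
fi

mkdir -p "$TESTDIR" "$DBDIR1"
# Test CA and server certificates are shipped under $DATADIR/tls.
cp -r "$DATADIR/tls" "$TESTDIR"

# Random cn=config password: the clear text stays in $CONFIGPWF for the
# tools' -y option, the hash goes into configpw.conf for both servers.
$SLAPPASSWD -g -n > "$CONFIGPWF"
echo "rootpw $($SLAPPASSWD -T "$CONFIGPWF")" > "$TESTDIR/configpw.conf"

ITS=8427
ITSDIR=$DATADIR/regressions/its$ITS

echo "Running slapadd to build slapd database..."
. $CONFFILTER $BACKEND < "$TLSCONF" > "$CONF1"
$SLAPADD -f "$CONF1" -l "$LDIFORDERED"
RC=$?
if test $RC != 0 ; then
    echo "slapadd failed ($RC)!"
    exit $RC
fi

# Give the backend a cn=config database so the ACL change further down
# can be applied at runtime with ldapmodify.
echo "database config" >> "$CONF1"
echo "include $TESTDIR/configpw.conf" >> "$CONF1"

echo "Starting slapd listening on $URIP1 and $SURIP2..."
$SLAPD -f "$CONF1" -h "$URIP1 $SURIP2" -d "$LVL" > "$LOG1" 2>&1 &
SERVERPID=$!
if test "$WAIT" != 0 ; then
    echo SERVERPID $SERVERPID
    read -r foo
fi
KILLPIDS="$SERVERPID"

sleep 1

echo "Using ldapsearch to check that slapd is running..."
wait_for_slapd "$URI1"
RC=$?
if test $RC != 0 ; then
    fail "ldapsearch failed ($RC)!" $RC
fi

echo "Starting proxy slapd on TCP/IP port $PORT3..."
# $CONF2 is (re)created by the ">" on the next line, so anything appended
# to it beforehand would be lost.  The proxy's cn=config database, which
# the ldapmodify calls against $URI3 below depend on, therefore has to be
# provided by $ITSDIR/slapd.conf itself.
. $CONFFILTER $BACKEND < "$ITSDIR/slapd.conf" > "$CONF2"
$SLAPD -f "$CONF2" -h "$URI3" -d "$LVL" > "$LOG2" 2>&1 &
PROXYPID=$!
if test "$WAIT" != 0 ; then
    echo PROXYPID $PROXYPID
    read -r foo
fi
KILLPIDS="$KILLPIDS $PROXYPID"

sleep 1

echo "Using ldapsearch to check that proxy slapd is running..."
wait_for_slapd "$URI3"
RC=$?
if test $RC != 0 ; then
    fail "ldapsearch failed ($RC)!" $RC
fi

echo "Configuring proxy..."
# Proxy setup #1: plain ldap:// to the backend, no olcDbIDAssertBind, so
# client credentials are relayed as they are.
$LDAPMODIFY -D cn=config -H "$URI3" -y "$CONFIGPWF" \
    > "$TESTOUT" 2>&1 <<EOF
dn: olcDatabase={2}ldap,cn=config
changetype: add
objectClass: olcLDAPConfig
olcDbUri: $URI1
olcSuffix: $BASEDN
olcRootDN: $MANAGERDN
olcRootPW: $PASSWD
EOF
RC=$?
if test $RC != 0 ; then
    fail "modification failed ($RC)" $RC
fi

echo "Privileged WhoAmI (proxy uses plain ldap://)..."
$LDAPWHOAMI -H "$URI3" -D "$MANAGERDN" -w "$PASSWD"
RC=$?
if test $RC != 0 ; then
    fail "ldapwhoami failed ($RC)!" $RC
fi

echo "WhoAmI (proxy uses plain ldap://)..."
$LDAPWHOAMI -H "$URI3" -D "$BABSDN" -w bjensen
RC=$?
if test $RC != 0 ; then
    fail "ldapwhoami failed ($RC)!" $RC
fi

echo "Searching (proxy uses plain ldap://)..."
echo "# Searching (proxy uses plain ldap://)..." > "$SEARCHOUT"
$LDAPSEARCH -b "$BASEDN" -H "$URI3" \
    -D "$BABSDN" -w bjensen \
    '(objectClass=*)' >> "$SEARCHOUT" 2>&1
RC=$?
if test $RC != 0 ; then
    fail "ldapsearch failed ($RC)!" $RC
fi

echo "Filtering ldapsearch results..."
$LDIFFILTER < "$SEARCHOUT" > "$SEARCHFLT"
echo "Filtering original ldif used to create database..."
$LDIFFILTER < "$LDIFORDERED" > "$LDIFFLT"
# Pad the reference LDIF so it lines up with the search output for $CMP;
# the same $LDIFFLT is reused by the two later comparisons.
echo "" >> "$LDIFFLT"
echo "Comparing filter output..."
if ! $CMP "$SEARCHFLT" "$LDIFFLT" > "$CMPOUT" ; then
    fail "Comparison failed" 1
fi

echo "Reconfiguring database to only allow TLS binds..."
# ssf=2 grants the auth bind against userPassword only on a connection
# with a security strength factor of at least 2, i.e. a protected one.
# After this, a user bind the proxy relays over plain ldap:// must be
# rejected by the backend.
$LDAPMODIFY -D cn=config -H "$URI1" -y "$CONFIGPWF" \
    > "$TESTOUT" 2>&1 <<EOF
dn: olcDatabase={1}$BACKEND,cn=config
changetype: modify
add: olcAccess
olcAccess: to attrs=userPassword by anonymous ssf=2 auth by users read
olcAccess: to * by users read
EOF
RC=$?
if test $RC != 0 ; then
    fail "modification failed ($RC)" $RC
fi

echo "Re-configuring proxy to use ldaps:// on privileged connections only..."
# Proxy setup #2: ldaps:// to the backend; only the identity-assertion
# (privileged) bind is given a tls_cacert.
$LDAPMODIFY -D cn=config -H "$URI3" -y "$CONFIGPWF" \
    > "$TESTOUT" 2>&1 <<EOF
dn: olcDatabase={2}ldap,cn=config
changetype: delete

dn: olcDatabase={2}ldap,cn=config
changetype: add
objectClass: olcLDAPConfig
olcDbUri: $SURIP2
olcSuffix: $BASEDN
olcRootDN: $MANAGERDN
olcRootPW: $PASSWD
olcDbIDAssertBind: bindmethod=simple binddn="$MANAGERDN" credentials="$PASSWD" tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt
EOF
RC=$?
if test $RC != 0 ; then
    fail "modification failed ($RC)" $RC
fi

echo "Privileged WhoAmI (proxy uses ldaps://)..."
$LDAPWHOAMI -H "$URI3" -D "$MANAGERDN" -w "$PASSWD"
RC=$?
if test $RC != 0 ; then
    fail "ldapwhoami failed ($RC)!" $RC
fi

echo "WhoAmI (proxy uses ldaps://), which should fail..."
$LDAPWHOAMI -H "$URI3" -D "$BABSDN" -w bjensen
RC=$?
case $RC in
52) # unavailable: presumably the user's own ldaps:// hop, which has no
    # tls_cacert configured, cannot be established -- see the FIXME below
    ;;
0)
    fail "ldapwhoami should have failed ($RC)!" 1
    ;;
*)
    fail "ldapwhoami failed ($RC)!" $RC
    ;;
esac

# FIXME: just adding olcDbStartTLS to the DB doesn't have an effect, why?
echo "Re-configuring proxy to use ldaps:// everywhere..."
$LDAPMODIFY -D cn=config -H "$URI3" -y "$CONFIGPWF" \
    > "$TESTOUT" 2>&1 <<EOF
dn: olcDatabase={2}ldap,cn=config
changetype: modify
add: olcDbStartTLS
olcDbStartTLS: ldaps tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt
EOF
RC=$?
if test $RC != 0 ; then
    fail "modification failed ($RC)" $RC
fi

echo "WhoAmI again (proxy uses ldaps://)..."
$LDAPWHOAMI -H "$URI3" -D "$BABSDN" -w bjensen
RC=$?
if test $RC != 0 ; then
    fail "ldapwhoami failed ($RC)!" $RC
fi

echo "Searching (proxy uses ldaps://)..."
echo "# Searching (proxy uses ldaps://)..." > "$SEARCHOUT"
$LDAPSEARCH -b "$BASEDN" -H "$URI3" \
    -D "$BABSDN" -w bjensen \
    '(objectClass=*)' >> "$SEARCHOUT" 2>&1
RC=$?
if test $RC != 0 ; then
    fail "ldapsearch failed ($RC)!" $RC
fi

echo "Filtering ldapsearch results..."
$LDIFFILTER < "$SEARCHOUT" > "$SEARCHFLT"
echo "Comparing filter output..."
if ! $CMP "$SEARCHFLT" "$LDIFFLT" > "$CMPOUT" ; then
    fail "Comparison failed" 1
fi

echo "Re-configuring proxy to use LDAP+StartTLS correctly on privileged connections..."
# Proxy setup #3: plain ldap:// URI to the backend; again only the
# privileged connection carries a tls_cacert, user binds are relayed
# unprotected until olcDbStartTLS is added below.
$LDAPMODIFY -D cn=config -H "$URI3" -y "$CONFIGPWF" \
    > "$TESTOUT" 2>&1 <<EOF
dn: olcDatabase={2}ldap,cn=config
changetype: delete

dn: olcDatabase={2}ldap,cn=config
changetype: add
objectClass: olcLDAPConfig
olcDbUri: $URIP1
olcSuffix: $BASEDN
olcRootDN: $MANAGERDN
olcRootPW: $PASSWD
olcDbIDAssertBind: bindmethod=none tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt
EOF
RC=$?
if test $RC != 0 ; then
    fail "modification failed ($RC)" $RC
fi

echo "Privileged WhoAmI (proxy requests StartTLS)..."
$LDAPWHOAMI -H "$URI3" -D "$MANAGERDN" -w "$PASSWD"
RC=$?
if test $RC != 0 ; then
    fail "ldapwhoami failed ($RC)!" $RC
fi

echo "WhoAmI (proxy requests StartTLS), which should fail..."
$LDAPWHOAMI -H "$URI3" -D "$BABSDN" -w bjensen
RC=$?
case $RC in
49|52) # invalidCredentials / unavailable:
       # ACL forbids plaintext binds against userPassword
    ;;
0)
    fail "ldapwhoami should have failed ($RC)!" 1
    ;;
*)
    fail "ldapwhoami failed ($RC)!" $RC
    ;;
esac

# FIXME: just adding olcDbStartTLS to the DB doesn't have an effect, why?
# (Message corrected: this step enables StartTLS, not ldaps://.)
echo "Re-configuring proxy to use LDAP+StartTLS everywhere..."
$LDAPMODIFY -D cn=config -H "$URI3" -y "$CONFIGPWF" \
    > "$TESTOUT" 2>&1 <<EOF
dn: olcDatabase={2}ldap,cn=config
changetype: modify
add: olcDbStartTLS
olcDbStartTLS: start tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt
EOF
RC=$?
if test $RC != 0 ; then
    fail "modification failed ($RC)" $RC
fi

echo "WhoAmI (proxy requests StartTLS)..."
$LDAPWHOAMI -H "$URI3" -D "$BABSDN" -w bjensen
RC=$?
if test $RC != 0 ; then
    fail "ldapwhoami failed ($RC)!" $RC
fi

echo "Searching (proxy requests StartTLS)..."
echo "# Searching (proxy requests StartTLS)..." > "$SEARCHOUT"
$LDAPSEARCH -b "$BASEDN" -H "$URI3" \
    -D "$BABSDN" -w bjensen \
    '(objectClass=*)' >> "$SEARCHOUT" 2>&1
RC=$?
if test $RC != 0 ; then
    fail "ldapsearch failed ($RC)!" $RC
fi

echo "Filtering ldapsearch results..."
$LDIFFILTER < "$SEARCHOUT" > "$SEARCHFLT"
echo "Comparing filter output..."
if ! $CMP "$SEARCHFLT" "$LDIFFLT" > "$CMPOUT" ; then
    fail "Comparison failed" 1
fi

stop_servers

echo ">>>>> Test succeeded"

test "$KILLSERVERS" != no && wait

exit 0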
396