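#! /bin/sh
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.

## test005-tls: TLS handling through lloadd.
##
## Topology: lloadd (or slapd with the lload module) listens on $URI1
## (ldap://, StartTLS) and $SURI2 (ldaps://) in front of two slapds, a
## plain one on $URI3 and an ldaps-only one on $SURI4.  The checks cover
## StartTLS and ldaps with and without server certificate validation, a
## minimum protocol version (OpenSSL builds only), the expected failure
## when no trusted CA is configured, and SASL/EXTERNAL client certificate
## authentication together with its authz-regexp identity mapping.
##
## Tool variables ($LDAPSEARCH, $SLAPD, $SLAPADD, ...) are set by
## defines.sh and may hold several words, so they are expanded unquoted on
## purpose.  $KILLPIDS is a space separated PID list and is unquoted for
## the same reason.

echo "running defines.sh"
. "$SRCDIR/scripts/defines.sh"

if test "$WITH_TLS" = no ; then
        echo "TLS support not available, test skipped"
        exit 0
fi

# Stop every server started so far (unless KILLSERVERS=no) and exit with
# status $1.  Only usable once at least one server has been registered.
fail() {
    test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
    exit "$1"
}

# Record the PID of the server that was just started in the background
# and, when WAIT is non-zero, pause so a debugger can be attached to it.
register_server() {
    PID=$!
    if test "$WAIT" != 0 ; then
        echo PID $PID
        read -r foo
    fi
    KILLPIDS="$KILLPIDS $PID"
}

# Poll a base search on $MONITOR at URI $1 until it succeeds or six
# attempts have been made, sleeping $SLEEP1 after each failure.  $2 names
# the daemon in the progress message; any further arguments are passed to
# ldapsearch (used to skip certificate validation when probing the
# ldaps-only listener).  Leaves ldapsearch's last status in RC and
# returns it.
wait_for_server() {
    wfs_uri=$1
    wfs_name=$2
    shift 2
    for i in 0 1 2 3 4 5; do
        $LDAPSEARCH "$@" -s base -b "$MONITOR" -H "$wfs_uri" \
            '(objectclass=*)' > /dev/null 2>&1
        RC=$?
        if test $RC = 0 ; then
            break
        fi
        echo "Waiting $SLEEP1 seconds for $wfs_name to start..."
        sleep $SLEEP1
    done
    return $RC
}

mkdir -p "$TESTDIR" "$DBDIR1" "$DBDIR2"
# The fixture CA, server and client certificates and private keys live
# under $DATADIR/tls; work on a private copy inside the test directory.
cp -r "$DATADIR/tls" "$TESTDIR"

cd "$TESTWD" || exit 1

# Random config-database rootpw: the cleartext stays in $CONFIGPWF for
# the tools, only the hash goes into the configuration.
$SLAPPASSWD -g -n >"$CONFIGPWF"
echo "rootpw $($SLAPPASSWD -T "$CONFIGPWF")" >"$TESTDIR/configpw.conf"

echo "Running slapadd to build slapd database..."
. $CONFFILTER $BACKEND < $TLSSASLCONF > $CONF2
$SLAPADD -f "$CONF2" -l "$LDIFORDERED"
RC=$?
if test $RC != 0 ; then
    echo "slapadd failed ($RC)!"
    # Nothing has been started yet, so there is nothing to kill.
    exit $RC
fi

echo "Starting a slapd on TCP/IP port $PORT3..."
$SLAPD -f "$CONF2" -h "$URI3" -d $LVL > "$LOG2" 2>&1 &
KILLPIDS=""
register_server

wait_for_server "$URI3" slapd
if test $RC != 0 ; then
    echo "ldapsearch failed ($RC)!"
    fail $RC
fi

echo "Running slapadd to build slapd database..."
. $CONFFILTER $BACKEND < $CONFTWO > $CONF3
# FIXME: Hack!  Presumably $CONFTWO carries no TLS or authz settings of
# its own, so the server key pair and the identity mapping needed by the
# SASL/EXTERNAL check are appended here.  The authz-regexp only matches
# client certificates whose subject ends in the fixed fixture-issuer
# suffix and maps the email RDN to the People entry whose mail attribute
# equals it; certificates with any other subject shape are not mapped.
echo "TLSCertificateKeyFile $TESTDIR/tls/private/localhost.key" >>$CONF3
echo "TLSCertificateFile $TESTDIR/tls/certs/localhost.crt" >>$CONF3
echo 'authz-regexp "email=([^,]*),cn=[^,]*,ou=OpenLDAP,o=OpenLDAP Foundation,st=CA,c=US" ldap:///ou=People,dc=example,dc=com??sub?(mail=$1)' >>$CONF3
$SLAPADD -f "$CONF3" -l "$LDIFORDERED"
RC=$?
if test $RC != 0 ; then
    echo "slapadd failed ($RC)!"
    fail $RC
fi

echo "Running slapindex to index slapd database..."
$SLAPINDEX -f "$CONF3"
RC=$?
if test $RC != 0 ; then
    # Indexing is optional for this test; a backend without index
    # support only makes the searches slower.
    echo "warning: slapindex failed ($RC)"
    echo "  assuming no indexing support"
fi

echo "Starting second slapd on TCP/IP port $PORT4 w/ ldaps..."
$SLAPD -f "$CONF3" -h "$SURI4" -d $LVL > "$LOG3" 2>&1 &
register_server

sleep $SLEEP0

echo "Testing slapd searching..."
# Readiness probe only: validation is deliberately off here, the
# certificate checks proper come later.
wait_for_server "$SURI4" slapd -o tls-reqcert=never
if test $RC != 0 ; then
    echo "ldapsearch failed ($RC)!"
    fail $RC
fi

echo "Starting lloadd on TCP/IP port $PORT1 and ldaps $PORT2..."
. $CONFFILTER $BACKEND < $LLOADDTLSCONF > $CONF1.lloadd
if test "$AC_lloadd" = lloaddyes; then
    $LLOADD -f "$CONF1.lloadd" -h "$URI1 $SURI2" -d $LVL > "$LOG1" 2>&1 &
else
    # No standalone lloadd: run the balancer as a slapd module, patching
    # the ldap/ldaps listeners into its config; slapd itself listens on
    # $URI6.
    . $CONFFILTER $BACKEND < $SLAPDLLOADCONF | sed -e "s,listen.*,listen \"$URI1 $SURI2\"," > $CONF1.slapd
    $SLAPD -f "$CONF1.slapd" -h "$URI6" -d $LVL > "$LOG1" 2>&1 &
fi
register_server

echo "Testing slapd searching..."
wait_for_server "$URI1" lloadd
if test $RC != 0 ; then
    echo "ldapsearch failed ($RC)!"
    fail $RC
fi

echo -n "Using ldapsearch with startTLS with no server cert validation...."
$LDAPSEARCH -o tls-reqcert=never -ZZ -b "" -s base -H "$URIP1" \
    '@extensibleObject' > "$SEARCHOUT" 2>&1
RC=$?
if test $RC != 0 ; then
    echo "ldapsearch (startTLS) failed ($RC)!"
    fail $RC
fi
echo "success"

# Trust is pinned to the fixture CA rather than whatever the client's
# default ldap.conf trusts; reqcert=hard makes a missing or unverifiable
# server certificate fatal.
echo -n "Using ldapsearch with startTLS with hard require cert...."
$LDAPSEARCH -o tls-cacert="$TESTDIR/tls/ca/certs/testsuiteCA.crt" -o tls-reqcert=hard -ZZ -b "" -s base -H "$URIP1" \
    '@extensibleObject' > "$SEARCHOUT" 2>&1
RC=$?
if test $RC != 0 ; then
    echo "ldapsearch (startTLS) failed ($RC)!"
    fail $RC
fi
echo "success"

if test "$WITH_TLS_TYPE" = openssl ; then
    # tls-protocol-min uses SSL version numbering: 3.3 is TLS 1.2.
    echo -n "Using ldapsearch with startTLS and specific protocol version...."
    $LDAPSEARCH -o tls-cacert="$TESTDIR/tls/ca/certs/testsuiteCA.crt" -o tls-reqcert=hard -o tls-protocol-min=3.3 -ZZ -b "" -s base -H "$URIP1" \
        '@extensibleObject' > "$SEARCHOUT" 2>&1
    RC=$?
    if test $RC != 0 ; then
        echo "ldapsearch (protocol-min) failed ($RC)!"
        fail $RC
    fi
    echo "success"
fi

echo -n "Using ldapsearch on $SURI2 with no server cert validation..."
$LDAPSEARCH -o tls-reqcert=never -b "cn=Subschema" -s base -H "$SURIP2" \
    '(&(objectClasses=top)(objectClasses=2.5.6.0))' cn objectClass \
    >> "$SEARCHOUT"  2>&1
RC=$?
if test $RC != 0 ; then
    echo "ldapsearch (ldaps) failed($RC)!"
    fail $RC
fi
echo "success"

echo -n "Using ldapsearch on $SURI2 with reqcert HARD and no CA cert.  Should fail..."
$LDAPSEARCH -o tls-reqcert=hard -b "cn=Subschema" -s base -H "$SURIP2" \
    '(&(objectClasses=top)(objectClasses=2.5.6.0))' cn objectClass \
    >> "$SEARCHOUT"  2>&1
RC=$?
if test $RC = 0 ; then
    echo "ldapsearch (ldaps) succeeded when it should have failed($RC)!"
    fail 1
fi
# A non-zero status on its own would also come from a crashed or
# unreachable listener, which would make this negative test pass for the
# wrong reason.  Confirm the listener still answers with validation
# disabled so the failure above is attributable to certificate
# verification.
$LDAPSEARCH -o tls-reqcert=never -b "cn=Subschema" -s base -H "$SURIP2" \
    '(&(objectClasses=top)(objectClasses=2.5.6.0))' cn objectClass \
    > /dev/null 2>&1
if test $? != 0 ; then
    echo "ldaps listener on $SURI2 no longer reachable after expected failure!"
    fail 1
fi
echo "failed correctly with error code ($RC)"

echo -n "Using ldapsearch on $SURI2 with CA cert and reqcert HARD..."
$LDAPSEARCH -o tls-cacert="$TESTDIR/tls/ca/certs/testsuiteCA.crt" \
    -o tls-reqcert=hard -b "cn=Subschema" -s base -H "$SURIP2" \
    '(&(objectClasses=top)(objectClasses=2.5.6.0))' cn objectClass \
    >> "$SEARCHOUT"  2>&1
RC=$?
if test $RC != 0 ; then
    echo "ldapsearch (ldaps) failed ($RC)!"
    fail $RC
fi
echo "success"

if test "$WITH_SASL" = no ; then
    echo "SASL support not available, skipping client cert authentication"
else
    # StartTLS through lloadd presenting the bjensen client certificate;
    # with SASL/EXTERNAL the authenticated identity comes from that
    # certificate, and the mapping to a directory entry is expected from
    # the authz-regexp appended to $CONF3 above (assuming lloadd routes
    # the operation to that backend).
    echo -n "Using ldapwhoami with SASL/EXTERNAL...."
    $LDAPSASLWHOAMI -o tls-cacert="$TESTDIR/tls/ca/certs/testsuiteCA.crt" -o tls-reqcert=hard \
        -o tls-cert="$TESTDIR/tls/certs/bjensen@mailgw.example.com.crt" \
        -o tls-key="$TESTDIR/tls/private/bjensen@mailgw.example.com.key" \
        -ZZ -Y EXTERNAL -H "$URIP1" \
        > "$TESTOUT" 2>&1
    RC=$?
    if test $RC != 0 ; then
        echo "ldapwhoami (startTLS) failed ($RC)!"
        fail $RC
    fi
    echo "success"

    # The whoami result must be exactly the mapped entry DN; anything
    # else (the raw certificate DN, an anonymous result) is a failure of
    # the identity mapping.
    echo -n "Validating mapped SASL ID..."
    echo 'dn:cn=barbara jensen,ou=information technology division,ou=people,dc=example,dc=com' > "$TESTDIR/dn.out"
    $CMP "$TESTDIR/dn.out" "$TESTOUT" > "$CMPOUT"

    RC=$?
    if test $RC != 0 ; then
        echo "Comparison failed"
        fail $RC
    fi
    echo "success"
fi

test "$KILLSERVERS" != no && kill -HUP $KILLPIDS

# RC holds the status of the last check that ran.
if test $RC != 0 ; then
    echo ">>>>> Test failed"
else
    echo ">>>>> Test succeeded"
    RC=0
fi

test "$KILLSERVERS" != no && wait

exit $RC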