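#! /bin/sh
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.

# test022-ppolicy: exercises the ppolicy overlay against a single slapd
# (lockout, expiration and grace logins, history, forced reset, quality
# checks, state forwarding through a chained consumer, and the obsolete
# Netscape controls).  Tool paths, ports, file names and the manager
# credential ($MANAGERDN/$PASSWD) all come from defines.sh.

echo "running defines.sh"
. $SRCDIR/scripts/defines.sh

# The overlay may be compiled out; defines.sh reports that as "ppolicyno".
# Quoted so an unset or empty $PPOLICY is a plain mismatch rather than a
# test(1) syntax error.
if test "$PPOLICY" = ppolicyno; then
	echo "Password policy overlay not available, test skipped"
	exit 0
fi

mkdir -p $TESTDIR $DBDIR1

# cn=config rootpw: a fresh random secret is generated for this run and
# kept in $CONFIGPWF, which the tools read with -y instead of taking the
# value on the command line; only its hash goes into the config snippet.
$SLAPPASSWD -g -n >$CONFIGPWF
echo "rootpw `$SLAPPASSWD -T $CONFIGPWF`" >$TESTDIR/configpw.conf

echo "Starting slapd on TCP/IP port $PORT1..."
. $CONFFILTER $BACKEND < $PPOLICYCONF > $CONF1
$SLAPD -f $CONF1 -h $URI1 -d $LVL > $LOG1 2>&1 &
PID=$!
# With WAIT set, pause here so a debugger can be attached to the server.
if test "$WAIT" != 0 ; then
    echo PID $PID
    read foo
fi
KILLPIDS="$PID"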
382de962bdSlukem
# Test principals, expected to exist once $LDIFPPOLICY has been loaded.
# $USER/$PASS is the ordinary account the policy is exercised against;
# $PWADMIN/$ADMINPASSWD is the account used for the administrative reset
# in the forced-reset test.  $PASS is updated whenever the test changes
# the user's password.
USER='uid=nd, ou=People, dc=example, dc=com'
PASS='testpassword'
PWADMIN='uid=ndadmin, ou=People, dc=example, dc=com'
ADMINPASSWD='testpw'
432de962bdSlukem
sleep 1

# Poll the monitor entry until slapd answers: up to six attempts, five
# seconds apart, then give up and tear the server down.
echo "Using ldapsearch to check that slapd is running..."
attempts=6
while test $attempts -gt 0 ; do
	$LDAPSEARCH -s base -b "$MONITOR" -H $URI1 \
		'objectclass=*' > /dev/null 2>&1
	RC=$?
	test $RC = 0 && break
	echo "Waiting 5 seconds for slapd to start..."
	sleep 5
	attempts=`expr $attempts - 1`
done
if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi
622de962bdSlukem
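# Truncate the log for this run.  (Previously the literal text
# "/dev/null" was echoed into it, which only ever meant "empty the file".)
: > $TESTOUT

# The overlay refuses to be instantiated twice on the same database, so
# adding a second ppolicy instance over cn=config must be rejected.
echo "Testing redundant ppolicy instance..."
$LDAPADD -D cn=config -H $URI1 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
dn: olcOverlay=ppolicy,olcDatabase={1}$BACKEND,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=duplicate policy,ou=policies,dc=example,dc=com
EOF
RC=$?
if test $RC = 0 ; then
	echo "ldapadd should have failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi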
79*e670fd5cSchristos
# Load the policies and test accounts as the rootdn.  The critical
# "!relax" (Relax Rules) control is requested, presumably so the LDIF may
# seed pwd* operational attributes the overlay would otherwise own.
echo "Using ldapadd to populate the database..."
$LDAPADD -D "$MANAGERDN" -H $URI1 -w $PASSWD -e '!relax' \
	< $LDIFPPOLICY >> $TESTOUT 2>&1
RC=$?
case $RC in
0) ;;
*)
	echo "ldapadd failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
	;;
esac
892de962bdSlukem
echo "Testing account lockout..."
# Three bad binds, spaced out (presumably so each failure gets a distinct
# pwdFailureTime), then one more bad bind and one bind with the correct
# password, both requesting the ppolicy control: both must come back as
# "Account locked".
: >$SEARCHOUT
for attempt in 1 2 3; do
	$LDAPSEARCH -H $URI1 -D "$USER" -w wrongpw >>$SEARCHOUT 2>&1
	sleep 2
done
$LDAPSEARCH -e ppolicy -H $URI1 -D "$USER" -w wrongpw >> $SEARCHOUT 2>&1
$LDAPSEARCH -e ppolicy -H $URI1 -D "$USER" -w $PASS >> $SEARCHOUT 2>&1
# $COUNT stays unquoted below: wc(1) may pad its output with blanks.
COUNT=`grep "Account locked" $SEARCHOUT | wc -l`
if test $COUNT != 2 ; then
	echo "Account lockout test failed"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi
1052de962bdSlukem
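# Ask the server how long the lock lasts: the Account Usability control
# (-E accountUsability) reports "seconds_before_unlock=N" for a locked
# account.  "\d" is not a POSIX BRE atom and sed implementations disagree
# on what it means, so use [0-9]* and discard whatever follows the digits.
DELAY=`$LDAPSEARCH -D "$MANAGERDN" -H $URI1 -w $PASSWD \
    -b "$USER" -E accountUsability 1.1 | sed -n -e 's/.*seconds_before_unlock=\([0-9]*\).*/\1/p'`
# Fail here rather than let an empty $DELAY turn into a bare "sleep".
if test -z "$DELAY" ; then
	echo "Could not read seconds_before_unlock from accountUsability!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi

echo "Waiting $DELAY seconds for lockout to reset..."
sleep $DELAY
sleep 1

# Once the lock has expired the correct password must work again.
$LDAPSEARCH -e ppolicy -H $URI1 -D "$USER" -w $PASS \
	-b "$BASEDN" -s base >> $SEARCHOUT 2>&1
RC=$?
if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi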
1212de962bdSlukem
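# Seconds until the current password expires, from the same control
# ("expire=N").  Portable digit class instead of the non-POSIX "\d".
DELAY=`$LDAPSEARCH -D "$MANAGERDN" -H $URI1 -w $PASSWD \
    -b "$USER" -E accountUsability 1.1 | sed -n -e 's/.*expire=\([0-9]*\).*/\1/p'`
if test -z "$DELAY" ; then
	echo "Could not read expire from accountUsability!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi

echo "Testing password expiration"
echo "Waiting $DELAY seconds for password to expire..."
sleep $DELAY
sleep 1

# After expiry the policy allows a limited number of grace binds: three
# "grace logins" warnings are expected and the fourth bind must fail.
$LDAPSEARCH -e ppolicy -H $URI1 -D "$USER" -w $PASS \
	-b "$BASEDN" -s base > $SEARCHOUT 2>&1
sleep 2
$LDAPSEARCH -e ppolicy -H $URI1 -D "$USER" -w $PASS \
	-b "$BASEDN" -s base >> $SEARCHOUT 2>&1
sleep 2
$LDAPSEARCH -e ppolicy -H $URI1 -D "$USER" -w $PASS \
	-b "$BASEDN" -s base >> $SEARCHOUT 2>&1
sleep 2
$LDAPSEARCH -e ppolicy -H $URI1 -D "$USER" -w $PASS \
	-b "$BASEDN" -s base >> $SEARCHOUT 2>&1
RC=$?
if test $RC = 0 ; then
	echo "Password expiration failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi

# $COUNT stays unquoted: wc(1) may pad its output with blanks.
COUNT=`grep "grace logins" $SEARCHOUT | wc -l`
if test $COUNT != 3 ; then
	echo "Password expiration test failed"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi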
1542de962bdSlukem
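# Administrative reset by the rootdn so the user can bind normally again
# for the history test.  The manager credential comes from defines.sh
# ($PASSWD, as everywhere else in this script) instead of a literal copy.
echo "Resetting password to clear expired status"
$LDAPPASSWD -H $URI1 \
	-w $PASSWD -s $PASS \
	-D "$MANAGERDN" "$USER" >> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
	echo "ldappasswd failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi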
1652de962bdSlukem
echo "Filling password history..."
# Rotate the password six times in one session bound as the user (the
# bind uses $PASS, the value in force before the first change).  Each
# step deletes the current value and replaces it with the next one, so
# the earlier values accumulate in the history and a later reuse can be
# refused.  The LDIF is generated instead of being spelled out six times;
# the generator runs in a subshell so "prev"/"n" do not leak.
{
	prev=$PASS
	for n in 1 2 3 4 5 6; do
		printf 'dn: %s\nchangetype: modify\ndelete: userpassword\nuserpassword: %s\n-\nreplace: userpassword\nuserpassword: %s\n\n' \
			"$USER" "$prev" "20urgle12-$n"
		prev=20urgle12-$n
	done
} | $LDAPMODIFY -v -D "$USER" -H $URI1 -w $PASS >> $TESTOUT 2>&1
# Status of the last pipeline stage, i.e. ldapmodify.
RC=$?
if test $RC != 0 ; then
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi
echo "Testing password history..."
# Going back to one of the earlier values must now be refused by the
# history check, so a zero exit status is the failure case here.
$LDAPMODIFY -v -D "$USER" -H $URI1 -w 20urgle12-6 << EOMODS >> $TESTOUT 2>&1
dn: $USER
changetype: modify
delete: userPassword
userPassword: 20urgle12-6
-
replace: userPassword
userPassword: 20urgle12-2

EOMODS
RC=$?
case $RC in
0)
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
	;;
esac
2422de962bdSlukem
echo "Testing failed logins when password/policy missing..."

# Neither bind may succeed, and neither may leave a pwdFailureTime behind.
# Judging by the passwords used, "uid=test" has no policy applied and the
# suffix entry has no userPassword at all.
$LDAPSEARCH -e ppolicy -H $URI1 \
	-D "uid=test, ou=People,$BASEDN" -w hasnopolicy \
	-b "$BASEDN" -s base > $SEARCHOUT 2>&1
RC=$?
case $RC in
0)
	echo "Password accepted ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
	;;
esac

$LDAPSEARCH -e ppolicy -H $URI1 -D "$BASEDN" -w hasnopw \
	-b "$BASEDN" -s base > $SEARCHOUT 2>&1
RC=$?
case $RC in
0)
	echo "Password accepted ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
	;;
esac

# Dump the whole suffix with operational attributes (\* \+) and make sure
# no failure was recorded on any entry.
$LDAPSEARCH -H $URI1 -D "$MANAGERDN" -w $PASSWD -b "$BASEDN" \* \+ > $SEARCHOUT 2>&1
COUNT=`grep -c "pwdFailureTime" $SEARCHOUT`
if test $COUNT != 0 ; then
	echo "Failed login stored on an account without policy and or password"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi
271*e670fd5cSchristos
echo "Testing forced reset..."

# A password set by someone other than the account owner (here the
# dedicated password admin) is expected to flag the entry with pwdReset.
$LDAPMODIFY -v -D "$PWADMIN" -H $URI1 -w $ADMINPASSWD << EOMODS >> $TESTOUT 2>&1
dn: $USER
changetype: modify
replace: userPassword
userPassword: $PASS

EOMODS
RC=$?
case $RC in
0) ;;
*)
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
	;;
esac

# The user can still bind, but with pwdReset set the search itself must
# be refused and the response must say why.
$LDAPSEARCH -e ppolicy -H $URI1 -D "$USER" -w $PASS \
	-b "$BASEDN" -s base > $SEARCHOUT 2>&1
RC=$?
case $RC in
0)
	echo "Forced reset failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
	;;
esac

COUNT=`grep -c "Operations are restricted" $SEARCHOUT`
if test $COUNT != 1 ; then
	echo "Forced reset test failed"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi
3042de962bdSlukem
echo "Clearing forced reset..."

# Lift the restriction as the rootdn by deleting pwdReset; afterwards
# the user's search must go through again.
$LDAPMODIFY -v -D "$MANAGERDN" -H $URI1 -w $PASSWD << EOMODS >> $TESTOUT 2>&1
dn: $USER
changetype: modify
delete: pwdReset

EOMODS
RC=$?
case $RC in
0) ;;
*)
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
	;;
esac

$LDAPSEARCH -e ppolicy -H $URI1 -D "$USER" -w $PASS \
	-b "$BASEDN" -s base > $SEARCHOUT 2>&1
RC=$?
case $RC in
0) ;;
*)
	echo "Clearing forced reset failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
	;;
esac
3292de962bdSlukem
echo "Testing Safe modify..."

# Safe modify: a change that does not present the current password
# (no -a) must be refused even though the bind itself succeeded ...
$LDAPPASSWD -H $URI1 \
	-w $PASS -s failexpect \
	-D "$USER" >> $TESTOUT 2>&1
RC=$?
case $RC in
0)
	echo "Safe modify test 1 failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
	;;
esac

sleep 2

# ... while the same change with the old password supplied via -a must
# succeed.  $PASS tracks the account's password from here on.
OLDPASS=$PASS
PASS=successexpect

$LDAPPASSWD -H $URI1 \
	-w $OLDPASS -s $PASS -a $OLDPASS \
	-D "$USER" >> $TESTOUT 2>&1
RC=$?
case $RC in
0) ;;
*)
	echo "Safe modify test 2 failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
	;;
esac
3562de962bdSlukem
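echo "Testing length requirement..."
# Lower bound: the change must fail, the generic quality error must be
# reported, and the ppolicy response control must carry the specific
# reason.
# check control in response (ITS#5711)
$LDAPPASSWD -H $URI1 \
	-w $PASS -a $PASS -s 2shr \
	-D "$USER" -e ppolicy > ${TESTOUT}.2 2>&1
RC=$?
cat ${TESTOUT}.2 >> $TESTOUT
if test $RC = 0 ; then
	echo "Length requirement test failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi
# $COUNT stays unquoted: wc(1) may pad its output with blanks.
COUNT=`grep "Password fails quality" ${TESTOUT}.2 | wc -l`
if test $COUNT != 1 ; then
	echo "Length requirement test failed"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi
COUNT=`grep "Password is too short for policy" ${TESTOUT}.2 | wc -l`
if test $COUNT != 1 ; then
	echo "Control not returned in response"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi

# Upper bound: the change must be refused, not merely annotated.  Only
# the control text used to be checked here, so a server that returned
# the control but still accepted the password would have passed (and
# would have silently changed the password the rest of the script relies
# on via $PASS).
$LDAPPASSWD -H $URI1 \
	-w $PASS -a $PASS -s passwordthatistoolong \
	-D "$USER" -e ppolicy > ${TESTOUT}.2 2>&1
RC=$?
cat ${TESTOUT}.2 >> $TESTOUT
if test $RC = 0 ; then
	echo "Maximum length requirement test failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi
COUNT=`grep "Password is too long for policy" ${TESTOUT}.2 | wc -l`
if test $COUNT != 1 ; then
	echo "Control not returned in response"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi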
393*e670fd5cSchristos
echo "Testing hashed length requirement..."

# A pre-hashed value cannot be length-checked; the server is expected to
# reject it with the same quality error as a too-short cleartext value.
$LDAPMODIFY -H $URI1 -D "$USER" -w $PASS << EOMODS > ${TESTOUT}.2 2>&1
dn: $USER
changetype: modify
delete: userPassword
userPassword: $PASS
-
add: userPassword
userPassword: {MD5}xxxxxx

EOMODS
RC=$?
cat ${TESTOUT}.2 >> $TESTOUT
case $RC in
0)
	echo "Hashed length requirement test failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
	;;
esac
COUNT=`grep -c "Password fails quality" ${TESTOUT}.2`
if test $COUNT != 1 ; then
	echo "Hashed length requirement test failed"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi
4202de962bdSlukem
echo "Testing multiple password add/modify checks..."

# An entry may carry only one userPassword value.  Supplying two in an
# add, a modify/add or a modify/replace must all be rejected, even for
# the rootdn.
$LDAPMODIFY -H $URI1 -D "$MANAGERDN" -w $PASSWD << EOMODS >> $TESTOUT 2>&1
dn: cn=Add Should Fail, ou=People, dc=example, dc=com
changetype: add
objectClass: inetOrgPerson
cn: Add Should Fail
sn: Fail
userPassword: firstpw
userPassword: secondpw
EOMODS
RC=$?
case $RC in
0)
	echo "Multiple password add test failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
	;;
esac

# The two modify variants differ only in the operation keyword.
for op in add replace; do
	$LDAPMODIFY -H $URI1 -D "$MANAGERDN" -w $PASSWD << EOMODS >> $TESTOUT 2>&1
dn: $USER
changetype: modify
$op: userPassword
userPassword: firstpw
userPassword: secondpw
EOMODS
	RC=$?
	case $RC in
	0)
		echo "Multiple password modify $op test failed ($RC)!"
		test $KILLSERVERS != no && kill -HUP $KILLPIDS
		exit 1
		;;
	esac
done
4692de962bdSlukem
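echo "Testing idle password expiration"
# Swap the policy's absolute age limit (pwdMaxAge) for an idle limit
# (pwdMaxIdle, 15 seconds) for the duration of this check.
echo "Reconfiguring policy to replace expiration with idle expiration..."
$LDAPMODIFY -v -D "$MANAGERDN" -H $URI1 -w $PASSWD >> \
	$TESTOUT 2>&1 << EOMODS
dn: cn=Standard Policy, ou=Policies, dc=example, dc=com
changetype: modify
delete: pwdMaxAge
-
add: pwdMaxIdle
pwdMaxIdle: 15

EOMODS
RC=$?
if test $RC != 0 ; then
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

# One successful bind as the user first; its result is deliberately not
# checked (presumably it only serves to give the idle clock a fresh
# starting point before the expiry time is read back).
$LDAPSEARCH -e ppolicy -H $URI1 -D "$USER" -w $PASS \
	-b "$BASEDN" -s base > $SEARCHOUT 2>&1

# Seconds until the password expires ("expire=N" from the Account
# Usability control); portable [0-9]* instead of the non-POSIX "\d".
DELAY=`$LDAPSEARCH -D "$MANAGERDN" -H $URI1 -w $PASSWD \
    -b "$USER" -E accountUsability 1.1 | sed -n -e 's/.*expire=\([0-9]*\).*/\1/p'`
if test -z "$DELAY" ; then
	echo "Could not read expire from accountUsability!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi

echo "Waiting $DELAY seconds for password to expire..."
sleep $DELAY
sleep 1

# ldapsearch exits with the LDAP result code; 49 is invalidCredentials,
# which is what an idle-expired password must produce.
$LDAPSEARCH -e ppolicy -H $URI1 -D "$USER" -w $PASS \
	-b "$BASEDN" -s base >> $SEARCHOUT 2>&1
RC=$?
if test $RC != 49 ; then
	echo "Password idle expiration failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi

# Put the policy back the way the later tests expect it (30-second
# pwdMaxAge, no idle limit).
echo "Reverting policy changes..."
$LDAPMODIFY -v -D "$MANAGERDN" -H $URI1 -w $PASSWD >> \
	$TESTOUT 2>&1 << EOMODS
dn: cn=Standard Policy, ou=Policies, dc=example, dc=com
changetype: modify
delete: pwdMaxIdle
-
add: pwdMaxAge
pwdMaxAge: 30

EOMODS
RC=$?
if test $RC != 0 ; then
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi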
525*e670fd5cSchristos
# Policy state forwarding: a second slapd is started as a syncrepl
# consumer of the first, with the ppolicy overlay configured to forward
# its state updates (pwdFailureTime etc.) to the provider through the
# chain overlay instead of writing them locally.  Needs both back-ldap
# (for chaining) and syncprov to be available.
if test "$BACKLDAP" != "ldapno" && test "$SYNCPROV" != "syncprovno"  ; then
echo ""
echo "Setting up policy state forwarding test..."

# The consumer reuses the provider's config with only the database
# directory swapped.  NOTE(review): unlike $DBDIR1 above this mkdir has no
# -p, and the sed expression uses "," as delimiter, so it breaks if either
# directory name contains a comma.
mkdir $DBDIR2
sed -e "s,$DBDIR1,$DBDIR2," < $CONF1 > $CONF2
echo "Starting slapd consumer on TCP/IP port $PORT2..."
$SLAPD -f $CONF2 -h $URI2 -d $LVL > $LOG2 2>&1 &
PID=$!
if test $WAIT != 0 ; then
    echo PID $PID
    read foo
fi
# Both servers are torn down together from here on.
KILLPIDS="$KILLPIDS $PID"

# syncprov may be a dynamically loaded module; load it first if so.
echo "Configuring syncprov on provider..."
if [ "$SYNCPROV" = syncprovmod ]; then
	$LDAPADD -D cn=config -H $URI1 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
dn: cn=module,cn=config
objectclass: olcModuleList
cn: module
olcModulePath: $TESTWD/../servers/slapd/overlays
olcModuleLoad: syncprov.la

EOF
	RC=$?
	if test $RC != 0 ; then
		echo "ldapadd failed for moduleLoad ($RC)!"
		test $KILLSERVERS != no && kill -HUP $KILLPIDS
		exit $RC
	fi
fi

# syncprov is stacked as {1}, after the {0}ppolicy instance the config
# file already defines on this database.
$LDAPADD -D cn=config -H $URI1 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
dn: olcOverlay={1}syncprov,olcDatabase={1}$BACKEND,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {1}syncprov

EOF
RC=$?
if test $RC != 0 ; then
    echo "ldapadd failed for provider database config ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit $RC
fi

# Same readiness poll as for the provider, now against the consumer.
echo "Using ldapsearch to check that slapd is running..."
for i in 0 1 2 3 4 5; do
	$LDAPSEARCH -s base -b "$MONITOR" -H $URI2 \
		'objectclass=*' > /dev/null 2>&1
	RC=$?
	if test $RC = 0 ; then
		break
	fi
	echo "Waiting 5 seconds for slapd to start..."
	sleep 5
done
if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

# back-ldap may also be a loadable module; the chain overlay needs it.
echo "Configuring syncrepl on consumer..."
if [ "$BACKLDAP" = ldapmod ]; then
	$LDAPADD -D cn=config -H $URI2 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
dn: cn=module,cn=config
objectclass: olcModuleList
cn: module
olcModulePath: $TESTWD/../servers/slapd/back-ldap
olcModuleLoad: back_ldap.la

EOF
	RC=$?
	if test $RC != 0 ; then
		echo "ldapadd failed for moduleLoad ($RC)!"
		test $KILLSERVERS != no && kill -HUP $KILLPIDS
		exit $RC
	fi
fi
# One LDIF transaction sets up everything the consumer needs:
#  - a chain overlay on the frontend whose ldap database points at the
#    provider and binds there as the manager while asserting the original
#    client's identity (mode=self);
#  - syncrepl (refreshAndPersist) from the provider, plus an updateref so
#    writes are redirected there;
#  - olcPPolicyForwardUpdates on the consumer's {0}ppolicy, so the
#    overlay's own state writes go through the chain instead of the
#    local, read-only replica.
# NOTE(review): the manager password appears in cleartext here and in the
# syncrepl stanza (the same literal value defines.sh exports as $PASSWD).
# That is acceptable for a throwaway test server; a real deployment would
# use a dedicated, narrowly authorized identity for both and keep the
# credential out of the config.
$LDAPMODIFY -D cn=config -H $URI2 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain

dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDBURI: $URI1
olcDbIDAssertBind: bindmethod=simple
  binddn="cn=manager,dc=example,dc=com"
  credentials=secret
  mode=self

dn: olcDatabase={1}$BACKEND,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=1
  provider=$URI1
  binddn="cn=manager,dc=example,dc=com"
  bindmethod=simple
  credentials=secret
  searchbase="dc=example,dc=com"
  type=refreshAndPersist
  retry="3 5 300 5"
-
add: olcUpdateref
olcUpdateref: $URI1
-

dn: olcOverlay={0}ppolicy,olcDatabase={1}$BACKEND,cn=config
changetype: modify
replace: olcPPolicyForwardUpdates
olcPPolicyForwardUpdates: TRUE
-

EOF
RC=$?
if test $RC != 0 ; then
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

echo "Waiting for consumer to sync..."
sleep $SLEEP1

# A bad bind against the CONSUMER must be refused with 49
# (invalidCredentials) ...
echo "Testing policy state forwarding..."
$LDAPSEARCH -H $URI2 -D "$USER" -w wrongpw >$SEARCHOUT 2>&1
RC=$?
if test $RC != 49 ; then
	echo "ldapsearch should have failed with 49, got ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi

# ... and exactly one pwdFailureTime must then show up on the PROVIDER's
# copy of the entry, which is only possible if the consumer forwarded the
# state update through the chain.
$LDAPSEARCH -H $URI1 -D "$MANAGERDN" -w $PASSWD -b "$USER" \* \+ >> $SEARCHOUT 2>&1
COUNT=`grep "pwdFailureTime" $SEARCHOUT | wc -l`
if test $COUNT != 1 ; then
	echo "Policy state forwarding failed"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi

# End of chaining test

fi
6774e6df137Slukem
echo ""
echo "Testing obsolete Netscape ppolicy controls..."
# Switch on the legacy Netscape "password expiring/expired" response
# controls on the provider's ppolicy instance.
echo "Enabling Netscape controls..."
$LDAPMODIFY -v -D cn=config -H $URI1 -y $CONFIGPWF << EOMODS >> $TESTOUT 2>&1
dn: olcOverlay={0}ppolicy,olcDatabase={1}$BACKEND,cn=config
changetype: modify
replace: olcPPolicySendNetscapeControls
olcPPolicySendNetscapeControls: TRUE
-

EOMODS
RC=$?
case $RC in
0) ;;
*)
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
	;;
esac
696*e670fd5cSchristos
# Drop the grace-login allowance and shorten the lifetime to 15 seconds
# so the expiry can be observed quickly and without grace binds.
echo "Reconfiguring policy to remove grace logins..."
$LDAPMODIFY -v -D "$MANAGERDN" -H $URI1 -w $PASSWD << EOMODS >> $TESTOUT 2>&1
dn: cn=Standard Policy, ou=Policies, dc=example, dc=com
changetype: modify
delete: pwdGraceAuthnLimit
-
replace: pwdMaxAge
pwdMaxAge: 15
-

EOMODS
RC=$?
case $RC in
0) ;;
*)
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
	;;
esac
715*e670fd5cSchristos
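# Give the account a fresh password as the rootdn so the expiry clock
# restarts under the new 15-second pwdMaxAge.  The manager credential is
# taken from defines.sh ($PASSWD, as everywhere else) rather than being a
# literal copy of it.
OLDPASS=$PASS
PASS=newpass
$LDAPPASSWD -H $URI1 \
	-w $PASSWD -s $PASS \
	-D "$MANAGERDN" "$USER" >> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
	echo "Setting new password failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi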
727*e670fd5cSchristos
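# The administrative password change above is expected to have flagged
# the entry with pwdReset (as the forced-reset test earlier demonstrates
# for an admin-initiated change); clear it the same way as before.  This
# modify used to run unchecked, so a failure here would only have
# surfaced as a confusing result further down.
echo "Clearing forced reset..."
$LDAPMODIFY -v -D "$MANAGERDN" -H $URI1 -w $PASSWD >> \
	$TESTOUT 2>&1 << EOMODS
dn: $USER
changetype: modify
delete: pwdReset

EOMODS
RC=$?
if test $RC != 0 ; then
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

# Seconds until the new password expires ("expire=N" from the Account
# Usability control; portable [0-9]* instead of the non-POSIX "\d").
# Start binding 10 seconds early so the first binds see the expiring
# warning and the last one lands after expiry.
DELAY=`$LDAPSEARCH -D "$MANAGERDN" -H $URI1 -w $PASSWD \
    -b "$USER" -E accountUsability 1.1 | sed -n -e 's/.*expire=\([0-9]*\).*/\1/p'`
if test -z "$DELAY" ; then
	echo "Could not read expire from accountUsability!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi
DELAY=`expr $DELAY - 10`
# Never hand sleep(1) a negative count if the reported lifetime was short.
if test $DELAY -lt 0 ; then
	DELAY=0
fi

echo "Testing password expiration"
echo "Waiting $DELAY seconds for password to expire..."
sleep $DELAY

# These binds deliberately do not request the ppolicy control: the
# Netscape controls are returned unsolicited, and "PasswordExpiring" must
# appear in the output of at least one bind before the last one fails.
$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
	-b "$BASEDN" -s base > $SEARCHOUT 2>&1
sleep 3
$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
	-b "$BASEDN" -s base >> $SEARCHOUT 2>&1
sleep 3
$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
	-b "$BASEDN" -s base >> $SEARCHOUT 2>&1
sleep 3
$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
	-b "$BASEDN" -s base >> $SEARCHOUT 2>&1
sleep 3
$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
	-b "$BASEDN" -s base >> $SEARCHOUT 2>&1
RC=$?
if test $RC = 0 ; then
	echo "Password expiration failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi
# $COUNT stays unquoted: wc(1) may pad its output with blanks.
COUNT=`grep "PasswordExpiring" $SEARCHOUT | wc -l`
if test $COUNT = 0 ; then
	echo "Password expiring warning test failed!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi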
771*e670fd5cSchristos
# Normal teardown: stop every slapd started above (unless KILLSERVERS=no
# asks to leave them running for inspection) and reap them before
# exiting so no log output is lost.
if test $KILLSERVERS != no ; then
	kill -HUP $KILLPIDS
fi

echo ">>>>> Test succeeded"

if test $KILLSERVERS != no ; then
	wait
fi

exit 0
779