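#! /bin/sh
# $OpenLDAP: pkg/ldap/tests/scripts/test022-ppolicy,v 1.17.2.5 2008/02/11 23:26:51 kurt Exp $
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2008 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
#
# test022-ppolicy: exercise the password policy (ppolicy) overlay.
#
# Starts one slapd configured from $PPOLICYCONF, loads $LDIFPPOLICY and
# then, as the test user "uid=nd", walks through the policy behaviours in
# order: account lockout after repeated bad binds, lockout reset,
# password expiration with grace logins, password history, forced reset
# (pwdReset), safe modify (old password required), length/quality
# checks on clear-text and pre-hashed values, and rejection of multiple
# userPassword values.
#
# Required environment (all provided by scripts/defines.sh): SRCDIR,
# TESTDIR, DBDIR1, PORT1, URI1, LOCALHOST, CONF1, LOG1, TESTOUT,
# SEARCHOUT, PPOLICYCONF, LDIFPPOLICY, MANAGERDN, PASSWD, BASEDN,
# MONITOR, SLAPD, LDAPSEARCH, LDAPADD, LDAPMODIFY, LDAPPASSWD,
# CONFFILTER, BACKEND, MONITORDB, LVL, TIMING, WAIT, KILLSERVERS.
#
# Timing: the 20-second waits below match the lockout duration and
# password max-age that $PPOLICYCONF is assumed to configure; if that
# policy changes, these sleeps must change with it.
#
# The fixture credentials are passed on the command line with -w, so
# they show up in process listings and in $TESTOUT; that is fine for
# throwaway test data but is not a pattern to copy into real tooling.

echo "running defines.sh"
. "$SRCDIR/scripts/defines.sh"

if test "$PPOLICY" = ppolicyno; then
	echo "Password policy overlay not available, test skipped"
	exit 0
fi

# Report a failed step, stop the test server (unless KILLSERVERS=no so
# it can be inspected), and exit.
#   $1 - diagnostic message
#   $2 - exit status
fail() {
	echo "$1"
	# KILLPIDS is a whitespace-separated pid list; leave it unquoted.
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$2"
}

mkdir -p "$TESTDIR" "$DBDIR1"

echo "Starting slapd on TCP/IP port $PORT1..."
# $BACKEND and $MONITORDB stay unquoted: CONFFILTER takes them as
# separate, possibly empty, words.
. $CONFFILTER $BACKEND $MONITORDB < "$PPOLICYCONF" > "$CONF1"
# $TIMING stays unquoted: it is empty unless timing output was requested.
$SLAPD -f "$CONF1" -h "$URI1" -d $LVL $TIMING > "$LOG1" 2>&1 &
PID=$!
if test "$WAIT" != 0 ; then
	echo PID $PID
	read -r foo
fi
KILLPIDS="$PID"

# Note: this shadows the login-name USER variable for the rest of the
# script; it is also expanded inside the unquoted heredocs below.
USER="uid=nd, ou=People, dc=example, dc=com"
PASS=testpassword

sleep 1

echo "Using ldapsearch to check that slapd is running..."
for i in 0 1 2 3 4 5; do
	$LDAPSEARCH -s base -b "$MONITOR" -h $LOCALHOST -p $PORT1 \
		'objectclass=*' > /dev/null 2>&1
	RC=$?
	if test $RC = 0 ; then
		break
	fi
	echo "Waiting 5 seconds for slapd to start..."
	sleep 5
done
if test $RC != 0 ; then
	fail "ldapsearch failed ($RC)!" $RC
fi

# Truncate the transcript (the original wrote the literal text
# "/dev/null" into it).
: > "$TESTOUT"

echo "Using ldapadd to populate the database..."
# may need "-e relax" for draft 09, but not yet.
$LDAPADD -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w "$PASSWD" < \
	"$LDIFPPOLICY" >> "$TESTOUT" 2>&1
RC=$?
if test $RC != 0 ; then
	fail "ldapadd failed ($RC)!" $RC
fi

echo "Testing account lockout..."
# Three bad binds, spaced out (presumably so each failure is recorded
# with a distinct timestamp), are expected to lock the account.  The
# fourth bad bind and the following bind with the *correct* password are
# both expected to be refused with "Account locked" -- hence the count
# of exactly 2 below.  The bad binds are supposed to fail, so their exit
# status is not checked.
$LDAPSEARCH -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw > "$SEARCHOUT" 2>&1
sleep 2
$LDAPSEARCH -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >> "$SEARCHOUT" 2>&1
sleep 2
$LDAPSEARCH -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >> "$SEARCHOUT" 2>&1
sleep 2
$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >> "$SEARCHOUT" 2>&1
$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w "$PASS" >> "$SEARCHOUT" 2>&1
COUNT=$(grep -c "Account locked" "$SEARCHOUT")
if test "$COUNT" != 2 ; then
	fail "Account lockout test failed" 1
fi

echo "Waiting 20 seconds for lockout to reset..."
sleep 20

# After the lockout duration the correct password must work again.
$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w "$PASS" \
	-b "$BASEDN" -s base >> "$SEARCHOUT" 2>&1
RC=$?
if test $RC != 0 ; then
	fail "ldapsearch failed ($RC)!" $RC
fi

echo "Testing password expiration"
echo "Waiting 20 seconds for password to expire..."
sleep 20

# Once the password has expired, the policy is expected to allow three
# grace logins (each reported as "grace logins" in the response) and to
# refuse the fourth bind.  Only the fourth bind's status is checked.
$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w "$PASS" \
	-b "$BASEDN" -s base > "$SEARCHOUT" 2>&1
sleep 2
$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w "$PASS" \
	-b "$BASEDN" -s base >> "$SEARCHOUT" 2>&1
sleep 2
$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w "$PASS" \
	-b "$BASEDN" -s base >> "$SEARCHOUT" 2>&1
sleep 2
$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w "$PASS" \
	-b "$BASEDN" -s base >> "$SEARCHOUT" 2>&1
RC=$?
if test $RC = 0 ; then
	fail "Password expiration failed ($RC)!" 1
fi

COUNT=$(grep -c "grace logins" "$SEARCHOUT")
if test "$COUNT" != 3 ; then
	fail "Password expiration test failed" 1
fi

echo "Resetting password to clear expired status"
# Administrative reset as the manager.  The original hard-coded the
# manager password here as "secret"; every other manager bind in this
# script uses $PASSWD, so use it here too.
$LDAPPASSWD -h $LOCALHOST -p $PORT1 \
	-w "$PASSWD" -s "$PASS" \
	-D "$MANAGERDN" "$USER" >> "$TESTOUT" 2>&1
RC=$?
if test $RC != 0 ; then
	fail "ldappasswd failed ($RC)!" $RC
fi

echo "Filling password history..."
# Six self-service password changes in one ldapmodify run, each one a
# delete of the current value followed by a replace with the next, so
# the history ends up holding 20urgle12-1 .. 20urgle12-6.
$LDAPMODIFY -v -D "$USER" -h $LOCALHOST -p $PORT1 -w "$PASS" >> \
	"$TESTOUT" 2>&1 << EOMODS
dn: uid=nd, ou=People, dc=example, dc=com
changetype: modify
delete: userpassword
userpassword: testpassword
-
replace: userpassword
userpassword: 20urgle12-1

dn: uid=nd, ou=People, dc=example, dc=com
changetype: modify
delete: userpassword
userpassword: 20urgle12-1
-
replace: userpassword
userpassword: 20urgle12-2

dn: uid=nd, ou=People, dc=example, dc=com
changetype: modify
delete: userpassword
userpassword: 20urgle12-2
-
replace: userpassword
userpassword: 20urgle12-3

dn: uid=nd, ou=People, dc=example, dc=com
changetype: modify
delete: userpassword
userpassword: 20urgle12-3
-
replace: userpassword
userpassword: 20urgle12-4

dn: uid=nd, ou=People, dc=example, dc=com
changetype: modify
delete: userpassword
userpassword: 20urgle12-4
-
replace: userpassword
userpassword: 20urgle12-5

dn: uid=nd, ou=People, dc=example, dc=com
changetype: modify
delete: userpassword
userpassword: 20urgle12-5
-
replace: userpassword
userpassword: 20urgle12-6

EOMODS
RC=$?
if test $RC != 0 ; then
	fail "ldapmodify failed ($RC)!" $RC
fi

echo "Testing password history..."
# Re-using a password still held in the history must be refused, so
# success here is the failure case.
$LDAPMODIFY -v -D "$USER" -h $LOCALHOST -p $PORT1 -w 20urgle12-6 >> \
	"$TESTOUT" 2>&1 << EOMODS
dn: uid=nd, ou=People, dc=example, dc=com
changetype: modify
delete: userPassword
userPassword: 20urgle12-6
-
replace: userPassword
userPassword: 20urgle12-2

EOMODS
RC=$?
if test $RC = 0 ; then
	fail "ldapmodify failed ($RC)!" 1
fi

echo "Testing forced reset..."

# Manager sets a new password and flags the entry with pwdReset: TRUE.
$LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w "$PASSWD" >> \
	"$TESTOUT" 2>&1 << EOMODS
dn: uid=nd, ou=People, dc=example, dc=com
changetype: modify
replace: userPassword
userPassword: testpassword
-
replace: pwdReset
pwdReset: TRUE

EOMODS
RC=$?
if test $RC != 0 ; then
	fail "ldapmodify failed ($RC)!" $RC
fi

# With pwdReset set, the user can bind but any other operation must be
# refused ("Operations are restricted"), so the search must fail.
$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w "$PASS" \
	-b "$BASEDN" -s base > "$SEARCHOUT" 2>&1
RC=$?
if test $RC = 0 ; then
	fail "Forced reset failed ($RC)!" 1
fi

COUNT=$(grep -c "Operations are restricted" "$SEARCHOUT")
if test "$COUNT" != 1 ; then
	fail "Forced reset test failed" 1
fi

echo "Clearing forced reset..."

$LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w "$PASSWD" >> \
	"$TESTOUT" 2>&1 << EOMODS
dn: uid=nd, ou=People, dc=example, dc=com
changetype: modify
delete: pwdReset

EOMODS
RC=$?
if test $RC != 0 ; then
	fail "ldapmodify failed ($RC)!" $RC
fi

# Normal operation must be possible again once pwdReset is gone.
$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w "$PASS" \
	-b "$BASEDN" -s base > "$SEARCHOUT" 2>&1
RC=$?
if test $RC != 0 ; then
	fail "Clearing forced reset failed ($RC)!" $RC
fi

echo "Testing Safe modify..."

# Safe modify: a self-service change without the old password (-a) is
# expected to be refused ...
$LDAPPASSWD -h $LOCALHOST -p $PORT1 \
	-w "$PASS" -s failexpect \
	-D "$USER" >> "$TESTOUT" 2>&1
RC=$?
if test $RC = 0 ; then
	fail "Safe modify test 1 failed ($RC)!" 1
fi

sleep 2

# ... and the same change supplying the old password must succeed.
$LDAPPASSWD -h $LOCALHOST -p $PORT1 \
	-w "$PASS" -s failexpect -a "$PASS" \
	-D "$USER" >> "$TESTOUT" 2>&1
RC=$?
if test $RC != 0 ; then
	fail "Safe modify test 2 failed ($RC)!" $RC
fi

echo "Testing length requirement..."

# A too-short new password ("spw") must be refused with a quality error.
# Output goes to a scratch file so the message can be counted, then is
# appended to the transcript.
$LDAPPASSWD -h $LOCALHOST -p $PORT1 \
	-w failexpect -a failexpect -s spw \
	-D "$USER" > "${TESTOUT}.2" 2>&1
RC=$?
cat "${TESTOUT}.2" >> "$TESTOUT"
if test $RC = 0 ; then
	fail "Length requirement test failed ($RC)!" 1
fi
COUNT=$(grep -c "Password fails quality" "${TESTOUT}.2")
if test "$COUNT" != 1 ; then
	fail "Length requirement test failed" 1
fi

echo "Testing hashed length requirement..."

# A pre-hashed value cannot be length/quality checked by the overlay;
# the policy in use is expected to reject it with the same quality error.
$LDAPMODIFY -h $LOCALHOST -p $PORT1 -D "$USER" -w failexpect > \
	"${TESTOUT}.2" 2>&1 << EOMODS
dn: $USER
changetype: modify
delete: userPassword
userPassword: failexpect
-
add: userPassword
userPassword: {MD5}xxxxxx

EOMODS
RC=$?
cat "${TESTOUT}.2" >> "$TESTOUT"
if test $RC = 0 ; then
	fail "Hashed length requirement test failed ($RC)!" 1
fi
COUNT=$(grep -c "Password fails quality" "${TESTOUT}.2")
if test "$COUNT" != 1 ; then
	fail "Hashed length requirement test failed" 1
fi

echo "Testing multiple password add/modify checks..."

# The overlay must refuse more than one userPassword value, whether on
# add, on modify/add, or on modify/replace -- even for the manager.
$LDAPMODIFY -h $LOCALHOST -p $PORT1 -D "$MANAGERDN" -w "$PASSWD" >> \
	"$TESTOUT" 2>&1 << EOMODS
dn: cn=Add Should Fail, ou=People, dc=example, dc=com
changetype: add
objectClass: inetOrgPerson
cn: Add Should Fail
sn: Fail
userPassword: firstpw
userPassword: secondpw
EOMODS
RC=$?
if test $RC = 0 ; then
	fail "Multiple password add test failed ($RC)!" 1
fi

$LDAPMODIFY -h $LOCALHOST -p $PORT1 -D "$MANAGERDN" -w "$PASSWD" >> \
	"$TESTOUT" 2>&1 << EOMODS
dn: $USER
changetype: modify
add: userPassword
userPassword: firstpw
userPassword: secondpw
EOMODS
RC=$?
if test $RC = 0 ; then
	fail "Multiple password modify add test failed ($RC)!" 1
fi

$LDAPMODIFY -h $LOCALHOST -p $PORT1 -D "$MANAGERDN" -w "$PASSWD" >> \
	"$TESTOUT" 2>&1 << EOMODS
dn: $USER
changetype: modify
replace: userPassword
userPassword: firstpw
userPassword: secondpw
EOMODS
RC=$?
if test $RC = 0 ; then
	fail "Multiple password modify replace test failed ($RC)!" 1
fi

test "$KILLSERVERS" != no && kill -HUP $KILLPIDS

echo ">>>>> Test succeeded"

test "$KILLSERVERS" != no && wait

exit 0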