1#! /bin/sh
2# $OpenLDAP$
3## This work is part of OpenLDAP Software <http://www.openldap.org/>.
4##
5## Copyright 1998-2019 The OpenLDAP Foundation.
6## All rights reserved.
7##
8## Redistribution and use in source and binary forms, with or without
9## modification, are permitted only as authorized by the OpenLDAP
10## Public License.
11##
12## A copy of this license is available in the file LICENSE in the
13## top-level directory of the distribution or, alternatively, at
14## <http://www.OpenLDAP.org/license.html>.
15
# Pull in the shared test environment: tool paths ($SLAPD, $LDAPSEARCH, ...),
# ports and URIs, $MANAGERDN/$PASSWD, $KILLSERVERS, $WAIT and friends all
# come from defines.sh; every otherwise-undefined $VAR below is from there.
echo "running defines.sh"
. $SRCDIR/scripts/defines.sh

# The whole script exercises the ppolicy overlay; nothing to test without it.
if test $PPOLICY = ppolicyno; then
	echo "Password policy overlay not available, test skipped"
	exit 0
fi

mkdir -p $TESTDIR $DBDIR1

# Random cn=config rootpw: the cleartext lands in $CONFIGPWF (handed to the
# ldap* tools with -y later on), the hashed form in configpw.conf for slapd.
$SLAPPASSWD -g -n >$CONFIGPWF
echo "rootpw `$SLAPPASSWD -T $CONFIGPWF`" >$TESTDIR/configpw.conf

echo "Starting slapd on TCP/IP port $PORT1..."
# $CONFFILTER is sourced (note the leading dot), presumably rewriting the
# ppolicy slapd.conf template on stdin for the selected backend.
. $CONFFILTER $BACKEND $MONITORDB < $PPOLICYCONF > $CONF1
$SLAPD -f $CONF1 -h $URI1 -d $LVL $TIMING > $LOG1 2>&1 &
PID=$!
# With WAIT != 0 the script prints the server PID and blocks on stdin
# (e.g. so a debugger can be attached) until a line is entered.
if test $WAIT != 0 ; then
	echo PID $PID
	read dummy
fi
# Space-separated list of server PIDs to HUP on failure or at exit.  It is
# deliberately expanded unquoted wherever it is used so it word-splits.
KILLPIDS="$PID"

# The ordinary (non-rootdn) identity the password policy is applied to.
# NOTE(review): like the rest of this suite, its password is passed with
# -w on the command line and is therefore visible in the process list;
# tolerable for a local test harness, not a pattern to copy elsewhere.
USER="uid=nd, ou=People, dc=example, dc=com"
PASS=testpassword

sleep 1

echo "Using ldapsearch to check that slapd is running..."
# Poll the monitor backend until slapd answers, at most six attempts.
for attempt in 1 2 3 4 5 6; do
	$LDAPSEARCH -s base -b "$MONITOR" -h $LOCALHOST -p $PORT1 \
		'objectclass=*' > /dev/null 2>&1
	RC=$?
	test $RC = 0 && break
	echo "Waiting 5 seconds for slapd to start..."
	sleep 5
done
if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi
60
# Prime the test log.  (This writes the literal string "/dev/null" as the
# file's first line; odd, but harmless and kept as-is.)
echo /dev/null > $TESTOUT

echo "Using ldapadd to populate the database..."
# Load the ppolicy fixture LDIF (presumably the policy entries plus the
# test user) as the rootdn.
# may need "-e relax" for draft 09, but not yet.
$LDAPADD -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD < \
	$LDIFPPOLICY >> $TESTOUT 2>&1
RC=$?
if test $RC -ne 0 ; then
	echo "ldapadd failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi
73
echo "Testing account lockout..."
# Three bad binds spaced two seconds apart (presumably so each failure is
# recorded under a distinct pwdFailureTime), then a fourth bad bind and one
# bind with the *correct* password, both requesting the ppolicy response
# control.  Both of those must come back "Account locked": once locked,
# even the right password is refused until the lockout duration runs out.
: >$SEARCHOUT
for badbind in 1 2 3; do
	$LDAPSEARCH -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >>$SEARCHOUT 2>&1
	sleep 2
done
$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >> $SEARCHOUT 2>&1
$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS >> $SEARCHOUT 2>&1
COUNT=`grep -c "Account locked" $SEARCHOUT`
if test $COUNT -ne 2 ; then
	echo "Account lockout test failed"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi

echo "Waiting 20 seconds for lockout to reset..."
# The fixture's lockout duration is evidently under 20 seconds: afterwards
# the correct password must bind again and the base entry must be readable.
sleep 20

$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
	-b "$BASEDN" -s base >> $SEARCHOUT 2>&1
RC=$?
if test $RC -ne 0 ; then
	echo "ldapsearch failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi
101
echo "Testing password expiration"
echo "Waiting 20 seconds for password to expire..."
# The fixture's maximum password age is evidently short enough that the
# password set when the entry was loaded has expired by now.
sleep 20

# An expired password still gets a limited number of grace binds, each
# flagged with a "grace logins" warning in the ppolicy control; the bind
# after the last grace one is refused.  Three warnings and a failing
# fourth bind are expected, so the fixture presumably grants three.
: > $SEARCHOUT
for gracebind in 1 2 3; do
	$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
		-b "$BASEDN" -s base >> $SEARCHOUT 2>&1
	sleep 2
done
$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
	-b "$BASEDN" -s base >> $SEARCHOUT 2>&1
RC=$?
if test $RC -eq 0 ; then
	echo "Password expiration failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi

COUNT=`grep -c "grace logins" $SEARCHOUT`
if test $COUNT -ne 3 ; then
	echo "Password expiration test failed"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi
130
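echo "Resetting password to clear expired status"
# The grace binds are used up, so the rootdn (not the user) sets the
# password back to $PASS so the user can bind normally again.
# The rootdn binds with $PASSWD, the same credential the initial ldapadd
# used, instead of a second hard-coded copy of the rootpw: one source of
# truth for the secret, and no stale literal if defines.sh changes it.
$LDAPPASSWD -h $LOCALHOST -p $PORT1 \
	-w $PASSWD -s $PASS \
	-D "$MANAGERDN" "$USER" >> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
	echo "ldappasswd failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi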
141
echo "Filling password history..."
# Six self-service password changes by the user, each deleting the current
# value and replacing it with 20urgle12-<n>, so the history the policy
# keeps (presumably pwdInHistory) contains the value we try to reuse below.
# The LDIF is generated in a loop and piped in; it is byte-identical to
# writing the six modify records out by hand, blank line after each.
prevpw=$PASS
for n in 1 2 3 4 5 6; do
	echo "dn: uid=nd, ou=People, dc=example, dc=com"
	echo "changetype: modify"
	echo "delete: userpassword"
	echo "userpassword: $prevpw"
	echo "-"
	echo "replace: userpassword"
	echo "userpassword: 20urgle12-$n"
	echo ""
	prevpw=20urgle12-$n
done | $LDAPMODIFY -v -D "$USER" -h $LOCALHOST -p $PORT1 -w $PASS >> \
	$TESTOUT 2>&1
RC=$?
if test $RC -ne 0 ; then
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi
echo "Testing password history..."
# Reusing 20urgle12-2, which is still in the history, must be refused.
$LDAPMODIFY -v -D "$USER" -h $LOCALHOST -p $PORT1 -w 20urgle12-6 >> \
	$TESTOUT 2>&1 << EOMODS
dn: uid=nd, ou=People, dc=example, dc=com
changetype: modify
delete: userPassword
userPassword: 20urgle12-6
-
replace: userPassword
userPassword: 20urgle12-2

EOMODS
RC=$?
if test $RC -eq 0 ; then
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi
218
echo "Testing forced reset..."

# The rootdn sets a new password and flags the entry with pwdReset: TRUE,
# i.e. "must change password before doing anything else".
$LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD >> \
	$TESTOUT 2>&1 << EOMODS
dn: uid=nd, ou=People, dc=example, dc=com
changetype: modify
replace: userPassword
userPassword: $PASS
-
replace: pwdReset
pwdReset: TRUE

EOMODS
RC=$?
case $RC in
0)
	;;
*)
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
	;;
esac

# While pwdReset is set the user's search must fail, and the ppolicy
# response must say that operations are restricted (to a password change).
$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
	-b "$BASEDN" -s base > $SEARCHOUT 2>&1
RC=$?
case $RC in
0)
	echo "Forced reset failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
	;;
esac

COUNT=`grep -c "Operations are restricted" $SEARCHOUT`
if test $COUNT -ne 1 ; then
	echo "Forced reset test failed"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi

echo "Clearing forced reset..."

# Removing pwdReset lifts the restriction.
$LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD >> \
	$TESTOUT 2>&1 << EOMODS
dn: uid=nd, ou=People, dc=example, dc=com
changetype: modify
delete: pwdReset

EOMODS
RC=$?
case $RC in
0)
	;;
*)
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
	;;
esac

# The same search must now go through.
$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
	-b "$BASEDN" -s base > $SEARCHOUT 2>&1
RC=$?
case $RC in
0)
	;;
*)
	echo "Clearing forced reset failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
	;;
esac
279
echo "Testing Safe modify..."

# Safe modify (pwdSafeModify in the policy, presumably): a user changing
# their own password has to present the old one.  The first attempt omits
# -a (old password) and must be refused...
$LDAPPASSWD -h $LOCALHOST -p $PORT1 \
	-w $PASS -s failexpect \
	-D "$USER" >> $TESTOUT 2>&1
RC=$?
if test $RC -eq 0 ; then
	echo "Safe modify test 1 failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi

sleep 2

# ...the second supplies it with -a and must succeed.  $PASS is rebound
# here and remains the user's password for the rest of the script.
OLDPASS=$PASS
PASS=successexpect

$LDAPPASSWD -h $LOCALHOST -p $PORT1 \
	-w $OLDPASS -s $PASS -a $OLDPASS \
	-D "$USER" >> $TESTOUT 2>&1
RC=$?
if test $RC -ne 0 ; then
	echo "Safe modify test 2 failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi
306
echo "Testing length requirement..."
# check control in response (ITS#5711)
# A four-character new password must fail the quality check, and because
# -e ppolicy is requested the response control has to carry the specific
# reason ("too short"), not only the generic result text.  Output goes to
# a scratch file so it can be grepped, then is folded into the main log.
$LDAPPASSWD -h $LOCALHOST -p $PORT1 \
	-w $PASS -a $PASS -s 2shr \
	-D "$USER" -e ppolicy > ${TESTOUT}.2 2>&1
RC=$?
cat ${TESTOUT}.2 >> $TESTOUT
if test $RC -eq 0 ; then
	echo "Length requirement test failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi
COUNT=`grep -c "Password fails quality" ${TESTOUT}.2`
if test $COUNT -ne 1 ; then
	echo "Length requirement test failed"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi
COUNT=`grep -c "Password is too short for policy" ${TESTOUT}.2`
if test $COUNT -ne 1 ; then
	echo "Control not returned in response"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi
331
echo "Testing hashed length requirement..."

# Replace the password with a pre-hashed value ({MD5}...).  The server
# cannot measure the cleartext length behind a hash, so a policy that
# insists on quality checking has to reject it rather than wave it through
# (otherwise the length rule above is trivially bypassed by hashing).
$LDAPMODIFY -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS > \
	${TESTOUT}.2 2>&1 << EOMODS
dn: $USER
changetype: modify
delete: userPassword
userPassword: $PASS
-
add: userPassword
userPassword: {MD5}xxxxxx

EOMODS
RC=$?
cat ${TESTOUT}.2 >> $TESTOUT
if test $RC -eq 0 ; then
	echo "Hashed length requirement test failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi
COUNT=`grep -c "Password fails quality" ${TESTOUT}.2`
if test $COUNT -ne 1 ; then
	echo "Hashed length requirement test failed"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi
358
echo "Testing multiple password add/modify checks..."

# The overlay enforces a single userPassword value: an add, a modify/add and
# a modify/replace that would leave two values must all be rejected, even
# when the rootdn performs them.
$LDAPMODIFY -h $LOCALHOST -p $PORT1 -D "$MANAGERDN" -w $PASSWD >> \
	$TESTOUT 2>&1 << EOMODS
dn: cn=Add Should Fail, ou=People, dc=example, dc=com
changetype: add
objectClass: inetOrgPerson
cn: Add Should Fail
sn: Fail
userPassword: firstpw
userPassword: secondpw
EOMODS
RC=$?
case $RC in
0)
	echo "Multiple password add test failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
	;;
esac

$LDAPMODIFY -h $LOCALHOST -p $PORT1 -D "$MANAGERDN" -w $PASSWD >> \
	$TESTOUT 2>&1 << EOMODS
dn: $USER
changetype: modify
add: userPassword
userPassword: firstpw
userPassword: secondpw
EOMODS
RC=$?
case $RC in
0)
	echo "Multiple password modify add test failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
	;;
esac

$LDAPMODIFY -h $LOCALHOST -p $PORT1 -D "$MANAGERDN" -w $PASSWD >> \
	$TESTOUT 2>&1 << EOMODS
dn: $USER
changetype: modify
replace: userPassword
userPassword: firstpw
userPassword: secondpw
EOMODS
RC=$?
case $RC in
0)
	echo "Multiple password modify replace test failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
	;;
esac
407
# Policy state forwarding needs a second slapd acting as a syncrepl consumer
# that chains writes back to the provider, which requires back-ldap (for the
# chain overlay) and syncprov; skip silently when either is unavailable.
if test "$BACKLDAP" != "ldapno" && test "$SYNCPROV" != "syncprovno"  ; then
	echo ""
	echo "Setting up policy state forwarding test..."

	# Consumer config = provider config with the database directory swapped.
	# NB: $DBDIR1/$DBDIR2 are spliced into the sed expression unescaped;
	# they come from defines.sh, not from untrusted input, so this is
	# tolerated here (a comma in either path would break the substitution).
	mkdir $DBDIR2
	sed -e "s,$DBDIR1,$DBDIR2," < $CONF1 > $CONF2
	echo "Starting slapd consumer on TCP/IP port $PORT2..."
	$SLAPD -f $CONF2 -h $URI2 -d $LVL $TIMING > $LOG2 2>&1 &
	PID=$!
	if test $WAIT != 0 ; then
		echo PID $PID
		read dummy
	fi
	KILLPIDS="$KILLPIDS $PID"

	# cn=config operations authenticate with -y: the rootpw is read from
	# $CONFIGPWF rather than being placed on the command line.
	echo "Configuring syncprov on provider..."
	if test "$SYNCPROV" = syncprovmod ; then
		$LDAPADD -D cn=config -H $URI1 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
dn: cn=module,cn=config
objectclass: olcModuleList
cn: module
olcModulePath: $TESTWD/../servers/slapd/overlays
olcModuleLoad: syncprov.la

EOF
		RC=$?
		if test $RC -ne 0 ; then
			echo "ldapadd failed for moduleLoad ($RC)!"
			test $KILLSERVERS != no && kill -HUP $KILLPIDS
			exit $RC
		fi
	fi

	$LDAPADD -D cn=config -H $URI1 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
dn: olcOverlay={1}syncprov,olcDatabase={1}$BACKEND,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {1}syncprov

EOF
	RC=$?
	if test $RC -ne 0 ; then
		echo "ldapadd failed for provider database config ($RC)!"
		test $KILLSERVERS != no && kill -HUP $KILLPIDS
		exit $RC
	fi

	echo "Using ldapsearch to check that slapd is running..."
	# Same readiness poll as for the provider, this time against the consumer.
	for attempt in 1 2 3 4 5 6; do
		$LDAPSEARCH -s base -b "$MONITOR" -H $URI2 \
			'objectclass=*' > /dev/null 2>&1
		RC=$?
		test $RC = 0 && break
		echo "Waiting 5 seconds for slapd to start..."
		sleep 5
	done
	if test $RC -ne 0 ; then
		echo "ldapsearch failed ($RC)!"
		test $KILLSERVERS != no && kill -HUP $KILLPIDS
		exit $RC
	fi

	echo "Configuring syncrepl on consumer..."
	if test "$BACKLDAP" = ldapmod ; then
		$LDAPADD -D cn=config -H $URI2 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
dn: cn=module,cn=config
objectclass: olcModuleList
cn: module
olcModulePath: $TESTWD/../servers/slapd/back-ldap
olcModuleLoad: back_ldap.la

EOF
		RC=$?
		if test $RC -ne 0 ; then
			echo "ldapadd failed for moduleLoad ($RC)!"
			test $KILLSERVERS != no && kill -HUP $KILLPIDS
			exit $RC
		fi
	fi
	# Consumer wiring, in one ldapmodify:
	#  - chain overlay on the frontend so writes the consumer receives are
	#    forwarded to the provider, asserting the bound user's identity
	#    (mode=self) over a rootdn bind;
	#  - syncrepl from the provider into the consumer's database, plus an
	#    updateref pointing back at the provider;
	#  - olcPPolicyForwardUpdates so the overlay's own state writes
	#    (pwdFailureTime etc.) are chained to the provider too.
	# NOTE(review): the provider rootdn's cleartext password is embedded
	# twice below as a literal; it must match the rootpw slapd was started
	# with, and like every -w in this script it is test-harness only.
	$LDAPMODIFY -D cn=config -H $URI2 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain

dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDBURI: $URI1
olcDbIDAssertBind: bindmethod=simple
  binddn="cn=manager,dc=example,dc=com"
  credentials=secret
  mode=self

dn: olcDatabase={1}$BACKEND,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=1
  provider=$URI1
  binddn="cn=manager,dc=example,dc=com"
  bindmethod=simple
  credentials=secret
  searchbase="dc=example,dc=com"
  type=refreshAndPersist
  retry="3 5 300 5"
-
add: olcUpdateref
olcUpdateref: $URI1
-

dn: olcOverlay={0}ppolicy,olcDatabase={1}$BACKEND,cn=config
changetype: modify
replace: olcPPolicyForwardUpdates
olcPPolicyForwardUpdates: TRUE
-

EOF
	RC=$?
	if test $RC -ne 0 ; then
		echo "ldapmodify failed ($RC)!"
		test $KILLSERVERS != no && kill -HUP $KILLPIDS
		exit $RC
	fi

	echo "Waiting for consumer to sync..."
	sleep $SLEEP1

	echo "Testing policy state forwarding..."
	# One bad bind against the *consumer*.  ldapsearch exits with the LDAP
	# result code, so 49 (invalidCredentials) is the only acceptable outcome.
	$LDAPSEARCH -H $URI2 -D "$USER" -w wrongpw >$SEARCHOUT 2>&1
	RC=$?
	if test $RC -ne 49 ; then
		echo "ldapsearch should have failed with 49, got ($RC)!"
		test $KILLSERVERS != no && kill -HUP $KILLPIDS
		exit 1
	fi

	# Read the user's operational attributes (+) on the *provider*: exactly
	# one pwdFailureTime proves the failure recorded on the consumer was
	# forwarded rather than kept locally.
	$LDAPSEARCH -H $URI1 -D "$MANAGERDN" -w $PASSWD -b "$USER" \* \+ >> $SEARCHOUT 2>&1
	COUNT=`grep -c "pwdFailureTime" $SEARCHOUT`
	if test $COUNT -ne 1 ; then
		echo "Policy state forwarding failed"
		test $KILLSERVERS != no && kill -HUP $KILLPIDS
		exit 1
	fi

	# End of chaining test
fi
559
# Normal completion: HUP every slapd started above and reap it, unless the
# harness asked for the servers to be left running (KILLSERVERS=no).
if test $KILLSERVERS != no ; then
	kill -HUP $KILLPIDS
fi

echo ">>>>> Test succeeded"

if test $KILLSERVERS != no ; then
	wait
fi

exit 0
567