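#! /bin/sh
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.

# Identity-assertion test.  A slapd built with the ldap backend and the
# rwm overlay proxies a second database; clients bind either as a proxy
# identity ("cn=proxy US", "cn=proxy IT"), as a regular user, or as a
# database rootdn, and ask to act as somebody else through the proxied
# authorization control (-e '!authzid=...').  Every step checks both
# directions of the policy: permitted assertions must succeed and
# forbidden ones must be refused -- in particular a rootdn of one
# database must not be able to assert an identity that belongs to the
# other.  When SASL is built in and SLAPD_USE_SASL is set, the checks are
# repeated with a SASL bind and the SASL authorization identity.
#
# Environment: everything comes from scripts/defines.sh (SRCDIR, TESTDIR,
# DBDIR1, DBDIR2, BACKEND, BACKLDAP, RWM, WITH_SASL, USE_SASL, WAIT,
# KILLSERVERS, the tool variables and the config/LDIF paths used below).

echo "running defines.sh"
. "$SRCDIR/scripts/defines.sh"

#######################################
# Report a failed step, stop the slapd this script started (unless the
# harness set KILLSERVERS=no to keep it running for inspection) and exit.
# Globals:   KILLSERVERS (read), KILLPIDS (read)
# Arguments: $1 - message for stdout, $2 - exit status
#######################################
abort_test() {
	echo "$1"
	# KILLPIDS is a whitespace-separated pid list; it stays unquoted.
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$2"
}

echo "### This test requires the LDAP backend and the rwm overlay."
echo "### If available, and explicitly requested, it can use SASL bind;"
echo "### note that SASL must be properly set up, and the requested"
echo "### mechanism must be available. Define SLAPD_USE_SASL={yes|<mech>},"
echo "### with \"yes\" defaulting to DIGEST-MD5 to enable SASL authc[/authz]."

if test "$BACKLDAP" = "ldapno" ; then
	echo "LDAP backend not available, test skipped"
	exit 0
fi

if test "$RWM" = "rwmno" ; then
	echo "Rewrite/remap overlay not available, test skipped"
	exit 0
fi

# SASL is opt-in: WITH_SASL says whether the build has it, USE_SASL (from
# SLAPD_USE_SASL) whether this run should use it and with which mechanism.
# MECH stays empty unless both agree, and the SASL section at the end is
# keyed on it -- so a run that announces "simple authc" no longer goes on
# to attempt a SASL bind it cannot perform.
MECH=
if test "$WITH_SASL" = "yes" ; then
	if test "$USE_SASL" != "no" ; then
		if test "$USE_SASL" = "yes" ; then
			MECH="DIGEST-MD5"
		else
			MECH="$USE_SASL"
		fi
		echo "Using SASL authc[/authz] with mech=$MECH; unset SLAPD_USE_SASL to disable"
	else
		echo "Using proxyAuthz with simple authc..."
	fi
else
	echo "SASL not available; using proxyAuthz with simple authc..."
fi

mkdir -p "$TESTDIR" "$DBDIR1" "$DBDIR2"

# Tool variables ($SLAPADD, $SLAPD, $LDAPSEARCH, $LDIFFILTER, $CMP, ...)
# are deliberately left unquoted: defines.sh may bundle default flags into
# them and relies on word splitting.  Paths, DNs, passwords and statuses
# are quoted.
echo "Running slapadd to build slapd database..."
. $CONFFILTER "$BACKEND" < "$IDASSERTCONF" > "$ADDCONF"
$SLAPADD -f "$ADDCONF" -l "$LDIFIDASSERT1" -n 1
RC=$?
if test "$RC" != 0 ; then
	# No slapd is running yet, so there is nothing to kill here.
	echo "slapadd -n 1 failed ($RC)!"
	exit "$RC"
fi
$SLAPADD -f "$ADDCONF" -l "$LDIFIDASSERT2" -n 2
RC=$?
if test "$RC" != 0 ; then
	echo "slapadd -n 2 failed ($RC)!"
	exit "$RC"
fi

echo "Starting slapd on TCP/IP port $PORT..."
. $CONFFILTER "$BACKEND" < "$IDASSERTCONF" > "$CONF1"
$SLAPD -f "$CONF1" -h "$URI1" -d "$LVL" > "$LOG1" 2>&1 &
PID=$!
if test "$WAIT" != 0 ; then
	# Debug aid: show the pid and block until return is pressed, so a
	# debugger can be attached before the test proceeds.
	echo PID $PID
	read -r foo
fi
KILLPIDS="$PID"

sleep 1

# Poll the monitor entry until slapd answers.  If it never does, the first
# ldapwhoami below reports the failure and stops the test.
echo "Using ldapsearch to check that slapd is running..."
for i in 0 1 2 3 4 5; do
	$LDAPSEARCH -s base -b "$MONITOR" -H "$URI1" \
		'objectclass=*' > /dev/null 2>&1
	RC=$?
	if test "$RC" = 0 ; then
		break
	fi
	echo "Waiting 5 seconds for slapd to start..."
	sleep 5
done

# Fixture identities from the test LDIF.  Their passwords are passed with
# -w, which puts them on the command line; that is acceptable only inside
# this harness with throwaway test data.
PROXY_US="cn=proxy US,ou=Admin,dc=example,dc=com"
PROXY_IT="cn=proxy IT,ou=Admin,dc=example,dc=com"
BJORN="uid=bjorn,ou=people,dc=example,dc=com"

# The ldap tools exit with the LDAP result code; the "(should fail)" steps
# therefore check for one specific status, not merely for non-zero.
echo "Testing ldapwhoami as proxy US..."
$LDAPWHOAMI -H "$URI1" -D "$PROXY_US" -w proxy
RC=$?
if test "$RC" != 0 ; then
	abort_test "ldapwhoami failed ($RC)!" "$RC"
fi

# Steps guarded by BACKEND != null are allowed to fail on the null backend,
# which holds no entries to assert.
AUTHZID="u:it/jaj"
echo "Testing ldapwhoami as proxy US, $AUTHZID..."
$LDAPWHOAMI -H "$URI1" -D "$PROXY_US" -w proxy -e\!"authzid=$AUTHZID"
RC=$?
if test "$RC" != 0 && test "$BACKEND" != null ; then
	abort_test "ldapwhoami failed ($RC)!" "$RC"
fi

AUTHZID="u:bjorn"
echo "Testing ldapwhoami as proxy US, $AUTHZID... (should fail)"
$LDAPWHOAMI -H "$URI1" -D "$PROXY_US" -w proxy -e\!"authzid=$AUTHZID"
RC=$?
if test "$RC" != 1 ; then
	abort_test "ldapwhoami should have failed ($RC)!" 1
fi

AUTHZID="u:bjensen"
echo "Testing ldapwhoami as proxy US, $AUTHZID... (should fail)"
$LDAPWHOAMI -H "$URI1" -D "$PROXY_US" -w proxy -e\!"authzid=$AUTHZID"
RC=$?
if test "$RC" != 1 ; then
	abort_test "ldapwhoami should have failed ($RC)!" 1
fi

echo "Testing ldapwhoami as proxy IT..."
$LDAPWHOAMI -H "$URI1" -D "$PROXY_IT" -w proxy
RC=$?
if test "$RC" != 0 ; then
	abort_test "ldapwhoami failed ($RC)!" "$RC"
fi

AUTHZID="u:it/jaj"
echo "Testing ldapwhoami as proxy IT, $AUTHZID... (should fail)"
$LDAPWHOAMI -H "$URI1" -D "$PROXY_IT" -w proxy -e\!"authzid=$AUTHZID"
RC=$?
if test "$RC" != 1 ; then
	abort_test "ldapwhoami should have failed ($RC)!" 1
fi

AUTHZID="u:bjorn"
echo "Testing ldapwhoami as proxy IT, $AUTHZID... (should fail)"
$LDAPWHOAMI -H "$URI1" -D "$PROXY_IT" -w proxy -e\!"authzid=$AUTHZID"
RC=$?
if test "$RC" != 1 ; then
	abort_test "ldapwhoami should have failed ($RC)!" 1
fi

AUTHZID="dn:cn=Sandbox,ou=Admin,dc=example,dc=com"
echo "Testing ldapwhoami as proxy IT, $AUTHZID..."
$LDAPWHOAMI -H "$URI1" -D "$PROXY_IT" -w proxy -e\!"authzid=$AUTHZID"
RC=$?
if test "$RC" != 0 && test "$BACKEND" != null ; then
	abort_test "ldapwhoami failed ($RC)!" "$RC"
fi

# A plain user may assert its own identity under both naming contexts
# the rwm overlay maps it to.
AUTHZID="dn:uid=bjorn,ou=People,o=Example,c=US"
echo "Testing ldapwhoami as bjorn, $AUTHZID..."
$LDAPWHOAMI -H "$URI1" -D "$BJORN" -w bjorn -e\!"authzid=$AUTHZID"
RC=$?
if test "$RC" != 0 ; then
	abort_test "ldapwhoami failed ($RC)!" "$RC"
fi

AUTHZID="dn:uid=bjorn,ou=People,o=Esempio,c=IT"
echo "Testing ldapwhoami as bjorn, $AUTHZID..."
$LDAPWHOAMI -H "$URI1" -D "$BJORN" -w bjorn -e\!"authzid=$AUTHZID"
RC=$?
if test "$RC" != 0 ; then
	abort_test "ldapwhoami failed ($RC)!" "$RC"
fi

# Privilege boundary: rootdn of one database, identity owned by the other.
AUTHZID="u:it/jaj"
echo "Checking another DB's rootdn can't assert identity from another DB..."
$LDAPWHOAMI -H "$URI1" -D "$MANAGERDN" -w "$PASSWD" -e\!"authzid=$AUTHZID"
RC=$?
if test "$RC" != 1 ; then
	abort_test "ldapwhoami should have failed ($RC)!" 1
fi

ID="uid=jaj,ou=People,dc=example,dc=it"
BASE="o=Example,c=US"
echo "Testing ldapsearch as $ID for \"$BASE\"..."
$LDAPSEARCH -H "$URI1" -b "$BASE" \
	-D "$ID" -w jaj > "$SEARCHOUT" 2>&1
RC=$?
if test "$RC" != 0 && test "$BACKEND" != null ; then
	abort_test "ldapsearch failed ($RC)!" "$RC"
fi

echo "Filtering ldapsearch results..."
$LDIFFILTER -s ldif=e < "$SEARCHOUT" > "$SEARCHFLT"
echo "Filtering original ldif used to create database..."
$LDIFFILTER -s ldif=e < "$IDASSERTOUT" > "$LDIFFLT"
echo "Comparing filter output..."
$CMP "$SEARCHFLT" "$LDIFFLT" > "$CMPOUT"

if test $? != 0 ; then
	abort_test "comparison failed - search with identity assertion didn't succeed" 1
fi

# SASL variant: only when SASL is built in and was requested (MECH set).
if test -n "$MECH" ; then
	ID="it/jaj"
	BASE="o=Example,c=US"
	echo "Testing ldapsearch as $ID for \"$BASE\" with SASL bind and identity assertion..."
	$LDAPSASLSEARCH -H "$URI1" -b "$BASE" \
		-Q -U "$ID" -w jaj -Y "$MECH" > "$SEARCHOUT" 2>&1
	RC=$?
	if test "$RC" != 0 ; then
		abort_test "ldapsearch failed ($RC)!" "$RC"
	fi

	# Same privilege boundary as above, this time via the SASL authz-id
	# (-X).  The expected refusal is 50 (insufficientAccessRights), not
	# the status 1 the simple-bind checks look for.
	ID="manager"
	AUTHZID="u:it/jaj"
	echo "Checking another DB's rootdn can't assert in another (with SASL bind this time)..."
	$LDAPSASLWHOAMI -H "$URI1" \
		-Q -U "$ID" -w "$PASSWD" -Y "$MECH" -X "$AUTHZID"
	RC=$?
	if test "$RC" != 50 ; then
		abort_test "ldapwhoami should have failed ($RC)!" 1
	fi

	echo "Filtering ldapsearch results..."
	$LDIFFILTER < "$SEARCHOUT" > "$SEARCHFLT"
	echo "Filtering original ldif used to create database..."
	$LDIFFILTER < "$IDASSERTOUT" > "$LDIFFLT"
	echo "Comparing filter output..."
	$CMP "$SEARCHFLT" "$LDIFFLT" > "$CMPOUT"

	if test $? != 0 ; then
		abort_test "comparison failed - search with SASL bind and identity assertion didn't succeed" 1
	fi
fi

test "$KILLSERVERS" != no && kill -HUP $KILLPIDS

echo ">>>>> Test succeeded"

# Reap the slapd we signalled so its exit does not outlive the script.
test "$KILLSERVERS" != no && wait

exit 0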