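#! /bin/sh
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2020 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.

## Identity-assertion test for the LDAP backend with the rwm overlay.
##
## One slapd is started from $IDASSERTCONF with two databases (loaded with
## slapadd -n 1 and -n 2); every harness variable used here ($SRCDIR,
## $SLAPD, $PORT1, $KILLSERVERS, ...) comes from scripts/defines.sh.
##
## The checks below are authorization-boundary checks, not just smoke
## tests: each "proxy" identity may assert (via the proxyAuthz control or
## a SASL authzid) only the identities it is allowed to -- presumably as
## configured in $IDASSERTCONF, which is not visible here -- and a
## database's rootdn must NOT be able to assert an identity belonging to
## another database.  For the "(should fail)" cases an unexpected success
## is a test failure, because it would mean the boundary is not enforced.
##
## The credentials used (-w proxy, -w bjorn, -w jaj, $PASSWD) are fixtures
## from the shipped LDIF.  They are passed on the command line and are
## therefore visible in the process list; that is acceptable only in this
## throw-away test environment.

echo "running defines.sh"
. "$SRCDIR/scripts/defines.sh"

# Report a failure, stop the slapd we started (unless the harness asked to
# keep servers running) and exit with the given status.
#   $1 - message to print
#   $2 - exit status
# $KILLPIDS is intentionally unquoted: it is a space-separated PID list.
fail() {
	echo "$1"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$2"
}

echo "### This test requires the LDAP backend and the rwm overlay."
echo "### If available, and explicitly requested, it can use SASL bind;"
echo "### note that SASL must be properly set up, and the requested"
echo "### mechanism must be available. Define SLAPD_USE_SASL={yes|<mech>},"
echo "### with \"yes\" defaulting to DIGEST-MD5 to enable SASL authc[/authz]."

if test "$BACKLDAP" = "ldapno" ; then
	echo "LDAP backend not available, test skipped"
	exit 0
fi

if test "$RWM" = "rwmno" ; then
	echo "Rewrite/remap overlay not available, test skipped"
	exit 0
fi

if test "$THREADS" = "threadsno" ; then
	echo "Need threads support, test skipped"
	exit 0
fi

# MECH is non-empty only when SASL is both built in and requested; the
# SASL section at the end is gated on it, so a SLAPD_USE_SASL setting on a
# build without SASL cannot make us run SASL binds with an empty mechanism.
MECH=""
if test "$WITH_SASL" = "yes" ; then
	if test "$USE_SASL" != "no" ; then
		if test "$USE_SASL" = "yes" ; then
			MECH="DIGEST-MD5"
		else
			MECH="$USE_SASL"
		fi
		echo "Using SASL authc[/authz] with mech=$MECH; unset SLAPD_USE_SASL to disable"
	else
		echo "Using proxyAuthz with simple authc..."
	fi
else
	echo "SASL not available; using proxyAuthz with simple authc..."
fi

mkdir -p "$TESTDIR" "$DBDIR1" "$DBDIR2"

echo "Running slapadd to build slapd database..."
# $BACKEND and $MONITORDB are positional arguments to the conffilter
# script; they stay unquoted so an unset one does not become an empty
# positional argument.
. $CONFFILTER $BACKEND $MONITORDB < "$IDASSERTCONF" > "$ADDCONF"
# No server is running yet, so these failures just exit without a kill.
$SLAPADD -f "$ADDCONF" -l "$LDIFIDASSERT1" -n 1
RC=$?
if test "$RC" != 0 ; then
	echo "slapadd -n 1 failed ($RC)!"
	exit "$RC"
fi
$SLAPADD -f "$ADDCONF" -l "$LDIFIDASSERT2" -n 2
RC=$?
if test "$RC" != 0 ; then
	echo "slapadd -n 2 failed ($RC)!"
	exit "$RC"
fi

echo "Starting slapd on TCP/IP port $PORT..."
. $CONFFILTER $BACKEND $MONITORDB < "$IDASSERTCONF" > "$CONF1"
# $TIMING may legitimately be empty, so it stays unquoted.
$SLAPD -f "$CONF1" -h "$URI1" -d "$LVL" $TIMING > "$LOG1" 2>&1 &
PID=$!
if test "$WAIT" != 0 ; then
	echo PID $PID
	read -r foo
fi
KILLPIDS="$PID"

sleep 1

echo "Using ldapsearch to check that slapd is running..."
for i in 0 1 2 3 4 5; do
	$LDAPSEARCH -s base -b "$MONITOR" -h "$LOCALHOST" -p "$PORT1" \
		'objectclass=*' > /dev/null 2>&1
	RC=$?
	if test "$RC" = 0 ; then
		break
	fi
	echo "Waiting 5 seconds for slapd to start..."
	sleep 5
done
# Do not carry on against a server that never came up: ldapwhoami against
# a dead server exits 1 as well, which the "(should fail)" checks below
# would mistake for a correctly refused assertion.
if test "$RC" != 0 ; then
	fail "ldapsearch failed ($RC)!" "$RC"
fi

PROXY_US="cn=proxy US,ou=Admin,dc=example,dc=com"
PROXY_IT="cn=proxy IT,ou=Admin,dc=example,dc=com"
BJORN="uid=bjorn,ou=people,dc=example,dc=com"

# The simple-bind whoami checks expect exit status 0 on success and 1 on
# refusal.  Checks marked "BACKEND != null" tolerate a failure when the
# null backend is in use, since there is no data to resolve against.

echo "Testing ldapwhoami as proxy US..."
$LDAPWHOAMI -h "$LOCALHOST" -p "$PORT1" -D "$PROXY_US" -w proxy
RC=$?
if test "$RC" != 0 ; then
	fail "ldapwhoami failed ($RC)!" "$RC"
fi

# proxy US may assert an identity from the other naming context...
AUTHZID="u:it/jaj"
echo "Testing ldapwhoami as proxy US, $AUTHZID..."
$LDAPWHOAMI -h "$LOCALHOST" -p "$PORT1" -D "$PROXY_US" -w proxy -e '!authzid='"$AUTHZID"
RC=$?
if test "$RC" != 0 && test "$BACKEND" != null ; then
	fail "ldapwhoami failed ($RC)!" "$RC"
fi

# ...but must be refused for identities it is not allowed to assume.
AUTHZID="u:bjorn"
echo "Testing ldapwhoami as proxy US, $AUTHZID... (should fail)"
$LDAPWHOAMI -h "$LOCALHOST" -p "$PORT1" -D "$PROXY_US" -w proxy -e '!authzid='"$AUTHZID"
RC=$?
if test "$RC" != 1 ; then
	fail "ldapwhoami should have failed ($RC)!" 1
fi

AUTHZID="u:bjensen"
echo "Testing ldapwhoami as proxy US, $AUTHZID... (should fail)"
$LDAPWHOAMI -h "$LOCALHOST" -p "$PORT1" -D "$PROXY_US" -w proxy -e '!authzid='"$AUTHZID"
RC=$?
if test "$RC" != 1 ; then
	fail "ldapwhoami should have failed ($RC)!" 1
fi

echo "Testing ldapwhoami as proxy IT..."
$LDAPWHOAMI -h "$LOCALHOST" -p "$PORT1" -D "$PROXY_IT" -w proxy
RC=$?
if test "$RC" != 0 ; then
	fail "ldapwhoami failed ($RC)!" "$RC"
fi

# proxy IT has a different set of permitted identities than proxy US:
# u:it/jaj and u:bjorn must be refused, while the Sandbox DN is allowed.
AUTHZID="u:it/jaj"
echo "Testing ldapwhoami as proxy IT, $AUTHZID... (should fail)"
$LDAPWHOAMI -h "$LOCALHOST" -p "$PORT1" -D "$PROXY_IT" -w proxy -e '!authzid='"$AUTHZID"
RC=$?
if test "$RC" != 1 ; then
	fail "ldapwhoami should have failed ($RC)!" 1
fi

AUTHZID="u:bjorn"
echo "Testing ldapwhoami as proxy IT, $AUTHZID... (should fail)"
$LDAPWHOAMI -h "$LOCALHOST" -p "$PORT1" -D "$PROXY_IT" -w proxy -e '!authzid='"$AUTHZID"
RC=$?
if test "$RC" != 1 ; then
	fail "ldapwhoami should have failed ($RC)!" 1
fi

AUTHZID="dn:cn=Sandbox,ou=Admin,dc=example,dc=com"
echo "Testing ldapwhoami as proxy IT, $AUTHZID..."
$LDAPWHOAMI -h "$LOCALHOST" -p "$PORT1" -D "$PROXY_IT" -w proxy -e '!authzid='"$AUTHZID"
RC=$?
if test "$RC" != 0 && test "$BACKEND" != null ; then
	fail "ldapwhoami failed ($RC)!" "$RC"
fi

# A regular user asserting his own identity in either remote naming
# context is expected to succeed.
AUTHZID="dn:uid=bjorn,ou=People,o=Example,c=US"
echo "Testing ldapwhoami as bjorn, $AUTHZID..."
$LDAPWHOAMI -h "$LOCALHOST" -p "$PORT1" -D "$BJORN" -w bjorn -e '!authzid='"$AUTHZID"
RC=$?
if test "$RC" != 0 ; then
	fail "ldapwhoami failed ($RC)!" "$RC"
fi

AUTHZID="dn:uid=bjorn,ou=People,o=Esempio,c=IT"
echo "Testing ldapwhoami as bjorn, $AUTHZID..."
$LDAPWHOAMI -h "$LOCALHOST" -p "$PORT1" -D "$BJORN" -w bjorn -e '!authzid='"$AUTHZID"
RC=$?
if test "$RC" != 0 ; then
	fail "ldapwhoami failed ($RC)!" "$RC"
fi

# Privilege-separation check: a rootdn is all-powerful only within its own
# database and must not be able to assert an identity from another one.
AUTHZID="u:it/jaj"
echo "Checking another DB's rootdn can't assert identity from another DB..."
$LDAPWHOAMI -h "$LOCALHOST" -p "$PORT1" -D "$MANAGERDN" -w "$PASSWD" -e '!authzid='"$AUTHZID"
RC=$?
if test "$RC" != 1 ; then
	fail "ldapwhoami should have failed ($RC)!" 1
fi

ID="uid=jaj,ou=People,dc=example,dc=it"
BASE="o=Example,c=US"
echo "Testing ldapsearch as $ID for \"$BASE\"..."
$LDAPSEARCH -h "$LOCALHOST" -p "$PORT1" -b "$BASE" \
	-D "$ID" -w jaj > "$SEARCHOUT" 2>&1
RC=$?
if test "$RC" != 0 && test "$BACKEND" != null ; then
	fail "ldapsearch failed ($RC)!" "$RC"
fi

# Both sides go through the same filter so that the proxied result can be
# compared byte-for-byte with the LDIF the database was built from.
echo "Filtering ldapsearch results..."
$LDIFFILTER -s ldif=e < "$SEARCHOUT" > "$SEARCHFLT"
echo "Filtering original ldif used to create database..."
$LDIFFILTER -s ldif=e < "$IDASSERTOUT" > "$LDIFFLT"
echo "Comparing filter output..."
if ! $CMP "$SEARCHFLT" "$LDIFFLT" > "$CMPOUT" ; then
	fail "comparison failed - search with identity assertion didn't succeed" 1
fi

# Same checks again with SASL authc and a SASL authzid instead of the
# proxyAuthz control; only when SASL is built in and was requested.
if test -n "$MECH" ; then
	ID="it/jaj"
	BASE="o=Example,c=US"
	echo "Testing ldapsearch as $ID for \"$BASE\" with SASL bind and identity assertion..."
	$LDAPSASLSEARCH -h "$LOCALHOST" -p "$PORT1" -b "$BASE" \
		-Q -U "$ID" -w jaj -Y "$MECH" > "$SEARCHOUT" 2>&1
	RC=$?
	if test "$RC" != 0 ; then
		fail "ldapsearch failed ($RC)!" "$RC"
	fi

	# Here the refusal is expected at bind time, so the tool reports the
	# LDAP result code (50, presumably insufficientAccessRights -- confirm
	# against the tool) rather than the generic status 1 used above.
	ID="manager"
	AUTHZID="u:it/jaj"
	echo "Checking another DB's rootdn can't assert in another (with SASL bind this time)..."
	$LDAPSASLWHOAMI -h "$LOCALHOST" -p "$PORT1" \
		-Q -U "$ID" -w "$PASSWD" -Y "$MECH" -X "$AUTHZID"
	RC=$?
	if test "$RC" != 50 ; then
		fail "ldapwhoami should have failed ($RC)!" 1
	fi

	echo "Filtering ldapsearch results..."
	$LDIFFILTER < "$SEARCHOUT" > "$SEARCHFLT"
	echo "Filtering original ldif used to create database..."
	$LDIFFILTER < "$IDASSERTOUT" > "$LDIFFLT"
	echo "Comparing filter output..."
	if ! $CMP "$SEARCHFLT" "$LDIFFLT" > "$CMPOUT" ; then
		fail "comparison failed - search with SASL bind and identity assertion didn't succeed" 1
	fi
fi

test "$KILLSERVERS" != no && kill -HUP $KILLPIDS

echo ">>>>> Test succeeded"

test "$KILLSERVERS" != no && wait

exit 0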