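#! /bin/sh
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.

# Test of OpenLDAPaci access controls.
#
# Builds a database from $LDIFORDERED with the $ACICONF configuration,
# starts slapd on $URI1, then checks that searches and binds are refused
# before any ACIs exist, writes a set of ACIs as $MANAGERDN, and verifies
# that the expected operations (search, whoami, password change) are
# permitted or denied afterwards. The captured search output is filtered
# and compared against $ACIOUT.
#
# Environment: expects the test-suite variables ($SRCDIR, $BACKEND, $ACI,
# $WAIT, $KILLSERVERS, ...) and sources $SRCDIR/scripts/defines.sh for
# tool paths and file names.
#
# Exit status: 0 on success or skip, non-zero on the first failing step.
# Failure exits use the failing command's status, or 1 when the command
# unexpectedly succeeded ("exit -1" is not a valid exit status in
# POSIX sh; dash rejects it, bash silently turns it into 255).

case "$BACKEND" in ldif | null)
	echo "$BACKEND backend does not support access controls, test skipped"
	exit 0
	;;
esac

echo "running defines.sh"
. $SRCDIR/scripts/defines.sh

if test "$ACI" = "acino" ; then
	echo "ACI not enabled, test skipped"
	exit 0
fi

mkdir -p $TESTDIR $DBDIR1

echo "Running slapadd to build slapd database..."
# $CONFFILTER is sourced with $BACKEND as its argument; it rewrites the
# template config on stdin into the backend-specific $CONF1.
. $CONFFILTER $BACKEND < $ACICONF > $CONF1
$SLAPADD -f $CONF1 -l $LDIFORDERED
RC=$?
if test $RC != 0 ; then
	echo "slapadd failed ($RC)!"
	exit $RC
fi

echo "Starting slapd on TCP/IP port $PORT1..."
$SLAPD -f $CONF1 -h $URI1 -d $LVL > $LOG1 2>&1 &
PID=$!
# With $WAIT set, pause so a debugger can be attached to the server.
if test $WAIT != 0 ; then
	echo PID $PID
	read foo
fi
# Left unquoted in the kill commands below on purpose: a space-separated
# PID list must split into separate arguments.
KILLPIDS="$PID"

sleep 1

echo "Testing slapd ACI access control..."
# Poll the monitor entry until slapd answers (up to 6 attempts).
for i in 0 1 2 3 4 5; do
	$LDAPSEARCH -s base -b "$MONITOR" -H $URI1 \
		'objectclass=*' > /dev/null 2>&1
	RC=$?
	if test $RC = 0 ; then
		break
	fi
	echo "Waiting 5 seconds for slapd to start..."
	sleep 5
done

if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

cat /dev/null > $SEARCHOUT
cat /dev/null > $TESTOUT

# Search must fail: no ACI grants anonymous access yet, so the base entry
# is invisible and the server reports noSuchObject (32).
BASEDN="dc=example,dc=com"
echo "Searching \"$BASEDN\" (should fail)..."
echo "# Searching \"$BASEDN\" (should fail)..." >> $SEARCHOUT
$LDAPSEARCH -s base -b "$BASEDN" -H $URI1 \
	'(objectclass=*)' >> $SEARCHOUT 2>> $TESTOUT
RC=$?
if test $RC != 32 ; then
	echo "ldapsearch should have failed with noSuchObject ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	if test $RC = 0 ; then
		# Unexpected success: report failure with a valid status.
		exit 1
	fi
	exit $RC
fi

# Bind must fail: without an ACI granting auth on userPassword the
# simple bind cannot succeed.
BINDDN="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"
BINDPW=bjensen
echo "Testing ldapwhoami as ${BINDDN} (should fail)..."
$LDAPWHOAMI -H $URI1 -D "$BINDDN" -w "$BINDPW"
RC=$?
if test $RC = 0 ; then
	echo "ldapwhoami should have failed!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	# Unexpected success: report failure with a valid status.
	exit 1
fi

# Populate ACIs
echo "Writing ACIs as \"$MANAGERDN\"..."
$LDAPMODIFY -D "$MANAGERDN" -w $PASSWD -H $URI1 \
	>> $TESTOUT 2>&1 << EOMODS0
dn: dc=example,dc=com
changetype: modify
add: OpenLDAPaci
OpenLDAPaci: 0#subtree#grant;d,c,s,r;[all]#group/groupOfUniqueNames/uniqueMe
 mber#cn=ITD Staff,ou=Groups,dc=example,dc=com
OpenLDAPaci: 1#entry#grant;d;[all]#public#

dn: ou=People,dc=example,dc=com
changetype: modify
add: OpenLDAPaci
OpenLDAPaci: 0#subtree#grant;x;userPassword#public#
OpenLDAPaci: 1#subtree#grant;w;userPassword#self#
OpenLDAPaci: 2#subtree#grant;w;userPassword#access-id#cn=Bjorn Jensen,ou=Inf
 ormation Technology Division,ou=People,dc=example,dc=com

dn: ou=Groups,dc=example,dc=com
changetype: modify
add: OpenLDAPaci
OpenLDAPaci: 0#entry#grant;s;[all]#public#
OpenLDAPaci: 1#children#grant;r;member;r;uniqueMember#access-id#cn=Bjorn Jen
 sen,ou=Information Technology Division,ou=People,dc=example,dc=com
EOMODS0
RC=$?
if test $RC != 0 ; then
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

# Search must succeed with no results: the "entry" ACI now discloses
# the base entry to anonymous users, but grants no read on it.
BASEDN="dc=example,dc=com"
echo "Searching \"$BASEDN\" (should succeed with no results)..."
echo "# Searching \"$BASEDN\" (should succeed with no results)..." >> $SEARCHOUT
$LDAPSEARCH -s base -b "$BASEDN" -H $URI1 \
	'(objectclass=*)' >> $SEARCHOUT 2>> $TESTOUT
RC=$?
if test $RC != 0 ; then
	### TEMPORARY (see ITS#3963)
	# A failure here is reported but deliberately does not abort the test.
	echo "ldapsearch failed ($RC)! IGNORED..."
	###echo "ldapsearch failed ($RC)!"
	###test $KILLSERVERS != no && kill -HUP $KILLPIDS
	###exit $RC
fi

# Bind must now succeed: auth on userPassword is granted to public.
BINDDN="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"
BINDPW=bjensen
echo "Testing ldapwhoami as ${BINDDN}..."
$LDAPWHOAMI -H $URI1 -D "$BINDDN" -w "$BINDPW"
RC=$?
if test $RC != 0 ; then
	echo "ldapwhoami failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

# Search must succeed
BINDDN="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"
BINDPW=bjorn
BASEDN="dc=example,dc=com"
echo "Searching \"$BASEDN\" as \"$BINDDN\" (should succeed)..."
echo "# Searching \"$BASEDN\" as \"$BINDDN\" (should succeed)..." >> $SEARCHOUT
$LDAPSEARCH -s base -b "$BASEDN" -H $URI1 \
	-D "$BINDDN" -w "$BINDPW" \
	'(objectClass=*)' >> $SEARCHOUT 2>> $TESTOUT
RC=$?
if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

# Passwd must succeed: Bjorn Jensen holds an access-id grant of write
# on userPassword under ou=People.
BINDDN="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"
BINDPW=bjorn
TGT="cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc=com"
NEWPW=jdoe
echo "Setting \"$TGT\" password..."
$LDAPPASSWD -H $URI1 \
	-w "$BINDPW" -s "$NEWPW" \
	-D "$BINDDN" "$TGT" >> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
	echo "ldappasswd failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

# Re-change as self... (exercises the "self" grant on userPassword)
echo "Changing self password..."
BINDDN="$TGT"
BINDPW=$NEWPW
TGT="cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc=com"
NEWPW=newcred
$LDAPPASSWD -H $URI1 \
	-w "$BINDPW" -s "$NEWPW" \
	-D "$BINDDN" "$TGT" >> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
	echo "ldappasswd failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

# Searching groups, bound as John Doe with the password just set.
BINDPW=$NEWPW
BASEDN="ou=Groups,dc=example,dc=com"
echo "Searching \"$BASEDN\" as \"$BINDDN\" (should succeed)..."
echo "# Searching \"$BASEDN\" as \"$BINDDN\" (should succeed)..." >> $SEARCHOUT
$LDAPSEARCH -s one -b "$BASEDN" -H $URI1 \
	-D "$BINDDN" -w "$BINDPW" \
	'(objectClass=*)' >> $SEARCHOUT 2>> $TESTOUT
RC=$?
if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

# Search must succeed with no results: the search itself is allowed but
# Barbara Jensen has no read grant on the group children.
BINDDN="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"
BINDPW=bjensen
echo "Searching \"$BASEDN\" as \"$BINDDN\" (should succeed with no results)..."
echo "# Searching \"$BASEDN\" as \"$BINDDN\" (should succeed with no results)..." >> $SEARCHOUT
$LDAPSEARCH -s one -b "$BASEDN" -H $URI1 \
	-D "$BINDDN" -w "$BINDPW" \
	'(objectClass=*)' >> $SEARCHOUT 2>> $TESTOUT
RC=$?
if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

test $KILLSERVERS != no && kill -HUP $KILLPIDS

LDIF=$ACIOUT

echo "Filtering ldapsearch results..."
$LDIFFILTER -s mdb=e < $SEARCHOUT > $SEARCHFLT
echo "Filtering original ldif used to create database..."
$LDIFFILTER -s mdb=e < $LDIF > $LDIFFLT
echo "Comparing filter output..."
$CMP $SEARCHFLT $LDIFFLT > $CMPOUT

if test $? != 0 ; then
	echo "comparison failed - operations did not complete correctly"
	exit 1
fi

echo ">>>>> Test succeeded"

# Reap the server started above so its exit does not outlive the script.
test $KILLSERVERS != no && wait

exit 0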