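#! /bin/sh
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.

echo "running defines.sh"
. $SRCDIR/scripts/defines.sh

if test $AUTOCA = autocano; then
	echo "Automatic CA overlay not available, test skipped"
	exit 0
fi

CFDIR=$TESTDIR/slapd.d

mkdir -p $TESTDIR $CFDIR $DBDIR1

# Generate a random cn=config password into a file; every cn=config bind
# below reads it with -y instead of passing it on the command line.
$SLAPPASSWD -g -n >$CONFIGPWF

#
# Test operation of autoca:
# - configure over ldap without TLS
# - populate over ldap
# - add host entry
# - add autoca overlay
# - generate server and user certs
# - check for TLS operation
#
# Trust bootstrap here is deliberately "first use": the CA certificate is
# fetched over the plaintext ldap:// listener and then pinned through
# LDAPTLS_CACERT for the TLS checks that follow. All of the certificate
# and private key material this test extracts lands in $TESTDIR.
#

echo "Starting slapd on TCP/IP port $PORT1..."
. $CONFFILTER $BACKEND < $DYNAMICCONF > $CONFLDIF
$SLAPADD -F $CFDIR -n 0 -l $CONFLDIF
$SLAPD -F $CFDIR -h $URIP1 -d $LVL > $LOG1 2>&1 &
PID=$!
if test $WAIT != 0 ; then
	echo PID $PID
	read foo
fi
KILLPIDS="$PID"
cd $TESTWD

sleep 1

echo "Using ldapsearch to check that slapd is running..."
for i in 0 1 2 3 4 5; do
	$LDAPSEARCH -s base -b "" -H $URIP1 \
		'objectclass=*' > /dev/null 2>&1
	RC=$?
	if test $RC = 0 ; then
		break
	fi
	echo "Waiting 5 seconds for slapd to start..."
	sleep 5
done

if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

echo "Adding schema and databases on slapd..."
$LDAPADD -D cn=config -H $URIP1 -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
include: file://$ABS_SCHEMADIR/core.ldif

include: file://$ABS_SCHEMADIR/cosine.ldif

include: file://$ABS_SCHEMADIR/inetorgperson.ldif

include: file://$ABS_SCHEMADIR/openldap.ldif

include: file://$ABS_SCHEMADIR/nis.ldif
EOF
RC=$?
if test $RC != 0 ; then
	echo "ldapadd failed for schema config ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

# The null backend has no olc<Backend>Config class and no directory;
# nullExclude comments those attributes out of the database LDIF below.
nullExclude="" nullOK=""
test $BACKEND = null && nullExclude="# " nullOK="OK"

if [ "$BACKENDTYPE" = mod ]; then
	$LDAPADD -D cn=config -H $URIP1 -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: $TESTWD/../servers/slapd/back-$BACKEND
olcModuleLoad: back_$BACKEND.la
EOF
	RC=$?
	if test $RC != 0 ; then
		echo "ldapadd failed for backend config ($RC)!"
		test $KILLSERVERS != no && kill -HUP $KILLPIDS
		exit $RC
	fi
fi

$LDAPADD -D cn=config -H $URIP1 -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
dn: olcDatabase={1}$BACKEND,cn=config
objectClass: olcDatabaseConfig
${nullExclude}objectClass: olc${BACKEND}Config
olcDatabase: {1}$BACKEND
olcSuffix: $BASEDN
${nullExclude}olcDbDirectory: $DBDIR1
olcRootDN: $MANAGERDN
olcRootPW: $PASSWD
EOF
RC=$?
if test $RC != 0 ; then
	echo "ldapadd failed for database config ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

if test $INDEXDB = indexdb ; then
	$LDAPMODIFY -D cn=config -H $URIP1 -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
dn: olcDatabase={1}$BACKEND,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: objectClass,entryUUID,entryCSN eq
olcDbIndex: cn,uid pres,eq,sub
EOF
	RC=$?
	if test $RC != 0 ; then
		# Was misreported as an ldapadd failure; this step is a modify.
		echo "ldapmodify failed for database config ($RC)!"
		test $KILLSERVERS != no && kill -HUP $KILLPIDS
		exit $RC
	fi
fi

echo "Using ldapadd to populate slapd..."
$LDAPADD -D "$MANAGERDN" -H $URIP1 -w $PASSWD -f $LDIFORDERED \
	>> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
	echo "ldapadd failed for database populate ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

# Host entries the overlay issues server certificates for. cn=localhost is
# the one named by olcAutoCAlocalDN below.
# NOTE(review): the second entry's RDN is cn=www.example.com but its only
# cn value is "localhost"; slapd normally rejects an RDN value that is
# not present in the entry (namingViolation) -- confirm the intended value.
echo "Adding server entries to slapd..."
$LDAPADD -D "$MANAGERDN" -H $URIP1 -w $PASSWD <<EOF >> $TESTOUT 2>&1
dn: ou=Servers,$BASEDN
objectClass: organizationalUnit
ou: Servers

dn: cn=localhost,ou=Servers,$BASEDN
objectClass: device
objectClass: ipHost
cn: localhost
ipHostNumber: 127.0.0.1

dn: cn=www.example.com,ou=Servers,$BASEDN
objectClass: device
objectClass: ipHost
cn: localhost
ipHostNumber: 93.184.216.34
EOF
RC=$?
if test $RC != 0 ; then
	# Distinct message so this failure is not confused with the
	# $LDIFORDERED populate step above.
	echo "ldapadd failed for server entries ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

echo "Inserting autoca overlay on slapd..."
if [ "$AUTOCA" = autocamod ]; then
	# Append like every other step; a single '>' here used to truncate
	# $TESTOUT and discard the log of everything above.
	$LDAPADD -D cn=config -H $URIP1 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: $TESTWD/../servers/slapd/overlays
olcModuleLoad: autoca.la
EOF
	RC=$?
	if test $RC != 0 ; then
		echo "ldapadd failed for moduleLoad ($RC)!"
		test $KILLSERVERS != no && kill -HUP $KILLPIDS
		exit $RC
	fi
fi
$LDAPMODIFY -D cn=config -H $URIP1 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
dn: olcOverlay=autoca,olcDatabase={1}$BACKEND,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAutoCAConfig
olcOverlay: autoca
olcAutoCAlocalDN: cn=localhost,ou=Servers,$BASEDN
EOF
RC=$?
if test $RC != 0 ; then
	echo "ldapmodify failed for autoca config ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

# The CA certificate is read from the suffix entry over plaintext ldap://
# and becomes the trust anchor for every -ZZ check below.
echo "Using ldapsearch to retrieve CA cert..."
$LDAPSEARCH -b $BASEDN -D $MANAGERDN -H $URIP1 -w $PASSWD -s base \
	'objectclass=*' 'cACertificate;binary' > $SEARCHOUT 2>&1
RC=$?

if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

# Rebuild PEM from the LDIF output: drop the dn line, strip the
# attribute prefix from the base64 value, drop blank lines.
echo "Setting up CA cert..."
echo "-----BEGIN CERTIFICATE-----" > $TESTDIR/cacert.pem
sed -e "/^dn:/d" -e "s/cACertificate;binary:://" -e "/^$/d" $SEARCHOUT >> $TESTDIR/cacert.pem
echo "-----END CERTIFICATE-----" >> $TESTDIR/cacert.pem

# Requesting userCertificate/userPrivateKey on the localhost entry is what
# makes the overlay issue the server certificate; the values themselves
# are not needed here (-A).
echo "Using ldapsearch to generate localhost cert..."
$LDAPSEARCH -b cn=localhost,ou=Servers,$BASEDN -D $MANAGERDN -H $URIP1 -w $PASSWD -s base \
	-A 'objectclass=*' 'userCertificate;binary' 'userPrivateKey;binary' >> $TESTOUT 2>&1
RC=$?

if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

# LDAPNOINIT is cleared so the client library picks up the LDAPTLS_*
# environment; -ZZ makes StartTLS mandatory, so a failed handshake or
# an untrusted server certificate fails this step.
echo "Using ldapsearch to attempt TLS..."
unset LDAPNOINIT
LDAPTLS_CACERT=$TESTDIR/cacert.pem
export LDAPTLS_CACERT
$LDAPSEARCH -b $BASEDN -D $MANAGERDN -H $URIP1 -w $PASSWD -s base -ZZ \
	'objectclass=*' >> $TESTOUT 2>&1
RC=$?

if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

if test $WITH_SASL = no ; then
	echo "SASL support not available, skipping client cert authentication"
else
	# note - the attrs are being saved in raw DER form.
	# they need to be base64 encoded into PEM for most programs to use them
	# so we ignore those files for now.
	# (-t writes those files, including the user's private key, under
	# $TESTDIR.)
	echo "Using ldapsearch to generate user cert..."
	$LDAPSEARCH -b "$BABSDN" -D $MANAGERDN -H $URIP1 -w $PASSWD -s base -ZZ \
		-T $TESTDIR -t 'objectclass=*' 'userCertificate;binary' 'userPrivateKey;binary' >> $TESTOUT 2>&1
	RC=$?

	if test $RC != 0 ; then
		echo "ldapsearch failed ($RC)!"
		test $KILLSERVERS != no && kill -HUP $KILLPIDS
		exit $RC
	fi

	echo "Using ldapsearch to retrieve user cert..."
	$LDAPSEARCH -b "$BABSDN" -D $MANAGERDN -H $URIP1 -w $PASSWD -s base -ZZ \
		'objectclass=*' 'userCertificate;binary' > $SEARCHOUT 2>&1
	RC=$?

	if test $RC != 0 ; then
		echo "ldapsearch failed ($RC)!"
		test $KILLSERVERS != no && kill -HUP $KILLPIDS
		exit $RC
	fi

	# The user DN is long enough that ldapsearch folds it; the
	# "/^ dc=com/d" expression removes that continuation line.
	echo "Setting up user cert..."
	echo "-----BEGIN CERTIFICATE-----" > $TESTDIR/usercert.pem
	sed -e "/^dn:/d" -e "/^ dc=com/d" -e "s/userCertificate;binary:://" -e "/^$/d" $SEARCHOUT >> $TESTDIR/usercert.pem
	echo "-----END CERTIFICATE-----" >> $TESTDIR/usercert.pem

	echo "Using ldapsearch to retrieve user key..."
	$LDAPSEARCH -b "$BABSDN" -D $MANAGERDN -H $URIP1 -w $PASSWD -s base -ZZ \
		'objectclass=*' 'userPrivateKey;binary' > $SEARCHOUT 2>&1
	RC=$?

	if test $RC != 0 ; then
		echo "ldapsearch failed ($RC)!"
		test $KILLSERVERS != no && kill -HUP $KILLPIDS
		exit $RC
	fi

	echo "Setting up user key..."
	echo "-----BEGIN PRIVATE KEY-----" > $TESTDIR/userkey.pem
	sed -e "/^dn:/d" -e "/^ dc=com/d" -e "s/userPrivateKey;binary:://" -e "/^$/d" $SEARCHOUT >> $TESTDIR/userkey.pem
	echo "-----END PRIVATE KEY-----" >> $TESTDIR/userkey.pem

	LDAPTLS_CERT=$TESTDIR/usercert.pem
	LDAPTLS_KEY=$TESTDIR/userkey.pem
	export LDAPTLS_CERT
	export LDAPTLS_KEY

	# With "try" the server requests a client certificate but does not
	# fail the session when none or a bad one is presented, so the
	# EXTERNAL bind below is the only thing that proves the client
	# certificate was actually accepted.
	echo "Setting TLSVerifyClient to try..."
	$LDAPMODIFY -D cn=config -H $URIP1 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
dn: cn=config
changetype: modify
replace: olcTLSVerifyClient
olcTLSVerifyClient: try
EOF
	RC=$?
	if test $RC != 0 ; then
		echo "ldapmodify failed for TLSVerifyClient config ($RC)!"
		test $KILLSERVERS != no && kill -HUP $KILLPIDS
		exit $RC
	fi

	$CLIENTDIR/ldapwhoami -Y EXTERNAL -H $URIP1 -ZZ
	# RC was not captured here before, so the check below tested the
	# stale status of the ldapmodify above and a failed client-cert
	# authentication could never fail the test.
	RC=$?

	if test $RC != 0 ; then
		echo "ldapwhoami failed ($RC)!"
		test $KILLSERVERS != no && kill -HUP $KILLPIDS
		exit $RC
	fi
fi

test $KILLSERVERS != no && kill -HUP $KILLPIDS

echo ">>>>> Test succeeded"

test $KILLSERVERS != no && wait

exit 0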