xref: /netbsd-src/external/bsd/openldap/dist/tests/scripts/test068-sasl-tls-external (revision e670fd5c413e99c2f6a37901bb21c537fcd322d2)

#! /bin/sh
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.

echo "running defines.sh"
. $SRCDIR/scripts/defines.sh

if test $WITH_TLS = no ; then
        echo "TLS support not available, test skipped"
        exit 0
fi

if test $WITH_SASL = no ; then
	echo "SASL support not available, test skipped"
	exit 0
fi

mkdir -p $TESTDIR $DBDIR1
cp -r $DATADIR/tls $TESTDIR

cd $TESTWD

echo "Running slapadd to build slapd database..."
. $CONFFILTER $BACKEND < $TLSSASLCONF > $CONF1
$SLAPADD -f $CONF1 -l $LDIFORDERED
RC=$?
if test $RC != 0 ; then
        echo "slapadd failed ($RC)!"
        exit $RC
fi

echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..."
$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL > $LOG1 2>&1 &
PID=$!
if test $WAIT != 0 ; then
    echo PID $PID
    read foo
fi
KILLPIDS="$PID"

sleep 1

for i in 0 1 2 3 4 5; do
	$LDAPSEARCH -s base -b "" -H $URI1 \
		'objectclass=*' > /dev/null 2>&1
        RC=$?
        if test $RC = 0 ; then
                break
        fi
        echo "Waiting 5 seconds for slapd to start..."
        sleep 5
done

if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

echo -n "Using ldapwhoami with SASL/EXTERNAL...."
$LDAPSASLWHOAMI -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -o tls_reqcert=hard \
	-o tls_cert=$TESTDIR/tls/certs/bjensen@mailgw.example.com.crt -o tls_key=$TESTDIR/tls/private/bjensen@mailgw.example.com.key -ZZ -Y EXTERNAL -H $URIP1 \
	> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
	echo "ldapwhoami (startTLS) failed ($RC)!"
	exit $RC
else
	echo "success"
fi

echo -n "Validating mapped SASL ID..."
echo 'dn:cn=barbara jensen,ou=information technology division,ou=people,dc=example,dc=com' > $TESTDIR/dn.out
$CMP $TESTDIR/dn.out $TESTOUT > $CMPOUT

RC=$?
if test $RC != 0 ; then
	echo "Comparison failed"
	test $KILLSERVERS != no && kill -HUP $PID
	exit $RC
else
	echo "success"
fi

# Exercise channel-bindings code in builds without SASL support
for cb in "none" "tls-unique" "tls-endpoint" ; do

	echo -n "Using ldapwhoami with SASL/EXTERNAL and SASL_CBINDING (${cb})...."

	$LDAPSASLWHOAMI -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt     \
	-o tls_cert=$TESTDIR/tls/certs/bjensen@mailgw.example.com.crt           \
	-o tls_key=$TESTDIR/tls/private/bjensen@mailgw.example.com.key          \
	-o tls_reqcert=hard -o SASL_CBINDING=$cb -ZZ -Y EXTERNAL -H $URIP1      \
	> $TESTOUT 2>&1

	RC=$?
	if test $RC != 0 ; then
		echo "ldapwhoami failed ($RC)!"
		test $KILLSERVERS != no && kill -HUP $PID
		exit $RC
	else
		echo "success"
	fi
done


test $KILLSERVERS != no && kill -HUP $KILLPIDS

if test $RC != 0 ; then
	echo ">>>>> Test failed"
else
	echo ">>>>> Test succeeded"
	RC=0
fi

test $KILLSERVERS != no && wait

exit $RC