#! /bin/sh
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.

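echo "running defines.sh"
. $SRCDIR/scripts/defines.sh

# The whole test is about mapping SASL authentication identities to DNs,
# so there is nothing to exercise in a build without SASL support.
if test $WITH_SASL = no; then
	echo "SASL authentication not available, test skipped"
	exit 0
fi

CONFDIR=$TESTDIR/slapd.d
# Every bind below is a SASL bind with this mechanism.  The identity slapd
# derives for such a bind has the form uid=<authcid>,cn=<mech>,cn=auth;
# that string is what the olcAuthzRegexp / olcAuthIDRewrite rules see.
MECH=DIGEST-MD5

#
# Helpers.  Every failure path goes through cleanup_exit so that a started
# slapd is never left behind and the exit status always reflects the
# outcome of the test.
#

# Stop the slapd we started (unless the harness asked to keep it running)
# and exit with status $1.  Only valid once KILLPIDS has been set.
cleanup_exit() {
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit "$1"
}

# $1: message prefix, $2: exit status of the command just run.
# Any non-zero status aborts the test with that status.
check_ok() {
	if test "$2" != 0; then
		echo "$1 ($2)!"
		cleanup_exit "$2"
	fi
}

# Apply the LDIF on stdin to cn=config.  The config rootDN password is read
# from the file generated below (-y), so it never appears on a command line.
config_modify() {
	$LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF >>$TESTOUT 2>&1
	check_ok "ldapmodify failed" $?
}

# SASL-bind as authcid $1 with password $2 and ask the server who we are.
# $3 selects the expectation:
#   ok    the identity must map to an entry and the bind must succeed;
#   fail  the bind must be rejected with LDAP result 49
#         (invalidCredentials), i.e. no rule maps the identity any more.
# An unmet "fail" expectation means an identity still resolves after its
# mapping was removed or replaced.  That case must never let the script
# exit 0 -- which is exactly what a plain `exit $RC` did when the bind
# unexpectedly succeeded -- so a zero status is turned into a failure.
# (The password is passed on the command line, as the rest of the test
# suite does; this is acceptable only because these are throwaway test
# credentials on a private test server.)
whoami_expect() {
	id=$1
	pw=$2
	want=$3
	if test "$want" = fail; then
		echo "Testing ldapwhoami as $id (should fail)..."
	else
		echo "Testing ldapwhoami as $id..."
	fi
	$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U "$id" -w "$pw"
	rc=$?
	if test "$want" = fail; then
		if test $rc != 49; then
			echo "ldapwhoami unexpected result ($rc)!"
			# rc is 0 when the bind wrongly succeeded: report a failure.
			if test $rc = 0; then
				rc=1
			fi
			cleanup_exit $rc
		fi
	else
		if test $rc != 0; then
			echo "ldapwhoami failed ($rc)!"
			cleanup_exit $rc
		fi
	fi
}

mkdir -p $TESTDIR $CONFDIR $DBDIR1

# Random one-off password for the cn=config rootDN; it is only ever read
# back from this file with -y.
$SLAPPASSWD -g -n >$CONFIGPWF

echo "Starting slapd on TCP/IP port $PORT1... $PWD"
. $CONFFILTER $BACKEND < $DYNAMICCONF > $CONFLDIF
$SLAPADD -F $CONFDIR -n 0 -l $CONFLDIF
cd $TESTDIR
$SLAPD -F ./slapd.d -h $URI1 -d $LVL > $LOG1 2>&1 &
PID=$!
if test $WAIT != 0 ; then
    echo PID $PID
    read -r foo
fi
KILLPIDS="$PID"
cd $TESTWD

sleep 1

echo "Using ldapsearch to check that slapd is running..."
for i in 0 1 2 3 4 5; do
	$LDAPSEARCH -s base -b "" -H $URI1 \
		'objectclass=*' > /dev/null 2>&1
	RC=$?
	if test $RC = 0 ; then
		break
	fi
	echo "Waiting 5 seconds for slapd to start..."
	sleep 5
done
check_ok "ldapsearch failed" $RC

echo "Checking whether $MECH is supported..."
$LDAPSEARCH -s base -b "" -H $URI1 \
	'objectClass=*' supportedSASLMechanisms > $SEARCHOUT 2>&1
check_ok "ldapsearch failed" $?

# Skip (not fail) when the SASL library lacks the mechanism: nothing below
# can be exercised without it.  The redirect also initialises $TESTOUT.
if ! grep "supportedSASLMechanisms: $MECH" $SEARCHOUT > $TESTOUT; then
	echo "SASL mechanism $MECH is not available, test skipped"
	cleanup_exit 0
fi

echo "Adding schema and database..."
$LDAPADD -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
include: file://$ABS_SCHEMADIR/core.ldif

include: file://$ABS_SCHEMADIR/cosine.ldif

include: file://$ABS_SCHEMADIR/inetorgperson.ldif

include: file://$ABS_SCHEMADIR/openldap.ldif

include: file://$ABS_SCHEMADIR/nis.ldif
EOF
check_ok "ldapadd failed for schema config" $?

if [ "$BACKENDTYPE" = mod ]; then
	$LDAPADD -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: $TESTWD/../servers/slapd/back-$BACKEND
olcModuleLoad: back_$BACKEND.la
EOF
	check_ok "ldapadd failed for backend config" $?
fi

# The data database.  olcRootPW is the cleartext test password from
# defines.sh.  NOTE(review): DIGEST-MD5 is a challenge/response mechanism
# and can only be verified against a cleartext-equivalent stored secret,
# which is presumably why this test keeps passwords unhashed -- do not copy
# that into a real deployment.
$LDAPADD -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
dn: olcDatabase={1}$BACKEND,cn=config
objectClass: olcDatabaseConfig
objectClass: olc${BACKEND}Config
olcDatabase: {1}$BACKEND
olcSuffix: $BASEDN
olcDbDirectory: $DBDIR1
olcRootDN: $MANAGERDN
olcRootPW: $PASSWD
EOF
check_ok "ldapadd failed for database config" $?

if test $INDEXDB = indexdb ; then
	config_modify <<EOF
dn: olcDatabase={1}$BACKEND,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: objectClass,entryUUID,entryCSN eq
olcDbIndex: cn,uid pres,eq,sub
EOF
fi

echo "Using ldapadd to populate the database..."
$LDAPADD -H $URI1 -D "$MANAGERDN" -w $PASSWD < $LDIFORDERED >>$TESTOUT 2>&1
check_ok "ldapadd failed" $?

echo

#
# Part 1: olcAuthzRegexp.  Each value is "<regexp> <replacement>": the
# regexp is matched against the SASL identity (uid=<authcid>,cn=<mech>,
# cn=auth) and the replacement is either a literal DN or an LDAP URL whose
# search is meant to select the single entry to bind as.  The attribute is
# X-ORDERED: values are addressed by index ({n}) when inserted, deleted or
# replaced, and the order determines which rule is applied (the Manager
# check after the second rule is added below shows the first match wins).
# NOTE(review): the patterns are written without ^...$ anchors, following
# the admin-guide examples; if such a rule is reused outside this test,
# consider anchoring it so it cannot match a longer identity by substring.
#

echo "Adding olcAuthzRegexp rule for static mapping..."
# cn=[^,]+ accepts any mechanism name; the match is case-insensitive, as
# "uid=manager" resolving a bind for "Manager" demonstrates.
config_modify <<EOF
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: uid=manager,cn=[^,]+,cn=auth $MANAGERDN
EOF

whoami_expect Manager "$PASSWD" ok

echo

echo "Adding olcAuthzRegexp rule to search by uid..."
# The captured authcid is substituted into the search filter (\$1 stays a
# literal $1 for slapd).  Only plain alphanumeric uids are exercised here;
# NOTE(review): a uid containing LDAP filter metacharacters is not covered,
# so confirm slapd's handling of the substitution before relying on this
# pattern with untrusted authcids.
config_modify <<EOF
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: uid=([^,]+),cn=[^,]+,cn=auth ldap:///$BASEDN??sub?(uid=\$1)
EOF

# The static rule still wins for Manager; bjensen now resolves via search.
whoami_expect Manager "$PASSWD" ok
whoami_expect bjensen bjensen ok

echo

echo "Inserting olcAuthzRegexp rule before the last..."
# {1} places the rule between the static Manager rule and the uid search.
config_modify <<EOF
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: {1}uid=babs,cn=[^,]+,cn=auth ldap:///$BASEDN??sub?(uid=bjensen)
EOF

whoami_expect Manager "$PASSWD" ok
# babs is an alias for bjensen's entry and therefore authenticates with
# bjensen's password.
whoami_expect babs bjensen ok
whoami_expect bjensen bjensen ok

echo

echo "Deleting the first olcAuthzRegexp rule..."
config_modify <<EOF
dn: cn=config
changetype: modify
delete: olcAuthzRegexp
olcAuthzRegexp: {0}
EOF

# Revocation check: with the static rule gone the Manager authcid must be
# rejected, while the remaining rules keep working.
whoami_expect Manager "$PASSWD" fail
whoami_expect babs bjensen ok
whoami_expect bjensen bjensen ok

echo

echo "Updating an olcAuthzRegexp rule in place..."
# Delete-then-add of the same index in one modify replaces the babs alias
# with a biff -> bjorn alias.
config_modify <<EOF
dn: cn=config
changetype: modify
delete: olcAuthzRegexp
olcAuthzRegexp: {0}
-
add: olcAuthzRegexp
olcAuthzRegexp: {0}uid=biff,cn=[^,]+,cn=auth ldap:///$BASEDN??sub?(uid=bjorn)
EOF

whoami_expect babs bjensen fail
whoami_expect biff bjorn ok
whoami_expect bjensen bjensen ok

echo

echo "Deleting all olcAuthzRegexp rules..."
config_modify <<EOF
dn: cn=config
changetype: modify
delete: olcAuthzRegexp
EOF

# No mapping rules at all: even a valid user/password pair must be refused.
whoami_expect bjensen bjensen fail

echo

#
# Part 2: the same scenario through olcAuthIDRewrite, i.e. the rewrite
# engine applied to the "authid" context.  Values {0} and {1} are the
# engine directives, so the first actual rule lives at index {2}; the
# trailing ":" on each rewriteRule is its (empty) flags field.
#

echo "Initializing olcAuthIDRewrite engine..."
config_modify <<EOF
dn: cn=config
changetype: modify
add: olcAuthIDRewrite
olcAuthIDRewrite: rewriteEngine ON
olcAuthIDRewrite: rewriteContext authid
EOF

echo

echo "Adding olcAuthIDRewrite rule for static mapping..."
config_modify <<EOF
dn: cn=config
changetype: modify
add: olcAuthIDRewrite
olcAuthIDRewrite: rewriteRule uid=manager,cn=[^,]+,cn=auth $MANAGERDN :
EOF

whoami_expect Manager "$PASSWD" ok

echo

echo "Adding olcAuthIDRewrite rule to search by uid..."
config_modify <<EOF
dn: cn=config
changetype: modify
add: olcAuthIDRewrite
olcAuthIDRewrite: rewriteRule uid=([^,]+),cn=[^,]+,cn=auth ldap:///$BASEDN??sub?(uid=\$1) :
EOF

whoami_expect Manager "$PASSWD" ok
whoami_expect bjensen bjensen ok

echo

echo "Inserting olcAuthIDRewrite rule before the last..."
# {3} lands between the static Manager rule ({2}) and the uid search.
config_modify <<EOF
dn: cn=config
changetype: modify
add: olcAuthIDRewrite
olcAuthIDRewrite: {3}rewriteRule uid=babs,cn=[^,]+,cn=auth ldap:///$BASEDN??sub?(uid=bjensen) :
EOF

whoami_expect Manager "$PASSWD" ok
whoami_expect babs bjensen ok
whoami_expect bjensen bjensen ok

echo

echo "Deleting the first olcAuthIDRewrite rule..."
# {2} is the static Manager rule; {0}/{1} are the engine directives.
config_modify <<EOF
dn: cn=config
changetype: modify
delete: olcAuthIDRewrite
olcAuthIDRewrite: {2}
EOF

# Revocation check, as in part 1.
whoami_expect Manager "$PASSWD" fail
whoami_expect babs bjensen ok
whoami_expect bjensen bjensen ok

echo

echo "Updating an olcAuthIDRewrite rule in place..."
config_modify <<EOF
dn: cn=config
changetype: modify
delete: olcAuthIDRewrite
olcAuthIDRewrite: {2}
-
add: olcAuthIDRewrite
olcAuthIDRewrite: {2}rewriteRule uid=biff,cn=[^,]+,cn=auth ldap:///$BASEDN??sub?(uid=bjorn) :
EOF

whoami_expect babs bjensen fail
whoami_expect biff bjorn ok
whoami_expect bjensen bjensen ok

echo

echo "Deleting all olcAuthIDRewrite rules..."
config_modify <<EOF
dn: cn=config
changetype: modify
delete: olcAuthIDRewrite
EOF

# Engine and rules removed: nobody can map any more.
whoami_expect bjensen bjensen fail

echo

test $KILLSERVERS != no && kill -HUP $KILLPIDS

echo ">>>>> Test succeeded"

test $KILLSERVERS != no && wait

exit 0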
640exit 0
641