1*e670fd5cSchristos#! /bin/sh
2*e670fd5cSchristos# $OpenLDAP$
3*e670fd5cSchristos## This work is part of OpenLDAP Software <http://www.openldap.org/>.
4*e670fd5cSchristos##
5*e670fd5cSchristos## Copyright 1998-2021 The OpenLDAP Foundation.
6*e670fd5cSchristos## All rights reserved.
7*e670fd5cSchristos##
8*e670fd5cSchristos## Redistribution and use in source and binary forms, with or without
9*e670fd5cSchristos## modification, are permitted only as authorized by the OpenLDAP
10*e670fd5cSchristos## Public License.
11*e670fd5cSchristos##
12*e670fd5cSchristos## A copy of this license is available in the file LICENSE in the
13*e670fd5cSchristos## top-level directory of the distribution or, alternatively, at
14*e670fd5cSchristos## <http://www.OpenLDAP.org/license.html>.
15*e670fd5cSchristos
16*e670fd5cSchristosecho "running defines.sh"
17*e670fd5cSchristos. $SRCDIR/scripts/defines.sh
18*e670fd5cSchristos
19*e670fd5cSchristosif test $WITH_SASL = no ; then
20*e670fd5cSchristos	echo "SASL support not available, test skipped"
21*e670fd5cSchristos	exit 0
22*e670fd5cSchristosfi
23*e670fd5cSchristos
24*e670fd5cSchristosCONFDIR=$TESTDIR/slapd.d
25*e670fd5cSchristosCONFLDIF=$TESTDIR/slapd.ldif
26*e670fd5cSchristos
27*e670fd5cSchristosmkdir -p $TESTDIR $DBDIR1 $CONFDIR
28*e670fd5cSchristoscp -r $DATADIR/tls $TESTDIR
29*e670fd5cSchristos$SLAPPASSWD -g -n >$CONFIGPWF
30*e670fd5cSchristos
31*e670fd5cSchristosecho "Starting KDC for SASL/GSSAPI tests..."
32*e670fd5cSchristos. $SRCDIR/scripts/setup_kdc.sh
33*e670fd5cSchristos
34*e670fd5cSchristosecho "Configuring slapd..."
35*e670fd5cSchristoscat > $CONFLDIF <<EOF
36*e670fd5cSchristosdn: cn=config
37*e670fd5cSchristosobjectClass: olcGlobal
38*e670fd5cSchristoscn: config
39*e670fd5cSchristosolcSaslHost: localhost
40*e670fd5cSchristosolcSaslRealm: $KRB5REALM
41*e670fd5cSchristosolcTLSCACertificateFile: $TESTDIR/tls/ca/certs/testsuiteCA.crt
42*e670fd5cSchristosolcTLSCertificateFile: $TESTDIR/tls/certs/localhost.crt
43*e670fd5cSchristosolcTLSCertificateKeyFile: $TESTDIR/tls/private/localhost.key
44*e670fd5cSchristos
45*e670fd5cSchristosdn: cn=schema,cn=config
46*e670fd5cSchristosobjectClass: olcSchemaConfig
47*e670fd5cSchristoscn: schema
48*e670fd5cSchristos
49*e670fd5cSchristosinclude: file://$ABS_SCHEMADIR/core.ldif
50*e670fd5cSchristos
51*e670fd5cSchristosdn: olcDatabase={0}config,cn=config
52*e670fd5cSchristosobjectClass: olcDatabaseConfig
53*e670fd5cSchristosolcDatabase: {0}config
54*e670fd5cSchristosolcRootPW:< file://$TESTDIR/configpw
55*e670fd5cSchristos
56*e670fd5cSchristosEOF
57*e670fd5cSchristos$SLAPADD -F $CONFDIR -n 0 -l $CONFLDIF
58*e670fd5cSchristosRC=$?
59*e670fd5cSchristosif test $RC != 0 ; then
60*e670fd5cSchristos	echo "slapadd failed ($RC)!"
61*e670fd5cSchristos	kill $KDCPROC
62*e670fd5cSchristos	exit $RC
63*e670fd5cSchristosfi
64*e670fd5cSchristos
65*e670fd5cSchristosecho "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..."
66*e670fd5cSchristos$SLAPD -F $CONFDIR -h "$URI1 $SURI2" -d $LVL > $LOG1 2>&1 &
67*e670fd5cSchristosPID=$!
68*e670fd5cSchristosif test $WAIT != 0 ; then
69*e670fd5cSchristos	echo PID $PID
70*e670fd5cSchristos	read foo
71*e670fd5cSchristosfi
72*e670fd5cSchristosKILLPIDS="$PID"
73*e670fd5cSchristos
74*e670fd5cSchristossleep 1
75*e670fd5cSchristos
76*e670fd5cSchristosecho "Using ldapsearch to check that slapd is running..."
77*e670fd5cSchristosfor i in 0 1 2 3 4 5; do
78*e670fd5cSchristos	$LDAPSEARCH -s base -b "" -H $URI1 \
79*e670fd5cSchristos		'objectclass=*' > /dev/null 2>&1
80*e670fd5cSchristos	RC=$?
81*e670fd5cSchristos	if test $RC = 0 ; then
82*e670fd5cSchristos		break
83*e670fd5cSchristos	fi
84*e670fd5cSchristos	echo "Waiting 5 seconds for slapd to start..."
85*e670fd5cSchristos	sleep 5
86*e670fd5cSchristosdone
87*e670fd5cSchristos
88*e670fd5cSchristosif test $RC != 0 ; then
89*e670fd5cSchristos	echo "ldapsearch failed ($RC)!"
90*e670fd5cSchristos	kill $KDCPROC
91*e670fd5cSchristos	test $KILLSERVERS != no && kill -HUP $KILLPIDS
92*e670fd5cSchristos	exit $RC
93*e670fd5cSchristosfi
94*e670fd5cSchristos
95*e670fd5cSchristos$LDAPSEARCH -x -H $URI1 -s "base" -b "" supportedSASLMechanisms > $TESTOUT 2>&1
96*e670fd5cSchristosRC=$?
97*e670fd5cSchristosif test $RC != 0 ; then
98*e670fd5cSchristos	echo "ldapsearch failed ($RC)!"
99*e670fd5cSchristos	kill $KDCPROC
100*e670fd5cSchristos	test $KILLSERVERS != no && kill -HUP $KILLPIDS
101*e670fd5cSchristos	exit $RC
102*e670fd5cSchristosfi
103*e670fd5cSchristos
104*e670fd5cSchristosgrep GSSAPI $TESTOUT
105*e670fd5cSchristosRC=$?
106*e670fd5cSchristosif test $RC != 0 ; then
107*e670fd5cSchristos	echo "failed: GSSAPI mechanism not in supportedSASLMechanisms."
108*e670fd5cSchristos	kill $KDCPROC
109*e670fd5cSchristos	test $KILLSERVERS != no && kill -HUP $KILLPIDS
110*e670fd5cSchristos	exit $RC
111*e670fd5cSchristosfi
112*e670fd5cSchristos
113*e670fd5cSchristosecho -n "Using ldapwhoami with SASL/GSSAPI: "
114*e670fd5cSchristos$LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 > $TESTOUT 2>&1
115*e670fd5cSchristosRC=$?
116*e670fd5cSchristosif test $RC != 0 ; then
117*e670fd5cSchristos	echo "ldapwhoami failed ($RC)!"
118*e670fd5cSchristos	kill $KDCPROC
119*e670fd5cSchristos	test $KILLSERVERS != no && kill -HUP $KILLPIDS
120*e670fd5cSchristos	exit $RC
121*e670fd5cSchristoselse
122*e670fd5cSchristos	echo "success"
123*e670fd5cSchristosfi
124*e670fd5cSchristos
125*e670fd5cSchristosecho -n "Validating mapped SASL/GSSAPI ID: "
126*e670fd5cSchristosecho "dn:uid=$KUSER,cn=$KRB5REALM,cn=gssapi,cn=auth" > $TESTDIR/dn.out
127*e670fd5cSchristos$CMP $TESTDIR/dn.out $TESTOUT > $CMPOUT
128*e670fd5cSchristosRC=$?
129*e670fd5cSchristosif test $RC != 0 ; then
130*e670fd5cSchristos	echo "Comparison failed"
131*e670fd5cSchristos	kill $KDCPROC
132*e670fd5cSchristos	test $KILLSERVERS != no && kill -HUP $KILLPIDS
133*e670fd5cSchristos	exit $RC
134*e670fd5cSchristoselse
135*e670fd5cSchristos	echo "success"
136*e670fd5cSchristosfi
137*e670fd5cSchristos
138*e670fd5cSchristosif test $WITH_TLS = no ; then
139*e670fd5cSchristos	echo "SASL/GSSAPI: TLS support not available, skipping TLS part."
140*e670fd5cSchristoselse
141*e670fd5cSchristos	echo -n "Using ldapwhoami with SASL/GSSAPI with start-tls: "
142*e670fd5cSchristos	$LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 -ZZ -o tls_reqcert=allow	\
143*e670fd5cSchristos		-o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt	\
144*e670fd5cSchristos		> $TESTOUT 2>&1
145*e670fd5cSchristos	RC=$?
146*e670fd5cSchristos	if test $RC != 0 ; then
147*e670fd5cSchristos		echo "ldapwhoami failed ($RC)!"
148*e670fd5cSchristos		kill $KDCPROC
149*e670fd5cSchristos		test $KILLSERVERS != no && kill -HUP $KILLPIDS
150*e670fd5cSchristos		exit $RC
151*e670fd5cSchristos	else
152*e670fd5cSchristos		echo "success"
153*e670fd5cSchristos	fi
154*e670fd5cSchristos
155*e670fd5cSchristos	echo -n "Using ldapwhoami with SASL/GSSAPI with ldaps: "
156*e670fd5cSchristos	$LDAPSASLWHOAMI -N -Y GSSAPI -H $SURI2 -o tls_reqcert=allow	\
157*e670fd5cSchristos		-o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt	\
158*e670fd5cSchristos		> $TESTOUT 2>&1
159*e670fd5cSchristos	RC=$?
160*e670fd5cSchristos	if test $RC != 0 ; then
161*e670fd5cSchristos		echo "ldapwhoami failed ($RC)!"
162*e670fd5cSchristos		kill $KDCPROC
163*e670fd5cSchristos		test $KILLSERVERS != no && kill -HUP $KILLPIDS
164*e670fd5cSchristos		exit $RC
165*e670fd5cSchristos	else
166*e670fd5cSchristos		echo "success"
167*e670fd5cSchristos	fi
168*e670fd5cSchristosfi
169*e670fd5cSchristos
170*e670fd5cSchristosif test $WITH_TLS = no ; then
171*e670fd5cSchristos	echo "TLS support not available, skipping channel-binding test"
172*e670fd5cSchristoselif test $HAVE_SASL_GSS_CBIND = no ; then
173*e670fd5cSchristos	echo "SASL has no channel-binding support in GSSAPI, test skipped"
174*e670fd5cSchristoselse
175*e670fd5cSchristos	echo "Testing SASL/GSSAPI with SASL_CBINDING..."
176*e670fd5cSchristos
177*e670fd5cSchristos	for acb in "none" "tls-unique" "tls-endpoint" ; do
178*e670fd5cSchristos
179*e670fd5cSchristos		echo "Modifying slapd's olcSaslCBinding to ${acb} ..."
180*e670fd5cSchristos		$LDAPMODIFY -D cn=config -H $URI1 -y $CONFIGPWF <<EOF > $TESTOUT 2>&1
181*e670fd5cSchristosdn: cn=config
182*e670fd5cSchristoschangetype: modify
183*e670fd5cSchristosreplace: olcSaslCBinding
184*e670fd5cSchristosolcSaslCBinding: ${acb}
185*e670fd5cSchristosEOF
186*e670fd5cSchristos		RC=$?
187*e670fd5cSchristos		if test $RC != 0 ; then
188*e670fd5cSchristos			echo "ldapmodify failed ($RC)!"
189*e670fd5cSchristos			kill $KDCPROC
190*e670fd5cSchristos			test $KILLSERVERS != no && kill -HUP $KILLPIDS
191*e670fd5cSchristos			exit $RC
192*e670fd5cSchristos		fi
193*e670fd5cSchristos
194*e670fd5cSchristos		for icb in "none" "tls-unique" "tls-endpoint" ; do
195*e670fd5cSchristos
196*e670fd5cSchristos			# The gnutls implementation of "tls-unique" seems broken
197*e670fd5cSchristos			if test $icb = "tls-unique" -o $acb = "tls-unique" ; then
198*e670fd5cSchristos				if test $WITH_TLS_TYPE = gnutls ; then
199*e670fd5cSchristos					continue
200*e670fd5cSchristos				fi
201*e670fd5cSchristos			fi
202*e670fd5cSchristos
203*e670fd5cSchristos			fail="no"
204*e670fd5cSchristos			if test $icb != $acb -a $acb != "none" ; then
205*e670fd5cSchristos				# This currently fails in MIT, but it is planned to be
206*e670fd5cSchristos				# fixed not to fail like in heimdal - avoid testing.
207*e670fd5cSchristos				if test $icb = "none" ; then
208*e670fd5cSchristos					continue
209*e670fd5cSchristos				fi
210*e670fd5cSchristos				# Otherwise unmatching bindings are expected to fail.
211*e670fd5cSchristos				fail="yes"
212*e670fd5cSchristos			fi
213*e670fd5cSchristos
214*e670fd5cSchristos			echo -n "Using ldapwhoami with SASL/GSSAPI and SASL_CBINDING "
215*e670fd5cSchristos			echo -n "(client: ${icb}, server: ${acb}): "
216*e670fd5cSchristos
217*e670fd5cSchristos			$LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 -ZZ -o tls_reqcert=allow	\
218*e670fd5cSchristos			-o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt	\
219*e670fd5cSchristos			-o SASL_CBINDING=$icb > $TESTOUT 2>&1
220*e670fd5cSchristos
221*e670fd5cSchristos			RC=$?
222*e670fd5cSchristos			if test $RC != 0 ; then
223*e670fd5cSchristos				if test $fail = "no" ; then
224*e670fd5cSchristos					echo "test failed ($RC)!"
225*e670fd5cSchristos					kill $KDCPROC
226*e670fd5cSchristos					test $KILLSERVERS != no && kill -HUP $KILLPIDS
227*e670fd5cSchristos					exit $RC
228*e670fd5cSchristos				fi
229*e670fd5cSchristos			elif test $fail = "yes" ; then
230*e670fd5cSchristos				echo "failed: command succeeded unexpectedly."
231*e670fd5cSchristos				kill $KDCPROC
232*e670fd5cSchristos				test $KILLSERVERS != no && kill -HUP $KILLPIDS
233*e670fd5cSchristos				exit 1
234*e670fd5cSchristos			fi
235*e670fd5cSchristos
236*e670fd5cSchristos			echo "success"
237*e670fd5cSchristos			RC=0
238*e670fd5cSchristos		done
239*e670fd5cSchristos	done
240*e670fd5cSchristosfi
241*e670fd5cSchristos
242*e670fd5cSchristos
243*e670fd5cSchristoskill $KDCPROC
244*e670fd5cSchristostest $KILLSERVERS != no && kill -HUP $KILLPIDS
245*e670fd5cSchristos
246*e670fd5cSchristosif test $RC != 0 ; then
247*e670fd5cSchristos	echo ">>>>> Test failed"
248*e670fd5cSchristoselse
249*e670fd5cSchristos	echo ">>>>> Test succeeded"
250*e670fd5cSchristos	RC=0
251*e670fd5cSchristosfi
252*e670fd5cSchristos
253*e670fd5cSchristostest $KILLSERVERS != no && wait
254*e670fd5cSchristos
255*e670fd5cSchristosexit $RC