#! /bin/sh
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
echo "running defines.sh"
. $SRCDIR/scripts/defines.sh

# Everything below exercises the ppolicy overlay; without it the run is
# reported as a skip (exit 0), not as a failure.
if test $PPOLICY = ppolicyno; then
	echo "Password policy overlay not available, test skipped"
	exit 0
fi

mkdir -p $TESTDIR $DBDIR1

# cn=config root password: slappasswd -g writes a random clear-text value to
# $CONFIGPWF (handed to ldapadd/ldapmodify with -y later on) and -T hashes
# that file, so only the hash is placed in the rootpw directive.
$SLAPPASSWD -g -n >$CONFIGPWF
echo "rootpw $($SLAPPASSWD -T $CONFIGPWF)" >$TESTDIR/configpw.conf

echo "Starting slapd on TCP/IP port $PORT1..."
# $CONFFILTER is sourced, not executed: it turns the ppolicy test config
# into a config for the selected backend.
. $CONFFILTER $BACKEND < $PPOLICYCONF > $CONF1
$SLAPD -f $CONF1 -h $URI1 -d $LVL > $LOG1 2>&1 &
PID=$!
# A non-zero WAIT pauses on stdin after printing the server PID, presumably
# so the freshly started slapd can be inspected before the test proceeds.
if test $WAIT != 0 ; then
    echo PID $PID
    read foo
fi
KILLPIDS="$PID"

# Fixture accounts: the policy-governed test user and the password
# administrator that performs the forced reset later on.  Bind passwords
# are passed on the command line (-w) throughout; acceptable for this
# throwaway test fixture, whereas the cn=config credential uses -y file.
USER="uid=nd, ou=People, dc=example, dc=com"
PASS=testpassword
PWADMIN="uid=ndadmin, ou=People, dc=example, dc=com"
ADMINPASSWD=testpw

sleep 1

echo "Using ldapsearch to check that slapd is running..."
# Up to six probes of the monitor entry, five seconds apart; RC keeps the
# status of the last probe.
for attempt in 0 1 2 3 4 5; do
	$LDAPSEARCH -s base -b "$MONITOR" -H $URI1 \
		'objectclass=*' > /dev/null 2>&1
	RC=$?
	test $RC = 0 && break
	echo "Waiting 5 seconds for slapd to start..."
	sleep 5
done
if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

# (Re)create the cumulative test log; its first line is the literal text
# "/dev/null", which is what this idiom leaves behind.
echo /dev/null > $TESTOUT

echo "Testing redundant ppolicy instance..."
# The test expects a second ppolicy overlay instance on database {1} to be
# rejected by cn=config.
$LDAPADD -D cn=config -H $URI1 -y $CONFIGPWF >> $TESTOUT 2>&1 <<EOF
dn: olcOverlay=ppolicy,olcDatabase={1}$BACKEND,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=duplicate policy,ou=policies,dc=example,dc=com
EOF
RC=$?
if [ "$RC" -eq 0 ] ; then
	echo "ldapadd should have failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi

echo "Using ldapadd to populate the database..."
# '!relax' requests the Relax Rules control as critical, presumably because
# $LDIFPPOLICY carries attributes the server would otherwise refuse.
$LDAPADD -D "$MANAGERDN" -H $URI1 -w $PASSWD -e '!relax' \
	< $LDIFPPOLICY >> $TESTOUT 2>&1
RC=$?
if [ "$RC" -ne 0 ] ; then
	echo "ldapadd failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

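echo "Testing account lockout..."
# Three wrong passwords (spaced out, presumably so each failure gets its own
# pwdFailureTime stamp) should trip the lockout.  The fourth wrong and the
# following correct password are sent with the ppolicy control so the
# response explains the lockout; both are expected to say "Account locked".
$LDAPSEARCH -H $URI1 -D "$USER" -w wrongpw >$SEARCHOUT 2>&1
sleep 2
$LDAPSEARCH -H $URI1 -D "$USER" -w wrongpw >>$SEARCHOUT 2>&1
sleep 2
$LDAPSEARCH -H $URI1 -D "$USER" -w wrongpw >>$SEARCHOUT 2>&1
sleep 2
$LDAPSEARCH -e ppolicy -H $URI1 -D "$USER" -w wrongpw >> $SEARCHOUT 2>&1
$LDAPSEARCH -e ppolicy -H $URI1 -D "$USER" -w $PASS >> $SEARCHOUT 2>&1
COUNT=$(grep -c "Account locked" $SEARCHOUT)
if test $COUNT != 2 ; then
	echo "Account lockout test failed"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi

# Ask the server how long the lockout lasts instead of guessing: the
# accountUsability control reports "seconds_before_unlock=N" in the search
# output.  \d is not a POSIX BRE escape (the previous pattern appears to have
# matched nothing and only worked because the number ended the line), so the
# digits are matched explicitly.  An empty DELAY would make sleep fail, so
# it is treated as a test failure here.
DELAY=$($LDAPSEARCH -D "$MANAGERDN" -H $URI1 -w $PASSWD \
    -b "$USER" -E accountUsability 1.1 | sed -n -e 's/.*seconds_before_unlock=\([0-9]*\).*/\1/p')
if test -z "$DELAY" ; then
	echo "Could not determine lockout duration from accountUsability control"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi

echo "Waiting $DELAY seconds for lockout to reset..."
sleep $DELAY
sleep 1

# Once the lockout has elapsed the correct password must work again.
$LDAPSEARCH -e ppolicy -H $URI1 -D "$USER" -w $PASS \
	-b "$BASEDN" -s base >> $SEARCHOUT 2>&1
RC=$?
if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi
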
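# The Standard Policy has a pwdMaxAge, so accountUsability reports
# "expire=N" for the user.  [0-9] replaces the non-POSIX \d of the old
# pattern; an empty DELAY is reported instead of being passed to sleep.
DELAY=$($LDAPSEARCH -D "$MANAGERDN" -H $URI1 -w $PASSWD \
    -b "$USER" -E accountUsability 1.1 | sed -n -e 's/.*expire=\([0-9]*\).*/\1/p')
if test -z "$DELAY" ; then
	echo "Could not determine password expiry from accountUsability control"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi

echo "Testing password expiration"
echo "Waiting $DELAY seconds for password to expire..."
sleep $DELAY
sleep 1

# After expiry the policy still allows grace logins: three "grace logins"
# warnings are expected in $SEARCHOUT, and the fourth bind must be refused.
$LDAPSEARCH -e ppolicy -H $URI1 -D "$USER" -w $PASS \
	-b "$BASEDN" -s base > $SEARCHOUT 2>&1
sleep 2
$LDAPSEARCH -e ppolicy -H $URI1 -D "$USER" -w $PASS \
	-b "$BASEDN" -s base >> $SEARCHOUT 2>&1
sleep 2
$LDAPSEARCH -e ppolicy -H $URI1 -D "$USER" -w $PASS \
	-b "$BASEDN" -s base >> $SEARCHOUT 2>&1
sleep 2
$LDAPSEARCH -e ppolicy -H $URI1 -D "$USER" -w $PASS \
	-b "$BASEDN" -s base >> $SEARCHOUT 2>&1
RC=$?
if test $RC = 0 ; then
	echo "Password expiration failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi

COUNT=$(grep -c "grace logins" $SEARCHOUT)
if test $COUNT != 3 ; then
	echo "Password expiration test failed"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi

echo "Resetting password to clear expired status"
# The rootdn binds with $PASSWD, as for every other $MANAGERDN operation in
# this script, rather than with a hard-coded literal.
$LDAPPASSWD -H $URI1 \
	-w $PASSWD -s $PASS \
	-D "$MANAGERDN" "$USER" >> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
	echo "ldappasswd failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi
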
echo "Filling password history..."
# Six self-service password changes in a single ldapmodify run, each one
# deleting the current value and replacing it with the next, so that the
# earlier values end up in the user's password history.
$LDAPMODIFY -v -D "$USER" -H $URI1 -w $PASS >> $TESTOUT 2>&1 << EOMODS
dn: $USER
changetype: modify
delete: userpassword
userpassword: $PASS
-
replace: userpassword
userpassword: 20urgle12-1

dn: $USER
changetype: modify
delete: userpassword
userpassword: 20urgle12-1
-
replace: userpassword
userpassword: 20urgle12-2

dn: $USER
changetype: modify
delete: userpassword
userpassword: 20urgle12-2
-
replace: userpassword
userpassword: 20urgle12-3

dn: $USER
changetype: modify
delete: userpassword
userpassword: 20urgle12-3
-
replace: userpassword
userpassword: 20urgle12-4

dn: $USER
changetype: modify
delete: userpassword
userpassword: 20urgle12-4
-
replace: userpassword
userpassword: 20urgle12-5

dn: $USER
changetype: modify
delete: userpassword
userpassword: 20urgle12-5
-
replace: userpassword
userpassword: 20urgle12-6

EOMODS
RC=$?
if [ "$RC" -ne 0 ] ; then
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi
echo "Testing password history..."
# Going back to 20urgle12-2, which is still in the history, must be refused.
$LDAPMODIFY -v -D "$USER" -H $URI1 -w 20urgle12-6 >> $TESTOUT 2>&1 << EOMODS
dn: $USER
changetype: modify
delete: userPassword
userPassword: 20urgle12-6
-
replace: userPassword
userPassword: 20urgle12-2

EOMODS
RC=$?
if [ "$RC" -eq 0 ] ; then
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi

echo "Testing failed logins when password/policy missing..."

# A wrong password for an entry that (judging by the fixture name) has no
# policy attached must still be refused ...
$LDAPSEARCH -e ppolicy -H $URI1 \
	-D "uid=test, ou=People,$BASEDN" -w hasnopolicy \
	-b "$BASEDN" -s base > $SEARCHOUT 2>&1
RC=$?
if [ "$RC" -eq 0 ] ; then
	echo "Password accepted ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi

# ... as must a bind against the suffix entry, which carries no password.
$LDAPSEARCH -e ppolicy -H $URI1 -D "$BASEDN" -w hasnopw \
	-b "$BASEDN" -s base > $SEARCHOUT 2>&1
RC=$?
if [ "$RC" -eq 0 ] ; then
	echo "Password accepted ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi

# Neither failure may leave a pwdFailureTime behind anywhere under the
# suffix (operational attributes requested with "+").
$LDAPSEARCH -H $URI1 -D "$MANAGERDN" -w $PASSWD -b "$BASEDN" \* \+ > $SEARCHOUT 2>&1
COUNT=$(grep -c "pwdFailureTime" $SEARCHOUT)
if [ "$COUNT" -ne 0 ] ; then
	echo "Failed login stored on an account without policy and or password"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi

echo "Testing forced reset..."

# The password administrator sets the user's password; the test expects this
# to put the account into the "must reset" state.
$LDAPMODIFY -v -D "$PWADMIN" -H $URI1 -w $ADMINPASSWD >> $TESTOUT 2>&1 << EOMODS
dn: $USER
changetype: modify
replace: userPassword
userPassword: $PASS

EOMODS
RC=$?
if [ "$RC" -ne 0 ] ; then
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

# In that state a search as the user is expected to fail, with the response
# carrying exactly one "Operations are restricted" message.
$LDAPSEARCH -e ppolicy -H $URI1 -D "$USER" -w $PASS \
	-b "$BASEDN" -s base > $SEARCHOUT 2>&1
RC=$?
if [ "$RC" -eq 0 ] ; then
	echo "Forced reset failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi

COUNT=$(grep -c "Operations are restricted" $SEARCHOUT)
if [ "$COUNT" -ne 1 ] ; then
	echo "Forced reset test failed"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi

echo "Clearing forced reset..."
# The rootdn lifts the restriction by deleting pwdReset from the entry.
$LDAPMODIFY -v -D "$MANAGERDN" -H $URI1 -w $PASSWD >> $TESTOUT 2>&1 << EOMODS
dn: $USER
changetype: modify
delete: pwdReset

EOMODS
RC=$?
if [ "$RC" -ne 0 ] ; then
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

# The same search must now succeed.
$LDAPSEARCH -e ppolicy -H $URI1 -D "$USER" -w $PASS \
	-b "$BASEDN" -s base > $SEARCHOUT 2>&1
RC=$?
if [ "$RC" -ne 0 ] ; then
	echo "Clearing forced reset failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

echo "Testing Safe modify..."

# A self-service change that does not supply the old password (-a) must be
# refused ...
$LDAPPASSWD -H $URI1 \
	-w $PASS -s failexpect \
	-D "$USER" >> $TESTOUT 2>&1
RC=$?
if [ "$RC" -eq 0 ] ; then
	echo "Safe modify test 1 failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi

sleep 2

OLDPASS=$PASS
PASS=successexpect

# ... and accepted once the old password is supplied alongside the new one.
$LDAPPASSWD -H $URI1 \
	-w $OLDPASS -s $PASS -a $OLDPASS \
	-D "$USER" >> $TESTOUT 2>&1
RC=$?
if [ "$RC" -ne 0 ] ; then
	echo "Safe modify test 2 failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

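echo "Testing length requirement..."
# check control in response (ITS#5711)
# A too-short password must be rejected twice over: the generic "Password
# fails quality" result, and, because -e ppolicy asks for it, a ppolicy
# response control naming the actual violation.  The output goes to a
# scratch file so it can be grepped before being appended to the log.
$LDAPPASSWD -H $URI1 \
	-w $PASS -a $PASS -s 2shr \
	-D "$USER" -e ppolicy > ${TESTOUT}.2 2>&1
RC=$?
cat ${TESTOUT}.2 >> $TESTOUT
if test $RC = 0 ; then
	echo "Length requirement test failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi
COUNT=$(grep -c "Password fails quality" ${TESTOUT}.2)
if test $COUNT != 1 ; then
	echo "Length requirement test failed"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi
COUNT=$(grep -c "Password is too short for policy" ${TESTOUT}.2)
if test $COUNT != 1 ; then
	echo "Control not returned in response"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi

# Same for the upper bound; the exit status of the rejected change is
# checked here too, as it is for the too-short case above.
$LDAPPASSWD -H $URI1 \
	-w $PASS -a $PASS -s passwordthatistoolong \
	-D "$USER" -e ppolicy > ${TESTOUT}.2 2>&1
RC=$?
cat ${TESTOUT}.2 >> $TESTOUT
if test $RC = 0 ; then
	echo "Maximum length requirement test failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi
COUNT=$(grep -c "Password is too long for policy" ${TESTOUT}.2)
if test $COUNT != 1 ; then
	echo "Control not returned in response"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi
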
echo "Testing hashed length requirement..."

# A pre-hashed value ({MD5}...) hides the clear-text length from the server;
# the test expects the policy to refuse it with a quality error rather than
# let the length check be side-stepped.
$LDAPMODIFY -H $URI1 -D "$USER" -w $PASS > ${TESTOUT}.2 2>&1 << EOMODS
dn: $USER
changetype: modify
delete: userPassword
userPassword: $PASS
-
add: userPassword
userPassword: {MD5}xxxxxx

EOMODS
RC=$?
cat ${TESTOUT}.2 >> $TESTOUT
if [ "$RC" -eq 0 ] ; then
	echo "Hashed length requirement test failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi
COUNT=$(grep -c "Password fails quality" ${TESTOUT}.2)
if [ "$COUNT" -ne 1 ] ; then
	echo "Hashed length requirement test failed"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi

echo "Testing multiple password add/modify checks..."

# Each of the three write paths (add of a new entry, modify/add, and
# modify/replace) supplying two userPassword values at once must be refused.
$LDAPMODIFY -H $URI1 -D "$MANAGERDN" -w $PASSWD >> $TESTOUT 2>&1 << EOMODS
dn: cn=Add Should Fail, ou=People, dc=example, dc=com
changetype: add
objectClass: inetOrgPerson
cn: Add Should Fail
sn: Fail
userPassword: firstpw
userPassword: secondpw
EOMODS
RC=$?
if [ "$RC" -eq 0 ] ; then
	echo "Multiple password add test failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi

$LDAPMODIFY -H $URI1 -D "$MANAGERDN" -w $PASSWD >> $TESTOUT 2>&1 << EOMODS
dn: $USER
changetype: modify
add: userPassword
userPassword: firstpw
userPassword: secondpw
EOMODS
RC=$?
if [ "$RC" -eq 0 ] ; then
	echo "Multiple password modify add test failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi

$LDAPMODIFY -H $URI1 -D "$MANAGERDN" -w $PASSWD >> $TESTOUT 2>&1 << EOMODS
dn: $USER
changetype: modify
replace: userPassword
userPassword: firstpw
userPassword: secondpw
EOMODS
RC=$?
if [ "$RC" -eq 0 ] ; then
	echo "Multiple password modify replace test failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi

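echo "Testing idle password expiration"
echo "Reconfiguring policy to replace expiration with idle expiration..."
# Swap the age-based limit for a 15-second idle limit; the original
# pwdMaxAge is restored at the end of this section.
$LDAPMODIFY -v -D "$MANAGERDN" -H $URI1 -w $PASSWD >> \
	$TESTOUT 2>&1 << EOMODS
dn: cn=Standard Policy, ou=Policies, dc=example, dc=com
changetype: modify
delete: pwdMaxAge
-
add: pwdMaxIdle
pwdMaxIdle: 15

EOMODS
RC=$?
if test $RC != 0 ; then
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

# One successful bind under the new policy, presumably to give the idle
# clock a recent reference point; its result is deliberately not checked.
$LDAPSEARCH -e ppolicy -H $URI1 -D "$USER" -w $PASS \
	-b "$BASEDN" -s base > $SEARCHOUT 2>&1

# "expire=N" from the accountUsability control, matched with [0-9] rather
# than the non-POSIX \d; an empty result is a failure, not a sleep error.
DELAY=$($LDAPSEARCH -D "$MANAGERDN" -H $URI1 -w $PASSWD \
    -b "$USER" -E accountUsability 1.1 | sed -n -e 's/.*expire=\([0-9]*\).*/\1/p')
if test -z "$DELAY" ; then
	echo "Could not determine idle expiry from accountUsability control"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi

echo "Waiting $DELAY seconds for password to expire..."
sleep $DELAY
sleep 1

# An idle-expired password must be refused with invalidCredentials (49).
$LDAPSEARCH -e ppolicy -H $URI1 -D "$USER" -w $PASS \
	-b "$BASEDN" -s base >> $SEARCHOUT 2>&1
RC=$?
if test $RC != 49 ; then
	echo "Password idle expiration failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi

echo "Reverting policy changes..."
$LDAPMODIFY -v -D "$MANAGERDN" -H $URI1 -w $PASSWD >> \
	$TESTOUT 2>&1 << EOMODS
dn: cn=Standard Policy, ou=Policies, dc=example, dc=com
changetype: modify
delete: pwdMaxIdle
-
add: pwdMaxAge
pwdMaxAge: 30

EOMODS
RC=$?
if test $RC != 0 ; then
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi
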
# The forwarding test needs a second slapd acting as a syncrepl consumer with
# back-ldap chaining, so it is skipped when either back-ldap or syncprov was
# not built.
if test "$BACKLDAP" != "ldapno" && test "$SYNCPROV" != "syncprovno"  ; then 
echo ""
echo "Setting up policy state forwarding test..."

# The consumer reuses the provider's config verbatim apart from the database
# directory, which sed rewrites from $DBDIR1 to $DBDIR2.
mkdir $DBDIR2
sed -e "s,$DBDIR1,$DBDIR2," < $CONF1 > $CONF2
echo "Starting slapd consumer on TCP/IP port $PORT2..."
$SLAPD -f $CONF2 -h $URI2 -d $LVL > $LOG2 2>&1 &
PID=$!
if test $WAIT != 0 ; then
    echo PID $PID
    read foo
fi
# Both servers are torn down together on any later failure.
KILLPIDS="$KILLPIDS $PID"

echo "Configuring syncprov on provider..."
# When syncprov was built as a dynamic module it has to be loaded over
# cn=config before the overlay can be instantiated below.
if [ "$SYNCPROV" = syncprovmod ]; then
	$LDAPADD -D cn=config -H $URI1 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
dn: cn=module,cn=config
objectclass: olcModuleList
cn: module
olcModulePath: $TESTWD/../servers/slapd/overlays
olcModuleLoad: syncprov.la

EOF
	RC=$?
	if test $RC != 0 ; then
		echo "ldapadd failed for moduleLoad ($RC)!"
		test $KILLSERVERS != no && kill -HUP $KILLPIDS
		exit $RC
	fi
fi

# syncprov is stacked on database {1} as overlay {1}, i.e. after the
# {0}ppolicy overlay that the test config already put there.
$LDAPADD -D cn=config -H $URI1 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
dn: olcOverlay={1}syncprov,olcDatabase={1}$BACKEND,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {1}syncprov

EOF
RC=$?
if test $RC != 0 ; then
    echo "ldapadd failed for provider database config ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit $RC
fi

# Same start-up probe as for the provider, now against the consumer.
echo "Using ldapsearch to check that slapd is running..."
for i in 0 1 2 3 4 5; do
	$LDAPSEARCH -s base -b "$MONITOR" -H $URI2 \
		'objectclass=*' > /dev/null 2>&1
	RC=$?
	if test $RC = 0 ; then
		break
	fi
	echo "Waiting 5 seconds for slapd to start..."
	sleep 5
done
if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

echo "Configuring syncrepl on consumer..."
# back-ldap as a module must likewise be loaded on the consumer first.
if [ "$BACKLDAP" = ldapmod ]; then
	$LDAPADD -D cn=config -H $URI2 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
dn: cn=module,cn=config
objectclass: olcModuleList
cn: module
olcModulePath: $TESTWD/../servers/slapd/back-ldap
olcModuleLoad: back_ldap.la

EOF
	RC=$?
	if test $RC != 0 ; then
		echo "ldapadd failed for moduleLoad ($RC)!"
		test $KILLSERVERS != no && kill -HUP $KILLPIDS
		exit $RC
	fi
fi
# One ldapmodify sets up the whole consumer side:
#  - a chain overlay on the frontend whose back-ldap database points at the
#    provider, binding there as the manager and (mode=self) asserting the
#    identity of the original user;
#  - syncrepl on database {1} pulling from the provider in refreshAndPersist
#    mode, plus an updateref so writes are referred to the provider;
#  - olcPPolicyForwardUpdates TRUE, which is what this section tests:
#    policy state changes made on the consumer are sent on to the provider.
# binddn/credentials are the shared test fixture secret; note that in a real
# deployment these sit in clear text in cn=config and must be protected
# accordingly (ACLs on cn=config, restricted config-file permissions).
$LDAPMODIFY -D cn=config -H $URI2 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain

dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDBURI: $URI1
olcDbIDAssertBind: bindmethod=simple
  binddn="cn=manager,dc=example,dc=com"
  credentials=secret
  mode=self

dn: olcDatabase={1}$BACKEND,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=1
  provider=$URI1
  binddn="cn=manager,dc=example,dc=com"
  bindmethod=simple
  credentials=secret
  searchbase="dc=example,dc=com"
  type=refreshAndPersist
  retry="3 5 300 5"
-
add: olcUpdateref
olcUpdateref: $URI1
-

dn: olcOverlay={0}ppolicy,olcDatabase={1}$BACKEND,cn=config
changetype: modify
replace: olcPPolicyForwardUpdates
olcPPolicyForwardUpdates: TRUE
-

EOF
RC=$?
if test $RC != 0 ; then
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

# Fixed delay for the initial refresh; $SLEEP1 comes from defines.sh.
echo "Waiting for consumer to sync..."
sleep $SLEEP1

echo "Testing policy state forwarding..."
# A wrong password against the consumer must fail with invalidCredentials
# (49) ...
$LDAPSEARCH -H $URI2 -D "$USER" -w wrongpw >$SEARCHOUT 2>&1
RC=$?
if test $RC != 49 ; then
	echo "ldapsearch should have failed with 49, got ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi

# ... and the resulting pwdFailureTime must be visible on the provider,
# which shows the state was forwarded rather than kept on the consumer.
$LDAPSEARCH -H $URI1 -D "$MANAGERDN" -w $PASSWD -b "$USER" \* \+ >> $SEARCHOUT 2>&1
COUNT=`grep "pwdFailureTime" $SEARCHOUT | wc -l`
if test $COUNT != 1 ; then
	echo "Policy state forwarding failed"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi

# End of chaining test

fi

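echo ""
echo "Testing obsolete Netscape ppolicy controls..."
echo "Enabling Netscape controls..."
# Switch the provider's ppolicy overlay to the legacy Netscape controls; the
# PasswordExpiring warning checked at the end depends on this.
$LDAPMODIFY -v -D cn=config -H $URI1 -y $CONFIGPWF >> \
	$TESTOUT 2>&1 << EOMODS
dn: olcOverlay={0}ppolicy,olcDatabase={1}$BACKEND,cn=config
changetype: modify
replace: olcPPolicySendNetscapeControls
olcPPolicySendNetscapeControls: TRUE
-

EOMODS
RC=$?
if test $RC != 0 ; then
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

echo "Reconfiguring policy to remove grace logins..."
# Without grace logins an expired password is refused outright; the short
# pwdMaxAge keeps the wait below manageable.
$LDAPMODIFY -v -D "$MANAGERDN" -H $URI1 -w $PASSWD >> \
	$TESTOUT 2>&1 << EOMODS
dn: cn=Standard Policy, ou=Policies, dc=example, dc=com
changetype: modify
delete: pwdGraceAuthnLimit
-
replace: pwdMaxAge
pwdMaxAge: 15
-

EOMODS
RC=$?
if test $RC != 0 ; then
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

OLDPASS=$PASS
PASS=newpass
# Fresh password set by the rootdn, bound with $PASSWD like every other
# $MANAGERDN operation in this script, so the expiry clock starts now.
$LDAPPASSWD -H $URI1 \
	-w $PASSWD -s $PASS \
	-D "$MANAGERDN" "$USER" >> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
	echo "Setting new password failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

echo "Clearing forced reset..."
# NOTE(review): unlike the identical step in the forced-reset test, the
# result of this modify is not checked; if pwdReset were not set the delete
# would fail and the expiry check below would be the first to notice.
$LDAPMODIFY -v -D "$MANAGERDN" -H $URI1 -w $PASSWD >> \
	$TESTOUT 2>&1 << EOMODS
dn: $USER
changetype: modify
delete: pwdReset

EOMODS

# "expire=N" from the accountUsability control ([0-9] instead of the
# non-POSIX \d).  Polling starts 10 seconds early so the expiring warning is
# seen before the password actually expires; the delay is clamped at zero
# and an empty result is reported rather than handed to sleep.
DELAY=$($LDAPSEARCH -D "$MANAGERDN" -H $URI1 -w $PASSWD \
    -b "$USER" -E accountUsability 1.1 | sed -n -e 's/.*expire=\([0-9]*\).*/\1/p')
if test -z "$DELAY" ; then
	echo "Could not determine password expiry from accountUsability control"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi
DELAY=$((DELAY - 10))
if test $DELAY -lt 0 ; then
	DELAY=0
fi

echo "Testing password expiration"
echo "Waiting $DELAY seconds for password to expire..."
sleep $DELAY

# Five binds three seconds apart straddle the expiry: at least one response
# must carry the PasswordExpiring warning, and the last bind must be refused.
$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
	-b "$BASEDN" -s base > $SEARCHOUT 2>&1
sleep 3
$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
	-b "$BASEDN" -s base >> $SEARCHOUT 2>&1
sleep 3
$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
	-b "$BASEDN" -s base >> $SEARCHOUT 2>&1
sleep 3
$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
	-b "$BASEDN" -s base >> $SEARCHOUT 2>&1
sleep 3
$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
	-b "$BASEDN" -s base >> $SEARCHOUT 2>&1
RC=$?
if test $RC = 0 ; then
	echo "Password expiration failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi
COUNT=$(grep -c "PasswordExpiring" $SEARCHOUT)
if test $COUNT = 0 ; then
	echo "Password expiring warning test failed!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi

# Normal teardown: stop every slapd started above and reap them.
test $KILLSERVERS != no && kill -HUP $KILLPIDS

echo ">>>>> Test succeeded"

test $KILLSERVERS != no && wait

exit 0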