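#! /bin/sh
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.

# Identity-assertion test for the LDAP backend plus the rwm overlay.
#
# The checks below are authorization-boundary checks rather than plain
# functional ones: each proxy identity may only assert the authzIds it
# has been granted (the "(should fail)" cases must be rejected), and the
# rootdn of one database must not be able to assert an identity that
# belongs to another database.  Every DN/password used here is a fixture
# from the test data set loaded by slapadd further down.
#
# Environment: everything comes from $SRCDIR/scripts/defines.sh
# (BACKLDAP, RWM, WITH_SASL, USE_SASL, TESTDIR, SLAPD, LDAPSEARCH, ...).
# Exit status: 0 when the test passes or is skipped, non-zero otherwise.

echo "running defines.sh"
. $SRCDIR/scripts/defines.sh

echo "### This test requires the LDAP backend and the rwm overlay."
echo "### If available, and explicitly requested, it can use SASL bind;"
echo "### note that SASL must be properly set up, and the requested"
echo "### mechanism must be available. Define SLAPD_USE_SASL={yes|<mech>},"
echo "### with \"yes\" defaulting to DIGEST-MD5 to enable SASL authc[/authz]."

if test $BACKLDAP = "ldapno" ; then
	echo "LDAP backend not available, test skipped"
	exit 0
fi

if test $RWM = "rwmno" ; then
	echo "Rewrite/remap overlay not available, test skipped"
	exit 0
fi

# Pick the SASL mechanism when SASL is both built in and requested.
# NOTE(review): MECH is only set in this branch; the SASL section at the
# end keys off USE_SASL alone, so it relies on defines.sh forcing
# USE_SASL=no when WITH_SASL is not "yes" -- confirm.
if test $WITH_SASL = "yes" ; then
	if test $USE_SASL != "no" ; then
		if test $USE_SASL = "yes" ; then
			MECH="DIGEST-MD5"
		else
			MECH="$USE_SASL"
		fi
		echo "Using SASL authc[/authz] with mech=$MECH; unset SLAPD_USE_SASL to disable"
	else
		echo "Using proxyAuthz with simple authc..."
	fi
else
	echo "SASL not available; using proxyAuthz with simple authc..."
fi

#######################################
# Report a failure, stop the test slapd (unless KILLSERVERS=no asks to
# leave it running for inspection) and exit.
# Globals:   KILLSERVERS (read), KILLPIDS (read; intentionally unquoted,
#            it may hold several PIDs)
# Arguments: $1 - message to print
#            $2 - exit status to return
#######################################
fail_test() {
	echo "$1"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $2
}

mkdir -p $TESTDIR $DBDIR1 $DBDIR2

# Two databases are loaded so that cross-database assertions can be
# checked later (-n 1 and -n 2).
echo "Running slapadd to build slapd database..."
. $CONFFILTER $BACKEND < $IDASSERTCONF > $ADDCONF
$SLAPADD -f $ADDCONF -l $LDIFIDASSERT1 -n 1
RC=$?
if test $RC != 0 ; then
	echo "slapadd -n 1 failed ($RC)!"
	exit $RC
fi
$SLAPADD -f $ADDCONF -l $LDIFIDASSERT2 -n 2
RC=$?
if test $RC != 0 ; then
	echo "slapadd -n 2 failed ($RC)!"
	exit $RC
fi

echo "Starting slapd on TCP/IP port $PORT..."
. $CONFFILTER $BACKEND < $IDASSERTCONF > $CONF1
$SLAPD -f $CONF1 -h $URI1 -d $LVL > $LOG1 2>&1 &
PID=$!
if test $WAIT != 0 ; then
	echo PID $PID
	# -r: do not let a stray backslash in the typed input be interpreted.
	read -r foo
fi
KILLPIDS="$PID"

sleep 1

# Poll the monitor base until slapd answers; give up after six attempts
# instead of letting every later step fail with a confusing error.
echo "Using ldapsearch to check that slapd is running..."
for i in 0 1 2 3 4 5; do
	$LDAPSEARCH -s base -b "$MONITOR" -H $URI1 \
		'objectclass=*' > /dev/null 2>&1
	RC=$?
	if test $RC = 0 ; then
		break
	fi
	echo "Waiting 5 seconds for slapd to start..."
	sleep 5
done
if test $RC != 0 ; then
	fail_test "ldapsearch failed ($RC)!" $RC
fi

# --- proxy US: may assert u:it/jaj, must not assert u:bjorn / u:bjensen ---

echo "Testing ldapwhoami as proxy US..."
$LDAPWHOAMI -H $URI1 -D "cn=proxy US,ou=Admin,dc=example,dc=com" -w proxy
RC=$?
if test $RC != 0 ; then
	fail_test "ldapwhoami failed ($RC)!" $RC
fi

AUTHZID="u:it/jaj"
echo "Testing ldapwhoami as proxy US, $AUTHZID..."
$LDAPWHOAMI -H $URI1 -D "cn=proxy US,ou=Admin,dc=example,dc=com" -w proxy -e\!"authzid=$AUTHZID"
RC=$?
# The null backend has no entries to authorize against, so only a real
# backend is required to accept this assertion.
if test $RC != 0 && test $BACKEND != null ; then
	fail_test "ldapwhoami failed ($RC)!" $RC
fi

AUTHZID="u:bjorn"
echo "Testing ldapwhoami as proxy US, $AUTHZID... (should fail)"
$LDAPWHOAMI -H $URI1 -D "cn=proxy US,ou=Admin,dc=example,dc=com" -w proxy -e\!"authzid=$AUTHZID"
RC=$?
if test $RC != 1 ; then
	fail_test "ldapwhoami should have failed ($RC)!" 1
fi

AUTHZID="u:bjensen"
echo "Testing ldapwhoami as proxy US, $AUTHZID... (should fail)"
$LDAPWHOAMI -H $URI1 -D "cn=proxy US,ou=Admin,dc=example,dc=com" -w proxy -e\!"authzid=$AUTHZID"
RC=$?
if test $RC != 1 ; then
	fail_test "ldapwhoami should have failed ($RC)!" 1
fi

# --- proxy IT: must not assert u:it/jaj / u:bjorn, may assert the Sandbox DN ---

echo "Testing ldapwhoami as proxy IT..."
$LDAPWHOAMI -H $URI1 -D "cn=proxy IT,ou=Admin,dc=example,dc=com" -w proxy
RC=$?
if test $RC != 0 ; then
	fail_test "ldapwhoami failed ($RC)!" $RC
fi

AUTHZID="u:it/jaj"
echo "Testing ldapwhoami as proxy IT, $AUTHZID... (should fail)"
$LDAPWHOAMI -H $URI1 -D "cn=proxy IT,ou=Admin,dc=example,dc=com" -w proxy -e\!"authzid=$AUTHZID"
RC=$?
if test $RC != 1 ; then
	fail_test "ldapwhoami should have failed ($RC)!" 1
fi

AUTHZID="u:bjorn"
echo "Testing ldapwhoami as proxy IT, $AUTHZID... (should fail)"
$LDAPWHOAMI -H $URI1 -D "cn=proxy IT,ou=Admin,dc=example,dc=com" -w proxy -e\!"authzid=$AUTHZID"
RC=$?
if test $RC != 1 ; then
	fail_test "ldapwhoami should have failed ($RC)!" 1
fi

AUTHZID="dn:cn=Sandbox,ou=Admin,dc=example,dc=com"
echo "Testing ldapwhoami as proxy IT, $AUTHZID..."
$LDAPWHOAMI -H $URI1 -D "cn=proxy IT,ou=Admin,dc=example,dc=com" -w proxy -e\!"authzid=$AUTHZID"
RC=$?
if test $RC != 0 && test $BACKEND != null ; then
	fail_test "ldapwhoami failed ($RC)!" $RC
fi

# --- a regular user asserting its own remapped identity in either naming context ---

AUTHZID="dn:uid=bjorn,ou=People,o=Example,c=US"
echo "Testing ldapwhoami as bjorn, $AUTHZID..."
$LDAPWHOAMI -H $URI1 -D "uid=bjorn,ou=people,dc=example,dc=com" -w bjorn -e\!"authzid=$AUTHZID"
RC=$?
if test $RC != 0 ; then
	fail_test "ldapwhoami failed ($RC)!" $RC
fi

AUTHZID="dn:uid=bjorn,ou=People,o=Esempio,c=IT"
echo "Testing ldapwhoami as bjorn, $AUTHZID..."
$LDAPWHOAMI -H $URI1 -D "uid=bjorn,ou=people,dc=example,dc=com" -w bjorn -e\!"authzid=$AUTHZID"
RC=$?
if test $RC != 0 ; then
	fail_test "ldapwhoami failed ($RC)!" $RC
fi

# --- rootdn privilege must stay confined to its own database ---

AUTHZID="u:it/jaj"
echo "Checking another DB's rootdn can't assert identity from another DB..."
$LDAPWHOAMI -H $URI1 -D "$MANAGERDN" -w $PASSWD -e\!"authzid=$AUTHZID"

RC=$?
if test $RC != 1 ; then
	fail_test "ldapwhoami should have failed ($RC)!" 1
fi

# --- end-to-end: a search through the proxy must return the original data ---

ID="uid=jaj,ou=People,dc=example,dc=it"
BASE="o=Example,c=US"
echo "Testing ldapsearch as $ID for \"$BASE\"..."
$LDAPSEARCH -H $URI1 -b "$BASE" \
	-D "$ID" -w jaj > $SEARCHOUT 2>&1

RC=$?
if test $RC != 0 && test $BACKEND != null ; then
	fail_test "ldapsearch failed ($RC)!" $RC
fi

# -s ldif=e sorts entries so the comparison does not depend on the
# order the backend happens to return them in.
echo "Filtering ldapsearch results..."
$LDIFFILTER -s ldif=e < $SEARCHOUT > $SEARCHFLT
echo "Filtering original ldif used to create database..."
$LDIFFILTER -s ldif=e < $IDASSERTOUT > $LDIFFLT
echo "Comparing filter output..."
$CMP $SEARCHFLT $LDIFFLT > $CMPOUT

if test $? != 0 ; then
	fail_test "comparison failed - search with identity assertion didn't succeed" 1
fi

# Same checks again, but authenticating with SASL instead of simple bind.
if test $USE_SASL != "no" ; then
	ID="it/jaj"
	BASE="o=Example,c=US"
	echo "Testing ldapsearch as $ID for \"$BASE\" with SASL bind and identity assertion..."
	$LDAPSASLSEARCH -H $URI1 -b "$BASE" \
		-Q -U "$ID" -w jaj -Y $MECH > $SEARCHOUT 2>&1

	RC=$?
	if test $RC != 0 ; then
		fail_test "ldapsearch failed ($RC)!" $RC
	fi

	ID="manager"
	AUTHZID="u:it/jaj"
	echo "Checking another DB's rootdn can't assert in another (with SASL bind this time)..."
	$LDAPSASLWHOAMI -H $URI1 \
		-Q -U "$ID" -w $PASSWD -Y $MECH -X $AUTHZID

	RC=$?
	# 50 is the ldapwhoami exit status for insufficientAccessRights.
	if test $RC != 50 ; then
		fail_test "ldapwhoami should have failed ($RC)!" 1
	fi

	# Sort here too, consistent with the simple-bind comparison above;
	# without it an ordering difference would fail this branch only.
	echo "Filtering ldapsearch results..."
	$LDIFFILTER -s ldif=e < $SEARCHOUT > $SEARCHFLT
	echo "Filtering original ldif used to create database..."
	$LDIFFILTER -s ldif=e < $IDASSERTOUT > $LDIFFLT
	echo "Comparing filter output..."
	$CMP $SEARCHFLT $LDIFFLT > $CMPOUT

	if test $? != 0 ; then
		fail_test "comparison failed - search with SASL bind and identity assertion didn't succeed" 1
	fi
fi

test $KILLSERVERS != no && kill -HUP $KILLPIDS

echo ">>>>> Test succeeded"

test $KILLSERVERS != no && wait

exit 0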