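#! /bin/sh
# $OpenLDAP: pkg/ldap/tests/scripts/test041-aci,v 1.9.2.4 2008/02/11 23:26:51 kurt Exp $
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2008 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
#
# test041-aci: exercise OpenLDAPaci-based access control.
#
# Flow: build a database from $LDIFORDERED using the ACI-enabled config
# template $ACICONF, start slapd, confirm that with no ACIs present an
# anonymous search and a user bind are refused, then add ACIs under
# dc=example,dc=com and check that the grants they express (group-based
# read, self/administrator password change, group membership visibility)
# behave as intended.  Search output collected in $SEARCHOUT is
# ldif-filtered and compared with $ACIOUT at the end.
#
# Required environment: BACKEND and SRCDIR from the test driver; all other
# tool and path variables come from scripts/defines.sh.
#
# Quoting: command variables ($SLAPADD, $SLAPD, $LDAPSEARCH, $LDAPWHOAMI,
# $LDAPMODIFY, $LDAPPASSWD, $CMP) and $LVL/$TIMING/$KILLPIDS are left
# unquoted on purpose — they may carry several words (extra options, a
# PID list) that must keep word-splitting.  Paths, DNs and passwords are
# always quoted.

case "$BACKEND" in
bdb|hdb)
	;;
*)
	echo "Test does not support $BACKEND backend"
	exit 0
	;;
esac

echo "running defines.sh"
. "$SRCDIR/scripts/defines.sh"

if test "$ACI" = "acino" ; then
	echo "ACI not enabled, test skipped"
	exit 0
fi

mkdir -p "$TESTDIR" "$DBDIR1"

echo "Running slapadd to build slapd database..."
# $CONFFILTER is sourced with the backend and monitor settings as its
# positional parameters (kept unquoted as in the original so an empty
# $MONITORDB does not become an empty argument).
. $CONFFILTER $BACKEND $MONITORDB < "$ACICONF" > "$CONF1"
$SLAPADD -f "$CONF1" -l "$LDIFORDERED"
RC=$?
if test $RC != 0 ; then
	echo "slapadd failed ($RC)!"
	exit $RC
fi

echo "Starting slapd on TCP/IP port $PORT1..."
$SLAPD -f "$CONF1" -h "$URI1" -d $LVL $TIMING > "$LOG1" 2>&1 &
PID=$!
if test "$WAIT" != 0 ; then
	# Interactive debugging hook: pause until the operator presses return.
	echo "PID $PID"
	read -r foo
fi
KILLPIDS="$PID"

sleep 1

echo "Testing slapd ACI access control..."
# Poll the monitor entry until slapd answers (up to six attempts).
for i in 0 1 2 3 4 5; do
	$LDAPSEARCH -s base -b "$MONITOR" -h "$LOCALHOST" -p "$PORT1" \
		'objectclass=*' > /dev/null 2>&1
	RC=$?
	if test $RC = 0 ; then
		break
	fi
	echo "Waiting 5 seconds for slapd to start..."
	sleep 5
done

if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit $RC
fi

: > "$SEARCHOUT"
: > "$TESTOUT"

# Search must fail: with no ACIs in place an anonymous base search of the
# suffix is expected to return 32 (noSuchObject), i.e. the entry is not
# even acknowledged to exist.
BASEDN="dc=example,dc=com"
echo "Searching \"$BASEDN\" (should fail)..."
echo "# Searching \"$BASEDN\" (should fail)..." >> "$SEARCHOUT"
$LDAPSEARCH -s base -b "$BASEDN" -h "$LOCALHOST" -p "$PORT1" \
	'(objectclass=*)' >> "$SEARCHOUT" 2>> "$TESTOUT"
RC=$?
if test $RC != 32 ; then
	echo "ldapsearch should have failed with noSuchObject ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	if test $RC = 0 ; then
		# A successful search is the failure here; RC is 0, so use an
		# explicit non-zero status ("exit -1" is not valid in every sh).
		exit 1
	fi
	exit $RC
fi

# Bind must fail: without ACIs the user cannot read her own userPassword.
# The fixture password is passed with -w and so appears in process
# listings; the tools also accept -y <file> should that ever matter.
BINDDN="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"
BINDPW=bjensen
echo "Testing ldapwhoami as ${BINDDN} (should fail)..."
$LDAPWHOAMI -h "$LOCALHOST" -p "$PORT1" -D "$BINDDN" -w "$BINDPW"
RC=$?
if test $RC = 0 ; then
	echo "ldapwhoami should have failed!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit 1
fi

# Populate ACIs as the rootdn.  The here-document is LDIF: lines that
# start with a single space are continuations of the previous line.
echo "Writing ACIs as \"$MANAGERDN\"..."
$LDAPMODIFY -D "$MANAGERDN" -w "$PASSWD" -h "$LOCALHOST" -p "$PORT1" \
	>> "$TESTOUT" 2>&1 << EOMODS0
dn: dc=example,dc=com
changetype: modify
add: OpenLDAPaci
OpenLDAPaci: 0#subtree#grant;d,c,s,r;[all]#group/groupOfUniqueNames/uniqueMe
 mber#cn=ITD Staff,ou=Groups,dc=example,dc=com
OpenLDAPaci: 1#entry#grant;d;[all]#public#

dn: ou=People,dc=example,dc=com
changetype: modify
add: OpenLDAPaci
OpenLDAPaci: 0#subtree#grant;x;userPassword#public#
OpenLDAPaci: 1#subtree#grant;w;userPassword#self#
OpenLDAPaci: 2#subtree#grant;w;userPassword#access-id#cn=Bjorn Jensen,ou=Inf
 ormation Technology Division,ou=People,dc=example,dc=com

dn: ou=Groups,dc=example,dc=com
changetype: modify
add: OpenLDAPaci
OpenLDAPaci: 0#entry#grant;s;[all]#public#
OpenLDAPaci: 1#children#grant;r;member;r;uniqueMember#access-id#cn=Bjorn Jen
 sen,ou=Information Technology Division,ou=People,dc=example,dc=com
EOMODS0
RC=$?
if test $RC != 0 ; then
	echo "ldapmodify failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit $RC
fi

# Search must succeed with no results: the entry-level "d" grant to
# public lets the suffix be found, but nothing is readable anonymously.
BASEDN="dc=example,dc=com"
echo "Searching \"$BASEDN\" (should succeed with no results)..."
echo "# Searching \"$BASEDN\" (should succeed with no results)..." >> "$SEARCHOUT"
$LDAPSEARCH -s base -b "$BASEDN" -h "$LOCALHOST" -p "$PORT1" \
	'(objectclass=*)' >> "$SEARCHOUT" 2>> "$TESTOUT"
RC=$?
if test $RC != 0 ; then
	### TEMPORARY (see ITS#3963)
	echo "ldapsearch failed ($RC)! IGNORED..."
	###echo "ldapsearch failed ($RC)!"
	###test $KILLSERVERS != no && kill -HUP $KILLPIDS
	###exit $RC
fi

# Bind must now succeed: the "x" (auth) grant on userPassword is in place.
BINDDN="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"
BINDPW=bjensen
echo "Testing ldapwhoami as ${BINDDN}..."
$LDAPWHOAMI -h "$LOCALHOST" -p "$PORT1" -D "$BINDDN" -w "$BINDPW"
RC=$?
if test $RC != 0 ; then
	echo "ldapwhoami failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit $RC
fi

# Search must succeed as a member of the group named in the subtree ACI.
BINDDN="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"
BINDPW=bjorn
BASEDN="dc=example,dc=com"
echo "Searching \"$BASEDN\" as \"$BINDDN\" (should succeed)..."
echo "# Searching \"$BASEDN\" as \"$BINDDN\" (should succeed)..." >> "$SEARCHOUT"
$LDAPSEARCH -s base -b "$BASEDN" -h "$LOCALHOST" -p "$PORT1" \
	-D "$BINDDN" -w "$BINDPW" \
	'(objectClass=*)' >> "$SEARCHOUT" 2>> "$TESTOUT"
RC=$?
if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit $RC
fi

# Passwd must succeed: Bjorn Jensen holds the access-id "w" grant on
# userPassword under ou=People and resets John Doe's password.
BINDDN="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"
BINDPW=bjorn
TGT="cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc=com"
NEWPW=jdoe
echo "Setting \"$TGT\" password..."
$LDAPPASSWD -h "$LOCALHOST" -p "$PORT1" \
	-w "$BINDPW" -s "$NEWPW" \
	-D "$BINDDN" "$TGT" >> "$TESTOUT" 2>&1
RC=$?
if test $RC != 0 ; then
	echo "ldappasswd failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit $RC
fi

# Re-change as self: John Doe binds with the password just set and
# changes it again via the "self" grant.  TGT is unchanged.
echo "Changing self password..."
BINDDN="$TGT"
BINDPW=$NEWPW
NEWPW=newcred
$LDAPPASSWD -h "$LOCALHOST" -p "$PORT1" \
	-w "$BINDPW" -s "$NEWPW" \
	-D "$BINDDN" "$TGT" >> "$TESTOUT" 2>&1
RC=$?
if test $RC != 0 ; then
	echo "ldappasswd failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit $RC
fi

# Searching groups as John Doe with the new credential.
BINDPW=$NEWPW
BASEDN="ou=Groups,dc=example,dc=com"
echo "Searching \"$BASEDN\" as \"$BINDDN\" (should succeed)..."
echo "# Searching \"$BASEDN\" as \"$BINDDN\" (should succeed)..." >> "$SEARCHOUT"
$LDAPSEARCH -s one -b "$BASEDN" -h "$LOCALHOST" -p "$PORT1" \
	-D "$BINDDN" -w "$BINDPW" \
	'(objectClass=*)' >> "$SEARCHOUT" 2>> "$TESTOUT"
RC=$?
if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit $RC
fi

# Same search as Barbara Jensen: the operation succeeds but must return
# no entries, since the children grant on ou=Groups names Bjorn only.
BINDDN="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"
BINDPW=bjensen
echo "Searching \"$BASEDN\" as \"$BINDDN\" (should succeed with no results)..."
echo "# Searching \"$BASEDN\" as \"$BINDDN\" (should succeed with no results)..." >> "$SEARCHOUT"
$LDAPSEARCH -s one -b "$BASEDN" -h "$LOCALHOST" -p "$PORT1" \
	-D "$BINDDN" -w "$BINDPW" \
	'(objectClass=*)' >> "$SEARCHOUT" 2>> "$TESTOUT"
RC=$?
if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit $RC
fi

test "$KILLSERVERS" != no && kill -HUP $KILLPIDS

LDIF=$ACIOUT

echo "Filtering ldapsearch results..."
. "$LDIFFILTER" < "$SEARCHOUT" > "$SEARCHFLT"
echo "Filtering original ldif used to create database..."
. "$LDIFFILTER" < "$LDIF" > "$LDIFFLT"
echo "Comparing filter output..."
$CMP "$SEARCHFLT" "$LDIFFLT" > "$CMPOUT"
RC=$?

if test $RC != 0 ; then
	echo "comparison failed - operations did not complete correctly"
	exit 1
fi

echo ">>>>> Test succeeded"

test "$KILLSERVERS" != no && wait

exit 0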