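#! /bin/sh
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.

# SASL/GSSAPI test: starts a test KDC (scripts/setup_kdc.sh), configures
# slapd with olcSaslHost/olcSaslRealm and TLS credentials, then checks
# that GSSAPI is advertised in supportedSASLMechanisms, that ldapwhoami
# can bind with it (plain, StartTLS and ldaps) and that the resulting
# authorization DN is the expected one.  When TLS and channel-binding
# support are available, every combination of client SASL_CBINDING and
# server olcSaslCBinding is exercised and the expected outcome verified.
#
# Relies on the variables set by scripts/defines.sh (SRCDIR, TESTDIR,
# DBDIR1, DATADIR, ABS_SCHEMADIR, CONFIGPWF, URI1, SURI2, PORT1, PORT2,
# LOG1, LVL, TESTOUT, CMPOUT, WAIT, KILLSERVERS, WITH_SASL, WITH_TLS,
# WITH_TLS_TYPE, HAVE_SASL_GSS_CBIND and the tool wrappers such as
# SLAPD, SLAPADD, LDAPSEARCH, LDAPMODIFY, LDAPSASLWHOAMI, CMP) and by
# scripts/setup_kdc.sh (KDCPROC, KRB5REALM, KUSER).  The tool wrappers
# may carry extra arguments, so they are deliberately left unquoted.
#
# Exit status: 0 when every check passes, otherwise the status of the
# failing command (1 when a command succeeds that was expected to fail).

echo "running defines.sh"
. "$SRCDIR/scripts/defines.sh"

if test "$WITH_SASL" = no ; then
	echo "SASL support not available, test skipped"
	exit 0
fi

#######################################
# Stop the KDC and, unless KILLSERVERS=no, slapd, then exit.
# Globals:   KDCPROC (read), KILLSERVERS (read), KILLPIDS (read)
# Arguments: $1 - exit status to return
# KILLPIDS is empty until slapd has been started; in that case only
# the KDC is torn down.
#######################################
teardown_exit() {
	kill $KDCPROC
	if test "$KILLSERVERS" != no && test -n "$KILLPIDS" ; then
		kill -HUP $KILLPIDS
	fi
	exit "$1"
}

CONFDIR="$TESTDIR/slapd.d"
CONFLDIF="$TESTDIR/slapd.ldif"

mkdir -p "$TESTDIR" "$DBDIR1" "$CONFDIR"
cp -r "$DATADIR/tls" "$TESTDIR"
# Generate a random config rootpw into CONFIGPWF; olcRootPW below reads
# it back from $TESTDIR/configpw (presumably the same file - see defines.sh).
$SLAPPASSWD -g -n > "$CONFIGPWF"

echo "Starting KDC for SASL/GSSAPI tests..."
. "$SRCDIR/scripts/setup_kdc.sh"

echo "Configuring slapd..."
cat > "$CONFLDIF" <<EOF
dn: cn=config
objectClass: olcGlobal
cn: config
olcSaslHost: localhost
olcSaslRealm: $KRB5REALM
olcTLSCACertificateFile: $TESTDIR/tls/ca/certs/testsuiteCA.crt
olcTLSCertificateFile: $TESTDIR/tls/certs/localhost.crt
olcTLSCertificateKeyFile: $TESTDIR/tls/private/localhost.key

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file://$ABS_SCHEMADIR/core.ldif

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootPW:< file://$TESTDIR/configpw

EOF
$SLAPADD -F "$CONFDIR" -n 0 -l "$CONFLDIF"
RC=$?
if test "$RC" != 0 ; then
	echo "slapadd failed ($RC)!"
	teardown_exit "$RC"
fi

echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..."
$SLAPD -F "$CONFDIR" -h "$URI1 $SURI2" -d "$LVL" > "$LOG1" 2>&1 &
PID=$!
if test "$WAIT" != 0 ; then
	echo PID $PID
	read -r foo
fi
KILLPIDS="$PID"

sleep 1

echo "Using ldapsearch to check that slapd is running..."
for i in 0 1 2 3 4 5; do
	$LDAPSEARCH -s base -b "" -H "$URI1" \
		'objectclass=*' > /dev/null 2>&1
	RC=$?
	if test "$RC" = 0 ; then
		break
	fi
	echo "Waiting 5 seconds for slapd to start..."
	sleep 5
done

if test "$RC" != 0 ; then
	echo "ldapsearch failed ($RC)!"
	teardown_exit "$RC"
fi

$LDAPSEARCH -x -H "$URI1" -s "base" -b "" supportedSASLMechanisms > "$TESTOUT" 2>&1
RC=$?
if test "$RC" != 0 ; then
	echo "ldapsearch failed ($RC)!"
	teardown_exit "$RC"
fi

# The matching line is left on stdout as part of the test log.
grep GSSAPI "$TESTOUT"
RC=$?
if test "$RC" != 0 ; then
	echo "failed: GSSAPI mechanism not in supportedSASLMechanisms."
	teardown_exit "$RC"
fi

printf '%s' "Using ldapwhoami with SASL/GSSAPI: "
$LDAPSASLWHOAMI -N -Y GSSAPI -H "$URI1" > "$TESTOUT" 2>&1
RC=$?
if test "$RC" != 0 ; then
	echo "ldapwhoami failed ($RC)!"
	teardown_exit "$RC"
else
	echo "success"
fi

printf '%s' "Validating mapped SASL/GSSAPI ID: "
# The config above defines no authz-regexp, so the whoami result is
# expected to be the synthetic ...,cn=gssapi,cn=auth form of the identity.
echo "dn:uid=$KUSER,cn=$KRB5REALM,cn=gssapi,cn=auth" > "$TESTDIR/dn.out"
$CMP "$TESTDIR/dn.out" "$TESTOUT" > "$CMPOUT"
RC=$?
if test "$RC" != 0 ; then
	echo "Comparison failed"
	teardown_exit "$RC"
else
	echo "success"
fi

if test "$WITH_TLS" = no ; then
	echo "SASL/GSSAPI: TLS support not available, skipping TLS part."
else
	# tls_reqcert=allow keeps certificate problems from aborting the bind;
	# the test suite CA is still passed so the handshake can use it.  What
	# is being exercised here is GSSAPI over TLS, not certificate checking.
	printf '%s' "Using ldapwhoami with SASL/GSSAPI with start-tls: "
	$LDAPSASLWHOAMI -N -Y GSSAPI -H "$URI1" -ZZ -o tls_reqcert=allow \
		-o "tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt" \
		> "$TESTOUT" 2>&1
	RC=$?
	if test "$RC" != 0 ; then
		echo "ldapwhoami failed ($RC)!"
		teardown_exit "$RC"
	else
		echo "success"
	fi

	printf '%s' "Using ldapwhoami with SASL/GSSAPI with ldaps: "
	$LDAPSASLWHOAMI -N -Y GSSAPI -H "$SURI2" -o tls_reqcert=allow \
		-o "tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt" \
		> "$TESTOUT" 2>&1
	RC=$?
	if test "$RC" != 0 ; then
		echo "ldapwhoami failed ($RC)!"
		teardown_exit "$RC"
	else
		echo "success"
	fi
fi

if test "$WITH_TLS" = no ; then
	echo "TLS support not available, skipping channel-binding test"
elif test "$HAVE_SASL_GSS_CBIND" = no ; then
	echo "SASL has no channel-binding support in GSSAPI, test skipped"
else
	echo "Testing SASL/GSSAPI with SASL_CBINDING..."

	# acb is the server-side setting (olcSaslCBinding), icb the client-side
	# one (SASL_CBINDING).  A server set to "none" accepts any client
	# binding; a matching pair must succeed; a mismatch against a server
	# that enforces a binding is expected to fail (see "fail" below).
	for acb in "none" "tls-unique" "tls-endpoint" ; do

		echo "Modifying slapd's olcSaslCBinding to ${acb} ..."
		$LDAPMODIFY -D cn=config -H "$URI1" -y "$CONFIGPWF" <<EOF > "$TESTOUT" 2>&1
dn: cn=config
changetype: modify
replace: olcSaslCBinding
olcSaslCBinding: ${acb}
EOF
		RC=$?
		if test "$RC" != 0 ; then
			echo "ldapmodify failed ($RC)!"
			teardown_exit "$RC"
		fi

		for icb in "none" "tls-unique" "tls-endpoint" ; do

			# The gnutls implementation of "tls-unique" seems broken
			if test "$icb" = "tls-unique" || test "$acb" = "tls-unique" ; then
				if test "$WITH_TLS_TYPE" = gnutls ; then
					continue
				fi
			fi

			fail="no"
			if test "$icb" != "$acb" && test "$acb" != "none" ; then
				# This currently fails in MIT, but it is planned to be
				# fixed not to fail like in heimdal - avoid testing.
				if test "$icb" = "none" ; then
					continue
				fi
				# Otherwise unmatching bindings are expected to fail.
				fail="yes"
			fi

			printf '%s' "Using ldapwhoami with SASL/GSSAPI and SASL_CBINDING "
			printf '%s' "(client: ${icb}, server: ${acb}): "

			$LDAPSASLWHOAMI -N -Y GSSAPI -H "$URI1" -ZZ -o tls_reqcert=allow \
				-o "tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt" \
				-o "SASL_CBINDING=$icb" > "$TESTOUT" 2>&1

			RC=$?
			if test "$RC" != 0 ; then
				if test "$fail" = "no" ; then
					echo "test failed ($RC)!"
					teardown_exit "$RC"
				fi
			elif test "$fail" = "yes" ; then
				echo "failed: command succeeded unexpectedly."
				teardown_exit 1
			fi

			echo "success"
			# An expected failure leaves a non-zero RC behind; clear it so
			# the final verdict below is not affected.
			RC=0
		done
	done
fi


kill $KDCPROC
test "$KILLSERVERS" != no && kill -HUP $KILLPIDS

if test "$RC" != 0 ; then
	echo ">>>>> Test failed"
else
	echo ">>>>> Test succeeded"
	RC=0
fi

test "$KILLSERVERS" != no && wait

exit "$RC"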