#! /bin/sh # $OpenLDAP$ ## This work is part of OpenLDAP Software . ## ## Copyright 1998-2021 The OpenLDAP Foundation. ## All rights reserved. ## ## Redistribution and use in source and binary forms, with or without ## modification, are permitted only as authorized by the OpenLDAP ## Public License. ## ## A copy of this license is available in the file LICENSE in the ## top-level directory of the distribution or, alternatively, at ## . echo "running defines.sh" . $SRCDIR/scripts/defines.sh if test $WITH_TLS = no ; then echo "TLS support not available, test skipped" exit 0 fi mkdir -p $TESTDIR $DBDIR1 $DBDIR2 cp -r $DATADIR/tls $TESTDIR cd $TESTWD $SLAPPASSWD -g -n >$CONFIGPWF echo "rootpw `$SLAPPASSWD -T $CONFIGPWF`" >$TESTDIR/configpw.conf echo "Running slapadd to build slapd database..." . $CONFFILTER $BACKEND < $TLSSASLCONF > $CONF2 $SLAPADD -f $CONF2 -l $LDIFORDERED RC=$? if test $RC != 0 ; then echo "slapadd failed ($RC)!" exit $RC fi echo "Starting a slapd on TCP/IP port $PORT3..." $SLAPD -f $CONF2 -h $URI3 -d $LVL > $LOG2 2>&1 & PID=$! if test $WAIT != 0 ; then echo PID $PID read foo fi PID2="$PID" KILLPIDS="$PID" for i in 0 1 2 3 4 5; do $LDAPSEARCH -s base -b "$MONITOR" -H $URI3 \ '(objectclass=*)' > /dev/null 2>&1 RC=$? if test $RC = 0 ; then break fi echo "Waiting $SLEEP1 seconds for slapd to start..." sleep $SLEEP1 done if test $RC != 0 ; then echo "ldapsearch failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi echo "Running slapadd to build slapd database..." . $CONFFILTER $BACKEND < $CONFTWO > $CONF3 # FIXME: Hack! echo "TLSCertificateKeyFile $TESTDIR/tls/private/localhost.key" >>$CONF3 echo "TLSCertificateFile $TESTDIR/tls/certs/localhost.crt" >>$CONF3 echo 'authz-regexp "email=([^,]*),cn=[^,]*,ou=OpenLDAP,o=OpenLDAP Foundation,st=CA,c=US" ldap:///ou=People,dc=example,dc=com??sub?(mail=$1)' >>$CONF3 $SLAPADD -f $CONF3 -l $LDIFORDERED RC=$? if test $RC != 0 ; then echo "slapadd failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi echo "Running slapindex to index slapd database..." $SLAPINDEX -f $CONF3 RC=$? if test $RC != 0 ; then echo "warning: slapindex failed ($RC)" echo " assuming no indexing support" fi echo "Starting second slapd on TCP/IP port $PORT4 w/ ldaps..." $SLAPD -f $CONF3 -h $SURI4 -d $LVL > $LOG3 2>&1 & PID=$! if test $WAIT != 0 ; then echo PID $PID read foo fi PID2="$PID" KILLPIDS="$KILLPIDS $PID" sleep $SLEEP0 echo "Testing slapd searching..." for i in 0 1 2 3 4 5; do $LDAPSEARCH -o tls-reqcert=never -s base -b "$MONITOR" -H $SURI4 \ '(objectclass=*)' > /dev/null 2>&1 RC=$? if test $RC = 0 ; then break fi echo "Waiting $SLEEP1 seconds for slapd to start..." sleep $SLEEP1 done if test $RC != 0 ; then echo "ldapsearch failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi echo "Starting lloadd on TCP/IP port $PORT1 and ldaps $PORT2..." . $CONFFILTER $BACKEND < $LLOADDTLSCONF > $CONF1.lloadd if test $AC_lloadd = lloaddyes; then $LLOADD -f $CONF1.lloadd -h "$URI1 $SURI2" -d $LVL > $LOG1 2>&1 & else . $CONFFILTER $BACKEND < $SLAPDLLOADCONF | sed -e "s,listen.*,listen \"$URI1 $SURI2\"," > $CONF1.slapd $SLAPD -f $CONF1.slapd -h $URI6 -d $LVL > $LOG1 2>&1 & fi PID=$! if test $WAIT != 0 ; then echo PID $PID read foo fi KILLPIDS="$KILLPIDS $PID" echo "Testing slapd searching..." for i in 0 1 2 3 4 5; do $LDAPSEARCH -s base -b "$MONITOR" -H $URI1 \ '(objectclass=*)' > /dev/null 2>&1 RC=$? if test $RC = 0 ; then break fi echo "Waiting $SLEEP1 seconds for lloadd to start..." sleep $SLEEP1 done if test $RC != 0 ; then echo "ldapsearch failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi echo -n "Using ldapsearch with startTLS with no server cert validation...." $LDAPSEARCH -o tls-reqcert=never -ZZ -b "" -s base -H $URIP1 \ '@extensibleObject' > $SEARCHOUT 2>&1 RC=$? if test $RC != 0 ; then echo "ldapsearch (startTLS) failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC else echo "success" fi echo -n "Using ldapsearch with startTLS with hard require cert...." $LDAPSEARCH -o tls-cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -o tls-reqcert=hard -ZZ -b "" -s base -H $URIP1 \ '@extensibleObject' > $SEARCHOUT 2>&1 RC=$? if test $RC != 0 ; then echo "ldapsearch (startTLS) failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC else echo "success" fi if test $WITH_TLS_TYPE = openssl ; then echo -n "Using ldapsearch with startTLS and specific protocol version...." $LDAPSEARCH -o tls-cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -o tls-reqcert=hard -o tls-protocol-min=3.3 -ZZ -b "" -s base -H $URIP1 \ '@extensibleObject' > $SEARCHOUT 2>&1 RC=$? if test $RC != 0 ; then echo "ldapsearch (protocol-min) failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC else echo "success" fi fi echo -n "Using ldapsearch on $SURI2 with no server cert validation..." $LDAPSEARCH -o tls-reqcert=never -b "cn=Subschema" -s base -H $SURIP2 \ '(&(objectClasses=top)(objectClasses=2.5.6.0))' cn objectClass \ >> $SEARCHOUT 2>&1 RC=$? if test $RC != 0 ; then echo "ldapsearch (ldaps) failed($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC else echo "success" fi echo -n "Using ldapsearch on $SURI2 with reqcert HARD and no CA cert. Should fail..." $LDAPSEARCH -o tls-reqcert=hard -b "cn=Subschema" -s base -H $SURIP2 \ '(&(objectClasses=top)(objectClasses=2.5.6.0))' cn objectClass \ >> $SEARCHOUT 2>&1 RC=$? if test $RC = 0 ; then echo "ldapsearch (ldaps) succeeded when it should have failed($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit 1 else echo "failed correctly with error code ($RC)" fi echo -n "Using ldapsearch on $SURI2 with CA cert and reqcert HARD..." $LDAPSEARCH -o tls-cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt \ -o tls-reqcert=hard -b "cn=Subschema" -s base -H $SURIP2 \ '(&(objectClasses=top)(objectClasses=2.5.6.0))' cn objectClass \ >> $SEARCHOUT 2>&1 RC=$? if test $RC != 0 ; then echo "ldapsearch (ldaps) failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC else echo "success" fi if test $WITH_SASL = no ; then echo "SASL support not available, skipping client cert authentication" else echo -n "Using ldapwhoami with SASL/EXTERNAL...." $LDAPSASLWHOAMI -o tls-cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -o tls-reqcert=hard \ -o tls-cert=$TESTDIR/tls/certs/bjensen@mailgw.example.com.crt \ -o tls-key=$TESTDIR/tls/private/bjensen@mailgw.example.com.key \ -ZZ -Y EXTERNAL -H $URIP1 \ > $TESTOUT 2>&1 RC=$? if test $RC != 0 ; then echo "ldapwhoami (startTLS) failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC else echo "success" fi echo -n "Validating mapped SASL ID..." echo 'dn:cn=barbara jensen,ou=information technology division,ou=people,dc=example,dc=com' > $TESTDIR/dn.out $CMP $TESTDIR/dn.out $TESTOUT > $CMPOUT RC=$? if test $RC != 0 ; then echo "Comparison failed" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC else echo "success" fi fi test $KILLSERVERS != no && kill -HUP $KILLPIDS if test $RC != 0 ; then echo ">>>>> Test failed" else echo ">>>>> Test succeeded" RC=0 fi test $KILLSERVERS != no && wait exit $RC