bd3da732
Commit
bd3da732
authored
Jun 15, 2018
by
Ondřej Kuzník
Add TLS tests
parent
34ddaa5f
Changes
3
tests/data/lloadd-tls.conf
0 → 100644
# Load balancer config -- for testing
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2020 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
# SSL configuration
TLSCACertificateFile
@
TESTDIR
@/
tls
/
ca
/
certs
/
testsuiteCA
.
crt
TLSCertificateKeyFile
@
TESTDIR
@/
tls
/
private
/
localhost
.
key
TLSCertificateFile
@
TESTDIR
@/
tls
/
certs
/
localhost
.
crt
TLSVerifyClient
try
# noop for standalone
TLSShareSlapdCTX
yes
# allow big PDUs from anonymous (for testing purposes)
sockbuf_max_incoming_client
4194303
sockbuf_max_incoming_upstream
4194303
feature
proxyauthz
bindconf
bindmethod
=
simple
binddn
=
"cn=Manager,dc=example,dc=com"
credentials
=
secret
tls_cacert
=@
TESTDIR
@/
tls
/
ca
/
certs
/
testsuiteCA
.
crt
backend
-
server
uri
=@
URIP3
@
starttls
=
critical
numconns
=
3
bindconns
=
3
retry
=
5000
max
-
pending
-
ops
=
20
conn
-
max
-
pending
=
3
backend
-
server
uri
=@
SURIP4
@
numconns
=
3
bindconns
=
3
retry
=
5000
max
-
pending
-
ops
=
20
conn
-
max
-
pending
=
3
backend
-
server
uri
=@
URI5
@
numconns
=
3
bindconns
=
3
retry
=
5000
max
-
pending
-
ops
=
20
conn
-
max
-
pending
=
3
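Review bot: The third `backend-server` (`uri=@URI5@`) carries no `starttls=` keyword, unlike the first one, while the shared `bindconf` is `bindmethod=simple` with `credentials=secret`, so if that upstream is ever reachable the Manager password leaves the balancer over plain ldap:// from the very configuration that exists to test TLS. The accompanying test005-tls appears to start servers only on the ports behind @URIP3@ and @SURIP4@, so this entry may be meant to stay unreachable and exercise retry; a comment on that line would make the intent explicit, e.g. `# plain ldap upstream, expected to be down -- exercises retry only`, or, if the backend is meant to be used, `starttls=critical` as on the first backend-server. The first two entries also use the `@URIP…@` form and the third `@URI5@`; if that difference is not deliberate it is worth a look.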
tests/scripts/defines.sh
...
...
@@ -156,6 +156,7 @@ LLOADDCONF=$DATADIR/lloadd.conf
LLOADDEMPTYCONF
=
$DATADIR
/lloadd-empty.conf
LLOADDANONCONF
=
$DATADIR
/lloadd-anon.conf
LLOADDUNREACHABLECONF
=
$DATADIR
/lloadd-backend-issues.conf
LLOADDTLSCONF
=
$DATADIR
/lloadd-tls.conf
# generated files
CONF1
=
$TESTDIR
/slapd.1.conf
...
...
tests/scripts/lloadd/test005-tls
0 → 100755
#! /bin/sh
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2020 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
echo
"running defines.sh"
.
$SRCDIR
/scripts/defines.sh
if
test
$WITH_TLS
=
no
;
then
echo
"TLS support not available, test skipped"
exit
0
fi
mkdir
-p
$TESTDIR
$DBDIR1
$DBDIR2
cp
-r
$DATADIR
/tls
$TESTDIR
cd
$TESTWD
$SLAPPASSWD
-g
-n
>
$CONFIGPWF
echo
"rootpw
`
$SLAPPASSWD
-T
$CONFIGPWF
`
"
>
$TESTDIR
/configpw.conf
echo
"Running slapadd to build slapd database..."
.
$CONFFILTER
$BACKEND
<
$TLSSASLCONF
>
$CONF2
$SLAPADD
-f
$CONF2
-l
$LDIFORDERED
RC
=
$?
if
test
$RC
!=
0
;
then
echo
"slapadd failed (
$RC
)!"
exit
$RC
fi
echo
"Starting a slapd on TCP/IP port
$PORT3
..."
$SLAPD
-f
$CONF2
-h
$URI3
-d
$LVL
>
$LOG2
2>&1 &
PID
=
$!
if
test
$WAIT
!=
0
;
then
echo
PID
$PID
read
foo
fi
PID2
=
"
$PID
"
KILLPIDS
=
"
$PID
"
for
i
in
0 1 2 3 4 5
;
do
$LDAPSEARCH
-s
base
-b
"
$MONITOR
"
-H
$URI3
\
'(objectclass=*)'
>
/dev/null 2>&1
RC
=
$?
if
test
$RC
=
0
;
then
break
fi
echo
"Waiting
$SLEEP1
seconds for slapd to start..."
sleep
$SLEEP1
done
if
test
$RC
!=
0
;
then
echo
"ldapsearch failed (
$RC
)!"
test
$KILLSERVERS
!=
no
&&
kill
-HUP
$KILLPIDS
exit
$RC
fi
echo
"Running slapadd to build slapd database..."
.
$CONFFILTER
$BACKEND
<
$CONFTWO
>
$CONF3
# FIXME: Hack!
echo
"TLSCertificateKeyFile
$TESTDIR
/tls/private/localhost.key"
>>
$CONF3
echo
"TLSCertificateFile
$TESTDIR
/tls/certs/localhost.crt"
>>
$CONF3
echo
'authz-regexp "email=([^,]*),cn=[^,]*,ou=OpenLDAP,o=OpenLDAP Foundation,st=CA,c=US" ldap:///ou=People,dc=example,dc=com??sub?(mail=$1)'
>>
$CONF3
$SLAPADD
-f
$CONF3
-l
$LDIFORDERED
RC
=
$?
if
test
$RC
!=
0
;
then
echo
"slapadd failed (
$RC
)!"
test
$KILLSERVERS
!=
no
&&
kill
-HUP
$KILLPIDS
exit
$RC
fi
echo
"Running slapindex to index slapd database..."
$SLAPINDEX
-f
$CONF3
RC
=
$?
if
test
$RC
!=
0
;
then
echo
"warning: slapindex failed (
$RC
)"
echo
" assuming no indexing support"
fi
echo
"Starting second slapd on TCP/IP port
$PORT4
w/ ldaps..."
$SLAPD
-f
$CONF3
-h
$SURI4
-d
$LVL
>
$LOG3
2>&1 &
PID
=
$!
if
test
$WAIT
!=
0
;
then
echo
PID
$PID
read
foo
fi
PID2
=
"
$PID
"
KILLPIDS
=
"
$KILLPIDS
$PID
"
sleep
$SLEEP0
echo
"Testing slapd searching..."
for
i
in
0 1 2 3 4 5
;
do
$LDAPSEARCH
-o
tls-reqcert
=
never
-s
base
-b
"
$MONITOR
"
-H
$SURI4
\
'(objectclass=*)'
>
/dev/null 2>&1
RC
=
$?
if
test
$RC
=
0
;
then
break
fi
echo
"Waiting
$SLEEP1
seconds for slapd to start..."
sleep
$SLEEP1
done
if
test
$RC
!=
0
;
then
echo
"ldapsearch failed (
$RC
)!"
test
$KILLSERVERS
!=
no
&&
kill
-HUP
$KILLPIDS
exit
$RC
fi
echo
"Starting lloadd on TCP/IP port
$PORT1
and ldaps
$PORT2
..."
.
$CONFFILTER
$BACKEND
<
$LLOADDTLSCONF
>
$CONF1
.lloadd
if
test
$AC_lloadd
=
lloaddyes
;
then
$LLOADD
-f
$CONF1
.lloadd
-h
"
$URI1
$SURI2
"
-d
$LVL
>
$LOG1
2>&1 &
else
.
$CONFFILTER
$BACKEND
<
$SLAPDLLOADCONF
|
sed
-e
"s,listen.*,listen
\"
$URI1
$SURI2
\"
,"
>
$CONF1
.slapd
$SLAPD
-f
$CONF1
.slapd
-h
$URI6
-d
$LVL
>
$LOG1
2>&1 &
fi
PID
=
$!
if
test
$WAIT
!=
0
;
then
echo
PID
$PID
read
foo
fi
KILLPIDS
=
"
$KILLPIDS
$PID
"
echo
"Testing slapd searching..."
for
i
in
0 1 2 3 4 5
;
do
$LDAPSEARCH
-s
base
-b
"
$MONITOR
"
-H
$URI1
\
'(objectclass=*)'
>
/dev/null 2>&1
RC
=
$?
if
test
$RC
=
0
;
then
break
fi
echo
"Waiting
$SLEEP1
seconds for lloadd to start..."
sleep
$SLEEP1
done
if
test
$RC
!=
0
;
then
echo
"ldapsearch failed (
$RC
)!"
test
$KILLSERVERS
!=
no
&&
kill
-HUP
$KILLPIDS
exit
$RC
fi
echo
-n
"Using ldapsearch with startTLS with no server cert validation...."
$LDAPSEARCH
-o
tls-reqcert
=
never
-ZZ
-b
""
-s
base
-H
$URIP1
\
'@extensibleObject'
>
$SEARCHOUT
2>&1
RC
=
$?
if
test
$RC
!=
0
;
then
echo
"ldapsearch (startTLS) failed (
$RC
)!"
test
$KILLSERVERS
!=
no
&&
kill
-HUP
$KILLPIDS
exit
$RC
else
echo
"success"
fi
echo
-n
"Using ldapsearch with startTLS with hard require cert...."
$LDAPSEARCH
-o
tls-cacert
=
$TESTDIR
/tls/ca/certs/testsuiteCA.crt
-o
tls-reqcert
=
hard
-ZZ
-b
""
-s
base
-H
$URIP1
\
'@extensibleObject'
>
$SEARCHOUT
2>&1
RC
=
$?
if
test
$RC
!=
0
;
then
echo
"ldapsearch (startTLS) failed (
$RC
)!"
test
$KILLSERVERS
!=
no
&&
kill
-HUP
$KILLPIDS
exit
$RC
else
echo
"success"
fi
if
test
$WITH_TLS_TYPE
=
openssl
;
then
echo
-n
"Using ldapsearch with startTLS and specific protocol version...."
$LDAPSEARCH
-o
tls-cacert
=
$TESTDIR
/tls/ca/certs/testsuiteCA.crt
-o
tls-reqcert
=
hard
-o
tls-protocol-min
=
3.3
-ZZ
-b
""
-s
base
-H
$URIP1
\
'@extensibleObject'
>
$SEARCHOUT
2>&1
RC
=
$?
if
test
$RC
!=
0
;
then
echo
"ldapsearch (protocol-min) failed (
$RC
)!"
test
$KILLSERVERS
!=
no
&&
kill
-HUP
$KILLPIDS
exit
$RC
else
echo
"success"
fi
fi
echo
-n
"Using ldapsearch on
$SURI2
with no server cert validation..."
$LDAPSEARCH
-o
tls-reqcert
=
never
-b
"cn=Subschema"
-s
base
-H
$SURIP2
\
'(&(objectClasses=top)(objectClasses=2.5.6.0))'
cn objectClass
\
>>
$SEARCHOUT
2>&1
RC
=
$?
if
test
$RC
!=
0
;
then
echo
"ldapsearch (ldaps) failed(
$RC
)!"
test
$KILLSERVERS
!=
no
&&
kill
-HUP
$KILLPIDS
exit
$RC
else
echo
"success"
fi
echo
-n
"Using ldapsearch on
$SURI2
with reqcert HARD and no CA cert. Should fail..."
$LDAPSEARCH
-o
tls-reqcert
=
hard
-b
"cn=Subschema"
-s
base
-H
$SURIP2
\
'(&(objectClasses=top)(objectClasses=2.5.6.0))'
cn objectClass
\
>>
$SEARCHOUT
2>&1
RC
=
$?
if
test
$RC
=
0
;
then
echo
"ldapsearch (ldaps) succeeded when it should have failed(
$RC
)!"
test
$KILLSERVERS
!=
no
&&
kill
-HUP
$KILLPIDS
exit
1
else
echo
"failed correctly with error code (
$RC
)"
fi
echo
-n
"Using ldapsearch on
$SURI2
with CA cert and reqcert HARD..."
$LDAPSEARCH
-o
tls-cacert
=
$TESTDIR
/tls/ca/certs/testsuiteCA.crt
\
-o
tls-reqcert
=
hard
-b
"cn=Subschema"
-s
base
-H
$SURIP2
\
'(&(objectClasses=top)(objectClasses=2.5.6.0))'
cn objectClass
\
>>
$SEARCHOUT
2>&1
RC
=
$?
if
test
$RC
!=
0
;
then
echo
"ldapsearch (ldaps) failed (
$RC
)!"
test
$KILLSERVERS
!=
no
&&
kill
-HUP
$KILLPIDS
exit
$RC
else
echo
"success"
fi
if
test
$WITH_SASL
=
no
;
then
echo
"SASL support not available, skipping client cert authentication"
else
echo
-n
"Using ldapwhoami with SASL/EXTERNAL...."
$LDAPSASLWHOAMI
-o
tls-cacert
=
$TESTDIR
/tls/ca/certs/testsuiteCA.crt
-o
tls-reqcert
=
hard
\
-o
tls-cert
=
$TESTDIR
/tls/certs/bjensen@mailgw.example.com.crt
\
-o
tls-key
=
$TESTDIR
/tls/private/bjensen@mailgw.example.com.key
\
-ZZ
-Y
EXTERNAL
-H
$URIP1
\
>
$TESTOUT
2>&1
RC
=
$?
if
test
$RC
!=
0
;
then
echo
"ldapwhoami (startTLS) failed (
$RC
)!"
test
$KILLSERVERS
!=
no
&&
kill
-HUP
$KILLPIDS
exit
$RC
else
echo
"success"
fi
echo
-n
"Validating mapped SASL ID..."
echo
'dn:cn=barbara jensen,ou=information technology division,ou=people,dc=example,dc=com'
>
$TESTDIR
/dn.out
$CMP
$TESTDIR
/dn.out
$TESTOUT
>
$CMPOUT
RC
=
$?
if
test
$RC
!=
0
;
then
echo
"Comparison failed"
test
$KILLSERVERS
!=
no
&&
kill
-HUP
$KILLPIDS
exit
$RC
else
echo
"success"
fi
fi
test
$KILLSERVERS
!=
no
&&
kill
-HUP
$KILLPIDS
if
test
$RC
!=
0
;
then
echo
">>>>> Test failed"
else
echo
">>>>> Test succeeded"
RC
=
0
fi
test
$KILLSERVERS
!=
no
&&
wait
exit
$RC
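Review bot: The negative case that follows `with reqcert HARD and no CA cert. Should fail...` accepts any non-zero status from ldapsearch as the expected verification failure (`if test $RC = 0`), so a refused connection, a timeout or a wrong URI would also be reported as `failed correctly with error code ($RC)`. Since the output is already captured in $SEARCHOUT, checking it for the TLS verification diagnostic before printing the success line would make this test fail only for the intended reason. Separately, the `# FIXME: Hack!` block that appends TLSCertificateKeyFile, TLSCertificateFile and the authz-regexp to $CONF3 would benefit from a comment saying why these are appended here rather than carried by $CONFTWO — presumably because $CONFTWO has no TLS section — e.g. `# CONFTWO is the plain second-server config; add the ldaps server cert and the cert-to-DN mapping needed for the SASL/EXTERNAL test`. The script's overall shape (early exit on every failure, final RC check) matches the other test scripts in the suite, so no change is suggested there.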