c0872442
Commit
c0872442
authored
Jun 19, 2018
by
Ondřej Kuzník
SASL and proxyauthz tests
parent
bd3da732
Changes
3
tests/data/lloadd-sasl.conf
0 → 100644
# Load balancer config -- for testing
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2020 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
# allow big PDUs from anonymous (for testing purposes)
sockbuf_max_incoming_client
4194303
sockbuf_max_incoming_upstream
4194303
feature
proxyauthz
bindconf
bindmethod
=
sasl
@
SASL_MECH
@
authcid
=
manager
authzid
=
"dn:cn=Manager,dc=example,dc=com"
credentials
=
secret
backend
-
server
uri
=@
URI2
@
numconns
=
3
bindconns
=
3
retry
=
5000
max
-
pending
-
ops
=
20
conn
-
max
-
pending
=
3
backend
-
server
uri
=@
URI3
@
numconns
=
3
bindconns
=
3
retry
=
5000
max
-
pending
-
ops
=
20
conn
-
max
-
pending
=
3
backend
-
server
uri
=@
URI4
@
numconns
=
3
bindconns
=
3
retry
=
5000
max
-
pending
-
ops
=
20
conn
-
max
-
pending
=
3
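Review bot: The `bindconf` stanza authenticates upstream as `authcid=manager` but asserts `authzid="dn:cn=Manager,dc=example,dc=com"`, and `feature proxyauthz` then re-asserts every client identity over that connection, so this single identity ends up authorizing on behalf of all clients; nothing in the file says so. I would add above `bindconf`: `# lloadd binds upstream once as "manager" (asserting the Manager DN) and forwards each client identity via proxyAuthz; the backends must grant this DN the authzTo rights needed for that`. The `@SASL_MECH@` placeholder is presumably substituted by conffilter from the environment; the accompanying test script computes `$MECH` but this commit does not show it exported under that name, which is worth confirming. `credentials=secret` is acceptable for a fixture, but the "for testing purposes" remark only covers the sockbuf lines, so the header comment could state that the credentials are test-only as well.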
tests/scripts/defines.sh
@@ -157,6 +157,7 @@ LLOADDEMPTYCONF=$DATADIR/lloadd-empty.conf
LLOADDANONCONF
=
$DATADIR
/lloadd-anon.conf
LLOADDUNREACHABLECONF
=
$DATADIR
/lloadd-backend-issues.conf
LLOADDTLSCONF
=
$DATADIR
/lloadd-tls.conf
LLOADDSASLCONF
=
$DATADIR
/lloadd-sasl.conf
# generated files
CONF1
=
$TESTDIR
/slapd.1.conf
tests/scripts/lloadd/test006-sasl
0 → 100755
#! /bin/sh
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2020 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
echo
"running defines.sh"
.
$SRCDIR
/scripts/defines.sh
if
test
$WITH_SASL
=
"yes"
;
then
if
test
$USE_SASL
=
"no"
;
then
echo
"Not asked to test SASL, skipping test, set SLAPD_USE_SASL to enable..."
exit
0
fi
if
test
$USE_SASL
=
"yes"
;
then
MECH
=
"DIGEST-MD5"
else
MECH
=
"
$USE_SASL
"
fi
echo
"Using SASL authc[/authz] with mech=
$MECH
; unset SLAPD_USE_SASL to disable"
else
echo
"SASL not available; using proxyAuthz with simple authc..."
fi
mkdir
-p
$TESTDIR
$DBDIR1
$DBDIR2
cp
-r
$DATADIR
/tls
$TESTDIR
cd
$TESTWD
$SLAPPASSWD
-g
-n
>
$CONFIGPWF
echo
"rootpw
`
$SLAPPASSWD
-T
$CONFIGPWF
`
"
>
$TESTDIR
/configpw.conf
echo
"Running slapadd to build slapd database..."
.
$CONFFILTER
$BACKEND
<
$TLSSASLCONF
>
$CONF2
echo
'authz-regexp "^uid=([^,]*),.+" ldap:///dc=example,dc=com??sub?(|(cn=$1)(uid=$1))'
>>
$CONF2
$SLAPADD
-f
$CONF2
-l
$LDIFORDERED
RC
=
$?
if
test
$RC
!=
0
;
then
echo
"slapadd failed (
$RC
)!"
exit
$RC
fi
echo
"Starting a slapd on TCP/IP port
$PORT2
..."
$SLAPD
-f
$CONF2
-h
$URI2
-d
$LVL
>
$LOG2
2>&1 &
PID
=
$!
if
test
$WAIT
!=
0
;
then
echo
PID
$PID
read
foo
fi
PID2
=
"
$PID
"
KILLPIDS
=
"
$PID
"
for
i
in
0 1 2 3 4 5
;
do
$LDAPSEARCH
-s
base
-b
"
$MONITOR
"
-H
$URI2
\
'(objectclass=*)'
>
/dev/null 2>&1
RC
=
$?
if
test
$RC
=
0
;
then
break
fi
echo
"Waiting
$SLEEP1
seconds for slapd to start..."
sleep
$SLEEP1
done
if
test
$RC
!=
0
;
then
echo
"ldapsearch failed (
$RC
)!"
test
$KILLSERVERS
!=
no
&&
kill
-HUP
$KILLPIDS
exit
$RC
fi
echo
"Running slapadd to build slapd database..."
.
$CONFFILTER
$BACKEND
<
$CONFTWO
>
$CONF3
echo
'authz-regexp "^uid=([^,]*),.+" ldap:///dc=example,dc=com??sub?(|(cn=$1)(uid=$1))'
>>
$CONF3
$SLAPADD
-f
$CONF3
-l
$LDIFORDERED
RC
=
$?
if
test
$RC
!=
0
;
then
echo
"slapadd failed (
$RC
)!"
test
$KILLSERVERS
!=
no
&&
kill
-HUP
$KILLPIDS
exit
$RC
fi
echo
"Running slapindex to index slapd database..."
$SLAPINDEX
-f
$CONF3
RC
=
$?
if
test
$RC
!=
0
;
then
echo
"warning: slapindex failed (
$RC
)"
echo
" assuming no indexing support"
fi
echo
"Starting second slapd on TCP/IP port
$PORT3
..."
$SLAPD
-f
$CONF3
-h
$URI3
-d
$LVL
>
$LOG3
2>&1 &
PID
=
$!
if
test
$WAIT
!=
0
;
then
echo
PID
$PID
read
foo
fi
PID2
=
"
$PID
"
KILLPIDS
=
"
$KILLPIDS
$PID
"
sleep
$SLEEP0
echo
"Testing slapd searching..."
for
i
in
0 1 2 3 4 5
;
do
$LDAPSEARCH
-s
base
-b
"
$MONITOR
"
-H
$URI3
\
'(objectclass=*)'
>
/dev/null 2>&1
RC
=
$?
if
test
$RC
=
0
;
then
break
fi
echo
"Waiting
$SLEEP1
seconds for slapd to start..."
sleep
$SLEEP1
done
if
test
$RC
!=
0
;
then
echo
"ldapsearch failed (
$RC
)!"
test
$KILLSERVERS
!=
no
&&
kill
-HUP
$KILLPIDS
exit
$RC
fi
echo
"Starting lloadd on TCP/IP port
$PORT1
..."
.
$CONFFILTER
$BACKEND
<
$LLOADDSASLCONF
>
$CONF1
.lloadd
if
test
$AC_lloadd
=
lloaddyes
;
then
$LLOADD
-f
$CONF1
.lloadd
-h
$URI1
-d
$LVL
>
$LOG1
2>&1 &
else
.
$CONFFILTER
$BACKEND
<
$SLAPDLLOADCONF
>
$CONF1
.slapd
$SLAPD
-f
$CONF1
.slapd
-h
$URI6
-d
$LVL
>
$LOG1
2>&1 &
fi
PID
=
$!
if
test
$WAIT
!=
0
;
then
echo
PID
$PID
read
foo
fi
KILLPIDS
=
"
$KILLPIDS
$PID
"
echo
"Testing lloadd searching..."
for
i
in
0 1 2 3 4 5
;
do
$LDAPSEARCH
-s
base
-b
"
$MONITOR
"
-H
$URI1
\
'(objectclass=*)'
>
/dev/null 2>&1
RC
=
$?
if
test
$RC
=
0
;
then
break
fi
echo
"Waiting
$SLEEP1
seconds for lloadd to start..."
sleep
$SLEEP1
done
if
test
$RC
!=
0
;
then
echo
"ldapsearch failed (
$RC
)!"
test
$KILLSERVERS
!=
no
&&
kill
-HUP
$KILLPIDS
exit
$RC
fi
echo
"Checking whether
$MECH
is supported..."
$LDAPSEARCH
-s
base
-b
""
-H
$URI1
\
'objectClass=*'
supportedSASLMechanisms
>
$SEARCHOUT
2>&1
RC
=
$?
if
test
$RC
!=
0
;
then
echo
"ldapsearch failed (
$RC
)!"
test
$KILLSERVERS
!=
no
&&
kill
-HUP
$KILLPIDS
exit
$RC
fi
grep
"supportedSASLMechanisms:
$MECH
"
$SEARCHOUT
>
$TESTOUT
RC
=
$?
if
test
$RC
!=
0
;
then
echo
"SASL mechanism
$MECH
is not available, test skipped"
test
$KILLSERVERS
!=
no
&&
kill
-HUP
$KILLPIDS
exit
0
fi
AUTHZID
=
"u:bjorn"
echo
"Testing lloadd's identity can assert any authzid..."
$LDAPWHOAMI
-D
"
$MANAGERDN
"
-H
$URI1
-w
$PASSWD
\
-e
\!
"authzid=
$AUTHZID
"
>
$TESTOUT
2>&1
RC
=
$?
if
test
$RC
!=
0
;
then
echo
"ldapwhoami failed (
$RC
)!"
test
$KILLSERVERS
!=
no
&&
kill
-HUP
$KILLPIDS
exit
$RC
fi
AUTHZID
=
"u:bjorn"
echo
"Testing a different identity cannot do the same thing..."
$LDAPWHOAMI
-D
"
$BABSDN
"
-H
$URI1
-w
bjensen
\
-e
\!
"authzid=
$AUTHZID
"
>>
$TESTOUT
2>/dev/null
RC
=
$?
if
test
$RC
!=
1
;
then
echo
"ldapwhoami failed (
$RC
)!"
test
$KILLSERVERS
!=
no
&&
kill
-HUP
$KILLPIDS
exit
$RC
fi
echo
"Validating WhoAmI? results..."
echo
'dn:cn=bjorn jensen,ou=information technology division,ou=people,dc=example,dc=com'
>
$TESTDIR
/whoami.out
echo
'Result: Protocol error (2)
Additional info: proxy authorization control specified multiple times'
>>
$TESTDIR
/whoami.out
$CMP
$TESTDIR
/whoami.out
$TESTOUT
>
$CMPOUT
RC
=
$?
if
test
$RC
!=
0
;
then
echo
"Comparison failed"
test
$KILLSERVERS
!=
no
&&
kill
-HUP
$KILLPIDS
exit
$RC
else
echo
"Success"
fi
ID
=
"jaj"
echo
"Testing ldapsearch as
$ID
for
\"
$BASEDN
\"
with SASL bind and identity assertion..."
$LDAPSASLSEARCH
-H
$URI1
-b
"
$BASEDN
"
\
-Q
-Y
$MECH
-O
maxbufsize
=
0
-U
"
$ID
"
-w
jaj
>
$SEARCHOUT
2>&1
RC
=
$?
if
test
$RC
!=
0
;
then
echo
"ldapsearch failed (
$RC
)!"
test
$KILLSERVERS
!=
no
&&
kill
-HUP
$KILLPIDS
exit
$RC
fi
echo
"Filtering ldapsearch results..."
$LDIFFILTER
-s
e <
$SEARCHOUT
>
$SEARCHFLT
echo
"Filtering original ldif used to create database..."
$LDIFFILTER
-s
e <
$LDIF
>
$LDIFFLT
echo
"Comparing filter output..."
$CMP
$SEARCHFLT
$LDIFFLT
>
$CMPOUT
if
test
$?
!=
0
;
then
echo
"comparison failed - search with SASL bind and identity assertion didn't succeed"
test
$KILLSERVERS
!=
no
&&
kill
-HUP
$KILLPIDS
exit
1
fi
test
$KILLSERVERS
!=
no
&&
kill
-HUP
$KILLPIDS
if
test
$RC
!=
0
;
then
echo
">>>>> Test failed"
else
echo
">>>>> Test succeeded"
RC
=
0
fi
test
$KILLSERVERS
!=
no
&&
wait
exit
$RC
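Review bot: When `WITH_SASL` is not `yes`, the `else` branch near the top only prints "SASL not available; using proxyAuthz with simple authc..." and never assigns `MECH`, yet the script later runs `grep "supportedSASLMechanisms: $MECH"` and `$LDAPSASLSEARCH ... -Y $MECH`; with `MECH` empty the grep matches any advertised mechanism and the SASL search is issued with an empty `-Y`, so the path the message promises cannot actually work. The `lloadd-sasl.conf` template this script filters also uses `bindmethod=sasl` unconditionally, so there is no simple-bind configuration for that branch to fall back to. Either turn the branch into a skip, `echo "SASL not available, test skipped"; exit 0`, or add a second template with `bindmethod=simple` and select it based on `$WITH_SASL`. Separately, the "different identity" check pins the exit status to 1 and then compares the error text `proxy authorization control specified multiple times`; a one-line comment noting that the rejection is expected to come from the upstream seeing lloadd's own proxyAuthz control alongside the client's, rather than from an access-control denial, would spare the next reader from wondering why the test does not expect insufficient access.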