improve SASL in id assertion test

tests/data/idassert.out

+dn: o=Example,c=US
+objectClass: organization
+objectClass: dcObject
+o: Example, Inc.
+dc: example
+
+dn: ou=People,o=Example,c=US
+objectClass: organizationalUnit
+ou: People
+
+dn: uid=bjorn,ou=People,o=Example,c=US
+objectClass: inetOrgPerson
+cn: Bjorn Jensen
+sn: Jensen
+uid: bjorn
+mail: bjorn@example.com
+description: ***
+
+dn: uid=bjensen,ou=People,o=Example,c=US
+objectClass: inetOrgPerson
+cn: Barbara Jensen
+sn: Jensen
+uid: bjensen
+mail: bjensen@example.com
+description: ***
+
+dn: ou=Groups,o=Example,c=US
+objectClass: organizationalUnit
+ou: Groups
+
+dn: cn=All,ou=Groups,o=Example,c=US
+objectClass: groupOfNames
+cn: All
+member: uid=bjorn,ou=People,o=Example,c=US
+member: uid=bjensen,ou=People,o=Example,c=US
+
+dn: cn=Authorizable,ou=Groups,o=Example,c=US
+objectClass: groupOfNames
+cn: Authorizable
+member: uid=bjorn,ou=People,o=Example,c=US
+
+dn: ou=Admin,o=Example,c=US
+objectClass: organizationalUnit
+ou: Admin
+
+dn: cn=Proxy US,ou=Admin,o=Example,c=US
+objectClass: applicationProcess
+objectClass: simpleSecurityObject
+cn: Proxy US
+
+dn: cn=Proxy IT,ou=Admin,o=Example,c=US
+objectClass: applicationProcess
+objectClass: simpleSecurityObject
+cn: Proxy IT
+
+dn: cn=Sandbox,ou=Admin,o=Example,c=US
+objectClass: applicationProcess
+cn: Sandbox
+

tests/data/slapd-idassert.conf

@@ -46,6 +46,9 @@ access to attr=userpassword
 	by self =wx
 	by anonymous =x
 
+access to dn.exact=""
+	by * read
+
 access to *
 	by users read
 	by * search
@@ -78,7 +81,7 @@ suffix		"o=Example,c=US"
 suffixmassage	"o=Example,c=US" "dc=example,dc=com"
 uri		"ldap://:9011/"
 
-#sasl#idassert-method "sasl" "authcDN=cn=Proxy US,ou=Admin,dc=example,dc=com" "authcID=admin/proxy US" "cred=proxy" "mech=DIGEST-MD5"
+#sasl#idassert-method "sasl" "authcDN=cn=Proxy US,ou=Admin,dc=example,dc=com" "authcID=admin/proxy US" "cred=proxy" #SASL_MECH#
 #nosasl#idassert-method "simple"
 #nosasl#idassert-authcDN	"cn=Proxy US,ou=Admin,dc=example,dc=com"
 #nosasl#idassert-passwd		proxy

tests/scripts/conf.sh

@@ -22,10 +22,14 @@ if [ x"$MONITORDB" = x"yes" -o x"$MONITORDB" = xmod ] ; then
 else
 	MON=nomonitor
 fi
-if [ x"$WITH_SASL" = x"yes" -a x"$USE_SASL" = x"yes" ] ; then
+if [ x"$WITH_SASL" = x"yes" -a x"$USE_SASL" != x"no" ] ; then
 	SASL="sasl"
+	if [ x"$USE_SASL" = x"yes" ] ; then
+		USE_SASL=DIGEST-MD5
+	fi
 else
 	SASL="nosasl"
+	SASL_MECH=
 fi
 sed -e "s/@BACKEND@/${BACKEND}/"			\
 	-e "s/^#${BACKEND}#//"				\
@@ -38,5 +42,6 @@ sed -e "s/@BACKEND@/${BACKEND}/"			\
 	-e "s/^#${MON}#//"				\
 	-e "s/^#${MONMOD}#//"				\
 	-e "s/^#${SASL}#//"				\
+	-e "s/#SASL_MECH#/\"mech=${USE_SASL}\"/"	\
 	-e "s/@CACHETTL@/${CACHETTL}/"			\
 	-e "s/@ENTRY_LIMIT@/${CACHE_ENTRY_LIMIT}/"   

tests/scripts/defines.sh

@@ -96,6 +96,7 @@ CMPOUT=/dev/null
 SLAPD="../servers/slapd/slapd -s0"
 SLURPD=../servers/slurpd/slurpd
 LDAPPASSWD="$CLIENTDIR/ldappasswd $TOOLARGS"
+LDAPSASLSEARCH="$CLIENTDIR/ldapsearch $TOOLPROTO $LDAP_TOOLARGS -LLL"
 LDAPSEARCH="$CLIENTDIR/ldapsearch $TOOLPROTO $TOOLARGS -LLL"
 LDAPRSEARCH="$CLIENTDIR/ldapsearch $TOOLPROTO $TOOLARGS"
 LDAPMODIFY="$CLIENTDIR/ldapmodify $TOOLPROTO $TOOLARGS"
@@ -202,6 +203,7 @@ CERTIFICATEOUT=$DATADIR/certificate.out
 DNOUT=$DATADIR/dn.out
 EMPTYDNOUT1=$DATADIR/emptydn.out.slapadd
 EMPTYDNOUT2=$DATADIR/emptydn.out
+IDASSERTOUT=$DATADIR/idassert.out
 
 # Just in case we linked the binaries dynamically
 LD_LIBRARY_PATH=`pwd`/../libraries:${LD_LIBRARY_PATH} export LD_LIBRARY_PATH

tests/scripts/test028-idassert

@@ -22,11 +22,19 @@ if test $BACKLDAP = "ldapno" ; then
 fi 
 
 if test $WITH_SASL = "yes" ; then
-	if test $USE_SASL = "yes" ; then
-		echo "Using SASL authc/authz..."
+	if test $USE_SASL != "no" ; then
+		if test $USE_SASL = "yes" ; then
+			MECH="DIGEST-MD5"
+		else
+			MECH="$USE_SASL"
+		fi
+		echo "Using SASL authc/authz with mech=$MECH; unset SLAPD_USE_SASL to disable"
 	else
-		echo "Using proxyAuthz with simple authc"
-		echo "set SLAPD_USE_SASL=yes to enable SASL authc/authz..."
+		echo "Using proxyAuthz with simple authc..."
+		echo "        set SLAPD_USE_SASL={yes|<mech>} to enable SASL authc/authz"
+		echo "        if SLAPD_USE_SASL=\"yes\", <mech> defaults to DIGEST-MD5"
+		echo "        FIXME: should be mandatory, right?"
+		echo "        FIXME: authz with CRAM-MD5 does not work..."
 	fi
 else
 	echo "SASL not available; using proxyAuthz with simple authc..."
@@ -169,6 +177,58 @@ if test $RC != 0 ; then
 	exit $RC
 fi
 
+ID="uid=jaj,ou=People,dc=example,dc=it"
+BASE="o=Example,c=US"
+echo "Testing ldapsearch as $ID for \"$BASE\"..."
+$LDAPSEARCH -h $LOCALHOST -p $PORT1 -b "$BASE" \
+	-D "$ID" -w jaj > $SEARCHOUT 2>&1
+
+RC=$?
+if test $RC != 0 ; then
+	echo "ldapsearch failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+echo "Filtering ldapsearch results..."
+. $LDIFFILTER < $SEARCHOUT > $SEARCHFLT
+echo "Filtering original ldif used to create database..."
+. $LDIFFILTER < $IDASSERTOUT > $LDIFFLT
+echo "Comparing filter output..."
+$CMP $SEARCHFLT $LDIFFLT > $CMPOUT
+	
+if test $? != 0 ; then
+	echo "comparison failed - search with identity assertion didn't succeed"
+	exit 1
+fi
+
+if test $USE_SASL != "no" ; then
+	ID="it/jaj"
+	BASE="o=Example,c=US"
+	echo "Testing ldapsearch as $ID for \"$BASE\" with SASL bind and identity assertion..."
+	$LDAPSASLSEARCH -h $LOCALHOST -p $PORT1 -b "$BASE" \
+		-Q -U "$ID" -w jaj -Y $MECH > $SEARCHOUT 2>&1
+
+	RC=$?
+	if test $RC != 0 ; then
+		echo "ldapsearch failed ($RC)!"
+		test $KILLSERVERS != no && kill -HUP $KILLPIDS
+		exit $RC
+	fi
+
+	echo "Filtering ldapsearch results..."
+	. $LDIFFILTER < $SEARCHOUT > $SEARCHFLT
+	echo "Filtering original ldif used to create database..."
+	. $LDIFFILTER < $IDASSERTOUT > $LDIFFLT
+	echo "Comparing filter output..."
+	$CMP $SEARCHFLT $LDIFFLT > $CMPOUT
+	
+	if test $? != 0 ; then
+		echo "comparison failed - search with SASL bind and identity assertion didn't succeed"
+		exit 1
+	fi
+fi
+
 test $KILLSERVERS != no && kill -HUP $KILLPIDS
 
 echo ">>>>> Test succeeded"