Commit 4f593f55 authored by Pierangelo Masarati's avatar Pierangelo Masarati
Browse files

improve test028; add test029 about glueing ldap databases with identity assertion

parent 5bfb9fd5
dn: dc=example,dc=com
objectClass: organization
objectClass: dcObject
o: Example, Inc.
dc: example
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People
dn: uid=bjorn,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: Bjorn Jensen
sn: Jensen
uid: bjorn
mail: bjorn@example.com
dn: uid=bjensen,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: Barbara Jensen
sn: Jensen
uid: bjensen
mail: bjensen@example.com
dn: uid=proxy,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: Proxy
sn: Proxy
uid: proxy
dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups
dn: cn=All,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: All
member: uid=bjorn,ou=People,dc=example,dc=com
member: uid=bjensen,ou=People,dc=example,dc=com
dn: cn=ITD,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: ITD
member: uid=bjorn,ou=People,dc=example,dc=com
dn: uid=proxy,ou=Groups,dc=example,dc=com
objectClass: inetOrgPerson
cn: Proxy
sn: Proxy
uid: proxy
dn: dc=example,dc=com
objectClass: organization
objectClass: dcObject
o: Example, Inc.
dc: example
......@@ -79,21 +79,21 @@ index cn,sn,uid pres,eq,sub
database ldap
suffix "o=Example,c=US"
suffixmassage "o=Example,c=US" "dc=example,dc=com"
uri "ldap://:9011/"
uri "@URI1@"
#sasl#idassert-method "sasl" "authcDN=cn=Proxy US,ou=Admin,dc=example,dc=com" "authcID=admin/proxy US" "cred=proxy" #SASL_MECH#
#sasl#idassert-method "sasl" "authcDN=cn=Proxy US,ou=Admin,dc=example,dc=com" "authcID=admin/proxy US" "cred=proxy" @SASL_MECH@
#nosasl#idassert-method "simple"
#nosasl#idassert-authcDN "cn=Proxy US,ou=Admin,dc=example,dc=com"
#nosasl#idassert-passwd proxy
idassert-mode self
# authorizes database
idassert-authz "dn.subtree:dc=example,dc=it"
idassert-authzFrom "dn.subtree:dc=example,dc=it"
database ldap
suffix "o=Esempio,c=IT"
suffixmassage "o=Esempio,c=IT" "dc=example,dc=com"
uri "ldap://:9011/"
uri "@URI1@"
acl-authcDN "cn=Proxy IT,ou=Admin,dc=example,dc=com"
acl-passwd proxy
......@@ -104,9 +104,9 @@ idassert-passwd proxy
idassert-mode "dn:cn=Sandbox,ou=Admin,dc=example,dc=com"
# authorizes database
idassert-authz "dn.subtree:dc=example,dc=com"
idassert-authzFrom "dn.subtree:dc=example,dc=com"
# authorizes anonymous
idassert-authz "dn.exact:"
idassert-authzFrom "dn.exact:"
access to attrs=entry,cn,sn,mail
by users read
......
# master slapd config -- for testing
# $OpenLDAP: pkg/ldap/tests/data/slapd-pw.conf,v 1.19.2.4 2003/12/15 22:05:29
kurt Exp $
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2003 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
#ucdata-path ./ucdata
include ./schema/core.schema
include ./schema/cosine.schema
include ./schema/inetorgperson.schema
include ./schema/openldap.schema
include ./schema/nis.schema
pidfile ./testrun/slapd.1.pid
argsfile ./testrun/slapd.1.args
# password-hash {md5}
#mod#modulepath ../servers/slapd/back-@BACKEND@/
#mod#moduleload back_@BACKEND@.la
#######################################################################
# ldbm database definitions
#######################################################################
authz-regexp "^uid=([^,]+),.*" "uid=$1,ou=People,dc=example,dc=com"
#
# normal installations should protect root dse,
# cn=monitor, cn=schema, and cn=config
#
access to attr=userpassword
by self =wx
by anonymous =x
access to *
by * read
# people branch
database ldap
suffix "ou=People,dc=example,dc=com"
uri "@URI2@"
# FIXME: doesn't work with authz=native
#sasl#idassert-method sasl authcid=proxy cred=proxy @SASL_MECH@
#nosasl#idassert-method simple
#nosasl#idassert-authcDN "uid=proxy,ou=People,dc=example,dc=com"
#nosasl#idassert-passwd proxy
idassert-mode self
subordinate
# groups branch
database ldap
suffix "ou=Groups,dc=example,dc=com"
uri "@URI3@"
# FIXME: doesn't work with authz=native
#sasl#idassert-method sasl authcid=proxy cred=proxy @SASL_MECH@
#nosasl#idassert-method simple
#nosasl#idassert-authcDN "uid=proxy,ou=Groups,dc=example,dc=com"
#nosasl#idassert-passwd proxy
idassert-mode self
subordinate
# root
database @BACKEND@
suffix "dc=example,dc=com"
directory ./testrun/db.1.a
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
index objectClass eq
index cn,sn,uid pres,eq,sub
# master slapd config -- for testing
# $OpenLDAP: pkg/ldap/tests/data/slapd-pw.conf,v 1.19.2.4 2003/12/15 22:05:29
kurt Exp $
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2003 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
#ucdata-path ./ucdata
include ./schema/core.schema
include ./schema/cosine.schema
include ./schema/inetorgperson.schema
include ./schema/openldap.schema
include ./schema/nis.schema
pidfile ./testrun/slapd.3.pid
argsfile ./testrun/slapd.3.args
# password-hash {md5}
#mod#modulepath ../servers/slapd/back-@BACKEND@/
#mod#moduleload back_@BACKEND@.la
#######################################################################
# ldbm database definitions
#######################################################################
authz-policy to
authz-regexp "^uid=([^,]+),.*" "uid=$1,ou=Groups,dc=example,dc=com"
#
# normal installations should protect root dse,
# cn=monitor, cn=schema, and cn=config
#
access to attr=userpassword
by self =wx
by anonymous =x
access to *
by users read
by * search
# people branch
database @BACKEND@
suffix "ou=Groups,dc=example,dc=com"
directory ./testrun/db.3.a
rootdn "cn=Manager,ou=Groups,dc=example,dc=com"
rootpw secret
index objectClass eq
index cn,sn,uid pres,eq,sub
# master slapd config -- for testing
# $OpenLDAP: pkg/ldap/tests/data/slapd-pw.conf,v 1.19.2.4 2003/12/15 22:05:29
kurt Exp $
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2003 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
#ucdata-path ./ucdata
include ./schema/core.schema
include ./schema/cosine.schema
include ./schema/inetorgperson.schema
include ./schema/openldap.schema
include ./schema/nis.schema
pidfile ./testrun/slapd.2.pid
argsfile ./testrun/slapd.2.args
# password-hash {md5}
#mod#modulepath ../servers/slapd/back-@BACKEND@/
#mod#moduleload back_@BACKEND@.la
#######################################################################
# ldbm database definitions
#######################################################################
authz-policy to
authz-regexp "^uid=([^,]+),.*" "uid=$1,ou=People,dc=example,dc=com"
#
# normal installations should protect root dse,
# cn=monitor, cn=schema, and cn=config
#
# uid=proxy,ou=People,dc=example,dc=com needs to read userPassword
# to do SASL bind!
access to attr=userpassword
by dn.exact="uid=proxy,ou=People,dc=example,dc=com" read
by self =wx
by anonymous =x
access to *
by dn.exact="uid=proxy,ou=People,dc=example,dc=com" read
by users read
by * search
# people branch
database @BACKEND@
suffix "ou=People,dc=example,dc=com"
directory ./testrun/db.2.a
rootdn "cn=Manager,ou=People,dc=example,dc=com"
rootpw secret
index objectClass eq
index cn,sn,uid pres,eq,sub
......@@ -17,6 +17,7 @@ userPassword:: Ympvcm4=
mail: bjorn@example.com
description: ***
authzFrom: dn.exact:uid=jaj,o=Example,c=US
authzFrom: dn.subtree:ou=People,dc=example,dc=it
dn: uid=bjensen,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
......
dn: dc=example,dc=com
objectClass: organization
objectClass: dcObject
o: Example, Inc.
dc: example
dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups
dn: cn=All,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: All
member: uid=bjorn,ou=People,dc=example,dc=com
member: uid=bjensen,ou=People,dc=example,dc=com
dn: cn=ITD,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: ITD
member: uid=bjorn,ou=People,dc=example,dc=com
dn: uid=proxy,ou=Groups,dc=example,dc=com
objectClass: inetOrgPerson
cn: Proxy
sn: Proxy
uid: proxy
userPassword:: cHJveHk=
authzTo: dn:*
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People
dn: uid=bjorn,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: Bjorn Jensen
sn: Jensen
uid: bjorn
userPassword:: Ympvcm4=
mail: bjorn@example.com
dn: uid=bjensen,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: Barbara Jensen
sn: Jensen
uid: bjensen
userPassword:: YmplbnNlbg==
mail: bjensen@example.com
dn: uid=proxy,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: Proxy
sn: Proxy
uid: proxy
userPassword:: cHJveHk=
authzTo: dn:*
......@@ -43,6 +43,9 @@ sed -e "s/@BACKEND@/${BACKEND}/" \
-e "s/^#${MON}#//" \
-e "s/^#${MONMOD}#//" \
-e "s/^#${SASL}#//" \
-e "s/#SASL_MECH#/${SASL_MECH}/" \
-e "s;@URI1@;${URI1};" \
-e "s;@URI2@;${URI2};" \
-e "s;@URI3@;${URI3};" \
-e "s/@SASL_MECH@/${SASL_MECH}/" \
-e "s/@CACHETTL@/${CACHETTL}/" \
-e "s/@ENTRY_LIMIT@/${CACHE_ENTRY_LIMIT}/"
......@@ -64,6 +64,9 @@ LIMITSCONF=$DATADIR/slapd-limits.conf
DNCONF=$DATADIR/slapd-dn.conf
EMPTYDNCONF=$DATADIR/slapd-emptydn.conf
IDASSERTCONF=$DATADIR/slapd-idassert.conf
LDAPGLUECONF1=$DATADIR/slapd-ldapglue.conf
LDAPGLUECONF2=$DATADIR/slapd-ldapgluepeople.conf
LDAPGLUECONF3=$DATADIR/slapd-ldapgluegroups.conf
CONF1=$TESTDIR/slapd.1.conf
CONF2=$TESTDIR/slapd.2.conf
......@@ -139,6 +142,9 @@ LDIFEMPTYDN1=$DATADIR/test-emptydn1.ldif
LDIFEMPTYDN2=$DATADIR/test-emptydn2.ldif
LDIFIDASSERT1=$DATADIR/test-idassert1.ldif
LDIFIDASSERT2=$DATADIR/test-idassert2.ldif
LDIFLDAPGLUE1=$DATADIR/test-ldapglue.ldif
LDIFLDAPGLUE2=$DATADIR/test-ldapgluepeople.ldif
LDIFLDAPGLUE3=$DATADIR/test-ldapgluegroups.ldif
MONITOR=""
REFDN="c=US"
BASEDN="dc=example,dc=com"
......@@ -204,6 +210,8 @@ DNOUT=$DATADIR/dn.out
EMPTYDNOUT1=$DATADIR/emptydn.out.slapadd
EMPTYDNOUT2=$DATADIR/emptydn.out
IDASSERTOUT=$DATADIR/idassert.out
LDAPGLUEOUT=$DATADIR/ldapglue.out
LDAPGLUEANONYMOUSOUT=$DATADIR/ldapglueanonymous.out
# Just in case we linked the binaries dynamically
LD_LIBRARY_PATH=`pwd`/../libraries:${LD_LIBRARY_PATH} export LD_LIBRARY_PATH
......@@ -16,11 +16,11 @@
echo "running defines.sh"
. $SRCDIR/scripts/defines.sh
echo "### This test needs the ldap backend."
echo "### This test requires the ldap backend."
echo "### If available, and explicitly requested, it can use SASL bind;"
echo "### note that SASL must be properly set up, and the requested"
echo "### mechanism must be available. Define SLAPD_USE_SASL={yes|<mech>},"
echo "### wth \"yes\" defaulting to DIGEST-MD5 to enable SASL authc[/authz]."
echo "### with \"yes\" defaulting to DIGEST-MD5 to enable SASL authc[/authz]."
if test $BACKLDAP = "ldapno" ; then
echo "LDAP backend not available, test skipped"
......@@ -201,6 +201,7 @@ $CMP $SEARCHFLT $LDIFFLT > $CMPOUT
if test $? != 0 ; then
echo "comparison failed - search with identity assertion didn't succeed"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit 1
fi
......@@ -227,6 +228,7 @@ if test $USE_SASL != "no" ; then
if test $? != 0 ; then
echo "comparison failed - search with SASL bind and identity assertion didn't succeed"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit 1
fi
fi
......
#! /bin/sh
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2004 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
echo "running defines.sh"
. $SRCDIR/scripts/defines.sh
echo "### This test requires the ldap backend."
echo "### If available, and explicitly requested, it can use SASL bind;"
echo "### note that SASL must be properly set up, and the requested"
echo "### mechanism must be available. Define SLAPD_USE_SASL={yes|<mech>},"
echo "### with \"yes\" defaulting to DIGEST-MD5 to enable SASL authc[/authz]."
if test $BACKLDAP = "ldapno" ; then
echo "LDAP backend not available, test skipped"
exit 0
fi
if test $WITH_SASL = "yes" ; then
if test $USE_SASL != "no" ; then
if test $USE_SASL = "yes" ; then
MECH="DIGEST-MD5"
else
MECH="$USE_SASL"
fi
echo "Using SASL authc[/authz] with mech=$MECH; unset SLAPD_USE_SASL to disable"
else
echo "Using proxyAuthz with simple authc..."
fi
else
echo "SASL not available; using proxyAuthz with simple authc..."
fi
mkdir -p $TESTDIR $DBDIR1 $DBDIR2 $DBDIR3
echo "Running slapadd to build slapd database..."
. $CONFFILTER $BACKEND $MONITORDB < $LDAPGLUECONF1 > $ADDCONF
$SLAPADD -f $ADDCONF -l $LDIFLDAPGLUE1
RC=$?
if test $RC != 0 ; then
echo "slapadd 1 failed ($RC)!"
exit $RC
fi
. $CONFFILTER $BACKEND $MONITORDB < $LDAPGLUECONF2 > $ADDCONF
$SLAPADD -f $ADDCONF -l $LDIFLDAPGLUE2
RC=$?
if test $RC != 0 ; then
echo "slapadd 2 failed ($RC)!"
exit $RC
fi
. $CONFFILTER $BACKEND $MONITORDB < $LDAPGLUECONF3 > $ADDCONF
$SLAPADD -f $ADDCONF -l $LDIFLDAPGLUE3
RC=$?
if test $RC != 0 ; then
echo "slapadd 3 failed ($RC)!"
exit $RC
fi
echo "Starting local slapd on TCP/IP port $PORT1..."
. $CONFFILTER $BACKEND $MONITORDB < $LDAPGLUECONF1 > $CONF1
$SLAPD -f $CONF1 -h $URI1 -d $LVL $TIMING > $LOG1 2>&1 &
PID1=$!
if test $WAIT != 0 ; then
echo PID $PID1
read foo
fi
echo "Starting remote slapd 1 on TCP/IP port $PORT2..."
. $CONFFILTER $BACKEND $MONITORDB < $LDAPGLUECONF2 > $CONF2
$SLAPD -f $CONF2 -h $URI2 -d $LVL $TIMING > $LOG2 2>&1 &
PID2=$!
if test $WAIT != 0 ; then
echo PID $PID2
read foo
fi
echo "Starting remote slapd 2 on TCP/IP port $PORT3..."
. $CONFFILTER $BACKEND $MONITORDB < $LDAPGLUECONF3 > $CONF3
$SLAPD -f $CONF3 -h $URI3 -d $LVL $TIMING > $LOG3 2>&1 &
PID3=$!
if test $WAIT != 0 ; then
echo PID $PID3
read foo
fi
KILLPIDS="$PID1 $PID2 $PID3"
echo "Using ldapsearch to check that slapd is running..."
for i in 0 1 2 3 4 5; do
$LDAPSEARCH -s base -b "$MONITOR" -h $LOCALHOST -p $PORT1 \
'objectclass=*' > /dev/null 2>&1
RC=$?
if test $RC = 0 ; then
break
fi
echo "Waiting 5 seconds for slapd to start..."
sleep 5
done
echo "Using ldapsearch to check that slapd is running..."
for i in 0 1 2 3 4 5; do
$LDAPSEARCH -s base -b "$MONITOR" -h $LOCALHOST -p $PORT2 \
'objectclass=*' > /dev/null 2>&1
RC=$?
if test $RC = 0 ; then
break
fi
echo "Waiting 5 seconds for slapd to start..."
sleep 5
done
echo "Using ldapsearch to check that slapd is running..."
for i in 0 1 2 3 4 5; do
$LDAPSEARCH -s base -b "$MONITOR" -h $LOCALHOST -p $PORT3 \
'objectclass=*' > /dev/null 2>&1
RC=$?
if test $RC = 0 ; then
break
fi
echo "Waiting 5 seconds for slapd to start..."
sleep 5
done
ID="uid=bjorn,ou=People,dc=example,dc=com"
BASE="dc=example,dc=com"
echo "Testing ldapsearch as $ID for \"$BASE\"..."
$LDAPSEARCH -h $LOCALHOST -p $PORT1 -b "$BASE" \
-D "$ID" -w bjorn > $SEARCHOUT 2>&1
RC=$?
if test $RC != 0 ; then
echo "ldapsearch failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo "Filtering ldapsearch results..."
. $LDIFFILTER < $SEARCHOUT > $SEARCHFLT
echo "Filtering original ldif used to create database..."
. $LDIFFILTER < $LDAPGLUEOUT > $LDIFFLT
echo "Comparing filter output..."
$CMP $SEARCHFLT $LDIFFLT > $CMPOUT
if test $? != 0 ; then
echo "comparison failed - glued search with identity assertion didn't succeed"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit 1
fi
BASE="dc=example,dc=com"
echo "Testing ldapsearch as anonymous for \"$BASE\"..."
$LDAPSEARCH -h $LOCALHOST -p $PORT1 -b "$BASE" \
> $SEARCHOUT 2>&1
RC=$?
if test $RC != 0 ; then
echo "ldapsearch failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo "Filtering ldapsearch results..."
. $LDIFFILTER < $SEARCHOUT > $SEARCHFLT
echo "Filtering original ldif used to create database..."
. $LDIFFILTER < $LDAPGLUEANONYMOUSOUT > $LDIFFLT
echo "Comparing filter output..."
$CMP $SEARCHFLT $LDIFFLT > $CMPOUT
if test $? != 0 ; then
echo "comparison failed - anonymous glued search with identity assertion didn't succeed"
test $KILLSERVERS != no && kill -HUP $KILLPIDS