From 766cd03a2fbdda66bf178da31e0ec74d16924b2a Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Fri, 31 Jul 2020 01:38:48 +0100
Subject: [PATCH] ITS#9279 test Netscape password expiration controls

and do some LDIF cleanup
---
 clients/tools/common.c        |  24 ++++----
 tests/scripts/test022-ppolicy | 110 +++++++++++++++++++++++++++++++---
 2 files changed, 113 insertions(+), 21 deletions(-)

diff --git a/clients/tools/common.c b/clients/tools/common.c
index 9d75370176..2658fcd2bc 100644
--- a/clients/tools/common.c
+++ b/clients/tools/common.c
@@ -1570,20 +1570,20 @@ tool_bind( LDAP *ld )
 #endif
 
 #ifdef LDAP_CONTROL_X_PASSWORD_EXPIRED
-	if ( ctrls ) {
-		LDAPControl *ctrl;
-		ctrl = ldap_control_find( LDAP_CONTROL_X_PASSWORD_EXPIRED,
-			ctrls, NULL );
-		if ( !ctrl )
-			ctrl = ldap_control_find( LDAP_CONTROL_X_PASSWORD_EXPIRING,
+		if ( ctrls ) {
+			LDAPControl *ctrl;
+			ctrl = ldap_control_find( LDAP_CONTROL_X_PASSWORD_EXPIRED,
 				ctrls, NULL );
-		if ( ctrl ) {
-			LDAPControl *ctmp[2];
-			ctmp[0] = ctrl;
-			ctmp[1] = NULL;
-			tool_print_ctrls( ld, ctmp );
+			if ( !ctrl )
+				ctrl = ldap_control_find( LDAP_CONTROL_X_PASSWORD_EXPIRING,
+					ctrls, NULL );
+			if ( ctrl ) {
+				LDAPControl *ctmp[2];
+				ctmp[0] = ctrl;
+				ctmp[1] = NULL;
+				tool_print_ctrls( ld, ctmp );
+			}
 		}
-	}
 #endif
 
 		if ( ctrls ) {
diff --git a/tests/scripts/test022-ppolicy b/tests/scripts/test022-ppolicy
index 904497832b..3bb2d0ee61 100755
--- a/tests/scripts/test022-ppolicy
+++ b/tests/scripts/test022-ppolicy
@@ -142,7 +142,7 @@ fi
 echo "Filling password history..."
 $LDAPMODIFY -v -D "$USER" -h $LOCALHOST -p $PORT1 -w $PASS >> \
 	$TESTOUT 2>&1 << EOMODS
-dn: uid=nd, ou=People, dc=example, dc=com
+dn: $USER
 changetype: modify
 delete: userpassword
 userpassword: $PASS
@@ -150,7 +150,7 @@ userpassword: $PASS
 replace: userpassword
 userpassword: 20urgle12-1
 
-dn: uid=nd, ou=People, dc=example, dc=com
+dn: $USER
 changetype: modify
 delete: userpassword
 userpassword: 20urgle12-1
@@ -158,7 +158,7 @@ userpassword: 20urgle12-1
 replace: userpassword
 userpassword: 20urgle12-2
 
-dn: uid=nd, ou=People, dc=example, dc=com
+dn: $USER
 changetype: modify
 delete: userpassword
 userpassword: 20urgle12-2
@@ -166,7 +166,7 @@ userpassword: 20urgle12-2
 replace: userpassword
 userpassword: 20urgle12-3
 
-dn: uid=nd, ou=People, dc=example, dc=com
+dn: $USER
 changetype: modify
 delete: userpassword
 userpassword: 20urgle12-3
@@ -174,7 +174,7 @@ userpassword: 20urgle12-3
 replace: userpassword
 userpassword: 20urgle12-4
 
-dn: uid=nd, ou=People, dc=example, dc=com
+dn: $USER
 changetype: modify
 delete: userpassword
 userpassword: 20urgle12-4
@@ -182,7 +182,7 @@ userpassword: 20urgle12-4
 replace: userpassword
 userpassword: 20urgle12-5
 
-dn: uid=nd, ou=People, dc=example, dc=com
+dn: $USER
 changetype: modify
 delete: userpassword
 userpassword: 20urgle12-5
@@ -200,7 +200,7 @@ fi
 echo "Testing password history..."
 $LDAPMODIFY -v -D "$USER" -h $LOCALHOST -p $PORT1 -w 20urgle12-6 >> \
 	$TESTOUT 2>&1 << EOMODS
-dn: uid=nd, ou=People, dc=example, dc=com
+dn: $USER
 changetype: modify
 delete: userPassword
 userPassword: 20urgle12-6
@@ -220,7 +220,7 @@ echo "Testing forced reset..."
 
 $LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD >> \
 	$TESTOUT 2>&1 << EOMODS
-dn: uid=nd, ou=People, dc=example, dc=com
+dn: $USER
 changetype: modify
 replace: userPassword
 userPassword: $PASS
@@ -256,7 +256,7 @@ echo "Clearing forced reset..."
 
 $LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD >> \
 	$TESTOUT 2>&1 << EOMODS
-dn: uid=nd, ou=People, dc=example, dc=com
+dn: $USER
 changetype: modify
 delete: pwdReset
 
@@ -557,6 +557,98 @@ fi
 
 fi
 
+echo ""
+echo "Testing obsolete Netscape ppolicy controls..."
+echo "Enabling Netscape controls..."
+$LDAPMODIFY -v -D cn=config -H $URI1 -y $CONFIGPWF >> \
+	$TESTOUT 2>&1 << EOMODS
+dn: olcOverlay={0}ppolicy,olcDatabase={1}$BACKEND,cn=config
+changetype: modify
+replace: olcPPolicySendNetscapeControls
+olcPPolicySendNetscapeControls: TRUE
+-
+
+EOMODS
+RC=$?
+if test $RC != 0 ; then
+	echo "ldapmodify failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+echo "Reconfiguring policy to remove grace logins..."
+$LDAPMODIFY -v -D "$MANAGERDN" -H $URI1 -w $PASSWD >> \
+	$TESTOUT 2>&1 << EOMODS
+dn: cn=Standard Policy, ou=Policies, dc=example, dc=com
+changetype: modify
+delete: pwdGraceAuthnLimit
+-
+replace: pwdMaxAge
+pwdMaxAge: 15
+-
+
+EOMODS
+RC=$?
+if test $RC != 0 ; then
+	echo "ldapmodify failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+OLDPASS=$PASS
+PASS=newpass
+$LDAPPASSWD -H $URI1 \
+	-w secret -s $PASS \
+	-D "$MANAGERDN" "$USER" >> $TESTOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+	echo "Setting new password failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+echo "Clearing forced reset..."
+$LDAPMODIFY -v -D "$MANAGERDN" -H $URI1 -w $PASSWD >> \
+	$TESTOUT 2>&1 << EOMODS
+dn: $USER
+changetype: modify
+delete: pwdReset
+
+EOMODS
+
+DELAY=10
+
+echo "Testing password expiration"
+echo "Waiting $DELAY seconds for password to expire..."
+sleep $DELAY
+
+$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
+	-b "$BASEDN" -s base > $SEARCHOUT 2>&1
+sleep 3
+$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
+	-b "$BASEDN" -s base >> $SEARCHOUT 2>&1
+sleep 3
+$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
+	-b "$BASEDN" -s base >> $SEARCHOUT 2>&1
+sleep 3
+$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
+	-b "$BASEDN" -s base >> $SEARCHOUT 2>&1
+sleep 3
+$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
+	-b "$BASEDN" -s base >> $SEARCHOUT 2>&1
+RC=$?
+if test $RC = 0 ; then
+	echo "Password expiration failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit 1
+fi
+COUNT=`grep "PasswordExpiring" $SEARCHOUT | wc -l`
+if test $COUNT = 0 ; then
+	echo "Password expiring warning test failed!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit 1
+fi
+
 test $KILLSERVERS != no && kill -HUP $KILLPIDS
 
 echo ">>>>> Test succeeded"
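Review bot: The expiry assertion after the fifth `$LDAPSEARCH` (`if test $RC = 0`) treats any non-zero exit as proof that the password expired, so a connection failure or a slapd crash during the sleeps would be recorded as successful policy enforcement. The client tool's exit status is the LDAP result code, so the check can be pinned to invalidCredentials with `if test $RC != 49 ; then`, assuming that is the code ppolicy returns for an expired bind with no grace logins. It would also help to grep `$SEARCHOUT` for the expired control, in the same way the hunk already greps for `PasswordExpiring`. Two smaller points in the same hunk: the `$LDAPPASSWD` call hard-codes `-w secret` while the neighbouring `$LDAPMODIFY` calls use `-w $PASSWD`, and the second "Clearing forced reset..." `$LDAPMODIFY` has no `RC=$?` check. If that `pwdReset` delete fails, the later searches may fail for a reason other than expiry and still satisfy the current test.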
-- 
GitLab