#! /bin/sh
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2020 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.

# Pull in the shared test-suite definitions (directories, ports, the
# $LDAPSEARCH/$LDAPADD/$LDAPMODIFY tool wrappers, $KILLSERVERS, $BACKEND, ...).
# The variables used throughout this script are expected to come from there.
echo "running defines.sh"
. "$SRCDIR/scripts/defines.sh"

# AUTOCA=autocano means slapd was built without the autoca overlay; there is
# nothing to test then, so report and exit successfully.
if [ "$AUTOCA" = autocano ]; then
	echo "Automatic CA overlay not available, test skipped"
	exit 0
fi

# Per-test cn=config directory (slapd.d style) beneath $TESTDIR.
CFDIR=$TESTDIR/slapd.d

mkdir -p "$TESTDIR" "$CFDIR" "$DBDIR1"

# Generate the cn=config rootpw and keep it in $CONFIGPWF; the config
# ldapadd/ldapmodify calls below read it with -y so it never appears in argv.
$SLAPPASSWD -g -n >"$CONFIGPWF"

#
# Test operation of autoca:
# - configure over ldap without TLS
# - populate over ldap
# - add host entry
# - add autoca overlay
# - generate server and user certs
# - check for TLS operation
#

echo "Starting slapd on TCP/IP port $PORT1..."
# Render the dynamic config template for this backend/monitor combination,
# load it into $CFDIR with slapadd, then start slapd in the background on the
# plain (non-TLS) URI. TLS is exercised only later, once autoca has issued
# the server certificate.
. $CONFFILTER $BACKEND $MONITORDB < "$DYNAMICCONF" > "$CONFLDIF"
$SLAPADD -F "$CFDIR" -n 0 -l "$CONFLDIF"
$SLAPD -F "$CFDIR" -h "$URIP1" -d $LVL $TIMING > "$LOG1" 2>&1 &
PID=$!
# WAIT!=0 pauses here so a debugger can be attached to the new slapd.
if [ "$WAIT" != 0 ]; then
	echo PID $PID
	read -r foo
fi
KILLPIDS="$PID"
cd "$TESTWD"

sleep 1

echo "Using ldapsearch to check that slapd is running..."
# Poll the root DSE until slapd answers, at most six attempts 5 seconds
# apart. RC holds the status of the last attempt, so a server that never
# comes up is fatal below.
for attempt in 0 1 2 3 4 5; do
	$LDAPSEARCH -s base -b "" -H "$URIP1" \
		'objectclass=*' > /dev/null 2>&1
	RC=$?
	[ "$RC" = 0 ] && break
	echo "Waiting 5 seconds for slapd to start..."
	sleep 5
done

if [ "$RC" != 0 ]; then
	echo "ldapsearch failed ($RC)!"
	[ "$KILLSERVERS" = no ] || kill -HUP $KILLPIDS
	exit $RC
fi

echo "Adding schema and databases on slapd..."
# Load the schema files into cn=config over LDAP, binding as the config
# rootdn with the password file generated above.
$LDAPADD -H "$URIP1" -D cn=config -y "$CONFIGPWF" >>"$TESTOUT" 2>&1 <<EOF
include: file://$ABS_SCHEMADIR/core.ldif

include: file://$ABS_SCHEMADIR/cosine.ldif

include: file://$ABS_SCHEMADIR/inetorgperson.ldif

include: file://$ABS_SCHEMADIR/openldap.ldif

include: file://$ABS_SCHEMADIR/nis.ldif
EOF
RC=$?
if [ "$RC" != 0 ]; then
	echo "ldapadd failed for schema config ($RC)!"
	[ "$KILLSERVERS" = no ] || kill -HUP $KILLPIDS
	exit $RC
fi

# For the null backend, nullExclude turns the olc${BACKEND}Config objectClass
# and olcDbDirectory lines of the database LDIF below into LDIF comments;
# nullOK is set alongside it.
nullExclude=""
nullOK=""
if [ "$BACKEND" = null ]; then
	nullExclude="# "
	nullOK="OK"
fi

# A backend built as a dynamic module must be loaded into slapd before its
# database can be configured.
if [ "$BACKENDTYPE" = mod ]; then
	$LDAPADD -H "$URIP1" -D cn=config -y "$CONFIGPWF" >>"$TESTOUT" 2>&1 <<EOF
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: $TESTWD/../servers/slapd/back-$BACKEND
olcModuleLoad: back_$BACKEND.la
EOF
	RC=$?
	if [ "$RC" != 0 ]; then
		echo "ldapadd failed for backend config ($RC)!"
		[ "$KILLSERVERS" = no ] || kill -HUP $KILLPIDS
		exit $RC
	fi
fi

# Create database {1} for the test suffix with the test rootdn/rootpw.
# ${nullExclude} blanks the two lines the null backend does not take.
$LDAPADD -H "$URIP1" -D cn=config -y "$CONFIGPWF" >>"$TESTOUT" 2>&1 <<EOF
dn: olcDatabase={1}$BACKEND,cn=config
objectClass: olcDatabaseConfig
${nullExclude}objectClass: olc${BACKEND}Config
olcDatabase: {1}$BACKEND
olcSuffix: $BASEDN
${nullExclude}olcDbDirectory: $DBDIR1
olcRootDN: $MANAGERDN
olcRootPW: $PASSWD
EOF
RC=$?
if [ "$RC" != 0 ]; then
	echo "ldapadd failed for database config ($RC)!"
	[ "$KILLSERVERS" = no ] || kill -HUP $KILLPIDS
	exit $RC
fi

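# When INDEXDB is indexdb, add the usual equality/substring indexes to the
# test database.
if [ "$INDEXDB" = indexdb ]; then
	$LDAPMODIFY -H "$URIP1" -D cn=config -y "$CONFIGPWF" >>"$TESTOUT" 2>&1 <<EOF
dn: olcDatabase={1}$BACKEND,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: objectClass,entryUUID,entryCSN eq
olcDbIndex: cn,uid pres,eq,sub
EOF
	RC=$?
	if [ "$RC" != 0 ]; then
		# Previously read "ldapadd modify for database config"; name the
		# tool that ran and the step that failed.
		echo "ldapmodify failed for database index config ($RC)!"
		[ "$KILLSERVERS" = no ] || kill -HUP $KILLPIDS
		exit $RC
	fi
fi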

echo "Using ldapadd to populate slapd..."
# Load the standard ordered test data set as the database rootdn.
$LDAPADD -H "$URIP1" -D "$MANAGERDN" -w "$PASSWD" -f "$LDIFORDERED" \
	>> "$TESTOUT" 2>&1
RC=$?
if [ "$RC" != 0 ]; then
	echo "ldapadd failed for database populate ($RC)!"
	[ "$KILLSERVERS" = no ] || kill -HUP $KILLPIDS
	exit $RC
fi

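echo "Adding server entries to slapd..."
# Create the ou=Servers container and two host entries. cn=localhost is the
# one named by olcAutoCAlocalDN further down and the only one this test has
# a certificate generated for. Each entry's cn now carries its own RDN value;
# the www.example.com entry used to repeat "cn: localhost" (copy/paste slip),
# which is the wrong subject name for a host certificate.
$LDAPADD -H "$URIP1" -D "$MANAGERDN" -w "$PASSWD" >> "$TESTOUT" 2>&1 <<EOF
dn: ou=Servers,$BASEDN
objectClass: organizationalUnit
ou: Servers

dn: cn=localhost,ou=Servers,$BASEDN
objectClass: device
objectClass: ipHost
cn: localhost
ipHostNumber: 127.0.0.1

dn: cn=www.example.com,ou=Servers,$BASEDN
objectClass: device
objectClass: ipHost
cn: www.example.com
ipHostNumber: 93.184.216.34
EOF
RC=$?
if [ "$RC" != 0 ]; then
	# Was a copy of the "database populate" message; name this step.
	echo "ldapadd failed for server entries ($RC)!"
	[ "$KILLSERVERS" = no ] || kill -HUP $KILLPIDS
	exit $RC
fi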

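echo "Inserting autoca overlay on slapd..."
# Load the overlay module first when it was built as a loadable module
# (AUTOCA=autocamod); otherwise it is assumed to be built into slapd.
if [ "$AUTOCA" = autocamod ]; then
	# Append to $TESTOUT like every other step: this used to be a single '>'
	# which truncated the file and threw away the log of everything so far.
	$LDAPADD -H "$URIP1" -D cn=config -y "$CONFIGPWF" >> "$TESTOUT" 2>&1 <<EOF
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: $TESTWD/../servers/slapd/overlays
olcModuleLoad: autoca.la
EOF
	RC=$?
	if [ "$RC" != 0 ]; then
		echo "ldapadd failed for moduleLoad ($RC)!"
		[ "$KILLSERVERS" = no ] || kill -HUP $KILLPIDS
		exit $RC
	fi
fi
# Attach autoca to database {1}. olcAutoCAlocalDN names the server entry
# created above; presumably its certificate is the one slapd itself presents
# for TLS (the TLS checks below rely on that).
$LDAPMODIFY -H "$URIP1" -D cn=config -y "$CONFIGPWF" >> "$TESTOUT" 2>&1 <<EOF
dn: olcOverlay=autoca,olcDatabase={1}$BACKEND,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAutoCAConfig
olcOverlay: autoca
olcAutoCAlocalDN: cn=localhost,ou=Servers,$BASEDN
EOF
RC=$?
if [ "$RC" != 0 ]; then
	echo "ldapmodify failed for autoca config ($RC)!"
	[ "$KILLSERVERS" = no ] || kill -HUP $KILLPIDS
	exit $RC
fi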
echo "Using ldapsearch to retrieve CA cert..."
# Read cACertificate;binary from the suffix entry ($BASEDN, base scope) so
# that $SEARCHOUT contains only the dn line and the base64-encoded value.
$LDAPSEARCH -H "$URIP1" -D "$MANAGERDN" -w "$PASSWD" -b "$BASEDN" -s base \
	'objectclass=*' 'cACertificate;binary'  > "$SEARCHOUT" 2>&1
RC=$?

if [ "$RC" != 0 ]; then
	echo "ldapsearch failed ($RC)!"
	[ "$KILLSERVERS" = no ] || kill -HUP $KILLPIDS
	exit $RC
fi

echo "Setting up CA cert..."
# Turn the LDIF output into a PEM file: drop the dn line, the attribute name
# and blank lines, keep the base64 body between the PEM armour lines.
{
	echo "-----BEGIN CERTIFICATE-----"
	sed -e "/^dn:/d" -e "s/cACertificate;binary:://" -e "/^$/d" "$SEARCHOUT"
	echo "-----END CERTIFICATE-----"
} > "$TESTDIR/cacert.pem"

echo "Using ldapsearch to generate localhost cert..."
# Requesting the certificate/key attributes on the server entry named by
# olcAutoCAlocalDN is what makes autoca issue the server certificate.
# -A lists attribute names only, so the DER values are not written to
# $TESTOUT.
$LDAPSEARCH -H "$URIP1" -D "$MANAGERDN" -w "$PASSWD" -s base \
	-b "cn=localhost,ou=Servers,$BASEDN" \
	-A 'objectclass=*' 'userCertificate;binary' 'userPrivateKey;binary'  >> "$TESTOUT" 2>&1
RC=$?

if [ "$RC" != 0 ]; then
	echo "ldapsearch failed ($RC)!"
	[ "$KILLSERVERS" = no ] || kill -HUP $KILLPIDS
	exit $RC
fi

echo "Using ldapsearch to attempt TLS..."
# Trust only the CA certificate extracted above and require StartTLS to
# succeed (-ZZ): the search fails unless the certificate slapd presents
# chains to the autoca CA. LDAPNOINIT, when set, stops libldap from reading
# ldap.conf and the LDAP* environment, so it is unset here for
# LDAPTLS_CACERT to be honoured.
unset LDAPNOINIT
export LDAPTLS_CACERT="$TESTDIR/cacert.pem"
$LDAPSEARCH -H "$URIP1" -D "$MANAGERDN" -w "$PASSWD" -b "$BASEDN" -s base -ZZ \
	'objectclass=*' >> "$TESTOUT" 2>&1
RC=$?

if [ "$RC" != 0 ]; then
	echo "ldapsearch failed ($RC)!"
	[ "$KILLSERVERS" = no ] || kill -HUP $KILLPIDS
	exit $RC
fi

# note - the attrs are being saved in raw DER form.
# they need to be base64 encoded into PEM for most programs to use them
# so we ignore those files for now.
echo "Using ldapsearch to generate user cert..."
# Requesting the certificate/key attributes on the $BABSDN test user, over
# StartTLS, triggers issuance of that user's certificate. -t/-T write the
# binary values to files under $TESTDIR (unused, see the note above); the
# key is fetched over TLS only.
$LDAPSEARCH -H "$URIP1" -D "$MANAGERDN" -w "$PASSWD" -b "$BABSDN" -s base -ZZ \
	-T "$TESTDIR" -t 'objectclass=*' 'userCertificate;binary' 'userPrivateKey;binary'  >> "$TESTOUT" 2>&1
RC=$?

if [ "$RC" != 0 ]; then
	echo "ldapsearch failed ($RC)!"
	[ "$KILLSERVERS" = no ] || kill -HUP $KILLPIDS
	exit $RC
fi

echo "Using ldapsearch to retrieve user cert..."
# Fetch only userCertificate;binary of the user entry, over StartTLS, into
# $SEARCHOUT for PEM conversion.
$LDAPSEARCH -H "$URIP1" -D "$MANAGERDN" -w "$PASSWD" -b "$BABSDN" -s base -ZZ \
	'objectclass=*' 'userCertificate;binary' > "$SEARCHOUT" 2>&1
RC=$?

if [ "$RC" != 0 ]; then
	echo "ldapsearch failed ($RC)!"
	[ "$KILLSERVERS" = no ] || kill -HUP $KILLPIDS
	exit $RC
fi

echo "Setting up user cert..."
# PEM-wrap the base64 value. "/^ dc=com/d" drops what appears to be the
# LDIF continuation line of the wrapped dn, which "/^dn:/d" alone misses.
{
	echo "-----BEGIN CERTIFICATE-----"
	sed -e "/^dn:/d" -e "/^ dc=com/d" -e "s/userCertificate;binary:://" -e "/^$/d" "$SEARCHOUT"
	echo "-----END CERTIFICATE-----"
} > "$TESTDIR/usercert.pem"

echo "Using ldapsearch to retrieve user key..."
# Fetch the user's private key the same way, over StartTLS only.
$LDAPSEARCH -H "$URIP1" -D "$MANAGERDN" -w "$PASSWD" -b "$BABSDN" -s base -ZZ \
	'objectclass=*' 'userPrivateKey;binary' > "$SEARCHOUT" 2>&1
RC=$?

if [ "$RC" != 0 ]; then
	echo "ldapsearch failed ($RC)!"
	[ "$KILLSERVERS" = no ] || kill -HUP $KILLPIDS
	exit $RC
fi

echo "Setting up user key..."
# PEM-wrap the key exactly as the certificate above. userkey.pem is created
# with the shell's default umask inside the per-test directory; it is a
# throwaway test key.
{
	echo "-----BEGIN PRIVATE KEY-----"
	sed -e "/^dn:/d" -e "/^ dc=com/d" -e "s/userPrivateKey;binary:://" -e "/^$/d" "$SEARCHOUT"
	echo "-----END PRIVATE KEY-----"
} > "$TESTDIR/userkey.pem"

# Client certificate and key for the SASL/EXTERNAL bind at the end.
LDAPTLS_CERT=$TESTDIR/usercert.pem
LDAPTLS_KEY=$TESTDIR/userkey.pem
export LDAPTLS_CERT LDAPTLS_KEY

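echo "Setting TLSVerifyClient to try..."
# Make slapd request (but not require) a client certificate on TLS sessions,
# so the SASL/EXTERNAL bind below can be authenticated by the user cert.
$LDAPMODIFY -H "$URIP1" -D cn=config -y "$CONFIGPWF" >> "$TESTOUT" 2>&1 <<EOF
dn: cn=config
changetype: modify
replace: olcTLSVerifyClient
olcTLSVerifyClient: try
EOF
RC=$?
if [ "$RC" != 0 ]; then
	# Was a copy of the "autoca config" message; name the step that failed.
	echo "ldapmodify failed for TLSVerifyClient config ($RC)!"
	[ "$KILLSERVERS" = no ] || kill -HUP $KILLPIDS
	exit $RC
fi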

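# End-to-end check: bind with SASL/EXTERNAL over StartTLS using the
# autoca-issued user certificate/key exported above. The exit status has to
# be captured right here -- without the RC=$? the test below re-read the
# status of the preceding ldapmodify (already known to be 0), so a rejected
# client certificate could never fail the test. Output goes to $TESTOUT
# like every other step.
# TODO(review): also compare the returned authzDN against the user entry.
$CLIENTDIR/ldapwhoami -Y EXTERNAL -H "$URIP1" -ZZ >> "$TESTOUT" 2>&1
RC=$?

if [ "$RC" != 0 ]; then
	echo "ldapwhoami failed ($RC)!"
	[ "$KILLSERVERS" = no ] || kill -HUP $KILLPIDS
	exit $RC
fi

[ "$KILLSERVERS" = no ] || kill -HUP $KILLPIDS

echo ">>>>> Test succeeded"

[ "$KILLSERVERS" = no ] || wait

exit 0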