Commit 1dc0fc11 authored by Quanah Gibson-Mount's avatar Quanah Gibson-Mount

Merge remote-tracking branch 'origin/master' into OPENLDAP_REL_ENG_2_5

parents 46e3b09e 2ec44a11
......@@ -23,13 +23,13 @@ build-openssl-heimdal-lloadd:
stage: build
script:
- apt update
- DEBIAN_FRONTEND=noninteractive apt install -y build-essential pkg-config automake libsasl2-dev heimdal-multidev libssl-dev libltdl-dev groff-base unixodbc-dev libwiredtiger-dev libperl-dev heimdal-kdc libsasl2-modules-gssapi-heimdal sasl2-bin libevent-dev
- DEBIAN_FRONTEND=noninteractive apt install -y build-essential python3 gdb procps pkg-config automake libsasl2-dev heimdal-multidev libssl-dev libltdl-dev groff-base unixodbc-dev libwiredtiger-dev libperl-dev heimdal-kdc libsasl2-modules-gssapi-heimdal sasl2-bin libevent-dev
- autoreconf
- ./configure --enable-backends=mod --enable-overlays=mod --enable-modules --enable-dynamic --disable-ndb --enable-balancer=mod --disable-asyncmeta
- make depend
- make
- ulimit -n 4096 # back-monitor takes a while scanning a long connections array
- make test
- SLAPD_COMMON_WRAPPER=gdb make test
artifacts:
name: testdir
when: on_failure
......@@ -41,13 +41,13 @@ build-gnutls-mit-standalone-lloadd:
stage: build
script:
- apt update
- DEBIAN_FRONTEND=noninteractive apt install -y build-essential pkg-config automake libsasl2-dev libltdl-dev groff-base unixodbc-dev libwiredtiger-dev libperl-dev krb5-user krb5-kdc krb5-admin-server libsasl2-modules-gssapi-mit sasl2-bin libgnutls28-dev libevent-dev
- DEBIAN_FRONTEND=noninteractive apt install -y build-essential python3 gdb procps pkg-config automake libsasl2-dev libltdl-dev groff-base unixodbc-dev libwiredtiger-dev libperl-dev krb5-user krb5-kdc krb5-admin-server libsasl2-modules-gssapi-mit sasl2-bin libgnutls28-dev libevent-dev
- autoreconf
- ./configure --enable-backends=mod --enable-overlays=mod --disable-autoca --enable-modules --enable-dynamic --disable-ndb --enable-balancer=yes --disable-asyncmeta
- make depend
- make
- ulimit -n 4096 # back-monitor takes a while scanning a long connections array
- make test
- SLAPD_COMMON_WRAPPER=gdb make test
artifacts:
name: testdir
when: on_failure
......
......@@ -350,6 +350,7 @@ Overlays="accesslog \
ppolicy \
proxycache \
refint \
remoteauth \
retcode \
rwm \
seqmod \
......@@ -390,6 +391,8 @@ OL_ARG_ENABLE(proxycache, [AS_HELP_STRING([--enable-proxycache], [Proxy Cache ov
no, [no yes mod], ol_enable_overlays)
OL_ARG_ENABLE(refint, [AS_HELP_STRING([--enable-refint], [Referential Integrity overlay])],
no, [no yes mod], ol_enable_overlays)
OL_ARG_ENABLE(remoteauth, [AS_HELP_STRING([--enable-remoteauth], [Deferred Authentication overlay])],
no, [no yes mod], ol_enable_overlays)
OL_ARG_ENABLE(retcode, [AS_HELP_STRING([--enable-retcode], [Return Code testing overlay])],
no, [no yes mod], ol_enable_overlays)
OL_ARG_ENABLE(rwm, [AS_HELP_STRING([--enable-rwm], [Rewrite/Remap overlay])],
......@@ -566,6 +569,7 @@ BUILD_MEMBEROF=no
BUILD_PPOLICY=no
BUILD_PROXYCACHE=no
BUILD_REFINT=no
BUILD_REMOTEAUTH=no
BUILD_RETCODE=no
BUILD_RWM=no
BUILD_SEQMOD=no
......@@ -2842,6 +2846,18 @@ if test "$ol_enable_refint" != no ; then
AC_DEFINE_UNQUOTED(SLAPD_OVER_REFINT,$MFLAG,[define for Referential Integrity overlay])
fi
if test "$ol_enable_remoteauth" != no ; then
BUILD_REMOTEAUTH=$ol_enable_remoteauth
if test "$ol_enable_remoteauth" = mod ; then
MFLAG=SLAPD_MOD_DYNAMIC
SLAPD_DYNAMIC_OVERLAYS="$SLAPD_DYNAMIC_OVERLAYS remoteauth.la"
else
MFLAG=SLAPD_MOD_STATIC
SLAPD_STATIC_OVERLAYS="$SLAPD_STATIC_OVERLAYS remoteauth.o"
fi
AC_DEFINE_UNQUOTED(SLAPD_OVER_REMOTEAUTH,$MFLAG,[define for Deferred Authentication overlay])
fi
if test "$ol_enable_retcode" != no ; then
BUILD_RETCODE=$ol_enable_retcode
if test "$ol_enable_retcode" = mod ; then
......@@ -3014,6 +3030,7 @@ dnl overlays
AC_SUBST(BUILD_PPOLICY)
AC_SUBST(BUILD_PROXYCACHE)
AC_SUBST(BUILD_REFINT)
AC_SUBST(BUILD_REMOTEAUTH)
AC_SUBST(BUILD_RETCODE)
AC_SUBST(BUILD_RWM)
AC_SUBST(BUILD_SEQMOD)
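Review bot: The `OL_ARG_ENABLE(remoteauth, ...)` help string and the `AC_DEFINE_UNQUOTED(SLAPD_OVER_REMOTEAUTH, ...)` description both call this the "Deferred Authentication overlay", while the slapo-remoteauth(5) page added in the same commit describes it as passthrough authentication delegated to remote directories. Someone auditing which authentication paths a build enables will search for one term and miss the other. Using a single description in both places, for example `[Remote (passthrough) Authentication overlay]`, would keep `./configure --help` and the manual page in agreement.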
......
......@@ -253,6 +253,12 @@ E: limits group/groupOfNames/member="cn=dirsync,dc=example,dc=org" size.prtota
E: limits users size.soft=5 size.hard=100 size.prtotal=disabled
E: limits anonymous size.soft=2 size.hard=5 size.prtotal=disabled
H2: Glued/Subordinate database configurations
When using subordinate databases, it is necessary for any limits that
are to be applied across the parent and its subordinates to be defined in both
the parent and its subordinates. Otherwise the settings on the subordinate databases
are not honored.
H2: Further Information
For further information please see {{slapd.conf}}(5), {{ldapsearch}}(1) and {{slapd.access}}(5)
......
......@@ -43,8 +43,12 @@ slapd Configuration File}} chapters.
H2: Monitor configuration via cn=config(5)
{{This section has yet to be written.}}
The {{monitor backend}} is statically built into slapd and can be
instantiated via ldapadd.
> dn: olcDatabase=monitor,cn=config
> objectClass: olcDatabaseConfig
> olcDatabase: monitor
H2: Monitor configuration via slapd.conf(5)
......
......@@ -1637,6 +1637,17 @@ is requested cannot exceed the
size limit of regular searches unless extended by the
.B prtotal
switch.
The \fBolcLimits\fP statement is typically used to let an unlimited
number of entries be returned by searches performed
with the identity used by the consumer for synchronization purposes
by means of the RFC 4533 LDAP Content Synchronization protocol
(see \fBolcSyncrepl\fP for details).
When using subordinate databases, it is necessary for any limits that
are to be applied across the parent and its subordinates to be defined in
both the parent and its subordinates. Otherwise the settings on the
subordinate databases are not honored.
.RE
.TP
.B olcMaxDerefDepth: <depth>
......
......@@ -1583,7 +1583,7 @@ the use of the pagedResults control as a means to circumvent size
limitations on regular searches; the keyword
.I disabled
disables the control, i.e. no paged results can be returned.
Note that the total number of entries returned when the pagedResults control
Note that the total number of entries returned when the pagedResults control
is requested cannot exceed the
.B hard
size limit of regular searches unless extended by the
......@@ -1595,6 +1595,11 @@ number of entries be returned by searches performed
with the identity used by the consumer for synchronization purposes
by means of the RFC 4533 LDAP Content Synchronization protocol
(see \fBsyncrepl\fP for details).
When using subordinate databases, it is necessary for any limits that
are to be applied across the parent and its subordinates to be defined in
both the parent and its subordinates. Otherwise the settings on the
subordinate databases are not honored.
.RE
.TP
.B maxderefdepth <depth>
......
......@@ -137,6 +137,20 @@ The schema is loaded automatically by the overlay.
The schema includes a number of object classes and associated
attribute types as described below.
The root entry of the underlying accesslog database makes use
of the
.B auditContainer
class which is as follows:
.LP
.RS 4
( 1.3.6.1.4.1.4203.666.11.5.2.0
NAME 'auditContainer'
DESC 'AuditLog container'
SUP top STRUCTURAL
MAY ( cn $ reqStart $ reqEnd ) )
.RE
.P
There is
a basic
.B auditObject
......@@ -378,7 +392,7 @@ filter.
DESC 'ModRDN operation'
SUP auditWriteObject STRUCTURAL
MUST ( reqNewRDN $ reqDeleteOldRDN )
MAY ( reqNewSuperior $ reqOld ) )
MAY ( reqNewSuperior $ reqMod $ reqOld ) )
.RE
.P
The
......
......@@ -11,8 +11,9 @@ ETCDIR/slapd.d
.SH DESCRIPTION
The Audit Logging overlay can be used to record all changes on a given
backend database to a specified log file. Changes are logged as standard
LDIF, with an additional comment header giving the timestamp of the change
and the identity of the user making the change.
LDIF, with an additional comment header providing six fields of
information about the change. A second comment header is added at the end
of the operation to note the termination of the change.
.LP
For Add and Modify operations the identity comes from the modifiersName
associated with the operation. This is usually the same as the requestor's
......@@ -31,6 +32,19 @@ Specify the fully qualified path for the log file.
.B olcAuditlogFile <filename>
For use with
.B cn=config
.SH COMMENT FIELD INFORMATION
The first field is the operation type.
.br
The second field is the timestamp of the operation in seconds since epoch.
.br
The third field is the suffix of the database.
.br
The fourth field is the recorded modifiersName.
.br
The fifth field is the originating IP address and port.
.br
The sixth field is the connection number. A connection number of -1
indicates an internal slapd operation.
.SH EXAMPLE
The following LDIF could be used to add this overlay to
.B cn=config
......@@ -48,6 +62,30 @@ olcAuditlogFile: /tmp/auditlog.ldif
.RE
.LP
.LP
.SH EXAMPLE CHANGELOG
.LP
.RS
.nf
# modify 1614223245 dc=example,dc=com cn=admin,dc=example,dc=com IP=[::1]:47270 conn=1002
dn: uid=joepublic,ou=people,dc=example,dc=com
changetype: modify
replace: displayName
displayName: Joe Public
-
replace: entryCSN
entryCSN: 20210225032045.045229Z#000000#001#000000
-
replace: modifiersName
modifiersName: cn=admin,dc=example,dc=com
-
replace: modifyTimestamp
modifyTimestamp: 20210225032045Z
-
# end modify 1614223245
.fi
.RE
.LP
.SH FILES
.TP
ETCDIR/slapd.conf
......
.TH SLAPO-REMOTEAUTH 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" Copyright 1998-2021 The OpenLDAP Foundation, All Rights Reserved.
.\" Copying restrictions apply. See the COPYRIGHT file.
.\" $OpenLDAP$
.SH NAME
slapo-remoteauth \- Delegate authentication requests to remote directories, e.g. Active Directory
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
The
.B remoteauth
overlay to
.BR slapd (8)
provides passthrough authentication to remote directory servers, e.g.
Active Directory, for LDAP simple bind operations. The local LDAP entry
referenced in the bind operation is mapped to its counterpart in the remote
directory. An LDAP bind operation is performed against the remote directory
and results are returned based on those of the remote operation.
.LP
A slapd server configured with the
.B remoteauth
overlay handles an authentication request based on the presence of
.B userPassword
in the local entry. If the
.B userPassword
is present, authentication is performed locally, otherwise the
.B remoteauth
overlay performs the authentication request to the configured remote directory
server.
.LP
.SH CONFIGURATION
The following options can be applied to the
.B remoteauth
overlay within the slapd.conf file. All options should follow the
.B overlay remoteauth
directive.
.TP
.B overlay remoteauth
This directive adds the
.B remoteauth
overlay to the current database, see
.BR slapd.conf (5)
for details.
.TP
.B remoteauth_dn_attribute <dnattr>
Attribute in the local entry that is used to store the bind DN to a remote
directory server.
.TP
.B remoteauth_mapping <domain> <hostname|LDAP URI|file:///path/to/list_of_hostnames>
For a non-Windows deployment, a domain can be considered as a collection of
one or more hosts to which slapd server authentcates against on behalf of
authenticating users.
For a given domain name, the mapping specifies the target server(s),
e.g., Active Directory domain controller(s), to connect to via LDAP.
The second argument can be given either as a hostname, an LDAP URI, or a file
containing a list of hostnames/URIs, one per line. The hostnames are tried in
sequence until the connection succeeds.
This option can be provided more than once to provide mapping information for
different domains. For example:
.nf
remoteauth_mapping americas file:///path/to/americas.domain.hosts
remoteauth_mapping asiapacific file:///path/to/asiapacific.domain.hosts
remoteauth_mapping emea emeadc1.emea.example.com
.fi
.TP
.B remoteauth_domain_attribute <attr>
Attribute in the local entry that specifies the domain name, any text after
"\\" or ":" is ignored.
.TP
.B remoteauth_default_domain <default domain>
Default domain.
.TP
.B remoteauth_default_realm <server>
Fallback server to connect to for domains not specified in
.BR remoteauth_mapping .
.TP
.B remoteauth_retry_count <num>
Number of connection retries attempted. Default is 3.
.TP
.B remoteauth_store <on|off>
Whether to store the password in the local entry on successful bind. Default is
off.
.HP
.hy 0
.B remoteauth_tls
.B [starttls=yes]
.B [tls_cert=<file>]
.B [tls_key=<file>]
.B [tls_cacert=<file>]
.B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand]
.B [tls_reqsan=never|allow|try|demand]
.B [tls_cipher_suite=<ciphers>]
.B [tls_ecname=<names>]
.B [tls_crlcheck=none|peer|all]
.RS
Remoteauth specific TLS configuration, see
.BR slapd.conf (5)
for more details on each of the parameters and defaults.
.RE
.TP
.B remoteauth_tls_peerkey_hash <hostname> <hashname>:<base64 of public key hash>
Mapping between remote server hostnames and their public key hashes. Only one
mapping per hostname is supported and if any pins are specified, all hosts
need to be pinned. If set, pinning is in effect regardless of whether or not
certificate name validation is enabled by
.BR tls_reqcert .
.SH EXAMPLE
A typical example configuration of
.B remoteauth
overlay for AD is shown below (as a
.BR slapd.conf (5)
snippet):
.LP
.nf
database <database>
#...
overlay remoteauth
remoteauth_dn_attribute seeAlso
remoteauth_domain_attribute associatedDomain
remoteauth_default_realm americas.example.com
remoteauth_mapping americas file:///home/ldap/etc/remoteauth.americas
remoteauth_mapping emea emeadc1.emea.example.com
remoteauth_tls starttls=yes tls_reqcert=demand tls_cacert=/home/ldap/etc/example-ca.pem
remoteauth_tls_peerkey_hash ldap.americas.tld sha256:Bxv3MkLoDm6gt/iDfeGNdNNqa5TTpPDdIwvZM/cIgeo=
.fi
Where seeAlso contains the AD bind DN for the user, associatedDomain contains the
Windows Domain Id in the form of <NT-domain-name>:<NT-username> in which
anything following, including ":", is ignored.
.SH SEE ALSO
.BR slapd.conf (5),
.BR slapd (8).
.SH Copyrights
Copyright 2004-2021 The OpenLDAP Foundation.
Portions Copyright 2004-2017 Howard Chu, Symas Corporation.
Portions Copyright 2017-2021 Ondřej Kuzník, Symas Corporation.
Portions Copyright 2004 Hewlett-Packard Company
......@@ -179,6 +179,7 @@ LDAP_BEGIN_DECL
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_0 ((3 << 8) + 1)
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1 ((3 << 8) + 2)
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 ((3 << 8) + 3)
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_3 ((3 << 8) + 4)
#define LDAP_OPT_X_SASL_CBINDING_NONE 0
#define LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE 1
......
......@@ -292,6 +292,13 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
#ifdef SSL_OP_NO_TLSv1
#ifdef SSL_OP_NO_TLSv1_1
#ifdef SSL_OP_NO_TLSv1_2
#ifdef SSL_OP_NO_TLSv1_3
if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_TLS1_3)
SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 |
SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3 );
else
#endif
if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_TLS1_2)
SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 |
......@@ -310,8 +317,10 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
#endif
if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL3 )
SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 );
else if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL2 )
else if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL2 ) {
SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 );
SSL_CTX_clear_options( ctx, SSL_OP_NO_SSLv3 );
}
if ( lo->ldo_tls_ciphersuite &&
!SSL_CTX_set_cipher_list( ctx, lt->lt_ciphersuite ) )
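Review bot: The added `SSL_CTX_clear_options( ctx, SSL_OP_NO_SSLv3 );` in the `> LDAP_OPT_X_TLS_PROTOCOL_SSL2` branch removes the SSLv3 exclusion from the context if anything earlier had set it, and nothing in the hunk explains that this is intended. SSLv3 has known protocol-level weaknesses, so the branch deserves a comment such as `/* minimum explicitly configured as SSL3: undo any default that masks SSLv3 */`, and preferably a debug log line when it is taken. Whether an unset `ldo_tls_protocol_min` can reach this branch depends on its default value, which is outside the hunk and worth confirming. In the first hunk the `> LDAP_OPT_X_TLS_PROTOCOL_TLS1_3` case masks every protocol version this function knows about, so a minimum above TLS 1.3 presumably leaves nothing to negotiate; a one-line comment there would say whether that is deliberate. tlso_ctx_init starts and ends outside both hunks.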
......
......@@ -283,6 +283,8 @@ static OidRec OidMacros[] = {
* OLcfgOv{Oc|At}:19 -> collect
* OLcfgOv{Oc|At}:20 -> retcode
* OLcfgOv{Oc|At}:21 -> sssvlv
* OLcfgOv{Oc|At}:22 -> autoca
* OLcfgOv{Oc|At}:24 -> remoteauth
*/
/* alphabetical ordering */
......
......@@ -27,6 +27,7 @@ SRCS = overlays.c \
collect.c \
ppolicy.c \
refint.c \
remoteauth.c \
retcode.c \
rwm.c rwmconf.c rwmdn.c rwmmap.c \
seqmod.c \
......@@ -102,6 +103,9 @@ ppolicy.la : ppolicy.lo
refint.la : refint.lo
$(LTLINK_MOD) -module -o $@ refint.lo version.lo $(LINK_LIBS)
remoteauth.la : remoteauth.lo
$(LTLINK_MOD) -module -o $@ remoteauth.lo version.lo $(LINK_LIBS)
retcode.la : retcode.lo
$(LTLINK_MOD) -module -o $@ retcode.lo version.lo $(LINK_LIBS)
......
dn: olcOverlay={0}remoteauth,olcDatabase={1}@BACKEND@,cn=config
objectClass: olcOverlayConfig
objectclass: olcRemoteAuthCfg
olcOverlay: {0}remoteauth
olcRemoteAuthRetryCount: 3
olcRemoteAuthTLS: starttls=critical
tls_cert="@TESTDIR@/tls/certs/localhost.crt"
tls_key="@TESTDIR@/tls/private/localhost.key"
tls_cacert="@TESTDIR@/tls/ca/certs/testsuiteCA.crt"
tls_reqcert=demand tls_reqsan=allow
#openssl# tls_crlcheck=none
olcRemoteAuthDNAttribute: seeAlso
olcRemoteAuthDomainAttribute: o
olcRemoteAuthDefaultDomain: default
olcRemoteAuthDefaultRealm: @SURIP3@
olcRemoteAuthStore: FALSE
olcRemoteAuthMapping: default file://@TESTDIR@/default_domain
olcRemoteAuthMapping: working_ldaps @SURIP3@
olcRemoteAuthMapping: failing_ldaps @SURIP2@
olcRemoteAuthMapping: self @URIP1@
ldap://we/should/not/be/able/to/connect/to
@SURIP2@
@SURIP3@
overlay remoteauth
# defaults
#remoteauth_retry_count 3
#remoteauth_store off
remoteauth_tls starttls=critical
tls_cert=@TESTDIR@/tls/certs/localhost.crt
tls_key=@TESTDIR@/tls/private/localhost.key
tls_cacert=@TESTDIR@/tls/ca/certs/testsuiteCA.crt
remoteauth_dn_attribute seeAlso
remoteauth_domain_attribute o
remoteauth_default_domain default
remoteauth_default_realm @SURIP3@
# It's a trap! (ehm... stack) cn=config entries will be emitted in reverse order
remoteauth_mapping self @URIP1@
remoteauth_mapping failing_ldaps @SURIP2@
remoteauth_mapping working_ldaps @SURIP3@
remoteauth_mapping default file://@TESTDIR@/default_domain
......@@ -49,6 +49,7 @@ AC_memberof=memberof@BUILD_MEMBEROF@
AC_pcache=pcache@BUILD_PROXYCACHE@
AC_ppolicy=ppolicy@BUILD_PPOLICY@
AC_refint=refint@BUILD_REFINT@
AC_remoteauth=remoteauth@BUILD_REMOTEAUTH@
AC_retcode=retcode@BUILD_RETCODE@
AC_translucent=translucent@BUILD_TRANSLUCENT@
AC_unique=unique@BUILD_UNIQUE@
......@@ -75,8 +76,9 @@ if test "${AC_asyncmeta}" = "asyncmetamod" && test "${AC_LIBS_DYNAMIC}" = "stati
AC_meta="asyncmetano"
fi
export AC_ldap AC_mdb AC_meta AC_asyncmeta AC_monitor AC_null AC_perl AC_relay AC_sql \
AC_accesslog AC_autoca AC_constraint AC_dds AC_dynlist AC_memberof AC_pcache AC_ppolicy \
AC_refint AC_retcode AC_rwm AC_unique AC_syncprov AC_translucent \
AC_accesslog AC_autoca AC_constraint AC_dds AC_dynlist AC_memberof \
AC_pcache AC_ppolicy AC_refint AC_remoteauth \
AC_retcode AC_rwm AC_unique AC_syncprov AC_translucent \
AC_valsort \
AC_lloadd \
AC_WITH_SASL AC_WITH_TLS AC_WITH_MODULES_ENABLED AC_ACI_ENABLED \
......
......@@ -29,6 +29,7 @@ sed -e "s/@BACKEND@/${BACKEND}/" \
-e "s/@RELAY@/${RELAY}/" \
-e "s/^#relay-${RELAY}#//" \
-e "s/^#${BACKENDTYPE}#//" \
-e "s/^#${AC_TLS_TYPE}#//" \
-e "s/^#${AC_ldap}#//" \
-e "s/^#${AC_meta}#//" \
-e "s/^#${AC_asyncmeta}#//" \
......@@ -42,6 +43,7 @@ sed -e "s/@BACKEND@/${BACKEND}/" \
-e "s/^#${AC_ppolicy}#//" \
-e "s/^#${AC_refint}#//" \
-e "s/^#${AC_retcode}#//" \
-e "s/^#${AC_remoteauth}#//" \
-e "s/^#${AC_rwm}#//" \
-e "s/^#${AC_syncprov}#//" \
-e "s/^#${AC_translucent}#//" \
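Review bot: The added `-e "s/^#${AC_TLS_TYPE}#//"` collapses to `s/^##//` when `AC_TLS_TYPE` is empty or unset, which would strip the leading `##` from any doubly commented line in a test config and turn it into live configuration. The export list visible in the run.in section does not show `AC_TLS_TYPE`, although that list may continue past what the page renders, so this needs confirming. If the variable can be empty, a fallback in the expansion, for example `${AC_TLS_TYPE:-notls}` (placeholder value), stops the pattern from matching unrelated lines. The sed command starts and ends outside both hunks.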
......
......@@ -37,6 +37,7 @@ MEMBEROF=${AC_memberof-memberofno}
PROXYCACHE=${AC_pcache-pcacheno}
PPOLICY=${AC_ppolicy-ppolicyno}
REFINT=${AC_refint-refintno}
REMOTEAUTH=${AC_remoteauth-remoteauthno}
RETCODE=${AC_retcode-retcodeno}
RWM=${AC_rwm-rwmno}
SYNCPROV=${AC_syncprov-syncprovno}
......@@ -54,7 +55,7 @@ ACI=${AC_ACI_ENABLED-acino}
SLEEP0=${SLEEP0-1}
SLEEP1=${SLEEP1-7}
SLEEP2=${SLEEP2-15}
TIMEOUT=${TIMEOUT-4}
TIMEOUT=${TIMEOUT-8}
# dirs
PROGDIR=./progs
......@@ -65,6 +66,10 @@ case "$SCHEMADIR" in
.*) ABS_SCHEMADIR="$TESTWD/$SCHEMADIR" ;;
*) ABS_SCHEMADIR="$SCHEMADIR" ;;
esac
case "$SRCDIR" in
.*) ABS_SRCDIR="$TESTWD/$SRCDIR" ;;
*) ABS_SRCDIR="$SRCDIR" ;;
esac
DBDIR1A=$TESTDIR/db.1.a
DBDIR1B=$TESTDIR/db.1.b
......@@ -181,6 +186,23 @@ SLURPLOG=$TESTDIR/slurp.log
CONFIGPWF=$TESTDIR/configpw
# wrappers (valgrind, gdb, environment variables, etc.)
if [ -n "$WRAPPER" ]; then
: # skip
elif [ "$SLAPD_COMMON_WRAPPER" = gdb ]; then
WRAPPER="$ABS_SRCDIR/scripts/grandchild_wrapper.py gdb -nx -x $ABS_SRCDIR/scripts/gdb.py -batch-silent -return-child-result --args"
elif [ "$SLAPD_COMMON_WRAPPER" = valgrind ]; then
WRAPPER="valgrind --log-file=$TESTDIR/valgrind.%p.log --fullpath-after=`dirname $ABS_SRCDIR` --keep-debuginfo=yes --leak-check=full"
elif [ "$SLAPD_COMMON_WRAPPER" = "valgrind-errstop" ]; then
WRAPPER="valgrind --log-file=$TESTDIR/valgrind.%p.log --vgdb=yes --vgdb-error=1"
elif [ "$SLAPD_COMMON_WRAPPER" = vgdb ]; then
WRAPPER="valgrind --log-file=$TESTDIR/valgrind.%p.log --vgdb=yes --vgdb-error=0"
fi
if [ -n "$WRAPPER" ]; then
SLAPD_WRAPPER="$TESTWD/../libtool --mode=execute env $WRAPPER"
fi
# args
SASLARGS="-Q"
TOOLARGS="-x $LDAP_TOOLARGS"
......@@ -192,11 +214,11 @@ CONFDIRSYNC=$SRCDIR/scripts/confdirsync.sh
MONITORDATA=$SRCDIR/scripts/monitor_data.sh
SLAPADD="$TESTWD/../servers/slapd/slapd -Ta -d 0 $LDAP_VERBOSE"
SLAPCAT="$TESTWD/../servers/slapd/slapd -Tc -d 0 $LDAP_VERBOSE"
SLAPINDEX="$TESTWD/../servers/slapd/slapd -Ti -d 0 $LDAP_VERBOSE"
SLAPMODIFY="$TESTWD/../servers/slapd/slapd -Tm -d 0 $LDAP_VERBOSE"
SLAPPASSWD="$TESTWD/../servers/slapd/slapd -Tpasswd"
SLAPADD="$SLAPD_WRAPPER $TESTWD/../servers/slapd/slapd -Ta -d 0 $LDAP_VERBOSE"
SLAPCAT="$SLAPD_WRAPPER $TESTWD/../servers/slapd/slapd -Tc -d 0 $LDAP_VERBOSE"
SLAPINDEX="$SLAPD_WRAPPER $TESTWD/../servers/slapd/slapd -Ti -d 0 $LDAP_VERBOSE"
SLAPMODIFY="$SLAPD_WRAPPER $TESTWD/../servers/slapd/slapd -Tm -d 0 $LDAP_VERBOSE"
SLAPPASSWD="$SLAPD_WRAPPER $TESTWD/../servers/slapd/slapd -Tpasswd"
unset DIFF_OPTIONS
# NOTE: -u/-c is not that portable...
......@@ -204,8 +226,8 @@ DIFF="diff -i"
CMP="diff -i"
BCMP="diff -iB"
CMPOUT=/dev/null
SLAPD="$TESTWD/../servers/slapd/slapd -s0"
LLOADD="$TESTWD/../servers/lloadd/lloadd -s0"
SLAPD="$SLAPD_WRAPPER $TESTWD/../servers/slapd/slapd -s0"
LLOADD="$SLAPD_WRAPPER $TESTWD/../servers/lloadd/lloadd -s0"
LDAPPASSWD="$CLIENTDIR/ldappasswd $TOOLARGS"
LDAPSASLSEARCH="$CLIENTDIR/ldapsearch $SASLARGS $TOOLPROTO $LDAP_TOOLARGS -LLL"
LDAPSASLWHOAMI="$CLIENTDIR/ldapwhoami $SASLARGS $LDAP_TOOLARGS"
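Review bot: An unrecognised `SLAPD_COMMON_WRAPPER` value falls through the `elif` chain in the wrappers block without any message, so a typo in the CI variable runs the whole suite unwrapped while the job still looks like a debugger or valgrind run. A final branch such as `elif [ -n "$SLAPD_COMMON_WRAPPER" ]; then echo "unknown SLAPD_COMMON_WRAPPER: $SLAPD_COMMON_WRAPPER" >&2` would make that visible. `SLAPD_WRAPPER` is assigned only when `WRAPPER` is non-empty, so a value inherited from the environment ends up in front of every slapd and lloadd command; if that is not intended, put `SLAPD_WRAPPER=` before the block. The valgrind line also passes the result of an unquoted backtick `dirname` call, which splits on a source path containing spaces; `$(dirname "$ABS_SRCDIR")` inside the quoted string avoids that.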
......