ITS#9438 Add remoteauth overlay

configure.ac

@@ -353,6 +353,7 @@ Overlays="accesslog \
 	ppolicy \
 	proxycache \
 	refint \
+	remoteauth \
 	retcode \
 	rwm \
 	seqmod \
@@ -393,6 +394,8 @@ OL_ARG_ENABLE(proxycache, [AS_HELP_STRING([--enable-proxycache], [Proxy Cache ov
 	no, [no yes mod], ol_enable_overlays)
 OL_ARG_ENABLE(refint, [AS_HELP_STRING([--enable-refint], [Referential Integrity overlay])],
 	no, [no yes mod], ol_enable_overlays)
+OL_ARG_ENABLE(remoteauth, [AS_HELP_STRING([--enable-remoteauth], [Deferred Authentication overlay])],
+	no, [no yes mod], ol_enable_overlays)
 OL_ARG_ENABLE(retcode, [AS_HELP_STRING([--enable-retcode], [Return Code testing overlay])],
 	no, [no yes mod], ol_enable_overlays)
 OL_ARG_ENABLE(rwm, [AS_HELP_STRING([--enable-rwm], [Rewrite/Remap overlay])],
@@ -569,6 +572,7 @@ BUILD_MEMBEROF=no
 BUILD_PPOLICY=no
 BUILD_PROXYCACHE=no
 BUILD_REFINT=no
+BUILD_REMOTEAUTH=no
 BUILD_RETCODE=no
 BUILD_RWM=no
 BUILD_SEQMOD=no
@@ -2861,6 +2865,18 @@ if test "$ol_enable_refint" != no ; then
 	AC_DEFINE_UNQUOTED(SLAPD_OVER_REFINT,$MFLAG,[define for Referential Integrity overlay])
 fi
 
+if test "$ol_enable_remoteauth" != no ; then
+	BUILD_REMOTEAUTH=$ol_enable_remoteauth
+	if test "$ol_enable_remoteauth" = mod ; then
+		MFLAG=SLAPD_MOD_DYNAMIC
+		SLAPD_DYNAMIC_OVERLAYS="$SLAPD_DYNAMIC_OVERLAYS remoteauth.la"
+	else
+		MFLAG=SLAPD_MOD_STATIC
+		SLAPD_STATIC_OVERLAYS="$SLAPD_STATIC_OVERLAYS remoteauth.o"
+	fi
+	AC_DEFINE_UNQUOTED(SLAPD_OVER_REMOTEAUTH,$MFLAG,[define for Deferred Authentication overlay])
+fi
+
 if test "$ol_enable_retcode" != no ; then
 	BUILD_RETCODE=$ol_enable_retcode
 	if test "$ol_enable_retcode" = mod ; then
@@ -3033,6 +3049,7 @@ dnl overlays
   AC_SUBST(BUILD_PPOLICY)
   AC_SUBST(BUILD_PROXYCACHE)
   AC_SUBST(BUILD_REFINT)
+  AC_SUBST(BUILD_REMOTEAUTH)
   AC_SUBST(BUILD_RETCODE)
   AC_SUBST(BUILD_RWM)
   AC_SUBST(BUILD_SEQMOD)

doc/man/man5/slapo-remoteauth.5

+.TH SLAPO-REMOTEAUTH 5 "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" Copyright 1998-2021 The OpenLDAP Foundation, All Rights Reserved.
+.\" Copying restrictions apply.  See the COPYRIGHT file.
+.\" $OpenLDAP$
+.SH NAME
+slapo-remoteauth \- Delegate authentication requests to remote directories, e.g. Active Directory
+.SH SYNOPSIS
+ETCDIR/slapd.conf
+.SH DESCRIPTION
+The
+.B remoteauth
+overlay to
+.BR slapd (8)
+provides passthrough authentication to remote directory servers, e.g.
+Active Directory, for LDAP simple bind operations. The local LDAP entry
+referenced in the bind operation is mapped to its counterpart in the remote
+directory. An LDAP bind operation is performed against the remote directory
+and results are returned based on those of the remote operation.
+.LP
+A slapd server configured with the
+.B remoteauth
+overlay handles an authentication request based on the presence of
+.B userPassword
+in the local entry. If the
+.B userPassword
+is present, authentication is performed locally, otherwise the
+.B remoteauth
+overlay performs the authentication request to the configured remote directory
+server.
+.LP
+
+.SH CONFIGURATION
+
+The following options can be applied to the
+.B remoteauth
+overlay within the slapd.conf file. All options should follow the
+.B overlay remoteauth
+directive.
+
+.TP
+.B overlay remoteauth
+This directive adds the
+.B remoteauth
+overlay to the current database, see
+.BR slapd.conf (5)
+for details.
+
+.TP
+.B remoteauth_dn_attribute <dnattr>
+Attribute in the local entry that is used to store the bind DN to a remote
+directory server.
+
+.TP
+.B remoteauth_mapping <domain> <hostname|LDAP URI|file:///path/to/list_of_hostnames>
+For a non-Windows deployment, a domain can be considered as a collection of
+one or more hosts to which slapd server authentcates against on behalf of
+authenticating users.
+For a given domain name, the mapping specifies the target server(s),
+e.g., Active Directory domain controller(s), to connect to via LDAP.
+The second argument can be given either as a hostname, an LDAP URI, or a file
+containing a list of hostnames/URIs, one per line. The hostnames are tried in
+sequence until the connection succeeds.
+
+This option can be provided more than once to provide mapping information for
+different domains. For example:
+
+.nf
+    remoteauth_mapping americas file:///path/to/americas.domain.hosts
+    remoteauth_mapping asiapacific file:///path/to/asiapacific.domain.hosts
+    remoteauth_mapping emea emeadc1.emea.example.com
+.fi
+
+.TP
+.B remoteauth_domain_attribute <attr>
+Attribute in the local entry that specifies the domain name, any text after
+"\\" or ":" is ignored.
+
+.TP
+.B remoteauth_default_domain <default domain>
+Default domain.
+
+
+.TP
+.B remoteauth_default_realm <server>
+Fallback server to connect to for domains not specified in
+.BR remoteauth_mapping .
+
+.TP
+.B remoteauth_retry_count <num>
+Number of connection retries attempted. Default is 3.
+
+.TP
+.B remoteauth_store <on|off>
+Whether to store the password in the local entry on successful bind. Default is
+off.
+
+.HP
+.hy 0
+.B remoteauth_tls
+.B [starttls=yes]
+.B [tls_cert=<file>]
+.B [tls_key=<file>]
+.B [tls_cacert=<file>]
+.B [tls_cacertdir=<path>]
+.B [tls_reqcert=never|allow|try|demand]
+.B [tls_reqsan=never|allow|try|demand]
+.B [tls_cipher_suite=<ciphers>]
+.B [tls_ecname=<names>]
+.B [tls_crlcheck=none|peer|all]
+.RS
+Remoteauth specific TLS configuration, see
+.BR slapd.conf (5)
+for more details on each of the parameters and defaults.
+.RE
+
+.TP
+.B remoteauth_tls_peerkey_hash <hostname> <hashname>:<base64 of public key hash>
+Mapping between remote server hostnames and their public key hashes. Only one
+mapping per hostname is supported and if any pins are specified, all hosts
+need to be pinned. If set, pinning is in effect regardless of whether or not
+certificate name validation is enabled by
+.BR tls_reqcert .
+
+.SH EXAMPLE
+A typical example configuration of
+.B remoteauth
+overlay for AD is shown below (as a
+.BR slapd.conf (5)
+snippet):
+
+.LP
+.nf
+   database <database>
+   #...
+
+   overlay remoteauth
+   remoteauth_dn_attribute seeAlso
+   remoteauth_domain_attribute associatedDomain
+   remoteauth_default_realm americas.example.com
+
+   remoteauth_mapping americas file:///home/ldap/etc/remoteauth.americas
+   remoteauth_mapping emea emeadc1.emea.example.com
+
+   remoteauth_tls starttls=yes tls_reqcert=demand tls_cacert=/home/ldap/etc/example-ca.pem
+   remoteauth_tls_peerkey_hash ldap.americas.tld sha256:Bxv3MkLoDm6gt/iDfeGNdNNqa5TTpPDdIwvZM/cIgeo=
+.fi
+
+Where seeAlso contains the AD bind DN for the user, associatedDomain contains the
+Windows Domain Id in the form of <NT-domain-name>:<NT-username> in which
+anything following, including ":", is ignored.
+
+.SH SEE ALSO
+.BR slapd.conf (5),
+.BR slapd (8).
+
+.SH Copyrights
+Copyright 2004-2021 The OpenLDAP Foundation.
+Portions Copyright 2004-2017 Howard Chu, Symas Corporation.
+Portions Copyright 2017-2021 Ondřej Kuzník, Symas Corporation.
+Portions Copyright 2004 Hewlett-Packard Company

servers/slapd/bconfig.c

@@ -283,6 +283,8 @@ static OidRec OidMacros[] = {
  * OLcfgOv{Oc|At}:19			-> collect
  * OLcfgOv{Oc|At}:20			-> retcode
  * OLcfgOv{Oc|At}:21			-> sssvlv
+ * OLcfgOv{Oc|At}:22			-> autoca
+ * OLcfgOv{Oc|At}:24			-> remoteauth
  */
 
 /* alphabetical ordering */

servers/slapd/overlays/Makefile.in

@@ -27,6 +27,7 @@ SRCS = overlays.c \
 	collect.c \
 	ppolicy.c \
 	refint.c \
+	remoteauth.c \
 	retcode.c \
 	rwm.c rwmconf.c rwmdn.c rwmmap.c \
 	seqmod.c \
@@ -102,6 +103,9 @@ ppolicy.la : ppolicy.lo
 refint.la : refint.lo
 	$(LTLINK_MOD) -module -o $@ refint.lo version.lo $(LINK_LIBS)
 
+remoteauth.la : remoteauth.lo
+	$(LTLINK_MOD) -module -o $@ remoteauth.lo version.lo $(LINK_LIBS)
+
 retcode.la : retcode.lo
 	$(LTLINK_MOD) -module -o $@ retcode.lo version.lo $(LINK_LIBS)
 

tests/data/remoteauth/config.ldif

+dn: olcOverlay={0}remoteauth,olcDatabase={1}@BACKEND@,cn=config
+objectClass: olcOverlayConfig
+objectclass: olcRemoteAuthCfg
+olcOverlay: {0}remoteauth
+olcRemoteAuthRetryCount: 3
+olcRemoteAuthTLS: starttls=critical
+  tls_cert="@TESTDIR@/tls/certs/localhost.crt"
+  tls_key="@TESTDIR@/tls/private/localhost.key"
+  tls_cacert="@TESTDIR@/tls/ca/certs/testsuiteCA.crt"
+  tls_reqcert=demand tls_reqsan=allow
+#openssl#  tls_crlcheck=none
+olcRemoteAuthDNAttribute: seeAlso
+olcRemoteAuthDomainAttribute: o
+olcRemoteAuthDefaultDomain: default
+olcRemoteAuthDefaultRealm: @SURIP3@
+olcRemoteAuthStore: FALSE
+olcRemoteAuthMapping: default file://@TESTDIR@/default_domain
+olcRemoteAuthMapping: working_ldaps @SURIP3@
+olcRemoteAuthMapping: failing_ldaps @SURIP2@
+olcRemoteAuthMapping: self @URIP1@
+

tests/data/remoteauth/default_domain

+ldap://we/should/not/be/able/to/connect/to
+@SURIP2@
+@SURIP3@

tests/data/remoteauth/remoteauth.conf

+overlay remoteauth
+
+# defaults
+#remoteauth_retry_count 3
+#remoteauth_store off
+
+remoteauth_tls starttls=critical
+    tls_cert=@TESTDIR@/tls/certs/localhost.crt
+    tls_key=@TESTDIR@/tls/private/localhost.key
+    tls_cacert=@TESTDIR@/tls/ca/certs/testsuiteCA.crt
+
+remoteauth_dn_attribute seeAlso
+remoteauth_domain_attribute o
+remoteauth_default_domain default
+remoteauth_default_realm @SURIP3@
+
+# It's a trap! (ehm... stack) cn=config entries will be emitted in reverse order
+remoteauth_mapping self @URIP1@
+remoteauth_mapping failing_ldaps @SURIP2@
+remoteauth_mapping working_ldaps @SURIP3@
+remoteauth_mapping default file://@TESTDIR@/default_domain

tests/run.in

@@ -49,6 +49,7 @@ AC_memberof=memberof@BUILD_MEMBEROF@
 AC_pcache=pcache@BUILD_PROXYCACHE@
 AC_ppolicy=ppolicy@BUILD_PPOLICY@
 AC_refint=refint@BUILD_REFINT@
+AC_remoteauth=remoteauth@BUILD_REMOTEAUTH@
 AC_retcode=retcode@BUILD_RETCODE@
 AC_translucent=translucent@BUILD_TRANSLUCENT@
 AC_unique=unique@BUILD_UNIQUE@
@@ -75,8 +76,9 @@ if test "${AC_asyncmeta}" = "asyncmetamod" && test "${AC_LIBS_DYNAMIC}" = "stati
 	AC_meta="asyncmetano"
 fi
 export AC_ldap AC_mdb AC_meta AC_asyncmeta AC_monitor AC_null AC_perl AC_relay AC_sql \
-	AC_accesslog AC_autoca AC_constraint AC_dds AC_dynlist AC_memberof AC_pcache AC_ppolicy \
-	AC_refint AC_retcode AC_rwm AC_unique AC_syncprov AC_translucent \
+	AC_accesslog AC_autoca AC_constraint AC_dds AC_dynlist AC_memberof \
+	AC_pcache AC_ppolicy AC_refint AC_remoteauth \
+	AC_retcode AC_rwm AC_unique AC_syncprov AC_translucent \
 	AC_valsort \
 	AC_lloadd \
 	AC_WITH_SASL AC_WITH_TLS AC_WITH_MODULES_ENABLED AC_ACI_ENABLED \

tests/scripts/conf.sh

@@ -43,6 +43,7 @@ sed -e "s/@BACKEND@/${BACKEND}/"			\
 	-e "s/^#${AC_ppolicy}#//"			\
 	-e "s/^#${AC_refint}#//"			\
 	-e "s/^#${AC_retcode}#//"			\
+	-e "s/^#${AC_remoteauth}#//"			\
 	-e "s/^#${AC_rwm}#//"				\
 	-e "s/^#${AC_syncprov}#//"			\
 	-e "s/^#${AC_translucent}#//"			\

tests/scripts/defines.sh

@@ -37,6 +37,7 @@ MEMBEROF=${AC_memberof-memberofno}
 PROXYCACHE=${AC_pcache-pcacheno}
 PPOLICY=${AC_ppolicy-ppolicyno}
 REFINT=${AC_refint-refintno}
+REMOTEAUTH=${AC_remoteauth-remoteauthno}
 RETCODE=${AC_retcode-retcodeno}
 RWM=${AC_rwm-rwmno}
 SYNCPROV=${AC_syncprov-syncprovno}

tests/scripts/test082-remoteauth

+#! /bin/sh
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 2016-2021 Ondřej Kuzník, Symas Corp.
+## Copyright 1998-2021 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+echo "running defines.sh"
+. $SRCDIR/scripts/defines.sh
+
+if test $WITH_TLS = no ; then
+    echo "TLS support not available, test skipped"
+    exit 0
+fi
+
+if test $REMOTEAUTH = remoteauthno; then
+    echo "RemoteAuth overlay not available, test skipped"
+    exit 0
+fi
+
+mkdir -p $TESTDIR $DBDIR1 $DBDIR2 $TESTDIR/confdir
+cp -r $DATADIR/tls $TESTDIR
+
+. $CONFFILTER < $DATADIR/remoteauth/default_domain > $TESTDIR/default_domain
+
+. $CONFFILTER $BACKEND < $TLSCONF > $CONF1
+
+$SLAPPASSWD -g -n >$CONFIGPWF
+echo "database config" >>$CONF1
+echo "rootpw `$SLAPPASSWD -T $CONFIGPWF`" >>$CONF1
+echo "TLSCACertificateFile $TESTDIR/tls/ca/certs/testsuiteCA.crt" >>$CONF1
+
+$SLAPD -Tt -n 0 -f $CONF1 -F $TESTDIR/confdir -d $LVL > $LOG1 2>&1
+RC=$?
+if test $RC != 0 ; then
+    echo "slaptest failed ($RC)!"
+    exit $RC
+fi
+
+echo -n "Running slapadd to build slapd database... "
+$SLAPADD -F $TESTDIR/confdir -l $LDIFORDERED
+RC=$?
+if test $RC != 0 ; then
+    echo "slapadd failed ($RC)!"
+    exit $RC
+fi
+
+echo "DB tweaks..."
+$SLAPMODIFY -f $CONF1 >>$LOG1 2>&1 <<EOMODS
+dn: $MELLIOTDN
+changetype: modify
+add: o
+o: self
+-
+replace: seeAlso
+seeAlso: $BJORNSDN
+
+dn: $JOHNDDN
+changetype: modify
+replace: seeAlso
+seeAlso: $BJORNSDN
+EOMODS
+RC=$?
+if test $RC != 0 ; then
+    echo "slapmodify failed ($RC)!"
+    test $KILLSERVERS != no && kill -HUP $KILLPIDS
+    exit $RC
+fi
+
+echo "Starting slapd on TCP/IP port $PORT1 for configuration..."
+$SLAPD -f $CONF1 -F $TESTDIR/confdir -h $URI1 -d $LVL > $LOG1 2>&1 &
+REMOTEAUTH_PID=$!
+if test $WAIT != 0 ; then
+    echo REMOTEAUTH_PID $REMOTEAUTH_PID
+    read foo
+fi
+KILLPIDS="$REMOTEAUTH_PID"
+
+sleep $SLEEP0
+
+for i in 0 1 2 3 4 5; do
+    $LDAPSEARCH -s base -b "$MONITOR" -H $URI1 \
+        'objectclass=*' > /dev/null 2>&1
+    RC=$?
+    if test $RC = 0 ; then
+        break
+    fi
+    echo "Waiting ${SLEEP1} seconds for slapd to start..."
+    sleep ${SLEEP1}
+done
+
+if [ "$REMOTEAUTH" = remoteauthmod ]; then
+$LDAPADD -D cn=config -H $URI1 -y $CONFIGPWF \
+    >> $TESTOUT 2>&1 <<EOMOD
+dn: cn=module,cn=config
+objectClass: olcModuleList
+cn: module
+olcModulePath: $TESTWD/../servers/slapd/overlays
+olcModuleLoad: remoteauth.la
+EOMOD
+RC=$?
+if test $RC != 0 ; then
+    echo "ldapmodify failed ($RC)!"
+    test $KILLSERVERS != no && kill -HUP $KILLPIDS
+    exit $RC
+fi
+fi
+
+echo "Loading test remoteauth configuration..."
+. $CONFFILTER $BACKEND < $DATADIR/remoteauth/config.ldif | \
+$LDAPADD -v -D cn=config -H $URI1 -y $CONFIGPWF \
+    >> $TESTOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+    echo "ldapadd failed ($RC)!"
+    test $KILLSERVERS != no && kill -HUP $KILLPIDS
+    exit $RC
+fi
+
+echo -n "Preparing second server on $URI2 and $SURIP3... "
+. $CONFFILTER $BACKEND < $TLSCONF | sed -e "s,$DBDIR1,$DBDIR2," > $CONF2
+
+echo -n "loading data... "
+$SLAPADD -f $CONF2 -l $LDIFORDERED
+RC=$?
+if test $RC != 0 ; then
+    echo "slapadd failed ($RC)!"
+    test $KILLSERVERS != no && kill -HUP $KILLPIDS
+    exit $RC
+fi
+
+echo -n "tweaking DB contents... "
+$SLAPMODIFY -f $CONF2 >>$LOG2 2>&1 <<EOMODS
+dn: $BJORNSDN
+changetype: modify
+replace: userPassword
+userPassword: bjorn2
+EOMODS
+RC=$?
+if test $RC != 0 ; then
+    echo "slapmodify failed ($RC)!"
+    test $KILLSERVERS != no && kill -HUP $KILLPIDS
+    exit $RC
+fi
+
+echo "starting up... "
+$SLAPD -f $CONF2 -h "$URI2 $SURIP3" -d $LVL > $LOG2 2>&1 &
+BACKEND_PID=$!
+if test $WAIT != 0 ; then
+    echo BACKEND_PID $BACKEND_PID
+    read foo
+fi
+KILLPIDS="$KILLPIDS $BACKEND_PID"
+
+for i in 0 1 2 3 4 5; do
+    $LDAPSEARCH -s base -b "$MONITOR" -H $URI2 \
+        'objectclass=*' > /dev/null 2>&1
+    RC=$?
+    if test $RC = 0 ; then
+        break
+    fi
+    echo "Waiting ${SLEEP1} seconds for slapd to start..."
+    sleep ${SLEEP1}
+done
+
+if test $RC != 0 ; then
+    echo "failed ($RC)!"
+    test $KILLSERVERS != no && kill -HUP $KILLPIDS
+    exit $RC
+fi
+
+. $CONFFILTER $BACKEND < $TLSCONF > $CONF1
+
+echo "TLSCACertificateFile $TESTDIR/tls/ca/certs/testsuiteCA.crt" >>$CONF1
+echo "database config" >>$CONF1
+echo "rootpw `$SLAPPASSWD -T $CONFIGPWF`" >>$CONF1
+
+# We check basic remoteauth operation and generated configuration in these
+# circumstances:
+# 1. configured online through cn=config (what we set up above)
+# 2. the server from 1. restarted (loading from cn=config on startup)
+# 3. configured and started through a slapd.conf
+#
+# All of the above should present the same behaviour and cn=config output
+
+echo "Saving generated config before server restart..."
+echo "# search output from dynamically configured server..." >> $SERVER1OUT
+$LDAPSEARCH -D cn=config -H $URI1 -y $CONFIGPWF \
+    -b "olcOverlay={0}remoteauth,olcDatabase={1}$BACKEND,cn=config" \
+    >> $SERVER1OUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+    echo "ldapsearch failed ($RC)!"
+    test $KILLSERVERS != no && kill -HUP $KILLPIDS
+    exit $RC
+fi
+
+echo -n "Checking bind handling... "
+
+$LDAPWHOAMI -H $URI1 -x -D "$BJORNSDN" -w bjorn >/dev/null
+RC=$?
+if test $RC != 0 ; then
+    echo "ldapwhoami failed ($RC)!"
+    test $KILLSERVERS != no && kill -HUP $KILLPIDS
+    exit $RC
+fi
+echo -n "1 "
+
+$LDAPWHOAMI -H $URI1 -x -D "$JOHNDDN" -w bjorn2 >/dev/null
+RC=$?
+if test $RC != 0 ; then
+    echo "ldapwhoami failed ($RC)!"
+    test $KILLSERVERS != no && kill -HUP $KILLPIDS
+    exit $RC
+fi
+echo -n "2 "
+
+$LDAPWHOAMI -H $URI1 -x -D "$MELLIOTDN" -w bjorn >/dev/null
+RC=$?
+if test $RC != 0 ; then
+    echo "ldapwhoami failed ($RC)!"
+    test $KILLSERVERS != no && kill -HUP $KILLPIDS
+    exit $RC
+fi
+echo -n "3 "
+
+echo "ok"
+
+echo "Stopping slapd on TCP/IP port $PORT1..."
+kill -HUP $REMOTEAUTH_PID
+KILLPIDS="$BACKEND_PID"
+sleep $SLEEP0
+echo "Starting slapd on TCP/IP port $PORT1..."
+$SLAPD -F $TESTDIR/confdir -h $URI1 -d $LVL >> $LOG1 2>&1 &
+REMOTEAUTH_PID=$!
+if test $WAIT != 0 ; then
+    echo REMOTEAUTH_PID $REMOTEAUTH_PID
+    read foo
+fi
+KILLPIDS="$KILLPIDS $REMOTEAUTH_PID"
+
+sleep $SLEEP0
+
+for i in 0 1 2 3 4 5; do
+    $LDAPSEARCH -s base -b "$MONITOR" -H $URI1 \
+        'objectclass=*' > /dev/null 2>&1
+    RC=$?
+    if test $RC = 0 ; then
+        break
+    fi
+    echo "Waiting ${SLEEP1} seconds for slapd to start..."
+    sleep ${SLEEP1}
+done
+
+echo "Saving generated config after server restart..."
+echo "# search output from dynamically configured server after restart..." >> $SERVER2OUT
+$LDAPSEARCH -D cn=config -H $URI1 -y $CONFIGPWF \
+    -b "olcOverlay={0}remoteauth,olcDatabase={1}$BACKEND,cn=config" \
+    >> $SERVER2OUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+    echo "ldapsearch failed ($RC)!"
+    test $KILLSERVERS != no && kill -HUP $KILLPIDS
+    exit $RC
+fi
+
+echo -n "Checking bind handling... "
+
+$LDAPWHOAMI -H $URI1 -x -D "$BJORNSDN" -w bjorn >/dev/null
+RC=$?
+if test $RC != 0 ; then
+    echo "ldapwhoami failed ($RC)!"
+    test $KILLSERVERS != no && kill -HUP $KILLPIDS
+    exit $RC
+fi
+echo -n "1 "
+
+$LDAPWHOAMI -H $URI1 -x -D "$JOHNDDN" -w bjorn2 >/dev/null
+RC=$?
+if test $RC != 0 ; then
+    echo "ldapwhoami failed ($RC)!"
+    test $KILLSERVERS != no && kill -HUP $KILLPIDS
+    exit $RC
+fi
+echo -n "2 "
+
+$LDAPWHOAMI -H $URI1 -x -D "$MELLIOTDN" -w bjorn >/dev/null
+RC=$?
+if test $RC != 0 ; then
+    echo "ldapwhoami failed ($RC)!"
+    test $KILLSERVERS != no && kill -HUP $KILLPIDS