Skip to content
GitLab
Projects
Groups
Snippets
/
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Sign in / Register
Toggle navigation
Menu
Open sidebar
openldap
OpenLDAP
Commits
34b95c52
Commit
34b95c52
authored
Jan 28, 2021
by
Ondřej Kuzník
Committed by
Quanah Gibson-Mount
Feb 25, 2021
Browse files
ITS#9438 Add remoteauth overlay
parent
0c2ba041
Pipeline
#1805
passed with stage
in 28 minutes and 9 seconds
Changes
12
Pipelines
2
Expand all
Hide whitespace changes
Inline
Side-by-side
configure.ac
View file @
34b95c52
...
...
@@ -353,6 +353,7 @@ Overlays="accesslog \
ppolicy \
proxycache \
refint \
remoteauth \
retcode \
rwm \
seqmod \
...
...
@@ -393,6 +394,8 @@ OL_ARG_ENABLE(proxycache, [AS_HELP_STRING([--enable-proxycache], [Proxy Cache ov
no, [no yes mod], ol_enable_overlays)
OL_ARG_ENABLE(refint, [AS_HELP_STRING([--enable-refint], [Referential Integrity overlay])],
no, [no yes mod], ol_enable_overlays)
OL_ARG_ENABLE(remoteauth, [AS_HELP_STRING([--enable-remoteauth], [Deferred Authentication overlay])],
no, [no yes mod], ol_enable_overlays)
OL_ARG_ENABLE(retcode, [AS_HELP_STRING([--enable-retcode], [Return Code testing overlay])],
no, [no yes mod], ol_enable_overlays)
OL_ARG_ENABLE(rwm, [AS_HELP_STRING([--enable-rwm], [Rewrite/Remap overlay])],
...
...
@@ -569,6 +572,7 @@ BUILD_MEMBEROF=no
BUILD_PPOLICY=no
BUILD_PROXYCACHE=no
BUILD_REFINT=no
BUILD_REMOTEAUTH=no
BUILD_RETCODE=no
BUILD_RWM=no
BUILD_SEQMOD=no
...
...
@@ -2861,6 +2865,18 @@ if test "$ol_enable_refint" != no ; then
AC_DEFINE_UNQUOTED(SLAPD_OVER_REFINT,$MFLAG,[define for Referential Integrity overlay])
fi
if test "$ol_enable_remoteauth" != no ; then
BUILD_REMOTEAUTH=$ol_enable_remoteauth
if test "$ol_enable_remoteauth" = mod ; then
MFLAG=SLAPD_MOD_DYNAMIC
SLAPD_DYNAMIC_OVERLAYS="$SLAPD_DYNAMIC_OVERLAYS remoteauth.la"
else
MFLAG=SLAPD_MOD_STATIC
SLAPD_STATIC_OVERLAYS="$SLAPD_STATIC_OVERLAYS remoteauth.o"
fi
AC_DEFINE_UNQUOTED(SLAPD_OVER_REMOTEAUTH,$MFLAG,[define for Deferred Authentication overlay])
fi
if test "$ol_enable_retcode" != no ; then
BUILD_RETCODE=$ol_enable_retcode
if test "$ol_enable_retcode" = mod ; then
...
...
@@ -3033,6 +3049,7 @@ dnl overlays
AC_SUBST(BUILD_PPOLICY)
AC_SUBST(BUILD_PROXYCACHE)
AC_SUBST(BUILD_REFINT)
AC_SUBST(BUILD_REMOTEAUTH)
AC_SUBST(BUILD_RETCODE)
AC_SUBST(BUILD_RWM)
AC_SUBST(BUILD_SEQMOD)
...
...
doc/man/man5/slapo-remoteauth.5
0 → 100644
View file @
34b95c52
.TH SLAPO-REMOTEAUTH 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" Copyright 1998-2021 The OpenLDAP Foundation, All Rights Reserved.
.\" Copying restrictions apply. See the COPYRIGHT file.
.\" $OpenLDAP$
.SH NAME
slapo-remoteauth \- Delegate authentication requests to remote directories, e.g. Active Directory
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
The
.B remoteauth
overlay to
.BR slapd (8)
provides passthrough authentication to remote directory servers, e.g.
Active Directory, for LDAP simple bind operations. The local LDAP entry
referenced in the bind operation is mapped to its counterpart in the remote
directory. An LDAP bind operation is performed against the remote directory
and results are returned based on those of the remote operation.
.LP
A slapd server configured with the
.B remoteauth
overlay handles an authentication request based on the presence of
.B userPassword
in the local entry. If the
.B userPassword
is present, authentication is performed locally, otherwise the
.B remoteauth
overlay performs the authentication request to the configured remote directory
server.
.LP
.SH CONFIGURATION
The following options can be applied to the
.B remoteauth
overlay within the slapd.conf file. All options should follow the
.B overlay remoteauth
directive.
.TP
.B overlay remoteauth
This directive adds the
.B remoteauth
overlay to the current database, see
.BR slapd.conf (5)
for details.
.TP
.B remoteauth_dn_attribute <dnattr>
Attribute in the local entry that is used to store the bind DN to a remote
directory server.
.TP
.B remoteauth_mapping <domain> <hostname|LDAP URI|file:///path/to/list_of_hostnames>
For a non-Windows deployment, a domain can be considered as a collection of
one or more hosts to which slapd server authentcates against on behalf of
authenticating users.
For a given domain name, the mapping specifies the target server(s),
e.g., Active Directory domain controller(s), to connect to via LDAP.
The second argument can be given either as a hostname, an LDAP URI, or a file
containing a list of hostnames/URIs, one per line. The hostnames are tried in
sequence until the connection succeeds.
This option can be provided more than once to provide mapping information for
different domains. For example:
.nf
remoteauth_mapping americas file:///path/to/americas.domain.hosts
remoteauth_mapping asiapacific file:///path/to/asiapacific.domain.hosts
remoteauth_mapping emea emeadc1.emea.example.com
.fi
.TP
.B remoteauth_domain_attribute <attr>
Attribute in the local entry that specifies the domain name, any text after
"\\" or ":" is ignored.
.TP
.B remoteauth_default_domain <default domain>
Default domain.
.TP
.B remoteauth_default_realm <server>
Fallback server to connect to for domains not specified in
.BR remoteauth_mapping .
.TP
.B remoteauth_retry_count <num>
Number of connection retries attempted. Default is 3.
.TP
.B remoteauth_store <on|off>
Whether to store the password in the local entry on successful bind. Default is
off.
.HP
.hy 0
.B remoteauth_tls
.B [starttls=yes]
.B [tls_cert=<file>]
.B [tls_key=<file>]
.B [tls_cacert=<file>]
.B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand]
.B [tls_reqsan=never|allow|try|demand]
.B [tls_cipher_suite=<ciphers>]
.B [tls_ecname=<names>]
.B [tls_crlcheck=none|peer|all]
.RS
Remoteauth specific TLS configuration, see
.BR slapd.conf (5)
for more details on each of the parameters and defaults.
.RE
.TP
.B remoteauth_tls_peerkey_hash <hostname> <hashname>:<base64 of public key hash>
Mapping between remote server hostnames and their public key hashes. Only one
mapping per hostname is supported and if any pins are specified, all hosts
need to be pinned. If set, pinning is in effect regardless of whether or not
certificate name validation is enabled by
.BR tls_reqcert .
.SH EXAMPLE
A typical example configuration of
.B remoteauth
overlay for AD is shown below (as a
.BR slapd.conf (5)
snippet):
.LP
.nf
database <database>
#...
overlay remoteauth
remoteauth_dn_attribute seeAlso
remoteauth_domain_attribute associatedDomain
remoteauth_default_realm americas.example.com
remoteauth_mapping americas file:///home/ldap/etc/remoteauth.americas
remoteauth_mapping emea emeadc1.emea.example.com
remoteauth_tls starttls=yes tls_reqcert=demand tls_cacert=/home/ldap/etc/example-ca.pem
remoteauth_tls_peerkey_hash ldap.americas.tld sha256:Bxv3MkLoDm6gt/iDfeGNdNNqa5TTpPDdIwvZM/cIgeo=
.fi
Where seeAlso contains the AD bind DN for the user, associatedDomain contains the
Windows Domain Id in the form of <NT-domain-name>:<NT-username> in which
anything following, including ":", is ignored.
.SH SEE ALSO
.BR slapd.conf (5),
.BR slapd (8).
.SH Copyrights
Copyright 2004-2021 The OpenLDAP Foundation.
Portions Copyright 2004-2017 Howard Chu, Symas Corporation.
Portions Copyright 2017-2021 Ondřej Kuzník, Symas Corporation.
Portions Copyright 2004 Hewlett-Packard Company
servers/slapd/bconfig.c
View file @
34b95c52
...
...
@@ -283,6 +283,8 @@ static OidRec OidMacros[] = {
* OLcfgOv{Oc|At}:19 -> collect
* OLcfgOv{Oc|At}:20 -> retcode
* OLcfgOv{Oc|At}:21 -> sssvlv
* OLcfgOv{Oc|At}:22 -> autoca
* OLcfgOv{Oc|At}:24 -> remoteauth
*/
/* alphabetical ordering */
...
...
servers/slapd/overlays/Makefile.in
View file @
34b95c52
...
...
@@ -27,6 +27,7 @@ SRCS = overlays.c \
collect.c
\
ppolicy.c
\
refint.c
\
remoteauth.c
\
retcode.c
\
rwm.c rwmconf.c rwmdn.c rwmmap.c
\
seqmod.c
\
...
...
@@ -102,6 +103,9 @@ ppolicy.la : ppolicy.lo
refint.la
:
refint.lo
$(LTLINK_MOD)
-module
-o
$@
refint.lo version.lo
$(LINK_LIBS)
remoteauth.la
:
remoteauth.lo
$(LTLINK_MOD)
-module
-o
$@
remoteauth.lo version.lo
$(LINK_LIBS)
retcode.la
:
retcode.lo
$(LTLINK_MOD)
-module
-o
$@
retcode.lo version.lo
$(LINK_LIBS)
...
...
servers/slapd/overlays/remoteauth.c
0 → 100644
View file @
34b95c52
This diff is collapsed.
Click to expand it.
tests/data/remoteauth/config.ldif
0 → 100644
View file @
34b95c52
dn: olcOverlay={0}remoteauth,olcDatabase={1}@BACKEND@,cn=config
objectClass: olcOverlayConfig
objectclass: olcRemoteAuthCfg
olcOverlay: {0}remoteauth
olcRemoteAuthRetryCount: 3
olcRemoteAuthTLS: starttls=critical
tls_cert="@TESTDIR@/tls/certs/localhost.crt"
tls_key="@TESTDIR@/tls/private/localhost.key"
tls_cacert="@TESTDIR@/tls/ca/certs/testsuiteCA.crt"
tls_reqcert=demand tls_reqsan=allow
#openssl# tls_crlcheck=none
olcRemoteAuthDNAttribute: seeAlso
olcRemoteAuthDomainAttribute: o
olcRemoteAuthDefaultDomain: default
olcRemoteAuthDefaultRealm: @SURIP3@
olcRemoteAuthStore: FALSE
olcRemoteAuthMapping: default file://@TESTDIR@/default_domain
olcRemoteAuthMapping: working_ldaps @SURIP3@
olcRemoteAuthMapping: failing_ldaps @SURIP2@
olcRemoteAuthMapping: self @URIP1@
tests/data/remoteauth/default_domain
0 → 100644
View file @
34b95c52
ldap://we/should/not/be/able/to/connect/to
@SURIP2@
@SURIP3@
tests/data/remoteauth/remoteauth.conf
0 → 100644
View file @
34b95c52
overlay
remoteauth
# defaults
#remoteauth_retry_count 3
#remoteauth_store off
remoteauth_tls
starttls
=
critical
tls_cert
=@
TESTDIR
@/
tls
/
certs
/
localhost
.
crt
tls_key
=@
TESTDIR
@/
tls
/
private
/
localhost
.
key
tls_cacert
=@
TESTDIR
@/
tls
/
ca
/
certs
/
testsuiteCA
.
crt
remoteauth_dn_attribute
seeAlso
remoteauth_domain_attribute
o
remoteauth_default_domain
default
remoteauth_default_realm
@
SURIP3
@
# It's a trap! (ehm... stack) cn=config entries will be emitted in reverse order
remoteauth_mapping
self
@
URIP1
@
remoteauth_mapping
failing_ldaps
@
SURIP2
@
remoteauth_mapping
working_ldaps
@
SURIP3
@
remoteauth_mapping
default
file
://@
TESTDIR
@/
default_domain
tests/run.in
View file @
34b95c52
...
...
@@ -49,6 +49,7 @@ AC_memberof=memberof@BUILD_MEMBEROF@
AC_pcache
=
pcache@BUILD_PROXYCACHE@
AC_ppolicy
=
ppolicy@BUILD_PPOLICY@
AC_refint
=
refint@BUILD_REFINT@
AC_remoteauth
=
remoteauth@BUILD_REMOTEAUTH@
AC_retcode
=
retcode@BUILD_RETCODE@
AC_translucent
=
translucent@BUILD_TRANSLUCENT@
AC_unique
=
unique@BUILD_UNIQUE@
...
...
@@ -75,8 +76,9 @@ if test "${AC_asyncmeta}" = "asyncmetamod" && test "${AC_LIBS_DYNAMIC}" = "stati
AC_meta
=
"asyncmetano"
fi
export
AC_ldap AC_mdb AC_meta AC_asyncmeta AC_monitor AC_null AC_perl AC_relay AC_sql
\
AC_accesslog AC_autoca AC_constraint AC_dds AC_dynlist AC_memberof AC_pcache AC_ppolicy
\
AC_refint AC_retcode AC_rwm AC_unique AC_syncprov AC_translucent
\
AC_accesslog AC_autoca AC_constraint AC_dds AC_dynlist AC_memberof
\
AC_pcache AC_ppolicy AC_refint AC_remoteauth
\
AC_retcode AC_rwm AC_unique AC_syncprov AC_translucent
\
AC_valsort
\
AC_lloadd
\
AC_WITH_SASL AC_WITH_TLS AC_WITH_MODULES_ENABLED AC_ACI_ENABLED
\
...
...
tests/scripts/conf.sh
View file @
34b95c52
...
...
@@ -43,6 +43,7 @@ sed -e "s/@BACKEND@/${BACKEND}/" \
-e
"s/^#
${
AC_ppolicy
}
#//"
\
-e
"s/^#
${
AC_refint
}
#//"
\
-e
"s/^#
${
AC_retcode
}
#//"
\
-e
"s/^#
${
AC_remoteauth
}
#//"
\
-e
"s/^#
${
AC_rwm
}
#//"
\
-e
"s/^#
${
AC_syncprov
}
#//"
\
-e
"s/^#
${
AC_translucent
}
#//"
\
...
...
tests/scripts/defines.sh
View file @
34b95c52
...
...
@@ -37,6 +37,7 @@ MEMBEROF=${AC_memberof-memberofno}
PROXYCACHE
=
${
AC_pcache
-pcacheno
}
PPOLICY
=
${
AC_ppolicy
-ppolicyno
}
REFINT
=
${
AC_refint
-refintno
}
REMOTEAUTH
=
${
AC_remoteauth
-remoteauthno
}
RETCODE
=
${
AC_retcode
-retcodeno
}
RWM
=
${
AC_rwm
-rwmno
}
SYNCPROV
=
${
AC_syncprov
-syncprovno
}
...
...
tests/scripts/test082-remoteauth
0 → 100755
View file @
34b95c52
#! /bin/sh
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 2016-2021 Ondřej Kuzník, Symas Corp.
## Copyright 1998-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
echo
"running defines.sh"
.
$SRCDIR
/scripts/defines.sh
if
test
$WITH_TLS
=
no
;
then
echo
"TLS support not available, test skipped"
exit
0
fi
if
test
$REMOTEAUTH
=
remoteauthno
;
then
echo
"RemoteAuth overlay not available, test skipped"
exit
0
fi
mkdir
-p
$TESTDIR
$DBDIR1
$DBDIR2
$TESTDIR
/confdir
cp
-r
$DATADIR
/tls
$TESTDIR
.
$CONFFILTER
<
$DATADIR
/remoteauth/default_domain
>
$TESTDIR
/default_domain
.
$CONFFILTER
$BACKEND
<
$TLSCONF
>
$CONF1
$SLAPPASSWD
-g
-n
>
$CONFIGPWF
echo
"database config"
>>
$CONF1
echo
"rootpw
`
$SLAPPASSWD
-T
$CONFIGPWF
`
"
>>
$CONF1
echo
"TLSCACertificateFile
$TESTDIR
/tls/ca/certs/testsuiteCA.crt"
>>
$CONF1
$SLAPD
-Tt
-n
0
-f
$CONF1
-F
$TESTDIR
/confdir
-d
$LVL
>
$LOG1
2>&1
RC
=
$?
if
test
$RC
!=
0
;
then
echo
"slaptest failed (
$RC
)!"
exit
$RC
fi
echo
-n
"Running slapadd to build slapd database... "
$SLAPADD
-F
$TESTDIR
/confdir
-l
$LDIFORDERED
RC
=
$?
if
test
$RC
!=
0
;
then
echo
"slapadd failed (
$RC
)!"
exit
$RC
fi
echo
"DB tweaks..."
$SLAPMODIFY
-f
$CONF1
>>
$LOG1
2>&1
<<
EOMODS
dn:
$MELLIOTDN
changetype: modify
add: o
o: self
-
replace: seeAlso
seeAlso:
$BJORNSDN
dn:
$JOHNDDN
changetype: modify
replace: seeAlso
seeAlso:
$BJORNSDN
EOMODS
RC
=
$?
if
test
$RC
!=
0
;
then
echo
"slapmodify failed (
$RC
)!"
test
$KILLSERVERS
!=
no
&&
kill
-HUP
$KILLPIDS
exit
$RC
fi
echo
"Starting slapd on TCP/IP port
$PORT1
for configuration..."
$SLAPD
-f
$CONF1
-F
$TESTDIR
/confdir
-h
$URI1
-d
$LVL
>
$LOG1
2>&1 &
REMOTEAUTH_PID
=
$!
if
test
$WAIT
!=
0
;
then
echo
REMOTEAUTH_PID
$REMOTEAUTH_PID
read
foo
fi
KILLPIDS
=
"
$REMOTEAUTH_PID
"
sleep
$SLEEP0
for
i
in
0 1 2 3 4 5
;
do
$LDAPSEARCH
-s
base
-b
"
$MONITOR
"
-H
$URI1
\
'objectclass=*'
>
/dev/null 2>&1
RC
=
$?
if
test
$RC
=
0
;
then
break
fi
echo
"Waiting
${
SLEEP1
}
seconds for slapd to start..."
sleep
${
SLEEP1
}
done
if
[
"
$REMOTEAUTH
"
=
remoteauthmod
]
;
then
$LDAPADD
-D
cn
=
config
-H
$URI1
-y
$CONFIGPWF
\
>>
$TESTOUT
2>&1
<<
EOMOD
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath:
$TESTWD
/../servers/slapd/overlays
olcModuleLoad: remoteauth.la
EOMOD
RC
=
$?
if
test
$RC
!=
0
;
then
echo
"ldapmodify failed (
$RC
)!"
test
$KILLSERVERS
!=
no
&&
kill
-HUP
$KILLPIDS
exit
$RC
fi
fi
echo
"Loading test remoteauth configuration..."
.
$CONFFILTER
$BACKEND
<
$DATADIR
/remoteauth/config.ldif |
\
$LDAPADD
-v
-D
cn
=
config
-H
$URI1
-y
$CONFIGPWF
\
>>
$TESTOUT
2>&1
RC
=
$?
if
test
$RC
!=
0
;
then
echo
"ldapadd failed (
$RC
)!"
test
$KILLSERVERS
!=
no
&&
kill
-HUP
$KILLPIDS
exit
$RC
fi
echo
-n
"Preparing second server on
$URI2
and
$SURIP3
... "
.
$CONFFILTER
$BACKEND
<
$TLSCONF
|
sed
-e
"s,
$DBDIR1
,
$DBDIR2
,"
>
$CONF2
echo
-n
"loading data... "
$SLAPADD
-f
$CONF2
-l
$LDIFORDERED
RC
=
$?
if
test
$RC
!=
0
;
then
echo
"slapadd failed (
$RC
)!"
test
$KILLSERVERS
!=
no
&&
kill
-HUP
$KILLPIDS
exit
$RC
fi
echo
-n
"tweaking DB contents... "
$SLAPMODIFY
-f
$CONF2
>>
$LOG2
2>&1
<<
EOMODS
dn:
$BJORNSDN
changetype: modify
replace: userPassword
userPassword: bjorn2
EOMODS
RC
=
$?
if
test
$RC
!=
0
;
then
echo
"slapmodify failed (
$RC
)!"
test
$KILLSERVERS
!=
no
&&
kill
-HUP
$KILLPIDS
exit
$RC
fi
echo
"starting up... "
$SLAPD
-f
$CONF2
-h
"
$URI2
$SURIP3
"
-d
$LVL
>
$LOG2
2>&1 &
BACKEND_PID
=
$!
if
test
$WAIT
!=
0
;
then
echo
BACKEND_PID
$BACKEND_PID
read
foo
fi
KILLPIDS
=
"
$KILLPIDS
$BACKEND_PID
"
for
i
in
0 1 2 3 4 5
;
do
$LDAPSEARCH
-s
base
-b
"
$MONITOR
"
-H
$URI2
\
'objectclass=*'
>
/dev/null 2>&1
RC
=
$?
if
test
$RC
=
0
;
then
break
fi
echo
"Waiting
${
SLEEP1
}
seconds for slapd to start..."
sleep
${
SLEEP1
}
done
if
test
$RC
!=
0
;
then
echo
"failed (
$RC
)!"
test
$KILLSERVERS
!=
no
&&
kill
-HUP
$KILLPIDS
exit
$RC
fi
.
$CONFFILTER
$BACKEND
<
$TLSCONF
>
$CONF1
echo
"TLSCACertificateFile
$TESTDIR
/tls/ca/certs/testsuiteCA.crt"
>>
$CONF1
echo
"database config"
>>
$CONF1
echo
"rootpw
`
$SLAPPASSWD
-T
$CONFIGPWF
`
"
>>
$CONF1
# We check basic remoteauth operation and generated configuration in these
# circumstances:
# 1. configured online through cn=config (what we set up above)
# 2. the server from 1. restarted (loading from cn=config on startup)
# 3. configured and started through a slapd.conf
#
# All of the above should present the same behaviour and cn=config output
echo
"Saving generated config before server restart..."
echo
"# search output from dynamically configured server..."
>>
$SERVER1OUT
$LDAPSEARCH
-D
cn
=
config
-H
$URI1
-y
$CONFIGPWF
\
-b
"olcOverlay={0}remoteauth,olcDatabase={1}
$BACKEND
,cn=config"
\
>>
$SERVER1OUT
2>&1
RC
=
$?
if
test
$RC
!=
0
;
then
echo
"ldapsearch failed (
$RC
)!"
test
$KILLSERVERS
!=
no
&&
kill
-HUP
$KILLPIDS
exit
$RC
fi
echo
-n
"Checking bind handling... "
$LDAPWHOAMI
-H
$URI1
-x
-D
"
$BJORNSDN
"
-w
bjorn
>
/dev/null
RC
=
$?
if
test
$RC
!=
0
;
then
echo
"ldapwhoami failed (
$RC
)!"
test
$KILLSERVERS
!=
no
&&
kill
-HUP
$KILLPIDS
exit
$RC
fi
echo
-n
"1 "
$LDAPWHOAMI
-H
$URI1
-x
-D
"
$JOHNDDN
"
-w
bjorn2
>
/dev/null
RC
=
$?
if
test
$RC
!=
0
;
then
echo
"ldapwhoami failed (
$RC
)!"
test
$KILLSERVERS
!=
no
&&
kill
-HUP
$KILLPIDS
exit
$RC
fi
echo
-n
"2 "
$LDAPWHOAMI
-H
$URI1
-x
-D
"
$MELLIOTDN
"
-w
bjorn
>
/dev/null
RC
=
$?
if
test
$RC
!=
0
;
then
echo
"ldapwhoami failed (
$RC
)!"
test
$KILLSERVERS
!=
no
&&
kill
-HUP
$KILLPIDS
exit
$RC
fi
echo
-n
"3 "
echo
"ok"
echo
"Stopping slapd on TCP/IP port
$PORT1
..."
kill
-HUP
$REMOTEAUTH_PID
KILLPIDS
=
"
$BACKEND_PID
"
sleep
$SLEEP0
echo
"Starting slapd on TCP/IP port
$PORT1
..."
$SLAPD
-F
$TESTDIR
/confdir
-h
$URI1
-d
$LVL
>>
$LOG1
2>&1 &
REMOTEAUTH_PID
=
$!
if
test
$WAIT
!=
0
;
then
echo
REMOTEAUTH_PID
$REMOTEAUTH_PID
read
foo
fi
KILLPIDS
=
"
$KILLPIDS
$REMOTEAUTH_PID
"
sleep
$SLEEP0
for
i
in
0 1 2 3 4 5
;
do
$LDAPSEARCH
-s
base
-b
"
$MONITOR
"
-H
$URI1
\
'objectclass=*'
>
/dev/null 2>&1
RC
=
$?
if
test
$RC
=
0
;
then
break
fi
echo
"Waiting
${
SLEEP1
}
seconds for slapd to start..."
sleep
${
SLEEP1
}
done
echo
"Saving generated config after server restart..."
echo
"# search output from dynamically configured server after restart..."
>>
$SERVER2OUT
$LDAPSEARCH
-D
cn
=
config
-H
$URI1
-y
$CONFIGPWF
\
-b
"olcOverlay={0}remoteauth,olcDatabase={1}
$BACKEND
,cn=config"
\
>>
$SERVER2OUT
2>&1
RC
=
$?
if
test
$RC
!=
0
;
then
echo
"ldapsearch failed (
$RC
)!"
test
$KILLSERVERS
!=
no
&&
kill
-HUP
$KILLPIDS
exit
$RC
fi
echo
-n
"Checking bind handling... "
$LDAPWHOAMI
-H
$URI1
-x
-D
"
$BJORNSDN
"
-w
bjorn
>
/dev/null
RC
=
$?
if
test
$RC
!=
0
;
then
echo
"ldapwhoami failed (
$RC
)!"
test
$KILLSERVERS
!=
no
&&
kill
-HUP
$KILLPIDS
exit
$RC
fi
echo
-n
"1 "
$LDAPWHOAMI
-H
$URI1
-x
-D
"
$JOHNDDN
"
-w
bjorn2
>
/dev/null
RC
=
$?
if
test
$RC
!=
0
;
then
echo
"ldapwhoami failed (
$RC
)!"
test
$KILLSERVERS
!=
no
&&
kill
-HUP
$KILLPIDS
exit
$RC
fi
echo
-n
"2 "
$LDAPWHOAMI
-H
$URI1
-x
-D
"
$MELLIOTDN
"
-w
bjorn
>
/dev/null
RC
=
$?
if
test
$RC
!=
0
;
then
echo
"ldapwhoami failed (
$RC
)!"
test
$KILLSERVERS
!=
no
&&
kill
-HUP
$KILLPIDS