Commit 9105afc6 authored by Emmanuel Lecharny's avatar Emmanuel Lecharny Committed by Quanah Gibson-Mount
Browse files

ITS#8571 Added testsuite to cover the proxyauthz configuration for proxycache and back-ldap

parent 4dbecbd1
# master slapd config -- for proxy cache testing
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2016 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
include @SCHEMADIR@/core.schema
include @SCHEMADIR@/cosine.schema
include @SCHEMADIR@/inetorgperson.schema
include @SCHEMADIR@/openldap.schema
include @SCHEMADIR@/nis.schema
#
pidfile @TESTDIR@/slapd.1.pid
argsfile @TESTDIR@/slapd.1.args
disallow bind_anon
#mod#modulepath ../servers/slapd/back-@BACKEND@/
#mod#moduleload back_@BACKEND@.la
#monitormod#modulepath ../servers/slapd/back-monitor/
#monitormod#moduleload back_monitor.la
#######################################################################
# database definitions
#######################################################################
database @BACKEND@
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
#~null~#directory @TESTDIR@/db.1.a
#indexdb#index objectClass eq
#indexdb#index cn,sn,uid pres,eq,sub
#ndb#dbname db_1
#ndb#include @DATADIR@/ndb.conf
#monitor#database monitor
# proxy cache slapd config -- for testing
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2016 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
include @SCHEMADIR@/core.schema
include @SCHEMADIR@/cosine.schema
include @SCHEMADIR@/inetorgperson.schema
include @SCHEMADIR@/openldap.schema
include @SCHEMADIR@/nis.schema
pidfile @TESTDIR@/slapd.2.pid
argsfile @TESTDIR@/slapd.2.args
#mod#modulepath ../servers/slapd/back-@BACKEND@/
#mod#moduleload back_@BACKEND@.la
#ldapmod#modulepath ../servers/slapd/back-ldap/
#ldapmod#moduleload back_ldap.la
#monitormod#modulepath ../servers/slapd/back-monitor/
#monitormod#moduleload back_monitor.la
#pcachemod#modulepath ../servers/slapd/overlays/
#pcachemod#moduleload pcache.la
#######################################################################
# database definitions
#######################################################################
database ldap
suffix "dc=example,dc=com"
rootdn "dc=example,dc=com"
rootpw "secret"
uri "@URI1@"
limits dn="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" size=1
idassert-bind bindmethod=simple binddn="cn=Manager,dc=example,dc=com" credentials="secret"
mode=self authz=proxyauthz flags="override"
idassert-authzFrom "dn.children:dc=example,dc=com"
#authz=proxyauthz
overlay pcache
pcache @BACKEND@ 100 2 @ENTRY_LIMIT@ @CCPERIOD@
pcacheattrset 0 sn cn title uid
pcacheattrset 1 mail postaladdress telephonenumber cn uid
pcachetemplate (|(cn=)(sn=)) 0 @TTL@ @NTTL@ @STTL@
pcachetemplate (sn=) 0 @TTL@ @NTTL@ @STTL@
pcachetemplate (uid=) 1 @TTL@ @NTTL@ @STTL@
pcachetemplate (mail=) 0 @TTL@ @NTTL@ @STTL@
pcachetemplate (&(objectclass=)(uid=)) 1 @TTL@ @NTTL@ @STTL@ @TTR@
pcachetemplate (cn=) 0 86400 86400 86400 180
pcachebind (cn=) 0 3600 sub ou=people,dc=example,dc=com
#bdb#cachesize 20
#hdb#cachesize 20
#bdb#dbnosync
#hdb#dbnosync
#mdb#dbnosync
#~null~#directory @TESTDIR@/db.2.a
#indexdb#index objectClass eq
#indexdb#index cn,sn,uid,mail pres,eq,sub
#ndb#dbname db_2
#ndb#include @DATADIR@/ndb.conf
#monitor#database monitor
......@@ -93,7 +93,9 @@ DSRMASTERCONF=$DATADIR/slapd-deltasync-master.conf
DSRSLAVECONF=$DATADIR/slapd-deltasync-slave.conf
PPOLICYCONF=$DATADIR/slapd-ppolicy.conf
PROXYCACHECONF=$DATADIR/slapd-proxycache.conf
PROXYAUTHZCONF=$DATADIR/slapd-proxyauthz.conf
CACHEMASTERCONF=$DATADIR/slapd-cache-master.conf
PROXYAUTHZMASTERCONF=$DATADIR/slapd-cache-master-proxyauthz.conf
R1SRSLAVECONF=$DATADIR/slapd-syncrepl-slave-refresh1.conf
R2SRSLAVECONF=$DATADIR/slapd-syncrepl-slave-refresh2.conf
P1SRSLAVECONF=$DATADIR/slapd-syncrepl-slave-persist1.conf
......
#! /bin/sh
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2016 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
PCACHETTL=${PCACHETTL-"1m"}
PCACHENTTL=${PCACHENTTL-"1m"}
PCACHESTTL=${PCACHESTTL-"1m"}
PCACHE_ENTRY_LIMIT=${PCACHE_ENTRY_LIMIT-"6"}
PCACHE_CCPERIOD=${PCACHE_CCPERIOD-"2"}
PCACHETTR=${PCACHETTR-"2"}
PCACHEBTTR=${PCACHEBTTR-"5"}
. $SRCDIR/scripts/defines.sh
LVL=0x100
if test $PROXYCACHE = pcacheno; then
echo "Proxy cache overlay not available, test skipped"
exit 0
fi
if test $BACKLDAP = "ldapno" ; then
echo "LDAP backend not available, test skipped"
exit 0
fi
if test $BACKEND = ldif ; then
# The (mail=example.com*) queries hit a sizelimit, so which
# entry is returned depends on the ordering in the backend.
echo "Test does not support $BACKEND backend, test skipped"
exit 0
fi
mkdir -p $TESTDIR $DBDIR1 $DBDIR2
# Test proxy caching:
# - start master
# - start proxy cache
# - populate master
# - perform a first search
# - verify cacheability
# - perform a second search with the same filter and same user
# - verify answerability and cacheability of the bind
# - perform a third search with the same user but a different filter
# - verify cacheability of the bind and the non-answerability of the result
echo "Starting master slapd on TCP/IP port $PORT1..."
. $CONFFILTER < $PROXYAUTHZMASTERCONF > $CONF1
$SLAPD -f $CONF1 -h $URI1 -d $LVL > $LOG1 2>&1 &
PID=$!
if test $WAIT != 0 ; then
echo PID $PID
read foo
fi
KILLPIDS="$PID"
sleep 1
echo "Using ldapsearch to check that master slapd is running..."
for i in 0 1 2 3 4 5; do
$LDAPSEARCH -s base -b "$MONITOR" -h $LOCALHOST -p $PORT1 \
-D "cn=Manager,dc=example,dc=com" -w secret 'objectclass=*' > /dev/null 2>&1
RC=$?
if test $RC = 0 ; then
break
fi
echo "Waiting 5 seconds for slapd to start..."
sleep 5
done
if test $RC != 0 ; then
echo "ldapsearch failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo "Using ldapadd to populate the master directory..."
$LDAPADD -x -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD < \
$LDIFORDERED > /dev/null 2>&1
RC=$?
if test $RC != 0 ; then
echo "ldapadd failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo "Starting proxy cache on TCP/IP port $PORT2..."
. $CONFFILTER < $PROXYAUTHZCONF | sed \
-e "s/@TTL@/${PCACHETTL}/" \
-e "s/@NTTL@/${PCACHENTTL}/" \
-e "s/@STTL@/${PCACHENTTL}/" \
-e "s/@TTR@/${PCACHETTR}/" \
-e "s/@ENTRY_LIMIT@/${PCACHE_ENTRY_LIMIT}/" \
-e "s/@CCPERIOD@/${PCACHE_CCPERIOD}/" \
-e "s/@BTTR@/${PCACHEBTTR}/" \
> $CONF2
$SLAPD -f $CONF2 -h $URI2 -d $LVL -d pcache > $LOG2 2>&1 &
CACHEPID=$!
if test $WAIT != 0 ; then
echo CACHEPID $CACHEPID
read foo
fi
KILLPIDS="$KILLPIDS $CACHEPID"
sleep 1
echo "Using ldapsearch to check that proxy slapd is running..."
for i in 0 1 2 3 4 5; do
$LDAPSEARCH -s base -b "$MONITOR" -h $LOCALHOST -p $PORT2 \
-D "cn=Manager,dc=example,dc=com" -w secret 'objectclass=*' > /dev/null 2>&1
RC=$?
if test $RC = 0 ; then
break
fi
echo "Waiting 5 seconds for slapd to start..."
sleep 5
done
if test $RC != 0 ; then
echo "ldapsearch failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
cat /dev/null > $SEARCHOUT
echo "Making queries on the proxy cache..."
CNT=0
CNT=`expr $CNT + 1`
USERDN="cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com"
UPASSWD="jaj"
echo "Query $CNT: $USERDN"
echo "# Query $CNT: $USERDN" >> $SEARCHOUT
$LDAPSEARCH -S "" -b "dc=example,dc=com" -s SUB -h $LOCALHOST -p $PORT2 \
-D "$USERDN" -w "$UPASSWD" "(sn=je*)" sn >> $SEARCHOUT 2>> $TESTOUT
RC=$?
if test $RC != 0 ; then
echo "ldapsearch failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
# Check that the bind is cached
grep "CACHING BIND for $USERDN" $LOG2 > /dev/null
RC=$?
if test $RC != 0 ; then
echo "Refresh failed"
test $KILLSERVERS != no && kill -HUP $KILLPIDS && wait
exit 1
fi
CNT=`expr $CNT + 1`
USERDN="cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com"
UPASSWD="jaj"
echo "Query $CNT: (Bind should be cached)"
echo "# Query $CNT: (Bind should be cached)" >> $SEARCHOUT
$LDAPSEARCH -S "" -b "dc=example,dc=com" -s SUB -h $LOCALHOST -p $PORT2 \
-D "$USERDN" -w "$UPASSWD" "(sn=je*)" sn >> $SEARCHOUT 2>> $TESTOUT
RC=$?
if test $RC != 0 ; then
echo "ldapsearch failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
grep "CACHED BIND for $USERDN" $LOG2 > /dev/null
RC=$?
if test $RC != 0 ; then
echo "Refresh failed"
test $KILLSERVERS != no && kill -HUP $KILLPIDS && wait
exit 1
fi
CNT=`expr $CNT + 1`
USERDN="cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com"
echo "Query $CNT: (Bind should be cached)"
echo "# Query $CNT: (Bind should be cached)" >> $SEARCHOUT
$LDAPSEARCH -S "" -b "dc=example,dc=com" -s SUB -h $LOCALHOST -p $PORT2 \
-D "$USERDN" -w "$UPASSWD" "(sn=je*)" sn >> $SEARCHOUT 2>> $TESTOUT
RC=$?
if test $RC != 0 ; then
echo "ldapsearch failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
RC=`grep "CACHED BIND for $USERDN" $LOG2 | wc -l`
if test $RC != 2 ; then
echo "Bind wasn't answered from cache"
test $KILLSERVERS != no && kill -HUP $KILLPIDS && wait
exit 1
fi
echo "=== New search on (sn=jo*)"
cat /dev/null > $SEARCHOUT
echo "# Query $CNT: (Bind should be cached)" >> $SEARCHOUT
$LDAPSEARCH -S "" -b "dc=example,dc=com" -s SUB -h $LOCALHOST -p $PORT2 \
-D "$USERDN" -w "$UPASSWD" "(sn=jo*)" sn >> $SEARCHOUT 2>> $TESTOUT
RC=$?
if test $RC != 0 ; then
echo "ldapsearch failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
RC=`grep "CACHED BIND for $USERDN" $LOG2 | wc -l`
if test $RC != 3 ; then
echo "Bind wasn't answered from cache"
test $KILLSERVERS != no && kill -HUP $KILLPIDS && wait
exit 1
fi
RC=`grep "QUERY NOT ANSWERABLE" $LOG2 | wc -l`
if test $RC != 3 ; then
echo "Search wasn't searched on remote peer"
test $KILLSERVERS != no && kill -HUP $KILLPIDS && wait
exit 1
fi
RC=`grep "dn: cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com" $SEARCHOUT | wc -l`
if test $RC != 1 ; then
echo "Search wasn't retrieved on remote peer"
test $KILLSERVERS != no && kill -HUP $KILLPIDS && wait
exit 1
fi
echo "Test succeeded"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
test $KILLSERVERS != no && wait
exit 0
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment