|
|
ef2d9b |
From 8e3e85e329f5cbd989936b0df8a0ac06906a4824 Mon Sep 17 00:00:00 2001
|
|
|
ef2d9b |
From: Isaac Boukris <iboukris@gmail.com>
|
|
|
ef2d9b |
Date: Tue, 14 Apr 2020 16:19:05 +0300
|
|
|
ef2d9b |
Subject: [PATCH] auth: add SASL/GSSAPI tests
|
|
|
ef2d9b |
|
|
|
ef2d9b |
---
|
|
|
ef2d9b |
tests/data/krb5.conf | 32 ++++++
|
|
|
ef2d9b |
tests/data/slapd-sasl-gssapi.conf | 65 ++++++++++++
|
|
|
ef2d9b |
tests/scripts/conf.sh | 3 +
|
|
|
ef2d9b |
tests/scripts/defines.sh | 5 +
|
|
|
ef2d9b |
tests/scripts/setup_kdc.sh | 144 +++++++++++++++++++++++++++
|
|
|
ef2d9b |
tests/scripts/test077-sasl-gssapi | 159 ++++++++++++++++++++++++++++++
|
|
|
ef2d9b |
6 files changed, 408 insertions(+)
|
|
|
ef2d9b |
create mode 100644 tests/data/krb5.conf
|
|
|
ef2d9b |
create mode 100644 tests/data/slapd-sasl-gssapi.conf
|
|
|
ef2d9b |
create mode 100755 tests/scripts/setup_kdc.sh
|
|
|
ef2d9b |
create mode 100755 tests/scripts/test077-sasl-gssapi
|
|
|
ef2d9b |
|
|
|
ef2d9b |
diff --git a/tests/data/krb5.conf b/tests/data/krb5.conf
|
|
|
ef2d9b |
new file mode 100644
|
|
|
ef2d9b |
index 000000000..739113742
|
|
|
ef2d9b |
--- /dev/null
|
|
|
ef2d9b |
+++ b/tests/data/krb5.conf
|
|
|
ef2d9b |
@@ -0,0 +1,32 @@
|
|
|
ef2d9b |
+[libdefaults]
|
|
|
ef2d9b |
+ default_realm = @KRB5REALM@
|
|
|
ef2d9b |
+ dns_lookup_realm = false
|
|
|
ef2d9b |
+ dns_lookup_kdc = false
|
|
|
ef2d9b |
+ default_ccache_name = FILE://@TESTDIR@/ccache
|
|
|
ef2d9b |
+ #udp_preference_limit = 1
|
|
|
ef2d9b |
+[realms]
|
|
|
ef2d9b |
+ @KRB5REALM@ = {
|
|
|
ef2d9b |
+ kdc = @KDCHOST@:@KDCPORT@
|
|
|
ef2d9b |
+ acl_file = @TESTDIR@/kadm.acl
|
|
|
ef2d9b |
+ database_name = @TESTDIR@/kdc.db
|
|
|
ef2d9b |
+ key_stash_file = @TESTDIR@/kdc.stash
|
|
|
ef2d9b |
+ }
|
|
|
ef2d9b |
+[kdcdefaults]
|
|
|
ef2d9b |
+ kdc_ports = @KDCPORT@
|
|
|
ef2d9b |
+ kdc_tcp_ports = @KDCPORT@
|
|
|
ef2d9b |
+[logging]
|
|
|
ef2d9b |
+ kdc = FILE:@TESTDIR@/kdc.log
|
|
|
ef2d9b |
+ admin_server = FILE:@TESTDIR@/kadm.log
|
|
|
ef2d9b |
+ default = FILE:@TESTDIR@/krb5.log
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+#Heimdal
|
|
|
ef2d9b |
+[kdc]
|
|
|
ef2d9b |
+ database = {
|
|
|
ef2d9b |
+ dbname = @TESTDIR@/kdc.db
|
|
|
ef2d9b |
+ realm = @KRB5REALM@
|
|
|
ef2d9b |
+ mkey_file = @TESTDIR@/kdc.stash
|
|
|
ef2d9b |
+ log_file = @TESTDIR@/kdc.log
|
|
|
ef2d9b |
+ acl_file = @TESTDIR@/kadm.acl
|
|
|
ef2d9b |
+ }
|
|
|
ef2d9b |
+[hdb]
|
|
|
ef2d9b |
+ db-dir = @TESTDIR@
|
|
|
ef2d9b |
diff --git a/tests/data/slapd-sasl-gssapi.conf b/tests/data/slapd-sasl-gssapi.conf
|
|
|
ef2d9b |
new file mode 100644
|
|
|
ef2d9b |
index 000000000..611fc7097
|
|
|
ef2d9b |
--- /dev/null
|
|
|
ef2d9b |
+++ b/tests/data/slapd-sasl-gssapi.conf
|
|
|
ef2d9b |
@@ -0,0 +1,65 @@
|
|
|
ef2d9b |
+# stand-alone slapd config -- for testing (with indexing)
|
|
|
ef2d9b |
+# $OpenLDAP$
|
|
|
ef2d9b |
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
|
|
|
ef2d9b |
+##
|
|
|
ef2d9b |
+## Copyright 1998-2020 The OpenLDAP Foundation.
|
|
|
ef2d9b |
+## All rights reserved.
|
|
|
ef2d9b |
+##
|
|
|
ef2d9b |
+## Redistribution and use in source and binary forms, with or without
|
|
|
ef2d9b |
+## modification, are permitted only as authorized by the OpenLDAP
|
|
|
ef2d9b |
+## Public License.
|
|
|
ef2d9b |
+##
|
|
|
ef2d9b |
+## A copy of this license is available in the file LICENSE in the
|
|
|
ef2d9b |
+## top-level directory of the distribution or, alternatively, at
|
|
|
ef2d9b |
+## <http://www.OpenLDAP.org/license.html>.
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+#
|
|
|
ef2d9b |
+include @SCHEMADIR@/core.schema
|
|
|
ef2d9b |
+include @SCHEMADIR@/cosine.schema
|
|
|
ef2d9b |
+#
|
|
|
ef2d9b |
+include @SCHEMADIR@/corba.schema
|
|
|
ef2d9b |
+include @SCHEMADIR@/java.schema
|
|
|
ef2d9b |
+include @SCHEMADIR@/inetorgperson.schema
|
|
|
ef2d9b |
+include @SCHEMADIR@/misc.schema
|
|
|
ef2d9b |
+include @SCHEMADIR@/nis.schema
|
|
|
ef2d9b |
+include @SCHEMADIR@/openldap.schema
|
|
|
ef2d9b |
+#
|
|
|
ef2d9b |
+include @SCHEMADIR@/duaconf.schema
|
|
|
ef2d9b |
+include @SCHEMADIR@/dyngroup.schema
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+#
|
|
|
ef2d9b |
+pidfile @TESTDIR@/slapd.1.pid
|
|
|
ef2d9b |
+argsfile @TESTDIR@/slapd.1.args
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+# SSL configuration
|
|
|
ef2d9b |
+TLSCACertificateFile @TESTDIR@/tls/ca/certs/testsuiteCA.crt
|
|
|
ef2d9b |
+TLSCertificateKeyFile @TESTDIR@/tls/private/localhost.key
|
|
|
ef2d9b |
+TLSCertificateFile @TESTDIR@/tls/certs/localhost.crt
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+#
|
|
|
ef2d9b |
+rootdse @DATADIR@/rootdse.ldif
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+#mod#modulepath ../servers/slapd/back-@BACKEND@/
|
|
|
ef2d9b |
+#mod#moduleload back_@BACKEND@.la
|
|
|
ef2d9b |
+#monitormod#modulepath ../servers/slapd/back-monitor/
|
|
|
ef2d9b |
+#monitormod#moduleload back_monitor.la
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+#######################################################################
|
|
|
ef2d9b |
+# database definitions
|
|
|
ef2d9b |
+#######################################################################
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+database @BACKEND@
|
|
|
ef2d9b |
+suffix "dc=example,dc=com"
|
|
|
ef2d9b |
+rootdn "cn=Manager,dc=example,dc=com"
|
|
|
ef2d9b |
+rootpw secret
|
|
|
ef2d9b |
+#~null~#directory @TESTDIR@/db.1.a
|
|
|
ef2d9b |
+#indexdb#index objectClass eq
|
|
|
ef2d9b |
+#indexdb#index mail eq
|
|
|
ef2d9b |
+#ndb#dbname db_1_a
|
|
|
ef2d9b |
+#ndb#include @DATADIR@/ndb.conf
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+#monitor#database monitor
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+sasl-realm @KRB5REALM@
|
|
|
ef2d9b |
+sasl-host localhost
|
|
|
ef2d9b |
diff --git a/tests/scripts/conf.sh b/tests/scripts/conf.sh
|
|
|
ef2d9b |
index b0393865d..c9e1a4b0a 100755
|
|
|
ef2d9b |
--- a/tests/scripts/conf.sh
|
|
|
ef2d9b |
+++ b/tests/scripts/conf.sh
|
|
|
ef2d9b |
@@ -99,4 +99,7 @@ sed -e "s/@BACKEND@/${BACKEND}/" \
|
|
|
ef2d9b |
-e "s;@TESTWD@;${TESTWD};" \
|
|
|
ef2d9b |
-e "s;@DATADIR@;${DATADIR};" \
|
|
|
ef2d9b |
-e "s;@SCHEMADIR@;${SCHEMADIR};" \
|
|
|
ef2d9b |
+ -e "s;@KRB5REALM@;${KRB5REALM};" \
|
|
|
ef2d9b |
+ -e "s;@KDCHOST@;${KDCHOST};" \
|
|
|
ef2d9b |
+ -e "s;@KDCPORT@;${KDCPORT};" \
|
|
|
ef2d9b |
-e "/^#/d"
|
|
|
ef2d9b |
diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh
|
|
|
ef2d9b |
index 1d6c2b3f1..ccb2e5b41 100755
|
|
|
ef2d9b |
--- a/tests/scripts/defines.sh
|
|
|
ef2d9b |
+++ b/tests/scripts/defines.sh
|
|
|
ef2d9b |
@@ -114,6 +114,7 @@ REFSLAVECONF=$DATADIR/slapd-ref-slave.conf
|
|
|
ef2d9b |
SCHEMACONF=$DATADIR/slapd-schema.conf
|
|
|
ef2d9b |
TLSCONF=$DATADIR/slapd-tls.conf
|
|
|
ef2d9b |
TLSSASLCONF=$DATADIR/slapd-tls-sasl.conf
|
|
|
ef2d9b |
+SASLGSSAPICONF=$DATADIR/slapd-sasl-gssapi.conf
|
|
|
ef2d9b |
GLUECONF=$DATADIR/slapd-glue.conf
|
|
|
ef2d9b |
REFINTCONF=$DATADIR/slapd-refint.conf
|
|
|
ef2d9b |
RETCODECONF=$DATADIR/slapd-retcode.conf
|
|
|
ef2d9b |
@@ -223,6 +224,7 @@ PORT3=`expr $BASEPORT + 3`
|
|
|
ef2d9b |
PORT4=`expr $BASEPORT + 4`
|
|
|
ef2d9b |
PORT5=`expr $BASEPORT + 5`
|
|
|
ef2d9b |
PORT6=`expr $BASEPORT + 6`
|
|
|
ef2d9b |
+KDCPORT=`expr $BASEPORT + 7`
|
|
|
ef2d9b |
URI1="ldap://${LOCALHOST}:$PORT1/"
|
|
|
ef2d9b |
URIP1="ldap://${LOCALIP}:$PORT1/"
|
|
|
ef2d9b |
URI2="ldap://${LOCALHOST}:$PORT2/"
|
|
|
ef2d9b |
@@ -248,6 +250,9 @@ SURIP5="ldaps://${LOCALIP}:$PORT5/"
|
|
|
ef2d9b |
SURI6="ldaps://${LOCALHOST}:$PORT6/"
|
|
|
ef2d9b |
SURIP6="ldaps://${LOCALIP}:$PORT6/"
|
|
|
ef2d9b |
|
|
|
ef2d9b |
+KRB5REALM="K5.REALM"
|
|
|
ef2d9b |
+KDCHOST=$LOCALHOST
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
# LDIF
|
|
|
ef2d9b |
LDIF=$DATADIR/test.ldif
|
|
|
ef2d9b |
LDIFADD1=$DATADIR/do_add.1
|
|
|
ef2d9b |
diff --git a/tests/scripts/setup_kdc.sh b/tests/scripts/setup_kdc.sh
|
|
|
ef2d9b |
new file mode 100755
|
|
|
ef2d9b |
index 000000000..1cb784075
|
|
|
ef2d9b |
--- /dev/null
|
|
|
ef2d9b |
+++ b/tests/scripts/setup_kdc.sh
|
|
|
ef2d9b |
@@ -0,0 +1,144 @@
|
|
|
ef2d9b |
+#! /bin/sh
|
|
|
ef2d9b |
+# $OpenLDAP$
|
|
|
ef2d9b |
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
|
|
|
ef2d9b |
+##
|
|
|
ef2d9b |
+## Copyright 1998-2020 The OpenLDAP Foundation.
|
|
|
ef2d9b |
+## All rights reserved.
|
|
|
ef2d9b |
+##
|
|
|
ef2d9b |
+## Redistribution and use in source and binary forms, with or without
|
|
|
ef2d9b |
+## modification, are permitted only as authorized by the OpenLDAP
|
|
|
ef2d9b |
+## Public License.
|
|
|
ef2d9b |
+##
|
|
|
ef2d9b |
+## A copy of this license is available in the file LICENSE in the
|
|
|
ef2d9b |
+## top-level directory of the distribution or, alternatively, at
|
|
|
ef2d9b |
+## <http://www.OpenLDAP.org/license.html>.
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+export KRB5_TRACE=$TESTDIR/k5_trace
|
|
|
ef2d9b |
+export KRB5_CONFIG=$TESTDIR/krb5.conf
|
|
|
ef2d9b |
+export KRB5_KDC_PROFILE=$KRB5_CONFIG
|
|
|
ef2d9b |
+export KRB5_KTNAME=$TESTDIR/server.kt
|
|
|
ef2d9b |
+export KRB5_CLIENT_KTNAME=$TESTDIR/client.kt
|
|
|
ef2d9b |
+export KRB5CCNAME=$TESTDIR/client.ccache
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+KDCLOG=$TESTDIR/setup_kdc.log
|
|
|
ef2d9b |
+KSERVICE=ldap/$LOCALHOST
|
|
|
ef2d9b |
+KUSER=kuser
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+. $CONFFILTER < $DATADIR/krb5.conf > $KRB5_CONFIG
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+PATH=${PATH}:/usr/lib/heimdal-servers:/usr/sbin:/usr/local/sbin
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+echo "Trying Heimdal KDC..."
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+kdc --version 2>&1 | grep Heimdal > $KDCLOG 2>&1
|
|
|
ef2d9b |
+RC=$?
|
|
|
ef2d9b |
+if test $RC = 0 ; then
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+ kstash --random-key > $KDCLOG 2>&1
|
|
|
ef2d9b |
+ RC=$?
|
|
|
ef2d9b |
+ if test $RC != 0 ; then
|
|
|
ef2d9b |
+ echo "Heimdal: kstash failed, skipping GSSAPI tests"
|
|
|
ef2d9b |
+ exit 0
|
|
|
ef2d9b |
+ fi
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+ flags="--realm-max-ticket-life=1h --realm-max-renewable-life=1h"
|
|
|
ef2d9b |
+ kadmin -l init $flags $KRB5REALM > $KDCLOG 2>&1
|
|
|
ef2d9b |
+ RC=$?
|
|
|
ef2d9b |
+ if test $RC != 0 ; then
|
|
|
ef2d9b |
+ echo "Heimdal: kadmin init failed, skipping GSSAPI tests"
|
|
|
ef2d9b |
+ exit 0
|
|
|
ef2d9b |
+ fi
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+ kadmin -l add --random-key --use-defaults $KSERVICE > $KDCLOG 2>&1
|
|
|
ef2d9b |
+ RC=$?
|
|
|
ef2d9b |
+ if test $RC != 0 ; then
|
|
|
ef2d9b |
+ echo "Heimdal: kadmin add failed, skipping GSSAPI tests"
|
|
|
ef2d9b |
+ exit 0
|
|
|
ef2d9b |
+ fi
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+ kadmin -l ext -k $KRB5_KTNAME $KSERVICE > $KDCLOG 2>&1
|
|
|
ef2d9b |
+ RC=$?
|
|
|
ef2d9b |
+ if test $RC != 0 ; then
|
|
|
ef2d9b |
+ echo "Heimdal: kadmin ext failed, skipping GSSAPI tests"
|
|
|
ef2d9b |
+ exit 0
|
|
|
ef2d9b |
+ fi
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+ kadmin -l add --random-key --use-defaults $KUSER > $KDCLOG 2>&1
|
|
|
ef2d9b |
+ RC=$?
|
|
|
ef2d9b |
+ if test $RC != 0 ; then
|
|
|
ef2d9b |
+ echo "Heimdal: kadmin add failed, skipping GSSAPI tests"
|
|
|
ef2d9b |
+ exit 0
|
|
|
ef2d9b |
+ fi
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+ kadmin -l ext -k $KRB5_CLIENT_KTNAME $KUSER > $KDCLOG 2>&1
|
|
|
ef2d9b |
+ RC=$?
|
|
|
ef2d9b |
+ if test $RC != 0 ; then
|
|
|
ef2d9b |
+ echo "Heimdal: kadmin ext failed, skipping GSSAPI tests"
|
|
|
ef2d9b |
+ exit 0
|
|
|
ef2d9b |
+ fi
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+ kdc --addresses=$LOCALIP --ports="$KDCPORT/udp" > $KDCLOG 2>&1 &
|
|
|
ef2d9b |
+else
|
|
|
ef2d9b |
+ echo "Trying MIT KDC..."
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+ kdb5_util create -r $KRB5REALM -s -P password > $KDCLOG 2>&1
|
|
|
ef2d9b |
+ RC=$?
|
|
|
ef2d9b |
+ if test $RC != 0 ; then
|
|
|
ef2d9b |
+ echo "MIT: kdb5_util create failed, skipping GSSAPI tests"
|
|
|
ef2d9b |
+ exit 0
|
|
|
ef2d9b |
+ fi
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+ kadmin.local -q "addprinc -randkey $KSERVICE" > $KDCLOG 2>&1
|
|
|
ef2d9b |
+ RC=$?
|
|
|
ef2d9b |
+ if test $RC != 0 ; then
|
|
|
ef2d9b |
+ echo "MIT: admin addprinc failed, skipping GSSAPI tests"
|
|
|
ef2d9b |
+ exit 0
|
|
|
ef2d9b |
+ fi
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+ kadmin.local -q "ktadd -k $KRB5_KTNAME $KSERVICE" > $KDCLOG 2>&1
|
|
|
ef2d9b |
+ RC=$?
|
|
|
ef2d9b |
+ if test $RC != 0 ; then
|
|
|
ef2d9b |
+ echo "MIT: kadmin ktadd failed, skipping GSSAPI tests"
|
|
|
ef2d9b |
+ exit 0
|
|
|
ef2d9b |
+ fi
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+ kadmin.local -q "addprinc -randkey $KUSER" > $KDCLOG 2>&1
|
|
|
ef2d9b |
+ RC=$?
|
|
|
ef2d9b |
+ if test $RC != 0 ; then
|
|
|
ef2d9b |
+ echo "MIT: kadmin addprinc failed, skipping GSSAPI tests"
|
|
|
ef2d9b |
+ exit 0
|
|
|
ef2d9b |
+ fi
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+ kadmin.local -q "ktadd -k $KRB5_CLIENT_KTNAME $KUSER" > $KDCLOG 2>&1
|
|
|
ef2d9b |
+ RC=$?
|
|
|
ef2d9b |
+ if test $RC != 0 ; then
|
|
|
ef2d9b |
+ echo "MIT: kadmin ktadd failed, skipping GSSAPI tests"
|
|
|
ef2d9b |
+ exit 0
|
|
|
ef2d9b |
+ fi
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+ krb5kdc -n > $KDCLOG 2>&1 &
|
|
|
ef2d9b |
+fi
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+KDCPROC=$!
|
|
|
ef2d9b |
+sleep 1
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+kinit -kt $KRB5_CLIENT_KTNAME $KUSER > $KDCLOG 2>&1
|
|
|
ef2d9b |
+RC=$?
|
|
|
ef2d9b |
+if test $RC != 0 ; then
|
|
|
ef2d9b |
+ kill $KDCPROC
|
|
|
ef2d9b |
+ echo "SASL/GSSAPI: kinit failed, skipping GSSAPI tests"
|
|
|
ef2d9b |
+ exit 0
|
|
|
ef2d9b |
+fi
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+pluginviewer -m GSSAPI > $TESTDIR/plugin_out 2>/dev/null
|
|
|
ef2d9b |
+RC=$?
|
|
|
ef2d9b |
+if test $RC != 0 ; then
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+ saslpluginviewer -m GSSAPI > $TESTDIR/plugin_out 2>/dev/null
|
|
|
ef2d9b |
+ RC=$?
|
|
|
ef2d9b |
+ if test $RC != 0 ; then
|
|
|
ef2d9b |
+ kill $KDCPROC
|
|
|
ef2d9b |
+ echo "cyrus-sasl has no GSSAPI support, test skipped"
|
|
|
ef2d9b |
+ exit 0
|
|
|
ef2d9b |
+ fi
|
|
|
ef2d9b |
+fi
|
|
|
ef2d9b |
diff --git a/tests/scripts/test077-sasl-gssapi b/tests/scripts/test077-sasl-gssapi
|
|
|
ef2d9b |
new file mode 100755
|
|
|
ef2d9b |
index 000000000..64abe16fe
|
|
|
ef2d9b |
--- /dev/null
|
|
|
ef2d9b |
+++ b/tests/scripts/test077-sasl-gssapi
|
|
|
ef2d9b |
@@ -0,0 +1,159 @@
|
|
|
ef2d9b |
+#! /bin/sh
|
|
|
ef2d9b |
+# $OpenLDAP$
|
|
|
ef2d9b |
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
|
|
|
ef2d9b |
+##
|
|
|
ef2d9b |
+## Copyright 1998-2020 The OpenLDAP Foundation.
|
|
|
ef2d9b |
+## All rights reserved.
|
|
|
ef2d9b |
+##
|
|
|
ef2d9b |
+## Redistribution and use in source and binary forms, with or without
|
|
|
ef2d9b |
+## modification, are permitted only as authorized by the OpenLDAP
|
|
|
ef2d9b |
+## Public License.
|
|
|
ef2d9b |
+##
|
|
|
ef2d9b |
+## A copy of this license is available in the file LICENSE in the
|
|
|
ef2d9b |
+## top-level directory of the distribution or, alternatively, at
|
|
|
ef2d9b |
+## <http://www.OpenLDAP.org/license.html>.
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+echo "running defines.sh"
|
|
|
ef2d9b |
+. $SRCDIR/scripts/defines.sh
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+if test $WITH_SASL = no ; then
|
|
|
ef2d9b |
+ echo "SASL support not available, test skipped"
|
|
|
ef2d9b |
+ exit 0
|
|
|
ef2d9b |
+fi
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+mkdir -p $TESTDIR $DBDIR1
|
|
|
ef2d9b |
+cp -r $DATADIR/tls $TESTDIR
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+cd $TESTWD
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+echo "Starting KDC for SASL/GSSAPI tests..."
|
|
|
ef2d9b |
+. $SRCDIR/scripts/setup_kdc.sh
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+echo "Running slapadd to build slapd database..."
|
|
|
ef2d9b |
+. $CONFFILTER $BACKEND $MONITORDB < $SASLGSSAPICONF > $CONF1
|
|
|
ef2d9b |
+$SLAPADD -f $CONF1 -l $LDIFORDERED
|
|
|
ef2d9b |
+RC=$?
|
|
|
ef2d9b |
+if test $RC != 0 ; then
|
|
|
ef2d9b |
+ echo "slapadd failed ($RC)!"
|
|
|
ef2d9b |
+ kill $KDCPROC
|
|
|
ef2d9b |
+ exit $RC
|
|
|
ef2d9b |
+fi
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..."
|
|
|
ef2d9b |
+$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
|
|
|
ef2d9b |
+PID=$!
|
|
|
ef2d9b |
+if test $WAIT != 0 ; then
|
|
|
ef2d9b |
+ echo PID $PID
|
|
|
ef2d9b |
+ read foo
|
|
|
ef2d9b |
+fi
|
|
|
ef2d9b |
+KILLPIDS="$PID"
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+sleep 1
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+for i in 0 1 2 3 4 5; do
|
|
|
ef2d9b |
+ $LDAPSEARCH -s base -b "" -H $URI1 \
|
|
|
ef2d9b |
+ 'objectclass=*' > /dev/null 2>&1
|
|
|
ef2d9b |
+ RC=$?
|
|
|
ef2d9b |
+ if test $RC = 0 ; then
|
|
|
ef2d9b |
+ break
|
|
|
ef2d9b |
+ fi
|
|
|
ef2d9b |
+ echo "Waiting 5 seconds for slapd to start..."
|
|
|
ef2d9b |
+ sleep 5
|
|
|
ef2d9b |
+done
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+if test $RC != 0 ; then
|
|
|
ef2d9b |
+ echo "ldapsearch failed ($RC)!"
|
|
|
ef2d9b |
+ kill $KDCPROC
|
|
|
ef2d9b |
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
|
ef2d9b |
+ exit $RC
|
|
|
ef2d9b |
+fi
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+$LDAPSEARCH -x -H $URI1 -s "base" -b "" supportedSASLMechanisms > $TESTOUT 2>&1
|
|
|
ef2d9b |
+RC=$?
|
|
|
ef2d9b |
+if test $RC != 0 ; then
|
|
|
ef2d9b |
+ echo "ldapsearch failed ($RC)!"
|
|
|
ef2d9b |
+ kill $KDCPROC
|
|
|
ef2d9b |
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
|
ef2d9b |
+ exit $RC
|
|
|
ef2d9b |
+fi
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+grep GSSAPI $TESTOUT
|
|
|
ef2d9b |
+RC=$?
|
|
|
ef2d9b |
+if test $RC != 0 ; then
|
|
|
ef2d9b |
+ echo "failed: GSSAPI mechanism not in supportedSASLMechanisms."
|
|
|
ef2d9b |
+ kill $KDCPROC
|
|
|
ef2d9b |
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
|
ef2d9b |
+ exit $RC
|
|
|
ef2d9b |
+fi
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+echo -n "Using ldapwhoami with SASL/GSSAPI: "
|
|
|
ef2d9b |
+$LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 > $TESTOUT 2>&1
|
|
|
ef2d9b |
+RC=$?
|
|
|
ef2d9b |
+if test $RC != 0 ; then
|
|
|
ef2d9b |
+ echo "ldapwhoami failed ($RC)!"
|
|
|
ef2d9b |
+ kill $KDCPROC
|
|
|
ef2d9b |
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
|
ef2d9b |
+ exit $RC
|
|
|
ef2d9b |
+else
|
|
|
ef2d9b |
+ echo "success"
|
|
|
ef2d9b |
+fi
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+echo -n "Validating mapped SASL/GSSAPI ID: "
|
|
|
ef2d9b |
+echo "dn:uid=$KUSER,cn=$KRB5REALM,cn=gssapi,cn=auth" > $TESTDIR/dn.out
|
|
|
ef2d9b |
+$CMP $TESTDIR/dn.out $TESTOUT > $CMPOUT
|
|
|
ef2d9b |
+RC=$?
|
|
|
ef2d9b |
+if test $RC != 0 ; then
|
|
|
ef2d9b |
+ echo "Comparison failed"
|
|
|
ef2d9b |
+ kill $KDCPROC
|
|
|
ef2d9b |
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
|
ef2d9b |
+ exit $RC
|
|
|
ef2d9b |
+else
|
|
|
ef2d9b |
+ echo "success"
|
|
|
ef2d9b |
+fi
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+if test $WITH_TLS = no ; then
|
|
|
ef2d9b |
+ echo "SASL/GSSAPI: TLS support not available, skipping TLS part."
|
|
|
ef2d9b |
+else
|
|
|
ef2d9b |
+ echo -n "Using ldapwhoami with SASL/GSSAPI with start-tls: "
|
|
|
ef2d9b |
+ $LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 -ZZ -o tls_reqcert=allow \
|
|
|
ef2d9b |
+ -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt \
|
|
|
ef2d9b |
+ > $TESTOUT 2>&1
|
|
|
ef2d9b |
+ RC=$?
|
|
|
ef2d9b |
+ if test $RC != 0 ; then
|
|
|
ef2d9b |
+ echo "ldapwhoami failed ($RC)!"
|
|
|
ef2d9b |
+ kill $KDCPROC
|
|
|
ef2d9b |
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
|
ef2d9b |
+ exit $RC
|
|
|
ef2d9b |
+ else
|
|
|
ef2d9b |
+ echo "success"
|
|
|
ef2d9b |
+ fi
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+ echo -n "Using ldapwhoami with SASL/GSSAPI with ldaps: "
|
|
|
ef2d9b |
+ $LDAPSASLWHOAMI -N -Y GSSAPI -H $SURI2 -o tls_reqcert=allow \
|
|
|
ef2d9b |
+ -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt \
|
|
|
ef2d9b |
+ > $TESTOUT 2>&1
|
|
|
ef2d9b |
+ RC=$?
|
|
|
ef2d9b |
+ if test $RC != 0 ; then
|
|
|
ef2d9b |
+ echo "ldapwhoami failed ($RC)!"
|
|
|
ef2d9b |
+ kill $KDCPROC
|
|
|
ef2d9b |
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
|
ef2d9b |
+ exit $RC
|
|
|
ef2d9b |
+ else
|
|
|
ef2d9b |
+ echo "success"
|
|
|
ef2d9b |
+ fi
|
|
|
ef2d9b |
+fi
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+kill $KDCPROC
|
|
|
ef2d9b |
+test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+if test $RC != 0 ; then
|
|
|
ef2d9b |
+ echo ">>>>> Test failed"
|
|
|
ef2d9b |
+else
|
|
|
ef2d9b |
+ echo ">>>>> Test succeeded"
|
|
|
ef2d9b |
+ RC=0
|
|
|
ef2d9b |
+fi
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+test $KILLSERVERS != no && wait
|
|
|
ef2d9b |
+
|
|
|
ef2d9b |
+exit $RC
|
|
|
ef2d9b |
--
|
|
|
ef2d9b |
2.26.2
|
|
|
ef2d9b |
|