1#! /bin/sh
2# $OpenLDAP$
3## This work is part of OpenLDAP Software <http://www.openldap.org/>.
4##
5## Copyright 1998-2021 The OpenLDAP Foundation.
6## All rights reserved.
7##
8## Redistribution and use in source and binary forms, with or without
9## modification, are permitted only as authorized by the OpenLDAP
10## Public License.
11##
12## A copy of this license is available in the file LICENSE in the
13## top-level directory of the distribution or, alternatively, at
14## <http://www.OpenLDAP.org/license.html>.
15
16echo "running defines.sh"
17. $SRCDIR/scripts/defines.sh
18
19echo "### This test requires the LDAP backend and the rwm overlay."
20echo "### If available, and explicitly requested, it can use SASL bind;"
21echo "### note that SASL must be properly set up, and the requested"
22echo "### mechanism must be available.  Define SLAPD_USE_SASL={yes|<mech>},"
23echo "### with \"yes\" defaulting to DIGEST-MD5 to enable SASL authc[/authz]."
24
25if test $BACKLDAP = "ldapno" ; then
26          echo "LDAP backend not available, test skipped"
27          exit 0
28fi
29
30if test $RWM = "rwmno" ; then
31          echo "Rewrite/remap overlay not available, test skipped"
32          exit 0
33fi
34
35if test $WITH_SASL = "yes" ; then
36          if test $USE_SASL != "no" ; then
37                    if test $USE_SASL = "yes" ; then
38                              MECH="DIGEST-MD5"
39                    else
40                              MECH="$USE_SASL"
41                    fi
42                    echo "Using SASL authc[/authz] with mech=$MECH; unset SLAPD_USE_SASL to disable"
43          else
44                    echo "Using proxyAuthz with simple authc..."
45          fi
46else
47          echo "SASL not available; using proxyAuthz with simple authc..."
48fi
49
50mkdir -p $TESTDIR $DBDIR1 $DBDIR2
51
52echo "Running slapadd to build slapd database..."
53. $CONFFILTER $BACKEND < $IDASSERTCONF > $ADDCONF
54$SLAPADD -f $ADDCONF -l $LDIFIDASSERT1 -n 1
55RC=$?
56if test $RC != 0 ; then
57          echo "slapadd -n 1 failed ($RC)!"
58          exit $RC
59fi
60$SLAPADD -f $ADDCONF -l $LDIFIDASSERT2 -n 2
61RC=$?
62if test $RC != 0 ; then
63          echo "slapadd -n 2 failed ($RC)!"
64          exit $RC
65fi
66
67echo "Starting slapd on TCP/IP port $PORT..."
68. $CONFFILTER $BACKEND < $IDASSERTCONF > $CONF1
69$SLAPD -f $CONF1 -h $URI1 -d $LVL > $LOG1 2>&1 &
70PID=$!
71if test $WAIT != 0 ; then
72    echo PID $PID
73    read foo
74fi
75KILLPIDS="$PID"
76
77sleep 1
78
79echo "Using ldapsearch to check that slapd is running..."
80for i in 0 1 2 3 4 5; do
81          $LDAPSEARCH -s base -b "$MONITOR" -H $URI1 \
82                    'objectclass=*' > /dev/null 2>&1
83          RC=$?
84          if test $RC = 0 ; then
85                    break
86          fi
87          echo "Waiting 5 seconds for slapd to start..."
88          sleep 5
89done
90
91echo "Testing ldapwhoami as proxy US..."
92$LDAPWHOAMI -H $URI1 -D "cn=proxy US,ou=Admin,dc=example,dc=com" -w proxy
93RC=$?
94if test $RC != 0 ; then
95          echo "ldapwhoami failed ($RC)!"
96          test $KILLSERVERS != no && kill -HUP $KILLPIDS
97          exit $RC
98fi
99
100AUTHZID="u:it/jaj"
101echo "Testing ldapwhoami as proxy US, $AUTHZID..."
102$LDAPWHOAMI -H $URI1 -D "cn=proxy US,ou=Admin,dc=example,dc=com" -w proxy -e\!"authzid=$AUTHZID"
103RC=$?
104if test $RC != 0 && test $BACKEND != null ; then
105          echo "ldapwhoami failed ($RC)!"
106          test $KILLSERVERS != no && kill -HUP $KILLPIDS
107          exit $RC
108fi
109
110AUTHZID="u:bjorn"
111echo "Testing ldapwhoami as proxy US, $AUTHZID... (should fail)"
112$LDAPWHOAMI -H $URI1 -D "cn=proxy US,ou=Admin,dc=example,dc=com" -w proxy -e\!"authzid=$AUTHZID"
113RC=$?
114if test $RC != 1 ; then
115          echo "ldapwhoami should have failed ($RC)!"
116          test $KILLSERVERS != no && kill -HUP $KILLPIDS
117          exit 1
118fi
119
120AUTHZID="u:bjensen"
121echo "Testing ldapwhoami as proxy US, $AUTHZID... (should fail)"
122$LDAPWHOAMI -H $URI1 -D "cn=proxy US,ou=Admin,dc=example,dc=com" -w proxy -e\!"authzid=$AUTHZID"
123RC=$?
124if test $RC != 1 ; then
125          echo "ldapwhoami should have failed ($RC)!"
126          test $KILLSERVERS != no && kill -HUP $KILLPIDS
127          exit 1
128fi
129
130echo "Testing ldapwhoami as proxy IT..."
131$LDAPWHOAMI -H $URI1 -D "cn=proxy IT,ou=Admin,dc=example,dc=com" -w proxy
132RC=$?
133if test $RC != 0 ; then
134          echo "ldapwhoami failed ($RC)!"
135          test $KILLSERVERS != no && kill -HUP $KILLPIDS
136          exit $RC
137fi
138
139AUTHZID="u:it/jaj"
140echo "Testing ldapwhoami as proxy IT, $AUTHZID... (should fail)"
141$LDAPWHOAMI -H $URI1 -D "cn=proxy IT,ou=Admin,dc=example,dc=com" -w proxy -e\!"authzid=$AUTHZID"
142RC=$?
143if test $RC != 1 ; then
144          echo "ldapwhoami should have failed ($RC)!"
145          test $KILLSERVERS != no && kill -HUP $KILLPIDS
146          exit 1
147fi
148
149AUTHZID="u:bjorn"
150echo "Testing ldapwhoami as proxy IT, $AUTHZID... (should fail)"
151$LDAPWHOAMI -H $URI1 -D "cn=proxy IT,ou=Admin,dc=example,dc=com" -w proxy -e\!"authzid=$AUTHZID"
152RC=$?
153if test $RC != 1 ; then
154          echo "ldapwhoami should have failed ($RC)!"
155          test $KILLSERVERS != no && kill -HUP $KILLPIDS
156          exit 1
157fi
158
159AUTHZID="dn:cn=Sandbox,ou=Admin,dc=example,dc=com"
160echo "Testing ldapwhoami as proxy IT, $AUTHZID..."
161$LDAPWHOAMI -H $URI1 -D "cn=proxy IT,ou=Admin,dc=example,dc=com" -w proxy -e\!"authzid=$AUTHZID"
162RC=$?
163if test $RC != 0 && test $BACKEND != null ; then
164          echo "ldapwhoami failed ($RC)!"
165          test $KILLSERVERS != no && kill -HUP $KILLPIDS
166          exit $RC
167fi
168
169AUTHZID="dn:uid=bjorn,ou=People,o=Example,c=US"
170echo "Testing ldapwhoami as bjorn, $AUTHZID..."
171$LDAPWHOAMI -H $URI1 -D "uid=bjorn,ou=people,dc=example,dc=com" -w bjorn -e\!"authzid=$AUTHZID"
172RC=$?
173if test $RC != 0 ; then
174          echo "ldapwhoami failed ($RC)!"
175          test $KILLSERVERS != no && kill -HUP $KILLPIDS
176          exit $RC
177fi
178
179AUTHZID="dn:uid=bjorn,ou=People,o=Esempio,c=IT"
180echo "Testing ldapwhoami as bjorn, $AUTHZID..."
181$LDAPWHOAMI -H $URI1 -D "uid=bjorn,ou=people,dc=example,dc=com" -w bjorn -e\!"authzid=$AUTHZID"
182RC=$?
183if test $RC != 0 ; then
184          echo "ldapwhoami failed ($RC)!"
185          test $KILLSERVERS != no && kill -HUP $KILLPIDS
186          exit $RC
187fi
188
189AUTHZID="u:it/jaj"
190echo "Checking another DB's rootdn can't assert identity from another DB..."
191$LDAPWHOAMI -H $URI1 -D "$MANAGERDN" -w $PASSWD -e\!"authzid=$AUTHZID"
192
193RC=$?
194if test $RC != 1 ; then
195    echo "ldapwhoami should have failed ($RC)!"
196    test $KILLSERVERS != no && kill -HUP $KILLPIDS
197    exit 1
198fi
199
200ID="uid=jaj,ou=People,dc=example,dc=it"
201BASE="o=Example,c=US"
202echo "Testing ldapsearch as $ID for \"$BASE\"..."
203$LDAPSEARCH -H $URI1 -b "$BASE" \
204          -D "$ID" -w jaj > $SEARCHOUT 2>&1
205
206RC=$?
207if test $RC != 0 && test $BACKEND != null ; then
208          echo "ldapsearch failed ($RC)!"
209          test $KILLSERVERS != no && kill -HUP $KILLPIDS
210          exit $RC
211fi
212
213echo "Filtering ldapsearch results..."
214$LDIFFILTER -s ldif=e < $SEARCHOUT > $SEARCHFLT
215echo "Filtering original ldif used to create database..."
216$LDIFFILTER -s ldif=e < $IDASSERTOUT > $LDIFFLT
217echo "Comparing filter output..."
218$CMP $SEARCHFLT $LDIFFLT > $CMPOUT
219
220if test $? != 0 ; then
221          echo "comparison failed - search with identity assertion didn't succeed"
222          test $KILLSERVERS != no && kill -HUP $KILLPIDS
223          exit 1
224fi
225
226if test $USE_SASL != "no" ; then
227          ID="it/jaj"
228          BASE="o=Example,c=US"
229          echo "Testing ldapsearch as $ID for \"$BASE\" with SASL bind and identity assertion..."
230          $LDAPSASLSEARCH -H $URI1 -b "$BASE" \
231                    -Q -U "$ID" -w jaj -Y $MECH > $SEARCHOUT 2>&1
232
233          RC=$?
234          if test $RC != 0 ; then
235                    echo "ldapsearch failed ($RC)!"
236                    test $KILLSERVERS != no && kill -HUP $KILLPIDS
237                    exit $RC
238          fi
239
240          ID="manager"
241          AUTHZID="u:it/jaj"
242          echo "Checking another DB's rootdn can't assert in another (with SASL bind this time)..."
243          $LDAPSASLWHOAMI -H $URI1 \
244                    -Q -U "$ID" -w $PASSWD -Y $MECH -X $AUTHZID
245
246          RC=$?
247          if test $RC != 50 ; then
248                    echo "ldapwhoami should have failed ($RC)!"
249                    test $KILLSERVERS != no && kill -HUP $KILLPIDS
250                    exit 1
251          fi
252
253          echo "Filtering ldapsearch results..."
254          $LDIFFILTER < $SEARCHOUT > $SEARCHFLT
255          echo "Filtering original ldif used to create database..."
256          $LDIFFILTER < $IDASSERTOUT > $LDIFFLT
257          echo "Comparing filter output..."
258          $CMP $SEARCHFLT $LDIFFLT > $CMPOUT
259
260          if test $? != 0 ; then
261                    echo "comparison failed - search with SASL bind and identity assertion didn't succeed"
262                    test $KILLSERVERS != no && kill -HUP $KILLPIDS
263                    exit 1
264          fi
265fi
266
267test $KILLSERVERS != no && kill -HUP $KILLPIDS
268
269echo ">>>>> Test succeeded"
270
271test $KILLSERVERS != no && wait
272
273exit 0
274