1#! /bin/sh
2# $OpenLDAP$
3## This work is part of OpenLDAP Software <http://www.openldap.org/>.
4##
5## Copyright 1998-2021 The OpenLDAP Foundation.
6## All rights reserved.
7##
8## Redistribution and use in source and binary forms, with or without
9## modification, are permitted only as authorized by the OpenLDAP
10## Public License.
11##
12## A copy of this license is available in the file LICENSE in the
13## top-level directory of the distribution or, alternatively, at
14## <http://www.OpenLDAP.org/license.html>.
15
16echo "running defines.sh"
17. $SRCDIR/scripts/defines.sh
18
19if test $AUTOCA = autocano; then
20          echo "Automatic CA overlay not available, test skipped"
21          exit 0
22fi
23
24CFDIR=$TESTDIR/slapd.d
25
26mkdir -p $TESTDIR $CFDIR $DBDIR1
27
28$SLAPPASSWD -g -n >$CONFIGPWF
29
30#
31# Test operation of autoca:
32# - configure over ldap without TLS
33# - populate over ldap
34# - add host entry
35# - add autoca overlay
36# - generate server and user certs
37# - check for TLS operation
38#
39
40echo "Starting slapd on TCP/IP port $PORT1..."
41. $CONFFILTER $BACKEND < $DYNAMICCONF > $CONFLDIF
42$SLAPADD -F $CFDIR -n 0 -l $CONFLDIF
43$SLAPD -F $CFDIR -h $URIP1 -d $LVL > $LOG1 2>&1 &
44PID=$!
45if test $WAIT != 0 ; then
46    echo PID $PID
47    read foo
48fi
49KILLPIDS="$PID"
50cd $TESTWD
51
52sleep 1
53
54echo "Using ldapsearch to check that slapd is running..."
55for i in 0 1 2 3 4 5; do
56          $LDAPSEARCH -s base -b "" -H $URIP1 \
57                    'objectclass=*' > /dev/null 2>&1
58          RC=$?
59          if test $RC = 0 ; then
60                    break
61          fi
62          echo "Waiting 5 seconds for slapd to start..."
63          sleep 5
64done
65
66if test $RC != 0 ; then
67          echo "ldapsearch failed ($RC)!"
68          test $KILLSERVERS != no && kill -HUP $KILLPIDS
69          exit $RC
70fi
71
72echo "Adding schema and databases on slapd..."
73$LDAPADD -D cn=config -H $URIP1 -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
74include: file://$ABS_SCHEMADIR/core.ldif
75
76include: file://$ABS_SCHEMADIR/cosine.ldif
77
78include: file://$ABS_SCHEMADIR/inetorgperson.ldif
79
80include: file://$ABS_SCHEMADIR/openldap.ldif
81
82include: file://$ABS_SCHEMADIR/nis.ldif
83EOF
84RC=$?
85if test $RC != 0 ; then
86          echo "ldapadd failed for schema config ($RC)!"
87          test $KILLSERVERS != no && kill -HUP $KILLPIDS
88          exit $RC
89fi
90
91nullExclude="" nullOK=""
92test $BACKEND = null && nullExclude="# " nullOK="OK"
93
94if [ "$BACKENDTYPE" = mod ]; then
95          $LDAPADD -D cn=config -H $URIP1 -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
96dn: cn=module,cn=config
97objectClass: olcModuleList
98cn: module
99olcModulePath: $TESTWD/../servers/slapd/back-$BACKEND
100olcModuleLoad: back_$BACKEND.la
101EOF
102          RC=$?
103          if test $RC != 0 ; then
104                    echo "ldapadd failed for backend config ($RC)!"
105                    test $KILLSERVERS != no && kill -HUP $KILLPIDS
106                    exit $RC
107          fi
108fi
109
110$LDAPADD -D cn=config -H $URIP1 -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
111dn: olcDatabase={1}$BACKEND,cn=config
112objectClass: olcDatabaseConfig
113${nullExclude}objectClass: olc${BACKEND}Config
114olcDatabase: {1}$BACKEND
115olcSuffix: $BASEDN
116${nullExclude}olcDbDirectory: $DBDIR1
117olcRootDN: $MANAGERDN
118olcRootPW: $PASSWD
119EOF
120RC=$?
121if test $RC != 0 ; then
122          echo "ldapadd failed for database config ($RC)!"
123          test $KILLSERVERS != no && kill -HUP $KILLPIDS
124          exit $RC
125fi
126
127if test $INDEXDB = indexdb ; then
128          $LDAPMODIFY -D cn=config -H $URIP1 -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
129dn: olcDatabase={1}$BACKEND,cn=config
130changetype: modify
131add: olcDbIndex
132olcDbIndex: objectClass,entryUUID,entryCSN eq
133olcDbIndex: cn,uid pres,eq,sub
134EOF
135          RC=$?
136          if test $RC != 0 ; then
137                    echo "ldapadd modify for database config ($RC)!"
138                    test $KILLSERVERS != no && kill -HUP $KILLPIDS
139                    exit $RC
140          fi
141fi
142
143echo "Using ldapadd to populate slapd..."
144$LDAPADD -D "$MANAGERDN" -H $URIP1 -w $PASSWD -f $LDIFORDERED \
145          >> $TESTOUT 2>&1
146RC=$?
147if test $RC != 0 ; then
148          echo "ldapadd failed for database populate ($RC)!"
149          test $KILLSERVERS != no && kill -HUP $KILLPIDS
150          exit $RC
151fi
152
153echo "Adding server entries to slapd..."
154$LDAPADD -D "$MANAGERDN" -H $URIP1 -w $PASSWD <<EOF >> $TESTOUT 2>&1
155dn: ou=Servers,$BASEDN
156objectClass: organizationalUnit
157ou: Servers
158
159dn: cn=localhost,ou=Servers,$BASEDN
160objectClass: device
161objectClass: ipHost
162cn: localhost
163ipHostNumber: 127.0.0.1
164
165dn: cn=www.example.com,ou=Servers,$BASEDN
166objectClass: device
167objectClass: ipHost
168cn: localhost
169ipHostNumber: 93.184.216.34
170EOF
171RC=$?
172if test $RC != 0 ; then
173          echo "ldapadd failed for database populate ($RC)!"
174          test $KILLSERVERS != no && kill -HUP $KILLPIDS
175          exit $RC
176fi
177
178echo "Inserting autoca overlay on slapd..."
179if [ "$AUTOCA" = autocamod ]; then
180          $LDAPADD -D cn=config -H $URIP1 -y $CONFIGPWF <<EOF > $TESTOUT 2>&1
181dn: cn=module,cn=config
182objectClass: olcModuleList
183cn: module
184olcModulePath: $TESTWD/../servers/slapd/overlays
185olcModuleLoad: autoca.la
186EOF
187          RC=$?
188          if test $RC != 0 ; then
189                    echo "ldapadd failed for moduleLoad ($RC)!"
190                    test $KILLSERVERS != no && kill -HUP $KILLPIDS
191                    exit $RC
192          fi
193fi
194$LDAPMODIFY -D cn=config -H $URIP1 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
195dn: olcOverlay=autoca,olcDatabase={1}$BACKEND,cn=config
196changetype: add
197objectClass: olcOverlayConfig
198objectClass: olcAutoCAConfig
199olcOverlay: autoca
200olcAutoCAlocalDN: cn=localhost,ou=Servers,$BASEDN
201EOF
202RC=$?
203if test $RC != 0 ; then
204          echo "ldapmodify failed for autoca config ($RC)!"
205          test $KILLSERVERS != no && kill -HUP $KILLPIDS
206          exit $RC
207fi
208echo "Using ldapsearch to retrieve CA cert..."
209$LDAPSEARCH -b $BASEDN -D $MANAGERDN -H $URIP1 -w $PASSWD -s base \
210          'objectclass=*' 'cACertificate;binary'  > $SEARCHOUT 2>&1
211RC=$?
212
213if test $RC != 0 ; then
214          echo "ldapsearch failed ($RC)!"
215          test $KILLSERVERS != no && kill -HUP $KILLPIDS
216          exit $RC
217fi
218
219echo "Setting up CA cert..."
220echo "-----BEGIN CERTIFICATE-----" > $TESTDIR/cacert.pem
221sed -e "/^dn:/d" -e "s/cACertificate;binary:://" -e "/^$/d" $SEARCHOUT >> $TESTDIR/cacert.pem
222echo "-----END CERTIFICATE-----" >> $TESTDIR/cacert.pem
223
224echo "Using ldapsearch to generate localhost cert..."
225$LDAPSEARCH -b cn=localhost,ou=Servers,$BASEDN -D $MANAGERDN -H $URIP1 -w $PASSWD -s base \
226          -A 'objectclass=*' 'userCertificate;binary' 'userPrivateKey;binary'  >> $TESTOUT 2>&1
227RC=$?
228
229if test $RC != 0 ; then
230          echo "ldapsearch failed ($RC)!"
231          test $KILLSERVERS != no && kill -HUP $KILLPIDS
232          exit $RC
233fi
234
235echo "Using ldapsearch to attempt TLS..."
236unset LDAPNOINIT
237LDAPTLS_CACERT=$TESTDIR/cacert.pem
238export LDAPTLS_CACERT
239$LDAPSEARCH -b $BASEDN -D $MANAGERDN -H $URIP1 -w $PASSWD -s base -ZZ \
240          'objectclass=*' >> $TESTOUT 2>&1
241RC=$?
242
243if test $RC != 0 ; then
244          echo "ldapsearch failed ($RC)!"
245          test $KILLSERVERS != no && kill -HUP $KILLPIDS
246          exit $RC
247fi
248
249if test $WITH_SASL = no ; then
250          echo "SASL support not available, skipping client cert authentication"
251else
252          # note - the attrs are being saved in raw DER form.
253          # they need to be base64 encoded into PEM for most programs to use them
254          # so we ignore those files for now.
255          echo "Using ldapsearch to generate user cert..."
256          $LDAPSEARCH -b "$BABSDN" -D $MANAGERDN -H $URIP1 -w $PASSWD -s base -ZZ \
257                    -T $TESTDIR -t 'objectclass=*' 'userCertificate;binary' 'userPrivateKey;binary'  >> $TESTOUT 2>&1
258          RC=$?
259
260          if test $RC != 0 ; then
261                    echo "ldapsearch failed ($RC)!"
262                    test $KILLSERVERS != no && kill -HUP $KILLPIDS
263                    exit $RC
264          fi
265
266          echo "Using ldapsearch to retrieve user cert..."
267          $LDAPSEARCH -b "$BABSDN" -D $MANAGERDN -H $URIP1 -w $PASSWD -s base -ZZ \
268                    'objectclass=*' 'userCertificate;binary' > $SEARCHOUT 2>&1
269          RC=$?
270
271          if test $RC != 0 ; then
272                    echo "ldapsearch failed ($RC)!"
273                    test $KILLSERVERS != no && kill -HUP $KILLPIDS
274                    exit $RC
275          fi
276
277          echo "Setting up user cert..."
278          echo "-----BEGIN CERTIFICATE-----" > $TESTDIR/usercert.pem
279          sed -e "/^dn:/d" -e "/^ dc=com/d" -e "s/userCertificate;binary:://" -e "/^$/d" $SEARCHOUT >> $TESTDIR/usercert.pem
280          echo "-----END CERTIFICATE-----" >> $TESTDIR/usercert.pem
281
282          echo "Using ldapsearch to retrieve user key..."
283          $LDAPSEARCH -b "$BABSDN" -D $MANAGERDN -H $URIP1 -w $PASSWD -s base -ZZ \
284                    'objectclass=*' 'userPrivateKey;binary' > $SEARCHOUT 2>&1
285          RC=$?
286
287          if test $RC != 0 ; then
288                    echo "ldapsearch failed ($RC)!"
289                    test $KILLSERVERS != no && kill -HUP $KILLPIDS
290                    exit $RC
291          fi
292
293          echo "Setting up user key..."
294          echo "-----BEGIN PRIVATE KEY-----" > $TESTDIR/userkey.pem
295          sed -e "/^dn:/d" -e "/^ dc=com/d" -e "s/userPrivateKey;binary:://" -e "/^$/d" $SEARCHOUT >> $TESTDIR/userkey.pem
296          echo "-----END PRIVATE KEY-----" >> $TESTDIR/userkey.pem
297
298          LDAPTLS_CERT=$TESTDIR/usercert.pem
299          LDAPTLS_KEY=$TESTDIR/userkey.pem
300          export LDAPTLS_CERT
301          export LDAPTLS_KEY
302
303          echo "Setting TLSVerifyClient to try..."
304          $LDAPMODIFY -D cn=config -H $URIP1 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
305dn: cn=config
306changetype: modify
307replace: olcTLSVerifyClient
308olcTLSVerifyClient: try
309EOF
310          RC=$?
311          if test $RC != 0 ; then
312                    echo "ldapmodify failed for autoca config ($RC)!"
313                    test $KILLSERVERS != no && kill -HUP $KILLPIDS
314                    exit $RC
315          fi
316
317          $CLIENTDIR/ldapwhoami -Y EXTERNAL -H $URIP1 -ZZ
318
319          if test $RC != 0 ; then
320                    echo "ldapwhoami failed ($RC)!"
321                    test $KILLSERVERS != no && kill -HUP $KILLPIDS
322                    exit $RC
323          fi
324fi
325
326test $KILLSERVERS != no && kill -HUP $KILLPIDS
327
328echo ">>>>> Test succeeded"
329
330test $KILLSERVERS != no && wait
331
332exit 0
333