3 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 ## Copyright 1998-2008 The OpenLDAP Foundation.
6 ## All rights reserved.
8 ## Redistribution and use in source and binary forms, with or without
9 ## modification, are permitted only as authorized by the OpenLDAP
12 ## A copy of this license is available in the file LICENSE in the
13 ## top-level directory of the distribution or, alternatively, at
14 ## <http://www.OpenLDAP.org/license.html>.
16 echo "running defines.sh"
17 . $SRCDIR/scripts/defines.sh
19 if test $PPOLICY = ppolicyno; then
20 echo "Password policy overlay not available, test skipped"
24 mkdir -p $TESTDIR $DBDIR1
26 echo "Starting slapd on TCP/IP port $PORT1..."
27 . $CONFFILTER $BACKEND $MONITORDB < $PPOLICYCONF > $CONF1
28 $SLAPD -f $CONF1 -h $URI1 -d $LVL $TIMING > $LOG1 2>&1 &
30 if test $WAIT != 0 ; then
36 USER="uid=nd, ou=People, dc=example, dc=com"
41 echo "Using ldapsearch to check that slapd is running..."
42 for i in 0 1 2 3 4 5; do
43 $LDAPSEARCH -s base -b "$MONITOR" -h $LOCALHOST -p $PORT1 \
44 'objectclass=*' > /dev/null 2>&1
46 if test $RC = 0 ; then
49 echo "Waiting 5 seconds for slapd to start..."
52 if test $RC != 0 ; then
53 echo "ldapsearch failed ($RC)!"
54 test $KILLSERVERS != no && kill -HUP $KILLPIDS
58 echo /dev/null > $TESTOUT
60 echo "Using ldapadd to populate the database..."
61 # may need "-e relax" for draft 09, but not yet.
62 $LDAPADD -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD < \
63 $LDIFPPOLICY >> $TESTOUT 2>&1
65 if test $RC != 0 ; then
66 echo "ldapadd failed ($RC)!"
67 test $KILLSERVERS != no && kill -HUP $KILLPIDS
71 echo "Testing account lockout..."
72 $LDAPSEARCH -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >$SEARCHOUT 2>&1
74 $LDAPSEARCH -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >>$SEARCHOUT 2>&1
76 $LDAPSEARCH -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >>$SEARCHOUT 2>&1
78 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >> $SEARCHOUT 2>&1
79 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS >> $SEARCHOUT 2>&1
80 COUNT=`grep "Account locked" $SEARCHOUT | wc -l`
81 if test $COUNT != 2 ; then
82 echo "Account lockout test failed"
83 test $KILLSERVERS != no && kill -HUP $KILLPIDS
87 echo "Waiting 20 seconds for lockout to reset..."
90 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
91 -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
93 if test $RC != 0 ; then
94 echo "ldapsearch failed ($RC)!"
95 test $KILLSERVERS != no && kill -HUP $KILLPIDS
99 echo "Testing password expiration"
100 echo "Waiting 20 seconds for password to expire..."
103 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
104 -b "$BASEDN" -s base > $SEARCHOUT 2>&1
106 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
107 -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
109 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
110 -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
112 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
113 -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
115 if test $RC = 0 ; then
116 echo "Password expiration failed ($RC)!"
117 test $KILLSERVERS != no && kill -HUP $KILLPIDS
121 COUNT=`grep "grace logins" $SEARCHOUT | wc -l`
122 if test $COUNT != 3 ; then
123 echo "Password expiration test failed"
124 test $KILLSERVERS != no && kill -HUP $KILLPIDS
128 echo "Resetting password to clear expired status"
129 $LDAPPASSWD -h $LOCALHOST -p $PORT1 \
131 -D "$MANAGERDN" "$USER" >> $TESTOUT 2>&1
133 if test $RC != 0 ; then
134 echo "ldappasswd failed ($RC)!"
135 test $KILLSERVERS != no && kill -HUP $KILLPIDS
139 echo "Filling password history..."
140 $LDAPMODIFY -v -D "$USER" -h $LOCALHOST -p $PORT1 -w $PASS >> \
141 $TESTOUT 2>&1 << EOMODS
142 dn: uid=nd, ou=People, dc=example, dc=com
147 replace: userpassword
148 userpassword: 20urgle12-1
150 dn: uid=nd, ou=People, dc=example, dc=com
153 userpassword: 20urgle12-1
155 replace: userpassword
156 userpassword: 20urgle12-2
158 dn: uid=nd, ou=People, dc=example, dc=com
161 userpassword: 20urgle12-2
163 replace: userpassword
164 userpassword: 20urgle12-3
166 dn: uid=nd, ou=People, dc=example, dc=com
169 userpassword: 20urgle12-3
171 replace: userpassword
172 userpassword: 20urgle12-4
174 dn: uid=nd, ou=People, dc=example, dc=com
177 userpassword: 20urgle12-4
179 replace: userpassword
180 userpassword: 20urgle12-5
182 dn: uid=nd, ou=People, dc=example, dc=com
185 userpassword: 20urgle12-5
187 replace: userpassword
188 userpassword: 20urgle12-6
192 if test $RC != 0 ; then
193 echo "ldapmodify failed ($RC)!"
194 test $KILLSERVERS != no && kill -HUP $KILLPIDS
197 echo "Testing password history..."
198 $LDAPMODIFY -v -D "$USER" -h $LOCALHOST -p $PORT1 -w 20urgle12-6 >> \
199 $TESTOUT 2>&1 << EOMODS
200 dn: uid=nd, ou=People, dc=example, dc=com
203 userPassword: 20urgle12-6
205 replace: userPassword
206 userPassword: 20urgle12-2
210 if test $RC = 0 ; then
211 echo "ldapmodify failed ($RC)!"
212 test $KILLSERVERS != no && kill -HUP $KILLPIDS
216 echo "Testing forced reset..."
218 $LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD >> \
219 $TESTOUT 2>&1 << EOMODS
220 dn: uid=nd, ou=People, dc=example, dc=com
222 replace: userPassword
230 if test $RC != 0 ; then
231 echo "ldapmodify failed ($RC)!"
232 test $KILLSERVERS != no && kill -HUP $KILLPIDS
236 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
237 -b "$BASEDN" -s base > $SEARCHOUT 2>&1
239 if test $RC = 0 ; then
240 echo "Forced reset failed ($RC)!"
241 test $KILLSERVERS != no && kill -HUP $KILLPIDS
245 COUNT=`grep "Operations are restricted" $SEARCHOUT | wc -l`
246 if test $COUNT != 1 ; then
247 echo "Forced reset test failed"
248 test $KILLSERVERS != no && kill -HUP $KILLPIDS
252 echo "Clearing forced reset..."
254 $LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD >> \
255 $TESTOUT 2>&1 << EOMODS
256 dn: uid=nd, ou=People, dc=example, dc=com
262 if test $RC != 0 ; then
263 echo "ldapmodify failed ($RC)!"
264 test $KILLSERVERS != no && kill -HUP $KILLPIDS
268 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
269 -b "$BASEDN" -s base > $SEARCHOUT 2>&1
271 if test $RC != 0 ; then
272 echo "Clearing forced reset failed ($RC)!"
273 test $KILLSERVERS != no && kill -HUP $KILLPIDS
277 echo "Testing Safe modify..."
279 $LDAPPASSWD -h $LOCALHOST -p $PORT1 \
280 -w $PASS -s failexpect \
281 -D "$USER" >> $TESTOUT 2>&1
283 if test $RC = 0 ; then
284 echo "Safe modify test 1 failed ($RC)!"
285 test $KILLSERVERS != no && kill -HUP $KILLPIDS
294 $LDAPPASSWD -h $LOCALHOST -p $PORT1 \
295 -w $OLDPASS -s $PASS -a $OLDPASS \
296 -D "$USER" >> $TESTOUT 2>&1
298 if test $RC != 0 ; then
299 echo "Safe modify test 2 failed ($RC)!"
300 test $KILLSERVERS != no && kill -HUP $KILLPIDS
304 echo "Testing length requirement..."
305 # check control in response (ITS#5711)
306 $LDAPPASSWD -h $LOCALHOST -p $PORT1 \
307 -w $PASS -a $PASS -s 2shr \
308 -D "$USER" -e ppolicy > ${TESTOUT}.2 2>&1
310 cat ${TESTOUT}.2 >> $TESTOUT
311 if test $RC = 0 ; then
312 echo "Length requirement test failed ($RC)!"
313 test $KILLSERVERS != no && kill -HUP $KILLPIDS
316 COUNT=`grep "Password fails quality" ${TESTOUT}.2 | wc -l`
317 if test $COUNT != 1 ; then
318 echo "Length requirement test failed"
319 test $KILLSERVERS != no && kill -HUP $KILLPIDS
322 COUNT=`grep "Password is too short for policy" ${TESTOUT}.2 | wc -l`
323 if test $COUNT != 1 ; then
324 echo "Control not returned in response"
325 test $KILLSERVERS != no && kill -HUP $KILLPIDS
329 echo "Testing hashed length requirement..."
331 $LDAPMODIFY -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS > \
332 ${TESTOUT}.2 2>&1 << EOMODS
339 userPassword: {MD5}xxxxxx
343 cat ${TESTOUT}.2 >> $TESTOUT
344 if test $RC = 0 ; then
345 echo "Hashed length requirement test failed ($RC)!"
346 test $KILLSERVERS != no && kill -HUP $KILLPIDS
349 COUNT=`grep "Password fails quality" ${TESTOUT}.2 | wc -l`
350 if test $COUNT != 1 ; then
351 echo "Hashed length requirement test failed"
352 test $KILLSERVERS != no && kill -HUP $KILLPIDS
356 echo "Testing multiple password add/modify checks..."
358 $LDAPMODIFY -h $LOCALHOST -p $PORT1 -D "$MANAGERDN" -w $PASSWD >> \
359 $TESTOUT 2>&1 << EOMODS
360 dn: cn=Add Should Fail, ou=People, dc=example, dc=com
362 objectClass: inetOrgPerson
365 userPassword: firstpw
366 userPassword: secondpw
369 if test $RC = 0 ; then
370 echo "Multiple password add test failed ($RC)!"
371 test $KILLSERVERS != no && kill -HUP $KILLPIDS
375 $LDAPMODIFY -h $LOCALHOST -p $PORT1 -D "$MANAGERDN" -w $PASSWD >> \
376 $TESTOUT 2>&1 << EOMODS
380 userPassword: firstpw
381 userPassword: secondpw
384 if test $RC = 0 ; then
385 echo "Multiple password modify add test failed ($RC)!"
386 test $KILLSERVERS != no && kill -HUP $KILLPIDS
390 $LDAPMODIFY -h $LOCALHOST -p $PORT1 -D "$MANAGERDN" -w $PASSWD >> \
391 $TESTOUT 2>&1 << EOMODS
394 replace: userPassword
395 userPassword: firstpw
396 userPassword: secondpw
399 if test $RC = 0 ; then
400 echo "Multiple password modify replace test failed ($RC)!"
401 test $KILLSERVERS != no && kill -HUP $KILLPIDS
405 test $KILLSERVERS != no && kill -HUP $KILLPIDS
407 echo ">>>>> Test succeeded"
409 test $KILLSERVERS != no && wait