3 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 ## Copyright 1998-2005 The OpenLDAP Foundation.
6 ## All rights reserved.
8 ## Redistribution and use in source and binary forms, with or without
9 ## modification, are permitted only as authorized by the OpenLDAP
12 ## A copy of this license is available in the file LICENSE in the
13 ## top-level directory of the distribution or, alternatively, at
14 ## <http://www.OpenLDAP.org/license.html>.
# Test driver for the OpenLDAP password-policy (ppolicy) overlay.
# Exercises lockout, expiration/grace logins, password history, forced
# reset, safe modify, and minimum-length checks against a freshly started
# slapd. Variables such as $SLAPD, $PORT1, $PASSWD, $PASS, $MANAGERDN,
# $BASEDN and $KILLPIDS are expected to come from defines.sh below.
# NOTE: this listing is an excerpt; closing `fi`, `exit`, `RC=$?` and
# here-doc terminators between the visible lines are not shown.
16 echo "running defines.sh"
# Sourced (not executed) so its variable definitions land in this shell.
17 . $SRCDIR/scripts/defines.sh
# Skip cleanly when the build was configured without the overlay.
19 if test $PPOLICY = ppolicyno; then
20 echo "Password policy overlay not available, test skipped"
24 mkdir -p $TESTDIR $DBDIR1
26 echo "Starting slapd on TCP/IP port $PORT1..."
# Render the ppolicy test config for the chosen backend, then start slapd
# in the background with its output captured in $LOG1.
27 . $CONFFILTER $BACKEND $MONITORDB < $PPOLICYCONF > $CONF1
28 $SLAPD -f $CONF1 -h $URI1 -d $LVL $TIMING > $LOG1 2>&1 &
30 if test $WAIT != 0 ; then
# Test subject DN; it contains spaces, so it is double-quoted at every use.
36 USER="uid=nd, ou=People, dc=example, dc=com"
41 echo "Using ldapsearch to check that slapd is running..."
# Poll the monitor suffix up to six times, pausing between attempts,
# until the server answers a base-scope search.
42 for i in 0 1 2 3 4 5; do
43 $LDAPSEARCH -s base -b "$MONITOR" -h $LOCALHOST -p $PORT1 \
44 'objectclass=*' > /dev/null 2>&1
46 if test $RC = 0 ; then
49 echo "Waiting 5 seconds for slapd to start..."
52 if test $RC != 0 ; then
53 echo "ldapsearch failed ($RC)!"
# $KILLPIDS is deliberately unquoted here and below: it presumably holds a
# space-separated PID list that must word-split into separate kill args.
54 test $KILLSERVERS != no && kill -HUP $KILLPIDS
58 echo "Using ldapadd to populate the database..."
59 # may need -e manageDIT for draft 09, but not yet.
# Load the ppolicy fixture (policy entries plus the test user) as the
# rootdn. Passwords given via -w are visible in the process list; that is
# acceptable for a self-contained test, not for production tooling.
60 $LDAPADD -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD < \
61 $LDIFPPOLICY > $TESTOUT 2>&1
63 if test $RC != 0 ; then
64 echo "ldapadd failed ($RC)!"
65 test $KILLSERVERS != no && kill -HUP $KILLPIDS
69 echo "Testing account lockout..."
# Four consecutive binds with a wrong password. Only the last one asks for
# the ppolicy response control (-e ppolicy), so only it can report the
# lockout; the threshold itself is set in $LDIFPPOLICY, not visible here.
70 $LDAPSEARCH -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >$SEARCHOUT 2>&1
72 $LDAPSEARCH -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >>$SEARCHOUT 2>&1
74 $LDAPSEARCH -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >>$SEARCHOUT 2>&1
76 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >> $SEARCHOUT 2>&1
# A correct password must still be refused while the account is locked;
# this is the second expected "Account locked" line.
77 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS >> $SEARCHOUT 2>&1
# Expect exactly two lockout notices: one per bind that requested the control.
78 COUNT=`grep "Account locked" $SEARCHOUT | wc -l`
79 if test $COUNT != 2 ; then
80 echo "Account lockout test failed"
81 test $KILLSERVERS != no && kill -HUP $KILLPIDS
# The lockout duration in the fixture is presumably under 20 s; after the
# wait the correct password must bind successfully again.
85 echo "Waiting 20 seconds for lockout to reset..."
88 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
89 -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
91 if test $RC != 0 ; then
92 echo "ldapsearch failed ($RC)!"
93 test $KILLSERVERS != no && kill -HUP $KILLPIDS
97 echo "Testing password expiration"
98 echo "Waiting 20 seconds for password to expire..."
# Bind four times with the (now expired) correct password. The fixture
# presumably allows three grace logins: those three succeed with a
# "grace logins" warning, and the fourth must be rejected.
101 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
102 -b "$BASEDN" -s base > $SEARCHOUT 2>&1
104 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
105 -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
107 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
108 -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
110 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
111 -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
# Inverted check: success here means the expired password was still accepted.
113 if test $RC = 0 ; then
114 echo "Password expiration failed ($RC)!"
115 test $KILLSERVERS != no && kill -HUP $KILLPIDS
119 COUNT=`grep "grace logins" $SEARCHOUT | wc -l`
120 if test $COUNT != 3 ; then
121 echo "Password expiration test failed"
122 test $KILLSERVERS != no && kill -HUP $KILLPIDS
126 echo "Resetting password to clear expired status"
# Administrative reset as the rootdn so the user can bind again; the new
# password argument is on an intervening line not shown in this excerpt.
127 $LDAPPASSWD -h $LOCALHOST -p $PORT1 \
129 -D "$MANAGERDN" "$USER" >> $TESTOUT 2>&1
131 if test $RC != 0 ; then
132 echo "ldappasswd failed ($RC)!"
133 test $KILLSERVERS != no && kill -HUP $KILLPIDS
137 echo "Filling password history..."
# Six self-service password changes in one ldapmodify session. Each change
# names the current value and then replaces it; the intervening
# "delete:"/"changetype:" lines of the LDIF are not visible here.
138 $LDAPMODIFY -v -D "$USER" -h $LOCALHOST -p $PORT1 -w $PASS > \
139 $TESTOUT 2>&1 << EOMODS
140 dn: uid=nd, ou=People, dc=example, dc=com
143 userpassword: testpassword
145 replace: userpassword
146 userpassword: 20urgle12-1
148 dn: uid=nd, ou=People, dc=example, dc=com
151 userpassword: 20urgle12-1
153 replace: userpassword
154 userpassword: 20urgle12-2
156 dn: uid=nd, ou=People, dc=example, dc=com
159 userpassword: 20urgle12-2
161 replace: userpassword
162 userpassword: 20urgle12-3
164 dn: uid=nd, ou=People, dc=example, dc=com
167 userpassword: 20urgle12-3
169 replace: userpassword
170 userpassword: 20urgle12-4
172 dn: uid=nd, ou=People, dc=example, dc=com
175 userpassword: 20urgle12-4
177 replace: userpassword
178 userpassword: 20urgle12-5
180 dn: uid=nd, ou=People, dc=example, dc=com
183 userpassword: 20urgle12-5
185 replace: userpassword
186 userpassword: 20urgle12-6
190 if test $RC != 0 ; then
191 echo "ldapmodify failed ($RC)!"
192 test $KILLSERVERS != no && kill -HUP $KILLPIDS
195 echo "Testing password history..."
# Re-using a value still in the history (20urgle12-2) must be refused, so a
# zero exit status here is the failure case.
196 $LDAPMODIFY -v -D "$USER" -h $LOCALHOST -p $PORT1 -w 20urgle12-6 > \
197 $TESTOUT 2>&1 << EOMODS
198 dn: uid=nd, ou=People, dc=example, dc=com
201 userPassword: 20urgle12-6
203 replace: userPassword
204 userPassword: 20urgle12-2
208 if test $RC = 0 ; then
209 echo "ldapmodify failed ($RC)!"
210 test $KILLSERVERS != no && kill -HUP $KILLPIDS
214 echo "Testing forced reset..."
# An administrator (rootdn) sets the user's password directly. With the
# fixture's policy this presumably flags the entry as needing a user reset.
216 $LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
217 $TESTOUT 2>&1 << EOMODS
218 dn: uid=nd, ou=People, dc=example, dc=com
220 replace: userPassword
221 userPassword: testpassword
228 if test $RC != 0 ; then
229 echo "ldapmodify failed ($RC)!"
230 test $KILLSERVERS != no && kill -HUP $KILLPIDS
# The user can bind, but any operation other than changing the password
# must be refused with "Operations are restricted" until the reset is done.
234 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
235 -b "$BASEDN" -s base > $SEARCHOUT 2>&1
237 if test $RC = 0 ; then
238 echo "Forced reset failed ($RC)!"
239 test $KILLSERVERS != no && kill -HUP $KILLPIDS
243 COUNT=`grep "Operations are restricted" $SEARCHOUT | wc -l`
244 if test $COUNT != 1 ; then
245 echo "Forced reset test failed"
246 test $KILLSERVERS != no && kill -HUP $KILLPIDS
250 echo "Clearing forced reset..."
# Rootdn modification that lifts the reset flag; the attribute lines of
# this LDIF are not visible in the excerpt.
252 $LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
253 $TESTOUT 2>&1 << EOMODS
254 dn: uid=nd, ou=People, dc=example, dc=com
260 if test $RC != 0 ; then
261 echo "ldapmodify failed ($RC)!"
262 test $KILLSERVERS != no && kill -HUP $KILLPIDS
# A normal search must now succeed again.
266 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
267 -b "$BASEDN" -s base > $SEARCHOUT 2>&1
269 if test $RC != 0 ; then
270 echo "Clearing forced reset failed ($RC)!"
271 test $KILLSERVERS != no && kill -HUP $KILLPIDS
275 echo "Testing Safe modify..."
# Safe modify, test 1: a self-service change that does not prove knowledge
# of the current password (no -a) must be rejected.
277 $LDAPPASSWD -h $LOCALHOST -p $PORT1 \
278 -w $PASS -s failexpect \
279 -D "$USER" > $TESTOUT 2>&1
281 if test $RC = 0 ; then
282 echo "Safe modify test 1 failed ($RC)!"
283 test $KILLSERVERS != no && kill -HUP $KILLPIDS
# Safe modify, test 2: the same change supplying the old password (-a)
# must succeed. From here on the user's password is "failexpect".
289 $LDAPPASSWD -h $LOCALHOST -p $PORT1 \
290 -w $PASS -s failexpect -a $PASS \
291 -D "$USER" > $TESTOUT 2>&1
293 if test $RC != 0 ; then
294 echo "Safe modify test 2 failed ($RC)!"
295 test $KILLSERVERS != no && kill -HUP $KILLPIDS
297 echo "Testing length requirement..."
# A three-character password ("spw") must be refused by the quality check.
301 $LDAPPASSWD -h $LOCALHOST -p $PORT1 \
302 -w failexpect -a failexpect -s spw \
303 -D "$USER" > $TESTOUT 2>&1
305 if test $RC = 0 ; then
306 echo "Length requirement test failed ($RC)!"
307 test $KILLSERVERS != no && kill -HUP $KILLPIDS
310 COUNT=`grep "Password fails quality" $TESTOUT | wc -l`
311 if test $COUNT != 1 ; then
312 echo "Length requirement test failed"
313 test $KILLSERVERS != no && kill -HUP $KILLPIDS
317 echo "Testing hashed length requirement..."
# Security-relevant case: a client submitting a pre-hashed value ({MD5}...)
# could otherwise bypass length/quality checks, since the server cannot
# inspect the cleartext. The policy in the fixture presumably rejects
# values it cannot check, so this modify must fail with the same
# "Password fails quality" diagnostic.
319 $LDAPMODIFY -h $LOCALHOST -p $PORT1 -D "$USER" -w failexpect > \
320 $TESTOUT 2>&1 << EOMODS
324 userPassword: failexpect
327 userPassword: {MD5}xxxxxx
331 if test $RC = 0 ; then
332 echo "Hashed length requirement test failed ($RC)!"
333 test $KILLSERVERS != no && kill -HUP $KILLPIDS
336 COUNT=`grep "Password fails quality" $TESTOUT | wc -l`
337 if test $COUNT != 1 ; then
338 echo "Hashed length requirement test failed"
339 test $KILLSERVERS != no && kill -HUP $KILLPIDS
# All checks passed: stop the test server (unless asked to keep it) and report.
343 test $KILLSERVERS != no && kill -HUP $KILLPIDS
345 echo ">>>>> Test succeeded"