3 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 ## Copyright 1998-2005 The OpenLDAP Foundation.
6 ## All rights reserved.
8 ## Redistribution and use in source and binary forms, with or without
9 ## modification, are permitted only as authorized by the OpenLDAP
12 ## A copy of this license is available in the file LICENSE in the
13 ## top-level directory of the distribution or, alternatively, at
14 ## <http://www.OpenLDAP.org/license.html>.
# Test script for the OpenLDAP password policy (ppolicy) overlay: starts a
# slapd with the ppolicy configuration, loads test data, then exercises
# account lockout, password expiration / grace logins, password history,
# forced reset, safe modify and password quality (length) checks.
#
# NOTE(review): this listing is a fragment -- lines such as `fi`, `exit`,
# `RC=$?`, `sleep` and the here-document terminators are not shown, so the
# compound statements below appear unterminated; they are annotated as they
# stand.
16 echo "running defines.sh"
# Shared harness settings (tool paths, ports, DNs, credentials such as
# $MANAGERDN/$PASSWD and the test user's $PASS) are not set in this file and
# are expected to come from defines.sh.
17 . $SRCDIR/scripts/defines.sh
# Skip cleanly when the overlay was not built into this slapd.
19 if test $PPOLICY = ppolicyno; then
20 echo "Password policy overlay not available, test skipped"
24 mkdir -p $TESTDIR $DBDIR1
26 echo "Starting slapd on TCP/IP port $PORT1..."
# Filter the template config for the selected backend, then start slapd in
# the background; all server output goes to $LOG1.
27 . $CONFFILTER $BACKEND $MONITORDB < $PPOLICYCONF > $CONF1
28 $SLAPD -f $CONF1 -h $URI1 -d $LVL $TIMING > $LOG1 2>&1 &
# $WAIT != 0 is a harness hook for pausing here (body not shown).
30 if test $WAIT != 0 ; then
# DN of the test account; all self-service binds below use -D "$USER".
36 USER="uid=nd, ou=People, dc=example, dc=com"
39 echo "Using ldapsearch to check that slapd is running..."
# Readiness poll: up to six base searches against the monitor DB, with a
# pause between attempts.  The exit status is captured into RC on a line
# that is not shown here.
40 for i in 0 1 2 3 4 5; do
41 $LDAPSEARCH -s base -b "$MONITOR" -h $LOCALHOST -p $PORT1 \
42 'objectclass=*' > /dev/null 2>&1
44 if test $RC = 0 ; then
47 echo "Waiting 5 seconds for slapd to start..."
# Server never came up: report, stop the server(s) and bail out.
50 if test $RC != 0 ; then
# BUG(review): "$(RC)" is a command substitution (it tries to run a command
# named RC), not the exit code.  Every other failure message in this script
# uses "($RC)"; this one never prints the status.  Left as-is here since
# only comments are being changed.
51 echo "ldapsearch failed $(RC)!"
# $KILLPIDS may hold several PIDs and is deliberately left unquoted so that
# they word-split into separate kill arguments (same pattern throughout).
52 test $KILLSERVERS != no && kill -HUP $KILLPIDS
56 echo "Using ldapadd to populate the database..."
57 # may need -e manageDIT for draft 09, but not yet.
# Load the ppolicy test LDIF as the manager.  Note $PASSWD is the manager
# password; $PASS (used with -D "$USER" below) is the test user's.
# Passing passwords via -w puts them on the command line, where they are
# visible in process listings -- acceptable only in a local test harness.
58 $LDAPADD -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD < \
59 $LDIFPPOLICY > $TESTOUT 2>&1
61 if test $RC != 0 ; then
62 echo "ldapadd failed ($RC)!"
63 test $KILLSERVERS != no && kill -HUP $KILLPIDS
67 echo "Testing account lockout..."
# Lockout: three failed binds without the ppolicy control, a fourth failed
# bind with the control, then a bind with the CORRECT password.  The
# "Account locked" text must appear exactly twice, i.e. the lock must also
# be reported for the correct password -- a locked account must not be
# unlockable simply by supplying the right credential.  Presumably only the
# two `-e ppolicy` binds carry the policy response text, hence the count of
# 2 rather than 5 (verify against the server's output format).
68 $LDAPSEARCH -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >$SEARCHOUT 2>&1
70 $LDAPSEARCH -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >>$SEARCHOUT 2>&1
72 $LDAPSEARCH -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >>$SEARCHOUT 2>&1
74 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >> $SEARCHOUT 2>&1
75 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS >> $SEARCHOUT 2>&1
# $COUNT is compared unquoted so that any leading padding from `wc -l` is
# dropped before the string comparison.
76 COUNT=`grep "Account locked" $SEARCHOUT | wc -l`
77 if test $COUNT != 2 ; then
78 echo "Account lockout test failed"
79 test $KILLSERVERS != no && kill -HUP $KILLPIDS
# The lock is time-limited by the policy; after the wait (sleep not shown)
# a bind with the correct password must succeed again.
83 echo "Waiting 20 seconds for lockout to reset..."
86 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
87 -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
89 if test $RC != 0 ; then
90 echo "ldapsearch failed ($RC)!"
91 test $KILLSERVERS != no && kill -HUP $KILLPIDS
95 echo "Testing password expiration"
# Expiration / grace logins: after the password has aged out (sleep not
# shown), four binds with the correct password are attempted.  Both checks
# below must hold: the LAST bind must be refused (RC = 0 is the failure
# branch) and "grace logins" must have been reported exactly three times.
96 echo "Waiting 20 seconds for password to expire..."
99 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
100 -b "$BASEDN" -s base > $SEARCHOUT 2>&1
102 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
103 -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
105 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
106 -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
108 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
109 -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
# Inverted check on purpose: success here means the expired password was
# still accepted after the grace logins were used up.
111 if test $RC = 0 ; then
112 echo "Password expiration failed ($RC)!"
113 test $KILLSERVERS != no && kill -HUP $KILLPIDS
117 COUNT=`grep "grace logins" $SEARCHOUT | wc -l`
118 if test $COUNT != 3 ; then
119 echo "Password expiration test failed"
120 test $KILLSERVERS != no && kill -HUP $KILLPIDS
# Administrative reset as the manager clears the expired state so the
# account can be used for the remaining tests (the -w line is not shown).
124 echo "Resetting password to clear expired status"
125 $LDAPPASSWD -h $LOCALHOST -p $PORT1 \
127 -D "$MANAGERDN" "$USER" >> $TESTOUT 2>&1
129 if test $RC != 0 ; then
130 echo "ldappasswd failed ($RC)!"
131 test $KILLSERVERS != no && kill -HUP $KILLPIDS
135 echo "Filling password history..."
# Six self-service password changes, bound as the user with $PASS.  Each
# change supplies the current value and then `replace:`s it with the next
# one (the changetype/delete lines are not shown); the first change
# supplies "testpassword", so $PASS presumably equals that -- confirm in
# defines.sh.  These values are plaintext test fixtures only.  The
# here-document's EOMODS terminator and the RC capture are not shown.
136 $LDAPMODIFY -v -D "$USER" -h $LOCALHOST -p $PORT1 -w $PASS > \
137 $TESTOUT 2>&1 << EOMODS
138 dn: uid=nd, ou=People, dc=example, dc=com
141 userpassword: testpassword
143 replace: userpassword
144 userpassword: 20urgle12-1
146 dn: uid=nd, ou=People, dc=example, dc=com
149 userpassword: 20urgle12-1
151 replace: userpassword
152 userpassword: 20urgle12-2
154 dn: uid=nd, ou=People, dc=example, dc=com
157 userpassword: 20urgle12-2
159 replace: userpassword
160 userpassword: 20urgle12-3
162 dn: uid=nd, ou=People, dc=example, dc=com
165 userpassword: 20urgle12-3
167 replace: userpassword
168 userpassword: 20urgle12-4
170 dn: uid=nd, ou=People, dc=example, dc=com
173 userpassword: 20urgle12-4
175 replace: userpassword
176 userpassword: 20urgle12-5
178 dn: uid=nd, ou=People, dc=example, dc=com
181 userpassword: 20urgle12-5
183 replace: userpassword
184 userpassword: 20urgle12-6
188 if test $RC != 0 ; then
189 echo "ldapmodify failed ($RC)!"
190 test $KILLSERVERS != no && kill -HUP $KILLPIDS
193 echo "Testing password history..."
# History check: bound with the current password (20urgle12-6), try to
# revert to a value used four changes ago (20urgle12-2).  The modify MUST
# be rejected; RC = 0 is therefore the failure branch.  The failure message
# "ldapmodify failed" is misleading here -- the test fails because the
# modify SUCCEEDED, i.e. password reuse was not blocked.
194 $LDAPMODIFY -v -D "$USER" -h $LOCALHOST -p $PORT1 -w 20urgle12-6 > \
195 $TESTOUT 2>&1 << EOMODS
196 dn: uid=nd, ou=People, dc=example, dc=com
199 userPassword: 20urgle12-6
201 replace: userPassword
202 userPassword: 20urgle12-2
206 if test $RC = 0 ; then
207 echo "ldapmodify failed ($RC)!"
208 test $KILLSERVERS != no && kill -HUP $KILLPIDS
212 echo "Testing forced reset..."
# Forced reset: the manager sets the user's password back to "testpassword"
# in a modification that is only partly shown (further attribute changes
# are expected to put the account into a must-change-password state).
214 $LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
215 $TESTOUT 2>&1 << EOMODS
216 dn: uid=nd, ou=People, dc=example, dc=com
218 replace: userPassword
219 userPassword: testpassword
226 if test $RC != 0 ; then
227 echo "ldapmodify failed ($RC)!"
228 test $KILLSERVERS != no && kill -HUP $KILLPIDS
# After an administrative reset the user can authenticate but must not be
# able to do anything other than change the password: the search must fail
# (RC = 0 is the failure branch) and the server must report
# "Operations are restricted" exactly once.
232 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
233 -b "$BASEDN" -s base > $SEARCHOUT 2>&1
235 if test $RC = 0 ; then
236 echo "Forced reset failed ($RC)!"
237 test $KILLSERVERS != no && kill -HUP $KILLPIDS
241 COUNT=`grep "Operations are restricted" $SEARCHOUT | wc -l`
242 if test $COUNT != 1 ; then
243 echo "Forced reset test failed"
244 test $KILLSERVERS != no && kill -HUP $KILLPIDS
248 echo "Clearing forced reset..."
# Manager clears the must-change state (modification body not shown); the
# user's search must then succeed again.
250 $LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
251 $TESTOUT 2>&1 << EOMODS
252 dn: uid=nd, ou=People, dc=example, dc=com
258 if test $RC != 0 ; then
259 echo "ldapmodify failed ($RC)!"
260 test $KILLSERVERS != no && kill -HUP $KILLPIDS
264 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
265 -b "$BASEDN" -s base > $SEARCHOUT 2>&1
267 if test $RC != 0 ; then
268 echo "Clearing forced reset failed ($RC)!"
269 test $KILLSERVERS != no && kill -HUP $KILLPIDS
273 echo "Testing Safe modify..."
# Safe modify (presumably pwdSafeModify): a self-service ldappasswd that
# does not present the old password (-a) must be refused ...
275 $LDAPPASSWD -h $LOCALHOST -p $PORT1 \
276 -w $PASS -s failexpect \
277 -D "$USER" > $TESTOUT 2>&1
279 if test $RC = 0 ; then
280 echo "Safe modify test 1 failed ($RC)!"
281 test $KILLSERVERS != no && kill -HUP $KILLPIDS
# ... while the same change WITH the old password must succeed.  From here
# on the user's password is "failexpect" (used as -w below).
287 $LDAPPASSWD -h $LOCALHOST -p $PORT1 \
288 -w $PASS -s failexpect -a $PASS \
289 -D "$USER" > $TESTOUT 2>&1
291 if test $RC != 0 ; then
292 echo "Safe modify test 2 failed ($RC)!"
293 test $KILLSERVERS != no && kill -HUP $KILLPIDS
297 echo "Testing length requirement..."
# Quality check: a 3-character password ("spw") must be rejected, and the
# rejection must be reported as "Password fails quality" exactly once.
299 $LDAPPASSWD -h $LOCALHOST -p $PORT1 \
300 -w failexpect -a failexpect -s spw \
301 -D "$USER" > $TESTOUT 2>&1
303 if test $RC = 0 ; then
304 echo "Length requirement test failed ($RC)!"
305 test $KILLSERVERS != no && kill -HUP $KILLPIDS
308 COUNT=`grep "Password fails quality" $TESTOUT | wc -l`
309 if test $COUNT != 1 ; then
310 echo "Length requirement test failed"
311 test $KILLSERVERS != no && kill -HUP $KILLPIDS
315 echo "Testing hashed length requirement..."
# Pre-hashed value: the user submits "{MD5}xxxxxx" directly via modify.
# The server cannot run quality checks on a value it cannot see in clear,
# so with the configured policy this must be rejected with the same
# "Password fails quality" error -- otherwise a client could bypass the
# quality rules by hashing the password itself.  (Modification lines
# between the shown ones, the EOMODS terminator and RC capture are not
# shown.)
317 $LDAPMODIFY -h $LOCALHOST -p $PORT1 -D "$USER" -w failexpect > \
318 $TESTOUT 2>&1 << EOMODS
322 userPassword: failexpect
325 userPassword: {MD5}xxxxxx
329 if test $RC = 0 ; then
330 echo "Hashed length requirement test failed ($RC)!"
331 test $KILLSERVERS != no && kill -HUP $KILLPIDS
334 COUNT=`grep "Password fails quality" $TESTOUT | wc -l`
335 if test $COUNT != 1 ; then
336 echo "Hashed length requirement test failed"
337 test $KILLSERVERS != no && kill -HUP $KILLPIDS
# All checks passed: stop the server(s) unless the harness asked to keep
# them running, then report success.
341 test $KILLSERVERS != no && kill -HUP $KILLPIDS
343 echo ">>>>> Test succeeded"