3 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 ## Copyright 1998-2013 The OpenLDAP Foundation.
6 ## All rights reserved.
8 ## Redistribution and use in source and binary forms, with or without
9 ## modification, are permitted only as authorized by the OpenLDAP
12 ## A copy of this license is available in the file LICENSE in the
13 ## top-level directory of the distribution or, alternatively, at
14 ## <http://www.OpenLDAP.org/license.html>.
# NOTE(review): abridged excerpt of the OpenLDAP ppolicy overlay regression
# test. The gaps in the leading line numbers show that lines such as `RC=$?`,
# `fi`, `exit`, `sleep`, PID capture and the heredoc terminators
# (`EOMODS` / `EOF`) were dropped from this view, so the text below is not a
# runnable script on its own; read every `if test $RC ...` as a check on the
# exit status of the command immediately above it.
#
# Credential handling worth noting: the cn=config secret is produced by
# `slappasswd -g` into a file and every cn=config bind reads it back with
# `-y $CONFIGPWF`, whereas the user and manager passwords are passed on the
# command line with `-w`, which exposes them to other local users via the
# process list. Acceptable for a throwaway test harness; do not copy the
# `-w <password>` pattern into operational scripts.
16 echo "running defines.sh"
# Shared harness variables: paths, ports, the $LDAP*/$SLAP* tool wrappers,
# $PASSWD / $PASS, $KILLSERVERS, $WAIT, feature flags such as $PPOLICY.
17 . $SRCDIR/scripts/defines.sh
# The overlay is optional at build time; the skip/exit lines are not shown.
19 if test $PPOLICY = ppolicyno; then
20 echo "Password policy overlay not available, test skipped"
24 mkdir -p $TESTDIR $DBDIR1
# cn=config root password: generated into $CONFIGPWF, then hashed by
# `slappasswd -T` (reads the file) into a rootpw directive for the server
# config. Because later cn=config binds use `-y $CONFIGPWF`, this secret
# never appears on a command line.
26 $SLAPPASSWD -g -n >$CONFIGPWF
27 echo "rootpw `$SLAPPASSWD -T $CONFIGPWF`" >$TESTDIR/configpw.conf
29 echo "Starting slapd on TCP/IP port $PORT1..."
# $CONFFILTER is sourced (not executed) with the backend/monitor selection
# to expand the ppolicy config template into $CONF1.
30 . $CONFFILTER $BACKEND $MONITORDB < $PPOLICYCONF > $CONF1
# Provider started in the background at debug level $LVL; the capture of
# its PID into $KILLPIDS is among the lines not shown.
31 $SLAPD -f $CONF1 -h $URI1 -d $LVL $TIMING > $LOG1 2>&1 &
33 if test $WAIT != 0 ; then
# Test subject for every policy check below (a regular, non-root user).
39 USER="uid=nd, ou=People, dc=example, dc=com"
# Readiness probe: retry a base search on the monitor DB until it succeeds
# (the RC capture, `break` and `sleep` lines are not shown); after the loop
# a still-failing RC tears the servers down.
44 echo "Using ldapsearch to check that slapd is running..."
45 for i in 0 1 2 3 4 5; do
46 $LDAPSEARCH -s base -b "$MONITOR" -h $LOCALHOST -p $PORT1 \
47 'objectclass=*' > /dev/null 2>&1
49 if test $RC = 0 ; then
52 echo "Waiting 5 seconds for slapd to start..."
55 if test $RC != 0 ; then
56 echo "ldapsearch failed ($RC)!"
# Cleanup idiom repeated on every failure path: HUP the servers this run
# started unless the harness asked to keep them (KILLSERVERS=no).
57 test $KILLSERVERS != no && kill -HUP $KILLPIDS
# Initialises $TESTOUT. Note it writes the literal text "/dev/null" into
# the file rather than truncating it to empty; harmless, since everything
# afterwards appends.
61 echo /dev/null > $TESTOUT
63 echo "Using ldapadd to populate the database..."
64 # may need "-e relax" for draft 09, but not yet.
# Seed the fixture (policy entries and the test user live in $LDIFPPOLICY)
# as the rootdn.
65 $LDAPADD -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD < \
66 $LDIFPPOLICY >> $TESTOUT 2>&1
68 if test $RC != 0 ; then
69 echo "ldapadd failed ($RC)!"
70 test $KILLSERVERS != no && kill -HUP $KILLPIDS
# Lockout: three wrong binds without the ppolicy control, a fourth wrong
# bind with it, then the *correct* password with it. "Account locked" is
# expected exactly twice -- once for the fourth wrong bind and once for the
# correct password -- which proves a locked account refuses valid
# credentials as well. Only the `-e ppolicy` requests can surface the
# response-control text, so the first three attempts contribute nothing to
# the count. The failure limit and lockout duration come from the policy
# entry in $LDIFPPOLICY (not shown).
74 echo "Testing account lockout..."
75 $LDAPSEARCH -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >$SEARCHOUT 2>&1
77 $LDAPSEARCH -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >>$SEARCHOUT 2>&1
79 $LDAPSEARCH -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >>$SEARCHOUT 2>&1
81 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >> $SEARCHOUT 2>&1
82 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS >> $SEARCHOUT 2>&1
83 COUNT=`grep "Account locked" $SEARCHOUT | wc -l`
84 if test $COUNT != 2 ; then
85 echo "Account lockout test failed"
86 test $KILLSERVERS != no && kill -HUP $KILLPIDS
# After the lockout window (the `sleep` is not shown) the correct password
# must be accepted again.
90 echo "Waiting 20 seconds for lockout to reset..."
93 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
94 -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
96 if test $RC != 0 ; then
97 echo "ldapsearch failed ($RC)!"
98 test $KILLSERVERS != no && kill -HUP $KILLPIDS
# Expiration with grace logins: after the wait (sleep not shown) four binds
# with the correct password. The last one must be refused (RC = 0 is the
# failure branch) and exactly three "grace logins" warnings must have been
# issued on the way there.
102 echo "Testing password expiration"
103 echo "Waiting 20 seconds for password to expire..."
106 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
107 -b "$BASEDN" -s base > $SEARCHOUT 2>&1
109 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
110 -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
112 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
113 -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
115 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
116 -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
118 if test $RC = 0 ; then
119 echo "Password expiration failed ($RC)!"
120 test $KILLSERVERS != no && kill -HUP $KILLPIDS
124 COUNT=`grep "grace logins" $SEARCHOUT | wc -l`
125 if test $COUNT != 3 ; then
126 echo "Password expiration test failed"
127 test $KILLSERVERS != no && kill -HUP $KILLPIDS
# Administrative reset by the rootdn clears the expired state. The manager
# credential and new-password options (original line 133) are not shown;
# since the user binds with $PASS right after this, the reset presumably
# sets the password back to $PASS -- confirm against the full script.
131 echo "Resetting password to clear expired status"
132 $LDAPPASSWD -h $LOCALHOST -p $PORT1 \
134 -D "$MANAGERDN" "$USER" >> $TESTOUT 2>&1
136 if test $RC != 0 ; then
137 echo "ldappasswd failed ($RC)!"
138 test $KILLSERVERS != no && kill -HUP $KILLPIDS
# Password history: six consecutive self-service changes, each LDIF record
# removing the current value and replacing it with the next (the
# `changetype:`, `delete:` and `-` separator lines are among those not
# shown). The 20urgle12-N values are throwaway fixtures, not real secrets.
142 echo "Filling password history..."
143 $LDAPMODIFY -v -D "$USER" -h $LOCALHOST -p $PORT1 -w $PASS >> \
144 $TESTOUT 2>&1 << EOMODS
145 dn: uid=nd, ou=People, dc=example, dc=com
150 replace: userpassword
151 userpassword: 20urgle12-1
153 dn: uid=nd, ou=People, dc=example, dc=com
156 userpassword: 20urgle12-1
158 replace: userpassword
159 userpassword: 20urgle12-2
161 dn: uid=nd, ou=People, dc=example, dc=com
164 userpassword: 20urgle12-2
166 replace: userpassword
167 userpassword: 20urgle12-3
169 dn: uid=nd, ou=People, dc=example, dc=com
172 userpassword: 20urgle12-3
174 replace: userpassword
175 userpassword: 20urgle12-4
177 dn: uid=nd, ou=People, dc=example, dc=com
180 userpassword: 20urgle12-4
182 replace: userpassword
183 userpassword: 20urgle12-5
185 dn: uid=nd, ou=People, dc=example, dc=com
188 userpassword: 20urgle12-5
190 replace: userpassword
191 userpassword: 20urgle12-6
195 if test $RC != 0 ; then
196 echo "ldapmodify failed ($RC)!"
197 test $KILLSERVERS != no && kill -HUP $KILLPIDS
# Reusing a value still in the history (20urgle12-2) must be refused; here
# RC = 0 is the failure branch. Attribute-name case differs from the block
# above (userPassword vs userpassword) -- LDAP attribute names are
# case-insensitive, so this is cosmetic.
200 echo "Testing password history..."
201 $LDAPMODIFY -v -D "$USER" -h $LOCALHOST -p $PORT1 -w 20urgle12-6 >> \
202 $TESTOUT 2>&1 << EOMODS
203 dn: uid=nd, ou=People, dc=example, dc=com
206 userPassword: 20urgle12-6
208 replace: userPassword
209 userPassword: 20urgle12-2
213 if test $RC = 0 ; then
214 echo "ldapmodify failed ($RC)!"
215 test $KILLSERVERS != no && kill -HUP $KILLPIDS
# Forced reset: the rootdn replaces the user's password (the replacement
# value and any accompanying reset-flag change are not shown). The user's
# subsequent ldapsearch with $PASS must then fail (RC = 0 is the failure
# branch) and report exactly one "Operations are restricted" line, i.e.
# the account is limited until its owner sets a new password.
219 echo "Testing forced reset..."
221 $LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD >> \
222 $TESTOUT 2>&1 << EOMODS
223 dn: uid=nd, ou=People, dc=example, dc=com
225 replace: userPassword
233 if test $RC != 0 ; then
234 echo "ldapmodify failed ($RC)!"
235 test $KILLSERVERS != no && kill -HUP $KILLPIDS
239 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
240 -b "$BASEDN" -s base > $SEARCHOUT 2>&1
242 if test $RC = 0 ; then
243 echo "Forced reset failed ($RC)!"
244 test $KILLSERVERS != no && kill -HUP $KILLPIDS
248 COUNT=`grep "Operations are restricted" $SEARCHOUT | wc -l`
249 if test $COUNT != 1 ; then
250 echo "Forced reset test failed"
251 test $KILLSERVERS != no && kill -HUP $KILLPIDS
# Clearing the forced-reset state is again a rootdn modify (the attribute
# lines are not shown); afterwards the user's search must succeed.
255 echo "Clearing forced reset..."
257 $LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD >> \
258 $TESTOUT 2>&1 << EOMODS
259 dn: uid=nd, ou=People, dc=example, dc=com
265 if test $RC != 0 ; then
266 echo "ldapmodify failed ($RC)!"
267 test $KILLSERVERS != no && kill -HUP $KILLPIDS
271 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
272 -b "$BASEDN" -s base > $SEARCHOUT 2>&1
274 if test $RC != 0 ; then
275 echo "Clearing forced reset failed ($RC)!"
276 test $KILLSERVERS != no && kill -HUP $KILLPIDS
# Safe modify: a user changing their own password must prove knowledge of
# the current one. Test 1 supplies only a new value (`-s`, no `-a`) and
# must fail (RC = 0 is the failure branch); test 2 supplies the old value
# with `-a` and must succeed. $OLDPASS is assigned in lines not shown.
280 echo "Testing Safe modify..."
282 $LDAPPASSWD -h $LOCALHOST -p $PORT1 \
283 -w $PASS -s failexpect \
284 -D "$USER" >> $TESTOUT 2>&1
286 if test $RC = 0 ; then
287 echo "Safe modify test 1 failed ($RC)!"
288 test $KILLSERVERS != no && kill -HUP $KILLPIDS
297 $LDAPPASSWD -h $LOCALHOST -p $PORT1 \
298 -w $OLDPASS -s $PASS -a $OLDPASS \
299 -D "$USER" >> $TESTOUT 2>&1
301 if test $RC != 0 ; then
302 echo "Safe modify test 2 failed ($RC)!"
303 test $KILLSERVERS != no && kill -HUP $KILLPIDS
# Quality/length check (ITS#5711): "2shr" is shorter than the policy's
# minimum, so the password-modify extended op must fail with
# "Password fails quality" AND the ppolicy response control must be carried
# on the extended-op response -- the "Password is too short for policy"
# text is only printed when that control comes back, which the second grep
# verifies. Output goes to a scratch file so the greps see just this op.
307 echo "Testing length requirement..."
308 # check control in response (ITS#5711)
309 $LDAPPASSWD -h $LOCALHOST -p $PORT1 \
310 -w $PASS -a $PASS -s 2shr \
311 -D "$USER" -e ppolicy > ${TESTOUT}.2 2>&1
313 cat ${TESTOUT}.2 >> $TESTOUT
314 if test $RC = 0 ; then
315 echo "Length requirement test failed ($RC)!"
316 test $KILLSERVERS != no && kill -HUP $KILLPIDS
319 COUNT=`grep "Password fails quality" ${TESTOUT}.2 | wc -l`
320 if test $COUNT != 1 ; then
321 echo "Length requirement test failed"
322 test $KILLSERVERS != no && kill -HUP $KILLPIDS
325 COUNT=`grep "Password is too short for policy" ${TESTOUT}.2 | wc -l`
326 if test $COUNT != 1 ; then
327 echo "Control not returned in response"
328 test $KILLSERVERS != no && kill -HUP $KILLPIDS
# A pre-hashed value ({MD5}xxxxxx) cannot be length-checked by the server.
# The expectation here is that the policy rejects it with
# "Password fails quality" rather than silently accepting an unverifiable
# password (dn/changetype lines of the LDIF are not shown).
332 echo "Testing hashed length requirement..."
334 $LDAPMODIFY -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS > \
335 ${TESTOUT}.2 2>&1 << EOMODS
342 userPassword: {MD5}xxxxxx
346 cat ${TESTOUT}.2 >> $TESTOUT
347 if test $RC = 0 ; then
348 echo "Hashed length requirement test failed ($RC)!"
349 test $KILLSERVERS != no && kill -HUP $KILLPIDS
352 COUNT=`grep "Password fails quality" ${TESTOUT}.2 | wc -l`
353 if test $COUNT != 1 ; then
354 echo "Hashed length requirement test failed"
355 test $KILLSERVERS != no && kill -HUP $KILLPIDS
# userPassword must remain single-valued under ppolicy: an add carrying two
# values, a modify/add of two values and a modify/replace with two values
# must each fail (RC = 0 is the failure branch), even when performed by the
# rootdn.
359 echo "Testing multiple password add/modify checks..."
361 $LDAPMODIFY -h $LOCALHOST -p $PORT1 -D "$MANAGERDN" -w $PASSWD >> \
362 $TESTOUT 2>&1 << EOMODS
363 dn: cn=Add Should Fail, ou=People, dc=example, dc=com
365 objectClass: inetOrgPerson
368 userPassword: firstpw
369 userPassword: secondpw
372 if test $RC = 0 ; then
373 echo "Multiple password add test failed ($RC)!"
374 test $KILLSERVERS != no && kill -HUP $KILLPIDS
378 $LDAPMODIFY -h $LOCALHOST -p $PORT1 -D "$MANAGERDN" -w $PASSWD >> \
379 $TESTOUT 2>&1 << EOMODS
383 userPassword: firstpw
384 userPassword: secondpw
387 if test $RC = 0 ; then
388 echo "Multiple password modify add test failed ($RC)!"
389 test $KILLSERVERS != no && kill -HUP $KILLPIDS
393 $LDAPMODIFY -h $LOCALHOST -p $PORT1 -D "$MANAGERDN" -w $PASSWD >> \
394 $TESTOUT 2>&1 << EOMODS
397 replace: userPassword
398 userPassword: firstpw
399 userPassword: secondpw
402 if test $RC = 0 ; then
403 echo "Multiple password modify replace test failed ($RC)!"
404 test $KILLSERVERS != no && kill -HUP $KILLPIDS
# Policy-state forwarding needs both back-ldap (for chaining) and syncprov
# (for replication); skipped otherwise.
408 if test "$BACKLDAP" != "ldapno" && test "$SYNCPROV" != "syncprovno" ; then
410 echo "Setting up policy state forwarding test..."
# Consumer config is a copy of the provider's with the DB directory
# rewritten. $DBDIR1 is interpolated unescaped into a sed expression that
# uses `,` as delimiter, so the harness paths must not contain `,` or
# regex metacharacters -- fine here, but not a pattern to reuse with
# caller-supplied paths.
413 sed -e "s,$DBDIR1,$DBDIR2," < $CONF1 > $CONF2
414 echo "Starting slapd consumer on TCP/IP port $PORT2..."
415 $SLAPD -f $CONF2 -h $URI2 -d $LVL $TIMING > $LOG2 2>&1 &
417 if test $WAIT != 0 ; then
# $PID is captured in lines not shown; both servers are now torn down
# together on any failure path.
421 KILLPIDS="$KILLPIDS $PID"
# Provider side: load the syncprov module dynamically when built as a
# module, then attach the overlay to the main database -- all via cn=config
# with the password file (`-y`), so the config secret stays off argv.
423 echo "Configuring syncprov on provider..."
424 if [ "$SYNCPROV" = syncprovmod ]; then
425 $LDAPADD -D cn=config -H $URI1 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
426 dn: cn=module,cn=config
427 objectclass: olcModuleList
429 olcModulePath: $TESTWD/../servers/slapd/overlays
430 olcModuleLoad: syncprov.la
434 if test $RC != 0 ; then
435 echo "ldapadd failed for moduleLoad ($RC)!"
436 test $KILLSERVERS != no && kill -HUP $KILLPIDS
441 $LDAPADD -D cn=config -H $URI1 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
442 dn: olcOverlay={1}syncprov,olcDatabase={1}$BACKEND,cn=config
443 objectClass: olcOverlayConfig
444 objectClass: olcSyncProvConfig
445 olcOverlay: {1}syncprov
449 if test $RC != 0 ; then
450 echo "ldapadd failed for provider database config ($RC)!"
451 test $KILLSERVERS != no && kill -HUP $KILLPIDS
# Same readiness probe as above, now against the consumer URI.
455 echo "Using ldapsearch to check that slapd is running..."
456 for i in 0 1 2 3 4 5; do
457 $LDAPSEARCH -s base -b "$MONITOR" -H $URI2 \
458 'objectclass=*' > /dev/null 2>&1
460 if test $RC = 0 ; then
463 echo "Waiting 5 seconds for slapd to start..."
466 if test $RC != 0 ; then
467 echo "ldapsearch failed ($RC)!"
468 test $KILLSERVERS != no && kill -HUP $KILLPIDS
# Consumer side: optionally load back_ldap, then in one modify (a) add a
# chain overlay in the frontend whose ldap database binds to the provider
# with identity assertion as the manager, (b) add syncrepl to the main DB
# pulling from the provider as the manager, and (c) turn on
# olcPPolicyForwardUpdates so ppolicy state changes are forwarded rather
# than written locally. The `credentials=`, provider URL and most other
# syncrepl/chain parameters are among the lines not shown.
#
# NOTE(review): the chaining identity here is the provider's rootdn, which
# is fine for a self-contained test. In a real deployment the identity the
# consumer asserts through should be a dedicated account limited to the
# ppolicy attributes it needs to write.
472 echo "Configuring syncrepl on consumer..."
473 if [ "$BACKLDAP" = ldapmod ]; then
474 $LDAPADD -D cn=config -H $URI2 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
475 dn: cn=module,cn=config
476 objectclass: olcModuleList
478 olcModulePath: $TESTWD/../servers/slapd/back-ldap
479 olcModuleLoad: back_ldap.la
483 if test $RC != 0 ; then
484 echo "ldapadd failed for moduleLoad ($RC)!"
485 test $KILLSERVERS != no && kill -HUP $KILLPIDS
489 $LDAPMODIFY -D cn=config -H $URI2 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
490 dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
492 objectClass: olcOverlayConfig
493 objectClass: olcChainConfig
496 dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
498 objectClass: olcLDAPConfig
499 objectClass: olcChainDatabase
501 olcDbIDAssertBind: bindmethod=simple
502 binddn="cn=manager,dc=example,dc=com"
506 dn: olcDatabase={1}$BACKEND,cn=config
511 binddn="cn=manager,dc=example,dc=com"
514 searchbase="dc=example,dc=com"
515 type=refreshAndPersist
522 dn: olcOverlay={0}ppolicy,olcDatabase={1}$BACKEND,cn=config
524 replace: olcPPolicyForwardUpdates
525 olcPPolicyForwardUpdates: TRUE
530 if test $RC != 0 ; then
531 echo "ldapmodify failed ($RC)!"
532 test $KILLSERVERS != no && kill -HUP $KILLPIDS
# Sync wait (sleep not shown).
536 echo "Waiting for consumer to sync..."
# The actual forwarding check: a wrong-password bind against the *consumer*
# must come back as invalidCredentials (49), and the resulting
# pwdFailureTime must then be visible on the *provider* -- searched as the
# rootdn with `\* \+` so operational attributes are returned. Exactly one
# hit proves the failure state travelled through the chain instead of
# staying on the consumer.
539 echo "Testing policy state forwarding..."
540 $LDAPSEARCH -H $URI2 -D "$USER" -w wrongpw >$SEARCHOUT 2>&1
542 if test $RC != 49 ; then
543 echo "ldapsearch should have failed with 49, got ($RC)!"
544 test $KILLSERVERS != no && kill -HUP $KILLPIDS
548 $LDAPSEARCH -H $URI1 -D "$MANAGERDN" -w $PASSWD -b "$USER" \* \+ >> $SEARCHOUT 2>&1
549 COUNT=`grep "pwdFailureTime" $SEARCHOUT | wc -l`
550 if test $COUNT != 1 ; then
551 echo "Policy state forwarding failed"
552 test $KILLSERVERS != no && kill -HUP $KILLPIDS
556 # End of chaining test
# Normal teardown: HUP every server started by this run (unless the
# harness keeps them) and reap the background processes before exiting.
560 test $KILLSERVERS != no && kill -HUP $KILLPIDS
562 echo ">>>>> Test succeeded"
564 test $KILLSERVERS != no && wait