3 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 ## Copyright 1998-2017 The OpenLDAP Foundation.
6 ## All rights reserved.
8 ## Redistribution and use in source and binary forms, with or without
9 ## modification, are permitted only as authorized by the OpenLDAP
12 ## A copy of this license is available in the file LICENSE in the
13 ## top-level directory of the distribution or, alternatively, at
14 ## <http://www.OpenLDAP.org/license.html>.
# Test script for the autoca overlay: bring up slapd over plain TCP, configure
# it entirely through cn=config, let autoca mint a CA plus server/user certs,
# then prove that StartTLS and SASL EXTERNAL (client-cert auth) work with them.
# Relies on the variables and helpers from scripts/defines.sh (SLAPD, LDAP*,
# URI1, PORT1, TESTDIR, KILLSERVERS, ...).
echo "running defines.sh"
. $SRCDIR/scripts/defines.sh
# AUTOCA is set at configure time (autocano / autocamod / autocayes); like the
# other OpenLDAP test scripts the test relies on it never being empty.
if test $AUTOCA = autocano; then
echo "Automatic CA overlay not available, test skipped"
# Config is kept as an slapd.d tree so it can be modified over LDAP at runtime.
CFDIR=$TESTDIR/slapd.d
mkdir -p $TESTDIR $CFDIR $DBDIR1
# Generate a random cn=config password into a file; all cn=config binds below
# read it with -y so the secret never appears on a command line. The file is
# created with the process umask, which is fine for a throwaway test directory.
$SLAPPASSWD -g -n >$CONFIGPWF
# Test operation of autoca:
# - configure over ldap without TLS
# - populate over ldap
# - add autoca overlay
# - generate server and user certs
# - check for TLS operation
echo "Starting slapd on TCP/IP port $PORT1..."
# Expand the backend/monitor placeholders in the dynamic config template and
# load the result as the cn=config database before starting the server.
. $CONFFILTER $BACKEND $MONITORDB < $DYNAMICCONF > $CONFLDIF
$SLAPADD -F $CFDIR -n 0 -l $CONFLDIF
$SLAPD -F $CFDIR -h $URI1 -d $LVL $TIMING > $LOG1 2>&1 &
# Optional pause for attaching a debugger (body not in this excerpt).
if test $WAIT != 0 ; then
# Poll the rootDSE anonymously until slapd accepts connections; RC is taken
# from the search result (assignment not shown here).
echo "Using ldapsearch to check that slapd is running..."
for i in 0 1 2 3 4 5; do
$LDAPSEARCH -s base -b "" -H $URI1 \
'objectclass=*' > /dev/null 2>&1
if test $RC = 0 ; then
echo "Waiting 5 seconds for slapd to start..."
if test $RC != 0 ; then
echo "ldapsearch failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
# Load the schema files needed by the data below (inetorgperson for people,
# nis for ipHost/ipHostNumber on the server entries).
echo "Adding schema and databases on slapd..."
$LDAPADD -D cn=config -H $URI1 -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
include: file://$ABS_SCHEMADIR/core.ldif
include: file://$ABS_SCHEMADIR/cosine.ldif
include: file://$ABS_SCHEMADIR/inetorgperson.ldif
include: file://$ABS_SCHEMADIR/openldap.ldif
include: file://$ABS_SCHEMADIR/nis.ldif
if test $RC != 0 ; then
echo "ldapadd failed for schema config ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
# The null backend has no backend-specific objectClass or directory; when it is
# selected, nullExclude turns those LDIF attributes into comments.
nullExclude="" nullOK=""
test $BACKEND = null && nullExclude="# " nullOK="OK"
# Backends built as dynamic modules must be loaded before the database is added.
if [ "$BACKENDTYPE" = mod ]; then
$LDAPADD -D cn=config -H $URI1 -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
dn: cn=module,cn=config
objectClass: olcModuleList
olcModulePath: $TESTWD/../servers/slapd/back-$BACKEND
olcModuleLoad: back_$BACKEND.la
if test $RC != 0 ; then
echo "ldapadd failed for backend config ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
# Create the data database as olcDatabase={1}; autoca is attached to it later.
$LDAPADD -D cn=config -H $URI1 -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
dn: olcDatabase={1}$BACKEND,cn=config
objectClass: olcDatabaseConfig
${nullExclude}objectClass: olc${BACKEND}Config
olcDatabase: {1}$BACKEND
${nullExclude}olcDbDirectory: $DBDIR1
olcRootDN: $MANAGERDN
if test $RC != 0 ; then
echo "ldapadd failed for database config ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
# Add indexes only for backends that support them (INDEXDB from defines.sh).
if test $INDEXDB = indexdb ; then
$LDAPMODIFY -D cn=config -H $URI1 -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
dn: olcDatabase={1}$BACKEND,cn=config
olcDbIndex: objectClass,entryUUID,entryCSN eq
olcDbIndex: cn,uid pres,eq,sub
if test $RC != 0 ; then
echo "ldapadd modify for database config ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
# NOTE(review): from here on the data admin password is passed with -w on the
# command line, so it is visible in the process list while each client runs.
# Acceptable for a test harness; prefer -y (as used for cn=config above) if
# this pattern is copied into anything that handles a real password.
echo "Using ldapadd to populate slapd..."
$LDAPADD -D "$MANAGERDN" -H $URI1 -w $PASSWD -f $LDIFORDERED \
if test $RC != 0 ; then
echo "ldapadd failed for database populate ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
# Server entries that autoca will issue certificates for. The ipHostNumber
# values are presumably what ends up in the server certs' subjectAltName --
# confirm against the overlay; nothing in this script checks the SANs.
echo "Adding server entries to slapd..."
$LDAPADD -D "$MANAGERDN" -H $URI1 -w $PASSWD <<EOF >> $TESTOUT 2>&1
dn: ou=Servers,$BASEDN
objectClass: organizationalUnit
dn: cn=localhost,ou=Servers,$BASEDN
ipHostNumber: 127.0.0.1
dn: cn=www.example.com,ou=Servers,$BASEDN
ipHostNumber: 93.184.216.34
if test $RC != 0 ; then
echo "ldapadd failed for database populate ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
# Load the overlay module when it was built as one, then attach it to the
# data database.
echo "Inserting autoca overlay on slapd..."
if [ "$AUTOCA" = autocamod ]; then
$LDAPADD -D cn=config -H $URI1 -y $CONFIGPWF <<EOF > $TESTOUT 2>&1
dn: cn=module,cn=config
objectClass: olcModuleList
olcModulePath: $TESTWD/../servers/slapd/overlays
olcModuleLoad: autoca.la
if test $RC != 0 ; then
echo "ldapadd failed for moduleLoad ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
# olcACAlocalDN names the server entry whose autoca-issued cert/key slapd is
# expected to use for its own TLS listener (the StartTLS check further down
# depends on this) -- confirm against the overlay documentation.
$LDAPMODIFY -D cn=config -H $URI1 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
dn: olcOverlay=autoca,olcDatabase={1}$BACKEND,cn=config
objectClass: olcOverlayConfig
objectClass: olcACAConfig
olcACAlocalDN: cn=localhost,ou=Servers,$BASEDN
if test $RC != 0 ; then
echo "ldapmodify failed for autoca config ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
# The overlay publishes its CA certificate on the suffix entry; read it back
# over the still-unencrypted connection (this is the trust anchor for all TLS
# checks below, so on a real network this step would itself need a trusted path).
echo "Using ldapsearch to retrieve CA cert..."
$LDAPSEARCH -b $BASEDN -D $MANAGERDN -H $URI1 -w $PASSWD -s base \
'objectclass=*' 'cACertificate;binary' > $SEARCHOUT 2>&1
if test $RC != 0 ; then
echo "ldapsearch failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
# Convert the LDIF output to PEM: drop the dn line, strip the attribute name
# ("::" marks a base64 value in LDIF) and blank lines, wrap in PEM armor.
# LDIF continuation lines keep their leading space; the TLS library evidently
# tolerates that in base64 input.
echo "Setting up CA cert..."
echo "-----BEGIN CERTIFICATE-----" > $TESTDIR/cacert.pem
sed -e "/^dn:/d" -e "s/cACertificate;binary:://" -e "/^$/d" $SEARCHOUT >> $TESTDIR/cacert.pem
echo "-----END CERTIFICATE-----" >> $TESTDIR/cacert.pem
# Asking for the cert/key attributes of the server entry is what makes autoca
# generate them on demand (hence "generate"); -A returns attribute names only,
# so the values are not dumped into the log here -- confirm against the overlay.
echo "Using ldapsearch to generate localhost cert..."
$LDAPSEARCH -b cn=localhost,ou=Servers,$BASEDN -D $MANAGERDN -H $URI1 -w $PASSWD -s base \
-A 'objectclass=*' 'userCertificate;binary' 'userPrivateKey;binary' >> $TESTOUT 2>&1
if test $RC != 0 ; then
echo "ldapsearch failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
# First real TLS check: LDAPTLS_CACERT pins client trust to the autoca CA just
# extracted, and -ZZ makes the search fail unless StartTLS succeeds, so this
# proves the server presented a certificate chaining to that CA.
echo "Using ldapsearch to attempt TLS..."
LDAPTLS_CACERT=$TESTDIR/cacert.pem
export LDAPTLS_CACERT
$LDAPSEARCH -b $BASEDN -D $MANAGERDN -H $URI1 -w $PASSWD -s base -ZZ \
'objectclass=*' >> $TESTOUT 2>&1
if test $RC != 0 ; then
echo "ldapsearch failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
# note - the attrs are being saved in raw DER form.
# they need to be base64 encoded into PEM for most programs to use them
# so we ignore those files for now.
# Same on-demand generation for the user entry, this time over TLS. -T/-t make
# ldapsearch write each attribute value -- including the private key, in DER --
# to a file under $TESTDIR.
echo "Using ldapsearch to generate user cert..."
$LDAPSEARCH -b "$BABSDN" -D $MANAGERDN -H $URI1 -w $PASSWD -s base -ZZ \
-T $TESTDIR -t 'objectclass=*' 'userCertificate;binary' 'userPrivateKey;binary' >> $TESTOUT 2>&1
if test $RC != 0 ; then
echo "ldapsearch failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
echo "Using ldapsearch to retrieve user cert..."
$LDAPSEARCH -b "$BABSDN" -D $MANAGERDN -H $URI1 -w $PASSWD -s base -ZZ \
'objectclass=*' 'userCertificate;binary' > $SEARCHOUT 2>&1
if test $RC != 0 ; then
echo "ldapsearch failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
# Same LDIF->PEM conversion as for the CA cert. The extra "/^ dc=com/d" drops
# the wrapped continuation of the (long) user dn line, so it assumes the DN
# wraps exactly before "dc=com" -- fragile if BABSDN or the wrap width changes.
echo "Setting up user cert..."
echo "-----BEGIN CERTIFICATE-----" > $TESTDIR/usercert.pem
sed -e "/^dn:/d" -e "/^ dc=com/d" -e "s/userCertificate;binary:://" -e "/^$/d" $SEARCHOUT >> $TESTDIR/usercert.pem
echo "-----END CERTIFICATE-----" >> $TESTDIR/usercert.pem
# The user's private key is fetched over LDAP with the admin bind and written
# to a PEM file that gets only the umask's default mode (no chmod 600). Fine in
# a scratch test dir; in a real deployment userPrivateKey must be ACL-protected
# and key files must be created with restrictive permissions.
echo "Using ldapsearch to retrieve user key..."
$LDAPSEARCH -b "$BABSDN" -D $MANAGERDN -H $URI1 -w $PASSWD -s base -ZZ \
'objectclass=*' 'userPrivateKey;binary' > $SEARCHOUT 2>&1
if test $RC != 0 ; then
echo "ldapsearch failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
echo "Setting up user key..."
echo "-----BEGIN PRIVATE KEY-----" > $TESTDIR/userkey.pem
sed -e "/^dn:/d" -e "/^ dc=com/d" -e "s/userPrivateKey;binary:://" -e "/^$/d" $SEARCHOUT >> $TESTDIR/userkey.pem
echo "-----END PRIVATE KEY-----" >> $TESTDIR/userkey.pem
# Client cert/key used for SASL EXTERNAL below. Unlike LDAPTLS_CACERT above the
# export is not in this excerpt; presumably it follows these assignments --
# confirm, since without it ldapwhoami would send no client certificate.
LDAPTLS_CERT=$TESTDIR/usercert.pem
LDAPTLS_KEY=$TESTDIR/userkey.pem
# Per slapd-config(5), "try" makes the server request a client cert and reject
# the session if an invalid one is presented, while still accepting clients that
# send none; so the EXTERNAL bind below only succeeds if the autoca-issued user
# cert validates against the server's CA. (Semantics from the man page, not
# visible here.)
echo "Setting TLSVerifyClient to try..."
$LDAPMODIFY -D cn=config -H $URI1 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
replace: olcTLSVerifyClient
olcTLSVerifyClient: try
if test $RC != 0 ; then
echo "ldapmodify failed for autoca config ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
# Client-cert authentication: SASL EXTERNAL over StartTLS (-ZZ, so a TLS
# failure is a test failure). Only the exit status is checked -- the returned
# authorization identity is never compared with $BABSDN, so a bind that maps
# the cert to the wrong DN would still pass this test.
$CLIENTDIR/ldapwhoami -Y EXTERNAL -H $URI1 -ZZ
if test $RC != 0 ; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
# Shut down the server(s) started above unless asked to leave them running.
test $KILLSERVERS != no && kill -HUP $KILLPIDS
echo ">>>>> Test succeeded"
test $KILLSERVERS != no && wait