--- /dev/null
+dn: o=Example,c=US
+objectClass: organization
+objectClass: dcObject
+o: Example, Inc.
+dc: example
+
+dn: ou=People,o=Example,c=US
+objectClass: organizationalUnit
+ou: People
+
+dn: uid=bjorn,ou=People,o=Example,c=US
+objectClass: inetOrgPerson
+cn: Bjorn Jensen
+sn: Jensen
+uid: bjorn
+mail: bjorn@example.com
+description: ***
+
+dn: uid=bjensen,ou=People,o=Example,c=US
+objectClass: inetOrgPerson
+cn: Barbara Jensen
+sn: Jensen
+uid: bjensen
+mail: bjensen@example.com
+description: ***
+
+dn: ou=Groups,o=Example,c=US
+objectClass: organizationalUnit
+ou: Groups
+
+dn: cn=All,ou=Groups,o=Example,c=US
+objectClass: groupOfNames
+cn: All
+member: uid=bjorn,ou=People,o=Example,c=US
+member: uid=bjensen,ou=People,o=Example,c=US
+
+dn: cn=Authorizable,ou=Groups,o=Example,c=US
+objectClass: groupOfNames
+cn: Authorizable
+member: uid=bjorn,ou=People,o=Example,c=US
+
+dn: ou=Admin,o=Example,c=US
+objectClass: organizationalUnit
+ou: Admin
+
+dn: cn=Proxy US,ou=Admin,o=Example,c=US
+objectClass: applicationProcess
+objectClass: simpleSecurityObject
+cn: Proxy US
+
+dn: cn=Proxy IT,ou=Admin,o=Example,c=US
+objectClass: applicationProcess
+objectClass: simpleSecurityObject
+cn: Proxy IT
+
+dn: cn=Sandbox,ou=Admin,o=Example,c=US
+objectClass: applicationProcess
+cn: Sandbox
+
by self =wx
by anonymous =x
+access to dn.exact=""
+ by * read
+
access to *
by users read
by * search
suffixmassage "o=Example,c=US" "dc=example,dc=com"
uri "ldap://:9011/"
-#sasl#idassert-method "sasl" "authcDN=cn=Proxy US,ou=Admin,dc=example,dc=com" "authcID=admin/proxy US" "cred=proxy" "mech=DIGEST-MD5"
+#sasl#idassert-method "sasl" "authcDN=cn=Proxy US,ou=Admin,dc=example,dc=com" "authcID=admin/proxy US" "cred=proxy" #SASL_MECH#
#nosasl#idassert-method "simple"
#nosasl#idassert-authcDN "cn=Proxy US,ou=Admin,dc=example,dc=com"
#nosasl#idassert-passwd proxy
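Review bot: The new `access to dn.exact="" by * read` rule opens the root DSE to anonymous clients and the config gives no hint why; since the same change turns the bind mechanism into a `#SASL_MECH#` placeholder, the reason is presumably that clients must read `supportedSASLMechanisms` before they can bind, and a one-line comment above the rule would record that, e.g. `# root DSE must be anonymously readable so SASL clients can discover supportedSASLMechanisms`. Placing it before `access to *` is correct, since slapd uses the first `access to` clause whose target matches, so the more specific rule has to come first. The `#SASL_MECH#` token is harmless while the `#sasl#` line stays commented, but it relies on every consumer of this template substituting it; if the line is ever uncommented without the substitution slapd will reject `idassert-method`. The `access` directive that owns the `by self =wx` / `by anonymous =x` clauses starts before this hunk.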
else
MON=nomonitor
fi
-if [ x"$WITH_SASL" = x"yes" -a x"$USE_SASL" = x"yes" ] ; then
+if [ x"$WITH_SASL" = x"yes" -a x"$USE_SASL" != x"no" ] ; then
SASL="sasl"
+ if [ x"$USE_SASL" = x"yes" ] ; then
+ USE_SASL=DIGEST-MD5
+ fi
else
SASL="nosasl"
+ SASL_MECH=
fi
sed -e "s/@BACKEND@/${BACKEND}/" \
-e "s/^#${BACKEND}#//" \
-e "s/^#${MON}#//" \
-e "s/^#${MONMOD}#//" \
-e "s/^#${SASL}#//" \
+ -e "s/#SASL_MECH#/\"mech=${USE_SASL}\"/" \
-e "s/@CACHETTL@/${CACHETTL}/" \
-e "s/@ENTRY_LIMIT@/${CACHE_ENTRY_LIMIT}/"
SLAPD="../servers/slapd/slapd -s0"
SLURPD=../servers/slurpd/slurpd
LDAPPASSWD="$CLIENTDIR/ldappasswd $TOOLARGS"
+LDAPSASLSEARCH="$CLIENTDIR/ldapsearch $TOOLPROTO $LDAP_TOOLARGS -LLL"
LDAPSEARCH="$CLIENTDIR/ldapsearch $TOOLPROTO $TOOLARGS -LLL"
LDAPRSEARCH="$CLIENTDIR/ldapsearch $TOOLPROTO $TOOLARGS"
LDAPMODIFY="$CLIENTDIR/ldapmodify $TOOLPROTO $TOOLARGS"
DNOUT=$DATADIR/dn.out
EMPTYDNOUT1=$DATADIR/emptydn.out.slapadd
EMPTYDNOUT2=$DATADIR/emptydn.out
+IDASSERTOUT=$DATADIR/idassert.out
# Just in case we linked the binaries dynamically
LD_LIBRARY_PATH=`pwd`/../libraries:${LD_LIBRARY_PATH} export LD_LIBRARY_PATH
fi
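Review bot: `SASL_MECH=` in the new `else` branch is assigned but never read: the sed expression added below substitutes `#SASL_MECH#` with `\"mech=${USE_SASL}\"`, not `${SASL_MECH}`, so unless another sed elsewhere in the script uses it the assignment is dead; either drop it, or set `SASL_MECH=$USE_SASL` in the sasl branch and change the sed to `-e "s/#SASL_MECH#/\"mech=${SASL_MECH}\"/" \` so the two lines agree. `USE_SASL` appears to come from the `SLAPD_USE_SASL` environment variable and is spliced into the sed replacement unescaped, so a value containing `/` or `&` would silently corrupt the generated slapd config; checking it against the mechanisms the test actually supports before the sed would fail early with a clear message instead. `LDAPSASLSEARCH` deliberately uses `$LDAP_TOOLARGS` where its neighbours use `$TOOLARGS`, presumably to avoid forcing a simple bind that would conflict with `-Y`; a comment such as `# no -x: this one binds with SASL` would save the next reader a lookup. The `if` whose `else MON=nomonitor fi` opens this hunk starts before it.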
if test $WITH_SASL = "yes" ; then
- if test $USE_SASL = "yes" ; then
- echo "Using SASL authc/authz..."
+ if test $USE_SASL != "no" ; then
+ if test $USE_SASL = "yes" ; then
+ MECH="DIGEST-MD5"
+ else
+ MECH="$USE_SASL"
+ fi
+ echo "Using SASL authc/authz with mech=$MECH; unset SLAPD_USE_SASL to disable"
else
- echo "Using proxyAuthz with simple authc"
- echo "set SLAPD_USE_SASL=yes to enable SASL authc/authz..."
+ echo "Using proxyAuthz with simple authc..."
+ echo " set SLAPD_USE_SASL={yes|<mech>} to enable SASL authc/authz"
+ echo " if SLAPD_USE_SASL=\"yes\", <mech> defaults to DIGEST-MD5"
+ echo " FIXME: should be mandatory, right?"
+ echo " FIXME: authz with CRAM-MD5 does not work..."
fi
else
echo "SASL not available; using proxyAuthz with simple authc..."
exit $RC
fi
+ID="uid=jaj,ou=People,dc=example,dc=it"
+BASE="o=Example,c=US"
+echo "Testing ldapsearch as $ID for \"$BASE\"..."
+$LDAPSEARCH -h $LOCALHOST -p $PORT1 -b "$BASE" \
+ -D "$ID" -w jaj > $SEARCHOUT 2>&1
+
+RC=$?
+if test $RC != 0 ; then
+ echo "ldapsearch failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+echo "Filtering ldapsearch results..."
+. $LDIFFILTER < $SEARCHOUT > $SEARCHFLT
+echo "Filtering original ldif used to create database..."
+. $LDIFFILTER < $IDASSERTOUT > $LDIFFLT
+echo "Comparing filter output..."
+$CMP $SEARCHFLT $LDIFFLT > $CMPOUT
+
+if test $? != 0 ; then
+ echo "comparison failed - search with identity assertion didn't succeed"
+ exit 1
+fi
+
+if test $USE_SASL != "no" ; then
+ ID="it/jaj"
+ BASE="o=Example,c=US"
+ echo "Testing ldapsearch as $ID for \"$BASE\" with SASL bind and identity assertion..."
+ $LDAPSASLSEARCH -h $LOCALHOST -p $PORT1 -b "$BASE" \
+ -Q -U "$ID" -w jaj -Y $MECH > $SEARCHOUT 2>&1
+
+ RC=$?
+ if test $RC != 0 ; then
+ echo "ldapsearch failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+
+ echo "Filtering ldapsearch results..."
+ . $LDIFFILTER < $SEARCHOUT > $SEARCHFLT
+ echo "Filtering original ldif used to create database..."
+ . $LDIFFILTER < $IDASSERTOUT > $LDIFFLT
+ echo "Comparing filter output..."
+ $CMP $SEARCHFLT $LDIFFLT > $CMPOUT
+
+ if test $? != 0 ; then
+ echo "comparison failed - search with SASL bind and identity assertion didn't succeed"
+ exit 1
+ fi
+fi
+
test $KILLSERVERS != no && kill -HUP $KILLPIDS
echo ">>>>> Test succeeded"
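Review bot: Both new comparison-failure branches (`echo "comparison failed - search with identity assertion didn't succeed"` and its SASL twin) `exit 1` without stopping the servers, whereas the ldapsearch-failure branches just above them run `test $KILLSERVERS != no && kill -HUP $KILLPIDS` first; a failing comparison therefore leaves slapd listening on `$PORT1`, and that same kill line should precede each `exit 1`. The SASL block is a near-verbatim copy of the simple-bind search/filter/compare sequence; if the suite already has a helper for that sequence it should be reused, otherwise the duplication is acceptable for a test script. In the `USE_SASL` echo block above, the two `FIXME:` lines are printed to the test user on every run; they read as developer notes and belong in `#` comments next to the code they refer to rather than in stdout. `$MECH` on the `-Y $MECH` line is only defined on the `WITH_SASL = yes` path, which is fine because the other path exits before reaching it, but a short comment at `if test $USE_SASL != "no"` noting that dependency would make the coupling explicit.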