From: Pierangelo Masarati
Date: Sat, 19 Jun 2004 15:46:38 +0000 (+0000)
Subject: improve SASL in id assertion test
X-Git-Tag: OPENDLAP_REL_ENG_2_2_MP~226
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=47e5f301f9cd305d022b11a43f700d28baaa3fb6;p=openldap
improve SASL in id assertion test
---
diff --git a/tests/data/idassert.out b/tests/data/idassert.out
new file mode 100644
index 0000000000..53d76bb2e2
--- /dev/null
+++ b/tests/data/idassert.out
@@ -0,0 +1,59 @@
+dn: o=Example,c=US
+objectClass: organization
+objectClass: dcObject
+o: Example, Inc.
+dc: example
+
+dn: ou=People,o=Example,c=US
+objectClass: organizationalUnit
+ou: People
+
+dn: uid=bjorn,ou=People,o=Example,c=US
+objectClass: inetOrgPerson
+cn: Bjorn Jensen
+sn: Jensen
+uid: bjorn
+mail: bjorn@example.com
+description: ***
+
+dn: uid=bjensen,ou=People,o=Example,c=US
+objectClass: inetOrgPerson
+cn: Barbara Jensen
+sn: Jensen
+uid: bjensen
+mail: bjensen@example.com
+description: ***
+
+dn: ou=Groups,o=Example,c=US
+objectClass: organizationalUnit
+ou: Groups
+
+dn: cn=All,ou=Groups,o=Example,c=US
+objectClass: groupOfNames
+cn: All
+member: uid=bjorn,ou=People,o=Example,c=US
+member: uid=bjensen,ou=People,o=Example,c=US
+
+dn: cn=Authorizable,ou=Groups,o=Example,c=US
+objectClass: groupOfNames
+cn: Authorizable
+member: uid=bjorn,ou=People,o=Example,c=US
+
+dn: ou=Admin,o=Example,c=US
+objectClass: organizationalUnit
+ou: Admin
+
+dn: cn=Proxy US,ou=Admin,o=Example,c=US
+objectClass: applicationProcess
+objectClass: simpleSecurityObject
+cn: Proxy US
+
+dn: cn=Proxy IT,ou=Admin,o=Example,c=US
+objectClass: applicationProcess
+objectClass: simpleSecurityObject
+cn: Proxy IT
+
+dn: cn=Sandbox,ou=Admin,o=Example,c=US
+objectClass: applicationProcess
+cn: Sandbox
+
diff --git a/tests/data/slapd-idassert.conf b/tests/data/slapd-idassert.conf
index 2dce8669d1..0892d07cd3 100644
--- a/tests/data/slapd-idassert.conf
+++ b/tests/data/slapd-idassert.conf
@@ -46,6 +46,9 @@ access to attr=userpassword
 by self =wx
 by anonymous =x
+access to dn.exact=""
+ by * read
+
 access to *
 by users read
 by * search
@@ -78,7 +81,7 @@ suffix "o=Example,c=US"
 suffixmassage "o=Example,c=US" "dc=example,dc=com"
 uri "ldap://:9011/"
-#sasl#idassert-method "sasl" "authcDN=cn=Proxy US,ou=Admin,dc=example,dc=com" "authcID=admin/proxy US" "cred=proxy" "mech=DIGEST-MD5"
+#sasl#idassert-method "sasl" "authcDN=cn=Proxy US,ou=Admin,dc=example,dc=com" "authcID=admin/proxy US" "cred=proxy" #SASL_MECH#
 #nosasl#idassert-method "simple"
 #nosasl#idassert-authcDN "cn=Proxy US,ou=Admin,dc=example,dc=com"
 #nosasl#idassert-passwd proxy
diff --git a/tests/scripts/conf.sh b/tests/scripts/conf.sh
index 99147ad9bb..49f326c9a0 100755
--- a/tests/scripts/conf.sh
+++ b/tests/scripts/conf.sh
@@ -22,10 +22,14 @@ if [ x"$MONITORDB" = x"yes" -o x"$MONITORDB" = xmod ] ; then
 else
 MON=nomonitor
 fi
-if [ x"$WITH_SASL" = x"yes" -a x"$USE_SASL" = x"yes" ] ; then
+if [ x"$WITH_SASL" = x"yes" -a x"$USE_SASL" != x"no" ] ; then
 SASL="sasl"
+ if [ x"$USE_SASL" = x"yes" ] ; then
+ USE_SASL=DIGEST-MD5
+ fi
 else
 SASL="nosasl"
+ SASL_MECH=
 fi
 sed -e "s/@BACKEND@/${BACKEND}/" \
 -e "s/^#${BACKEND}#//" \
@@ -38,5 +42,6 @@ sed -e "s/@BACKEND@/${BACKEND}/" \
 -e "s/^#${MON}#//" \
 -e "s/^#${MONMOD}#//" \
 -e "s/^#${SASL}#//" \
+ -e "s/#SASL_MECH#/\"mech=${USE_SASL}\"/" \
 -e "s/@CACHETTL@/${CACHETTL}/" \
 -e "s/@ENTRY_LIMIT@/${CACHE_ENTRY_LIMIT}/"
diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh
index 443d3304f3..32bc64ec8c 100755
--- a/tests/scripts/defines.sh
+++ b/tests/scripts/defines.sh
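Review bot: The new `access to dn.exact="" by * read` clause grants every client, anonymous included, read access to the root DSE, and nothing in the file records why it is now required, so a later ACL cleanup could drop it and silently break the SASL run of test028. Presumably the SASL-binding ldapsearch added in this commit has to read the root DSE (supportedSASLMechanisms) before it can negotiate, but that is inferred rather than visible in this hunk — confirm. A one-line comment above the clause, `# root DSE must be readable by anonymous so SASL clients can discover supportedSASLMechanisms`, would record the intent. The root DSE also publishes namingContexts and supportedControls, so anyone copying this test config into a deployment should know the clause widens what an unauthenticated client can learn.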
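Review bot: `SASL_MECH=` in the `else` branch of conf.sh is assigned but never read: the sed expression added in the following hunk interpolates `${USE_SASL}`, not `${SASL_MECH}`, so in the nosasl case the `#SASL_MECH#` token still expands to `"mech=<USE_SASL>"` and is only harmless because the `#sasl#` prefix stays in place. Either drop the assignment or make both branches set `SASL_MECH` and substitute `-e "s/#SASL_MECH#/\"mech=${SASL_MECH}\"/" \`. The new `x"$USE_SASL" != x"no"` test also treats an empty `USE_SASL` as SASL-enabled while only the literal `yes` is mapped to DIGEST-MD5, so an empty value produces `"mech="` in the generated config; the default comes from defines.sh, outside this hunk, so I cannot tell whether empty is reachable. Note as well that `${USE_SASL}` is interpolated straight into a sed replacement, so a value containing `/` or `&` would break or alter the expression.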
@@ -96,6 +96,7 @@ CMPOUT=/dev/null
 SLAPD="../servers/slapd/slapd -s0"
 SLURPD=../servers/slurpd/slurpd
 LDAPPASSWD="$CLIENTDIR/ldappasswd $TOOLARGS"
+LDAPSASLSEARCH="$CLIENTDIR/ldapsearch $TOOLPROTO $LDAP_TOOLARGS -LLL"
 LDAPSEARCH="$CLIENTDIR/ldapsearch $TOOLPROTO $TOOLARGS -LLL"
 LDAPRSEARCH="$CLIENTDIR/ldapsearch $TOOLPROTO $TOOLARGS"
 LDAPMODIFY="$CLIENTDIR/ldapmodify $TOOLPROTO $TOOLARGS"
@@ -202,6 +203,7 @@ CERTIFICATEOUT=$DATADIR/certificate.out
 DNOUT=$DATADIR/dn.out
 EMPTYDNOUT1=$DATADIR/emptydn.out.slapadd
 EMPTYDNOUT2=$DATADIR/emptydn.out
+IDASSERTOUT=$DATADIR/idassert.out
 # Just in case we linked the binaries dynamically
 LD_LIBRARY_PATH=`pwd`/../libraries:${LD_LIBRARY_PATH}
 export LD_LIBRARY_PATH
diff --git a/tests/scripts/test028-idassert b/tests/scripts/test028-idassert
index 79815d6030..0f5e849fb2 100755
--- a/tests/scripts/test028-idassert
+++ b/tests/scripts/test028-idassert
@@ -22,11 +22,19 @@ if test $BACKLDAP = "ldapno" ; then
 fi
 if test $WITH_SASL = "yes" ; then
- if test $USE_SASL = "yes" ; then
- echo "Using SASL authc/authz..."
+ if test $USE_SASL != "no" ; then
+ if test $USE_SASL = "yes" ; then
+ MECH="DIGEST-MD5"
+ else
+ MECH="$USE_SASL"
+ fi
+ echo "Using SASL authc/authz with mech=$MECH; unset SLAPD_USE_SASL to disable"
 else
- echo "Using proxyAuthz with simple authc"
- echo "set SLAPD_USE_SASL=yes to enable SASL authc/authz..."
+ echo "Using proxyAuthz with simple authc..."
+ echo " set SLAPD_USE_SASL={yes|} to enable SASL authc/authz"
+ echo " if SLAPD_USE_SASL=\"yes\", defaults to DIGEST-MD5"
+ echo " FIXME: should be mandatory, right?"
+ echo " FIXME: authz with CRAM-MD5 does not work..."
 fi
 else
 echo "SASL not available; using proxyAuthz with simple authc..."
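Review bot: `LDAPSASLSEARCH` is built from `$LDAP_TOOLARGS` while every neighbouring client definition in defines.sh uses `$TOOLARGS`, and nothing on the line says whether the difference is deliberate. Presumably `TOOLARGS` carries the simple-bind flag (`-x`), which would conflict with the `-U`/`-Y` SASL options test028 passes, and `LDAP_TOOLARGS` omits it — but neither variable is defined in this hunk, so confirm. A comment such as `# SASL-capable search: LDAP_TOOLARGS must not force simple bind (-x)` above the definition would record the intent for the next person who sees the mismatch.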
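Review bot: `if test $USE_SASL != "no" ; then` in test028 leaves `$USE_SASL` unquoted, so an empty value turns the command into `test != no`, which `test` rejects as a malformed expression instead of evaluating to false; `if test x"$USE_SASL" != x"no" ; then` matches the guard form conf.sh uses in this same commit. The help text `set SLAPD_USE_SASL={yes|}` reads as truncated — if a mechanism name is the other alternative, `{yes|<mech>}` says so. The two `FIXME:` echo lines are printed to the user on every non-SASL run; they read as developer notes and belong in script comments rather than test output. The enclosing if/else ends outside this hunk.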
@@ -169,6 +177,58 @@ if test $RC != 0 ; then
 exit $RC
 fi
+ID="uid=jaj,ou=People,dc=example,dc=it"
+BASE="o=Example,c=US"
+echo "Testing ldapsearch as $ID for \"$BASE\"..."
+$LDAPSEARCH -h $LOCALHOST -p $PORT1 -b "$BASE" \
+ -D "$ID" -w jaj > $SEARCHOUT 2>&1
+
+RC=$?
+if test $RC != 0 ; then
+ echo "ldapsearch failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+echo "Filtering ldapsearch results..."
+. $LDIFFILTER < $SEARCHOUT > $SEARCHFLT
+echo "Filtering original ldif used to create database..."
+. $LDIFFILTER < $IDASSERTOUT > $LDIFFLT
+echo "Comparing filter output..."
+$CMP $SEARCHFLT $LDIFFLT > $CMPOUT
+
+if test $? != 0 ; then
+ echo "comparison failed - search with identity assertion didn't succeed"
+ exit 1
+fi
+
+if test $USE_SASL != "no" ; then
+ ID="it/jaj"
+ BASE="o=Example,c=US"
+ echo "Testing ldapsearch as $ID for \"$BASE\" with SASL bind and identity assertion..."
+ $LDAPSASLSEARCH -h $LOCALHOST -p $PORT1 -b "$BASE" \
+ -Q -U "$ID" -w jaj -Y $MECH > $SEARCHOUT 2>&1
+
+ RC=$?
+ if test $RC != 0 ; then
+ echo "ldapsearch failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+
+ echo "Filtering ldapsearch results..."
+ . $LDIFFILTER < $SEARCHOUT > $SEARCHFLT
+ echo "Filtering original ldif used to create database..."
+ . $LDIFFILTER < $IDASSERTOUT > $LDIFFLT
+ echo "Comparing filter output..."
+ $CMP $SEARCHFLT $LDIFFLT > $CMPOUT
+
+ if test $? != 0 ; then
+ echo "comparison failed - search with SASL bind and identity assertion didn't succeed"
+ exit 1
+ fi
+fi
+
 test $KILLSERVERS != no && kill -HUP $KILLPIDS
 echo ">>>>> Test succeeded"
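Review bot: The SASL search block is guarded only by `test $USE_SASL != "no"`, but `MECH` is assigned only inside the `WITH_SASL = "yes"` branch earlier in the script, so when SASL is not built in yet `SLAPD_USE_SASL` is set the block still runs with an empty `$MECH` and `ldapsearch ... -Y` is left without a mechanism argument; guard it with `if test $WITH_SASL = "yes" -a x"$USE_SASL" != x"no" ; then` (or test `-n "$MECH"`), which also fixes the unquoted comparison. Both new comparison-failure paths `exit 1` without the `test $KILLSERVERS != no && kill -HUP $KILLPIDS` that the ldapsearch-failure paths a few lines above perform, so a mismatch leaves the test slapd instances running. Adding the kill line before each `exit 1` keeps the cleanup consistent across all failure exits in the hunk.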