From: Pierangelo Masarati
Date: Sat, 19 Jun 2004 10:05:07 +0000 (+0000)
Subject: add test for idassert
X-Git-Tag: OPENDLAP_REL_ENG_2_2_MP~232
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=49d64acdf6f306a6700d64aef2f8f20ad117067a;p=openldap
add test for idassert
---
diff --git a/tests/data/slapd-idassert.conf b/tests/data/slapd-idassert.conf
new file mode 100644
index 0000000000..2dce8669d1
--- /dev/null
+++ b/tests/data/slapd-idassert.conf
@@ -0,0 +1,117 @@
+# master slapd config -- for testing
+# $OpenLDAP: pkg/ldap/tests/data/slapd-pw.conf,v 1.19.2.4 2003/12/15 22:05:29
+ kurt Exp $
+## This work is part of OpenLDAP Software .
+##
+## Copyright 1998-2003 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## .
+
+#ucdata-path ./ucdata
+include ./schema/core.schema
+include ./schema/cosine.schema
+include ./schema/inetorgperson.schema
+include ./schema/openldap.schema
+include ./schema/nis.schema
+pidfile ./testrun/slapd.1.pid
+argsfile ./testrun/slapd.1.args
+
+# password-hash {md5}
+
+#mod#modulepath ../servers/slapd/back-@BACKEND@/
+#mod#moduleload back_@BACKEND@.la
+
+#######################################################################
+# ldbm database definitions
+#######################################################################
+
+authz-policy both
+authz-regexp "^uid=admin/([^,]+),.*" "ldap:///ou=Admin,dc=example,dc=com??sub?cn=$1"
+authz-regexp "^uid=it/([^,]+),.*" "ldap:///ou=People,dc=example,dc=it??sub?uid=$1"
+authz-regexp "^uid=(us/)*([^,]+),.*" "ldap:///ou=People,dc=example,dc=com??sub?uid=$2"
+
+#
+# normal installations should protect root dse,
+# cn=monitor, cn=schema, and cn=config
+#
+
+access to attr=userpassword
+ by self =wx
+ by anonymous =x
+
+access to *
+ by users read
+ by * search
+
+database @BACKEND@
+#ldbm#cachesize 0
+suffix "dc=example,dc=com"
+directory ./testrun/db.1.a
+rootdn "cn=Manager,dc=example,dc=com"
+rootpw secret
+index objectClass eq
+index cn,sn,uid pres,eq,sub
+
+access to dn.exact="cn=Proxy,ou=Admin,dc=example,dc=com"
+ attr=authzTo
+ by dn.exact="cn=Proxy,ou=Admin,dc=example,dc=com" =wx
+ by * =x
+
+database @BACKEND@
+#ldbm#cachesize 0
+suffix "dc=example,dc=it"
+directory ./testrun/db.2.a
+rootdn "cn=Manager,dc=example,dc=it"
+rootpw secret
+index objectClass eq
+index cn,sn,uid pres,eq,sub
+
+database ldap
+suffix "o=Example,c=US"
+suffixmassage "o=Example,c=US" "dc=example,dc=com"
+uri "ldap://:9011/"
+
+#sasl#idassert-method "sasl" "authcDN=cn=Proxy US,ou=Admin,dc=example,dc=com" "authcID=admin/proxy US" "cred=proxy" "mech=DIGEST-MD5"
+#nosasl#idassert-method "simple"
+#nosasl#idassert-authcDN "cn=Proxy US,ou=Admin,dc=example,dc=com"
+#nosasl#idassert-passwd proxy
+idassert-mode self
+
+# authorizes database
+idassert-authz "dn.subtree:dc=example,dc=it"
+
+database ldap
+suffix "o=Esempio,c=IT"
+suffixmassage "o=Esempio,c=IT" "dc=example,dc=com"
+uri "ldap://:9011/"
+
+acl-authcDN "cn=Proxy IT,ou=Admin,dc=example,dc=com"
+acl-passwd proxy
+
+idassert-method "simple"
+idassert-authcDN "cn=Proxy IT,ou=Admin,dc=example,dc=com"
+idassert-passwd proxy
+idassert-mode "dn:cn=Sandbox,ou=Admin,dc=example,dc=com"
+
+# authorizes database
+idassert-authz "dn.subtree:dc=example,dc=com"
+# authorizes anonymous
+idassert-authz "dn.exact:"
+
+access to attrs=entry,cn,sn,mail
+ by users read
+
+access to *
+ by dn.exact="cn=Proxy IT,ou=Admin,o=Esempio,c=IT" read
+ by group.exact="cn=Authorizable,ou=Groups,o=Esempio,c=IT" read
+ by dn.exact="cn=Sandbox,ou=Admin,dc=example,dc=com" search
+ by * none
+
+
diff --git a/tests/data/test-idassert1.ldif b/tests/data/test-idassert1.ldif
new file mode 100644
index 0000000000..7e5e26d52f
--- /dev/null
+++ b/tests/data/test-idassert1.ldif
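Review bot: The rule `access to dn.exact="cn=Proxy,ou=Admin,dc=example,dc=com" attr=authzTo` in the first database can never match, because test-idassert1.ldif in this same commit only creates `cn=Proxy US` and `cn=Proxy IT` under ou=Admin, so the intended =wx/=x restriction on authzTo is dead and, as far as the visible ACLs go, that attribute falls back to the global `access to * by users read`. Either aim it at the real proxy entries (e.g. `access to dn.children="ou=Admin,dc=example,dc=com" attr=authzTo`) or drop it so the fixture does not suggest a protection it does not provide. The file header is also carried over verbatim from slapd-pw.conf (`# $OpenLDAP: pkg/ldap/tests/data/slapd-pw.conf,v ...` wrapped onto a second line, and a 1998-2003 copyright) while the new test script uses `# $OpenLDAP$`; the banner `# ldbm database definitions` likewise predates the two back-ldap databases this file is about, and `# proxy databases: idassert via sasl or simple authc` would describe them better.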
@@ -0,0 +1,66 @@
+dn: dc=example,dc=com
+objectClass: organization
+objectClass: dcObject
+o: Example, Inc.
+dc: example
+
+dn: ou=People,dc=example,dc=com
+objectClass: organizationalUnit
+ou: People
+
+dn: uid=bjorn,ou=People,dc=example,dc=com
+objectClass: inetOrgPerson
+cn: Bjorn Jensen
+sn: Jensen
+uid: bjorn
+userPassword:: Ympvcm4=
+mail: bjorn@example.com
+description: ***
+authzFrom: dn.exact:uid=jaj,o=Example,c=US
+
+dn: uid=bjensen,ou=People,dc=example,dc=com
+objectClass: inetOrgPerson
+cn: Barbara Jensen
+sn: Jensen
+uid: bjensen
+userPassword:: YmplbnNlbg==
+mail: bjensen@example.com
+description: ***
+
+dn: ou=Groups,dc=example,dc=com
+objectClass: organizationalUnit
+ou: Groups
+
+dn: cn=All,ou=Groups,dc=example,dc=com
+objectClass: groupOfNames
+cn: All
+member: uid=bjorn,ou=People,dc=example,dc=com
+member: uid=bjensen,ou=People,dc=example,dc=com
+
+dn: cn=Authorizable,ou=Groups,dc=example,dc=com
+objectClass: groupOfNames
+cn: Authorizable
+member: uid=bjorn,ou=People,dc=example,dc=com
+
+dn: ou=Admin,dc=example,dc=com
+objectClass: organizationalUnit
+ou: Admin
+
+dn: cn=Proxy US,ou=Admin,dc=example,dc=com
+objectClass: applicationProcess
+objectClass: simpleSecurityObject
+cn: Proxy US
+userPassword:: cHJveHk=
+authzTo: dn.subtree:ou=People,dc=example,dc=it
+
+dn: cn=Proxy IT,ou=Admin,dc=example,dc=com
+objectClass: applicationProcess
+objectClass: simpleSecurityObject
+cn: Proxy IT
+userPassword:: cHJveHk=
+authzTo: dn.exact:cn=Sandbox,ou=Admin,dc=example,dc=com
+authzTo: dn.exact:
+
+dn: cn=Sandbox,ou=Admin,dc=example,dc=com
+objectClass: applicationProcess
+cn: Sandbox
diff --git a/tests/data/test-idassert2.ldif b/tests/data/test-idassert2.ldif
new file mode 100644
index 0000000000..c8f3d68fc6
--- /dev/null
+++ b/tests/data/test-idassert2.ldif
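Review bot: `authzTo: dn.exact:` on cn=Proxy IT is the one value in this fixture that grants an identity assertion to the empty DN, which is what the `# authorizes anonymous` line in slapd-idassert.conf relies on, and nothing in the LDIF says so; a comment above it, `# empty DN: lets Proxy IT assert the anonymous identity`, would keep a later edit from "fixing" the apparently blank value. The `authzFrom: dn.exact:uid=jaj,o=Example,c=US` on uid=bjorn appears unused by test028-idassert in this commit, which only binds as the two proxies and as bjorn, so either a test that binds as jaj is missing or the attribute deserves a comment stating which scenario it is reserved for.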
@@ -0,0 +1,27 @@
+dn: dc=example,dc=it
+objectClass: organization
+objectClass: dcObject
+o: Example
+o: Esempio S.p.A.
+dc: example
+
+dn: ou=People,dc=example,dc=it
+objectClass: organizationalUnit
+ou: People
+
+dn: uid=dots,ou=People,dc=example,dc=it
+objectClass: inetOrgPerson
+cn: Dorothy Stevens
+sn: Stevens
+uid: dots
+userPassword:: ZG90cw==
+mail: dots@example.it
+
+dn: uid=jaj,ou=People,dc=example,dc=it
+objectClass: inetOrgPerson
+cn: James A Jones 1
+sn: Jones
+uid: jaj
+userPassword:: amFq
+mail: jaj@example.it
+
diff --git a/tests/run.in b/tests/run.in
index ccac9c0ce3..eb5244ab03 100644
--- a/tests/run.in
+++ b/tests/run.in
@@ -31,9 +31,10 @@ AC_ppolicy=ppolicy@BUILD_PPOLICY@ AC_refint=refint@BUILD_REFINT@ AC_unique=unique@BUILD_UNIQUE@ AC_MONITOR=@BUILD_MONITOR@ +AC_WITH_SASL=@WITH_SASL@ AC_WITH_TLS=@WITH_TLS@ -export AC_MONITOR AC_WITH_TLS AC_ldap AC_pcache AC_ppolicy +export AC_MONITOR AC_WITH_SASL AC_WITH_TLS AC_ldap AC_pcache AC_ppolicy export AC_refint AC_unique if test ! -x ../servers/slapd/slapd ; then
diff --git a/tests/scripts/conf.sh b/tests/scripts/conf.sh
index bb20b9cd1f..510c461d40 100755
--- a/tests/scripts/conf.sh
+++ b/tests/scripts/conf.sh
@@ -22,6 +22,12 @@ if [ x"$MONITORDB" = x"yes" -o x"$MONITORDB" = xmod ] ; then
 else
 MON=nomonitor
 fi
+USE_SASL=${SLAPD_USE_SASL+yes}
+if [ x"$WITH_SASL" = x"yes" -a x"$USE_SASL" = x"yes" ] ; then
+ SASL="sasl"
+else
+ SASL="nosasl"
+fi
 sed -e "s/@BACKEND@/${BACKEND}/" \
 -e "s/^#${BACKEND}#//" \
 -e "s/^#${BACKENDTYPE}#//" \
@@ -32,5 +38,6 @@ sed -e "s/@BACKEND@/${BACKEND}/" \
 -e "s/^#${AC_unique}#//" \
 -e "s/^#${MON}#//" \
 -e "s/^#${MONMOD}#//" \
+ -e "s/^#${SASL}#//" \
 -e "s/@CACHETTL@/${CACHETTL}/" \
 -e "s/@ENTRY_LIMIT@/${CACHE_ENTRY_LIMIT}/"
diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh
index 3eb1d593ad..7113ea8bf3 100755
--- a/tests/scripts/defines.sh
+++ b/tests/scripts/defines.sh
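Review bot: In conf.sh, `USE_SASL=${SLAPD_USE_SASL+yes}` selects the `#sasl#` config lines whenever the variable is merely set, so `SLAPD_USE_SASL=no` or `SLAPD_USE_SASL=` still enables the SASL flavour; if the intent is an explicit opt-in, test the value directly, `if [ x"$WITH_SASL" = x"yes" -a x"$SLAPD_USE_SASL" = x"yes" ] ; then`, which also makes the `USE_SASL` intermediate unnecessary. The opt-in is otherwise undocumented, so a comment above it would help: `# the SASL flavour of idassert is opt-in: export SLAPD_USE_SASL=yes before running`. Note that test028-idassert, later in this commit, prints "Using SASL authc/authz..." on `$WITH_SASL` alone, so with SASL built in but SLAPD_USE_SASL unset the message and the config actually filtered here disagree; the script should check the same condition or mention SLAPD_USE_SASL in its message.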
@@ -14,10 +14,12 @@ ## . MONITORDB=${AC_MONITOR-no} +BACKLDAP=${AC_ldap-ldapno} PROXYCACHE=${AC_pcache-pcacheno} PPOLICY=${AC_ppolicy-ppolicyno} REFINT=${AC_refint-refintno} UNIQUE=${AC_unique-uniqueno} +WITH_SASL=${AC_WITH_SASL-no} WITHTLS=${AC_WITHTLS-yes} DATADIR=./testdata
@@ -60,6 +62,7 @@ UNIQUECONF=$DATADIR/slapd-unique.conf LIMITSCONF=$DATADIR/slapd-limits.conf DNCONF=$DATADIR/slapd-dn.conf EMPTYDNCONF=$DATADIR/slapd-emptydn.conf +IDASSERTCONF=$DATADIR/slapd-idassert.conf CONF1=$TESTDIR/slapd.1.conf CONF2=$TESTDIR/slapd.2.conf
@@ -132,6 +135,8 @@ LDIFLIMITS=$DATADIR/test-limits.ldif
 LDIFDN=$DATADIR/test-dn.ldif
 LDIFEMPTYDN1=$DATADIR/test-emptydn1.ldif
 LDIFEMPTYDN2=$DATADIR/test-emptydn2.ldif
+LDIFIDASSERT1=$DATADIR/test-idassert1.ldif
+LDIFIDASSERT2=$DATADIR/test-idassert2.ldif
 MONITOR=""
 REFDN="c=US"
 BASEDN="dc=example,dc=com"
diff --git a/tests/scripts/test028-idassert b/tests/scripts/test028-idassert
new file mode 100755
index 0000000000..d03d4dfcd2
--- /dev/null
+++ b/tests/scripts/test028-idassert
@@ -0,0 +1,171 @@
+#! /bin/sh
+# $OpenLDAP$
+## This work is part of OpenLDAP Software .
+##
+## Copyright 1998-2004 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## .
+
+echo "running defines.sh"
+. $SRCDIR/scripts/defines.sh
+
+if test $BACKLDAP = "ldapno" ; then
+ echo "LDAP backend not available, test skipped"
+ exit 0
+fi
+
+if test $WITH_SASL = "yes" ; then
+ echo "Using SASL authc/authz..."
+else
+ echo "SASL not available; using proxyAuthz with simple authc..."
+fi
+
+mkdir -p $TESTDIR $DBDIR1 $DBDIR2
+
+echo "Running slapadd to build slapd database..."
+. $CONFFILTER $BACKEND $MONITORDB < $IDASSERTCONF > $ADDCONF
+$SLAPADD -f $ADDCONF -l $LDIFIDASSERT1 -n 1
+RC=$?
+if test $RC != 0 ; then
+ echo "slapadd -n 1 failed ($RC)!"
+ exit $RC
+fi
+$SLAPADD -f $ADDCONF -l $LDIFIDASSERT2 -n 2
+RC=$?
+if test $RC != 0 ; then
+ echo "slapadd -n 2 failed ($RC)!"
+ exit $RC
+fi
+
+echo "Starting slapd on TCP/IP port $PORT..."
+. $CONFFILTER $BACKEND $MONITORDB < $IDASSERTCONF > $CONF1
+$SLAPD -f $CONF1 -h $URI1 -d $LVL $TIMING > $LOG1 2>&1 &
+PID=$!
+if test $WAIT != 0 ; then
+ echo PID $PID
+ read foo
+fi
+KILLPIDS="$PID"
+
+echo "Using ldapsearch to check that slapd is running..."
+for i in 0 1 2 3 4 5; do
+ $LDAPSEARCH -s base -b "$MONITOR" -h $LOCALHOST -p $PORT1 \
+ 'objectclass=*' > /dev/null 2>&1
+ RC=$?
+ if test $RC = 0 ; then
+ break
+ fi
+ echo "Waiting 5 seconds for slapd to start..."
+ sleep 5
+done
+
+echo "Testing ldapwhoami as proxy US..."
+$LDAPWHOAMI -h $LOCALHOST -p $PORT1 -D "cn=proxy US,ou=Admin,dc=example,dc=com" -w proxy
+RC=$?
+if test $RC != 0 ; then
+ echo "ldapwhoami failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+AUTHZID="u:it/jaj"
+echo "Testing ldapwhoami as proxy US, $AUTHZID..."
+$LDAPWHOAMI -h $LOCALHOST -p $PORT1 -D "cn=proxy US,ou=Admin,dc=example,dc=com" -w proxy -e\!"authzid=$AUTHZID"
+RC=$?
+if test $RC != 0 ; then
+ echo "ldapwhoami failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+AUTHZID="u:bjorn"
+echo "Testing ldapwhoami as proxy US, $AUTHZID..."
+$LDAPWHOAMI -h $LOCALHOST -p $PORT1 -D "cn=proxy US,ou=Admin,dc=example,dc=com" -w proxy -e\!"authzid=$AUTHZID"
+RC=$?
+if test $RC != 1 ; then
+ echo "ldapwhoami should have failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+AUTHZID="u:bjensen"
+echo "Testing ldapwhoami as proxy US, $AUTHZID..."
+$LDAPWHOAMI -h $LOCALHOST -p $PORT1 -D "cn=proxy US,ou=Admin,dc=example,dc=com" -w proxy -e\!"authzid=$AUTHZID"
+RC=$?
+if test $RC != 1 ; then
+ echo "ldapwhoami should have failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+echo "Testing ldapwhoami as proxy IT..."
+$LDAPWHOAMI -h $LOCALHOST -p $PORT1 -D "cn=proxy IT,ou=Admin,dc=example,dc=com" -w proxy
+RC=$?
+if test $RC != 0 ; then
+ echo "ldapwhoami failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+AUTHZID="u:it/jaj"
+echo "Testing ldapwhoami as proxy IT, $AUTHZID..."
+$LDAPWHOAMI -h $LOCALHOST -p $PORT1 -D "cn=proxy IT,ou=Admin,dc=example,dc=com" -w proxy -e\!"authzid=$AUTHZID"
+RC=$?
+if test $RC != 1 ; then
+ echo "ldapwhoami should have failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+AUTHZID="u:bjorn"
+echo "Testing ldapwhoami as proxy IT, $AUTHZID..."
+$LDAPWHOAMI -h $LOCALHOST -p $PORT1 -D "cn=proxy IT,ou=Admin,dc=example,dc=com" -w proxy -e\!"authzid=$AUTHZID"
+RC=$?
+if test $RC != 1 ; then
+ echo "ldapwhoami should have failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+AUTHZID="dn:cn=Sandbox,ou=Admin,dc=example,dc=com"
+echo "Testing ldapwhoami as proxy IT, $AUTHZID..."
+$LDAPWHOAMI -h $LOCALHOST -p $PORT1 -D "cn=proxy IT,ou=Admin,dc=example,dc=com" -w proxy -e\!"authzid=$AUTHZID"
+RC=$?
+if test $RC != 0 ; then
+ echo "ldapwhoami failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+AUTHZID="dn:uid=bjorn,ou=People,o=Example,c=US"
+echo "Testing ldapwhoami as bjorn, $AUTHZID..."
+$LDAPWHOAMI -h $LOCALHOST -p $PORT1 -D "uid=bjorn,ou=people,dc=example,dc=com" -w bjorn -e\!"authzid=$AUTHZID"
+RC=$?
+if test $RC != 0 ; then
+ echo "ldapwhoami failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+AUTHZID="dn:uid=bjorn,ou=People,o=Esempio,c=IT"
+echo "Testing ldapwhoami as bjorn, $AUTHZID..."
+$LDAPWHOAMI -h $LOCALHOST -p $PORT1 -D "uid=bjorn,ou=people,dc=example,dc=com" -w bjorn -e\!"authzid=$AUTHZID"
+RC=$?
+if test $RC != 0 ; then
+ echo "ldapwhoami failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+test $KILLSERVERS != no && kill -HUP $KILLPIDS
+
+echo ">>>>> Test succeeded"
+exit 0
+
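Review bot: Every negative check in this script (`if test $RC != 1 ; then` ... `echo "ldapwhoami should have failed ($RC)!"` ... `exit $RC`), used for the `u:bjorn` and `u:bjensen` assertions via proxy US and the `u:it/jaj` and `u:bjorn` assertions via proxy IT, exits with `$RC`, which is 0 precisely when ldapwhoami unexpectedly succeeded, so the authorization bypass this test exists to catch would be reported to the harness as a pass; those branches should use `exit 1` instead. The start-up message prints `$PORT` while the server is bound with `$URI1` and probed on `$PORT1`, so the echo should read `"Starting slapd on TCP/IP port $PORT1..."`. The negative checks also assume ldapwhoami exits 1 on a refused proxyAuthz rather than with the LDAP result code, which is not stated anywhere; a comment such as `# ldapwhoami exits 1 on any failure, including a refused proxyAuthz control` above the first one would record that assumption.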