From: Howard Chu Date: Tue, 16 Mar 2004 10:16:21 +0000 (+0000) Subject: Added tests for password policy overlay X-Git-Tag: OPENLDAP_REL_ENG_2_2_BP~277 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=c564301d34a89bdc74a7a53cfc76dad7a0c74e78;p=openldap Added tests for password policy overlay
---
diff --git a/tests/data/ppolicy.ldif b/tests/data/ppolicy.ldif
new file mode 100644
index 0000000000..363e9cbe68
--- /dev/null
+++ b/tests/data/ppolicy.ldif
@@ -0,0 +1,65 @@
+dn: o=University of Michigan, c=US
+objectClass: top
+objectClass: organization
+o: University of Michigan
+
+dn: ou=People, o=University of Michigan, c=US
+objectClass: top
+objectClass: organizationalUnit
+ou: People
+
+dn: ou=Policies, o=University of Michigan, c=US
+objectClass: top
+objectClass: organizationalUnit
+ou: Policies
+
+dn: cn=Standard Policy, ou=Policies, o=University of Michigan, c=US
+objectClass: top
+objectClass: device
+objectClass: pwdPolicy
+cn: Standard Policy
+pwdAttribute: 2.5.4.35
+pwdLockoutDuration: 30
+pwdInHistory: 6
+pwdCheckQuality: 1
+pwdExpireWarning: 300
+pwdMaxAge: 600
+pwdMinLength: 5
+pwdGraceLoginLimit: 3
+pwdAllowUserChange: TRUE
+pwdMustChange: TRUE
+pwdMaxFailure: 3
+pwdFailureCountInterval: 120
+pwdSafeModify: TRUE
+
+dn: uid=nd, ou=People, o=University of Michigan, c=US
+objectClass: top
+objectClass: person
+objectClass: inetOrgPerson
+cn: Neil Dunbar
+uid: nd
+sn: Dunbar
+givenName: Neil
+userPassword: testpassword
+
+dn: uid=ndadmin, ou=People, o=University of Michigan, c=US
+objectClass: top
+objectClass: person
+objectClass: inetOrgPerson
+cn: Neil Dunbar (Admin)
+uid: ndadmin
+sn: Dunbar
+givenName: Neil
+userPassword: testpw
+
+dn: uid=test, ou=People, o=University of Michigan, c=US
+objectClass: top
+objectClass: person
+objectClass: inetOrgPerson
+cn: test test
+uid: test
+sn: Test
+givenName: Test
+userPassword: kfhgkjhfdgkfd
+pwdPolicySubEntry: cn=No Policy, ou=Policies, o=University of Michigan, c=US
+
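Review bot: The uid=test entry sets `pwdPolicySubEntry` to `cn=No Policy, ou=Policies, o=University of Michigan, c=US`, but this file adds no entry with that DN and carries no comment saying whether the dangling reference is deliberate. The test022-ppolicy script added in the same commit binds only as uid=nd and the manager, so neither uid=test nor uid=ndadmin is exercised by any visible check. If the entry is meant to cover how the overlay treats a user whose policy subentry is missing, a comment line such as `# uid=test deliberately points at a policy entry that does not exist` above it would record the intent, and a matching bind check in the script would make the fixture do something.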
diff --git a/tests/data/slapd-ppolicy.conf b/tests/data/slapd-ppolicy.conf
new file mode 100644
index 0000000000..4bad52facc
--- /dev/null
+++ b/tests/data/slapd-ppolicy.conf
@@ -0,0 +1,49 @@
+# master slapd config -- for testing
+# $OpenLDAP$
+## This work is part of OpenLDAP Software .
+##
+## Copyright 1998-2004 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## .
+
+ucdata-path ./ucdata
+include ./schema/core.schema
+include ./schema/cosine.schema
+include ./schema/inetorgperson.schema
+include ./schema/openldap.schema
+include ./schema/nis.schema
+include ./schema/ppolicy.schema
+pidfile ./test-db/slapd.pid
+argsfile ./test-db/slapd.args
+
+#mod#modulepath ../servers/slapd/back-@BACKEND@/
+#mod#moduleload back_@BACKEND@.la
+#ppolicymod#moduleload ../servers/slapd/overlays/ppolicy.la
+
+#######################################################################
+# ldbm database definitions
+#######################################################################
+
+database @BACKEND@
+suffix "o=University of Michigan,c=US"
+directory ./testrun/db.1.a
+rootdn "cn=Manager,o=University of Michigan,c=US"
+rootpw secret
+index objectClass eq
+overlay ppolicy
+ppolicy_default "cn=Standard Policy,ou=Policies,o=University of Michigan,c=US"
+
+access to attr=userpassword
+ by self write
+ by * auth
+
+access to *
+ by self write
+ by * read
diff --git a/tests/run.in b/tests/run.in
index 35166ddd97..46ebb37eed 100644
--- a/tests/run.in
+++ b/tests/run.in
@@ -27,10 +27,11 @@ AC_hdb=@BUILD_HDB@ AC_ldbm=@BUILD_LDBM@ AC_ldap=ldap@BUILD_LDAP@ AC_pcache=pcache@BUILD_PROXYCACHE@ +AC_ppolicy=ppolicy@BUILD_PPOLICY@ AC_MONITOR=@BUILD_MONITOR@ AC_WITH_TLS=@WITH_TLS@ -export AC_MONITOR AC_WITH_TLS AC_ldap AC_pcache +export AC_MONITOR AC_WITH_TLS AC_ldap AC_pcache AC_ppolicy if test ! -x ../servers/slapd/slapd ; then echo "Could not locate slapd(8)" diff --git a/tests/scripts/conf.sh b/tests/scripts/conf.sh index 28f3b6e370..5b49c9c494 100755 --- a/tests/scripts/conf.sh +++ b/tests/scripts/conf.sh @@ -22,6 +22,7 @@ sed -e "s/@BACKEND@/${BACKEND}/" \ -e "s/^#${BACKENDTYPE}#//" \ -e "s/^#${AC_ldap}#//" \ -e "s/^#${AC_pcache}#//" \ + -e "s/^#${AC_ppolicy}#//" \ -e "s/^#${MON}#//" \ -e "s/@CACHETTL@/${CACHETTL}/" \ -e "s/@ENTRY_LIMIT@/${CACHE_ENTRY_LIMIT}/" diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh index 2813cd1e2e..010c00fd0e 100755 --- a/tests/scripts/defines.sh +++ b/tests/scripts/defines.sh @@ -15,6 +15,7 @@ MONITORDB=${AC_MONITOR-no} PROXYCACHE=${AC_pcache-pcacheno} +PPOLICY=${AC_ppolicy-ppolicyno} WITHTLS=${AC_WITHTLS-yes} DATADIR=./testdata @@ -40,6 +41,7 @@ RCONF=$DATADIR/slapd-referrals.conf MASTERCONF=$DATADIR/slapd-repl-master.conf SRMASTERCONF=$DATADIR/slapd-syncrepl-master.conf SLAVECONF=$DATADIR/slapd-repl-slave.conf +PPOLICYCONF=$DATADIR/slapd-ppolicy.conf PROXYCACHECONF=$DATADIR/slapd-proxycache.conf CACHEMASTERCONF=$DATADIR/slapd-cache-master.conf R1SRSLAVECONF=$DATADIR/slapd-syncrepl-slave-refresh1.conf @@ -111,6 +113,7 @@ LDIFORDEREDNOCP=$DATADIR/test-ordered-nocp.ldif LDIFBASE=$DATADIR/test-base.ldif LDIFPASSWD=$DATADIR/passwd.ldif LDIFPASSWDOUT=$DATADIR/passwd-out.ldif +LDIFPPOLICY=$DATADIR/ppolicy.ldif LDIFLANG=$DATADIR/test-lang.ldif LDIFLANGOUT=$DATADIR/lang-out.ldif LDIFREF=$DATADIR/referrals.ldif diff --git a/tests/scripts/test022-ppolicy b/tests/scripts/test022-ppolicy new file mode 100755 index 0000000000..bf391fa7d1 --- /dev/null +++ b/tests/scripts/test022-ppolicy 
@@ -0,0 +1,319 @@
+#! /bin/sh
+# $OpenLDAP$
+## This work is part of OpenLDAP Software .
+##
+## Copyright 1998-2004 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## .
+
+echo "running defines.sh"
+. $SRCDIR/scripts/defines.sh
+
+if test $PPOLICY = ppolicyno; then
+ echo "Password policy overlay not available, test skipped"
+ exit 0
+fi
+
+mkdir -p $TESTDIR $DBDIR1
+
+echo "Starting slapd on TCP/IP port $PORT1..."
+. $CONFFILTER $BACKEND $MONITORDB < $PPOLICYCONF > $CONF1
+$SLAPD -f $CONF1 -h $URI1 -d $LVL $TIMING > $LOG1 2>&1 &
+PID=$!
+if test $WAIT != 0 ; then
+ echo PID $PID
+ read foo
+fi
+KILLPIDS="$PID"
+
+USER="uid=nd, ou=People, o=University of Michigan, c=US"
+PASS=testpassword
+
+echo "Using ldapsearch to check that slapd is running..."
+for i in 0 1 2 3 4 5; do
+ $LDAPSEARCH -s base -b "$MONITOR" -h $LOCALHOST -p $PORT1 \
+ 'objectclass=*' > /dev/null 2>&1
+ RC=$?
+ if test $RC = 0 ; then
+ break
+ fi
+ echo "Waiting 5 seconds for slapd to start..."
+ sleep 5
+done
+if test $RC != 0 ; then
+ echo "ldapsearch failed $(RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+echo "Using ldapadd to populate the database..."
+$LDAPADD -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD < \
+ $LDIFPPOLICY > $TESTOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+ echo "ldapadd failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+echo "Testing account lockout..."
+$LDAPSEARCH -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >$SEARCHOUT 2>&1
+sleep 2
+$LDAPSEARCH -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >>$SEARCHOUT 2>&1
+sleep 2
+$LDAPSEARCH -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >>$SEARCHOUT 2>&1
+sleep 2
+$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >> $SEARCHOUT 2>&1
+$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS >> $SEARCHOUT 2>&1
+COUNT=`grep "Account locked" $SEARCHOUT | wc -l`
+if test $COUNT != 2 ; then
+ echo "Account lockout test failed"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit 1
+fi
+
+echo "Waiting 30 seconds for lockout to reset..."
+sleep 30
+
+$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
+ -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+ echo "ldapsearch failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+echo "Testing password expiration..."
+$LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
+ $TESTOUT 2>&1 << EOMODS
+dn: uid=nd, ou=People, o=University of Michigan, c=US
+changetype: modify
+replace: pwdChangedTime
+pwdChangedTime: 20031231000001Z
+
+EOMODS
+
+$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS > $SEARCHOUT 2>&1
+sleep 2
+$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS >> $SEARCHOUT 2>&1
+sleep 2
+$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS >> $SEARCHOUT 2>&1
+sleep 2
+$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS >> $SEARCHOUT 2>&1
+RC=$?
+if test $RC = 0 ; then
+ echo "Password expiration failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+COUNT=`grep "grace logins" $SEARCHOUT | wc -l`
+if test $COUNT != 3 ; then
+ echo "Password expiration test failed"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit 1
+fi
+
+echo "Resetting password to clear expired status"
+$LDAPPASSWD -h $LOCALHOST -p $PORT1 \
+ -w secret -s $PASS \
+ -D "$MANAGERDN" "$USER" >> $TESTOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+ echo "ldappasswd failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+echo "Filling password history..."
+$LDAPMODIFY -v -D "$USER" -h $LOCALHOST -p $PORT1 -w $PASS > \
+ $TESTOUT 2>&1 << EOMODS
+dn: uid=nd, ou=People, o=University of Michigan,c=US
+changetype: modify
+delete: userpassword
+userpassword: testpassword
+-
+replace: userpassword
+userpassword: 20urgle12-1
+
+dn: uid=nd, ou=People, o=University of Michigan,c=US
+changetype: modify
+delete: userpassword
+userpassword: 20urgle12-1
+-
+replace: userpassword
+userpassword: 20urgle12-2
+
+dn: uid=nd, ou=People, o=University of Michigan,c=US
+changetype: modify
+delete: userpassword
+userpassword: 20urgle12-2
+-
+replace: userpassword
+userpassword: 20urgle12-3
+
+dn: uid=nd, ou=People, o=University of Michigan,c=US
+changetype: modify
+delete: userpassword
+userpassword: 20urgle12-3
+-
+replace: userpassword
+userpassword: 20urgle12-4
+
+dn: uid=nd, ou=People, o=University of Michigan,c=US
+changetype: modify
+delete: userpassword
+userpassword: 20urgle12-4
+-
+replace: userpassword
+userpassword: 20urgle12-5
+
+dn: uid=nd, ou=People, o=University of Michigan,c=US
+changetype: modify
+delete: userpassword
+userpassword: 20urgle12-5
+-
+replace: userpassword
+userpassword: 20urgle12-6
+
+EOMODS
+RC=$?
+if test $RC != 0 ; then
+ echo "ldapmodify failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+echo "Testing password history..."
+$LDAPMODIFY -v -D "$USER" -h $LOCALHOST -p $PORT1 -w 20urgle12-6 > \
+ $TESTOUT 2>&1 << EOMODS
+dn: uid=nd, ou=People, o=University of Michigan, c=US
+changetype: modify
+delete: userPassword
+userPassword: 20urgle12-6
+-
+replace: userPassword
+userPassword: 20urgle12-2
+
+EOMODS
+RC=$?
+if test $RC = 0 ; then
+ echo "ldapmodify failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+echo "Testing forced reset..."
+
+$LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
+ $TESTOUT 2>&1 << EOMODS
+dn: uid=nd, ou=People, o=University of Michigan, c=US
+changetype: modify
+replace: userPassword
+userPassword: testpassword
+-
+replace: pwdReset
+pwdReset: TRUE
+
+EOMODS
+RC=$?
+if test $RC != 0 ; then
+ echo "ldapmodify failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
+ -b "$BASEDN" -s base > $SEARCHOUT 2>&1
+RC=$?
+if test $RC = 0 ; then
+ echo "Forced reset failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+COUNT=`grep "Operations are restricted" $SEARCHOUT | wc -l`
+if test $COUNT != 1 ; then
+ echo "Forced reset test failed"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit 1
+fi
+
+echo "Clearing forced reset..."
+
+$LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
+ $TESTOUT 2>&1 << EOMODS
+dn: uid=nd, ou=People, o=University of Michigan, c=US
+changetype: modify
+delete: pwdReset
+
+EOMODS
+RC=$?
+if test $RC != 0 ; then
+ echo "ldapmodify failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
+ -b "$BASEDN" -s base > $SEARCHOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+ echo "Clearing forced reset failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+echo "Testing Safe modify..."
+
+$LDAPPASSWD -h $LOCALHOST -p $PORT1 \
+ -w $PASS -s failexpect \
+ -D "$USER" > $TESTOUT 2>&1
+RC=$?
+if test $RC = 0 ; then
+ echo "Safe modify test 1 failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+sleep 2
+
+$LDAPPASSWD -h $LOCALHOST -p $PORT1 \
+ -w $PASS -s failexpect -a $PASS \
+ -D "$USER" > $TESTOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+ echo "Safe modify test 2 failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+echo "Testing length requirement..."
+
+$LDAPPASSWD -h $LOCALHOST -p $PORT1 \
+ -w failexpect -a failexpect -s spw \
+ -D "$USER" > $TESTOUT 2>&1
+RC=$?
+if test $RC = 0 ; then
+ echo "Length requirement test failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+COUNT=`grep "Password fails quality" $TESTOUT | wc -l`
+if test $COUNT != 1 ; then
+ echo "Length requirement test failed"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit 1
+fi
+
+test $KILLSERVERS != no && kill -HUP $KILLPIDS
+
+echo ">>>>> Test succeeded"
+exit 0
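Review bot: Every negative check in this script (`if test $RC = 0 ; then ... exit $RC`) exits with status 0 exactly when the server accepted an operation the policy should have rejected, so a caller that keys on the exit status would record a pass when enforcement is broken. This affects the password expiration, password history, forced reset, safe modify test 1 and length requirement branches; each should end with `exit 1`, as the COUNT checks already do. In the slapd start-up check, `echo "ldapsearch failed $(RC)!"` is a command substitution that tries to run a command named RC; it should read `echo "ldapsearch failed ($RC)!"` like the later messages. The password history branch also prints "ldapmodify failed" in the case where ldapmodify succeeded, so `echo "Password history test failed ($RC)!"` would describe the failure correctly.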