mirror of
https://git.openldap.org/openldap/openldap.git
synced 2025-12-27 18:19:52 -05:00
508 lines
12 KiB
Bash
Executable file
508 lines
12 KiB
Bash
Executable file
#! /bin/sh
|
|
# $OpenLDAP$
|
|
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
|
|
##
|
|
## Copyright 2016-2021 Ondřej Kuzník, Symas Corp.
|
|
## Copyright 2021-2024 The OpenLDAP Foundation.
|
|
## All rights reserved.
|
|
##
|
|
## Redistribution and use in source and binary forms, with or without
|
|
## modification, are permitted only as authorized by the OpenLDAP
|
|
## Public License.
|
|
##
|
|
## A copy of this license is available in the file LICENSE in the
|
|
## top-level directory of the distribution or, alternatively, at
|
|
## <http://www.OpenLDAP.org/license.html>.
|
|
|
|
echo "running defines.sh"
|
|
. $SRCDIR/scripts/defines.sh
|
|
|
|
if test $OTP = otpno; then
|
|
echo "OTP overlay not available, test skipped"
|
|
exit 0
|
|
fi
|
|
|
|
OTP_DATA=$DATADIR/otp/hotp.ldif
|
|
|
|
# OTPs for this token
|
|
TOKEN_0=818800
|
|
TOKEN_1=320382
|
|
TOKEN_2=404533
|
|
TOKEN_3=127122
|
|
TOKEN_4=892599
|
|
TOKEN_5=407030
|
|
TOKEN_6=880935
|
|
TOKEN_7=920291
|
|
TOKEN_8=145192
|
|
TOKEN_9=316404
|
|
TOKEN_10=409144
|
|
|
|
# OTPs for the second set of parameters
|
|
TOKEN_SHA512_11=17544155
|
|
TOKEN_SHA512_12=48953477
|
|
TOKEN_SHA512_13=94485071
|
|
TOKEN_SHA512_14=72871903
|
|
TOKEN_SHA512_15=93883960
|
|
|
|
mkdir -p $TESTDIR $DBDIR1
|
|
|
|
echo "Running slapadd to build slapd database..."
|
|
. $CONFFILTER $BACKEND < $CONF > $ADDCONF
|
|
$SLAPADD -f $ADDCONF -l $LDIFORDERED
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "slapadd failed ($RC)!"
|
|
exit $RC
|
|
fi
|
|
|
|
mkdir $TESTDIR/confdir
|
|
. $CONFFILTER $BACKEND < $CONF > $CONF1
|
|
|
|
$SLAPPASSWD -g -n >$CONFIGPWF
|
|
echo "database config" >>$CONF1
|
|
echo "rootpw `$SLAPPASSWD -T $CONFIGPWF`" >>$CONF1
|
|
|
|
echo "Starting slapd on TCP/IP port $PORT1..."
|
|
$SLAPD -f $CONF1 -F $TESTDIR/confdir -h $URI1 -d $LVL > $LOG1 2>&1 &
|
|
PID=$!
|
|
if test $WAIT != 0 ; then
|
|
echo PID $PID
|
|
read foo
|
|
fi
|
|
PROVIDERPID="$PID"
|
|
KILLPIDS="$PID"
|
|
|
|
sleep $SLEEP0
|
|
|
|
for i in 0 1 2 3 4 5; do
|
|
$LDAPSEARCH -s base -b "$MONITOR" -H $URI1 \
|
|
'objectclass=*' > /dev/null 2>&1
|
|
RC=$?
|
|
if test $RC = 0 ; then
|
|
break
|
|
fi
|
|
echo "Waiting ${SLEEP1} seconds for slapd to start..."
|
|
sleep ${SLEEP1}
|
|
done
|
|
|
|
if [ "$OTP" = otpmod ]; then
|
|
$LDAPADD -D cn=config -H $URI1 -y $CONFIGPWF \
|
|
>> $TESTOUT 2>&1 <<EOMOD
|
|
dn: cn=module,cn=config
|
|
objectClass: olcModuleList
|
|
cn: module
|
|
olcModulePath: $TESTWD/../servers/slapd/overlays
|
|
olcModuleLoad: otp.la
|
|
EOMOD
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "ldapmodify failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit $RC
|
|
fi
|
|
fi
|
|
|
|
echo "Loading test otp configuration..."
|
|
$LDAPMODIFY -v -D cn=config -H $URI1 -y $CONFIGPWF \
|
|
>> $TESTOUT 2>&1 <<EOMOD
|
|
dn: olcOverlay={0}otp,olcDatabase={1}$BACKEND,cn=config
|
|
changetype: add
|
|
objectClass: olcOverlayConfig
|
|
EOMOD
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "ldapmodify failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit $RC
|
|
fi
|
|
|
|
echo "Provisioning tokens and configuration..."
|
|
$LDAPMODIFY -D "$MANAGERDN" -H $URI1 -w $PASSWD \
|
|
>> $TESTOUT 2>&1 < $OTP_DATA
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "ldapmodify failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit $RC
|
|
fi
|
|
|
|
|
|
echo "Authentication tests:"
|
|
echo "\ttoken that's not valid yet..."
|
|
$LDAPWHOAMI -D "$BABSDN" -H $URI1 -w "bjensen$TOKEN_10" \
|
|
>> $TESTOUT 2>&1
|
|
RC=$?
|
|
if test $RC != 49 ; then
|
|
echo "ldapwhoami should have failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit 1
|
|
fi
|
|
|
|
echo "\ta valid and expected token..."
|
|
$LDAPWHOAMI -D "$BABSDN" -H $URI1 -w "bjensen$TOKEN_4" \
|
|
>> $TESTOUT 2>&1
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "ldapwhoami failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit $RC
|
|
fi
|
|
|
|
echo "\ta valid token skipping some..."
|
|
$LDAPWHOAMI -D "$BABSDN" -H $URI1 -w "bjensen$TOKEN_6" \
|
|
>> $TESTOUT 2>&1
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "ldapwhoami failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit $RC
|
|
fi
|
|
|
|
echo "\treusing the same token..."
|
|
$LDAPWHOAMI -D "$BABSDN" -H $URI1 -w "bjensen$TOKEN_6" \
|
|
>> $TESTOUT 2>&1
|
|
RC=$?
|
|
if test $RC != 49 ; then
|
|
echo "ldapwhoami should have failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit 1
|
|
fi
|
|
|
|
echo "\tanother account sharing the same token..."
|
|
$LDAPWHOAMI -D "$BJORNSDN" -H $URI1 -w "bjorn$TOKEN_7" \
|
|
>> $TESTOUT 2>&1
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "ldapwhoami failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit $RC
|
|
fi
|
|
|
|
echo "\ttrying an old token..."
|
|
$LDAPWHOAMI -D "$BJORNSDN" -H $URI1 -w "bjorn$TOKEN_5" \
|
|
>> $TESTOUT 2>&1
|
|
RC=$?
|
|
if test $RC != 49 ; then
|
|
echo "ldapwhoami should have failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit 1
|
|
fi
|
|
|
|
echo "\tright token, wrong password..."
|
|
$LDAPWHOAMI -D "$BJORNSDN" -H $URI1 -w "bjensen$TOKEN_8" \
|
|
>> $TESTOUT 2>&1
|
|
RC=$?
|
|
if test $RC != 49 ; then
|
|
echo "ldapwhoami should have failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit 1
|
|
fi
|
|
|
|
echo "\tmaking sure previous token has been retired too..."
|
|
$LDAPWHOAMI -D "$BJORNSDN" -H $URI1 -w "bjorn$TOKEN_8" \
|
|
>> $TESTOUT 2>&1
|
|
RC=$?
|
|
if test $RC != 49 ; then
|
|
echo "ldapwhoami should have failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit 1
|
|
fi
|
|
|
|
echo "\tthe first token we tested that's just become valid..."
|
|
$LDAPWHOAMI -D "$BABSDN" -H $URI1 -w "bjensen$TOKEN_10" \
|
|
>> $TESTOUT 2>&1
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "ldapwhoami failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit $RC
|
|
fi
|
|
|
|
echo "Reconfiguring token parameters..."
|
|
$LDAPMODIFY -D "$MANAGERDN" -H $URI1 -w $PASSWD \
|
|
>/dev/null 2>&1 << EOMODS
|
|
dn: ou=Information Technology Division,ou=People,dc=example,dc=com
|
|
changetype: modify
|
|
replace: oathHOTPParams
|
|
oathHOTPParams: ou=Alumni Association,ou=People,dc=example,dc=com
|
|
EOMODS
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "ldapmodify failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit $RC
|
|
fi
|
|
|
|
echo "A new round of tests:"
|
|
|
|
echo "\ta long token that's not valid yet..."
|
|
$LDAPWHOAMI -D "$BABSDN" -H $URI1 -w "bjensen$TOKEN_SHA512_12" \
|
|
>> $TESTOUT 2>&1
|
|
RC=$?
|
|
if test $RC != 49 ; then
|
|
echo "ldapwhoami should have failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit 1
|
|
fi
|
|
|
|
echo "\ta valid and expected token..."
|
|
$LDAPWHOAMI -D "$BABSDN" -H $URI1 -w "bjensen$TOKEN_SHA512_11" \
|
|
>> $TESTOUT 2>&1
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "ldapwhoami failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit $RC
|
|
fi
|
|
|
|
echo "\tthe previous long token that's just become valid, then a compare operation..."
|
|
$LDAPCOMPARE -D "$BABSDN" -H $URI1 -w "bjensen$TOKEN_SHA512_12" \
|
|
"ou=Information Technology Division,ou=People,dc=example,dc=com" \
|
|
"oathSecret:$TOKEN_SHA512_13" \
|
|
>> $TESTOUT 2>&1
|
|
RC=$?
|
|
if test $RC != 6 ; then
|
|
echo "ldapcompare failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit $RC
|
|
fi
|
|
|
|
echo "Retrieving token status..."
|
|
$LDAPSEARCH -b "ou=Information Technology Division,ou=People,dc=example,dc=com" \
|
|
-H $URI1 objectclass=oathHOTPToken '@oathHOTPToken' \
|
|
>> $SEARCHOUT 2>&1
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "ldapsearch failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit $RC
|
|
fi
|
|
|
|
if test "$BACKLDAP" != "ldapno" && test "$SYNCPROV" != "syncprovno" ; then
|
|
echo ""
|
|
echo "Setting up OTP state forwarding test..."
|
|
|
|
mkdir $DBDIR2
|
|
sed -e "s,$DBDIR1,$DBDIR2," < $CONF1 > $CONF2
|
|
echo "Starting slapd consumer on TCP/IP port $PORT2..."
|
|
$SLAPD -f $CONF2 -h $URI2 -d $LVL > $LOG2 2>&1 &
|
|
CONSUMERPID=$!
|
|
if test $WAIT != 0 ; then
|
|
echo CONSUMERPID $CONSUMERPID
|
|
read foo
|
|
fi
|
|
KILLPIDS="$KILLPIDS $CONSUMERPID"
|
|
|
|
echo "Configuring syncprov on provider..."
|
|
if [ "$SYNCPROV" = syncprovmod ]; then
|
|
$LDAPADD -D cn=config -H $URI1 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
|
|
dn: cn=module,cn=config
|
|
objectclass: olcModuleList
|
|
cn: module
|
|
olcModulePath: $TESTWD/../servers/slapd/overlays
|
|
olcModuleLoad: syncprov.la
|
|
|
|
EOF
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "ldapadd failed for moduleLoad ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit $RC
|
|
fi
|
|
fi
|
|
|
|
$LDAPADD -D cn=config -H $URI1 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
|
|
dn: olcOverlay={1}syncprov,olcDatabase={1}$BACKEND,cn=config
|
|
objectClass: olcOverlayConfig
|
|
objectClass: olcSyncProvConfig
|
|
olcOverlay: {1}syncprov
|
|
|
|
EOF
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "ldapadd failed for provider database config ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit $RC
|
|
fi
|
|
|
|
echo "Using ldapsearch to check that slapd is running..."
|
|
for i in 0 1 2 3 4 5; do
|
|
$LDAPSEARCH -s base -b "$MONITOR" -H $URI2 \
|
|
'objectclass=*' > /dev/null 2>&1
|
|
RC=$?
|
|
if test $RC = 0 ; then
|
|
break
|
|
fi
|
|
echo "Waiting 5 seconds for slapd to start..."
|
|
sleep 5
|
|
done
|
|
if test $RC != 0 ; then
|
|
echo "ldapsearch failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit $RC
|
|
fi
|
|
|
|
echo "Configuring syncrepl on consumer..."
|
|
if [ "$BACKLDAP" = ldapmod ]; then
|
|
$LDAPADD -D cn=config -H $URI2 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
|
|
dn: cn=module,cn=config
|
|
objectclass: olcModuleList
|
|
cn: module
|
|
olcModulePath: $TESTWD/../servers/slapd/back-ldap
|
|
olcModuleLoad: back_ldap.la
|
|
|
|
EOF
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "ldapadd failed for moduleLoad ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit $RC
|
|
fi
|
|
fi
|
|
$LDAPMODIFY -D cn=config -H $URI2 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
|
|
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
|
|
changetype: add
|
|
objectClass: olcOverlayConfig
|
|
objectClass: olcChainConfig
|
|
olcOverlay: {0}chain
|
|
|
|
dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
|
|
changetype: add
|
|
objectClass: olcLDAPConfig
|
|
objectClass: olcChainDatabase
|
|
olcDBURI: $URI1
|
|
olcDbIDAssertBind: bindmethod=simple
|
|
binddn="cn=manager,dc=example,dc=com"
|
|
credentials=secret
|
|
mode=self
|
|
|
|
dn: olcDatabase={1}$BACKEND,cn=config
|
|
changetype: modify
|
|
add: olcSyncrepl
|
|
olcSyncrepl: rid=1
|
|
provider=$URI1
|
|
binddn="cn=manager,dc=example,dc=com"
|
|
bindmethod=simple
|
|
credentials=secret
|
|
searchbase="dc=example,dc=com"
|
|
type=refreshAndPersist
|
|
retry="3 5 300 5"
|
|
-
|
|
add: olcUpdateref
|
|
olcUpdateref: $URI1
|
|
-
|
|
|
|
EOF
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "ldapmodify failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit $RC
|
|
fi
|
|
|
|
if [ "$OTP" = otpmod ]; then
|
|
$LDAPADD -D cn=config -H $URI2 -y $CONFIGPWF \
|
|
>> $TESTOUT 2>&1 <<EOMOD
|
|
dn: cn=module,cn=config
|
|
objectClass: olcModuleList
|
|
cn: module
|
|
olcModulePath: $TESTWD/../servers/slapd/overlays
|
|
olcModuleLoad: otp.la
|
|
EOMOD
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "ldapmodify failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit $RC
|
|
fi
|
|
fi
|
|
|
|
echo "Loading test otp configuration..."
|
|
$LDAPMODIFY -v -D cn=config -H $URI2 -y $CONFIGPWF \
|
|
>> $TESTOUT 2>&1 <<EOMOD
|
|
dn: olcOverlay={0}otp,olcDatabase={1}$BACKEND,cn=config
|
|
changetype: add
|
|
objectClass: olcOverlayConfig
|
|
EOMOD
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "ldapmodify failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit $RC
|
|
fi
|
|
|
|
echo "Waiting for consumer to sync..."
|
|
sleep $SLEEP1
|
|
|
|
echo "Consumer+chaining tests:"
|
|
|
|
echo "\tconsumer accepts a new token..."
|
|
$LDAPWHOAMI -D "$BABSDN" -H $URI2 -w "bjensen$TOKEN_SHA512_14" \
|
|
>> $TESTOUT 2>&1
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "ldapwhoami failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit $RC
|
|
fi
|
|
|
|
echo "\ta used up token reached the provider..."
|
|
$LDAPWHOAMI -D "$BABSDN" -H $URI1 -w "bjensen$TOKEN_SHA512_14" \
|
|
>> $TESTOUT 2>&1
|
|
RC=$?
|
|
if test $RC != 49 ; then
|
|
echo "ldapwhoami should have failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit 1
|
|
fi
|
|
|
|
echo "Checking token status..."
|
|
$LDAPCOMPARE -D "$MANAGERDN" -H $URI1 -w $PASSWD \
|
|
"ou=Information Technology Division,ou=People,dc=example,dc=com" \
|
|
oathHOTPCounter:14 \
|
|
>> $TESTOUT 2>&1
|
|
RC=$?
|
|
if test $RC != 6 ; then
|
|
echo "ldapcompare failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit 1
|
|
fi
|
|
|
|
echo "Stopping provider..."
|
|
kill -HUP $PROVIDERPID
|
|
wait $PROVIDERPID
|
|
KILLPIDS="$CONSUMERPID"
|
|
|
|
echo "Testing that successful chaining is mandatory..."
|
|
$LDAPWHOAMI -D "$BABSDN" -H $URI2 -w "bjensen$TOKEN_SHA512_15" \
|
|
>> $TESTOUT 2>&1
|
|
RC=$?
|
|
if test $RC != 49 ; then
|
|
echo "ldapwhoami should have failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit 1
|
|
fi
|
|
|
|
fi
|
|
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
|
|
LDIF=$DATADIR/otp/test001-out.ldif
|
|
|
|
echo "Filtering ldapsearch results..."
|
|
$LDIFFILTER < $SEARCHOUT > $SEARCHFLT
|
|
echo "Filtering ldif with expected data..."
|
|
$LDIFFILTER < $LDIF > $LDIFFLT
|
|
echo "Comparing filter output..."
|
|
$CMP $SEARCHFLT $LDIFFLT > $CMPOUT
|
|
|
|
if test $? != 0 ; then
|
|
echo "Comparison failed"
|
|
exit 1
|
|
fi
|
|
|
|
echo ">>>>> Test succeeded"
|
|
|
|
test $KILLSERVERS != no && wait
|
|
|
|
exit 0
|