openldap/openldap-cbinding-Convert-test077-to-LDIF-config.patch
2021-04-09 13:51:19 +02:00

237 lines
6.8 KiB
Diff

From 59bdc8158f51fc22cc3c6d6dd2db9e5aa4bcfdc4 Mon Sep 17 00:00:00 2001
From: Ryan Tandy <ryan@nardis.ca>
Date: Mon, 27 Apr 2020 23:24:16 -0700
Subject: [PATCH] Convert test077 to LDIF config
---
tests/data/slapd-sasl-gssapi.conf | 65 ------------------
tests/scripts/defines.sh | 1 -
tests/scripts/test077-sasl-gssapi | 108 ++++++++++++++++++++++++++++--
3 files changed, 103 insertions(+), 71 deletions(-)
delete mode 100644 tests/data/slapd-sasl-gssapi.conf
diff --git a/tests/data/slapd-sasl-gssapi.conf b/tests/data/slapd-sasl-gssapi.conf
deleted file mode 100644
index 611fc7097..000000000
--- a/tests/data/slapd-sasl-gssapi.conf
+++ /dev/null
@@ -1,65 +0,0 @@
-# stand-alone slapd config -- for testing (with indexing)
-# $OpenLDAP$
-## This work is part of OpenLDAP Software <http://www.openldap.org/>.
-##
-## Copyright 1998-2020 The OpenLDAP Foundation.
-## All rights reserved.
-##
-## Redistribution and use in source and binary forms, with or without
-## modification, are permitted only as authorized by the OpenLDAP
-## Public License.
-##
-## A copy of this license is available in the file LICENSE in the
-## top-level directory of the distribution or, alternatively, at
-## <http://www.OpenLDAP.org/license.html>.
-
-#
-include @SCHEMADIR@/core.schema
-include @SCHEMADIR@/cosine.schema
-#
-include @SCHEMADIR@/corba.schema
-include @SCHEMADIR@/java.schema
-include @SCHEMADIR@/inetorgperson.schema
-include @SCHEMADIR@/misc.schema
-include @SCHEMADIR@/nis.schema
-include @SCHEMADIR@/openldap.schema
-#
-include @SCHEMADIR@/duaconf.schema
-include @SCHEMADIR@/dyngroup.schema
-
-#
-pidfile @TESTDIR@/slapd.1.pid
-argsfile @TESTDIR@/slapd.1.args
-
-# SSL configuration
-TLSCACertificateFile @TESTDIR@/tls/ca/certs/testsuiteCA.crt
-TLSCertificateKeyFile @TESTDIR@/tls/private/localhost.key
-TLSCertificateFile @TESTDIR@/tls/certs/localhost.crt
-
-#
-rootdse @DATADIR@/rootdse.ldif
-
-#mod#modulepath ../servers/slapd/back-@BACKEND@/
-#mod#moduleload back_@BACKEND@.la
-#monitormod#modulepath ../servers/slapd/back-monitor/
-#monitormod#moduleload back_monitor.la
-
-
-#######################################################################
-# database definitions
-#######################################################################
-
-database @BACKEND@
-suffix "dc=example,dc=com"
-rootdn "cn=Manager,dc=example,dc=com"
-rootpw secret
-#~null~#directory @TESTDIR@/db.1.a
-#indexdb#index objectClass eq
-#indexdb#index mail eq
-#ndb#dbname db_1_a
-#ndb#include @DATADIR@/ndb.conf
-
-#monitor#database monitor
-
-sasl-realm @KRB5REALM@
-sasl-host localhost
diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh
index 78dc1f8ae..76c85b442 100755
--- a/tests/scripts/defines.sh
+++ b/tests/scripts/defines.sh
@@ -108,7 +108,6 @@ REFCONSUMERCONF=$DATADIR/slapd-ref-consumer.conf
SCHEMACONF=$DATADIR/slapd-schema.conf
TLSCONF=$DATADIR/slapd-tls.conf
TLSSASLCONF=$DATADIR/slapd-tls-sasl.conf
-SASLGSSAPICONF=$DATADIR/slapd-sasl-gssapi.conf
GLUECONF=$DATADIR/slapd-glue.conf
REFINTCONF=$DATADIR/slapd-refint.conf
RETCODECONF=$DATADIR/slapd-retcode.conf
diff --git a/tests/scripts/test077-sasl-gssapi b/tests/scripts/test077-sasl-gssapi
index bde9006ca..322df60a4 100755
--- a/tests/scripts/test077-sasl-gssapi
+++ b/tests/scripts/test077-sasl-gssapi
@@ -21,15 +21,40 @@ if test $WITH_SASL = no ; then
exit 0
fi
-mkdir -p $TESTDIR $DBDIR1
+CONFDIR=$TESTDIR/slapd.d
+CONFLDIF=$TESTDIR/slapd.ldif
+
+mkdir -p $TESTDIR $DBDIR1 $CONFDIR
cp -r $DATADIR/tls $TESTDIR
+$SLAPPASSWD -g -n >$CONFIGPWF
echo "Starting KDC for SASL/GSSAPI tests..."
. $SRCDIR/scripts/setup_kdc.sh
-echo "Running slapadd to build slapd database..."
-. $CONFFILTER $BACKEND $MONITORDB < $SASLGSSAPICONF > $CONF1
-$SLAPADD -f $CONF1 -l $LDIFORDERED
+echo "Configuring slapd..."
+cat > $CONFLDIF <<EOF
+dn: cn=config
+objectClass: olcGlobal
+cn: config
+olcSaslHost: localhost
+olcSaslRealm: $KRB5REALM
+olcTLSCACertificateFile: $TESTDIR/tls/ca/certs/testsuiteCA.crt
+olcTLSCertificateFile: $TESTDIR/tls/certs/localhost.crt
+olcTLSCertificateKeyFile: $TESTDIR/tls/private/localhost.key
+
+dn: cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: schema
+
+include: file://$ABS_SCHEMADIR/core.ldif
+
+dn: olcDatabase={0}config,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: {0}config
+olcRootPW:< file://$TESTDIR/configpw
+
+EOF
+$SLAPADD -F $CONFDIR -n 0 -l $CONFLDIF
RC=$?
if test $RC != 0 ; then
echo "slapadd failed ($RC)!"
@@ -38,7 +63,7 @@ if test $RC != 0 ; then
fi
echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..."
-$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
+$SLAPD -F $CONFDIR -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
PID=$!
if test $WAIT != 0 ; then
echo PID $PID
@@ -141,6 +166,79 @@ else
fi
fi
+if test $WITH_TLS = no ; then
+ echo "TLS support not available, skipping channe-binding test"
+elif test $HAVE_SASL_GSS_CBIND = no ; then
+ echo "SASL has no channel-binding support in GSSAPI, test skipped"
+else
+ echo "Testing SASL/GSSAPI with SASL_CBINDING..."
+
+ for acb in "none" "tls-unique" "tls-endpoint" ; do
+
+ echo "Modifying slapd's olcSaslCBinding to ${acb} ..."
+ $LDAPMODIFY -D cn=config -H $URI1 -y $CONFIGPWF <<EOF > $TESTOUT 2>&1
+dn: cn=config
+changetype: modify
+replace: olcSaslCBinding
+olcSaslCBinding: ${acb}
+EOF
+ RC=$?
+ if test $RC != 0 ; then
+ echo "ldapmodify failed ($RC)!"
+ kill $KDCPROC
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+
+ for icb in "none" "tls-unique" "tls-endpoint" ; do
+
+ # The gnutls implemantation of "tls-unique" seems broken
+ if test $icb = "tls-unique" -o $acb = "tls-unique" ; then
+ if test $WITH_TLS_TYPE == gnutls ; then
+ continue
+ fi
+ fi
+
+ fail="no"
+ if test $icb != $acb -a $acb != "none" ; then
+ # This currently fails in MIT, but it is planned to be
+ # fixed not to fail like in heimdal - avoid testing.
+ if test $icb = "none" ; then
+ continue
+ fi
+ # Otherwise unmatching bindings are expected to fail.
+ fail="yes"
+ fi
+
+ echo -n "Using ldapwhoami with SASL/GSSAPI and SASL_CBINDING "
+ echo -ne "(client: ${icb},\tserver: ${acb}): "
+
+ $LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 -ZZ -o tls_reqcert=allow \
+ -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt \
+ -o SASL_CBINDING=$icb > $TESTOUT 2>&1
+
+ RC=$?
+ if test $RC != 0 ; then
+ if test $fail = "no" ; then
+ echo "test failed ($RC)!"
+ kill $KDCPROC
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+ elif test $fail = "yes" ; then
+ echo "failed: command succeeded unexpectedly."
+ kill $KDCPROC
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit 1
+ fi
+
+ echo "success"
+ RC=0
+ done
+ done
+fi
+
+
kill $KDCPROC
test $KILLSERVERS != no && kill -HUP $KILLPIDS
--
2.29.2