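#! /bin/sh
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2024 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.

# Exercises the ppolicy (password policy) overlay end to end: rejection of
# a redundant overlay instance, account lockout, password expiry and grace
# logins, password history, forced reset, safe modify, length checks, idle
# expiry, policy-state forwarding through a chained consumer, and the
# obsolete Netscape controls.
#
# Everything not assigned in this file ($SRCDIR, $TESTDIR, $DBDIR1,
# $SLAPD, $SLAPPASSWD, the $LDAP* tool names, $URI1, $MANAGERDN,
# $PASSWD, $KILLSERVERS, ...) is supplied by scripts/defines.sh.
#
# NOTE: $SLAPD, $SLAPPASSWD and the $LDAP* tool variables are left
# unquoted on purpose -- defines.sh may bundle extra arguments into them,
# so they have to word-split.  Plain paths and single-word values are
# quoted.  $KILLPIDS is a space-separated PID list and stays unquoted too.
echo "running defines.sh"
. "$SRCDIR"/scripts/defines.sh

if test "$PPOLICY" = ppolicyno; then
	echo "Password policy overlay not available, test skipped"
	exit 0
fi

mkdir -p "$TESTDIR" "$DBDIR1"

# Generate a fresh cn=config password into a file; the tools later read it
# with -y, so it never has to be passed on a command line.
$SLAPPASSWD -g -n >"$CONFIGPWF"
echo "rootpw $($SLAPPASSWD -T "$CONFIGPWF")" >"$TESTDIR"/configpw.conf

echo "Starting slapd on TCP/IP port $PORT1..."
. "$CONFFILTER" "$BACKEND" < "$PPOLICYCONF" > "$CONF1"
$SLAPD -f "$CONF1" -h "$URI1" -d "$LVL" > "$LOG1" 2>&1 &
PID=$!
if test "$WAIT" != 0 ; then
	# Interactive pause so a developer can attach a debugger to slapd.
	echo PID $PID
	read -r foo
fi
KILLPIDS="$PID"

# Test fixtures: the user under test, the password administrator and
# their (throwaway) passwords.  $PASS is rotated as the test progresses.
USER="uid=nd, ou=People, dc=example, dc=com"
PASS=testpassword
PWADMIN="uid=ndadmin, ou=People, dc=example, dc=com"
ADMINPASSWD=testpw

sleep 1

echo "Using ldapsearch to check that slapd is running..."
# Up to six attempts, five seconds apart, before giving up on the server.
for i in 0 1 2 3 4 5; do
	$LDAPSEARCH -s base -b "$MONITOR" -H "$URI1" \
		'objectclass=*' > /dev/null 2>&1
	RC=$?
	if test "$RC" = 0 ; then
		break
	fi
	echo "Waiting 5 seconds for slapd to start..."
	sleep 5
done
if test "$RC" != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$RC"
fi

# Truncates $TESTOUT (leaving the literal text "/dev/null" as its first
# line).  Kept as-is: it is the idiom used throughout the test suite and
# nothing in this script compares $TESTOUT against an expected file.
echo /dev/null > "$TESTOUT"

echo "Testing redundant ppolicy instance..."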
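# A second ppolicy overlay on the same database must be refused.
$LDAPADD -D cn=config -H "$URI1" -y "$CONFIGPWF" <<EOF >> "$TESTOUT" 2>&1
dn: olcOverlay=ppolicy,olcDatabase={1}$BACKEND,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=duplicate policy,ou=policies,dc=example,dc=com
EOF
RC=$?
if test "$RC" = 0 ; then
	echo "ldapadd should have failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit 1
fi

echo "Using ldapadd to populate the database..."
$LDAPADD -D "$MANAGERDN" -H "$URI1" -w "$PASSWD" \
	< "$LDIFPPOLICY" >> "$TESTOUT" 2>&1
RC=$?
if test "$RC" != 0 ; then
	echo "ldapadd failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$RC"
fi

echo "Testing account lockout..."
# Three wrong binds trip the lockout.  The next two binds (one wrong, one
# with the correct password) request the ppolicy control, so both are
# expected to report "Account locked".
$LDAPSEARCH -H "$URI1" -D "$USER" -w wrongpw >"$SEARCHOUT" 2>&1
sleep 2
$LDAPSEARCH -H "$URI1" -D "$USER" -w wrongpw >>"$SEARCHOUT" 2>&1
sleep 2
$LDAPSEARCH -H "$URI1" -D "$USER" -w wrongpw >>"$SEARCHOUT" 2>&1
sleep 2
$LDAPSEARCH -e ppolicy -H "$URI1" -D "$USER" -w wrongpw >> "$SEARCHOUT" 2>&1
$LDAPSEARCH -e ppolicy -H "$URI1" -D "$USER" -w "$PASS" >> "$SEARCHOUT" 2>&1
COUNT=$(grep -c "Account locked" "$SEARCHOUT")
if test "$COUNT" != 2 ; then
	echo "Account lockout test failed"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit 1
fi

# Read the remaining lockout time from the accountUsability control
# instead of guessing at the policy's lockout duration.
DELAYATTR=$($LDAPSEARCH -D "$MANAGERDN" -H "$URI1" -w "$PASSWD" -b "$USER" -E accountUsability 1.1)
echo "$DELAYATTR" >> "$SEARCHOUT"
DELAY=$(echo "$DELAYATTR" | sed -n -e 's/.*seconds_before_unlock=\([[:digit:]]*\)/\1/p')
# Without this guard an empty $DELAY turns "sleep" into a usage error and
# the test silently carries on against a still-locked account.
if test -z "$DELAY" ; then
	echo "Could not read seconds_before_unlock from the accountUsability control"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit 1
fi

echo "Waiting $DELAY seconds for lockout to reset..."
sleep "$DELAY"
sleep 1

# Once the lockout has expired the correct password must work again.
$LDAPSEARCH -e ppolicy -H "$URI1" -D "$USER" -w "$PASS" \
	-b "$BASEDN" -s base >> "$SEARCHOUT" 2>&1
RC=$?
if test "$RC" != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$RC"
fi

# Same approach for password expiry: take the time-to-expire from the
# accountUsability control.
DELAYATTR=$($LDAPSEARCH -D "$MANAGERDN" -H "$URI1" -w "$PASSWD" -b "$USER" -E accountUsability 1.1)
echo "$DELAYATTR" >> "$SEARCHOUT"
DELAY=$(echo "$DELAYATTR" | sed -n -e 's/.*expire=\([[:digit:]]*\)/\1/p')
if test -z "$DELAY" ; then
	echo "Could not read expire from the accountUsability control"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit 1
fi

echo "Testing password expiration"
echo "Waiting $DELAY seconds for password to expire..."
sleep "$DELAY"
sleep 1

# After expiry each bind consumes a grace login.  The script expects three
# "grace logins" warnings and a refusal on the fourth bind.
$LDAPSEARCH -e ppolicy -H "$URI1" -D "$USER" -w "$PASS" \
	-b "$BASEDN" -s base > "$SEARCHOUT" 2>&1
sleep 2
$LDAPSEARCH -e ppolicy -H "$URI1" -D "$USER" -w "$PASS" \
	-b "$BASEDN" -s base >> "$SEARCHOUT" 2>&1
sleep 2
$LDAPSEARCH -e ppolicy -H "$URI1" -D "$USER" -w "$PASS" \
	-b "$BASEDN" -s base >> "$SEARCHOUT" 2>&1
sleep 2
$LDAPSEARCH -e ppolicy -H "$URI1" -D "$USER" -w "$PASS" \
	-b "$BASEDN" -s base >> "$SEARCHOUT" 2>&1
RC=$?
if test "$RC" = 0 ; then
	echo "Password expiration failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit 1
fi

COUNT=$(grep -c "grace logins" "$SEARCHOUT")
if test "$COUNT" != 3 ; then
	echo "Password expiration test failed"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit 1
fi

echo "Resetting password to clear expired status"
# Bind as the manager with $PASSWD, the same credential the populate step
# uses, rather than a literal copy of it.
$LDAPPASSWD -H "$URI1" \
	-w "$PASSWD" -s "$PASS" \
	-D "$MANAGERDN" "$USER" >> "$TESTOUT" 2>&1
RC=$?
if test "$RC" != 0 ; then
	echo "ldappasswd failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$RC"
fi

echo "Filling password history..."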
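# Rotate the user's password through six values in one ldapmodify run so
# the history fills up; each step removes the current value and replaces
# it with the next one.
$LDAPMODIFY -v -D "$USER" -H "$URI1" -w "$PASS" >> "$TESTOUT" 2>&1 << EOMODS
dn: $USER
changetype: modify
delete: userpassword
userpassword: $PASS
-
replace: userpassword
userpassword: 20urgle12-1

dn: $USER
changetype: modify
delete: userpassword
userpassword: 20urgle12-1
-
replace: userpassword
userpassword: 20urgle12-2

dn: $USER
changetype: modify
delete: userpassword
userpassword: 20urgle12-2
-
replace: userpassword
userpassword: 20urgle12-3

dn: $USER
changetype: modify
delete: userpassword
userpassword: 20urgle12-3
-
replace: userpassword
userpassword: 20urgle12-4

dn: $USER
changetype: modify
delete: userpassword
userpassword: 20urgle12-4
-
replace: userpassword
userpassword: 20urgle12-5

dn: $USER
changetype: modify
delete: userpassword
userpassword: 20urgle12-5
-
replace: userpassword
userpassword: 20urgle12-6

EOMODS
RC=$?
if test "$RC" != 0 ; then
	echo "ldapmodify failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$RC"
fi
echo "Testing password history..."
# Reusing a password that is still in the history must be refused.
$LDAPMODIFY -v -D "$USER" -H "$URI1" -w 20urgle12-6 >> "$TESTOUT" 2>&1 << EOMODS
dn: $USER
changetype: modify
delete: userPassword
userPassword: 20urgle12-6
-
replace: userPassword
userPassword: 20urgle12-2

EOMODS
RC=$?
if test "$RC" = 0 ; then
	# Success is the failure here; the message used to say "ldapmodify
	# failed", which pointed readers the wrong way.
	echo "ldapmodify should have failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit 1
fi

echo "Testing failed logins when password/policy missing..."

# An entry with a password but no applicable policy ...
$LDAPSEARCH -e ppolicy -H "$URI1" \
	-D "uid=test, ou=People,$BASEDN" -w hasnopolicy \
	-b "$BASEDN" -s base > "$SEARCHOUT" 2>&1
RC=$?
if test "$RC" = 0 ; then
	echo "Password accepted ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit 1
fi

# ... and an entry with no password at all: both binds must fail ...
$LDAPSEARCH -e ppolicy -H "$URI1" -D "$BASEDN" -w hasnopw \
	-b "$BASEDN" -s base > "$SEARCHOUT" 2>&1
RC=$?
if test "$RC" = 0 ; then
	echo "Password accepted ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit 1
fi

# ... without leaving a pwdFailureTime behind on either entry.
$LDAPSEARCH -H "$URI1" -D "$MANAGERDN" -w "$PASSWD" -b "$BASEDN" '*' '+' > "$SEARCHOUT" 2>&1
COUNT=$(grep -c "pwdFailureTime" "$SEARCHOUT")
if test "$COUNT" != 0 ; then
	echo "Failed login stored on an account without policy and or password"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit 1
fi

echo "Testing forced reset..."

# A password set by the password administrator (not the user) is expected
# to flag the account for a forced reset.
$LDAPMODIFY -v -D "$PWADMIN" -H "$URI1" -w "$ADMINPASSWD" >> "$TESTOUT" 2>&1 << EOMODS
dn: $USER
changetype: modify
replace: userPassword
userPassword: $PASS

EOMODS
RC=$?
if test "$RC" != 0 ; then
	echo "ldapmodify failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$RC"
fi

$LDAPSEARCH -e ppolicy -H "$URI1" -D "$USER" -w "$PASS" \
	-b "$BASEDN" -s base > "$SEARCHOUT" 2>&1
RC=$?
if test "$RC" = 0 ; then
	echo "Forced reset failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit 1
fi

COUNT=$(grep -c "Operations are restricted" "$SEARCHOUT")
if test "$COUNT" != 1 ; then
	echo "Forced reset test failed"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit 1
fi

echo "Clearing forced reset..."

$LDAPMODIFY -v -D "$MANAGERDN" -H "$URI1" -w "$PASSWD" >> "$TESTOUT" 2>&1 << EOMODS
dn: $USER
changetype: modify
delete: pwdReset

EOMODS
RC=$?
if test "$RC" != 0 ; then
	echo "ldapmodify failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$RC"
fi

$LDAPSEARCH -e ppolicy -H "$URI1" -D "$USER" -w "$PASS" \
	-b "$BASEDN" -s base > "$SEARCHOUT" 2>&1
RC=$?
if test "$RC" != 0 ; then
	echo "Clearing forced reset failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$RC"
fi

echo "Testing Safe modify..."

# Changing the password without supplying the old one (-a) must fail ...
$LDAPPASSWD -H "$URI1" \
	-w "$PASS" -s failexpect \
	-D "$USER" >> "$TESTOUT" 2>&1
RC=$?
if test "$RC" = 0 ; then
	echo "Safe modify test 1 failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit 1
fi

sleep 2

OLDPASS=$PASS
PASS=successexpect

# ... and succeed once the old password is supplied.
$LDAPPASSWD -H "$URI1" \
	-w "$OLDPASS" -s "$PASS" -a "$OLDPASS" \
	-D "$USER" >> "$TESTOUT" 2>&1
RC=$?
if test "$RC" != 0 ; then
	echo "Safe modify test 2 failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$RC"
fi

echo "Testing length requirement..."
# check control in response (ITS#5711)
# Output goes to a scratch file first so the control text can be grepped
# for this one operation only; it is appended to $TESTOUT afterwards.
$LDAPPASSWD -H "$URI1" \
	-w "$PASS" -a "$PASS" -s 2shr \
	-D "$USER" -e ppolicy > "${TESTOUT}.2" 2>&1
RC=$?
cat "${TESTOUT}.2" >> "$TESTOUT"
if test "$RC" = 0 ; then
	echo "Length requirement test failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit 1
fi
COUNT=$(grep -c "Password fails quality" "${TESTOUT}.2")
if test "$COUNT" != 1 ; then
	echo "Length requirement test failed"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit 1
fi
COUNT=$(grep -c "Password is too short for policy" "${TESTOUT}.2")
if test "$COUNT" != 1 ; then
	echo "Control not returned in response"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit 1
fi

$LDAPPASSWD -H "$URI1" \
	-w "$PASS" -a "$PASS" -s passwordthatistoolong \
	-D "$USER" -e ppolicy > "${TESTOUT}.2" 2>&1
RC=$?
cat "${TESTOUT}.2" >> "$TESTOUT"
# Mirror the too-short case: the operation itself must be refused, not
# just annotated with a control.
if test "$RC" = 0 ; then
	echo "Length requirement test failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit 1
fi
COUNT=$(grep -c "Password is too long for policy" "${TESTOUT}.2")
if test "$COUNT" != 1 ; then
	echo "Control not returned in response"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit 1
fi

echo "Testing hashed length requirement..."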
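
# A pre-hashed value cannot be length-checked, so the policy is expected to
# refuse it with a quality failure.
$LDAPMODIFY -H "$URI1" -D "$USER" -w "$PASS" > "${TESTOUT}.2" 2>&1 << EOMODS
dn: $USER
changetype: modify
delete: userPassword
userPassword: $PASS
-
add: userPassword
userPassword: {MD5}xxxxxx

EOMODS
RC=$?
cat "${TESTOUT}.2" >> "$TESTOUT"
if test "$RC" = 0 ; then
	echo "Hashed length requirement test failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit 1
fi
COUNT=$(grep -c "Password fails quality" "${TESTOUT}.2")
if test "$COUNT" != 1 ; then
	echo "Hashed length requirement test failed"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit 1
fi

echo "Testing multiple password add/modify checks..."

# Supplying two userPassword values in a single add, modify-add or
# modify-replace must all be refused.
$LDAPMODIFY -H "$URI1" -D "$MANAGERDN" -w "$PASSWD" >> "$TESTOUT" 2>&1 << EOMODS
dn: cn=Add Should Fail, ou=People, dc=example, dc=com
changetype: add
objectClass: inetOrgPerson
cn: Add Should Fail
sn: Fail
userPassword: firstpw
userPassword: secondpw
EOMODS
RC=$?
if test "$RC" = 0 ; then
	echo "Multiple password add test failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit 1
fi

$LDAPMODIFY -H "$URI1" -D "$MANAGERDN" -w "$PASSWD" >> "$TESTOUT" 2>&1 << EOMODS
dn: $USER
changetype: modify
add: userPassword
userPassword: firstpw
userPassword: secondpw
EOMODS
RC=$?
if test "$RC" = 0 ; then
	echo "Multiple password modify add test failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit 1
fi

$LDAPMODIFY -H "$URI1" -D "$MANAGERDN" -w "$PASSWD" >> "$TESTOUT" 2>&1 << EOMODS
dn: $USER
changetype: modify
replace: userPassword
userPassword: firstpw
userPassword: secondpw
EOMODS
RC=$?
if test "$RC" = 0 ; then
	echo "Multiple password modify replace test failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit 1
fi

echo "Testing idle password expiration"
echo "Reconfiguring policy to replace expiration with idle expiration..."
$LDAPMODIFY -v -D "$MANAGERDN" -H "$URI1" -w "$PASSWD" >> "$TESTOUT" 2>&1 << EOMODS
dn: cn=Standard Policy, ou=Policies, dc=example, dc=com
changetype: modify
delete: pwdMaxAge
-
add: pwdMaxIdle
pwdMaxIdle: 15

EOMODS
RC=$?
if test "$RC" != 0 ; then
	echo "ldapmodify failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$RC"
fi

# A successful bind here starts the idle clock; its result is deliberately
# not checked.  (Presumably this refreshes the last-success timestamp --
# confirm against the overlay if this step ever needs changing.)
$LDAPSEARCH -e ppolicy -H "$URI1" -D "$USER" -w "$PASS" \
	-b "$BASEDN" -s base > "$SEARCHOUT" 2>&1

DELAYATTR=$($LDAPSEARCH -D "$MANAGERDN" -H "$URI1" -w "$PASSWD" -b "$USER" -E accountUsability 1.1)
echo "$DELAYATTR" >> "$SEARCHOUT"
DELAY=$(echo "$DELAYATTR" | sed -n -e 's/.*expire=\([[:digit:]]*\)/\1/p')
# An empty $DELAY would make "sleep" fail and the idle check run too early.
if test -z "$DELAY" ; then
	echo "Could not read expire from the accountUsability control"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit 1
fi

echo "Waiting $DELAY seconds for password to expire..."
sleep "$DELAY"
sleep 1

# 49 is LDAP invalidCredentials: the idle-expired password must be refused
# outright, with no grace logins.
$LDAPSEARCH -e ppolicy -H "$URI1" -D "$USER" -w "$PASS" \
	-b "$BASEDN" -s base >> "$SEARCHOUT" 2>&1
RC=$?
if test "$RC" != 49 ; then
	echo "Password idle expiration failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit 1
fi

echo "Reverting policy changes..."
$LDAPMODIFY -v -D "$MANAGERDN" -H "$URI1" -w "$PASSWD" >> "$TESTOUT" 2>&1 << EOMODS
dn: cn=Standard Policy, ou=Policies, dc=example, dc=com
changetype: modify
delete: pwdMaxIdle
-
add: pwdMaxAge
pwdMaxAge: 30

EOMODS
RC=$?
if test "$RC" != 0 ; then
	echo "ldapmodify failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$RC"
fi

# Policy-state forwarding needs a syncrepl consumer that chains writes back
# to the provider, so it requires both back-ldap and syncprov.
if test "$BACKLDAP" != "ldapno" && test "$SYNCPROV" != "syncprovno" ; then
	echo ""
	echo "Setting up policy state forwarding test..."

	# -p keeps a rerun over a leftover directory from emitting an error.
	mkdir -p "$DBDIR2"
	# The consumer uses the provider's config with only the DB path swapped.
	sed -e "s,$DBDIR1,$DBDIR2," < "$CONF1" > "$CONF2"
	echo "Starting slapd consumer on TCP/IP port $PORT2..."
	$SLAPD -f "$CONF2" -h "$URI2" -d "$LVL" > "$LOG2" 2>&1 &
	PID=$!
	if test "$WAIT" != 0 ; then
		echo PID $PID
		read -r foo
	fi
	KILLPIDS="$KILLPIDS $PID"

	echo "Configuring syncprov on provider..."
	if test "$SYNCPROV" = syncprovmod ; then
		$LDAPADD -D cn=config -H "$URI1" -y "$CONFIGPWF" <<EOF >> "$TESTOUT" 2>&1
dn: cn=module,cn=config
objectclass: olcModuleList
cn: module
olcModulePath: $TESTWD/../servers/slapd/overlays
olcModuleLoad: syncprov.la

EOF
		RC=$?
		if test "$RC" != 0 ; then
			echo "ldapadd failed for moduleLoad ($RC)!"
			test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
			exit "$RC"
		fi
	fi

	$LDAPADD -D cn=config -H "$URI1" -y "$CONFIGPWF" <<EOF >> "$TESTOUT" 2>&1
dn: olcOverlay={1}syncprov,olcDatabase={1}$BACKEND,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {1}syncprov

EOF
	RC=$?
	if test "$RC" != 0 ; then
		echo "ldapadd failed for provider database config ($RC)!"
		test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
		exit "$RC"
	fi

	echo "Using ldapsearch to check that slapd is running..."
	for i in 0 1 2 3 4 5; do
		$LDAPSEARCH -s base -b "$MONITOR" -H "$URI2" \
			'objectclass=*' > /dev/null 2>&1
		RC=$?
		if test "$RC" = 0 ; then
			break
		fi
		echo "Waiting 5 seconds for slapd to start..."
		sleep 5
	done
	if test "$RC" != 0 ; then
		echo "ldapsearch failed ($RC)!"
		test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
		exit "$RC"
	fi

	echo "Configuring syncrepl on consumer..."
	if test "$BACKLDAP" = ldapmod ; then
		$LDAPADD -D cn=config -H "$URI2" -y "$CONFIGPWF" <<EOF >> "$TESTOUT" 2>&1
dn: cn=module,cn=config
objectclass: olcModuleList
cn: module
olcModulePath: $TESTWD/../servers/slapd/back-ldap
olcModuleLoad: back_ldap.la

EOF
		RC=$?
		if test "$RC" != 0 ; then
			echo "ldapadd failed for moduleLoad ($RC)!"
			test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
			exit "$RC"
		fi
	fi
	# Chain overlay (writes forwarded to the provider), syncrepl consumer,
	# updateref, and ppolicy forwarding on the consumer's overlay instance.
	# Indented lines below are LDIF continuation lines and must keep their
	# leading spaces.
	$LDAPMODIFY -D cn=config -H "$URI2" -y "$CONFIGPWF" <<EOF >> "$TESTOUT" 2>&1
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain

dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDBURI: $URI1
olcDbIDAssertBind: bindmethod=simple
  binddn="cn=manager,dc=example,dc=com"
  credentials=secret
  mode=self

dn: olcDatabase={1}$BACKEND,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=1
  provider=$URI1
  binddn="cn=manager,dc=example,dc=com"
  bindmethod=simple
  credentials=secret
  searchbase="dc=example,dc=com"
  type=refreshAndPersist
  retry="3 5 300 5"
-
add: olcUpdateref
olcUpdateref: $URI1
-

dn: olcOverlay={0}ppolicy,olcDatabase={1}$BACKEND,cn=config
changetype: modify
replace: olcPPolicyForwardUpdates
olcPPolicyForwardUpdates: TRUE
-

EOF
	RC=$?
	if test "$RC" != 0 ; then
		echo "ldapmodify failed ($RC)!"
		test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
		exit "$RC"
	fi

	echo "Waiting for consumer to sync..."
	sleep "$SLEEP1"

	echo "Testing policy state forwarding..."
	# A failed bind against the consumer (49 = invalidCredentials) ...
	$LDAPSEARCH -H "$URI2" -D "$USER" -w wrongpw >"$SEARCHOUT" 2>&1
	RC=$?
	if test "$RC" != 49 ; then
		echo "ldapsearch should have failed with 49, got ($RC)!"
		test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
		exit 1
	fi

	# ... must show up as exactly one pwdFailureTime on the provider.
	$LDAPSEARCH -H "$URI1" -D "$MANAGERDN" -w "$PASSWD" -b "$USER" '*' '+' >> "$SEARCHOUT" 2>&1
	COUNT=$(grep -c "pwdFailureTime" "$SEARCHOUT")
	if test "$COUNT" != 1 ; then
		echo "Policy state forwarding failed"
		test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
		exit 1
	fi

	# End of chaining test

fi

echo ""
echo "Testing obsolete Netscape ppolicy controls..."
echo "Enabling Netscape controls..."
$LDAPMODIFY -v -D cn=config -H "$URI1" -y "$CONFIGPWF" >> "$TESTOUT" 2>&1 << EOMODS
dn: olcOverlay={0}ppolicy,olcDatabase={1}$BACKEND,cn=config
changetype: modify
replace: olcPPolicySendNetscapeControls
olcPPolicySendNetscapeControls: TRUE
-

EOMODS
RC=$?
if test "$RC" != 0 ; then
	echo "ldapmodify failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$RC"
fi

echo "Reconfiguring policy to remove grace logins..."
$LDAPMODIFY -v -D "$MANAGERDN" -H "$URI1" -w "$PASSWD" >> "$TESTOUT" 2>&1 << EOMODS
dn: cn=Standard Policy, ou=Policies, dc=example, dc=com
changetype: modify
delete: pwdGraceAuthnLimit
-
replace: pwdMaxAge
pwdMaxAge: 15
-

EOMODS
RC=$?
if test "$RC" != 0 ; then
	echo "ldapmodify failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$RC"
fi

OLDPASS=$PASS
PASS=newpass
# Manager bind with $PASSWD, consistent with the other manager operations.
$LDAPPASSWD -H "$URI1" \
	-w "$PASSWD" -s "$PASS" \
	-D "$MANAGERDN" "$USER" >> "$TESTOUT" 2>&1
RC=$?
if test "$RC" != 0 ; then
	echo "Setting new password failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$RC"
fi

echo "Clearing forced reset..."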
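$LDAPMODIFY -v -D "$MANAGERDN" -H "$URI1" -w "$PASSWD" >> "$TESTOUT" 2>&1 << EOMODS
dn: $USER
changetype: modify
delete: pwdReset

EOMODS
RC=$?
# The earlier "Clearing forced reset" step checks this result; an
# unchecked failure here would leave the account in forced-reset state
# and turn the expiry check below into a false positive.
if test "$RC" != 0 ; then
	echo "ldapmodify failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$RC"
fi

DELAYATTR=$($LDAPSEARCH -D "$MANAGERDN" -H "$URI1" -w "$PASSWD" -b "$USER" -E accountUsability 1.1)
echo "$DELAYATTR" >> "$TESTOUT"
DELAY=$(echo "$DELAYATTR" | sed -n -e 's/.*expire=\([[:digit:]]*\)/\1/p')
if test -z "$DELAY" ; then
	echo "Could not read expire from the accountUsability control"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit 1
fi
# Wake up ten seconds before expiry so the polling loop below observes the
# PasswordExpiring warning before the password actually expires.  Clamp at
# zero: a negative value would make "sleep" fail instead of sleeping.
DELAY=$((DELAY - 10))
if test "$DELAY" -lt 0 ; then
	DELAY=0
fi

echo "Testing password expiration"
echo "Waiting $DELAY seconds for password to expire..."
sleep "$DELAY"

# Poll every three seconds; grace logins were removed above, so the last
# bind is expected to be refused outright.
$LDAPSEARCH -H "$URI1" -D "$USER" -w "$PASS" \
	-b "$BASEDN" -s base > "$SEARCHOUT" 2>&1
sleep 3
$LDAPSEARCH -H "$URI1" -D "$USER" -w "$PASS" \
	-b "$BASEDN" -s base >> "$SEARCHOUT" 2>&1
sleep 3
$LDAPSEARCH -H "$URI1" -D "$USER" -w "$PASS" \
	-b "$BASEDN" -s base >> "$SEARCHOUT" 2>&1
sleep 3
$LDAPSEARCH -H "$URI1" -D "$USER" -w "$PASS" \
	-b "$BASEDN" -s base >> "$SEARCHOUT" 2>&1
sleep 3
$LDAPSEARCH -H "$URI1" -D "$USER" -w "$PASS" \
	-b "$BASEDN" -s base >> "$SEARCHOUT" 2>&1
RC=$?
if test "$RC" = 0 ; then
	echo "Password expiration failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit 1
fi
# At least one of the earlier binds must have carried the Netscape
# PasswordExpiring warning.
COUNT=$(grep -c "PasswordExpiring" "$SEARCHOUT")
if test "$COUNT" = 0 ; then
	echo "Password expiring warning test failed!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit 1
fi

test "$KILLSERVERS" != no && kill -HUP $KILLPIDS

echo ">>>>> Test succeeded"

test "$KILLSERVERS" != no && wait

exit 0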