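#! /bin/sh
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2024 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.

# End-to-end test of the autoca overlay.  Every tool path, port, DN and
# output file name used below comes from scripts/defines.sh ($SLAPD,
# $LDAPADD, $LDAPSEARCH, $URIP1, $BASEDN, $TESTDIR, ...).  Some of those
# values are multi-word command strings, so they are intentionally left
# unquoted where they are executed.

echo "running defines.sh"
. $SRCDIR/scripts/defines.sh

if test $AUTOCA = autocano; then
	echo "Automatic CA overlay not available, test skipped"
	exit 0
fi

if test $BACKEND = ldif ; then
	# autoca tries to modify an entry in a search response,
	# which deadlocks because the tree is readlocked by the search.
	echo "Test does not support $BACKEND backend, test skipped"
	exit 0
fi

CFDIR=$TESTDIR/slapd.d

mkdir -p $TESTDIR $CFDIR $DBDIR1

# Generate a random cn=config rootpw into a file; the tools read it back
# with -y, so it is never passed as a command-line argument.
$SLAPPASSWD -g -n >$CONFIGPWF

#
# Test operation of autoca:
# - configure over ldap without TLS
# - populate over ldap
# - add host entry
# - add autoca overlay
# - generate server and user certs
# - check for TLS operation
#

echo "Starting slapd on TCP/IP port $PORT1..."
. $CONFFILTER $BACKEND < $DYNAMICCONF > $CONFLDIF
$SLAPADD -F $CFDIR -n 0 -l $CONFLDIF
RC=$?
if test $RC != 0 ; then
	echo "slapadd failed ($RC)!"
	exit $RC
fi

$SLAPD -F $CFDIR -h $URIP1 -d $LVL > $LOG1 2>&1 &
PID=$!
if test $WAIT != 0 ; then
	# Pause so a developer can attach a debugger to the server.
	echo PID $PID
	read -r foo
fi
KILLPIDS="$PID"
cd $TESTWD

sleep 1

echo "Using ldapsearch to check that slapd is running..."
for i in 0 1 2 3 4 5; do
	$LDAPSEARCH -s base -b "" -H $URIP1 \
		'objectclass=*' > /dev/null 2>&1
	RC=$?
	if test $RC = 0 ; then
		break
	fi
	echo "Waiting 5 seconds for slapd to start..."
	sleep 5
done

if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

echo "Adding schema and databases on slapd..."
$LDAPADD -D cn=config -H $URIP1 -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
include: file://$ABS_SCHEMADIR/core.ldif

include: file://$ABS_SCHEMADIR/cosine.ldif

include: file://$ABS_SCHEMADIR/inetorgperson.ldif

include: file://$ABS_SCHEMADIR/openldap.ldif

include: file://$ABS_SCHEMADIR/nis.ldif
EOF
RC=$?
if test $RC != 0 ; then
	echo "ldapadd failed for schema config ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

# For the null backend the backend-specific objectClass and olcDbDirectory
# lines of the database LDIF below are turned into comments by prefixing
# them with "# ".  nullOK is not referenced in this script; it is kept for
# parity with the other test scripts.
nullExclude="" nullOK=""
test $BACKEND = null && nullExclude="# " nullOK="OK"

if [ "$BACKENDTYPE" = mod ]; then
	$LDAPADD -D cn=config -H $URIP1 -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: $TESTWD/../servers/slapd/back-$BACKEND
olcModuleLoad: back_$BACKEND.la
EOF
	RC=$?
	if test $RC != 0 ; then
		echo "ldapadd failed for backend config ($RC)!"
		test $KILLSERVERS != no && kill -HUP $KILLPIDS
		exit $RC
	fi
fi

$LDAPADD -D cn=config -H $URIP1 -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
dn: olcDatabase={1}$BACKEND,cn=config
objectClass: olcDatabaseConfig
${nullExclude}objectClass: olc${BACKEND}Config
olcDatabase: {1}$BACKEND
olcSuffix: $BASEDN
${nullExclude}olcDbDirectory: $DBDIR1
olcRootDN: $MANAGERDN
olcRootPW: $PASSWD
EOF
RC=$?
if test $RC != 0 ; then
	echo "ldapadd failed for database config ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

if test $INDEXDB = indexdb ; then
	$LDAPMODIFY -D cn=config -H $URIP1 -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
dn: olcDatabase={1}$BACKEND,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: objectClass,entryUUID,entryCSN eq
olcDbIndex: cn,uid pres,eq,sub
EOF
	RC=$?
	if test $RC != 0 ; then
		# Message names the tool actually run (ldapmodify) and the step.
		echo "ldapmodify failed for database index config ($RC)!"
		test $KILLSERVERS != no && kill -HUP $KILLPIDS
		exit $RC
	fi
fi

echo "Using ldapadd to populate slapd..."
$LDAPADD -D "$MANAGERDN" -H $URIP1 -w $PASSWD -f $LDIFORDERED \
	>> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
	echo "ldapadd failed for database populate ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

# Host entries: cn=localhost is the one autoca is pointed at below
# (olcAutoCAlocalDN) and is the entry whose server cert is generated.
# NOTE(review): the second entry's cn value does not match its RDN
# (cn=www.example.com); this looks like a copy/paste slip — confirm whether
# it is intentional before changing the LDIF.
echo "Adding server entries to slapd..."
$LDAPADD -D "$MANAGERDN" -H $URIP1 -w $PASSWD <<EOF >> $TESTOUT 2>&1
dn: ou=Servers,$BASEDN
objectClass: organizationalUnit
ou: Servers

dn: cn=localhost,ou=Servers,$BASEDN
objectClass: device
objectClass: ipHost
cn: localhost
ipHostNumber: 127.0.0.1

dn: cn=www.example.com,ou=Servers,$BASEDN
objectClass: device
objectClass: ipHost
cn: localhost
ipHostNumber: 93.184.216.34
EOF
RC=$?
if test $RC != 0 ; then
	echo "ldapadd failed for server entries ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

echo "Inserting autoca overlay on slapd..."
if [ "$AUTOCA" = autocamod ]; then
	# Append to $TESTOUT like every other step; the original truncated
	# the file here and discarded the output of the earlier steps.
	$LDAPADD -D cn=config -H $URIP1 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: $TESTWD/../servers/slapd/overlays
olcModuleLoad: autoca.la
EOF
	RC=$?
	if test $RC != 0 ; then
		echo "ldapadd failed for moduleLoad ($RC)!"
		test $KILLSERVERS != no && kill -HUP $KILLPIDS
		exit $RC
	fi
fi
$LDAPMODIFY -D cn=config -H $URIP1 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
dn: olcOverlay=autoca,olcDatabase={1}$BACKEND,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAutoCAConfig
olcOverlay: autoca
olcAutoCAlocalDN: cn=localhost,ou=Servers,$BASEDN
EOF
RC=$?
if test $RC != 0 ; then
	echo "ldapmodify failed for autoca config ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

# The CA certificate is read from the suffix entry over the still
# unencrypted LDAP connection and then trusted as LDAPTLS_CACERT below.
# That is acceptable only because the server is the local test instance
# started above; a real deployment distributes the CA cert out of band.
echo "Using ldapsearch to retrieve CA cert..."
$LDAPSEARCH -b $BASEDN -D $MANAGERDN -H $URIP1 -w $PASSWD -s base \
	'objectclass=*' 'cACertificate;binary' > $SEARCHOUT 2>&1
RC=$?

if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

# ldapsearch emits the binary value base64 encoded ("attr:: ..." in LDIF).
# Drop the dn line, the attribute name and blank lines so only the base64
# body is left between the PEM markers.
echo "Setting up CA cert..."
echo "-----BEGIN CERTIFICATE-----" > $TESTDIR/cacert.pem
sed -e "/^dn:/d" -e "s/cACertificate;binary:://" -e "/^$/d" $SEARCHOUT >> $TESTDIR/cacert.pem
echo "-----END CERTIFICATE-----" >> $TESTDIR/cacert.pem

# Searching the host entry for its cert attributes is what makes autoca
# issue the server cert; -A suppresses the values, only the names are
# needed here.
echo "Using ldapsearch to generate localhost cert..."
$LDAPSEARCH -b cn=localhost,ou=Servers,$BASEDN -D $MANAGERDN -H $URIP1 -w $PASSWD -s base \
	-A 'objectclass=*' 'userCertificate;binary' 'userPrivateKey;binary' >> $TESTOUT 2>&1
RC=$?

if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

# -ZZ makes ldapsearch fail unless StartTLS succeeds, so this step proves
# the server cert issued by autoca validates against the CA cert above.
echo "Using ldapsearch to attempt TLS..."
unset LDAPNOINIT
LDAPTLS_CACERT=$TESTDIR/cacert.pem
export LDAPTLS_CACERT
$LDAPSEARCH -b $BASEDN -D $MANAGERDN -H $URIP1 -w $PASSWD -s base -ZZ \
	'objectclass=*' >> $TESTOUT 2>&1
RC=$?

if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

if test $WITH_SASL = no ; then
	echo "SASL support not available, skipping client cert authentication"
else
	# note - the attrs are being saved in raw DER form.
	# they need to be base64 encoded into PEM for most programs to use them
	# so we ignore those files for now.
	echo "Using ldapsearch to generate user cert..."
	$LDAPSEARCH -b "$BABSDN" -D $MANAGERDN -H $URIP1 -w $PASSWD -s base -ZZ \
		-T $TESTDIR -t 'objectclass=*' 'userCertificate;binary' 'userPrivateKey;binary' >> $TESTOUT 2>&1
	RC=$?

	if test $RC != 0 ; then
		echo "ldapsearch failed ($RC)!"
		test $KILLSERVERS != no && kill -HUP $KILLPIDS
		exit $RC
	fi

	echo "Using ldapsearch to retrieve user cert..."
	$LDAPSEARCH -b "$BABSDN" -D $MANAGERDN -H $URIP1 -w $PASSWD -s base -ZZ \
		'objectclass=*' 'userCertificate;binary' > $SEARCHOUT 2>&1
	RC=$?

	if test $RC != 0 ; then
		echo "ldapsearch failed ($RC)!"
		test $KILLSERVERS != no && kill -HUP $KILLPIDS
		exit $RC
	fi

	# Same PEM reconstruction as for the CA cert.  The extra "/^ dc=com/d"
	# drops the LDIF continuation line of the (long) user DN; it assumes
	# $BABSDN wraps right before "dc=com" — revisit if BASEDN changes.
	echo "Setting up user cert..."
	echo "-----BEGIN CERTIFICATE-----" > $TESTDIR/usercert.pem
	sed -e "/^dn:/d" -e "/^ dc=com/d" -e "s/userCertificate;binary:://" -e "/^$/d" $SEARCHOUT >> $TESTDIR/usercert.pem
	echo "-----END CERTIFICATE-----" >> $TESTDIR/usercert.pem

	echo "Using ldapsearch to retrieve user key..."
	$LDAPSEARCH -b "$BABSDN" -D $MANAGERDN -H $URIP1 -w $PASSWD -s base -ZZ \
		'objectclass=*' 'userPrivateKey;binary' > $SEARCHOUT 2>&1
	RC=$?

	if test $RC != 0 ; then
		echo "ldapsearch failed ($RC)!"
		test $KILLSERVERS != no && kill -HUP $KILLPIDS
		exit $RC
	fi

	# The private key lands unencrypted under $TESTDIR; that is a throwaway
	# test directory, not a place a real key should live.
	echo "Setting up user key..."
	echo "-----BEGIN PRIVATE KEY-----" > $TESTDIR/userkey.pem
	sed -e "/^dn:/d" -e "/^ dc=com/d" -e "s/userPrivateKey;binary:://" -e "/^$/d" $SEARCHOUT >> $TESTDIR/userkey.pem
	echo "-----END PRIVATE KEY-----" >> $TESTDIR/userkey.pem

	# Client cert and key for the ldap tools' TLS handshake below.
	LDAPTLS_CERT=$TESTDIR/usercert.pem
	LDAPTLS_KEY=$TESTDIR/userkey.pem
	export LDAPTLS_CERT
	export LDAPTLS_KEY

	# "try" requests a client cert but does not refuse clients without one.
	echo "Setting TLSVerifyClient to try..."
	$LDAPMODIFY -D cn=config -H $URIP1 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
dn: cn=config
changetype: modify
replace: olcTLSVerifyClient
olcTLSVerifyClient: try
EOF
	RC=$?
	if test $RC != 0 ; then
		echo "ldapmodify failed for TLSVerifyClient config ($RC)!"
		test $KILLSERVERS != no && kill -HUP $KILLPIDS
		exit $RC
	fi

	# SASL EXTERNAL over StartTLS authenticates with the user cert issued
	# by autoca.  RC must be captured here: without this assignment the
	# check below saw the status of the ldapmodify above and the client
	# cert authentication could never fail the test.
	$CLIENTDIR/ldapwhoami -Y EXTERNAL -H $URIP1 -ZZ
	RC=$?

	if test $RC != 0 ; then
		echo "ldapwhoami failed ($RC)!"
		test $KILLSERVERS != no && kill -HUP $KILLPIDS
		exit $RC
	fi
fi

test $KILLSERVERS != no && kill -HUP $KILLPIDS

echo ">>>>> Test succeeded"

test $KILLSERVERS != no && wait

exit 0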