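#! /bin/sh
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.

# test066-autoca: end-to-end check of the autoca overlay.
#
# Environment: everything is supplied by the harness via defines.sh
# (SRCDIR, TESTDIR, TESTWD, DBDIR1, BACKEND, BACKENDTYPE, AUTOCA, INDEXDB,
# WITH_SASL, PORT1, URIP1, LVL, LOG1, WAIT, KILLSERVERS, CONFIGPWF,
# DYNAMICCONF, CONFLDIF, CONFFILTER, TESTOUT, SEARCHOUT, LDIFORDERED,
# ABS_SCHEMADIR, CLIENTDIR, BASEDN, MANAGERDN, PASSWD, BABSDN and the
# tool wrappers SLAPD, SLAPADD, SLAPPASSWD, LDAPADD, LDAPMODIFY, LDAPSEARCH).
# The tool wrappers may carry their own arguments, so they are expanded
# unquoted on purpose; plain paths, DNs and URIs are quoted.  KILLPIDS is
# a space-separated list and is also expanded unquoted on purpose.
#
# Exit status: 0 on success or when the overlay is not built; otherwise the
# status of the first failing client tool (slapd is stopped first unless
# KILLSERVERS=no).

echo "running defines.sh"
. "$SRCDIR/scripts/defines.sh"

if test "$AUTOCA" = autocano; then
	echo "Automatic CA overlay not available, test skipped"
	exit 0
fi

CFDIR=$TESTDIR/slapd.d

mkdir -p "$TESTDIR" "$CFDIR" "$DBDIR1"

# Generate a random password for the cn=config rootdn into a file; the
# client tools read it with -y so it never appears on a command line.
$SLAPPASSWD -g -n >"$CONFIGPWF"

#
# Test operation of autoca:
# - configure over ldap without TLS
# - populate over ldap
# - add host entry
# - add autoca overlay
# - generate server and user certs
# - check for TLS operation
#

echo "Starting slapd on TCP/IP port $PORT1..."
. $CONFFILTER $BACKEND < "$DYNAMICCONF" > "$CONFLDIF"
$SLAPADD -F "$CFDIR" -n 0 -l "$CONFLDIF"
$SLAPD -F "$CFDIR" -h "$URIP1" -d $LVL > "$LOG1" 2>&1 &
PID=$!
if test "$WAIT" != 0 ; then
	echo PID $PID
	read foo
fi
KILLPIDS="$PID"
cd "$TESTWD"

sleep 1

echo "Using ldapsearch to check that slapd is running..."
for i in 0 1 2 3 4 5; do
	$LDAPSEARCH -s base -b "" -H "$URIP1" \
		'objectclass=*' > /dev/null 2>&1
	RC=$?
	if test $RC = 0 ; then
		break
	fi
	echo "Waiting 5 seconds for slapd to start..."
	sleep 5
done

if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit $RC
fi

echo "Adding schema and databases on slapd..."
$LDAPADD -D cn=config -H "$URIP1" -y "$CONFIGPWF" <<EOF >>"$TESTOUT" 2>&1
include: file://$ABS_SCHEMADIR/core.ldif

include: file://$ABS_SCHEMADIR/cosine.ldif

include: file://$ABS_SCHEMADIR/inetorgperson.ldif

include: file://$ABS_SCHEMADIR/openldap.ldif

include: file://$ABS_SCHEMADIR/nis.ldif
EOF
RC=$?
if test $RC != 0 ; then
	echo "ldapadd failed for schema config ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit $RC
fi

# The null backend has no database directory or backend-specific config
# objectClass; nullExclude comments those lines out of the LDIF below.
nullExclude="" nullOK=""
test "$BACKEND" = null && nullExclude="# " nullOK="OK"

if test "$BACKENDTYPE" = mod; then
	$LDAPADD -D cn=config -H "$URIP1" -y "$CONFIGPWF" <<EOF >>"$TESTOUT" 2>&1
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: $TESTWD/../servers/slapd/back-$BACKEND
olcModuleLoad: back_$BACKEND.la
EOF
	RC=$?
	if test $RC != 0 ; then
		echo "ldapadd failed for backend config ($RC)!"
		test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
		exit $RC
	fi
fi

$LDAPADD -D cn=config -H "$URIP1" -y "$CONFIGPWF" <<EOF >>"$TESTOUT" 2>&1
dn: olcDatabase={1}$BACKEND,cn=config
objectClass: olcDatabaseConfig
${nullExclude}objectClass: olc${BACKEND}Config
olcDatabase: {1}$BACKEND
olcSuffix: $BASEDN
${nullExclude}olcDbDirectory: $DBDIR1
olcRootDN: $MANAGERDN
olcRootPW: $PASSWD
EOF
RC=$?
if test $RC != 0 ; then
	echo "ldapadd failed for database config ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit $RC
fi

if test "$INDEXDB" = indexdb ; then
	$LDAPMODIFY -D cn=config -H "$URIP1" -y "$CONFIGPWF" <<EOF >>"$TESTOUT" 2>&1
dn: olcDatabase={1}$BACKEND,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: objectClass,entryUUID,entryCSN eq
olcDbIndex: cn,uid pres,eq,sub
EOF
	RC=$?
	if test $RC != 0 ; then
		echo "ldapmodify failed for database index config ($RC)!"
		test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
		exit $RC
	fi
fi

echo "Using ldapadd to populate slapd..."
$LDAPADD -D "$MANAGERDN" -H "$URIP1" -w "$PASSWD" -f "$LDIFORDERED" \
	>> "$TESTOUT" 2>&1
RC=$?
if test $RC != 0 ; then
	echo "ldapadd failed for database populate ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit $RC
fi

echo "Adding server entries to slapd..."
# cn=localhost is the entry the overlay will issue the server certificate
# for (olcAutoCAlocalDN below).  Each entry's cn must carry its own RDN
# value, otherwise slapd rejects the add with a namingViolation.
$LDAPADD -D "$MANAGERDN" -H "$URIP1" -w "$PASSWD" <<EOF >> "$TESTOUT" 2>&1
dn: ou=Servers,$BASEDN
objectClass: organizationalUnit
ou: Servers

dn: cn=localhost,ou=Servers,$BASEDN
objectClass: device
objectClass: ipHost
cn: localhost
ipHostNumber: 127.0.0.1

dn: cn=www.example.com,ou=Servers,$BASEDN
objectClass: device
objectClass: ipHost
cn: www.example.com
ipHostNumber: 93.184.216.34
EOF
RC=$?
if test $RC != 0 ; then
	echo "ldapadd failed for server entries ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit $RC
fi

echo "Inserting autoca overlay on slapd..."
if test "$AUTOCA" = autocamod; then
	# Append to TESTOUT like every other step; truncating here would
	# discard the log of everything done so far.
	$LDAPADD -D cn=config -H "$URIP1" -y "$CONFIGPWF" <<EOF >> "$TESTOUT" 2>&1
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: $TESTWD/../servers/slapd/overlays
olcModuleLoad: autoca.la
EOF
	RC=$?
	if test $RC != 0 ; then
		echo "ldapadd failed for moduleLoad ($RC)!"
		test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
		exit $RC
	fi
fi
$LDAPMODIFY -D cn=config -H "$URIP1" -y "$CONFIGPWF" <<EOF >> "$TESTOUT" 2>&1
dn: olcOverlay=autoca,olcDatabase={1}$BACKEND,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAutoCAConfig
olcOverlay: autoca
olcAutoCAlocalDN: cn=localhost,ou=Servers,$BASEDN
EOF
RC=$?
if test $RC != 0 ; then
	echo "ldapmodify failed for autoca config ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit $RC
fi

echo "Using ldapsearch to retrieve CA cert..."
# The overlay publishes its CA certificate on the suffix entry.
$LDAPSEARCH -b "$BASEDN" -D "$MANAGERDN" -H "$URIP1" -w "$PASSWD" -s base \
	'objectclass=*' 'cACertificate;binary' > "$SEARCHOUT" 2>&1
RC=$?

if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit $RC
fi

# Fail here, with a clear message, rather than later with an empty PEM
# file and an opaque TLS handshake error.
if ! grep -q '^cACertificate;binary::' "$SEARCHOUT"; then
	echo "autoca did not publish cACertificate on $BASEDN!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit 1
fi

echo "Setting up CA cert..."
# Turn the LDIF into PEM: drop the dn line, the attribute name and blank
# lines; the remaining base64 lines (LDIF folds them with a leading space,
# which is stripped last) are the DER certificate.
echo "-----BEGIN CERTIFICATE-----" > "$TESTDIR/cacert.pem"
sed -e "/^dn:/d" -e "s/cACertificate;binary:://" -e "/^$/d" -e "s/^ //" "$SEARCHOUT" >> "$TESTDIR/cacert.pem"
echo "-----END CERTIFICATE-----" >> "$TESTDIR/cacert.pem"

echo "Using ldapsearch to generate localhost cert..."
# Reading these attributes on the localDN entry is what makes the overlay
# issue the server certificate and key; -A asks for attribute names only.
$LDAPSEARCH -b "cn=localhost,ou=Servers,$BASEDN" -D "$MANAGERDN" -H "$URIP1" -w "$PASSWD" -s base \
	-A 'objectclass=*' 'userCertificate;binary' 'userPrivateKey;binary' >> "$TESTOUT" 2>&1
RC=$?

if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit $RC
fi

echo "Using ldapsearch to attempt TLS..."
# LDAPNOINIT makes libldap ignore ldap.conf and the LDAP* environment;
# it has to be cleared for LDAPTLS_CACERT to take effect.  -ZZ makes a
# failed StartTLS fatal, so this step only passes if the server chain
# validates against the CA certificate extracted above (TLS_REQCERT
# defaults to demand).
unset LDAPNOINIT
LDAPTLS_CACERT=$TESTDIR/cacert.pem
export LDAPTLS_CACERT
$LDAPSEARCH -b "$BASEDN" -D "$MANAGERDN" -H "$URIP1" -w "$PASSWD" -s base -ZZ \
	'objectclass=*' >> "$TESTOUT" 2>&1
RC=$?

if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit $RC
fi

if test "$WITH_SASL" = no ; then
	echo "SASL support not available, skipping client cert authentication"
else
	# note - the attrs are being saved in raw DER form.
	# they need to be base64 encoded into PEM for most programs to use them
	# so we ignore those files for now.  (-t/-T write one file per value
	# under TESTDIR; the private key file is left there until the test
	# directory is cleaned.)
	echo "Using ldapsearch to generate user cert..."
	$LDAPSEARCH -b "$BABSDN" -D "$MANAGERDN" -H "$URIP1" -w "$PASSWD" -s base -ZZ \
		-T "$TESTDIR" -t 'objectclass=*' 'userCertificate;binary' 'userPrivateKey;binary' >> "$TESTOUT" 2>&1
	RC=$?

	if test $RC != 0 ; then
		echo "ldapsearch failed ($RC)!"
		test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
		exit $RC
	fi

	echo "Using ldapsearch to retrieve user cert..."
	$LDAPSEARCH -b "$BABSDN" -D "$MANAGERDN" -H "$URIP1" -w "$PASSWD" -s base -ZZ \
		'objectclass=*' 'userCertificate;binary' > "$SEARCHOUT" 2>&1
	RC=$?

	if test $RC != 0 ; then
		echo "ldapsearch failed ($RC)!"
		test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
		exit $RC
	fi

	echo "Setting up user cert..."
	# BABSDN is long enough that ldapsearch folds the dn line; the
	# "/^ dc=com/d" rule removes that continuation line.
	echo "-----BEGIN CERTIFICATE-----" > "$TESTDIR/usercert.pem"
	sed -e "/^dn:/d" -e "/^ dc=com/d" -e "s/userCertificate;binary:://" -e "/^$/d" -e "s/^ //" "$SEARCHOUT" >> "$TESTDIR/usercert.pem"
	echo "-----END CERTIFICATE-----" >> "$TESTDIR/usercert.pem"

	echo "Using ldapsearch to retrieve user key..."
	$LDAPSEARCH -b "$BABSDN" -D "$MANAGERDN" -H "$URIP1" -w "$PASSWD" -s base -ZZ \
		'objectclass=*' 'userPrivateKey;binary' > "$SEARCHOUT" 2>&1
	RC=$?

	if test $RC != 0 ; then
		echo "ldapsearch failed ($RC)!"
		test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
		exit $RC
	fi

	echo "Setting up user key..."
	echo "-----BEGIN PRIVATE KEY-----" > "$TESTDIR/userkey.pem"
	sed -e "/^dn:/d" -e "/^ dc=com/d" -e "s/userPrivateKey;binary:://" -e "/^$/d" -e "s/^ //" "$SEARCHOUT" >> "$TESTDIR/userkey.pem"
	echo "-----END PRIVATE KEY-----" >> "$TESTDIR/userkey.pem"

	# Present the user certificate as the TLS client certificate.
	LDAPTLS_CERT=$TESTDIR/usercert.pem
	LDAPTLS_KEY=$TESTDIR/userkey.pem
	export LDAPTLS_CERT
	export LDAPTLS_KEY

	echo "Setting TLSVerifyClient to try..."
	$LDAPMODIFY -D cn=config -H "$URIP1" -y "$CONFIGPWF" <<EOF >> "$TESTOUT" 2>&1
dn: cn=config
changetype: modify
replace: olcTLSVerifyClient
olcTLSVerifyClient: try
EOF
	RC=$?
	if test $RC != 0 ; then
		echo "ldapmodify failed for TLSVerifyClient config ($RC)!"
		test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
		exit $RC
	fi

	# SASL/EXTERNAL over StartTLS: the identity comes from the client
	# certificate just installed.  RC must be captured here, otherwise the
	# check below would only re-test the preceding ldapmodify.
	$CLIENTDIR/ldapwhoami -Y EXTERNAL -H "$URIP1" -ZZ >> "$TESTOUT" 2>&1
	RC=$?

	if test $RC != 0 ; then
		echo "ldapwhoami failed ($RC)!"
		test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
		exit $RC
	fi
fi

test "$KILLSERVERS" != no && kill -HUP $KILLPIDS

echo ">>>>> Test succeeded"

test "$KILLSERVERS" != no && wait

exit 0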