2821680c8b
Ported all patches from CentOS. Ported patch rootdn-should-not-bypass-ppolicy.patch + deleted unit test for it. meta_data patches were not needed as they were only modifying the rpm spec. Disabled unit tests part of debian build. Ran the unit tests once before disabling and they pass. Story: 2009221 Task: 43407 Signed-off-by: Yue Tao <yue.tao@windriver.com> Change-Id: Ia0b640c5cd2594daae5722b1c9743a3a800485ab
From 9456b0eee753d9fd368347b6974a2f6f8d941d4f Mon Sep 17 00:00:00 2001
|
|
From: Kam Nasim <kam.nasim@windriver.com>
|
|
Date: Tue, 11 Apr 2017 17:23:03 -0400
|
|
Subject: [PATCH] rootdn should not bypass ppolicy
|
|
|
|
test022-ppolicy fails due to the change. The ppolicy behavior is
|
|
different with origian design, but that is intended, so remove
|
|
the testcase.
|
|
|
|
---
|
|
servers/slapd/overlays/ppolicy.c | 11 +++++++++--
|
|
1 file changed, 9 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
|
|
index b446deb..fa79872 100644
|
|
--- a/servers/slapd/overlays/ppolicy.c
|
|
+++ b/servers/slapd/overlays/ppolicy.c
|
|
@@ -1950,7 +1950,8 @@ ppolicy_modify( Operation *op, SlapReply
|
|
for(p=tl; p; p=p->next, hsize++); /* count history size */
|
|
}
|
|
|
|
- if (be_isroot( op )) goto do_modify;
|
|
+ /* WRS UPDATE: Run ppolicy for all user password modify ops */
|
|
+ //if (be_isroot( op )) goto do_modify;
|
|
|
|
/* NOTE: according to draft-behera-ldap-password-policy
|
|
* pwdAllowUserChange == FALSE must only prevent pwd changes
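Review bot: The old root shortcut is kept as commented-out code, `//if (be_isroot( op )) goto do_modify;`, instead of being deleted, and `//` is not the comment form this file uses elsewhere (`/* */`). Remove the dead line and state the intent in the surviving comment, e.g. `/* WRS UPDATE: rootDN no longer jumps to do_modify; every userPassword modify, including rootDN resets, runs the full password policy. */`. Without the goto, whatever policy checks follow this point in ppolicy_modify (outside the hunk) now also apply to rootDN operations, which is the behaviour the removed test022 relied on in its `ldappasswd ... -D "$MANAGERDN"` reset steps; the comment should say this is deliberate so the next maintainer does not reinstate the shortcut. The deletion of test022 also leaves the new rootDN path without any regression coverage, so a replacement test asserting that a rootDN password change on an existing account is policy-checked would be worth adding. ppolicy_modify begins and ends outside the hunk.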
|
|
@@ -2054,7 +2055,13 @@ ppolicy_modify( Operation *op, SlapReply
|
|
}
|
|
|
|
bv = newpw.bv_val ? &newpw : &addmod->sml_values[0];
|
|
- if (pp.pwdCheckQuality > 0) {
|
|
+
|
|
+ /* WRS UPDATE:
|
|
+ * If this is a rootDN op and this is the first password
|
|
+ * then bypass password policies as this is a new account
|
|
+ * creation
|
|
+ */
|
|
+ if (pp.pwdCheckQuality > 0 && !(be_isroot( op ) && !pa)) {
|
|
|
|
rc = check_password_quality( bv, &pp, &pErr, e, (char **)&txt );
|
|
if (rc != LDAP_SUCCESS) {
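Review bot: The new guard `!(be_isroot( op ) && !pa)` skips the quality check whenever the entry currently has no password attribute (assuming `pa` is the existing password attribute looked up earlier, outside the hunk), which is broader than the "new account creation" the comment describes: an existing account whose password attribute has been removed takes the same unchecked path when rootDN sets it. Either narrow the condition to what the comment promises or make the comment honest, e.g. `/* WRS UPDATE: rootDN setting a password on an entry that has none (normally the first password at account creation) skips check_password_quality only; all other policy checks still run. */`. Since the initial password is then accepted without any quality or length validation, consider emitting a `Debug( LDAP_DEBUG_ANY, ... )` line on that branch so the bypass is visible in slapd logs. The `if (rc != LDAP_SUCCESS)` handling continues outside the hunk.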
|
|
--- ./tests/scripts/test022-ppolicy
|
|
+++ /dev/null
|
|
@@ -1,673 +0,0 @@
|
|
-#! /bin/sh
|
|
-# $OpenLDAP$
|
|
-## This work is part of OpenLDAP Software <http://www.openldap.org/>.
|
|
-##
|
|
-## Copyright 1998-2021 The OpenLDAP Foundation.
|
|
-## All rights reserved.
|
|
-##
|
|
-## Redistribution and use in source and binary forms, with or without
|
|
-## modification, are permitted only as authorized by the OpenLDAP
|
|
-## Public License.
|
|
-##
|
|
-## A copy of this license is available in the file LICENSE in the
|
|
-## top-level directory of the distribution or, alternatively, at
|
|
-## <http://www.OpenLDAP.org/license.html>.
|
|
-
|
|
-echo "running defines.sh"
|
|
-. $SRCDIR/scripts/defines.sh
|
|
-
|
|
-if test $PPOLICY = ppolicyno; then
|
|
- echo "Password policy overlay not available, test skipped"
|
|
- exit 0
|
|
-fi
|
|
-
|
|
-mkdir -p $TESTDIR $DBDIR1
|
|
-
|
|
-$SLAPPASSWD -g -n >$CONFIGPWF
|
|
-echo "rootpw `$SLAPPASSWD -T $CONFIGPWF`" >$TESTDIR/configpw.conf
|
|
-
|
|
-echo "Starting slapd on TCP/IP port $PORT1..."
|
|
-. $CONFFILTER $BACKEND $MONITORDB < $PPOLICYCONF > $CONF1
|
|
-$SLAPD -f $CONF1 -h $URI1 -d $LVL $TIMING > $LOG1 2>&1 &
|
|
-PID=$!
|
|
-if test $WAIT != 0 ; then
|
|
- echo PID $PID
|
|
- read foo
|
|
-fi
|
|
-KILLPIDS="$PID"
|
|
-
|
|
-USER="uid=nd, ou=People, dc=example, dc=com"
|
|
-PASS=testpassword
|
|
-
|
|
-sleep 1
|
|
-
|
|
-echo "Using ldapsearch to check that slapd is running..."
|
|
-for i in 0 1 2 3 4 5; do
|
|
- $LDAPSEARCH -s base -b "$MONITOR" -h $LOCALHOST -p $PORT1 \
|
|
- 'objectclass=*' > /dev/null 2>&1
|
|
- RC=$?
|
|
- if test $RC = 0 ; then
|
|
- break
|
|
- fi
|
|
- echo "Waiting 5 seconds for slapd to start..."
|
|
- sleep 5
|
|
-done
|
|
-if test $RC != 0 ; then
|
|
- echo "ldapsearch failed ($RC)!"
|
|
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
- exit $RC
|
|
-fi
|
|
-
|
|
-echo /dev/null > $TESTOUT
|
|
-
|
|
-echo "Testing redundant ppolicy instance..."
|
|
-$LDAPADD -D cn=config -H $URI1 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
|
|
-dn: olcOverlay=ppolicy,olcDatabase={1}$BACKEND,cn=config
|
|
-objectClass: olcOverlayConfig
|
|
-objectClass: olcPPolicyConfig
|
|
-olcOverlay: ppolicy
|
|
-olcPPolicyDefault: cn=duplicate policy,ou=policies,dc=example,dc=com
|
|
-EOF
|
|
-RC=$?
|
|
-if test $RC = 0 ; then
|
|
- echo "ldapadd should have failed ($RC)!"
|
|
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
- exit 1
|
|
-fi
|
|
-
|
|
-echo "Using ldapadd to populate the database..."
|
|
-# may need "-e relax" for draft 09, but not yet.
|
|
-$LDAPADD -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD < \
|
|
- $LDIFPPOLICY >> $TESTOUT 2>&1
|
|
-RC=$?
|
|
-if test $RC != 0 ; then
|
|
- echo "ldapadd failed ($RC)!"
|
|
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
- exit $RC
|
|
-fi
|
|
-
|
|
-echo "Testing account lockout..."
|
|
-$LDAPSEARCH -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >$SEARCHOUT 2>&1
|
|
-sleep 2
|
|
-$LDAPSEARCH -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >>$SEARCHOUT 2>&1
|
|
-sleep 2
|
|
-$LDAPSEARCH -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >>$SEARCHOUT 2>&1
|
|
-sleep 2
|
|
-$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >> $SEARCHOUT 2>&1
|
|
-$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS >> $SEARCHOUT 2>&1
|
|
-COUNT=`grep "Account locked" $SEARCHOUT | wc -l`
|
|
-if test $COUNT != 2 ; then
|
|
- echo "Account lockout test failed"
|
|
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
- exit 1
|
|
-fi
|
|
-
|
|
-echo "Waiting 20 seconds for lockout to reset..."
|
|
-sleep 20
|
|
-
|
|
-$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
|
|
- -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
|
|
-RC=$?
|
|
-if test $RC != 0 ; then
|
|
- echo "ldapsearch failed ($RC)!"
|
|
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
- exit $RC
|
|
-fi
|
|
-
|
|
-echo "Testing password expiration"
|
|
-echo "Waiting 20 seconds for password to expire..."
|
|
-sleep 20
|
|
-
|
|
-$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
|
|
- -b "$BASEDN" -s base > $SEARCHOUT 2>&1
|
|
-sleep 2
|
|
-$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
|
|
- -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
|
|
-sleep 2
|
|
-$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
|
|
- -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
|
|
-sleep 2
|
|
-$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
|
|
- -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
|
|
-RC=$?
|
|
-if test $RC = 0 ; then
|
|
- echo "Password expiration failed ($RC)!"
|
|
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
- exit 1
|
|
-fi
|
|
-
|
|
-COUNT=`grep "grace logins" $SEARCHOUT | wc -l`
|
|
-if test $COUNT != 3 ; then
|
|
- echo "Password expiration test failed"
|
|
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
- exit 1
|
|
-fi
|
|
-
|
|
-echo "Resetting password to clear expired status"
|
|
-$LDAPPASSWD -h $LOCALHOST -p $PORT1 \
|
|
- -w secret -s $PASS \
|
|
- -D "$MANAGERDN" "$USER" >> $TESTOUT 2>&1
|
|
-RC=$?
|
|
-if test $RC != 0 ; then
|
|
- echo "ldappasswd failed ($RC)!"
|
|
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
- exit $RC
|
|
-fi
|
|
-
|
|
-echo "Filling password history..."
|
|
-$LDAPMODIFY -v -D "$USER" -h $LOCALHOST -p $PORT1 -w $PASS >> \
|
|
- $TESTOUT 2>&1 << EOMODS
|
|
-dn: $USER
|
|
-changetype: modify
|
|
-delete: userpassword
|
|
-userpassword: $PASS
|
|
--
|
|
-replace: userpassword
|
|
-userpassword: 20urgle12-1
|
|
-
|
|
-dn: $USER
|
|
-changetype: modify
|
|
-delete: userpassword
|
|
-userpassword: 20urgle12-1
|
|
--
|
|
-replace: userpassword
|
|
-userpassword: 20urgle12-2
|
|
-
|
|
-dn: $USER
|
|
-changetype: modify
|
|
-delete: userpassword
|
|
-userpassword: 20urgle12-2
|
|
--
|
|
-replace: userpassword
|
|
-userpassword: 20urgle12-3
|
|
-
|
|
-dn: $USER
|
|
-changetype: modify
|
|
-delete: userpassword
|
|
-userpassword: 20urgle12-3
|
|
--
|
|
-replace: userpassword
|
|
-userpassword: 20urgle12-4
|
|
-
|
|
-dn: $USER
|
|
-changetype: modify
|
|
-delete: userpassword
|
|
-userpassword: 20urgle12-4
|
|
--
|
|
-replace: userpassword
|
|
-userpassword: 20urgle12-5
|
|
-
|
|
-dn: $USER
|
|
-changetype: modify
|
|
-delete: userpassword
|
|
-userpassword: 20urgle12-5
|
|
--
|
|
-replace: userpassword
|
|
-userpassword: 20urgle12-6
|
|
-
|
|
-EOMODS
|
|
-RC=$?
|
|
-if test $RC != 0 ; then
|
|
- echo "ldapmodify failed ($RC)!"
|
|
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
- exit $RC
|
|
-fi
|
|
-echo "Testing password history..."
|
|
-$LDAPMODIFY -v -D "$USER" -h $LOCALHOST -p $PORT1 -w 20urgle12-6 >> \
|
|
- $TESTOUT 2>&1 << EOMODS
|
|
-dn: $USER
|
|
-changetype: modify
|
|
-delete: userPassword
|
|
-userPassword: 20urgle12-6
|
|
--
|
|
-replace: userPassword
|
|
-userPassword: 20urgle12-2
|
|
-
|
|
-EOMODS
|
|
-RC=$?
|
|
-if test $RC = 0 ; then
|
|
- echo "ldapmodify failed ($RC)!"
|
|
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
- exit 1
|
|
-fi
|
|
-
|
|
-echo "Testing forced reset..."
|
|
-
|
|
-$LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD >> \
|
|
- $TESTOUT 2>&1 << EOMODS
|
|
-dn: $USER
|
|
-changetype: modify
|
|
-replace: userPassword
|
|
-userPassword: $PASS
|
|
--
|
|
-replace: pwdReset
|
|
-pwdReset: TRUE
|
|
-
|
|
-EOMODS
|
|
-RC=$?
|
|
-if test $RC != 0 ; then
|
|
- echo "ldapmodify failed ($RC)!"
|
|
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
- exit $RC
|
|
-fi
|
|
-
|
|
-$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
|
|
- -b "$BASEDN" -s base > $SEARCHOUT 2>&1
|
|
-RC=$?
|
|
-if test $RC = 0 ; then
|
|
- echo "Forced reset failed ($RC)!"
|
|
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
- exit 1
|
|
-fi
|
|
-
|
|
-COUNT=`grep "Operations are restricted" $SEARCHOUT | wc -l`
|
|
-if test $COUNT != 1 ; then
|
|
- echo "Forced reset test failed"
|
|
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
- exit 1
|
|
-fi
|
|
-
|
|
-echo "Clearing forced reset..."
|
|
-
|
|
-$LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD >> \
|
|
- $TESTOUT 2>&1 << EOMODS
|
|
-dn: $USER
|
|
-changetype: modify
|
|
-delete: pwdReset
|
|
-
|
|
-EOMODS
|
|
-RC=$?
|
|
-if test $RC != 0 ; then
|
|
- echo "ldapmodify failed ($RC)!"
|
|
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
- exit $RC
|
|
-fi
|
|
-
|
|
-$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
|
|
- -b "$BASEDN" -s base > $SEARCHOUT 2>&1
|
|
-RC=$?
|
|
-if test $RC != 0 ; then
|
|
- echo "Clearing forced reset failed ($RC)!"
|
|
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
- exit $RC
|
|
-fi
|
|
-
|
|
-echo "Testing Safe modify..."
|
|
-
|
|
-$LDAPPASSWD -h $LOCALHOST -p $PORT1 \
|
|
- -w $PASS -s failexpect \
|
|
- -D "$USER" >> $TESTOUT 2>&1
|
|
-RC=$?
|
|
-if test $RC = 0 ; then
|
|
- echo "Safe modify test 1 failed ($RC)!"
|
|
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
- exit 1
|
|
-fi
|
|
-
|
|
-sleep 2
|
|
-
|
|
-OLDPASS=$PASS
|
|
-PASS=successexpect
|
|
-
|
|
-$LDAPPASSWD -h $LOCALHOST -p $PORT1 \
|
|
- -w $OLDPASS -s $PASS -a $OLDPASS \
|
|
- -D "$USER" >> $TESTOUT 2>&1
|
|
-RC=$?
|
|
-if test $RC != 0 ; then
|
|
- echo "Safe modify test 2 failed ($RC)!"
|
|
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
- exit $RC
|
|
-fi
|
|
-
|
|
-echo "Testing length requirement..."
|
|
-# check control in response (ITS#5711)
|
|
-$LDAPPASSWD -h $LOCALHOST -p $PORT1 \
|
|
- -w $PASS -a $PASS -s 2shr \
|
|
- -D "$USER" -e ppolicy > ${TESTOUT}.2 2>&1
|
|
-RC=$?
|
|
-cat ${TESTOUT}.2 >> $TESTOUT
|
|
-if test $RC = 0 ; then
|
|
- echo "Length requirement test failed ($RC)!"
|
|
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
- exit 1
|
|
-fi
|
|
-COUNT=`grep "Password fails quality" ${TESTOUT}.2 | wc -l`
|
|
-if test $COUNT != 1 ; then
|
|
- echo "Length requirement test failed"
|
|
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
- exit 1
|
|
-fi
|
|
-COUNT=`grep "Password is too short for policy" ${TESTOUT}.2 | wc -l`
|
|
-if test $COUNT != 1 ; then
|
|
- echo "Control not returned in response"
|
|
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
- exit 1
|
|
-fi
|
|
-
|
|
-echo "Testing hashed length requirement..."
|
|
-
|
|
-$LDAPMODIFY -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS > \
|
|
- ${TESTOUT}.2 2>&1 << EOMODS
|
|
-dn: $USER
|
|
-changetype: modify
|
|
-delete: userPassword
|
|
-userPassword: $PASS
|
|
--
|
|
-add: userPassword
|
|
-userPassword: {MD5}xxxxxx
|
|
-
|
|
-EOMODS
|
|
-RC=$?
|
|
-cat ${TESTOUT}.2 >> $TESTOUT
|
|
-if test $RC = 0 ; then
|
|
- echo "Hashed length requirement test failed ($RC)!"
|
|
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
- exit 1
|
|
-fi
|
|
-COUNT=`grep "Password fails quality" ${TESTOUT}.2 | wc -l`
|
|
-if test $COUNT != 1 ; then
|
|
- echo "Hashed length requirement test failed"
|
|
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
- exit 1
|
|
-fi
|
|
-
|
|
-echo "Testing multiple password add/modify checks..."
|
|
-
|
|
-$LDAPMODIFY -h $LOCALHOST -p $PORT1 -D "$MANAGERDN" -w $PASSWD >> \
|
|
- $TESTOUT 2>&1 << EOMODS
|
|
-dn: cn=Add Should Fail, ou=People, dc=example, dc=com
|
|
-changetype: add
|
|
-objectClass: inetOrgPerson
|
|
-cn: Add Should Fail
|
|
-sn: Fail
|
|
-userPassword: firstpw
|
|
-userPassword: secondpw
|
|
-EOMODS
|
|
-RC=$?
|
|
-if test $RC = 0 ; then
|
|
- echo "Multiple password add test failed ($RC)!"
|
|
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
- exit 1
|
|
-fi
|
|
-
|
|
-$LDAPMODIFY -h $LOCALHOST -p $PORT1 -D "$MANAGERDN" -w $PASSWD >> \
|
|
- $TESTOUT 2>&1 << EOMODS
|
|
-dn: $USER
|
|
-changetype: modify
|
|
-add: userPassword
|
|
-userPassword: firstpw
|
|
-userPassword: secondpw
|
|
-EOMODS
|
|
-RC=$?
|
|
-if test $RC = 0 ; then
|
|
- echo "Multiple password modify add test failed ($RC)!"
|
|
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
- exit 1
|
|
-fi
|
|
-
|
|
-$LDAPMODIFY -h $LOCALHOST -p $PORT1 -D "$MANAGERDN" -w $PASSWD >> \
|
|
- $TESTOUT 2>&1 << EOMODS
|
|
-dn: $USER
|
|
-changetype: modify
|
|
-replace: userPassword
|
|
-userPassword: firstpw
|
|
-userPassword: secondpw
|
|
-EOMODS
|
|
-RC=$?
|
|
-if test $RC = 0 ; then
|
|
- echo "Multiple password modify replace test failed ($RC)!"
|
|
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
- exit 1
|
|
-fi
|
|
-
|
|
-if test "$BACKLDAP" != "ldapno" && test "$SYNCPROV" != "syncprovno" ; then
|
|
-echo ""
|
|
-echo "Setting up policy state forwarding test..."
|
|
-
|
|
-mkdir $DBDIR2
|
|
-sed -e "s,$DBDIR1,$DBDIR2," < $CONF1 > $CONF2
|
|
-echo "Starting slapd consumer on TCP/IP port $PORT2..."
|
|
-$SLAPD -f $CONF2 -h $URI2 -d $LVL $TIMING > $LOG2 2>&1 &
|
|
-PID=$!
|
|
-if test $WAIT != 0 ; then
|
|
- echo PID $PID
|
|
- read foo
|
|
-fi
|
|
-KILLPIDS="$KILLPIDS $PID"
|
|
-
|
|
-echo "Configuring syncprov on provider..."
|
|
-if [ "$SYNCPROV" = syncprovmod ]; then
|
|
- $LDAPADD -D cn=config -H $URI1 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
|
|
-dn: cn=module,cn=config
|
|
-objectclass: olcModuleList
|
|
-cn: module
|
|
-olcModulePath: $TESTWD/../servers/slapd/overlays
|
|
-olcModuleLoad: syncprov.la
|
|
-
|
|
-EOF
|
|
- RC=$?
|
|
- if test $RC != 0 ; then
|
|
- echo "ldapadd failed for moduleLoad ($RC)!"
|
|
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
- exit $RC
|
|
- fi
|
|
-fi
|
|
-
|
|
-$LDAPADD -D cn=config -H $URI1 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
|
|
-dn: olcOverlay={1}syncprov,olcDatabase={1}$BACKEND,cn=config
|
|
-objectClass: olcOverlayConfig
|
|
-objectClass: olcSyncProvConfig
|
|
-olcOverlay: {1}syncprov
|
|
-
|
|
-EOF
|
|
-RC=$?
|
|
-if test $RC != 0 ; then
|
|
- echo "ldapadd failed for provider database config ($RC)!"
|
|
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
- exit $RC
|
|
-fi
|
|
-
|
|
-echo "Using ldapsearch to check that slapd is running..."
|
|
-for i in 0 1 2 3 4 5; do
|
|
- $LDAPSEARCH -s base -b "$MONITOR" -H $URI2 \
|
|
- 'objectclass=*' > /dev/null 2>&1
|
|
- RC=$?
|
|
- if test $RC = 0 ; then
|
|
- break
|
|
- fi
|
|
- echo "Waiting 5 seconds for slapd to start..."
|
|
- sleep 5
|
|
-done
|
|
-if test $RC != 0 ; then
|
|
- echo "ldapsearch failed ($RC)!"
|
|
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
- exit $RC
|
|
-fi
|
|
-
|
|
-echo "Configuring syncrepl on consumer..."
|
|
-if [ "$BACKLDAP" = ldapmod ]; then
|
|
- $LDAPADD -D cn=config -H $URI2 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
|
|
-dn: cn=module,cn=config
|
|
-objectclass: olcModuleList
|
|
-cn: module
|
|
-olcModulePath: $TESTWD/../servers/slapd/back-ldap
|
|
-olcModuleLoad: back_ldap.la
|
|
-
|
|
-EOF
|
|
- RC=$?
|
|
- if test $RC != 0 ; then
|
|
- echo "ldapadd failed for moduleLoad ($RC)!"
|
|
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
- exit $RC
|
|
- fi
|
|
-fi
|
|
-$LDAPMODIFY -D cn=config -H $URI2 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
|
|
-dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
|
|
-changetype: add
|
|
-objectClass: olcOverlayConfig
|
|
-objectClass: olcChainConfig
|
|
-olcOverlay: {0}chain
|
|
-
|
|
-dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
|
|
-changetype: add
|
|
-objectClass: olcLDAPConfig
|
|
-objectClass: olcChainDatabase
|
|
-olcDBURI: $URI1
|
|
-olcDbIDAssertBind: bindmethod=simple
|
|
- binddn="cn=manager,dc=example,dc=com"
|
|
- credentials=secret
|
|
- mode=self
|
|
-
|
|
-dn: olcDatabase={1}$BACKEND,cn=config
|
|
-changetype: modify
|
|
-add: olcSyncrepl
|
|
-olcSyncrepl: rid=1
|
|
- provider=$URI1
|
|
- binddn="cn=manager,dc=example,dc=com"
|
|
- bindmethod=simple
|
|
- credentials=secret
|
|
- searchbase="dc=example,dc=com"
|
|
- type=refreshAndPersist
|
|
- retry="3 5 300 5"
|
|
--
|
|
-add: olcUpdateref
|
|
-olcUpdateref: $URI1
|
|
--
|
|
-
|
|
-dn: olcOverlay={0}ppolicy,olcDatabase={1}$BACKEND,cn=config
|
|
-changetype: modify
|
|
-replace: olcPPolicyForwardUpdates
|
|
-olcPPolicyForwardUpdates: TRUE
|
|
--
|
|
-
|
|
-EOF
|
|
-RC=$?
|
|
-if test $RC != 0 ; then
|
|
- echo "ldapmodify failed ($RC)!"
|
|
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
- exit $RC
|
|
-fi
|
|
-
|
|
-echo "Waiting for consumer to sync..."
|
|
-sleep $SLEEP1
|
|
-
|
|
-echo "Testing policy state forwarding..."
|
|
-$LDAPSEARCH -H $URI2 -D "$USER" -w wrongpw >$SEARCHOUT 2>&1
|
|
-RC=$?
|
|
-if test $RC != 49 ; then
|
|
- echo "ldapsearch should have failed with 49, got ($RC)!"
|
|
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
- exit 1
|
|
-fi
|
|
-
|
|
-$LDAPSEARCH -H $URI1 -D "$MANAGERDN" -w $PASSWD -b "$USER" \* \+ >> $SEARCHOUT 2>&1
|
|
-COUNT=`grep "pwdFailureTime" $SEARCHOUT | wc -l`
|
|
-if test $COUNT != 1 ; then
|
|
- echo "Policy state forwarding failed"
|
|
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
- exit 1
|
|
-fi
|
|
-
|
|
-# End of chaining test
|
|
-
|
|
-fi
|
|
-
|
|
-echo ""
|
|
-echo "Testing obsolete Netscape ppolicy controls..."
|
|
-echo "Enabling Netscape controls..."
|
|
-$LDAPMODIFY -v -D cn=config -H $URI1 -y $CONFIGPWF >> \
|
|
- $TESTOUT 2>&1 << EOMODS
|
|
-dn: olcOverlay={0}ppolicy,olcDatabase={1}$BACKEND,cn=config
|
|
-changetype: modify
|
|
-replace: olcPPolicySendNetscapeControls
|
|
-olcPPolicySendNetscapeControls: TRUE
|
|
--
|
|
-
|
|
-EOMODS
|
|
-RC=$?
|
|
-if test $RC != 0 ; then
|
|
- echo "ldapmodify failed ($RC)!"
|
|
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
- exit $RC
|
|
-fi
|
|
-
|
|
-echo "Reconfiguring policy to remove grace logins..."
|
|
-$LDAPMODIFY -v -D "$MANAGERDN" -H $URI1 -w $PASSWD >> \
|
|
- $TESTOUT 2>&1 << EOMODS
|
|
-dn: cn=Standard Policy, ou=Policies, dc=example, dc=com
|
|
-changetype: modify
|
|
-delete: pwdGraceAuthnLimit
|
|
--
|
|
-replace: pwdMaxAge
|
|
-pwdMaxAge: 15
|
|
--
|
|
-
|
|
-EOMODS
|
|
-RC=$?
|
|
-if test $RC != 0 ; then
|
|
- echo "ldapmodify failed ($RC)!"
|
|
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
- exit $RC
|
|
-fi
|
|
-
|
|
-OLDPASS=$PASS
|
|
-PASS=newpass
|
|
-$LDAPPASSWD -H $URI1 \
|
|
- -w secret -s $PASS \
|
|
- -D "$MANAGERDN" "$USER" >> $TESTOUT 2>&1
|
|
-RC=$?
|
|
-if test $RC != 0 ; then
|
|
- echo "Setting new password failed ($RC)!"
|
|
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
- exit $RC
|
|
-fi
|
|
-
|
|
-echo "Clearing forced reset..."
|
|
-$LDAPMODIFY -v -D "$MANAGERDN" -H $URI1 -w $PASSWD >> \
|
|
- $TESTOUT 2>&1 << EOMODS
|
|
-dn: $USER
|
|
-changetype: modify
|
|
-delete: pwdReset
|
|
-
|
|
-EOMODS
|
|
-
|
|
-DELAY=10
|
|
-
|
|
-echo "Testing password expiration"
|
|
-echo "Waiting $DELAY seconds for password to expire..."
|
|
-sleep $DELAY
|
|
-
|
|
-$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
|
|
- -b "$BASEDN" -s base > $SEARCHOUT 2>&1
|
|
-sleep 3
|
|
-$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
|
|
- -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
|
|
-sleep 3
|
|
-$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
|
|
- -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
|
|
-sleep 3
|
|
-$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
|
|
- -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
|
|
-sleep 3
|
|
-$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
|
|
- -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
|
|
-RC=$?
|
|
-if test $RC = 0 ; then
|
|
- echo "Password expiration failed ($RC)!"
|
|
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
- exit 1
|
|
-fi
|
|
-COUNT=`grep "PasswordExpiring" $SEARCHOUT | wc -l`
|
|
-if test $COUNT = 0 ; then
|
|
- echo "Password expiring warning test failed!"
|
|
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
- exit 1
|
|
-fi
|
|
-
|
|
-test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
-
|
|
-echo ">>>>> Test succeeded"
|
|
-
|
|
-test $KILLSERVERS != no && wait
|
|
-
|
|
-exit 0
|
|
--
|
|
1.9.1
|
|
|