From 4f593f55a62de8a6fbfc9eb5ee56d380bf8f7450 Mon Sep 17 00:00:00 2001
From: Pierangelo Masarati
Date: Sun, 20 Jun 2004 23:01:25 +0000
Subject: [PATCH] improve test028; add test029 about glueing ldap databases with identity assertion
---
 tests/data/ldapglue.out | 51 +++++++
 tests/data/ldapglueanonymous.out | 6 +
 tests/data/slapd-idassert.conf | 12 +-
 tests/data/slapd-ldapglue.conf | 81 ++++++++++
 tests/data/slapd-ldapgluegroups.conf | 59 +++++++
 tests/data/slapd-ldapgluepeople.conf | 63 ++++++++
 tests/data/test-idassert1.ldif | 1 +
 tests/data/test-ldapglue.ldif | 5 +
 tests/data/test-ldapgluegroups.ldif | 23 +++
 tests/data/test-ldapgluepeople.ldif | 28 ++++
 tests/scripts/conf.sh | 5 +-
 tests/scripts/defines.sh | 8 +
 tests/scripts/test028-idassert | 6 +-
 tests/scripts/test029-ldapglue | 220 +++++++++++++++++++++++++++
 14 files changed, 559 insertions(+), 9 deletions(-)
 create mode 100644 tests/data/ldapglue.out
 create mode 100644 tests/data/ldapglueanonymous.out
 create mode 100644 tests/data/slapd-ldapglue.conf
 create mode 100644 tests/data/slapd-ldapgluegroups.conf
 create mode 100644 tests/data/slapd-ldapgluepeople.conf
 create mode 100644 tests/data/test-ldapglue.ldif
 create mode 100644 tests/data/test-ldapgluegroups.ldif
 create mode 100644 tests/data/test-ldapgluepeople.ldif
 create mode 100755 tests/scripts/test029-ldapglue
diff --git a/tests/data/ldapglue.out b/tests/data/ldapglue.out
new file mode 100644
index 0000000000..e53f1a357d
--- /dev/null
+++ b/tests/data/ldapglue.out
@@ -0,0 +1,51 @@
+dn: dc=example,dc=com
+objectClass: organization
+objectClass: dcObject
+o: Example, Inc.
+dc: example
+
+dn: ou=People,dc=example,dc=com
+objectClass: organizationalUnit
+ou: People
+
+dn: uid=bjorn,ou=People,dc=example,dc=com
+objectClass: inetOrgPerson
+cn: Bjorn Jensen
+sn: Jensen
+uid: bjorn
+mail: bjorn@example.com
+
+dn: uid=bjensen,ou=People,dc=example,dc=com
+objectClass: inetOrgPerson
+cn: Barbara Jensen
+sn: Jensen
+uid: bjensen
+mail: bjensen@example.com
+
+dn: uid=proxy,ou=People,dc=example,dc=com
+objectClass: inetOrgPerson
+cn: Proxy
+sn: Proxy
+uid: proxy
+
+dn: ou=Groups,dc=example,dc=com
+objectClass: organizationalUnit
+ou: Groups
+
+dn: cn=All,ou=Groups,dc=example,dc=com
+objectClass: groupOfNames
+cn: All
+member: uid=bjorn,ou=People,dc=example,dc=com
+member: uid=bjensen,ou=People,dc=example,dc=com
+
+dn: cn=ITD,ou=Groups,dc=example,dc=com
+objectClass: groupOfNames
+cn: ITD
+member: uid=bjorn,ou=People,dc=example,dc=com
+
+dn: uid=proxy,ou=Groups,dc=example,dc=com
+objectClass: inetOrgPerson
+cn: Proxy
+sn: Proxy
+uid: proxy
+
diff --git a/tests/data/ldapglueanonymous.out b/tests/data/ldapglueanonymous.out
new file mode 100644
index 0000000000..f0b576b2d7
--- /dev/null
+++ b/tests/data/ldapglueanonymous.out
@@ -0,0 +1,6 @@
+dn: dc=example,dc=com
+objectClass: organization
+objectClass: dcObject
+o: Example, Inc.
+dc: example
+
diff --git a/tests/data/slapd-idassert.conf b/tests/data/slapd-idassert.conf
index 0892d07cd3..5b14b9fc3f 100644
--- a/tests/data/slapd-idassert.conf
+++ b/tests/data/slapd-idassert.conf
@@ -79,21 +79,21 @@ index cn,sn,uid pres,eq,sub
 database ldap
 suffix "o=Example,c=US"
 suffixmassage "o=Example,c=US" "dc=example,dc=com"
-uri "ldap://:9011/"
+uri "@URI1@"
-#sasl#idassert-method "sasl" "authcDN=cn=Proxy US,ou=Admin,dc=example,dc=com" "authcID=admin/proxy US" "cred=proxy" #SASL_MECH#
+#sasl#idassert-method "sasl" "authcDN=cn=Proxy US,ou=Admin,dc=example,dc=com" "authcID=admin/proxy US" "cred=proxy" @SASL_MECH@
 #nosasl#idassert-method "simple"
 #nosasl#idassert-authcDN "cn=Proxy US,ou=Admin,dc=example,dc=com"
 #nosasl#idassert-passwd proxy
 idassert-mode self
 # authorizes database
-idassert-authz "dn.subtree:dc=example,dc=it"
+idassert-authzFrom "dn.subtree:dc=example,dc=it"
 database ldap
 suffix "o=Esempio,c=IT"
 suffixmassage "o=Esempio,c=IT" "dc=example,dc=com"
-uri "ldap://:9011/"
+uri "@URI1@"
 acl-authcDN "cn=Proxy IT,ou=Admin,dc=example,dc=com"
 acl-passwd proxy
@@ -104,9 +104,9 @@ idassert-passwd proxy
 idassert-mode "dn:cn=Sandbox,ou=Admin,dc=example,dc=com"
 # authorizes database
-idassert-authz "dn.subtree:dc=example,dc=com"
+idassert-authzFrom "dn.subtree:dc=example,dc=com"
 # authorizes anonymous
-idassert-authz "dn.exact:"
+idassert-authzFrom "dn.exact:"
 access to attrs=entry,cn,sn,mail by users read
diff --git a/tests/data/slapd-ldapglue.conf b/tests/data/slapd-ldapglue.conf
new file mode 100644
index 0000000000..cf9d0cefd6
--- /dev/null
+++ b/tests/data/slapd-ldapglue.conf
@@ -0,0 +1,81 @@
+# master slapd config -- for testing
+# $OpenLDAP: pkg/ldap/tests/data/slapd-pw.conf,v 1.19.2.4 2003/12/15 22:05:29
+ kurt Exp $
+## This work is part of OpenLDAP Software .
+##
+## Copyright 1998-2003 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## .
+
+#ucdata-path ./ucdata
+include ./schema/core.schema
+include ./schema/cosine.schema
+include ./schema/inetorgperson.schema
+include ./schema/openldap.schema
+include ./schema/nis.schema
+pidfile ./testrun/slapd.1.pid
+argsfile ./testrun/slapd.1.args
+
+# password-hash {md5}
+
+#mod#modulepath ../servers/slapd/back-@BACKEND@/
+#mod#moduleload back_@BACKEND@.la
+
+#######################################################################
+# ldbm database definitions
+#######################################################################
+
+authz-regexp "^uid=([^,]+),.*" "uid=$1,ou=People,dc=example,dc=com"
+
+#
+# normal installations should protect root dse,
+# cn=monitor, cn=schema, and cn=config
+#
+
+access to attr=userpassword
+ by self =wx
+ by anonymous =x
+
+access to *
+ by * read
+
+# people branch
+database ldap
+suffix "ou=People,dc=example,dc=com"
+uri "@URI2@"
+# FIXME: doesn't work with authz=native
+#sasl#idassert-method sasl authcid=proxy cred=proxy @SASL_MECH@
+#nosasl#idassert-method simple
+#nosasl#idassert-authcDN "uid=proxy,ou=People,dc=example,dc=com"
+#nosasl#idassert-passwd proxy
+idassert-mode self
+subordinate
+
+# groups branch
+database ldap
+suffix "ou=Groups,dc=example,dc=com"
+uri "@URI3@"
+# FIXME: doesn't work with authz=native
+#sasl#idassert-method sasl authcid=proxy cred=proxy @SASL_MECH@
+#nosasl#idassert-method simple
+#nosasl#idassert-authcDN "uid=proxy,ou=Groups,dc=example,dc=com"
+#nosasl#idassert-passwd proxy
+idassert-mode self
+subordinate
+
+# root
+database @BACKEND@
+suffix "dc=example,dc=com"
+directory ./testrun/db.1.a
+rootdn "cn=Manager,dc=example,dc=com"
+rootpw secret
+index objectClass eq
+index cn,sn,uid pres,eq,sub
+
diff --git a/tests/data/slapd-ldapgluegroups.conf b/tests/data/slapd-ldapgluegroups.conf
new file mode 100644
index 0000000000..e6fba2debb
--- /dev/null
+++ b/tests/data/slapd-ldapgluegroups.conf
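Review bot: The frontend's `access to * by * read` means this glue server imposes no restriction of its own; the anonymous result test029 expects (root entry only) appears to come entirely from the `by users read` / `by * search` ACLs on the two remote servers, which a reader of this file cannot see. A comment above that ACL would stop the next maintainer from "tightening" it here and breaking the proxied case, e.g. `# access control for the glued branches is enforced by the remote servers; this frontend only restricts the local root entry`. The cleartext `#nosasl#idassert-passwd proxy` and `rootpw secret` are fine for a fixture, but a `# test-only credentials -- do not copy into production configs` line next to them costs nothing.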
@@ -0,0 +1,59 @@
+# master slapd config -- for testing
+# $OpenLDAP: pkg/ldap/tests/data/slapd-pw.conf,v 1.19.2.4 2003/12/15 22:05:29
+ kurt Exp $
+## This work is part of OpenLDAP Software .
+##
+## Copyright 1998-2003 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## .
+
+#ucdata-path ./ucdata
+include ./schema/core.schema
+include ./schema/cosine.schema
+include ./schema/inetorgperson.schema
+include ./schema/openldap.schema
+include ./schema/nis.schema
+pidfile ./testrun/slapd.3.pid
+argsfile ./testrun/slapd.3.args
+
+# password-hash {md5}
+
+#mod#modulepath ../servers/slapd/back-@BACKEND@/
+#mod#moduleload back_@BACKEND@.la
+
+#######################################################################
+# ldbm database definitions
+#######################################################################
+
+authz-policy to
+authz-regexp "^uid=([^,]+),.*" "uid=$1,ou=Groups,dc=example,dc=com"
+
+#
+# normal installations should protect root dse,
+# cn=monitor, cn=schema, and cn=config
+#
+
+access to attr=userpassword
+ by self =wx
+ by anonymous =x
+
+access to *
+ by users read
+ by * search
+
+# people branch
+database @BACKEND@
+suffix "ou=Groups,dc=example,dc=com"
+directory ./testrun/db.3.a
+rootdn "cn=Manager,ou=Groups,dc=example,dc=com"
+rootpw secret
+index objectClass eq
+index cn,sn,uid pres,eq,sub
+
diff --git a/tests/data/slapd-ldapgluepeople.conf b/tests/data/slapd-ldapgluepeople.conf
new file mode 100644
index 0000000000..48348755c7
--- /dev/null
+++ b/tests/data/slapd-ldapgluepeople.conf
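Review bot: The `# people branch` comment above the `ou=Groups` database is a copy-paste leftover from the people config and should read `# groups branch`. Note also that, unlike slapd-ldapgluepeople.conf, this server grants its proxy identity no read access to userpassword; that is the safer default and presumably fine while the frontend's `#sasl#idassert-method` line for the groups branch stays marked FIXME, but if that SASL path is ever enabled the two files will diverge in a way that is easy to miss.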
@@ -0,0 +1,63 @@
+# master slapd config -- for testing
+# $OpenLDAP: pkg/ldap/tests/data/slapd-pw.conf,v 1.19.2.4 2003/12/15 22:05:29
+ kurt Exp $
+## This work is part of OpenLDAP Software .
+##
+## Copyright 1998-2003 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## .
+
+#ucdata-path ./ucdata
+include ./schema/core.schema
+include ./schema/cosine.schema
+include ./schema/inetorgperson.schema
+include ./schema/openldap.schema
+include ./schema/nis.schema
+pidfile ./testrun/slapd.2.pid
+argsfile ./testrun/slapd.2.args
+
+# password-hash {md5}
+
+#mod#modulepath ../servers/slapd/back-@BACKEND@/
+#mod#moduleload back_@BACKEND@.la
+
+#######################################################################
+# ldbm database definitions
+#######################################################################
+
+authz-policy to
+authz-regexp "^uid=([^,]+),.*" "uid=$1,ou=People,dc=example,dc=com"
+
+#
+# normal installations should protect root dse,
+# cn=monitor, cn=schema, and cn=config
+#
+
+# uid=proxy,ou=People,dc=example,dc=com needs to read userPassword
+# to do SASL bind!
+access to attr=userpassword
+ by dn.exact="uid=proxy,ou=People,dc=example,dc=com" read
+ by self =wx
+ by anonymous =x
+
+access to *
+ by dn.exact="uid=proxy,ou=People,dc=example,dc=com" read
+ by users read
+ by * search
+
+# people branch
+database @BACKEND@
+suffix "ou=People,dc=example,dc=com"
+directory ./testrun/db.2.a
+rootdn "cn=Manager,ou=People,dc=example,dc=com"
+rootpw secret
+index objectClass eq
+index cn,sn,uid pres,eq,sub
+
diff --git a/tests/data/test-idassert1.ldif b/tests/data/test-idassert1.ldif
index 7e5e26d52f..063d6ec450 100644
--- a/tests/data/test-idassert1.ldif
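Review bot: The `by dn.exact="uid=proxy,..." read` clause on `attr=userpassword` gives the proxy identity read access to every user's password value, and the comment justifies it only for the SASL bind path, yet the grant is unconditional: in the default `#nosasl#` run the proxy performs a simple bind and never needs it. Since conf.sh strips the `#sasl#` prefix only when SASL is requested, the grant can be made conditional with the same mechanism the rest of the file already uses: `#sasl#	by dn.exact="uid=proxy,ou=People,dc=example,dc=com" read`. The second `by dn.exact=... read` under `access to *` looks redundant with `by users read` once the proxy is bound, though it may be deliberate for readability; a one-word comment either way would settle it.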
+++ b/tests/data/test-idassert1.ldif
@@ -17,6 +17,7 @@ userPassword:: Ympvcm4=
 mail: bjorn@example.com
 description: ***
 authzFrom: dn.exact:uid=jaj,o=Example,c=US
+authzFrom: dn.subtree:ou=People,dc=example,dc=it
 dn: uid=bjensen,ou=People,dc=example,dc=com
 objectClass: inetOrgPerson
diff --git a/tests/data/test-ldapglue.ldif b/tests/data/test-ldapglue.ldif
new file mode 100644
index 0000000000..d3795cbafd
--- /dev/null
+++ b/tests/data/test-ldapglue.ldif
@@ -0,0 +1,5 @@
+dn: dc=example,dc=com
+objectClass: organization
+objectClass: dcObject
+o: Example, Inc.
+dc: example
diff --git a/tests/data/test-ldapgluegroups.ldif b/tests/data/test-ldapgluegroups.ldif
new file mode 100644
index 0000000000..3d8254e398
--- /dev/null
+++ b/tests/data/test-ldapgluegroups.ldif
@@ -0,0 +1,23 @@
+dn: ou=Groups,dc=example,dc=com
+objectClass: organizationalUnit
+ou: Groups
+
+dn: cn=All,ou=Groups,dc=example,dc=com
+objectClass: groupOfNames
+cn: All
+member: uid=bjorn,ou=People,dc=example,dc=com
+member: uid=bjensen,ou=People,dc=example,dc=com
+
+dn: cn=ITD,ou=Groups,dc=example,dc=com
+objectClass: groupOfNames
+cn: ITD
+member: uid=bjorn,ou=People,dc=example,dc=com
+
+dn: uid=proxy,ou=Groups,dc=example,dc=com
+objectClass: inetOrgPerson
+cn: Proxy
+sn: Proxy
+uid: proxy
+userPassword:: cHJveHk=
+authzTo: dn:*
+
diff --git a/tests/data/test-ldapgluepeople.ldif b/tests/data/test-ldapgluepeople.ldif
new file mode 100644
index 0000000000..a8d35473c6
--- /dev/null
+++ b/tests/data/test-ldapgluepeople.ldif
@@ -0,0 +1,28 @@
+dn: ou=People,dc=example,dc=com
+objectClass: organizationalUnit
+ou: People
+
+dn: uid=bjorn,ou=People,dc=example,dc=com
+objectClass: inetOrgPerson
+cn: Bjorn Jensen
+sn: Jensen
+uid: bjorn
+userPassword:: Ympvcm4=
+mail: bjorn@example.com
+
+dn: uid=bjensen,ou=People,dc=example,dc=com
+objectClass: inetOrgPerson
+cn: Barbara Jensen
+sn: Jensen
+uid: bjensen
+userPassword:: YmplbnNlbg==
+mail: bjensen@example.com
+
+dn: uid=proxy,ou=People,dc=example,dc=com
+objectClass: inetOrgPerson
+cn: Proxy
+sn: Proxy
+uid: proxy
+userPassword:: cHJveHk=
+authzTo: dn:*
+
diff --git a/tests/scripts/conf.sh b/tests/scripts/conf.sh
index 42e623c3e1..4c2b6ed419 100755
--- a/tests/scripts/conf.sh
+++ b/tests/scripts/conf.sh
@@ -43,6 +43,9 @@ sed -e "s/@BACKEND@/${BACKEND}/" \
 -e "s/^#${MON}#//" \
 -e "s/^#${MONMOD}#//" \
 -e "s/^#${SASL}#//" \
- -e "s/#SASL_MECH#/${SASL_MECH}/" \
+ -e "s;@URI1@;${URI1};" \
+ -e "s;@URI2@;${URI2};" \
+ -e "s;@URI3@;${URI3};" \
+ -e "s/@SASL_MECH@/${SASL_MECH}/" \
 -e "s/@CACHETTL@/${CACHETTL}/" \
 -e "s/@ENTRY_LIMIT@/${CACHE_ENTRY_LIMIT}/"
diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh
index 32bc64ec8c..858ab6c1f2 100755
--- a/tests/scripts/defines.sh
+++ b/tests/scripts/defines.sh
@@ -64,6 +64,9 @@ LIMITSCONF=$DATADIR/slapd-limits.conf
 DNCONF=$DATADIR/slapd-dn.conf
 EMPTYDNCONF=$DATADIR/slapd-emptydn.conf
 IDASSERTCONF=$DATADIR/slapd-idassert.conf
+LDAPGLUECONF1=$DATADIR/slapd-ldapglue.conf
+LDAPGLUECONF2=$DATADIR/slapd-ldapgluepeople.conf
+LDAPGLUECONF3=$DATADIR/slapd-ldapgluegroups.conf
 CONF1=$TESTDIR/slapd.1.conf
 CONF2=$TESTDIR/slapd.2.conf
@@ -139,6 +142,9 @@ LDIFEMPTYDN1=$DATADIR/test-emptydn1.ldif
 LDIFEMPTYDN2=$DATADIR/test-emptydn2.ldif
 LDIFIDASSERT1=$DATADIR/test-idassert1.ldif
 LDIFIDASSERT2=$DATADIR/test-idassert2.ldif
+LDIFLDAPGLUE1=$DATADIR/test-ldapglue.ldif
+LDIFLDAPGLUE2=$DATADIR/test-ldapgluepeople.ldif
+LDIFLDAPGLUE3=$DATADIR/test-ldapgluegroups.ldif
 MONITOR=""
 REFDN="c=US"
 BASEDN="dc=example,dc=com"
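Review bot: `authzTo: dn:*` on uid=proxy lets that account assume any DN this server will accept, which is broader than the glue frontend needs: every identity the frontend asserts lives under ou=People (its `authz-regexp` maps SASL ids there, and test029 binds as uid=bjorn,ou=People,dc=example,dc=com). `authzTo: dn.subtree:ou=People,dc=example,dc=com` would express the same intent with least privilege, assuming `authz-policy to` accepts a subtree pattern for the asserted DNs -- worth one run of test029 to confirm. The proxy entry in test-ldapgluegroups.ldif carries the same wildcard and the same remark applies there.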
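Review bot: The new `-e "s;@URI1@;${URI1};"` substitutions interpolate the URI into the sed replacement unescaped, so a `;` in the value would terminate the expression and `&` or `\` would be interpreted by sed; that is harmless for the `ldap://host:port/` values the harness presumably sets, but the reason for the non-standard `;` delimiter is not recorded. A one-line comment above the three lines would do: `# URIs contain '/', hence ';' as delimiter; values must not contain ';', '&' or '\'`. The enclosing sed command starts before this hunk.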
@@ -204,6 +210,8 @@ DNOUT=$DATADIR/dn.out
 EMPTYDNOUT1=$DATADIR/emptydn.out.slapadd
 EMPTYDNOUT2=$DATADIR/emptydn.out
 IDASSERTOUT=$DATADIR/idassert.out
+LDAPGLUEOUT=$DATADIR/ldapglue.out
+LDAPGLUEANONYMOUSOUT=$DATADIR/ldapglueanonymous.out
 # Just in case we linked the binaries dynamically
 LD_LIBRARY_PATH=`pwd`/../libraries:${LD_LIBRARY_PATH}
 export LD_LIBRARY_PATH
diff --git a/tests/scripts/test028-idassert b/tests/scripts/test028-idassert
index 155f957f15..55db91c4ae 100755
--- a/tests/scripts/test028-idassert
+++ b/tests/scripts/test028-idassert
@@ -16,11 +16,11 @@ echo "running defines.sh"
 . $SRCDIR/scripts/defines.sh
-echo "### This test needs the ldap backend."
+echo "### This test requires the ldap backend."
 echo "### If available, and explicitly requested, it can use SASL bind;"
 echo "### note that SASL must be properly set up, and the requested"
 echo "### mechanism must be available. Define SLAPD_USE_SASL={yes|},"
-echo "### wth \"yes\" defaulting to DIGEST-MD5 to enable SASL authc[/authz]."
+echo "### with \"yes\" defaulting to DIGEST-MD5 to enable SASL authc[/authz]."
 if test $BACKLDAP = "ldapno" ; then
 echo "LDAP backend not available, test skipped"
@@ -201,6 +201,7 @@ $CMP $SEARCHFLT $LDIFFLT > $CMPOUT
 if test $? != 0 ; then
 echo "comparison failed - search with identity assertion didn't succeed"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
 exit 1
 fi
@@ -227,6 +228,7 @@ if test $USE_SASL != "no" ; then
 if test $? != 0 ; then
 echo "comparison failed - search with SASL bind and identity assertion didn't succeed"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
 exit 1
 fi
 fi
diff --git a/tests/scripts/test029-ldapglue b/tests/scripts/test029-ldapglue
new file mode 100755
index 0000000000..1f8201ff8b
--- /dev/null
+++ b/tests/scripts/test029-ldapglue
@@ -0,0 +1,220 @@
+#! /bin/sh
+# $OpenLDAP$
+## This work is part of OpenLDAP Software .
+##
+## Copyright 1998-2004 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## .
+
+echo "running defines.sh"
+. $SRCDIR/scripts/defines.sh
+
+echo "### This test requires the ldap backend."
+echo "### If available, and explicitly requested, it can use SASL bind;"
+echo "### note that SASL must be properly set up, and the requested"
+echo "### mechanism must be available. Define SLAPD_USE_SASL={yes|},"
+echo "### with \"yes\" defaulting to DIGEST-MD5 to enable SASL authc[/authz]."
+
+if test $BACKLDAP = "ldapno" ; then
+ echo "LDAP backend not available, test skipped"
+ exit 0
+fi
+
+if test $WITH_SASL = "yes" ; then
+ if test $USE_SASL != "no" ; then
+ if test $USE_SASL = "yes" ; then
+ MECH="DIGEST-MD5"
+ else
+ MECH="$USE_SASL"
+ fi
+ echo "Using SASL authc[/authz] with mech=$MECH; unset SLAPD_USE_SASL to disable"
+ else
+ echo "Using proxyAuthz with simple authc..."
+ fi
+else
+ echo "SASL not available; using proxyAuthz with simple authc..."
+fi
+
+mkdir -p $TESTDIR $DBDIR1 $DBDIR2 $DBDIR3
+
+echo "Running slapadd to build slapd database..."
+. $CONFFILTER $BACKEND $MONITORDB < $LDAPGLUECONF1 > $ADDCONF
+$SLAPADD -f $ADDCONF -l $LDIFLDAPGLUE1
+RC=$?
+if test $RC != 0 ; then
+ echo "slapadd 1 failed ($RC)!"
+ exit $RC
+fi
+
+. $CONFFILTER $BACKEND $MONITORDB < $LDAPGLUECONF2 > $ADDCONF
+$SLAPADD -f $ADDCONF -l $LDIFLDAPGLUE2
+RC=$?
+if test $RC != 0 ; then
+ echo "slapadd 2 failed ($RC)!"
+ exit $RC
+fi
+
+. $CONFFILTER $BACKEND $MONITORDB < $LDAPGLUECONF3 > $ADDCONF
+$SLAPADD -f $ADDCONF -l $LDIFLDAPGLUE3
+RC=$?
+if test $RC != 0 ; then
+ echo "slapadd 3 failed ($RC)!"
+ exit $RC
+fi
+
+echo "Starting local slapd on TCP/IP port $PORT1..."
+. $CONFFILTER $BACKEND $MONITORDB < $LDAPGLUECONF1 > $CONF1
+$SLAPD -f $CONF1 -h $URI1 -d $LVL $TIMING > $LOG1 2>&1 &
+PID1=$!
+if test $WAIT != 0 ; then
+ echo PID $PID1
+ read foo
+fi
+
+echo "Starting remote slapd 1 on TCP/IP port $PORT2..."
+. $CONFFILTER $BACKEND $MONITORDB < $LDAPGLUECONF2 > $CONF2
+$SLAPD -f $CONF2 -h $URI2 -d $LVL $TIMING > $LOG2 2>&1 &
+PID2=$!
+if test $WAIT != 0 ; then
+ echo PID $PID2
+ read foo
+fi
+
+echo "Starting remote slapd 2 on TCP/IP port $PORT3..."
+. $CONFFILTER $BACKEND $MONITORDB < $LDAPGLUECONF3 > $CONF3
+$SLAPD -f $CONF3 -h $URI3 -d $LVL $TIMING > $LOG3 2>&1 &
+PID3=$!
+if test $WAIT != 0 ; then
+ echo PID $PID3
+ read foo
+fi
+KILLPIDS="$PID1 $PID2 $PID3"
+
+echo "Using ldapsearch to check that slapd is running..."
+for i in 0 1 2 3 4 5; do
+ $LDAPSEARCH -s base -b "$MONITOR" -h $LOCALHOST -p $PORT1 \
+ 'objectclass=*' > /dev/null 2>&1
+ RC=$?
+ if test $RC = 0 ; then
+ break
+ fi
+ echo "Waiting 5 seconds for slapd to start..."
+ sleep 5
+done
+
+echo "Using ldapsearch to check that slapd is running..."
+for i in 0 1 2 3 4 5; do
+ $LDAPSEARCH -s base -b "$MONITOR" -h $LOCALHOST -p $PORT2 \
+ 'objectclass=*' > /dev/null 2>&1
+ RC=$?
+ if test $RC = 0 ; then
+ break
+ fi
+ echo "Waiting 5 seconds for slapd to start..."
+ sleep 5
+done
+
+echo "Using ldapsearch to check that slapd is running..."
+for i in 0 1 2 3 4 5; do
+ $LDAPSEARCH -s base -b "$MONITOR" -h $LOCALHOST -p $PORT3 \
+ 'objectclass=*' > /dev/null 2>&1
+ RC=$?
+ if test $RC = 0 ; then
+ break
+ fi
+ echo "Waiting 5 seconds for slapd to start..."
+ sleep 5
+done
+
+ID="uid=bjorn,ou=People,dc=example,dc=com"
+BASE="dc=example,dc=com"
+echo "Testing ldapsearch as $ID for \"$BASE\"..."
+$LDAPSEARCH -h $LOCALHOST -p $PORT1 -b "$BASE" \
+ -D "$ID" -w bjorn > $SEARCHOUT 2>&1
+
+RC=$?
+if test $RC != 0 ; then
+ echo "ldapsearch failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+echo "Filtering ldapsearch results..."
+. $LDIFFILTER < $SEARCHOUT > $SEARCHFLT
+echo "Filtering original ldif used to create database..."
+. $LDIFFILTER < $LDAPGLUEOUT > $LDIFFLT
+echo "Comparing filter output..."
+$CMP $SEARCHFLT $LDIFFLT > $CMPOUT
+
+if test $? != 0 ; then
+ echo "comparison failed - glued search with identity assertion didn't succeed"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit 1
+fi
+
+BASE="dc=example,dc=com"
+echo "Testing ldapsearch as anonymous for \"$BASE\"..."
+$LDAPSEARCH -h $LOCALHOST -p $PORT1 -b "$BASE" \
+ > $SEARCHOUT 2>&1
+
+RC=$?
+if test $RC != 0 ; then
+ echo "ldapsearch failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+echo "Filtering ldapsearch results..."
+. $LDIFFILTER < $SEARCHOUT > $SEARCHFLT
+echo "Filtering original ldif used to create database..."
+. $LDIFFILTER < $LDAPGLUEANONYMOUSOUT > $LDIFFLT
+echo "Comparing filter output..."
+$CMP $SEARCHFLT $LDIFFLT > $CMPOUT
+
+if test $? != 0 ; then
+ echo "comparison failed - anonymous glued search with identity assertion didn't succeed"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit 1
+fi
+
+# FIXME: this cannot work as is, because SASL bind cannot be proxied!
+#if test $USE_SASL != "no" ; then
+# ID="bjorn"
+# BASE="dc=example,dc=com"
+# echo "Testing ldapsearch as $ID for \"$BASE\" with SASL bind and identity assertion..."
+# $LDAPSASLSEARCH -h $LOCALHOST -p $PORT1 -b "$BASE" \
+# -Q -U "$ID" -w bjorn -Y $MECH > $SEARCHOUT 2>&1
+#
+# RC=$?
+# if test $RC != 0 ; then
+# echo "ldapsearch failed ($RC)!"
+# test $KILLSERVERS != no && kill -HUP $KILLPIDS
+# exit $RC
+# fi
+#
+# echo "Filtering ldapsearch results..."
+# . $LDIFFILTER < $SEARCHOUT > $SEARCHFLT
+# echo "Filtering original ldif used to create database..."
+# . $LDIFFILTER < $LDAPGLUEOUT > $LDIFFLT
+# echo "Comparing filter output..."
+# $CMP $SEARCHFLT $LDIFFLT > $CMPOUT
+#
+# if test $? != 0 ; then
+# echo "comparison failed - glued search with SASL bind and identity assertion didn't succeed"
+# test $KILLSERVERS != no && kill -HUP $KILLPIDS
+# exit 1
+# fi
+#fi
+
+test $KILLSERVERS != no && kill -HUP $KILLPIDS
+
+echo ">>>>> Test succeeded"
+exit 0
+
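Review bot: The three "check that slapd is running" loops never act on a persistent failure: when all six attempts fail, RC is left non-zero but the script simply continues, so a server that never came up only surfaces later as a misleading "ldapsearch failed" or comparison error, and the two servers that did start keep running until that later path happens to reach `kill -HUP $KILLPIDS`. Each loop should be followed by the same check the later searches already use, so the failure is reported at its cause and all three PIDs are cleaned up; the block below goes after each `done`, with the port named in the message. The rest of the script, including the `slapadd` steps that run before any server is started, needs no cleanup on failure and is fine as is.
```shell
# … unchanged: retry loop for $PORT1 …
done
if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi
# … same check after the $PORT2 and $PORT3 loops …
```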