diff --git a/tests/data/slapd-cache-master-proxyauthz.conf b/tests/data/slapd-cache-master-proxyauthz.conf new file mode 100644 index 0000000000..3ab62bc720 --- /dev/null +++ b/tests/data/slapd-cache-master-proxyauthz.conf @@ -0,0 +1,47 @@ +# master slapd config -- for proxy cache testing +# $OpenLDAP$ +## This work is part of OpenLDAP Software . +## +## Copyright 1998-2016 The OpenLDAP Foundation. +## All rights reserved. +## +## Redistribution and use in source and binary forms, with or without +## modification, are permitted only as authorized by the OpenLDAP +## Public License. +## +## A copy of this license is available in the file LICENSE in the +## top-level directory of the distribution or, alternatively, at +## . + +include @SCHEMADIR@/core.schema +include @SCHEMADIR@/cosine.schema +include @SCHEMADIR@/inetorgperson.schema +include @SCHEMADIR@/openldap.schema +include @SCHEMADIR@/nis.schema +# +pidfile @TESTDIR@/slapd.1.pid +argsfile @TESTDIR@/slapd.1.args + +disallow bind_anon + + +#mod#modulepath ../servers/slapd/back-@BACKEND@/ +#mod#moduleload back_@BACKEND@.la +#monitormod#modulepath ../servers/slapd/back-monitor/ +#monitormod#moduleload back_monitor.la + +####################################################################### +# database definitions +####################################################################### + +database @BACKEND@ +suffix "dc=example,dc=com" +rootdn "cn=Manager,dc=example,dc=com" +rootpw secret +#~null~#directory @TESTDIR@/db.1.a +#indexdb#index objectClass eq +#indexdb#index cn,sn,uid pres,eq,sub +#ndb#dbname db_1 +#ndb#include @DATADIR@/ndb.conf + +#monitor#database monitor diff --git a/tests/data/slapd-proxyauthz.conf b/tests/data/slapd-proxyauthz.conf new file mode 100644 index 0000000000..b7adebf1bf --- /dev/null +++ b/tests/data/slapd-proxyauthz.conf @@ -0,0 +1,79 @@ +# proxy cache slapd config -- for testing +# $OpenLDAP$ +## This work is part of OpenLDAP Software . +## +## Copyright 1998-2016 The OpenLDAP Foundation. +## All rights reserved. +## +## Redistribution and use in source and binary forms, with or without +## modification, are permitted only as authorized by the OpenLDAP +## Public License. +## +## A copy of this license is available in the file LICENSE in the +## top-level directory of the distribution or, alternatively, at +## . + +include @SCHEMADIR@/core.schema +include @SCHEMADIR@/cosine.schema +include @SCHEMADIR@/inetorgperson.schema +include @SCHEMADIR@/openldap.schema +include @SCHEMADIR@/nis.schema + +pidfile @TESTDIR@/slapd.2.pid +argsfile @TESTDIR@/slapd.2.args + +#mod#modulepath ../servers/slapd/back-@BACKEND@/ +#mod#moduleload back_@BACKEND@.la +#ldapmod#modulepath ../servers/slapd/back-ldap/ +#ldapmod#moduleload back_ldap.la +#monitormod#modulepath ../servers/slapd/back-monitor/ +#monitormod#moduleload back_monitor.la +#pcachemod#modulepath ../servers/slapd/overlays/ +#pcachemod#moduleload pcache.la + + +####################################################################### +# database definitions +####################################################################### + +database ldap +suffix "dc=example,dc=com" +rootdn "dc=example,dc=com" +rootpw "secret" +uri "@URI1@" + +limits dn="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" size=1 + +idassert-bind bindmethod=simple binddn="cn=Manager,dc=example,dc=com" credentials="secret" + mode=self authz=proxyauthz flags="override" + +idassert-authzFrom "dn.children:dc=example,dc=com" + +#authz=proxyauthz + +overlay pcache +pcache @BACKEND@ 100 2 @ENTRY_LIMIT@ @CCPERIOD@ +pcacheattrset 0 sn cn title uid +pcacheattrset 1 mail postaladdress telephonenumber cn uid +pcachetemplate (|(cn=)(sn=)) 0 @TTL@ @NTTL@ @STTL@ +pcachetemplate (sn=) 0 @TTL@ @NTTL@ @STTL@ +pcachetemplate (uid=) 1 @TTL@ @NTTL@ @STTL@ +pcachetemplate (mail=) 0 @TTL@ @NTTL@ @STTL@ +pcachetemplate (&(objectclass=)(uid=)) 1 @TTL@ @NTTL@ @STTL@ @TTR@ +pcachetemplate (cn=) 0 86400 86400 86400 180 + +pcachebind (cn=) 0 3600 sub ou=people,dc=example,dc=com + +#bdb#cachesize 20 +#hdb#cachesize 20 +#bdb#dbnosync +#hdb#dbnosync +#mdb#dbnosync + +#~null~#directory @TESTDIR@/db.2.a +#indexdb#index objectClass eq +#indexdb#index cn,sn,uid,mail pres,eq,sub +#ndb#dbname db_2 +#ndb#include @DATADIR@/ndb.conf + +#monitor#database monitor diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh index 6d693be4db..a2dbbabcbf 100755 --- a/tests/scripts/defines.sh +++ b/tests/scripts/defines.sh @@ -93,7 +93,9 @@ DSRMASTERCONF=$DATADIR/slapd-deltasync-master.conf DSRSLAVECONF=$DATADIR/slapd-deltasync-slave.conf PPOLICYCONF=$DATADIR/slapd-ppolicy.conf PROXYCACHECONF=$DATADIR/slapd-proxycache.conf +PROXYAUTHZCONF=$DATADIR/slapd-proxyauthz.conf CACHEMASTERCONF=$DATADIR/slapd-cache-master.conf +PROXYAUTHZMASTERCONF=$DATADIR/slapd-cache-master-proxyauthz.conf R1SRSLAVECONF=$DATADIR/slapd-syncrepl-slave-refresh1.conf R2SRSLAVECONF=$DATADIR/slapd-syncrepl-slave-refresh2.conf P1SRSLAVECONF=$DATADIR/slapd-syncrepl-slave-persist1.conf diff --git a/tests/scripts/test065-proxyauthz b/tests/scripts/test065-proxyauthz new file mode 100755 index 0000000000..1298aedfd6 --- /dev/null +++ b/tests/scripts/test065-proxyauthz @@ -0,0 +1,255 @@ +#! /bin/sh +# $OpenLDAP$ +## This work is part of OpenLDAP Software . +## +## Copyright 1998-2016 The OpenLDAP Foundation. +## All rights reserved. +## +## Redistribution and use in source and binary forms, with or without +## modification, are permitted only as authorized by the OpenLDAP +## Public License. +## +## A copy of this license is available in the file LICENSE in the +## top-level directory of the distribution or, alternatively, at +## . + +PCACHETTL=${PCACHETTL-"1m"} +PCACHENTTL=${PCACHENTTL-"1m"} +PCACHESTTL=${PCACHESTTL-"1m"} +PCACHE_ENTRY_LIMIT=${PCACHE_ENTRY_LIMIT-"6"} +PCACHE_CCPERIOD=${PCACHE_CCPERIOD-"2"} +PCACHETTR=${PCACHETTR-"2"} +PCACHEBTTR=${PCACHEBTTR-"5"} + +. $SRCDIR/scripts/defines.sh + +LVL=0x100 + +if test $PROXYCACHE = pcacheno; then + echo "Proxy cache overlay not available, test skipped" + exit 0 +fi + +if test $BACKLDAP = "ldapno" ; then + echo "LDAP backend not available, test skipped" + exit 0 +fi + +if test $BACKEND = ldif ; then + # The (mail=example.com*) queries hit a sizelimit, so which + # entry is returned depends on the ordering in the backend. + echo "Test does not support $BACKEND backend, test skipped" + exit 0 +fi + +mkdir -p $TESTDIR $DBDIR1 $DBDIR2 + +# Test proxy caching: +# - start master +# - start proxy cache +# - populate master +# - perform a first search +# - verify cacheability +# - perform a second search with the same filter and same user +# - verify answerability and cacheability of the bind +# - perform a third search with the same user but a different filter +# - verify cacheability of the bind and the non-answerability of the result + +echo "Starting master slapd on TCP/IP port $PORT1..." +. $CONFFILTER < $PROXYAUTHZMASTERCONF > $CONF1 +$SLAPD -f $CONF1 -h $URI1 -d $LVL > $LOG1 2>&1 & +PID=$! +if test $WAIT != 0 ; then + echo PID $PID + read foo +fi +KILLPIDS="$PID" + +sleep 1 + +echo "Using ldapsearch to check that master slapd is running..." +for i in 0 1 2 3 4 5; do + $LDAPSEARCH -s base -b "$MONITOR" -h $LOCALHOST -p $PORT1 \ + -D "cn=Manager,dc=example,dc=com" -w secret 'objectclass=*' > /dev/null 2>&1 + RC=$? + if test $RC = 0 ; then + break + fi + echo "Waiting 5 seconds for slapd to start..." + sleep 5 +done + +if test $RC != 0 ; then + echo "ldapsearch failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo "Using ldapadd to populate the master directory..." +$LDAPADD -x -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD < \ + $LDIFORDERED > /dev/null 2>&1 +RC=$? +if test $RC != 0 ; then + echo "ldapadd failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo "Starting proxy cache on TCP/IP port $PORT2..." +. $CONFFILTER < $PROXYAUTHZCONF | sed \ + -e "s/@TTL@/${PCACHETTL}/" \ + -e "s/@NTTL@/${PCACHENTTL}/" \ + -e "s/@STTL@/${PCACHENTTL}/" \ + -e "s/@TTR@/${PCACHETTR}/" \ + -e "s/@ENTRY_LIMIT@/${PCACHE_ENTRY_LIMIT}/" \ + -e "s/@CCPERIOD@/${PCACHE_CCPERIOD}/" \ + -e "s/@BTTR@/${PCACHEBTTR}/" \ + > $CONF2 + +$SLAPD -f $CONF2 -h $URI2 -d $LVL -d pcache > $LOG2 2>&1 & +CACHEPID=$! +if test $WAIT != 0 ; then + echo CACHEPID $CACHEPID + read foo +fi +KILLPIDS="$KILLPIDS $CACHEPID" + +sleep 1 + +echo "Using ldapsearch to check that proxy slapd is running..." +for i in 0 1 2 3 4 5; do + $LDAPSEARCH -s base -b "$MONITOR" -h $LOCALHOST -p $PORT2 \ + -D "cn=Manager,dc=example,dc=com" -w secret 'objectclass=*' > /dev/null 2>&1 + RC=$? + if test $RC = 0 ; then + break + fi + echo "Waiting 5 seconds for slapd to start..." + sleep 5 +done + +if test $RC != 0 ; then + echo "ldapsearch failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +cat /dev/null > $SEARCHOUT + +echo "Making queries on the proxy cache..." +CNT=0 + + +CNT=`expr $CNT + 1` +USERDN="cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com" +UPASSWD="jaj" +echo "Query $CNT: $USERDN" +echo "# Query $CNT: $USERDN" >> $SEARCHOUT + +$LDAPSEARCH -S "" -b "dc=example,dc=com" -s SUB -h $LOCALHOST -p $PORT2 \ + -D "$USERDN" -w "$UPASSWD" "(sn=je*)" sn >> $SEARCHOUT 2>> $TESTOUT +RC=$? + +if test $RC != 0 ; then + echo "ldapsearch failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +# Check that the bind is cached +grep "CACHING BIND for $USERDN" $LOG2 > /dev/null + +RC=$? +if test $RC != 0 ; then + echo "Refresh failed" + test $KILLSERVERS != no && kill -HUP $KILLPIDS && wait + exit 1 +fi + +CNT=`expr $CNT + 1` +USERDN="cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com" +UPASSWD="jaj" +echo "Query $CNT: (Bind should be cached)" +echo "# Query $CNT: (Bind should be cached)" >> $SEARCHOUT + +$LDAPSEARCH -S "" -b "dc=example,dc=com" -s SUB -h $LOCALHOST -p $PORT2 \ + -D "$USERDN" -w "$UPASSWD" "(sn=je*)" sn >> $SEARCHOUT 2>> $TESTOUT + +RC=$? +if test $RC != 0 ; then + echo "ldapsearch failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +grep "CACHED BIND for $USERDN" $LOG2 > /dev/null +RC=$? +if test $RC != 0 ; then + echo "Refresh failed" + test $KILLSERVERS != no && kill -HUP $KILLPIDS && wait + exit 1 +fi + +CNT=`expr $CNT + 1` +USERDN="cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com" + +echo "Query $CNT: (Bind should be cached)" +echo "# Query $CNT: (Bind should be cached)" >> $SEARCHOUT +$LDAPSEARCH -S "" -b "dc=example,dc=com" -s SUB -h $LOCALHOST -p $PORT2 \ + -D "$USERDN" -w "$UPASSWD" "(sn=je*)" sn >> $SEARCHOUT 2>> $TESTOUT + +RC=$? +if test $RC != 0 ; then + echo "ldapsearch failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +RC=`grep "CACHED BIND for $USERDN" $LOG2 | wc -l` +if test $RC != 2 ; then + echo "Bind wasn't answered from cache" + test $KILLSERVERS != no && kill -HUP $KILLPIDS && wait + exit 1 +fi + +echo "=== New search on (sn=jo*)" +cat /dev/null > $SEARCHOUT +echo "# Query $CNT: (Bind should be cached)" >> $SEARCHOUT +$LDAPSEARCH -S "" -b "dc=example,dc=com" -s SUB -h $LOCALHOST -p $PORT2 \ + -D "$USERDN" -w "$UPASSWD" "(sn=jo*)" sn >> $SEARCHOUT 2>> $TESTOUT + +RC=$? +if test $RC != 0 ; then + echo "ldapsearch failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +RC=`grep "CACHED BIND for $USERDN" $LOG2 | wc -l` +if test $RC != 3 ; then + echo "Bind wasn't answered from cache" + test $KILLSERVERS != no && kill -HUP $KILLPIDS && wait + exit 1 +fi + +RC=`grep "QUERY NOT ANSWERABLE" $LOG2 | wc -l` +if test $RC != 3 ; then + echo "Search wasn't searched on remote peer" + test $KILLSERVERS != no && kill -HUP $KILLPIDS && wait + exit 1 +fi + +RC=`grep "dn: cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com" $SEARCHOUT | wc -l` +if test $RC != 1 ; then + echo "Search wasn't retrieved on remote peer" + test $KILLSERVERS != no && kill -HUP $KILLPIDS && wait + exit 1 +fi + +echo "Test succeeded" + +test $KILLSERVERS != no && kill -HUP $KILLPIDS + +test $KILLSERVERS != no && wait + +exit 0