mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
ITS#9189 add channel-bindings tests
This commit is contained in:
parent
3cd50fa8b3
commit
7b0017ad49
@ -63,3 +63,6 @@ rootpw secret
|
||||
|
||||
sasl-realm @KRB5REALM@
|
||||
sasl-host localhost
|
||||
|
||||
database config
|
||||
rootpw secret
|
||||
|
@ -142,3 +142,11 @@ if test $RC != 0 ; then
|
||||
exit 0
|
||||
fi
|
||||
fi
|
||||
|
||||
HAVE_SASL_GSS_CBIND=no
|
||||
|
||||
grep CHANNEL_BINDING $TESTDIR/plugin_out > /dev/null 2>&1
|
||||
RC=$?
|
||||
if test $RC = 0 ; then
|
||||
HAVE_SASL_GSS_CBIND=yes
|
||||
fi
|
||||
|
@ -88,6 +88,28 @@ else
|
||||
echo "success"
|
||||
fi
|
||||
|
||||
# Exercise channel-bindings code in builds without SASL support
|
||||
for cb in "none" "tls-unique" "tls-endpoint" ; do
|
||||
|
||||
echo -n "Using ldapwhoami with SASL/EXTERNAL and SASL_CBINDING (${cb})...."
|
||||
|
||||
$LDAPSASLWHOAMI -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt \
|
||||
-o tls_cert=$TESTDIR/tls/certs/bjensen@mailgw.example.com.crt \
|
||||
-o tls_key=$TESTDIR/tls/private/bjensen@mailgw.example.com.key \
|
||||
-o tls_reqcert=hard -o SASL_CBINDING=$cb -ZZ -Y EXTERNAL -H $URIP1 \
|
||||
> $TESTOUT 2>&1
|
||||
|
||||
RC=$?
|
||||
if test $RC != 0 ; then
|
||||
echo "ldapwhoami failed ($RC)!"
|
||||
test $KILLSERVERS != no && kill -HUP $PID
|
||||
exit $RC
|
||||
else
|
||||
echo "success"
|
||||
fi
|
||||
done
|
||||
|
||||
|
||||
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
||||
|
||||
if test $RC != 0 ; then
|
||||
|
@ -21,7 +21,10 @@ if test $WITH_SASL = no ; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
mkdir -p $TESTDIR $DBDIR1
|
||||
SLAPTEST="$TESTWD/../servers/slapd/slaptest"
|
||||
CONFDIR=$TESTDIR/slapd.d
|
||||
|
||||
mkdir -p $TESTDIR $DBDIR1 $CONFDIR
|
||||
cp -r $DATADIR/tls $TESTDIR
|
||||
|
||||
cd $TESTWD
|
||||
@ -32,7 +35,8 @@ echo "Starting KDC for SASL/GSSAPI tests..."
|
||||
|
||||
echo "Running slapadd to build slapd database..."
|
||||
. $CONFFILTER $BACKEND $MONITORDB < $SASLGSSAPICONF > $CONF1
|
||||
$SLAPADD -f $CONF1 -l $LDIFORDERED
|
||||
$SLAPTEST -f $CONF1 -F $CONFDIR
|
||||
$SLAPADD -F $CONFDIR -l $LDIFORDERED
|
||||
RC=$?
|
||||
if test $RC != 0 ; then
|
||||
echo "slapadd failed ($RC)!"
|
||||
@ -41,7 +45,7 @@ if test $RC != 0 ; then
|
||||
fi
|
||||
|
||||
echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..."
|
||||
$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
|
||||
$SLAPD -F $CONFDIR -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
|
||||
PID=$!
|
||||
if test $WAIT != 0 ; then
|
||||
echo PID $PID
|
||||
@ -144,6 +148,79 @@ else
|
||||
fi
|
||||
fi
|
||||
|
||||
if test $WITH_TLS = no ; then
|
||||
echo "TLS support not available, skipping channe-binding test"
|
||||
elif test $HAVE_SASL_GSS_CBIND = no ; then
|
||||
echo "SASL has no channel-binding support in GSSAPI, test skipped"
|
||||
else
|
||||
echo "Testing SASL/GSSAPI with SASL_CBINDING..."
|
||||
|
||||
for acb in "none" "tls-unique" "tls-endpoint" ; do
|
||||
|
||||
echo "Modifying slapd's olcSaslCBinding to ${acb} ..."
|
||||
$LDAPMODIFY -D cn=config -H $URI1 -w secret <<EOF > $TESTOUT 2>&1
|
||||
dn: cn=config
|
||||
changetype: modify
|
||||
replace: olcSaslCBinding
|
||||
olcSaslCBinding: ${acb}
|
||||
EOF
|
||||
RC=$?
|
||||
if test $RC != 0 ; then
|
||||
echo "ldapmodify failed ($RC)!"
|
||||
kill $KDCPROC
|
||||
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
||||
exit $RC
|
||||
fi
|
||||
|
||||
for icb in "none" "tls-unique" "tls-endpoint" ; do
|
||||
|
||||
# The gnutls implemantation of "tls-unique" seems broken
|
||||
if test $icb = "tls-unique" -o $acb = "tls-unique" ; then
|
||||
if test $WITH_TLS_TYPE == gnutls ; then
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
|
||||
fail="no"
|
||||
if test $icb != $acb -a $acb != "none" ; then
|
||||
# This currently fails in MIT, but it is planned to be
|
||||
# fixed not to fail like in heimdal - avoid testing.
|
||||
if test $icb = "none" ; then
|
||||
continue
|
||||
fi
|
||||
# Otherwise unmatching bindings are expected to fail.
|
||||
fail="yes"
|
||||
fi
|
||||
|
||||
echo -n "Using ldapwhoami with SASL/GSSAPI and SASL_CBINDING "
|
||||
echo -ne "(client: ${icb},\tserver: ${acb}): "
|
||||
|
||||
$LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 -ZZ -o tls_reqcert=allow \
|
||||
-o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt \
|
||||
-o SASL_CBINDING=$icb > $TESTOUT 2>&1
|
||||
|
||||
RC=$?
|
||||
if test $RC != 0 ; then
|
||||
if test $fail = "no" ; then
|
||||
echo "test failed ($RC)!"
|
||||
kill $KDCPROC
|
||||
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
||||
exit $RC
|
||||
fi
|
||||
elif test $fail = "yes" ; then
|
||||
echo "failed: command succeeded unexpectedly."
|
||||
kill $KDCPROC
|
||||
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "success"
|
||||
RC=0
|
||||
done
|
||||
done
|
||||
fi
|
||||
|
||||
|
||||
kill $KDCPROC
|
||||
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user