Added tests for password policy overlay

2025-02-23 14:09:39 +08:00 · 2004-03-16 10:16:21 +00:00 · 2004-03-16 10:16:21 +00:00 · c564301d34
commit c564301d34
parent b59da518cf
6 changed files with 439 additions and 1 deletions
--- a/tests/data/ppolicy.ldif
+++ b/tests/data/ppolicy.ldif
@ -0,0 +1,65 @@
+dn: o=University of Michigan, c=US
+objectClass: top
+objectClass: organization
+o: University of Michigan
+
+dn: ou=People, o=University of Michigan, c=US
+objectClass: top
+objectClass: organizationalUnit
+ou: People
+
+dn: ou=Policies, o=University of Michigan, c=US
+objectClass: top
+objectClass: organizationalUnit
+ou: Policies
+
+dn: cn=Standard Policy, ou=Policies, o=University of Michigan, c=US
+objectClass: top
+objectClass: device
+objectClass: pwdPolicy
+cn: Standard Policy
+pwdAttribute: 2.5.4.35
+pwdLockoutDuration: 30
+pwdInHistory: 6
+pwdCheckQuality: 1
+pwdExpireWarning: 300
+pwdMaxAge: 600
+pwdMinLength: 5
+pwdGraceLoginLimit: 3
+pwdAllowUserChange: TRUE
+pwdMustChange: TRUE
+pwdMaxFailure: 3
+pwdFailureCountInterval: 120
+pwdSafeModify: TRUE
+
+dn: uid=nd, ou=People, o=University of Michigan, c=US
+objectClass: top
+objectClass: person
+objectClass: inetOrgPerson
+cn: Neil Dunbar
+uid: nd
+sn: Dunbar
+givenName: Neil
+userPassword: testpassword
+
+dn: uid=ndadmin, ou=People, o=University of Michigan, c=US
+objectClass: top
+objectClass: person
+objectClass: inetOrgPerson
+cn: Neil Dunbar (Admin)
+uid: ndadmin
+sn: Dunbar
+givenName: Neil
+userPassword: testpw
+
+dn: uid=test, ou=People, o=University of Michigan, c=US
+objectClass: top
+objectClass: person
+objectClass: inetOrgPerson
+cn: test test
+uid: test
+sn: Test
+givenName:  Test
+userPassword: kfhgkjhfdgkfd
+pwdPolicySubEntry: cn=No Policy, ou=Policies, o=University of Michigan, c=US
+
--- a/tests/data/slapd-ppolicy.conf
+++ b/tests/data/slapd-ppolicy.conf
@ -0,0 +1,49 @@
+# master slapd config -- for testing
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2004 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+ucdata-path	./ucdata
+include ./schema/core.schema
+include ./schema/cosine.schema
+include ./schema/inetorgperson.schema
+include ./schema/openldap.schema
+include ./schema/nis.schema
+include ./schema/ppolicy.schema
+pidfile     ./test-db/slapd.pid
+argsfile    ./test-db/slapd.args
+
+#mod#modulepath	../servers/slapd/back-@BACKEND@/
+#mod#moduleload	back_@BACKEND@.la
+#ppolicymod#moduleload ../servers/slapd/overlays/ppolicy.la
+
+#######################################################################
+# ldbm database definitions
+#######################################################################
+
+database	@BACKEND@
+suffix		"o=University of Michigan,c=US"
+directory	./testrun/db.1.a
+rootdn		"cn=Manager,o=University of Michigan,c=US"
+rootpw		secret
+index		objectClass eq
+overlay		ppolicy
+ppolicy_default	"cn=Standard Policy,ou=Policies,o=University of Michigan,c=US"
+
+access to attr=userpassword
+	by self write
+	by * auth
+
+access to *
+	by self write
+	by * read
--- a/tests/run.in
+++ b/tests/run.in
@ -27,10 +27,11 @@ AC_hdb=@BUILD_HDB@
 AC_ldbm=@BUILD_LDBM@
 AC_ldap=ldap@BUILD_LDAP@
 AC_pcache=pcache@BUILD_PROXYCACHE@
+AC_ppolicy=ppolicy@BUILD_PPOLICY@
 AC_MONITOR=@BUILD_MONITOR@
 AC_WITH_TLS=@WITH_TLS@

-export AC_MONITOR AC_WITH_TLS AC_ldap AC_pcache
+export AC_MONITOR AC_WITH_TLS AC_ldap AC_pcache AC_ppolicy

 if test ! -x ../servers/slapd/slapd ; then
 	echo "Could not locate slapd(8)"
--- a/tests/scripts/conf.sh
+++ b/tests/scripts/conf.sh
@ -22,6 +22,7 @@ sed -e "s/@BACKEND@/${BACKEND}/"	\
 	-e "s/^#${BACKENDTYPE}#//"			\
 	-e "s/^#${AC_ldap}#//"			\
 	-e "s/^#${AC_pcache}#//"			\
+	-e "s/^#${AC_ppolicy}#//"			\
 	-e "s/^#${MON}#//"				\
 	-e "s/@CACHETTL@/${CACHETTL}/"   \
 	-e "s/@ENTRY_LIMIT@/${CACHE_ENTRY_LIMIT}/"   
--- a/tests/scripts/defines.sh
+++ b/tests/scripts/defines.sh
@ -15,6 +15,7 @@

 MONITORDB=${AC_MONITOR-no}
 PROXYCACHE=${AC_pcache-pcacheno}
+PPOLICY=${AC_ppolicy-ppolicyno}
 WITHTLS=${AC_WITHTLS-yes}

 DATADIR=./testdata
@ -40,6 +41,7 @@ RCONF=$DATADIR/slapd-referrals.conf
 MASTERCONF=$DATADIR/slapd-repl-master.conf
 SRMASTERCONF=$DATADIR/slapd-syncrepl-master.conf
 SLAVECONF=$DATADIR/slapd-repl-slave.conf
+PPOLICYCONF=$DATADIR/slapd-ppolicy.conf
 PROXYCACHECONF=$DATADIR/slapd-proxycache.conf
 CACHEMASTERCONF=$DATADIR/slapd-cache-master.conf
 R1SRSLAVECONF=$DATADIR/slapd-syncrepl-slave-refresh1.conf
@ -111,6 +113,7 @@ LDIFORDEREDNOCP=$DATADIR/test-ordered-nocp.ldif
 LDIFBASE=$DATADIR/test-base.ldif
 LDIFPASSWD=$DATADIR/passwd.ldif
 LDIFPASSWDOUT=$DATADIR/passwd-out.ldif
+LDIFPPOLICY=$DATADIR/ppolicy.ldif
 LDIFLANG=$DATADIR/test-lang.ldif
 LDIFLANGOUT=$DATADIR/lang-out.ldif
 LDIFREF=$DATADIR/referrals.ldif
--- a/tests/scripts/test022-ppolicy
+++ b/tests/scripts/test022-ppolicy
@ -0,0 +1,319 @@
+#! /bin/sh
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2004 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+echo "running defines.sh"
+. $SRCDIR/scripts/defines.sh
+
+if test $PPOLICY = ppolicyno; then 
+	echo "Password policy overlay not available, test skipped"
+	exit 0
+fi 
+
+mkdir -p $TESTDIR $DBDIR1
+
+echo "Starting slapd on TCP/IP port $PORT1..."
+. $CONFFILTER $BACKEND $MONITORDB < $PPOLICYCONF > $CONF1
+$SLAPD -f $CONF1 -h $URI1 -d $LVL $TIMING > $LOG1 2>&1 &
+PID=$!
+if test $WAIT != 0 ; then
+    echo PID $PID
+    read foo
+fi
+KILLPIDS="$PID"
+
+USER="uid=nd, ou=People, o=University of Michigan, c=US"
+PASS=testpassword
+
+echo "Using ldapsearch to check that slapd is running..."
+for i in 0 1 2 3 4 5; do
+	$LDAPSEARCH -s base -b "$MONITOR" -h $LOCALHOST -p $PORT1 \
+		'objectclass=*' > /dev/null 2>&1
+	RC=$?
+	if test $RC = 0 ; then
+		break
+	fi
+	echo "Waiting 5 seconds for slapd to start..."
+	sleep 5
+done
+if test $RC != 0 ; then
+	echo "ldapsearch failed $(RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+echo "Using ldapadd to populate the database..."
+$LDAPADD -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD < \
+	$LDIFPPOLICY > $TESTOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+	echo "ldapadd failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+echo "Testing account lockout..."
+$LDAPSEARCH -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >$SEARCHOUT 2>&1
+sleep 2
+$LDAPSEARCH -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >>$SEARCHOUT 2>&1
+sleep 2
+$LDAPSEARCH -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >>$SEARCHOUT 2>&1
+sleep 2
+$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >> $SEARCHOUT 2>&1
+$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS >> $SEARCHOUT 2>&1
+COUNT=`grep "Account locked" $SEARCHOUT | wc -l`
+if test $COUNT != 2 ; then
+	echo "Account lockout test failed"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit 1
+fi
+
+echo "Waiting 30 seconds for lockout to reset..."
+sleep 30
+
+$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
+	-b "$BASEDN" -s base >> $SEARCHOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+	echo "ldapsearch failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+echo "Testing password expiration..."
+$LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
+	$TESTOUT 2>&1 << EOMODS
+dn: uid=nd, ou=People, o=University of Michigan, c=US
+changetype: modify
+replace: pwdChangedTime
+pwdChangedTime: 20031231000001Z
+
+EOMODS
+
+$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS > $SEARCHOUT 2>&1
+sleep 2
+$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS >> $SEARCHOUT 2>&1
+sleep 2
+$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS >> $SEARCHOUT 2>&1
+sleep 2
+$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS >> $SEARCHOUT 2>&1
+RC=$?
+if test $RC = 0 ; then
+	echo "Password expiration failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+COUNT=`grep "grace logins" $SEARCHOUT | wc -l`
+if test $COUNT != 3 ; then
+	echo "Password expiration test failed"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit 1
+fi
+
+echo "Resetting password to clear expired status"
+$LDAPPASSWD -h $LOCALHOST -p $PORT1 \
+	-w secret -s $PASS \
+	-D "$MANAGERDN" "$USER" >> $TESTOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+	echo "ldappasswd failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+echo "Filling password history..."
+$LDAPMODIFY -v -D "$USER" -h $LOCALHOST -p $PORT1 -w $PASS > \
+	$TESTOUT 2>&1 << EOMODS
+dn: uid=nd, ou=People, o=University of Michigan,c=US
+changetype: modify
+delete: userpassword
+userpassword: testpassword
+-
+replace: userpassword
+userpassword: 20urgle12-1
+
+dn: uid=nd, ou=People, o=University of Michigan,c=US
+changetype: modify
+delete: userpassword
+userpassword: 20urgle12-1
+-
+replace: userpassword
+userpassword: 20urgle12-2
+
+dn: uid=nd, ou=People, o=University of Michigan,c=US
+changetype: modify
+delete: userpassword
+userpassword: 20urgle12-2
+-
+replace: userpassword
+userpassword: 20urgle12-3
+
+dn: uid=nd, ou=People, o=University of Michigan,c=US
+changetype: modify
+delete: userpassword
+userpassword: 20urgle12-3
+-
+replace: userpassword
+userpassword: 20urgle12-4
+
+dn: uid=nd, ou=People, o=University of Michigan,c=US
+changetype: modify
+delete: userpassword
+userpassword: 20urgle12-4
+-
+replace: userpassword
+userpassword: 20urgle12-5
+
+dn: uid=nd, ou=People, o=University of Michigan,c=US
+changetype: modify
+delete: userpassword
+userpassword: 20urgle12-5
+-
+replace: userpassword
+userpassword: 20urgle12-6
+
+EOMODS
+RC=$?
+if test $RC != 0 ; then
+	echo "ldapmodify failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+echo "Testing password history..."
+$LDAPMODIFY -v -D "$USER" -h $LOCALHOST -p $PORT1 -w 20urgle12-6 > \
+	$TESTOUT 2>&1 << EOMODS
+dn: uid=nd, ou=People, o=University of Michigan, c=US
+changetype: modify
+delete: userPassword
+userPassword: 20urgle12-6
+-
+replace: userPassword
+userPassword: 20urgle12-2
+
+EOMODS
+RC=$?
+if test $RC = 0 ; then
+	echo "ldapmodify failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+echo "Testing forced reset..."
+
+$LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
+	$TESTOUT 2>&1 << EOMODS
+dn: uid=nd, ou=People, o=University of Michigan, c=US
+changetype: modify
+replace: userPassword
+userPassword: testpassword
+-
+replace: pwdReset
+pwdReset: TRUE
+
+EOMODS
+RC=$?
+if test $RC != 0 ; then
+	echo "ldapmodify failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
+	-b "$BASEDN" -s base > $SEARCHOUT 2>&1
+RC=$?
+if test $RC = 0 ; then
+	echo "Forced reset failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+COUNT=`grep "Operations are restricted" $SEARCHOUT | wc -l`
+if test $COUNT != 1 ; then
+	echo "Forced reset test failed"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit 1
+fi
+
+echo "Clearing forced reset..."
+
+$LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
+	$TESTOUT 2>&1 << EOMODS
+dn: uid=nd, ou=People, o=University of Michigan, c=US
+changetype: modify
+delete: pwdReset
+
+EOMODS
+RC=$?
+if test $RC != 0 ; then
+	echo "ldapmodify failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
+	-b "$BASEDN" -s base > $SEARCHOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+	echo "Clearing forced reset failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+echo "Testing Safe modify..."
+
+$LDAPPASSWD -h $LOCALHOST -p $PORT1 \
+	-w $PASS -s failexpect \
+	-D "$USER" > $TESTOUT 2>&1
+RC=$?
+if test $RC = 0 ; then
+	echo "Safe modify test 1 failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+sleep 2
+
+$LDAPPASSWD -h $LOCALHOST -p $PORT1 \
+	-w $PASS -s failexpect -a $PASS \
+	-D "$USER" > $TESTOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+	echo "Safe modify test 2 failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+echo "Testing length requirement..."
+
+$LDAPPASSWD -h $LOCALHOST -p $PORT1 \
+	-w failexpect -a failexpect -s spw \
+	-D "$USER" > $TESTOUT 2>&1
+RC=$?
+if test $RC = 0 ; then
+	echo "Length requirement test failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+COUNT=`grep "Password fails quality" $TESTOUT | wc -l`
+if test $COUNT != 1 ; then
+	echo "Length requirement test failed"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit 1
+fi
+
+test $KILLSERVERS != no && kill -HUP $KILLPIDS
+
+echo ">>>>> Test succeeded"
+exit 0