#! /bin/sh # $OpenLDAP$ ## This work is part of OpenLDAP Software . ## ## Copyright 1998-2004 The OpenLDAP Foundation. ## All rights reserved. ## ## Redistribution and use in source and binary forms, with or without ## modification, are permitted only as authorized by the OpenLDAP ## Public License. ## ## A copy of this license is available in the file LICENSE in the ## top-level directory of the distribution or, alternatively, at ## . echo "running defines.sh" . $SRCDIR/scripts/defines.sh if test $PPOLICY = ppolicyno; then echo "Password policy overlay not available, test skipped" exit 0 fi mkdir -p $TESTDIR $DBDIR1 echo "Starting slapd on TCP/IP port $PORT1..." . $CONFFILTER $BACKEND $MONITORDB < $PPOLICYCONF > $CONF1 $SLAPD -f $CONF1 -h $URI1 -d $LVL $TIMING > $LOG1 2>&1 & PID=$! if test $WAIT != 0 ; then echo PID $PID read foo fi KILLPIDS="$PID" USER="uid=nd, ou=People, dc=example, dc=com" PASS=testpassword echo "Using ldapsearch to check that slapd is running..." for i in 0 1 2 3 4 5; do $LDAPSEARCH -s base -b "$MONITOR" -h $LOCALHOST -p $PORT1 \ 'objectclass=*' > /dev/null 2>&1 RC=$? if test $RC = 0 ; then break fi echo "Waiting 5 seconds for slapd to start..." sleep 5 done if test $RC != 0 ; then echo "ldapsearch failed $(RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi echo "Using ldapadd to populate the database..." $LDAPADD -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD < \ $LDIFPPOLICY > $TESTOUT 2>&1 RC=$? if test $RC != 0 ; then echo "ldapadd failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi echo "Testing account lockout..." $LDAPSEARCH -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >$SEARCHOUT 2>&1 sleep 2 $LDAPSEARCH -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >>$SEARCHOUT 2>&1 sleep 2 $LDAPSEARCH -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >>$SEARCHOUT 2>&1 sleep 2 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >> $SEARCHOUT 2>&1 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS >> $SEARCHOUT 2>&1 COUNT=`grep "Account locked" $SEARCHOUT | wc -l` if test $COUNT != 2 ; then echo "Account lockout test failed" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit 1 fi echo "Waiting 30 seconds for lockout to reset..." sleep 30 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \ -b "$BASEDN" -s base >> $SEARCHOUT 2>&1 RC=$? if test $RC != 0 ; then echo "ldapsearch failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi echo "Testing password expiration..." $LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \ $TESTOUT 2>&1 << EOMODS dn: uid=nd, dc=example, dc=com changetype: modify replace: pwdChangedTime pwdChangedTime: 20031231000001Z EOMODS $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS > $SEARCHOUT 2>&1 sleep 2 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS >> $SEARCHOUT 2>&1 sleep 2 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS >> $SEARCHOUT 2>&1 sleep 2 $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS >> $SEARCHOUT 2>&1 RC=$? if test $RC = 0 ; then echo "Password expiration failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi COUNT=`grep "grace logins" $SEARCHOUT | wc -l` if test $COUNT != 3 ; then echo "Password expiration test failed" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit 1 fi echo "Resetting password to clear expired status" $LDAPPASSWD -h $LOCALHOST -p $PORT1 \ -w secret -s $PASS \ -D "$MANAGERDN" "$USER" >> $TESTOUT 2>&1 RC=$? if test $RC != 0 ; then echo "ldappasswd failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi echo "Filling password history..." $LDAPMODIFY -v -D "$USER" -h $LOCALHOST -p $PORT1 -w $PASS > \ $TESTOUT 2>&1 << EOMODS dn: uid=nd, ou=People, dc=example, dc=com changetype: modify delete: userpassword userpassword: testpassword - replace: userpassword userpassword: 20urgle12-1 dn: uid=nd, ou=People, dc=example, dc=com changetype: modify delete: userpassword userpassword: 20urgle12-1 - replace: userpassword userpassword: 20urgle12-2 dn: uid=nd, ou=People, dc=example, dc=com changetype: modify delete: userpassword userpassword: 20urgle12-2 - replace: userpassword userpassword: 20urgle12-3 dn: uid=nd, ou=People, dc=example, dc=com changetype: modify delete: userpassword userpassword: 20urgle12-3 - replace: userpassword userpassword: 20urgle12-4 dn: uid=nd, ou=People, dc=example, dc=com changetype: modify delete: userpassword userpassword: 20urgle12-4 - replace: userpassword userpassword: 20urgle12-5 dn: uid=nd, ou=People, dc=example, dc=com changetype: modify delete: userpassword userpassword: 20urgle12-5 - replace: userpassword userpassword: 20urgle12-6 EOMODS RC=$? if test $RC != 0 ; then echo "ldapmodify failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi echo "Testing password history..." $LDAPMODIFY -v -D "$USER" -h $LOCALHOST -p $PORT1 -w 20urgle12-6 > \ $TESTOUT 2>&1 << EOMODS dn: uid=nd, ou=People, dc=example, dc=com changetype: modify delete: userPassword userPassword: 20urgle12-6 - replace: userPassword userPassword: 20urgle12-2 EOMODS RC=$? if test $RC = 0 ; then echo "ldapmodify failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi echo "Testing forced reset..." $LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \ $TESTOUT 2>&1 << EOMODS dn: uid=nd, ou=People, dc=example, dc=com changetype: modify replace: userPassword userPassword: testpassword - replace: pwdReset pwdReset: TRUE EOMODS RC=$? if test $RC != 0 ; then echo "ldapmodify failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \ -b "$BASEDN" -s base > $SEARCHOUT 2>&1 RC=$? if test $RC = 0 ; then echo "Forced reset failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi COUNT=`grep "Operations are restricted" $SEARCHOUT | wc -l` if test $COUNT != 1 ; then echo "Forced reset test failed" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit 1 fi echo "Clearing forced reset..." $LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \ $TESTOUT 2>&1 << EOMODS dn: uid=nd, ou=People, dc=example, dc=com changetype: modify delete: pwdReset EOMODS RC=$? if test $RC != 0 ; then echo "ldapmodify failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi $LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \ -b "$BASEDN" -s base > $SEARCHOUT 2>&1 RC=$? if test $RC != 0 ; then echo "Clearing forced reset failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi echo "Testing Safe modify..." $LDAPPASSWD -h $LOCALHOST -p $PORT1 \ -w $PASS -s failexpect \ -D "$USER" > $TESTOUT 2>&1 RC=$? if test $RC = 0 ; then echo "Safe modify test 1 failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi sleep 2 $LDAPPASSWD -h $LOCALHOST -p $PORT1 \ -w $PASS -s failexpect -a $PASS \ -D "$USER" > $TESTOUT 2>&1 RC=$? if test $RC != 0 ; then echo "Safe modify test 2 failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi echo "Testing length requirement..." $LDAPPASSWD -h $LOCALHOST -p $PORT1 \ -w failexpect -a failexpect -s spw \ -D "$USER" > $TESTOUT 2>&1 RC=$? if test $RC = 0 ; then echo "Length requirement test failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi COUNT=`grep "Password fails quality" $TESTOUT | wc -l` if test $COUNT != 1 ; then echo "Length requirement test failed" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit 1 fi test $KILLSERVERS != no && kill -HUP $KILLPIDS echo ">>>>> Test succeeded" exit 0