mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
6d6a330057
Still needs to retrieve the entry for ACL resolution until we can restrict controls with ACLs.
846 lines
22 KiB
Bash
Executable File
846 lines
22 KiB
Bash
Executable File
#! /bin/sh
|
|
# $OpenLDAP$
|
|
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
|
|
##
|
|
## Copyright 2004-2020 The OpenLDAP Foundation.
|
|
## All rights reserved.
|
|
##
|
|
## Redistribution and use in source and binary forms, with or without
|
|
## modification, are permitted only as authorized by the OpenLDAP
|
|
## Public License.
|
|
##
|
|
## A copy of this license is available in the file LICENSE in the
|
|
## top-level directory of the distribution or, alternatively, at
|
|
## <http://www.OpenLDAP.org/license.html>.
|
|
|
|
echo "running defines.sh"
|
|
. $SRCDIR/scripts/defines.sh
|
|
|
|
if test $UNIQUE = uniqueno; then
|
|
echo "Attribute Uniqueness overlay not available, test skipped"
|
|
exit 0
|
|
fi
|
|
|
|
RCODEconstraint=19
|
|
RCODEnorelax=50
|
|
test $BACKEND = null && RCODEconstraint=0
|
|
|
|
mkdir -p $TESTDIR $DBDIR1
|
|
|
|
$SLAPPASSWD -g -n >$CONFIGPWF
|
|
echo "rootpw `$SLAPPASSWD -T $CONFIGPWF`" >$TESTDIR/configpw.conf
|
|
|
|
echo "Running slapadd to build slapd database..."
|
|
. $CONFFILTER $BACKEND $MONITORDB < $UNIQUECONF > $CONF1
|
|
$SLAPADD -f $CONF1 -l $LDIFUNIQUE
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "slapadd failed ($RC)!"
|
|
exit $RC
|
|
fi
|
|
|
|
echo "Starting slapd on TCP/IP port $PORT1..."
|
|
mkdir $TESTDIR/confdir
|
|
$SLAPD -f $CONF1 -F $TESTDIR/confdir -h $URI1 -d $LVL $TIMING > $LOG1 2>&1 &
|
|
PID=$!
|
|
if test $WAIT != 0 ; then
|
|
echo PID $PID
|
|
read foo
|
|
fi
|
|
KILLPIDS="$PID"
|
|
|
|
sleep 1
|
|
|
|
echo "Testing slapd attribute uniqueness operations..."
|
|
for i in 0 1 2 3 4 5; do
|
|
$LDAPSEARCH -s base -b "$MONITOR" -h $LOCALHOST -p $PORT1 \
|
|
'objectclass=*' > /dev/null 2>&1
|
|
RC=$?
|
|
if test $RC = 0 ; then
|
|
break
|
|
fi
|
|
echo "Waiting 5 seconds for slapd to start..."
|
|
sleep 5
|
|
done
|
|
|
|
if test $RC != 0 ; then
|
|
echo "ldapsearch failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit $RC
|
|
fi
|
|
|
|
echo "Adding a unique record..."
|
|
$LDAPADD -D "$UNIQUEDN" -h $LOCALHOST -p $PORT1 -w $PASSWD \
|
|
> /dev/null << EOTUNIQ1
|
|
dn: uid=dave,ou=users,o=unique
|
|
objectClass: inetOrgPerson
|
|
objectClass: simpleSecurityObject
|
|
uid: dave
|
|
sn: nothere
|
|
cn: dave
|
|
businessCategory: otest
|
|
carLicense: TEST
|
|
departmentNumber: 42
|
|
# NOTE: use special chars in attr value to be used
|
|
# in internal searches ITS#4212
|
|
displayName: Dave (ITS#4212)
|
|
employeeNumber: 69
|
|
employeeType: contractor
|
|
givenName: Dave
|
|
userpassword: $PASSWD
|
|
EOTUNIQ1
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "ldapadd failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit $RC
|
|
fi
|
|
|
|
echo "Adding a non-unique record..."
|
|
$LDAPADD -D "uid=dave,ou=users,o=unique" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
|
|
$TESTOUT 2>&1 << EOTUNIQ2
|
|
dn: uid=bill,ou=users,o=unique
|
|
objectClass: inetOrgPerson
|
|
uid: bill
|
|
sn: johnson
|
|
cn: bill
|
|
businessCategory: rtest
|
|
carLicense: ABC123
|
|
departmentNumber: 42
|
|
displayName: Bill
|
|
employeeNumber: 5150
|
|
employeeType: contractor
|
|
givenName: Bill
|
|
EOTUNIQ2
|
|
RC=$?
|
|
if test $RC != $RCODEconstraint ; then
|
|
echo "unique check failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit -1
|
|
fi
|
|
|
|
# ITS#6641/8057/8245
|
|
echo "Trying to bypass uniqueness as a normal user..."
|
|
$LDAPADD -e \!relax -D "uid=dave,ou=users,o=unique" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
|
|
$TESTOUT 2>&1 << EOTUNIQ2
|
|
dn: uid=bill,ou=users,o=unique
|
|
objectClass: inetOrgPerson
|
|
uid: bill
|
|
sn: johnson
|
|
cn: bill
|
|
businessCategory: rtest
|
|
carLicense: ABC123
|
|
departmentNumber: 42
|
|
displayName: Bill
|
|
employeeNumber: 5150
|
|
employeeType: contractor
|
|
givenName: Bill
|
|
EOTUNIQ2
|
|
RC=$?
|
|
if test $RC != $RCODEnorelax && test $RC != $RCODEconstraint ; then
|
|
echo "unique check failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit -1
|
|
fi
|
|
|
|
echo "Trying to bypass uniqueness as a normal user with ManageDSAIt..."
|
|
$LDAPADD -M -D "uid=dave,ou=users,o=unique" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
|
|
$TESTOUT 2>&1 << EOTUNIQ2
|
|
dn: uid=bill,ou=users,o=unique
|
|
objectClass: inetOrgPerson
|
|
uid: bill
|
|
sn: johnson
|
|
cn: bill
|
|
businessCategory: rtest
|
|
carLicense: ABC123
|
|
departmentNumber: 42
|
|
displayName: Bill
|
|
employeeNumber: 5150
|
|
employeeType: contractor
|
|
givenName: Bill
|
|
EOTUNIQ2
|
|
RC=$?
|
|
if test $RC != $RCODEconstraint ; then
|
|
echo "unique check failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit -1
|
|
fi
|
|
|
|
echo "Bypassing uniqueness as an admin user..."
|
|
$LDAPADD -e \!relax -D "$UNIQUEDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
|
|
$TESTOUT 2>&1 << EOTUNIQ2
|
|
dn: uid=bill,ou=users,o=unique
|
|
objectClass: inetOrgPerson
|
|
uid: bill
|
|
sn: johnson
|
|
cn: bill
|
|
businessCategory: rtest
|
|
carLicense: ABC123
|
|
departmentNumber: 42
|
|
displayName: Bill
|
|
employeeNumber: 5150
|
|
employeeType: contractor
|
|
givenName: Bill
|
|
EOTUNIQ2
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "spurious unique error ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit $RC
|
|
fi
|
|
|
|
echo "Cleaning up"
|
|
$LDAPDELETE -D "$UNIQUEDN" -h $LOCALHOST -p $PORT1 -w $PASSWD \
|
|
"uid=bill,ou=users,o=unique" > $TESTOUT 2>&1
|
|
RC=$?
|
|
if test $RC != 0; then
|
|
echo "ldapdelete failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit $RC
|
|
fi
|
|
|
|
echo Dynamically retrieving initial configuration...
|
|
$LDAPSEARCH -S "" -b olcOverlay='{0}'unique,olcDatabase='{1}'$BACKEND,cn=config -D cn=config -y $CONFIGPWF -h $LOCALHOST -p $PORT1 -LLL | tr -d \\r >$TESTDIR/initial-config.ldif
|
|
cat <<EOF >$TESTDIR/initial-reference.ldif
|
|
dn: olcOverlay={0}unique,olcDatabase={1}$BACKEND,cn=config
|
|
objectClass: olcOverlayConfig
|
|
objectClass: olcUniqueConfig
|
|
olcOverlay: {0}unique
|
|
olcUniqueBase: o=unique
|
|
olcUniqueAttribute: employeeNumber
|
|
olcUniqueAttribute: displayName
|
|
|
|
EOF
|
|
diff $TESTDIR/initial-config.ldif $TESTDIR/initial-reference.ldif > /dev/null 2>&1
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "Initial configuration is not reported correctly."
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit -1
|
|
fi
|
|
|
|
echo Dynamically trying to add a URI with legacy attrs present...
|
|
$LDAPMODIFY -D cn=config -h $LOCALHOST -p $PORT1 -y $CONFIGPWF \
|
|
> $TESTOUT 2>&1 <<EOF
|
|
dn: olcOverlay={0}unique,olcDatabase={1}$BACKEND,cn=config
|
|
changetype: modify
|
|
add: olcUniqueURI
|
|
olcUniqueURI: ldap:///?employeeNumber,displayName?sub
|
|
EOF
|
|
RC=$?
|
|
if test $RC != 80 ; then
|
|
echo "legacy and unique_uri allowed together"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit -1
|
|
fi
|
|
|
|
echo Dynamically trying to add legacy ignored attrs with legacy attrs present...
|
|
$LDAPMODIFY -D cn=config -h $LOCALHOST -p $PORT1 -y $CONFIGPWF \
|
|
> $TESTOUT 2>&1 <<EOF
|
|
dn: olcOverlay={0}unique,olcDatabase={1}$BACKEND,cn=config
|
|
changetype: modify
|
|
add: olcUniqueIgnore
|
|
olcUniqueIgnore: objectClass
|
|
EOF
|
|
RC=$?
|
|
if test $RC != 80 ; then
|
|
echo "legacy attrs and legacy ignore attrs allowed together"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit -1
|
|
fi
|
|
|
|
echo Verifying initial configuration intact...
|
|
$LDAPSEARCH -S "" -b olcOverlay='{0}'unique,olcDatabase='{1}'$BACKEND,cn=config -D cn=config -y $CONFIGPWF -h $LOCALHOST -p $PORT1 -LLL | tr -d \\r >$TESTDIR/initial-config-recheck.ldif
|
|
diff $TESTDIR/initial-config-recheck.ldif $TESTDIR/initial-reference.ldif > /dev/null 2>&1
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "Initial configuration damaged by unsuccessful modifies."
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit -1
|
|
fi
|
|
|
|
echo Dynamically removing legacy base...
|
|
$LDAPMODIFY -D cn=config -h $LOCALHOST -p $PORT1 -y $CONFIGPWF \
|
|
> $TESTOUT 2>&1 <<EOF
|
|
dn: olcOverlay={0}unique,olcDatabase={1}$BACKEND,cn=config
|
|
changetype: modify
|
|
delete: olcUniqueBase
|
|
EOF
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "base removal failed"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit -1
|
|
fi
|
|
|
|
echo Verifying base removal...
|
|
$LDAPSEARCH -S "" -b olcOverlay='{0}'unique,olcDatabase='{1}'$BACKEND,cn=config -D cn=config -y $CONFIGPWF -h $LOCALHOST -p $PORT1 -LLL | tr -d \\r >$TESTDIR/baseremoval-config.ldif
|
|
cat >$TESTDIR/baseremoval-reference.ldif <<EOF
|
|
dn: olcOverlay={0}unique,olcDatabase={1}$BACKEND,cn=config
|
|
objectClass: olcOverlayConfig
|
|
objectClass: olcUniqueConfig
|
|
olcOverlay: {0}unique
|
|
olcUniqueAttribute: employeeNumber
|
|
olcUniqueAttribute: displayName
|
|
|
|
EOF
|
|
diff $TESTDIR/baseremoval-config.ldif $TESTDIR/baseremoval-reference.ldif > /dev/null 2>&1
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "Configuration damaged by base removal"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit -1
|
|
fi
|
|
|
|
echo "Adding a non-unique record..."
|
|
$LDAPADD -D "uid=dave,ou=users,o=unique" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
|
|
$TESTOUT 2>&1 << EOTUNIQ2
|
|
dn: uid=bill,ou=users,o=unique
|
|
objectClass: inetOrgPerson
|
|
uid: bill
|
|
sn: johnson
|
|
cn: bill
|
|
businessCategory: rtest
|
|
carLicense: ABC123
|
|
departmentNumber: 42
|
|
displayName: Bill
|
|
employeeNumber: 5150
|
|
employeeType: contractor
|
|
givenName: Bill
|
|
EOTUNIQ2
|
|
RC=$?
|
|
if test $RC != $RCODEconstraint ; then
|
|
echo "unique check failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit -1
|
|
fi
|
|
|
|
echo Trying a legacy base outside of the backend...
|
|
$LDAPMODIFY -D cn=config -h $LOCALHOST -p $PORT1 -y $CONFIGPWF \
|
|
> $TESTOUT 2>&1 <<EOF
|
|
dn: olcOverlay={0}unique,olcDatabase={1}$BACKEND,cn=config
|
|
changetype: modify
|
|
add: olcUniqueBase
|
|
olcUniqueBase: cn=config
|
|
EOF
|
|
RC=$?
|
|
if test $RC != 80 ; then
|
|
echo "out of backend scope base allowed"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit -1
|
|
fi
|
|
|
|
echo "Adding and removing attrs..."
|
|
$LDAPMODIFY -D cn=config -h $LOCALHOST -p $PORT1 -y $CONFIGPWF \
|
|
> $TESTOUT 2>&1 <<EOF
|
|
dn: olcOverlay={0}unique,olcDatabase={1}$BACKEND,cn=config
|
|
changetype: modify
|
|
add: olcUniqueAttribute
|
|
olcUniqueAttribute: description
|
|
olcUniqueAttribute: telephoneNumber
|
|
-
|
|
delete: olcUniqueAttribute
|
|
olcUniqueAttribute: displayName
|
|
EOF
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "Unable to remove an attribute"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit -1
|
|
fi
|
|
|
|
echo "Verifying we removed the right attr..."
|
|
$LDAPADD -D "uid=dave,ou=users,o=unique" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
|
|
$TESTOUT 2>&1 << EOTUNIQ2
|
|
dn: uid=bill,ou=users,o=unique
|
|
objectClass: inetOrgPerson
|
|
uid: bill
|
|
sn: johnson
|
|
cn: bill
|
|
businessCategory: rtest
|
|
carLicense: ABC123
|
|
departmentNumber: 42
|
|
displayName: Bill
|
|
employeeNumber: 5150
|
|
employeeType: contractor
|
|
givenName: Bill
|
|
EOTUNIQ2
|
|
RC=$?
|
|
if test $RC != $RCODEconstraint ; then
|
|
echo "olcUniqueAttribute single deletion hit the wrong value"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit -1
|
|
fi
|
|
|
|
echo Removing legacy config and adding URIs...
|
|
$LDAPMODIFY -D cn=config -h $LOCALHOST -p $PORT1 -y $CONFIGPWF \
|
|
> $TESTOUT 2>&1 <<EOF
|
|
dn: olcOverlay={0}unique,olcDatabase={1}$BACKEND,cn=config
|
|
changetype: modify
|
|
delete: olcUniqueAttribute
|
|
-
|
|
add: olcUniqueURI
|
|
olcUniqueURI: ldap:///?employeeNumber,displayName?sub
|
|
olcUniqueURI: ldap:///?description?one
|
|
EOF
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "Reconfiguration to URIs failed"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit -1
|
|
fi
|
|
|
|
echo Dynamically retrieving second configuration...
|
|
$LDAPSEARCH -S "" -b olcOverlay='{0}'unique,olcDatabase='{1}'$BACKEND,cn=config -D cn=config -y $CONFIGPWF -h $LOCALHOST -p $PORT1 -LLL | tr -d \\r >$TESTDIR/second-config.ldif
|
|
cat >$TESTDIR/second-reference.ldif <<EOF
|
|
dn: olcOverlay={0}unique,olcDatabase={1}$BACKEND,cn=config
|
|
objectClass: olcOverlayConfig
|
|
objectClass: olcUniqueConfig
|
|
olcOverlay: {0}unique
|
|
olcUniqueURI: ldap:///?employeeNumber,displayName?sub
|
|
olcUniqueURI: ldap:///?description?one
|
|
|
|
EOF
|
|
diff $TESTDIR/second-config.ldif $TESTDIR/second-reference.ldif > /dev/null 2>&1
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "Second configuration is not reported correctly."
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit -1
|
|
fi
|
|
|
|
echo "Adding a non-unique record..."
|
|
$LDAPADD -D "uid=dave,ou=users,o=unique" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
|
|
$TESTOUT 2>&1 << EOTUNIQ2
|
|
dn: uid=bill,ou=users,o=unique
|
|
objectClass: inetOrgPerson
|
|
uid: bill
|
|
sn: johnson
|
|
cn: bill
|
|
businessCategory: rtest
|
|
carLicense: ABC123
|
|
departmentNumber: 42
|
|
displayName: Bill
|
|
employeeNumber: 5150
|
|
employeeType: contractor
|
|
givenName: Bill
|
|
EOTUNIQ2
|
|
RC=$?
|
|
if test $RC != $RCODEconstraint ; then
|
|
echo "unique check failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit -1
|
|
fi
|
|
|
|
echo Dynamically trying to add legacy base
|
|
$LDAPMODIFY -D cn=config -h $LOCALHOST -p $PORT1 -y $CONFIGPWF \
|
|
> $TESTOUT 2>&1 <<EOF
|
|
dn: olcOverlay={0}unique,olcDatabase={1}$BACKEND,cn=config
|
|
changetype: modify
|
|
add: olcUniqueBase
|
|
olcUniqueBase: o=unique
|
|
EOF
|
|
RC=$?
|
|
if test $RC != 80 ; then
|
|
echo "legacy base allowed with URIs"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit -1
|
|
fi
|
|
|
|
echo Dynamically trying to add legacy attrs
|
|
$LDAPMODIFY -D cn=config -h $LOCALHOST -p $PORT1 -y $CONFIGPWF \
|
|
> $TESTOUT 2>&1 <<EOF
|
|
dn: olcOverlay={0}unique,olcDatabase={1}$BACKEND,cn=config
|
|
changetype: modify
|
|
add: olcUniqueAttribute
|
|
olcUniqueAttribute: description
|
|
EOF
|
|
RC=$?
|
|
if test $RC != 80 ; then
|
|
echo "legacy attributes allowed with URIs"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit -1
|
|
fi
|
|
|
|
echo Dynamically trying to add legacy strictness
|
|
$LDAPMODIFY -D cn=config -h $LOCALHOST -p $PORT1 -y $CONFIGPWF \
|
|
> $TESTOUT 2>&1 <<EOF
|
|
dn: olcOverlay={0}unique,olcDatabase={1}$BACKEND,cn=config
|
|
changetype: modify
|
|
add: olcUniqueStrict
|
|
olcUniqueStrict: TRUE
|
|
EOF
|
|
RC=$?
|
|
if test $RC != 80 ; then
|
|
echo "legacy strictness allowed with URIs"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit -1
|
|
fi
|
|
|
|
#echo ----------------------
|
|
echo Dynamically trying a bad filter...
|
|
$LDAPMODIFY -D cn=config -h $LOCALHOST -p $PORT1 -y $CONFIGPWF \
|
|
> $TESTOUT 2>&1 <<EOF
|
|
dn: olcOverlay={0}unique,olcDatabase={1}$BACKEND,cn=config
|
|
changetype: modify
|
|
replace: olcUniqueURI
|
|
olcUniqueURI: ldap:///?sn?sub?((cn=e*))
|
|
EOF
|
|
RC=$?
|
|
if test $RC != 80 ; then
|
|
echo "bad filter allowed"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit -1
|
|
fi
|
|
|
|
echo Verifying second configuration intact...
|
|
$LDAPSEARCH -S "" -b olcOverlay='{0}'unique,olcDatabase='{1}'$BACKEND,cn=config -D cn=config -y $CONFIGPWF -h $LOCALHOST -p $PORT1 -LLL | tr -d \\r >$TESTDIR/second-config-recheck.ldif
|
|
diff $TESTDIR/second-config-recheck.ldif $TESTDIR/second-reference.ldif > /dev/null 2>&1
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "Second configuration damaged by rejected modifies."
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit -1
|
|
fi
|
|
|
|
#echo ----------------------
|
|
echo Dynamically reconfiguring to use different URIs...
|
|
$LDAPMODIFY -D cn=config -h $LOCALHOST -p $PORT1 -y $CONFIGPWF \
|
|
> $TESTOUT 2>&1 <<EOF
|
|
dn: olcOverlay={0}unique,olcDatabase={1}$BACKEND,cn=config
|
|
changetype: modify
|
|
add: olcUniqueURI
|
|
olcUniqueURI: ldap:///?sn?sub?(cn=e*)
|
|
olcUniqueURI: ldap:///?uid?sub?(cn=edgar)
|
|
-
|
|
delete: olcUniqueURI
|
|
olcUniqueURI: ldap:///?description?one
|
|
EOF
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "unable to reconfigure"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit -1
|
|
fi
|
|
|
|
echo Dynamically retrieving third configuration...
|
|
$LDAPSEARCH -S "" -b olcOverlay='{0}'unique,olcDatabase='{1}'$BACKEND,cn=config -D cn=config -y $CONFIGPWF -h $LOCALHOST -p $PORT1 -LLL | tr -d \\r >$TESTDIR/third-config.ldif
|
|
cat >$TESTDIR/third-reference.ldif <<EOF
|
|
dn: olcOverlay={0}unique,olcDatabase={1}$BACKEND,cn=config
|
|
objectClass: olcOverlayConfig
|
|
objectClass: olcUniqueConfig
|
|
olcOverlay: {0}unique
|
|
olcUniqueURI: ldap:///?employeeNumber,displayName?sub
|
|
olcUniqueURI: ldap:///?sn?sub?(cn=e*)
|
|
olcUniqueURI: ldap:///?uid?sub?(cn=edgar)
|
|
|
|
EOF
|
|
diff $TESTDIR/third-config.ldif $TESTDIR/third-reference.ldif > /dev/null 2>&1
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "Third configuration is not reported correctly."
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit -1
|
|
fi
|
|
|
|
echo "Adding a record unique in both domains if filtered..."
|
|
|
|
$LDAPADD -D "$UNIQUEDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
|
|
$TESTOUT 2>&1 << EOF
|
|
dn: uid=edgar,ou=users,o=unique
|
|
objectClass: inetOrgPerson
|
|
uid: edgar
|
|
sn: johnson
|
|
cn: edgar
|
|
EOF
|
|
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "unique check failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit -1
|
|
fi
|
|
|
|
echo "Adding a record unique in all domains because of filter conditions "
|
|
$LDAPADD -D "$UNIQUEDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
|
|
$TESTOUT 2>&1 << EOF
|
|
dn: uid=empty,ou=users,o=unique
|
|
objectClass: inetOrgPerson
|
|
uid: edgar
|
|
cn: empty
|
|
sn: empty
|
|
EOF
|
|
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "spurious unique error ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit -1
|
|
fi
|
|
|
|
echo "Sending an empty modification"
|
|
|
|
$LDAPMODIFY -D "$UNIQUEDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
|
|
$TESTOUT 2>&1 << EOF
|
|
dn: uid=empty,ou=users,o=unique
|
|
changetype: modify
|
|
EOF
|
|
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "spurious unique error ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit -1
|
|
fi
|
|
|
|
echo "Making a record non-unique"
|
|
$LDAPMODIFY -D "uid=dave,ou=users,o=unique" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
|
|
$TESTOUT 2>&1 << EOF
|
|
dn: uid=empty,ou=users,o=unique
|
|
changetype: modify
|
|
replace: sn
|
|
sn: johnson
|
|
EOF
|
|
|
|
RC=$?
|
|
if test $RC != $RCODEconstraint ; then
|
|
echo "unique check failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit -1
|
|
fi
|
|
|
|
# ITS#6641/8057/8245
|
|
echo "Trying to bypass uniqueness as a normal user..."
|
|
$LDAPMODIFY -e \!relax -D "uid=dave,ou=users,o=unique" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
|
|
$TESTOUT 2>&1 << EOF
|
|
dn: uid=empty,ou=users,o=unique
|
|
changetype: modify
|
|
replace: sn
|
|
sn: johnson
|
|
EOF
|
|
|
|
RC=$?
|
|
if test $RC != $RCODEnorelax && test $RC != $RCODEconstraint ; then
|
|
echo "unique check failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit -1
|
|
fi
|
|
|
|
echo "Trying to bypass uniqueness as a normal user with ManageDSAIt..."
|
|
$LDAPMODIFY -M -D "uid=dave,ou=users,o=unique" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
|
|
$TESTOUT 2>&1 << EOF
|
|
dn: uid=empty,ou=users,o=unique
|
|
changetype: modify
|
|
replace: sn
|
|
sn: johnson
|
|
EOF
|
|
|
|
RC=$?
|
|
if test $RC != $RCODEconstraint ; then
|
|
echo "unique check failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit -1
|
|
fi
|
|
|
|
echo "Bypassing uniqueness as an admin user..."
|
|
$LDAPMODIFY -e \!relax -D "$UNIQUEDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
|
|
$TESTOUT 2>&1 << EOF
|
|
dn: uid=empty,ou=users,o=unique
|
|
changetype: modify
|
|
replace: sn
|
|
sn: johnson
|
|
EOF
|
|
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "spurious unique error ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit $RC
|
|
fi
|
|
|
|
echo "Cleaning up"
|
|
$LDAPMODIFY -D "$UNIQUEDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
|
|
$TESTOUT 2>&1 << EOF
|
|
dn: uid=empty,ou=users,o=unique
|
|
changetype: modify
|
|
replace: sn
|
|
sn: empty
|
|
EOF
|
|
|
|
RC=$?
|
|
if test $RC != 0; then
|
|
echo "ldapmodify failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit $RC
|
|
fi
|
|
|
|
echo "Adding another unique record..."
|
|
$LDAPADD -D "$UNIQUEDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
|
|
$TESTOUT 2>&1 << EOF
|
|
dn: uid=not edgar,uid=edgar,ou=users,o=unique
|
|
objectClass: inetOrgPerson
|
|
uid: not edgar
|
|
sn: Alan
|
|
cn: not edgar
|
|
EOF
|
|
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "unique check failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit -1
|
|
fi
|
|
|
|
echo "Making the record non-unique with modrdn..."
|
|
$LDAPMODRDN -D "uid=dave,ou=users,o=unique" -h $LOCALHOST -p $PORT1 -w $PASSWD \
|
|
"uid=not edgar,uid=edgar,ou=users,o=unique" "uid=edgar" > $TESTOUT 2>&1
|
|
|
|
RC=$?
|
|
if test $RC != $RCODEconstraint ; then
|
|
echo "unique check failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit -1
|
|
fi
|
|
|
|
# ITS#6641/8057/8245
|
|
echo "Trying to bypass uniqueness as a normal user..."
|
|
$LDAPMODRDN -e \!relax -D "uid=dave,ou=users,o=unique" -h $LOCALHOST -p $PORT1 -w $PASSWD \
|
|
"uid=not edgar,uid=edgar,ou=users,o=unique" "uid=edgar" > $TESTOUT 2>&1
|
|
|
|
RC=$?
|
|
if test $RC != $RCODEnorelax && test $RC != $RCODEconstraint ; then
|
|
echo "unique check failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit -1
|
|
fi
|
|
|
|
echo "Trying to bypass uniqueness as a normal user with a ManageDSAIt control..."
|
|
$LDAPMODRDN -M -D "uid=dave,ou=users,o=unique" -h $LOCALHOST -p $PORT1 -w $PASSWD \
|
|
"uid=not edgar,uid=edgar,ou=users,o=unique" "uid=edgar" > $TESTOUT 2>&1
|
|
|
|
RC=$?
|
|
if test $RC != $RCODEconstraint ; then
|
|
echo "unique check failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit -1
|
|
fi
|
|
|
|
echo "Bypassing uniqueness as an admin user..."
|
|
$LDAPMODRDN -e \!relax -D "$UNIQUEDN" -h $LOCALHOST -p $PORT1 -w $PASSWD \
|
|
"uid=not edgar,uid=edgar,ou=users,o=unique" "uid=edgar" > $TESTOUT 2>&1
|
|
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "spurious unique error ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit $RC
|
|
fi
|
|
|
|
echo "Cleaning up"
|
|
$LDAPDELETE -D "$UNIQUEDN" -h $LOCALHOST -p $PORT1 -w $PASSWD \
|
|
"uid=edgar,uid=edgar,ou=users,o=unique" > $TESTOUT 2>&1
|
|
RC=$?
|
|
if test $RC != 0; then
|
|
echo "ldapdelete failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit $RC
|
|
fi
|
|
|
|
echo "Adding a record unique in one domain, non-unique in the filtered domain..."
|
|
|
|
$LDAPADD -D "uid=dave,ou=users,o=unique" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
|
|
$TESTOUT 2>&1 << EOF
|
|
dn: uid=elvis,ou=users,o=unique
|
|
objectClass: inetOrgPerson
|
|
uid: elvis
|
|
sn: johnson
|
|
cn: elvis
|
|
EOF
|
|
|
|
RC=$?
|
|
if test $RC != $RCODEconstraint ; then
|
|
echo "unique check failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit -1
|
|
fi
|
|
|
|
#echo ----------------------
|
|
echo Dynamically reconfiguring to use attribute-ignore URIs...
|
|
$LDAPMODIFY -D cn=config -h $LOCALHOST -p $PORT1 -y $CONFIGPWF \
|
|
> $TESTOUT 2>&1 <<EOF
|
|
dn: olcOverlay={0}unique,olcDatabase={1}$BACKEND,cn=config
|
|
changetype: modify
|
|
replace: olcUniqueURI
|
|
olcUniqueURI: ignore ldap:///?objectClass,uid,cn,sn?sub
|
|
EOF
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "unable to reconfigure"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit -1
|
|
fi
|
|
|
|
echo Dynamically retrieving fourth configuration...
|
|
$LDAPSEARCH -S "" -b olcOverlay='{0}'unique,olcDatabase='{1}'$BACKEND,cn=config -D cn=config -y $CONFIGPWF -h $LOCALHOST -p $PORT1 -LLL | tr -d \\r >$TESTDIR/fourth-config.ldif
|
|
cat >$TESTDIR/fourth-reference.ldif <<EOF
|
|
dn: olcOverlay={0}unique,olcDatabase={1}$BACKEND,cn=config
|
|
objectClass: olcOverlayConfig
|
|
objectClass: olcUniqueConfig
|
|
olcOverlay: {0}unique
|
|
olcUniqueURI: ignore ldap:///?objectClass,uid,cn,sn?sub
|
|
|
|
EOF
|
|
diff $TESTDIR/fourth-config.ldif $TESTDIR/fourth-reference.ldif > /dev/null 2>&1
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "Fourth configuration is not reported correctly."
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit -1
|
|
fi
|
|
|
|
echo "Adding a record unique in the ignore-domain..."
|
|
|
|
$LDAPADD -D "$UNIQUEDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
|
|
$TESTOUT 2>&1 << EOF
|
|
dn: uid=elvis,ou=users,o=unique
|
|
objectClass: inetOrgPerson
|
|
uid: elvis
|
|
sn: johnson
|
|
cn: elvis
|
|
description: left the building
|
|
EOF
|
|
|
|
RC=$?
|
|
if test $RC != 0 ; then
|
|
echo "unique check failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit -1
|
|
fi
|
|
|
|
echo "Adding a record non-unique in the ignore-domain..."
|
|
|
|
$LDAPADD -D "uid=dave,ou=users,o=unique" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
|
|
$TESTOUT 2>&1 << EOF
|
|
dn: uid=harry,ou=users,o=unique
|
|
objectClass: inetOrgPerson
|
|
uid: harry
|
|
sn: johnson
|
|
cn: harry
|
|
description: left the building
|
|
EOF
|
|
|
|
RC=$?
|
|
if test $RC != $RCODEconstraint ; then
|
|
echo "unique check failed ($RC)!"
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
exit -1
|
|
fi
|
|
|
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
|
|
|
echo ">>>>> Test succeeded"
|
|
|
|
test $KILLSERVERS != no && wait
|
|
|
|
exit 0
|