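#! /bin/sh
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.

# Test of slapd's OpenLDAPaci (per-entry ACI) access control.
#
# Flow:
#   1. slapadd a database from $LDIFORDERED using the ACI config ($ACICONF),
#      start slapd and wait for it to answer a base search on $MONITOR.
#   2. With no ACIs present, confirm that an anonymous base search of the
#      suffix is reported as noSuchObject (32) and that a simple bind as a
#      regular user is rejected.
#   3. Write a set of OpenLDAPaci values as $MANAGERDN.
#   4. Confirm that the searches, binds and password changes those ACIs are
#      meant to allow now succeed, and that a user outside the granted set
#      still sees nothing.
#   5. Filter the collected search output and compare it with $ACIOUT.
#
# Environment: everything in upper case ($SLAPD, $URI1, $KILLSERVERS, ...)
# comes from scripts/defines.sh; $BACKEND and $ACI are set by the harness.
# Exit status: 0 on success or skip, otherwise the failing tool's result
# code (or 1 when a step that had to fail succeeded instead).
#
# The bind passwords below are fixed test fixtures; passing them with -w puts
# them on the command line (visible in ps), which is acceptable only because
# this is a throw-away test instance.

case "$BACKEND" in ldif | null)
	echo "$BACKEND backend does not support access controls, test skipped"
	exit 0
	;;
esac

echo "running defines.sh"
. $SRCDIR/scripts/defines.sh

if test "$ACI" = "acino" ; then
	echo "ACI not enabled, test skipped"
	exit 0
fi

mkdir -p $TESTDIR $DBDIR1

echo "Running slapadd to build slapd database..."
. $CONFFILTER $BACKEND < $ACICONF > $CONF1
$SLAPADD -f $CONF1 -l $LDIFORDERED
RC=$?
if test $RC != 0 ; then
	echo "slapadd failed ($RC)!"
	exit $RC
fi

echo "Starting slapd on TCP/IP port $PORT1..."
$SLAPD -f $CONF1 -h $URI1 -d $LVL > $LOG1 2>&1 &
PID=$!
if test $WAIT != 0 ; then
	# Pause so a debugger can be attached to the freshly started server.
	echo PID $PID
	read -r foo
fi
KILLPIDS="$PID"

sleep 1

echo "Testing slapd ACI access control..."
# Poll the monitor base until slapd answers; give up after six attempts.
for i in 0 1 2 3 4 5; do
	$LDAPSEARCH -s base -b "$MONITOR" -H $URI1 \
		'objectclass=*' > /dev/null 2>&1
	RC=$?
	if test $RC = 0 ; then
		break
	fi
	echo "Waiting 5 seconds for slapd to start..."
	sleep 5
done

if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

cat /dev/null > $SEARCHOUT
cat /dev/null > $TESTOUT

# Search must fail.
# With no ACIs granting anything, the anonymous requester has no disclose
# right on the suffix entry, so slapd reports it as absent (noSuchObject, 32)
# rather than insufficientAccess; that keeps the entry's existence hidden.
# The test pins that exact code: any other failure mode is a different bug.
BASEDN="dc=example,dc=com"
echo "Searching \"$BASEDN\" (should fail)..."
echo "# Searching \"$BASEDN\" (should fail)..." >> $SEARCHOUT
$LDAPSEARCH -s base -b "$BASEDN" -H $URI1 \
	'(objectclass=*)' >> $SEARCHOUT 2>> $TESTOUT
RC=$?
if test $RC != 32 ; then
	echo "ldapsearch should have failed with noSuchObject ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	# A successful search is a failed test, so never propagate exit 0 here.
	if test $RC = 0 ; then
		exit 1
	fi
	exit $RC
fi

# Bind must fail.
# Nothing grants auth (x) access to userPassword yet, so the simple bind is
# expected to be rejected with invalidCredentials (49). The code is pinned,
# as for the search above, so that a client-side error (bad URI, server
# gone) is not mistaken for the access denial this step is checking.
BINDDN="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"
BINDPW=bjensen
echo "Testing ldapwhoami as ${BINDDN} (should fail)..."
$LDAPWHOAMI -H $URI1 -D "$BINDDN" -w "$BINDPW"
RC=$?
if test $RC != 49 ; then
	echo "ldapwhoami should have failed with invalidCredentials ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	if test $RC = 0 ; then
		exit 1
	fi
	exit $RC
fi

# Populate ACIs.
# Each OpenLDAPaci value is '#'-separated: ordinal, scope (entry, children or
# subtree), "grant;<rights>;<attributes>" (possibly repeated), subject type
# (public, self, access-id, group/<objectClass>/<memberAttr>) and subject.
# Rights letters follow slapd.access(5): d disclose, x auth, c compare,
# s search, r read, w write.
#   dc=example,dc=com : ITD Staff members get d,c,s,r on the whole subtree;
#                       everyone may disclose the suffix entry itself.
#   ou=People         : anyone may authenticate against userPassword, users
#                       may write their own, and Bjorn Jensen may write any.
#   ou=Groups         : everyone may search the ou entry; Bjorn Jensen may
#                       read member/uniqueMember of the group entries.
echo "Writing ACIs as \"$MANAGERDN\"..."
$LDAPMODIFY -D "$MANAGERDN" -w $PASSWD -H $URI1 \
	>> $TESTOUT 2>&1 << EOMODS0
dn: dc=example,dc=com
changetype: modify
add: OpenLDAPaci
OpenLDAPaci: 0#subtree#grant;d,c,s,r;[all]#group/groupOfUniqueNames/uniqueMe
 mber#cn=ITD Staff,ou=Groups,dc=example,dc=com
OpenLDAPaci: 1#entry#grant;d;[all]#public#

dn: ou=People,dc=example,dc=com
changetype: modify
add: OpenLDAPaci
OpenLDAPaci: 0#subtree#grant;x;userPassword#public#
OpenLDAPaci: 1#subtree#grant;w;userPassword#self#
OpenLDAPaci: 2#subtree#grant;w;userPassword#access-id#cn=Bjorn Jensen,ou=Inf
 ormation Technology Division,ou=People,dc=example,dc=com

dn: ou=Groups,dc=example,dc=com
changetype: modify
add: OpenLDAPaci
OpenLDAPaci: 0#entry#grant;s;[all]#public#
OpenLDAPaci: 1#children#grant;r;member;r;uniqueMember#access-id#cn=Bjorn Jen
 sen,ou=Information Technology Division,ou=People,dc=example,dc=com
EOMODS0
RC=$?
if test $RC != 0 ; then
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

# Search must succeed with no results.
# Public now has disclose on the suffix entry, so the anonymous base search
# should return success but no attributes.
BASEDN="dc=example,dc=com"
echo "Searching \"$BASEDN\" (should succeed with no results)..."
echo "# Searching \"$BASEDN\" (should succeed with no results)..." >> $SEARCHOUT
$LDAPSEARCH -s base -b "$BASEDN" -H $URI1 \
	'(objectclass=*)' >> $SEARCHOUT 2>> $TESTOUT
RC=$?
if test $RC != 0 ; then
	### TEMPORARY (see ITS#3963)
	# NOTE: a failure here is deliberately ignored pending ITS#3963, so this
	# step does not currently enforce the disclose grant. Re-enable the
	# commented lines once that issue is resolved.
	echo "ldapsearch failed ($RC)! IGNORED..."
	###echo "ldapsearch failed ($RC)!"
	###test $KILLSERVERS != no && kill -HUP $KILLPIDS
	###exit $RC
fi

# The same bind that was rejected above must now succeed: public has auth
# access to userPassword under ou=People.
BINDDN="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"
BINDPW=bjensen
echo "Testing ldapwhoami as ${BINDDN}..."
$LDAPWHOAMI -H $URI1 -D "$BINDDN" -w "$BINDPW"
RC=$?
if test $RC != 0 ; then
	echo "ldapwhoami failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

# Search must succeed (Bjorn Jensen is expected to be in ITD Staff, which
# the subtree ACI on the suffix grants d,c,s,r to).
BINDDN="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"
BINDPW=bjorn
BASEDN="dc=example,dc=com"
echo "Searching \"$BASEDN\" as \"$BINDDN\" (should succeed)..."
echo "# Searching \"$BASEDN\" as \"$BINDDN\" (should succeed)..." >> $SEARCHOUT
$LDAPSEARCH -s base -b "$BASEDN" -H $URI1 \
	-D "$BINDDN" -w "$BINDPW" \
	'(objectClass=*)' >> $SEARCHOUT 2>> $TESTOUT
RC=$?
if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

# Passwd must succeed: Bjorn Jensen holds write on userPassword under
# ou=People via the access-id ACI.
BINDDN="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"
BINDPW=bjorn
TGT="cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc=com"
NEWPW=jdoe
echo "Setting \"$TGT\" password..."
$LDAPPASSWD -H $URI1 \
	-w "$BINDPW" -s "$NEWPW" \
	-D "$BINDDN" "$TGT" >> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
	echo "ldappasswd failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

# Re-change as self: John Doe binds with the password just set and changes
# it again, which exercises the "w;userPassword#self" grant.
echo "Changing self password..."
BINDDN="$TGT"
BINDPW=$NEWPW
TGT="cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc=com"
NEWPW=newcred
$LDAPPASSWD -H $URI1 \
	-w "$BINDPW" -s "$NEWPW" \
	-D "$BINDDN" "$TGT" >> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
	echo "ldappasswd failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

# Searching groups as John Doe (now bound with the new credential).
BINDPW=$NEWPW
BASEDN="ou=Groups,dc=example,dc=com"
echo "Searching \"$BASEDN\" as \"$BINDDN\" (should succeed)..."
echo "# Searching \"$BASEDN\" as \"$BINDDN\" (should succeed)..." >> $SEARCHOUT
$LDAPSEARCH -s one -b "$BASEDN" -H $URI1 \
	-D "$BINDDN" -w "$BINDPW" \
	'(objectClass=*)' >> $SEARCHOUT 2>> $TESTOUT
RC=$?
if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

# Search must succeed with no results: Barbara Jensen is outside the grants
# on ou=Groups, so the operation completes but returns nothing. What she
# does (not) see is checked by the final comparison against $ACIOUT.
BINDDN="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"
BINDPW=bjensen
echo "Searching \"$BASEDN\" as \"$BINDDN\" (should succeed with no results)..."
echo "# Searching \"$BASEDN\" as \"$BINDDN\" (should succeed with no results)..." >> $SEARCHOUT
$LDAPSEARCH -s one -b "$BASEDN" -H $URI1 \
	-D "$BINDDN" -w "$BINDPW" \
	'(objectClass=*)' >> $SEARCHOUT 2>> $TESTOUT
RC=$?
if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

test $KILLSERVERS != no && kill -HUP $KILLPIDS

LDIF=$ACIOUT

# Normalise both sides (ldifilter -s mdb=e) before comparing, so that
# ordering/formatting differences do not mask or fake a mismatch.
echo "Filtering ldapsearch results..."
$LDIFFILTER -s mdb=e < $SEARCHOUT > $SEARCHFLT
echo "Filtering original ldif used to create database..."
$LDIFFILTER -s mdb=e < $LDIF > $LDIFFLT
echo "Comparing filter output..."
$CMP $SEARCHFLT $LDIFFLT > $CMPOUT

if test $? != 0 ; then
	echo "comparison failed - operations did not complete correctly"
	exit 1
fi

echo ">>>>> Test succeeded"

test $KILLSERVERS != no && wait

exit 0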