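#! /bin/sh
# $OpenLDAP: pkg/ldap/tests/scripts/test041-aci,v 1.9.2.4 2008/02/11 23:26:51 kurt Exp $
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2008 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.

# test041-aci: regression test for slapd access control driven by
# OpenLDAPaci attribute values stored in the directory itself.
# Outline: build a database, start slapd, confirm that an anonymous
# search and a bind are refused before any ACI exists, write ACIs as
# the manager, then re-run searches, binds and password changes and
# compare the collected search output against a reference file.

# Backend gate: bdb and hdb fall through to the test proper; any other
# backend reports that it is unsupported and exits 0 (skip, not fail).
case "$BACKEND" in
bdb|hdb)
	;;
*)
	echo "Test does not support $BACKEND backend"
	exit 0
	;;
esac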
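# Pull in the shared test environment. Every upper-case variable used
# below that is not assigned in this script is expected to come from
# defines.sh or from the caller's environment.
echo "running defines.sh"
. $SRCDIR/scripts/defines.sh

# $ACI = "acino" marks a build without ACI support: skip with status 0.
if test "$ACI" = "acino" ; then
	echo "ACI not enabled, test skipped"
	exit 0
fi

# Working directories for test output and the first database instance.
mkdir -p $TESTDIR $DBDIR1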
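# Generate the slapd configuration from the ACI template and load the
# ordered LDIF into the database offline, before the server starts.
# Tool variables such as $SLAPADD are left unquoted on purpose: they
# presumably expand to a command plus arguments (set outside this file).
echo "Running slapadd to build slapd database..."
. $CONFFILTER $BACKEND $MONITORDB < $ACICONF > $CONF1
$SLAPADD -f $CONF1 -l $LDIFORDERED
RC=$?
if test $RC != 0 ; then
	# Nothing has been started yet, so there is no server to stop here.
	echo "slapadd failed ($RC)!"
	exit $RC
fi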
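# Launch slapd in the background with its output captured in $LOG1 and
# remember its PID so every failure path below can shut it down.
echo "Starting slapd on TCP/IP port $PORT1..."
$SLAPD -f $CONF1 -h $URI1 -d $LVL $TIMING > $LOG1 2>&1 &
PID=$!
if test $WAIT != 0 ; then
	# Interactive pause: print the PID and block until a line is read
	# from stdin (for example to attach a debugger first).
	echo PID $PID
	read foo
fi
KILLPIDS="$PID"

sleep 1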
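# Readiness probe: poll the monitor base with a base-scope search until
# it succeeds, for at most six attempts with a 5 second pause after
# each failed one.
echo "Testing slapd ACI access control..."
for i in 0 1 2 3 4 5; do
	$LDAPSEARCH -s base -b "$MONITOR" -h $LOCALHOST -p $PORT1 \
		'objectclass=*' > /dev/null 2>&1
	RC=$?
	if test $RC = 0 ; then
		break
	fi
	echo "Waiting 5 seconds for slapd to start..."
	sleep 5
done

# RC still holds the status of the last probe; non-zero means slapd
# never answered, so stop it (unless KILLSERVERS=no) and give up.
if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi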
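# Start from empty result files: $SEARCHOUT collects search results
# for the final comparison, $TESTOUT collects tool diagnostics.
cat /dev/null > $SEARCHOUT
cat /dev/null > $TESTOUT

# Search must fail
# No ACI has been written yet, so an anonymous base search of the
# suffix has to be refused. The only accepted outcome is result code
# 32 (noSuchObject); any other status, including success, fails the
# test. A success here would mean data is readable without any grant.
BASEDN="dc=example,dc=com"
echo "Searching \"$BASEDN\" (should fail)..."
echo "# Searching \"$BASEDN\" (should fail)..." >> $SEARCHOUT
$LDAPSEARCH -s base -b "$BASEDN" -h $LOCALHOST -p $PORT1 \
	'(objectclass=*)' >> $SEARCHOUT 2>> $TESTOUT
RC=$?
if test $RC != 32 ; then
	echo "ldapsearch should have failed with noSuchObject ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	if test $RC = 0 ; then
		# An unexpected success must still produce a failing status.
		# Use 1 rather than -1: a negative operand to exit is not
		# valid in POSIX sh and some /bin/sh implementations reject it.
		exit 1
	fi
	exit $RC
fi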
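# Bind must fail
# Negative check before any ACI exists: a simple bind with this user's
# fixture password has to be rejected. The ACI that grants "x" on
# userPassword to public is only added in the next step.
# The password is a throwaway test fixture; passing it with -w exposes
# it in the process list, which is acceptable only for such fixtures.
BINDDN="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"
BINDPW=bjensen
echo "Testing ldapwhoami as ${BINDDN} (should fail)..."
$LDAPWHOAMI -h $LOCALHOST -p $PORT1 -D "$BINDDN" -w "$BINDPW"
RC=$?
if test $RC = 0 ; then
	echo "ldapwhoami should have failed!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	# 1 rather than -1: a negative operand to exit is not valid in
	# POSIX sh and some /bin/sh implementations reject it.
	exit 1
fi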
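# Populate ACIs
# Bound as the manager, add OpenLDAPaci values to three entries. Each
# value has '#'-separated fields; as written below they read as
# index # scope # action;rights;attributes # subject type # subject.
#   dc=example,dc=com
#     0: subtree, grant d,c,s,r on [all] to members (uniqueMember) of
#        the groupOfUniqueNames "cn=ITD Staff,ou=Groups,..."
#     1: entry, grant d on [all] to public
#   ou=People,dc=example,dc=com
#     0: subtree, grant x on userPassword to public
#     1: subtree, grant w on userPassword to self
#     2: subtree, grant w on userPassword to the DN of Bjorn Jensen
#   ou=Groups,dc=example,dc=com
#     0: entry, grant s on [all] to public
#     1: children, grant r on member and r on uniqueMember to the DN
#        of Bjorn Jensen
# NOTE(review): the right letters presumably follow slapd's usual
# access letters (d disclose, c compare, s search, r read, w write,
# x auth) -- confirm against the ACI documentation.
#
# The here-document is LDIF, so its layout is significant: a line that
# starts with a single space continues the previous line, and an empty
# line ends one modify record and starts the next.
echo "Writing ACIs as \"$MANAGERDN\"..."
$LDAPMODIFY -D "$MANAGERDN" -w "$PASSWD" -h $LOCALHOST -p $PORT1 \
	>> $TESTOUT 2>&1 << EOMODS0
dn: dc=example,dc=com
changetype: modify
add: OpenLDAPaci
OpenLDAPaci: 0#subtree#grant;d,c,s,r;[all]#group/groupOfUniqueNames/uniqueMe
 mber#cn=ITD Staff,ou=Groups,dc=example,dc=com
OpenLDAPaci: 1#entry#grant;d;[all]#public#

dn: ou=People,dc=example,dc=com
changetype: modify
add: OpenLDAPaci
OpenLDAPaci: 0#subtree#grant;x;userPassword#public#
OpenLDAPaci: 1#subtree#grant;w;userPassword#self#
OpenLDAPaci: 2#subtree#grant;w;userPassword#access-id#cn=Bjorn Jensen,ou=Inf
 ormation Technology Division,ou=People,dc=example,dc=com

dn: ou=Groups,dc=example,dc=com
changetype: modify
add: OpenLDAPaci
OpenLDAPaci: 0#entry#grant;s;[all]#public#
OpenLDAPaci: 1#children#grant;r;member;r;uniqueMember#access-id#cn=Bjorn Jen
 sen,ou=Information Technology Division,ou=People,dc=example,dc=com
EOMODS0
RC=$?
if test $RC != 0 ; then
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi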
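# Search must succeed with no results
# Same anonymous base search as before the ACIs were written; it is
# now expected to return success while yielding no entry.
BASEDN="dc=example,dc=com"
echo "Searching \"$BASEDN\" (should succeed with no results)..."
echo "# Searching \"$BASEDN\" (should succeed with no results)..." >> $SEARCHOUT
$LDAPSEARCH -s base -b "$BASEDN" -h $LOCALHOST -p $PORT1 \
	'(objectclass=*)' >> $SEARCHOUT 2>> $TESTOUT
RC=$?
if test $RC != 0 ; then
	### TEMPORARY (see ITS#3963)
	# NOTE(review): a non-zero status is only reported here, never
	# enforced, so this step cannot fail the test on its own. Any
	# regression in this anonymous-access case is caught, if at all,
	# by the final comparison of $SEARCHOUT. Re-enable the three
	# commented lines once the referenced ITS is resolved.
	echo "ldapsearch failed ($RC)! IGNORED..."
	###echo "ldapsearch failed ($RC)!"
	###test $KILLSERVERS != no && kill -HUP $KILLPIDS
	###exit $RC
fi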
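# Bind must now succeed
# Positive counterpart of the earlier refused bind: same DN and
# fixture password, repeated after the ACIs (including the grant of
# "x" on userPassword to public under ou=People) have been written.
BINDDN="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"
BINDPW=bjensen
echo "Testing ldapwhoami as ${BINDDN}..."
$LDAPWHOAMI -h $LOCALHOST -p $PORT1 -D "$BINDDN" -w "$BINDPW"
RC=$?
if test $RC != 0 ; then
	echo "ldapwhoami failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi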
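# Search must succeed
# Authenticated base search of the suffix as Bjorn Jensen. Results go
# to $SEARCHOUT, so what this identity is actually allowed to see is
# checked by the final comparison, not by the exit status alone.
BINDDN="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"
BINDPW=bjorn
BASEDN="dc=example,dc=com"
echo "Searching \"$BASEDN\" as \"$BINDDN\" (should succeed)..."
echo "# Searching \"$BASEDN\" as \"$BINDDN\" (should succeed)..." >> $SEARCHOUT
$LDAPSEARCH -s base -b "$BASEDN" -h $LOCALHOST -p $PORT1 \
	-D "$BINDDN" -w "$BINDPW" \
	'(objectClass=*)' >> $SEARCHOUT 2>> $TESTOUT
RC=$?
if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi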
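# Passwd must succeed
# Bjorn Jensen sets another user's password. This exercises the ACI on
# ou=People that grants w on userPassword to Bjorn's DN (access-id).
# Only the tool's exit status is checked; its output goes to $TESTOUT.
BINDDN="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"
BINDPW=bjorn
TGT="cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc=com"
NEWPW=jdoe
echo "Setting \"$TGT\" password..."
$LDAPPASSWD -h $LOCALHOST -p $PORT1 \
	-w "$BINDPW" -s "$NEWPW" \
	-D "$BINDDN" "$TGT" >> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
	echo "ldappasswd failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi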
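# Re-change as self...
# John Doe binds with the password that was just set for him and
# replaces it himself. A success shows both that the previous change
# took effect and that the "self" write grant on userPassword applies.
echo "Changing self password..."
BINDDN="$TGT"
BINDPW=$NEWPW
TGT="cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc=com"
NEWPW=newcred
$LDAPPASSWD -h $LOCALHOST -p $PORT1 \
	-w "$BINDPW" -s "$NEWPW" \
	-D "$BINDDN" "$TGT" >> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
	echo "ldappasswd failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi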
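# Searching groups
# BINDDN is not reassigned here, so it is still the value set in the
# self password change step ($TGT at that point); BINDPW takes the
# password chosen there. One-level search below ou=Groups.
BINDPW=$NEWPW
BASEDN="ou=Groups,dc=example,dc=com"
echo "Searching \"$BASEDN\" as \"$BINDDN\" (should succeed)..."
echo "# Searching \"$BASEDN\" as \"$BINDDN\" (should succeed)..." >> $SEARCHOUT
$LDAPSEARCH -s one -b "$BASEDN" -h $LOCALHOST -p $PORT1 \
	-D "$BINDDN" -w "$BINDPW" \
	'(objectClass=*)' >> $SEARCHOUT 2>> $TESTOUT
RC=$?
if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi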
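# Search must succeed with no results
# The same one-level search as Barbara Jensen; BASEDN is not reassigned
# and still holds the value from the previous step. The operation
# itself has to return success. That no entry is returned is not
# checked here: it only shows up in the final comparison of
# $SEARCHOUT against the reference output.
BINDDN="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"
BINDPW=bjensen
echo "Searching \"$BASEDN\" as \"$BINDDN\" (should succeed with no results)..."
echo "# Searching \"$BASEDN\" as \"$BINDDN\" (should succeed with no results)..." >> $SEARCHOUT
$LDAPSEARCH -s one -b "$BASEDN" -h $LOCALHOST -p $PORT1 \
	-D "$BINDDN" -w "$BINDPW" \
	'(objectClass=*)' >> $SEARCHOUT 2>> $TESTOUT
RC=$?
if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi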
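# All operations are done: stop slapd unless KILLSERVERS=no.
test $KILLSERVERS != no && kill -HUP $KILLPIDS

# Reference file to compare against: the expected search output.
LDIF=$ACIOUT

# Run the collected results and the reference through the same filter,
# then compare them. This is the step that verifies WHAT each identity
# was able to read; the earlier checks only looked at exit statuses.
echo "Filtering ldapsearch results..."
. $LDIFFILTER < $SEARCHOUT > $SEARCHFLT
echo "Filtering original ldif used to create database..."
. $LDIFFILTER < $LDIF > $LDIFFLT
echo "Comparing filter output..."
$CMP $SEARCHFLT $LDIFFLT > $CMPOUT

# $? is the status of the comparison command directly above.
if test $? != 0 ; then
	echo "comparison failed - operations did not complete correctly"
	exit 1
fi

echo ">>>>> Test succeeded"

# Reap the background slapd before exiting, if it was told to stop.
test $KILLSERVERS != no && wait

exit 0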