starlingx
/
integ
Code Issues Proposed changes

Add debian package for openldap 

Ported all patches from CentOS.
Ported patch rootdn-should-not-bypass-ppolicy.patch + deleted unit test for it.

meta_data patches were not needed as they were only modifying the rpm spec.

Disabled unit tests part of debian build.
Ran the unit tests once before disabling and they pass.

Story: 2009221
Task: 43407
Signed-off-by: Yue Tao <yue.tao@windriver.com>
Change-Id: Ia0b640c5cd2594daae5722b1c9743a3a800485ab
This commit is contained in:
Yue Tao 2021-09-23 09:29:25 +08:00
parent 229a6b32af
commit 2821680c8b
5 changed files with 750 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
ldap/openldap/debian/deb_patches/debian-disable-unit-tests.patch Normal file
View File

@ -0,0 +1,18 @@
Disable the unit tests, which consumes a lot of time.
Don't need to run it each building BTY,Centos also disable it.
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
diff --git a/debian/rules.old b/debian/rules
index 5b8b75f..fbefa7b 100755
--- a/debian/rules.old
+++ b/debian/rules
@@ -131,7 +131,7 @@ ifeq ($(DEB_HOST_ARCH),ppc64el)
# Disable test060-mt-host on ppc64el until #866122 is fixed.
rm -f tests/scripts/test060-mt-hot
endif
- dh_auto_test
+ #dh_auto_test
override_dh_auto_install:
dh_auto_install -- $(MAKEVARS)

1
ldap/openldap/debian/deb_patches/series Normal file
View File

@ -0,0 +1 @@
debian-disable-unit-tests.patch

9
ldap/openldap/debian/meta_data.yaml Normal file
View File

@ -0,0 +1,9 @@
---
debver: 2.4.57+dfsg-3
dl_path:
name: openldap-2.4.57+dfsg-3.tar.gz
url: https://salsa.debian.org/openldap-team/openldap/-/archive/2.4.57+dfsg-3/openldap-2.4.57+dfsg-3.tar.gz
md5sum: 85c7de35e79b8fe45b5d6aabba2b9a3d
revision:
dist: $STX_DIST
PKG_GITREVCOUNT:

721
ldap/openldap/debian/patches/rootdn-should-not-bypass-ppolicy.patch Normal file
View File

@ -0,0 +1,721 @@
From 9456b0eee753d9fd368347b6974a2f6f8d941d4f Mon Sep 17 00:00:00 2001
From: Kam Nasim <kam.nasim@windriver.com>
Date: Tue, 11 Apr 2017 17:23:03 -0400
Subject: [PATCH] rootdn should not bypass ppolicy
test022-ppolicy fails due to the change. The ppolicy behavior is
different with origian design, but that is intended, so remove
the testcase.
---
servers/slapd/overlays/ppolicy.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
index b446deb..fa79872 100644
--- a/servers/slapd/overlays/ppolicy.c
+++ b/servers/slapd/overlays/ppolicy.c
@@ -1950,7 +1950,8 @@ ppolicy_modify( Operation *op, SlapReply
for(p=tl; p; p=p->next, hsize++); /* count history size */
}
- if (be_isroot( op )) goto do_modify;
+ /* WRS UPDATE: Run ppolicy for all user password modify ops */
+ //if (be_isroot( op )) goto do_modify;
/* NOTE: according to draft-behera-ldap-password-policy
* pwdAllowUserChange == FALSE must only prevent pwd changes
@@ -2054,7 +2055,13 @@ ppolicy_modify( Operation *op, SlapReply
}
bv = newpw.bv_val ? &newpw : &addmod->sml_values[0];
- if (pp.pwdCheckQuality > 0) {
+
+ /* WRS UPDATE:
+ * If this is a rootDN op and this is the first password
+ * then bypass password policies as this is a new account
+ * creation
+ */
+ if (pp.pwdCheckQuality > 0 && !(be_isroot( op ) && !pa)) {
rc = check_password_quality( bv, &pp, &pErr, e, (char **)&txt );
if (rc != LDAP_SUCCESS) {
--- ./tests/scripts/test022-ppolicy
+++ /dev/null
@@ -1,673 +0,0 @@
-#! /bin/sh
-# $OpenLDAP$
-## This work is part of OpenLDAP Software <http://www.openldap.org/>.
-##
-## Copyright 1998-2021 The OpenLDAP Foundation.
-## All rights reserved.
-##
-## Redistribution and use in source and binary forms, with or without
-## modification, are permitted only as authorized by the OpenLDAP
-## Public License.
-##
-## A copy of this license is available in the file LICENSE in the
-## top-level directory of the distribution or, alternatively, at
-## <http://www.OpenLDAP.org/license.html>.
-
-echo "running defines.sh"
-. $SRCDIR/scripts/defines.sh
-
-if test $PPOLICY = ppolicyno; then
- echo "Password policy overlay not available, test skipped"
- exit 0
-fi
-
-mkdir -p $TESTDIR $DBDIR1
-
-$SLAPPASSWD -g -n >$CONFIGPWF
-echo "rootpw `$SLAPPASSWD -T $CONFIGPWF`" >$TESTDIR/configpw.conf
-
-echo "Starting slapd on TCP/IP port $PORT1..."
-. $CONFFILTER $BACKEND $MONITORDB < $PPOLICYCONF > $CONF1
-$SLAPD -f $CONF1 -h $URI1 -d $LVL $TIMING > $LOG1 2>&1 &
-PID=$!
-if test $WAIT != 0 ; then
- echo PID $PID
- read foo
-fi
-KILLPIDS="$PID"
-
-USER="uid=nd, ou=People, dc=example, dc=com"
-PASS=testpassword
-
-sleep 1
-
-echo "Using ldapsearch to check that slapd is running..."
-for i in 0 1 2 3 4 5; do
- $LDAPSEARCH -s base -b "$MONITOR" -h $LOCALHOST -p $PORT1 \
- 'objectclass=*' > /dev/null 2>&1
- RC=$?
- if test $RC = 0 ; then
- break
- fi
- echo "Waiting 5 seconds for slapd to start..."
- sleep 5
-done
-if test $RC != 0 ; then
- echo "ldapsearch failed ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit $RC
-fi
-
-echo /dev/null > $TESTOUT
-
-echo "Testing redundant ppolicy instance..."
-$LDAPADD -D cn=config -H $URI1 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
-dn: olcOverlay=ppolicy,olcDatabase={1}$BACKEND,cn=config
-objectClass: olcOverlayConfig
-objectClass: olcPPolicyConfig
-olcOverlay: ppolicy
-olcPPolicyDefault: cn=duplicate policy,ou=policies,dc=example,dc=com
-EOF
-RC=$?
-if test $RC = 0 ; then
- echo "ldapadd should have failed ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit 1
-fi
-
-echo "Using ldapadd to populate the database..."
-# may need "-e relax" for draft 09, but not yet.
-$LDAPADD -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD < \
- $LDIFPPOLICY >> $TESTOUT 2>&1
-RC=$?
-if test $RC != 0 ; then
- echo "ldapadd failed ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit $RC
-fi
-
-echo "Testing account lockout..."
-$LDAPSEARCH -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >$SEARCHOUT 2>&1
-sleep 2
-$LDAPSEARCH -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >>$SEARCHOUT 2>&1
-sleep 2
-$LDAPSEARCH -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >>$SEARCHOUT 2>&1
-sleep 2
-$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >> $SEARCHOUT 2>&1
-$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS >> $SEARCHOUT 2>&1
-COUNT=`grep "Account locked" $SEARCHOUT | wc -l`
-if test $COUNT != 2 ; then
- echo "Account lockout test failed"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit 1
-fi
-
-echo "Waiting 20 seconds for lockout to reset..."
-sleep 20
-
-$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
- -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
-RC=$?
-if test $RC != 0 ; then
- echo "ldapsearch failed ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit $RC
-fi
-
-echo "Testing password expiration"
-echo "Waiting 20 seconds for password to expire..."
-sleep 20
-
-$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
- -b "$BASEDN" -s base > $SEARCHOUT 2>&1
-sleep 2
-$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
- -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
-sleep 2
-$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
- -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
-sleep 2
-$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
- -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
-RC=$?
-if test $RC = 0 ; then
- echo "Password expiration failed ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit 1
-fi
-
-COUNT=`grep "grace logins" $SEARCHOUT | wc -l`
-if test $COUNT != 3 ; then
- echo "Password expiration test failed"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit 1
-fi
-
-echo "Resetting password to clear expired status"
-$LDAPPASSWD -h $LOCALHOST -p $PORT1 \
- -w secret -s $PASS \
- -D "$MANAGERDN" "$USER" >> $TESTOUT 2>&1
-RC=$?
-if test $RC != 0 ; then
- echo "ldappasswd failed ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit $RC
-fi
-
-echo "Filling password history..."
-$LDAPMODIFY -v -D "$USER" -h $LOCALHOST -p $PORT1 -w $PASS >> \
- $TESTOUT 2>&1 << EOMODS
-dn: $USER
-changetype: modify
-delete: userpassword
-userpassword: $PASS
--
-replace: userpassword
-userpassword: 20urgle12-1
-
-dn: $USER
-changetype: modify
-delete: userpassword
-userpassword: 20urgle12-1
--
-replace: userpassword
-userpassword: 20urgle12-2
-
-dn: $USER
-changetype: modify
-delete: userpassword
-userpassword: 20urgle12-2
--
-replace: userpassword
-userpassword: 20urgle12-3
-
-dn: $USER
-changetype: modify
-delete: userpassword
-userpassword: 20urgle12-3
--
-replace: userpassword
-userpassword: 20urgle12-4
-
-dn: $USER
-changetype: modify
-delete: userpassword
-userpassword: 20urgle12-4
--
-replace: userpassword
-userpassword: 20urgle12-5
-
-dn: $USER
-changetype: modify
-delete: userpassword
-userpassword: 20urgle12-5
--
-replace: userpassword
-userpassword: 20urgle12-6
-
-EOMODS
-RC=$?
-if test $RC != 0 ; then
- echo "ldapmodify failed ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit $RC
-fi
-echo "Testing password history..."
-$LDAPMODIFY -v -D "$USER" -h $LOCALHOST -p $PORT1 -w 20urgle12-6 >> \
- $TESTOUT 2>&1 << EOMODS
-dn: $USER
-changetype: modify
-delete: userPassword
-userPassword: 20urgle12-6
--
-replace: userPassword
-userPassword: 20urgle12-2
-
-EOMODS
-RC=$?
-if test $RC = 0 ; then
- echo "ldapmodify failed ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit 1
-fi
-
-echo "Testing forced reset..."
-
-$LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD >> \
- $TESTOUT 2>&1 << EOMODS
-dn: $USER
-changetype: modify
-replace: userPassword
-userPassword: $PASS
--
-replace: pwdReset
-pwdReset: TRUE
-
-EOMODS
-RC=$?
-if test $RC != 0 ; then
- echo "ldapmodify failed ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit $RC
-fi
-
-$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
- -b "$BASEDN" -s base > $SEARCHOUT 2>&1
-RC=$?
-if test $RC = 0 ; then
- echo "Forced reset failed ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit 1
-fi
-
-COUNT=`grep "Operations are restricted" $SEARCHOUT | wc -l`
-if test $COUNT != 1 ; then
- echo "Forced reset test failed"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit 1
-fi
-
-echo "Clearing forced reset..."
-
-$LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD >> \
- $TESTOUT 2>&1 << EOMODS
-dn: $USER
-changetype: modify
-delete: pwdReset
-
-EOMODS
-RC=$?
-if test $RC != 0 ; then
- echo "ldapmodify failed ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit $RC
-fi
-
-$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
- -b "$BASEDN" -s base > $SEARCHOUT 2>&1
-RC=$?
-if test $RC != 0 ; then
- echo "Clearing forced reset failed ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit $RC
-fi
-
-echo "Testing Safe modify..."
-
-$LDAPPASSWD -h $LOCALHOST -p $PORT1 \
- -w $PASS -s failexpect \
- -D "$USER" >> $TESTOUT 2>&1
-RC=$?
-if test $RC = 0 ; then
- echo "Safe modify test 1 failed ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit 1
-fi
-
-sleep 2
-
-OLDPASS=$PASS
-PASS=successexpect
-
-$LDAPPASSWD -h $LOCALHOST -p $PORT1 \
- -w $OLDPASS -s $PASS -a $OLDPASS \
- -D "$USER" >> $TESTOUT 2>&1
-RC=$?
-if test $RC != 0 ; then
- echo "Safe modify test 2 failed ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit $RC
-fi
-
-echo "Testing length requirement..."
-# check control in response (ITS#5711)
-$LDAPPASSWD -h $LOCALHOST -p $PORT1 \
- -w $PASS -a $PASS -s 2shr \
- -D "$USER" -e ppolicy > ${TESTOUT}.2 2>&1
-RC=$?
-cat ${TESTOUT}.2 >> $TESTOUT
-if test $RC = 0 ; then
- echo "Length requirement test failed ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit 1
-fi
-COUNT=`grep "Password fails quality" ${TESTOUT}.2 | wc -l`
-if test $COUNT != 1 ; then
- echo "Length requirement test failed"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit 1
-fi
-COUNT=`grep "Password is too short for policy" ${TESTOUT}.2 | wc -l`
-if test $COUNT != 1 ; then
- echo "Control not returned in response"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit 1
-fi
-
-echo "Testing hashed length requirement..."
-
-$LDAPMODIFY -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS > \
- ${TESTOUT}.2 2>&1 << EOMODS
-dn: $USER
-changetype: modify
-delete: userPassword
-userPassword: $PASS
--
-add: userPassword
-userPassword: {MD5}xxxxxx
-
-EOMODS
-RC=$?
-cat ${TESTOUT}.2 >> $TESTOUT
-if test $RC = 0 ; then
- echo "Hashed length requirement test failed ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit 1
-fi
-COUNT=`grep "Password fails quality" ${TESTOUT}.2 | wc -l`
-if test $COUNT != 1 ; then
- echo "Hashed length requirement test failed"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit 1
-fi
-
-echo "Testing multiple password add/modify checks..."
-
-$LDAPMODIFY -h $LOCALHOST -p $PORT1 -D "$MANAGERDN" -w $PASSWD >> \
- $TESTOUT 2>&1 << EOMODS
-dn: cn=Add Should Fail, ou=People, dc=example, dc=com
-changetype: add
-objectClass: inetOrgPerson
-cn: Add Should Fail
-sn: Fail
-userPassword: firstpw
-userPassword: secondpw
-EOMODS
-RC=$?
-if test $RC = 0 ; then
- echo "Multiple password add test failed ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit 1
-fi
-
-$LDAPMODIFY -h $LOCALHOST -p $PORT1 -D "$MANAGERDN" -w $PASSWD >> \
- $TESTOUT 2>&1 << EOMODS
-dn: $USER
-changetype: modify
-add: userPassword
-userPassword: firstpw
-userPassword: secondpw
-EOMODS
-RC=$?
-if test $RC = 0 ; then
- echo "Multiple password modify add test failed ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit 1
-fi
-
-$LDAPMODIFY -h $LOCALHOST -p $PORT1 -D "$MANAGERDN" -w $PASSWD >> \
- $TESTOUT 2>&1 << EOMODS
-dn: $USER
-changetype: modify
-replace: userPassword
-userPassword: firstpw
-userPassword: secondpw
-EOMODS
-RC=$?
-if test $RC = 0 ; then
- echo "Multiple password modify replace test failed ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit 1
-fi
-
-if test "$BACKLDAP" != "ldapno" && test "$SYNCPROV" != "syncprovno" ; then
-echo ""
-echo "Setting up policy state forwarding test..."
-
-mkdir $DBDIR2
-sed -e "s,$DBDIR1,$DBDIR2," < $CONF1 > $CONF2
-echo "Starting slapd consumer on TCP/IP port $PORT2..."
-$SLAPD -f $CONF2 -h $URI2 -d $LVL $TIMING > $LOG2 2>&1 &
-PID=$!
-if test $WAIT != 0 ; then
- echo PID $PID
- read foo
-fi
-KILLPIDS="$KILLPIDS $PID"
-
-echo "Configuring syncprov on provider..."
-if [ "$SYNCPROV" = syncprovmod ]; then
- $LDAPADD -D cn=config -H $URI1 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
-dn: cn=module,cn=config
-objectclass: olcModuleList
-cn: module
-olcModulePath: $TESTWD/../servers/slapd/overlays
-olcModuleLoad: syncprov.la
-
-EOF
- RC=$?
- if test $RC != 0 ; then
- echo "ldapadd failed for moduleLoad ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit $RC
- fi
-fi
-
-$LDAPADD -D cn=config -H $URI1 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
-dn: olcOverlay={1}syncprov,olcDatabase={1}$BACKEND,cn=config
-objectClass: olcOverlayConfig
-objectClass: olcSyncProvConfig
-olcOverlay: {1}syncprov
-
-EOF
-RC=$?
-if test $RC != 0 ; then
- echo "ldapadd failed for provider database config ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit $RC
-fi
-
-echo "Using ldapsearch to check that slapd is running..."
-for i in 0 1 2 3 4 5; do
- $LDAPSEARCH -s base -b "$MONITOR" -H $URI2 \
- 'objectclass=*' > /dev/null 2>&1
- RC=$?
- if test $RC = 0 ; then
- break
- fi
- echo "Waiting 5 seconds for slapd to start..."
- sleep 5
-done
-if test $RC != 0 ; then
- echo "ldapsearch failed ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit $RC
-fi
-
-echo "Configuring syncrepl on consumer..."
-if [ "$BACKLDAP" = ldapmod ]; then
- $LDAPADD -D cn=config -H $URI2 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
-dn: cn=module,cn=config
-objectclass: olcModuleList
-cn: module
-olcModulePath: $TESTWD/../servers/slapd/back-ldap
-olcModuleLoad: back_ldap.la
-
-EOF
- RC=$?
- if test $RC != 0 ; then
- echo "ldapadd failed for moduleLoad ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit $RC
- fi
-fi
-$LDAPMODIFY -D cn=config -H $URI2 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
-dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
-changetype: add
-objectClass: olcOverlayConfig
-objectClass: olcChainConfig
-olcOverlay: {0}chain
-
-dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
-changetype: add
-objectClass: olcLDAPConfig
-objectClass: olcChainDatabase
-olcDBURI: $URI1
-olcDbIDAssertBind: bindmethod=simple
- binddn="cn=manager,dc=example,dc=com"
- credentials=secret
- mode=self
-
-dn: olcDatabase={1}$BACKEND,cn=config
-changetype: modify
-add: olcSyncrepl
-olcSyncrepl: rid=1
- provider=$URI1
- binddn="cn=manager,dc=example,dc=com"
- bindmethod=simple
- credentials=secret
- searchbase="dc=example,dc=com"
- type=refreshAndPersist
- retry="3 5 300 5"
--
-add: olcUpdateref
-olcUpdateref: $URI1
--
-
-dn: olcOverlay={0}ppolicy,olcDatabase={1}$BACKEND,cn=config
-changetype: modify
-replace: olcPPolicyForwardUpdates
-olcPPolicyForwardUpdates: TRUE
--
-
-EOF
-RC=$?
-if test $RC != 0 ; then
- echo "ldapmodify failed ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit $RC
-fi
-
-echo "Waiting for consumer to sync..."
-sleep $SLEEP1
-
-echo "Testing policy state forwarding..."
-$LDAPSEARCH -H $URI2 -D "$USER" -w wrongpw >$SEARCHOUT 2>&1
-RC=$?
-if test $RC != 49 ; then
- echo "ldapsearch should have failed with 49, got ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit 1
-fi
-
-$LDAPSEARCH -H $URI1 -D "$MANAGERDN" -w $PASSWD -b "$USER" \* \+ >> $SEARCHOUT 2>&1
-COUNT=`grep "pwdFailureTime" $SEARCHOUT | wc -l`
-if test $COUNT != 1 ; then
- echo "Policy state forwarding failed"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit 1
-fi
-
-# End of chaining test
-
-fi
-
-echo ""
-echo "Testing obsolete Netscape ppolicy controls..."
-echo "Enabling Netscape controls..."
-$LDAPMODIFY -v -D cn=config -H $URI1 -y $CONFIGPWF >> \
- $TESTOUT 2>&1 << EOMODS
-dn: olcOverlay={0}ppolicy,olcDatabase={1}$BACKEND,cn=config
-changetype: modify
-replace: olcPPolicySendNetscapeControls
-olcPPolicySendNetscapeControls: TRUE
--
-
-EOMODS
-RC=$?
-if test $RC != 0 ; then
- echo "ldapmodify failed ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit $RC
-fi
-
-echo "Reconfiguring policy to remove grace logins..."
-$LDAPMODIFY -v -D "$MANAGERDN" -H $URI1 -w $PASSWD >> \
- $TESTOUT 2>&1 << EOMODS
-dn: cn=Standard Policy, ou=Policies, dc=example, dc=com
-changetype: modify
-delete: pwdGraceAuthnLimit
--
-replace: pwdMaxAge
-pwdMaxAge: 15
--
-
-EOMODS
-RC=$?
-if test $RC != 0 ; then
- echo "ldapmodify failed ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit $RC
-fi
-
-OLDPASS=$PASS
-PASS=newpass
-$LDAPPASSWD -H $URI1 \
- -w secret -s $PASS \
- -D "$MANAGERDN" "$USER" >> $TESTOUT 2>&1
-RC=$?
-if test $RC != 0 ; then
- echo "Setting new password failed ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit $RC
-fi
-
-echo "Clearing forced reset..."
-$LDAPMODIFY -v -D "$MANAGERDN" -H $URI1 -w $PASSWD >> \
- $TESTOUT 2>&1 << EOMODS
-dn: $USER
-changetype: modify
-delete: pwdReset
-
-EOMODS
-
-DELAY=10
-
-echo "Testing password expiration"
-echo "Waiting $DELAY seconds for password to expire..."
-sleep $DELAY
-
-$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
- -b "$BASEDN" -s base > $SEARCHOUT 2>&1
-sleep 3
-$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
- -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
-sleep 3
-$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
- -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
-sleep 3
-$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
- -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
-sleep 3
-$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
- -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
-RC=$?
-if test $RC = 0 ; then
- echo "Password expiration failed ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit 1
-fi
-COUNT=`grep "PasswordExpiring" $SEARCHOUT | wc -l`
-if test $COUNT = 0 ; then
- echo "Password expiring warning test failed!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit 1
-fi
-
-test $KILLSERVERS != no && kill -HUP $KILLPIDS
-
-echo ">>>>> Test succeeded"
-
-test $KILLSERVERS != no && wait
-
-exit 0
--
1.9.1

1
ldap/openldap/debian/patches/series Normal file
View File

@ -0,0 +1 @@
rootdn-should-not-bypass-ppolicy.patch