diff --git a/ldap/openldap/debian/deb_patches/debian-disable-unit-tests.patch b/ldap/openldap/debian/deb_patches/debian-disable-unit-tests.patch
new file mode 100644
index 000000000..312bad957
--- /dev/null
+++ b/ldap/openldap/debian/deb_patches/debian-disable-unit-tests.patch
@@ -0,0 +1,18 @@
+Disable the unit tests, which consumes a lot of time.
+Don't need to run it each building BTY,Centos also disable it.
+
+Signed-off-by: Yue Tao
+
+diff --git a/debian/rules.old b/debian/rules
+index 5b8b75f..fbefa7b 100755
+--- a/debian/rules.old
++++ b/debian/rules
+@@ -131,7 +131,7 @@ ifeq ($(DEB_HOST_ARCH),ppc64el)
+ # Disable test060-mt-host on ppc64el until #866122 is fixed.
+ rm -f tests/scripts/test060-mt-hot
+ endif
+- dh_auto_test
++ #dh_auto_test
+
+ override_dh_auto_install:
+ dh_auto_install -- $(MAKEVARS)
diff --git a/ldap/openldap/debian/deb_patches/series b/ldap/openldap/debian/deb_patches/series
new file mode 100644
index 000000000..e00dc49c9
--- /dev/null
+++ b/ldap/openldap/debian/deb_patches/series
@@ -0,0 +1 @@
+debian-disable-unit-tests.patch
diff --git a/ldap/openldap/debian/meta_data.yaml b/ldap/openldap/debian/meta_data.yaml
new file mode 100644
index 000000000..ab3dcd1ea
--- /dev/null
+++ b/ldap/openldap/debian/meta_data.yaml
@@ -0,0 +1,9 @@
+---
+debver: 2.4.57+dfsg-3
+dl_path:
+ name: openldap-2.4.57+dfsg-3.tar.gz
+ url: https://salsa.debian.org/openldap-team/openldap/-/archive/2.4.57+dfsg-3/openldap-2.4.57+dfsg-3.tar.gz
+ md5sum: 85c7de35e79b8fe45b5d6aabba2b9a3d
+revision:
+ dist: $STX_DIST
+ PKG_GITREVCOUNT:
diff --git a/ldap/openldap/debian/patches/rootdn-should-not-bypass-ppolicy.patch b/ldap/openldap/debian/patches/rootdn-should-not-bypass-ppolicy.patch
new file mode 100644
index 000000000..be2198ab1
--- /dev/null
+++ b/ldap/openldap/debian/patches/rootdn-should-not-bypass-ppolicy.patch
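Review bot: Commenting out `dh_auto_test` in the debian/rules hunk silently drops the whole OpenLDAP test suite from the package build, and the companion patch in this same commit deletes tests/scripts/test022-ppolicy rather than updating it, so the rootdn password-policy change is never exercised by any automated test. debhelper already skips `dh_auto_test` when `DEB_BUILD_OPTIONS` contains `nocheck`, so the build-time saving is available from the build environment without carrying a patch against debian/rules. If the patch is kept, a commented-out call is a dead line; replace it with a comment that records the decision and how to re-run the suite, e.g. `# Upstream test suite skipped to reduce build time; run it manually when slapd or its overlays change.` The patch description's "BTY,Centos" presumably means "BTW, CentOS" and would read better corrected before the patch is carried long-term.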
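Review bot: The source archive is pinned only by `md5sum`, and MD5 is no longer collision-resistant, so the entry detects a corrupt download but does not bind the build to one specific upstream artifact; if the StarlingX download tooling accepts a SHA-256 digest key, add it here alongside the MD5 value. `PKG_GITREVCOUNT:` is left without a value, which is presumably filled in by the build system at packaging time; a trailing comment such as `# populated by the build tooling` would keep the next reader from treating it as an omission.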
@@ -0,0 +1,721 @@
+From 9456b0eee753d9fd368347b6974a2f6f8d941d4f Mon Sep 17 00:00:00 2001
+From: Kam Nasim
+Date: Tue, 11 Apr 2017 17:23:03 -0400
+Subject: [PATCH] rootdn should not bypass ppolicy
+
+test022-ppolicy fails due to the change. The ppolicy behavior is
+different with origian design, but that is intended, so remove
+the testcase.
+
+---
+ servers/slapd/overlays/ppolicy.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
+index b446deb..fa79872 100644
+--- a/servers/slapd/overlays/ppolicy.c
++++ b/servers/slapd/overlays/ppolicy.c
+@@ -1950,7 +1950,8 @@ ppolicy_modify( Operation *op, SlapReply
+ for(p=tl; p; p=p->next, hsize++); /* count history size */
+ }
+
+- if (be_isroot( op )) goto do_modify;
++ /* WRS UPDATE: Run ppolicy for all user password modify ops */
++ //if (be_isroot( op )) goto do_modify;
+
+ /* NOTE: according to draft-behera-ldap-password-policy
+ * pwdAllowUserChange == FALSE must only prevent pwd changes
+@@ -2054,7 +2055,13 @@ ppolicy_modify( Operation *op, SlapReply
+ }
+
+ bv = newpw.bv_val ? &newpw : &addmod->sml_values[0];
+- if (pp.pwdCheckQuality > 0) {
++
++ /* WRS UPDATE:
++ * If this is a rootDN op and this is the first password
++ * then bypass password policies as this is a new account
++ * creation
++ */
++ if (pp.pwdCheckQuality > 0 && !(be_isroot( op ) && !pa)) {
+
+ rc = check_password_quality( bv, &pp, &pErr, e, (char **)&txt );
+ if (rc != LDAP_SUCCESS) {
+--- ./tests/scripts/test022-ppolicy
++++ /dev/null
+@@ -1,673 +0,0 @@
+-#! /bin/sh
+-# $OpenLDAP$
+-## This work is part of OpenLDAP Software .
+-##
+-## Copyright 1998-2021 The OpenLDAP Foundation.
+-## All rights reserved.
+-##
+-## Redistribution and use in source and binary forms, with or without
+-## modification, are permitted only as authorized by the OpenLDAP
+-## Public License.
+-##
+-## A copy of this license is available in the file LICENSE in the
+-## top-level directory of the distribution or, alternatively, at
+-## .
+-
+-echo "running defines.sh"
+-. $SRCDIR/scripts/defines.sh
+-
+-if test $PPOLICY = ppolicyno; then
+- echo "Password policy overlay not available, test skipped"
+- exit 0
+-fi
+-
+-mkdir -p $TESTDIR $DBDIR1
+-
+-$SLAPPASSWD -g -n >$CONFIGPWF
+-echo "rootpw `$SLAPPASSWD -T $CONFIGPWF`" >$TESTDIR/configpw.conf
+-
+-echo "Starting slapd on TCP/IP port $PORT1..."
+-. $CONFFILTER $BACKEND $MONITORDB < $PPOLICYCONF > $CONF1
+-$SLAPD -f $CONF1 -h $URI1 -d $LVL $TIMING > $LOG1 2>&1 &
+-PID=$!
+-if test $WAIT != 0 ; then
+- echo PID $PID
+- read foo
+-fi
+-KILLPIDS="$PID"
+-
+-USER="uid=nd, ou=People, dc=example, dc=com"
+-PASS=testpassword
+-
+-sleep 1
+-
+-echo "Using ldapsearch to check that slapd is running..."
+-for i in 0 1 2 3 4 5; do
+- $LDAPSEARCH -s base -b "$MONITOR" -h $LOCALHOST -p $PORT1 \
+- 'objectclass=*' > /dev/null 2>&1
+- RC=$?
+- if test $RC = 0 ; then
+- break
+- fi
+- echo "Waiting 5 seconds for slapd to start..."
+- sleep 5
+-done
+-if test $RC != 0 ; then
+- echo "ldapsearch failed ($RC)!"
+- test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit $RC
+-fi
+-
+-echo /dev/null > $TESTOUT
+-
+-echo "Testing redundant ppolicy instance..."
+-$LDAPADD -D cn=config -H $URI1 -y $CONFIGPWF <> $TESTOUT 2>&1
+-dn: olcOverlay=ppolicy,olcDatabase={1}$BACKEND,cn=config
+-objectClass: olcOverlayConfig
+-objectClass: olcPPolicyConfig
+-olcOverlay: ppolicy
+-olcPPolicyDefault: cn=duplicate policy,ou=policies,dc=example,dc=com
+-EOF
+-RC=$?
+-if test $RC = 0 ; then
+- echo "ldapadd should have failed ($RC)!"
+- test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit 1
+-fi
+-
+-echo "Using ldapadd to populate the database..."
+-# may need "-e relax" for draft 09, but not yet.
+-$LDAPADD -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD < \
+- $LDIFPPOLICY >> $TESTOUT 2>&1
+-RC=$?
+-if test $RC != 0 ; then
+- echo "ldapadd failed ($RC)!"
+- test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit $RC
+-fi
+-
+-echo "Testing account lockout..."
+-$LDAPSEARCH -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >$SEARCHOUT 2>&1
+-sleep 2
+-$LDAPSEARCH -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >>$SEARCHOUT 2>&1
+-sleep 2
+-$LDAPSEARCH -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >>$SEARCHOUT 2>&1
+-sleep 2
+-$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w wrongpw >> $SEARCHOUT 2>&1
+-$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS >> $SEARCHOUT 2>&1
+-COUNT=`grep "Account locked" $SEARCHOUT | wc -l`
+-if test $COUNT != 2 ; then
+- echo "Account lockout test failed"
+- test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit 1
+-fi
+-
+-echo "Waiting 20 seconds for lockout to reset..."
+-sleep 20
+-
+-$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
+- -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
+-RC=$?
+-if test $RC != 0 ; then
+- echo "ldapsearch failed ($RC)!"
+- test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit $RC
+-fi
+-
+-echo "Testing password expiration"
+-echo "Waiting 20 seconds for password to expire..."
+-sleep 20
+-
+-$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
+- -b "$BASEDN" -s base > $SEARCHOUT 2>&1
+-sleep 2
+-$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
+- -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
+-sleep 2
+-$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
+- -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
+-sleep 2
+-$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
+- -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
+-RC=$?
+-if test $RC = 0 ; then
+- echo "Password expiration failed ($RC)!"
+- test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit 1
+-fi
+-
+-COUNT=`grep "grace logins" $SEARCHOUT | wc -l`
+-if test $COUNT != 3 ; then
+- echo "Password expiration test failed"
+- test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit 1
+-fi
+-
+-echo "Resetting password to clear expired status"
+-$LDAPPASSWD -h $LOCALHOST -p $PORT1 \
+- -w secret -s $PASS \
+- -D "$MANAGERDN" "$USER" >> $TESTOUT 2>&1
+-RC=$?
+-if test $RC != 0 ; then
+- echo "ldappasswd failed ($RC)!"
+- test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit $RC
+-fi
+-
+-echo "Filling password history..."
+-$LDAPMODIFY -v -D "$USER" -h $LOCALHOST -p $PORT1 -w $PASS >> \
+- $TESTOUT 2>&1 << EOMODS
+-dn: $USER
+-changetype: modify
+-delete: userpassword
+-userpassword: $PASS
+--
+-replace: userpassword
+-userpassword: 20urgle12-1
+-
+-dn: $USER
+-changetype: modify
+-delete: userpassword
+-userpassword: 20urgle12-1
+--
+-replace: userpassword
+-userpassword: 20urgle12-2
+-
+-dn: $USER
+-changetype: modify
+-delete: userpassword
+-userpassword: 20urgle12-2
+--
+-replace: userpassword
+-userpassword: 20urgle12-3
+-
+-dn: $USER
+-changetype: modify
+-delete: userpassword
+-userpassword: 20urgle12-3
+--
+-replace: userpassword
+-userpassword: 20urgle12-4
+-
+-dn: $USER
+-changetype: modify
+-delete: userpassword
+-userpassword: 20urgle12-4
+--
+-replace: userpassword
+-userpassword: 20urgle12-5
+-
+-dn: $USER
+-changetype: modify
+-delete: userpassword
+-userpassword: 20urgle12-5
+--
+-replace: userpassword
+-userpassword: 20urgle12-6
+-
+-EOMODS
+-RC=$?
+-if test $RC != 0 ; then
+- echo "ldapmodify failed ($RC)!"
+- test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit $RC
+-fi
+-echo "Testing password history..."
+-$LDAPMODIFY -v -D "$USER" -h $LOCALHOST -p $PORT1 -w 20urgle12-6 >> \
+- $TESTOUT 2>&1 << EOMODS
+-dn: $USER
+-changetype: modify
+-delete: userPassword
+-userPassword: 20urgle12-6
+--
+-replace: userPassword
+-userPassword: 20urgle12-2
+-
+-EOMODS
+-RC=$?
+-if test $RC = 0 ; then
+- echo "ldapmodify failed ($RC)!"
+- test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit 1
+-fi
+-
+-echo "Testing forced reset..."
+-
+-$LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD >> \
+- $TESTOUT 2>&1 << EOMODS
+-dn: $USER
+-changetype: modify
+-replace: userPassword
+-userPassword: $PASS
+--
+-replace: pwdReset
+-pwdReset: TRUE
+-
+-EOMODS
+-RC=$?
+-if test $RC != 0 ; then
+- echo "ldapmodify failed ($RC)!"
+- test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit $RC
+-fi
+-
+-$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
+- -b "$BASEDN" -s base > $SEARCHOUT 2>&1
+-RC=$?
+-if test $RC = 0 ; then
+- echo "Forced reset failed ($RC)!"
+- test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit 1
+-fi
+-
+-COUNT=`grep "Operations are restricted" $SEARCHOUT | wc -l`
+-if test $COUNT != 1 ; then
+- echo "Forced reset test failed"
+- test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit 1
+-fi
+-
+-echo "Clearing forced reset..."
+-
+-$LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD >> \
+- $TESTOUT 2>&1 << EOMODS
+-dn: $USER
+-changetype: modify
+-delete: pwdReset
+-
+-EOMODS
+-RC=$?
+-if test $RC != 0 ; then
+- echo "ldapmodify failed ($RC)!"
+- test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit $RC
+-fi
+-
+-$LDAPSEARCH -e ppolicy -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS \
+- -b "$BASEDN" -s base > $SEARCHOUT 2>&1
+-RC=$?
+-if test $RC != 0 ; then
+- echo "Clearing forced reset failed ($RC)!"
+- test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit $RC
+-fi
+-
+-echo "Testing Safe modify..."
+-
+-$LDAPPASSWD -h $LOCALHOST -p $PORT1 \
+- -w $PASS -s failexpect \
+- -D "$USER" >> $TESTOUT 2>&1
+-RC=$?
+-if test $RC = 0 ; then
+- echo "Safe modify test 1 failed ($RC)!"
+- test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit 1
+-fi
+-
+-sleep 2
+-
+-OLDPASS=$PASS
+-PASS=successexpect
+-
+-$LDAPPASSWD -h $LOCALHOST -p $PORT1 \
+- -w $OLDPASS -s $PASS -a $OLDPASS \
+- -D "$USER" >> $TESTOUT 2>&1
+-RC=$?
+-if test $RC != 0 ; then
+- echo "Safe modify test 2 failed ($RC)!"
+- test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit $RC
+-fi
+-
+-echo "Testing length requirement..."
+-# check control in response (ITS#5711)
+-$LDAPPASSWD -h $LOCALHOST -p $PORT1 \
+- -w $PASS -a $PASS -s 2shr \
+- -D "$USER" -e ppolicy > ${TESTOUT}.2 2>&1
+-RC=$?
+-cat ${TESTOUT}.2 >> $TESTOUT
+-if test $RC = 0 ; then
+- echo "Length requirement test failed ($RC)!"
+- test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit 1
+-fi
+-COUNT=`grep "Password fails quality" ${TESTOUT}.2 | wc -l`
+-if test $COUNT != 1 ; then
+- echo "Length requirement test failed"
+- test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit 1
+-fi
+-COUNT=`grep "Password is too short for policy" ${TESTOUT}.2 | wc -l`
+-if test $COUNT != 1 ; then
+- echo "Control not returned in response"
+- test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit 1
+-fi
+-
+-echo "Testing hashed length requirement..."
+-
+-$LDAPMODIFY -h $LOCALHOST -p $PORT1 -D "$USER" -w $PASS > \
+- ${TESTOUT}.2 2>&1 << EOMODS
+-dn: $USER
+-changetype: modify
+-delete: userPassword
+-userPassword: $PASS
+--
+-add: userPassword
+-userPassword: {MD5}xxxxxx
+-
+-EOMODS
+-RC=$?
+-cat ${TESTOUT}.2 >> $TESTOUT
+-if test $RC = 0 ; then
+- echo "Hashed length requirement test failed ($RC)!"
+- test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit 1
+-fi
+-COUNT=`grep "Password fails quality" ${TESTOUT}.2 | wc -l`
+-if test $COUNT != 1 ; then
+- echo "Hashed length requirement test failed"
+- test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit 1
+-fi
+-
+-echo "Testing multiple password add/modify checks..."
+-
+-$LDAPMODIFY -h $LOCALHOST -p $PORT1 -D "$MANAGERDN" -w $PASSWD >> \
+- $TESTOUT 2>&1 << EOMODS
+-dn: cn=Add Should Fail, ou=People, dc=example, dc=com
+-changetype: add
+-objectClass: inetOrgPerson
+-cn: Add Should Fail
+-sn: Fail
+-userPassword: firstpw
+-userPassword: secondpw
+-EOMODS
+-RC=$?
+-if test $RC = 0 ; then
+- echo "Multiple password add test failed ($RC)!"
+- test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit 1
+-fi
+-
+-$LDAPMODIFY -h $LOCALHOST -p $PORT1 -D "$MANAGERDN" -w $PASSWD >> \
+- $TESTOUT 2>&1 << EOMODS
+-dn: $USER
+-changetype: modify
+-add: userPassword
+-userPassword: firstpw
+-userPassword: secondpw
+-EOMODS
+-RC=$?
+-if test $RC = 0 ; then
+- echo "Multiple password modify add test failed ($RC)!"
+- test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit 1
+-fi
+-
+-$LDAPMODIFY -h $LOCALHOST -p $PORT1 -D "$MANAGERDN" -w $PASSWD >> \
+- $TESTOUT 2>&1 << EOMODS
+-dn: $USER
+-changetype: modify
+-replace: userPassword
+-userPassword: firstpw
+-userPassword: secondpw
+-EOMODS
+-RC=$?
+-if test $RC = 0 ; then
+- echo "Multiple password modify replace test failed ($RC)!"
+- test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit 1
+-fi
+-
+-if test "$BACKLDAP" != "ldapno" && test "$SYNCPROV" != "syncprovno" ; then
+-echo ""
+-echo "Setting up policy state forwarding test..."
+-
+-mkdir $DBDIR2
+-sed -e "s,$DBDIR1,$DBDIR2," < $CONF1 > $CONF2
+-echo "Starting slapd consumer on TCP/IP port $PORT2..."
+-$SLAPD -f $CONF2 -h $URI2 -d $LVL $TIMING > $LOG2 2>&1 &
+-PID=$!
+-if test $WAIT != 0 ; then
+- echo PID $PID
+- read foo
+-fi
+-KILLPIDS="$KILLPIDS $PID"
+-
+-echo "Configuring syncprov on provider..."
+-if [ "$SYNCPROV" = syncprovmod ]; then
+- $LDAPADD -D cn=config -H $URI1 -y $CONFIGPWF <> $TESTOUT 2>&1
+-dn: cn=module,cn=config
+-objectclass: olcModuleList
+-cn: module
+-olcModulePath: $TESTWD/../servers/slapd/overlays
+-olcModuleLoad: syncprov.la
+-
+-EOF
+- RC=$?
+- if test $RC != 0 ; then
+- echo "ldapadd failed for moduleLoad ($RC)!"
+- test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit $RC
+- fi
+-fi
+-
+-$LDAPADD -D cn=config -H $URI1 -y $CONFIGPWF <> $TESTOUT 2>&1
+-dn: olcOverlay={1}syncprov,olcDatabase={1}$BACKEND,cn=config
+-objectClass: olcOverlayConfig
+-objectClass: olcSyncProvConfig
+-olcOverlay: {1}syncprov
+-
+-EOF
+-RC=$?
+-if test $RC != 0 ; then
+- echo "ldapadd failed for provider database config ($RC)!"
+- test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit $RC
+-fi
+-
+-echo "Using ldapsearch to check that slapd is running..."
+-for i in 0 1 2 3 4 5; do
+- $LDAPSEARCH -s base -b "$MONITOR" -H $URI2 \
+- 'objectclass=*' > /dev/null 2>&1
+- RC=$?
+- if test $RC = 0 ; then
+- break
+- fi
+- echo "Waiting 5 seconds for slapd to start..."
+- sleep 5
+-done
+-if test $RC != 0 ; then
+- echo "ldapsearch failed ($RC)!"
+- test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit $RC
+-fi
+-
+-echo "Configuring syncrepl on consumer..."
+-if [ "$BACKLDAP" = ldapmod ]; then
+- $LDAPADD -D cn=config -H $URI2 -y $CONFIGPWF <> $TESTOUT 2>&1
+-dn: cn=module,cn=config
+-objectclass: olcModuleList
+-cn: module
+-olcModulePath: $TESTWD/../servers/slapd/back-ldap
+-olcModuleLoad: back_ldap.la
+-
+-EOF
+- RC=$?
+- if test $RC != 0 ; then
+- echo "ldapadd failed for moduleLoad ($RC)!"
+- test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit $RC
+- fi
+-fi
+-$LDAPMODIFY -D cn=config -H $URI2 -y $CONFIGPWF <> $TESTOUT 2>&1
+-dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
+-changetype: add
+-objectClass: olcOverlayConfig
+-objectClass: olcChainConfig
+-olcOverlay: {0}chain
+-
+-dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
+-changetype: add
+-objectClass: olcLDAPConfig
+-objectClass: olcChainDatabase
+-olcDBURI: $URI1
+-olcDbIDAssertBind: bindmethod=simple
+- binddn="cn=manager,dc=example,dc=com"
+- credentials=secret
+- mode=self
+-
+-dn: olcDatabase={1}$BACKEND,cn=config
+-changetype: modify
+-add: olcSyncrepl
+-olcSyncrepl: rid=1
+- provider=$URI1
+- binddn="cn=manager,dc=example,dc=com"
+- bindmethod=simple
+- credentials=secret
+- searchbase="dc=example,dc=com"
+- type=refreshAndPersist
+- retry="3 5 300 5"
+--
+-add: olcUpdateref
+-olcUpdateref: $URI1
+--
+-
+-dn: olcOverlay={0}ppolicy,olcDatabase={1}$BACKEND,cn=config
+-changetype: modify
+-replace: olcPPolicyForwardUpdates
+-olcPPolicyForwardUpdates: TRUE
+--
+-
+-EOF
+-RC=$?
+-if test $RC != 0 ; then
+- echo "ldapmodify failed ($RC)!"
+- test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit $RC
+-fi
+-
+-echo "Waiting for consumer to sync..."
+-sleep $SLEEP1
+-
+-echo "Testing policy state forwarding..."
+-$LDAPSEARCH -H $URI2 -D "$USER" -w wrongpw >$SEARCHOUT 2>&1
+-RC=$?
+-if test $RC != 49 ; then
+- echo "ldapsearch should have failed with 49, got ($RC)!"
+- test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit 1
+-fi
+-
+-$LDAPSEARCH -H $URI1 -D "$MANAGERDN" -w $PASSWD -b "$USER" \* \+ >> $SEARCHOUT 2>&1
+-COUNT=`grep "pwdFailureTime" $SEARCHOUT | wc -l`
+-if test $COUNT != 1 ; then
+- echo "Policy state forwarding failed"
+- test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit 1
+-fi
+-
+-# End of chaining test
+-
+-fi
+-
+-echo ""
+-echo "Testing obsolete Netscape ppolicy controls..."
+-echo "Enabling Netscape controls..."
+-$LDAPMODIFY -v -D cn=config -H $URI1 -y $CONFIGPWF >> \
+- $TESTOUT 2>&1 << EOMODS
+-dn: olcOverlay={0}ppolicy,olcDatabase={1}$BACKEND,cn=config
+-changetype: modify
+-replace: olcPPolicySendNetscapeControls
+-olcPPolicySendNetscapeControls: TRUE
+--
+-
+-EOMODS
+-RC=$?
+-if test $RC != 0 ; then
+- echo "ldapmodify failed ($RC)!"
+- test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit $RC
+-fi
+-
+-echo "Reconfiguring policy to remove grace logins..."
+-$LDAPMODIFY -v -D "$MANAGERDN" -H $URI1 -w $PASSWD >> \
+- $TESTOUT 2>&1 << EOMODS
+-dn: cn=Standard Policy, ou=Policies, dc=example, dc=com
+-changetype: modify
+-delete: pwdGraceAuthnLimit
+--
+-replace: pwdMaxAge
+-pwdMaxAge: 15
+--
+-
+-EOMODS
+-RC=$?
+-if test $RC != 0 ; then
+- echo "ldapmodify failed ($RC)!"
+- test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit $RC
+-fi
+-
+-OLDPASS=$PASS
+-PASS=newpass
+-$LDAPPASSWD -H $URI1 \
+- -w secret -s $PASS \
+- -D "$MANAGERDN" "$USER" >> $TESTOUT 2>&1
+-RC=$?
+-if test $RC != 0 ; then
+- echo "Setting new password failed ($RC)!"
+- test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit $RC
+-fi
+-
+-echo "Clearing forced reset..."
+-$LDAPMODIFY -v -D "$MANAGERDN" -H $URI1 -w $PASSWD >> \
+- $TESTOUT 2>&1 << EOMODS
+-dn: $USER
+-changetype: modify
+-delete: pwdReset
+-
+-EOMODS
+-
+-DELAY=10
+-
+-echo "Testing password expiration"
+-echo "Waiting $DELAY seconds for password to expire..."
+-sleep $DELAY
+-
+-$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
+- -b "$BASEDN" -s base > $SEARCHOUT 2>&1
+-sleep 3
+-$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
+- -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
+-sleep 3
+-$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
+- -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
+-sleep 3
+-$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
+- -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
+-sleep 3
+-$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
+- -b "$BASEDN" -s base >> $SEARCHOUT 2>&1
+-RC=$?
+-if test $RC = 0 ; then
+- echo "Password expiration failed ($RC)!"
+- test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit 1
+-fi
+-COUNT=`grep "PasswordExpiring" $SEARCHOUT | wc -l`
+-if test $COUNT = 0 ; then
+- echo "Password expiring warning test failed!"
+- test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit 1
+-fi
+-
+-test $KILLSERVERS != no && kill -HUP $KILLPIDS
+-
+-echo ">>>>> Test succeeded"
+-
+-test $KILLSERVERS != no && wait
+-
+-exit 0
+--
+1.9.1
+
diff --git a/ldap/openldap/debian/patches/series b/ldap/openldap/debian/patches/series
new file mode 100644
index 000000000..869daf1d3
--- /dev/null
+++ b/ldap/openldap/debian/patches/series
@@ -0,0 +1 @@
+rootdn-should-not-bypass-ppolicy.patch
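Review bot: Commenting out `if (be_isroot( op )) goto do_modify;` at ppolicy.c:1953 sends every rootdn password modify through the whole stretch up to `do_modify`, which lies outside this hunk but, judging by the deleted test's manager-driven "Resetting password to clear expired status" and "Testing Safe modify..." steps, appears to include checks such as safe-modify that an administrative reset is normally expected to bypass; rather than deleting tests/scripts/test022-ppolicy, those rootdn steps should be rewritten to the intended outcome so the new behaviour is pinned. The same test should also cover the new exemption `!(be_isroot( op ) && !pa)`, otherwise nothing stops it from widening later. The added comment says the rootDN first-password case will "bypass password policies", but the condition only wraps `check_password_quality`; make the comment say `/* rootDN setting an account's first password skips only the quality check */` so readers do not assume history or age checks are skipped as well. Style: this file uses `/* */` comments, and a disabled statement should be removed rather than kept as `//if (be_isroot( op )) goto do_modify;` under a `WRS UPDATE` marker. ppolicy_modify begins and ends outside the hunk.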