#! /bin/sh
# $OpenLDAP$
## This work is part of OpenLDAP Software .
##
## Copyright 2016-2021 Ondřej Kuzník, Symas Corp.
## Copyright 2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## .
echo "running defines.sh"
. $SRCDIR/scripts/defines.sh
if test $OTP = otpno; then
echo "OTP overlay not available, test skipped"
exit 0
fi
OTP_DATA=$DATADIR/otp/hotp.ldif
# OTPs for this token
TOKEN_0=818800
TOKEN_1=320382
TOKEN_2=404533
TOKEN_3=127122
TOKEN_4=892599
TOKEN_5=407030
TOKEN_6=880935
TOKEN_7=920291
TOKEN_8=145192
TOKEN_9=316404
TOKEN_10=409144
# OTPs for the second set of parameters
TOKEN_SHA512_11=17544155
TOKEN_SHA512_12=48953477
mkdir -p $TESTDIR $DBDIR1
echo "Running slapadd to build slapd database..."
. $CONFFILTER $BACKEND < $CONF > $ADDCONF
$SLAPADD -f $ADDCONF -l $LDIFORDERED
RC=$?
if test $RC != 0 ; then
echo "slapadd failed ($RC)!"
exit $RC
fi
mkdir $TESTDIR/confdir
. $CONFFILTER $BACKEND < $CONF > $CONF1
$SLAPPASSWD -g -n >$CONFIGPWF
echo "database config" >>$CONF1
echo "rootpw `$SLAPPASSWD -T $CONFIGPWF`" >>$CONF1
echo "Starting slapd on TCP/IP port $PORT1..."
$SLAPD -f $CONF1 -F $TESTDIR/confdir -h $URI1 -d $LVL > $LOG1 2>&1 &
PID=$!
if test $WAIT != 0 ; then
echo PID $PID
read foo
fi
KILLPIDS="$PID"
sleep $SLEEP0
for i in 0 1 2 3 4 5; do
$LDAPSEARCH -s base -b "$MONITOR" -H $URI1 \
'objectclass=*' > /dev/null 2>&1
RC=$?
if test $RC = 0 ; then
break
fi
echo "Waiting ${SLEEP1} seconds for slapd to start..."
sleep ${SLEEP1}
done
if [ "$OTP" = otpmod ]; then
$LDAPADD -D cn=config -H $URI1 -y $CONFIGPWF \
>> $TESTOUT 2>&1 <> $TESTOUT 2>&1 <> $TESTOUT 2>&1 < $OTP_DATA
RC=$?
if test $RC != 0 ; then
echo "ldapmodify failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo "Authentication tests:"
echo "\ttoken that's not valid yet..."
$LDAPWHOAMI -D "$BABSDN" -H $URI1 -w "bjensen$TOKEN_10" \
>> $TESTOUT 2>&1
RC=$?
if test $RC != 49 ; then
echo "ldapwhoami should have failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo "\ta valid and expected token..."
$LDAPWHOAMI -D "$BABSDN" -H $URI1 -w "bjensen$TOKEN_4" \
>> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo "\ta valid token skipping some..."
$LDAPWHOAMI -D "$BABSDN" -H $URI1 -w "bjensen$TOKEN_6" \
>> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo "\treusing the same token..."
$LDAPWHOAMI -D "$BABSDN" -H $URI1 -w "bjensen$TOKEN_6" \
>> $TESTOUT 2>&1
RC=$?
if test $RC != 49 ; then
echo "ldapwhoami should have failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo "\tanother account sharing the same token..."
$LDAPWHOAMI -D "$BJORNSDN" -H $URI1 -w "bjorn$TOKEN_7" \
>> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo "\ttrying an old token..."
$LDAPWHOAMI -D "$BJORNSDN" -H $URI1 -w "bjorn$TOKEN_5" \
>> $TESTOUT 2>&1
RC=$?
if test $RC != 49 ; then
echo "ldapwhoami should have failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo "\tright token, wrong password..."
$LDAPWHOAMI -D "$BJORNSDN" -H $URI1 -w "bjensen$TOKEN_8" \
>> $TESTOUT 2>&1
RC=$?
if test $RC != 49 ; then
echo "ldapwhoami should have failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo "\tmaking sure previous token has been retired too..."
$LDAPWHOAMI -D "$BJORNSDN" -H $URI1 -w "bjorn$TOKEN_8" \
>> $TESTOUT 2>&1
RC=$?
if test $RC != 49 ; then
echo "ldapwhoami should have failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo "\tthe first token we tested that's just become valid..."
$LDAPWHOAMI -D "$BABSDN" -H $URI1 -w "bjensen$TOKEN_10" \
>> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo "Reconfiguring token parameters..."
$LDAPMODIFY -D "$MANAGERDN" -H $URI1 -w $PASSWD \
>/dev/null 2>&1 << EOMODS
dn: ou=Information Technology Division,ou=People,dc=example,dc=com
changetype: modify
replace: oathHOTPParams
oathHOTPParams: ou=Alumni Association,ou=People,dc=example,dc=com
EOMODS
RC=$?
if test $RC != 0 ; then
echo "ldapmodify failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo "A new round of tests:"
echo "\ta long token that's not valid yet..."
$LDAPWHOAMI -D "$BABSDN" -H $URI1 -w "bjensen$TOKEN_SHA512_12" \
>> $TESTOUT 2>&1
RC=$?
if test $RC != 49 ; then
echo "ldapwhoami should have failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo "\ta valid and expected token..."
$LDAPWHOAMI -D "$BABSDN" -H $URI1 -w "bjensen$TOKEN_SHA512_11" \
>> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo "\tthe previous long token that's just become valid..."
$LDAPWHOAMI -D "$BABSDN" -H $URI1 -w "bjensen$TOKEN_SHA512_12" \
>> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo "Retrieving token status..."
$LDAPSEARCH -b "ou=Information Technology Division,ou=People,dc=example,dc=com" \
-H $URI1 objectclass=oathHOTPToken '@oathHOTPToken' \
>> $SEARCHOUT 2>&1
RC=$?
if test $RC != 0 ; then
echo "ldapsearch failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
test $KILLSERVERS != no && kill -HUP $KILLPIDS
LDIF=$DATADIR/otp/test001-out.ldif
echo "Filtering ldapsearch results..."
$LDIFFILTER < $SEARCHOUT > $SEARCHFLT
echo "Filtering ldif with expected data..."
$LDIFFILTER < $LDIF > $LDIFFLT
echo "Comparing filter output..."
$CMP $SEARCHFLT $LDIFFLT > $CMPOUT
if test $? != 0 ; then
echo "Comparison failed"
exit 1
fi
echo ">>>>> Test succeeded"
test $KILLSERVERS != no && wait
exit 0