>From cff66313706c607d4df6f074255703da8d87b35a Mon Sep 17 00:00:00 2001From: Quanah Gibson-Mount Date: Wed, 10 May 2017 10:31:30 +0000Subject: [PATCH] ITS#8573 TLS options and test suite--- clients/tools/common.c | 97 +++++++++++++++- configure | 4 + configure.in | 4 + doc/man/man1/ldapcompare.1 | 10 ++ doc/man/man1/ldapdelete.1 | 10 ++ doc/man/man1/ldapexop.1 | 10 ++ doc/man/man1/ldapmodify.1 | 10 ++ doc/man/man1/ldapmodrdn.1 | 10 ++ doc/man/man1/ldappasswd.1 | 10 ++ doc/man/man1/ldapsearch.1 | 10 ++ doc/man/man1/ldapwhoami.1 | 10 ++ tests/data/slapd-tls-sasl.conf | 65 +++++++++++ tests/data/slapd-tls.conf | 61 ++++++++++ tests/data/tls/ca/certs/testsuiteCA.crt | 16 +++ tests/data/tls/ca/private/testsuiteCA.key | 16 +++ .../data/tls/certs/bjensen@mailgw.example.com.crt | 16 +++ tests/data/tls/certs/localhost.crt | 16 +++ tests/data/tls/conf/openssl.cnf | 129 +++++++++++++++++++++ tests/data/tls/create-crt.sh | 78 +++++++++++++ .../tls/private/bjensen@mailgw.example.com.key | 16 +++ tests/data/tls/private/localhost.key | 16 +++ tests/run.in | 3 +- tests/scripts/defines.sh | 21 +++- tests/scripts/test067-tls | 118 +++++++++++++++++++ tests/scripts/test068-sasl-tls-external | 102 ++++++++++++++++ 25 files changed, 855 insertions(+), 3 deletions(-) create mode 100644 tests/data/slapd-tls-sasl.conf create mode 100644 tests/data/slapd-tls.conf create mode 100644 tests/data/tls/ca/certs/testsuiteCA.crt create mode 100644 tests/data/tls/ca/private/testsuiteCA.key create mode 100644 tests/data/tls/certs/bjensen@mailgw.example.com.crt create mode 100644 tests/data/tls/certs/localhost.crt create mode 100644 tests/data/tls/conf/openssl.cnf create mode 100755 tests/data/tls/create-crt.sh create mode 100644 tests/data/tls/private/bjensen@mailgw.example.com.key create mode 100644 tests/data/tls/private/localhost.key create mode 100755 tests/scripts/test067-tls create mode 100755 tests/scripts/test068-sasl-tls-externaldiff --git a/clients/tools/common.c 
b/clients/tools/common.cindex 5eb41aa..00314b4 100644--- a/clients/tools/common.c+++ b/clients/tools/common.c@@ -92,6 +92,35 @@ char *sasl_mech = NULL; char *sasl_secprops = NULL; #endif +/* TLS */+#ifdef HAVE_TLS+typedef struct tls_options {+ const char * name;+ char * value;+ size_t offset;+} tls_options;++tls_options tls_opts[]= {+ { "tls-cacertfile", NULL, LDAP_OPT_X_TLS_CACERTFILE },+ { "tls-cacertdir", NULL, LDAP_OPT_X_TLS_CACERTDIR },+ { "tls-certfile", NULL, LDAP_OPT_X_TLS_CERTFILE },+ { "tls-keyfile", NULL, LDAP_OPT_X_TLS_KEYFILE },+ { "tls-reqcert", NULL, LDAP_OPT_X_TLS_REQUIRE_CERT },+ { "tls-cipher-suite", NULL, LDAP_OPT_X_TLS_CIPHER_SUITE },+#ifdef HAVE_OPENSSL+ { "tls-protocol-min", NULL, LDAP_OPT_X_TLS_PROTOCOL_MIN },+ { "tls-randfile", NULL, LDAP_OPT_X_TLS_RANDOM_FILE },+#endif+#ifdef HAVE_OPENSSL_CRL+ { "tls-crl-check", NULL, LDAP_OPT_X_TLS_CRLCHECK },+#endif+#ifdef HAVE_GNUTLS+ { "tls-crl-file", NULL, LDAP_OPT_X_TLS_CRLFILE },+#endif+ { NULL, NULL, 0 },+};++#endif /* controls */ int assertctl; char *assertion = NULL;@@ -375,8 +404,26 @@ N_(" -n show what would be done but don't actually do it\n"), N_(" -N do not use reverse DNS to canonicalize SASL host name\n"), N_(" -O props SASL security properties\n"), N_(" -o [=] general options\n"),-N_(" nettimeout= (in seconds, or \"none\" or \"max\")\n"), N_(" ldif-wrap= (in columns, or \"no\" for no wrapping)\n"),+N_(" nettimeout= (in seconds, or \"none\" or \"max\")\n"),+#ifdef HAVE_TLS+N_(" tls-cacertfile= (path to CA file for TLS operations)\n"),+N_(" tls-cacertdir= (path to CA directory for TLS operations)\n"),+N_(" tls-certfile= (path to public cert file for TLS certificate authentication)\n"),+N_(" tls-keyfile= (path to private key file for TLS certificate authentication)\n"),+N_(" tls-reqcert= (check to perform within a TLS session (never, allow, try, demand|hard))\n"),+N_(" tls-cipher-suite= (specifies acceptable cipher suite(s) and preference order)\n"),+#ifdef HAVE_OPENSSL+N_(" 
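Review bot: The `tls_opts` table in the `@@ -92,6 +92,35 @@` hunk is a writable file-scope global with external linkage although nothing outside common.c needs it; declare it `static tls_options tls_opts[] = {` so the mutable option state stays private to this translation unit. The field `size_t offset` does not hold an offset but an `LDAP_OPT_X_TLS_*` option code (presumably an `int` in the `ldap_pvt_tls_config` signature it is handed to in a later hunk), so `int opt;` would describe it honestly and avoid a silent narrowing at the call. A one-line comment above the table, `/* -o tls-* options: .value is filled by tool_args(), applied in tool_conn_setup() */`, would tie the three hunks together for the next reader.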
tls-protocol-min=]> (specifies minimum TLS protocol version to negotiate))\n"),+N_(" tls-randfile= (file to obtain random bits from when /dev/[u]random is not available)\n"),+#endif+#ifdef HAVE_OPENSSL_CRL+N_(" tls-crl-check= (specifies if CRL of CA should be used for server certs (none, peer, all))\n"),+#endif+#ifdef HAVE_GNUTLS+N_(" tls-crl-file= (specifies the file containing a CRL to be used for verification of server certs)\n"),+#endif+#endif /* HAVE_TLS */ N_(" -p port port on LDAP server\n"), N_(" -Q use SASL Quiet mode\n"), N_(" -R realm SASL realm\n"),@@ -884,6 +931,24 @@ tool_args( int argc, char **argv ) ldif_wrap = (ber_len_t)u; } +#ifdef HAVE_TLS+ } else if (strstr(control, "tls-")) {+ int i;+ for ( i = 0; tls_opts[ i ].name != NULL; i++ ) {+ if ( strcasecmp( control, tls_opts[ i ].name ) == 0 ) {+ if ( tls_opts[ i ].value != NULL ) {+ fprintf( stderr, "%s option previously specified\n", control );+ }+ if( cvalue == NULL || cvalue[0] == '\0' ) {+ fprintf( stderr, "%s: option value expected\n", control );+ usage();+ }+ tls_opts[ i ].value = ber_strdup( cvalue );+ break;+ }+ }+#endif /* HAVE_TLS */+ } else { fprintf( stderr, "Invalid general option name: %s\n", control );@@ -1215,6 +1280,10 @@ tool_conn_setup( int dont, void (*private_setup)( LDAP * ) ) { LDAP *ld = NULL; +#ifdef HAVE_TLS+ int need_tls_ctx = 0;+#endif+ if ( debug ) { if( ber_set_option( NULL, LBER_OPT_DEBUG_LEVEL, &debug ) != LBER_OPT_SUCCESS )@@ -1230,6 +1299,32 @@ tool_conn_setup( int dont, void (*private_setup)( LDAP * ) ) } } +#ifdef HAVE_TLS+ int i;+ for ( i = 0; tls_opts[ i ].name != NULL; i++ ) {+ if (tls_opts[ i ].value) {+ if ( ldap_pvt_tls_config( NULL, tls_opts[ i ].offset, tls_opts[ i ].value )+ != LDAP_OPT_SUCCESS )+ {+ fprintf( stderr, "Could not set option %s to %s\n",+ tls_opts[ i ].name, tls_opts[ i ].value);+ tool_exit( ld, EXIT_FAILURE );+ }+ need_tls_ctx = 1;+ }+ }++ if ( need_tls_ctx ) {+ int new_ctx = 0;+ if ( ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &new_ctx)+ != 
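Review bot: In the `tool_args` hunk an unrecognised `-o tls-...` name is silently dropped: `strstr( control, "tls-" )` matches `tls-` anywhere in the string, and when the loop finds no table entry it falls out without the `Invalid general option name` error that the `else` branch below gives every other option. That matters for these particular options, because a typo such as `tls-reqcrt=demand` leaves certificate checking at whatever the global default is while the user believes they tightened it. The duplicate-option branch also prints its warning and then overwrites the earlier `ber_strdup` result without freeing it. Suggested shape of the branch, reusing the existing error text and a prefix test instead of `strstr`:
```c
	} else if ( strncasecmp( control, "tls-", 4 ) == 0 ) {
		int i;
		for ( i = 0; tls_opts[ i ].name != NULL; i++ ) {
			if ( strcasecmp( control, tls_opts[ i ].name ) != 0 )
				continue;
			if ( cvalue == NULL || cvalue[0] == '\0' ) {
				fprintf( stderr, "%s: option value expected\n", control );
				usage();
			}
			if ( tls_opts[ i ].value != NULL ) {
				fprintf( stderr, "%s option previously specified\n", control );
				ber_memfree( tls_opts[ i ].value );	/* last one wins, don't leak the first */
			}
			tls_opts[ i ].value = ber_strdup( cvalue );
			break;
		}
		if ( tls_opts[ i ].name == NULL ) {
			/* tls- prefix but no such option: reject like any other bad -o name */
			fprintf( stderr, "Invalid general option name: %s\n", control );
			usage();
		}
```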
LDAP_OPT_SUCCESS )+ {+ fprintf( stderr, "Could not set LDAP_OPT_X_TLS_NEWCTX\n");+ tool_exit( ld, EXIT_FAILURE );+ }+ }++#endif /* HAVE_TLS */ #ifdef SIGPIPE (void) SIGNAL( SIGPIPE, SIG_IGN ); #endifdiff --git a/configure b/configureindex 620260e..574f9bc 100755--- a/configure+++ b/configure@@ -761,6 +761,7 @@ AUTH_LIBS LIBSLAPI SLAPI_LIBS MODULES_LIBS+WITH_TLS_TYPE TLS_LIBS SASL_LIBS KRB5_LIBS@@ -5223,6 +5224,7 @@ KRB4_LIBS= KRB5_LIBS= SASL_LIBS= TLS_LIBS=+WITH_TLS_TYPE= MODULES_LIBS= SLAPI_LIBS= LIBSLAPI=@@ -15656,6 +15658,7 @@ fi if test $have_openssl = yes ; then ol_with_tls=openssl ol_link_tls=yes+ WITH_TLS_TYPE=openssl $as_echo "#define HAVE_OPENSSL 1" >>confdefs.h@@ -15790,6 +15793,7 @@ fi if test $have_gnutls = yes ; then ol_with_tls=gnutls ol_link_tls=yes+ WITH_TLS_TYPE=gnutls TLS_LIBS="-lgnutls" diff --git a/configure.in b/configure.inindex 5bb2c11..19e9b39 100644--- a/configure.in+++ b/configure.in@@ -610,6 +610,7 @@ KRB4_LIBS= KRB5_LIBS= SASL_LIBS= TLS_LIBS=+WITH_TLS_TYPE= MODULES_LIBS= SLAPI_LIBS= LIBSLAPI=@@ -1198,6 +1199,7 @@ if test $ol_with_tls = openssl || test $ol_with_tls = auto ; then if test $have_openssl = yes ; then ol_with_tls=openssl ol_link_tls=yes+ WITH_TLS_TYPE=openssl AC_DEFINE(HAVE_OPENSSL, 1, [define if you have OpenSSL])@@ -1238,6 +1240,7 @@ if test $ol_link_tls = no ; then if test $have_gnutls = yes ; then ol_with_tls=gnutls ol_link_tls=yes+ WITH_TLS_TYPE=gnutls TLS_LIBS="-lgnutls" 
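Review bot: In the `@@ -1230,6 +1299,32 @@` hunk `int i;` is declared mid-function after the `if ( debug )` statements, while the companion hunk above places `need_tls_ctx` with the other declarations at the top of `tool_conn_setup`; move `i` up under the same `#ifdef HAVE_TLS` for consistency (and C89-friendliness, which the rest of the file appears to follow). As far as the hunk shows, `ld` is still the `NULL` it was initialised to (no `ldap_initialize` is visible before this point), so `ldap_set_option( ld, LDAP_OPT_X_TLS_NEWCTX, &new_ctx )` is really acting on the library's global default; if that is the intent, passing `NULL` explicitly with a comment, `/* tls-* values were set on the global defaults above; rebuild the default TLS context from them */`, stops a later reader from assuming a per-connection context is created here. The failure message `Could not set option %s to %s` gives no hint which values were acceptable (e.g. for `tls-reqcert`), so consider pointing at the usage text there. The function continues past the end of the hunk.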
@@ -3243,6 +3246,7 @@ AC_SUBST(KRB4_LIBS) AC_SUBST(KRB5_LIBS) AC_SUBST(SASL_LIBS) AC_SUBST(TLS_LIBS)+AC_SUBST(WITH_TLS_TYPE) AC_SUBST(MODULES_LIBS) AC_SUBST(SLAPI_LIBS) AC_SUBST(LIBSLAPI)diff --git a/doc/man/man1/ldapcompare.1 b/doc/man/man1/ldapcompare.1index e569deb..55865e9 100644--- a/doc/man/man1/ldapcompare.1+++ b/doc/man/man1/ldapcompare.1@@ -192,6 +192,16 @@ General options: .nf nettimeout= (in seconds, or "none" or "max") ldif-wrap= (in columns, or "no" for no wrapping)+ tls-cacertfile= (path to CA file for TLS operations)+ tls-cacertdir= (path to CA directory for TLS operations)+ tls-certfile= (path to public cert file for TLS certificate authentication)+ tls-keyfile= (path to private key file for TLS certificate authentication)+ tls-reqcert= (never, allow, try, demand|hard)+ tls-cipher-suite= (acceptable cipher suite(s) and preference order)+ tls-protocol-min= (minimum TLS protocol version to negotiate. OpenSSL only)+ tls-randfile= (file to obtain random bits from when /dev/[u]random is not available. OpenSSL only)+ tls-crl-check= (none, peer, all. OpenSSL only)+ tls-crl-file= (file containing a CRL to be used for verification of server certs. GnuTLS only) .fi .TP .BI \-O \ security-propertiesdiff --git a/doc/man/man1/ldapdelete.1 b/doc/man/man1/ldapdelete.1index 1203beb..d78dbc8 100644--- a/doc/man/man1/ldapdelete.1+++ b/doc/man/man1/ldapdelete.1@@ -198,6 +198,16 @@ General options: .nf nettimeout= (in seconds, or "none" or "max") ldif-wrap= (in columns, or "no" for no wrapping)+ tls-cacertfile= (path to CA file for TLS operations)+ tls-cacertdir= (path to CA directory for TLS operations)+ tls-certfile= (path to public cert file for TLS certificate authentication)+ tls-keyfile= (path to private key file for TLS certificate authentication)+ tls-reqcert= (never, allow, try, demand|hard)+ tls-cipher-suite= (acceptable cipher suite(s) and preference order)+ tls-protocol-min= (minimum TLS protocol version to negotiate. 
OpenSSL only)+ tls-randfile= (file to obtain random bits from when /dev/[u]random is not available. OpenSSL only)+ tls-crl-check= (none, peer, all. OpenSSL only)+ tls-crl-file= (file containing a CRL to be used for verification of server certs. GnuTLS only) .fi .TP .BI \-O \ security-propertiesdiff --git a/doc/man/man1/ldapexop.1 b/doc/man/man1/ldapexop.1index 0264507..daa26ef 100644--- a/doc/man/man1/ldapexop.1+++ b/doc/man/man1/ldapexop.1@@ -195,6 +195,16 @@ General options: .nf nettimeout= (in seconds, or "none" or "max") ldif-wrap= (in columns, or "no" for no wrapping)+ tls-cacertfile= (path to CA file for TLS operations)+ tls-cacertdir= (path to CA directory for TLS operations)+ tls-certfile= (path to public cert file for TLS certificate authentication)+ tls-keyfile= (path to private key file for TLS certificate authentication)+ tls-reqcert= (never, allow, try, demand|hard)+ tls-cipher-suite= (acceptable cipher suite(s) and preference order)+ tls-protocol-min= (minimum TLS protocol version to negotiate. OpenSSL only)+ tls-randfile= (file to obtain random bits from when /dev/[u]random is not available. OpenSSL only)+ tls-crl-check= (none, peer, all. OpenSSL only)+ tls-crl-file= (file containing a CRL to be used for verification of server certs. 
GnuTLS only) .fi .TP .BI \-O \ security-propertiesdiff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1index 84473bc..ef80578 100644--- a/doc/man/man1/ldapmodify.1+++ b/doc/man/man1/ldapmodify.1@@ -261,6 +261,16 @@ General options: .nf nettimeout= (in seconds, or "none" or "max") ldif-wrap= (in columns, or "no" for no wrapping)+ tls-cacertfile= (path to CA file for TLS operations)+ tls-cacertdir= (path to CA directory for TLS operations)+ tls-certfile= (path to public cert file for TLS certificate authentication)+ tls-keyfile= (path to private key file for TLS certificate authentication)+ tls-reqcert= (never, allow, try, demand|hard)+ tls-cipher-suite= (acceptable cipher suite(s) and preference order)+ tls-protocol-min= (minimum TLS protocol version to negotiate. OpenSSL only)+ tls-randfile= (file to obtain random bits from when /dev/[u]random is not available. OpenSSL only)+ tls-crl-check= (none, peer, all. OpenSSL only)+ tls-crl-file= (file containing a CRL to be used for verification of server certs. GnuTLS only) .fi .TP .BI \-O \ security-propertiesdiff --git a/doc/man/man1/ldapmodrdn.1 b/doc/man/man1/ldapmodrdn.1index 644bd63..9a1f6a5 100644--- a/doc/man/man1/ldapmodrdn.1+++ b/doc/man/man1/ldapmodrdn.1@@ -192,6 +192,16 @@ General options: .nf nettimeout= (in seconds, or "none" or "max") ldif-wrap= (in columns, or "no" for no wrapping)+ tls-cacertfile= (path to CA file for TLS operations)+ tls-cacertdir= (path to CA directory for TLS operations)+ tls-certfile= (path to public cert file for TLS certificate authentication)+ tls-keyfile= (path to private key file for TLS certificate authentication)+ tls-reqcert= (never, allow, try, demand|hard)+ tls-cipher-suite= (acceptable cipher suite(s) and preference order)+ tls-protocol-min= (minimum TLS protocol version to negotiate. OpenSSL only)+ tls-randfile= (file to obtain random bits from when /dev/[u]random is not available. OpenSSL only)+ tls-crl-check= (none, peer, all. 
OpenSSL only)+ tls-crl-file= (file containing a CRL to be used for verification of server certs. GnuTLS only) .fi .TP .BI \-O \ security-propertiesdiff --git a/doc/man/man1/ldappasswd.1 b/doc/man/man1/ldappasswd.1index 357442c..74ac9ed 100644--- a/doc/man/man1/ldappasswd.1+++ b/doc/man/man1/ldappasswd.1@@ -194,6 +194,16 @@ General options: .nf nettimeout= (in seconds, or "none" or "max") ldif-wrap= (in columns, or "no" for no wrapping)+ tls-cacertfile= (path to CA file for TLS operations)+ tls-cacertdir= (path to CA directory for TLS operations)+ tls-certfile= (path to public cert file for TLS certificate authentication)+ tls-keyfile= (path to private key file for TLS certificate authentication)+ tls-reqcert= (never, allow, try, demand|hard)+ tls-cipher-suite= (acceptable cipher suite(s) and preference order)+ tls-protocol-min= (minimum TLS protocol version to negotiate. OpenSSL only)+ tls-randfile= (file to obtain random bits from when /dev/[u]random is not available. OpenSSL only)+ tls-crl-check= (none, peer, all. OpenSSL only)+ tls-crl-file= (file containing a CRL to be used for verification of server certs. GnuTLS only) .fi .TP .BI \-O \ security-propertiesdiff --git a/doc/man/man1/ldapsearch.1 b/doc/man/man1/ldapsearch.1index 2980c65..62b7116 100644--- a/doc/man/man1/ldapsearch.1+++ b/doc/man/man1/ldapsearch.1@@ -338,6 +338,16 @@ General options: .nf nettimeout= (in seconds, or "none" or "max") ldif-wrap= (in columns, or "no" for no wrapping)+ tls-cacertfile= (path to CA file for TLS operations)+ tls-cacertdir= (path to CA directory for TLS operations)+ tls-certfile= (path to public cert file for TLS certificate authentication)+ tls-keyfile= (path to private key file for TLS certificate authentication)+ tls-reqcert= (never, allow, try, demand|hard)+ tls-cipher-suite= (acceptable cipher suite(s) and preference order)+ tls-protocol-min= (minimum TLS protocol version to negotiate. 
OpenSSL only)+ tls-randfile= (file to obtain random bits from when /dev/[u]random is not available. OpenSSL only)+ tls-crl-check= (none, peer, all. OpenSSL only)+ tls-crl-file= (file containing a CRL to be used for verification of server certs. GnuTLS only) .fi .TP .BI \-O \ security-propertiesdiff --git a/doc/man/man1/ldapwhoami.1 b/doc/man/man1/ldapwhoami.1index f92e116..22209a9 100644--- a/doc/man/man1/ldapwhoami.1+++ b/doc/man/man1/ldapwhoami.1@@ -149,6 +149,16 @@ General options: .nf nettimeout= (in seconds, or "none" or "max") ldif-wrap= (in columns, or "no" for no wrapping)+ tls-cacertfile= (path to CA file for TLS operations)+ tls-cacertdir= (path to CA directory for TLS operations)+ tls-certfile= (path to public cert file for TLS certificate authentication)+ tls-keyfile= (path to private key file for TLS certificate authentication)+ tls-reqcert= (never, allow, try, demand|hard)+ tls-cipher-suite= (acceptable cipher suite(s) and preference order)+ tls-protocol-min= (minimum TLS protocol version to negotiate. OpenSSL only)+ tls-randfile= (file to obtain random bits from when /dev/[u]random is not available. OpenSSL only)+ tls-crl-check= (none, peer, all. OpenSSL only)+ tls-crl-file= (file containing a CRL to be used for verification of server certs. 
GnuTLS only) .fi .TP .BI \-O \ security-propertiesdiff --git a/tests/data/slapd-tls-sasl.conf b/tests/data/slapd-tls-sasl.confnew file mode 100644index 0000000..f4bb077--- /dev/null+++ b/tests/data/slapd-tls-sasl.conf@@ -0,0 +1,65 @@+# stand-alone slapd config -- for testing (with indexing)+# $OpenLDAP$+## This work is part of OpenLDAP Software .+##+## Copyright 1998-2017 The OpenLDAP Foundation.+## All rights reserved.+##+## Redistribution and use in source and binary forms, with or without+## modification, are permitted only as authorized by the OpenLDAP+## Public License.+##+## A copy of this license is available in the file LICENSE in the+## top-level directory of the distribution or, alternatively, at+## .++#+include @SCHEMADIR@/core.schema+include @SCHEMADIR@/cosine.schema+#+include @SCHEMADIR@/corba.schema+include @SCHEMADIR@/java.schema+include @SCHEMADIR@/inetorgperson.schema+include @SCHEMADIR@/misc.schema+include @SCHEMADIR@/nis.schema+include @SCHEMADIR@/openldap.schema+#+include @SCHEMADIR@/duaconf.schema+include @SCHEMADIR@/dyngroup.schema+include @SCHEMADIR@/ppolicy.schema++#+pidfile @TESTDIR@/slapd.1.pid+argsfile @TESTDIR@/slapd.1.args++# SSL configuration+TLSCACertificateFile @TESTDIR@/tls/ca/certs/testsuiteCA.crt+TLSCertificateKeyFile @TESTDIR@/tls/private/localhost.key+TLSCertificateFile @TESTDIR@/tls/certs/localhost.crt+TLSVerifyClient hard++#+rootdse @DATADIR@/rootdse.ldif++#mod#modulepath ../servers/slapd/back-@BACKEND@/+#mod#moduleload back_@BACKEND@.la+#monitormod#modulepath ../servers/slapd/back-monitor/+#monitormod#moduleload back_monitor.la++authz-regexp "email=([^,]*),cn=[^,]*,ou=OpenLDAP,o=OpenLDAP Foundation,st=CA,c=US" ldap:///ou=People,dc=example,dc=com??sub?(mail=$1)++#######################################################################+# database definitions+#######################################################################++database @BACKEND@+suffix "dc=example,dc=com"+rootdn "cn=Manager,dc=example,dc=com"+rootpw 
secret+#~null~#directory @TESTDIR@/db.1.a+#indexdb#index objectClass eq+#indexdb#index mail eq+#ndb#dbname db_1_a+#ndb#include @DATADIR@/ndb.conf++#monitor#database monitordiff --git a/tests/data/slapd-tls.conf b/tests/data/slapd-tls.confnew file mode 100644index 0000000..6a77855--- /dev/null+++ b/tests/data/slapd-tls.conf@@ -0,0 +1,61 @@+# stand-alone slapd config -- for testing (with indexing)+# $OpenLDAP$+## This work is part of OpenLDAP Software .+##+## Copyright 1998-2017 The OpenLDAP Foundation.+## All rights reserved.+##+## Redistribution and use in source and binary forms, with or without+## modification, are permitted only as authorized by the OpenLDAP+## Public License.+##+## A copy of this license is available in the file LICENSE in the+## top-level directory of the distribution or, alternatively, at+## .++#+include @SCHEMADIR@/core.schema+include @SCHEMADIR@/cosine.schema+#+include @SCHEMADIR@/corba.schema+include @SCHEMADIR@/java.schema+include @SCHEMADIR@/inetorgperson.schema+include @SCHEMADIR@/misc.schema+include @SCHEMADIR@/nis.schema+include @SCHEMADIR@/openldap.schema+#+include @SCHEMADIR@/duaconf.schema+include @SCHEMADIR@/dyngroup.schema+include @SCHEMADIR@/ppolicy.schema++#+pidfile @TESTDIR@/slapd.1.pid+argsfile @TESTDIR@/slapd.1.args++# SSL configuration+TLSCertificateKeyFile @TESTDIR@/tls/private/localhost.key+TLSCertificateFile @TESTDIR@/tls/certs/localhost.crt++#+rootdse @DATADIR@/rootdse.ldif++#mod#modulepath ../servers/slapd/back-@BACKEND@/+#mod#moduleload back_@BACKEND@.la+#monitormod#modulepath ../servers/slapd/back-monitor/+#monitormod#moduleload back_monitor.la++#######################################################################+# database definitions+#######################################################################++database @BACKEND@+suffix "dc=example,dc=com"+rootdn "cn=Manager,dc=example,dc=com"+rootpw secret+#~null~#directory @TESTDIR@/db.1.a+#indexdb#index objectClass eq+#indexdb#index mail eq+#ndb#dbname 
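Review bot: The `authz-regexp` in slapd-tls-sasl.conf keys on an `email=` RDN, which only works because slapd normalises the certificate subject's `emailAddress` (the form `create-crt.sh` in this patch puts in the CSR) to that short name; a comment above the line, `# subject DN of certs from tls/create-crt.sh, as normalised by slapd (emailAddress -> email)`, would save the next person a debugging session when the mapping silently stops matching. The pattern is also unanchored and captures with `[^,]*`; for a test fixture that is fine, but as far as I know slapd does not anchor these patterns implicitly, so `^...$` would make the intent explicit if this file is ever copied as an example.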
db_1_a+#ndb#include @DATADIR@/ndb.conf++#monitor#database monitordiff --git a/tests/data/tls/ca/certs/testsuiteCA.crt b/tests/data/tls/ca/certs/testsuiteCA.crtnew file mode 100644index 0000000..7458e74--- /dev/null+++ b/tests/data/tls/ca/certs/testsuiteCA.crt@@ -0,0 +1,16 @@+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----diff --git a/tests/data/tls/ca/private/testsuiteCA.key b/tests/data/tls/ca/private/testsuiteCA.keynew file mode 100644index 0000000..2e14d70--- /dev/null+++ b/tests/data/tls/ca/private/testsuiteCA.key@@ -0,0 +1,16 @@+-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----diff --git a/tests/data/tls/certs/bjensen@mailgw.example.com.crt b/tests/data/tls/certs/bjensen@mailgw.example.com.crtnew file mode 100644index 0000000..93e3a0d--- /dev/null+++ b/tests/data/tls/certs/bjensen@mailgw.example.com.crt@@ -0,0 +1,16 @@+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----diff --git a/tests/data/tls/certs/localhost.crt b/tests/data/tls/certs/localhost.crtnew file mode 100644index 0000000..194cb11--- /dev/null+++ b/tests/data/tls/certs/localhost.crt@@ -0,0 +1,16 @@+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----diff --git a/tests/data/tls/conf/openssl.cnf b/tests/data/tls/conf/openssl.cnfnew file mode 100644index 0000000..a3c8ad9--- /dev/null+++ b/tests/data/tls/conf/openssl.cnf@@ -0,0 +1,129 @@+HOME = .+RANDFILE = $ENV::HOME/.rnd++oid_section = new_oids++[ new_oids ]+tsa_policy1 = 1.2.3.4.1+tsa_policy2 = 1.2.3.4.5.6+tsa_policy3 = 1.2.3.4.5.7++[ ca ]+default_ca = CA_default # The default ca section++[ CA_default ]++dir = ./cruft # Where everything is kept+certs = $dir/certs # Where the issued certs are kept+crl_dir = $dir/crl # Where the issued crl are kept+database = $dir/index.txt # database index file.+new_certs_dir = $dir/certs # 
default place for new certs.+certificate = $dir/cacert.pem # The CA certificate+serial = $dir/serial # The current serial number+crlnumber = $dir/crlnumber # the current crl number+crl = $dir/crl.pem # The current CRL+private_key = $dir/private/cakey.pem# The private key+RANDFILE = $dir/private/.rand # private random number file+x509_extensions = usr_cert # The extentions to add to the cert+name_opt = ca_default # Subject Name options+cert_opt = ca_default # Certificate field options+default_days = 365 # how long to certify for+default_crl_days= 30 # how long before next CRL+default_md = default # use public key default MD+preserve = no # keep passed DN ordering+policy = policy_match++[ policy_match ]+countryName = match+stateOrProvinceName = match+organizationName = match+organizationalUnitName = optional+commonName = supplied+emailAddress = optional++[ policy_anything ]+countryName = optional+stateOrProvinceName = optional+localityName = optional+organizationName = optional+organizationalUnitName = optional+commonName = supplied+emailAddress = optional++[ req ]+default_bits = 2048+default_keyfile = privkey.pem+distinguished_name = req_distinguished_name+attributes = req_attributes+x509_extensions = v3_ca # The extentions to add to the self signed cert++string_mask = utf8only++[ req_distinguished_name ]+basicConstraints=CA:FALSE++[ req_attributes ]+challengePassword = A challenge password+challengePassword_min = 4+challengePassword_max = 20++unstructuredName = An optional company name++[ usr_cert ]++basicConstraints=CA:FALSE+nsComment = "OpenSSL Generated Certificate"++subjectKeyIdentifier=hash+authorityKeyIdentifier=keyid,issuer++[ v3_req ]++basicConstraints = CA:FALSE+keyUsage = nonRepudiation, digitalSignature, keyEncipherment+subjectAltName = DNS:localhost,IP:127.0.0.1,IP:::1++[ v3_ca ]+subjectKeyIdentifier=hash+authorityKeyIdentifier=keyid:always,issuer+basicConstraints = CA:true++[ crl_ext ]++authorityKeyIdentifier=keyid:always++[ proxy_cert_ext 
]+basicConstraints=CA:FALSE+nsComment = "OpenSSL Generated Certificate"++subjectKeyIdentifier=hash+authorityKeyIdentifier=keyid,issuer+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo++[ tsa ]++default_tsa = tsa_config1 # the default TSA section++[ tsa_config1 ]++dir = ./demoCA # TSA root directory+serial = $dir/tsaserial # The current serial number (mandatory)+crypto_device = builtin # OpenSSL engine to use for signing+signer_cert = $dir/tsacert.pem # The TSA signing certificate+ # (optional)+certs = $dir/cacert.pem # Certificate chain to include in reply+ # (optional)+signer_key = $dir/private/tsakey.pem # The TSA private key (optional)++default_policy = tsa_policy1 # Policy if request did not specify it+ # (optional)+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)+digests = md5, sha1 # Acceptable message digests (mandatory)+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)+clock_precision_digits = 0 # number of digits after dot. 
(optional)+ordering = yes # Is ordering defined for timestamps?+ # (optional, default: no)+tsa_name = yes # Must the TSA name be included in the reply?+ # (optional, default: no)+ess_cert_id_chain = no # Must the ESS cert id chain be included?+ # (optional, default: no)diff --git a/tests/data/tls/create-crt.sh b/tests/data/tls/create-crt.shnew file mode 100755index 0000000..8c33a24--- /dev/null+++ b/tests/data/tls/create-crt.sh@@ -0,0 +1,78 @@+#!/bin/sh+openssl=$(which openssl)++if [ x"$openssl" = "x" ]; then+echo "OpenSSL command line binary not found, skipping..."+fi++USAGE="$0 [-s] [-u ]"+SERVER=0+USER=0+EMAIL=++while test $# -gt 0 ; do+ case "$1" in+ -s | -server)+ SERVER=1;+ shift;;+ -u | -user)+ if [ x"$2" = "x" ]; then+ echo "User cert requires an email address as an argument"+ exit;+ fi+ USER=1;+ EMAIL="$2";+ shift; shift;;+ -)+ shift;;+ -*)+ echo "$USAGE"; exit 1+ ;;+ *)+ break;;+ esac+done++if [ $SERVER = 0 -a $USER = 0 ]; then+ echo "$USAGE";+ exit 1;+fi++rm -rf ./openssl.cnf cruft+mkdir -p private certs cruft/private cruft/certs++echo "00" > cruft/serial+touch cruft/index.txt+touch cruft/index.txt.attr+hn=$(hostname -f)+sed -e "s;@HOSTNAME@;$hn;" conf/openssl.cnf > ./openssl.cnf++if [ $SERVER = 1 ]; then+ rm -rf private/localhost.key certs/localhost.crt++ $openssl req -new -nodes -out localhost.csr -keyout private/localhost.key \+ -newkey rsa:1024 -config ./openssl.cnf \+ -subj "/CN=localhost/OU=OpenLDAP Test Suite/O=OpenLDAP Foundation/ST=CA/C=US" \+ -batch > /dev/null 2>&1++ $openssl ca -out certs/localhost.crt -notext -config ./openssl.cnf -days 183000 -in localhost.csr \+ -keyfile ca/private/testsuiteCA.key -extensions v3_req -cert ca/certs/testsuiteCA.crt \+ -batch >/dev/null 2>&1++ rm -rf ./openssl.cnf ./localhost.csr cruft+fi++if [ $USER = 1 ]; then+ rm -f certs/$EMAIL.crt private/$EMAIL.key $EMAIL.csr++ $openssl req -new -nodes -out $EMAIL.csr -keyout private/$EMAIL.key \+ -newkey rsa:1024 -config ./openssl.cnf \+ -subj 
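Review bot: The `[ req_distinguished_name ]` section of the new openssl.cnf holds an X.509 extension (`basicConstraints=CA:FALSE`) rather than DN prompts, and the sibling `create-crt.sh` in this patch then signs the user certificate with `-extensions req_distinguished_name`; the file already has a proper `[ usr_cert ]` section (CA:FALSE plus SKI/AKI) that `CA_default` names as `x509_extensions`, so the user cert could use that and the misnamed section be dropped. Client certificates issued this way carry no `keyUsage`/`extendedKeyUsage`, which is fine for the test suite today but worth a comment if a verifier that checks `clientAuth` is ever put in front of it. The `[ new_oids ]`, `[ proxy_cert_ext ]` and `[ tsa ]` sections (including `digests = md5, sha1`) are unused sample-config leftovers that nothing in the patch references; trimming them keeps the test CA config readable and stops the md5/sha1 line being copied elsewhere.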
"/emailAddress=$EMAIL/CN=$EMAIL/OU=OpenLDAP/O=OpenLDAP Foundation/ST=CA/C=US" \+ -batch >/dev/null 2>&1++ $openssl ca -out certs/$EMAIL.crt -notext -config ./openssl.cnf -days 183000 -in $EMAIL.csr \+ -keyfile ca/private/testsuiteCA.key -extensions req_distinguished_name \+ -cert ca/certs/testsuiteCA.crt -batch >/dev/null 2>&1++ rm -rf ./openssl.cnf ./$EMAIL.csr cruft+fidiff --git a/tests/data/tls/private/bjensen@mailgw.example.com.key b/tests/data/tls/private/bjensen@mailgw.example.com.keynew file mode 100644index 0000000..5f4625f--- /dev/null+++ b/tests/data/tls/private/bjensen@mailgw.example.com.key@@ -0,0 +1,16 @@+-----BEGIN PRIVATE KEY-----+MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAMjb2C5VL+f/B/f2+xJyhsdXeaGhWdABWqJlCiupk7QVPotpZphqJ2fKgQbX2w0sPazujt8hG96F2mBv4+9pHqzhSrKN70EA/E7b8d6ynjJpBU2P9ZgVlttnmUU++22BSuhthP5VQK7IqNyI7Z+yQ4hFzuqb/XrHD1VCDo/Z/JAkw7jAgMBAAECgYEApDgKQadoaZd7nmJlUWJqEV+r+oVK9uOEhK1zaUtV9bBA2J6uQQLZgORyJXQqJlT7f/3zVb6uGHr7lkkk03wxIu+3e+nIi7or/Cw6KmxhgslsQamf/ujjeqRlij/4pJIpEYByme9SstfzMBFNWU4t+fguPg+xXz6lvVZuNiYRWWuXxECQQDwakp31mNczqLPg8fuhdgixz7HCK5g6p4XDw+Cu9Ra+EenuOJVlnwXdW+g5jooiV5RWhxbTO6ImtgbcBGoeLSbVAkEA1eEcifIzgSi8XODd+9i6dCSMHKk4FgDRk2DJxRePLK2J1kt2bhOz/N1130fTargDWo8QiQAnd7RBOMJO/+pGaq1wJAZ2afzrjzlWf+WFgqdmk0k4i0dHBEZ8Sg5/P/TNAyPeb0gRPvFXz2zcUI+tTCcMrcOQsTpSUKdtB6YBqsTZRUwXQI/FbjHLTtr/7Ijb0tnP5l8WXE1SRajeGHZ+3BtDZdW8zKszRbc8FEP9p6HWiXxUuVdcdUV2NQrLf0goqMZYsFm9AkBtV3URLS4D+tw0VPr/TtzDx0UTJU5POdRcNrrpm233A0EyGNmLuM7y0iLxrvCIN9z0RVu7AeMBg+36Ixj3L+5H18+-----END PRIVATE KEY-----diff --git a/tests/data/tls/private/localhost.key b/tests/data/tls/private/localhost.keynew file mode 100644index 0000000..8a24f69--- /dev/null+++ b/tests/data/tls/private/localhost.key@@ -0,0 +1,16 @@+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----diff --git a/tests/run.in b/tests/run.inindex 73db243..3a77ef2 100644--- a/tests/run.in+++ b/tests/run.in@@ -57,6 +57,7 @@ 
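Review bot: In `create-crt.sh` the openssl-not-found branch prints "skipping..." but does not exit, so the script carries on and `$openssl req ...` expands to a bare `req ...` command; add `exit 1` (or `exit 0` if skipping is the intent) after that `echo`. The generated keys are `-newkey rsa:1024`, which is below the 2048-bit floor many current OpenSSL/GnuTLS builds enforce at their default security level, so a regenerated fixture may fail to verify where the checked-in one does; `rsa:2048` costs nothing here. The `sed -e "s;@HOSTNAME@;$hn;"` step has no effect as far as this patch shows, because the `conf/openssl.cnf` it adds contains no `@HOSTNAME@` placeholder (its `subjectAltName` is fixed to `localhost`), so either drop the `hostname -f` plumbing or actually use it. The bare `exit;` after the missing `-u` argument message returns success and should be `exit 1`.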
AC_valsort=valsort@BUILD_VALSORT@ # misc AC_WITH_SASL=@WITH_SASL@ AC_WITH_TLS=@WITH_TLS@+AC_TLS_TYPE=@WITH_TLS_TYPE@ AC_WITH_MODULES_ENABLED=@WITH_MODULES_ENABLED@ AC_ACI_ENABLED=aci@WITH_ACI_ENABLED@ AC_THREADS=threads@BUILD_THREAD@@@ -75,7 +76,7 @@ export AC_bdb AC_hdb AC_ldap AC_mdb AC_meta AC_monitor AC_null AC_relay AC_sql \ AC_refint AC_retcode AC_rwm AC_unique AC_syncprov AC_translucent \ AC_valsort \ AC_WITH_SASL AC_WITH_TLS AC_WITH_MODULES_ENABLED AC_ACI_ENABLED \- AC_THREADS AC_LIBS_DYNAMIC+ AC_THREADS AC_LIBS_DYNAMIC AC_WITH_TLS AC_TLS_TYPE if test ! -x ../servers/slapd/slapd ; then echo "Could not locate slapd(8)"diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.shindex 0750f88..96c41ff 100755--- a/tests/scripts/defines.sh+++ b/tests/scripts/defines.sh@@ -46,6 +46,9 @@ VALSORT=${AC_valsort-valsortno} # misc WITH_SASL=${AC_WITH_SASL-no} USE_SASL=${SLAPD_USE_SASL-no}+WITH_TLS=${AC_WITH_TLS-no}+WITH_TLS_TYPE=${AC_TLS_TYPE-no}+ ACI=${AC_ACI_ENABLED-acino} THREADS=${AC_THREADS-threadsno} SLEEP0=${SLEEP0-1}@@ -104,6 +107,8 @@ P2SRSLAVECONF=$DATADIR/slapd-syncrepl-slave-persist2.conf P3SRSLAVECONF=$DATADIR/slapd-syncrepl-slave-persist3.conf REFSLAVECONF=$DATADIR/slapd-ref-slave.conf SCHEMACONF=$DATADIR/slapd-schema.conf+TLSCONF=$DATADIR/slapd-tls.conf+TLSSASLCONF=$DATADIR/slapd-tls-sasl.conf GLUECONF=$DATADIR/slapd-glue.conf REFINTCONF=$DATADIR/slapd-refint.conf RETCODECONF=$DATADIR/slapd-retcode.conf@@ -164,6 +169,7 @@ SLURPLOG=$TESTDIR/slurp.log CONFIGPWF=$TESTDIR/configpw # args+SASLARGS="-Q" TOOLARGS="-x $LDAP_TOOLARGS" TOOLPROTO="-P 3" 
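Review bot: The `export` list in the `@@ -75,7 +76,7 @@` hunk of run.in now names `AC_WITH_TLS` twice (it was already on the `AC_WITH_SASL AC_WITH_TLS` line above); harmless to the shell but it reads as a merge slip, so the new line should just be `AC_THREADS AC_LIBS_DYNAMIC AC_TLS_TYPE`.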
@@ -186,7 +192,8 @@ BCMP="diff -iB"
 CMPOUT=/dev/null
 SLAPD="$TESTWD/../servers/slapd/slapd -s0"
 LDAPPASSWD="$CLIENTDIR/ldappasswd $TOOLARGS"
-LDAPSASLSEARCH="$CLIENTDIR/ldapsearch $TOOLPROTO $LDAP_TOOLARGS -LLL"
+LDAPSASLSEARCH="$CLIENTDIR/ldapsearch $SASLARGS $TOOLPROTO $LDAP_TOOLARGS -LLL"
+LDAPSASLWHOAMI="$CLIENTDIR/ldapwhoami $SASLARGS $LDAP_TOOLARGS"
 LDAPSEARCH="$CLIENTDIR/ldapsearch $TOOLPROTO $TOOLARGS -LLL"
 LDAPRSEARCH="$CLIENTDIR/ldapsearch $TOOLPROTO $TOOLARGS"
 LDAPDELETE="$CLIENTDIR/ldapdelete $TOOLPROTO $TOOLARGS"
@@ -201,6 +208,7 @@ LDIFFILTER=$PROGDIR/ldif-filter
 SLAPDMTREAD=$PROGDIR/slapd-mtread
 LVL=${SLAPD_DEBUG-0x4105}
 LOCALHOST=localhost
+LOCALIP=127.0.0.1
 BASEPORT=${SLAPD_BASEPORT-9010}
 PORT1=`expr $BASEPORT + 1`
 PORT2=`expr $BASEPORT + 2`
@@ -209,11 +217,22 @@ PORT4=`expr $BASEPORT + 4`
 PORT5=`expr $BASEPORT + 5`
 PORT6=`expr $BASEPORT + 6`
 URI1="ldap://${LOCALHOST}:$PORT1/"
+URIP1="ldap://${LOCALIP}:$PORT1/"
 URI2="ldap://${LOCALHOST}:$PORT2/"
+URIP2="ldap://${LOCALIP}:$PORT2/"
 URI3="ldap://${LOCALHOST}:$PORT3/"
+URIP3="ldap://${LOCALIP}:$PORT3/"
 URI4="ldap://${LOCALHOST}:$PORT4/"
 URI5="ldap://${LOCALHOST}:$PORT5/"
 URI6="ldap://${LOCALHOST}:$PORT6/"
+SURI1="ldaps://${LOCALHOST}:$PORT1/"
+SURIP1="ldaps://${LOCALIP}:$PORT1/"
+SURI2="ldaps://${LOCALHOST}:$PORT2/"
+SURIP2="ldaps://${LOCALIP}:$PORT2/"
+SURI3="ldaps://${LOCALHOST}:$PORT3/"
+SURI4="ldaps://${LOCALHOST}:$PORT4/"
+SURI5="ldaps://${LOCALHOST}:$PORT5/"
+SURI6="ldaps://${LOCALHOST}:$PORT6/"
 # LDIF
 LDIF=$DATADIR/test.ldif
diff --git a/tests/scripts/test067-tls b/tests/scripts/test067-tls
new file mode 100755
index 0000000..3e087f1
--- /dev/null
+++ b/tests/scripts/test067-tls
@@ -0,0 +1,118 @@
+#! 
/bin/sh
+# $OpenLDAP$
+## This work is part of OpenLDAP Software .
+##
+## Copyright 1998-2017 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## .
+
+echo "running defines.sh"
+. $SRCDIR/scripts/defines.sh
+
+if test $WITH_TLS = no ; then
+ echo "TLS support not available, test skipped"
+ exit 0
+fi
+
+mkdir -p $TESTDIR $DBDIR1
+cp -r $DATADIR/tls $TESTDIR
+
+cd $TESTWD
+
+echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..."
+. $CONFFILTER $BACKEND $MONITORDB < $TLSCONF > $CONF1
+$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
+PID=$!
+if test $WAIT != 0 ; then
+ echo PID $PID
+ read foo
+fi
+KILLPIDS="$PID"
+
+sleep 1
+
+for i in 0 1 2 3 4 5; do
+ $LDAPSEARCH -s base -b "" -H $URI1 \
+ 'objectclass=*' > /dev/null 2>&1
+ RC=$?
+ if test $RC = 0 ; then
+ break
+ fi
+ echo "Waiting 5 seconds for slapd to start..."
+ sleep 5
+done
+
+if test $RC != 0 ; then
+ echo "ldapsearch failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+echo -n "Using ldapsearch with startTLS...."
+$LDAPSEARCH -o tls-cacertfile=$TESTDIR/tls/ca/certs/testsuiteCA.crt -o tls-reqcert=hard -ZZ -b "" -s base -H $URIP1 \
+ '@extensibleObject' > $SEARCHOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+ echo "ldapsearch (startTLS) failed ($RC)!"
+ exit $RC
+else
+ echo "success"
+fi
+
+
+if test $WITH_TLS_TYPE = openssl ; then
+ echo -n "Using ldapsearch with startTLS and specific protocol version...."
+ $LDAPSEARCH -o tls-cacertfile=$TESTDIR/tls/ca/certs/testsuiteCA.crt -o tls-reqcert=hard -o tls-protocol-min=3.3 -ZZ -b "" -s base -H $URIP1 \
+ '@extensibleObject' > $SEARCHOUT 2>&1
+ RC=$?
+ if test $RC != 0 ; then
+ echo "ldapsearch (protocol-min) failed ($RC)!"
+ exit $RC
+ else
+ echo "success"
+ fi
+fi
+
+echo 
-n "Using ldapsearch on $SURI2 with reqcert HARD and no CA cert. Should fail..."
+$LDAPSEARCH -o tls-reqcert=hard -b "cn=Subschema" -s base -H $SURIP2 \
+ '(&(objectClasses=top)(objectClasses=2.5.6.0))' cn objectClass \
+ >> $SEARCHOUT 2>&1
+RC=$?
+if test $RC = 0 ; then
+ echo "ldapsearch (ldaps) succeeded when it should have failed($RC)!"
+ exit 1
+else
+ echo "failed correctly with error code ($RC)"
+fi
+
+echo -n "Using ldapsearch on $SURI2 with CA cert and reqcert HARD..."
+$LDAPSEARCH -o tls-cacertfile=$TESTDIR/tls/ca/certs/testsuiteCA.crt -o tls-reqcert=hard -b "cn=Subschema" -s base -H $SURIP2 \
+ '(&(objectClasses=top)(objectClasses=2.5.6.0))' cn objectClass \
+ >> $SEARCHOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+ echo "ldapsearch (ldaps) failed ($RC)!"
+ exit $RC
+else
+ echo "success"
+fi
+
+test $KILLSERVERS != no && kill -HUP $KILLPIDS
+
+if test $RC != 0 ; then
+ echo ">>>>> Test failed"
+else
+ echo ">>>>> Test succeeded"
+ RC=0
+fi
+
+test $KILLSERVERS != no && wait
+
+exit $RC
diff --git a/tests/scripts/test068-sasl-tls-external b/tests/scripts/test068-sasl-tls-external
new file mode 100755
index 0000000..329d66a
--- /dev/null
+++ b/tests/scripts/test068-sasl-tls-external
@@ -0,0 +1,102 @@
+#! /bin/sh
+# $OpenLDAP$
+## This work is part of OpenLDAP Software .
+##
+## Copyright 1998-2017 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## .
+
+echo "running defines.sh"
+. $SRCDIR/scripts/defines.sh
+
+if test $WITH_TLS = no ; then
+ echo "TLS support not available, test skipped"
+ exit 0
+fi
+
+mkdir -p $TESTDIR $DBDIR1
+cp -r $DATADIR/tls $TESTDIR
+
+cd $TESTWD
+
+echo "Running slapadd to build slapd database..."
+. 
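Review bot: Every failing check after the start-up loop in test067-tls exits while slapd is still running: the `exit $RC` in the startTLS and protocol-min branches and the `exit 1` in the reqcert-HARD-without-CA branch never reach the `kill -HUP $KILLPIDS` at the bottom, so a failed run leaves a server holding $PORT1/$PORT2 for the following tests. Each of those branches should do `test $KILLSERVERS != no && kill -HUP $KILLPIDS` before exiting, as the start-up loop's own failure branch already does; the ldapwhoami failure branch in test068-sasl-tls-external has the same gap. Separately, the negative ldaps check treats any non-zero RC as the expected verification failure, so an unrelated error (the ldaps listener not yet accepting, for instance) would also print `failed correctly`; a tighter check on the diagnostic appended to $SEARCHOUT would pin the failure to certificate verification. The closing `if test $RC != 0` block is then unreachable in its failing arm, since every failure path has already exited.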
$CONFFILTER $BACKEND $MONITORDB < $TLSSASLCONF > $CONF1
+$SLAPADD -f $CONF1 -l $LDIFORDERED
+RC=$?
+if test $RC != 0 ; then
+ echo "slapadd failed ($RC)!"
+ exit $RC
+fi
+
+echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..."
+$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
+PID=$!
+if test $WAIT != 0 ; then
+ echo PID $PID
+ read foo
+fi
+KILLPIDS="$PID"
+
+sleep 1
+
+for i in 0 1 2 3 4 5; do
+ $LDAPSEARCH -s base -b "" -H $URI1 \
+ 'objectclass=*' > /dev/null 2>&1
+ RC=$?
+ if test $RC = 0 ; then
+ break
+ fi
+ echo "Waiting 5 seconds for slapd to start..."
+ sleep 5
+done
+
+if test $RC != 0 ; then
+ echo "ldapsearch failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+echo -n "Using ldapwhoami with SASL/EXTERNAL...."
+$LDAPSASLWHOAMI -o tls-cacertfile=$TESTDIR/tls/ca/certs/testsuiteCA.crt -o tls-reqcert=hard \
+ -o tls-certfile=$TESTDIR/tls/certs/bjensen@mailgw.example.com.crt -o tls-keyfile=$TESTDIR/tls/private/bjensen@mailgw.example.com.key -ZZ -Y EXTERNAL -H $URIP1 \
+ > $TESTOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+ echo "ldapwhoami (startTLS) failed ($RC)!"
+ exit $RC
+else
+ echo "success"
+fi
+
+echo -n "Validating mapped SASL ID..."
+echo 'dn:cn=barbara jensen,ou=information technology division,ou=people,dc=example,dc=com' > $TESTDIR/dn.out
+$CMP $TESTDIR/dn.out $TESTOUT > $CMPOUT
+
+RC=$?
+if test $RC != 0 ; then
+ echo "Comparison failed"
+ test $KILLSERVERS != no && kill -HUP $PID
+ exit $RC
+else
+ echo "success"
+fi
+
+test $KILLSERVERS != no && kill -HUP $KILLPIDS
+
+if test $RC != 0 ; then
+ echo ">>>>> Test failed"
+else
+ echo ">>>>> Test succeeded"
+ RC=0
+fi
+
+test $KILLSERVERS != no && wait
+
+exit $RC
-- 
2.7.4
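Review bot: The SASL/EXTERNAL check only exercises the positive path: a client holding the testsuiteCA-issued bjensen certificate is mapped to the expected DN. Nothing verifies that the server refuses `-Y EXTERNAL` when the client presents no certificate, which is the property the identity mapping is meant to guarantee; a second `$LDAPSASLWHOAMI -o tls-cacertfile=... -o tls-reqcert=hard -ZZ -Y EXTERNAL -H $URIP1` run without tls-certfile/tls-keyfile, expected to return non-zero, would cover it. Also, the comparison-failure branch uses `kill -HUP $PID` while the rest of the script uses `$KILLPIDS`; the two are identical here, but `test $KILLSERVERS != no && kill -HUP $KILLPIDS` keeps the convention used by the other tests.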