Attached for review is code to add TLS command line options to the client tools. Included are documentation updates to the manual pages and a related test suite.

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
>From cff66313706c607d4df6f074255703da8d87b35a Mon Sep 17 00:00:00 2001From: 
>Quanah Gibson-Mount <qua...@openldap.org>Date: Wed, 10 May 2017 10:31:30 
>+0000Subject: [PATCH] ITS#8573 TLS options and test suite--- 
>clients/tools/common.c                             |  97 +++++++++++++++- 
>configure                                          |   4 + configure.in        
>                               |   4 + doc/man/man1/ldapcompare.1              
>           |  10 ++ doc/man/man1/ldapdelete.1                          |  10 
>++ doc/man/man1/ldapexop.1                            |  10 ++ 
>doc/man/man1/ldapmodify.1                          |  10 ++ 
>doc/man/man1/ldapmodrdn.1                          |  10 ++ 
>doc/man/man1/ldappasswd.1                          |  10 ++ 
>doc/man/man1/ldapsearch.1                          |  10 ++ 
>doc/man/man1/ldapwhoami.1                          |  10 ++ 
>tests/data/slapd-tls-sasl.conf                     |  65 +++++++++++ 
>tests/data/slapd-tls.conf                          |  61 ++++++++++ 
>tests/data/tls/ca/certs/testsuiteCA.crt            |  16 +++ 
>tests/data/tls/ca/private/testsuiteCA.key          |  16 +++ 
>.../data/tls/certs/bjen...@mailgw.example.com.crt  |  16 +++ 
>tests/data/tls/certs/localhost.crt                 |  16 +++ 
>tests/data/tls/conf/openssl.cnf                    | 129 +++++++++++++++++++++ 
>tests/data/tls/create-crt.sh                       |  78 +++++++++++++ 
>.../tls/private/bjen...@mailgw.example.com.key     |  16 +++ 
>tests/data/tls/private/localhost.key               |  16 +++ tests/run.in      
>                                 |   3 +- tests/scripts/defines.sh             
>              |  21 +++- tests/scripts/test067-tls                          | 
>118 +++++++++++++++++++ tests/scripts/test068-sasl-tls-external            | 
>102 ++++++++++++++++ 25 files changed, 855 insertions(+), 3 deletions(-) 
>create mode 100644 tests/data/slapd-tls-sasl.conf create mode 100644 
>tests/data/slapd-tls.conf create mode 100644 
>tests/data/tls/ca/certs/testsuiteCA.crt create mode 100644 
>tests/data/tls/ca/private/testsuiteCA.key create mode 100644 
>tests/data/tls/certs/bjen...@mailgw.example.com.crt create mode 100644 
>tests/data/tls/certs/localhost.crt create mode 100644 
>tests/data/tls/conf/openssl.cnf create mode 100755 
>tests/data/tls/create-crt.sh create mode 100644 
>tests/data/tls/private/bjen...@mailgw.example.com.key create mode 100644 
>tests/data/tls/private/localhost.key create mode 100755 
>tests/scripts/test067-tls create mode 100755 
>tests/scripts/test068-sasl-tls-externaldiff --git a/clients/tools/common.c 
>b/clients/tools/common.cindex 5eb41aa..00314b4 100644--- 
>a/clients/tools/common.c+++ b/clients/tools/common.c@@ -92,6 +92,35 @@ char    
>        *sasl_mech = NULL; char         *sasl_secprops = NULL; #endif +/* TLS 
>*/+#ifdef HAVE_TLS+typedef struct tls_options {+  const char * name;+     char 
>* value;+  size_t  offset;+} tls_options;++tls_options tls_opts[]= {+      { 
>"tls-cacertfile", NULL, LDAP_OPT_X_TLS_CACERTFILE },+ { "tls-cacertdir", NULL, 
>LDAP_OPT_X_TLS_CACERTDIR },+   { "tls-certfile", NULL, LDAP_OPT_X_TLS_CERTFILE 
>},+     { "tls-keyfile", NULL, LDAP_OPT_X_TLS_KEYFILE },+       { 
>"tls-reqcert", NULL, LDAP_OPT_X_TLS_REQUIRE_CERT },+  { "tls-cipher-suite", 
>NULL, LDAP_OPT_X_TLS_CIPHER_SUITE },+#ifdef HAVE_OPENSSL+ { 
>"tls-protocol-min", NULL, LDAP_OPT_X_TLS_PROTOCOL_MIN },+     { 
>"tls-randfile", NULL, LDAP_OPT_X_TLS_RANDOM_FILE },+#endif+#ifdef 
>HAVE_OPENSSL_CRL+   { "tls-crl-check", NULL, LDAP_OPT_X_TLS_CRLCHECK 
>},+#endif+#ifdef HAVE_GNUTLS+  { "tls-crl-file", NULL, LDAP_OPT_X_TLS_CRLFILE 
>},+#endif+       { NULL, NULL, 0 },+};++#endif /* controls */ int              
>  assertctl; char         *assertion = NULL;@@ -375,8 +404,26 @@ N_("  -n      
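Review bot: The `size_t offset` field of `tls_options` does not hold an offset — the table entries store `LDAP_OPT_X_TLS_*` option codes that the later hunk hands straight to `ldap_pvt_tls_config()` — and the mutable `tls_opts[]` table is linked into every client tool without being `static`. Suggest `static tls_options tls_opts[] = {` and `int opt;` in place of `size_t offset;`, plus a one-line comment on the struct such as `/* option code passed to ldap_pvt_tls_config(); value validated by libldap at connect time */`. That last part is worth stating because nothing here checks the `tls-reqcert` or `tls-crl-check` levels when they are parsed, so a mistyped level is only reported when tool_conn_setup runs rather than during argument parsing; acceptable, but a reader should not expect early validation.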
>   show what would be done but don't actually do it\n"), N_("  -N         do 
>not use reverse DNS to canonicalize SASL host name\n"), N_("  -O props   SASL 
>security properties\n"), N_("  -o <opt>[=<optparam>] general options\n"),-N_(" 
>            nettimeout=<timeout> (in seconds, or \"none\" or \"max\")\n"), 
>N_("             ldif-wrap=<width> (in columns, or \"no\" for no 
>wrapping)\n"),+N_("             nettimeout=<timeout> (in seconds, or \"none\" 
>or \"max\")\n"),+#ifdef HAVE_TLS+N_("             tls-cacertfile=<path> (path 
>to CA file for TLS operations)\n"),+N_("             tls-cacertdir=<path> 
>(path to CA directory for TLS operations)\n"),+N_("             
>tls-certfile=<path> (path to public cert file for TLS certificate 
>authentication)\n"),+N_("             tls-keyfile=<path> (path to private key 
>file for TLS certificate authentication)\n"),+N_("             
>tls-reqcert=<level> (check to perform within a TLS session (never, allow, try, 
>demand|hard))\n"),+N_("             tls-cipher-suite=<cipher-suite-spec> 
>(specifies acceptable cipher suite(s) and preference order)\n"),+#ifdef 
>HAVE_OPENSSL+N_("             tls-protocol-min=<major[.<minor>]> (specifies 
>minimum TLS protocol version to negotiate))\n"),+N_("             
>tls-randfile=<path> (file to obtain random bits from when /dev/[u]random is 
>not available)\n"),+#endif+#ifdef HAVE_OPENSSL_CRL+N_("             
>tls-crl-check=<level> (specifies if CRL of CA should be used for server certs 
>(none, peer, all))\n"),+#endif+#ifdef HAVE_GNUTLS+N_("             
>tls-crl-file=<path> (specifies the file containing a CRL to be used for 
>verification of server certs)\n"),+#endif+#endif /* HAVE_TLS */ N_("  -p port  
>  port on LDAP server\n"), N_("  -Q         use SASL Quiet mode\n"), N_("  -R 
>realm   SASL realm\n"),@@ -884,6 +931,24 @@ tool_args( int argc, char **argv ) 
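Review bot: The `tls-protocol-min` help line has an unbalanced parenthesis, `... minimum TLS protocol version to negotiate))\n"` should read `... minimum TLS protocol version to negotiate)\n"`. The value syntax it advertises, `<major[.<minor>]>`, also disagrees with the man pages in the same patch, which say `<major.[.minor]>`; pick one form for both, and `<major>[.<minor>]` is the only one that is not ambiguous about where the dot goes. The `tls-reqcert` line nests parentheses three deep, `(check to perform within a TLS session (never, allow, try, demand|hard))`; flattening it to `tls-reqcert=<level> (never, allow, try, demand|hard)`, as the man pages do, reads better in a usage listing.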
>                                     ldif_wrap = (ber_len_t)u;                 
>              } +#ifdef HAVE_TLS+                     } else if 
>(strstr(control, "tls-")) {+                          int i;+                  
>       for ( i = 0; tls_opts[ i ].name != NULL; i++ ) {+                       
>                if ( strcasecmp( control, tls_opts[ i ].name ) == 0 ) {+       
>                                         if ( tls_opts[ i ].value != NULL ) {+ 
>                                                  fprintf( stderr, "%s option 
>previously specified\n", control );+                                           
>     }+                                              if( cvalue == NULL || 
>cvalue[0] == '\0' ) {+                                                    
>fprintf( stderr, "%s: option value expected\n", control );+                    
>                                 usage();+                                     
>          }+                                              tls_opts[ i ].value 
>= ber_strdup( cvalue );+                                            break;+    
>                             }+                              }+#endif /* 
>HAVE_TLS */+                        } else {                                
>fprintf( stderr, "Invalid general option name: %s\n",                          
>         control );@@ -1215,6 +1280,10 @@ tool_conn_setup( int dont, void 
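Review bot: An option name containing `tls-` that matches no table entry (say `-o tls-cacert=/x`) falls out of the `for` loop without any diagnostic, so the user gets neither the TLS setting nor an error, and the `Invalid general option name` branch below is never reached for it — a silent no-op on a verification-related option is exactly the failure mode to avoid. The prefix test also uses `strstr`, which is case-sensitive and matches `tls-` anywhere in the name, while the names themselves are compared with `strcasecmp`; `strncasecmp( control, "tls-", 4 ) == 0` is the intended check. A repeated option only prints a warning and then overwrites the earlier `ber_strdup()` result, leaking it; if the other "previously specified" checks in tool_args exit (I cannot see them in this hunk), this one should behave the same, otherwise at least free the old value. The surrounding option loop of tool_args starts and ends outside the hunk.
```c
			} else if ( strncasecmp( control, "tls-", 4 ) == 0 ) {
				int i;
				for ( i = 0; tls_opts[ i ].name != NULL; i++ ) {
					if ( strcasecmp( control, tls_opts[ i ].name ) == 0 ) {
						break;
					}
				}
				if ( tls_opts[ i ].name == NULL ) {
					/* unknown tls-* option: fail loudly, never ignore */
					fprintf( stderr, "Invalid general option name: %s\n", control );
					usage();
				}
				if ( tls_opts[ i ].value != NULL ) {
					fprintf( stderr, "%s option previously specified\n", control );
					exit( EXIT_FAILURE );
				}
				if ( cvalue == NULL || cvalue[0] == '\0' ) {
					fprintf( stderr, "%s: option value expected\n", control );
					usage();
				}
				tls_opts[ i ].value = ber_strdup( cvalue );
#endif /* HAVE_TLS */
			} else {
				/* … unchanged: invalid general option handling … */
```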
>(*private_setup)( LDAP * ) ) {         LDAP *ld = NULL; +#ifdef HAVE_TLS+      
>int need_tls_ctx = 0;+#endif+   if ( debug ) {          if( ber_set_option( 
>NULL, LBER_OPT_DEBUG_LEVEL, &debug )                        != 
>LBER_OPT_SUCCESS )@@ -1230,6 +1299,32 @@ tool_conn_setup( int dont, void 
>(*private_setup)( LDAP * ) )                }       } +#ifdef HAVE_TLS+        
>     int i;+         for ( i = 0; tls_opts[ i ].name != NULL; i++ ) {+         
>              if (tls_opts[ i ].value) {+                             if ( 
>ldap_pvt_tls_config( NULL, tls_opts[ i ].offset, tls_opts[ i ].value )+        
>                            != LDAP_OPT_SUCCESS )+                          {+ 
>                                     fprintf( stderr, "Could not set option %s 
>to %s\n",+                                            tls_opts[ i ].name, 
>tls_opts[ i ].value);+                                      tool_exit( ld, 
>EXIT_FAILURE );+                         }+                              
>need_tls_ctx = 1;+                      }+              }++             if ( 
>need_tls_ctx ) {+                  int new_ctx = 0;+                       if 
>( ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &new_ctx)+                        
>      != LDAP_OPT_SUCCESS )+                  {+                              
>fprintf( stderr, "Could not set LDAP_OPT_X_TLS_NEWCTX\n");+                    
>         tool_exit( ld, EXIT_FAILURE );+                 }+              
>}++#endif /* HAVE_TLS */ #ifdef SIGPIPE         (void) SIGNAL( SIGPIPE, 
>SIG_IGN ); #endifdiff --git a/configure b/configureindex 620260e..574f9bc 
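Review bot: `ld` is still NULL when `ldap_set_option( ld, LDAP_OPT_X_TLS_NEWCTX, &new_ctx )` runs — it is initialised to NULL at the top of tool_conn_setup and this block sits before the SIGPIPE setup, i.e. before the connection is created later in the function (outside the hunk) — so the call actually operates on the library's global option set, exactly like the preceding `ldap_pvt_tls_config( NULL, … )` calls. Either pass NULL explicitly with a comment, `/* ld does not exist yet: configure the global TLS defaults, which ldap_initialize() will inherit */`, or move the block after the handle is created and apply both steps to the real `ld`. It is also worth confirming that the global options have already been initialised (ldap.conf and LDAP* environment read) before `ldap_pvt_tls_config( NULL, … )` writes into them; if that initialisation happens lazily on the first ldap_set_option/ldap_initialize call, the values set here could be reset to the defaults at that point, which would silently drop e.g. a `tls-reqcert` or `tls-cacertfile` given on the command line. Finally, `int i;` appears after statements at function level inside the `#ifdef HAVE_TLS` block; wrap the block in its own `{ … }` so it is not a mixed declaration for compilers built in C89 mode.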
>100755--- a/configure+++ b/configure@@ -761,6 +761,7 @@ AUTH_LIBS LIBSLAPI 
>SLAPI_LIBS MODULES_LIBS+WITH_TLS_TYPE TLS_LIBS SASL_LIBS KRB5_LIBS@@ -5223,6 
>+5224,7 @@ KRB4_LIBS= KRB5_LIBS= SASL_LIBS= TLS_LIBS=+WITH_TLS_TYPE= 
>MODULES_LIBS= SLAPI_LIBS= LIBSLAPI=@@ -15656,6 +15658,7 @@ fi            if 
>test $have_openssl = yes ; then                      ol_with_tls=openssl       
>              ol_link_tls=yes+                        WITH_TLS_TYPE=openssl   
>$as_echo "#define HAVE_OPENSSL 1" >>confdefs.h@@ -15790,6 +15793,7 @@ fi       
>                 if test $have_gnutls = yes ; then                             
>  ol_with_tls=gnutls                              ol_link_tls=yes+             
>                   WITH_TLS_TYPE=gnutls                            
>TLS_LIBS="-lgnutls" diff --git a/configure.in b/configure.inindex 
>5bb2c11..19e9b39 100644--- a/configure.in+++ b/configure.in@@ -610,6 +610,7 @@ 
>KRB4_LIBS= KRB5_LIBS= SASL_LIBS= TLS_LIBS=+WITH_TLS_TYPE= MODULES_LIBS= 
>SLAPI_LIBS= LIBSLAPI=@@ -1198,6 +1199,7 @@ if test $ol_with_tls = openssl || 
>test $ol_with_tls = auto ; then           if test $have_openssl = yes ; then   
>                   ol_with_tls=openssl                     ol_link_tls=yes+    
>                    WITH_TLS_TYPE=openssl                   
>AC_DEFINE(HAVE_OPENSSL, 1,                              [define if you have 
>OpenSSL])@@ -1238,6 +1240,7 @@ if test $ol_link_tls = no ; then                
>     if test $have_gnutls = yes ; then                               
>ol_with_tls=gnutls                              ol_link_tls=yes+               
>                 WITH_TLS_TYPE=gnutls                            
>TLS_LIBS="-lgnutls" @@ -3243,6 +3246,7 @@ AC_SUBST(KRB4_LIBS) 
>AC_SUBST(KRB5_LIBS) AC_SUBST(SASL_LIBS) 
>AC_SUBST(TLS_LIBS)+AC_SUBST(WITH_TLS_TYPE) AC_SUBST(MODULES_LIBS) 
>AC_SUBST(SLAPI_LIBS) AC_SUBST(LIBSLAPI)diff --git a/doc/man/man1/ldapcompare.1 
>b/doc/man/man1/ldapcompare.1index e569deb..55865e9 100644--- 
>a/doc/man/man1/ldapcompare.1+++ b/doc/man/man1/ldapcompare.1@@ -192,6 +192,16 
>@@ General options: .nf   nettimeout=<timeout>  (in seconds, or "none" or 
>"max")   ldif-wrap=<width>     (in columns, or "no" for no wrapping)+  
>tls-cacertfile=<path> (path to CA file for TLS operations)+  
>tls-cacertdir=<path>  (path to CA directory for TLS operations)+  
>tls-certfile=<path>   (path to public cert file for TLS certificate 
>authentication)+  tls-keyfile=<path>    (path to private key file for TLS 
>certificate authentication)+  tls-reqcert=<level>   (never, allow, try, 
>demand|hard)+  tls-cipher-suite=<cipher-suite-spec>  (acceptable cipher 
>suite(s) and preference order)+  tls-protocol-min=<major.[.minor]>  (minimum 
>TLS protocol version to negotiate. OpenSSL only)+  tls-randfile=<path>   (file 
>to obtain random bits from when /dev/[u]random is not available. OpenSSL 
>only)+  tls-crl-check=<level> (none, peer, all. OpenSSL only)+  
>tls-crl-file=<path>   (file containing a CRL to be used for verification of 
>server certs. GnuTLS only) .fi .TP .BI \-O \ security-propertiesdiff --git 
>a/doc/man/man1/ldapdelete.1 b/doc/man/man1/ldapdelete.1index 1203beb..d78dbc8 
>100644--- a/doc/man/man1/ldapdelete.1+++ b/doc/man/man1/ldapdelete.1@@ -198,6 
>+198,16 @@ General options: .nf   nettimeout=<timeout>  (in seconds, or "none" 
>or "max")   ldif-wrap=<width>     (in columns, or "no" for no wrapping)+  
>tls-cacertfile=<path> (path to CA file for TLS operations)+  
>tls-cacertdir=<path>  (path to CA directory for TLS operations)+  
>tls-certfile=<path>   (path to public cert file for TLS certificate 
>authentication)+  tls-keyfile=<path>    (path to private key file for TLS 
>certificate authentication)+  tls-reqcert=<level>   (never, allow, try, 
>demand|hard)+  tls-cipher-suite=<cipher-suite-spec>  (acceptable cipher 
>suite(s) and preference order)+  tls-protocol-min=<major.[.minor]>  (minimum 
>TLS protocol version to negotiate. OpenSSL only)+  tls-randfile=<path>   (file 
>to obtain random bits from when /dev/[u]random is not available. OpenSSL 
>only)+  tls-crl-check=<level> (none, peer, all. OpenSSL only)+  
>tls-crl-file=<path>   (file containing a CRL to be used for verification of 
>server certs. GnuTLS only) .fi .TP .BI \-O \ security-propertiesdiff --git 
>a/doc/man/man1/ldapexop.1 b/doc/man/man1/ldapexop.1index 0264507..daa26ef 
>100644--- a/doc/man/man1/ldapexop.1+++ b/doc/man/man1/ldapexop.1@@ -195,6 
>+195,16 @@ General options: .nf   nettimeout=<timeout>  (in seconds, or "none" 
>or "max")   ldif-wrap=<width>     (in columns, or "no" for no wrapping)+  
>tls-cacertfile=<path> (path to CA file for TLS operations)+  
>tls-cacertdir=<path>  (path to CA directory for TLS operations)+  
>tls-certfile=<path>   (path to public cert file for TLS certificate 
>authentication)+  tls-keyfile=<path>    (path to private key file for TLS 
>certificate authentication)+  tls-reqcert=<level>   (never, allow, try, 
>demand|hard)+  tls-cipher-suite=<cipher-suite-spec>  (acceptable cipher 
>suite(s) and preference order)+  tls-protocol-min=<major.[.minor]>  (minimum 
>TLS protocol version to negotiate. OpenSSL only)+  tls-randfile=<path>   (file 
>to obtain random bits from when /dev/[u]random is not available. OpenSSL 
>only)+  tls-crl-check=<level> (none, peer, all. OpenSSL only)+  
>tls-crl-file=<path>   (file containing a CRL to be used for verification of 
>server certs. GnuTLS only) .fi .TP .BI \-O \ security-propertiesdiff --git 
>a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1index 84473bc..ef80578 
>100644--- a/doc/man/man1/ldapmodify.1+++ b/doc/man/man1/ldapmodify.1@@ -261,6 
>+261,16 @@ General options: .nf   nettimeout=<timeout>  (in seconds, or "none" 
>or "max")   ldif-wrap=<width>     (in columns, or "no" for no wrapping)+  
>tls-cacertfile=<path> (path to CA file for TLS operations)+  
>tls-cacertdir=<path>  (path to CA directory for TLS operations)+  
>tls-certfile=<path>   (path to public cert file for TLS certificate 
>authentication)+  tls-keyfile=<path>    (path to private key file for TLS 
>certificate authentication)+  tls-reqcert=<level>   (never, allow, try, 
>demand|hard)+  tls-cipher-suite=<cipher-suite-spec>  (acceptable cipher 
>suite(s) and preference order)+  tls-protocol-min=<major.[.minor]>  (minimum 
>TLS protocol version to negotiate. OpenSSL only)+  tls-randfile=<path>   (file 
>to obtain random bits from when /dev/[u]random is not available. OpenSSL 
>only)+  tls-crl-check=<level> (none, peer, all. OpenSSL only)+  
>tls-crl-file=<path>   (file containing a CRL to be used for verification of 
>server certs. GnuTLS only) .fi .TP .BI \-O \ security-propertiesdiff --git 
>a/doc/man/man1/ldapmodrdn.1 b/doc/man/man1/ldapmodrdn.1index 644bd63..9a1f6a5 
>100644--- a/doc/man/man1/ldapmodrdn.1+++ b/doc/man/man1/ldapmodrdn.1@@ -192,6 
>+192,16 @@ General options: .nf   nettimeout=<timeout>  (in seconds, or "none" 
>or "max")   ldif-wrap=<width>     (in columns, or "no" for no wrapping)+  
>tls-cacertfile=<path> (path to CA file for TLS operations)+  
>tls-cacertdir=<path>  (path to CA directory for TLS operations)+  
>tls-certfile=<path>   (path to public cert file for TLS certificate 
>authentication)+  tls-keyfile=<path>    (path to private key file for TLS 
>certificate authentication)+  tls-reqcert=<level>   (never, allow, try, 
>demand|hard)+  tls-cipher-suite=<cipher-suite-spec>  (acceptable cipher 
>suite(s) and preference order)+  tls-protocol-min=<major.[.minor]>  (minimum 
>TLS protocol version to negotiate. OpenSSL only)+  tls-randfile=<path>   (file 
>to obtain random bits from when /dev/[u]random is not available. OpenSSL 
>only)+  tls-crl-check=<level> (none, peer, all. OpenSSL only)+  
>tls-crl-file=<path>   (file containing a CRL to be used for verification of 
>server certs. GnuTLS only) .fi .TP .BI \-O \ security-propertiesdiff --git 
>a/doc/man/man1/ldappasswd.1 b/doc/man/man1/ldappasswd.1index 357442c..74ac9ed 
>100644--- a/doc/man/man1/ldappasswd.1+++ b/doc/man/man1/ldappasswd.1@@ -194,6 
>+194,16 @@ General options: .nf   nettimeout=<timeout>  (in seconds, or "none" 
>or "max")   ldif-wrap=<width>     (in columns, or "no" for no wrapping)+  
>tls-cacertfile=<path> (path to CA file for TLS operations)+  
>tls-cacertdir=<path>  (path to CA directory for TLS operations)+  
>tls-certfile=<path>   (path to public cert file for TLS certificate 
>authentication)+  tls-keyfile=<path>    (path to private key file for TLS 
>certificate authentication)+  tls-reqcert=<level>   (never, allow, try, 
>demand|hard)+  tls-cipher-suite=<cipher-suite-spec>  (acceptable cipher 
>suite(s) and preference order)+  tls-protocol-min=<major.[.minor]>  (minimum 
>TLS protocol version to negotiate. OpenSSL only)+  tls-randfile=<path>   (file 
>to obtain random bits from when /dev/[u]random is not available. OpenSSL 
>only)+  tls-crl-check=<level> (none, peer, all. OpenSSL only)+  
>tls-crl-file=<path>   (file containing a CRL to be used for verification of 
>server certs. GnuTLS only) .fi .TP .BI \-O \ security-propertiesdiff --git 
>a/doc/man/man1/ldapsearch.1 b/doc/man/man1/ldapsearch.1index 2980c65..62b7116 
>100644--- a/doc/man/man1/ldapsearch.1+++ b/doc/man/man1/ldapsearch.1@@ -338,6 
>+338,16 @@ General options: .nf   nettimeout=<timeout>  (in seconds, or "none" 
>or "max")   ldif-wrap=<width>     (in columns, or "no" for no wrapping)+  
>tls-cacertfile=<path> (path to CA file for TLS operations)+  
>tls-cacertdir=<path>  (path to CA directory for TLS operations)+  
>tls-certfile=<path>   (path to public cert file for TLS certificate 
>authentication)+  tls-keyfile=<path>    (path to private key file for TLS 
>certificate authentication)+  tls-reqcert=<level>   (never, allow, try, 
>demand|hard)+  tls-cipher-suite=<cipher-suite-spec>  (acceptable cipher 
>suite(s) and preference order)+  tls-protocol-min=<major.[.minor]>  (minimum 
>TLS protocol version to negotiate. OpenSSL only)+  tls-randfile=<path>   (file 
>to obtain random bits from when /dev/[u]random is not available. OpenSSL 
>only)+  tls-crl-check=<level> (none, peer, all. OpenSSL only)+  
>tls-crl-file=<path>   (file containing a CRL to be used for verification of 
>server certs. GnuTLS only) .fi .TP .BI \-O \ security-propertiesdiff --git 
>a/doc/man/man1/ldapwhoami.1 b/doc/man/man1/ldapwhoami.1index f92e116..22209a9 
>100644--- a/doc/man/man1/ldapwhoami.1+++ b/doc/man/man1/ldapwhoami.1@@ -149,6 
>+149,16 @@ General options: .nf   nettimeout=<timeout>  (in seconds, or "none" 
>or "max")   ldif-wrap=<width>     (in columns, or "no" for no wrapping)+  
>tls-cacertfile=<path> (path to CA file for TLS operations)+  
>tls-cacertdir=<path>  (path to CA directory for TLS operations)+  
>tls-certfile=<path>   (path to public cert file for TLS certificate 
>authentication)+  tls-keyfile=<path>    (path to private key file for TLS 
>certificate authentication)+  tls-reqcert=<level>   (never, allow, try, 
>demand|hard)+  tls-cipher-suite=<cipher-suite-spec>  (acceptable cipher 
>suite(s) and preference order)+  tls-protocol-min=<major.[.minor]>  (minimum 
>TLS protocol version to negotiate. OpenSSL only)+  tls-randfile=<path>   (file 
>to obtain random bits from when /dev/[u]random is not available. OpenSSL 
>only)+  tls-crl-check=<level> (none, peer, all. OpenSSL only)+  
>tls-crl-file=<path>   (file containing a CRL to be used for verification of 
>server certs. GnuTLS only) .fi .TP .BI \-O \ security-propertiesdiff --git 
>a/tests/data/slapd-tls-sasl.conf b/tests/data/slapd-tls-sasl.confnew file mode 
>100644index 0000000..f4bb077--- /dev/null+++ 
>b/tests/data/slapd-tls-sasl.conf@@ -0,0 +1,65 @@+# stand-alone slapd config -- 
>for testing (with indexing)+# $OpenLDAP$+## This work is part of OpenLDAP 
>Software <http://www.openldap.org/>.+##+## Copyright 1998-2017 The OpenLDAP 
>Foundation.+## All rights reserved.+##+## Redistribution and use in source and 
>binary forms, with or without+## modification, are permitted only as 
>authorized by the OpenLDAP+## Public License.+##+## A copy of this license is 
>available in the file LICENSE in the+## top-level directory of the 
>distribution or, alternatively, at+## 
><http://www.OpenLDAP.org/license.html>.++#+include            
>@SCHEMADIR@/core.schema+include         @SCHEMADIR@/cosine.schema+#+include    
>         @SCHEMADIR@/corba.schema+include                
>@SCHEMADIR@/java.schema+include         
>@SCHEMADIR@/inetorgperson.schema+include                
>@SCHEMADIR@/misc.schema+include         @SCHEMADIR@/nis.schema+include         
> @SCHEMADIR@/openldap.schema+#+include           
>@SCHEMADIR@/duaconf.schema+include              
>@SCHEMADIR@/dyngroup.schema+include             
>@SCHEMADIR@/ppolicy.schema++#+pidfile           @TESTDIR@/slapd.1.pid+argsfile 
> @TESTDIR@/slapd.1.args++# SSL configuration+TLSCACertificateFile 
>@TESTDIR@/tls/ca/certs/testsuiteCA.crt+TLSCertificateKeyFile 
>@TESTDIR@/tls/private/localhost.key+TLSCertificateFile 
>@TESTDIR@/tls/certs/localhost.crt+TLSVerifyClient hard++#+rootdse  
>@DATADIR@/rootdse.ldif++#mod#modulepath 
>../servers/slapd/back-@BACKEND@/+#mod#moduleload        
>back_@BACKEND@.la+#monitormod#modulepath 
>../servers/slapd/back-monitor/+#monitormod#moduleload 
>back_monitor.la++authz-regexp "email=([^,]*),cn=[^,]*,ou=OpenLDAP,o=OpenLDAP 
>Foundation,st=CA,c=US" 
>ldap:///ou=People,dc=example,dc=com??sub?(mail=$1)++#######################################################################+#
> database 
>definitions+#######################################################################++database
> @BACKEND@+suffix          "dc=example,dc=com"+rootdn          
>"cn=Manager,dc=example,dc=com"+rootpw          secret+#~null~#directory   
>@TESTDIR@/db.1.a+#indexdb#index         objectClass eq+#indexdb#index          
> mail eq+#ndb#dbname db_1_a+#ndb#include @DATADIR@/ndb.conf++#monitor#database 
>  monitordiff --git a/tests/data/slapd-tls.conf b/tests/data/slapd-tls.confnew 
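Review bot: The `authz-regexp` line substitutes `$1` — the `email=` RDN taken from the client certificate subject — into the search filter `(mail=$1)` with, as far as I know, no filter escaping; with only the test CA issuing certificates the exposure here is nil, but test configs are what people copy from, so a comment such as `# test-only: maps the cert subject e-mail straight into an LDAP filter, do not reuse in production without a stricter pattern` would help. The pattern also hard-codes the exact subject layout that create-crt.sh emits (`email=…,cn=…,ou=OpenLDAP,o=OpenLDAP Foundation,st=CA,c=US`), so any later change to the script's `-subj` breaks test068 with an authorization failure rather than an obvious error; a comment pointing at the script would make that dependency visible. `TLSVerifyClient hard` together with `TLSCACertificateFile` is the right combination for an EXTERNAL-mechanism test.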
>file mode 100644index 0000000..6a77855--- /dev/null+++ 
>b/tests/data/slapd-tls.conf@@ -0,0 +1,61 @@+# stand-alone slapd config -- for 
>testing (with indexing)+# $OpenLDAP$+## This work is part of OpenLDAP Software 
><http://www.openldap.org/>.+##+## Copyright 1998-2017 The OpenLDAP 
>Foundation.+## All rights reserved.+##+## Redistribution and use in source and 
>binary forms, with or without+## modification, are permitted only as 
>authorized by the OpenLDAP+## Public License.+##+## A copy of this license is 
>available in the file LICENSE in the+## top-level directory of the 
>distribution or, alternatively, at+## 
><http://www.OpenLDAP.org/license.html>.++#+include               
>@SCHEMADIR@/core.schema+include         @SCHEMADIR@/cosine.schema+#+include    
>         @SCHEMADIR@/corba.schema+include                
>@SCHEMADIR@/java.schema+include         
>@SCHEMADIR@/inetorgperson.schema+include                
>@SCHEMADIR@/misc.schema+include         @SCHEMADIR@/nis.schema+include         
> @SCHEMADIR@/openldap.schema+#+include           
>@SCHEMADIR@/duaconf.schema+include              
>@SCHEMADIR@/dyngroup.schema+include             
>@SCHEMADIR@/ppolicy.schema++#+pidfile           @TESTDIR@/slapd.1.pid+argsfile 
> @TESTDIR@/slapd.1.args++# SSL configuration+TLSCertificateKeyFile 
>@TESTDIR@/tls/private/localhost.key+TLSCertificateFile 
>@TESTDIR@/tls/certs/localhost.crt++#+rootdse   
>@DATADIR@/rootdse.ldif++#mod#modulepath 
>../servers/slapd/back-@BACKEND@/+#mod#moduleload        
>back_@BACKEND@.la+#monitormod#modulepath 
>../servers/slapd/back-monitor/+#monitormod#moduleload 
>back_monitor.la++#######################################################################+#
> database 
>definitions+#######################################################################++database
>        @BACKEND@+suffix          "dc=example,dc=com"+rootdn          
>"cn=Manager,dc=example,dc=com"+rootpw          secret+#~null~#directory   
>@TESTDIR@/db.1.a+#indexdb#index         objectClass eq+#indexdb#index          
> mail eq+#ndb#dbname db_1_a+#ndb#include @DATADIR@/ndb.conf++#monitor#database 
>  monitordiff --git a/tests/data/tls/ca/certs/testsuiteCA.crt 
>b/tests/data/tls/ca/certs/testsuiteCA.crtnew file mode 100644index 
>0000000..7458e74--- /dev/null+++ b/tests/data/tls/ca/certs/testsuiteCA.crt@@ 
>-0,0 +1,16 @@+-----BEGIN 
>CERTIFICATE-----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+-----END
> CERTIFICATE-----diff --git a/tests/data/tls/ca/private/testsuiteCA.key 
>b/tests/data/tls/ca/private/testsuiteCA.keynew file mode 100644index 
>0000000..2e14d70--- /dev/null+++ b/tests/data/tls/ca/private/testsuiteCA.key@@ 
>-0,0 +1,16 @@+-----BEGIN PRIVATE 
>KEY-----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-----END
> PRIVATE KEY-----diff --git 
>a/tests/data/tls/certs/bjen...@mailgw.example.com.crt 
>b/tests/data/tls/certs/bjen...@mailgw.example.com.crtnew file mode 100644index 
>0000000..93e3a0d--- /dev/null+++ 
>b/tests/data/tls/certs/bjen...@mailgw.example.com.crt@@ -0,0 +1,16 
>@@+-----BEGIN 
>CERTIFICATE-----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+-----END
> CERTIFICATE-----diff --git a/tests/data/tls/certs/localhost.crt 
>b/tests/data/tls/certs/localhost.crtnew file mode 100644index 
>0000000..194cb11--- /dev/null+++ b/tests/data/tls/certs/localhost.crt@@ -0,0 
>+1,16 @@+-----BEGIN 
>CERTIFICATE-----+MIICgzCCAeygAwIBAgIBADANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJVUzEL+MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHzAdBgNV+BAsMFk9wZW5MREFQIFRlc3QgU3VpdGUgQ0EwIBcNMTcwNTEwMjMxNjExWhgPMjUx+ODA1MjQyMzE2MTFaMGoxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEcMBoGA1UE+CgwTT3BlbkxEQVAgRm91bmRhdGlvbjEcMBoGA1UECwwTT3BlbkxEQVAgVGVzdCBT+dWl0ZTESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB+iQKBgQDutp3GaZXGSm7joDm1TYI+dhBAuL1+O+oJlmZL10GX/oHqc8WNobvuZGH4+7H8mQf7zWwJQWxL805oBDMPi2ncgha5ydaVsf4rBZATpweji04vd+672qtR/dGgv+8Re5G3ZFYWxUv8nb/DJojG601V2Ye/K3rf+Xwa9u4Q9EJqIivwIDAQABo0gwRjAJ+BgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAsBgNVHREEJTAjgglsb2NhbGhvc3SHBH8A+AAGHEAAAAAAAAAAAAAAAAAAAAAEwDQYJKoZIhvcNAQELBQADgYEAYItH9TDh/lqG+8XcBPi0bzGaUPkGlDY615xvsVCflnsfRqLKP/dCfi1GjaDajEmE874pvnmmZfwxl+0MRTqnhEmFdqjPzVSVKCeNQYWGr3wzKwI7qrhTLMg3Tz98Sz0+HUY8G9fwsNekAR+GjeZB1FxqDGHjxBq2O828iejw28bSz4=+-----END
> CERTIFICATE-----diff --git a/tests/data/tls/conf/openssl.cnf 
>b/tests/data/tls/conf/openssl.cnfnew file mode 100644index 0000000..a3c8ad9--- 
>/dev/null+++ b/tests/data/tls/conf/openssl.cnf@@ -0,0 +1,129 @@+HOME           
>         = .+RANDFILE                = $ENV::HOME/.rnd++oid_section            
> = new_oids++[ new_oids ]+tsa_policy1 = 1.2.3.4.1+tsa_policy2 = 
>1.2.3.4.5.6+tsa_policy3 = 1.2.3.4.5.7++[ ca ]+default_ca      = CA_default     
>       # The default ca section++[ CA_default ]++dir             = ./cruft     
>      # Where everything is kept+certs           = $dir/certs            # 
>Where the issued certs are kept+crl_dir         = $dir/crl              # 
>Where the issued crl are kept+database        = $dir/index.txt        # 
>database index file.+new_certs_dir   = $dir/certs         # default place for 
>new certs.+certificate     = $dir/cacert.pem       # The CA certificate+serial 
>         = $dir/serial           # The current serial number+crlnumber       = 
>$dir/crlnumber        # the current crl number+crl             = $dir/crl.pem  
>        # The current CRL+private_key     = $dir/private/cakey.pem# The 
>private key+RANDFILE        = $dir/private/.rand    # private random number 
>file+x509_extensions = usr_cert              # The extentions to add to the 
>cert+name_opt        = ca_default            # Subject Name options+cert_opt   
>     = ca_default            # Certificate field options+default_days    = 365 
>                  # how long to certify for+default_crl_days= 30               
>     # how long before next CRL+default_md      = default               # use 
>public key default MD+preserve        = no                    # keep passed DN 
>ordering+policy          = policy_match++[ policy_match ]+countryName          
>   = match+stateOrProvinceName     = match+organizationName        = 
>match+organizationalUnitName  = optional+commonName              = 
>supplied+emailAddress            = optional++[ policy_anything ]+countryName   
>          = optional+stateOrProvinceName     = optional+localityName           
> = optional+organizationName        = optional+organizationalUnitName  = 
>optional+commonName              = supplied+emailAddress            = 
>optional++[ req ]+default_bits            = 2048+default_keyfile         = 
>privkey.pem+distinguished_name      = req_distinguished_name+attributes        
>      = req_attributes+x509_extensions = v3_ca # The extentions to add to the 
>self signed cert++string_mask = utf8only++[ req_distinguished_name 
>]+basicConstraints=CA:FALSE++[ req_attributes ]+challengePassword              
> = A challenge password+challengePassword_min           = 
>4+challengePassword_max           = 20++unstructuredName                = An 
>optional company name++[ usr_cert ]++basicConstraints=CA:FALSE+nsComment       
>                = "OpenSSL Generated 
>Certificate"++subjectKeyIdentifier=hash+authorityKeyIdentifier=keyid,issuer++[ 
>v3_req ]++basicConstraints = CA:FALSE+keyUsage = nonRepudiation, 
>digitalSignature, keyEncipherment+subjectAltName = 
>DNS:localhost,IP:127.0.0.1,IP:::1++[ v3_ca 
>]+subjectKeyIdentifier=hash+authorityKeyIdentifier=keyid:always,issuer+basicConstraints
> = CA:true++[ crl_ext ]++authorityKeyIdentifier=keyid:always++[ proxy_cert_ext 
>]+basicConstraints=CA:FALSE+nsComment                       = "OpenSSL 
>Generated 
>Certificate"++subjectKeyIdentifier=hash+authorityKeyIdentifier=keyid,issuer+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo++[
> tsa ]++default_tsa = tsa_config1       # the default TSA section++[ 
>tsa_config1 ]++dir             = ./demoCA              # TSA root 
>directory+serial          = $dir/tsaserial        # The current serial number 
>(mandatory)+crypto_device   = builtin               # OpenSSL engine to use 
>for signing+signer_cert     = $dir/tsacert.pem      # The TSA signing 
>certificate+                                        # (optional)+certs         
>  = $dir/cacert.pem       # Certificate chain to include in reply+             
>                           # (optional)+signer_key      = 
>$dir/private/tsakey.pem # The TSA private key (optional)++default_policy  = 
>tsa_policy1           # Policy if request did not specify it+                  
>                      # (optional)+other_policies  = tsa_policy2, tsa_policy3  
>    # acceptable policies (optional)+digests         = md5, sha1             # 
>Acceptable message digests (mandatory)+accuracy        = secs:1, 
>millisecs:500, microsecs:100  # (optional)+clock_precision_digits  = 0     # 
>number of digits after dot. (optional)+ordering                = yes   # Is 
>ordering defined for timestamps?+                                # (optional, 
>default: no)+tsa_name                = yes   # Must the TSA name be included 
>in the reply?+                                # (optional, default: 
>no)+ess_cert_id_chain       = no    # Must the ESS cert id chain be included?+ 
>                               # (optional, default: no)diff --git 
>a/tests/data/tls/create-crt.sh b/tests/data/tls/create-crt.shnew file mode 
>100755index 0000000..8c33a24--- /dev/null+++ b/tests/data/tls/create-crt.sh@@ 
>-0,0 +1,78 @@+#!/bin/sh+openssl=$(which openssl)++if [ x"$openssl" = "x" ]; 
>then+echo "OpenSSL command line binary not found, skipping..."+fi++USAGE="$0 
>[-s] [-u <u...@domain.com>]"+SERVER=0+USER=0+EMAIL=++while test $# -gt 0 ; do+ 
>    case "$1" in+           -s | -server)+                  SERVER=1;+         
>             shift;;+                -u | -user)+                    if [ 
>x"$2" = "x" ]; then+                               echo "User cert requires an 
>email address as an argument"+                              exit;+             
>     fi+                     USER=1;+                        EMAIL="$2";+      
>              shift; shift;;+         -)+                     shift;;+         
>       -*)+                    echo "$USAGE"; exit 1+                  ;;+     
>        *)+                     break;;+        esac+done++if [ $SERVER = 0 -a 
>$USER = 0 ]; then+       echo "$USAGE";+ exit 1;+fi++rm -rf ./openssl.cnf 
>cruft+mkdir -p private certs cruft/private cruft/certs++echo "00" > 
>cruft/serial+touch cruft/index.txt+touch cruft/index.txt.attr+hn=$(hostname 
>-f)+sed -e "s;@HOSTNAME@;$hn;" conf/openssl.cnf >  ./openssl.cnf++if [ $SERVER 
>= 1 ]; then+    rm -rf private/localhost.key certs/localhost.crt++      
>$openssl req -new -nodes -out localhost.csr -keyout private/localhost.key \+   
>         -newkey rsa:1024 -config ./openssl.cnf \+               -subj 
>"/CN=localhost/OU=OpenLDAP Test Suite/O=OpenLDAP Foundation/ST=CA/C=US" \+     
>           -batch > /dev/null 2>&1++       $openssl ca -out 
>certs/localhost.crt -notext -config ./openssl.cnf -days 183000 -in 
>localhost.csr \+            -keyfile ca/private/testsuiteCA.key -extensions 
>v3_req -cert ca/certs/testsuiteCA.crt \+                -batch >/dev/null 
>2>&1++        rm -rf ./openssl.cnf ./localhost.csr cruft+fi++if [ $USER = 1 ]; 
>then+  rm -f certs/$EMAIL.crt private/$EMAIL.key $EMAIL.csr++  $openssl req 
>-new -nodes -out $EMAIL.csr -keyout private/$EMAIL.key \+          -newkey 
>rsa:1024 -config ./openssl.cnf \+               -subj 
>"/emailAddress=$EMAIL/CN=$EMAIL/OU=OpenLDAP/O=OpenLDAP Foundation/ST=CA/C=US" 
>\+          -batch >/dev/null 2>&1++        $openssl ca -out certs/$EMAIL.crt 
>-notext -config ./openssl.cnf -days 183000 -in $EMAIL.csr \+          -keyfile 
>ca/private/testsuiteCA.key -extensions req_distinguished_name \+               
>-cert ca/certs/testsuiteCA.crt -batch >/dev/null 2>&1++ rm -rf ./openssl.cnf 
>./$EMAIL.csr cruft+fidiff --git 
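Review bot: When `which openssl` finds nothing, the `if [ x"$openssl" = "x" ]` branch prints "skipping..." but falls through, so the later `$openssl req` / `$openssl ca` invocations run with an empty command and fail invisibly behind `>/dev/null 2>&1`; the branch needs an `exit 1` (or `exit 0` if skipping really is the intent). None of the four openssl invocations have their exit status checked, so a failed CSR or signing step still lets the script `rm -rf` the cruft directory and report nothing — appending `|| { echo "openssl step failed"; exit 1; }` to each would make a broken regeneration visible. `-newkey rsa:1024` produces keys that some current TLS library builds reject at their default security level, so fixtures regenerated with this script may be refused by the very libraries the tests exercise; `rsa:2048` is the safer choice for test material. The user-cert branch passes `-extensions req_distinguished_name`, which in the config above appears to be the DN prompt section rather than an X.509v3 extensions section like `usr_cert`; confirm that is intended.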
>a/tests/data/tls/private/bjen...@mailgw.example.com.key 
>b/tests/data/tls/private/bjen...@mailgw.example.com.keynew file mode 
>100644index 0000000..5f4625f--- /dev/null+++ 
>b/tests/data/tls/private/bjen...@mailgw.example.com.key@@ -0,0 +1,16 
>@@+-----BEGIN PRIVATE 
>KEY-----+MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAMjb2C5VL+f/B/f2+xJyhsdXeaGhWdABWqJlCiupk7QVPotpZphqJ2fKgQbX2w0sPazujt8hG96F2mBv4+9pHqzhSrKN70EA/E7b8d6ynjJpBU2P9ZgVlttnmUU++22BSuhthP5VQK7IqNyI7Z+yQ4hFzuqb/XrHD1VCDo/Z/JAkw7jAgMBAAECgYEApDgKQadoaZd7nmJlUWJqEV+r+oVK9uOEhK1zaUtV9bBA2J6uQQLZgORyJXQqJlT7f/3zVb6uGHr7lkkk03wxIu+3e+nIi7or/Cw6KmxhgslsQamf/ujjeqRlij/4pJIpEYByme9SstfzMBFNWU4t+fguPg+xXz6lvVZuNiYRWWuXxECQQDwakp31mNczqLPg8fuhdgixz7HCK5g6p4XDw+Cu9Ra+EenuOJVlnwXdW+g5jooiV5RWhxbTO6ImtgbcBGoeLSbVAkEA1eEcifIzgSi8XODd+9i6dCSMHKk4FgDRk2DJxRePLK2J1kt2bhOz/N1130fTargDWo8QiQAnd7RBOMJO/+pGaq1wJAZ2afzrjzlWf+WFgqdmk0k4i0dHBEZ8Sg5/P/TNAyPeb0gRPvFXz2zcUI+tTCcMrcOQsTpSUKdtB6YBqsTZRUwXQI/FbjHLTtr/7Ijb0tnP5l8WXE1SRajeGHZ+3BtDZdW8zKszRbc8FEP9p6HWiXxUuVdcdUV2NQrLf0goqMZYsFm9AkBtV3URLS4D+tw0VPr/TtzDx0UTJU5POdRcNrrpm233A0EyGNmLuM7y0iLxrvCIN9z0RVu7AeMBg+36Ixj3L+5H18+-----END
> PRIVATE KEY-----diff --git a/tests/data/tls/private/localhost.key 
>b/tests/data/tls/private/localhost.keynew file mode 100644index 
>0000000..8a24f69--- /dev/null+++ b/tests/data/tls/private/localhost.key@@ -0,0 
>+1,16 @@+-----BEGIN PRIVATE 
>KEY-----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+-----END
> PRIVATE KEY-----diff --git a/tests/run.in b/tests/run.inindex 
>73db243..3a77ef2 100644--- a/tests/run.in+++ b/tests/run.in@@ -57,6 +57,7 @@ 
>AC_valsort=valsort@BUILD_VALSORT@ # misc AC_WITH_SASL=@WITH_SASL@ 
>AC_WITH_TLS=@WITH_TLS@+AC_TLS_TYPE=@WITH_TLS_TYPE@ 
>AC_WITH_MODULES_ENABLED=@WITH_MODULES_ENABLED@ 
>AC_ACI_ENABLED=aci@WITH_ACI_ENABLED@ AC_THREADS=threads@BUILD_THREAD@@@ -75,7 
>+76,7 @@ export AC_bdb AC_hdb AC_ldap AC_mdb AC_meta AC_monitor AC_null 
>AC_relay AC_sql \       AC_refint AC_retcode AC_rwm AC_unique AC_syncprov 
>AC_translucent \      AC_valsort \    AC_WITH_SASL AC_WITH_TLS 
>AC_WITH_MODULES_ENABLED AC_ACI_ENABLED \-      AC_THREADS AC_LIBS_DYNAMIC+     
>AC_THREADS AC_LIBS_DYNAMIC AC_WITH_TLS AC_TLS_TYPE  if test ! -x 
>../servers/slapd/slapd ; then  echo "Could not locate slapd(8)"diff --git 
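Review bot: The replacement export line in the second hunk adds `AC_WITH_TLS` again although it is already exported two lines earlier in the same statement (`AC_WITH_SASL AC_WITH_TLS AC_WITH_MODULES_ENABLED ...`); only `AC_TLS_TYPE` is new. The line should read `AC_THREADS AC_LIBS_DYNAMIC AC_TLS_TYPE`. The duplicate is harmless at runtime but suggests to the next maintainer that the variable was not exported before this change.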
>a/tests/scripts/defines.sh b/tests/scripts/defines.shindex 0750f88..96c41ff 
>100755--- a/tests/scripts/defines.sh+++ b/tests/scripts/defines.sh@@ -46,6 
>+46,9 @@ VALSORT=${AC_valsort-valsortno} # misc WITH_SASL=${AC_WITH_SASL-no} 
>USE_SASL=${SLAPD_USE_SASL-no}+WITH_TLS=${AC_WITH_TLS-no}+WITH_TLS_TYPE=${AC_TLS_TYPE-no}+
> ACI=${AC_ACI_ENABLED-acino} THREADS=${AC_THREADS-threadsno} 
>SLEEP0=${SLEEP0-1}@@ -104,6 +107,8 @@ 
>P2SRSLAVECONF=$DATADIR/slapd-syncrepl-slave-persist2.conf 
>P3SRSLAVECONF=$DATADIR/slapd-syncrepl-slave-persist3.conf 
>REFSLAVECONF=$DATADIR/slapd-ref-slave.conf 
>SCHEMACONF=$DATADIR/slapd-schema.conf+TLSCONF=$DATADIR/slapd-tls.conf+TLSSASLCONF=$DATADIR/slapd-tls-sasl.conf
> GLUECONF=$DATADIR/slapd-glue.conf REFINTCONF=$DATADIR/slapd-refint.conf 
>RETCODECONF=$DATADIR/slapd-retcode.conf@@ -164,6 +169,7 @@ 
>SLURPLOG=$TESTDIR/slurp.log CONFIGPWF=$TESTDIR/configpw  # args+SASLARGS="-Q" 
>TOOLARGS="-x $LDAP_TOOLARGS" TOOLPROTO="-P 3" @@ -186,7 +192,8 @@ BCMP="diff 
>-iB" CMPOUT=/dev/null SLAPD="$TESTWD/../servers/slapd/slapd -s0" 
>LDAPPASSWD="$CLIENTDIR/ldappasswd 
>$TOOLARGS"-LDAPSASLSEARCH="$CLIENTDIR/ldapsearch $TOOLPROTO $LDAP_TOOLARGS 
>-LLL"+LDAPSASLSEARCH="$CLIENTDIR/ldapsearch $SASLARGS $TOOLPROTO 
>$LDAP_TOOLARGS -LLL"+LDAPSASLWHOAMI="$CLIENTDIR/ldapwhoami $SASLARGS 
>$LDAP_TOOLARGS" LDAPSEARCH="$CLIENTDIR/ldapsearch $TOOLPROTO $TOOLARGS -LLL" 
>LDAPRSEARCH="$CLIENTDIR/ldapsearch $TOOLPROTO $TOOLARGS" 
>LDAPDELETE="$CLIENTDIR/ldapdelete $TOOLPROTO $TOOLARGS"@@ -201,6 +208,7 @@ 
>LDIFFILTER=$PROGDIR/ldif-filter SLAPDMTREAD=$PROGDIR/slapd-mtread 
>LVL=${SLAPD_DEBUG-0x4105} LOCALHOST=localhost+LOCALIP=127.0.0.1 
>BASEPORT=${SLAPD_BASEPORT-9010} PORT1=`expr $BASEPORT + 1` PORT2=`expr 
>$BASEPORT + 2`@@ -209,11 +217,22 @@ PORT4=`expr $BASEPORT + 4` PORT5=`expr 
>$BASEPORT + 5` PORT6=`expr $BASEPORT + 6` 
>URI1="ldap://${LOCALHOST}:$PORT1/"+URIP1="ldap://${LOCALIP}:$PORT1/"; 
>URI2="ldap://${LOCALHOST}:$PORT2/"+URIP2="ldap://${LOCALIP}:$PORT2/"; 
>URI3="ldap://${LOCALHOST}:$PORT3/"+URIP3="ldap://${LOCALIP}:$PORT3/"; 
>URI4="ldap://${LOCALHOST}:$PORT4/"; URI5="ldap://${LOCALHOST}:$PORT5/"; 
>URI6="ldap://${LOCALHOST}:$PORT6/"+SURI1="ldaps://${LOCALHOST}:$PORT1/"+SURIP1="ldaps://${LOCALIP}:$PORT1/"+SURI2="ldaps://${LOCALHOST}:$PORT2/"+SURIP2="ldaps://${LOCALIP}:$PORT2/"+SURI3="ldaps://${LOCALHOST}:$PORT3/"+SURI4="ldaps://${LOCALHOST}:$PORT4/"+SURI5="ldaps://${LOCALHOST}:$PORT5/"+SURI6="ldaps://${LOCALHOST}:$PORT6/";
>  # LDIF LDIF=$DATADIR/test.ldifdiff --git a/tests/scripts/test067-tls 
>b/tests/scripts/test067-tlsnew file mode 100755index 0000000..3e087f1--- 
>/dev/null+++ b/tests/scripts/test067-tls@@ -0,0 +1,118 @@+#! /bin/sh+# 
>$OpenLDAP$+## This work is part of OpenLDAP Software 
><http://www.openldap.org/>.+##+## Copyright 1998-2017 The OpenLDAP 
>Foundation.+## All rights reserved.+##+## Redistribution and use in source and 
>binary forms, with or without+## modification, are permitted only as 
>authorized by the OpenLDAP+## Public License.+##+## A copy of this license is 
>available in the file LICENSE in the+## top-level directory of the 
>distribution or, alternatively, at+## 
><http://www.OpenLDAP.org/license.html>.++echo "running defines.sh"+. 
>$SRCDIR/scripts/defines.sh++if test $WITH_TLS = no ; then+        echo "TLS 
>support not available, test skipped"+        exit 0+fi++mkdir -p $TESTDIR 
>$DBDIR1+cp -r $DATADIR/tls $TESTDIR++cd $TESTWD++echo "Starting ldap:/// slapd 
>on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..."+. $CONFFILTER $BACKEND 
>$MONITORDB < $TLSCONF > $CONF1+$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL 
>$TIMING > $LOG1 2>&1 &+PID=$!+if test $WAIT != 0 ; then+    echo PID $PID+    
>read foo+fi+KILLPIDS="$PID"++sleep 1++for i in 0 1 2 3 4 5; do+       
>$LDAPSEARCH -s base -b "" -H $URI1 \+           'objectclass=*' > /dev/null 
>2>&1+        RC=$?+        if test $RC = 0 ; then+                break+       
> fi+        echo "Waiting 5 seconds for slapd to start..."+        sleep 
>5+done++if test $RC != 0 ; then+    echo "ldapsearch failed ($RC)!"+        
>test $KILLSERVERS != no && kill -HUP $KILLPIDS+ exit $RC+fi++echo -n "Using 
>ldapsearch with startTLS...."+$LDAPSEARCH -o 
>tls-cacertfile=$TESTDIR/tls/ca/certs/testsuiteCA.crt -o tls-reqcert=hard -ZZ 
>-b "" -s base -H $URIP1 \+        '@extensibleObject' > $SEARCHOUT 
>2>&1+RC=$?+if test $RC != 0 ; then+    echo "ldapsearch (startTLS) failed 
>($RC)!"+     exit $RC+else+  echo "success"+fi+++if test $WITH_TLS_TYPE = 
>openssl ; then+    echo -n "Using ldapsearch with startTLS and specific 
>protocol version...."+     $LDAPSEARCH -o 
>tls-cacertfile=$TESTDIR/tls/ca/certs/testsuiteCA.crt -o tls-reqcert=hard -o 
>tls-protocol-min=3.3 -ZZ -b "" -s base -H $URIP1 \+          
>'@extensibleObject' > $SEARCHOUT 2>&1+  RC=$?+  if test $RC != 0 ; then+       
>         echo "ldapsearch (protocol-min) failed ($RC)!"+         exit $RC+     
>  else+           echo "success"+ fi+fi++echo -n "Using ldapsearch on $SURI2 
>with reqcert HARD and no CA cert.  Should fail..."+$LDAPSEARCH -o 
>tls-reqcert=hard -b "cn=Subschema" -s base -H $SURIP2 \+   
>'(&(objectClasses=top)(objectClasses=2.5.6.0))' cn objectClass \+       >> 
>$SEARCHOUT  2>&1+RC=$?+if test $RC = 0 ; then+       echo "ldapsearch (ldaps) 
>succeeded when it should have failed($RC)!"+   exit 1+else+    echo "failed 
>correctly with error code ($RC)"+fi++echo -n "Using ldapsearch on $SURI2 with 
>CA cert and reqcert HARD..."+$LDAPSEARCH -o 
>tls-cacertfile=$TESTDIR/tls/ca/certs/testsuiteCA.crt -o tls-reqcert=hard -b 
>"cn=Subschema" -s base -H $SURIP2 \+ 
>'(&(objectClasses=top)(objectClasses=2.5.6.0))' cn objectClass \+       >> 
>$SEARCHOUT  2>&1+RC=$?+if test $RC != 0 ; then+      echo "ldapsearch (ldaps) 
>failed ($RC)!"+        exit $RC+else+  echo "success"+fi++test $KILLSERVERS != 
>no && kill -HUP $KILLPIDS++if test $RC != 0 ; then+     echo ">>>>> Test 
>failed"+else+  echo ">>>>> Test succeeded"+    RC=0+fi++test $KILLSERVERS != 
>no && wait++exit $RCdiff --git a/tests/scripts/test068-sasl-tls-external 
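Review bot: After slapd has been started, the failure branches for the startTLS search, the protocol-min search and the two ldaps searches `exit $RC` without `test $KILLSERVERS != no && kill -HUP $KILLPIDS`, so a failing TLS check leaves the test slapd listening on $PORT1/$PORT2 for the next script; the startup loop and the final block do kill it, so only these four branches need that line before their `exit`. The ldapwhoami failure branch in test068-sasl-tls-external has the same omission. The negative check ("reqcert HARD and no CA cert") accepts any non-zero exit as a pass, so a server that is not listening on $SURIP2 at all would also count as success; checking the specific ldapsearch exit code, or grepping $SEARCHOUT for the TLS error text, would make the test prove certificate validation rather than mere connection failure. $SEARCHOUT is written by every search but never inspected, so it may as well be documented as a debugging artifact or dropped.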
>b/tests/scripts/test068-sasl-tls-externalnew file mode 100755index 
>0000000..329d66a--- /dev/null+++ b/tests/scripts/test068-sasl-tls-external@@ 
>-0,0 +1,102 @@+#! /bin/sh+# $OpenLDAP$+## This work is part of OpenLDAP 
>Software <http://www.openldap.org/>.+##+## Copyright 1998-2017 The OpenLDAP 
>Foundation.+## All rights reserved.+##+## Redistribution and use in source and 
>binary forms, with or without+## modification, are permitted only as 
>authorized by the OpenLDAP+## Public License.+##+## A copy of this license is 
>available in the file LICENSE in the+## top-level directory of the 
>distribution or, alternatively, at+## 
><http://www.OpenLDAP.org/license.html>.++echo "running defines.sh"+. 
>$SRCDIR/scripts/defines.sh++if test $WITH_TLS = no ; then+        echo "TLS 
>support not available, test skipped"+        exit 0+fi++mkdir -p $TESTDIR 
>$DBDIR1+cp -r $DATADIR/tls $TESTDIR++cd $TESTWD++echo "Running slapadd to 
>build slapd database..."+. $CONFFILTER $BACKEND $MONITORDB < $TLSSASLCONF > 
>$CONF1+$SLAPADD -f $CONF1 -l $LDIFORDERED+RC=$?+if test $RC != 0 ; then+       
> echo "slapadd failed ($RC)!"+        exit $RC+fi++echo "Starting ldap:/// 
>slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..."+$SLAPD -f $CONF1 
>-h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &+PID=$!+if test $WAIT != 0 ; 
>then+    echo PID $PID+    read foo+fi+KILLPIDS="$PID"++sleep 1++for i in 0 1 
>2 3 4 5; do+ $LDAPSEARCH -s base -b "" -H $URI1 \+           'objectclass=*' > 
>/dev/null 2>&1+        RC=$?+        if test $RC = 0 ; then+                
>break+        fi+        echo "Waiting 5 seconds for slapd to start..."+       
> sleep 5+done++if test $RC != 0 ; then+    echo "ldapsearch failed ($RC)!"+    
>    test $KILLSERVERS != no && kill -HUP $KILLPIDS+ exit $RC+fi++echo -n 
>"Using ldapwhoami with SASL/EXTERNAL...."+$LDAPSASLWHOAMI -o 
>tls-cacertfile=$TESTDIR/tls/ca/certs/testsuiteCA.crt -o tls-reqcert=hard \+   
>-o tls-certfile=$TESTDIR/tls/certs/bjen...@mailgw.example.com.crt -o 
>tls-keyfile=$TESTDIR/tls/private/bjen...@mailgw.example.com.key -ZZ -Y 
>EXTERNAL -H $URIP1 \+       > $TESTOUT 2>&1+RC=$?+if test $RC != 0 ; then+  
>echo "ldapwhoami (startTLS) failed ($RC)!"+     exit $RC+else+  echo 
>"success"+fi++echo -n "Validating mapped SASL ID..."+echo 'dn:cn=barbara 
>jensen,ou=information technology division,ou=people,dc=example,dc=com' > 
>$TESTDIR/dn.out+$CMP $TESTDIR/dn.out $TESTOUT > $CMPOUT++RC=$?+if test $RC != 
>0 ; then+  echo "Comparison failed"+       test $KILLSERVERS != no && kill 
>-HUP $PID+      exit $RC+else+  echo "success"+fi++test $KILLSERVERS != no && 
>kill -HUP $KILLPIDS++if test $RC != 0 ; then+     echo ">>>>> Test 
>failed"+else+  echo ">>>>> Test succeeded"+    RC=0+fi++test $KILLSERVERS != 
>no && wait++exit $RC-- 2.7.4
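Review bot: The comparison-failure branch kills `$PID` while every other cleanup in the script uses `$KILLPIDS`; both hold the same value here, but `test $KILLSERVERS != no && kill -HUP $KILLPIDS` keeps it consistent with test067-tls and the rest of the suite. The ldapwhoami failure branch exits without killing slapd at all, the omission already noted on test067-tls. The expected DN is written with a bare `echo` and nothing says where the EXTERNAL identity is mapped to it — presumably an authz mapping in slapd-tls-sasl.conf, which is not visible here — so a one-line comment above the echo naming that mapping would let a reader connect the two.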
