[Samba.git] / testprogs / blackbox / test_ldap_token.sh
1 #!/bin/bash
2 # Copyright (C) 2017 Stefan Metzmacher <metze@samba.org>
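# Blackbox test: bind to an LDAP server with several Kerberos / NTLMSSP
# option spellings and check the SIDs reported in the tokenGroups attribute.
#
# Six positional arguments are required; anything after them is left in "$@".
if [ $# -lt 6 ]; then
	# The usage line used to interpolate $# (the argument count) in front of
	# the script name, which printed a stray number; it is dropped here.
	cat <<EOF
Usage: test_ldap_token.sh SERVER USERNAME PASSWORD REALM DOMAIN DOMSID
EOF
	exit 1
fi

# NOTE: PASSWORD is taken from the command line, so it is part of this
# script's own argument list as well as of every ldbsearch invocation built
# from it further down. Run this only with throwaway test credentials.
SERVER=$1
USERNAME=$2
PASSWORD=$3
REALM=$4
DOMAIN=$5
DOMSID=$6
shift 6
failed=0

# Load the test helpers that live next to this script. The expansions are
# quoted so that a checkout path containing spaces or glob characters does
# not get word-split before it reaches dirname or the "." builtin.
. "$(dirname "$0")/subunit.sh"
. "$(dirname "$0")/common_test_fns.inc"

# system_or_builddir_binary comes from the helpers sourced above; BINDIR is
# read from the environment.
ldbsearch=$(system_or_builddir_binary ldbsearch "${BINDIR}")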
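#######################################
# Bind to the LDAP server with the given credentials, read tokenGroups with a
# base-scope search on the empty DN, and check that the expected SIDs are
# present in the resulting token.
# Globals:   VALGRIND, ldbsearch, SERVER, REALM, DOMAIN, DOMSID (read)
# Arguments: $1   - credential option handed to ldbsearch (one argument)
#            $2   - SID that must appear for the authentication method used
#            $3.. - extra ldbsearch options; callers pass several options in
#                   one string, so these are word-split on purpose
# Outputs:   on failure, the ldbsearch output and a reason on stdout
# Returns:   0 when every check passes, 1 otherwise
#######################################
test_token()
{
	# Keep the working variables out of the caller's scope.
	local auth_user auth_sid auth_args out ret
	local domain_sids builtin_sids required_sids sid found

	auth_user="${1}"
	auth_sid="${2}"
	shift 2
	auth_args="$*"

	# auth_user is quoted so credentials containing whitespace or glob
	# characters reach ldbsearch as a single, unmodified argument.
	# VALGRIND and auth_args stay unquoted: both may carry several words.
	# shellcheck disable=SC2086
	out=$($VALGRIND "$ldbsearch" -H "ldap://$SERVER.$REALM" "${auth_user}" -b '' --scope=base ${auth_args} tokenGroups 2>&1)
	ret=$?
	if [ "$ret" -ne 0 ]; then
		echo "$out"
		return 1
	fi

	# grep -c replaces "grep | wc -l" (no padded counts on BSD-style wc) and
	# -F matches the SID prefix literally instead of as a regular expression.
	domain_sids=$(printf '%s\n' "$out" | grep '^tokenGroups' | grep -c -F -- "${DOMSID}-")
	if [ "$domain_sids" -lt 1 ]; then
		echo "$out"
		echo "Less than 1 sid from $DOMAIN $DOMSID"
		return 1
	fi

	builtin_sids=$(printf '%s\n' "$out" | grep '^tokenGroups' | grep -c -F -- "S-1-5-32-")
	if [ "$builtin_sids" -lt 1 ]; then
		echo "$out"
		echo "Less than 1 sid from BUILTIN S-1-5-32"
		return 1
	fi

	#
	# The following should always be present
	#
	# SID_WORLD(S-1-1-0)
	# SID_NT_NETWORK(S-1-5-2)
	# SID_NT_AUTHENTICATED_USERS(S-1-5-11)
	#
	# auth_sid is the marker for the authentication method the caller
	# selected, so a bind that silently used another method fails here.
	required_sids="S-1-1-0 S-1-5-2 S-1-5-11 ${auth_sid}"
	for sid in $required_sids; do
		# -x -F: the whole line must equal "tokenGroups: <sid>", so a
		# longer SID sharing this prefix is not counted. Exactly one
		# occurrence is required.
		found=$(printf '%s\n' "$out" | grep -c -x -F -- "tokenGroups: ${sid}")
		if [ "$found" -ne 1 ]; then
			echo "$out"
			echo "SID: ${sid} not found"
			return 1
		fi
	done

	return 0
}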
# Run the same eight option spellings twice: once with explicit user
# credentials (USER) and once with -P (MACHINE).
#
# NOTE: the USER form embeds PASSWORD in the -U option, so the secret is part
# of the ldbsearch argument list, which is typically readable by other local
# users while the process runs. Use a throwaway test account.
for target in USER MACHINE; do
	case "$target" in
	USER) UARGS="-U$REALM\\$USERNAME%$PASSWORD" ;;
	MACHINE) UARGS="-P" ;;
	esac

	# Check that SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY(S-1-18-1) is added for krb5
	for AARGS in \
		"-k yes" \
		"--use-kerberos=required" \
		"--option=clientusekerberos=required" \
		"--use-kerberos=required --option=clientusekerberos=off"
	do
		testit "Test token with kerberos ${target} (${AARGS})" test_token "${UARGS}" "S-1-18-1" "${AARGS}" || failed=$((failed + 1))
	done

	# Check that SID_NT_NTLM_AUTHENTICATION(S-1-5-64-10) is added for NTLMSSP
	for AARGS in \
		"-k no" \
		"--use-kerberos=off" \
		"--option=clientusekerberos=off" \
		"--use-kerberos=off --option=clientusekerberos=required"
	do
		testit "Test token with NTLMSSP ${target} (${AARGS})" test_token "${UARGS}" "S-1-5-64-10" "${AARGS}" || failed=$((failed + 1))
	done
done

# The exit status is the number of failed checks.
exit "$failed"