search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4: reorder action to permit old provision to be correctly upgraded
[Samba/nascimento.git] / source4 / torture / ldap / basic.c
blob87719f81ace428aeb86fc39e809b70a2e2d06507
1 /*
2 Unix SMB/CIFS mplementation.
3 LDAP protocol helper functions for SAMBA
4
5 Copyright (C) Stefan Metzmacher 2004
6 Copyright (C) Simo Sorce 2004
7 Copyright (C) Matthias Dieter Wallnöfer 2009
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21
22 */
23
24 #include "includes.h"
25 #include "libcli/ldap/ldap_client.h"
26 #include "lib/cmdline/popt_common.h"
27
28 #include "torture/torture.h"
29 #include "torture/ldap/proto.h"
30
31
32 static bool test_bind_simple(struct ldap_connection *conn, const char *userdn, const char *password)
33 {
34 NTSTATUS status;
35 bool ret = true;
36
37 status = torture_ldap_bind(conn, userdn, password);
38 if (!NT_STATUS_IS_OK(status)) {
39 ret = false;
40 }
41
42 return ret;
43 }
44
45 static bool test_bind_sasl(struct torture_context *tctx,
46 struct ldap_connection *conn, struct cli_credentials *creds)
47 {
48 NTSTATUS status;
49 bool ret = true;
50
51 printf("Testing sasl bind as user\n");
52
53 status = torture_ldap_bind_sasl(conn, creds, tctx->lp_ctx);
54 if (!NT_STATUS_IS_OK(status)) {
55 ret = false;
56 }
57
58 return ret;
59 }
60
61 static bool test_multibind(struct ldap_connection *conn, const char *userdn, const char *password)
62 {
63 bool ret = true;
64
65 printf("Testing multiple binds on a single connnection as anonymous and user\n");
66
67 ret = test_bind_simple(conn, NULL, NULL);
68 if (!ret) {
69 printf("1st bind as anonymous failed\n");
70 return ret;
71 }
72
73 ret = test_bind_simple(conn, userdn, password);
74 if (!ret) {
75 printf("2nd bind as authenticated user failed\n");
76 }
77
78 return ret;
79 }
80
81 static bool test_search_rootDSE(struct ldap_connection *conn, char **basedn)
82 {
83 bool ret = true;
84 struct ldap_message *msg, *result;
85 struct ldap_request *req;
86 int i;
87 struct ldap_SearchResEntry *r;
88 NTSTATUS status;
89
90 printf("Testing RootDSE Search\n");
91
92 *basedn = NULL;
93
94 msg = new_ldap_message(conn);
95 if (!msg) {
96 return false;
97 }
98
99 msg->type = LDAP_TAG_SearchRequest;
100 msg->r.SearchRequest.basedn = "";
101 msg->r.SearchRequest.scope = LDAP_SEARCH_SCOPE_BASE;
102 msg->r.SearchRequest.deref = LDAP_DEREFERENCE_NEVER;
103 msg->r.SearchRequest.timelimit = 0;
104 msg->r.SearchRequest.sizelimit = 0;
105 msg->r.SearchRequest.attributesonly = false;
106 msg->r.SearchRequest.tree = ldb_parse_tree(msg, "(objectclass=*)");
107 msg->r.SearchRequest.num_attributes = 0;
108 msg->r.SearchRequest.attributes = NULL;
109
110 req = ldap_request_send(conn, msg);
111 if (req == NULL) {
112 printf("Could not setup ldap search\n");
113 return false;
114 }
115
116 status = ldap_result_one(req, &result, LDAP_TAG_SearchResultEntry);
117 if (!NT_STATUS_IS_OK(status)) {
118 printf("search failed - %s\n", nt_errstr(status));
119 return false;
120 }
121
122 printf("received %d replies\n", req->num_replies);
123
124 r = &result->r.SearchResultEntry;
125
126 DEBUG(1,("\tdn: %s\n", r->dn));
127 for (i=0; i<r->num_attributes; i++) {
128 int j;
129 for (j=0; j<r->attributes[i].num_values; j++) {
130 DEBUG(1,("\t%s: %d %.*s\n", r->attributes[i].name,
131 (int)r->attributes[i].values[j].length,
132 (int)r->attributes[i].values[j].length,
133 (char *)r->attributes[i].values[j].data));
134 if (!(*basedn) &&
135 strcasecmp("defaultNamingContext",r->attributes[i].name)==0) {
136 *basedn = talloc_asprintf(conn, "%.*s",
137 (int)r->attributes[i].values[j].length,
138 (char *)r->attributes[i].values[j].data);
139 }
140 }
141 }
142
143 talloc_free(req);
144
145 return ret;
146 }
147
148 static bool test_compare_sasl(struct ldap_connection *conn, const char *basedn)
149 {
150 struct ldap_message *msg, *rep;
151 struct ldap_request *req;
152 const char *val;
153 NTSTATUS status;
154
155 printf("Testing SASL Compare: %s\n", basedn);
156
157 if (!basedn) {
158 return false;
159 }
160
161 msg = new_ldap_message(conn);
162 if (!msg) {
163 return false;
164 }
165
166 msg->type = LDAP_TAG_CompareRequest;
167 msg->r.CompareRequest.dn = basedn;
168 msg->r.CompareRequest.attribute = talloc_strdup(msg, "objectClass");
169 val = "domain";
170 msg->r.CompareRequest.value = data_blob_talloc(msg, val, strlen(val));
171
172 req = ldap_request_send(conn, msg);
173 if (!req) {
174 return false;
175 }
176
177 status = ldap_result_one(req, &rep, LDAP_TAG_CompareResponse);
178 if (!NT_STATUS_IS_OK(status)) {
179 printf("error in ldap compare request - %s\n", nt_errstr(status));
180 return false;
181 }
182
183 DEBUG(5,("Code: %d DN: [%s] ERROR:[%s] REFERRAL:[%s]\n",
184 rep->r.CompareResponse.resultcode,
185 rep->r.CompareResponse.dn,
186 rep->r.CompareResponse.errormessage,
187 rep->r.CompareResponse.referral));
188
189 return true;
190 }
191
192 /*
193 * This takes an AD error message and splits it into the WERROR code
194 * (WERR_DS_GENERIC if none found) and the reason (remaining string).
195 */
196 static WERROR ad_error(const char *err_msg, char **reason)
197 {
198 WERROR err = W_ERROR(strtol(err_msg, reason, 16));
199
200 if ((reason != NULL) && (*reason[0] != ':')) {
201 return WERR_DS_GENERIC_ERROR; /* not an AD std error message */
202 }
203
204 if (reason != NULL) {
205 *reason += 2; /* skip ": " */
206 }
207 return err;
208 }
209
210 static bool test_error_codes(struct torture_context *tctx,
211 struct ldap_connection *conn, const char *basedn)
212 {
213 struct ldap_message *msg, *rep;
214 struct ldap_request *req;
215 const char *err_code_str;
216 char *endptr;
217 WERROR err;
218 NTSTATUS status;
219
220 printf("Testing error codes - to make this test pass against SAMBA 4 you have to specify the target!\n");
221
222 if (!basedn) {
223 return false;
224 }
225
226 msg = new_ldap_message(conn);
227 if (!msg) {
228 return false;
229 }
230
231 printf(" Try a wrong addition\n");
232
233 msg->type = LDAP_TAG_AddRequest;
234 msg->r.AddRequest.dn = basedn;
235 msg->r.AddRequest.num_attributes = 0;
236 msg->r.AddRequest.attributes = NULL;
237
238 req = ldap_request_send(conn, msg);
239 if (!req) {
240 return false;
241 }
242
243 status = ldap_result_one(req, &rep, LDAP_TAG_AddResponse);
244 if (!NT_STATUS_IS_OK(status)) {
245 printf("error in ldap addition request - %s\n", nt_errstr(status));
246 return false;
247 }
248
249 if ((rep->r.AddResponse.resultcode == 0)
250 || (rep->r.AddResponse.errormessage == NULL)
251 || (strtol(rep->r.AddResponse.errormessage, &endptr,16) <= 0)
252 || (*endptr != ':')) {
253 printf("Invalid error message!\n");
254 return false;
255 }
256
257 err = ad_error(rep->r.AddResponse.errormessage, &endptr);
258 err_code_str = win_errstr(err);
259 printf(" - Errorcode: %s; Reason: %s\n", err_code_str, endptr);
260 if (!torture_setting_bool(tctx, "samba4", false)) {
261 if ((!W_ERROR_EQUAL(err, WERR_DS_REFERRAL))
262 || (rep->r.AddResponse.resultcode != 10)) {
263 return false;
264 }
265 } else {
266 if ((!W_ERROR_EQUAL(err, WERR_DS_OBJ_CLASS_VIOLATION))
267 || (rep->r.AddResponse.resultcode != 65)) {
268 return false;
269 }
270 }
271
272 printf(" Try a wrong modification\n");
273
274 msg->type = LDAP_TAG_ModifyRequest;
275 msg->r.ModifyRequest.dn = "";
276 msg->r.ModifyRequest.num_mods = 0;
277 msg->r.ModifyRequest.mods = NULL;
278
279 req = ldap_request_send(conn, msg);
280 if (!req) {
281 return false;
282 }
283
284 status = ldap_result_one(req, &rep, LDAP_TAG_ModifyResponse);
285 if (!NT_STATUS_IS_OK(status)) {
286 printf("error in ldap modifification request - %s\n", nt_errstr(status));
287 return false;
288 }
289
290 if ((rep->r.ModifyResponse.resultcode == 0)
291 || (rep->r.ModifyResponse.errormessage == NULL)
292 || (strtol(rep->r.ModifyResponse.errormessage, &endptr,16) <= 0)
293 || (*endptr != ':')) {
294 printf("Invalid error message!\n");
295 return false;
296 }
297
298 err = ad_error(rep->r.ModifyResponse.errormessage, &endptr);
299 err_code_str = win_errstr(err);
300 printf(" - Errorcode: %s; Reason: %s\n", err_code_str, endptr);
301 if (!torture_setting_bool(tctx, "samba4", false)) {
302 if ((!W_ERROR_EQUAL(err, WERR_INVALID_PARAM))
303 || (rep->r.ModifyResponse.resultcode != 53)) {
304 return false;
305 }
306 } else {
307 if ((!W_ERROR_EQUAL(err, WERR_DS_OPERATIONS_ERROR))
308 || (rep->r.ModifyResponse.resultcode != 1)) {
309 return false;
310 }
311 }
312
313 printf(" Try a wrong removal\n");
314
315 msg->type = LDAP_TAG_DelRequest;
316 msg->r.DelRequest.dn = "";
317
318 req = ldap_request_send(conn, msg);
319 if (!req) {
320 return false;
321 }
322
323 status = ldap_result_one(req, &rep, LDAP_TAG_DelResponse);
324 if (!NT_STATUS_IS_OK(status)) {
325 printf("error in ldap removal request - %s\n", nt_errstr(status));
326 return false;
327 }
328
329 if ((rep->r.DelResponse.resultcode == 0)
330 || (rep->r.DelResponse.errormessage == NULL)
331 || (strtol(rep->r.DelResponse.errormessage, &endptr,16) <= 0)
332 || (*endptr != ':')) {
333 printf("Invalid error message!\n");
334 return false;
335 }
336
337 err = ad_error(rep->r.DelResponse.errormessage, &endptr);
338 err_code_str = win_errstr(err);
339 printf(" - Errorcode: %s; Reason: %s\n", err_code_str, endptr);
340 if (!torture_setting_bool(tctx, "samba4", false)) {
341 if ((!W_ERROR_EQUAL(err, WERR_DS_OBJ_NOT_FOUND))
342 || (rep->r.DelResponse.resultcode != 32)) {
343 return false;
344 }
345 } else {
346 if ((!W_ERROR_EQUAL(err, WERR_DS_INVALID_DN_SYNTAX))
347 || (rep->r.DelResponse.resultcode != 34)) {
348 return false;
349 }
350 }
351
352 return true;
353 }
354
355 bool torture_ldap_basic(struct torture_context *torture)
356 {
357 NTSTATUS status;
358 struct ldap_connection *conn;
359 TALLOC_CTX *mem_ctx;
360 bool ret = true;
361 const char *host = torture_setting_string(torture, "host", NULL);
362 const char *userdn = torture_setting_string(torture, "ldap_userdn", NULL);
363 const char *secret = torture_setting_string(torture, "ldap_secret", NULL);
364 char *url;
365 char *basedn;
366
367 mem_ctx = talloc_init("torture_ldap_basic");
368
369 url = talloc_asprintf(mem_ctx, "ldap://%s/", host);
370
371 status = torture_ldap_connection(torture, &conn, url);
372 if (!NT_STATUS_IS_OK(status)) {
373 return false;
374 }
375
376 if (!test_search_rootDSE(conn, &basedn)) {
377 ret = false;
378 }
379
380 /* other bind tests here */
381
382 if (!test_multibind(conn, userdn, secret)) {
383 ret = false;
384 }
385
386 if (!test_bind_sasl(torture, conn, cmdline_credentials)) {
387 ret = false;
388 }
389
390 if (!test_compare_sasl(conn, basedn)) {
391 ret = false;
392 }
393
394 /* error codes test here */
395
396 if (!test_error_codes(torture, conn, basedn)) {
397 ret = false;
398 }
399
400 /* if there are no more tests we are closing */
401 torture_ldap_close(conn);
402 talloc_free(mem_ctx);
403
404 return ret;
405 }
406