-rw-r--r--azure/apt.yml4
-rwxr-xr-xazure/setup-slapd.sh169
-rw-r--r--azure/setup.yml4
-rw-r--r--ext/ldap/tests/CONFLICTS1
-rw-r--r--ext/ldap/tests/connect.inc3
-rw-r--r--ext/ldap/tests/ldap_sasl_bind_basic.phpt13
-rw-r--r--ext/ldap/tests/ldap_sasl_bind_error.phpt21
7 files changed, 207 insertions, 8 deletions
diff --git a/azure/apt.yml b/azure/apt.yml
index 2beb625f62..8e51d80629 100644
--- a/azure/apt.yml
+++ b/azure/apt.yml
@@ -7,6 +7,9 @@ steps:
sudo apt install bison \
re2c \
locales \
+ ldap-utils \
+ openssl \
+ slapd \
language-pack-de \
re2c \
libgmp-dev \
@@ -29,7 +32,6 @@ steps:
libpq-dev \
libreadline-dev \
libldap2-dev \
- libsasl2-dev \
libsodium-dev \
libargon2-0-dev \
postgresql \
diff --git a/azure/setup-slapd.sh b/azure/setup-slapd.sh
new file mode 100755
index 0000000000..72a509f7e0
--- /dev/null
+++ b/azure/setup-slapd.sh
@@ -0,0 +1,169 @@
+#!/bin/sh
+set -ev
+
+# Create TLS certificate
+sudo mkdir -p /etc/ldap/ssl
+
+alt_names() {
+ (
+ (
+ (hostname && hostname -a && hostname -A && hostname -f) |
+ xargs -n 1 |
+ sort -u |
+ sed -e 's/\(\S\+\)/DNS:\1/g'
+ ) && (
+ (hostname -i && hostname -I && echo "127.0.0.1 ::1") |
+ xargs -n 1 |
+ sort -u |
+ sed -e 's/\(\S\+\)/IP:\1/g'
+ )
+ ) | paste -d, -s
+}
+
+sudo openssl req -newkey rsa:4096 -x509 -nodes -days 3650 \
+ -out /etc/ldap/ssl/server.crt -keyout /etc/ldap/ssl/server.key \
+ -subj "/C=US/ST=Arizona/L=Localhost/O=localhost/CN=localhost" \
+ -addext "subjectAltName = `alt_names`"
+
+sudo chown -R openldap:openldap /etc/ldap/ssl
+
+# Display the TLS certificate (should be world readable)
+openssl x509 -noout -text -in /etc/ldap/ssl/server.crt
+
+# Point to the certificate generated
+if ! grep -q 'TLS_CACERT \/etc\/ldap\/ssl\/server.crt' /etc/ldap/ldap.conf; then
+ sudo sed -e 's|^\s*TLS_CACERT|# TLS_CACERT|' -i /etc/ldap/ldap.conf
+ echo 'TLS_CACERT /etc/ldap/ssl/server.crt' | sudo tee -a /etc/ldap/ldap.conf
+fi
+
+# Configure LDAP protocols to serve.
+sudo sed -e 's|^\s*SLAPD_SERVICES\s*=.*$|SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"|' -i /etc/default/slapd
+
+# Configure LDAP database.
+DBDN=`sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(&(olcRootDN=*)(olcSuffix=*))' dn | grep -i '^dn:' | sed -e 's/^dn:\s*//'`;
+
+sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
+
+sudo service slapd restart
+
+sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// << EOF
+dn: $DBDN
+changetype: modify
+replace: olcSuffix
+olcSuffix: dc=my-domain,dc=com
+-
+replace: olcRootDN
+olcRootDN: cn=Manager,dc=my-domain,dc=com
+-
+replace: olcRootPW
+olcRootPW: secret
+
+dn: cn=config
+changetype: modify
+add: olcTLSCACertificateFile
+olcTLSCACertificateFile: /etc/ldap/ssl/server.crt
+-
+add: olcTLSCertificateFile
+olcTLSCertificateFile: /etc/ldap/ssl/server.crt
+-
+add: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: /etc/ldap/ssl/server.key
+-
+add: olcTLSVerifyClient
+olcTLSVerifyClient: never
+-
+add: olcAuthzRegexp
+olcAuthzRegexp: uid=usera,cn=digest-md5,cn=auth cn=usera,dc=my-domain,dc=com
+-
+replace: olcLogLevel
+olcLogLevel: -1
+
+dn: cn=module{0},cn=config
+changetype: modify
+add: olcModuleLoad
+olcModuleLoad: sssvlv
+-
+add: olcModuleLoad
+olcModuleLoad: ppolicy
+-
+add: olcModuleLoad
+olcModuleLoad: dds
+EOF
+
+sudo service slapd restart
+
+sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// << EOF
+dn: olcOverlay=sssvlv,$DBDN
+objectClass: olcOverlayConfig
+objectClass: olcSssVlvConfig
+olcOverlay: sssvlv
+olcSssVlvMax: 10
+olcSssVlvMaxKeys: 5
+
+dn: olcOverlay=ppolicy,$DBDN
+objectClass: olcOverlayConfig
+objectClass: olcPPolicyConfig
+olcOverlay: ppolicy
+### This would clutter our DIT and make tests to fail, while ppolicy does not
+### seem to work as we expect (it does not seem to provide expected controls)
+## olcPPolicyDefault: cn=default,ou=pwpolicies,dc=my-domain,dc=com
+## olcPPolicyHashCleartext: FALSE
+## olcPPolicyUseLockout: TRUE
+
+dn: olcOverlay=dds,$DBDN
+objectClass: olcOverlayConfig
+objectClass: olcDdsConfig
+olcOverlay: dds
+EOF
+
+sudo service slapd restart
+
+sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// << EOF
+dn: $DBDN
+changetype: modify
+add: olcDbIndex
+olcDbIndex: entryExpireTimestamp eq
+EOF
+
+sudo service slapd restart
+
+ldapadd -H ldapi:/// -D cn=Manager,dc=my-domain,dc=com -w secret <<EOF
+dn: dc=my-domain,dc=com
+objectClass: top
+objectClass: organization
+objectClass: dcObject
+dc: my-domain
+o: php ldap tests
+
+### This would clutter our DIT and make tests to fail, while ppolicy does not
+### seem to work as we expect (it does not seem to provide expected controls)
+## dn: ou=pwpolicies,dc=my-domain,dc=com
+## objectClass: top
+## objectClass: organizationalUnit
+## ou: pwpolicies
+##
+## dn: cn=default,ou=pwpolicies,dc=my-domain,dc=com
+## objectClass: top
+## objectClass: person
+## objectClass: pwdPolicy
+## cn: default
+## sn: default
+## pwdAttribute: userPassword
+## pwdMaxAge: 2592000
+## pwdExpireWarning: 3600
+## #pwdInHistory: 0
+## pwdCheckQuality: 0
+## pwdMaxFailure: 5
+## pwdLockout: TRUE
+## #pwdLockoutDuration: 0
+## #pwdGraceAuthNLimit: 0
+## #pwdFailureCountInterval: 0
+## pwdMustChange: FALSE
+## pwdMinLength: 3
+## pwdAllowUserChange: TRUE
+## pwdSafeModify: FALSE
+EOF
+
+# Verify TLS connection
+
+ldapsearch -d 255 -H ldaps://localhost -D cn=Manager,dc=my-domain,dc=com -w secret -s base -b dc=my-domain,dc=com 'objectclass=*'
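Review bot: `DBDN` is assigned from a backticked ldapsearch/grep/sed pipeline and then used unchecked as the `dn:` of every following ldapmodify/ldapadd heredoc; because the pipeline's exit status is swallowed by the command substitution, `set -e` never fires, and an empty result would yield `dn: ` and fail later with an opaque LDIF error. Adding `: "${DBDN:?could not determine database DN from cn=config}"` directly after the assignment makes that failure explicit and local. A second point is visibility of the fixture credentials: `set -ev` prints every source line, so the heredoc carrying `olcRootPW: secret` and the `-w secret` invocations are echoed into the CI log; the value is a throwaway test password, so this is informational, but `set -ex` would trace the commands without dumping the LDIF bodies. Finally, `olcTLSVerifyClient: never`, `olcLogLevel: -1` and the cleartext `olcRootPW` are fine for a disposable test server but deserve a one-line comment such as `# Test-only settings: no client-cert verification, full debug logging, cleartext root password` so nobody copies this block into a non-test deployment.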
diff --git a/azure/setup.yml b/azure/setup.yml
index dbf7921c47..523bb3b401 100644
--- a/azure/setup.yml
+++ b/azure/setup.yml
@@ -3,7 +3,11 @@ steps:
set -e
sudo service mysql start
sudo service postgresql start
+ sudo service slapd start
mysql -uroot -proot -e "CREATE DATABASE IF NOT EXISTS test"
sudo -u postgres psql -c "ALTER USER postgres PASSWORD 'postgres';"
sudo -u postgres psql -c "CREATE DATABASE test;"
displayName: 'Setup'
+ - script: ./azure/setup-slapd.sh
+ displayName: 'Configure slapd'
+
diff --git a/ext/ldap/tests/CONFLICTS b/ext/ldap/tests/CONFLICTS
new file mode 100644
index 0000000000..c1142c3c5c
--- /dev/null
+++ b/ext/ldap/tests/CONFLICTS
@@ -0,0 +1 @@
+ldap
diff --git a/ext/ldap/tests/connect.inc b/ext/ldap/tests/connect.inc
index bd6a144d2e..e3a9d1c777 100644
--- a/ext/ldap/tests/connect.inc
+++ b/ext/ldap/tests/connect.inc
@@ -9,8 +9,9 @@ $host = getenv("LDAP_TEST_HOST") ?: "localhost";
$port = getenv("LDAP_TEST_PORT") ?: 389;
$base = getenv("LDAP_TEST_BASE") ?: "dc=my-domain,dc=com";
$user = getenv("LDAP_TEST_USER") ?: "cn=Manager,$base";
-$sasl_user = getenv("LDAP_TEST_SASL_USER") ?: "Manager";
$passwd = getenv("LDAP_TEST_PASSWD") ?: "secret";
+$sasl_user = getenv("LDAP_TEST_SASL_USER") ?: "userA";
+$sasl_passwd = getenv("LDAP_TEST_SASL_PASSWD") ?: "oops";
$protocol_version = getenv("LDAP_TEST_OPT_PROTOCOL_VERSION") ?: 3;
$skip_on_bind_failure = getenv("LDAP_TEST_SKIP_BIND_FAILURE") ?: true;
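Review bot: The new `$sasl_user`/`$sasl_passwd` defaults (`"userA"`/`"oops"`) are only meaningful together with the dummy entry that the SASL tests now create via `insert_dummy_data()`, which is not in this hunk, and with the `olcAuthzRegexp` mapping `uid=usera,cn=digest-md5,cn=auth` to `cn=usera,dc=my-domain,dc=com` in azure/setup-slapd.sh; nothing here records that coupling. DIGEST-MD5 also requires slapd to hold the user's clear-text `userPassword`, so the dummy entry presumably stores it unhashed — worth confirming. A comment above the two lines, e.g. `// SASL defaults must match the dummy user created by insert_dummy_data() and the olcAuthzRegexp in azure/setup-slapd.sh (DIGEST-MD5 needs a clear-text userPassword)`, would keep a later edit to either side from silently breaking the SASL tests.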
diff --git a/ext/ldap/tests/ldap_sasl_bind_basic.phpt b/ext/ldap/tests/ldap_sasl_bind_basic.phpt
index d447572e09..3ab977b854 100644
--- a/ext/ldap/tests/ldap_sasl_bind_basic.phpt
+++ b/ext/ldap/tests/ldap_sasl_bind_basic.phpt
@@ -17,9 +17,20 @@ Patrick Allaert <patrickallaert@php.net>
<?php
require "connect.inc";
+$link = ldap_connect_and_bind($host, $port, $user, $passwd, $protocol_version);
+insert_dummy_data($link, $base);
+ldap_unbind($link);
+
$link = ldap_connect($host, $port);
ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, $protocol_version);
-var_dump(ldap_sasl_bind($link, null, $passwd, 'DIGEST-MD5', 'realm', $sasl_user));
+var_dump(ldap_sasl_bind($link, null, $sasl_passwd, 'DIGEST-MD5', 'realm', $sasl_user));
+?>
+--CLEAN--
+<?php
+include "connect.inc";
+
+$link = ldap_connect_and_bind($host, $port, $user, $passwd, $protocol_version);
+remove_dummy_data($link, $base);
?>
--EXPECT--
bool(true)
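Review bot: The new `--CLEAN--` section pulls the helpers in with `include "connect.inc";` while the test body uses `require "connect.inc";`; with `include`, a missing or unreadable connect.inc only warns and the section then calls undefined `ldap_connect_and_bind()`/`remove_dummy_data()`, leaving the dummy entries behind for the next test. Using `require "connect.inc";` in the clean section keeps both phases failing the same way. The same `include` appears in the clean section added to ldap_sasl_bind_error.phpt in this commit.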
diff --git a/ext/ldap/tests/ldap_sasl_bind_error.phpt b/ext/ldap/tests/ldap_sasl_bind_error.phpt
index eb68370ff6..53a84eae1a 100644
--- a/ext/ldap/tests/ldap_sasl_bind_error.phpt
+++ b/ext/ldap/tests/ldap_sasl_bind_error.phpt
@@ -11,22 +11,33 @@ Patrick Allaert <patrickallaert@php.net>
<?php
require "connect.inc";
+$link = ldap_connect_and_bind($host, $port, $user, $passwd, $protocol_version);
+insert_dummy_data($link, $base);
+ldap_unbind($link);
+
$link = ldap_connect($host, $port);
ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, $protocol_version);
// Invalid DN
-var_dump(ldap_sasl_bind($link, "Invalid DN", $passwd, 'DIGEST-MD5', 'realm', $sasl_user));
+var_dump(ldap_sasl_bind($link, "Invalid DN", $sasl_passwd, 'DIGEST-MD5', 'realm', $sasl_user));
// Invalid user
-var_dump(ldap_sasl_bind($link, null, "ThisIsNotCorrect$passwd", 'DIGEST-MD5', "realm", "invalid$sasl_user"));
+var_dump(ldap_sasl_bind($link, null, "ThisIsNotCorrect$sasl_passwd", 'DIGEST-MD5', "realm", "invalid$sasl_user"));
// Invalid password
-var_dump(ldap_sasl_bind($link, null, "ThisIsNotCorrect$passwd", 'DIGEST-MD5', "realm", $sasl_user));
+var_dump(ldap_sasl_bind($link, null, "ThisIsNotCorrect$sasl_passwd", 'DIGEST-MD5', "realm", $sasl_user));
-var_dump(ldap_sasl_bind($link, null, $passwd, 'DIGEST-MD5', "realm", "Manager", "test"));
+var_dump(ldap_sasl_bind($link, null, $sasl_passwd, 'DIGEST-MD5', "realm", "Manager", "test"));
// Invalid DN syntax
-var_dump(ldap_sasl_bind($link, "unexistingProperty=weirdValue,$user", $passwd));
+var_dump(ldap_sasl_bind($link, "unexistingProperty=weirdValue,$user", $sasl_passwd));
+?>
+--CLEAN--
+<?php
+include "connect.inc";
+
+$link = ldap_connect_and_bind($host, $port, $user, $passwd, $protocol_version);
+remove_dummy_data($link, $base);
?>
--EXPECTF--
Warning: ldap_sasl_bind(): Unable to bind to server: Invalid DN syntax in %s on line %d