From 4697625becadbd2d3eea9feb3eaacd2bf91ecdd4 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Mon, 21 Jan 2013 02:15:29 +0100 Subject: Adapted the test suite to domain creation. --- ldap/test-user-acl.sh | 300 ++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 241 insertions(+), 59 deletions(-) (limited to 'ldap/test-user-acl.sh') diff --git a/ldap/test-user-acl.sh b/ldap/test-user-acl.sh index 9b954c7..1dda3dc 100755 --- a/ldap/test-user-acl.sh +++ b/ldap/test-user-acl.sh @@ -19,7 +19,7 @@ RES=$(tempfile) || exit 1 checkACL () { CMD=${SLAPACL} - BIND="${1},${SUFFIX}" + if [ x"${1}" = x"''" ]; then BIND=${SUFFIX}; else BIND="${1},${SUFFIX}"; fi if [ -n "${1}" ]; then CMD="${CMD} -D ${BIND}"; fi if [ -n "${2}" ]; then BASE="${2},${SUFFIXV}"; else BASE="${SUFFIXV}"; fi shift; shift @@ -79,7 +79,7 @@ LISTS=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualList" dn | \ LISTSC=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualListCommand" dn | \ grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+), *([^,]+),.*/fvlc=\1,fvl=\2,fvd=\3/') -OPERATTRS="structuralObjectClass entryUUID createTimestamp entryCSN modifiersName modifyTimestamp" +OPERATTRS="structuralObjectClass creatorsName entryUUID createTimestamp entryCSN modifiersName modifyTimestamp" ######################################################################## 
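Review bot: The new `x"${1}" = x"''"` branch in checkACL keys on a caller-supplied two-character sentinel (a pair of literal quote characters) that nothing in the function documents, and a reader will easily mistake it for an empty-string test; an actually empty `$1` still takes the else branch and only avoids `-D` because of the `-n` test on the next line. Add a comment above the new line: `# "''" (two literal quote chars) means: bind as the suffix entry itself; an empty first argument means anonymous (no -D)`. The `-D ${BIND}` splice into CMD stays unquoted, so a SUFFIX containing whitespace would word-split when CMD is run; that predates this commit but the new sentinel path inherits it. checkACL's body continues past the end of the hunk.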
@@ -92,40 +92,96 @@ echo "Anonymous users:" msg "Have =xd access to \"userPassword\" attributes" for U in ${USERS}; do checkACL "" "${U}" userPassword -done | isOK 'auth(=xd)$' +done | isOK '=xd$' [ $? -eq 0 ] || exit $? msg "Have =0 access to the rest of user entries" for U in ${USERS}; do checkACL "" "${U}" -done | grep -v '^userPassword=.*: auth(=xd)$' | isOK '=0$' entry +done | grep -v '^userPassword=.*: =xd$' | isOK '=0$' entry [ $? -eq 0 ] || exit $? msg "Have =0 access to alias entries" for A in ${ALIASES}; do checkACL "" "${A}" -done | isOK '=0' entry +done | isOK '=0$' entry [ $? -eq 0 ] || exit $? msg "Have =0 access to list entries" for L in ${LISTS}; do checkACL "" "${L}" -done | isOK '=0' entry +done | isOK '=0$' entry +[ $? -eq 0 ] || exit $? + + +msg "Have =0 access to list commands entries" +for LC in ${LISTSC}; do + checkACL "" "${LC}" +done | isOK '=0$' entry [ $? -eq 0 ] || exit $? msg "Have =0 access to domain entries" for D in ${DOMAINS}; do checkACL "" "${D}" -done | isOK '=0' entry +done | isOK '=0$' entry +[ $? -eq 0 ] || exit $? + + +msg "Have =0 access to the base" +checkACL "" "" | isOK '=0$' entry +[ $? -eq 0 ] || exit $? + + +########################################################################### + +echo +echo "Authenticated non-users" +NU="'' ${DOMAINS} ${ALIASES} ${LISTS} ${LISTSC}" + +msg "Have =0 access to alias entries" +for X in ${NU}; do + for A in ${ALIASES}; do + checkACL "${X}" "${A}" + done +done | isOK '=0$' entry +[ $? -eq 0 ] || exit $? + + +msg "Have =0 access to list entries" +for X in ${NU}; do + for L in ${LISTS}; do + checkACL "${X}" "${L}" + done +done | isOK '=0$' entry +[ $? -eq 0 ] || exit $? + + +msg "Have =0 access to list commands entries" +for X in ${NU}; do + for LC in ${LISTSC}; do + checkACL "${X}" "${LC}" + done +done | isOK '=0$' entry +[ $? -eq 0 ] || exit $? 
+ + +msg "Have =0 access to domain entries" +for X in ${NU}; do + for D in ${DOMAINS}; do + checkACL "${X}" "${D}" + done +done | isOK '=0$' entry [ $? -eq 0 ] || exit $? msg "Have =0 access to the base" -checkACL "" "" | isOK '=0' entry +for X in ${NU}; do + checkACL "${X}" "" +done | isOK '=0$' entry [ $? -eq 0 ] || exit $? @@ -148,10 +204,9 @@ usersB entry | isOK '=s' entry [ $? -eq 0 ] || exit $? -# Needed to delete domains. They cannot create domains though, as they -# would need =a on the "children" attribute. -msg "Have =z access on the base's \"children\" attribute" -usersB children | isOK '=z$' children +# Needed to create/delete domains. +msg "Have =w access on the base's \"children\" attribute" +usersB children | isOK '=w$' children [ $? -eq 0 ] || exit $? @@ -167,7 +222,8 @@ echo echo "Authenticated users, access to domain entries" # * entry: -# =s-a for all +# =s for all +# +a if canAddDomain # +rd if children, canAdd{Alias,List}, owner or postmaster # +z if owner or postmaster # * children: @@ -180,6 +236,8 @@ echo "Authenticated users, access to domain entries" # * fripostIsStatusActive # =rscd if children, canAdd{Alias,List}, owner or postmaster # +w if owner or postmaster +# * fripostPendingToken +# =zscd if owner or postmaster # * fripostCanAddAlias # =rscd if canAddAlias, owner or postmaster # +w if postmaster 
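Review bot: The new "Authenticated non-users" section checks a bind as a domain, alias, list or list-command entry against every other entry type and the base, but never against user entries, so the right such an identity holds on `userPassword` and the rest of a user entry is untested; anonymous gets the explicit `=xd`-only check just above, these identities get nothing. Whatever the intended right is (presumably =0, as for every other entry type in this section, but that is a guess to confirm against the ACL), add a loop over `${USERS}` so it is pinned. The block below mirrors the sibling loops in the section.
```shell
msg "Have =0 access to user entries"
for X in ${NU}; do
    for U in ${USERS}; do
        checkACL "${X}" "${U}"
    done
done | isOK '=0$' entry
[ $? -eq 0 ] || exit $?
```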
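Review bot: Granting every authenticated user `=w` on the base's `children` pseudo-attribute means the only thing still stopping an arbitrary user from adding a domain is the `+a`-on-`entry` gate tested further down (`Do not have >=a access to "entry" (unless canAddDomain)`), and the rewritten comment no longer says so. Spell the dependency out where the right is asserted: `# Needed to create/delete domains. =w on children alone does not allow an add; the per-entry entry/add check (canAddDomain) below is the real gate.` If that later check is ever loosened, this `=w` silently becomes a domain-creation right for all users, so the two tests should be read together.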
@@ -208,11 +266,68 @@ usersD () { done } -msg "Cannot appoint domain Owners or Postmasters; Cannot add a domain" +msg "Cannot appoint domain Owners or Postmasters" usersD fripostOwner/add fripostOwner/delete \ fripostPostmaster/add fripostPostmaster/delete \ - entry/add \ - | isOK 'DENIED$' entry + entryUUID/add \ + | isOK 'DENIED$' entryUUID +[ $? -eq 0 ] || exit $? + + +msg "Have =0 rights on the \"pending\" status (unless owner or postmaster)" +for U in ${USERS}; do + for D in ${DOMAINS}; do + search -s base -b "${D},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX}) + (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \ + checkACL "${U}" "${D}" fripostPendingToken + done +done | isOK '=0$' +[ $? -eq 0 ] || exit $? + + +msg "Have =zscd access on the \"pending\" status (if owner or postmaster)" +for U in ${USERS}; do + for D in ${DOMAINS}; do + search -s base -b "${D},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX}) + (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' && \ + checkACL "${U}" "${D}" fripostPendingToken + done +done | isOK '=zscd$' +[ $? -eq 0 ] || exit $? + + +# Needed to create new entries. ("+z" is required to delete, btw.) +msg "Have >=a access to \"entry\" (if CanAddDomain, exact)" +for U in ${USERS}; do + for D in ${DOMAINS}; do + search -s base -b "${SUFFIX}" "fripostCanAddDomain=${U},${SUFFIX}" | grep -q '^dn: ' && \ + checkACL "${U}" "${D}" entry/add + done +done | isOK 'ALLOWED$' entry add +[ $? -eq 0 ] || exit $? + + +# Needed to create new entries. ("+z" is required to delete, btw.) +msg "Have >=a access to \"entry\" (if CanAddDomain, wildcard)" +for U in ${USERS}; do + DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" + for D in ${DOMAINS}; do + search -s base -b "${SUFFIX}" "fripostCanAddDomain=${DU},${SUFFIX}" | grep -q '^dn: ' && \ + checkACL "${U}" "${D}" entry/add + done +done | isOK 'ALLOWED$' entry add +[ $? -eq 0 ] || exit $? 
+ + +msg "Do not have >=a access to \"entry\" (unless canAddDomain)" +for U in ${USERS}; do + DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" + for D in ${DOMAINS}; do + search -s base -b "${SUFFIX}" "(|(fripostCanAddDomain=${U},${SUFFIX}) + (fripostCanAddDomain=${DU},${SUFFIX}))" | grep -q '^dn: ' || \ + checkACL "${U}" "${D}" entry/add + done +done | isOK 'DENIED$' entry add [ $? -eq 0 ] || exit $? # We ensure not to give +a/+z access to the \"entry\" attribute of the @@ -372,9 +487,9 @@ for U in ${USERS}; do (fripostCanAddList=${DU},${SUFFIX}) (fripostOwner=${U},${SUFFIX}) (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \ - checkACL "${U}" "${D}" ${ATTRSA} ${ATTRSL} entry/add + checkACL "${U}" "${D}" ${ATTRSA} ${ATTRSL} entryUUID/add done -done | isOK 'DENIED$' entry # "entry" here is useless, but it's just to get the count +done | isOK 'DENIED$' entryUUID # "entryUUID" here is useless, but it's just to get the count [ $? -eq 0 ] || exit $? @@ -387,9 +502,9 @@ for U in ${USERS}; do (fripostCanAddAlias=${DU},${SUFFIX}) (fripostOwner=${U},${SUFFIX}) (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \ - checkACL "${U}" "${D}" fripostCanAddAlias entry/add + checkACL "${U}" "${D}" fripostCanAddAlias entryUUID/add done -done | isOK '\(=0\|DENIED\)$' entry # "entry" here is useless, but it's just to get the count +done | isOK '\(=0\|DENIED\)$' entryUUID # "entryUUID" here is useless, but it's just to get the count [ $? -eq 0 ] || exit $? @@ -402,9 +517,9 @@ for U in ${USERS}; do (fripostCanAddList=${DU},${SUFFIX}) (fripostOwner=${U},${SUFFIX}) (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \ - checkACL "${U}" "${D}" fripostCanAddList entry/add + checkACL "${U}" "${D}" fripostCanAddList entryUUID/add done -done | isOK '\(=0\|DENIED\)$' entry # "entry" here is useless, but it's just to get the count +done | isOK '\(=0\|DENIED\)$' entryUUID # "entryUUID" here is useless, but it's just to get the count [ $? -eq 0 ] || exit $? 
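Review bot: The `=zscd` test pins owners and postmasters to search/compare/disclose on a domain's `fripostPendingToken` without read, which is the right shape for a confirmation token, but `c` still lets such a user verify guesses one compare at a time and `s` lets them extract the value with substring filters if the attribute type declares a SUBSTR matching rule (the schema is not in this diff, so confirm). If the token is meant to stay secret from the owner, add a one-line rationale to the test, e.g. `# no 'r': the token is confirmed out of band, never read back; 's'/'c' are only needed to filter on (fripostPendingToken=*)`, and consider a negative check `checkACL "${U}" "${D}" fripostPendingToken/read` with `isOK 'DENIED$'` for owners and postmasters. Also note that in the `(unless owner or postmaster)` variants the `search ... || checkACL` shape treats a failed `search` (server down, bad filter) as "not an owner", so a broken search runs the =0 check against real owners and the suite fails for the wrong reason; checking the search status separately would make that explicit.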
@@ -425,9 +540,9 @@ msg "Do not have >=w access to \"canAdd{Alias,List}\" (unless Postmaster)" for U in ${USERS}; do for D in ${DOMAINS}; do search -s base -b "${D},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' || \ - checkACL "${U}" "${D}" ${ATTRSP} entry/add + checkACL "${U}" "${D}" ${ATTRSP} entryUUID/add done -done | isOK 'DENIED$' entry # "entry" here is useless, but it's just to get the count +done | isOK 'DENIED$' entryUUID # "entryUUID" here is useless, but it's just to get the count [ $? -eq 0 ] || exit $? @@ -466,16 +581,16 @@ usersU () { # They would need write access to their fripostUserQuota. # In practice they can't write fvu either, since it's single valued. -msg "Have =rscxd access to their \"fripostUserQuota\"" -usersU fripostUserQuota | isOK 'read(=rscxd)$' +msg "Have =rscd access to their \"fripostUserQuota\"" +usersU fripostUserQuota | isOK '=rscd$' [ $? -eq 0 ] || exit $? -msg "Have =wd access to their own \"userPassword\"" +msg "Have =w access to their own \"userPassword\"" usersU userPassword | isOK '=w$' [ $? -eq 0 ] || exit $? -msg "Have =wrscxd access to the other attributes of their own entry" -usersU fvu fripostIsStatusActive fripostOptionalMaildrop description | isOK 'write(=wrscxd)$' fvu +msg "Have =wrscd access to the other attributes of their own entry" +usersU fvu fripostIsStatusActive fripostOptionalMaildrop description | isOK '=wrscd$' fvu [ $? -eq 0 ] || exit $? msg "Have >=rsd access to the \"entry\" attribute of their own entry" 
@@ -519,16 +634,16 @@ usersP () { done } -msg "Have =rscxd access to their user's \"fripostUserQuota\" (if Postmaster)" -usersP fripostUserQuota | isOK 'read(=rscxd)$' +msg "Have =rscd access to their user's \"fripostUserQuota\" (if Postmaster)" +usersP fripostUserQuota | isOK '=rscd$' [ $? -eq 0 ] || exit $? msg "Have =wd access to their user's \"userPassword\" (if Postmaster)" usersP userPassword | isOK '=w$' [ $? -eq 0 ] || exit $? -msg "Have =wrscxd access to the other attributes of their users' entry (if Postmaster)" -usersP fvu fripostIsStatusActive fripostOptionalMaildrop description | isOK 'write(=wrscxd)$' fvu +msg "Have =wrscd access to the other attributes of their users' entry (if Postmaster)" +usersP fvu fripostIsStatusActive fripostOptionalMaildrop description | isOK '=wrscd$' fvu [ $? -eq 0 ] || exit $? # "+a" is needed to create new accounts. "+z" would be required to @@ -716,7 +831,7 @@ echo "Authenticated users, access to list entries" # =rscd if list owner, domain owner or domain postmaster # * fripostIsStatusActive: # =wrscd if list owner, domain owner or domain postmaster -# * fripostIsStatusPending: +# * fripostPendingToken: # =rscd if list owner, domain owner or domain postmaster # * fripostOwner: # =d for all @@ -753,12 +868,12 @@ done | isOK 'DENIED$' fripostListManager [ $? -eq 0 ] || exit $? -msg "Cannot edit pending status; Cannot delete entry" +msg "Cannot read or delete the pending status; Cannot delete entry" for U in ${USERS}; do for L in ${LISTS}; do - checkACL "${U}" "${L}" fripostIsStatusPending/write entry/delete + checkACL "${U}" "${L}" fripostPendingToken/read fripostPendingToken/add fripostPendingToken/delete entry/delete done -done | isOK 'DENIED$' fripostIsStatusPending +done | isOK 'DENIED$' entry [ $? -eq 0 ] || exit $? 
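Review bot: The message `Have =wd access to their user's "userPassword" (if Postmaster)` still says `=wd` while the assertion right under it pins `=w$`, and this commit fixed exactly that wording two sections up for the user's own entry; change it to `msg "Have =w access to their user's \"userPassword\" (if Postmaster)"` so the log matches what is tested. The line is context in this hunk, not changed by it, but it sits between two lines the commit does rewrite.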
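Review bot: The new test asserts `fripostPendingToken/read` is DENIED for every user on every list, and the owners' ATTRS block in the next hunk drops `fripostPendingToken/read`, yet the renamed comment above (`# * fripostPendingToken:` followed by `# =rscd if list owner, domain owner or domain postmaster`) still promises `r`; one of the two is wrong, and going by the tests it is the comment. Update it to `# =scd if list owner, domain owner or domain postmaster` (or restore read in the tests if list owners really are meant to see the token). The message also undersells the check, which covers add as well: `msg "Cannot read, add or delete the pending token; Cannot delete entry"`.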
@@ -766,7 +881,7 @@ ATTRS="entry/read entry/disclose fvl/write fvl/read fvl/search fvl/compare fvl/disclose fripostListManager/read fripostListManager/search fripostListManager/compare fripostListManager/disclose fripostIsStatusActive/write fripostIsStatusActive/read fripostIsStatusActive/search fripostIsStatusActive/compare fripostIsStatusActive/disclose - fripostIsStatusPending/read fripostIsStatusPending/search fripostIsStatusPending/compare fripostIsStatusPending/disclose + fripostPendingToken/search fripostPendingToken/compare fripostPendingToken/disclose fripostOwner/read fripostOwner/compare fripostOwner/disclose description/add description/delete description/read description/compare description/disclose" ATTRS2="fripostOwner/add fripostOwner/delete" 
@@ -888,53 +1003,93 @@ echo "Service SMTP" msg "Can read and search the domain attributes it needs" for D in ${DOMAINS}; do - checkACL "cn=SMTP" "${D}" entry objectClass fvd fripostIsStatusActive fripostOptionalMaildrop + checkACL "cn=SMTP" "${D}" entry fvd fripostOptionalMaildrop done | isOK '=rsd$' entry +[ $? -eq 0 ] || exit $? + +msg "Can search the domain attributes it needs" +for D in ${DOMAINS}; do + checkACL "cn=SMTP" "${D}" objectClass fripostPendingToken fripostIsStatusActive +done | isOK '=sd$' objectClass +[ $? -eq 0 ] || exit $? msg "Have =0 access on other domain attributes" for D in ${DOMAINS}; do checkACL "cn=SMTP" "${D}" children ${OPERATTRS} fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description -done | isOK 'none(=0)$' children +done | isOK '=0$' children +[ $? -eq 0 ] || exit $? msg "Can read and search the user attributes it needs" for U in ${USERS}; do - checkACL "cn=SMTP" "${U}" entry objectClass fvu fripostIsStatusActive fripostOptionalMaildrop + checkACL "cn=SMTP" "${U}" entry fvu fripostOptionalMaildrop done | isOK '=rsd$' entry +[ $? -eq 0 ] || exit $? + +msg "Can search the user attributes it needs" +for U in ${USERS}; do + checkACL "cn=SMTP" "${U}" objectClass fripostIsStatusActive +done | isOK '=sd$' objectClass +[ $? -eq 0 ] || exit $? msg "Have =0 access on other user attributes" for U in ${USERS}; do - checkACL "cn=SMTP" "${U}" children ${OPERATTRS} userPassword fripostUser description -done | isOK 'none(=0)$' children + checkACL "cn=SMTP" "${U}" children ${OPERATTRS} userPassword fripostUserQuota description +done | isOK '=0$' children +[ $? -eq 0 ] || exit $? msg "Can read and search the alias attributes it needs" for A in ${ALIASES}; do - checkACL "cn=SMTP" "${A}" entry objectClass fva fripostMaildrop fripostIsStatusActive + checkACL "cn=SMTP" "${A}" entry fva fripostMaildrop done | isOK '=rsd$' entry +[ $? -eq 0 ] || exit $? 
+ +msg "Can search the alias attributes it needs" +for A in ${ALIASES}; do + checkACL "cn=SMTP" "${A}" objectClass fripostIsStatusActive +done | isOK '=sd$' objectClass +[ $? -eq 0 ] || exit $? msg "Have =0 access on other alias attributes" for A in ${ALIASES}; do checkACL "cn=SMTP" "${A}" children ${OPERATTRS} fripostOwner description -done | isOK 'none(=0)$' children +done | isOK '=0$' children +[ $? -eq 0 ] || exit $? msg "Can read and search the list attributes it needs" for L in ${LISTS}; do - checkACL "cn=SMTP" "${L}" entry objectClass fvl fripostIsStatusActive fripostLocalAlias fripostIsStatusPending + checkACL "cn=SMTP" "${L}" entry fvl fripostLocalAlias done | isOK '=rsd$' entry +[ $? -eq 0 ] || exit $? + +msg "Can search the list attributes it needs" +for L in ${LISTS}; do + checkACL "cn=SMTP" "${L}" objectClass fripostIsStatusActive fripostPendingToken +done | isOK '=sd$' objectClass +[ $? -eq 0 ] || exit $? msg "Have =0 access on other list attributes" for L in ${LISTS}; do checkACL "cn=SMTP" "${L}" children ${OPERATTRS} fripostListManager fripostOwner description -done | isOK 'none(=0)$' children +done | isOK '=0$' children +[ $? -eq 0 ] || exit $? msg "Can read and search the list command attributes it needs" for LC in ${LISTSC}; do - checkACL "cn=SMTP" "${LC}" entry objectClass fvlc fripostIsStatusActive fripostLocalAlias + checkACL "cn=SMTP" "${LC}" entry fvlc done | isOK '=rsd$' entry +[ $? -eq 0 ] || exit $? + +msg "Can search the list command attributes it needs" +for LC in ${LISTSC}; do + checkACL "cn=SMTP" "${LC}" objectClass +done | isOK '=sd$' objectClass +[ $? -eq 0 ] || exit $? msg "Have =0 access on other list command attributes" for LC in ${LISTSC}; do checkACL "cn=SMTP" "${LC}" children ${OPERATTRS} -done | isOK 'none(=0)$' children +done | isOK '=0$' children +[ $? -eq 0 ] || exit $? ########################################################################### 
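Review bot: For list-command entries the SMTP checks no longer mention `fripostIsStatusActive` or `fripostLocalAlias` at all: the old `=rsd` line covered both, the new `=rsd` line keeps only `entry fvlc`, the new `=sd` line only `objectClass`, and the `=0` line is unchanged, so whatever right cn=SMTP now holds on those two attributes is untested (the ListCreator section further down still treats `fripostLocalAlias` as a list-command attribute, so it has not left the schema). Put each one back on whichever line matches the intended ACL, e.g. `checkACL "cn=SMTP" "${LC}" objectClass fripostIsStatusActive` if it is search-only like the other entry types, and add `fripostLocalAlias` to the `=rsd` or `=0` line as appropriate. Dropping an attribute from all three lists is the one change in this section that loosens coverage, so it deserves a comment if it is deliberate.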
@@ -946,46 +1101,55 @@ msg "Have =0 access on domain attributes" for D in ${DOMAINS}; do checkACL "cn=ListCreator" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description done | isOK '=0$' entry +[ $? -eq 0 ] || exit $? msg "Have =0 access on user attributes" for U in ${USERS}; do checkACL "cn=ListCreator" "${U}" entry children ${OPERATTRS} fvu userPassword fripostIsStatusActive fripostUserQuota fripostOptionalMaildrop description done | isOK '=0$' entry +[ $? -eq 0 ] || exit $? msg "Have =0 access on alias attributes" for A in ${ALIASES}; do checkACL "cn=ListCreator" "${A}" entry children ${OPERATTRS} fva fripostMaildrop fripostIsStatusActive fripostOwner description done | isOK '=0$' entry +[ $? -eq 0 ] || exit $? -msg "Have =zrd access on lists' pending status" +msg "Have =zsd access on lists' pending status" for L in ${LISTS}; do - checkACL "cn=ListCreator" "${L}" fripostIsStatusPending -done | isOK '=zrd$' + checkACL "cn=ListCreator" "${L}" fripostPendingToken +done | isOK '=zsd$' +[ $? -eq 0 ] || exit $? msg "Have =rsd access on lists' entry attribute" for L in ${LISTS}; do checkACL "cn=ListCreator" "${L}" entry done | isOK '=rsd$' +[ $? -eq 0 ] || exit $? msg "Have =a access on lists' children attribute" for L in ${LISTS}; do checkACL "cn=ListCreator" "${L}" children done | isOK '=a$' +[ $? -eq 0 ] || exit $? msg "Have =0 access on other list attributes" for L in ${LISTS}; do checkACL "cn=ListCreator" "${L}" ${OPERATTRS} fvl fripostListManager fripostIsStatusActive fripostLocalAlias fripostOwner description done | isOK '=0$' fvl +[ $? -eq 0 ] || exit $? msg "Have =a access on list commands' entry attribute" for LC in ${LISTSC}; do checkACL "cn=ListCreator" "${LC}" entry done | isOK '=a$' +[ $? -eq 0 ] || exit $? 
msg "Have =0 access on other list command attributes" for LC in ${LISTSC}; do checkACL "cn=ListCreator" "${LC}" children ${OPERATTRS} fvlc fripostLocalAlias done | isOK '=0$' children +[ $? -eq 0 ] || exit $? ########################################################################### 
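Review bot: Domain entries gain `fripostPendingToken` in this commit, but the ListCreator `Have =0 access on domain attributes` line still lists the old attribute set, so the service's right on a domain's pending token is never asserted (the AdminWebPanel list check below was extended with the new attribute, the domain checks were not). Append it: `checkACL "cn=ListCreator" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description fripostPendingToken`. Separately, every added `[ $? -eq 0 ] || exit $?` is a new exit path that leaves the `tempfile` result behind, because the only `rm "${RES}"` is the last line of the script; a `trap 'rm -f "${RES}"' EXIT` next to `RES=$(tempfile)` (outside this hunk) would cover all of them at once.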
@@ -996,28 +1160,46 @@ echo "Service AdminWebPanel" msg "Have =0 access on domain attributes" for D in ${DOMAINS}; do checkACL "cn=AdminWebPanel" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description -done | isOK 'none(=0)$' entry +done | isOK '=0$' entry +[ $? -eq 0 ] || exit $? msg "Have =0 access on user attributes" for U in ${USERS}; do checkACL "cn=AdminWebPanel" "${U}" entry children ${OPERATTRS} fvu userPassword fripostIsStatusActive fripostUserQuota fripostOptionalMaildrop description -done | isOK 'none(=0)$' entry +done | isOK '=0$' entry +[ $? -eq 0 ] || exit $? msg "Have =0 access on alias attributes" for A in ${ALIASES}; do checkACL "cn=AdminWebPanel" "${A}" entry children ${OPERATTRS} fva fripostMaildrop fripostIsStatusActive fripostOwner description -done | isOK 'none(=0)$' entry +done | isOK '=0$' entry +[ $? -eq 0 ] || exit $? msg "Have =0 access on list attributes" for L in ${LISTS}; do - checkACL "cn=AdminWebPanel" "${L}" entry children ${OPERATTRS} fvl fripostListManager fripostIsStatusActive fripostLocalAlias fripostOwner description fripostIsStatusPending -done | isOK 'none(=0)$' entry + checkACL "cn=AdminWebPanel" "${L}" entry children ${OPERATTRS} fvl fripostListManager fripostIsStatusActive fripostLocalAlias fripostOwner description fripostPendingToken +done | isOK '=0$' entry +[ $? -eq 0 ] || exit $? msg "Have =0 access on other list command attributes" for LC in ${LISTSC}; do checkACL "cn=AdminWebPanel" "${LC}" entry children ${OPERATTRS} fvlc fripostLocalAlias -done | isOK 'none(=0)$' entry +done | isOK '=0$' entry +[ $? -eq 0 ] || exit $? + +MECH='DIGEST-MD5' +PANEL='AdminWebPanel@fripost.org' +msg "Check authcID" +slapauth -U "${PANEL}" 2>&1 | grep '^ID: ' | isOK 'check succeeded$' +[ $? -eq 0 ] || exit $? 
+ +msg "Can proxy authorize (${MECH})" +for U in ${USERS}; do + DN=$(echo "dn:${U},${SUFFIXV}" | tr [A-Z] [a-z]) + slapauth -U "${PANEL}" -X "${DN}" 2>&1 | grep '^authorization ' +done | isOK '^authorization failed$' +# TODO: is that needed? if test -x /usr/bin/sudo && sudo -u fpanel klist >/dev/null; then msg "Can SASL authenticate (GSSAPI)" DN=$(echo "dn:cn=AdminWebPanel,${SUFFIXS}" | tr [A-Z] [a-z]) @@ -1031,7 +1213,7 @@ if test -x /usr/bin/sudo && sudo -u fpanel klist >/dev/null; then if [ "${DN}" = "${DN2}" ]; then echo ok; else echo fail; fi done | isOK '^ok$' else - echo "WARN: No valid ticket found. Didn't check SSAL authentication" + echo "WARN: No valid ticket found. Didn't check SASL GSSAPI authentication" fi rm "${RES}" -- cgit v1.2.3
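Review bot: The proxy-authorization test is the one new check in this file with no `[ $? -eq 0 ] || exit $?` after it, and its message (`Can proxy authorize`) contradicts its assertion (`isOK '^authorization failed$'`), so as written it either documents that the panel cannot assume user identities or is a placeholder, and the `# TODO: is that needed?` right after it suggests the latter. Decide which and make it fail loudly: if the panel must be able to proxy-authorize as every user, the pattern should be the success string slapauth prints (`isOK '^authorization OK$'`, confirm the exact text for this version) followed by `[ $? -eq 0 ] || exit $?`; if it must not, rename the message so the log says what is being proven. Two smaller points: `MECH='DIGEST-MD5'` is only ever used in the message, so the label does not tell you which mechanism slapauth actually exercised, and DIGEST-MD5 has been deprecated (RFC 6331) in any case; and the unquoted `tr [A-Z] [a-z]` on the new DN line is a glob that misbehaves if single-letter files exist in the working directory, so quote the ranges as `tr '[A-Z]' '[a-z]'`.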