s4:selftest: also test samba4.ldb.simple.ldap*SASL-BIND with ldap_testing:{channel_bound,tls_channel_bindings,forced_channel_binding}
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 065da873296c23ef3b9051fba39be097cfff60fa) Autobuild-User(v4-20-test): Jule Anger <janger@samba.org> Autobuild-Date(v4-20-test): Tue Jul 9 10:53:40 UTC 2024 on atb-devel-224
parent
ac22551de3
commit
16b430e740
@ -1,6 +1,21 @@
|
|||||||
#
|
#
|
||||||
## We assert all "ldap server require strong auth" combinations
|
## We assert all "ldap server require strong auth" combinations
|
||||||
#
|
#
|
||||||
^samba4.ldb.simple.ldap with SIMPLE-BIND.*ad_dc_ntvfs # ldap server require strong auth = allow_sasl_over_tls
|
^samba4.ldb.simple.ldap with SIMPLE-BIND.*ad_dc_ntvfs # ldap server require strong auth = allow_sasl_without_tls_channel_bindings
|
||||||
^samba4.ldb.simple.ldap with SIMPLE-BIND.*fl2003dc # ldap server require strong auth = yes
|
^samba4.ldb.simple.ldap with SIMPLE-BIND.*fl2003dc # ldap server require strong auth = yes
|
||||||
^samba4.ldb.simple.ldaps with SASL-BIND.*fl2003dc # ldap server require strong auth = yes
|
# fl2003dc has ldap server require strong auth = yes
|
||||||
|
# and correct channel bindings are required for TLS
|
||||||
|
^samba4.ldb.simple.ldaps.*SASL-BIND.*ldap_testing:tls_channel_bindings=no.*fl2003dc
|
||||||
|
# ad_dc_ntvfs and fl2008r2dc have
|
||||||
|
# ldap server require strong auth = allow_sasl_without_tls_channel_bindings
|
||||||
|
# it means correct channel bindings are required, if the client indicated
|
||||||
|
# explicit (even null) channel bindings are provided
|
||||||
|
#
|
||||||
|
# The following are in expectedfail_heimdal for now, as MIT
|
||||||
|
# behaves differently:
|
||||||
|
#^samba4.ldb.simple.ldaps.with.SASL-BIND.*use-kerberos=required.*ldap_testing:channel_bound=yes.*ldap_testing:tls_channel_bindings=no.*ad_dc_ntvfs
|
||||||
|
#^samba4.ldb.simple.ldaps.with.SASL-BIND.*use-kerberos=required.*ldap_testing:channel_bound=yes.*ldap_testing:tls_channel_bindings=no.*fl2008r2dc
|
||||||
|
^samba4.ldb.simple.ldaps.with.SASL-BIND.*ldap_testing:channel_bound=yes.*ldap_testing:forced_channel_binding=wRoNg
|
||||||
|
^samba4.ldb.simple.ldaps.with.SASL-BIND.*ldap_testing:channel_bound=no.*ldap_testing:forced_channel_binding=wRoNg
|
||||||
|
^samba4.ldb.simple.ldaps.with.SASL-BIND.*use-kerberos=disabled.*ldap_testing:channel_bound=yes.*ldap_testing:tls_channel_bindings=no.*ad_dc_ntvfs
|
||||||
|
^samba4.ldb.simple.ldaps.with.SASL-BIND.*use-kerberos=disabled.*ldap_testing:channel_bound=yes.*ldap_testing:tls_channel_bindings=no.*fl2008r2dc
|
||||||
|
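--- a/selftest/expectedfail_heimdal
+++ b/selftest/expectedfail_heimdal
@@ -0,0 +1,12 @@
+# ad_dc_ntvfs and fl2008r2dc have
+# ldap server require strong auth = allow_sasl_without_tls_channel_bindings
+# it means correct channel bindings are required, if the client indicated
+# explicit (even null) channel bindings are provided
+#
+# Note currently only embedded_heimdal supports
+# GSS_C_CHANNEL_BOUND_FLAG as client.
+# See also:
+# https://github.com/heimdal/heimdal/pull/1234
+# https://github.com/krb5/krb5/pull/1329
+^samba4.ldb.simple.ldaps.with.SASL-BIND.*use-kerberos=required.*ldap_testing:channel_bound=yes.*ldap_testing:tls_channel_bindings=no.*ad_dc_ntvfs
+^samba4.ldb.simple.ldaps.with.SASL-BIND.*use-kerberos=required.*ldap_testing:channel_bound=yes.*ldap_testing:tls_channel_bindings=no.*fl2008r2dc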
@ -274,6 +274,10 @@ def cmd_testonly(opt):
|
|||||||
env.FILTER_XFAIL += " --expected-failures=${srcdir}/selftest/"\
|
env.FILTER_XFAIL += " --expected-failures=${srcdir}/selftest/"\
|
||||||
"knownfail_heimdal_kdc"
|
"knownfail_heimdal_kdc"
|
||||||
|
|
||||||
|
if CONFIG_SET(opt, 'USING_EMBEDDED_HEIMDAL'):
|
||||||
|
env.FILTER_XFAIL += " --expected-failures=${srcdir}/selftest/"\
|
||||||
|
"expectedfail_heimdal"
|
||||||
|
|
||||||
if CONFIG_GET(opt, 'SIZEOF_VOID_P') == 4:
|
if CONFIG_GET(opt, 'SIZEOF_VOID_P') == 4:
|
||||||
env.FILTER_XFAIL += " --expected-failures=${srcdir}/selftest/knownfail-32bit"
|
env.FILTER_XFAIL += " --expected-failures=${srcdir}/selftest/knownfail-32bit"
|
||||||
env.OPTIONS += " --default-ldb-backend=tdb --exclude=${srcdir}/selftest/skip-32bit"
|
env.OPTIONS += " --default-ldb-backend=tdb --exclude=${srcdir}/selftest/skip-32bit"
|
||||||
|
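Review bot: The new `if CONFIG_SET(opt, 'USING_EMBEDDED_HEIMDAL'):` branch has no comment saying why this expected-failure list is tied to embedded Heimdal specifically. The reason is only stated inside selftest/expectedfail_heimdal (only the embedded Heimdal client sets GSS_C_CHANNEL_BOUND_FLAG), so a one-line comment above the condition would keep the two in step, e.g. `# only the embedded Heimdal client sets GSS_C_CHANNEL_BOUND_FLAG, see selftest/expectedfail_heimdal`. It also follows that on other Kerberos builds the Kerberos bind with mismatched TLS channel bindings is expected to succeed, so the server-side rejection for that case is presumably exercised only with embedded Heimdal; that limit is worth stating in the same comment. cmd_testonly starts and ends outside the hunk.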
@ -163,20 +163,45 @@ for env in ["ad_dc_ntvfs", "fl2008r2dc", "fl2003dc"]:
|
|||||||
'--use-kerberos=required --option=clientldapsaslwrapping=plain',
|
'--use-kerberos=required --option=clientldapsaslwrapping=plain',
|
||||||
'--use-kerberos=required --client-protection=sign',
|
'--use-kerberos=required --client-protection=sign',
|
||||||
'--use-kerberos=required --client-protection=encrypt',
|
'--use-kerberos=required --client-protection=encrypt',
|
||||||
|
'--use-kerberos=required --client-protection=sign --option="ldap_testing:channel_bound=yes"',
|
||||||
|
'--use-kerberos=required --client-protection=sign --option="ldap_testing:channel_bound=no"',
|
||||||
|
'--use-kerberos=required --client-protection=sign --option="ldap_testing:channel_bound=yes" --option="ldap_testing:forced_channel_binding=wRoNg"',
|
||||||
|
'--use-kerberos=required --client-protection=sign --option="ldap_testing:channel_bound=no" --option="ldap_testing:forced_channel_binding=wRoNg"',
|
||||||
'--use-kerberos=disabled --option=clientldapsaslwrapping=plain',
|
'--use-kerberos=disabled --option=clientldapsaslwrapping=plain',
|
||||||
'--use-kerberos=disabled --client-protection=sign --option=ntlmssp_client:ldap_style_send_seal=no',
|
'--use-kerberos=disabled --client-protection=sign --option=ntlmssp_client:ldap_style_send_seal=no',
|
||||||
'--use-kerberos=disabled --client-protection=sign',
|
'--use-kerberos=disabled --client-protection=sign',
|
||||||
'--use-kerberos=disabled --client-protection=encrypt',
|
'--use-kerberos=disabled --client-protection=encrypt',
|
||||||
|
'--use-kerberos=disabled --client-protection=sign --option="ldap_testing:channel_bound=yes"',
|
||||||
|
'--use-kerberos=disabled --client-protection=sign --option="ldap_testing:channel_bound=no"',
|
||||||
|
'--use-kerberos=disabled --client-protection=sign --option="ldap_testing:channel_bound=yes" --option="ldap_testing:forced_channel_binding=wRoNg"',
|
||||||
|
'--use-kerberos=disabled --client-protection=sign --option="ldap_testing:channel_bound=no" --option="ldap_testing:forced_channel_binding=wRoNg"',
|
||||||
]
|
]
|
||||||
|
|
||||||
for auth_option in auth_options:
|
for auth_option in auth_options:
|
||||||
options = '-U"$USERNAME%$PASSWORD"' + ' ' + auth_option
|
options = '-U"$USERNAME%$PASSWORD"' + ' ' + auth_option
|
||||||
plantestsuite("samba4.ldb.simple.ldap with SASL-BIND %s(%s)" % (options, env),
|
plantestsuite("samba4.ldb.simple.ldap with SASL-BIND %s(%s)" % (options, env),
|
||||||
env, "%s/test_ldb_simple.sh ldap $SERVER %s" % (bbdir, options))
|
env, "%s/test_ldb_simple.sh ldap $SERVER %s" % (bbdir, options))
|
||||||
options = '-U"$USERNAME%$PASSWORD" --option="tlsverifypeer=no_check"'
|
|
||||||
|
auth_options = [
|
||||||
|
'--use-kerberos=required --option="ldap_testing:channel_bound=yes" --option="ldap_testing:tls_channel_bindings=yes"',
|
||||||
|
'--use-kerberos=required --option="ldap_testing:channel_bound=yes" --option="ldap_testing:tls_channel_bindings=no"',
|
||||||
|
'--use-kerberos=required --option="ldap_testing:channel_bound=yes" --option="ldap_testing:forced_channel_binding=wRoNg"',
|
||||||
|
'--use-kerberos=required --option="ldap_testing:channel_bound=no" --option="ldap_testing:tls_channel_bindings=no"',
|
||||||
|
'--use-kerberos=required --option="ldap_testing:channel_bound=no" --option="ldap_testing:tls_channel_bindings=yes"',
|
||||||
|
'--use-kerberos=required --option="ldap_testing:channel_bound=no" --option="ldap_testing:forced_channel_binding=wRoNg"',
|
||||||
|
'--use-kerberos=disabled --option="ldap_testing:channel_bound=yes" --option="ldap_testing:tls_channel_bindings=yes"',
|
||||||
|
'--use-kerberos=disabled --option="ldap_testing:channel_bound=yes" --option="ldap_testing:tls_channel_bindings=no"',
|
||||||
|
'--use-kerberos=disabled --option="ldap_testing:channel_bound=yes" --option="ldap_testing:forced_channel_binding=wRoNg"',
|
||||||
|
'--use-kerberos=disabled --option="ldap_testing:channel_bound=no" --option="ldap_testing:tls_channel_bindings=no"',
|
||||||
|
'--use-kerberos=disabled --option="ldap_testing:channel_bound=no" --option="ldap_testing:tls_channel_bindings=yes"',
|
||||||
|
'--use-kerberos=disabled --option="ldap_testing:channel_bound=no" --option="ldap_testing:forced_channel_binding=wRoNg"',
|
||||||
|
]
|
||||||
|
for auth_option in auth_options:
|
||||||
|
options = '-U"$USERNAME%$PASSWORD" --option="tlsverifypeer=no_check" ' + auth_option
|
||||||
plantestsuite("samba4.ldb.simple.ldaps with SASL-BIND %s(%s)" % (options, env),
|
plantestsuite("samba4.ldb.simple.ldaps with SASL-BIND %s(%s)" % (options, env),
|
||||||
env, "%s/test_ldb_simple.sh ldaps $SERVER %s" % (bbdir, options))
|
env, "%s/test_ldb_simple.sh ldaps $SERVER %s" % (bbdir, options))
|
||||||
|
|
||||||
|
|
||||||
envraw = "fl2008r2dc"
|
envraw = "fl2008r2dc"
|
||||||
env = "%s:local" % envraw
|
env = "%s:local" % envraw
|
||||||
plantestsuite("samba4.ldap_tls_reload(%s)" % (env), env,
|
plantestsuite("samba4.ldap_tls_reload(%s)" % (env), env,
|
||||||
|
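Review bot: The ldaps SASL-BIND loop no longer plans any run without `ldap_testing:` overrides. The old single case `options = '-U"$USERNAME%$PASSWORD" --option="tlsverifypeer=no_check"'` is replaced by twelve entries that all set `ldap_testing:channel_bound` together with `tls_channel_bindings` or `forced_channel_binding`. Unless the `channel_bound=yes` / `tls_channel_bindings=yes` entry is equivalent to the client defaults (not visible here), the configuration that unmodified clients use over TLS is no longer covered by this loop. Adding `'--use-kerberos=required',` and `'--use-kerberos=disabled',` to the second `auth_options` list would keep that baseline next to the channel-binding matrix. The enclosing `for env in [...]` loop starts outside the hunk.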