2 Unix SMB/CIFS mplementation.
3 LDAP protocol helper functions for SAMBA
5 Copyright (C) Stefan Metzmacher 2004
6 Copyright (C) Simo Sorce 2004
7 Copyright (C) Matthias Dieter Wallnöfer 2009
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "libcli/ldap/ldap_client.h"
26 #include "lib/cmdline/popt_common.h"
28 #include "torture/torture.h"
29 #include "torture/ldap/proto.h"
31 #include "param/param.h"
33 static bool test_bind_simple(struct ldap_connection *conn, const char *userdn, const char *password)
38 status = torture_ldap_bind(conn, userdn, password);
39 if (!NT_STATUS_IS_OK(status)) {
46 static bool test_bind_sasl(struct torture_context *tctx,
47 struct ldap_connection *conn, struct cli_credentials *creds)
52 printf("Testing sasl bind as user\n");
54 status = torture_ldap_bind_sasl(conn, creds, tctx->lp_ctx);
55 if (!NT_STATUS_IS_OK(status)) {
62 static bool test_multibind(struct ldap_connection *conn, const char *userdn, const char *password)
66 printf("Testing multiple binds on a single connnection as anonymous and user\n");
68 ret = test_bind_simple(conn, NULL, NULL);
70 printf("1st bind as anonymous failed\n");
74 ret = test_bind_simple(conn, userdn, password);
76 printf("2nd bind as authenticated user failed\n");
82 static bool test_search_rootDSE(struct ldap_connection *conn, char **basedn)
85 struct ldap_message *msg, *result;
86 struct ldap_request *req;
88 struct ldap_SearchResEntry *r;
91 printf("Testing RootDSE Search\n");
95 msg = new_ldap_message(conn);
100 msg->type = LDAP_TAG_SearchRequest;
101 msg->r.SearchRequest.basedn = "";
102 msg->r.SearchRequest.scope = LDAP_SEARCH_SCOPE_BASE;
103 msg->r.SearchRequest.deref = LDAP_DEREFERENCE_NEVER;
104 msg->r.SearchRequest.timelimit = 0;
105 msg->r.SearchRequest.sizelimit = 0;
106 msg->r.SearchRequest.attributesonly = false;
107 msg->r.SearchRequest.tree = ldb_parse_tree(msg, "(objectclass=*)");
108 msg->r.SearchRequest.num_attributes = 0;
109 msg->r.SearchRequest.attributes = NULL;
111 req = ldap_request_send(conn, msg);
113 printf("Could not setup ldap search\n");
117 status = ldap_result_one(req, &result, LDAP_TAG_SearchResultEntry);
118 if (!NT_STATUS_IS_OK(status)) {
119 printf("search failed - %s\n", nt_errstr(status));
123 printf("received %d replies\n", req->num_replies);
125 r = &result->r.SearchResultEntry;
127 DEBUG(1,("\tdn: %s\n", r->dn));
128 for (i=0; i<r->num_attributes; i++) {
130 for (j=0; j<r->attributes[i].num_values; j++) {
131 DEBUG(1,("\t%s: %d %.*s\n", r->attributes[i].name,
132 (int)r->attributes[i].values[j].length,
133 (int)r->attributes[i].values[j].length,
134 (char *)r->attributes[i].values[j].data));
136 strcasecmp("defaultNamingContext",r->attributes[i].name)==0) {
137 *basedn = talloc_asprintf(conn, "%.*s",
138 (int)r->attributes[i].values[j].length,
139 (char *)r->attributes[i].values[j].data);
149 static bool test_compare_sasl(struct ldap_connection *conn, const char *basedn)
151 struct ldap_message *msg, *rep;
152 struct ldap_request *req;
156 printf("Testing SASL Compare: %s\n", basedn);
162 msg = new_ldap_message(conn);
167 msg->type = LDAP_TAG_CompareRequest;
168 msg->r.CompareRequest.dn = basedn;
169 msg->r.CompareRequest.attribute = talloc_strdup(msg, "objectClass");
171 msg->r.CompareRequest.value = data_blob_talloc(msg, val, strlen(val));
173 req = ldap_request_send(conn, msg);
178 status = ldap_result_one(req, &rep, LDAP_TAG_CompareResponse);
179 if (!NT_STATUS_IS_OK(status)) {
180 printf("error in ldap compare request - %s\n", nt_errstr(status));
184 DEBUG(5,("Code: %d DN: [%s] ERROR:[%s] REFERRAL:[%s]\n",
185 rep->r.CompareResponse.resultcode,
186 rep->r.CompareResponse.dn,
187 rep->r.CompareResponse.errormessage,
188 rep->r.CompareResponse.referral));
194 * This takes an AD error message and splits it into the WERROR code
195 * (WERR_DS_GENERIC if none found) and the reason (remaining string).
197 static WERROR ad_error(const char *err_msg, char **reason)
199 WERROR err = W_ERROR(strtol(err_msg, reason, 16));
201 if ((reason != NULL) && (*reason[0] != ':')) {
202 return WERR_DS_GENERIC_ERROR; /* not an AD std error message */
205 if (reason != NULL) {
206 *reason += 2; /* skip ": " */
211 static bool test_error_codes(struct torture_context *tctx,
212 struct ldap_connection *conn, const char *basedn)
214 struct ldap_message *msg, *rep;
215 struct ldap_request *req;
216 const char *err_code_str;
221 printf("Testing error codes - to make this test pass against SAMBA 4 you have to specify the target!\n");
227 msg = new_ldap_message(conn);
232 printf(" Try a wrong addition\n");
234 msg->type = LDAP_TAG_AddRequest;
235 msg->r.AddRequest.dn = basedn;
236 msg->r.AddRequest.num_attributes = 0;
237 msg->r.AddRequest.attributes = NULL;
239 req = ldap_request_send(conn, msg);
244 status = ldap_result_one(req, &rep, LDAP_TAG_AddResponse);
245 if (!NT_STATUS_IS_OK(status)) {
246 printf("error in ldap addition request - %s\n", nt_errstr(status));
250 if ((rep->r.AddResponse.resultcode == 0)
251 || (rep->r.AddResponse.errormessage == NULL)
252 || (strtol(rep->r.AddResponse.errormessage, &endptr,16) <= 0)
253 || (*endptr != ':')) {
254 printf("Invalid error message!\n");
258 err = ad_error(rep->r.AddResponse.errormessage, &endptr);
259 err_code_str = win_errstr(err);
260 printf(" - Errorcode: %s; Reason: %s\n", err_code_str, endptr);
261 if (!torture_setting_bool(tctx, "samba4", false)) {
262 if ((!W_ERROR_EQUAL(err, WERR_DS_REFERRAL))
263 || (rep->r.AddResponse.resultcode != 10)) {
267 if ((!W_ERROR_EQUAL(err, WERR_DS_OBJ_CLASS_VIOLATION))
268 || (rep->r.AddResponse.resultcode != 65)) {
273 printf(" Try a wrong modification\n");
275 msg->type = LDAP_TAG_ModifyRequest;
276 msg->r.ModifyRequest.dn = "";
277 msg->r.ModifyRequest.num_mods = 0;
278 msg->r.ModifyRequest.mods = NULL;
280 req = ldap_request_send(conn, msg);
285 status = ldap_result_one(req, &rep, LDAP_TAG_ModifyResponse);
286 if (!NT_STATUS_IS_OK(status)) {
287 printf("error in ldap modifification request - %s\n", nt_errstr(status));
291 if ((rep->r.ModifyResponse.resultcode == 0)
292 || (rep->r.ModifyResponse.errormessage == NULL)
293 || (strtol(rep->r.ModifyResponse.errormessage, &endptr,16) <= 0)
294 || (*endptr != ':')) {
295 printf("Invalid error message!\n");
299 err = ad_error(rep->r.ModifyResponse.errormessage, &endptr);
300 err_code_str = win_errstr(err);
301 printf(" - Errorcode: %s; Reason: %s\n", err_code_str, endptr);
302 if (!torture_setting_bool(tctx, "samba4", false)) {
303 if ((!W_ERROR_EQUAL(err, WERR_INVALID_PARAM))
304 || (rep->r.ModifyResponse.resultcode != 53)) {
308 if ((!W_ERROR_EQUAL(err, WERR_DS_OPERATIONS_ERROR))
309 || (rep->r.ModifyResponse.resultcode != 1)) {
314 printf(" Try a wrong removal\n");
316 msg->type = LDAP_TAG_DelRequest;
317 msg->r.DelRequest.dn = "";
319 req = ldap_request_send(conn, msg);
324 status = ldap_result_one(req, &rep, LDAP_TAG_DelResponse);
325 if (!NT_STATUS_IS_OK(status)) {
326 printf("error in ldap removal request - %s\n", nt_errstr(status));
330 if ((rep->r.DelResponse.resultcode == 0)
331 || (rep->r.DelResponse.errormessage == NULL)
332 || (strtol(rep->r.DelResponse.errormessage, &endptr,16) <= 0)
333 || (*endptr != ':')) {
334 printf("Invalid error message!\n");
338 err = ad_error(rep->r.DelResponse.errormessage, &endptr);
339 err_code_str = win_errstr(err);
340 printf(" - Errorcode: %s; Reason: %s\n", err_code_str, endptr);
341 if (!torture_setting_bool(tctx, "samba4", false)) {
342 if ((!W_ERROR_EQUAL(err, WERR_DS_OBJ_NOT_FOUND))
343 || (rep->r.DelResponse.resultcode != 32)) {
347 if ((!W_ERROR_EQUAL(err, WERR_DS_INVALID_DN_SYNTAX))
348 || (rep->r.DelResponse.resultcode != 34)) {
356 bool torture_ldap_basic(struct torture_context *torture)
359 struct ldap_connection *conn;
362 const char *host = torture_setting_string(torture, "host", NULL);
363 const char *userdn = torture_setting_string(torture, "ldap_userdn", NULL);
364 const char *secret = torture_setting_string(torture, "ldap_secret", NULL);
368 mem_ctx = talloc_init("torture_ldap_basic");
370 url = talloc_asprintf(mem_ctx, "ldap://%s/", host);
372 status = torture_ldap_connection(torture, &conn, url);
373 if (!NT_STATUS_IS_OK(status)) {
377 if (!test_search_rootDSE(conn, &basedn)) {
381 /* other bind tests here */
383 if (!test_multibind(conn, userdn, secret)) {
387 if (!test_bind_sasl(torture, conn, cmdline_credentials)) {
391 if (!test_compare_sasl(conn, basedn)) {
395 /* error codes test here */
397 if (!test_error_codes(torture, conn, basedn)) {
401 /* if there are no more tests we are closing */
402 torture_ldap_close(conn);
403 talloc_free(mem_ctx);