From 49bf43a55182ee5f6a41b06a59ecbf1332f81cdc Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Tue, 13 Feb 2024 15:50:14 +0100
Subject: [PATCH] s4:selftest: also test samba4.ldb.simple.ldaps with ldap_testing:tls_channel_bindings=no
Signed-off-by: Stefan Metzmacher
---
 .../expectedfail.d/samba4.ldb.simple.ldap-tls | 16 ++++++++++++++++
 selftest/knownfail | 16 ----------------
 source4/selftest/tests.py | 6 +++++-
 3 files changed, 21 insertions(+), 17 deletions(-)
 create mode 100644 selftest/expectedfail.d/samba4.ldb.simple.ldap-tls
diff --git a/selftest/expectedfail.d/samba4.ldb.simple.ldap-tls b/selftest/expectedfail.d/samba4.ldb.simple.ldap-tls
new file mode 100644
index 000000000000..16bef97c86f7
--- /dev/null
+++ b/selftest/expectedfail.d/samba4.ldb.simple.ldap-tls
@@ -0,0 +1,16 @@
+#
+## We assert all "ldap server require strong auth" combinations
+#
+^samba4.ldb.simple.ldap with SIMPLE-BIND.*ad_dc_ntvfs # ldap server require strong auth = allow_sasl_without_tls_channel_bindings
+^samba4.ldb.simple.ldap with SIMPLE-BIND.*fl2003dc # ldap server require strong auth = yes
+^samba4.ldb.simple.ldaps.*SASL-BIND.*ldap_testing:tls_channel_bindings=no.*fl2003dc # ldap server require strong auth = yes
+# These are supposed to fail as we want to verify the "tls verify peer"
+# restrictions. Note that fl2008r2dc uses a self-signed certificate
+# with does not have a crl file.
+#
+^samba4.ldb.simple.ldaps.*SERVER_NAME.*tlsverifypeer=ca_and_name_if_available\(
+^samba4.ldb.simple.ldaps.*SERVER_NAME.*tlsverifypeer=ca_and_name\(
+^samba4.ldb.simple.ldaps.*SERVER_NAME.*tlsverifypeer=as_strict_as_possible\(
+^samba4.ldb.simple.ldaps.*SERVER_IP.*tlsverifypeer=ca_and_name\(
+^samba4.ldb.simple.ldaps.*SERVER_IP.*tlsverifypeer=as_strict_as_possible\(
+^samba4.ldb.simple.ldaps.*SERVER.REALM.*tlsverifypeer=as_strict_as_possible.*fl2008r2dc
diff --git a/selftest/knownfail b/selftest/knownfail
index a89616c1dbe5..dda157ac24f6 100644
--- a/selftest/knownfail
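Review bot: The new `ldap_testing:tls_channel_bindings=no` expectation on line 6 of the file is pinned to fl2003dc only, and the inline annotations explain the `ldap server require strong auth` value for ad_dc_ntvfs and fl2003dc but say nothing about fl2008r2dc, so it is not visible from this file why a SASL bind over TLS without channel bindings is expected to succeed there; a comment above that line, e.g. `# ad_dc_ntvfs allows SASL without channel bindings (see above); fl2008r2dc is not asserted here - confirm its setting`, would make the coverage explicit. The header `## We assert all "ldap server require strong auth" combinations` overstates what the three patterns below it cover unless fl2008r2dc's value is intentionally the unlisted one, which is worth stating. The comment carried over from selftest/knownfail keeps a typo: `# with does not have a crl file.` should read `# which does not have a crl file.`.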
+++ b/selftest/knownfail
@@ -308,22 +308,6 @@
 #
 ^samba4.ldap.sort.python.+UnicodeSortTests
 #
-## We assert all "ldap server require strong auth" combinations
-#
-^samba4.ldb.simple.ldap with SIMPLE-BIND.*ad_dc_ntvfs # ldap server require strong auth = allow_sasl_over_tls
-^samba4.ldb.simple.ldap with SIMPLE-BIND.*fl2003dc # ldap server require strong auth = yes
-^samba4.ldb.simple.ldaps with SASL-BIND.*fl2003dc # ldap server require strong auth = yes
-# These are supposed to fail as we want to verify the "tls verify peer"
-# restrictions. Note that fl2008r2dc uses a self-signed certificate
-# with does not have a crl file.
-#
-^samba4.ldb.simple.ldaps.*SERVER_NAME.*tlsverifypeer=ca_and_name_if_available\(
-^samba4.ldb.simple.ldaps.*SERVER_NAME.*tlsverifypeer=ca_and_name\(
-^samba4.ldb.simple.ldaps.*SERVER_NAME.*tlsverifypeer=as_strict_as_possible\(
-^samba4.ldb.simple.ldaps.*SERVER_IP.*tlsverifypeer=ca_and_name\(
-^samba4.ldb.simple.ldaps.*SERVER_IP.*tlsverifypeer=as_strict_as_possible\(
-^samba4.ldb.simple.ldaps.*SERVER.REALM.*tlsverifypeer=as_strict_as_possible.*fl2008r2dc
-#
 # we don't allow auth_level_connect anymore...
 #
 ^samba3.blackbox.rpcclient.*ncacn_np.*with.*connect.*rpcclient # we don't allow auth_level_connect anymore
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 7e37c1f4e4cc..2fe707a8a288 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -148,7 +148,11 @@ for env in ["ad_dc_ntvfs", "fl2008r2dc", "fl2003dc"]:
 options = '-U"$USERNAME%$PASSWORD"' + ' ' + auth_option
 plantestsuite("samba4.ldb.simple.ldap with SASL-BIND %s(%s)" % (options, env),
 env, "%s/test_ldb_simple.sh ldap $SERVER %s" % (bbdir, options))
- options = '-U"$USERNAME%$PASSWORD" --option="tlsverifypeer=no_check"'
+ base_options = '-U"$USERNAME%$PASSWORD" --option="tlsverifypeer=no_check"'
+ options = base_options
+ plantestsuite("samba4.ldb.simple.ldaps with SASL-BIND %s(%s)" % (options, env),
+ env, "%s/test_ldb_simple.sh ldaps $SERVER %s" % (bbdir, options))
+ options += ' --option="ldap_testing:tls_channel_bindings=no"'
 plantestsuite("samba4.ldb.simple.ldaps with SASL-BIND %s(%s)" % (options, env),
 env, "%s/test_ldb_simple.sh ldaps $SERVER %s" % (bbdir, options))
-- 
2.34.1
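Review bot: On the new side `base_options` exists only to be copied into `options` and then appended to, so `options = base_options` followed by `options += ...` obscures that the second ldaps suite is exactly the first plus one extra option; writing it directly as `options = base_options + ' --option="ldap_testing:tls_channel_bindings=no"'` makes that relationship explicit and leaves the first suite's `options` value untouched. The two suite names differ only by that appended option text, and the new pattern in selftest/expectedfail.d/samba4.ldb.simple.ldap-tls keys on `ldaps.*SASL-BIND.*ldap_testing:tls_channel_bindings=no.*fl2003dc` in the generated name, so a comment above the second `plantestsuite` call such as `# the option text is part of the test name matched by expectedfail.d/samba4.ldb.simple.ldap-tls` would stop a later rename of either side from turning the fl2003dc expected failure into an unexpected one. The enclosing `for env in [...]` loop starts before the hunk, and the header counts 7 old lines against the 6 recoverable here, so one trailing context line was presumably lost in the collapse.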