CVE-2016-2112: s4:selftest: run some ldap test against ad_dc_ntvfs, fl2008r2dc and...

We want to test against all "ldap server require strong auth" combinations.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

diff --git a/selftest/knownfail b/selftest/knownfail
index 7e533bf168b6a719bdac282ac65e47255aa5a9c8..84859490fd4ca8a38bfe271a793c78e69c1b3b9c 100644 (file)
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -301,3 +301,9 @@
 # match Windows 2012R2 behaviour.
 #
 ^samba4.ldap.sort.python.+UnicodeSortTests
+#
+## We assert all "ldap server require strong auth" combinations
+#
+^samba4.ldb.simple.ldap with SIMPLE-BIND.*ad_dc_ntvfs # ldap server require strong auth = allow_sasl_over_tls
+^samba4.ldb.simple.ldap with SIMPLE-BIND.*fl2003dc    # ldap server require strong auth = yes
+^samba4.ldb.simple.ldaps with SASL-BIND.*fl2003dc     # ldap server require strong auth = yes

diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index b141202f44e4bfedfa4047111e22cee122263044..80f5ab9b227a8ab37beaafa59069b90f4f3196f8 100755 (executable)
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -74,6 +74,30 @@ if have_tls_support:
         plantestsuite("samba4.ldb.ldaps with options %s(ad_dc_ntvfs)" % options, "ad_dc_ntvfs",
                 "%s/test_ldb.sh ldaps $SERVER_IP %s" % (bbdir, options))
 
+# test all "ldap server require strong auth" combinations
+for env in ["ad_dc_ntvfs", "fl2008r2dc", "fl2003dc"]:
+    options = '--simple-bind-dn="$USERNAME@$REALM" --password="$PASSWORD"'
+    plantestsuite("samba4.ldb.simple.ldap with SIMPLE-BIND %s(%s)" % (options, env),
+                  env, "%s/test_ldb_simple.sh ldap $SERVER %s" % (bbdir, options))
+    if have_tls_support:
+        plantestsuite("samba4.ldb.simple.ldaps with SIMPLE-BIND %s(%s)" % (options, env),
+                      env, "%s/test_ldb_simple.sh ldaps $SERVER %s" % (bbdir, options))
+
+    auth_options = [
+        '--option=clientldapsaslwrapping=plain',
+        '--sign',
+        '--encrypt',
+    ]
+
+    for auth_option in auth_options:
+        options = '-U"$USERNAME%$PASSWORD"' + ' ' + auth_option
+        plantestsuite("samba4.ldb.simple.ldap with SASL-BIND %s(%s)" % (options, env),
+                      env, "%s/test_ldb_simple.sh ldap $SERVER %s" % (bbdir, options))
+    if have_tls_support:
+        options = '-U"$USERNAME%$PASSWORD"'
+        plantestsuite("samba4.ldb.simple.ldaps with SASL-BIND %s(%s)" % (options, env),
+                      env, "%s/test_ldb_simple.sh ldaps $SERVER %s" % (bbdir, options))
+
 for options in ['-U"$USERNAME%$PASSWORD"']:
     plantestsuite("samba4.ldb.ldapi with options %s(ad_dc_ntvfs:local)" % options, "ad_dc_ntvfs:local",
             "%s/test_ldb.sh ldapi $PREFIX_ABS/ad_dc_ntvfs/private/ldapi %s" % (bbdir, options))

diff --git a/testprogs/blackbox/test_ldb_simple.sh b/testprogs/blackbox/test_ldb_simple.sh
new file mode 100755 (executable)
index 0000000..7375cbf
--- /dev/null
+++ b/testprogs/blackbox/test_ldb_simple.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+if [ $# -lt 2 ]; then
+cat <<EOF
+Usage: test_ldb_simple.sh PROTOCOL SERVER [OPTIONS]
+EOF
+exit 1;
+fi
+
+
+p=$1
+SERVER=$2
+PREFIX=$3
+shift 2
+options="$*"
+
+. `dirname $0`/subunit.sh
+
+check() {
+       name="$1"
+       shift
+       cmdline="$*"
+       echo "test: $name"
+       $cmdline
+       status=$?
+       if [ x$status = x0 ]; then
+               echo "success: $name"
+       else
+               echo "failure: $name"
+               failed=`expr $failed + 1`
+       fi
+       return $status
+}
+
+export PATH="$BINDIR:$PATH"
+
+ldbsearch="$VALGRIND ldbsearch"
+
+check "currentTime" $ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER -s base currentTime || failed=`expr $failed + 1`
+
+exit $failed