2 Unix SMB/CIFS mplementation.
3 LDAP protocol helper functions for SAMBA
5 Copyright (C) Stefan Metzmacher 2004
6 Copyright (C) Simo Sorce 2004
7 Copyright (C) Matthias Dieter Wallnöfer 2009
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "libcli/ldap/ldap_client.h"
26 #include "lib/cmdline/popt_common.h"
28 #include "torture/torture.h"
29 #include "torture/ldap/proto.h"
31 #include "param/param.h"
33 static bool test_bind_simple(struct ldap_connection *conn, const char *userdn, const char *password)
38 status = torture_ldap_bind(conn, userdn, password);
39 if (!NT_STATUS_IS_OK(status)) {
46 static bool test_bind_sasl(struct torture_context *tctx,
47 struct ldap_connection *conn, struct cli_credentials *creds)
52 printf("Testing sasl bind as user\n");
54 status = torture_ldap_bind_sasl(conn, creds, tctx->lp_ctx);
55 if (!NT_STATUS_IS_OK(status)) {
62 static bool test_multibind(struct ldap_connection *conn, const char *userdn, const char *password)
66 printf("Testing multiple binds on a single connnection as anonymous and user\n");
68 ret = test_bind_simple(conn, NULL, NULL);
70 printf("1st bind as anonymous failed\n");
74 ret = test_bind_simple(conn, userdn, password);
76 printf("2nd bind as authenticated user failed\n");
82 static bool test_search_rootDSE(struct ldap_connection *conn, char **basedn)
85 struct ldap_message *msg, *result;
86 struct ldap_request *req;
88 struct ldap_SearchResEntry *r;
91 printf("Testing RootDSE Search\n");
95 msg = new_ldap_message(conn);
100 msg->type = LDAP_TAG_SearchRequest;
101 msg->r.SearchRequest.basedn = "";
102 msg->r.SearchRequest.scope = LDAP_SEARCH_SCOPE_BASE;
103 msg->r.SearchRequest.deref = LDAP_DEREFERENCE_NEVER;
104 msg->r.SearchRequest.timelimit = 0;
105 msg->r.SearchRequest.sizelimit = 0;
106 msg->r.SearchRequest.attributesonly = false;
107 msg->r.SearchRequest.tree = ldb_parse_tree(msg, "(objectclass=*)");
108 msg->r.SearchRequest.num_attributes = 0;
109 msg->r.SearchRequest.attributes = NULL;
111 req = ldap_request_send(conn, msg);
113 printf("Could not setup ldap search\n");
117 status = ldap_result_one(req, &result, LDAP_TAG_SearchResultEntry);
118 if (!NT_STATUS_IS_OK(status)) {
119 printf("search failed - %s\n", nt_errstr(status));
123 printf("received %d replies\n", req->num_replies);
125 r = &result->r.SearchResultEntry;
127 DEBUG(1,("\tdn: %s\n", r->dn));
128 for (i=0; i<r->num_attributes; i++) {
130 for (j=0; j<r->attributes[i].num_values; j++) {
131 DEBUG(1,("\t%s: %d %.*s\n", r->attributes[i].name,
132 (int)r->attributes[i].values[j].length,
133 (int)r->attributes[i].values[j].length,
134 (char *)r->attributes[i].values[j].data));
136 strcasecmp("defaultNamingContext",r->attributes[i].name)==0) {
137 *basedn = talloc_asprintf(conn, "%.*s",
138 (int)r->attributes[i].values[j].length,
139 (char *)r->attributes[i].values[j].data);
149 static bool test_compare_sasl(struct ldap_connection *conn, const char *basedn)
151 struct ldap_message *msg, *rep;
152 struct ldap_request *req;
156 printf("Testing SASL Compare: %s\n", basedn);
162 msg = new_ldap_message(conn);
167 msg->type = LDAP_TAG_CompareRequest;
168 msg->r.CompareRequest.dn = basedn;
169 msg->r.CompareRequest.attribute = talloc_strdup(msg, "objectClass");
171 msg->r.CompareRequest.value = data_blob_talloc(msg, val, strlen(val));
173 req = ldap_request_send(conn, msg);
178 status = ldap_result_one(req, &rep, LDAP_TAG_CompareResponse);
179 if (!NT_STATUS_IS_OK(status)) {
180 printf("error in ldap compare request - %s\n", nt_errstr(status));
184 DEBUG(5,("Code: %d DN: [%s] ERROR:[%s] REFERRAL:[%s]\n",
185 rep->r.CompareResponse.resultcode,
186 rep->r.CompareResponse.dn,
187 rep->r.CompareResponse.errormessage,
188 rep->r.CompareResponse.referral));
194 * This takes an AD error message and splits it into the WERROR code
195 * (WERR_DS_GENERIC if none found) and the reason (remaining string).
197 static WERROR ad_error(const char *err_msg, char **reason)
199 WERROR err = W_ERROR(strtol(err_msg, reason, 16));
201 if ((reason != NULL) && (*reason[0] != ':')) {
202 return WERR_DS_GENERIC_ERROR; /* not an AD std error message */
205 if (reason != NULL) {
206 *reason += 2; /* skip ": " */
211 static bool test_error_codes(struct torture_context *tctx,
212 struct ldap_connection *conn, const char *basedn)
214 struct ldap_message *msg, *rep;
215 struct ldap_request *req;
216 char *err_code_str, *endptr;
220 printf("Testing error codes - to make this test pass against SAMBA 4 you have to specify the target!\n");
226 msg = new_ldap_message(conn);
231 printf(" Try a wrong addition\n");
233 msg->type = LDAP_TAG_AddRequest;
234 msg->r.AddRequest.dn = basedn;
235 msg->r.AddRequest.num_attributes = 0;
236 msg->r.AddRequest.attributes = NULL;
238 req = ldap_request_send(conn, msg);
243 status = ldap_result_one(req, &rep, LDAP_TAG_AddResponse);
244 if (!NT_STATUS_IS_OK(status)) {
245 printf("error in ldap addition request - %s\n", nt_errstr(status));
249 if ((rep->r.AddResponse.resultcode == 0)
250 || (rep->r.AddResponse.errormessage == NULL)
251 || (strtol(rep->r.AddResponse.errormessage, &endptr,16) <= 0)
252 || (*endptr != ':')) {
253 printf("Invalid error message!\n");
257 err = ad_error(rep->r.AddResponse.errormessage, &endptr);
258 err_code_str = win_errstr(err);
259 printf(" - Errorcode: %s; Reason: %s\n", err_code_str, endptr);
260 if (!torture_setting_bool(tctx, "samba4", false)) {
261 if ((!W_ERROR_EQUAL(err, WERR_DS_REFERRAL))
262 || (rep->r.AddResponse.resultcode != 10)) {
266 if ((!W_ERROR_EQUAL(err, WERR_DS_GENERIC_ERROR))
267 || (rep->r.AddResponse.resultcode != 80)) {
272 printf(" Try a wrong modification\n");
274 msg->type = LDAP_TAG_ModifyRequest;
275 msg->r.ModifyRequest.dn = "";
276 msg->r.ModifyRequest.num_mods = 0;
277 msg->r.ModifyRequest.mods = NULL;
279 req = ldap_request_send(conn, msg);
284 status = ldap_result_one(req, &rep, LDAP_TAG_ModifyResponse);
285 if (!NT_STATUS_IS_OK(status)) {
286 printf("error in ldap modifification request - %s\n", nt_errstr(status));
290 if ((rep->r.ModifyResponse.resultcode == 0)
291 || (rep->r.ModifyResponse.errormessage == NULL)
292 || (strtol(rep->r.ModifyResponse.errormessage, &endptr,16) <= 0)
293 || (*endptr != ':')) {
294 printf("Invalid error message!\n");
298 err = ad_error(rep->r.ModifyResponse.errormessage, &endptr);
299 err_code_str = win_errstr(err);
300 printf(" - Errorcode: %s; Reason: %s\n", err_code_str, endptr);
301 if (!torture_setting_bool(tctx, "samba4", false)) {
302 if ((!W_ERROR_EQUAL(err, WERR_INVALID_PARAM))
303 || (rep->r.ModifyResponse.resultcode != 53)) {
307 if ((!W_ERROR_EQUAL(err, WERR_DS_GENERIC_ERROR))
308 || (rep->r.ModifyResponse.resultcode != 80)) {
313 printf(" Try a wrong removal\n");
315 msg->type = LDAP_TAG_DelRequest;
316 msg->r.DelRequest.dn = "";
318 req = ldap_request_send(conn, msg);
323 status = ldap_result_one(req, &rep, LDAP_TAG_DelResponse);
324 if (!NT_STATUS_IS_OK(status)) {
325 printf("error in ldap removal request - %s\n", nt_errstr(status));
329 if ((rep->r.DelResponse.resultcode == 0)
330 || (rep->r.DelResponse.errormessage == NULL)
331 || (strtol(rep->r.DelResponse.errormessage, &endptr,16) <= 0)
332 || (*endptr != ':')) {
333 printf("Invalid error message!\n");
337 err = ad_error(rep->r.DelResponse.errormessage, &endptr);
338 err_code_str = win_errstr(err);
339 printf(" - Errorcode: %s; Reason: %s\n", err_code_str, endptr);
340 if (!torture_setting_bool(tctx, "samba4", false)) {
341 if ((!W_ERROR_EQUAL(err, WERR_DS_OBJ_NOT_FOUND))
342 || (rep->r.DelResponse.resultcode != 32)) {
346 if ((!W_ERROR_EQUAL(err, WERR_DS_INVALID_DN_SYNTAX))
347 || (rep->r.DelResponse.resultcode != 34)) {
355 bool torture_ldap_basic(struct torture_context *torture)
358 struct ldap_connection *conn;
361 const char *host = torture_setting_string(torture, "host", NULL);
362 const char *userdn = torture_setting_string(torture, "ldap_userdn", NULL);
363 const char *secret = torture_setting_string(torture, "ldap_secret", NULL);
367 mem_ctx = talloc_init("torture_ldap_basic");
369 url = talloc_asprintf(mem_ctx, "ldap://%s/", host);
371 status = torture_ldap_connection(torture, &conn, url);
372 if (!NT_STATUS_IS_OK(status)) {
376 if (!test_search_rootDSE(conn, &basedn)) {
380 /* other bind tests here */
382 if (!test_multibind(conn, userdn, secret)) {
386 if (!test_bind_sasl(torture, conn, cmdline_credentials)) {
390 if (!test_compare_sasl(conn, basedn)) {
394 /* error codes test here */
396 if (!test_error_codes(torture, conn, basedn)) {
400 /* if there are no more tests we are closing */
401 torture_ldap_close(conn);
402 talloc_free(mem_ctx);