From a67b0bf8d7be9ceda0b480cbb27b7bf0229b7122 Mon Sep 17 00:00:00 2001
From: smaguin <smaguin@localhost>
Date: Mon, 02 Jul 2007 13:57:51 +0000
Subject: [PATCH] new client_auth testsuite
---
opends/tests/functional-tests/testcases/security/client_auth/fingerprint_mapper.xml | 471 +++++++++++
opends/tests/functional-tests/testcases/security/client_auth/subject_attribute_mapper.xml | 264 ++++++
opends/tests/functional-tests/testcases/security/client_auth/client_auth_teardown.xml | 204 +++++
opends/tests/functional-tests/testcases/security/client_auth/subject_dn_mapper.xml | 471 +++++++++++
opends/tests/functional-tests/testcases/security/client_auth/client_auth_setup.xml | 635 +++++++++++++++
opends/tests/functional-tests/testcases/security/client_auth/client_auth.xml | 106 ++
opends/tests/functional-tests/testcases/security/client_auth/equal_dn_mapper.xml | 219 +++++
7 files changed, 2,370 insertions(+), 0 deletions(-)
diff --git a/opends/tests/functional-tests/testcases/security/client_auth/client_auth.xml b/opends/tests/functional-tests/testcases/security/client_auth/client_auth.xml
new file mode 100755
index 0000000..6b4d196
--- /dev/null
+++ b/opends/tests/functional-tests/testcases/security/client_auth/client_auth.xml
@@ -0,0 +1,106 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE stax SYSTEM "../../../stax.dtd">
+<!--
+ ! CDDL HEADER START
+ !
+ ! The contents of this file are subject to the terms of the
+ ! Common Development and Distribution License, Version 1.0 only
+ ! (the "License"). You may not use this file except in compliance
+ ! with the License.
+ !
+ ! You can obtain a copy of the license at
+ ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
+ ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
+ ! See the License for the specific language governing permissions
+ ! and limitations under the License.
+ !
+ ! When distributing Covered Code, include this CDDL HEADER in each
+ ! file and include the License file at
+ ! trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
+ ! add the following below this CDDL HEADER, with the fields enclosed
+ ! by brackets "[]" replaced with your own identifying information:
+ ! Portions Copyright [yyyy] [name of copyright owner]
+ !
+ ! CDDL HEADER END
+ !
+ ! Portions Copyright 2006-2007 Sun Microsystems, Inc.
+ ! -->
+<stax>
+
+ <defaultcall function="client_auth"/>
+
+ <function name="client_auth">
+
+ <sequence>
+
+ <block name="'client_auth'">
+
+ <sequence>
+
+ <script>
+ CurrentTestPath['group']='security'
+ CurrentTestPath['suite']=STAXCurrentBlock
+ </script>
+
+ <call function="'testSuite_Preamble'"/>
+
+
+ <import machine="'%s' % (STAF_LOCAL_HOSTNAME)"
+ file="'%s/testcases/security/security_setup.xml' % (TESTS_DIR)"/>
+ <call function="'security_setup'"/>
+
+ <!-- client authentication setup -->
+
+ <import machine="'%s' % STAF_LOCAL_HOSTNAME"
+ file="'%s/testcases/security/client_auth/client_auth_setup.xml' % (TESTS_DIR)"/>
+ <call function="'client_auth_setup'" />
+
+
+ <!-- fingerprint certificates mapper -->
+ <!--
+ <import machine="'%s' % STAF_LOCAL_HOSTNAME"
+ file="'%s/testcases/security/client_auth/fingerprint.xml' % (TESTS_DIR)"/>
+ <call function="'fingerprint'" />
+ -->
+
+ <!-- subject DN to user attribut certificate mapper -->
+
+ <import machine="'%s' % STAF_LOCAL_HOSTNAME"
+ file="'%s/testcases/security/client_auth/subject_dn_mapper.xml' % (TESTS_DIR)"/>
+ <call function="'subject_dn_mapper'" />
+
+ <!-- subject attribute to user attribut certificate mapper -->
+
+ <import machine="'%s' % STAF_LOCAL_HOSTNAME"
+ file="'%s/testcases/security/client_auth/subject_attribute_mapper.xml' % (TESTS_DIR)"/>
+ <call function="'subject_attribute_mapper'" />
+
+ <!-- subject equals dn certificate mapper -->
+
+ <import machine="'%s' % STAF_LOCAL_HOSTNAME"
+ file="'%s/testcases/security/client_auth/equal_dn_mapper.xml' % (TESTS_DIR)"/>
+ <call function="'equal_dn_mapper'" />
+
+ <!-- client authentication teardown -->
+ <import machine="'%s' % STAF_LOCAL_HOSTNAME"
+ file="'%s/testcases/security/client_auth/client_auth_teardown.xml' % (TESTS_DIR)"/>
+ <call function="'client_auth_teardown'" />
+
+
+
+ <import machine="'%s' % (STAF_LOCAL_HOSTNAME)"
+ file="'%s/testcases/security/security_cleanup.xml' % (TESTS_DIR)"/>
+ <call function="'security_cleanup'"/>
+
+
+ <call function="'testSuite_Postamble'"/>
+
+ </sequence>
+
+ </block>
+
+ </sequence>
+
+ </function>
+
+</stax>
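Review bot: The disabled fingerprint-mapper step (the commented-out import/call between the client_auth_setup call and the subject_dn_mapper call) points at `client_auth/fingerprint.xml`, but the file this commit adds is `fingerprint_mapper.xml` according to the diffstat, so re-enabling it as written would fail to import. Either correct it to `file="'%s/testcases/security/client_auth/fingerprint_mapper.xml' % (TESTS_DIR)"` with `<call function="'fingerprint_mapper'" />`, or add a comment above the block saying why the suite is skipped, e.g. `<!-- fingerprint mapper suite disabled: TODO(reason / tracking id) -->`. Note also that `client_auth_teardown` and `security_cleanup` only run if every preceding mapper suite completes; if the STAX version in use supports try/finally, wrapping the mapper calls so that teardown always runs would avoid leaving LDAPS, StartTLS and the test keystores configured after a failed run.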
diff --git a/opends/tests/functional-tests/testcases/security/client_auth/client_auth_setup.xml b/opends/tests/functional-tests/testcases/security/client_auth/client_auth_setup.xml
new file mode 100755
index 0000000..33146e7
--- /dev/null
+++ b/opends/tests/functional-tests/testcases/security/client_auth/client_auth_setup.xml
@@ -0,0 +1,635 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE stax SYSTEM "../../../stax.dtd">
+<!--
+ ! CDDL HEADER START
+ !
+ ! The contents of this file are subject to the terms of the
+ ! Common Development and Distribution License, Version 1.0 only
+ ! (the "License"). You may not use this file except in compliance
+ ! with the License.
+ !
+ ! You can obtain a copy of the license at
+ ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
+ ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
+ ! See the License for the specific language governing permissions
+ ! and limitations under the License.
+ !
+ ! When distributing Covered Code, include this CDDL HEADER in each
+ ! file and include the License file at
+ ! trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
+ ! add the following below this CDDL HEADER, with the fields enclosed
+ ! by brackets "[]" replaced with your own identifying information:
+ ! Portions Copyright [yyyy] [name of copyright owner]
+ !
+ ! CDDL HEADER END
+ !
+ ! Portions Copyright 2006-2007 Sun Microsystems, Inc.
+ ! -->
+<stax>
+
+ <defaultcall function="client_auth_setup"/>
+
+ <function name="client_auth_setup" scope="local">
+
+ <sequence>
+
+ <!--- Test Case : Server Certificate configuration -->
+ <!---
+ #@TestMarker Setup Tests
+ #@TestName Create certificates for server and client
+ #@TestIssue
+ #@TestPurpose Create server and client certificates
+ #@TestPreamble none
+ #@TestStep Generate server and client certificates.
+ #@TestStep Self-sign the certificates.
+ #@TestPostamble none
+ #@TestResult Success if OpenDS returns 0 for all operations
+ -->
+
+ <!-- Generate Server Cert -->
+
+ <testcase name="'Security: client_auth: Setup. certificates configuration'">
+ <sequence>
+ <script>
+ USER_1_CERT="client-cert-1"
+ USER_1_DN="uid=%s,%s" % (USER_1_CERT,DIRECTORY_INSTANCE_SFX)
+ USER_2_CERT="client-cert-2"
+ USER_2_DN="uid=%s,%s" % (USER_2_CERT,DIRECTORY_INSTANCE_SFX)
+ KEYPASS="password"
+ STOREPASS="password"
+ SERVER_KEYPASS="servercert"
+ SERVER_STOREPASS="servercert"
+ CERT_TMP="%s/CERT_%s" % (DIRECTORY_INSTANCE_DIR,DIRECTORY_INSTANCE_PORT)
+ CLIENT_KEYSTORE="%s/keystore" % (CERT_TMP)
+ </script>
+
+
+ <message>
+ '---- Generating Server Certicate -----'
+ </message>
+
+ <!-- create a server certificate -->
+
+ <call function="'genCertificate'">
+ { 'certAlias' : 'server-cert' ,
+ 'dname' : "uid=server,%s" % (DIRECTORY_INSTANCE_SFX),
+ 'keystore' : 'keystore',
+ 'storepass' : SERVER_STOREPASS,
+ 'keypass' : SERVER_KEYPASS,
+ 'storetype' : 'JKS' }
+ </call>
+
+ <!-- Self-Sign Server Cert -->
+
+ <message>
+ '---- Self-Signing Server Certicate ---- '
+ </message>
+
+ <call function="'SelfSignCertificate'">
+ { 'certAlias' : 'server-cert' ,
+ 'storepass' : SERVER_STOREPASS,
+ 'keypass' : SERVER_KEYPASS,
+ 'keystore' : 'keystore',
+ 'storetype' : 'JKS' }
+ </call>
+
+ <!-- Create folder on local host where are store client keystore and certificate-->
+ <message>
+ 'Create folder %s' % (CERT_TMP)
+ </message>
+
+ <call function="'createFolder'">
+ { 'location' : '%s' % (DIRECTORY_INSTANCE_HOST),
+ 'foldername' : '%s' % (CERT_TMP) }
+ </call>
+ <call function="'checktestRC'">
+ { 'returncode' : RC ,
+ 'result' : STAXResult }
+ </call>
+
+ <message>
+ '---- Generating client Certicate : %s ---- ' % (USER_1_CERT)
+ </message>
+
+ <!-- create a client certificate : USER_1_CERT -->
+ <call function="'genCertificate'">
+ { 'certAlias' : '%s' % USER_1_CERT,
+ 'dname' : '%s' % (USER_1_DN),
+ 'storepass' : '%s' % (STOREPASS),
+ 'keystore' : '%s' % (CLIENT_KEYSTORE),
+ 'keypass' : '%s' % (KEYPASS),
+ 'storetype' : 'JKS' }
+ </call>
+
+ <!-- Self-Sign client Certificate : USER_1_CERT -->
+ <message>'---- Self-Signing client Certificate : %s ---- ' % (USER_1_CERT)</message>
+
+ <call function="'SelfSignCertificate'">
+ { 'certAlias' : '%s' % USER_1_CERT,
+ 'storepass' : '%s' % (STOREPASS),
+ 'keypass' : '%s' % (KEYPASS),
+ 'keystore' : '%s' % (CLIENT_KEYSTORE),
+ 'storetype' : 'JKS' }
+ </call>
+
+ <!-- create a client certificate : USER_2_CERT -->
+ <message>'---- Self-Signing client Certificate : %s ---- ' % (USER_2_CERT)</message>
+
+ <call function="'genCertificate'">
+ { 'certAlias' : '%s' % USER_2_CERT,
+ 'dname' : '%s' % (USER_2_DN),
+ 'storepass' : '%s' % (STOREPASS),
+ 'keystore' : '%s' % (CLIENT_KEYSTORE),
+ 'keypass' : '%s' % (KEYPASS),
+ 'storetype' : 'JKS' }
+ </call>
+
+ <!-- Self-Sign client Certificate : USER_2_CERT -->
+ <message>'---- Self-Signing client Certificate : %s ---- ' % (USER_2_CERT)</message>
+
+ <call function="'SelfSignCertificate'">
+ { 'certAlias' : '%s' % USER_2_CERT,
+ 'storepass' : '%s' % (STOREPASS),
+ 'keypass' : '%s' % (KEYPASS),
+ 'keystore' : '%s' % (CLIENT_KEYSTORE),
+ 'storetype' : 'JKS' }
+ </call>
+
+
+ <call function="'testCase_Postamble'"/>
+ </sequence>
+ </testcase>
+
+
+ <!--- Test Case : export client and server certificates -->
+ <!---
+ #@TestMarker Setup Tests
+ #@TestName Export and Import Certificates
+ #@TestIssue
+ #@TestPurpose Export and import client and server certificates
+ #@TestPreamble none
+ #@TestStep Export client and server certificates
+ #@TestStep Import the certificates in the server and clients Database
+ #@TestPostamble none
+ #@TestResult Success if OpenDS returns 0 for all operations
+ -->
+
+ <testcase name="'Security: client_auth: setup. Export and Import certificates'">
+ <sequence>
+ <script>
+
+ CERT_TMP="%s/CERT_%s" % (DIRECTORY_INSTANCE_DIR,DIRECTORY_INSTANCE_PORT)
+ CLIENT_KEYSTORE="%s/keystore" % (CERT_TMP)
+
+ USER_1_CERT="client-cert-1"
+ USER_1_CERT_FILE="%s/client_cert_1.txt" % (CERT_TMP)
+ USER_1_CERT_FILE_RFC="%s/client_cert_1_rfc.txt" % (CERT_TMP)
+ USER_1_DN="uid=%s,%s" % (USER_1_CERT,DIRECTORY_INSTANCE_SFX)
+ USER_2_CERT="client-cert-2"
+ USER_2_CERT_FILE="%s/client_cert_2.txt" % (CERT_TMP)
+ USER_2_CERT_FILE_RFC="%s/client_cert_2_rfc.txt" % (CERT_TMP)
+ USER_2_DN="uid=%s,%s" % (USER_2_CERT,DIRECTORY_INSTANCE_SFX)
+ SERVER_CERT_FILE="%s/server_cert.txt" % (CERT_TMP)
+
+ KEYPASS="password"
+ STOREPASS="password"
+ SERVER_KEYPASS="servercert"
+ SERVER_STOREPASS="servercert"
+ </script>
+
+
+ <call function="'testCase_Preamble'"/>
+
+
+ <!-- Export the server Cert -->
+
+ <message>'---- Export the Server Certicate ----'</message>
+
+ <call function="'ExportCertificate'">
+ { 'certAlias' : 'server-cert' ,
+ 'outputfile' : '%s' % (SERVER_CERT_FILE),
+ 'storepass' : SERVER_STOREPASS,
+ 'storetype' : 'JKS' }
+ </call>
+
+ <!-- export client certificate : USER_1_CERT -->
+ <message> '---- Export the client certificate : : %s ---- ' % (USER_1_CERT)</message>
+
+ <call function="'ExportCertificate'">
+ { 'certAlias' : '%s' % USER_1_CERT,
+ 'outputfile' : '%s' % (USER_1_CERT_FILE),
+ 'storepass' : '%s' % (STOREPASS),
+ 'keystore' : '%s' % (CLIENT_KEYSTORE),
+ 'storetype' : 'JKS' }
+ </call>
+
+ <!-- export client certificate RFC format : USER_1_CERT -->
+ <message> '---- Export the client certificate in RFC : : %s ---- ' % (USER_1_CERT)</message>
+
+
+ <call function="'ExportCertificate'">
+ { 'certAlias' : '%s' % USER_1_CERT,
+ 'outputfile' : '%s' % (USER_1_CERT_FILE_RFC),
+ 'storepass' : '%s' % (STOREPASS),
+ 'keystore' : '%s' % (CLIENT_KEYSTORE),
+ 'format' : 'rfc',
+ 'storetype' : 'JKS' }
+ </call>
+
+ <!-- export client certificate : USER_2_CERT -->
+
+ <message>'---- Export the client certificate : : %s ---- ' % (USER_2_CERT)</message>
+
+ <call function="'ExportCertificate'">
+ { 'certAlias' :'%s' % USER_2_CERT,
+ 'outputfile' : '%s' % (USER_2_CERT_FILE),
+ 'storepass' : '%s' % (STOREPASS),
+ 'keystore' : '%s' % (CLIENT_KEYSTORE),
+ 'storetype' : 'JKS' }
+ </call>
+
+ <!-- export client certificate RFC format : USER_2_CERT -->
+
+ <message>'---- Export the client certificate in RFC format : : %s ---- ' % (USER_2_CERT)</message>
+
+ <call function="'ExportCertificate'">
+ { 'certAlias' :'%s' % USER_2_CERT,
+ 'outputfile' : '%s' % (USER_2_CERT_FILE_RFC),
+ 'storepass' : '%s' % (STOREPASS),
+ 'keystore' : '%s' % (CLIENT_KEYSTORE),
+ 'format' : 'rfc',
+ 'storetype' : 'JKS' }
+ </call>
+
+ <!-- Import the server Certificate under the client database -->
+
+ <message>
+ '---- Import the Server Certificate under the client keystore----'
+ </message>
+
+ <call function="'ImportCertificate'">
+ { 'certAlias' : 'server-cert' ,
+ 'inputfile' : '%s' % (SERVER_CERT_FILE),
+ 'storepass' : '%s' % (STOREPASS),
+ 'keystore' : '%s' % (CLIENT_KEYSTORE),
+ 'storetype' : 'JKS' }
+ </call>
+
+ <!-- Import the client Certificates under the server keystore -->
+
+ <message> '---- Import the client Certificates %s under the server keystore----' % (USER_1_CERT)</message>
+
+
+ <call function="'ImportCertificate'">
+ { 'certAlias' : '%s' % (USER_1_CERT),
+ 'inputfile' : '%s' % (USER_1_CERT_FILE),
+ 'storepass' : SERVER_STOREPASS,
+ 'storetype' : 'JKS' }
+ </call>
+
+ <message> '---- Import the client Certificates %s under the server keystore----' % (USER_2_CERT)</message>
+
+ <call function="'ImportCertificate'">
+ { 'certAlias' : '%s' % (USER_2_CERT),
+ 'inputfile' : '%s' % (USER_2_CERT_FILE),
+ 'storepass' : SERVER_STOREPASS,
+ 'storetype' : 'JKS' }
+ </call>
+
+
+ <call function="'testCase_Postamble'"/>
+ </sequence>
+ </testcase>
+
+
+ <!--- Test Case : configure SSL and StartTLS -->
+ <!---
+ #@TestMarker Setup Tests
+ #@TestName Configure SSL and startTLS
+ #@TestIssue
+ #@TestPurpose Configure SSL and StartTLS
+ #@TestPreamble none
+ #@TestStep Configure SSL
+ #@TestStep Configure StartTLS
+ #@TestPostamble none
+ #@TestResult Success if OpenDS returns 0 for all operations
+ -->
+
+
+ <testcase name="'Security: client_auth: setup. Configure SSL and StartTLS'">
+ <sequence>
+
+ <call function="'testCase_Preamble'"/>
+ <!-- Configure SSL-->
+
+ <message>
+ '---- Configure SSL ----'
+ </message>
+
+ <!--- Enable Key Manager Provider -->
+ <message>
+ 'Enabling Key Manager Provider'
+ </message>
+ <call function="'modifyEntry'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'entryToBeModified' : '%s/security/client_auth/setup/enable_key_mgr_provider.ldif' % (logsRemoteDataDir) }
+ </call>
+
+
+ <!--- Enable Trust Manager Provider -->
+ <message>
+ 'Enabling Trust Manager Provider'
+ </message>
+
+ <call function="'modifyEntry'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'entryToBeModified' : '%s/security/client_auth/setup/enable_trust_mgr_provider.ldif' % (logsRemoteDataDir) }
+ </call>
+
+
+ <!--- Enable LDAPS Connection Handler -->
+ <message>
+ 'Enabling LDAPS Connection Handler - Port number'
+ </message>
+
+ <call function="'modifyEntry'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'entryToBeModified' : '%s/security/ldaps_port.ldif' % (logsRemoteDataDir) }
+ </call>
+
+ <!-- Enabling LDAPS Connection Handler - Keystore type -->
+ <message>
+ 'Enabling LDAPS Connection Handler - Keystore type'
+ </message>
+
+ <call function="'modifyEntry'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'entryToBeModified' : '%s/security/client_auth/setup/enable_ldaps_conn_handler.ldif' % (logsRemoteDataDir) }
+ </call>
+
+
+ <!--- Enable StartTLS -->
+ <message>
+ 'Enabling StartTLS'
+ </message>
+
+ <call function="'addEntry'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'entryToBeAdded' : '%s/security/client_auth/setup/enable_startTLS.ldif' % (logsRemoteDataDir) }
+ </call>
+
+
+ <!--- Initial Search With SSL -->
+ <message>
+ 'Security: Client_auth: Searching with SSL Connection'
+ </message>
+
+ <call function="'ldapSearchWithScript'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
+ 'dsScope' : 'base',
+ 'dsFilter' : 'objectclass=*' ,
+ 'dsUseSSL' : ' ',
+ 'dsTrustAll' : ' ' }
+ </call>
+
+
+ <!--- Initial Search With startTLS-->
+ <message>
+ 'Security: Client_auth: Searching with StartTLS Connection'
+ </message>
+
+ <call function="'ldapSearchWithScript'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
+ 'dsScope' : 'base',
+ 'dsFilter' : 'objectclass=*' ,
+ 'dsUseStartTLS' : ' ',
+ 'dsTrustAll' : ' ' }
+ </call>
+
+
+ <call function="'testCase_Postamble'"/>
+ </sequence>
+ </testcase>
+
+
+ <!--- Test Case : Create users entries with userCertificates -->
+ <!---
+ #@TestMarker Setup Tests
+ #@TestName Create users entries
+ #@TestIssue
+ #@TestPurpose Create users entries
+ #@TestPreamble none
+ #@TestStep Create users entries with usercertificates
+ #@TestPostamble none
+ #@TestResult Success if OpenDS returns 0 for all operations
+ -->
+
+
+ <testcase name="'Security: client_auth: setup. Create users entries'">
+ <sequence>
+
+ <call function="'testCase_Preamble'"/>
+ <!-- Create users entries-->
+ <script>
+ CERT_TMP="%s/CERT_%s" % (DIRECTORY_INSTANCE_DIR,DIRECTORY_INSTANCE_PORT)
+
+ USER_1_CERT="client-cert-1"
+ USER_1_CERT_FILE="%s/client_cert_1.txt" % (CERT_TMP)
+ USER_1_CERT_FILE_RFC="%s/client_cert_1_rfc.txt" % (CERT_TMP)
+ USER_1_DN="uid=%s,%s" % (USER_1_CERT,DIRECTORY_INSTANCE_SFX)
+ USER_2_CERT="client-cert-2"
+ USER_2_CERT_FILE_RFC="%s/client_cert_2_rfc.txt" % (CERT_TMP)
+ USER_2_CERT_FILE="%s/client_cert_2.txt" % (CERT_TMP)
+ USER_2_DN="uid=%s,%s" % (USER_2_CERT,DIRECTORY_INSTANCE_SFX)
+ SERVER_CERT_FILE="%s/server_cert.txt" % (CERT_TMP)
+
+ user1LdifFileName='user1_cert.ldif'
+ user2LdifFileName='user2_cert.ldif'
+ remoteUser1LdifFile='%s/../%s/%s' % (dsPath,relativeDataDir,user1LdifFileName)
+ remoteUser2LdifFile='%s/../%s/%s' % (dsPath,relativeDataDir,user2LdifFileName)
+ localUser1LdifFile='%s/%s' % (logsTempDir,user1LdifFileName)
+ localUser2LdifFile='%s/%s' % (logsTempDir,user2LdifFileName)
+ </script>
+
+ <!-- Create USER_1_DN -->
+ <message> '---- Create User entry : %s----' % USER_1_DN</message>
+
+ <script>
+ listAttr = []
+ listAttr.append('objectclass:top')
+ listAttr.append('objectclass:organizationalperson')
+ listAttr.append('objectclass:inetorgperson')
+ listAttr.append('objectclass:person')
+ listAttr.append('objectclass:ds-certificate-user')
+ listAttr.append('objectclass:strongAuthenticationUser')
+ listAttr.append('userCertificate;binary: bad_certificate')
+ listAttr.append('givenname:%s' % USER_1_CERT)
+ listAttr.append('sn:%s' % USER_1_CERT)
+ listAttr.append('cn:%s' % USER_1_CERT)
+ </script>
+
+ <call function="'addAnEntry'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'DNToAdd' : USER_1_DN,
+ 'listAttributes' : listAttr }
+ </call>
+
+
+ <!-- Extract BEGIN CERTIFICATE and END CERTIFICATE -->
+ <script>
+ cert_file = open(USER_1_CERT_FILE_RFC,"r")
+ ret_str = ""
+ for line in cert_file.readlines():
+ index_cert = line.find("CERTIFICATE")
+ if index_cert == -1:
+ line=line.strip()
+ ret_str = ret_str + line
+ </script>
+ <script>
+ listAttr = []
+ listAttr.append('dn: %s' % USER_1_DN)
+ listAttr.append('changetype: modify')
+ listAttr.append('replace: userCertificate;binary')
+ listAttr.append('userCertificate;binary:: %s' % ret_str)
+ </script>
+
+ <!-- Write out the ldif -->
+ <script>
+ outfile = open(localUser1LdifFile,"w")
+
+ for line in listAttr:
+ outfile.write("%s\n" % line)
+
+ outfile.close()
+ </script>
+
+ <!-- Copy the ldif file containing user certificate to remote host -->
+ <message>'Copy ldif (%s) file to user entry %s to %s' % (localUser1LdifFile,USER_1_DN,remoteUser1LdifFile)</message>
+ <call function="'copyFile'">
+ { 'location' : STAXServiceMachine,
+ 'srcfile' : localUser1LdifFile,
+ 'destfile' : remoteUser1LdifFile,
+ 'remotehost' : STAF_REMOTE_HOSTNAME }
+ </call>
+
+ <call function="'modifyEntry'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'entryToBeModified' : '%s' % remoteUser1LdifFile }
+ </call>
+
+ <!-- Create USER_2_DN : this used contains the objectclass ds-certificate-user -->
+
+ <message>'---- Create User entry : %s----' % USER_2_DN </message>
+ <message>'---- This user contains an objectclass ds-certificate-user' </message>
+
+ <script>
+ listAttr = []
+ listAttr.append('objectclass:top')
+ listAttr.append('objectclass:organizationalperson')
+ listAttr.append('objectclass:inetorgperson')
+ listAttr.append('objectclass:person')
+ listAttr.append('objectclass:ds-certificate-user')
+ listAttr.append('objectclass:strongAuthenticationUser')
+ listAttr.append('userCertificate;binary: bad_certificate')
+ listAttr.append('givenname:%s' % USER_2_CERT)
+ listAttr.append('sn:%s' % USER_2_CERT)
+ listAttr.append('cn:%s' % USER_2_CERT)
+ </script>
+
+ <call function="'addAnEntry'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'DNToAdd' : USER_2_DN,
+ 'listAttributes' : listAttr }
+ </call>
+
+
+
+ <!-- Extract BEGIN CERTIFICATE and END CERTIFICATE -->
+ <script>
+ cert_file = open(USER_2_CERT_FILE_RFC,"r")
+ ret_str = ""
+ for line in cert_file.readlines():
+ index_cert = line.find("CERTIFICATE")
+ if index_cert == -1:
+ line=line.strip()
+ ret_str = ret_str + line
+ </script>
+
+ <!-- Modify the user Entry to store the certificates -->
+
+ <script>
+ listAttr = []
+ listAttr.append('dn: %s' % USER_2_DN)
+ listAttr.append('changetype: modify')
+ listAttr.append('replace: userCertificate;binary')
+ listAttr.append('userCertificate;binary:: %s' % ret_str)
+ </script>
+
+ <!-- Write out the ldif -->
+ <script>
+ outfile = open(localUser2LdifFile,"w")
+
+ for line in listAttr:
+ outfile.write("%s\n" % line)
+
+ outfile.close()
+ </script>
+
+ <!-- Copy the ldif file containing user certificate to remote host -->
+ <message>'Copy ldif (%s) file to user entry %s to %s' % (localUser2LdifFile,USER_2_DN,remoteUser2LdifFile)</message>
+ <call function="'copyFile'">
+ { 'location' : STAXServiceMachine,
+ 'srcfile' : localUser2LdifFile,
+ 'destfile' : remoteUser2LdifFile,
+ 'remotehost' : STAF_REMOTE_HOSTNAME }
+ </call>
+
+ <call function="'modifyEntry'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'entryToBeModified' : '%s' % remoteUser2LdifFile }
+ </call>
+
+
+ <call function="'testCase_Postamble'"/>
+ </sequence>
+ </testcase>
+
+</sequence>
+</function>
+
+</stax>
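Review bot: The two certificate-extraction scripts in the "Create users entries" testcase open `USER_1_CERT_FILE_RFC` and `USER_2_CERT_FILE_RFC` with `open(..., "r")` and never close the handle, unlike the LDIF writers directly below them which call `outfile.close()`; add `cert_file.close()` after each read loop. The first testcase ("Setup. certificates configuration") also never calls `'testCase_Preamble'` while the other three testcases in this function do, so its preamble bookkeeping is skipped. The same CERT_TMP / USER_* / KEYPASS / STOREPASS values are re-declared in three separate `<script>` blocks; declaring them once in a `<script>` at the top of the function's sequence would keep the copies from drifting apart.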
diff --git a/opends/tests/functional-tests/testcases/security/client_auth/client_auth_teardown.xml b/opends/tests/functional-tests/testcases/security/client_auth/client_auth_teardown.xml
new file mode 100755
index 0000000..694f5e0
--- /dev/null
+++ b/opends/tests/functional-tests/testcases/security/client_auth/client_auth_teardown.xml
@@ -0,0 +1,204 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE stax SYSTEM "stax.dtd">
+<!--
+ ! CDDL HEADER START
+ !
+ ! The contents of this file are subject to the terms of the
+ ! Common Development and Distribution License, Version 1.0 only
+ ! (the "License"). You may not use this file except in compliance
+ ! with the License.
+ !
+ ! You can obtain a copy of the license at
+ ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
+ ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
+ ! See the License for the specific language governing permissions
+ ! and limitations under the License.
+ !
+ ! When distributing Covered Code, include this CDDL HEADER in each
+ ! file and include the License file at
+ ! trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
+ ! add the following below this CDDL HEADER, with the fields enclosed
+ ! by brackets "[]" replaced with your own identifying information:
+ ! Portions Copyright [yyyy] [name of copyright owner]
+ !
+ ! CDDL HEADER END
+ !
+ ! Portions Copyright 2006-2007 Sun Microsystems, Inc.
+ ! -->
+<stax>
+
+ <defaultcall function="client_auth_teardown"/>
+
+ <function name="client_auth_teardown">
+
+ <sequence>
+
+ <!--- Test Case : client_auth Teardown -->
+ <!---
+ Place suite-specific test information here.
+ #@TestSuiteName Teardown Tests
+ #@TestSuitePurpose Unconfigure JKS keystore and the secure port.
+ #@TestSuiteGroup Security JKS Teardown Tests
+ #@TestScript teardown_client_auth.xml
+ -->
+ <!--- Delete Branch through SSL port -->
+ <testcase name="'Security: client_auth: teardown'">
+ <!---
+ Place test-specific test information here.
+ The tag, TestMarker, must be the same as the tag, TestSuiteName.
+ #@TestMarker Teardown Tests
+ #@TestName JKS Teardown Test
+ #@TestIssue 413
+ #@TestPurpose Unconfigure JKS keystore.
+ #@TestPreamble none
+ #@TestStep Delete entries that were used for the JKS tests.
+ #@TestStep Unconfigure JKS keystore.
+ #@TestStep Remove JKS keystore.
+ #@TestStep Test search with unsecure port.
+ #@TestPostamble none
+ #@TestResult Success if OpenDS returns 0 for all operations
+ -->
+ <sequence>
+ <call function="'testCase_Preamble'"/>
+
+ <script>
+ CERT_TMP="%s/CERT_%s" % (DIRECTORY_INSTANCE_DIR,DIRECTORY_INSTANCE_PORT)
+ USER_1_CERT="client-cert-1"
+ USER_1_DN="uid=%s,%s" % (USER_1_CERT,DIRECTORY_INSTANCE_SFX)
+ USER_2_CERT="client-cert-2"
+ USER_2_DN="uid=%s,%s" % (USER_2_CERT,DIRECTORY_INSTANCE_SFX)
+ </script>
+ <!--- Unconfigure SSL -->
+
+
+ <!--- Disable LDAPS Connection Handler -->
+ <message>
+ 'Disabling LDAPS Connection Handler'
+ </message>
+
+ <call function="'modifyEntry'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'entryToBeModified' : '%s/security/client_auth/teardown/disable_ldaps_conn_handler.ldif' % (logsRemoteDataDir) }
+ </call>
+
+
+ <!--- Disable SSL Trust Manager Provider -->
+ <message> 'Disabling SSL Trust Manager Provider' </message>
+
+ <call function="'modifyEntry'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'entryToBeModified' : '%s/security/client_auth/teardown/disable_trust_mgr_provider.ldif' % (logsRemoteDataDir) }
+ </call>
+
+
+
+ <!--- Disable Key Manager Provider -->
+ <message>
+ 'Disabling Key Manager Provider'
+ </message>
+
+ <call function="'modifyEntry'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'entryToBeModified' : '%s/security/client_auth/teardown/disable_key_mgr_provider.ldif' % (logsRemoteDataDir) }
+ </call>
+
+
+
+
+ <!--- Disable StartTLS -->
+ <message>
+ 'Disabling StartTLS'
+ </message>
+
+ <call function="'modifyEntry'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'entryToBeModified' : '%s/security/client_auth/teardown/disable_startTLS.ldif' % (logsRemoteDataDir) }
+ </call>
+
+
+ <!-- remove client certificates keystore -->
+ <message>
+ 'Delete folder %s' % (CERT_TMP)
+ </message>
+
+ <call function="'deleteFolder'">
+ { 'location' : '%s' % (DIRECTORY_INSTANCE_HOST),
+ 'foldername' : '%s' % (CERT_TMP) }
+ </call>
+
+ <!--- Remove JKS Keystore -->
+ <message>
+ 'Security: client_auth: Removing JKS Keystore'
+ </message>
+
+ <call function="'deleteFile'">
+ { 'location' : STAF_REMOTE_HOSTNAME,
+ 'filename' : '%s/../config/keystore' % OPENDS_BINPATH }
+ </call>
+
+ <call function="'checkRC'">
+ { 'returncode' : RC ,
+ 'result' : STAXResult }
+ </call>
+
+ <!--- Search With Unsecure Port -->
+ <message>
+ 'Security: client_auth: Postamble. Searching with Unsecure Connection'
+ </message>
+
+ <call function="'SearchObject'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'dsBaseDN' : DIRECTORY_INSTANCE_SFX ,
+ 'dsScope' : 'base',
+ 'dsFilter' : 'objectclass=*' }
+ </call>
+
+ <call function="'DeleteEntry'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'dsBaseDN' : USER_1_DN}
+ </call>
+
+ <call function="'checktestRC'">
+ { 'returncode' : RC ,
+ 'result' : STAXResult }
+ </call>
+
+ <call function="'DeleteEntry'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'dsBaseDN' : USER_2_DN}
+ </call>
+ <call function="'checktestRC'">
+ { 'returncode' : RC ,
+ 'result' : STAXResult }
+ </call>
+
+ <call function="'testCase_Postamble'"/>
+ </sequence>
+ </testcase>
+
+ </sequence>
+
+ </function>
+
+</stax>
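Review bot: The DOCTYPE on the second line of this file references `stax.dtd` relative to the file itself, whereas the sibling files in this commit use `../../../stax.dtd`; if the DTD is resolved this file will not find it, so change it to `<!DOCTYPE stax SYSTEM "../../../stax.dtd">`. The test-information comment block carries `#@TestScript teardown_client_auth.xml` and JKS-suite wording (`JKS Teardown Test`, `#@TestIssue 413`) that appear copied from another suite and do not match this file's name or purpose; update them to `#@TestScript client_auth_teardown.xml` and a client_auth-specific description. The return code after `deleteFile` is checked with `'checkRC'` while the two `DeleteEntry` calls use `'checktestRC'`; pick one so failures are reported consistently.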
diff --git a/opends/tests/functional-tests/testcases/security/client_auth/equal_dn_mapper.xml b/opends/tests/functional-tests/testcases/security/client_auth/equal_dn_mapper.xml
new file mode 100755
index 0000000..254d349
--- /dev/null
+++ b/opends/tests/functional-tests/testcases/security/client_auth/equal_dn_mapper.xml
@@ -0,0 +1,219 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE stax SYSTEM "../../../stax.dtd">
+<!--
+ ! CDDL HEADER START
+ !
+ ! The contents of this file are subject to the terms of the
+ ! Common Development and Distribution License, Version 1.0 only
+ ! (the "License"). You may not use this file except in compliance
+ ! with the License.
+ !
+ ! You can obtain a copy of the license at
+ ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
+ ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
+ ! See the License for the specific language governing permissions
+ ! and limitations under the License.
+ !
+ ! When distributing Covered Code, include this CDDL HEADER in each
+ ! file and include the License file at
+ ! trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
+ ! add the following below this CDDL HEADER, with the fields enclosed
+ ! by brackets "[]" replaced with your own identifying information:
+ ! Portions Copyright [yyyy] [name of copyright owner]
+ !
+ ! CDDL HEADER END
+ !
+ ! Portions Copyright 2006-2007 Sun Microsystems, Inc.
+ ! -->
+<stax>
+
+<defaultcall function="equal_dn_mapper"/>
+<function name="equal_dn_mapper" scope="local">
+
+<sequence>
+
+ <!--- Test Case : setup -->
+ <!---
+ #@TestMarker Setup Tests
+ #@TestName Set the SASL EXTERNAL mechanism to Subject Equal DN
+ #@TestIssue
+ #@TestPurpose Set the SASL EXTERNAL mechanism to Subject EqualN
+ #@TestPreamble none
+ #@TestStep Set the SASL EXTERNAL mechanism to Subject Equal DN
+ #@TestPostamble none
+ #@TestResult Success if OpenDS returns 0 for all operations
+ -->
+
+
+ <testcase name="'Security: client_auth: setup - equal_dn_mapper'">
+
+ <sequence>
+ <call function="'testCase_Preamble'"/>
+
+ <message>
+ '---- Configure the SASL EXTERNAL mechanism -----'
+ </message>
+
+ <call function="'modifyAnAttribute'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'DNToModify' : 'cn=EXTERNAL,cn=SASL Mechanisms,cn=config',
+ 'attributeName' : 'ds-cfg-certificate-mapper-dn',
+ 'newAttributeValue' : 'cn=Subject Equals DN,cn=Certificate Mappers,cn=config',
+ 'changetype' : 'replace' }
+ </call>
+
+
+ <call function="'testCase_Postamble'"/>
+ </sequence>
+ </testcase>
+
+
+<!---
+ #@TestMarker Equal DN mapping
+ #@TestName Mapping on DN
+ #@TestIssue
+ #@TestPurpose Use the Equal DN certificate mapper
+ #@TestPurpose The mapping will be done on entry DN
+ #@TestStep Two users entries are used to validate this mapper
+ #@TestPreamble none
+ #@TestPostamble none
+ #@TestResult Success if OpenDS returns 0 for all operations
+ -->
+
+ <testcase name="'Security: client_auth: Equal DN mapping '">
+ <sequence>
+ <script>
+
+ USER_1_CERT="client-cert-1"
+ USER_1_DN="uid=%s,%s" % (USER_1_CERT,DIRECTORY_INSTANCE_SFX)
+ USER_2_CERT="client-cert-2"
+ USER_2_DN="uid=%s,%s" % (USER_2_CERT,DIRECTORY_INSTANCE_SFX)
+ STOREPASS="password"
+ CERT_TMP="%s/CERT_%s" % (DIRECTORY_INSTANCE_DIR,DIRECTORY_INSTANCE_PORT)
+ CLIENT_KEYSTORE="%s/keystore" % (CERT_TMP)
+ </script>
+ <call function="'testCase_Preamble'"/>
+
+
+ <!-- Check mapping is working -->
+ <message>'--- Check SSL communication with SASL EXTERNAL authentication'</message>
+
+ <!-- bound as USER_1_DN -->
+ <call function="'ldapSearchWithScript'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
+ 'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
+ 'dsFilter' : 'objectclass=*' ,
+ 'dsKeyStorePassword' : STOREPASS,
+ 'dsUseSSL' : ' ',
+ 'dsUseSASLExternal' : ' ',
+ 'dsCertNickname' : USER_1_CERT,
+ 'dsTrustStorePath' : CLIENT_KEYSTORE,
+ 'dsKeyStorePath' : CLIENT_KEYSTORE,
+ 'dsReportAuthzID' : ' ',
+ 'dsScope' : 'base' }
+ </call>
+
+ <script>
+ STAXCode = RC
+ ldapSearchResult = STAXResult[0][1]
+ </script>
+ <call function="'CheckMatches'">
+ { 'string2find' : USER_1_DN ,
+ 'mainString' : ldapSearchResult ,
+ 'nbExpected' : 1
+ }
+ </call>
+
+ <!-- bound as USER_2_DN -->
+ <call function="'ldapSearchWithScript'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
+ 'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
+ 'dsFilter' : 'objectclass=*' ,
+ 'dsKeyStorePassword' : STOREPASS,
+ 'dsUseSSL' : ' ',
+ 'dsUseSASLExternal' : ' ',
+ 'dsCertNickname' : USER_2_CERT,
+ 'dsTrustStorePath' : CLIENT_KEYSTORE,
+ 'dsKeyStorePath' : CLIENT_KEYSTORE,
+ 'dsReportAuthzID' : ' ',
+ 'dsScope' : 'base' }
+ </call>
+
+ <script>
+ STAXCode = RC
+ ldapSearchResult = STAXResult[0][1]
+ </script>
+ <call function="'CheckMatches'">
+ { 'string2find' : USER_2_DN ,
+ 'mainString' : ldapSearchResult ,
+ 'nbExpected' : 1
+ }
+ </call>
+
+ <!-- bound as USER_1_DN -->
+ <message>'--- Check StartTLS communication with SASL EXTERNAL authentication'</message>
+ <call function="'ldapSearchWithScript'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
+ 'dsFilter' : 'objectclass=*' ,
+ 'dsKeyStorePassword' : STOREPASS,
+ 'dsUseStartTLS' : ' ',
+ 'dsUseSASLExternal' : ' ',
+ 'dsCertNickname' : USER_1_CERT,
+ 'dsTrustStorePath' : CLIENT_KEYSTORE,
+ 'dsKeyStorePath' : CLIENT_KEYSTORE,
+ 'dsReportAuthzID' : ' ',
+ 'dsScope' : 'base' }
+ </call>
+
+ <script>
+ STAXCode = RC
+ ldapSearchResult = STAXResult[0][1]
+ </script>
+ <call function="'CheckMatches'">
+ { 'string2find' : USER_1_DN ,
+ 'mainString' : ldapSearchResult ,
+ 'nbExpected' : 1
+ }
+ </call>
+
+ <!-- bound as USER_2_DN -->
+ <call function="'ldapSearchWithScript'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
+ 'dsFilter' : 'objectclass=*' ,
+ 'dsKeyStorePassword' : STOREPASS,
+ 'dsUseStartTLS' : ' ',
+ 'dsUseSASLExternal' : ' ',
+ 'dsCertNickname' : USER_2_CERT,
+ 'dsTrustStorePath' : CLIENT_KEYSTORE,
+ 'dsKeyStorePath' : CLIENT_KEYSTORE,
+ 'dsReportAuthzID' : ' ',
+ 'dsScope' : 'base' }
+ </call>
+ <script>
+ STAXCode = RC
+ ldapSearchResult = STAXResult[0][1]
+ </script>
+ <call function="'CheckMatches'">
+ { 'string2find' : USER_2_DN ,
+ 'mainString' : ldapSearchResult ,
+ 'nbExpected' : 1
+ }
+ </call>
+
+ <call function="'testCase_Postamble'"/>
+ </sequence>
+ </testcase>
+
+</sequence>
+</function>
+
+</stax>
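Review bot: `STAXCode = RC` is captured after every `ldapSearchWithScript` call (the `<script>` blocks after the four searches) but never checked, so a search that fails with a non-zero return code is only caught indirectly if `CheckMatches` happens not to find the DN in whatever `STAXResult[0][1]` holds; after each of those scripts add `<call function="'checkRC'"> { 'returncode' : STAXCode , 'result' : STAXResult } </call>` as the teardown file already does for its own calls. The same unchecked `STAXCode` pattern repeats in fingerprint_mapper.xml and subject_attribute_mapper.xml. This testcase also has no negative path: every search is expected to bind successfully, whereas the other mapper files include a search with `'expected' : 49`, so a certificate whose subject does not equal any entry DN is never shown to be rejected by the Subject Equals DN mapper. The header comment's `#@TestPurpose Set the SASL EXTERNAL mechanism to Subject EqualN` looks like a truncation of "Subject Equal DN".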
diff --git a/opends/tests/functional-tests/testcases/security/client_auth/fingerprint_mapper.xml b/opends/tests/functional-tests/testcases/security/client_auth/fingerprint_mapper.xml
new file mode 100755
index 0000000..44e5f89
--- /dev/null
+++ b/opends/tests/functional-tests/testcases/security/client_auth/fingerprint_mapper.xml
@@ -0,0 +1,471 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE stax SYSTEM "../../../stax.dtd">
+<!--
+ ! CDDL HEADER START
+ !
+ ! The contents of this file are subject to the terms of the
+ ! Common Development and Distribution License, Version 1.0 only
+ ! (the "License"). You may not use this file except in compliance
+ ! with the License.
+ !
+ ! You can obtain a copy of the license at
+ ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
+ ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
+ ! See the License for the specific language governing permissions
+ ! and limitations under the License.
+ !
+ ! When distributing Covered Code, include this CDDL HEADER in each
+ ! file and include the License file at
+ ! trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
+ ! add the following below this CDDL HEADER, with the fields enclosed
+ ! by brackets "[]" replaced with your own identifying information:
+ ! Portions Copyright [yyyy] [name of copyright owner]
+ !
+ ! CDDL HEADER END
+ !
+ ! Portions Copyright 2006-2007 Sun Microsystems, Inc.
+ ! -->
+<stax>
+
+<defaultcall function="fingerprint_mapper"/>
+<function name="fingerprint_mapper" scope="local">
+
+<sequence>
+
+ <!--- Test Case : setup -->
+ <!---
+ #@TestMarker Setup Tests
+ #@TestName Set the SASL EXTERNAL mechanism to fingerprint certificate mapper
+ #@TestIssue
+ #@TestPurpose Set the SASL EXTERNAL mechanism to fingerprint certificate mapper
+ #@TestPreamble none
+ #@TestStep Set the SASL EXTERNAL mechanism to fingerprint certificate mapper
+ #@TestStep keep the default ds-cfg-certificate-subject-attribute-type which is ds-certificate-subject-dn
+ #@TestPostamble none
+ #@TestResult Success if OpenDS returns 0 for all operations
+ -->
+
+
+ <testcase name="'Security: client_auth: setup - fingerprint_mapper'">
+
+ <sequence>
+ <call function="'testCase_Preamble'"/>
+
+ <message>
+ '---- Configure the SASL EXTERNAL mechanism -----'
+ </message>
+
+ <call function="'modifyAnAttribute'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'DNToModify' : 'cn=EXTERNAL,cn=SASL Mechanisms,cn=config',
+ 'attributeName' : 'ds-cfg-certificate-mapper-dn',
+ 'newAttributeValue' : 'cn=Subject DN to User Attribute,cn=Certificate Mappers,cn=config',
+ 'changetype' : 'replace' }
+ </call>
+
+ <call function="'testCase_Postamble'"/>
+ </sequence>
+ </testcase>
+
+
+<!---
+#@TestMarker Subject DN mapping to default user attribut
+#@TestName Mapping on ds-certificated-subject-dn attribute
+#@TestIssue
+#@TestPurpose Use the Subject DN to User Attribute certificate mapper
+#@TestPurpose Map the subject of a client certificate and a specified attribute in user entries
+#@TestPurpose The mapping will be done on the default attribut ds-certificate-subject-dn
+#@TestStep Two users entries are used to validate this mapper
+#@TestStep USER_1_DN contains an attribute ds-certifcated-subject-dn with the subject of the USER_1_CERT client certificate
+#@TestStep USER_2_DN contains an attribute ds-certificate-subject-dn with an invalid value
+#@TestStep The certificate mapping will work only with the USER_1_CERT client certificate
+#@TestPreamble none
+#@TestPostamble none
+#@TestResult Success if OpenDS returns 0 for all operations
+ -->
+
+ <testcase name="'Security: client_auth: subject dn mapping on ds-certificate-subject-dn'">
+ <sequence>
+ <script>
+
+ USER_1_CERT="client-cert-1"
+ USER_1_DN="uid=%s,%s" % (USER_1_CERT,DIRECTORY_INSTANCE_SFX)
+
+ USER_2_CERT="client-cert-2"
+ USER_2_DN="uid=%s,%s" % (USER_2_CERT,DIRECTORY_INSTANCE_SFX)
+ STOREPASS="password"
+ CERT_TMP="%s/CERT_%s" % (DIRECTORY_INSTANCE_DIR,DIRECTORY_INSTANCE_PORT)
+ CLIENT_KEYSTORE="%s/keystore" % (CERT_TMP)
+ </script>
+ <call function="'testCase_Preamble'"/>
+
+ <message>'----- Configure the attribute ds-certificate-subject-dn for user %s ---' % USER_1_DN</message>
+ <message>'----- ds-certificate-subject-dn is the subject of the certificate %s '% USER_1_CERT</message>
+
+ <call function="'modifyAnAttribute'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'DNToModify' : USER_1_DN,
+ 'attributeName' : 'ds-certificate-subject-dn',
+ 'newAttributeValue' : USER_1_DN,
+ 'changetype' : 'add' }
+ </call>
+
+
+
+ <message> '----- Configure the attribute ds-certificate-subject-dn for user %s ---' % USER_2_DN</message>
+ <message>'------ ds-certificate-subject-dn contains an invalid DN'</message>
+
+
+ <call function="'modifyAnAttribute'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'DNToModify' : USER_2_DN,
+ 'attributeName' : 'ds-certificate-subject-dn',
+ 'newAttributeValue' : 'uid=bad-certificate',
+ 'changetype' : 'add' }
+ </call>
+
+
+
+ <!-- Check mapping is working -->
+ <message>'--- Check SSL communication with SASL EXTERNAL authentication'</message>
+
+ <!-- bound as USER_1_DN -->
+ <call function="'ldapSearchWithScript'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
+ 'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
+ 'dsFilter' : 'objectclass=*' ,
+ 'dsKeyStorePassword' : STOREPASS,
+ 'dsUseSSL' : ' ',
+ 'dsUseSASLExternal' : ' ',
+ 'dsCertNickname' : USER_1_CERT,
+ 'dsTrustStorePath' : CLIENT_KEYSTORE,
+ 'dsKeyStorePath' : CLIENT_KEYSTORE,
+ 'dsReportAuthzID' : ' ',
+ 'dsScope' : 'base' }
+ </call>
+
+ <script>
+ STAXCode = RC
+ ldapSearchResult = STAXResult[0][1]
+ </script>
+ <call function="'CheckMatches'">
+ { 'string2find' : USER_1_DN ,
+ 'mainString' : ldapSearchResult ,
+ 'nbExpected' : 1
+ }
+ </call>
+
+ <!-- No bound expected -->
+ <call function="'ldapSearchWithScript'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
+ 'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
+ 'dsFilter' : 'objectclass=*' ,
+ 'dsKeyStorePassword' : STOREPASS,
+ 'dsUseSSL' : ' ',
+ 'dsUseSASLExternal' : ' ',
+ 'dsCertNickname' : USER_2_CERT,
+ 'dsTrustStorePath' : CLIENT_KEYSTORE,
+ 'dsKeyStorePath' : CLIENT_KEYSTORE,
+ 'dsReportAuthzID' : ' ',
+ 'dsScope' : 'base',
+ 'expected' : 49 }
+ </call>
+
+
+ <message>'--- Check StartTLS communication with SASL EXTERNAL authentication'</message>
+
+ <!-- bound as USER_1_DN -->
+ <call function="'ldapSearchWithScript'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
+ 'dsFilter' : 'objectclass=*' ,
+ 'dsKeyStorePassword' : STOREPASS,
+ 'dsUseStartTLS' : ' ',
+ 'dsUseSASLExternal' : ' ',
+ 'dsCertNickname' : USER_1_CERT,
+ 'dsTrustStorePath' : CLIENT_KEYSTORE,
+ 'dsKeyStorePath' : CLIENT_KEYSTORE,
+ 'dsReportAuthzID' : ' ',
+ 'dsScope' : 'base' }
+ </call>
+
+ <script>
+ STAXCode = RC
+ ldapSearchResult = STAXResult[0][1]
+ </script>
+ <call function="'CheckMatches'">
+ { 'string2find' : USER_1_DN ,
+ 'mainString' : ldapSearchResult ,
+ 'nbExpected' : 1
+ }
+ </call>
+
+
+ <call function="'ldapSearchWithScript'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
+ 'dsFilter' : 'objectclass=*' ,
+ 'dsKeyStorePassword' : STOREPASS,
+ 'dsUseStartTLS' : ' ',
+ 'dsUseSASLExternal' : ' ',
+ 'dsCertNickname' : USER_2_CERT,
+ 'dsTrustStorePath' : CLIENT_KEYSTORE,
+ 'dsKeyStorePath' : CLIENT_KEYSTORE,
+ 'dsReportAuthzID' : ' ',
+ 'dsScope' : 'base',
+ 'expected' : 49 }
+ </call>
+
+
+ <!-- Restore initial users configuration -->
+
+ <call function="'modifyAnAttribute'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'DNToModify' : USER_1_DN,
+ 'attributeName' : 'ds-certificate-subject-dn',
+ 'newAttributeValue' : USER_1_DN,
+ 'changetype' : 'delete'}
+ </call>
+
+ <call function="'modifyAnAttribute'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'DNToModify' : USER_2_DN,
+ 'attributeName' : 'ds-certificate-subject-dn',
+ 'newAttributeValue' : 'uid=bad-certificate',
+ 'changetype' : 'delete'}
+ </call>
+
+
+
+ <call function="'testCase_Postamble'"/>
+ </sequence>
+ </testcase>
+
+<!---
+#@TestMarker Subject DN mapping to the user attribute's description
+#@TestName Mapping on the attribute description
+#@TestIssue
+#@TestPurpose Use the Subject DN to User Attribute certificate mapper
+#@TestPurpose Map the subject of a client certificate and a specified attribute in user entries
+#@TestPurpose The mapping will be done on the attribute description
+#@TestStep Two users entries are used to validate this mapper
+#@TestStep USER_1_DN doesn't contains attribute description
+#@TestStep USER_2_DN contains an attribute description with the USER_2_CERT client certificate
+#@TestPreamble none
+#@TestPostamble none
+#@TestResult Success if OpenDS returns 0 for all operations
+ -->
+
+ <testcase name="'Security: client_auth: subject dn mapping on attribut description'">
+ <sequence>
+ <script>
+ USER_1_CERT="client-cert-1"
+ USER_1_DN="uid=%s,%s" % (USER_1_CERT,DIRECTORY_INSTANCE_SFX)
+
+ USER_2_CERT="client-cert-2"
+ USER_2_DN="uid=%s,%s" % (USER_2_CERT,DIRECTORY_INSTANCE_SFX)
+ KEYPASS="servercert"
+ STOREPASS="password"
+ CERT_TMP="%s/CERT_%s" % (DIRECTORY_INSTANCE_DIR,DIRECTORY_INSTANCE_PORT)
+ CLIENT_KEYSTORE="%s/keystore" % (CERT_TMP)
+
+ </script>
+
+ <call function="'testCase_Preamble'"/>
+
+ <message>'----- Configure the mapping to be done on the attribute description' </message>
+
+ <call function="'modifyAnAttribute'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'DNToModify' : 'cn=Subject DN to User Attribute,cn=Certificate Mappers,cn=config',
+ 'attributeName' : 'ds-cfg-certificate-subject-attribute-type',
+ 'newAttributeValue' : 'description',
+ 'changetype' : 'replace' }
+ </call>
+
+ <message>'----- Configure the attribute ds-certificate-subject-dn for user %s ---' % USER_1_DN</message>
+
+ <call function="'modifyAnAttribute'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'DNToModify' : USER_1_DN,
+ 'attributeName' : 'description',
+ 'newAttributeValue' : 'bad_cert',
+ 'changetype' : 'add' }
+ </call>
+
+
+ <message> '----- Configure the attribute ds-certificate-subject-dn for user %s ---' % USER_2_DN</message>
+ <message>'------ ds-certificate-subject-dn contains an invalid DN'</message>
+
+ <call function="'modifyAnAttribute'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'DNToModify' : USER_2_DN,
+ 'attributeName' : 'description',
+ 'newAttributeValue' : USER_2_DN,
+ 'changetype' : 'add' }
+ </call>
+
+
+
+
+ <!-- Check mapping is working -->
+ <message>'--- Check SSL communication with SASL EXTERNAL authentication'</message>
+
+ <!-- No mapping expected -->
+ <call function="'ldapSearchWithScript'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
+ 'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
+ 'dsFilter' : 'objectclass=*' ,
+ 'dsKeyStorePassword' : STOREPASS,
+ 'dsUseSSL' : ' ',
+ 'dsUseSASLExternal' : ' ',
+ 'dsCertNickname' : USER_1_CERT,
+ 'dsTrustStorePath' : CLIENT_KEYSTORE,
+ 'dsKeyStorePath' : CLIENT_KEYSTORE,
+ 'dsReportAuthzID' : ' ',
+ 'dsScope' : 'base',
+ 'expected' : 49 }
+ </call>
+
+
+ <!-- bound as USER_2_DN -->
+ <call function="'ldapSearchWithScript'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
+ 'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
+ 'dsFilter' : 'objectclass=*' ,
+ 'dsKeyStorePassword' : STOREPASS,
+ 'dsUseSSL' : ' ',
+ 'dsUseSASLExternal' : ' ',
+ 'dsCertNickname' : USER_2_CERT,
+ 'dsTrustStorePath' : CLIENT_KEYSTORE,
+ 'dsKeyStorePath' : CLIENT_KEYSTORE,
+ 'dsReportAuthzID' : ' ',
+ 'dsScope' : 'base' }
+ </call>
+
+ <script>
+ STAXCode = RC
+ ldapSearchResult = STAXResult[0][1]
+ </script>
+ <call function="'CheckMatches'">
+ { 'string2find' : USER_2_DN ,
+ 'mainString' : ldapSearchResult ,
+ 'nbExpected' : 1
+ }
+ </call>
+
+ <message>'--- Check StartTLS communication with SASL EXTERNAL authentication'</message>
+
+ <!-- No mapping expected -->
+ <call function="'ldapSearchWithScript'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
+ 'dsFilter' : 'objectclass=*' ,
+ 'dsKeyStorePassword' : STOREPASS,
+ 'dsUseStartTLS' : ' ',
+ 'dsUseSASLExternal' : ' ',
+ 'dsCertNickname' : USER_1_CERT,
+ 'dsTrustStorePath' : CLIENT_KEYSTORE,
+ 'dsKeyStorePath' : CLIENT_KEYSTORE,
+ 'dsReportAuthzID' : ' ',
+ 'dsScope' : 'base',
+ 'expected' : 49 }
+ </call>
+
+
+ <!-- bound as USER_2_DN -->
+ <call function="'ldapSearchWithScript'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
+ 'dsFilter' : 'objectclass=*' ,
+ 'dsKeyStorePassword' : STOREPASS,
+ 'dsUseStartTLS' : ' ',
+ 'dsUseSASLExternal' : ' ',
+ 'dsCertNickname' : USER_2_CERT,
+ 'dsTrustStorePath' : CLIENT_KEYSTORE,
+ 'dsKeyStorePath' : CLIENT_KEYSTORE,
+ 'dsReportAuthzID' : ' ',
+ 'dsScope' : 'base' }
+ </call>
+
+ <script>
+ STAXCode = RC
+ ldapSearchResult = STAXResult[0][1]
+ </script>
+ <call function="'CheckMatches'">
+ { 'string2find' : USER_2_DN ,
+ 'mainString' : ldapSearchResult ,
+ 'nbExpected' : 1
+ }
+ </call>
+
+
+ <!-- Restore initial users configuration -->
+
+
+ <call function="'modifyAnAttribute'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'DNToModify' : USER_1_DN,
+ 'attributeName' : 'description',
+ 'newAttributeValue' : 'bad_cert',
+ 'changetype' : 'delete'}
+ </call>
+
+
+
+ <call function="'modifyAnAttribute'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'DNToModify' : USER_2_DN,
+ 'attributeName' : 'description',
+ 'newAttributeValue' : USER_2_DN,
+ 'changetype' : 'delete'}
+ </call>
+
+
+ <call function="'testCase_Postamble'"/>
+ </sequence>
+ </testcase>
+
+</sequence>
+</function>
+
+</stax>
+
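Review bot: The setup testcase of this file points the EXTERNAL mechanism at `'cn=Subject DN to User Attribute,cn=Certificate Mappers,cn=config'`, and the rest of the file (attribute names, messages, both testcases) is the Subject-DN-to-user-attribute scenario, so despite the function name `fingerprint_mapper` the fingerprint certificate mapper is never configured or exercised; the file appears to be a copy of subject_dn_mapper.xml, which has the same 471-line count in the diffstat. Either the `newAttributeValue` should be the fingerprint mapper's entry under `cn=Certificate Mappers,cn=config` (use `'<FINGERPRINT_MAPPER_DN>'` as a placeholder until confirmed) with the test body rewritten around a certificate-fingerprint attribute, or the file should be dropped rather than reporting a pass for an untested mapper. Independently, the second testcase replaces `ds-cfg-certificate-subject-attribute-type` with `description` and the "Restore initial users configuration" section only removes the user attributes, leaving the mapper config modified for whichever file runs next; subject_dn_mapper.xml's setup comment assumes the default `ds-certificate-subject-dn` is still in place, so add a final `modifyAnAttribute` with `'newAttributeValue' : 'ds-certificate-subject-dn'` and `'changetype' : 'replace'` before `testCase_Postamble`. Minor: `KEYPASS="servercert"` is assigned but unused, and the messages around the second testcase's `modifyAnAttribute` calls say "ds-certificate-subject-dn" while the attribute actually modified is `description`.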
diff --git a/opends/tests/functional-tests/testcases/security/client_auth/subject_attribute_mapper.xml b/opends/tests/functional-tests/testcases/security/client_auth/subject_attribute_mapper.xml
new file mode 100755
index 0000000..57b805c
--- /dev/null
+++ b/opends/tests/functional-tests/testcases/security/client_auth/subject_attribute_mapper.xml
@@ -0,0 +1,264 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE stax SYSTEM "../../../stax.dtd">
+<!--
+ ! CDDL HEADER START
+ !
+ ! The contents of this file are subject to the terms of the
+ ! Common Development and Distribution License, Version 1.0 only
+ ! (the "License"). You may not use this file except in compliance
+ ! with the License.
+ !
+ ! You can obtain a copy of the license at
+ ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
+ ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
+ ! See the License for the specific language governing permissions
+ ! and limitations under the License.
+ !
+ ! When distributing Covered Code, include this CDDL HEADER in each
+ ! file and include the License file at
+ ! trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
+ ! add the following below this CDDL HEADER, with the fields enclosed
+ ! by brackets "[]" replaced with your own identifying information:
+ ! Portions Copyright [yyyy] [name of copyright owner]
+ !
+ ! CDDL HEADER END
+ !
+ ! Portions Copyright 2006-2007 Sun Microsystems, Inc.
+ ! -->
+<stax>
+
+<defaultcall function="subject_attribute_mapper"/>
+<function name="subject_attribute_mapper" scope="local">
+
+<sequence>
+
+ <!--- Test Case : setup -->
+ <!---
+ #@TestMarker Setup Tests
+ #@TestName Set the SASL EXTERNAL mechanism to Subject attribute to User Attribute
+ #@TestIssue
+ #@TestPurpose Set the SASL EXTERNAL mechanism to Subject attribute to User Attribute
+ #@TestPreamble none
+ #@TestStep Map attributes from the certificate subject to attributes in user entries
+ #@TestPostamble none
+ #@TestResult Success if OpenDS returns 0 for all operations
+ -->
+
+
+ <testcase name="'Security: client_auth: setup - subject_attribute_mapper'">
+
+ <sequence>
+ <call function="'testCase_Preamble'"/>
+
+ <message>
+ '---- Configure the SASL EXTERNAL mechanism with Subject Attribute to User Attribute mapper -----'
+ </message>
+
+ <call function="'modifyAnAttribute'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'DNToModify' : 'cn=EXTERNAL,cn=SASL Mechanisms,cn=config',
+ 'attributeName' : 'ds-cfg-certificate-mapper-dn',
+ 'newAttributeValue' : 'cn=Subject Attribute to User Attribute,cn=Certificate Mappers,cn=config',
+ 'changetype' : 'replace' }
+ </call>
+
+
+ <message>
+ '---- Configure the Subject Attribute to User Attribute mapper -----'
+ </message>
+ <script>
+ listAttr = []
+ listAttr.append('cn=ds-cfg-certificate-subject-attribute-mapping:cn:cn')
+ listAttr.append('cn=ds-cfg-certificate-subject-attribute-mapping:e:mail')
+ </script>
+
+ <call function="'testCase_Postamble'"/>
+ </sequence>
+ </testcase>
+
+
+<!---
+ #@TestMarker Subject Attributes mapping to user attribute
+ #@TestName Use only one attribute mapping
+ #@TestIssue
+ #@TestPurpose Map attributes from the certificate subject to attributes in user entries
+ #@TestStep the subject certificate is defined with the format : uid=client-cert-1,SUFFIX
+ #@TestStep The mapping will be done on the attribute uid from the cerficate subject
+ #@TestStep and the attribute 'description' of the user's entry
+ #@TestPreamble none
+ #@TestPostamble none
+ #@TestResult Success if OpenDS returns 0 for all operations
+ -->
+
+ <testcase name="'Security: client_auth: subject attribute mapping'">
+ <sequence>
+ <script>
+
+ USER_1_CERT="client-cert-1"
+ USER_1_DN="uid=%s,%s" % (USER_1_CERT,DIRECTORY_INSTANCE_SFX)
+
+ USER_2_CERT="client-cert-2"
+ USER_2_DN="uid=%s,%s" % (USER_2_CERT,DIRECTORY_INSTANCE_SFX)
+ STOREPASS="password"
+ CERT_TMP="%s/CERT_%s" % (DIRECTORY_INSTANCE_DIR,DIRECTORY_INSTANCE_PORT)
+ CLIENT_KEYSTORE="%s/keystore" % (CERT_TMP)
+ </script>
+ <call function="'testCase_Preamble'"/>
+
+ <message>
+ '---- Configure the Subject Attribute to User Attribute mapper -----'
+ </message>
+ <message>'---- Add a new mapping rule from attribute "uid" from certificate subject and attribute "description" of the user entry'</message>
+ <call function="'modifyAnAttribute'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'DNToModify' : 'cn=Subject Attribute to User Attribute,cn=Certificate Mappers,cn=config',
+ 'attributeName' : 'ds-cfg-certificate-subject-attribute-mapping',
+ 'newAttributeValue' : 'uid:description',
+ 'changetype' : 'replace' }
+ </call>
+
+
+ <message>'----- Configure the attribute description for user %s ---' % USER_1_DN</message>
+ <message>'----- the attribute description will map with the attribute "uid" of the certificate subject'</message>
+
+ <call function="'modifyAnAttribute'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'DNToModify' : USER_1_DN,
+ 'attributeName' : 'description',
+ 'newAttributeValue' : USER_1_CERT,
+ 'changetype' : 'add' }
+ </call>
+
+
+ <message>'----- Configure the attribute description for user %s ---' % USER_2_DN</message>
+ <message>'----- the attribute description contains invalid value'</message>
+ <message>'----- it will not map with the attribute "uid" of the certificate subject'</message>
+
+
+ <call function="'modifyAnAttribute'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'DNToModify' : USER_2_DN,
+ 'attributeName' : 'description',
+ 'newAttributeValue' : 'bad-certificate',
+ 'changetype' : 'add' }
+ </call>
+
+
+ <!-- Check mapping is working -->
+
+ <message>'--- Check SSL communication with SASL EXTERNAL authentication'</message>
+
+ <!-- bound as USER_1_DN -->
+ <call function="'ldapSearchWithScript'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
+ 'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
+ 'dsFilter' : 'objectclass=*' ,
+ 'dsKeyStorePassword' : STOREPASS,
+ 'dsUseSSL' : ' ',
+ 'dsUseSASLExternal' : ' ',
+ 'dsCertNickname' : USER_1_CERT,
+ 'dsTrustStorePath' : CLIENT_KEYSTORE,
+ 'dsKeyStorePath' : CLIENT_KEYSTORE,
+ 'dsReportAuthzID' : ' ',
+ 'dsScope' : 'base' }
+ </call>
+
+ <script>
+ STAXCode = RC
+ ldapSearchResult = STAXResult[0][1]
+ </script>
+ <call function="'CheckMatches'">
+ { 'string2find' : USER_1_DN ,
+ 'mainString' : ldapSearchResult ,
+ 'nbExpected' : 1
+ }
+ </call>
+
+ <!-- No mapping expected -->
+ <call function="'ldapSearchWithScript'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
+ 'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
+ 'dsFilter' : 'objectclass=*' ,
+ 'dsKeyStorePassword' : STOREPASS,
+ 'dsUseSSL' : ' ',
+ 'dsUseSASLExternal' : ' ',
+ 'dsCertNickname' : USER_2_CERT,
+ 'dsTrustStorePath' : CLIENT_KEYSTORE,
+ 'dsKeyStorePath' : CLIENT_KEYSTORE,
+ 'dsReportAuthzID' : ' ',
+ 'dsScope' : 'base',
+ 'expected' : 49 }
+ </call>
+
+
+
+ <message>'--- Check StartTLS communication with SASL EXTERNAL authentication'</message>
+
+ <!-- bound as USER_1_DN -->
+ <call function="'ldapSearchWithScript'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
+ 'dsFilter' : 'objectclass=*' ,
+ 'dsKeyStorePassword' : STOREPASS,
+ 'dsUseStartTLS' : ' ',
+ 'dsUseSASLExternal' : ' ',
+ 'dsCertNickname' : USER_1_CERT,
+ 'dsTrustStorePath' : CLIENT_KEYSTORE,
+ 'dsKeyStorePath' : CLIENT_KEYSTORE,
+ 'dsReportAuthzID' : ' ',
+ 'dsScope' : 'base' }
+ </call>
+
+ <script>
+ STAXCode = RC
+ ldapSearchResult = STAXResult[0][1]
+ </script>
+ <call function="'CheckMatches'">
+ { 'string2find' : USER_1_DN ,
+ 'mainString' : ldapSearchResult ,
+ 'nbExpected' : 1
+ }
+ </call>
+
+ <!-- No mapping expected -->
+ <call function="'ldapSearchWithScript'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
+ 'dsFilter' : 'objectclass=*' ,
+ 'dsKeyStorePassword' : STOREPASS,
+ 'dsUseStartTLS' : ' ',
+ 'dsUseSASLExternal' : ' ',
+ 'dsCertNickname' : USER_2_CERT,
+ 'dsTrustStorePath' : CLIENT_KEYSTORE,
+ 'dsKeyStorePath' : CLIENT_KEYSTORE,
+ 'dsReportAuthzID' : ' ',
+ 'dsScope' : 'base',
+ 'expected' : 49 }
+ </call>
+
+
+
+ <call function="'testCase_Postamble'"/>
+ </sequence>
+ </testcase>
+
+</sequence>
+</function>
+
+</stax>
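Review bot: The `listAttr` built in the setup testcase's `<script>` (two values of the form `'cn=ds-cfg-certificate-subject-attribute-mapping:cn:cn'`) is never read, and the values themselves do not look like `ds-cfg-certificate-subject-attribute-mapping` values (the later testcase uses the `'uid:description'` form), so the block is dead code that misleads the reader about what the setup configures; remove it or turn it into the `modifyAnAttribute` call it seems to stand for. Unlike fingerprint_mapper.xml, the second testcase has no restore section: the `description` values added to `USER_1_DN` and `USER_2_DN` and the `replace` of the mapper's `ds-cfg-certificate-subject-attribute-mapping` are left in place, so any later file relying on the mapper's default mapping or on entries without a `description` inherits this state (the teardown's `DeleteEntry` calls presumably remove the entries, but not the mapper config). Add matching `modifyAnAttribute` calls with `'changetype' : 'delete'` for both user attributes and a `replace` restoring the mapping before `testCase_Postamble`. The unchecked `STAXCode` after each `ldapSearchWithScript` is the same issue raised on equal_dn_mapper.xml.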
diff --git a/opends/tests/functional-tests/testcases/security/client_auth/subject_dn_mapper.xml b/opends/tests/functional-tests/testcases/security/client_auth/subject_dn_mapper.xml
new file mode 100755
index 0000000..c8ee2d6
--- /dev/null
+++ b/opends/tests/functional-tests/testcases/security/client_auth/subject_dn_mapper.xml
@@ -0,0 +1,471 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE stax SYSTEM "../../../stax.dtd">
+<!--
+ ! CDDL HEADER START
+ !
+ ! The contents of this file are subject to the terms of the
+ ! Common Development and Distribution License, Version 1.0 only
+ ! (the "License"). You may not use this file except in compliance
+ ! with the License.
+ !
+ ! You can obtain a copy of the license at
+ ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
+ ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
+ ! See the License for the specific language governing permissions
+ ! and limitations under the License.
+ !
+ ! When distributing Covered Code, include this CDDL HEADER in each
+ ! file and include the License file at
+ ! trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
+ ! add the following below this CDDL HEADER, with the fields enclosed
+ ! by brackets "[]" replaced with your own identifying information:
+ ! Portions Copyright [yyyy] [name of copyright owner]
+ !
+ ! CDDL HEADER END
+ !
+ ! Portions Copyright 2006-2007 Sun Microsystems, Inc.
+ ! -->
+<stax>
+
+<defaultcall function="subject_dn_mapper"/>
+<function name="subject_dn_mapper" scope="local">
+
+<sequence>
+
+ <!--- Test Case : setup -->
+ <!---
+ #@TestMarker Setup Tests
+ #@TestName Set the SASL EXTERNAL mechanism to Subject DN to User Attribute
+ #@TestIssue
+ #@TestPurpose Set the SASL EXTERNAL mechanism to Subject DN to User Attribute
+ #@TestPreamble none
+ #@TestStep Set the SASL EXTERNAL mechanism to Subject DN to User Attribute
+ #@TestStep keep the default ds-cfg-certificate-subject-attribute-type which is ds-certificate-subject-dn
+ #@TestPostamble none
+ #@TestResult Success if OpenDS returns 0 for all operations
+ -->
+
+
+ <testcase name="'Security: client_auth: setup - Subject_dn_mapper'">
+
+ <sequence>
+ <call function="'testCase_Preamble'"/>
+
+ <message>
+ '---- Configure the SASL EXTERNAL mechanism -----'
+ </message>
+
+ <call function="'modifyAnAttribute'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'DNToModify' : 'cn=EXTERNAL,cn=SASL Mechanisms,cn=config',
+ 'attributeName' : 'ds-cfg-certificate-mapper-dn',
+ 'newAttributeValue' : 'cn=Subject DN to User Attribute,cn=Certificate Mappers,cn=config',
+ 'changetype' : 'replace' }
+ </call>
+
+ <call function="'testCase_Postamble'"/>
+ </sequence>
+ </testcase>
+
+
+<!---
+#@TestMarker Subject DN mapping to default user attribut
+#@TestName Mapping on ds-certificated-subject-dn attribute
+#@TestIssue
+#@TestPurpose Use the Subject DN to User Attribute certificate mapper
+#@TestPurpose Map the subject of a client certificate and a specified attribute in user entries
+#@TestPurpose The mapping will be done on the default attribut ds-certificate-subject-dn
+#@TestStep Two users entries are used to validate this mapper
+#@TestStep USER_1_DN contains an attribute ds-certifcated-subject-dn with the subject of the USER_1_CERT client certificate
+#@TestStep USER_2_DN contains an attribute ds-certificate-subject-dn with an invalid value
+#@TestStep The certificate mapping will work only with the USER_1_CERT client certificate
+#@TestPreamble none
+#@TestPostamble none
+#@TestResult Success if OpenDS returns 0 for all operations
+ -->
+
+ <testcase name="'Security: client_auth: subject dn mapping on ds-certificate-subject-dn'">
+ <sequence>
+ <script>
+
+ USER_1_CERT="client-cert-1"
+ USER_1_DN="uid=%s,%s" % (USER_1_CERT,DIRECTORY_INSTANCE_SFX)
+
+ USER_2_CERT="client-cert-2"
+ USER_2_DN="uid=%s,%s" % (USER_2_CERT,DIRECTORY_INSTANCE_SFX)
+ STOREPASS="password"
+ CERT_TMP="%s/CERT_%s" % (DIRECTORY_INSTANCE_DIR,DIRECTORY_INSTANCE_PORT)
+ CLIENT_KEYSTORE="%s/keystore" % (CERT_TMP)
+ </script>
+ <call function="'testCase_Preamble'"/>
+
+ <message>'----- Configure the attribute ds-certificate-subject-dn for user %s ---' % USER_1_DN</message>
+ <message>'----- ds-certificate-subject-dn is the subject of the certificate %s '% USER_1_CERT</message>
+
+ <call function="'modifyAnAttribute'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'DNToModify' : USER_1_DN,
+ 'attributeName' : 'ds-certificate-subject-dn',
+ 'newAttributeValue' : USER_1_DN,
+ 'changetype' : 'add' }
+ </call>
+
+
+
+ <message> '----- Configure the attribute ds-certificate-subject-dn for user %s ---' % USER_2_DN</message>
+ <message>'------ ds-certificate-subject-dn contains an invalid DN'</message>
+
+
+ <call function="'modifyAnAttribute'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'DNToModify' : USER_2_DN,
+ 'attributeName' : 'ds-certificate-subject-dn',
+ 'newAttributeValue' : 'uid=bad-certificate',
+ 'changetype' : 'add' }
+ </call>
+
+
+
+ <!-- Check mapping is working -->
+ <message>'--- Check SSL communication with SASL EXTERNAL authentication'</message>
+
+ <!-- bound as USER_1_DN -->
+ <call function="'ldapSearchWithScript'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
+ 'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
+ 'dsFilter' : 'objectclass=*' ,
+ 'dsKeyStorePassword' : STOREPASS,
+ 'dsUseSSL' : ' ',
+ 'dsUseSASLExternal' : ' ',
+ 'dsCertNickname' : USER_1_CERT,
+ 'dsTrustStorePath' : CLIENT_KEYSTORE,
+ 'dsKeyStorePath' : CLIENT_KEYSTORE,
+ 'dsReportAuthzID' : ' ',
+ 'dsScope' : 'base' }
+ </call>
+
+ <script>
+ STAXCode = RC
+ ldapSearchResult = STAXResult[0][1]
+ </script>
+ <call function="'CheckMatches'">
+ { 'string2find' : USER_1_DN ,
+ 'mainString' : ldapSearchResult ,
+ 'nbExpected' : 1
+ }
+ </call>
+
+ <!-- No bound expected -->
+ <call function="'ldapSearchWithScript'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
+ 'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
+ 'dsFilter' : 'objectclass=*' ,
+ 'dsKeyStorePassword' : STOREPASS,
+ 'dsUseSSL' : ' ',
+ 'dsUseSASLExternal' : ' ',
+ 'dsCertNickname' : USER_2_CERT,
+ 'dsTrustStorePath' : CLIENT_KEYSTORE,
+ 'dsKeyStorePath' : CLIENT_KEYSTORE,
+ 'dsReportAuthzID' : ' ',
+ 'dsScope' : 'base',
+ 'expected' : 49 }
+ </call>
+
+
+ <message>'--- Check StartTLS communication with SASL EXTERNAL authentication'</message>
+
+ <!-- bound as USER_1_DN -->
+ <call function="'ldapSearchWithScript'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
+ 'dsFilter' : 'objectclass=*' ,
+ 'dsKeyStorePassword' : STOREPASS,
+ 'dsUseStartTLS' : ' ',
+ 'dsUseSASLExternal' : ' ',
+ 'dsCertNickname' : USER_1_CERT,
+ 'dsTrustStorePath' : CLIENT_KEYSTORE,
+ 'dsKeyStorePath' : CLIENT_KEYSTORE,
+ 'dsReportAuthzID' : ' ',
+ 'dsScope' : 'base' }
+ </call>
+
+ <script>
+ STAXCode = RC
+ ldapSearchResult = STAXResult[0][1]
+ </script>
+ <call function="'CheckMatches'">
+ { 'string2find' : USER_1_DN ,
+ 'mainString' : ldapSearchResult ,
+ 'nbExpected' : 1
+ }
+ </call>
+
+
+ <call function="'ldapSearchWithScript'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
+ 'dsFilter' : 'objectclass=*' ,
+ 'dsKeyStorePassword' : STOREPASS,
+ 'dsUseStartTLS' : ' ',
+ 'dsUseSASLExternal' : ' ',
+ 'dsCertNickname' : USER_2_CERT,
+ 'dsTrustStorePath' : CLIENT_KEYSTORE,
+ 'dsKeyStorePath' : CLIENT_KEYSTORE,
+ 'dsReportAuthzID' : ' ',
+ 'dsScope' : 'base',
+ 'expected' : 49 }
+ </call>
+
+
+ <!-- Restore initial users configuration -->
+
+ <call function="'modifyAnAttribute'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'DNToModify' : USER_1_DN,
+ 'attributeName' : 'ds-certificate-subject-dn',
+ 'newAttributeValue' : USER_1_DN,
+ 'changetype' : 'delete'}
+ </call>
+
+ <call function="'modifyAnAttribute'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'DNToModify' : USER_2_DN,
+ 'attributeName' : 'ds-certificate-subject-dn',
+ 'newAttributeValue' : 'uid=bad-certificate',
+ 'changetype' : 'delete'}
+ </call>
+
+
+
+ <call function="'testCase_Postamble'"/>
+ </sequence>
+ </testcase>
+
+<!---
+#@TestMarker Subject DN mapping to the user attribute's description
+#@TestName Mapping on the attribute description
+#@TestIssue
+#@TestPurpose Use the Subject DN to User Attribute certificate mapper
+#@TestPurpose Map the subject of a client certificate and a specified attribute in user entries
+#@TestPurpose The mapping will be done on the attribute description
+#@TestStep Two users entries are used to validate this mapper
+#@TestStep USER_1_DN doesn't contains attribute description
+#@TestStep USER_2_DN contains an attribute description with the USER_2_CERT client certificate
+#@TestPreamble none
+#@TestPostamble none
+#@TestResult Success if OpenDS returns 0 for all operations
+ -->
+
+ <testcase name="'Security: client_auth: subject dn mapping on attribut description'">
+ <sequence>
+ <script>
+ USER_1_CERT="client-cert-1"
+ USER_1_DN="uid=%s,%s" % (USER_1_CERT,DIRECTORY_INSTANCE_SFX)
+
+ USER_2_CERT="client-cert-2"
+ USER_2_DN="uid=%s,%s" % (USER_2_CERT,DIRECTORY_INSTANCE_SFX)
+ KEYPASS="servercert"
+ STOREPASS="password"
+ CERT_TMP="%s/CERT_%s" % (DIRECTORY_INSTANCE_DIR,DIRECTORY_INSTANCE_PORT)
+ CLIENT_KEYSTORE="%s/keystore" % (CERT_TMP)
+
+ </script>
+
+ <call function="'testCase_Preamble'"/>
+
+ <message>'----- Configure the mapping to be done on the attribute description' </message>
+
+ <call function="'modifyAnAttribute'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'DNToModify' : 'cn=Subject DN to User Attribute,cn=Certificate Mappers,cn=config',
+ 'attributeName' : 'ds-cfg-certificate-subject-attribute-type',
+ 'newAttributeValue' : 'description',
+ 'changetype' : 'replace' }
+ </call>
+
+ <message>'----- Configure the attribute ds-certificate-subject-dn for user %s ---' % USER_1_DN</message>
+
+ <call function="'modifyAnAttribute'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'DNToModify' : USER_1_DN,
+ 'attributeName' : 'description',
+ 'newAttributeValue' : 'bad_cert',
+ 'changetype' : 'add' }
+ </call>
+
+
+ <message> '----- Configure the attribute ds-certificate-subject-dn for user %s ---' % USER_2_DN</message>
+ <message>'------ ds-certificate-subject-dn contains an invalid DN'</message>
+
+ <call function="'modifyAnAttribute'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'DNToModify' : USER_2_DN,
+ 'attributeName' : 'description',
+ 'newAttributeValue' : USER_2_DN,
+ 'changetype' : 'add' }
+ </call>
+
+
+
+
+ <!-- Check mapping is working -->
+ <message>'--- Check SSL communication with SASL EXTERNAL authentication'</message>
+
+ <!-- No mapping expected -->
+ <call function="'ldapSearchWithScript'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
+ 'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
+ 'dsFilter' : 'objectclass=*' ,
+ 'dsKeyStorePassword' : STOREPASS,
+ 'dsUseSSL' : ' ',
+ 'dsUseSASLExternal' : ' ',
+ 'dsCertNickname' : USER_1_CERT,
+ 'dsTrustStorePath' : CLIENT_KEYSTORE,
+ 'dsKeyStorePath' : CLIENT_KEYSTORE,
+ 'dsReportAuthzID' : ' ',
+ 'dsScope' : 'base',
+ 'expected' : 49 }
+ </call>
+
+
+ <!-- bound as USER_2_DN -->
+ <call function="'ldapSearchWithScript'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
+ 'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
+ 'dsFilter' : 'objectclass=*' ,
+ 'dsKeyStorePassword' : STOREPASS,
+ 'dsUseSSL' : ' ',
+ 'dsUseSASLExternal' : ' ',
+ 'dsCertNickname' : USER_2_CERT,
+ 'dsTrustStorePath' : CLIENT_KEYSTORE,
+ 'dsKeyStorePath' : CLIENT_KEYSTORE,
+ 'dsReportAuthzID' : ' ',
+ 'dsScope' : 'base' }
+ </call>
+
+ <script>
+ STAXCode = RC
+ ldapSearchResult = STAXResult[0][1]
+ </script>
+ <call function="'CheckMatches'">
+ { 'string2find' : USER_2_DN ,
+ 'mainString' : ldapSearchResult ,
+ 'nbExpected' : 1
+ }
+ </call>
+
+ <message>'--- Check StartTLS communication with SASL EXTERNAL authentication'</message>
+
+ <!-- No mapping expected -->
+ <call function="'ldapSearchWithScript'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
+ 'dsFilter' : 'objectclass=*' ,
+ 'dsKeyStorePassword' : STOREPASS,
+ 'dsUseStartTLS' : ' ',
+ 'dsUseSASLExternal' : ' ',
+ 'dsCertNickname' : USER_1_CERT,
+ 'dsTrustStorePath' : CLIENT_KEYSTORE,
+ 'dsKeyStorePath' : CLIENT_KEYSTORE,
+ 'dsReportAuthzID' : ' ',
+ 'dsScope' : 'base',
+ 'expected' : 49 }
+ </call>
+
+
+ <!-- bound as USER_2_DN -->
+ <call function="'ldapSearchWithScript'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
+ 'dsFilter' : 'objectclass=*' ,
+ 'dsKeyStorePassword' : STOREPASS,
+ 'dsUseStartTLS' : ' ',
+ 'dsUseSASLExternal' : ' ',
+ 'dsCertNickname' : USER_2_CERT,
+ 'dsTrustStorePath' : CLIENT_KEYSTORE,
+ 'dsKeyStorePath' : CLIENT_KEYSTORE,
+ 'dsReportAuthzID' : ' ',
+ 'dsScope' : 'base' }
+ </call>
+
+ <script>
+ STAXCode = RC
+ ldapSearchResult = STAXResult[0][1]
+ </script>
+ <call function="'CheckMatches'">
+ { 'string2find' : USER_2_DN ,
+ 'mainString' : ldapSearchResult ,
+ 'nbExpected' : 1
+ }
+ </call>
+
+
+ <!-- Restore initial users configuration -->
+
+
+ <call function="'modifyAnAttribute'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'DNToModify' : USER_1_DN,
+ 'attributeName' : 'description',
+ 'newAttributeValue' : 'bad_cert',
+ 'changetype' : 'delete'}
+ </call>
+
+
+
+ <call function="'modifyAnAttribute'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'DNToModify' : USER_2_DN,
+ 'attributeName' : 'description',
+ 'newAttributeValue' : USER_2_DN,
+ 'changetype' : 'delete'}
+ </call>
+
+
+ <call function="'testCase_Postamble'"/>
+ </sequence>
+ </testcase>
+
+</sequence>
+</function>
+
+</stax>
+
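Review bot: The second test case (testcase `Security: client_auth: subject dn mapping on attribut description`) replaces `ds-cfg-certificate-subject-attribute-type` on the mapper with `description`, but its "Restore initial users configuration" block only deletes the two user attributes, so the mapper is left pointing at `description` when the function returns; unless client_auth_teardown.xml resets it (not visible here), a rerun or a later suite runs against a modified mapper, even though the setup test's own header says the default `ds-certificate-subject-dn` is kept. A restore of the mapper attribute, mirroring the replace that set it, belongs before `testCase_Postamble` (sketch below). The messages before the two `description` modifications still read `Configure the attribute ds-certificate-subject-dn` and `ds-certificate-subject-dn contains an invalid DN`, while the attribute written is `description` and it is USER_1_DN that receives the non-matching value `bad_cert`, so the log text should name `description` and move the "invalid" remark to USER_1_DN. `KEYPASS="servercert"` in that test's script block is never used and can be dropped. The header line `#@TestResult Success if OpenDS returns 0 for all operations` also does not cover the negative searches, which are expected to return 49.
```xml
<!-- … unchanged: delete of 'description' on USER_1_DN and USER_2_DN … -->
<!-- Restore the mapper to its default subject attribute type -->
<call function="'modifyAnAttribute'">
{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
'DNToModify' : 'cn=Subject DN to User Attribute,cn=Certificate Mappers,cn=config',
'attributeName' : 'ds-cfg-certificate-subject-attribute-type',
'newAttributeValue' : 'ds-certificate-subject-dn',
'changetype' : 'replace' }
</call>
<call function="'testCase_Postamble'"/>
```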