from bug_harness import DSAdminHarness as DSAdmin
from dsadmin import Entry
import os
import sys
import time
import ldap
#from ldap.ldapobject import SimpleLDAPObject
#import ldap.sasl
from subprocess import Popen, PIPE
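# Replace the placeholder with the server's FQDN: the "-ZZZ" ldapsearch runs
# below connect to the server by this name, and the same name is embedded in
# certdn, the entry the client certificate is mapped to.
host1 = "NEEDFQDNHERE"
port1 = 1200
secport1 = port1 + 1
basedn = "dc=example,dc=com"
#os.environ['USE_DBX'] = "1"
# Throwaway test instance. 'newrootpw' is (presumably) the root DN password of
# this local instance only; nothing outside this harness run depends on it.
srv = DSAdmin.createInstance({
    'newrootpw': 'password',
    'newhost': host1,
    'newport': port1,
    'newinst': 'srv',
    'newsuffix': basedn,
    'verbose': False,
    'no_admin': True,
})
#del os.environ['USE_DBX']
# Enable TLS on secport1 using the NSS database found in $SECDIR.
srv.setupSSL(secport1, os.environ['SECDIR'], {'nsslapd-security': 'on'})
# Locate Example.ldif: under the instance's server root when SERVER_ROOT is
# set, otherwise under the install prefix. The original read m1.sroot /
# m1.inst, but no m1 is defined anywhere in this script (NameError on that
# path); srv is the only instance here. Assumes the harness instance exposes
# sroot and inst the way that m1 reference expected — TODO confirm.
if 'SERVER_ROOT' in os.environ:
    initfile = "%s/slapd-%s/ldif/Example.ldif" % (srv.sroot, srv.inst)
else:
    initfile = "%s/share/dirsrv/data/Example.ldif" % os.environ.get('PREFIX', '/usr')
srv.importLDIF(initfile, '', "userRoot", True)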
print("create entry to map cert to")
# The entry the client certificate's identity is expected to resolve to
# (presumably through the server's certificate mapping); the single ACI
# added below grants read access to exactly this DN.
certdn = "cn=%s,cn=config" % host1
ent = Entry(certdn)
ent.setValues("objectclass", "extensibleObject")
srv.add_s(ent)

print("find existing acis")
ents = srv.search_s(basedn, ldap.SCOPE_SUBTREE, "(aci=*)")

print("remove default acis")
# Drop every aci value on every entry under the suffix that carries one, so
# the only grant left in effect is the one added for certdn. Note that the
# loop reuses the module-level name `ent`.
delete_all_aci = [(ldap.MOD_DELETE, "aci", [])]
for ent in ents:
    srv.modify_s(ent.dn, delete_all_aci)

print("add an aci for this user")
aci_value = (
    '(targetattr=*)(version 3.0;acl "Test user read-search access"; '
    'allow (read, search, compare)(userdn = "ldap:///%s");)'
) % certdn
srv.modify_s(basedn, [(ldap.MOD_ADD, "aci", aci_value)])

print("allow unauthenticated binds")
# Lets a simple bind with a DN and an empty password succeed (as an
# unauthenticated bind) instead of being rejected outright.
srv.modify_s(
    "cn=config",
    [(ldap.MOD_REPLACE, "nsslapd-allow-unauthenticated-binds", ['on'])],
)
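secdir = os.environ['SECDIR']
# PEM material for a python-ldap client (START_TLS + SASL/EXTERNAL); that
# client path is not exercised by this script, the mozldap ldapsearch
# binary is used instead.
cacert = secdir + "/cacert.asc"
cert = secdir + "/Server-Cert-cert.pem"
key = secdir + "/Server-Cert-key.pem"
# NSS database, PIN file and nickname of the client certificate presented
# over TLS by ldapsearch.
certdb = secdir + "/cert8.db"
pintxt = secdir + "/pin.txt"
certname = "Server-Cert"
search_filter = "(uid=scarter)"
LDAPSEARCH = "/usr/lib64/mozldap/ldapsearch"
# Equivalent manual invocation:
# /usr/lib64/mozldap/ldapsearch -h fqdn -p 1200 -ZZZ -P ~/save/cert8.db -N Server-Cert -I ~/save/pin.txt -s base -b "" "objectclass=*"


def _cert_search(binddn, bindpw):
    """Search basedn over TLS with the client cert and return the entry count.

    Runs the mozldap ldapsearch with Start TLS (-ZZZ), the client certificate
    `certname` from `certdb`, and a simple bind as `binddn`/`bindpw` (empty
    strings mean an anonymous bind).

    Args:
        binddn: DN passed to -D; "" for anonymous.
        bindpw: password passed to -w; "" for an unauthenticated bind.

    Returns:
        The number of "dn:" lines in the search output, i.e. entries returned.

    Raises:
        AssertionError: if ldapsearch does not exit 0, with its stderr in the
            message.
    """
    cmdargs = [LDAPSEARCH, "-h", host1, "-p", str(port1),
               "-ZZZ", "-P", certdb, "-N", certname, "-I", pintxt,
               "-D", binddn, "-w", bindpw, "-b", basedn, search_filter]
    proc = Popen(cmdargs, stdout=PIPE, stderr=PIPE)
    output, errors = proc.communicate()
    # A client that failed to start, to negotiate TLS or to bind prints no
    # entries, which would make the "should return nothing" checks below pass
    # vacuously. Fail loudly so an access-denied result is never confused
    # with a broken tool. Assumes ldapsearch exits 0 on a successful search
    # even when it matches nothing — TODO confirm for the mozldap client.
    assert proc.returncode == 0, "ldapsearch exited %d: %r" % (proc.returncode, errors)
    # Each returned entry starts with a "dn:" line; the leading newline keeps
    # continuation lines and attribute values out of the count.
    return output.count("\ndn:")


print("bind as anonymous and search - should return nothing")
# All default acis were removed, so anonymous sees nothing.
numdns = _cert_search("", "")
assert numdns == 0, "expected 0 entries, got %d" % numdns

print("bind and search - specify the cert DN as the simple bind dn")
# With the force-sasl-external switch off, a simple bind as certdn with an
# empty password is an unauthenticated bind and carries only anonymous
# rights; the ACI granted to certdn must not apply.
numdns = _cert_search(certdn, "")
assert numdns == 0, "expected 0 entries, got %d" % numdns

print("turn on the force sasl external switch")
mod = [(ldap.MOD_REPLACE, "nsslapd-force-sasl-external", ['on'])]
srv.modify_s("cn=config", mod)

print("bind as anonymous and search - should return 1 entry")
# With the switch on, the identity is (presumably) taken from the client
# certificate presented over TLS regardless of the simple bind, so the
# search runs as certdn and the ACI grants the one matching entry.
numdns = _cert_search("", "")
assert numdns == 1, "expected 1 entry, got %d" % numdns

print("bind and search - specify the cert DN as the simple bind dn")
numdns = _cert_search(certdn, "")
assert numdns == 1, "expected 1 entry, got %d" % numdns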