s4:selftest: also test samba4.ldb.simple.ldaps with ldap_testing:tls_channel_bindings=no
authorStefan Metzmacher <metze@samba.org>
Tue, 13 Feb 2024 14:50:14 +0000 (15:50 +0100)
committerStefan Metzmacher <metze@samba.org>
Thu, 15 Feb 2024 19:29:25 +0000 (20:29 +0100)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
selftest/expectedfail.d/samba4.ldb.simple.ldap-tls [new file with mode: 0644]
selftest/knownfail
source4/selftest/tests.py

diff --git a/selftest/expectedfail.d/samba4.ldb.simple.ldap-tls b/selftest/expectedfail.d/samba4.ldb.simple.ldap-tls
new file mode 100644 (file)
index 0000000..16bef97
--- /dev/null
@@ -0,0 +1,16 @@
+#
+## We assert all "ldap server require strong auth" combinations
+#
+^samba4.ldb.simple.ldap with SIMPLE-BIND.*ad_dc_ntvfs # ldap server require strong auth = allow_sasl_without_tls_channel_bindings
+^samba4.ldb.simple.ldap with SIMPLE-BIND.*fl2003dc    # ldap server require strong auth = yes
+^samba4.ldb.simple.ldaps.*SASL-BIND.*ldap_testing:tls_channel_bindings=no.*fl2003dc # ldap server require strong auth = yes
+# These are supposed to fail as we want to verify the "tls verify peer"
+# restrictions. Note that fl2008r2dc uses a self-signed certificate
+# with does not have a crl file.
+#
+^samba4.ldb.simple.ldaps.*SERVER_NAME.*tlsverifypeer=ca_and_name_if_available\(
+^samba4.ldb.simple.ldaps.*SERVER_NAME.*tlsverifypeer=ca_and_name\(
+^samba4.ldb.simple.ldaps.*SERVER_NAME.*tlsverifypeer=as_strict_as_possible\(
+^samba4.ldb.simple.ldaps.*SERVER_IP.*tlsverifypeer=ca_and_name\(
+^samba4.ldb.simple.ldaps.*SERVER_IP.*tlsverifypeer=as_strict_as_possible\(
+^samba4.ldb.simple.ldaps.*SERVER.REALM.*tlsverifypeer=as_strict_as_possible.*fl2008r2dc
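Review bot: The new entry matching `ldap_testing:tls_channel_bindings=no.*fl2003dc` is annotated only with `# ldap server require strong auth = yes`, which does not say why a SASL bind over ldaps is expected to fail only once channel bindings are switched off on the client. A comment above it such as `# "yes" is expected to reject SASL binds over TLS that carry no channel bindings` would record the intent, with the wording to be confirmed against the server behaviour. The carried-over comment "with does not have a crl file" should read `which does not have a crl file`. The patterns also leave `.` unescaped, as the moved lines did; because these entries assert security-relevant failures, an over-broad match could hide a test that starts passing or failing for the wrong reason, so escaping the literal dots (`samba4\.ldb\.simple\.ldaps`) is worth considering.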
index a89616c1dbe554b559d3cf87951a8f986a59c86a..dda157ac24f63fb1653207d0942a50f536da614d 100644 (file)
 #
 ^samba4.ldap.sort.python.+UnicodeSortTests
 #
-## We assert all "ldap server require strong auth" combinations
-#
-^samba4.ldb.simple.ldap with SIMPLE-BIND.*ad_dc_ntvfs # ldap server require strong auth = allow_sasl_over_tls
-^samba4.ldb.simple.ldap with SIMPLE-BIND.*fl2003dc    # ldap server require strong auth = yes
-^samba4.ldb.simple.ldaps with SASL-BIND.*fl2003dc     # ldap server require strong auth = yes
-# These are supposed to fail as we want to verify the "tls verify peer"
-# restrictions. Note that fl2008r2dc uses a self-signed certificate
-# with does not have a crl file.
-#
-^samba4.ldb.simple.ldaps.*SERVER_NAME.*tlsverifypeer=ca_and_name_if_available\(
-^samba4.ldb.simple.ldaps.*SERVER_NAME.*tlsverifypeer=ca_and_name\(
-^samba4.ldb.simple.ldaps.*SERVER_NAME.*tlsverifypeer=as_strict_as_possible\(
-^samba4.ldb.simple.ldaps.*SERVER_IP.*tlsverifypeer=ca_and_name\(
-^samba4.ldb.simple.ldaps.*SERVER_IP.*tlsverifypeer=as_strict_as_possible\(
-^samba4.ldb.simple.ldaps.*SERVER.REALM.*tlsverifypeer=as_strict_as_possible.*fl2008r2dc
-#
 # we don't allow auth_level_connect anymore...
 #
 ^samba3.blackbox.rpcclient.*ncacn_np.*with.*connect.*rpcclient # we don't allow auth_level_connect anymore
index 7e37c1f4e4cc9181ffbdeab38f3e1d8491b331e2..2fe707a8a28843323ce040bf1e0951aa42369b81 100755 (executable)
@@ -148,7 +148,11 @@ for env in ["ad_dc_ntvfs", "fl2008r2dc", "fl2003dc"]:
         options = '-U"$USERNAME%$PASSWORD"' + ' ' + auth_option
         plantestsuite("samba4.ldb.simple.ldap with SASL-BIND %s(%s)" % (options, env),
                       env, "%s/test_ldb_simple.sh ldap $SERVER %s" % (bbdir, options))
-    options = '-U"$USERNAME%$PASSWORD" --option="tlsverifypeer=no_check"'
+    base_options = '-U"$USERNAME%$PASSWORD" --option="tlsverifypeer=no_check"'
+    options = base_options
+    plantestsuite("samba4.ldb.simple.ldaps with SASL-BIND %s(%s)" % (options, env),
+                  env, "%s/test_ldb_simple.sh ldaps $SERVER %s" % (bbdir, options))
+    options += ' --option="ldap_testing:tls_channel_bindings=no"'
     plantestsuite("samba4.ldb.simple.ldaps with SASL-BIND %s(%s)" % (options, env),
                   env, "%s/test_ldb_simple.sh ldaps $SERVER %s" % (bbdir, options))