#
## We assert all "ldap server require strong auth" combinations
#
-^samba4.ldb.simple.ldap with SIMPLE-BIND.*ad_dc_ntvfs # ldap server require strong auth = allow_sasl_over_tls
+^samba4.ldb.simple.ldap with SIMPLE-BIND.*ad_dc_ntvfs # ldap server require strong auth = allow_sasl_without_tls_channel_bindings
^samba4.ldb.simple.ldap with SIMPLE-BIND.*fl2003dc # ldap server require strong auth = yes
-^samba4.ldb.simple.ldaps with SASL-BIND.*fl2003dc # ldap server require strong auth = yes
+# fl2003dc has ldap server require strong auth = yes
+# and correct channel bindings are required for TLS
+^samba4.ldb.simple.ldaps.*SASL-BIND.*ldap_testing:tls_channel_bindings=no.*fl2003dc
+# ad_dc_ntvfs and fl2008r2dc have
+# ldap server require strong auth = allow_sasl_without_tls_channel_bindings
+# it means correct channel bindings are required, if the client indicated
+# explicit (even null) channel bindings are provided
+#
+# The following are in expectedfail_heimdal for now, as MIT
+# behaves differently:
+#^samba4.ldb.simple.ldaps.with.SASL-BIND.*use-kerberos=required.*ldap_testing:channel_bound=yes.*ldap_testing:tls_channel_bindings=no.*ad_dc_ntvfs
+#^samba4.ldb.simple.ldaps.with.SASL-BIND.*use-kerberos=required.*ldap_testing:channel_bound=yes.*ldap_testing:tls_channel_bindings=no.*fl2008r2dc
+^samba4.ldb.simple.ldaps.with.SASL-BIND.*ldap_testing:channel_bound=yes.*ldap_testing:forced_channel_binding=wRoNg
+^samba4.ldb.simple.ldaps.with.SASL-BIND.*ldap_testing:channel_bound=no.*ldap_testing:forced_channel_binding=wRoNg
+^samba4.ldb.simple.ldaps.with.SASL-BIND.*use-kerberos=disabled.*ldap_testing:channel_bound=yes.*ldap_testing:tls_channel_bindings=no.*ad_dc_ntvfs
+^samba4.ldb.simple.ldaps.with.SASL-BIND.*use-kerberos=disabled.*ldap_testing:channel_bound=yes.*ldap_testing:tls_channel_bindings=no.*fl2008r2dc
--- /dev/null
+# ad_dc_ntvfs and fl2008r2dc have
+# ldap server require strong auth = allow_sasl_without_tls_channel_bindings
+# it means correct channel bindings are required, if the client indicated
+# explicit (even null) channel bindings are provided
+#
+# Note currently only embedded_heimdal supports
+# GSS_C_CHANNEL_BOUND_FLAG as client.
+# See also:
+# https://github.com/heimdal/heimdal/pull/1234
+# https://github.com/krb5/krb5/pull/1329
+^samba4.ldb.simple.ldaps.with.SASL-BIND.*use-kerberos=required.*ldap_testing:channel_bound=yes.*ldap_testing:tls_channel_bindings=no.*ad_dc_ntvfs
+^samba4.ldb.simple.ldaps.with.SASL-BIND.*use-kerberos=required.*ldap_testing:channel_bound=yes.*ldap_testing:tls_channel_bindings=no.*fl2008r2dc
'--use-kerberos=required --option=clientldapsaslwrapping=plain',
'--use-kerberos=required --client-protection=sign',
'--use-kerberos=required --client-protection=encrypt',
+ '--use-kerberos=required --client-protection=sign --option="ldap_testing:channel_bound=yes"',
+ '--use-kerberos=required --client-protection=sign --option="ldap_testing:channel_bound=no"',
+ '--use-kerberos=required --client-protection=sign --option="ldap_testing:channel_bound=yes" --option="ldap_testing:forced_channel_binding=wRoNg"',
+ '--use-kerberos=required --client-protection=sign --option="ldap_testing:channel_bound=no" --option="ldap_testing:forced_channel_binding=wRoNg"',
'--use-kerberos=disabled --option=clientldapsaslwrapping=plain',
'--use-kerberos=disabled --client-protection=sign --option=ntlmssp_client:ldap_style_send_seal=no',
'--use-kerberos=disabled --client-protection=sign',
'--use-kerberos=disabled --client-protection=encrypt',
+ '--use-kerberos=disabled --client-protection=sign --option="ldap_testing:channel_bound=yes"',
+ '--use-kerberos=disabled --client-protection=sign --option="ldap_testing:channel_bound=no"',
+ '--use-kerberos=disabled --client-protection=sign --option="ldap_testing:channel_bound=yes" --option="ldap_testing:forced_channel_binding=wRoNg"',
+ '--use-kerberos=disabled --client-protection=sign --option="ldap_testing:channel_bound=no" --option="ldap_testing:forced_channel_binding=wRoNg"',
]
for auth_option in auth_options:
options = '-U"$USERNAME%$PASSWORD"' + ' ' + auth_option
plantestsuite("samba4.ldb.simple.ldap with SASL-BIND %s(%s)" % (options, env),
env, "%s/test_ldb_simple.sh ldap $SERVER %s" % (bbdir, options))
- options = '-U"$USERNAME%$PASSWORD" --option="tlsverifypeer=no_check"'
- plantestsuite("samba4.ldb.simple.ldaps with SASL-BIND %s(%s)" % (options, env),
- env, "%s/test_ldb_simple.sh ldaps $SERVER %s" % (bbdir, options))
+
+ auth_options = [
+ '--use-kerberos=required --option="ldap_testing:channel_bound=yes" --option="ldap_testing:tls_channel_bindings=yes"',
+ '--use-kerberos=required --option="ldap_testing:channel_bound=yes" --option="ldap_testing:tls_channel_bindings=no"',
+ '--use-kerberos=required --option="ldap_testing:channel_bound=yes" --option="ldap_testing:forced_channel_binding=wRoNg"',
+ '--use-kerberos=required --option="ldap_testing:channel_bound=no" --option="ldap_testing:tls_channel_bindings=no"',
+ '--use-kerberos=required --option="ldap_testing:channel_bound=no" --option="ldap_testing:tls_channel_bindings=yes"',
+ '--use-kerberos=required --option="ldap_testing:channel_bound=no" --option="ldap_testing:forced_channel_binding=wRoNg"',
+ '--use-kerberos=disabled --option="ldap_testing:channel_bound=yes" --option="ldap_testing:tls_channel_bindings=yes"',
+ '--use-kerberos=disabled --option="ldap_testing:channel_bound=yes" --option="ldap_testing:tls_channel_bindings=no"',
+ '--use-kerberos=disabled --option="ldap_testing:channel_bound=yes" --option="ldap_testing:forced_channel_binding=wRoNg"',
+ '--use-kerberos=disabled --option="ldap_testing:channel_bound=no" --option="ldap_testing:tls_channel_bindings=no"',
+ '--use-kerberos=disabled --option="ldap_testing:channel_bound=no" --option="ldap_testing:tls_channel_bindings=yes"',
+ '--use-kerberos=disabled --option="ldap_testing:channel_bound=no" --option="ldap_testing:forced_channel_binding=wRoNg"',
+ ]
+ for auth_option in auth_options:
+ options = '-U"$USERNAME%$PASSWORD" --option="tlsverifypeer=no_check" ' + auth_option
+ plantestsuite("samba4.ldb.simple.ldaps with SASL-BIND %s(%s)" % (options, env),
+ env, "%s/test_ldb_simple.sh ldaps $SERVER %s" % (bbdir, options))
+
envraw = "fl2008r2dc"
env = "%s:local" % envraw