s4:selftest: also test samba4.ldb.simple.ldap*SASL-BIND with ldap_testing:{channel_bo...
authorStefan Metzmacher <metze@samba.org>
Tue, 13 Feb 2024 14:50:14 +0000 (15:50 +0100)
committerAndrew Bartlett <abartlet@samba.org>
Tue, 23 Apr 2024 23:50:34 +0000 (23:50 +0000)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
selftest/expectedfail.d/samba4.ldb.simple.ldap-tls
selftest/expectedfail_heimdal [new file with mode: 0644]
selftest/wscript
source4/selftest/tests.py

index 963076d5d3388090546c4c6b70a95596136eb1f2..24b9b94a4284bebc78ac8c75f6245ca7e3036080 100644 (file)
@@ -1,6 +1,21 @@
 #
 ## We assert all "ldap server require strong auth" combinations
 #
-^samba4.ldb.simple.ldap with SIMPLE-BIND.*ad_dc_ntvfs # ldap server require strong auth = allow_sasl_over_tls
+^samba4.ldb.simple.ldap with SIMPLE-BIND.*ad_dc_ntvfs # ldap server require strong auth = allow_sasl_without_tls_channel_bindings
 ^samba4.ldb.simple.ldap with SIMPLE-BIND.*fl2003dc    # ldap server require strong auth = yes
-^samba4.ldb.simple.ldaps with SASL-BIND.*fl2003dc     # ldap server require strong auth = yes
+# fl2003dc has ldap server require strong auth = yes
+# and correct channel bindings are required for TLS
+^samba4.ldb.simple.ldaps.*SASL-BIND.*ldap_testing:tls_channel_bindings=no.*fl2003dc
+# ad_dc_ntvfs and fl2008r2dc have
+# ldap server require strong auth = allow_sasl_without_tls_channel_bindings
+# it means correct channel bindings are required, if the client indicated
+# explicit (even null) channel bindings are provided
+#
+# The following are in expectedfail_heimdal for now, as MIT
+# behaves differently:
+#^samba4.ldb.simple.ldaps.with.SASL-BIND.*use-kerberos=required.*ldap_testing:channel_bound=yes.*ldap_testing:tls_channel_bindings=no.*ad_dc_ntvfs
+#^samba4.ldb.simple.ldaps.with.SASL-BIND.*use-kerberos=required.*ldap_testing:channel_bound=yes.*ldap_testing:tls_channel_bindings=no.*fl2008r2dc
+^samba4.ldb.simple.ldaps.with.SASL-BIND.*ldap_testing:channel_bound=yes.*ldap_testing:forced_channel_binding=wRoNg
+^samba4.ldb.simple.ldaps.with.SASL-BIND.*ldap_testing:channel_bound=no.*ldap_testing:forced_channel_binding=wRoNg
+^samba4.ldb.simple.ldaps.with.SASL-BIND.*use-kerberos=disabled.*ldap_testing:channel_bound=yes.*ldap_testing:tls_channel_bindings=no.*ad_dc_ntvfs
+^samba4.ldb.simple.ldaps.with.SASL-BIND.*use-kerberos=disabled.*ldap_testing:channel_bound=yes.*ldap_testing:tls_channel_bindings=no.*fl2008r2dc
diff --git a/selftest/expectedfail_heimdal b/selftest/expectedfail_heimdal
new file mode 100644 (file)
index 0000000..6415a6e
--- /dev/null
@@ -0,0 +1,12 @@
+# ad_dc_ntvfs and fl2008r2dc have
+# ldap server require strong auth = allow_sasl_without_tls_channel_bindings
+# it means correct channel bindings are required, if the client indicated
+# explicit (even null) channel bindings are provided
+#
+# Note currently only embedded_heimdal supports
+# GSS_C_CHANNEL_BOUND_FLAG as client.
+# See also:
+# https://github.com/heimdal/heimdal/pull/1234
+# https://github.com/krb5/krb5/pull/1329
+^samba4.ldb.simple.ldaps.with.SASL-BIND.*use-kerberos=required.*ldap_testing:channel_bound=yes.*ldap_testing:tls_channel_bindings=no.*ad_dc_ntvfs
+^samba4.ldb.simple.ldaps.with.SASL-BIND.*use-kerberos=required.*ldap_testing:channel_bound=yes.*ldap_testing:tls_channel_bindings=no.*fl2008r2dc
index daf497d5e62d48c04762708387862edea71fc62c..b8faf6dbc84f2d1a2ef42be7ed658220c5ede15c 100644 (file)
@@ -274,6 +274,10 @@ def cmd_testonly(opt):
         env.FILTER_XFAIL += " --expected-failures=${srcdir}/selftest/"\
                             "knownfail_heimdal_kdc"
 
+    if CONFIG_SET(opt, 'USING_EMBEDDED_HEIMDAL'):
+        env.FILTER_XFAIL += " --expected-failures=${srcdir}/selftest/"\
+                            "expectedfail_heimdal"
+
     if CONFIG_GET(opt, 'SIZEOF_VOID_P') == 4:
         env.FILTER_XFAIL += " --expected-failures=${srcdir}/selftest/knownfail-32bit"
         env.OPTIONS += " --default-ldb-backend=tdb --exclude=${srcdir}/selftest/skip-32bit"
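Review bot: The new `USING_EMBEDDED_HEIMDAL` branch gives no hint of why a separate expected-failure list exists for the embedded build only; the reason is stated in the new selftest/expectedfail_heimdal file, but a reader of wscript will not open it, and the sibling knownfail_heimdal_kdc block just above has the same gap. Suggest a why-comment above the `if`: `# Only embedded Heimdal sets GSS_C_CHANNEL_BOUND_FLAG as a client, so the LDAPS SASL binds with channel_bound=yes but no TLS bindings are rejected (and expected to fail) only in that build; see selftest/expectedfail_heimdal.` It would also be worth stating, presumably, that with system Heimdal or MIT the branch is skipped and those two tests must pass. cmd_testonly begins outside the hunk.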
index 7d971090199ded4b85cb1bdb2bd8d45a22bc8cc8..6410e3d1a8a4de274e3874db64695d87d9b75a78 100755 (executable)
@@ -163,19 +163,44 @@ for env in ["ad_dc_ntvfs", "fl2008r2dc", "fl2003dc"]:
         '--use-kerberos=required --option=clientldapsaslwrapping=plain',
         '--use-kerberos=required --client-protection=sign',
         '--use-kerberos=required --client-protection=encrypt',
+        '--use-kerberos=required --client-protection=sign --option="ldap_testing:channel_bound=yes"',
+        '--use-kerberos=required --client-protection=sign --option="ldap_testing:channel_bound=no"',
+        '--use-kerberos=required --client-protection=sign --option="ldap_testing:channel_bound=yes" --option="ldap_testing:forced_channel_binding=wRoNg"',
+        '--use-kerberos=required --client-protection=sign --option="ldap_testing:channel_bound=no" --option="ldap_testing:forced_channel_binding=wRoNg"',
         '--use-kerberos=disabled --option=clientldapsaslwrapping=plain',
         '--use-kerberos=disabled --client-protection=sign --option=ntlmssp_client:ldap_style_send_seal=no',
         '--use-kerberos=disabled --client-protection=sign',
         '--use-kerberos=disabled --client-protection=encrypt',
+        '--use-kerberos=disabled --client-protection=sign --option="ldap_testing:channel_bound=yes"',
+        '--use-kerberos=disabled --client-protection=sign --option="ldap_testing:channel_bound=no"',
+        '--use-kerberos=disabled --client-protection=sign --option="ldap_testing:channel_bound=yes" --option="ldap_testing:forced_channel_binding=wRoNg"',
+        '--use-kerberos=disabled --client-protection=sign --option="ldap_testing:channel_bound=no" --option="ldap_testing:forced_channel_binding=wRoNg"',
     ]
 
     for auth_option in auth_options:
         options = '-U"$USERNAME%$PASSWORD"' + ' ' + auth_option
         plantestsuite("samba4.ldb.simple.ldap with SASL-BIND %s(%s)" % (options, env),
                       env, "%s/test_ldb_simple.sh ldap $SERVER %s" % (bbdir, options))
-    options = '-U"$USERNAME%$PASSWORD" --option="tlsverifypeer=no_check"'
-    plantestsuite("samba4.ldb.simple.ldaps with SASL-BIND %s(%s)" % (options, env),
-                  env, "%s/test_ldb_simple.sh ldaps $SERVER %s" % (bbdir, options))
+
+    auth_options = [
+        '--use-kerberos=required --option="ldap_testing:channel_bound=yes" --option="ldap_testing:tls_channel_bindings=yes"',
+        '--use-kerberos=required --option="ldap_testing:channel_bound=yes" --option="ldap_testing:tls_channel_bindings=no"',
+        '--use-kerberos=required --option="ldap_testing:channel_bound=yes" --option="ldap_testing:forced_channel_binding=wRoNg"',
+        '--use-kerberos=required --option="ldap_testing:channel_bound=no"  --option="ldap_testing:tls_channel_bindings=no"',
+        '--use-kerberos=required --option="ldap_testing:channel_bound=no"  --option="ldap_testing:tls_channel_bindings=yes"',
+        '--use-kerberos=required --option="ldap_testing:channel_bound=no"  --option="ldap_testing:forced_channel_binding=wRoNg"',
+        '--use-kerberos=disabled --option="ldap_testing:channel_bound=yes" --option="ldap_testing:tls_channel_bindings=yes"',
+        '--use-kerberos=disabled --option="ldap_testing:channel_bound=yes" --option="ldap_testing:tls_channel_bindings=no"',
+        '--use-kerberos=disabled --option="ldap_testing:channel_bound=yes" --option="ldap_testing:forced_channel_binding=wRoNg"',
+        '--use-kerberos=disabled --option="ldap_testing:channel_bound=no"  --option="ldap_testing:tls_channel_bindings=no"',
+        '--use-kerberos=disabled --option="ldap_testing:channel_bound=no"  --option="ldap_testing:tls_channel_bindings=yes"',
+        '--use-kerberos=disabled --option="ldap_testing:channel_bound=no"  --option="ldap_testing:forced_channel_binding=wRoNg"',
+    ]
+    for auth_option in auth_options:
+        options = '-U"$USERNAME%$PASSWORD" --option="tlsverifypeer=no_check" ' + auth_option
+        plantestsuite("samba4.ldb.simple.ldaps with SASL-BIND %s(%s)" % (options, env),
+                      env, "%s/test_ldb_simple.sh ldaps $SERVER %s" % (bbdir, options))
+
 
 envraw = "fl2008r2dc"
 env = "%s:local" % envraw
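Review bot: The 12-entry list assigned to auth_options for the ldaps loop hand-enumerates a product of use-kerberos (required/disabled) x channel_bound (yes/no) x binding variant (tls_channel_bindings=yes, =no, forced_channel_binding=wRoNg), and the alignment double spaces on the `channel_bound=no"  --option` lines leak into both the test names and the shell command line, so the names are not uniform across the matrix. Generating the list from the three axes keeps the matrix complete when a variant is added and removes the stray whitespace; the expectedfail patterns use `.*` between the option names, so they still match, and only the plan order of the two channel_bound=no/tls_channel_bindings entries changes. The run of three blank lines introduced before `envraw = "fl2008r2dc"` is also one more than the file's convention elsewhere in the hunk. The ldap (non-TLS) list above it could be built the same way, but its entries differ in the --client-protection=sign prefix, so it is left as is here.
```python
    # Every ldaps SASL bind is run against the full channel-binding matrix:
    # whether the client advertises channel binding (channel_bound) and what
    # it actually sends (correct TLS bindings, none, or a deliberately wrong value).
    binding_variants = [
        'ldap_testing:tls_channel_bindings=yes',
        'ldap_testing:tls_channel_bindings=no',
        'ldap_testing:forced_channel_binding=wRoNg',
    ]
    auth_options = [
        '--use-kerberos=%s --option="ldap_testing:channel_bound=%s" --option="%s"'
        % (krb, bound, variant)
        for krb in ('required', 'disabled')
        for bound in ('yes', 'no')
        for variant in binding_variants
    ]
    # … unchanged: ldaps plantestsuite loop …
```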