From c6ab3084df3abb5f1af1d2efc09799b9b00ce052 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Tomulik?=
Date: Fri, 3 Jul 2020 12:50:40 +0200
Subject: [PATCH 1/2] fix some ext/ldap/tests
---
 ext/ldap/tests/connect.inc | 3 ++-
 ext/ldap/tests/ldap_sasl_bind_basic.phpt | 13 ++++++++++++-
 ext/ldap/tests/ldap_sasl_bind_error.phpt | 21 ++++++++++++++++-----
 3 files changed, 30 insertions(+), 7 deletions(-)
diff --git a/ext/ldap/tests/connect.inc b/ext/ldap/tests/connect.inc
index de41cca63c3..101895c33d7 100644
--- a/ext/ldap/tests/connect.inc
+++ b/ext/ldap/tests/connect.inc
@@ -9,8 +9,9 @@ $host = getenv("LDAP_TEST_HOST") ?: "localhost";
 $port = getenv("LDAP_TEST_PORT") ?: 389;
 $base = getenv("LDAP_TEST_BASE") ?: "dc=my-domain,dc=com";
 $user = getenv("LDAP_TEST_USER") ?: "cn=Manager,$base";
-$sasl_user = getenv("LDAP_TEST_SASL_USER") ?: "Manager";
 $passwd = getenv("LDAP_TEST_PASSWD") ?: "secret";
+$sasl_user = getenv("LDAP_TEST_SASL_USER") ?: "userA";
+$sasl_passwd = getenv("LDAP_TEST_SASL_PASSWD") ?: "oops";
 $protocol_version = getenv("LDAP_TEST_OPT_PROTOCOL_VERSION") ?: 3;
 $skip_on_bind_failure = getenv("LDAP_TEST_SKIP_BIND_FAILURE") ?: true;
diff --git a/ext/ldap/tests/ldap_sasl_bind_basic.phpt b/ext/ldap/tests/ldap_sasl_bind_basic.phpt
index 49c2f24a670..d85cd73a5c0 100644
--- a/ext/ldap/tests/ldap_sasl_bind_basic.phpt
+++ b/ext/ldap/tests/ldap_sasl_bind_basic.phpt
@@ -17,11 +17,22 @@ Patrick Allaert
 ===DONE===
+--CLEAN--
+
 --EXPECT--
 bool(true)
 ===DONE===
diff --git a/ext/ldap/tests/ldap_sasl_bind_error.phpt b/ext/ldap/tests/ldap_sasl_bind_error.phpt
index 180066bb2c4..8e2e5e1d130 100644
--- a/ext/ldap/tests/ldap_sasl_bind_error.phpt
+++ b/ext/ldap/tests/ldap_sasl_bind_error.phpt
@@ -11,6 +11,10 @@ Patrick Allaert
 ===DONE===
+--CLEAN--
+
 --EXPECTF--
 Warning: ldap_sasl_bind() expects at least 1 parameter, 0 given in %s on line %d
 bool(false)
From b291c926937fdcf3635a8aa3b83571f591c8c022 Mon Sep 17 00:00:00 2001
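Review bot: The new `$sasl_user`/`$sasl_passwd` defaults (`"userA"`/`"oops"`) are only usable against a directory where that account exists — presumably the one provisioned by the CI slapd setup in the companion patch — and connect.inc does not say so; a comment above the two lines, `// SASL test account; must match the user provisioned for CI (azure/setup-slapd.sh)`, would save a local run from an unexplained bind failure. The `?:` fallback, consistent with the neighbouring lines, also means an `LDAP_TEST_SASL_PASSWD` exported as the empty string silently becomes `"oops"`; that is fine for a fixture but worth knowing when wiring the CI variables.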
From: =?UTF-8?q?Pawe=C5=82=20Tomulik?=
Date: Fri, 3 Jul 2020 12:49:25 +0200
Subject: [PATCH 2/2] enable ext/ldap/tests on azure
---
 azure/apt.yml | 4 +-
 azure/setup-slapd.sh | 169 +++++++++++++++++++++++++++++++++++++++
 azure/setup.yml | 4 +
 ext/ldap/tests/CONFLICTS | 1 +
 4 files changed, 177 insertions(+), 1 deletion(-)
 create mode 100755 azure/setup-slapd.sh
 create mode 100644 ext/ldap/tests/CONFLICTS
diff --git a/azure/apt.yml b/azure/apt.yml
index 2beb625f620..8e51d806296 100644
--- a/azure/apt.yml
+++ b/azure/apt.yml
@@ -7,6 +7,9 @@ steps:
 sudo apt install bison \
 re2c \
 locales \
+ ldap-utils \
+ openssl \
+ slapd \
 language-pack-de \
 re2c \
 libgmp-dev \
@@ -29,7 +32,6 @@ steps:
 libpq-dev \
 libreadline-dev \
 libldap2-dev \
- libsasl2-dev \
 libsodium-dev \
 libargon2-0-dev \
 postgresql \
diff --git a/azure/setup-slapd.sh b/azure/setup-slapd.sh
new file mode 100755
index 00000000000..72a509f7e07
--- /dev/null
+++ b/azure/setup-slapd.sh
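Review bot: Removing `libsasl2-dev` in the second hunk risks building ext/ldap without SASL support, which is exactly what the `ldap_sasl_bind` tests this series enables depend on: as far as I recall PHP's configure only compiles `ldap_sasl_bind()` when the Cyrus SASL headers are found, so unless `libldap2-dev` pulls the dev package in transitively on this image, those tests would skip or fail. The runtime `slapd` package added in the first hunk does not provide the headers. If the removal is deliberate because the header is already available, say so in the commit message; otherwise keep `libsasl2-dev \` in the list. The enclosing `sudo apt install` command ends outside both hunks.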
@@ -0,0 +1,169 @@
+#!/bin/sh
+set -ev
+
+# Create TLS certificate
+sudo mkdir -p /etc/ldap/ssl
+
+alt_names() {
+ (
+ (
+ (hostname && hostname -a && hostname -A && hostname -f) |
+ xargs -n 1 |
+ sort -u |
+ sed -e 's/\(\S\+\)/DNS:\1/g'
+ ) && (
+ (hostname -i && hostname -I && echo "127.0.0.1 ::1") |
+ xargs -n 1 |
+ sort -u |
+ sed -e 's/\(\S\+\)/IP:\1/g'
+ )
+ ) | paste -d, -s
+}
+
+sudo openssl req -newkey rsa:4096 -x509 -nodes -days 3650 \
+ -out /etc/ldap/ssl/server.crt -keyout /etc/ldap/ssl/server.key \
+ -subj "/C=US/ST=Arizona/L=Localhost/O=localhost/CN=localhost" \
+ -addext "subjectAltName = `alt_names`"
+
+sudo chown -R openldap:openldap /etc/ldap/ssl
+
+# Display the TLS certificate (should be world readable)
+openssl x509 -noout -text -in /etc/ldap/ssl/server.crt
+
+# Point to the certificate generated
+if ! grep -q 'TLS_CACERT \/etc\/ldap\/ssl\/server.crt' /etc/ldap/ldap.conf; then
+ sudo sed -e 's|^\s*TLS_CACERT|# TLS_CACERT|' -i /etc/ldap/ldap.conf
+ echo 'TLS_CACERT /etc/ldap/ssl/server.crt' | sudo tee -a /etc/ldap/ldap.conf
+fi
+
+# Configure LDAP protocols to serve.
+sudo sed -e 's|^\s*SLAPD_SERVICES\s*=.*$|SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"|' -i /etc/default/slapd
+
+# Configure LDAP database.
+DBDN=`sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(&(olcRootDN=*)(olcSuffix=*))' dn | grep -i '^dn:' | sed -e 's/^dn:\s*//'`;
+
+sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
+
+sudo service slapd restart
+
+sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// << EOF
+dn: $DBDN
+changetype: modify
+replace: olcSuffix
+olcSuffix: dc=my-domain,dc=com
+-
+replace: olcRootDN
+olcRootDN: cn=Manager,dc=my-domain,dc=com
+-
+replace: olcRootPW
+olcRootPW: secret
+
+dn: cn=config
+changetype: modify
+add: olcTLSCACertificateFile
+olcTLSCACertificateFile: /etc/ldap/ssl/server.crt
+-
+add: olcTLSCertificateFile
+olcTLSCertificateFile: /etc/ldap/ssl/server.crt
+-
+add: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: /etc/ldap/ssl/server.key
+-
+add: olcTLSVerifyClient
+olcTLSVerifyClient: never
+-
+add: olcAuthzRegexp
+olcAuthzRegexp: uid=usera,cn=digest-md5,cn=auth cn=usera,dc=my-domain,dc=com
+-
+replace: olcLogLevel
+olcLogLevel: -1
+
+dn: cn=module{0},cn=config
+changetype: modify
+add: olcModuleLoad
+olcModuleLoad: sssvlv
+-
+add: olcModuleLoad
+olcModuleLoad: ppolicy
+-
+add: olcModuleLoad
+olcModuleLoad: dds
+EOF
+
+sudo service slapd restart
+
+sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// << EOF
+dn: olcOverlay=sssvlv,$DBDN
+objectClass: olcOverlayConfig
+objectClass: olcSssVlvConfig
+olcOverlay: sssvlv
+olcSssVlvMax: 10
+olcSssVlvMaxKeys: 5
+
+dn: olcOverlay=ppolicy,$DBDN
+objectClass: olcOverlayConfig
+objectClass: olcPPolicyConfig
+olcOverlay: ppolicy
+### This would clutter our DIT and make tests to fail, while ppolicy does not
+### seem to work as we expect (it does not seem to provide expected controls)
+## olcPPolicyDefault: cn=default,ou=pwpolicies,dc=my-domain,dc=com
+## olcPPolicyHashCleartext: FALSE
+## olcPPolicyUseLockout: TRUE
+
+dn: olcOverlay=dds,$DBDN
+objectClass: olcOverlayConfig
+objectClass: olcDdsConfig
+olcOverlay: dds
+EOF
+
+sudo service slapd restart
+
+sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// << EOF
+dn: $DBDN
+changetype: modify
+add: olcDbIndex
+olcDbIndex: entryExpireTimestamp eq
+EOF
+
+sudo service slapd restart
+
+ldapadd -H ldapi:/// -D cn=Manager,dc=my-domain,dc=com -w secret <