From: Ondřej Kuzník Date: Fri, 18 Aug 2023 10:00:33 +0000 (+0100) Subject: ITS#10084 Switch MECH default away from DIGEST-MD5 X-Git-Tag: OPENLDAP_REL_ENG_2_5_18~13 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f7390ca27c8b3e81dee369dd018ac19dee7c8c28;p=thirdparty%2Fopenldap.git ITS#10084 Switch MECH default away from DIGEST-MD5 --- diff --git a/tests/scripts/conf.sh b/tests/scripts/conf.sh index 837abfd082..bcd9a4a651 100755 --- a/tests/scripts/conf.sh +++ b/tests/scripts/conf.sh @@ -15,7 +15,7 @@ if [ x"$WITH_SASL" = x"yes" -a x"$USE_SASL" != x"no" ] ; then SASL="sasl" if [ x"$USE_SASL" = x"yes" ] ; then - USE_SASL=DIGEST-MD5 + USE_SASL=SCRAM-SHA-256 fi SASL_MECH="\"saslmech=$USE_SASL\"" else diff --git a/tests/scripts/lloadd/test006-sasl b/tests/scripts/lloadd/test006-sasl index c332eb061c..bc101b7d45 100755 --- a/tests/scripts/lloadd/test006-sasl +++ b/tests/scripts/lloadd/test006-sasl @@ -22,7 +22,7 @@ if test $WITH_SASL = "yes" ; then exit 0 fi if test $USE_SASL = "yes" ; then - MECH="DIGEST-MD5" + MECH="SCRAM-SHA-256" else MECH="$USE_SASL" fi diff --git a/tests/scripts/test028-idassert b/tests/scripts/test028-idassert index d0dddfa525..92ecb3e8e1 100755 --- a/tests/scripts/test028-idassert +++ b/tests/scripts/test028-idassert @@ -20,7 +20,7 @@ echo "### This test requires the LDAP backend and the rwm overlay." echo "### If available, and explicitly requested, it can use SASL bind;" echo "### note that SASL must be properly set up, and the requested" echo "### mechanism must be available. Define SLAPD_USE_SASL={yes|}," -echo "### with \"yes\" defaulting to DIGEST-MD5 to enable SASL authc[/authz]." +echo "### with \"yes\" defaulting to SCRAM-SHA-256 to enable SASL authc[/authz]." if test $BACKLDAP = "ldapno" ; then echo "LDAP backend not available, test skipped" 
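Review bot: The new default mechanism is still spelled out as a literal in every script: `USE_SASL=SCRAM-SHA-256` in conf.sh, `MECH="SCRAM-SHA-256"` in lloadd/test006-sasl, and the same literal again in the test028-idassert, test029-ldapglue and test076-authid-rewrite hunks further down. That duplication is why this commit had to touch five files, and a missed copy would leave one test silently on the old mechanism. Consider defining it once in a file the tests already source (suggested name, not in the tree: `SASL_DEFAULT_MECH=SCRAM-SHA-256`) and writing `MECH="$SASL_DEFAULT_MECH"` in each script. It is not visible from these hunks whether every supported SASL build ships a SCRAM-SHA-256 plugin; if some do not, `USE_SASL=yes` will now fail the bind rather than skip, so a short availability check or a note in the test README would help. The enclosing `if` blocks start and end outside the hunks.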
@@ -35,7 +35,7 @@ fi if test $WITH_SASL = "yes" ; then if test $USE_SASL != "no" ; then if test $USE_SASL = "yes" ; then - MECH="DIGEST-MD5" + MECH="SCRAM-SHA-256" else MECH="$USE_SASL" fi diff --git a/tests/scripts/test029-ldapglue b/tests/scripts/test029-ldapglue index 0bb5dc2ca8..89f3379d0a 100755 --- a/tests/scripts/test029-ldapglue +++ b/tests/scripts/test029-ldapglue @@ -20,7 +20,7 @@ echo "### This test requires the ldap backend and glue overlay." echo "### If available, and explicitly requested, it can use SASL bind;" echo "### note that SASL must be properly set up, and the requested" echo "### mechanism must be available. Define SLAPD_USE_SASL={yes|}," -echo "### with \"yes\" defaulting to DIGEST-MD5 to enable SASL authc[/authz]." +echo "### with \"yes\" defaulting to SCRAM-SHA-256 to enable SASL authc[/authz]." if test $BACKLDAP = "ldapno" ; then echo "LDAP backend not available, test skipped" @@ -30,7 +30,7 @@ fi if test $WITH_SASL = "yes" ; then if test $USE_SASL != "no" ; then if test $USE_SASL = "yes" ; then - MECH="DIGEST-MD5" + MECH="SCRAM-SHA-256" else MECH="$USE_SASL" fi diff --git a/tests/scripts/test076-authid-rewrite b/tests/scripts/test076-authid-rewrite index a8d8c7a7a1..b16cbba220 100755 --- a/tests/scripts/test076-authid-rewrite +++ b/tests/scripts/test076-authid-rewrite @@ -21,8 +21,15 @@ if test $WITH_SASL = no; then exit 0 fi +case "$USE_SASL" in + ""|no|yes) + MECH="SCRAM-SHA-256";; + *) + MECH="$USE_SASL" +esac +echo "Using SASL authc[/authz] with mech=$MECH" + CONFDIR=$TESTDIR/slapd.d -MECH=DIGEST-MD5 mkdir -p $TESTDIR $CONFDIR $DBDIR1
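Review bot: In the test076-authid-rewrite hunk the arm `""|no|yes)` treats `USE_SASL=no` the same as unset, so a run that asked for no SASL still binds with SCRAM-SHA-256 and the only trace is the `mech=` echo. This matches the old unconditional `MECH=DIGEST-MD5`, but it is now an explicit decision and deserves a comment above the `case`, for example `# this test always uses SASL; USE_SASL=no only means "use the default mechanism"`. The last arm should also end with `;;` (`MECH="$USE_SASL";;`) so that an arm added after it later cannot fall into a syntax error. The rest of the script lies outside the hunk, so whether the test's stored credentials suit SCRAM as well as they did DIGEST-MD5 cannot be checked from here.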