File 0208-ITS-9400-back-ldap-fix-retry-binds.patch of Package openldap2
From 76fea1fa8f4fe3b546596a6b63831cacb33c73aa Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Mon, 23 Nov 2020 05:14:30 +0000
Subject: [PATCH] ITS#9400 back-ldap: fix retry binds Regression from fix for ITS#7403 ITS#9400 back-ldap: fix prev commit ITS#9400 Added test case for back-ldap retry failure
---
 servers/slapd/back-ldap/bind.c | 2 +-
 tests/data/regressions/its9400/its9400 | 161 ++++++++++++++++++
 .../its9400/slapd-proxy-idassert.conf | 45 +++++
 3 files changed, 207 insertions(+), 1 deletion(-)
 create mode 100755 tests/data/regressions/its9400/its9400
 create mode 100644 tests/data/regressions/its9400/slapd-proxy-idassert.conf
diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index 621cd2c8c..e6a3db144 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -2102,7 +2102,7 @@ ldap_back_is_proxy_authz( Operation *op, SlapReply *rs, ldap_back_send_t sendok,
 }
 if ( !( li->li_idassert_flags & LDAP_BACK_AUTH_OVERRIDE )) {
- if ( op->o_tag == LDAP_REQ_BIND ) {
+ if ( op->o_tag == LDAP_REQ_BIND && ( sendok & LDAP_BACK_SENDERR )) {
 if ( !BER_BVISEMPTY( &ndn )) {
 dobind = 0;
 goto done;
diff --git a/tests/data/regressions/its9400/its9400 b/tests/data/regressions/its9400/its9400
new file mode 100755
index 000000000..ae0c5258b
--- /dev/null
+++ b/tests/data/regressions/its9400/its9400
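Review bot: The added `( sendok & LDAP_BACK_SENDERR )` test in ldap_back_is_proxy_authz() makes an identity-assertion decision depend on an error-reporting flag, and nothing at the site explains why. With this condition, a Bind whose caller did not set LDAP_BACK_SENDERR no longer takes the `dobind = 0` shortcut and instead continues into the rest of the function; that is presumably the retry path the commit targets, but any other caller that omits the flag for a client-initiated Bind would get the same treatment. I would add a comment on the condition, for example `/* ITS#9400: retry binds arrive without LDAP_BACK_SENDERR and must not take the client-bind shortcut */`, and confirm against the callers that only the retry path omits the flag. The function starts and ends outside this hunk, so the remaining idassert logic could not be checked here.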
@@ -0,0 +1,161 @@
+#! /bin/sh
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2020 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+echo "running defines.sh"
+. $SRCDIR/scripts/defines.sh
+
+ITS=9400
+ITSDIR=$DATADIR/regressions/its$ITS
+
+if test $BACKLDAP = "ldapno" ; then
+ echo "LDAP backend not available, test skipped"
+ exit 0
+fi
+
+mkdir -p $TESTDIR $DBDIR1 $DBDIR2
+cp -r $DATADIR/tls $TESTDIR
+
+echo "This test checks that back-ldap does retry binds after the remote LDAP server"
+echo "has abruptly disconnected the (idle) LDAP connection."
+
+#
+# Start slapd that acts as a remote LDAP server that will be proxied
+#
+echo "Running slapadd to build database for the remote slapd server..."
+. $CONFFILTER $BACKEND < $CONF > $CONF1
+$SLAPADD -f $CONF1 -l $LDIFORDERED
+
+RC=$?
+if test $RC != 0 ; then
+ echo "slapadd failed ($RC)!"
+ exit $RC
+fi
+
+
+echo "Starting remote slapd server on TCP/IP port $PORT1..."
+$SLAPD -f $CONF1 -h "$URI1" -d $LVL > $LOG1 2>&1 &
+SERVERPID=$!
+if test $WAIT != 0 ; then
+ echo SERVERPID $SERVERPID
+ read foo
+fi
+
+
+#
+# Start ldapd that will proxy for the remote server
+#
+echo "Starting slapd proxy on TCP/IP port $PORT2..."
+. $CONFFILTER $BACKEND < $ITSDIR/slapd-proxy-idassert.conf > $CONF2
+$SLAPD -f $CONF2 -h $URI2 -d $LVL > $LOG2 2>&1 &
+PROXYPID=$!
+if test $WAIT != 0 ; then
+ echo PROXYPID $PROXYPID
+ read foo
+fi
+KILLPIDS="$KILLPIDS $PROXYPID"
+
+sleep 1
+
+
+#
+# Successful searches
+#
+
+echo "Using ldapsearch with bind that will be passed through to remote server..."
+$LDAPSEARCH -S "" -b "$BASEDN" \
+ -D "cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" \
+ -H $URI2 \
+ -w "bjensen" \
+ 'objectclass=*' > $TESTOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+ echo "ldapsearch failed at proxy ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+
+echo "Using ldapsearch with idassert-bind..."
+$LDAPSEARCH -S "" -b "$BASEDN" -D "cn=Manager,dc=local,dc=com" -H $URI2 -w "secret" \
+ 'objectclass=*' >> $TESTOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+ echo "ldapsearch failed at proxy ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+
+#
+# Now kill the remote slapd that is being proxied for.
+# This will invalidate the current TCP connections that proxy has to remote.
+#
+echo "Killing remote server"
+kill $SERVERPID
+sleep 1
+
+echo "Re-starting remote slapd server on TCP/IP port $PORT1..."
+$SLAPD -f $CONF1 -h "$URI1" -d $LVL >> $LOG1 2>&1 &
+SERVERPID=$!
+if test $WAIT != 0 ; then
+ echo SERVERPID $SERVERPID
+ read foo
+fi
+KILLPIDS="$KILLPIDS $SERVERPID"
+
+sleep 2
+
+
+echo "-------------------------------------------------" >> $TESTOUT
+echo "Searches after remote slapd server has restarted:" >> $TESTOUT
+echo "-------------------------------------------------" >> $TESTOUT
+
+#
+# Successful search
+#
+echo "Using ldapsearch with bind that will be passed through to remote server..."
+$LDAPSEARCH -S "" -b "$BASEDN" \
+ -D "cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" \
+ -H $URI2 \
+ -w "bjensen" \
+ 'objectclass=*' >> $TESTOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+ echo "ldapsearch failed at proxy ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+#
+# UNSUCCESFUL SEARCH
+#
+echo "Using ldapsearch with idassert-bind..."
+$LDAPSEARCH -S "" -b "$BASEDN" -D "cn=Manager,dc=local,dc=com" -H $URI2 -w "secret" \
+ 'objectclass=*' >> $TESTOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+ echo "ldapsearch failed at proxy ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+
+test $KILLSERVERS != no && kill -HUP $KILLPIDS
+
+echo ">>>>> Test succeeded"
+
+test $KILLSERVERS != no && wait
+
+exit 0
diff --git a/tests/data/regressions/its9400/slapd-proxy-idassert.conf b/tests/data/regressions/its9400/slapd-proxy-idassert.conf
new file mode 100644
index 000000000..b1f3c6626
--- /dev/null
+++ b/tests/data/regressions/its9400/slapd-proxy-idassert.conf
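Review bot: The remote slapd started first is never recorded in KILLPIDS, so the two `kill -HUP $KILLPIDS` failure exits before the restart signal only the proxy and leave the remote server listening on $PORT1 with the fixture database loaded. Only the restarted instance is appended, via `KILLPIDS="$KILLPIDS $SERVERPID"`. I would set `KILLPIDS="$SERVERPID"` right after the first `SERVERPID=$!` and rebuild the list as `KILLPIDS="$PROXYPID $SERVERPID"` after the restart so the stale PID is dropped. Separately, the `# UNSUCCESFUL SEARCH` banner over the last search contradicts the check beneath it, which exits with an error unless that search succeeds, and the fixed `sleep 1`/`sleep 2` waits may make the test flaky on slow hosts.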
@@ -0,0 +1,45 @@
+# provider slapd config -- for testing
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2020 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+include @SCHEMADIR@/core.schema
+include @SCHEMADIR@/cosine.schema
+include @SCHEMADIR@/inetorgperson.schema
+include @SCHEMADIR@/openldap.schema
+include @SCHEMADIR@/nis.schema
+pidfile @TESTDIR@/slapd.m.pid
+argsfile @TESTDIR@/slapd.m.args
+
+#######################################################################
+# database definitions
+#######################################################################
+
+# here the proxy is not only acting as a proxy, but it also has a local database dc=local,dc=com"
+database @BACKEND@
+suffix "dc=local,dc=com"
+rootdn "cn=Manager,dc=local,dc=com"
+rootpw "secret"
+#~null~#directory @TESTDIR@/db.2.a
+
+# Configure proxy
+# - normal user binds to "*,dc=example,dc=com" are proxied through to the remote slapd
+# - admin bind to local "cn=Manager,dc=local,dc=com" is overwritten by using idassert-bind
+database ldap
+uri "@URI1@"
+suffix "dc=example,dc=com"
+idassert-bind bindmethod=simple binddn="cn=Manager,dc=example,dc=com" credentials="secret"
+idassert-authzFrom "dn.exact:cn=Manager,dc=local,dc=com"
+rebind-as-user yes
+
+database monitor
--
2.24.3 (Apple Git-128)
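Review bot: The header comment `# provider slapd config -- for testing` does not describe this file, which sets up the proxy: a local `dc=local,dc=com` database plus a `database ldap` section with idassert-bind. I would change it to `# proxy slapd config with idassert-bind -- for the ITS#9400 regression test`, and drop the stray trailing quote in the comment ending `local database dc=local,dc=com"`. The `slapd.m.pid` and `slapd.m.args` names also look carried over from a provider config; if the remote server's config writes the same paths under @TESTDIR@, the two instances would overwrite each other's files, which is worth confirming against the config used for $CONF1.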