Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15:Update
openldap2
0231-ITS-9468-Added-test-case-for-proxy-re-bind...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0231-ITS-9468-Added-test-case-for-proxy-re-binding-anonym.patch of Package openldap2
From 430ca1b323d92a4ec02bbeda0acb556467751ae6 Mon Sep 17 00:00:00 2001 From: Tero Saarni <tero.saarni@est.tech> Date: Wed, 24 Feb 2021 18:24:31 +0200 Subject: [PATCH 231/238] ITS#9468 Added test case for proxy re-binding anonymously --- tests/data/regressions/its9468/its9468 | 421 ++++++++++++++++++ .../data/regressions/its9468/slapd-proxy.conf | 81 ++++ .../regressions/its9468/slapd-remote.conf | 50 +++ 3 files changed, 552 insertions(+) create mode 100755 tests/data/regressions/its9468/its9468 create mode 100644 tests/data/regressions/its9468/slapd-proxy.conf create mode 100644 tests/data/regressions/its9468/slapd-remote.conf diff --git a/tests/data/regressions/its9468/its9468 b/tests/data/regressions/its9468/its9468 new file mode 100755 index 000000000..f79b48687 --- /dev/null +++ b/tests/data/regressions/its9468/its9468 @@ -0,0 +1,421 @@ +#! /bin/sh +# $OpenLDAP$ +## This work is part of OpenLDAP Software <http://www.openldap.org/>. +## +## Copyright 1998-2021 The OpenLDAP Foundation. +## All rights reserved. +## +## Redistribution and use in source and binary forms, with or without +## modification, are permitted only as authorized by the OpenLDAP +## Public License. +## +## A copy of this license is available in the file LICENSE in the +## top-level directory of the distribution or, alternatively, at +## <http://www.OpenLDAP.org/license.html>. + +echo "running defines.sh" +. $SRCDIR/scripts/defines.sh + +ITS=9468 +ITSDIR=$DATADIR/regressions/its$ITS + +if test $BACKLDAP = "ldapno" ; then + echo "LDAP backend not available, test skipped" + exit 0 +fi +if test $RWM = "rwmno" ; then + echo "rwm (rewrite/remap) overlay not available, test skipped" + exit 0 +fi + +mkdir -p $TESTDIR $DBDIR1 $DBDIR2 + +echo "This test checks back-ldap connection retry behavior when the connection" +echo "to remote LDAP server is disconnected due to:" +echo " - remote server disconnecting the proxy connection" +echo " - proxy disconnecting the remote server connection due to timeout/ttl" + +# +# Start slapd that acts as a remote LDAP server that will be proxied +# +echo "Running slapadd to build database for the remote slapd server..." +. $CONFFILTER $BACKEND < $ITSDIR/slapd-remote.conf > $CONF1 +$SLAPADD -f $CONF1 -l $LDIFORDERED +RC=$? +if test $RC != 0 ; then + echo "slapadd failed ($RC)!" + exit $RC +fi + +echo "Starting remote slapd server on TCP/IP port $PORT1..." +$SLAPD -f $CONF1 -h "$URI1" -d $LVL > $LOG1 2>&1 & +SERVERPID=$! +if test $WAIT != 0 ; then + echo SERVERPID $SERVERPID + read foo +fi + +echo "Using ldapsearch to check that slapd is running..." +for i in 0 1 2 3 4 5; do + $LDAPSEARCH -s base -b "$MONITORDN" -H $URI1 \ + -D $MANAGERDN \ + -w $PASSWD \ + 'objectclass=*' > /dev/null 2>&1 + RC=$? + if test $RC = 0 ; then + break + fi + echo "Waiting $SLEEP0 seconds for slapd to start..." + sleep $SLEEP0 +done + +if test $RC != 0 ; then + echo "ldapsearch failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $SERVERPID + exit $RC +fi + +# +# Start slapd that will proxy for the remote server +# +echo "Starting slapd proxy on TCP/IP port $PORT2..." +. $CONFFILTER $BACKEND < $ITSDIR/slapd-proxy.conf > $CONF2 +$SLAPD -f $CONF2 -h $URI2 -d $LVL > $LOG2 2>&1 & +PROXYPID=$! +if test $WAIT != 0 ; then + echo PROXYPID $PROXYPID + read foo +fi +KILLPIDS="$KILLPIDS $PROXYPID" + +echo "Using ldapsearch to check that slapd is running..." +for i in 0 1 2 3 4 5; do + $LDAPSEARCH -s base -b "$MONITORDN" -H $URI2 \ + -D "cn=Manager,dc=local,dc=com" \ + -w $PASSWD \ + 'objectclass=*' > /dev/null 2>&1 + RC=$? + if test $RC = 0 ; then + break + fi + echo "Waiting $SLEEP0 seconds for slapd to start..." + sleep $SLEEP0 +done + +if test $RC != 0 ; then + echo "ldapsearch failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +# Create fifo that is used to pass searches from the test case to ldapsearch without +# disconnecting the client -> proxy connection +rm -f $TESTDIR/ldapsearch.fifo +mkfifo $TESTDIR/ldapsearch.fifo + +############################################################################# +# +# Test 1: Check that proxy WILL NOT try to re-establish connection and rebind +# after server has disconnected the connection towards proxy. +# +# Proxy config is +# - rebind-as-user no +# - no idle-timeout of conn-ttl set +# + +echo "Test 1" + +# Start ldapsearch on background and have it read search filters from fifo, +# so that single client connection will persist over many searches +echo "Make the proxy to connect the remote LDAP server..." +$LDAPSEARCH -b "dc=no-rebind,dc=no-timeout,$BASEDN" \ + -D "cn=Barbara Jensen,dc=no-rebind,dc=no-timeout,$BASEDN" \ + -w "bjensen" \ + -H $URI2 \ + -f $TESTDIR/ldapsearch.fifo > $TESTOUT 2>&1 & +LDAPSEARCHPID=$! +KILLPIDS="$KILLPIDS $LDAPSEARCHPID" + +# Open fifo as file descriptor +exec 3>$TESTDIR/ldapsearch.fifo + +# Trigger LDAP connections towards the proxy by executing a search +echo 'objectclass=*' >&3 +# Wait for ldapsearch process on the background to catch up reading the fifo +sleep 2 + +# Check the number of bind operations that proxy has executed so far +NUM_PROXY_BINDS_BEFORE=`$LDAPSEARCH -LLL \ + -H $URI2 \ + -D "cn=Manager,dc=local,dc=com" \ + -w $PASSWD \ + -b "cn=Bind,cn=Operations,cn=database 2,cn=databases,cn=monitor" olmDbOperation | \ + tee -a $TESTOUT | \ + sed -n 's/^olmDbOperation: \(.*\)/\1/p'` + +# Restart the remote server to invalidate TCP connection between proxy and remote +echo "Killing and re-starting remote slapd server on TCP/IP port $PORT1..." +kill -HUP $SERVERPID +sleep 2 + +# When forking slapd on background, close filehandle 3 to avoid leaving fifo hanging uncloseable +$SLAPD -f $CONF1 -h "$URI1" -d $LVL >> $LOG1 2>&1 3>&- & +SERVERPID=$! +KILLPIDS="$KILLPIDS $SERVERPID" + +echo "Using ldapsearch to check that remote slapd is running..." +for i in 0 1 2 3 4 5; do + $LDAPSEARCH -s base -b "$MONITORDN" -H $URI1 \ + -D $MANAGERDN \ + -w $PASSWD \ + 'objectclass=*' > /dev/null 2>&1 + RC=$? + if test $RC = 0 ; then + break + fi + echo "Waiting $SLEEP0 seconds for slapd to start..." + sleep $SLEEP0 +done + +if test $RC != 0 ; then + echo "ldapsearch failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null + exit $RC +fi + +echo "Use ldapsearch to trigger proxy retry logic" +echo 'objectclass=*' >&3 +# Wait for ldapsearch process on the background to catch up reading the fifo +sleep 2 + +# Check how many binds have been executed after retry +NUM_PROXY_BINDS_AFTER=`$LDAPSEARCH -LLL \ + -H $URI2 \ + -D "cn=Manager,dc=local,dc=com" \ + -w $PASSWD \ + -b "cn=Bind,cn=Operations,cn=database 2,cn=databases,cn=monitor" olmDbOperation | \ + tee -a $TESTOUT | \ + sed -n 's/^olmDbOperation: \(.*\)/\1/p'` + +echo "Checking if proxy tried to re-bind to the remote server" +if test $NUM_PROXY_BINDS_BEFORE != $NUM_PROXY_BINDS_AFTER ; then + echo "Failure: expected proxy bind operation count not to increase ($NUM_PROXY_BINDS_BEFORE != $NUM_PROXY_BINDS_AFTER)" + test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null + exit 1 +fi + +echo "Checking ldapsearch status" +exec 3>&- +wait $LDAPSEARCHPID +RC=$? +if test $RC != 52 ; then + echo "Failure: expected ldapsearch to return error unavailable (52) from proxy but got $RC" + test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null + exit 1 +fi + +############################################################################# +# +# Test 2: Check that proxy WILL re-establish connection and rebind after +# remote server has disconnected the connection towards proxy. +# +# Proxy config is +# - rebind-as-user yes +# - no idle-timeout or conn-ttl set +# + +echo "Test 2" + +echo "Make the proxy to connect the remote LDAP server..." +$LDAPSEARCH -b "dc=rebind,dc=no-timeout,$BASEDN" \ + -D "cn=Barbara Jensen,dc=rebind,dc=no-timeout,$BASEDN" \ + -w "bjensen" \ + -H $URI2 \ + -f $TESTDIR/ldapsearch.fifo >> $TESTOUT 2>&1 & +LDAPSEARCHPID=$! +KILLPIDS="$SERVERPID $PROXYPID $LDAPSEARCHPID" + +exec 3>$TESTDIR/ldapsearch.fifo + +echo 'objectclass=*' >&3 +sleep 2 + +echo "Killing and re-starting remote slapd server on TCP/IP port $PORT1..." +kill -HUP $SERVERPID +sleep 2 + +$SLAPD -f $CONF1 -h "$URI1" -d $LVL >> $LOG1 2>&1 3>&- & +SERVERPID=$! +KILLPIDS="$KILLPIDS $SERVERPID" + +echo "Using ldapsearch to check that remote slapd is running..." +for i in 0 1 2 3 4 5; do + $LDAPSEARCH -s base -b "$MONITORDN" -H $URI1 \ + -D $MANAGERDN \ + -w $PASSWD \ + 'objectclass=*' > /dev/null 2>&1 + RC=$? + if test $RC = 0 ; then + break + fi + echo "Waiting $SLEEP0 seconds for slapd to start..." + sleep $SLEEP0 +done + +if test $RC != 0 ; then + echo "ldapsearch failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null + exit $RC +fi + +echo "Use ldapsearch to trigger proxy retry logic" +echo 'objectclass=*' >&3 +sleep 2 + +echo "Checking ldapsearch status" +exec 3>&- +wait $LDAPSEARCHPID +RC=$? + +if test $RC != 0 ; then + echo "ldapsearch failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null + exit $RC +fi + +############################################################################# +# +# Test 3: Check that proxy WILL NOT re-establish connection and rebind after +# it disconnected the connection after idle-timeout or conn-ttl +# +# Proxy config is +# - rebind-as-user no +# - no idle-timeout or conn-ttl set +# + +echo "Test 3" + +echo "Make the proxy to connect the remote LDAP server..." +$LDAPSEARCH -b "dc=no-rebind,dc=timeout,$BASEDN" \ + -D "cn=Barbara Jensen,dc=no-rebind,dc=timeout,$BASEDN" \ + -w "bjensen" \ + -H $URI2 \ + -f $TESTDIR/ldapsearch.fifo >> $TESTOUT 2>&1 & +LDAPSEARCHPID=$! +KILLPIDS="$SERVERPID $PROXYPID $LDAPSEARCHPID" + +exec 3>$TESTDIR/ldapsearch.fifo + +echo 'objectclass=*' >&3 +# Wait for proxy->remote server timeout to expire +sleep 4 + +NUM_PROXY_BINDS_BEFORE=`$LDAPSEARCH -LLL \ + -H $URI2 \ + -D "cn=Manager,dc=local,dc=com" \ + -w $PASSWD \ + -b "cn=Bind,cn=Operations,cn=database 2,cn=databases,cn=monitor" olmDbOperation | \ + tee -a $TESTOUT | \ + sed -n 's/^olmDbOperation: \(.*\)/\1/p'` + +echo "Use ldapsearch to trigger proxy retry logic" +echo 'objectclass=*' >&3 +sleep 2 + +NUM_PROXY_BINDS_AFTER=`$LDAPSEARCH -LLL \ + -H $URI2 \ + -D "cn=Manager,dc=local,dc=com" \ + -w $PASSWD \ + -b "cn=Bind,cn=Operations,cn=database 2,cn=databases,cn=monitor" olmDbOperation | \ + tee -a $TESTOUT | \ + sed -n 's/^olmDbOperation: \(.*\)/\1/p'` + +echo "Checking if proxy tried to re-bind to the remote server" +if test $NUM_PROXY_BINDS_BEFORE != $NUM_PROXY_BINDS_AFTER ; then + echo "Failure: expected proxy bind operation count not to increase ($NUM_PROXY_BINDS_BEFORE != $NUM_PROXY_BINDS_AFTER)" + test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null + exit 1 +fi + +echo "Checking ldapsearch status" +exec 3>&- +wait $LDAPSEARCHPID +RC=$? +if test $RC != 52 ; then + echo "Failure: expected ldapsearch to return error unavailable (52) from proxy but got $RC" + test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null + exit 1 +fi + +############################################################################# +# +# Test 4: Check that proxy WILL NOT re-establish connection and rebind after +# it disconnected the connection after idle-timeout or conn-ttl +# +# Proxy config is +# - rebind-as-user yes +# - no idle-timeout or conn-ttl set +# + +echo "Test 4" + +echo "Make the proxy to connect the remote LDAP server..." +$LDAPSEARCH -b "dc=rebind,dc=timeout,$BASEDN" \ + -D "cn=Barbara Jensen,dc=rebind,dc=timeout,$BASEDN" \ + -w "bjensen" \ + -H $URI2 \ + -f $TESTDIR/ldapsearch.fifo >> $TESTOUT 2>&1 & +LDAPSEARCHPID=$! +KILLPIDS="$SERVERPID $PROXYPID $LDAPSEARCHPID" + +exec 3>$TESTDIR/ldapsearch.fifo + +echo 'objectclass=*' >&3 +# Wait for proxy->remote server timeout to expire +sleep 4 + +NUM_PROXY_BINDS_BEFORE=`$LDAPSEARCH -LLL \ + -H $URI2 \ + -D "cn=Manager,dc=local,dc=com" \ + -w $PASSWD \ + -b "cn=Bind,cn=Operations,cn=database 2,cn=databases,cn=monitor" olmDbOperation | \ + tee -a $TESTOUT | \ + sed -n 's/^olmDbOperation: \(.*\)/\1/p'` + +echo "Use ldapsearch to trigger proxy retry logic" +echo 'objectclass=*' >&3 +sleep 2 + +NUM_PROXY_BINDS_AFTER=`$LDAPSEARCH -LLL \ + -H $URI2 \ + -D "cn=Manager,dc=local,dc=com" \ + -w $PASSWD \ + -b "cn=Bind,cn=Operations,cn=database 2,cn=databases,cn=monitor" olmDbOperation | \ + tee -a $TESTOUT | \ + sed -n 's/^olmDbOperation: \(.*\)/\1/p'` + +echo "Checking if proxy tried to re-bind to the remote server" +if test $NUM_PROXY_BINDS_BEFORE != $NUM_PROXY_BINDS_AFTER ; then + echo "Failure: expected proxy bind operation count not to increase ($NUM_PROXY_BINDS_BEFORE != $NUM_PROXY_BINDS_AFTER)" + test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null + exit 1 +fi + +echo "Checking ldapsearch status" +exec 3>&- +wait $LDAPSEARCHPID +RC=$? +if test $RC != 52 ; then + echo "Failure: expected ldapsearch to return error unavailable (52) from proxy but got $RC" + test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null + exit 1 +fi + + +test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null + +echo ">>>>> Test succeeded" + +test $KILLSERVERS != no && wait + +exit 0 \ No newline at end of file diff --git a/tests/data/regressions/its9468/slapd-proxy.conf b/tests/data/regressions/its9468/slapd-proxy.conf new file mode 100644 index 000000000..a2bd893c8 --- /dev/null +++ b/tests/data/regressions/its9468/slapd-proxy.conf @@ -0,0 +1,81 @@ +# provider slapd config -- for testing +# $OpenLDAP$ +## This work is part of OpenLDAP Software <http://www.openldap.org/>. +## +## Copyright 1998-2021 The OpenLDAP Foundation. +## All rights reserved. +## +## Redistribution and use in source and binary forms, with or without +## modification, are permitted only as authorized by the OpenLDAP +## Public License. +## +## A copy of this license is available in the file LICENSE in the +## top-level directory of the distribution or, alternatively, at +## <http://www.OpenLDAP.org/license.html>. + +include @SCHEMADIR@/core.schema +include @SCHEMADIR@/cosine.schema +include @SCHEMADIR@/inetorgperson.schema +include @SCHEMADIR@/openldap.schema +include @SCHEMADIR@/nis.schema +pidfile @TESTDIR@/slapd.m.pid +argsfile @TESTDIR@/slapd.m.args + +####################################################################### +# database definitions +####################################################################### + +#mod#modulepath ../servers/slapd/back-@BACKEND@/:../servers/slapd/overlays +#mod#moduleload back_@BACKEND@.la +#ldapmod#modulepath ../servers/slapd/back-ldap/ +#ldapmod#moduleload back_ldap.la +#rwmmod#modulepath ../servers/slapd/overlays/ +#rwmmod#moduleload rwm.la +#monitormod#modulepath ../servers/slapd/back-monitor/ +#monitormod#moduleload back_monitor.la + +database @BACKEND@ +suffix "dc=local,dc=com" +rootdn "cn=Manager,dc=local,dc=com" +rootpw "secret" +#~null~#directory @TESTDIR@/db.2.a + +# proxy with default settings, used for test where remote server will disconnect the proxy connection +database ldap +uri "@URI1@" +suffix "dc=no-rebind,dc=no-timeout,dc=example,dc=com" +monitoring yes +rebind-as-user no +overlay rwm +rwm-suffixmassage "dc=no-rebind,dc=no-timeout,dc=example,dc=com" "ou=Information Technology Division,ou=People,dc=example,dc=com" + +# proxy with rebind-as-user set, used for test where remote server will disconnect the proxy connection +database ldap +uri "@URI1@" +suffix "dc=rebind,dc=no-timeout,dc=example,dc=com" +monitoring yes +rebind-as-user yes +overlay rwm +rwm-suffixmassage "dc=rebind,dc=no-timeout,dc=example,dc=com" "ou=Information Technology Division,ou=People,dc=example,dc=com" + +# proxy with idle-timeout, used for test where proxy will disconnect the remote server connection +database ldap +uri "@URI1@" +suffix "dc=no-rebind,dc=timeout,dc=example,dc=com" +monitoring yes +rebind-as-user no +idle-timeout 1 +overlay rwm +rwm-suffixmassage "dc=no-rebind,dc=timeout,dc=example,dc=com" "ou=Information Technology Division,ou=People,dc=example,dc=com" + +# proxy with rebind-as-user and idle-timeout, used for test where proxy will disconnect the remote server connection +database ldap +uri "@URI1@" +suffix "dc=rebind,dc=timeout,dc=example,dc=com" +monitoring yes +rebind-as-user yes +idle-timeout 1 +overlay rwm +rwm-suffixmassage "dc=rebind,dc=timeout,dc=example,dc=com" "ou=Information Technology Division,ou=People,dc=example,dc=com" + +database monitor \ No newline at end of file diff --git a/tests/data/regressions/its9468/slapd-remote.conf b/tests/data/regressions/its9468/slapd-remote.conf new file mode 100644 index 000000000..71fb1cb36 --- /dev/null +++ b/tests/data/regressions/its9468/slapd-remote.conf @@ -0,0 +1,50 @@ +# stand-alone slapd config -- for testing (with indexing) +# $OpenLDAP$ +## This work is part of OpenLDAP Software <http://www.openldap.org/>. +## +## Copyright 1998-2021 The OpenLDAP Foundation. +## All rights reserved. +## +## Redistribution and use in source and binary forms, with or without +## modification, are permitted only as authorized by the OpenLDAP +## Public License. +## +## A copy of this license is available in the file LICENSE in the +## top-level directory of the distribution or, alternatively, at +## <http://www.OpenLDAP.org/license.html>. + +include @SCHEMADIR@/core.schema +include @SCHEMADIR@/cosine.schema +include @SCHEMADIR@/inetorgperson.schema +include @SCHEMADIR@/openldap.schema +include @SCHEMADIR@/nis.schema +include @DATADIR@/test.schema + +# +pidfile @TESTDIR@/slapd.1.pid +argsfile @TESTDIR@/slapd.1.args + +# disable anonymous bind in order to catch ITS#9468 +disallow bind_anon + +#mod#modulepath ../servers/slapd/back-@BACKEND@/ +#mod#moduleload back_@BACKEND@.la + +####################################################################### +# database definitions +####################################################################### + +database @BACKEND@ +suffix "dc=example,dc=com" +rootdn "cn=Manager,dc=example,dc=com" +rootpw secret +monitoring on +#null#bind on +#~null~#directory @TESTDIR@/db.1.a +#indexdb#index objectClass eq +#indexdb#index cn,sn,uid pres,eq,sub +#mdb#maxsize 33554432 +#ndb#dbname db_1 +#ndb#include @DATADIR@/ndb.conf + +database monitor \ No newline at end of file -- 2.32.0
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor