Skip to content
Snippets Groups Projects
Commit d9a21498 authored by Vladimir Homutov's avatar Vladimir Homutov
Browse files

Added tests with multiple LDAP servers.

The directory is distributed on two servers, and search now may return
continuation object for specific users.
parent 86687e28
Branches
Tags
No related merge requests found
...@@ -97,6 +97,14 @@ http { ...@@ -97,6 +97,14 @@ http {
proxy_pass http://backend/; proxy_pass http://backend/;
} }
location /ref1 {
auth_request /auth-ref1;
error_page 401 =200 /login;
proxy_pass http://backend/;
}
location /login { location /login {
proxy_pass http://backend/login; proxy_pass http://backend/login;
...@@ -195,6 +203,24 @@ http { ...@@ -195,6 +203,24 @@ http {
proxy_set_header X-Ldap-BindDN "cn=root,dc=test,dc=local"; proxy_set_header X-Ldap-BindDN "cn=root,dc=test,dc=local";
proxy_set_header X-Ldap-BindPass "secret"; proxy_set_header X-Ldap-BindPass "secret";
} }
location = /auth-ref1 {
internal;
proxy_pass http://127.0.0.1:8888;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Ldap-URL "ldap://127.0.0.1:8083";
proxy_set_header X-Ldap-BaseDN "ou=Users,dc=test,dc=local";
proxy_set_header X-Ldap-BindDN "cn=root,dc=test,dc=local";
proxy_set_header X-Ldap-BindPass "secret";
proxy_set_header X-CookieName "nginxauth";
proxy_set_header Cookie nginxauth=$cookie_nginxauth;
}
} }
} }
...@@ -252,6 +278,43 @@ TLSCertificateKeyFile $d/localhost.key ...@@ -252,6 +278,43 @@ TLSCertificateKeyFile $d/localhost.key
EOF EOF
$t->write_file_expand("slapd2.conf", <<"EOF");
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/misc.schema
pidfile $d/slapd2.pid
argsfile $d/slapd2.args
logfile $d/slapd2.log
loglevel 256 64
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
by self write
by users read
by anonymous read
database hdb
suffix "ou=Users, dc=test,dc=local"
rootdn "cn=root, ou=Users, dc=test,dc=local"
rootpw secret
directory $d/openldap2-data
index objectClass eq
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile $d/localhost.crt
TLSCertificateFile $d/localhost.crt
TLSCertificateKeyFile $d/localhost.key
# our upstream
referral ldap://127.0.0.1:%%PORT_8083%%/
EOF
$t->write_file_expand("initial.ldif", <<'EOF'); $t->write_file_expand("initial.ldif", <<'EOF');
dn: dc=test,dc=local dn: dc=test,dc=local
...@@ -296,6 +359,37 @@ mail: user3@example.com ...@@ -296,6 +359,37 @@ mail: user3@example.com
description: user3 description: user3
ou: Users ou: Users
dn: ou=more,ou=Users,dc=test,dc=local
objectClass: referral
objectClass: extensibleObject
dc: subtree
ref: ldap://127.0.0.1:%%PORT_8085%%/ou=more,ou=Users,dc=test,dc=local
EOF
$t->write_file_expand("initial2.ldif", <<'EOF');
dn: ou=Users, dc=test,dc=local
ou: Users
description: All people in organisation
objectclass: organizationalunit
dn: ou=more,ou=Users,dc=test,dc=local
dc: test
description: BlaBlaBla
objectClass: dcObject
objectClass: organizationalUnit
dn: cn=user4, ou=more, ou=Users,dc=test,dc=local
objectclass: inetOrgPerson
cn: User number one
sn: u4
uid: user4
userpassword: user4secret
mail: user4@example.com
description: user4
ou: Users
EOF EOF
# -u ldap -g ldap # -u ldap -g ldap
...@@ -309,21 +403,30 @@ $t->has_daemon($SLAPD); ...@@ -309,21 +403,30 @@ $t->has_daemon($SLAPD);
$t->has_daemon($AUTHD); $t->has_daemon($AUTHD);
mkdir("$d/openldap-data"); mkdir("$d/openldap-data");
mkdir("$d/openldap2-data");
my $p3 = port(8083); my $p3 = port(8083);
my $p4 = port(8084); my $p4 = port(8084);
my $p5 = port(8085);
# change '0' to '1' or more to get debug from slapd # change '0' to '1' or more to get debug from slapd
$t->run_daemon($SLAPD, '-d', '0', '-f', "$d/slapd.conf", $t->run_daemon($SLAPD, '-d', '0', '-f', "$d/slapd.conf",
'-h', "ldap://127.0.0.1:$p3 ldaps://127.0.0.1:$p4"); '-h', "ldap://127.0.0.1:$p3 ldaps://127.0.0.1:$p4");
$t->waitforsocket("127.0.0.1:$p3") or die "Can't start slapd"; $t->run_daemon($SLAPD, '-d', '0', '-f', "$d/slapd2.conf",
'-h', "ldap://127.0.0.1:$p5");
$t->waitforsocket("127.0.0.1:$p3") or die "Can't start slapd";
$t->waitforsocket("127.0.0.1:$p5") or die "Can't start slapd2";
system("ldapadd -H ldap://127.0.0.1:$p3 -x -D \"cn=root,dc=test,dc=local\"" system("ldapadd -H ldap://127.0.0.1:$p3 -x -D \"cn=root,dc=test,dc=local\""
. " -f $d/initial.ldif -w secret >> $d/ldif.log 2>&1") == 0 . " -f $d/initial.ldif -w secret >> $d/ldif.log 2>&1") == 0
or die "Can't import initial LDIF\n"; or die "Can't import initial LDIF\n";
system("ldapadd -H ldap://127.0.0.1:$p5 -x -D \"cn=root,ou=Users,dc=test,dc=local\""
. " -f $d/initial2.ldif -w secret >> $d/ldif2.log 2>&1") == 0
or die "Can't import initial2 LDIF\n";
$t->write_file_expand("auth_daemon.sh", <<"EOF"); $t->write_file_expand("auth_daemon.sh", <<"EOF");
AUTHBIN=\$(realpath $AUTHD) AUTHBIN=\$(realpath $AUTHD)
...@@ -336,7 +439,7 @@ $t->run_daemon('/bin/sh', "$d/auth_daemon.sh"); ...@@ -336,7 +439,7 @@ $t->run_daemon('/bin/sh', "$d/auth_daemon.sh");
$t->waitforsocket('127.0.0.1:' . port(8888)) $t->waitforsocket('127.0.0.1:' . port(8888))
or die "Can't start auth daemon"; or die "Can't start auth daemon";
$t->plan(19); $t->plan(21);
$t->run(); $t->run();
...@@ -387,6 +490,18 @@ like(http_get_auth('/nodn', 'user1', 'user1secret'), qr!Internal Server Error!, ...@@ -387,6 +490,18 @@ like(http_get_auth('/nodn', 'user1', 'user1secret'), qr!Internal Server Error!,
like(http_get_auth('/nourl', 'user1', 'user1secret'), qr!LOGIN PAGE!, like(http_get_auth('/nourl', 'user1', 'user1secret'), qr!LOGIN PAGE!,
'url must be set'); 'url must be set');
# LDAP referrals
# user can be found, but bind happens on 1st server, instead of the found
# the behaviour may change with different servers
like(http_get_auth('/ref1', 'user4', 'user4secret'), qr!LOGIN PAGE!,
'server2 user via referral on server1');
# unknown user on referred server, result is empty dn
like(http_get_auth('/ref1', 'userx', 'blah'), qr!LOGIN PAGE!,
'unknown user with referral on server1');
############################################################################### ###############################################################################
sub http_get_auth { sub http_get_auth {
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment