openldap2/0231-ITS-9468-Added-test-case-for-proxy-re-binding-anonym.patch

From 430ca1b323d92a4ec02bbeda0acb556467751ae6 Mon Sep 17 00:00:00 2001
From: Tero Saarni <tero.saarni@est.tech>
Date: Wed, 24 Feb 2021 18:24:31 +0200
Subject: [PATCH 231/238] ITS#9468 Added test case for proxy re-binding
anonymously
---
tests/data/regressions/its9468/its9468 | 421 ++++++++++++++++++
.../data/regressions/its9468/slapd-proxy.conf | 81 ++++
.../regressions/its9468/slapd-remote.conf | 50 +++
3 files changed, 552 insertions(+)
create mode 100755 tests/data/regressions/its9468/its9468
create mode 100644 tests/data/regressions/its9468/slapd-proxy.conf
create mode 100644 tests/data/regressions/its9468/slapd-remote.conf
diff --git a/tests/data/regressions/its9468/its9468 b/tests/data/regressions/its9468/its9468
new file mode 100755
index 000000000..f79b48687
--- /dev/null
+++ b/tests/data/regressions/its9468/its9468
@@ -0,0 +1,421 @@
+#! /bin/sh
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2021 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+echo "running defines.sh"
+. $SRCDIR/scripts/defines.sh
+
+ITS=9468
+ITSDIR=$DATADIR/regressions/its$ITS
+
+if test $BACKLDAP = "ldapno" ; then
+ echo "LDAP backend not available, test skipped"
+ exit 0
+fi
+if test $RWM = "rwmno" ; then
+ echo "rwm (rewrite/remap) overlay not available, test skipped"
+ exit 0
+fi
+
+mkdir -p $TESTDIR $DBDIR1 $DBDIR2
+
+echo "This test checks back-ldap connection retry behavior when the connection"
+echo "to remote LDAP server is disconnected due to:"
+echo " - remote server disconnecting the proxy connection"
+echo " - proxy disconnecting the remote server connection due to timeout/ttl"
+
+#
+# Start slapd that acts as a remote LDAP server that will be proxied
+#
+echo "Running slapadd to build database for the remote slapd server..."
+. $CONFFILTER $BACKEND < $ITSDIR/slapd-remote.conf > $CONF1
+$SLAPADD -f $CONF1 -l $LDIFORDERED
+RC=$?
+if test $RC != 0 ; then
+ echo "slapadd failed ($RC)!"
+ exit $RC
+fi
+
+echo "Starting remote slapd server on TCP/IP port $PORT1..."
+$SLAPD -f $CONF1 -h "$URI1" -d $LVL > $LOG1 2>&1 &
+SERVERPID=$!
+if test $WAIT != 0 ; then
+ echo SERVERPID $SERVERPID
+ read foo
+fi
+
+echo "Using ldapsearch to check that slapd is running..."
+for i in 0 1 2 3 4 5; do
+ $LDAPSEARCH -s base -b "$MONITORDN" -H $URI1 \
+ -D $MANAGERDN \
+ -w $PASSWD \
+ 'objectclass=*' > /dev/null 2>&1
+ RC=$?
+ if test $RC = 0 ; then
+ break
+ fi
+ echo "Waiting $SLEEP0 seconds for slapd to start..."
+ sleep $SLEEP0
+done
+
+if test $RC != 0 ; then
+ echo "ldapsearch failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $SERVERPID
+ exit $RC
+fi
+
+#
+# Start slapd that will proxy for the remote server
+#
+echo "Starting slapd proxy on TCP/IP port $PORT2..."
+. $CONFFILTER $BACKEND < $ITSDIR/slapd-proxy.conf > $CONF2
+$SLAPD -f $CONF2 -h $URI2 -d $LVL > $LOG2 2>&1 &
+PROXYPID=$!
+if test $WAIT != 0 ; then
+ echo PROXYPID $PROXYPID
+ read foo
+fi
+KILLPIDS="$KILLPIDS $PROXYPID"
+
+echo "Using ldapsearch to check that slapd is running..."
+for i in 0 1 2 3 4 5; do
+ $LDAPSEARCH -s base -b "$MONITORDN" -H $URI2 \
+ -D "cn=Manager,dc=local,dc=com" \
+ -w $PASSWD \
+ 'objectclass=*' > /dev/null 2>&1
+ RC=$?
+ if test $RC = 0 ; then
+ break
+ fi
+ echo "Waiting $SLEEP0 seconds for slapd to start..."
+ sleep $SLEEP0
+done
+
+if test $RC != 0 ; then
+ echo "ldapsearch failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+# Create fifo that is used to pass searches from the test case to ldapsearch without
+# disconnecting the client -> proxy connection
+rm -f $TESTDIR/ldapsearch.fifo
+mkfifo $TESTDIR/ldapsearch.fifo
+
+#############################################################################
+#
+# Test 1: Check that proxy WILL NOT try to re-establish connection and rebind
+# after server has disconnected the connection towards proxy.
+#
+# Proxy config is
+# - rebind-as-user no
+# - no idle-timeout of conn-ttl set
+#
+
+echo "Test 1"
+
+# Start ldapsearch on background and have it read search filters from fifo,
+# so that single client connection will persist over many searches
+echo "Make the proxy to connect the remote LDAP server..."
+$LDAPSEARCH -b "dc=no-rebind,dc=no-timeout,$BASEDN" \
+ -D "cn=Barbara Jensen,dc=no-rebind,dc=no-timeout,$BASEDN" \
+ -w "bjensen" \
+ -H $URI2 \
+ -f $TESTDIR/ldapsearch.fifo > $TESTOUT 2>&1 &
+LDAPSEARCHPID=$!
+KILLPIDS="$KILLPIDS $LDAPSEARCHPID"
+
+# Open fifo as file descriptor
+exec 3>$TESTDIR/ldapsearch.fifo
+
+# Trigger LDAP connections towards the proxy by executing a search
+echo 'objectclass=*' >&3
+# Wait for ldapsearch process on the background to catch up reading the fifo
+sleep 2
+
+# Check the number of bind operations that proxy has executed so far
+NUM_PROXY_BINDS_BEFORE=`$LDAPSEARCH -LLL \
+ -H $URI2 \
+ -D "cn=Manager,dc=local,dc=com" \
+ -w $PASSWD \
+ -b "cn=Bind,cn=Operations,cn=database 2,cn=databases,cn=monitor" olmDbOperation | \
+ tee -a $TESTOUT | \
+ sed -n 's/^olmDbOperation: \(.*\)/\1/p'`
+
+# Restart the remote server to invalidate TCP connection between proxy and remote
+echo "Killing and re-starting remote slapd server on TCP/IP port $PORT1..."
+kill -HUP $SERVERPID
+sleep 2
+
+# When forking slapd on background, close filehandle 3 to avoid leaving fifo hanging uncloseable
+$SLAPD -f $CONF1 -h "$URI1" -d $LVL >> $LOG1 2>&1 3>&- &
+SERVERPID=$!
+KILLPIDS="$KILLPIDS $SERVERPID"
+
+echo "Using ldapsearch to check that remote slapd is running..."
+for i in 0 1 2 3 4 5; do
+ $LDAPSEARCH -s base -b "$MONITORDN" -H $URI1 \
+ -D $MANAGERDN \
+ -w $PASSWD \
+ 'objectclass=*' > /dev/null 2>&1
+ RC=$?
+ if test $RC = 0 ; then
+ break
+ fi
+ echo "Waiting $SLEEP0 seconds for slapd to start..."
+ sleep $SLEEP0
+done
+
+if test $RC != 0 ; then
+ echo "ldapsearch failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null
+ exit $RC
+fi
+
+echo "Use ldapsearch to trigger proxy retry logic"
+echo 'objectclass=*' >&3
+# Wait for ldapsearch process on the background to catch up reading the fifo
+sleep 2
+
+# Check how many binds have been executed after retry
+NUM_PROXY_BINDS_AFTER=`$LDAPSEARCH -LLL \
+ -H $URI2 \
+ -D "cn=Manager,dc=local,dc=com" \
+ -w $PASSWD \
+ -b "cn=Bind,cn=Operations,cn=database 2,cn=databases,cn=monitor" olmDbOperation | \
+ tee -a $TESTOUT | \
+ sed -n 's/^olmDbOperation: \(.*\)/\1/p'`
+
+echo "Checking if proxy tried to re-bind to the remote server"
+if test $NUM_PROXY_BINDS_BEFORE != $NUM_PROXY_BINDS_AFTER ; then
+ echo "Failure: expected proxy bind operation count not to increase ($NUM_PROXY_BINDS_BEFORE != $NUM_PROXY_BINDS_AFTER)"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null
+ exit 1
+fi
+
+echo "Checking ldapsearch status"
+exec 3>&-
+wait $LDAPSEARCHPID
+RC=$?
+if test $RC != 52 ; then
+ echo "Failure: expected ldapsearch to return error unavailable (52) from proxy but got $RC"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null
+ exit 1
+fi
+
+#############################################################################
+#
+# Test 2: Check that proxy WILL re-establish connection and rebind after
+# remote server has disconnected the connection towards proxy.
+#
+# Proxy config is
+# - rebind-as-user yes
+# - no idle-timeout or conn-ttl set
+#
+
+echo "Test 2"
+
+echo "Make the proxy to connect the remote LDAP server..."
+$LDAPSEARCH -b "dc=rebind,dc=no-timeout,$BASEDN" \
+ -D "cn=Barbara Jensen,dc=rebind,dc=no-timeout,$BASEDN" \
+ -w "bjensen" \
+ -H $URI2 \
+ -f $TESTDIR/ldapsearch.fifo >> $TESTOUT 2>&1 &
+LDAPSEARCHPID=$!
+KILLPIDS="$SERVERPID $PROXYPID $LDAPSEARCHPID"
+
+exec 3>$TESTDIR/ldapsearch.fifo
+
+echo 'objectclass=*' >&3
+sleep 2
+
+echo "Killing and re-starting remote slapd server on TCP/IP port $PORT1..."
+kill -HUP $SERVERPID
+sleep 2
+
+$SLAPD -f $CONF1 -h "$URI1" -d $LVL >> $LOG1 2>&1 3>&- &
+SERVERPID=$!
+KILLPIDS="$KILLPIDS $SERVERPID"
+
+echo "Using ldapsearch to check that remote slapd is running..."
+for i in 0 1 2 3 4 5; do
+ $LDAPSEARCH -s base -b "$MONITORDN" -H $URI1 \
+ -D $MANAGERDN \
+ -w $PASSWD \
+ 'objectclass=*' > /dev/null 2>&1
+ RC=$?
+ if test $RC = 0 ; then
+ break
+ fi
+ echo "Waiting $SLEEP0 seconds for slapd to start..."
+ sleep $SLEEP0
+done
+
+if test $RC != 0 ; then
+ echo "ldapsearch failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null
+ exit $RC
+fi
+
+echo "Use ldapsearch to trigger proxy retry logic"
+echo 'objectclass=*' >&3
+sleep 2
+
+echo "Checking ldapsearch status"
+exec 3>&-
+wait $LDAPSEARCHPID
+RC=$?
+
+if test $RC != 0 ; then
+ echo "ldapsearch failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null
+ exit $RC
+fi
+
+#############################################################################
+#
+# Test 3: Check that proxy WILL NOT re-establish connection and rebind after
+# it disconnected the connection after idle-timeout or conn-ttl
+#
+# Proxy config is
+# - rebind-as-user no
+# - no idle-timeout or conn-ttl set
+#
+
+echo "Test 3"
+
+echo "Make the proxy to connect the remote LDAP server..."
+$LDAPSEARCH -b "dc=no-rebind,dc=timeout,$BASEDN" \
+ -D "cn=Barbara Jensen,dc=no-rebind,dc=timeout,$BASEDN" \
+ -w "bjensen" \
+ -H $URI2 \
+ -f $TESTDIR/ldapsearch.fifo >> $TESTOUT 2>&1 &
+LDAPSEARCHPID=$!
+KILLPIDS="$SERVERPID $PROXYPID $LDAPSEARCHPID"
+
+exec 3>$TESTDIR/ldapsearch.fifo
+
+echo 'objectclass=*' >&3
+# Wait for proxy->remote server timeout to expire
+sleep 4
+
+NUM_PROXY_BINDS_BEFORE=`$LDAPSEARCH -LLL \
+ -H $URI2 \
+ -D "cn=Manager,dc=local,dc=com" \
+ -w $PASSWD \
+ -b "cn=Bind,cn=Operations,cn=database 2,cn=databases,cn=monitor" olmDbOperation | \
+ tee -a $TESTOUT | \
+ sed -n 's/^olmDbOperation: \(.*\)/\1/p'`
+
+echo "Use ldapsearch to trigger proxy retry logic"
+echo 'objectclass=*' >&3
+sleep 2
+
+NUM_PROXY_BINDS_AFTER=`$LDAPSEARCH -LLL \
+ -H $URI2 \
+ -D "cn=Manager,dc=local,dc=com" \
+ -w $PASSWD \
+ -b "cn=Bind,cn=Operations,cn=database 2,cn=databases,cn=monitor" olmDbOperation | \
+ tee -a $TESTOUT | \
+ sed -n 's/^olmDbOperation: \(.*\)/\1/p'`
+
+echo "Checking if proxy tried to re-bind to the remote server"
+if test $NUM_PROXY_BINDS_BEFORE != $NUM_PROXY_BINDS_AFTER ; then
+ echo "Failure: expected proxy bind operation count not to increase ($NUM_PROXY_BINDS_BEFORE != $NUM_PROXY_BINDS_AFTER)"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null
+ exit 1
+fi
+
+echo "Checking ldapsearch status"
+exec 3>&-
+wait $LDAPSEARCHPID
+RC=$?
+if test $RC != 52 ; then
+ echo "Failure: expected ldapsearch to return error unavailable (52) from proxy but got $RC"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null
+ exit 1
+fi
+
+#############################################################################
+#
+# Test 4: Check that proxy WILL NOT re-establish connection and rebind after
+# it disconnected the connection after idle-timeout or conn-ttl
+#
+# Proxy config is
+# - rebind-as-user yes
+# - no idle-timeout or conn-ttl set
+#
+
+echo "Test 4"
+
+echo "Make the proxy to connect the remote LDAP server..."
+$LDAPSEARCH -b "dc=rebind,dc=timeout,$BASEDN" \
+ -D "cn=Barbara Jensen,dc=rebind,dc=timeout,$BASEDN" \
+ -w "bjensen" \
+ -H $URI2 \
+ -f $TESTDIR/ldapsearch.fifo >> $TESTOUT 2>&1 &
+LDAPSEARCHPID=$!
+KILLPIDS="$SERVERPID $PROXYPID $LDAPSEARCHPID"
+
+exec 3>$TESTDIR/ldapsearch.fifo
+
+echo 'objectclass=*' >&3
+# Wait for proxy->remote server timeout to expire
+sleep 4
+
+NUM_PROXY_BINDS_BEFORE=`$LDAPSEARCH -LLL \
+ -H $URI2 \
+ -D "cn=Manager,dc=local,dc=com" \
+ -w $PASSWD \
+ -b "cn=Bind,cn=Operations,cn=database 2,cn=databases,cn=monitor" olmDbOperation | \
+ tee -a $TESTOUT | \
+ sed -n 's/^olmDbOperation: \(.*\)/\1/p'`
+
+echo "Use ldapsearch to trigger proxy retry logic"
+echo 'objectclass=*' >&3
+sleep 2
+
+NUM_PROXY_BINDS_AFTER=`$LDAPSEARCH -LLL \
+ -H $URI2 \
+ -D "cn=Manager,dc=local,dc=com" \
+ -w $PASSWD \
+ -b "cn=Bind,cn=Operations,cn=database 2,cn=databases,cn=monitor" olmDbOperation | \
+ tee -a $TESTOUT | \
+ sed -n 's/^olmDbOperation: \(.*\)/\1/p'`
+
+echo "Checking if proxy tried to re-bind to the remote server"
+if test $NUM_PROXY_BINDS_BEFORE != $NUM_PROXY_BINDS_AFTER ; then
+ echo "Failure: expected proxy bind operation count not to increase ($NUM_PROXY_BINDS_BEFORE != $NUM_PROXY_BINDS_AFTER)"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null
+ exit 1
+fi
+
+echo "Checking ldapsearch status"
+exec 3>&-
+wait $LDAPSEARCHPID
+RC=$?
+if test $RC != 52 ; then
+ echo "Failure: expected ldapsearch to return error unavailable (52) from proxy but got $RC"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null
+ exit 1
+fi
+
+
+test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null
+
+echo ">>>>> Test succeeded"
+
+test $KILLSERVERS != no && wait
+
+exit 0
\ No newline at end of file
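Review bot: Tests 3 and 4 read the bind counter of `cn=database 2,cn=databases,cn=monitor` in their NUM_PROXY_BINDS_BEFORE/AFTER captures, the same entry Test 1 uses, although they drive the `dc=no-rebind,dc=timeout` and `dc=rebind,dc=timeout` suffixes, which are the third and fourth `database ldap` stanzas in slapd-proxy.conf; if the monitor numbers databases in declaration order, as Test 1 assumes, those two comparisons read an idle database and can never fail, leaving only the exit-status 52 check as a real assertion. The `-b` base in each of those captures should name the database under test (a higher index, e.g. `cn=database 4` and `cn=database 5` — constructed, confirm against the cn=Monitor listing), or the index could be resolved from the suffix at run time. Separately, `KILLPIDS="$KILLPIDS $PROXYPID"` after starting the proxy never adds the first remote server's `$SERVERPID`, so the `kill -HUP $KILLPIDS` in the proxy start-up check leaves that slapd running on failure; `KILLPIDS="$KILLPIDS $SERVERPID $PROXYPID"` fixes it. The Test 3 and Test 4 header comments also say `no idle-timeout or conn-ttl set`, whereas the proxy stanzas they exercise set `idle-timeout 1`, and Test 1's header has `idle-timeout of conn-ttl` where `or` is meant.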
diff --git a/tests/data/regressions/its9468/slapd-proxy.conf b/tests/data/regressions/its9468/slapd-proxy.conf
new file mode 100644
index 000000000..a2bd893c8
--- /dev/null
+++ b/tests/data/regressions/its9468/slapd-proxy.conf
@@ -0,0 +1,81 @@
+# provider slapd config -- for testing
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2021 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+include @SCHEMADIR@/core.schema
+include @SCHEMADIR@/cosine.schema
+include @SCHEMADIR@/inetorgperson.schema
+include @SCHEMADIR@/openldap.schema
+include @SCHEMADIR@/nis.schema
+pidfile @TESTDIR@/slapd.m.pid
+argsfile @TESTDIR@/slapd.m.args
+
+#######################################################################
+# database definitions
+#######################################################################
+
+#mod#modulepath ../servers/slapd/back-@BACKEND@/:../servers/slapd/overlays
+#mod#moduleload back_@BACKEND@.la
+#ldapmod#modulepath ../servers/slapd/back-ldap/
+#ldapmod#moduleload back_ldap.la
+#rwmmod#modulepath ../servers/slapd/overlays/
+#rwmmod#moduleload rwm.la
+#monitormod#modulepath ../servers/slapd/back-monitor/
+#monitormod#moduleload back_monitor.la
+
+database @BACKEND@
+suffix "dc=local,dc=com"
+rootdn "cn=Manager,dc=local,dc=com"
+rootpw "secret"
+#~null~#directory @TESTDIR@/db.2.a
+
+# proxy with default settings, used for test where remote server will disconnect the proxy connection
+database ldap
+uri "@URI1@"
+suffix "dc=no-rebind,dc=no-timeout,dc=example,dc=com"
+monitoring yes
+rebind-as-user no
+overlay rwm
+rwm-suffixmassage "dc=no-rebind,dc=no-timeout,dc=example,dc=com" "ou=Information Technology Division,ou=People,dc=example,dc=com"
+
+# proxy with rebind-as-user set, used for test where remote server will disconnect the proxy connection
+database ldap
+uri "@URI1@"
+suffix "dc=rebind,dc=no-timeout,dc=example,dc=com"
+monitoring yes
+rebind-as-user yes
+overlay rwm
+rwm-suffixmassage "dc=rebind,dc=no-timeout,dc=example,dc=com" "ou=Information Technology Division,ou=People,dc=example,dc=com"
+
+# proxy with idle-timeout, used for test where proxy will disconnect the remote server connection
+database ldap
+uri "@URI1@"
+suffix "dc=no-rebind,dc=timeout,dc=example,dc=com"
+monitoring yes
+rebind-as-user no
+idle-timeout 1
+overlay rwm
+rwm-suffixmassage "dc=no-rebind,dc=timeout,dc=example,dc=com" "ou=Information Technology Division,ou=People,dc=example,dc=com"
+
+# proxy with rebind-as-user and idle-timeout, used for test where proxy will disconnect the remote server connection
+database ldap
+uri "@URI1@"
+suffix "dc=rebind,dc=timeout,dc=example,dc=com"
+monitoring yes
+rebind-as-user yes
+idle-timeout 1
+overlay rwm
+rwm-suffixmassage "dc=rebind,dc=timeout,dc=example,dc=com" "ou=Information Technology Division,ou=People,dc=example,dc=com"
+
+database monitor
\ No newline at end of file
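Review bot: The header comment `# provider slapd config -- for testing` describes the file as a provider, but everything below is the proxy side: a local `@BACKEND@` database plus four back-ldap databases pointing at `@URI1@`; `# proxy slapd config -- for testing (back-ldap in front of @URI1@)` would say so. The its9468 script also addresses the bind counters by position (`cn=database 2,cn=databases,cn=monitor`), so the order of the `database` stanzas here is load-bearing; a comment above the first `database ldap` block such as `# NOTE: its9468 reads bind counters from cn=database N,cn=databases,cn=monitor; keep these stanzas in this order` would keep a later reorder from silently breaking the test.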
diff --git a/tests/data/regressions/its9468/slapd-remote.conf b/tests/data/regressions/its9468/slapd-remote.conf
new file mode 100644
index 000000000..71fb1cb36
--- /dev/null
+++ b/tests/data/regressions/its9468/slapd-remote.conf
@@ -0,0 +1,50 @@
+# stand-alone slapd config -- for testing (with indexing)
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2021 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+include @SCHEMADIR@/core.schema
+include @SCHEMADIR@/cosine.schema
+include @SCHEMADIR@/inetorgperson.schema
+include @SCHEMADIR@/openldap.schema
+include @SCHEMADIR@/nis.schema
+include @DATADIR@/test.schema
+
+#
+pidfile @TESTDIR@/slapd.1.pid
+argsfile @TESTDIR@/slapd.1.args
+
+# disable anonymous bind in order to catch ITS#9468
+disallow bind_anon
+
+#mod#modulepath ../servers/slapd/back-@BACKEND@/
+#mod#moduleload back_@BACKEND@.la
+
+#######################################################################
+# database definitions
+#######################################################################
+
+database @BACKEND@
+suffix "dc=example,dc=com"
+rootdn "cn=Manager,dc=example,dc=com"
+rootpw secret
+monitoring on
+#null#bind on
+#~null~#directory @TESTDIR@/db.1.a
+#indexdb#index objectClass eq
+#indexdb#index cn,sn,uid pres,eq,sub
+#mdb#maxsize 33554432
+#ndb#dbname db_1
+#ndb#include @DATADIR@/ndb.conf
+
+database monitor
\ No newline at end of file
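Review bot: The comment `# disable anonymous bind in order to catch ITS#9468` states the mechanism but not what a reader needs in order to keep it: the test script expects error 52 (unavailable) from the proxy in Tests 1, 3 and 4, which presumably only happens because an anonymous re-bind is refused here. Expanding it to `# disable anonymous bind: a proxy that reconnects without the user's credentials must get an error instead of an anonymous session (ITS#9468)` ties the directive to the assertions the script makes.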
--
2.32.0