Overview

File 0208-ITS-9400-back-ldap-fix-retry-binds.patch of Package openldap2.20172

From 76fea1fa8f4fe3b546596a6b63831cacb33c73aa Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Mon, 23 Nov 2020 05:14:30 +0000
Subject: [PATCH] ITS#9400 back-ldap: fix retry binds

Regression from fix for ITS#7403

ITS#9400 back-ldap: fix prev commit

ITS#9400 Added test case for back-ldap retry failure
---
 servers/slapd/back-ldap/bind.c                |   2 +-
 tests/data/regressions/its9400/its9400        | 161 ++++++++++++++++++
 .../its9400/slapd-proxy-idassert.conf         |  45 +++++
 3 files changed, 207 insertions(+), 1 deletion(-)
 create mode 100755 tests/data/regressions/its9400/its9400
 create mode 100644 tests/data/regressions/its9400/slapd-proxy-idassert.conf

diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index 621cd2c8c..e6a3db144 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -2102,7 +2102,7 @@ ldap_back_is_proxy_authz( Operation *op, SlapReply *rs, ldap_back_send_t sendok,
 	}
 
 	if ( !( li->li_idassert_flags & LDAP_BACK_AUTH_OVERRIDE )) {
-		if ( op->o_tag == LDAP_REQ_BIND ) {
+		if ( op->o_tag == LDAP_REQ_BIND && ( sendok & LDAP_BACK_SENDERR )) {
 			if ( !BER_BVISEMPTY( &ndn )) {
 				dobind = 0;
 				goto done;
diff --git a/tests/data/regressions/its9400/its9400 b/tests/data/regressions/its9400/its9400
new file mode 100755
index 000000000..ae0c5258b
--- /dev/null
+++ b/tests/data/regressions/its9400/its9400
@@ -0,0 +1,161 @@
+#! /bin/sh
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2020 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+echo "running defines.sh"
+. $SRCDIR/scripts/defines.sh
+
+ITS=9400
+ITSDIR=$DATADIR/regressions/its$ITS
+
+if test $BACKLDAP = "ldapno" ; then
+	echo "LDAP backend not available, test skipped"
+	exit 0
+fi
+
+mkdir -p $TESTDIR $DBDIR1 $DBDIR2
+cp -r $DATADIR/tls $TESTDIR
+
+echo "This test checks that back-ldap does retry binds after the remote LDAP server"
+echo "has abruptly disconnected the (idle) LDAP connection."
+
+#
+# Start slapd that acts as a remote LDAP server that will be proxied
+#
+echo "Running slapadd to build database for the remote slapd server..."
+. $CONFFILTER $BACKEND < $CONF > $CONF1
+$SLAPADD -f $CONF1 -l $LDIFORDERED
+
+RC=$?
+if test $RC != 0 ; then
+        echo "slapadd failed ($RC)!"
+        exit $RC
+fi
+
+
+echo "Starting remote slapd server on TCP/IP port $PORT1..."
+$SLAPD -f $CONF1 -h "$URI1" -d $LVL > $LOG1 2>&1 &
+SERVERPID=$!
+if test $WAIT != 0 ; then
+    echo SERVERPID $SERVERPID
+    read foo
+fi
+
+
+#
+# Start ldapd that will proxy for the remote server
+#
+echo "Starting slapd proxy on TCP/IP port $PORT2..."
+. $CONFFILTER $BACKEND < $ITSDIR/slapd-proxy-idassert.conf > $CONF2
+$SLAPD -f $CONF2 -h $URI2 -d $LVL > $LOG2 2>&1 &
+PROXYPID=$!
+if test $WAIT != 0 ; then
+    echo PROXYPID $PROXYPID
+    read foo
+fi
+KILLPIDS="$KILLPIDS $PROXYPID"
+
+sleep 1
+
+
+#
+# Successful searches
+#
+
+echo "Using ldapsearch with bind that will be passed through to remote server..."
+$LDAPSEARCH -S "" -b "$BASEDN" \
+        -D "cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" \
+        -H $URI2 \
+        -w "bjensen"  \
+        'objectclass=*' > $TESTOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+        echo "ldapsearch failed at proxy ($RC)!"
+        test $KILLSERVERS != no && kill -HUP $KILLPIDS
+        exit $RC
+fi
+
+
+echo "Using ldapsearch with idassert-bind..."
+$LDAPSEARCH -S "" -b "$BASEDN" -D "cn=Manager,dc=local,dc=com" -H $URI2 -w "secret"  \
+        'objectclass=*' >> $TESTOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+        echo "ldapsearch failed at proxy ($RC)!"
+        test $KILLSERVERS != no && kill -HUP $KILLPIDS
+        exit $RC
+fi
+
+
+#
+# Now kill the remote slapd that is being proxied for.
+# This will invalidate the current TCP connections that proxy has to remote.
+#
+echo "Killing remote server"
+kill $SERVERPID
+sleep 1
+
+echo "Re-starting remote slapd server on TCP/IP port $PORT1..."
+$SLAPD -f $CONF1 -h "$URI1" -d $LVL >> $LOG1 2>&1 &
+SERVERPID=$!
+if test $WAIT != 0 ; then
+    echo SERVERPID $SERVERPID
+    read foo
+fi
+KILLPIDS="$KILLPIDS $SERVERPID"
+
+sleep 2
+
+
+echo "-------------------------------------------------" >> $TESTOUT
+echo "Searches after remote slapd server has restarted:" >> $TESTOUT
+echo "-------------------------------------------------" >> $TESTOUT
+
+#
+# Successful search
+#
+echo "Using ldapsearch with bind that will be passed through to remote server..."
+$LDAPSEARCH -S "" -b "$BASEDN" \
+        -D "cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" \
+        -H $URI2 \
+        -w "bjensen"  \
+        'objectclass=*' >> $TESTOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+        echo "ldapsearch failed at proxy ($RC)!"
+        test $KILLSERVERS != no && kill -HUP $KILLPIDS
+        exit $RC
+fi
+
+#
+# UNSUCCESFUL SEARCH
+#
+echo "Using ldapsearch with idassert-bind..."
+$LDAPSEARCH -S "" -b "$BASEDN" -D "cn=Manager,dc=local,dc=com" -H $URI2 -w "secret"  \
+        'objectclass=*' >> $TESTOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+        echo "ldapsearch failed at proxy ($RC)!"
+        test $KILLSERVERS != no && kill -HUP $KILLPIDS
+        exit $RC
+fi
+
+
+test $KILLSERVERS != no && kill -HUP $KILLPIDS
+
+echo ">>>>> Test succeeded"
+
+test $KILLSERVERS != no && wait
+
+exit 0
diff --git a/tests/data/regressions/its9400/slapd-proxy-idassert.conf b/tests/data/regressions/its9400/slapd-proxy-idassert.conf
new file mode 100644
index 000000000..b1f3c6626
--- /dev/null
+++ b/tests/data/regressions/its9400/slapd-proxy-idassert.conf
@@ -0,0 +1,45 @@
+# provider slapd config -- for testing
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2020 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+include		@SCHEMADIR@/core.schema
+include		@SCHEMADIR@/cosine.schema
+include		@SCHEMADIR@/inetorgperson.schema
+include		@SCHEMADIR@/openldap.schema
+include		@SCHEMADIR@/nis.schema
+pidfile		@TESTDIR@/slapd.m.pid
+argsfile	@TESTDIR@/slapd.m.args
+
+#######################################################################
+# database definitions
+#######################################################################
+
+# here the proxy is not only acting as a proxy, but it also has a local database dc=local,dc=com"
+database	@BACKEND@
+suffix		"dc=local,dc=com"
+rootdn		"cn=Manager,dc=local,dc=com"
+rootpw		"secret"
+#~null~#directory	@TESTDIR@/db.2.a
+
+# Configure proxy
+# - normal user binds to "*,dc=example,dc=com" are proxied through to the remote slapd
+# - admin bind to local "cn=Manager,dc=local,dc=com" is overwritten by using idassert-bind
+database	ldap
+uri			"@URI1@"
+suffix		"dc=example,dc=com"
+idassert-bind bindmethod=simple binddn="cn=Manager,dc=example,dc=com" credentials="secret"
+idassert-authzFrom "dn.exact:cn=Manager,dc=local,dc=com"
+rebind-as-user	yes
+
+database	monitor
-- 
2.24.3 (Apple Git-128)
openSUSE Build Service is sponsored by
Places