From 44aa04e26916bd8d16b680db21987ccb1cedbf34 Mon Sep 17 00:00:00 2001
From: Peter Eisentraut
Date: Fri, 8 Sep 2017 10:52:08 -0400
Subject: [PATCH 2/3] Add tests for ldapsearchfilter functionality
---
 src/test/ldap/data.ldif | 13 +++++++++++++
 src/test/ldap/t/001_auth.pl | 36 +++++++++++++++++++++++++++++++++++-
 2 files changed, 48 insertions(+), 1 deletion(-)
diff --git a/src/test/ldap/data.ldif b/src/test/ldap/data.ldif
index b30604e1f0..8d82c284b1 100644
--- a/src/test/ldap/data.ldif
+++ b/src/test/ldap/data.ldif
@@ -17,3 +17,16 @@ uidNumber: 101
 gidNumber: 100
 homeDirectory: /home/test1
 mail: test1@example.net
+
+dn: uid=test2,dc=example,dc=net
+objectClass: inetOrgPerson
+objectClass: posixAccount
+uid: test2
+sn: Lastname
+givenName: Firstname
+cn: Second Test User
+displayName: Second Test User
+uidNumber: 102
+gidNumber: 100
+homeDirectory: /home/test2
+mail: test2@example.net
diff --git a/src/test/ldap/t/001_auth.pl b/src/test/ldap/t/001_auth.pl
index af9e34d7cf..eb72b16a0a 100644
--- a/src/test/ldap/t/001_auth.pl
+++ b/src/test/ldap/t/001_auth.pl
@@ -2,7 +2,7 @@
 use warnings;
 use TestLib;
 use PostgresNode;
-use Test::More tests => 9;
+use Test::More tests => 14;
 my ($slapd, $ldap_bin_dir, $ldap_schema_dir);
@@ -82,6 +82,7 @@ END
 system_or_bail 'ldapadd', '-x', '-y', $ldap_pwfile, '-f', 'data.ldif';
 system_or_bail 'ldappasswd', '-x', '-y', $ldap_pwfile, '-s', 'secret1', 'uid=test1,dc=example,dc=net';
+system_or_bail 'ldappasswd', '-x', '-y', $ldap_pwfile, '-s', 'secret2', 'uid=test2,dc=example,dc=net';
 note "setting up PostgreSQL instance";
@@ -91,6 +92,7 @@ END
 $node->safe_psql('postgres', 'CREATE USER test0;');
 $node->safe_psql('postgres', 'CREATE USER test1;');
+$node->safe_psql('postgres', 'CREATE USER "test2@example.net";');
 note "running tests";
@@ -137,3 +139,35 @@ sub test_access
 test_access($node, 'test1', 2, 'search+bind with LDAP URL authentication fails with wrong password');
 $ENV{"PGPASSWORD"} = 'secret1';
 test_access($node, 'test1', 0, 'search+bind with LDAP URL authentication succeeds');
+
+note "search filters";
+
+unlink($node->data_dir . '/pg_hba.conf');
+$node->append_conf('pg_hba.conf', qq{local all all ldap ldapserver=$ldap_server ldapport=$ldap_port ldapbasedn="$ldap_basedn" ldapsearchfilter="(|(uid=%u)(mail=%u))"});
+$node->reload;
+
+$ENV{"PGPASSWORD"} = 'secret1';
+test_access($node, 'test1', 0, 'search filter finds by uid');
+$ENV{"PGPASSWORD"} = 'secret2';
+test_access($node, 'test2@example.net', 0, 'search filter finds by mail');
+
+note "search filters in LDAP URLs";
+
+unlink($node->data_dir . '/pg_hba.conf');
+$node->append_conf('pg_hba.conf', qq{local all all ldap ldapurl="$ldap_url/$ldap_basedn??sub?(|(uid=%25u)(mail=%25u))"});
+$node->reload;
+
+$ENV{"PGPASSWORD"} = 'secret1';
+test_access($node, 'test1', 0, 'search filter finds by uid');
+$ENV{"PGPASSWORD"} = 'secret2';
+test_access($node, 'test2@example.net', 0, 'search filter finds by mail');
+
+# This is not documented: You can combine ldapurl and other ldap*
+# settings. ldapurl is always parsed first, then the other settings
+# override. It might be useful in a case like this.
+unlink($node->data_dir . '/pg_hba.conf');
+$node->append_conf('pg_hba.conf', qq{local all all ldap ldapurl="$ldap_url/$ldap_basedn??sub" ldapsearchfilter="(|(uid=%u)(mail=%u))"});
+$node->reload;
+
+$ENV{"PGPASSWORD"} = 'secret1';
+test_access($node, 'test1', 0, 'combined LDAP URL and search filter');
-- 
2.11.0 (Apple Git-81)
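Review bot: The combined ldapurl + ldapsearchfilter case at the end of the hunk is exercised only with test1, which the LDAP URL's own search already finds (the earlier "search+bind with LDAP URL authentication succeeds" test uses no filter), so this test would still pass if ldapsearchfilter were silently ignored whenever ldapurl is set; add the mail branch, `$ENV{"PGPASSWORD"} = 'secret2';` / `test_access($node, 'test2@example.net', 0, 'combined LDAP URL and search filter finds by mail');`, and bump `use Test::More tests => 15;` in the first hunk. All of the new filter tests assert successful logins only; a wrong password for test2@example.net and a user name matching neither uid nor mail (expected status 2, as in the existing wrong-password test) would confirm the filter gates access rather than merely that the search returns an entry. Because %u is substituted into a filter built from the client-supplied user name, a case with filter metacharacters in the name (e.g. `test1)(uid=*`) that asserts rejection would pin the expected behavior; whether the server already refuses such names is not visible from this hunk. The comment admits the ldapurl/ldapsearchfilter combination is undocumented, so either document it or say in the comment that the test is intentionally pinning current behavior.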