From 1e3e6cdd4a7def501b7f61a5817582cf3d3d3075 Mon Sep 17 00:00:00 2001
From: Tero Saarni
Date: Tue, 9 Feb 2021 17:47:58 +0200
Subject: [PATCH] ITS#9288 crash if back-ldap rebind fails

---
 tests/data/regressions/its9288/its9288 | 186 ++++++++++++++++++
 .../data/regressions/its9288/slapd-proxy.conf | 41 ++++
 2 files changed, 227 insertions(+)
 create mode 100755 tests/data/regressions/its9288/its9288
 create mode 100644 tests/data/regressions/its9288/slapd-proxy.conf

diff --git a/tests/data/regressions/its9288/its9288 b/tests/data/regressions/its9288/its9288
new file mode 100755
index 0000000000..2d3d37e37c
--- /dev/null
+++ b/tests/data/regressions/its9288/its9288
@@ -0,0 +1,186 @@
+#! /bin/sh
+# $OpenLDAP$
+## This work is part of OpenLDAP Software .
+##
+## Copyright 1998-2021 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## .
+
+echo "running defines.sh"
+. $SRCDIR/scripts/defines.sh
+
+ITS=9288
+ITSDIR=$DATADIR/regressions/its$ITS
+
+if test $BACKLDAP = "ldapno" ; then
+ echo "LDAP backend not available, test skipped"
+ exit 0
+fi
+
+mkdir -p $TESTDIR $DBDIR1 $DBDIR2
+cp -r $DATADIR/tls $TESTDIR
+
+echo "This test checks that back-ldap does not crash when proxy retries "
+echo "connection to remote server and the retry fails with an LDAP error."
+
+#
+# Start slapd that acts as a remote LDAP server that will be proxied
+#
+echo "Running slapadd to build database for the remote slapd server..."
+. $CONFFILTER $BACKEND < $CONF > $CONF1
+$SLAPADD -f $CONF1 -l $LDIFORDERED
+
+RC=$?
+if test $RC != 0 ; then
+ echo "slapadd failed ($RC)!"
+ exit $RC
+fi
+
+
+echo "Starting remote slapd server on TCP/IP port $PORT1..."
+$SLAPD -f $CONF1 -h "$URI1" -d $LVL > $LOG1 2>&1 &
+SERVERPID=$!
+if test $WAIT != 0 ; then
+ echo SERVERPID $SERVERPID
+ read foo
+fi
+
+sleep $SLEEP0
+
+echo "Using ldapsearch to check that slapd is running..."
+for i in 0 1 2 3 4 5; do
+ $LDAPSEARCH -s base -b "$MONITOR" -H $URI1 \
+ 'objectclass=*' > /dev/null 2>&1
+ RC=$?
+ if test $RC = 0 ; then
+ break
+ fi
+ echo "Waiting $SLEEP1 seconds for slapd to start..."
+ sleep $SLEEP1
+done
+
+#
+# Start ldapd that will proxy for the remote server
+#
+echo "Starting slapd proxy on TCP/IP port $PORT2..."
+. $CONFFILTER $BACKEND < $ITSDIR/slapd-proxy.conf > $CONF2
+$SLAPD -f $CONF2 -h $URI2 -d $LVL > $LOG2 2>&1 &
+PROXYPID=$!
+if test $WAIT != 0 ; then
+ echo PROXYPID $PROXYPID
+ read foo
+fi
+KILLPIDS="$KILLPIDS $PROXYPID"
+
+sleep $SLEEP0
+
+echo "Using ldapsearch to check that slapd is running..."
+for i in 0 1 2 3 4 5; do
+ $LDAPSEARCH -s base -b "$MONITOR" -H $URI2 \
+ 'objectclass=*' > /dev/null 2>&1
+ RC=$?
+ if test $RC = 0 ; then
+ break
+ fi
+ echo "Waiting $SLEEP1 seconds for slapd to start..."
+ sleep $SLEEP1
+done
+
+#
+# Test case:
+#
+# 1. Client establishes connection to proxy and binds
+# 2. Proxy establishes connection to remote server and passes through the bind.
+# 3. Change the user password on the remote server
+# 4. Kill and restart the remote server to invalidate the TCP connection between proxy and remote
+# 5. Make a new search from client
+# 6. Proxy notices connection is down and retries bind (rebind-as-user)
+# 7. Server responds with error: invalid credentials
+# 8. Proxy crashes
+#
+
+# Create fifo that is used to pass searches from the test case to ldapsearch without
+# disconnecting the client -> proxy connection
+rm -f $TESTDIR/ldapsearch.fifo
+mkfifo $TESTDIR/ldapsearch.fifo
+
+# Start ldapsearch on background and have it read search filters from fifo,
+# so that single client connection will persist over many searches
+echo "Make the proxy to connect the remote LDAP server..."
+$LDAPSEARCH -b "$BASEDN" -H $URI2 \
+ -D "$BABSDN" -w "bjensen" \
+ -f $TESTDIR/ldapsearch.fifo > $TESTOUT 2>&1 &
+LDAPSEARCHPID=$!
+KILLPIDS="$KILLPIDS $LDAPSEARCHPID"
+
+# Open fifo as file descriptor
+exec 3>$TESTDIR/ldapsearch.fifo
+
+# Trigger LDAP connections towards the proxy by executing a search
+echo 'objectclass=*' >&3
+
+echo "Change user's bind password on the remote server in order to make rebind-as-user fail when proxy retries"
+$LDAPPASSWD -H $URI1 -D "$MANAGERDN" -w $PASSWD \
+ -s "newpass" "$BABSDN" >> $TESTOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+ echo "ldappasswd failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS $SERVERPID
+ exit $RC
+fi
+
+# Restart the remote server to invalidate TCP connection between proxy and remote
+echo "Killing and Re-starting remote slapd server on TCP/IP port $PORT1..."
+kill -HUP $SERVERPID
+wait $SERVERPID
+
+$SLAPD -f $CONF1 -h "$URI1" -d $LVL >> $LOG1 2>&1 &
+SERVERPID=$!
+if test $WAIT != 0 ; then
+ echo SERVERPID $SERVERPID
+ read foo
+fi
+KILLPIDS="$KILLPIDS $SERVERPID"
+
+sleep $SLEEP0
+
+echo "Using ldapsearch to check that slapd is running..."
+for i in 0 1 2 3 4 5; do
+ $LDAPSEARCH -s base -b "$MONITOR" -H $URI1 \
+ 'objectclass=*' > /dev/null 2>&1
+ RC=$?
+ if test $RC = 0 ; then
+ break
+ fi
+ echo "Waiting $SLEEP1 seconds for slapd to start..."
+ sleep $SLEEP1
+done
+
+echo "Make new ldap search to trigger proxy retry logic"
+echo 'objectclass=*' >&3
+
+sleep $SLEEP0
+echo "Checking if proxy slapd is still up"
+$LDAPSEARCH -s base -b "$MONITOR" -H $URI1 \
+ 'objectclass=*' > /dev/null 2>&1
+RC=$?
+if test $RC != 0 ; then
+ echo "slapd crashed!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null
+ exit $RC
+fi
+
+test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null
+
+echo ">>>>> Test succeeded"
+
+test $KILLSERVERS != no && wait
+
+exit 0
diff --git a/tests/data/regressions/its9288/slapd-proxy.conf b/tests/data/regressions/its9288/slapd-proxy.conf
new file mode 100644
index 0000000000..9d5d90ba7d
--- /dev/null
+++ b/tests/data/regressions/its9288/slapd-proxy.conf
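Review bot: The final liveness check under `echo "Checking if proxy slapd is still up"` searches `-H $URI1`, which is the remote server that was just restarted a few lines earlier, not the proxy that was started on `$URI2`; a crashed proxy — the exact condition this regression test exists to catch — would therefore go unnoticed and the script would still print `>>>>> Test succeeded`. Change that line to `$LDAPSEARCH -s base -b "$MONITOR" -H $URI2 \`. Since the proxy's PID is already in hand, a direct process check is a cheaper and less ambiguous signal than a monitor search, e.g. `kill -0 $PROXYPID 2>/dev/null || { echo "slapd crashed!"; test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null; exit 1; }`. Note also that `$TESTOUT`, where the background ldapsearch writes the result of the search that triggers the retry, is never inspected, so the only evidence of the outcome is that liveness check.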
@@ -0,0 +1,41 @@
+# provider slapd config -- for testing
+# $OpenLDAP$
+## This work is part of OpenLDAP Software .
+##
+## Copyright 1998-2021 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## .
+
+include @SCHEMADIR@/core.schema
+include @SCHEMADIR@/cosine.schema
+include @SCHEMADIR@/inetorgperson.schema
+include @SCHEMADIR@/openldap.schema
+include @SCHEMADIR@/nis.schema
+pidfile @TESTDIR@/slapd.m.pid
+argsfile @TESTDIR@/slapd.m.args
+
+#######################################################################
+# database definitions
+#######################################################################
+
+#mod#modulepath ../servers/slapd/back-@BACKEND@/:../servers/slapd/overlays
+#mod#moduleload back_@BACKEND@.la
+#ldapmod#modulepath ../servers/slapd/back-ldap/
+#ldapmod#moduleload back_ldap.la
+#monitormod#modulepath ../servers/slapd/back-monitor/
+#monitormod#moduleload back_monitor.la
+
+# Configure proxy
+database ldap
+uri "@URI1@"
+suffix "dc=example,dc=com"
+rebind-as-user yes
+
+database monitor
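Review bot: The header comment `# provider slapd config -- for testing` on the first line appears to be carried over from a replication template and misdescribes this file, which configures the back-ldap proxy for the ITS#9288 test rather than a provider. Suggest `# back-ldap proxy slapd config -- for testing ITS#9288`. The `# Configure proxy` comment above `database ldap` would also benefit from naming the setting under test, e.g. `# rebind-as-user is what makes the proxy re-bind with the client's credentials after the upstream connection drops (ITS#9288)`, so a future reader does not "simplify" it away.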