From 56ffba733b6dea553b56fde4daad8d32266de592 Mon Sep 17 00:00:00 2001
From: Jacob Champion <pchampion@vmware.com>
Date: Mon, 13 Dec 2021 10:27:08 -0800
Subject: [PATCH 3/4] ldapmap: test binding with a client cert/key

Make sure that ldapmap queries can utilize a client cert. This was
already supported before, but it'll be more important with the next
patch, so test it explicitly.
---
 src/test/ldap/t/001_auth.pl | 42 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 41 insertions(+), 1 deletion(-)

diff --git a/src/test/ldap/t/001_auth.pl b/src/test/ldap/t/001_auth.pl
index 781b1e8c78..6467a6c4af 100644
--- a/src/test/ldap/t/001_auth.pl
+++ b/src/test/ldap/t/001_auth.pl
@@ -9,7 +9,7 @@ use Test::More;
 
 if ($ENV{with_ldap} eq 'yes')
 {
-	plan tests => 51;
+	plan tests => 56;
 }
 else
 {
@@ -79,6 +79,7 @@ include postgresuser.schema
 
 pidfile $slapd_pidfile
 logfile $slapd_logfile
+loglevel conns filter stats
 
 access to *
         by * read
@@ -569,5 +570,44 @@ $node->connect_ok(
 	"$common_connstr dbname=bindpw user=test0",
 	"ldapmap works with bind password");
 
+note 'LDAP ident mapping with client certificate';
+
+# Set up a certificate for the root user.
+system_or_bail "openssl", "req", "-new", "-nodes",
+  "-keyout", "$slapd_certs/root-client.key",
+  "-out", "$slapd_certs/root-client.csr",
+  "-subj", "/DC=net/DC=example/CN=Manager";
+system_or_bail "openssl", "x509", "-req", "-in", "$slapd_certs/root-client.csr",
+  "-CA", "$slapd_certs/ca.crt", "-CAkey", "$slapd_certs/ca.key",
+  "-CAcreateserial", "-out", "$slapd_certs/root-client.crt";
+
+$ENV{'LDAPTLS_CERT'} = "$slapd_certs/root-client.crt";
+$ENV{'LDAPTLS_KEY'}  = "$slapd_certs/root-client.key";
+
+# Force the use of client certificates from this point onward.
+append_to_file(
+	$slapd_conf,
+	qq{TLSVerifyClient demand
+});
+
+restart_slapd($ldaps_url);
+
+$node->connect_fails(
+	"$common_connstr dbname=bindpw user=test0",
+	"ldapmap with bind password fails without client certificate",
+	log_like => [
+		qr/connection authenticated:/,
+		qr/could not perform initial LDAP bind for ldapbinddn "cn=Manager,dc=example,dc=net" on server ".*": Can't contact LDAP server/,
+		qr/no match in ldapmap "ldap" for user "test0" authenticated as ".*"/,
+	]);
+
+# The server needs to be restarted to pick up all the above LDAPTLS_* settings
+# from the environment.
+$node->restart;
+
+$node->connect_ok(
+	"$common_connstr dbname=bindpw user=test0",
+	"ldapmap works with bind certificate");
+
 note 'LDAP group ident mapping';
 # TODO
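Review bot: The third `log_like` pattern in the new `connect_fails` call pins the libldap error text `Can't contact LDAP server`, which is produced by the LDAP client library rather than by PostgreSQL, so the test may break on a libldap version that reports the rejected TLS handshake differently; matching only the PostgreSQL-owned prefix, `qr/could not perform initial LDAP bind for ldapbinddn "cn=Manager,dc=example,dc=net" on server ".*": /`, keeps the assertion about the bind failure without depending on that wording. The `openssl req` invocation gives no `-newkey` option, so the key type and size come from the local OpenSSL configuration defaults; if the server certificate generated earlier in this file (outside the hunk) names one explicitly, mirroring it here, e.g. `"-newkey", "rsa:2048",`, makes the test material deterministic across OpenSSL versions. The `$ENV{'LDAPTLS_CERT'}`/`$ENV{'LDAPTLS_KEY'}` assignments and the appended `TLSVerifyClient demand` are process-wide and survive into the group-mapping tests that follow the hunk, which is presumably intended but worth stating in the comment above `append_to_file`, e.g. `# Force the use of client certificates for this and all later tests.`.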
-- 
2.25.1

