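# Test again for an invalid user with fail caching enabled to make sure
# the failure is cached, then wait a short while to see it is expired.
BEGINPERL
# Start an in-process test LDAP server on a fixed port, seed it with one
# user ("ldap1") and keep both server and client alive in %evaled so the
# later requests in this test file can authenticate against it.
if ($debug) { $ENV{'LDAP_DEBUG'} = 1 };
use Net::LDAP::Server::Test;
use Net::LDAP;
use IO::Socket::INET;
#my $port = find_idle_port();
#my $ldap_port = RT::Test->find_idle_port;
my $ldap_port = 21394;

# Listening socket for the test LDAP server.  Check it here: a port clash
# would otherwise surface later as a confusing failure inside
# Net::LDAP::Server::Test->new instead of at the point of failure.
my $ldap_socket = IO::Socket::INET->new(
    Listen    => 5,
    Proto     => 'tcp',
    Reuse     => 1,
    LocalPort => $ldap_port,
) or die "Failed to listen on port $ldap_port for test LDAP server: $!";

# Keep it around after this block exits.
$evaled{'ldap_server'} = Net::LDAP::Server::Test->new( $ldap_socket, auto_schema => 1 );

my $ldap = Net::LDAP->new("localhost:$ldap_port")
    || die "Failed to instantiate Net::LDAP: $!";

# Anonymous bind; every later operation depends on it, so fail loudly.
my $bind_result = $ldap->bind();
die "LDAP bind to localhost:$ldap_port failed: " . $bind_result->error
    if $bind_result->code;

my $username = "ldap1";
my $base     = "dc=example,dc=com";
my $dn       = "uid=$username,ou=users,$base";
my $entry = {
    cn           => $username,
    mail         => "$username\@example.com",
    uid          => $username,
    objectClass  => 'User',
    userPassword => 'ldap1',
};

# Report a failed add rather than letting a missing fixture entry show
# up only as a spurious authentication result in the checks below.
my $add_base = $ldap->add( $base );
warn "LDAP add of $base failed: " . $add_base->error if $add_base->code;
my $add_user = $ldap->add( $dn, attr => [%$entry] );
warn "LDAP add of $dn failed: " . $add_user->error if $add_user->code;

# We need to keep the client around, otherwise the test server will exit.
$evaled{'ldap_client'} = $ldap;
#sleep 100;
ENDPERL

APPCONF=common

# Cache failed auth checks for 10 seconds.
BEGINAPPCONF
$c->auth_cache_fail = 10;
ENDAPPCONF

# Clear cache
SCRIPT=echo flush_all | nc -N 127.0.0.1 11211

TYPE=PROPFIND
HEADER=Content-Type: text/xml
HEADER=Depth: 1
AUTH=ldap2:ldap2
HEAD
BEGINDATA
ENDDATA

URL=http://regression_ldap.host/caldav.php/

# Check that no usr record has been created.
QUERY
SELECT active, email, fullname, last_used, password, username, user_no FROM usr WHERE username = 'ldap2';
ENDQUERY

# Check to make sure there is a log line about no cached credentials
# and that LDAP is checked. Then the entry is cached.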
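BEGINPERL
# Scan the Apache error log for this request's HTTPAuth:CheckCache and
# LDAP driver lines and report which of the expected events were seen.
# The printed strings are part of the expected test output; do not
# change them without updating the expected results.
my $log_file = '/var/log/apache2/regression-error.log';
open( my $log, '<', $log_file )
    or die "Failed to open $log_file for reading: $!";

my $no_salt         = 0;
my $cached_creds    = 0;
my $ldap_conn       = 0;
my $failed_disabled = 0;

if ( defined $request_id ) {
    # $request_id is supplied by the test harness; quote it so that any
    # regex metacharacters in it cannot alter what this pattern matches.
    my $line_re = qr/davical: \Q$request_id\E: (?:\*\*\*|ALL): (?:(?:ERROR:)?HTTPAuth:CheckCache|LDAP:drivers_ldap ): (.*)/;
    while ( my $line = <$log> ) {
        next unless $line =~ $line_re;
        my $msg = $1;
        if ( $msg =~ /^No stored salt for ldap2,/ ) {
            $no_salt = 1;
        }
        elsif ( $msg =~ /^Cached credentials for ldap2/ ) {
            $cached_creds = 1;
        }
        elsif ( $msg =~ /^Connected to LDAP server/ ) {
            $ldap_conn = 1;
        }
        elsif ( $msg =~ /^SetCache: Expiry set to 0, not caching credential/ ) {
            $failed_disabled = 1;
        }
    }

    # First request for ldap2 with an empty cache: no salt yet, nothing
    # cached, and the LDAP server must actually have been contacted.
    if ($no_salt) {
        print "No salt for ldap2 found, passed\n";
    }
    else {
        print "Salt found for ldap2, passed\n";
    }
    if ($cached_creds) {
        print "Cached credentials found, incorrect, failed\n";
    }
    else {
        print "No cached credentials found, passed\n";
    }
    if ($ldap_conn) {
        print "Connected to LDAP server, passed\n";
    }
    else {
        print "No connection to LDAP, auth bailed out due to cached credentials, failed\n";
    }
    if ($failed_disabled) {
        print "Credential caching for failed attempts disabled, failed\n";
    }
    else {
        print "Credential caching for failed attempts disabled not seen, passed\n";
    }
}
else {
    print "No request_id found, can't check log file, failed\n";
}
close $log;

# Put some blank lines in the output to break up the sections.
print "\n\n\n";
ENDPERL

URL=http://regression_ldap.host/caldav.php/

# Check again to make sure cached credentials are checked.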
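BEGINPERL
# Second request for ldap2 inside the fail-cache window: the cached
# failure must be used and the LDAP server must NOT be contacted.
# The printed strings are part of the expected test output; do not
# change them without updating the expected results.
my $log_file = '/var/log/apache2/regression-error.log';
open( my $log, '<', $log_file )
    or die "Failed to open $log_file for reading: $!";

my $no_salt         = 0;
my $cached_creds    = 0;
my $ldap_conn       = 0;
my $failed_disabled = 0;

if ( defined $request_id ) {
    # $request_id is supplied by the test harness; quote it so that any
    # regex metacharacters in it cannot alter what this pattern matches.
    my $line_re = qr/davical: \Q$request_id\E: (?:\*\*\*|ALL): (?:(?:ERROR:)?HTTPAuth:CheckCache|LDAP:drivers_ldap ): (.*)/;
    while ( my $line = <$log> ) {
        next unless $line =~ $line_re;
        my $msg = $1;
        if ( $msg =~ /^No stored salt for ldap2,/ ) {
            $no_salt = 1;
        }
        elsif ( $msg =~ /^Cached credentials for ldap2 are good and invalid/ ) {
            $cached_creds = 1;
        }
        elsif ( $msg =~ /^Connected to LDAP server/ ) {
            $ldap_conn = 1;
        }
        elsif ( $msg =~ /^SetCache: Expiry set to 0, not caching credential/ ) {
            $failed_disabled = 1;
        }
    }

    if ($no_salt) {
        print "No salt for ldap2 found, failed\n";
    }
    else {
        print "Salt found for ldap2, passed\n";
    }
    if ($cached_creds) {
        print "Cached credentials found, correct, passed\n";
    }
    else {
        print "No cached credentials found, failed\n";
    }
    if ($ldap_conn) {
        print "Connected to LDAP server, failed\n";
    }
    else {
        print "No connection to LDAP, passed\n";
    }
    if ($failed_disabled) {
        print "Credential caching for failed attempts disabled, failed\n";
    }
    else {
        print "Credential caching for failed attempts disabled not seen, passed\n";
    }
}
else {
    print "No request_id found, can't check log file, failed\n";
}
close $log;

# Wait longer than failed cache expiry time.
sleep 15;

# Put some blank lines in the output to break up the sections.
print "\n\n\n";
ENDPERL

URL=http://regression_ldap.host/caldav.php/

# Check to make sure there is a log line about no cached credentials
# and that LDAP is checked. Then the entry is cached.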
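BEGINPERL
# Third request for ldap2 after the fail-cache entry has expired: the
# cached failure must no longer be used and LDAP must be contacted again.
# The printed strings are part of the expected test output; do not
# change them without updating the expected results.
my $log_file = '/var/log/apache2/regression-error.log';
open( my $log, '<', $log_file )
    or die "Failed to open $log_file for reading: $!";

my $no_salt         = 0;
my $cached_creds    = 0;
my $ldap_conn       = 0;
my $failed_disabled = 0;

if ( defined $request_id ) {
    # $request_id is supplied by the test harness; quote it so that any
    # regex metacharacters in it cannot alter what this pattern matches.
    my $line_re = qr/davical: \Q$request_id\E: (?:\*\*\*|ALL): (?:(?:ERROR:)?HTTPAuth:CheckCache|LDAP:drivers_ldap ): (.*)/;
    while ( my $line = <$log> ) {
        next unless $line =~ $line_re;
        my $msg = $1;
        if ( $msg =~ /^No stored salt for ldap2,/ ) {
            $no_salt = 1;
        }
        elsif ( $msg =~ /^Cached credentials for ldap2/ ) {
            $cached_creds = 1;
        }
        elsif ( $msg =~ /^Connected to LDAP server/ ) {
            $ldap_conn = 1;
        }
        elsif ( $msg =~ /^SetCache: Expiry set to 0, not caching credential/ ) {
            $failed_disabled = 1;
        }
    }

    if ($no_salt) {
        print "No salt for ldap2 found, failed\n";
    }
    else {
        print "Salt found for ldap2, passed\n";
    }
    if ($cached_creds) {
        print "Cached credentials found, incorrect, failed\n";
    }
    else {
        print "No cached credentials found, passed\n";
    }
    if ($ldap_conn) {
        print "Connected to LDAP server, passed\n";
    }
    else {
        print "No connection to LDAP, auth bailed out due to cached credentials, failed\n";
    }
    if ($failed_disabled) {
        print "Credential caching for failed attempts disabled, failed\n";
    }
    else {
        print "Credential caching for failed attempts disabled not seen, passed\n";
    }
}
else {
    print "No request_id found, can't check log file, failed\n";
}
close $log;

# Put some blank lines in the output to break up the sections.
print "\n\n\n";
ENDPERL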