Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Switch away from using an external LDAP server that sometimes goes down, #7522

Merged
merged 9 commits into from
Oct 22, 2019

Conversation

ncabatoff
Copy link
Collaborator

to a local (docker) LDAP server. The schema and data changes too, unfortunately.

to a local (docker) LDAP server.  The schema and data changes too,
unfortunately.
Attempt to convert TestIdentityStore_Integ_GroupAliases to use the
docker ldap server, but it's not working yet.  The first obstacle was
that it expects a user to exist in two external group: Scientists and
Italians.  There are no users in the new ldap server's data who belong
to two ldap groups.

One thing Becca was saying she hoped the docker ldap server would allow
us is to make changes to the LDAP data.  So I decided to modify the test
such that it first sees a user in a single LDAP group, then once we add
the user to a second group, upon re-logging in we see them in that
identity group as well.

This proved not to be so easy.  I got

  LDAP Result Code 8 "Strong Auth Required": modifications require authentication

Some googling suggested this would be fixed if we used TLS.  This was
a bit of an adventure since they use a self-signed cert, but eventually
I got that working, at least in the context of a test: I wasn't able to
get the LDAP backend itself to be happy with that, which is why
PrepareTestContainer now returns two ldaputil.ConfigEntry structs.

Anyway, that turned out not to be the right fix, or possible just
insufficient.  I'm still getting the same error, but now I think it's
because the admin user hasn't been granted write privs.  I'm not
certain how to do that without building a new docker image, and if that
is required I might revisit which docker image we use.
@chrishoffman chrishoffman added this to the 1.3 milestone Oct 15, 2019
Copy link
Contributor

@tyrannosaurus-becks tyrannosaurus-becks left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks great! Couple of notes, but nothing super consequential. Thank you!

builtin/credential/ldap/backend_test.go Outdated Show resolved Hide resolved
"testing"
)

func PrepareTestContainer(t *testing.T, version string) (cleanup func(), cfg *ldaputil.ConfigEntry) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice! Thank you for exporting this. I wonder if at some point we'll even want to move it into the sdk so it can be reused externally in miscellaneous LDAP plugins.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, that makes sense.

helper/testhelpers/ldap/ldaphelper.go Outdated Show resolved Hide resolved
@ncabatoff ncabatoff merged commit c49cb5b into master Oct 22, 2019
@ncabatoff ncabatoff deleted the test-ldap-with-docker branch October 22, 2019 17:37
catsby added a commit that referenced this pull request Oct 24, 2019
* master:
  changelog++
  Update CHANGELOG.md
  Abstract generate-root authentication into the strategy interface (#7698)
  Changelog: clarify enterprise seal migration fix
  changelog++
  Update transit docs to add aes128/p384/p521 information (#7718)
  Show versions that are active when delete_version_after is configured (#7685)
  changelog++
  agent: fix data race on inmemSink's token (#7707)
  Use docker instead of an external LDAP server that sometimes goes down (#7522)
  changelog++
  Fix a nil map pointer in mergeEntity. (#7711)
  changelog++
  TestSysRekey_Verification would fail sometimes when recovery=true (#7710)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants