-rw-r--r--server.go7
-rw-r--r--server_test.go84
2 files changed, 59 insertions, 32 deletions
diff --git a/server.go b/server.go
index 5bad5ff..d520414 100644
--- a/server.go
+++ b/server.go
@@ -331,16 +331,17 @@ handler:
case ApplicationExtendedRequest:
var tlsConn *tls.Conn
if n := len(req.Children); n == 1 || n == 2 {
- if name := ber.DecodeString(req.Children[0].Data.Bytes()); name == oidStartTLS {
+ name := ber.DecodeString(req.Children[0].Data.Bytes())
+ if name == oidStartTLS && server.TLSConfig != nil {
tlsConn = tls.Server(conn, server.TLSConfig)
}
}
- var ldapResultCode LDAPResultCode
+ var ldapResultCode LDAPResultCode = LDAPResultOperationsError
if tlsConn == nil {
// Wasn't an upgrade.
if server.EnforceTLS {
ldapResultCode = LDAPResultProtocolError
- } else {
+ } else if server.TLSConfig != nil {
ldapResultCode = HandleExtendedRequest(req, boundDN, server.ExtendedFns, conn)
}
} else {
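Review bot: The new `else if server.TLSConfig != nil` guard in front of the HandleExtendedRequest call gates every extended operation on the presence of a TLS config, not just StartTLS; on a server run without TLSConfig any other extended request (for example one registered in server.ExtendedFns) now receives the new LDAPResultOperationsError default instead of being dispatched, assuming HandleExtendedRequest is the dispatcher its arguments suggest. The intent appears to be to refuse only a StartTLS request that cannot be honoured, so the condition should be on the OID rather than on the config: declare `var name string` before the `if n := len(req.Children)` block, assign it there with `name = ber.DecodeString(req.Children[0].Data.Bytes())`, and write the branch as `} else if name != oidStartTLS {`. A StartTLS request on a server without TLSConfig then still falls through to LDAPResultOperationsError, which is the behaviour this hunk introduces, while unrelated extended operations keep working. The rest of the ApplicationExtendedRequest case, including the upgrade branch that starts at the final `} else {`, continues past the end of the hunk.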
diff --git a/server_test.go b/server_test.go
index 5df97a2..3ae15d4 100644
--- a/server_test.go
+++ b/server_test.go
@@ -176,20 +176,24 @@ func (c *selfSignedCert) ServerTLSConfig() *tls.Config {
}
}
-func TestStartTLS(t *testing.T) {
- if runtime.GOOS == "darwin" {
- defer func() {
- if t.Failed() {
- t.Logf(`NOTE: this test won't pass with the built-in Mac ldap utilities.
+func macOsIfFailedWarning(t *testing.T) {
+ if t.Failed() {
+ t.Logf(`NOTE: this test won't pass with the built-in Mac ldap utilities.
Work around this by using brew install openldap, and running the test as PATH=/usr/local/opt/openldap/bin:$PATH go test.
This test uses environment variables that are respected by OpenLDAP, but the Mac utilities don't let you override
security settings through environment variables; they expect certificates to be added to the system keychain,
which is very heavy-handed for a test like this.
`)
- }
- }()
}
+
+}
+
+func TestStartTLS(t *testing.T) {
+ if runtime.GOOS == "darwin" {
+ defer macOsIfFailedWarning(t)
+ }
+
cert := newSelfSignedCert()
defer cert.cleanup()
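Review bot: macOsIfFailedWarning logs on behalf of its caller but does not call `t.Helper()`, so the NOTE is attributed to the helper's own t.Logf line rather than to the test that failed; add `t.Helper()` as the first statement. The helper is also the natural home for the `runtime.GOOS == "darwin"` check that every caller now repeats around its defer (here and in the TestEnforcedTLS and TestEnforcedTLSFail hunks below); moving it inside reduces each call site to an unconditional `defer macOsIfFailedWarning(t)`. Go's initialism convention would spell the name `macOSIfFailedWarning`, or as a sentence `warnIfFailedOnMacOS`, and the blank line before the helper's closing brace is one gofmt would most likely strip. A one-line doc comment such as `// macOsIfFailedWarning logs a hint about the built-in macOS LDAP tools when the calling test has failed.` would round it off.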
@@ -230,6 +234,46 @@ which is very heavy-handed for a test like this.
}
}
+func TestStartTLSWithoutTLSConfigDoesNotPanic(t *testing.T) {
+ if runtime.GOOS == "darwin" {
+ defer macOsIfFailedWarning(t)
+ }
+
+ s := NewServer()
+ defer s.Close()
+ s.Bind = BindAnonOK
+ s.Search = SearchSimple
+
+ ln, addr := mustListen()
+ go func() {
+ if err := s.Serve(ln); err != nil {
+ t.Errorf("s.Serve failed: %s", err.Error())
+ }
+ }()
+
+ done := make(chan struct{})
+ go func() {
+ cmd := exec.Command("env",
+ "LDAPTLS_REQCERT=allow",
+ "ldapsearch", "-H", "ldap://"+addr, "-ZZ", "-d", "-1", "-x", "-b", "o=testers,c=test")
+ out, err := cmd.CombinedOutput()
+ if err == nil {
+ t.Error(err)
+ }
+
+ if strings.Contains(string(out), "# numEntries: 3") || strings.Contains(string(out), "result: 0 Success") {
+ t.Errorf("search did succeed:\n%s", out)
+ }
+
+ close(done)
+ }()
+
+ select {
+ case <-done:
+ case <-time.After(timeout):
+ t.Error("ldapsearch command timed out")
+ }
+}
func TestEnforcedTLSWithoutTLSConfig(t *testing.T) {
s := NewServer()
defer s.Close()
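Review bot: `t.Error(err)` in the `if err == nil` branch after CombinedOutput prints only `<nil>`, so a run in which ldapsearch -ZZ unexpectedly succeeds against the TLS-less server fails without saying why; report the condition instead, e.g. `t.Errorf("ldapsearch -ZZ unexpectedly succeeded against a server without TLSConfig:\n%s", out)`, which also makes the separate "result: 0 Success" substring check below it partly redundant. On the timeout branch the test returns while the command goroutine is still running, and its later t.Error and close(done) calls then land on a finished test, which the testing package treats as a fatal misuse; `exec.CommandContext` with a deadline derived from `timeout` would bound the child's lifetime and let the goroutine finish before the test does. The same goroutine shape appears to be shared with TestEnforcedTLSWithoutTLSConfig, whose body lies outside this hunk, so a fix should be applied to both. Since the test's name promises "does not panic", a short comment stating that the regression being guarded is a nil-TLSConfig dereference in the StartTLS path would tell the next reader what a failure here means.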
@@ -257,18 +301,9 @@ func TestEnforcedTLSWithoutTLSConfig(t *testing.T) {
}
func TestEnforcedTLS(t *testing.T) {
if runtime.GOOS == "darwin" {
- defer func() {
- if t.Failed() {
- t.Logf(`NOTE: this test won't pass with the built-in Mac ldap utilities.
-Work around this by using brew install openldap, and running the test as PATH=/usr/local/opt/openldap/bin:$PATH go test.
-
-This test uses environment variables that are respected by OpenLDAP, but the Mac utilities don't let you override
-security settings through environment variables; they expect certificates to be added to the system keychain,
-which is very heavy-handed for a test like this.
-`)
- }
- }()
+ defer macOsIfFailedWarning(t)
}
+
cert := newSelfSignedCert()
defer cert.cleanup()
@@ -312,18 +347,9 @@ which is very heavy-handed for a test like this.
func TestEnforcedTLSFail(t *testing.T) {
if runtime.GOOS == "darwin" {
- defer func() {
- if t.Failed() {
- t.Logf(`NOTE: this test won't pass with the built-in Mac ldap utilities.
-Work around this by using brew install openldap, and running the test as PATH=/usr/local/opt/openldap/bin:$PATH go test.
-
-This test uses environment variables that are respected by OpenLDAP, but the Mac utilities don't let you override
-security settings through environment variables; they expect certificates to be added to the system keychain,
-which is very heavy-handed for a test like this.
-`)
- }
- }()
+ defer macOsIfFailedWarning(t)
}
+
cert := newSelfSignedCert()
defer cert.cleanup()