Split out group tests

src/tests/modules/ldap/auth.unlang

@@ -58,14 +58,6 @@ if ("%{pairs:reply:}" == "") {
         test_fail
 }
 
-
-if (LDAP-Group == "foo") {
-        test_pass
-}
-else {
-        test_fail
-}
-
 ldap.post-auth
 
 update {

src/tests/modules/ldap/groups_rfc2307bis.attrs

@@ -0,0 +1,15 @@
+#
+#  Input packet
+#
+User-Name = "john"
+User-Password = "password"
+NAS-IP-Address = 1.2.3.5
+
+#
+#  Expected answer
+#
+Response-Packet-Type == Access-Accept
+Idle-Timeout == 3600
+Session-Timeout == 7200
+Acct-Interim-Interval == 1800
+Framed-IP-Netmask == "255.255.0.0"

src/tests/modules/ldap/groups_rfc2307bis.unlang

@@ -0,0 +1,41 @@
+#
+#  Run the "ldap" module
+#
+ldap
+
+#
+#  Resolve using group name attribute
+#
+if (LDAP-Group == 'foo') {
+        test_pass
+}
+else {
+        test_fail
+}
+
+#
+#  Resolve using group DN
+#
+if (LDAP-Group == 'cn=foo,ou=groups,dc=example,dc=com') {
+        test_pass
+}
+else {
+        test_fail
+}
+
+#
+#  Check we have these values cached
+#
+if (&LDAP-Cached-Membership[*] == 'foo') {
+	test_pass
+}
+else {
+	test_fail
+}
+
+if (&LDAP-Cached-Membership[*] == 'cn=foo,ou=groups,dc=example,dc=com') {
+	test_pass
+}
+else {
+	test_fail
+}

src/tests/modules/ldap/module.conf

@@ -135,8 +135,7 @@ ldap {
 	#
 	user {
 		#  Where to start searching in the tree for users
-		base_dn = 'ou=people,dc=example,dc=com'
-		#base_dn = 'ou=people,${..base_dn}'
+		base_dn = "ou=people,${..base_dn}"
 
 		#  Filter for user objects, should be specific enough
 		#  to identify a single user object.
@@ -199,14 +198,14 @@ ldap {
 	#
 	group {
 		#  Where to start searching in the tree for groups
-		base_dn = 'ou=groups,dc=example,dc=com'
+		base_dn = "ou=groups,${..base_dn}"
 
 		#  Filter for group objects, should match all available
 		#  group objects a user might be a member of.
 		filter = '(objectClass=groupOfNames)'
 
 		# Search scope, may be 'base', 'one', sub' or 'children'
-#		scope = 'sub'
+		scope = 'sub'
 
 		#  Attribute that uniquely identifies a group.
 		#  Is used when converting group DNs to group
@@ -224,7 +223,7 @@ ldap {
 		#  Unless a conversion between group name and group DN is
 		#  needed, there's no requirement for the group objects
 		#  referenced to actually exist.
-#		membership_attribute = 'memberOf'
+		membership_attribute = 'memberOf'
 
 		#  If cacheable_name or cacheable_dn are enabled,
 		#  all group information for the user will be
@@ -240,13 +239,13 @@ ldap {
 		#  the type that matches the format of your check items
 		#  i.e. if your groups are specified as DNs then enable
 		#  cacheable_dn else enable cacheable_name.
-#		cacheable_name = 'no'
-#		cacheable_dn = 'no'
+		cacheable_name = yes
+		cacheable_dn = yes
 
 		#  Override the normal cache attribute (<inst>-LDAP-Group)
 		#  and create a custom attribute.  This can help if multiple
 		#  module instances are used in fail-over.
-#		cache_attribute = 'LDAP-Cached-Membership'
+		cache_attribute = 'LDAP-Cached-Membership'
 	}
 
 	#
@@ -273,7 +272,7 @@ ldap {
 	#
 	client {
 		#   Where to start searching in the tree for clients
-		base_dn = 'ou=people,dc=example,dc=com'
+		base_dn = "ou=clients,${..base_dn}"
 
 		#
 		#  Filter to match client objects