Re-enable LDAP system tests + Test LDAP StartTLS() + Fixes

auth/ldap/ldap.go

@@ -218,8 +218,9 @@ func (lm *Manager) connect() (*ldap.Conn, error) {
 	}
 
 	// switch to TLS if specified; this needs to have certs in place
-	// TODO: yet to be tested
 	if lm.Config.StartTLS {
+		log.Info("Upgrading to TLS mode")
+		// NOTE: InsecureSkipVerify should be used only for testing
 		err = ldapConn.StartTLS(&tls.Config{InsecureSkipVerify: lm.Config.InsecureSkipVerify})
 		if err != nil {
 			log.Errorf("Failed to initiate TLS with AD server: %v", err)

db/ldap.go

@@ -38,18 +38,39 @@ func getLdapConfiguration(stateDrv types.StateDriver) (*types.LdapConfiguration,
 // UpdateLdapConfiguration updates the existing LDAP configuration with the new configuration given.
 // params:
 //  ldapConfiguration: representation of the LDAP configuration to be updated to data store
+//  existingPassword: existing LDAP password (encrypted) from the data store
 // return values:
 //  error: nil on successful update, otherwise anything as returned
 //         by the consecutive function calls or any relevant custom error
-func UpdateLdapConfiguration(ldapConfiguration *types.LdapConfiguration) error {
-	err := DeleteLdapConfiguration()
+func UpdateLdapConfiguration(ldapConfiguration *types.LdapConfiguration, existingPassword string) error {
+	stateDrv, err := state.GetStateDriver()
+	if err != nil {
+		return err
+	}
+
+	_, err = getLdapConfiguration(stateDrv)
 	switch err {
 	case nil:
-		return AddLdapConfiguration(ldapConfiguration)
-	case auth_errors.ErrKeyNotFound:
-		return err
+		// update password
+		if ldapConfiguration.ServiceAccountPassword != existingPassword {
+			ldapConfiguration.ServiceAccountPassword, err = common.Encrypt(ldapConfiguration.ServiceAccountPassword)
+			if err != nil {
+				return fmt.Errorf("Failed to encrypt LDAP service account password: %#v", err)
+			}
+		}
+
+		val, err := json.Marshal(ldapConfiguration)
+		if err != nil {
+			return fmt.Errorf("Failed to marshal LDAP configuration %#v, %#v", ldapConfiguration, err)
+		}
+
+		if err := stateDrv.Write(GetPath(RootLdapConfiguration), val); err != nil {
+			return fmt.Errorf("Failed to update LDAP setting to data store: %#v", err)
+		}
+
+		return nil
 	default:
-		return fmt.Errorf("Failed to delete LDAP configuration from data store : %#v", err)
+		return err
 	}
 
 }

proxy/helpers.go

@@ -72,7 +72,7 @@ func updateLdapConfigurationInfo(ldapConfiguration *types.LdapConfiguration, act
 		ldapConfigurationUpdateObj.InsecureSkipVerify = ldapConfiguration.InsecureSkipVerify
 	}
 
-	err := db.UpdateLdapConfiguration(ldapConfigurationUpdateObj)
+	err := db.UpdateLdapConfiguration(ldapConfigurationUpdateObj, actual.ServiceAccountPassword)
 
 	switch err {
 	case nil:
@@ -86,8 +86,8 @@ func updateLdapConfigurationInfo(ldapConfiguration *types.LdapConfiguration, act
 	case auth_errors.ErrKeyNotFound:
 		return http.StatusNotFound, nil
 	default:
-		log.Debugf("Failed to delete LDAP configuration: %#v", err)
-		return http.StatusInternalServerError, []byte("Failed to delete LDAP setting from the data store")
+		log.Debugf("Failed to update LDAP configuration: %#v", err)
+		return http.StatusInternalServerError, []byte("Failed to update LDAP settings to the data store")
 	}
 
 }
@@ -109,7 +109,7 @@ func updateLdapConfigurationHelper(ldapConfiguration *types.LdapConfiguration) (
 		return http.StatusNotFound, nil
 	default:
 		log.Debugf("Failed to retrieve LDAP configuration: %#v", err)
-		return http.StatusInternalServerError, []byte("Failed to retrieve LDAP setting from the data store")
+		return http.StatusInternalServerError, []byte("Failed to update LDAP settings to the data store")
 	}
 
 }

systemtests/basic_test.go

@@ -15,7 +15,7 @@ const (
 	// XXX: Yuva's dev server
 	ldapServer        = "10.193.231.158"
 	ldapPassword      = "C1ntainer$"
-	ldapAdminPassword = "C1ntainer$!"
+	ldapAdminPassword = "C1ntainer$~"
 
 	// use this when testing unauthenticated endpoints instead of ""
 	noToken = ""
@@ -61,25 +61,40 @@ func (s *systemtestSuite) TestLogin(c *C) {
 
 		s.addLdapConfiguration(c, adToken, ldapConfig)
 
-		// TODO: these tests have been disabled for now because all our
-		//       LDAP logins are failing for some reason.  something
-		//       might be wrong with the AD VM.
+		// try logging in using `service` account
+		loginAs(c, "saccount", ldapPassword)
 
-		// // try logging in using `service` account
-		// loginAs(c, "saccount", ldapPassword)
+		// try logging in using `temp` account; this fails as the user is only associated with primary group
+		// more details can be found here: auth/ldap/ldap.go
+		token, resp, err := login("temp", ldapPassword)
+		c.Assert(token, Equals, "")
+		c.Assert(resp.StatusCode, Equals, 401)
+		c.Assert(err, IsNil)
+
+		// try logging in using `admin` account
+		loginAs(c, "Administrator", ldapAdminPassword)
 
-		// // try logging in using `temp` account; this fails as the user is only associated with primary group
-		// // more details can be found here: auth/ldap/ldap.go
-		// token, resp, err := login("temp", ldapPassword)
-		// c.Assert(token, Equals, "")
-		// c.Assert(resp.StatusCode, Equals, 401)
-		// c.Assert(err, IsNil)
+		// test login using SSL/TLS
+		ldapConfig = `{"port":5678, "start_tls":true, "insecure_skip_verify":true}`
+		s.updateLdapConfiguration(c, adToken, ldapConfig)
 
-		// // try logging in using `admin` account
-		// loginAs(c, "Administrator", ldapAdminPassword)
+		// try logging in using `service` account
+		loginAs(c, "saccount", ldapPassword)
+
+		// try logging in using `temp` account; this fails as the user is only associated with primary group
+		// more details can be found here: auth/ldap/ldap.go
+		token, resp, err = login("temp", ldapPassword)
+		c.Assert(token, Equals, "")
+		c.Assert(resp.StatusCode, Equals, 401)
+		c.Assert(err, IsNil)
+
+		// try logging in using `admin` account
+		loginAs(c, "Administrator", ldapAdminPassword)
 
 		s.deleteLdapConfiguration(c, adToken)
+
 	})
+
 }
 
 // TestVersion tests that /version endpoint responds with something sane.