8a0e5f822b
When the LDAP response is parsed, the message length is not properly decoded. While it works for LDAP servers encoding it on 1 byte, it does not work for those using a multi-byte encoding. Among others, Active Directory servers seem to encode message or element lengths on 4 bytes. In this patch, we only handle the length of BindResponse messages encoded on 1, 2 or 4 bytes. In theory, it may be encoded on any number of bytes less than 127. But it is useless to make this part too complex. It should be ok this way. This patch should fix issue #1390. It should be backported to all stable versions. While it should be easy to backport it as far as 2.2, the patch will have to be totally rewritten for lower versions.
varnishtest "Health-checks: LDAP health-check"
# The two "#..." lines below are directives read by the reg-test runner
# (minimum HAProxy version, test class), not free-form comments.
#REQUIRE_VERSION=2.2
#REGTEST_TYPE=slow
feature ignore_unknown_macro

# This script tests health-checks for LDAP application, enabled using
# "option ldap-check" line. An intermediate listener is used to validate
# the request because it is impossible with VTEST to read and match raw
# text.
#
# Layout: be1 is routed through the "ldap1" listener (which matches the
# exact bytes of the bind request) before reaching s1; be2, be3 and be4
# talk to their fake server directly. Each fake server answers with a
# hand-crafted BER-encoded BindResponse and the outcome of every check is
# asserted on the syslog line produced by "option log-health-checks".
# s1: well-formed success reply. The check sends a 14-byte BindRequest;
# the answer is a BER SEQUENCE (30 0C) holding messageID 1 (02 01 01) and a
# BindResponse (61 07) with resultCode 0 = success (0A 01 00), an empty
# matchedDN (04 00) and an empty diagnosticMessage (04 00). Every length
# here uses the 1-byte short form.
server s1 {
    recv 14
    sendhex "300C020101 61 070A01 00 04000400"
} -start
# s2: same payload as s1 except that the application tag is 0x60
# (BindRequest) instead of 0x61 (BindResponse). The check must refuse it
# as "Not LDAPv3 protocol" (asserted by syslog S2).
server s2 {
    recv 14
    sendhex "300C020101 60 070A01 00 04000400"
} -start
# s3: structurally valid BindResponse whose resultCode is 1 (0A 01 01)
# instead of 0. The check must report "wrong status" with code 1
# (asserted by syslog S3).
server s3 {
    recv 14
    sendhex "300C020101 61 070A01 01 04000400"
} -start
# s4: same success reply as s1 but with BER long-form lengths: "84" followed
# by 4 bytes encodes the SEQUENCE length (0x10) and the BindResponse length
# (0x07), as e.g. Active Directory servers do. Only the 1-, 2- and 4-byte
# length forms are handled by the check. The reply is also split across two
# writes with a short delay, so the check must cope with a response that
# arrives in pieces rather than in a single read.
server s4 {
    recv 14
    sendhex "308400000010020101 61 84000000070A01"
    delay 0.1
    sendhex "00 04000400"
} -start
# S1: be1/srv must come UP: Layer7 check passed, info "Success", 1/1 UP.
# ${h1_pid} is the PID of the haproxy instance started below.
syslog S1 -level notice {
    recv
    expect ~ "[^:\\[ ]\\[${h1_pid}\\]: Health check for server be1/srv succeeded, reason: Layer7 check passed.+info: \"Success\".+check duration: [[:digit:]]+ms, status: 1/1 UP."
} -start
# S2: be2/srv must go DOWN because s2 answers with a BindRequest tag
# (0x60) instead of a BindResponse: "Layer7 invalid response",
# info "Not LDAPv3 protocol".
syslog S2 -level notice {
    recv
    expect ~ "[^:\\[ ]\\[${h1_pid}\\]: Health check for server be2/srv failed, reason: Layer7 invalid response.+info: \"Not LDAPv3 protocol\".+check duration: [[:digit:]]+ms, status: 0/1 DOWN."
} -start
# S3: be3/srv must go DOWN because s3 returns resultCode 1: "Layer7 wrong
# status", code 1, with the RFC 4511 result-code pointer in the info field.
syslog S3 -level notice {
    recv
    expect ~ "[^:\\[ ]\\[${h1_pid}\\]: Health check for server be3/srv failed, reason: Layer7 wrong status.+code: 1.+info: \"See RFC: http://tools.ietf.org/html/rfc4511#section-4.1.9\".+check duration: [[:digit:]]+ms, status: 0/1 DOWN."
} -start
# S4: be4/srv must come UP exactly like be1 even though s4 uses 4-byte
# lengths and delivers the reply in two parts.
syslog S4 -level notice {
    recv
    expect ~ "[^:\\[ ]\\[${h1_pid}\\]: Health check for server be4/srv succeeded, reason: Layer7 check passed.+info: \"Success\".+check duration: [[:digit:]]+ms, status: 1/1 UP."
} -start
# One backend per fake server, each logging its health checks to its own
# syslog server so that every case is asserted independently. "rise 1 fall 1"
# makes the very first check result decide the server state.
haproxy h1 -conf {
    defaults
        mode tcp
        timeout client 1s
        timeout server 1s
        timeout connect 100ms

    # be1 is the only backend that goes through the "ldap1" listener below,
    # so the request bytes sent by the check are validated once.
    backend be1
        log ${S1_addr}:${S1_port} daemon
        option log-health-checks
        option ldap-check
        server srv ${h1_ldap1_addr}:${h1_ldap1_port} check inter 1s rise 1 fall 1

    backend be2
        log ${S2_addr}:${S2_port} daemon
        option log-health-checks
        option ldap-check
        server srv ${s2_addr}:${s2_port} check inter 1s rise 1 fall 1

    backend be3
        log ${S3_addr}:${S3_port} daemon
        option log-health-checks
        option ldap-check
        server srv ${s3_addr}:${s3_port} check inter 1s rise 1 fall 1

    backend be4
        log ${S4_addr}:${S4_port} daemon
        option log-health-checks
        option ldap-check
        server srv ${s4_addr}:${s4_port} check inter 1s rise 1 fall 1

    # Intermediate listener: the connection is accepted only if the first
    # 14 bytes are exactly the expected LDAPv3 BindRequest, i.e. SEQUENCE
    # (30 0C), messageID 1 (02 01 01), BindRequest (60 07) with version 3
    # (02 01 03), empty name (04 00) and empty simple credentials (80 00):
    # an anonymous simple bind. Anything else is rejected, which surfaces
    # as a failed be1 check.
    listen ldap1
        bind "fd@${ldap1}"
        tcp-request inspect-delay 100ms
        tcp-request content accept if { req.len eq 14 } { req.payload(0,14) -m bin "300C020101600702010304008000" }
        tcp-request content reject
        server srv ${s1_addr}:${s1_port}

} -start
# Block until each syslog server has received and matched its expected line;
# a mismatch or a missing line fails the test.
syslog S1 -wait
syslog S2 -wait
syslog S3 -wait
syslog S4 -wait