From 30d3f741a947f11b0c16dc408bb2ee0ef97b4a39 Mon Sep 17 00:00:00 2001
From: Peter Eisentraut <peter_e@gmx.net>
Date: Fri, 8 Sep 2017 10:52:08 -0400
Subject: [PATCH 3/3] Add tests for ldapsearchfilter functionality

---
 src/test/ldap/data.ldif     | 13 +++++++++++++
 src/test/ldap/t/001_auth.pl | 36 +++++++++++++++++++++++++++++++++++-
 2 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/src/test/ldap/data.ldif b/src/test/ldap/data.ldif
index b30604e1f0..8d82c284b1 100644
--- a/src/test/ldap/data.ldif
+++ b/src/test/ldap/data.ldif
@@ -17,3 +17,16 @@ uidNumber: 101
 gidNumber: 100
 homeDirectory: /home/test1
 mail: test1@example.net
+
+dn: uid=test2,dc=example,dc=net
+objectClass: inetOrgPerson
+objectClass: posixAccount
+uid: test2
+sn: Lastname
+givenName: Firstname
+cn: Second Test User
+displayName: Second Test User
+uidNumber: 102
+gidNumber: 100
+homeDirectory: /home/test2
+mail: test2@example.net
diff --git a/src/test/ldap/t/001_auth.pl b/src/test/ldap/t/001_auth.pl
index d8be2de88f..b6da6bfa18 100644
--- a/src/test/ldap/t/001_auth.pl
+++ b/src/test/ldap/t/001_auth.pl
@@ -2,7 +2,7 @@ use strict;
 use warnings;
 use TestLib;
 use PostgresNode;
-use Test::More tests => 9;
+use Test::More tests => 14;
 
 my ($slapd, $ldap_bin_dir, $ldap_schema_dir);
 
@@ -86,6 +86,7 @@ note "loading LDAP data";
 
 system_or_bail 'ldapadd', '-x', '-y', $ldap_pwfile, '-f', 'data.ldif';
 system_or_bail 'ldappasswd', '-x', '-y', $ldap_pwfile, '-s', 'secret1', 'uid=test1,dc=example,dc=net';
+system_or_bail 'ldappasswd', '-x', '-y', $ldap_pwfile, '-s', 'secret2', 'uid=test2,dc=example,dc=net';
 
 note "setting up PostgreSQL instance";
 
@@ -95,6 +96,7 @@ $node->start;
 
 $node->safe_psql('postgres', 'CREATE USER test0;');
 $node->safe_psql('postgres', 'CREATE USER test1;');
+$node->safe_psql('postgres', 'CREATE USER "test2@example.net";');
 
 note "running tests";
 
@@ -141,3 +143,35 @@ test_access($node, 'test0', 2, 'search+bind with LDAP URL authentication fails i
 test_access($node, 'test1', 2, 'search+bind with LDAP URL authentication fails with wrong password');
 $ENV{"PGPASSWORD"} = 'secret1';
 test_access($node, 'test1', 0, 'search+bind with LDAP URL authentication succeeds');
+
+note "search filters";
+
+unlink($node->data_dir . '/pg_hba.conf');
+$node->append_conf('pg_hba.conf', qq{local all all ldap ldapserver=$ldap_server ldapport=$ldap_port ldapbasedn="$ldap_basedn" ldapsearchfilter="(|(uid=\$username)(mail=\$username))"});
+$node->reload;
+
+$ENV{"PGPASSWORD"} = 'secret1';
+test_access($node, 'test1', 0, 'search filter finds by uid');
+$ENV{"PGPASSWORD"} = 'secret2';
+test_access($node, 'test2@example.net', 0, 'search filter finds by mail');
+
+note "search filters in LDAP URLs";
+
+unlink($node->data_dir . '/pg_hba.conf');
+$node->append_conf('pg_hba.conf', qq{local all all ldap ldapurl="$ldap_url/$ldap_basedn??sub?(|(uid=\$username)(mail=\$username))"});
+$node->reload;
+
+$ENV{"PGPASSWORD"} = 'secret1';
+test_access($node, 'test1', 0, 'search filter finds by uid');
+$ENV{"PGPASSWORD"} = 'secret2';
+test_access($node, 'test2@example.net', 0, 'search filter finds by mail');
+
+# This is not documented: You can combine ldapurl and other ldap*
+# settings.  ldapurl is always parsed first, then the other settings
+# override.  It might be useful in a case like this.
+unlink($node->data_dir . '/pg_hba.conf');
+$node->append_conf('pg_hba.conf', qq{local all all ldap ldapurl="$ldap_url/$ldap_basedn??sub" ldapsearchfilter="(|(uid=\$username)(mail=\$username))"});
+$node->reload;
+
+$ENV{"PGPASSWORD"} = 'secret1';
+test_access($node, 'test1', 0, 'combined LDAP URL and search filter');
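Review bot: Every `test_access` call added under "search filters" and "search filters in LDAP URLs" expects exit status 0, so a filter that matched any entry, or a `$username` placeholder that was never substituted, would still pass these tests; pair each positive case with a rejection, e.g. `$ENV{"PGPASSWORD"} = 'secret2';` followed by `test_access($node, 'test0', 2, 'search filter rejects user matched by neither uid nor mail');` and a wrong-password attempt for `test2@example.net` expecting 2, then raise the `tests =>` count to match. Whether the server escapes LDAP filter metacharacters when substituting `$username` is not visible from this patch; `test2@example.net` is the only username here with a non-alphanumeric character, and one case using a name that contains a filter metacharacter, expected to be rejected rather than to widen the match, would pin that behavior down. The `$ldap_server`, `$ldap_url`, `$ldap_basedn` values and the `test_access` helper used in this hunk are defined outside it.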
-- 
2.13.5

