summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--ydb/core/security/ldap_auth_provider/ldap_auth_provider.cpp111
-rw-r--r--ydb/core/security/ldap_auth_provider/ldap_auth_provider_log.h12
-rw-r--r--ydb/core/security/ldap_auth_provider/ldap_auth_provider_ut.cpp32
-rw-r--r--ydb/library/services/services.proto1
-rw-r--r--ydb/services/ydb/ydb_ldap_login_ut.cpp28
5 files changed, 108 insertions, 76 deletions
diff --git a/ydb/core/security/ldap_auth_provider/ldap_auth_provider.cpp b/ydb/core/security/ldap_auth_provider/ldap_auth_provider.cpp
index 3f206f4a72d..7d4173141fb 100644
--- a/ydb/core/security/ldap_auth_provider/ldap_auth_provider.cpp
+++ b/ydb/core/security/ldap_auth_provider/ldap_auth_provider.cpp
@@ -6,6 +6,7 @@
#include <queue>
#include "ldap_auth_provider.h"
#include "ldap_utils.h"
+#include "ldap_auth_provider_log.h"
// This temporary solution
// These lines should be declared outside ldap_compat.h
@@ -172,11 +173,12 @@ private:
int result = 0;
if (Settings.GetScheme() != NKikimrLdap::LDAPS_SCHEME && Settings.GetUseTls().GetEnable()) {
+ LDAP_LOG_D("start TLS");
result = NKikimrLdap::StartTLS(*ld);
if (!NKikimrLdap::IsSuccess(result)) {
+ LDAP_LOG_D("Could not start TLS. " << NKikimrLdap::ErrorToString(result));
TEvLdapAuthProvider::TError error {
- .Message = "Could not start TLS\n" + NKikimrLdap::ErrorToString(result),
- .Retryable = NKikimrLdap::IsRetryableError(result)
+ .Message = ERROR_MESSAGE, .Retryable = NKikimrLdap::IsRetryableError(result)
};
// The Unbind operation is not the antithesis of the Bind operation as the name implies.
// Close the LDAP connection, free the resources contained in the LDAP structure
@@ -185,12 +187,13 @@ private:
}
}
+ LDAP_LOG_D("bind: bindDn: " << Settings.GetBindDn());
result = NKikimrLdap::Bind(*ld, Settings.GetBindDn(), Settings.GetBindPassword());
if (!NKikimrLdap::IsSuccess(result)) {
+ LDAP_LOG_D("Could not perform initial LDAP bind for dn " << Settings.GetBindDn() << " on server " + UrisCreator.GetUris() << ". "
+ << NKikimrLdap::ErrorToString(result));
TEvLdapAuthProvider::TError error {
- .Message = "Could not perform initial LDAP bind for dn " + Settings.GetBindDn() + " on server " + UrisCreator.GetUris() + "\n"
- + NKikimrLdap::ErrorToString(result),
- .Retryable = NKikimrLdap::IsRetryableError(result)
+ .Message = ERROR_MESSAGE, .Retryable = NKikimrLdap::IsRetryableError(result)
};
// The Unbind operation is not the antithesis of the Bind operation as the name implies.
// Close the LDAP connection, free the resources contained in the LDAP structure
@@ -210,26 +213,27 @@ private:
const TString& caCertificateFile = Settings.GetUseTls().GetCaCertFile();
result = NKikimrLdap::SetOption(*ld, NKikimrLdap::EOption::TLS_CACERTFILE, caCertificateFile.c_str());
if (!NKikimrLdap::IsSuccess(result)) {
+ LDAP_LOG_D("Could not set LDAP ca certificate file \"" << caCertificateFile + "\": " << NKikimrLdap::ErrorToString(result));
NKikimrLdap::Unbind(*ld);
return {{NKikimrLdap::ErrorToStatus(result),
- {.Message = "Could not set LDAP ca certificate file \"" + caCertificateFile + "\": " + NKikimrLdap::ErrorToString(result),
- .Retryable = NKikimrLdap::IsRetryableError(result)}}};
+ {.Message = ERROR_MESSAGE, .Retryable = NKikimrLdap::IsRetryableError(result)}}};
}
}
+ LDAP_LOG_D("init: scheme: " << Settings.GetScheme() << ", uris: " << UrisCreator.GetUris() << ", port: " << UrisCreator.GetConfiguredPort());
result = NKikimrLdap::Init(ld, Settings.GetScheme(), UrisCreator.GetUris(), UrisCreator.GetConfiguredPort());
if (!NKikimrLdap::IsSuccess(result)) {
+ LDAP_LOG_D("Could not initialize LDAP connection for uris: " << UrisCreator.GetUris() << ". " << NKikimrLdap::LdapError(*ld));
return {{TEvLdapAuthProvider::EStatus::UNAVAILABLE,
- {.Message = "Could not initialize LDAP connection for uris: " + UrisCreator.GetUris() + ". " + NKikimrLdap::LdapError(*ld),
- .Retryable = false}}};
+ {.Message = ERROR_MESSAGE, .Retryable = false}}};
}
result = NKikimrLdap::SetProtocolVersion(*ld);
if (!NKikimrLdap::IsSuccess(result)) {
NKikimrLdap::Unbind(*ld);
+ LDAP_LOG_D("Could not set LDAP protocol version: " << NKikimrLdap::ErrorToString(result));
return {{NKikimrLdap::ErrorToStatus(result),
- {.Message = "Could not set LDAP protocol version: " + NKikimrLdap::ErrorToString(result),
- .Retryable = NKikimrLdap::IsRetryableError(result)}}};
+ {.Message = ERROR_MESSAGE, .Retryable = NKikimrLdap::IsRetryableError(result)}}};
}
if (Settings.GetScheme() == NKikimrLdap::LDAPS_SCHEME || Settings.GetUseTls().GetEnable()) {
@@ -237,9 +241,9 @@ private:
result = NKikimrLdap::SetOption(*ld, NKikimrLdap::EOption::TLS_REQUIRE_CERT, &requireCert);
if (!NKikimrLdap::IsSuccess(result)) {
NKikimrLdap::Unbind(*ld);
+ LDAP_LOG_D("Could not set require certificate option: " << NKikimrLdap::ErrorToString(result));
return {{NKikimrLdap::ErrorToStatus(result),
- {.Message = "Could not set require certificate option: " + NKikimrLdap::ErrorToString(result),
- .Retryable = NKikimrLdap::IsRetryableError(result)}}};
+ {.Message = ERROR_MESSAGE, .Retryable = NKikimrLdap::IsRetryableError(result)}}};
}
}
@@ -249,16 +253,18 @@ private:
TAuthenticateUserResponse AuthenticateUser(const TAuthenticateUserRequest& request) {
char* dn = NKikimrLdap::GetDn(*request.Ld, request.Entry);
if (dn == nullptr) {
+ LDAP_LOG_D("Could not get dn for the first entry matching " << FilterCreator.GetFilter(request.Login) << " on server " << UrisCreator.GetUris() << ". "
+ << NKikimrLdap::LdapError(*request.Ld));
return {{TEvLdapAuthProvider::EStatus::UNAUTHORIZED,
- {.Message = "Could not get dn for the first entry matching " + FilterCreator.GetFilter(request.Login) + " on server " + UrisCreator.GetUris() + "\n"
- + NKikimrLdap::LdapError(*request.Ld),
- .Retryable = false}}};
+ {.Message = ERROR_MESSAGE, .Retryable = false}}};
}
TEvLdapAuthProvider::TError error;
+ LDAP_LOG_D("bind: bindDn: " << dn);
int result = NKikimrLdap::Bind(*request.Ld, dn, request.Password);
if (!NKikimrLdap::IsSuccess(result)) {
- error.Message = "LDAP login failed for user " + TString(dn) + " on server " + UrisCreator.GetUris() + "\n"
- + NKikimrLdap::ErrorToString((result));
+ LDAP_LOG_D("LDAP login failed for user " << TString(dn) << " on server " << UrisCreator.GetUris() << ". "
+ << NKikimrLdap::ErrorToString((result)));
+ error.Message = ERROR_MESSAGE;
error.Retryable = NKikimrLdap::IsRetryableError(result);
}
NKikimrLdap::MemFree(dn);
@@ -269,6 +275,10 @@ private:
LDAPMessage* searchMessage = nullptr;
const TString searchFilter = FilterCreator.GetFilter(request.User);
+ LDAP_LOG_D("search: baseDn: " << Settings.GetBaseDn()
+ << ", scope: " << ConvertSearchScopeToString(NKikimrLdap::EScope::SUBTREE)
+ << ", filter: " << searchFilter
+ << ", attributes: " << GetStringOfRequestedAttributes(request.RequestedAttributes));
int result = NKikimrLdap::Search(request.Ld,
Settings.GetBaseDn(),
NKikimrLdap::EScope::SUBTREE,
@@ -278,23 +288,22 @@ private:
&searchMessage);
TSearchUserResponse response;
if (!NKikimrLdap::IsSuccess(result)) {
+ LDAP_LOG_D("Could not search for filter " << searchFilter << " on server " << UrisCreator.GetUris() << ". "
+ << NKikimrLdap::ErrorToString(result));
response.Status = NKikimrLdap::ErrorToStatus(result);
- response.Error = {.Message = "Could not search for filter " + searchFilter + " on server " + UrisCreator.GetUris() + "\n"
- + NKikimrLdap::ErrorToString(result),
- .Retryable = NKikimrLdap::IsRetryableError(result)};
+ response.Error = {.Message = ERROR_MESSAGE, .Retryable = NKikimrLdap::IsRetryableError(result)};
return response;
}
const int countEntries = NKikimrLdap::CountEntries(request.Ld, searchMessage);
if (countEntries != 1) {
if (countEntries == 0) {
- response.Error = {.Message = "LDAP user " + request.User + " does not exist. "
- "LDAP search for filter " + searchFilter + " on server " + UrisCreator.GetUris() + " return no entries",
- .Retryable = false};
+ LDAP_LOG_D("LDAP user " << request.User << " does not exist. "
+ "LDAP search for filter " << searchFilter << " on server " << UrisCreator.GetUris() << " return no entries");
} else {
- response.Error = {.Message = "LDAP user " + request.User + " is not unique. "
- "LDAP search for filter " + searchFilter + " on server " + UrisCreator.GetUris() + " return " + countEntries + " entries",
- .Retryable = false};
+ LDAP_LOG_D("LDAP user " << request.User << " is not unique. "
+ "LDAP search for filter " << searchFilter << " on server " << UrisCreator.GetUris() << " return " << countEntries << " entries");
}
+ response.Error = {.Message = ERROR_MESSAGE, .Retryable = false};
response.Status = TEvLdapAuthProvider::EStatus::UNAUTHORIZED;
NKikimrLdap::MsgFree(searchMessage);
return response;
@@ -306,7 +315,14 @@ private:
std::vector<TString> TryToGetGroupsUseMatchingRuleInChain(LDAP* ld, LDAPMessage* entry) const {
static const TString matchingRuleInChain = "1.2.840.113556.1.4.1941"; // Only Active Directory supports
TStringBuilder filter;
- filter << "(member:" << matchingRuleInChain << ":=" << NKikimrLdap::GetDn(ld, entry) << ')';
+ char* dn = NKikimrLdap::GetDn(ld, entry);
+ filter << "(member:" << matchingRuleInChain << ":=" << dn << ')';
+ NKikimrLdap::MemFree(dn);
+ dn = nullptr;
+ LDAP_LOG_D("search: baseDn: " << Settings.GetBaseDn()
+ << ", scope: " << ConvertSearchScopeToString(NKikimrLdap::EScope::SUBTREE)
+ << ", filter: " << filter
+ << ", attributes: " << GetStringOfRequestedAttributes(NKikimrLdap::noAttributes));
LDAPMessage* searchMessage = nullptr;
int result = NKikimrLdap::Search(ld, Settings.GetBaseDn(), NKikimrLdap::EScope::SUBTREE, filter, NKikimrLdap::noAttributes, 0, &searchMessage);
if (!NKikimrLdap::IsSuccess(result)) {
@@ -320,13 +336,18 @@ private:
std::vector<TString> groups;
groups.reserve(countEntries);
for (LDAPMessage* groupEntry = NKikimrLdap::FirstEntry(ld, searchMessage); groupEntry != nullptr; groupEntry = NKikimrLdap::NextEntry(ld, groupEntry)) {
- groups.push_back(NKikimrLdap::GetDn(ld, groupEntry));
+ dn = NKikimrLdap::GetDn(ld, groupEntry);
+ groups.push_back(dn);
+ NKikimrLdap::MemFree(dn);
+ dn = nullptr;
}
NKikimrLdap::MsgFree(searchMessage);
return groups;
}
void GetNestedGroups(LDAP* ld, std::vector<TString>* groups) {
+ LDAP_LOG_D("Try to get nested groups - tree traversal");
+
std::unordered_set<TString> viewedGroups(groups->cbegin(), groups->cend());
std::queue<TString> queue;
for (const auto& group : *groups) {
@@ -344,6 +365,10 @@ private:
queue.pop();
}
filter << ')';
+ LDAP_LOG_D("search: baseDn: " << Settings.GetBaseDn()
+ << ", scope: " << ConvertSearchScopeToString(NKikimrLdap::EScope::SUBTREE)
+ << ", filter: " << filter
+ << ", attributes: " << GetStringOfRequestedAttributes(RequestedAttributes));
LDAPMessage* searchMessage = nullptr;
int result = NKikimrLdap::Search(ld, Settings.GetBaseDn(), NKikimrLdap::EScope::SUBTREE, filter, RequestedAttributes, 0, &searchMessage);
if (!NKikimrLdap::IsSuccess(result)) {
@@ -392,7 +417,35 @@ private:
return {TEvLdapAuthProvider::EStatus::SUCCESS, {}};
}
+ static TString ConvertSearchScopeToString(const NKikimrLdap::EScope& scope) {
+ switch (scope) {
+ case NKikimrLdap::EScope::BASE:
+ return "base";
+ case NKikimrLdap::EScope::ONE_LEVEL:
+ return "one level";
+ case NKikimrLdap::EScope::SUBTREE:
+ return "subtree";
+ }
+ }
+
+ static TString GetStringOfRequestedAttributes(char** attributes) {
+ if (!attributes) {
+ return "";
+ }
+ TStringBuilder result;
+ char* firstAttribute = *attributes;
+ if (firstAttribute) {
+ result << firstAttribute;
+ for (char* currentAttribute = *(++attributes); currentAttribute != nullptr; currentAttribute = *(++attributes)) {
+ result << ", " << currentAttribute;
+ }
+ }
+ return result;
+ }
+
private:
+ static constexpr const char* ERROR_MESSAGE = "User is unauthorized in LDAP server";
+
const NKikimrProto::TLdapAuthentication Settings;
const TSearchFilterCreator FilterCreator;
const TLdapUrisCreator UrisCreator;
diff --git a/ydb/core/security/ldap_auth_provider/ldap_auth_provider_log.h b/ydb/core/security/ldap_auth_provider/ldap_auth_provider_log.h
new file mode 100644
index 00000000000..2399e89206b
--- /dev/null
+++ b/ydb/core/security/ldap_auth_provider/ldap_auth_provider_log.h
@@ -0,0 +1,12 @@
+#pragma once
+
+#include <ydb/library/actors/core/log.h>
+
+#if defined LDAP_LOG_D || defined LDAP_LOG_W || defined LDAP_LOG_ERROR || defined LDAP_LOG_TRACE
+#error log macro definition clash
+#endif
+
+#define LDAP_LOG_D(stream) LOG_DEBUG_S(*TlsActivationContext, NKikimrServices::LDAP_AUTH_PROVIDER, stream)
+#define LDAP_LOG_TRACE(stream) LOG_TRACE_S(*TlsActivationContext, NKikimrServices::LDAP_AUTH_PROVIDER, stream)
+#define LDAP_LOG_ERROR(stream) LOG_ERROR_S(*TlsActivationContext, NKikimrServices::LDAP_AUTH_PROVIDER, stream)
+#define LDAP_LOG_W(stream) LOG_WARN_S(*TlsActivationContext, NKikimrServices::LDAP_AUTH_PROVIDER, stream)
diff --git a/ydb/core/security/ldap_auth_provider/ldap_auth_provider_ut.cpp b/ydb/core/security/ldap_auth_provider/ldap_auth_provider_ut.cpp
index 3b6f41026f6..e526717e118 100644
--- a/ydb/core/security/ldap_auth_provider/ldap_auth_provider_ut.cpp
+++ b/ydb/core/security/ldap_auth_provider/ldap_auth_provider_ut.cpp
@@ -125,6 +125,7 @@ public:
Server.EnableGRpc(GrpcPort);
Server.GetRuntime()->SetLogPriority(NKikimrServices::TICKET_PARSER, NLog::PRI_TRACE);
Server.GetRuntime()->SetLogPriority(NKikimrServices::GRPC_CLIENT, NLog::PRI_TRACE);
+ Server.GetRuntime()->SetLogPriority(NKikimrServices::LDAP_AUTH_PROVIDER, NLog::PRI_TRACE);
}
TTestActorRuntime* GetRuntime() const {
@@ -832,11 +833,7 @@ void CheckRequiredLdapSettings(std::function<void(NKikimrProto::TLdapAuthenticat
TAutoPtr<IEventHandle> handle = LdapAuthenticate(server, login, password);
TEvTicketParser::TEvAuthorizeTicketResult* ticketParserResult = handle->Get<TEvTicketParser::TEvAuthorizeTicketResult>();
UNIT_ASSERT_C(!ticketParserResult->Error.empty(), "Expected return error message");
- TStringBuilder expectedErrorMessage;
- expectedErrorMessage << "Could not perform initial LDAP bind for dn cn=invalidRobouser,dc=search,dc=yandex,dc=net on server "
- << (secureType == ESecurityConnectionType::LDAPS_SCHEME ? "ldaps://" : "ldap://") << "localhost:"
- << server.GetLdapPort() << "\nInvalid credentials";
- UNIT_ASSERT_STRINGS_EQUAL(ticketParserResult->Error.Message, expectedErrorMessage);
+ UNIT_ASSERT_STRINGS_EQUAL(ticketParserResult->Error.Message, "User is unauthorized in LDAP server");
UNIT_ASSERT(ticketParserResult->Token == nullptr);
ldapServer.Stop();
@@ -855,11 +852,7 @@ void CheckRequiredLdapSettings(std::function<void(NKikimrProto::TLdapAuthenticat
TAutoPtr<IEventHandle> handle = LdapAuthenticate(server, login, password);
TEvTicketParser::TEvAuthorizeTicketResult* ticketParserResult = handle->Get<TEvTicketParser::TEvAuthorizeTicketResult>();
UNIT_ASSERT_C(!ticketParserResult->Error.empty(), "Expected return error message");
- TStringBuilder expectedErrorMessage;
- expectedErrorMessage << "Could not perform initial LDAP bind for dn cn=robouser,dc=search,dc=yandex,dc=net on server "
- << (secureType == ESecurityConnectionType::LDAPS_SCHEME ? "ldaps://" : "ldap://") << "localhost:"
- << server.GetLdapPort() << "\nInvalid credentials";
- UNIT_ASSERT_STRINGS_EQUAL(ticketParserResult->Error.Message, expectedErrorMessage);
+ UNIT_ASSERT_STRINGS_EQUAL(ticketParserResult->Error.Message, "User is unauthorized in LDAP server");
UNIT_ASSERT(ticketParserResult->Token == nullptr);
ldapServer.Stop();
@@ -894,11 +887,7 @@ void CheckRequiredLdapSettings(std::function<void(NKikimrProto::TLdapAuthenticat
TAutoPtr<IEventHandle> handle = LdapAuthenticate(server, removedUserLogin, removedUserPassword);
TEvTicketParser::TEvAuthorizeTicketResult* ticketParserResult = handle->Get<TEvTicketParser::TEvAuthorizeTicketResult>();
UNIT_ASSERT_C(!ticketParserResult->Error.empty(), "Expected return error message");
- const TString expectedErrorMessage = "LDAP user " + removedUserLogin + " does not exist. "
- "LDAP search for filter uid=" + removedUserLogin + " on server " +
- (secureType == ESecurityConnectionType::LDAPS_SCHEME ? "ldaps://" : "ldap://") + "localhost:" +
- ToString(server.GetLdapPort()) + " return no entries";
- UNIT_ASSERT_STRINGS_EQUAL(ticketParserResult->Error.Message, expectedErrorMessage);
+ UNIT_ASSERT_STRINGS_EQUAL(ticketParserResult->Error.Message, "User is unauthorized in LDAP server");
ldapServer.Stop();
}
@@ -916,10 +905,7 @@ void CheckRequiredLdapSettings(std::function<void(NKikimrProto::TLdapAuthenticat
TAutoPtr<IEventHandle> handle = LdapAuthenticate(server, login, password);
TEvTicketParser::TEvAuthorizeTicketResult* ticketParserResult = handle->Get<TEvTicketParser::TEvAuthorizeTicketResult>();
UNIT_ASSERT_C(!ticketParserResult->Error.empty(), "Expected return error message");
- const TString expectedErrorMessage = "Could not search for filter &(uid=" + login + ")() on server " +
- (secureType == ESecurityConnectionType::LDAPS_SCHEME ? "ldaps://" : "ldap://") + "localhost:" +
- ToString(server.GetLdapPort()) + "\nBad search filter";
- UNIT_ASSERT_STRINGS_EQUAL(ticketParserResult->Error.Message, expectedErrorMessage);
+ UNIT_ASSERT_STRINGS_EQUAL(ticketParserResult->Error.Message, "User is unauthorized in LDAP server");
ldapServer.Stop();
}
@@ -1026,11 +1012,7 @@ void CheckRequiredLdapSettings(std::function<void(NKikimrProto::TLdapAuthenticat
UNIT_ASSERT_C(!ticketParserResult->Error.empty(), "Expected return error message");
UNIT_ASSERT(ticketParserResult->Token == nullptr);
- const TString expectedErrorMessage = "LDAP user " + login + " does not exist. "
- "LDAP search for filter uid=" + login + " on server " +
- (secureType == ESecurityConnectionType::LDAPS_SCHEME ? "ldaps://" : "ldap://") + "localhost:" +
- ToString(server.GetLdapPort()) + " return no entries";
- UNIT_ASSERT_STRINGS_EQUAL(ticketParserResult->Error.Message, expectedErrorMessage);
+ UNIT_ASSERT_STRINGS_EQUAL(ticketParserResult->Error.Message, "User is unauthorized in LDAP server");
UNIT_ASSERT_EQUAL(ticketParserResult->Error.Retryable, false);
ldapServer.Stop();
@@ -1038,7 +1020,7 @@ void CheckRequiredLdapSettings(std::function<void(NKikimrProto::TLdapAuthenticat
Y_UNIT_TEST_SUITE(LdapAuthProviderTest) {
Y_UNIT_TEST(LdapServerIsUnavailable) {
- CheckRequiredLdapSettings(InitLdapSettingsWithUnavailableHost, "Could not start TLS\nCan't contact LDAP server", ESecurityConnectionType::START_TLS);
+ CheckRequiredLdapSettings(InitLdapSettingsWithUnavailableHost, "User is unauthorized in LDAP server", ESecurityConnectionType::START_TLS);
}
Y_UNIT_TEST(LdapRequestWithEmptyHost) {
diff --git a/ydb/library/services/services.proto b/ydb/library/services/services.proto
index 1693816d730..ef29f8181d1 100644
--- a/ydb/library/services/services.proto
+++ b/ydb/library/services/services.proto
@@ -188,6 +188,7 @@ enum EServiceKikimr {
TOKEN_BUILDER = 450;
TICKET_PARSER = 455;
BLACKBOX_VALIDATOR = 460;
+ LDAP_AUTH_PROVIDER = 2650;
GRPC_CLIENT = 461;
diff --git a/ydb/services/ydb/ydb_ldap_login_ut.cpp b/ydb/services/ydb/ydb_ldap_login_ut.cpp
index 54f132431c7..43043688a09 100644
--- a/ydb/services/ydb/ydb_ldap_login_ut.cpp
+++ b/ydb/services/ydb/ydb_ldap_login_ut.cpp
@@ -210,10 +210,7 @@ Y_UNIT_TEST_SUITE(TGRpcLdapAuthentication) {
auto factory = CreateLoginCredentialsProviderFactory({.User = login + "@ldap", .Password = password});
auto loginProvider = factory->CreateProvider(loginConnection.GetCoreFacility());
- TStringBuilder expectedErrorMessage;
- expectedErrorMessage << "Could not perform initial LDAP bind for dn cn=invalidRobouser,dc=search,dc=yandex,dc=net on server "
- << "ldap://localhost:" << loginConnection.GetLdapPort() << "\nInvalid credentials";
- UNIT_ASSERT_EXCEPTION_CONTAINS(loginProvider->GetAuthInfo(), yexception, expectedErrorMessage);
+ UNIT_ASSERT_EXCEPTION_CONTAINS(loginProvider->GetAuthInfo(), yexception, "User is unauthorized in LDAP server");
loginConnection.Stop();
ldapServer.Stop();
@@ -231,10 +228,7 @@ Y_UNIT_TEST_SUITE(TGRpcLdapAuthentication) {
auto factory = CreateLoginCredentialsProviderFactory({.User = login + "@ldap", .Password = password});
auto loginProvider = factory->CreateProvider(loginConnection.GetCoreFacility());
- TStringBuilder expectedErrorMessage;
- expectedErrorMessage << "Could not perform initial LDAP bind for dn cn=robouser,dc=search,dc=yandex,dc=net on server "
- << "ldap://localhost:" << loginConnection.GetLdapPort() << "\nInvalid credentials";
- UNIT_ASSERT_EXCEPTION_CONTAINS(loginProvider->GetAuthInfo(), yexception, expectedErrorMessage);
+ UNIT_ASSERT_EXCEPTION_CONTAINS(loginProvider->GetAuthInfo(), yexception, "User is unauthorized in LDAP server");
loginConnection.Stop();
ldapServer.Stop();
@@ -252,10 +246,7 @@ Y_UNIT_TEST_SUITE(TGRpcLdapAuthentication) {
auto factory = CreateLoginCredentialsProviderFactory({.User = login + "@ldap", .Password = password});
auto loginProvider = factory->CreateProvider(loginConnection.GetCoreFacility());
- TStringBuilder expectedErrorMessage;
- expectedErrorMessage << "Could not search for filter &(uid=" << login << ")() on server "
- << "ldap://localhost:" << loginConnection.GetLdapPort() << "\nBad search filter";
- UNIT_ASSERT_EXCEPTION_CONTAINS(loginProvider->GetAuthInfo(), yexception, expectedErrorMessage);
+ UNIT_ASSERT_EXCEPTION_CONTAINS(loginProvider->GetAuthInfo(), yexception, "User is unauthorized in LDAP server");
loginConnection.Stop();
ldapServer.Stop();
@@ -278,7 +269,7 @@ Y_UNIT_TEST_SUITE(TGRpcLdapAuthentication) {
}
Y_UNIT_TEST(LdapAuthServerIsUnavailable) {
- CheckRequiredLdapSettings(InitLdapSettingsWithUnavailableHost, "Could not start TLS\nCan't contact LDAP server");
+ CheckRequiredLdapSettings(InitLdapSettingsWithUnavailableHost, "User is unauthorized in LDAP server");
}
Y_UNIT_TEST(LdapAuthSettingsWithEmptyHosts) {
@@ -325,11 +316,7 @@ Y_UNIT_TEST_SUITE(TGRpcLdapAuthentication) {
auto factory = CreateLoginCredentialsProviderFactory({.User = nonExistentUser + "@ldap", .Password = password});
auto loginProvider = factory->CreateProvider(loginConnection.GetCoreFacility());
- TStringBuilder expectedErrorMessage;
- expectedErrorMessage << "LDAP user " << nonExistentUser << " does not exist. LDAP search for filter uid="
- << nonExistentUser << " on server "
- << "ldap://localhost:" << loginConnection.GetLdapPort() << " return no entries";
- UNIT_ASSERT_EXCEPTION_CONTAINS(loginProvider->GetAuthInfo(), yexception, expectedErrorMessage);
+ UNIT_ASSERT_EXCEPTION_CONTAINS(loginProvider->GetAuthInfo(), yexception, "User is unauthorized in LDAP server");
loginConnection.Stop();
ldapServer.Stop();
@@ -370,10 +357,7 @@ Y_UNIT_TEST_SUITE(TGRpcLdapAuthentication) {
auto factory = CreateLoginCredentialsProviderFactory({.User = login + "@ldap", .Password = password});
auto loginProvider = factory->CreateProvider(loginConnection.GetCoreFacility());
- TStringBuilder expectedErrorMessage;
- expectedErrorMessage << "LDAP login failed for user uid=" << login << ",dc=search,dc=yandex,dc=net on server "
- << "ldap://localhost:" << loginConnection.GetLdapPort() << "\nInvalid credentials";
- UNIT_ASSERT_EXCEPTION_CONTAINS(loginProvider->GetAuthInfo(), yexception, expectedErrorMessage);
+ UNIT_ASSERT_EXCEPTION_CONTAINS(loginProvider->GetAuthInfo(), yexception, "User is unauthorized in LDAP server");
loginConnection.Stop();
ldapServer.Stop();