Merge pull request #1997 from dexidp/rewrite-ldap-tests

Rewrite LDAP tests to use a single server instance
5 years ago · 95d8a0cccb
8 changed files with 554 additions and 611 deletions
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@ -54,6 +54,9 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@v2

+      - name: Start services
+        run: docker-compose -f docker-compose.test.yaml up -d
+
      - name: Test
        run: make testall
        env:
@ -68,7 +71,9 @@ jobs:
          DEX_POSTGRES_HOST: localhost
          DEX_POSTGRES_PORT: ${{ job.services.postgres.ports[5432] }}
          DEX_ETCD_ENDPOINTS: http://localhost:${{ job.services.etcd.ports[2379] }}
-          DEX_LDAP_TESTS: 1
+          DEX_LDAP_HOST: localhost
+          DEX_LDAP_PORT: 389
+          DEX_LDAP_TLS_PORT: 636
          DEX_KEYSTONE_URL: http://localhost:${{ job.services.keystone.ports[5000] }}
          DEX_KEYSTONE_ADMIN_URL: http://localhost:${{ job.services.keystone.ports[35357] }}
          DEX_KEYSTONE_ADMIN_USER: demo
--- a/connector/ldap/ldap_test.go
+++ b/connector/ldap/ldap_test.go
@ -5,20 +5,14 @@ import (
 	"fmt"
 	"io/ioutil"
 	"os"
-	"path/filepath"
 	"testing"
-	"time"

 	"github.com/kylelemons/godebug/pretty"
 	"github.com/sirupsen/logrus"
-	"github.com/testcontainers/testcontainers-go"
-	"github.com/testcontainers/testcontainers-go/wait"

 	"github.com/dexidp/dex/connector"
 )

-const envVar = "DEX_LDAP_TESTS"
-
 // connectionMethod indicates how the test should connect to the LDAP server.
 type connectionMethod int32

@ -47,29 +41,8 @@ type subtest struct {
 }

 func TestQuery(t *testing.T) {
-	schema := `
-dn: ou=People,dc=example,dc=org
-objectClass: organizationalUnit
-ou: People
-
-dn: cn=jane,ou=People,dc=example,dc=org
-objectClass: person
-objectClass: inetOrgPerson
-sn: doe
-cn: jane
-mail: janedoe@example.com
-userpassword: foo
-
-dn: cn=john,ou=People,dc=example,dc=org
-objectClass: person
-objectClass: inetOrgPerson
-sn: doe
-cn: john
-mail: johndoe@example.com
-userpassword: bar
-`
 	c := &Config{}
-	c.UserSearch.BaseDN = "ou=People,dc=example,dc=org"
+	c.UserSearch.BaseDN = "ou=People,ou=TestQuery,dc=example,dc=org"
 	c.UserSearch.NameAttr = "cn"
 	c.UserSearch.EmailAttr = "mail"
 	c.UserSearch.IDAttr = "DN"
@ -81,7 +54,7 @@ userpassword: bar
 			username: "jane",
 			password: "foo",
 			want: connector.Identity{
-				UserID:        "cn=jane,ou=People,dc=example,dc=org",
+				UserID:        "cn=jane,ou=People,ou=TestQuery,dc=example,dc=org",
 				Username:      "jane",
 				Email:         "janedoe@example.com",
 				EmailVerified: true,
@ -92,7 +65,7 @@ userpassword: bar
 			username: "john",
 			password: "bar",
 			want: connector.Identity{
-				UserID:        "cn=john,ou=People,dc=example,dc=org",
+				UserID:        "cn=john,ou=People,ou=TestQuery,dc=example,dc=org",
 				Username:      "john",
 				Email:         "johndoe@example.com",
 				EmailVerified: true,
@ -112,32 +85,12 @@ userpassword: bar
 		},
 	}

-	runTests(t, schema, connectLDAP, c, tests)
+	runTests(t, connectLDAP, c, tests)
 }

 func TestQueryWithEmailSuffix(t *testing.T) {
-	schema := `
-dn: ou=People,dc=example,dc=org
-objectClass: organizationalUnit
-ou: People
-
-dn: cn=jane,ou=People,dc=example,dc=org
-objectClass: person
-objectClass: inetOrgPerson
-sn: doe
-cn: jane
-mail: janedoe@example.com
-userpassword: foo
-
-dn: cn=john,ou=People,dc=example,dc=org
-objectClass: person
-objectClass: inetOrgPerson
-sn: doe
-cn: john
-userpassword: bar
-`
 	c := &Config{}
-	c.UserSearch.BaseDN = "ou=People,dc=example,dc=org"
+	c.UserSearch.BaseDN = "ou=People,ou=TestQueryWithEmailSuffix,dc=example,dc=org"
 	c.UserSearch.NameAttr = "cn"
 	c.UserSearch.EmailSuffix = "test.example.com"
 	c.UserSearch.IDAttr = "DN"
@ -149,7 +102,7 @@ userpassword: bar
 			username: "jane",
 			password: "foo",
 			want: connector.Identity{
-				UserID:        "cn=jane,ou=People,dc=example,dc=org",
+				UserID:        "cn=jane,ou=People,ou=TestQueryWithEmailSuffix,dc=example,dc=org",
 				Username:      "jane",
 				Email:         "jane@test.example.com",
 				EmailVerified: true,
@ -160,7 +113,7 @@ userpassword: bar
 			username: "john",
 			password: "bar",
 			want: connector.Identity{
-				UserID:        "cn=john,ou=People,dc=example,dc=org",
+				UserID:        "cn=john,ou=People,ou=TestQueryWithEmailSuffix,dc=example,dc=org",
 				Username:      "john",
 				Email:         "john@test.example.com",
 				EmailVerified: true,
@ -168,53 +121,12 @@ userpassword: bar
 		},
 	}

-	runTests(t, schema, connectLDAP, c, tests)
+	runTests(t, connectLDAP, c, tests)
 }

 func TestUserFilter(t *testing.T) {
-	schema := `
-dn: ou=Seattle,dc=example,dc=org
-objectClass: organizationalUnit
-ou: Seattle
-
-dn: ou=Portland,dc=example,dc=org
-objectClass: organizationalUnit
-ou: Portland
-
-dn: ou=People,ou=Seattle,dc=example,dc=org
-objectClass: organizationalUnit
-ou: People
-
-dn: ou=People,ou=Portland,dc=example,dc=org
-objectClass: organizationalUnit
-ou: People
-
-dn: cn=jane,ou=People,ou=Seattle,dc=example,dc=org
-objectClass: person
-objectClass: inetOrgPerson
-sn: doe
-cn: jane
-mail: janedoe@example.com
-userpassword: foo
-
-dn: cn=jane,ou=People,ou=Portland,dc=example,dc=org
-objectClass: person
-objectClass: inetOrgPerson
-sn: doe
-cn: jane
-mail: janedoefromportland@example.com
-userpassword: baz
-
-dn: cn=john,ou=People,ou=Seattle,dc=example,dc=org
-objectClass: person
-objectClass: inetOrgPerson
-sn: doe
-cn: john
-mail: johndoe@example.com
-userpassword: bar
-`
 	c := &Config{}
-	c.UserSearch.BaseDN = "dc=example,dc=org"
+	c.UserSearch.BaseDN = "ou=TestUserFilter,dc=example,dc=org"
 	c.UserSearch.NameAttr = "cn"
 	c.UserSearch.EmailAttr = "mail"
 	c.UserSearch.IDAttr = "DN"
@ -227,7 +139,7 @@ userpassword: bar
 			username: "jane",
 			password: "foo",
 			want: connector.Identity{
-				UserID:        "cn=jane,ou=People,ou=Seattle,dc=example,dc=org",
+				UserID:        "cn=jane,ou=People,ou=Seattle,ou=TestUserFilter,dc=example,dc=org",
 				Username:      "jane",
 				Email:         "janedoe@example.com",
 				EmailVerified: true,
@ -238,7 +150,7 @@ userpassword: bar
 			username: "john",
 			password: "bar",
 			want: connector.Identity{
-				UserID:        "cn=john,ou=People,ou=Seattle,dc=example,dc=org",
+				UserID:        "cn=john,ou=People,ou=Seattle,ou=TestUserFilter,dc=example,dc=org",
 				Username:      "john",
 				Email:         "johndoe@example.com",
 				EmailVerified: true,
@ -258,55 +170,17 @@ userpassword: bar
 		},
 	}

-	runTests(t, schema, connectLDAP, c, tests)
+	runTests(t, connectLDAP, c, tests)
 }

 func TestGroupQuery(t *testing.T) {
-	schema := `
-dn: ou=People,dc=example,dc=org
-objectClass: organizationalUnit
-ou: People
-
-dn: cn=jane,ou=People,dc=example,dc=org
-objectClass: person
-objectClass: inetOrgPerson
-sn: doe
-cn: jane
-mail: janedoe@example.com
-userpassword: foo
-
-dn: cn=john,ou=People,dc=example,dc=org
-objectClass: person
-objectClass: inetOrgPerson
-sn: doe
-cn: john
-mail: johndoe@example.com
-userpassword: bar
-
-# Group definitions.
-
-dn: ou=Groups,dc=example,dc=org
-objectClass: organizationalUnit
-ou: Groups
-
-dn: cn=admins,ou=Groups,dc=example,dc=org
-objectClass: groupOfNames
-cn: admins
-member: cn=john,ou=People,dc=example,dc=org
-member: cn=jane,ou=People,dc=example,dc=org
-
-dn: cn=developers,ou=Groups,dc=example,dc=org
-objectClass: groupOfNames
-cn: developers
-member: cn=jane,ou=People,dc=example,dc=org
-`
 	c := &Config{}
-	c.UserSearch.BaseDN = "ou=People,dc=example,dc=org"
+	c.UserSearch.BaseDN = "ou=People,ou=TestGroupQuery,dc=example,dc=org"
 	c.UserSearch.NameAttr = "cn"
 	c.UserSearch.EmailAttr = "mail"
 	c.UserSearch.IDAttr = "DN"
 	c.UserSearch.Username = "cn"
-	c.GroupSearch.BaseDN = "ou=Groups,dc=example,dc=org"
+	c.GroupSearch.BaseDN = "ou=Groups,ou=TestGroupQuery,dc=example,dc=org"
 	c.GroupSearch.UserMatchers = []UserMatcher{
 		{
 			UserAttr:  "DN",
@ -322,7 +196,7 @@ member: cn=jane,ou=People,dc=example,dc=org
 			password: "foo",
 			groups:   true,
 			want: connector.Identity{
-				UserID:        "cn=jane,ou=People,dc=example,dc=org",
+				UserID:        "cn=jane,ou=People,ou=TestGroupQuery,dc=example,dc=org",
 				Username:      "jane",
 				Email:         "janedoe@example.com",
 				EmailVerified: true,
@ -335,7 +209,7 @@ member: cn=jane,ou=People,dc=example,dc=org
 			password: "bar",
 			groups:   true,
 			want: connector.Identity{
-				UserID:        "cn=john,ou=People,dc=example,dc=org",
+				UserID:        "cn=john,ou=People,ou=TestGroupQuery,dc=example,dc=org",
 				Username:      "john",
 				Email:         "johndoe@example.com",
 				EmailVerified: true,
@ -344,66 +218,17 @@ member: cn=jane,ou=People,dc=example,dc=org
 		},
 	}

-	runTests(t, schema, connectLDAP, c, tests)
+	runTests(t, connectLDAP, c, tests)
 }

 func TestGroupsOnUserEntity(t *testing.T) {
-	schema := `
-dn: ou=People,dc=example,dc=org
-objectClass: organizationalUnit
-ou: People
-
-# Groups are enumerated as part of the user entity instead of the members being
-# a list on the group entity.
-
-dn: cn=jane,ou=People,dc=example,dc=org
-objectClass: person
-objectClass: inetOrgPerson
-sn: doe
-cn: jane
-mail: janedoe@example.com
-userpassword: foo
-departmentNumber: 1000
-departmentNumber: 1001
-
-dn: cn=john,ou=People,dc=example,dc=org
-objectClass: person
-objectClass: inetOrgPerson
-sn: doe
-cn: john
-mail: johndoe@example.com
-userpassword: bar
-departmentNumber: 1000
-departmentNumber: 1002
-
-# Group definitions. Notice that they don't have any "member" field.
-
-dn: ou=Groups,dc=example,dc=org
-objectClass: organizationalUnit
-ou: Groups
-
-dn: cn=admins,ou=Groups,dc=example,dc=org
-objectClass: posixGroup
-cn: admins
-gidNumber: 1000
-
-dn: cn=developers,ou=Groups,dc=example,dc=org
-objectClass: posixGroup
-cn: developers
-gidNumber: 1001
-
-dn: cn=designers,ou=Groups,dc=example,dc=org
-objectClass: posixGroup
-cn: designers
-gidNumber: 1002
-`
 	c := &Config{}
-	c.UserSearch.BaseDN = "ou=People,dc=example,dc=org"
+	c.UserSearch.BaseDN = "ou=People,ou=TestGroupsOnUserEntity,dc=example,dc=org"
 	c.UserSearch.NameAttr = "cn"
 	c.UserSearch.EmailAttr = "mail"
 	c.UserSearch.IDAttr = "DN"
 	c.UserSearch.Username = "cn"
-	c.GroupSearch.BaseDN = "ou=Groups,dc=example,dc=org"
+	c.GroupSearch.BaseDN = "ou=Groups,ou=TestGroupsOnUserEntity,dc=example,dc=org"
 	c.GroupSearch.UserMatchers = []UserMatcher{
 		{
 			UserAttr:  "departmentNumber",
@ -418,7 +243,7 @@ gidNumber: 1002
 			password: "foo",
 			groups:   true,
 			want: connector.Identity{
-				UserID:        "cn=jane,ou=People,dc=example,dc=org",
+				UserID:        "cn=jane,ou=People,ou=TestGroupsOnUserEntity,dc=example,dc=org",
 				Username:      "jane",
 				Email:         "janedoe@example.com",
 				EmailVerified: true,
@ -431,7 +256,7 @@ gidNumber: 1002
 			password: "bar",
 			groups:   true,
 			want: connector.Identity{
-				UserID:        "cn=john,ou=People,dc=example,dc=org",
+				UserID:        "cn=john,ou=People,ou=TestGroupsOnUserEntity,dc=example,dc=org",
 				Username:      "john",
 				Email:         "johndoe@example.com",
 				EmailVerified: true,
@ -439,72 +264,17 @@ gidNumber: 1002
 			},
 		},
 	}
-	runTests(t, schema, connectLDAP, c, tests)
+	runTests(t, connectLDAP, c, tests)
 }

 func TestGroupFilter(t *testing.T) {
-	schema := `
-dn: ou=People,dc=example,dc=org
-objectClass: organizationalUnit
-ou: People
-
-dn: cn=jane,ou=People,dc=example,dc=org
-objectClass: person
-objectClass: inetOrgPerson
-sn: doe
-cn: jane
-mail: janedoe@example.com
-userpassword: foo
-
-dn: cn=john,ou=People,dc=example,dc=org
-objectClass: person
-objectClass: inetOrgPerson
-sn: doe
-cn: john
-mail: johndoe@example.com
-userpassword: bar
-
-# Group definitions.
-
-dn: ou=Seattle,dc=example,dc=org
-objectClass: organizationalUnit
-ou: Seattle
-
-dn: ou=Portland,dc=example,dc=org
-objectClass: organizationalUnit
-ou: Portland
-
-dn: ou=Groups,ou=Seattle,dc=example,dc=org
-objectClass: organizationalUnit
-ou: Groups
-
-dn: ou=Groups,ou=Portland,dc=example,dc=org
-objectClass: organizationalUnit
-ou: Groups
-
-dn: cn=qa,ou=Groups,ou=Portland,dc=example,dc=org
-objectClass: groupOfNames
-cn: qa
-member: cn=john,ou=People,dc=example,dc=org
-
-dn: cn=admins,ou=Groups,ou=Seattle,dc=example,dc=org
-objectClass: groupOfNames
-cn: admins
-member: cn=john,ou=People,dc=example,dc=org
-member: cn=jane,ou=People,dc=example,dc=org
-
-dn: cn=developers,ou=Groups,ou=Seattle,dc=example,dc=org
-objectClass: groupOfNames
-cn: developers
-member: cn=jane,ou=People,dc=example,dc=org
-`
 	c := &Config{}
-	c.UserSearch.BaseDN = "ou=People,dc=example,dc=org"
+	c.UserSearch.BaseDN = "ou=People,ou=TestGroupFilter,dc=example,dc=org"
 	c.UserSearch.NameAttr = "cn"
 	c.UserSearch.EmailAttr = "mail"
 	c.UserSearch.IDAttr = "DN"
 	c.UserSearch.Username = "cn"
-	c.GroupSearch.BaseDN = "dc=example,dc=org"
+	c.GroupSearch.BaseDN = "ou=TestGroupFilter,dc=example,dc=org"
 	c.GroupSearch.UserMatchers = []UserMatcher{
 		{
 			UserAttr:  "DN",
@ -521,7 +291,7 @@ member: cn=jane,ou=People,dc=example,dc=org
 			password: "foo",
 			groups:   true,
 			want: connector.Identity{
-				UserID:        "cn=jane,ou=People,dc=example,dc=org",
+				UserID:        "cn=jane,ou=People,ou=TestGroupFilter,dc=example,dc=org",
 				Username:      "jane",
 				Email:         "janedoe@example.com",
 				EmailVerified: true,
@ -534,7 +304,7 @@ member: cn=jane,ou=People,dc=example,dc=org
 			password: "bar",
 			groups:   true,
 			want: connector.Identity{
-				UserID:        "cn=john,ou=People,dc=example,dc=org",
+				UserID:        "cn=john,ou=People,ou=TestGroupFilter,dc=example,dc=org",
 				Username:      "john",
 				Email:         "johndoe@example.com",
 				EmailVerified: true,
@ -543,94 +313,17 @@ member: cn=jane,ou=People,dc=example,dc=org
 		},
 	}

-	runTests(t, schema, connectLDAP, c, tests)
+	runTests(t, connectLDAP, c, tests)
 }

 func TestGroupToUserMatchers(t *testing.T) {
-	schema := `
-dn: ou=People,dc=example,dc=org
-objectClass: organizationalUnit
-ou: People
-
-dn: cn=jane,ou=People,dc=example,dc=org
-objectClass: person
-objectClass: inetOrgPerson
-sn: doe
-cn: jane
-uid: janedoe
-mail: janedoe@example.com
-userpassword: foo
-
-dn: cn=john,ou=People,dc=example,dc=org
-objectClass: person
-objectClass: inetOrgPerson
-sn: doe
-cn: john
-uid: johndoe
-mail: johndoe@example.com
-userpassword: bar
-
-# Group definitions.
-
-dn: ou=Seattle,dc=example,dc=org
-objectClass: organizationalUnit
-ou: Seattle
-
-dn: ou=Portland,dc=example,dc=org
-objectClass: organizationalUnit
-ou: Portland
-
-dn: ou=Groups,ou=Seattle,dc=example,dc=org
-objectClass: organizationalUnit
-ou: Groups
-
-dn: ou=UnixGroups,ou=Seattle,dc=example,dc=org
-objectClass: organizationalUnit
-ou: UnixGroups
-
-dn: ou=Groups,ou=Portland,dc=example,dc=org
-objectClass: organizationalUnit
-ou: Groups
-
-dn: ou=UnixGroups,ou=Portland,dc=example,dc=org
-objectClass: organizationalUnit
-ou: UnixGroups
-
-dn: cn=qa,ou=Groups,ou=Portland,dc=example,dc=org
-objectClass: groupOfNames
-cn: qa
-member: cn=john,ou=People,dc=example,dc=org
-
-dn: cn=logger,ou=UnixGroups,ou=Portland,dc=example,dc=org
-objectClass: posixGroup
-gidNumber: 1000
-cn: logger
-memberUid: johndoe
-
-dn: cn=admins,ou=Groups,ou=Seattle,dc=example,dc=org
-objectClass: groupOfNames
-cn: admins
-member: cn=john,ou=People,dc=example,dc=org
-member: cn=jane,ou=People,dc=example,dc=org
-
-dn: cn=developers,ou=Groups,ou=Seattle,dc=example,dc=org
-objectClass: groupOfNames
-cn: developers
-member: cn=jane,ou=People,dc=example,dc=org
-
-dn: cn=frontend,ou=UnixGroups,ou=Seattle,dc=example,dc=org
-objectClass: posixGroup
-gidNumber: 1001
-cn: frontend
-memberUid: janedoe
-`
 	c := &Config{}
-	c.UserSearch.BaseDN = "ou=People,dc=example,dc=org"
+	c.UserSearch.BaseDN = "ou=People,ou=TestGroupToUserMatchers,dc=example,dc=org"
 	c.UserSearch.NameAttr = "cn"
 	c.UserSearch.EmailAttr = "mail"
 	c.UserSearch.IDAttr = "DN"
 	c.UserSearch.Username = "cn"
-	c.GroupSearch.BaseDN = "dc=example,dc=org"
+	c.GroupSearch.BaseDN = "ou=TestGroupToUserMatchers,dc=example,dc=org"
 	c.GroupSearch.UserMatchers = []UserMatcher{
 		{
 			UserAttr:  "DN",
@ -651,7 +344,7 @@ memberUid: janedoe
 			password: "foo",
 			groups:   true,
 			want: connector.Identity{
-				UserID:        "cn=jane,ou=People,dc=example,dc=org",
+				UserID:        "cn=jane,ou=People,ou=TestGroupToUserMatchers,dc=example,dc=org",
 				Username:      "jane",
 				Email:         "janedoe@example.com",
 				EmailVerified: true,
@ -664,84 +357,29 @@ memberUid: janedoe
 			password: "bar",
 			groups:   true,
 			want: connector.Identity{
-				UserID:        "cn=john,ou=People,dc=example,dc=org",
+				UserID:        "cn=john,ou=People,ou=TestGroupToUserMatchers,dc=example,dc=org",
 				Username:      "john",
 				Email:         "johndoe@example.com",
 				EmailVerified: true,
-				Groups:        []string{"qa", "admins", "logger"},
+				Groups:        []string{"admins", "qa", "logger"},
 			},
 		},
 	}

-	runTests(t, schema, connectLDAP, c, tests)
+	runTests(t, connectLDAP, c, tests)
 }

 // Test deprecated group to user matching implementation
 // which was left for backward compatibility.
 // See "Config.GroupSearch.UserMatchers" comments for the details
 func TestDeprecatedGroupToUserMatcher(t *testing.T) {
-	schema := `
-dn: ou=People,dc=example,dc=org
-objectClass: organizationalUnit
-ou: People
-
-dn: cn=jane,ou=People,dc=example,dc=org
-objectClass: person
-objectClass: inetOrgPerson
-sn: doe
-cn: jane
-mail: janedoe@example.com
-userpassword: foo
-
-dn: cn=john,ou=People,dc=example,dc=org
-objectClass: person
-objectClass: inetOrgPerson
-sn: doe
-cn: john
-mail: johndoe@example.com
-userpassword: bar
-
-# Group definitions.
-
-dn: ou=Seattle,dc=example,dc=org
-objectClass: organizationalUnit
-ou: Seattle
-
-dn: ou=Portland,dc=example,dc=org
-objectClass: organizationalUnit
-ou: Portland
-
-dn: ou=Groups,ou=Seattle,dc=example,dc=org
-objectClass: organizationalUnit
-ou: Groups
-
-dn: ou=Groups,ou=Portland,dc=example,dc=org
-objectClass: organizationalUnit
-ou: Groups
-
-dn: cn=qa,ou=Groups,ou=Portland,dc=example,dc=org
-objectClass: groupOfNames
-cn: qa
-member: cn=john,ou=People,dc=example,dc=org
-
-dn: cn=admins,ou=Groups,ou=Seattle,dc=example,dc=org
-objectClass: groupOfNames
-cn: admins
-member: cn=john,ou=People,dc=example,dc=org
-member: cn=jane,ou=People,dc=example,dc=org
-
-dn: cn=developers,ou=Groups,ou=Seattle,dc=example,dc=org
-objectClass: groupOfNames
-cn: developers
-member: cn=jane,ou=People,dc=example,dc=org
-`
 	c := &Config{}
-	c.UserSearch.BaseDN = "ou=People,dc=example,dc=org"
+	c.UserSearch.BaseDN = "ou=People,ou=TestDeprecatedGroupToUserMatcher,dc=example,dc=org"
 	c.UserSearch.NameAttr = "cn"
 	c.UserSearch.EmailAttr = "mail"
 	c.UserSearch.IDAttr = "DN"
 	c.UserSearch.Username = "cn"
-	c.GroupSearch.BaseDN = "dc=example,dc=org"
+	c.GroupSearch.BaseDN = "ou=TestDeprecatedGroupToUserMatcher,dc=example,dc=org"
 	c.GroupSearch.UserAttr = "DN"
 	c.GroupSearch.GroupAttr = "member"
 	c.GroupSearch.NameAttr = "cn"
@ -754,7 +392,7 @@ member: cn=jane,ou=People,dc=example,dc=org
 			password: "foo",
 			groups:   true,
 			want: connector.Identity{
-				UserID:        "cn=jane,ou=People,dc=example,dc=org",
+				UserID:        "cn=jane,ou=People,ou=TestDeprecatedGroupToUserMatcher,dc=example,dc=org",
 				Username:      "jane",
 				Email:         "janedoe@example.com",
 				EmailVerified: true,
@ -767,7 +405,7 @@ member: cn=jane,ou=People,dc=example,dc=org
 			password: "bar",
 			groups:   true,
 			want: connector.Identity{
-				UserID:        "cn=john,ou=People,dc=example,dc=org",
+				UserID:        "cn=john,ou=People,ou=TestDeprecatedGroupToUserMatcher,dc=example,dc=org",
 				Username:      "john",
 				Email:         "johndoe@example.com",
 				EmailVerified: true,
@ -776,25 +414,12 @@ member: cn=jane,ou=People,dc=example,dc=org
 		},
 	}

-	runTests(t, schema, connectLDAP, c, tests)
+	runTests(t, connectLDAP, c, tests)
 }

 func TestStartTLS(t *testing.T) {
-	schema := `
-dn: ou=People,dc=example,dc=org
-objectClass: organizationalUnit
-ou: People
-
-dn: cn=jane,ou=People,dc=example,dc=org
-objectClass: person
-objectClass: inetOrgPerson
-sn: doe
-cn: jane
-mail: janedoe@example.com
-userpassword: foo
-`
 	c := &Config{}
-	c.UserSearch.BaseDN = "ou=People,dc=example,dc=org"
+	c.UserSearch.BaseDN = "ou=People,ou=TestStartTLS,dc=example,dc=org"
 	c.UserSearch.NameAttr = "cn"
 	c.UserSearch.EmailAttr = "mail"
 	c.UserSearch.IDAttr = "DN"
@ -806,32 +431,19 @@ userpassword: foo
 			username: "jane",
 			password: "foo",
 			want: connector.Identity{
-				UserID:        "cn=jane,ou=People,dc=example,dc=org",
+				UserID:        "cn=jane,ou=People,ou=TestStartTLS,dc=example,dc=org",
 				Username:      "jane",
 				Email:         "janedoe@example.com",
 				EmailVerified: true,
 			},
 		},
 	}
-	runTests(t, schema, connectStartTLS, c, tests)
+	runTests(t, connectStartTLS, c, tests)
 }

 func TestInsecureSkipVerify(t *testing.T) {
-	schema := `
-dn: ou=People,dc=example,dc=org
-objectClass: organizationalUnit
-ou: People
-
-dn: cn=jane,ou=People,dc=example,dc=org
-objectClass: person
-objectClass: inetOrgPerson
-sn: doe
-cn: jane
-mail: janedoe@example.com
-userpassword: foo
-`
 	c := &Config{}
-	c.UserSearch.BaseDN = "ou=People,dc=example,dc=org"
+	c.UserSearch.BaseDN = "ou=People,ou=TestInsecureSkipVerify,dc=example,dc=org"
 	c.UserSearch.NameAttr = "cn"
 	c.UserSearch.EmailAttr = "mail"
 	c.UserSearch.IDAttr = "DN"
@ -843,32 +455,19 @@ userpassword: foo
 			username: "jane",
 			password: "foo",
 			want: connector.Identity{
-				UserID:        "cn=jane,ou=People,dc=example,dc=org",
+				UserID:        "cn=jane,ou=People,ou=TestInsecureSkipVerify,dc=example,dc=org",
 				Username:      "jane",
 				Email:         "janedoe@example.com",
 				EmailVerified: true,
 			},
 		},
 	}
-	runTests(t, schema, connectInsecureSkipVerify, c, tests)
+	runTests(t, connectInsecureSkipVerify, c, tests)
 }

 func TestLDAPS(t *testing.T) {
-	schema := `
-dn: ou=People,dc=example,dc=org
-objectClass: organizationalUnit
-ou: People
-
-dn: cn=jane,ou=People,dc=example,dc=org
-objectClass: person
-objectClass: inetOrgPerson
-sn: doe
-cn: jane
-mail: janedoe@example.com
-userpassword: foo
-`
 	c := &Config{}
-	c.UserSearch.BaseDN = "ou=People,dc=example,dc=org"
+	c.UserSearch.BaseDN = "ou=People,ou=TestLDAPS,dc=example,dc=org"
 	c.UserSearch.NameAttr = "cn"
 	c.UserSearch.EmailAttr = "mail"
 	c.UserSearch.IDAttr = "DN"
@ -880,14 +479,14 @@ userpassword: foo
 			username: "jane",
 			password: "foo",
 			want: connector.Identity{
-				UserID:        "cn=jane,ou=People,dc=example,dc=org",
+				UserID:        "cn=jane,ou=People,ou=TestLDAPS,dc=example,dc=org",
 				Username:      "jane",
 				Email:         "janedoe@example.com",
 				EmailVerified: true,
 			},
 		},
 	}
-	runTests(t, schema, connectLDAPS, c, tests)
+	runTests(t, connectLDAPS, c, tests)
 }

 func TestUsernamePrompt(t *testing.T) {
@ -915,89 +514,18 @@ func TestUsernamePrompt(t *testing.T) {
 	}
 }

-// runTests runs a set of tests against an LDAP schema. It does this by
-// setting up an OpenLDAP server and injecting the provided scheme.
-//
-// The tests require Docker.
-//
-// The DEX_LDAP_TESTS must be set to "1"
-func runTests(t *testing.T, schema string, connMethod connectionMethod, config *Config, tests []subtest) {
-	if os.Getenv(envVar) != "1" {
-		t.Skipf("%s not set. Skipping test (run 'export %s=1' to run tests)", envVar, envVar)
-	}
-
-	wd, err := os.Getwd()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	tempDir, err := ioutil.TempDir("", "")
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer os.RemoveAll(tempDir)
-
-	schemaPath := filepath.Join(tempDir, "schema.ldif")
-	if err := ioutil.WriteFile(schemaPath, []byte(schema), 0777); err != nil {
-		t.Fatal(err)
-	}
-
-	req := testcontainers.ContainerRequest{
-		Image:        "osixia/openldap:1.3.0",
-		ExposedPorts: []string{"389/tcp", "636/tcp"},
-		Cmd:          []string{"--copy-service"},
-		Env: map[string]string{
-			"LDAP_BASE_DN":           "dc=example,dc=org",
-			"LDAP_TLS":               "true",
-			"LDAP_TLS_VERIFY_CLIENT": "try",
-		},
-		BindMounts: map[string]string{
-			filepath.Join(wd, "testdata", "certs"): "/container/service/slapd/assets/certs",
-			schemaPath:                             "/container/service/slapd/assets/config/bootstrap/ldif/99-schema.ldif",
-		},
-		WaitingFor: wait.ForAll(
-			wait.ForLog("slapd starting").WithOccurrence(3).WithStartupTimeout(time.Minute),
-			wait.ForListeningPort("389/tcp"),
-			wait.ForListeningPort("636/tcp"),
-		),
-	}
-
-	ctx := context.Background()
-
-	slapd, err := testcontainers.GenericContainer(ctx, testcontainers.GenericContainerRequest{
-		ContainerRequest: req,
-		Started:          true,
-	})
-	if err != nil {
-		if slapd != nil {
-			logs, err := slapd.Logs(ctx)
-			if err == nil {
-				defer logs.Close()
-
-				logLines, err := ioutil.ReadAll(logs)
-				if err != nil {
-					t.Log(string(logLines))
-				}
-			}
-		}
-
-		t.Fatal(err)
-	}
-	defer slapd.Terminate(ctx)
-
-	ip, err := slapd.Host(ctx)
-	if err != nil {
-		t.Fatal(err)
-	}
-	port, err := slapd.MappedPort(ctx, "389")
-	if err != nil {
-		t.Fatal(err)
-	}
-	tlsPort, err := slapd.MappedPort(ctx, "636")
-	if err != nil {
-		t.Fatal(err)
+func getenv(key, defaultVal string) string {
+	if val := os.Getenv(key); val != "" {
+		return val
 	}
+	return defaultVal
+}

+// runTests runs a set of tests against an LDAP schema.
+//
+// The tests require LDAP to be runnning.
+// You can use the provided docker-compose file to setup an LDAP server.
+func runTests(t *testing.T, connMethod connectionMethod, config *Config, tests []subtest) {
 	// Shallow copy.
 	c := *config

@ -1005,17 +533,17 @@ func runTests(t *testing.T, schema string, connMethod connectionMethod, config *
 	// group search configuration.
 	switch connMethod {
 	case connectStartTLS:
-		c.Host = fmt.Sprintf("%s:%s", ip, port.Port())
+		c.Host = fmt.Sprintf("%s:%s", getenv("DEX_LDAP_HOST", "localhost"), getenv("DEX_LDAP_PORT", "389"))
 		c.RootCA = "testdata/certs/ca.crt"
 		c.StartTLS = true
 	case connectLDAPS:
-		c.Host = fmt.Sprintf("%s:%s", ip, tlsPort.Port())
+		c.Host = fmt.Sprintf("%s:%s", getenv("DEX_LDAP_HOST", "localhost"), getenv("DEX_LDAP_TLS_PORT", "636"))
 		c.RootCA = "testdata/certs/ca.crt"
 	case connectInsecureSkipVerify:
-		c.Host = fmt.Sprintf("%s:%s", ip, tlsPort.Port())
+		c.Host = fmt.Sprintf("%s:%s", getenv("DEX_LDAP_HOST", "localhost"), getenv("DEX_LDAP_TLS_PORT", "636"))
 		c.InsecureSkipVerify = true
 	case connectLDAP:
-		c.Host = fmt.Sprintf("%s:%s", ip, port.Port())
+		c.Host = fmt.Sprintf("%s:%s", getenv("DEX_LDAP_HOST", "localhost"), getenv("DEX_LDAP_PORT", "389"))
 		c.InsecureNoSSL = true
 	}

--- a/connector/ldap/testdata/schema.ldif
+++ b/connector/ldap/testdata/schema.ldif
@ -0,0 +1,447 @@
+dn: ou=TestQuery,dc=example,dc=org
+objectClass: organizationalUnit
+ou: TestQuery
+
+dn: ou=People,ou=TestQuery,dc=example,dc=org
+objectClass: organizationalUnit
+ou: People
+
+dn: cn=jane,ou=People,ou=TestQuery,dc=example,dc=org
+objectClass: person
+objectClass: inetOrgPerson
+sn: doe
+cn: jane
+mail: janedoe@example.com
+userpassword: foo
+
+dn: cn=john,ou=People,ou=TestQuery,dc=example,dc=org
+objectClass: person
+objectClass: inetOrgPerson
+sn: doe
+cn: john
+mail: johndoe@example.com
+userpassword: bar
+
+########################################################################
+
+dn: ou=TestQueryWithEmailSuffix,dc=example,dc=org
+objectClass: organizationalUnit
+ou: TestQueryWithEmailSuffix
+
+dn: ou=People,ou=TestQueryWithEmailSuffix,dc=example,dc=org
+objectClass: organizationalUnit
+ou: People
+
+dn: cn=jane,ou=People,ou=TestQueryWithEmailSuffix,dc=example,dc=org
+objectClass: person
+objectClass: inetOrgPerson
+sn: doe
+cn: jane
+mail: janedoe@example.com
+userpassword: foo
+
+dn: cn=john,ou=People,ou=TestQueryWithEmailSuffix,dc=example,dc=org
+objectClass: person
+objectClass: inetOrgPerson
+sn: doe
+cn: john
+userpassword: bar
+
+########################################################################
+
+dn: ou=TestUserFilter,dc=example,dc=org
+objectClass: organizationalUnit
+ou: TestUserFilter
+
+dn: ou=Seattle,ou=TestUserFilter,dc=example,dc=org
+objectClass: organizationalUnit
+ou: Seattle
+
+dn: ou=Portland,ou=TestUserFilter,dc=example,dc=org
+objectClass: organizationalUnit
+ou: Portland
+
+dn: ou=People,ou=Seattle,ou=TestUserFilter,dc=example,dc=org
+objectClass: organizationalUnit
+ou: People
+
+dn: ou=People,ou=Portland,ou=TestUserFilter,dc=example,dc=org
+objectClass: organizationalUnit
+ou: People
+
+dn: cn=jane,ou=People,ou=Seattle,ou=TestUserFilter,dc=example,dc=org
+objectClass: person
+objectClass: inetOrgPerson
+sn: doe
+cn: jane
+mail: janedoe@example.com
+userpassword: foo
+
+dn: cn=jane,ou=People,ou=Portland,ou=TestUserFilter,dc=example,dc=org
+objectClass: person
+objectClass: inetOrgPerson
+sn: doe
+cn: jane
+mail: janedoefromportland@example.com
+userpassword: baz
+
+dn: cn=john,ou=People,ou=Seattle,ou=TestUserFilter,dc=example,dc=org
+objectClass: person
+objectClass: inetOrgPerson
+sn: doe
+cn: john
+mail: johndoe@example.com
+userpassword: bar
+
+########################################################################
+
+dn: ou=TestGroupQuery,dc=example,dc=org
+objectClass: organizationalUnit
+ou: TestGroupQuery
+
+dn: ou=People,ou=TestGroupQuery,dc=example,dc=org
+objectClass: organizationalUnit
+ou: People
+
+dn: cn=jane,ou=People,ou=TestGroupQuery,dc=example,dc=org
+objectClass: person
+objectClass: inetOrgPerson
+sn: doe
+cn: jane
+mail: janedoe@example.com
+userpassword: foo
+
+dn: cn=john,ou=People,ou=TestGroupQuery,dc=example,dc=org
+objectClass: person
+objectClass: inetOrgPerson
+sn: doe
+cn: john
+mail: johndoe@example.com
+userpassword: bar
+
+# Group definitions.
+
+dn: ou=Groups,ou=TestGroupQuery,dc=example,dc=org
+objectClass: organizationalUnit
+ou: Groups
+
+dn: cn=admins,ou=Groups,ou=TestGroupQuery,dc=example,dc=org
+objectClass: groupOfNames
+cn: admins
+member: cn=john,ou=People,ou=TestGroupQuery,dc=example,dc=org
+member: cn=jane,ou=People,ou=TestGroupQuery,dc=example,dc=org
+
+dn: cn=developers,ou=Groups,ou=TestGroupQuery,dc=example,dc=org
+objectClass: groupOfNames
+cn: developers
+member: cn=jane,ou=People,ou=TestGroupQuery,dc=example,dc=org
+
+########################################################################
+
+dn: ou=TestGroupsOnUserEntity,dc=example,dc=org
+objectClass: organizationalUnit
+ou: TestGroupsOnUserEntity
+
+dn: ou=People,ou=TestGroupsOnUserEntity,dc=example,dc=org
+objectClass: organizationalUnit
+ou: People
+
+# Groups are enumerated as part of the user entity instead of the members being
+# a list on the group entity.
+
+dn: cn=jane,ou=People,ou=TestGroupsOnUserEntity,dc=example,dc=org
+objectClass: person
+objectClass: inetOrgPerson
+sn: doe
+cn: jane
+mail: janedoe@example.com
+userpassword: foo
+departmentNumber: 1000
+departmentNumber: 1001
+
+dn: cn=john,ou=People,ou=TestGroupsOnUserEntity,dc=example,dc=org
+objectClass: person
+objectClass: inetOrgPerson
+sn: doe
+cn: john
+mail: johndoe@example.com
+userpassword: bar
+departmentNumber: 1000
+departmentNumber: 1002
+
+# Group definitions. Notice that they don't have any "member" field.
+
+dn: ou=Groups,ou=TestGroupsOnUserEntity,dc=example,dc=org
+objectClass: organizationalUnit
+ou: Groups
+
+dn: cn=admins,ou=Groups,ou=TestGroupsOnUserEntity,dc=example,dc=org
+objectClass: posixGroup
+cn: admins
+gidNumber: 1000
+
+dn: cn=developers,ou=Groups,ou=TestGroupsOnUserEntity,dc=example,dc=org
+objectClass: posixGroup
+cn: developers
+gidNumber: 1001
+
+dn: cn=designers,ou=Groups,ou=TestGroupsOnUserEntity,dc=example,dc=org
+objectClass: posixGroup
+cn: designers
+gidNumber: 1002
+
+########################################################################
+
+dn: ou=TestGroupFilter,dc=example,dc=org
+objectClass: organizationalUnit
+ou: TestGroupFilter
+
+dn: ou=People,ou=TestGroupFilter,dc=example,dc=org
+objectClass: organizationalUnit
+ou: People
+
+dn: cn=jane,ou=People,ou=TestGroupFilter,dc=example,dc=org
+objectClass: person
+objectClass: inetOrgPerson
+sn: doe
+cn: jane
+mail: janedoe@example.com
+userpassword: foo
+
+dn: cn=john,ou=People,ou=TestGroupFilter,dc=example,dc=org
+objectClass: person
+objectClass: inetOrgPerson
+sn: doe
+cn: john
+mail: johndoe@example.com
+userpassword: bar
+
+# Group definitions.
+
+dn: ou=Seattle,ou=TestGroupFilter,dc=example,dc=org
+objectClass: organizationalUnit
+ou: Seattle
+
+dn: ou=Portland,ou=TestGroupFilter,dc=example,dc=org
+objectClass: organizationalUnit
+ou: Portland
+
+dn: ou=Groups,ou=Seattle,ou=TestGroupFilter,dc=example,dc=org
+objectClass: organizationalUnit
+ou: Groups
+
+dn: ou=Groups,ou=Portland,ou=TestGroupFilter,dc=example,dc=org
+objectClass: organizationalUnit
+ou: Groups
+
+dn: cn=qa,ou=Groups,ou=Portland,ou=TestGroupFilter,dc=example,dc=org
+objectClass: groupOfNames
+cn: qa
+member: cn=john,ou=People,ou=TestGroupFilter,dc=example,dc=org
+
+dn: cn=admins,ou=Groups,ou=Seattle,ou=TestGroupFilter,dc=example,dc=org
+objectClass: groupOfNames
+cn: admins
+member: cn=john,ou=People,ou=TestGroupFilter,dc=example,dc=org
+member: cn=jane,ou=People,ou=TestGroupFilter,dc=example,dc=org
+
+dn: cn=developers,ou=Groups,ou=Seattle,ou=TestGroupFilter,dc=example,dc=org
+objectClass: groupOfNames
+cn: developers
+member: cn=jane,ou=People,ou=TestGroupFilter,dc=example,dc=org
+
+########################################################################
+
+dn: ou=TestGroupToUserMatchers,dc=example,dc=org
+objectClass: organizationalUnit
+ou: TestGroupToUserMatchers
+
+dn: ou=People,ou=TestGroupToUserMatchers,dc=example,dc=org
+objectClass: organizationalUnit
+ou: People
+
+dn: cn=jane,ou=People,ou=TestGroupToUserMatchers,dc=example,dc=org
+objectClass: person
+objectClass: inetOrgPerson
+sn: doe
+cn: jane
+uid: janedoe
+mail: janedoe@example.com
+userpassword: foo
+
+dn: cn=john,ou=People,ou=TestGroupToUserMatchers,dc=example,dc=org
+objectClass: person
+objectClass: inetOrgPerson
+sn: doe
+cn: john
+uid: johndoe
+mail: johndoe@example.com
+userpassword: bar
+
+# Group definitions.
+
+dn: ou=Seattle,ou=TestGroupToUserMatchers,dc=example,dc=org
+objectClass: organizationalUnit
+ou: Seattle
+
+dn: ou=Portland,ou=TestGroupToUserMatchers,dc=example,dc=org
+objectClass: organizationalUnit
+ou: Portland
+
+dn: ou=Groups,ou=Seattle,ou=TestGroupToUserMatchers,dc=example,dc=org
+objectClass: organizationalUnit
+ou: Groups
+
+dn: ou=UnixGroups,ou=Seattle,ou=TestGroupToUserMatchers,dc=example,dc=org
+objectClass: organizationalUnit
+ou: UnixGroups
+
+dn: ou=Groups,ou=Portland,ou=TestGroupToUserMatchers,dc=example,dc=org
+objectClass: organizationalUnit
+ou: Groups
+
+dn: ou=UnixGroups,ou=Portland,ou=TestGroupToUserMatchers,dc=example,dc=org
+objectClass: organizationalUnit
+ou: UnixGroups
+
+dn: cn=qa,ou=Groups,ou=Portland,ou=TestGroupToUserMatchers,dc=example,dc=org
+objectClass: groupOfNames
+cn: qa
+member: cn=john,ou=People,ou=TestGroupToUserMatchers,dc=example,dc=org
+
+dn: cn=logger,ou=UnixGroups,ou=Portland,ou=TestGroupToUserMatchers,dc=example,dc=org
+objectClass: posixGroup
+gidNumber: 1000
+cn: logger
+memberUid: johndoe
+
+dn: cn=admins,ou=Groups,ou=Seattle,ou=TestGroupToUserMatchers,dc=example,dc=org
+objectClass: groupOfNames
+cn: admins
+member: cn=john,ou=People,ou=TestGroupToUserMatchers,dc=example,dc=org
+member: cn=jane,ou=People,ou=TestGroupToUserMatchers,dc=example,dc=org
+
+dn: cn=developers,ou=Groups,ou=Seattle,ou=TestGroupToUserMatchers,dc=example,dc=org
+objectClass: groupOfNames
+cn: developers
+member: cn=jane,ou=People,ou=TestGroupToUserMatchers,dc=example,dc=org
+
+dn: cn=frontend,ou=UnixGroups,ou=Seattle,ou=TestGroupToUserMatchers,dc=example,dc=org
+objectClass: posixGroup
+gidNumber: 1001
+cn: frontend
+memberUid: janedoe
+
+########################################################################
+
+dn: ou=TestDeprecatedGroupToUserMatcher,dc=example,dc=org
+objectClass: organizationalUnit
+ou: TestDeprecatedGroupToUserMatcher
+
+dn: ou=People,ou=TestDeprecatedGroupToUserMatcher,dc=example,dc=org
+objectClass: organizationalUnit
+ou: People
+
+dn: cn=jane,ou=People,ou=TestDeprecatedGroupToUserMatcher,dc=example,dc=org
+objectClass: person
+objectClass: inetOrgPerson
+sn: doe
+cn: jane
+mail: janedoe@example.com
+userpassword: foo
+
+dn: cn=john,ou=People,ou=TestDeprecatedGroupToUserMatcher,dc=example,dc=org
+objectClass: person
+objectClass: inetOrgPerson
+sn: doe
+cn: john
+mail: johndoe@example.com
+userpassword: bar
+
+# Group definitions.
+
+dn: ou=Seattle,ou=TestDeprecatedGroupToUserMatcher,dc=example,dc=org
+objectClass: organizationalUnit
+ou: Seattle
+
+dn: ou=Portland,ou=TestDeprecatedGroupToUserMatcher,dc=example,dc=org
+objectClass: organizationalUnit
+ou: Portland
+
+dn: ou=Groups,ou=Seattle,ou=TestDeprecatedGroupToUserMatcher,dc=example,dc=org
+objectClass: organizationalUnit
+ou: Groups
+
+dn: ou=Groups,ou=Portland,ou=TestDeprecatedGroupToUserMatcher,dc=example,dc=org
+objectClass: organizationalUnit
+ou: Groups
+
+dn: cn=qa,ou=Groups,ou=Portland,ou=TestDeprecatedGroupToUserMatcher,dc=example,dc=org
+objectClass: groupOfNames
+cn: qa
+member: cn=john,ou=People,ou=TestDeprecatedGroupToUserMatcher,dc=example,dc=org
+
+dn: cn=admins,ou=Groups,ou=Seattle,ou=TestDeprecatedGroupToUserMatcher,dc=example,dc=org
+objectClass: groupOfNames
+cn: admins
+member: cn=john,ou=People,ou=TestDeprecatedGroupToUserMatcher,dc=example,dc=org
+member: cn=jane,ou=People,ou=TestDeprecatedGroupToUserMatcher,dc=example,dc=org
+
+dn: cn=developers,ou=Groups,ou=Seattle,ou=TestDeprecatedGroupToUserMatcher,dc=example,dc=org
+objectClass: groupOfNames
+cn: developers
+member: cn=jane,ou=People,ou=TestDeprecatedGroupToUserMatcher,dc=example,dc=org
+
+########################################################################
+
+dn: ou=TestStartTLS,dc=example,dc=org
+objectClass: organizationalUnit
+ou: TestStartTLS
+
+dn: ou=People,ou=TestStartTLS,dc=example,dc=org
+objectClass: organizationalUnit
+ou: People
+
+dn: cn=jane,ou=People,ou=TestStartTLS,dc=example,dc=org
+objectClass: person
+objectClass: inetOrgPerson
+sn: doe
+cn: jane
+mail: janedoe@example.com
+userpassword: foo
+
+########################################################################
+
+dn: ou=TestInsecureSkipVerify,dc=example,dc=org
+objectClass: organizationalUnit
+ou: TestInsecureSkipVerify
+
+dn: ou=People,ou=TestInsecureSkipVerify,dc=example,dc=org
+objectClass: organizationalUnit
+ou: People
+
+dn: cn=jane,ou=People,ou=TestInsecureSkipVerify,dc=example,dc=org
+objectClass: person
+objectClass: inetOrgPerson
+sn: doe
+cn: jane
+mail: janedoe@example.com
+userpassword: foo
+
+########################################################################
+
+dn: ou=TestLDAPS,dc=example,dc=org
+objectClass: organizationalUnit
+ou: TestLDAPS
+
+dn: ou=People,ou=TestLDAPS,dc=example,dc=org
+objectClass: organizationalUnit
+ou: People
+
+dn: cn=jane,ou=People,ou=TestLDAPS,dc=example,dc=org
+objectClass: person
+objectClass: inetOrgPerson
+sn: doe
+cn: jane
+mail: janedoe@example.com
+userpassword: foo
--- a/docker-compose.override.yaml.dist
+++ b/docker-compose.override.yaml.dist
@ -12,3 +12,8 @@ services:
    etcd:
        ports:
            - "127.0.0.1:2379:2379"
+
+    ldap:
+        ports:
+            - "127.0.0.1:389:389"
+            - "127.0.0.1:636:636"
--- a/docker-compose.test.yaml
+++ b/docker-compose.test.yaml
@ -0,0 +1,18 @@
+version: "3.8"
+
+services:
+    ldap:
+        image: osixia/openldap:1.4.0
+        # Copying is required because the entrypoint modifies the *.ldif files.
+        # For verbose output, use:  command: ["--copy-service", "--loglevel", "debug"]
+        command: ["--copy-service"]
+        environment:
+            LDAP_BASE_DN: "dc=example,dc=org"
+            LDAP_TLS: "true"
+            LDAP_TLS_VERIFY_CLIENT: try
+        ports:
+            - 389:389
+            - 636:636
+        volumes:
+            - ./connector/ldap/testdata/certs:/container/service/slapd/assets/certs
+            - ./connector/ldap/testdata/schema.ldif:/container/service/slapd/assets/config/bootstrap/ldif/99-schema.ldif
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@ -32,3 +32,16 @@ services:

    # For testing the Kubernetes storage backend we suggest https://kind.sigs.k8s.io/:
    # kind create cluster
+
+    ldap:
+        image: osixia/openldap:1.4.0
+        # Copying is required because the entrypoint modifies the *.ldif files.
+        # For verbose output, use:  command: ["--copy-service", "--loglevel", "debug"]
+        command: ["--copy-service"]
+        environment:
+            LDAP_BASE_DN: "dc=example,dc=org"
+            LDAP_TLS: "true"
+            LDAP_TLS_VERIFY_CLIENT: try
+        volumes:
+            - ./connector/ldap/testdata/certs:/container/service/slapd/assets/certs
+            - ./connector/ldap/testdata/schema.ldif:/container/service/slapd/assets/config/bootstrap/ldif/99-schema.ldif
--- a/go.mod
+++ b/go.mod
@ -4,13 +4,13 @@ go 1.15

 require (
 	github.com/AppsFlyer/go-sundheit v0.3.1
-	github.com/Microsoft/hcsshim v0.8.14 // indirect
 	github.com/beevik/etree v1.1.0
 	github.com/coreos/go-oidc/v3 v3.0.0
 	github.com/dexidp/dex/api/v2 v2.0.0
 	github.com/felixge/httpsnoop v1.0.1
 	github.com/ghodss/yaml v1.0.0
 	github.com/go-sql-driver/mysql v1.5.0
+	github.com/gogo/protobuf v1.3.1 // indirect
 	github.com/golang/protobuf v1.3.2
 	github.com/gorilla/handlers v1.5.1
 	github.com/gorilla/mux v1.8.0
@ -20,17 +20,19 @@ require (
 	github.com/mattermost/xml-roundtrip-validator v0.0.0-20201219040909-8fd2afad43d1
 	github.com/mattn/go-sqlite3 v1.14.6
 	github.com/oklog/run v1.1.0
+	github.com/onsi/ginkgo v1.8.0 // indirect
+	github.com/onsi/gomega v1.5.0 // indirect
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.4.0
 	github.com/russellhaering/goxmldsig v1.1.0
 	github.com/sirupsen/logrus v1.7.0
 	github.com/spf13/cobra v1.1.3
 	github.com/stretchr/testify v1.7.0
-	github.com/testcontainers/testcontainers-go v0.0.9
 	go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738
 	golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad
 	golang.org/x/net v0.0.0-20201224014010-6772e930b67b
 	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
+	golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3 // indirect
 	google.golang.org/api v0.15.0
 	google.golang.org/grpc v1.26.0
 	gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d // indirect
--- a/go.sum
+++ b/go.sum
@ -15,17 +15,9 @@ cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiy
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 github.com/AppsFlyer/go-sundheit v0.3.1 h1:Zqnr3wV3WQmXonc234k9XZAoV2KHUHw3osR5k2iHQZE=
 github.com/AppsFlyer/go-sundheit v0.3.1/go.mod h1:iZ8zWMS7idcvmqewf5mEymWWgoOiG/0WD4+aeh+heX4=
-github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 h1:w+iIsaOQNcT7OZ575w+acHgRric5iCyQh+xv+KJ4HB8=
-github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
 github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/Microsoft/go-winio v0.4.11 h1:zoIOcVf0xPN1tnMVbTtEdI+P8OofVk3NObnwOQ6nK2Q=
-github.com/Microsoft/go-winio v0.4.11/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA=
-github.com/Microsoft/go-winio v0.4.16-0.20201130162521-d1ffc52c7331 h1:3YnB7Hpmh1lPecPE8doMOtYCrMdrpedZOvxfuNES/Vk=
-github.com/Microsoft/go-winio v0.4.16-0.20201130162521-d1ffc52c7331/go.mod h1:XB6nPKklQyQ7GC9LdcBEcBl8PF76WugXOPRXwdLnMv0=
-github.com/Microsoft/hcsshim v0.8.14 h1:lbPVK25c1cu5xTLITwpUcxoA9vKrKErASPYygvouJns=
-github.com/Microsoft/hcsshim v0.8.14/go.mod h1:NtVKoYxQuTLx6gEq0L96c9Ju4JbRJ4nY2ow3VK6a9Lg=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
@ -42,26 +34,14 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
 github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84=
-github.com/cenkalti/backoff v2.2.1+incompatible h1:tNowT99t7UNflLxfYYSlKYsBpXdEet03Pg2g16Swow4=
-github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/cilium/ebpf v0.0.0-20200110133405-4032b1d8aae3/go.mod h1:MA5e5Lr8slmEg9bt0VpxxWqJlO4iwu3FBdHUzV7wQVg=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa h1:OaNxuTZr7kxeODyLWsRMC+OD03aFUH+mW6r2d+MWa5Y=
 github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8=
-github.com/containerd/cgroups v0.0.0-20200531161412-0dbf7f05ba59/go.mod h1:pA0z1pT8KYB3TCXK/ocprsh7MAkoW8bZVzPdih9snmM=
-github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw=
-github.com/containerd/containerd v1.3.2/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
-github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc h1:TP+534wVlf61smEIq1nwLLAjQVEK2EADoW3CX9AuT+8=
-github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
-github.com/containerd/fifo v0.0.0-20190226154929-a9fb20d87448/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI=
-github.com/containerd/go-runc v0.0.0-20180907222934-5a6d9f37cfa3/go.mod h1:IV7qH3hrUgRmyYrtgEeGWJfWbgcHL9CSRruz2Vqcph0=
-github.com/containerd/ttrpc v0.0.0-20190828154514-0e0f228740de/go.mod h1:PvCDdDGpgqzQIzDW1TphrGLssLDZp2GuS+X5DkEJB8o=
-github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd/go.mod h1:Cm3kwCdlkCfMSHURc+r6fwoGH6/F1hH3S4sg0rLFWPc=
 github.com/coreos/bbolt v1.3.2 h1:wZwiHHUieZCquLkDL0B8UhzreNWsPHooDAG3q34zk0s=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.13+incompatible h1:8F3hqu9fGYLBifCmRCJsicFqDx/D68Rt3q1JMazcgBQ=
@ -74,11 +54,9 @@ github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3Ee
 github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e h1:Wf6HqHfScWJN9/ZjdUKyjop4mf3Qdd+1TvvltAvM3m8=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
-github.com/coreos/go-systemd/v22 v22.0.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk=
 github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f h1:lBNOc5arjvs8E5mO2tbpBpLoyyu8B6e44T7hJy6potg=
 github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
-github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@ -87,16 +65,6 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
-github.com/docker/distribution v2.7.1-0.20190205005809-0d3efadf0154+incompatible h1:dvc1KSkIYTVjZgHf/CTC2diTYC8PzhaA5sFISRfNVrE=
-github.com/docker/distribution v2.7.1-0.20190205005809-0d3efadf0154+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v0.7.3-0.20190506211059-b20a14b54661 h1:ZuxGvIvF01nfc/G9RJ5Q7Va1zQE2WJyG18Zv3DqCEf4=
-github.com/docker/docker v0.7.3-0.20190506211059-b20a14b54661/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
-github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
-github.com/docker/go-units v0.3.3 h1:Xk8S3Xj5sLGlG5g67hJmYMmUgXv5N4PhkjJHHqrwnTk=
-github.com/docker/go-units v0.3.3/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw=
-github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4 h1:qk/FSDDxo05wdJH28W+p5yivv7LuLYLRXPPD8KQCtZs=
 github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
@ -115,15 +83,10 @@ github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
-github.com/go-redis/redis v6.15.6+incompatible h1:H9evprGPLI8+ci7fxQx6WNZHJSb7be8FqJQRhdQZ5Sg=
-github.com/go-redis/redis v6.15.6+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA=
-github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
 github.com/go-sql-driver/mysql v1.5.0 h1:ozyZYNQW3x3HtqT1jira07DN2PArx2v7/mN66gGcHOs=
 github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
-github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
-github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.1 h1:/s5zKNz0uPFCZ5hddgPdo2TK2TVrUNMn0OOX8/aZMTE=
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
 github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls=
@ -160,10 +123,8 @@ github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+
 github.com/googleapis/gax-go/v2 v2.0.5 h1:sjZBwGj9Jlw33ImPtvFviGYvseOtDM7hkSKB7+Tv3SM=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
-github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
 github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4=
 github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q=
-github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
 github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
 github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
 github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
@ -216,8 +177,6 @@ github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvW
 github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/konsorten/go-windows-terminal-sequences v1.0.2 h1:DB17ag19krx9CFsz4o3enTrPXyIXCl+2iCXH/aMAp9s=
-github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
@ -254,8 +213,6 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJ
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/morikuni/aec v0.0.0-20170113033406-39771216ff4c h1:nXxl5PrvVm2L/wCy8dQu6DMTwH4oIuGN8GJDAlqDdVE=
-github.com/morikuni/aec v0.0.0-20170113033406-39771216ff4c/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/oklog/run v1.1.0 h1:GEenZ1cK0+q0+wsJew9qUg/DyD8k3JzYsZAi5gYi2mA=
 github.com/oklog/run v1.1.0/go.mod h1:sVPdnTZT1zYwAJeCMu2Th4T21pA3FPOQRfWjQlk7DVU=
@ -268,15 +225,6 @@ github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+W
 github.com/onsi/gomega v1.3.0/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
 github.com/onsi/gomega v1.5.0 h1:izbySO9zDPmjJ8rDjLvkA2zJHIo+HkYXHnf7eN7SSyo=
 github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
-github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
-github.com/opencontainers/go-digest v1.0.0-rc1 h1:WzifXhOVOEOuFYOJAW6aQqW0TooG2iki3E3Ii+WN7gQ=
-github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
-github.com/opencontainers/image-spec v1.0.1 h1:JMemWkRwHx4Zj+fVxWoMCFm/8sYGGrUVojFA6h/TRcI=
-github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
-github.com/opencontainers/runc v0.0.0-20190115041553-12f6a991201f/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
-github.com/opencontainers/runc v0.1.1 h1:GlxAyO6x8rfZYN9Tt0Kti5a/cP41iuiO2yYT0IJGY8Y=
-github.com/opencontainers/runc v0.1.1/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
-github.com/opencontainers/runtime-spec v1.0.2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@ -301,7 +249,6 @@ github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y8
 github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.9.1 h1:KOMtN28tlbam3/7ZKEYKHhKoJZYYj3gMH4uc62x7X7U=
 github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8bs7vj7HSQ4=
-github.com/prometheus/procfs v0.0.0-20180125133057-cb4147076ac7/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
@ -314,12 +261,9 @@ github.com/russellhaering/goxmldsig v1.1.0 h1:lK/zeJie2sqG52ZAlPNn1oBBqsIsEKypUU
 github.com/russellhaering/goxmldsig v1.1.0/go.mod h1:QK8GhXPB3+AfuCrfo0oRISa9NfzeCpWmxeGnqEpDF9o=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
-github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww=
-github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
-github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
 github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.7.0 h1:ShrD1U9pZB12TX0cVy0DtePoCH97K8EtX+mg7ZARUtM=
@ -354,13 +298,10 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
-github.com/testcontainers/testcontainers-go v0.0.9 h1:mwvFz+FkuQMqQ9oLkG4cVzPsZTRmrCo2NcaerJNaptA=
-github.com/testcontainers/testcontainers-go v0.0.9/go.mod h1:0Qe9qqjNZgxHzzdHPWwmQ2D49FFO7920hLdJ4yUJXJI=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5 h1:LnC5Kc/wtumK+WB441p7ynQJzVuNRJiqddSIE3IlSEQ=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
-github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 h1:eY9dn8+vbi4tKz5Qo6v2eYzo7kUS51QINcR5jNpbZS8=
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
@ -422,8 +363,6 @@ golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR
 golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20191004110552-13f9640d40b9 h1:rjwSpXsdiK0dV8/Naq3kAw9ymfAeJIyd0upUIElB+lI=
-golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200505041828-1ed23360d12c h1:zJ0mtu4jCalhKg6Oaukv6iIkb+cOvDrajDH9DH46Q4M=
 golang.org/x/net v0.0.0-20200505041828-1ed23360d12c/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20201224014010-6772e930b67b h1:iFwSg7t5GZmB/Q5TjiEAsdoLDrdJRC1RiF2WhuV29Qw=
@ -449,7 +388,6 @@ golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20181228144115-9a3f9b0469bb/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@ -459,10 +397,7 @@ golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191022100944-742c48ecaeb7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200120151820-655fe14d7479/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@ -482,8 +417,6 @@ golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxb
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 h1:SvFZT6jyqRaOeXpc5h/JSfZenJ2O330aBsf7JfSUXmQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20180810170437-e96c4e24768d/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@ -528,7 +461,6 @@ google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98
 google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
 google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a h1:Ob5/580gVHBJZgXnff1cZDbG+xLtMVE5mDRTe+nIsX4=
 google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
@ -561,17 +493,10 @@ gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
-gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gotest.tools v0.0.0-20181223230014-1083505acf35 h1:zpdCK+REwbk+rqjJmHhiCN6iBIigrZ39glqSF0P3KF0=
-gotest.tools v0.0.0-20181223230014-1083505acf35/go.mod h1:R//lfYlUuTOTfblYI3lGoAAAebUdzjvbmQsuB7Ykd90=
-gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
-gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
-honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=