From 86ab6b4d21e3d003205430267f784c11970db653 Mon Sep 17 00:00:00 2001 From: hc-github-team-secure-boundary <82989682+hc-github-team-secure-boundary@users.noreply.github.com> Date: Fri, 22 May 2026 22:55:01 +0530 Subject: [PATCH] chore(e2e): Ensure ldap is ready (#6736) (#6742) * fix(e2e): Modify ldap cleanup step * chore(e2e): Parallelize dependency download # Conflicts: # .github/workflows/enos-run.yml * chore(e2e): Ensure ldap is ready (cherry picked from commit c94e386f186d845c781bdba5879ba39000a25a81) # Conflicts: # .github/workflows/enos-run.yml # testing/internal/e2e/tests/base_with_vault/credential_library_vault_ldap_test.go Co-authored-by: Michael Li --- enos/enos-scenario-e2e-docker-base-plus.hcl | 1 + ...os-scenario-e2e-docker-base-with-vault.hcl | 1 + enos/modules/docker_ldap/main.tf | 26 +++++++++++++++++++ .../credential_library_vault_ldap_test.go | 10 ++++--- 4 files changed, 34 insertions(+), 4 deletions(-) diff --git a/enos/enos-scenario-e2e-docker-base-plus.hcl b/enos/enos-scenario-e2e-docker-base-plus.hcl index f430165ad0..bb48cc54e0 100644 --- a/enos/enos-scenario-e2e-docker-base-plus.hcl +++ b/enos/enos-scenario-e2e-docker-base-plus.hcl @@ -105,6 +105,7 @@ scenario "e2e_docker_base_plus" { module = module.test_e2e_docker depends_on = [ step.create_boundary, + step.create_ldap_server, ] variables { test_package = "github.com/hashicorp/boundary/testing/internal/e2e/tests/base_plus" diff --git a/enos/enos-scenario-e2e-docker-base-with-vault.hcl b/enos/enos-scenario-e2e-docker-base-with-vault.hcl index 5e4b75f9a4..446de77e1a 100644 --- a/enos/enos-scenario-e2e-docker-base-with-vault.hcl +++ b/enos/enos-scenario-e2e-docker-base-with-vault.hcl @@ -130,6 +130,7 @@ scenario "e2e_docker_base_with_vault" { step.create_boundary, step.create_vault, step.create_host, + step.create_ldap_server, ] variables { test_package = "github.com/hashicorp/boundary/testing/internal/e2e/tests/base_with_vault" 
diff --git a/enos/modules/docker_ldap/main.tf b/enos/modules/docker_ldap/main.tf index 4f11cdba79..8cf3e33f40 100644 --- a/enos/modules/docker_ldap/main.tf +++ b/enos/modules/docker_ldap/main.tf @@ -98,6 +98,32 @@ resource "enos_local_exec" "create_ldap_group" { inline = ["docker exec ${var.container_name} ldapadd -x -H ldap://localhost -D \"${local.admin_dn}\" -w ${local.admin_password} -f /tmp/ldap/group.ldif"] } +resource "enos_local_exec" "wait_for_user_entry" { + depends_on = [ + enos_local_exec.create_ldap_user, + ] + + inline = [ + # First verify the user is discoverable the same way Boundary authenticates it. + "timeout 20s bash -c 'until docker exec ${var.container_name} ldapsearch -x -H ldap://localhost -D \"${local.admin_dn}\" -w ${local.admin_password} -b \"${local.domain_dn}\" \"(uid=${local.user_name})\" | grep \"numEntries: 1\"; do sleep 2; done'", + # Then verify the exact seeded DN exists for Vault static-role operations. + "timeout 20s bash -c 'until docker exec ${var.container_name} ldapsearch -x -H ldap://localhost -D \"${local.admin_dn}\" -w ${local.admin_password} -b \"cn=${local.user_name},${local.domain_dn}\" -s base \"(objectClass=*)\" | grep \"numEntries: 1\"; do sleep 2; done'", + # Finally verify we can bind as the user using the seeded DN shape. + "timeout 20s bash -c 'until docker exec ${var.container_name} ldapwhoami -x -H ldap://localhost -D \"cn=${local.user_name},${local.domain_dn}\" -w ${local.user_password}; do sleep 2; done'" + ] +} + +resource "enos_local_exec" "wait_for_group_entry" { + depends_on = [ + enos_local_exec.create_ldap_group, + ] + + inline = [ + # Verify that the group is discoverable + "timeout 20s bash -c 'until docker exec ${var.container_name} ldapsearch -x -H ldap://localhost -D \"${local.admin_dn}\" -w ${local.admin_password} -b \"${local.domain_dn}\" \"(cn=${local.group_name})\" | grep \"numEntries: 1\"; do sleep 2; done'" + ] +} + output "address" { value = "ldap://${var.container_name}" } 
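Review bot: The new readiness checks in `wait_for_user_entry` and `wait_for_group_entry` interpolate `${local.admin_password}` and `${local.user_password}` unquoted after `-w`, inside a single-quoted `bash -c '...'` string. A password or DN containing a space, `$` or `'` would therefore change or break the command, and the secret shows up in the host process list and in any logging of the inline command. These are seeded test credentials, so the exposure is limited. It would still be more robust to pass them through the resource's `environment` map and reference them quoted (for example `-w "$LDAP_ADMIN_PW"`, a constructed name), or to use the OpenLDAP client option `-y <passwdfile>`. Separately, when `timeout 20s` expires the step exits with status 124 and no hint of which check never succeeded; appending something like `|| { echo "ldap user entry not ready" >&2; exit 1; }` to each command would make CI failures easier to triage.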
diff --git a/testing/internal/e2e/tests/base_with_vault/credential_library_vault_ldap_test.go b/testing/internal/e2e/tests/base_with_vault/credential_library_vault_ldap_test.go index 205e4bec42..bbedfd7b4c 100644 --- a/testing/internal/e2e/tests/base_with_vault/credential_library_vault_ldap_test.go +++ b/testing/internal/e2e/tests/base_with_vault/credential_library_vault_ldap_test.go @@ -84,10 +84,12 @@ func TestApiVaultLdapCredentialLibrary(t *testing.T) { ) require.NoError(t, output.Err, string(output.Stderr)) - output = e2e.RunCommand(context.Background(), "vault", - e2e.WithArgs("policy", "delete", ldapPolicyName), - ) - require.NoError(t, output.Err, string(output.Stderr)) + if ldapPolicyName != "" { + output = e2e.RunCommand(context.Background(), "vault", + e2e.WithArgs("policy", "delete", ldapPolicyName), + ) + require.NoError(t, output.Err, string(output.Stderr)) + } }) require.NoError(t, err)
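Review bot: The `require.NoError(t, output.Err, string(output.Stderr))` that precedes the new `if ldapPolicyName != ""` guard is fatal, so if that earlier cleanup command fails, the rest of the closure is skipped and the Vault policy is never deleted. In teardown code a non-fatal check lets every step run, for example `assert.NoError(t, output.Err, string(output.Stderr))` or `t.Errorf(...)`, so that one failed command does not leave later resources behind for the next run. The guard also skips the delete silently when the name is empty; a short comment such as `// policy is only created after the LDAP secrets engine is configured; nothing to delete if setup failed earlier` would explain why that is expected. The enclosing closure and the assignment of `ldapPolicyName` start outside this hunk, so confirm the variable is set before any path that creates the policy.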