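def test_local_TPR_supercedes_global_TPR(topo, _add_user,
                                         set_global_TPR_policies):
    """ One Time password with expiration

    :id: beb2dac4-e116-11eb-a85e-98fa9ba19b65
    :customerscenario: True
    :setup: Standalone
    :steps:
    1. Create DS Instance
    2. Create user with appropriate password
    3. Configure the Global Password policies with passwordTPRMaxUse 5
    4. Configure different local password policy for passwordTPRMaxUse 3
    5. Trigger TPR by resetting the user password above
    6. Attempt an ldap search with an incorrect bind password for user above
    7. Repeat as many times as set by attribute passwordTPRMaxUse
    8. Should lock the account after value is set in the local passwordTPRMaxUse is reached
    9. Try to search with the correct password account will be locked.

    :expected results:
    1. Success
    2. Success
    3. Fail(ldap.INSUFFICIENT_ACCESS)
    4. Success
    5. Success
    6. Success
    7. Success
    8. Success
    9. Success
    """
    # NOTE(review): the docstring describes a local policy with
    # passwordTPRMaxUse 3, but only the global policy is written below, and
    # the TPR is triggered on user1 while the failed binds are made as user2.
    # Confirm which entry and which policy this test is meant to exercise.
    user1 = UserAccount(topo.standalone,
                        f'uid=jdoe1,ou=People,{DEFAULT_SUFFIX}')
    user2 = UserAccount(topo.standalone,
                        f'uid=jdoe2,ou=People,{DEFAULT_SUFFIX}')
    log.info('Setting local password Temporary password reset policies')

    log.info('Setting Global TPR policy attributes')
    # One modify for all four attributes (same style as the other tests).
    Config(topo.standalone).replace_many(
        ('passwordMustChange', 'on'),
        ('passwordTPRMaxUse', '5'),
        ('passwordTPRDelayExpireAt', '600'),
        ('passwordTPRDelayValidFrom', '6'))
    log.info('Resetting {} password to trigger TPR policy'.format(user1))
    user1.replace('userpassword', 'not_allowed_change')

    # Four binds with a wrong password are plain credential failures.
    bad_attempts = 4
    for _ in range(bad_attempts):
        with pytest.raises(ldap.INVALID_CREDENTIALS):
            user2.bind('badbadbad')
    # TODO(review): steps 8-9 (the lockout, i.e. a further bind answered with
    # ldap.CONSTRAINT_VIOLATION) are not checked here; the earlier
    # `if count == 4` branch that was meant to do so could never run because
    # the loop stopped at count < 4. Add that check once the expected
    # attempt count has been confirmed against the server.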
def validate_syntax_off(topo, request):
    """Turn ``nsslapd-syntaxcheck`` off for a test and switch it back on afterwards.

    :param topo: topology whose ``standalone`` instance is reconfigured
    :param request: pytest request object used to register the finalizer
    """
    cfg = Config(topo.standalone)
    cfg.replace("nsslapd-syntaxcheck", "off")

    def restore_syntax_check():
        # Runs at teardown: re-enable schema syntax checking.
        cfg.replace("nsslapd-syntaxcheck", "on")

    request.addfinalizer(restore_syntax_check)
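def test_password_max_failure_should_lockout_password(topo):
    """Regression test for bz834060.

    :id: f2064efa-52d9-11ea-8037-8c16451d917b
    :setup: Standalone
    :steps:
        1. passwordMaxFailure should lockout password one sooner
        2. Setting passwordLockout to \"on\"
        3. Set maximum number of login tries to 3
        4. Turn off passwordLegacyPolicy
        5. Turn off local password policy, so that global is applied
    :expected results:
        1. Success
        2. Success
        3. Success
        4. Success
        5. Success

    Only ``nsslapd-pwpolicy-local`` is restored at the end; the lockout
    settings themselves are left in place.
    """
    config = Config(topo.standalone)
    config.replace_many(
        ('passwordLockout', 'on'),
        ('passwordMaxFailure', '3'),
        ('passwordLegacyPolicy', 'off'),
        ('nsslapd-pwpolicy-local', 'off'))
    try:
        user = _create_user(topo, 'tuser', 'ou=people')
        user.replace('userpassword', 'password')
        # The first two wrong passwords are ordinary credential failures ...
        for _ in range(2):
            with pytest.raises(ldap.INVALID_CREDENTIALS):
                user.bind('Invalid')
        # ... the third (passwordMaxFailure) locks the account, so the server
        # answers CONSTRAINT_VIOLATION rather than INVALID_CREDENTIALS.
        with pytest.raises(ldap.CONSTRAINT_VIOLATION):
            user.bind("Invalid")
    finally:
        # Re-enable local policies even when an assertion above fails, so the
        # tests that follow start from the configuration they expect.
        config.replace('nsslapd-pwpolicy-local', 'on')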
def user_config(topo, field_value):
    """Set the password storage scheme and create a test user with a password.

    :param topo: topology whose ``standalone`` instance is configured
    :param field_value: value written to ``passwordStorageScheme``
    :returns: the newly created test user (its ``userpassword`` is set)
    """
    cfg = Config(topo.standalone)
    cfg.replace("passwordStorageScheme", field_value)
    accounts = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
    new_user = accounts.create_test_user()
    new_user.set('userpassword', 'ItsMeAnuj')
    return new_user
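def test_passwordexpirationtime_attribute(topo, _add_user):
    """Regression test for bz1118006.

    :id: 867472d2-473c-11ea-b583-8c16451d917b
    :setup: Standalone
    :steps:
        1. Check that the passwordExpirationTime attribute is set to the epoch date
    :expected results:
        1. Success
    """
    config = Config(topo.standalone)
    config.replace('passwordMustChange', 'on')
    try:
        # After an administrative reset with passwordMustChange on, the test
        # expects the expiration time to be the epoch (already expired).
        epoch_date = "19700101000000Z"
        time.sleep(1)
        user = UserAccount(topo.standalone, f'uid=pwadm_user_1,{DEFAULT_SUFFIX}')
        user.replace('userpassword', 'Secret123')
        time.sleep(1)
        # Check that the passwordExpirationTime attribute is set to the epoch date
        assert user.get_attr_val_utf8('passwordExpirationTime') == epoch_date
    finally:
        # Switch the policy back even when the assertion fails.
        config.replace('passwordMustChange', 'off')
        time.sleep(1)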
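def test_local_password_policy(topo, _add_user):
    """Regression test for bz1044164 part 1.

    :id: d6f4a7fa-473b-11ea-8766-8c16451d917b
    :setup: Standalone
    :steps:
        1. Add a User as Password Admin
        2. Create a password admin user entry
        3. Add an aci to allow this user all rights
        4. Configure password admin
        5. Create local password policy and enable passwordmustchange
        6. Add another generic user but do not include the password (userpassword)
        7. Use admin user to perform a password update on generic user
        8. We don't need this ACI anymore. Delete it
    :expected results:
        1. Success
        2. Success
        3. Success
        4. Success
        5. Success
        6. Success
        7. Success
        8. Success

    ``passwordAdminDN`` and ``nsslapd-pwpolicy-local`` are not reverted by
    this test; only the ACI is removed.
    """
    # Add a User as Password Admin
    # Create a password admin user entry
    user = _create_user(topo, 'pwadm_admin_1', None)
    user.replace('userpassword', 'Secret123')
    domain = Domain(topo.standalone, DEFAULT_SUFFIX)
    # The identical ACI value is added now and removed at the end: build it once
    # so the two cannot drift apart.
    pw_admin_aci = ('(targetattr ="userpassword")'
                    '(version 3.0;acl "Allow password admin to write user '
                    f'passwords";allow (write)(userdn = "ldap:///{user.dn}");)')
    # Add an aci to allow this user all rights
    domain.set("aci", pw_admin_aci)
    try:
        # Configure password admin
        # Create local password policy and enable passwordmustchange
        # NOTE(review): the docstring says passwordmustchange is enabled, but
        # the value written here is 'off' -- confirm which one is intended.
        Config(topo.standalone).replace_many(('passwordAdminDN', user.dn),
                                             ('passwordMustChange', 'off'),
                                             ('nsslapd-pwpolicy-local', 'on'))
        # Add another generic user but do not include the password (userpassword)
        # Use admin user to perform a password update on generic user
        real_user = UserAccount(topo.standalone,
                                f'uid=pwadm_admin_1,{DEFAULT_SUFFIX}')
        conn = real_user.bind('Secret123')
        UserAccount(conn, f'uid=pwadm_user_1,{DEFAULT_SUFFIX}').replace(
            'userpassword', 'hello')
    finally:
        # We don't need this ACI anymore. Delete it -- also on failure, so the
        # write grant on userpassword does not outlive the test.
        domain.remove("aci", pw_admin_aci)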
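def test_too_big_password(topo, _fix_password):
    """Test for long long password

    :id: 299a3fb4-5a20-11ea-bba8-8c16451d917b
    :setup: Standalone
    :steps:
        1. Setting policy to keep password histories
        2. Changing number of password in history to 3
        3. Modify password from dby3rs1 to dby3rs2
        4. Checking that the passwordhistory attribute has been added
        5. Add a password test for long long password
        6. Changing number of password in history to 6 and passwordhistory off
    :expected results:
        1. Success
        2. Success
        3. Success
        4. Success
        5. Success
        6. Success
    """
    config = Config(topo.standalone)
    user_dn = f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}'
    # Setting policy to keep password histories
    config.replace_many(('passwordchecksyntax', 'off'),
                        ('passwordhistory', 'on'))
    try:
        assert config.get_attr_val_utf8('passwordinhistory') == '6'
        # Changing number of password in history to 3
        config.replace('passwordinhistory', '3')
        # Modify password from dby3rs1 to dby3rs2
        _change_password_with_own(topo, user_dn, 'dbyers1', 'dbyers2')
        # Going back to a password that is still in the history is refused.
        with pytest.raises(ldap.CONSTRAINT_VIOLATION):
            _change_password_with_own(topo, user_dn, 'dbyers2', 'dbyers1')
        # Checking that the passwordhistory attribute has been added
        assert UserAccount(topo.standalone, user_dn).get_attr_val_utf8(
            'passwordhistory')
        # Add a password test for long long password
        # 50 x 10 digits plus the 10-character tag: exactly 510 characters.
        long_pass = 50 * '0123456789' + 'LENGTH=510'
        _change_password_with_own(topo, user_dn, 'dbyers2', long_pass)
        # Setting the very same long password again is refused as well.
        with pytest.raises(ldap.CONSTRAINT_VIOLATION):
            _change_password_with_own(topo, user_dn, long_pass, long_pass)
        _change_password_with_root(topo, user_dn, 'dbyers1')
    finally:
        # Changing number of password in history to 6 and passwordhistory off
        # -- done even if an assertion above failed.
        config.replace_many(('passwordhistory', 'off'), ('passwordinhistory', '6'))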
def test_once_TPR_reset_old_passwd_invalid(topo, _add_user,
                                           set_global_TPR_policies):
    """ Verify that once a password has been reset it cannot be reused

    :id: f3ea4f00-e89c-11eb-b81d-98fa9ba19b65
    :customerscenario: True
    :setup: Standalone
    :steps:
    1. Create DS Instance
    2. Create user jdoe1 with appropriate password
    3. Configure the Global Password policies enable passwordMustChange
    4. Trigger TPR by resetting the user jdoe1 password above
    5. Attempt to login with the old password
    6. Login as jdoe1 with the correct password and update the new password

    :expected results:
    1. Success
    2. Success
    3. Success
    4. Success
    5. Fail(ldap.CONSTRAINT_VIOLATION)
    6. Success
    """
    new_password = '******'
    user_dn = f'uid=jdoe1,ou=People,{DEFAULT_SUFFIX}'
    log.info('Creating user jdoe1 with appropriate password')
    user1 = UserAccount(topo.standalone, user_dn)
    # Administrative reset of the password -- this is what triggers the TPR.
    user1.replace('userpassword', new_password)
    log.info(
        'Making sure the Global Policy passwordTPRDelayValidFrom is short')
    policy = (
        ('passwordLockout', 'off'),
        ('passwordMaxFailure', '3'),
        ('passwordLegacyPolicy', 'off'),
        ('passwordTPRDelayValidFrom', '-1'),
        ('nsslapd-pwpolicy-local', 'on'),
    )
    Config(topo.standalone).replace_many(*policy)

    # Note that the old password is written to the test log here.
    log.info(' Attempting to bind as {} with the old password {}'.format(
        user1, USER1_PASS))
    time.sleep(.5)
    # NOTE(review): the docstring expects CONSTRAINT_VIOLATION for this step
    # while the code expects INVALID_CREDENTIALS -- align one with the other.
    with pytest.raises(ldap.INVALID_CREDENTIALS):
        user1.bind(USER1_PASS)
    log.info('Login as jdoe1 with the correct reset password')
    time.sleep(.5)
    user1.rebind(new_password)
    def set_global_policy(self, properties):
        """Configure global password policy

        :param properties: A dictionary with password policy attributes
        :type properties: dict
        :raises ValueError: if *properties* contains no attributes to set
        """
        # One (attribute, value) pair per item, applied in a single modify.
        changes = list(properties.items())
        if not changes:
            raise ValueError("There are no password policies to set")

        Config(self._instance).replace_many(*changes)
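def test_admin_resets_pwd_TPR_attrs_reset(topo, _add_user,
                                          set_global_TPR_policies):
    """Test When the ‘userpassword’ is updated (update_pw_info) by an administrator
       and it exists a TPR policy, then the server flags that the entry has a
       TPR password with ‘pwdTPRReset: TRUE’, ‘pwdTPRExpTime’ and ‘pwdTPRUseCount’.

    :id: e6a84dc0-f142-11eb-8c96-fa163e1f582c
    :customerscenario: True
    :setup: Standalone
    :steps:
    1. Create DS Instance
    2. Create user jdoe2 with appropriate password
    3. Configure the Global Password policies enable
    4. Trigger TPR by resetting the user jdoe1 password above
    5. Reset the users password ‘userpassword’
    6. Check that ‘pwdTPRExpTime’ and ‘pwdTPRUseCount’ are updated
    :expectedresults:
        1. Success
        2. Success
        3. Success
        4. Success
        5. Success
        6. Success
    """
    user1 = UserAccount(topo.standalone,
                        f'uid=jdoe1,ou=People,{DEFAULT_SUFFIX}')
    tpr_attrs = ('pwdTPRReset', 'pwdTPRExpTime', 'pwdTPRUseCount')
    log.info(
        'Verifying the Global policy are set and attributes are all set to "None"'
    )
    # Before any reset, none of the TPR bookkeeping attributes may be present.
    for tpr_attrib in tpr_attrs:
        assert user1.get_attr_val_utf8(tpr_attrib) is None
    config = Config(topo.standalone)
    # NOTE(review): the other tests write 'passwordMustChange'; confirm that
    # 'pwdmustchange' is an attribute name the server actually honours.
    config.replace_many(('pwdmustchange', 'on'), ('passwordTPRMaxUse', '3'),
                        ('passwordTPRDelayExpireAt', '1800'),
                        ('passwordTPRDelayValidFrom', '1'))
    # Changing the policy alone must not stamp an expiry on the entry.
    assert user1.get_attr_val_utf8('pwdTPRExpTime') is None
    log.info('Triggering TPR as Admin')
    user1.replace('userpassword', 'new_password')
    time.sleep(1)
    log.info(
        'Checking that pwdTPRReset, pwdTPRExpTime, pwdTPRUseCount are reset.')
    assert user1.get_attr_val_utf8('pwdTPRReset') == 'TRUE'
    # NOTE(review): the docstring says pwdTPRExpTime is "updated", yet the
    # check expects it to be absent -- confirm which behaviour is intended.
    assert user1.get_attr_val_utf8('pwdTPRExpTime') is None
    # Compare by value: `is '0'` tested object identity and its outcome
    # depended on string interning rather than on the attribute's content.
    assert user1.get_attr_val_utf8('pwdTPRUseCount') == '0'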
def security_enable(inst, basedn, log, args):
    """Enable TLS on *inst* by writing ``nsslapd-security: on``.

    The NSS database must already hold at least one certificate. With exactly
    one certificate it is made the server certificate; with several, the
    nickname given as ``args.cert_name`` is used if one was supplied, and
    otherwise ``nsSSLPersonalitySSL`` is left as it already is.
    ``basedn`` and ``log`` belong to the CLI handler signature and are unused.

    :raises ValueError: if the certificate database contains no certificates
    """
    tlsdb = NssSsl(dbpath=inst.get_cert_dir())
    certs = tlsdb.list_certs()
    if not certs:
        raise ValueError('There are no server certificates in the security '
                         'database, security can not be enabled.')

    single_cert = len(certs) == 1
    # With a single cert its nickname is taken; otherwise only an explicit
    # --cert-name changes the server certificate.
    nickname = certs[0][0] if single_cert else args.cert_name
    if single_cert or nickname is not None:
        RSA(inst).set('nsSSLPersonalitySSL', nickname)

    # it should now be safe to enable security
    Config(inst).set('nsslapd-security', 'on')
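def test_implicit_replication_of_password_policy(_create_entries):
    """For bug 800173, we want to cause the implicit replication of password policy
    attributes due to failed bind operations
    we want to make sure that replication still works despite
    the policy attributes being removed from the update leaving an empty
    modify operation

    :id: 3f4affe8-38eb-11ea-8936-8c16451d917b
    :setup: Master and Consumer
    :steps:
        1. Add a new entry to MASTER1.
        2. Try binding user with correct password
        3. Try binding user with incorrect password (twice)
        4. Make sure user got locked
        5. Run total update and verify the same attributes added/modified in the read-only replicas.
    :expected results:
        1. Success
        2. Success
        3. FAIL(ldap.INVALID_CREDENTIALS)
        4. Success
        5. Success
    """
    # Lock the account after a single failed bind.
    # NOTE(review): these settings are not reverted at the end of the test.
    for attribute, value in [("passwordlockout", "on"),
                             ("passwordmaxfailure", "1")]:
        Config(MASTER1).set(attribute, value)
    user = UserAccounts(MASTER1, DEFAULT_SUFFIX).create_test_user()
    user.set("userpassword", "ItsmeAnuj")
    check_all_replicated()
    assert UserAccount(MASTER2,
                       user.dn).get_attr_val_utf8("uid") == "test_user_1000"
    # Try binding user with correct password (the connection itself is not
    # needed afterwards, only that the bind succeeds).
    UserAccount(MASTER2, user.dn).bind("ItsmeAnuj")
    # First wrong password: ordinary credential failure ...
    with pytest.raises(ldap.INVALID_CREDENTIALS):
        UserAccount(MASTER1, user.dn).bind("badpass")
    # ... second one exceeds passwordmaxfailure and locks the account.
    with pytest.raises(ldap.CONSTRAINT_VIOLATION):
        UserAccount(MASTER1, user.dn).bind("badpass")
    # asserting user got locked: even the correct password is refused now
    with pytest.raises(ldap.CONSTRAINT_VIOLATION):
        UserAccount(MASTER1, user.dn).bind("ItsmeAnuj")
    check_all_replicated()
    # modify user and verify that replication is still working
    user.replace("seealso", "cn=seealso")
    check_all_replicated()
    for instance in (MASTER1, MASTER2):
        assert UserAccount(
            instance, user.dn).get_attr_val_utf8("seealso") == "cn=seealso"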
def test_entryusn_no_duplicates(topology_st, setup):
    """Verify that entryUSN is not duplicated after memberOf operation

    :id: 1a7d382d-1214-4d56-b9c2-9c4ed57d1683
    :setup: Standalone instance, Groups and Users, USN and memberOf are enabled
    :steps:
        1. Add a member to group 1
        2. Add a member to group 1 and 2
        3. Check that entryUSNs are different
        4. Check that lastusn before and after a restart are the same
    :expectedresults:
        1. Success
        2. Success
        3. Success
        4. Success
    """
    inst = topology_st.standalone
    config = Config(inst)
    # Verbose logging so the internal operations show up in the logs; these
    # levels are not reverted at the end of the test.
    config.replace('nsslapd-accesslog-level', '260')  # Internal op
    config.replace('nsslapd-errorlog-level', '65536')
    config.replace('nsslapd-plugin-logging', 'on')

    users = setup["users"]
    groups = setup["groups"]
    entryusn_list = []

    def record_usn(entry, step):
        # Append the entry's current entryUSN and log it tagged with the step.
        entryusn_list.append(entry.get_attr_val_int('entryusn'))
        log.info(f"{entry.dn}_{step}: {entryusn_list[-1:]}")

    # Step 1: one member in group 1 -> user and group both get a new USN.
    groups[0].replace('member', users[0].dn)
    record_usn(users[0], 1)
    record_usn(groups[0], 1)
    check_entryusn_no_duplicates(entryusn_list)

    # Step 2: both users in group 2 -> three more USNs, all distinct.
    groups[1].replace('member', [users[0].dn, users[1].dn])
    record_usn(users[0], 2)
    record_usn(users[1], 2)
    record_usn(groups[1], 2)
    check_entryusn_no_duplicates(entryusn_list)

    # Step 4: lastusn must be the same before and after a restart.
    check_lastusn_after_restart(inst)
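def test_password_expire_works(topology_st):
    """Regression test for bug624080. If passwordMaxAge is set to a
    value and a new user is added, if the passwordMaxAge is changed
    to a shorter expiration time and the new users  password
    is then changed ..... the passwordExpirationTime for the
    new user should be changed too. There was a bug in DS 6.2
    where the expirationtime remained unchanged.

    :id: 1ead6052-4636-11ea-b5af-8c16451d917b
    :setup: Standalone
    :steps:
        1. Set the Global password policy and a passwordMaxAge to 5 days
        2. Add the new user
        3. Check the users password expiration time now
        4. Decrease global passwordMaxAge to 2 days
        5. Modify the users password
        6. Modify the user one more time to make sure the time has been reset
        7. turn off the password policy
    :expected results:
        1. Success
        2. Success
        3. Success
        4. Success
        5. Success
        6. Success
        7. Success
    """
    config = Config(topology_st.standalone)
    # passwordMaxAge is given in seconds: 432000 = 5 days, 172800 = 2 days,
    # 604800 = 7 days.
    config.replace_many(('passwordMaxAge', '432000'), ('passwordExp', 'on'))
    try:
        user = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX,
                            rdn=None).create_test_user()
        user.set('userPassword', 'anuj')
        time.sleep(0.5)
        expire_times = [user.get_attr_val_utf8('passwordExpirationTime')]
        # Each change of passwordMaxAge followed by a password change must
        # produce a new passwordExpirationTime.
        for max_age, password in (('172800', 'borah'),
                                  ('604800', 'anujagaiin')):
            config.replace('passwordMaxAge', max_age)
            user.set('userPassword', password)
            time.sleep(0.5)
            expire_times.append(user.get_attr_val_utf8('passwordExpirationTime'))
        # A chained `a != b != c` only compares neighbours; require all three
        # timestamps to be pairwise distinct.
        assert len(expire_times) == 3
        assert len(set(expire_times)) == 3
    finally:
        # turn off the password policy, even if an assertion above failed
        config.replace('passwordExp', 'off')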
def test_passwordchange_to_no(topo, _fix_password):
    """Change password fo a user even password even though pw policy is set to no

    :id: 16c64ef0-5a20-11ea-a902-8c16451d917b
    :setup: Standalone
    :steps:
        1. Adding  an user with uid=dbyers
        2. Set Password change to Must Not Change After Reset
        3. Setting  Password policy to May Not Change Password
        4. Try to change password fo a user even password even though pw policy is set to no
        5. Set Password change to May Change Password
        6. Try to change password fo a user even password
        7. Try to change password with invalid credentials.  Should see error message.
    :expected results:
        1. Success
        2. Success
        3. Success
        4. Success
        5. Success
        6. Success
        7. Success
    """
    # Adding  an user with uid=dbyers
    user = f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}'
    config = Config(topo.standalone)

    def change_own_password(current, new):
        # Change the user's password as the user itself.
        _change_password_with_own(topo, user, current, new)

    # Set Password change to Must Not Change After Reset
    # Setting  Password policy to May Not Change Password
    config.replace_many(('passwordmustchange', 'off'),
                        ('passwordchange', 'off'))
    # Try to change password fo a user even password even though pw policy is set to no
    with pytest.raises(ldap.UNWILLING_TO_PERFORM):
        change_own_password('dbyers1', 'AB')
    # Set Password change to May Change Password
    config.replace('passwordchange', 'on')
    # Try to change password fo a user even password
    change_own_password('dbyers1', 'dbyers1')
    # Try to change password with invalid credentials.  Should see error message.
    with pytest.raises(ldap.INVALID_CREDENTIALS):
        change_own_password('AB', 'dbyers1')
def test_check_two_scheme(topo):
    """Check password scheme SHA and CRYPT

    :id: 2b677f1e-33a6-11ea-a371-8c16451d917b
    :setup: Standalone
    :steps:
        1. Change password scheme and create user with password.
        2. check password scheme is set .
        3. Delete user
    :expected results:
        1. Pass
        2. Pass
        3. Pass
    """
    cfg = Config(topo.standalone)
    # Root password scheme SHA, user password scheme CRYPT; the instance is
    # restarted before the user is created. Neither setting is reverted.
    cfg.replace("nsslapd-rootpwstoragescheme", "SHA")
    cfg.replace("passwordStorageScheme", "CRYPT")
    topo.standalone.restart()
    user = UserAccounts(topo.standalone, DEFAULT_SUFFIX).create_test_user()
    user.set('userpassword', 'ItsMeAnuj')
    stored = UserAccount(topo.standalone, user.dn).get_attr_val_utf8('userpassword')
    # The stored value must carry the scheme tag (compared case-insensitively).
    assert '{crypt}' in stored.lower()
    user.delete()
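def test_pwminage(topo, _fix_password):
    """Test pwminage

    :id: 2df7bf32-5a20-11ea-ad23-8c16451d917b
    :setup: Standalone
    :steps:
        1. Get pwminage; should be 0 currently
        2. Sets policy to pwminage 3
        3. Change current password
        4. Try to change password again
        5. Try now after 3 secs is up,  should work.
    :expected results:
        1. Success
        2. Success
        3. Success
        4. Fail
        5. Success
    """
    config = Config(topo.standalone)
    user_dn = f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}'
    # Get pwminage; should be 0 currently
    assert config.get_attr_val_utf8('passwordminage') == '0'
    # Sets policy to pwminage 3
    config.replace('passwordminage', '3')
    try:
        # Change current password
        _change_password_with_own(topo, user_dn, 'dbyers1', 'dbyers2')
        # Try to change password again: refused while the password is younger
        # than passwordminage.
        with pytest.raises(ldap.CONSTRAINT_VIOLATION):
            _change_password_with_own(topo, user_dn, 'dbyers2', 'dbyers1')
        # Wait out the minimum age.
        time.sleep(3)
        # Try now after 3 secs is up,  should work.
        _change_password_with_own(topo, user_dn, 'dbyers2', 'dbyers1')
    finally:
        # Reset the minimum age even when an assertion above failed.
        config.replace('passwordminage', '0')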
def test_check_pbkdf2_sha256(topo):
    """Check password scheme PBKDF2_SHA256.

    :id: 31612e7e-33a6-11ea-a750-8c16451d917b
    :setup: Standalone
    :steps:
        1. Try to delete PBKDF2_SHA256.
        2. Should not deleted PBKDF2_SHA256 and server should up.
    :expected results:
        1. Pass
        2. Pass
    """
    scheme = 'PBKDF2_SHA256'
    user = user_config(topo, scheme)
    stored = UserAccount(topo.standalone, user.dn).get_attr_val_utf8('userpassword')
    # The stored hash must carry the scheme tag (compared case-insensitively).
    assert '{' + scheme.lower() + '}' in stored.lower()
    # Delete the plugin entry; _protected is cleared first, presumably
    # because the entry is otherwise guarded against deletion.
    plg = PBKDF2Plugin(topo.standalone)
    plg._protected = False
    plg.delete()
    topo.standalone.restart()
    # The scheme must still be configured and the server must come back up.
    assert Config(topo.standalone).get_attr_val_utf8(
        'passwordStorageScheme') == scheme
    assert topo.standalone.status()
    user.delete()
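def test_password_gracelimit_section(topo):
    """Password grace limit section.

    :id: d6f4a7fa-473b-11ea-8766-8c16451d917c
    :setup: Standalone
    :steps:
        1. Resets the default password policy
        2. Turning on password expiration, passwordMaxAge: 30 and passwordGraceLimit: 7
        3. Check users have 7 grace login attempts after their password expires
        4. Reset the user passwords to start the clock
        5. The the 8th should fail
        6. Now try resetting the password before the grace login attempts run out
        7. Bind 6 times, and on the 7th change the password
        8. Setting passwordMaxAge: 1 and passwordGraceLimit: 7
        9. Modify the users passwords to start the clock of zero
        10. First 7 good attempts, 8th should fail
        11. Setting the passwordMaxAge to 3 seconds once more and the passwordGraceLimit to 0
        12. Modify the users passwords to start the clock
        13. Users should be blocked automatically after 3 second
    :expected results:
        1. Success
        2. Success
        3. Success
        4. Success
        5. Success
        6. Success
        7. Success
        8. Success
        9. Success
        10. Success
        11. Success
        12. Success
        13. Success

    The expiration settings written here are not reverted by this test.
    """
    config = Config(topo.standalone)
    # Resets the default password policy
    config.replace_many(('passwordmincategories', '1'),
                        ('passwordStorageScheme', 'CLEAR'))
    user = UserAccounts(topo.standalone, DEFAULT_SUFFIX,
                        rdn=None).create_test_user()
    user_account = UserAccount(topo.standalone, user.dn)

    def bind_n_times(password, n):
        # n binds that must all succeed; after expiry each one uses up a
        # grace login.
        for _ in range(n):
            user_account.bind(password)

    def reset_and_expire(password, seconds):
        # Set a new password (restarting the max-age clock) and wait until
        # passwordMaxAge has elapsed.
        user.replace('userpassword', password)
        time.sleep(seconds)

    # Turning on password expiration, passwordMaxAge: 3 and passwordGraceLimit: 7
    # NOTE(review): the docstring says passwordMaxAge: 30, the code sets 3
    # seconds and a passwordwarning of 30 -- confirm which is intended.
    config.replace_many(('passwordMaxAge', '3'), ('passwordGraceLimit', '7'),
                        ('passwordexp', 'on'), ('passwordwarning', '30'))
    # Reset the user passwords to start the clock
    # Check users have 7 grace login attempts after their password expires
    reset_and_expire('00fr3d1', 3)
    bind_n_times('00fr3d1', 7)
    # The the 8th should fail
    with pytest.raises(ldap.INVALID_CREDENTIALS):
        user_account.bind('00fr3d1')
    # Now try resetting the password before the grace login attempts run out
    reset_and_expire('00fr3d2', 3)
    # Bind 6 times, and on the 7th change the password
    bind_n_times('00fr3d2', 6)
    reset_and_expire('00fr3d1', 3)
    bind_n_times('00fr3d1', 7)
    with pytest.raises(ldap.INVALID_CREDENTIALS):
        user_account.bind('00fr3d1')
    # Setting passwordMaxAge: 1 and passwordGraceLimit: 7
    config.replace_many(('passwordMaxAge', '1'), ('passwordwarning', '1'))
    # Modify the users passwords to start the clock of zero
    reset_and_expire('00fr3d2', 1)
    # First 7 good attempts, 8th should fail
    bind_n_times('00fr3d2', 7)
    with pytest.raises(ldap.INVALID_CREDENTIALS):
        user_account.bind('00fr3d2')
    # Setting the passwordMaxAge to 3 seconds once more and the passwordGraceLimit to 0
    config.replace_many(('passwordMaxAge', '3'), ('passwordGraceLimit', '0'))
    # Modify the users passwords to start the clock
    # Users should be blocked automatically after 3 second
    reset_and_expire('00fr3d1', 3)
    with pytest.raises(ldap.INVALID_CREDENTIALS):
        user_account.bind('00fr3d1')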
def security_disable(inst, basedn, log, args):
    """Turn TLS off on *inst* by writing ``nsslapd-security: off``.

    ``basedn``, ``log`` and ``args`` belong to the CLI handler signature and
    are not used here.
    """
    cfg = Config(inst)
    cfg.set('nsslapd-security', 'off')
def test_automemscope_and_running_modrdn(topo_m4, _create_entries):
    """
    Adding bulk users to non-automem_scope and running modrdn operation
    with new superior to automem_scope
    :id: bf60f958-be57-11e9-945d-8c16451d917b
    :setup: Instance with 4 suppliers
    :steps:
        1. Running modrdn operation to change the ou to automem_scope
        2. Add 3000 user entries to non-automem_scope at topo_m4.ms['supplier1']
        3. Run AutomemberRebuildMembershipTask
        4. Check the same created in rest suppliers
    :expected results:
        1. Pass
        2. Pass
        3. Pass
        4. Pass
    """
    user_rdn = "long09usr"
    automem_scope1 = "ou=Employees,{}".format(DEFAULT_SUFFIX)
    automem_scope2 = "cn=NewEmployees,{}".format(DEFAULT_SUFFIX)
    grp_container = "cn=replsubGroups,{}".format(DEFAULT_SUFFIX)
    default_group1 = "cn=SubDef3,{}".format(DEFAULT_SUFFIX)
    default_group2 = "cn=SubDef5,{}".format(DEFAULT_SUFFIX)
    supplier1 = topo_m4.ms['supplier1']
    supplier2 = topo_m4.ms['supplier2']
    supplier3 = topo_m4.ms['supplier3']
    supplier4 = topo_m4.ms['supplier4']
    other_suppliers = [supplier2, supplier3, supplier4]

    def wait_for_all_replicas():
        # Block until every other supplier has caught up with supplier1.
        # NOTE(review): the unit of `timeout` is not visible here; 30000
        # looks like seconds, which would be a very long wait -- confirm.
        for supplier in other_suppliers:
            ReplicationManager(DEFAULT_SUFFIX).wait_for_replication(
                supplier1, supplier, timeout=30000)

    OrganizationalUnits(supplier1,
                        DEFAULT_SUFFIX).create(properties={'ou': 'NewEmployees'})
    Group(supplier1,
          f'cn=replsubGroups,cn=autoMembersPlugin,{DEFAULT_SUFFIX}').replace(
              'autoMemberScope', automem_scope2)
    for instance in [supplier1, supplier2, supplier3, supplier4]:
        Config(instance).replace('nsslapd-errorlog-level', '73728')
        instance.restart()
    # Adding bulk users
    for number in range(3000):
        create_entry(topo_m4, f'automemusrs{number}', automem_scope1, '3994',
                     '5695', 'OnDeputation')
    try:
        wait_for_all_replicas()
        # The users live outside the automember scope, so nothing may have
        # been added to these groups yet.
        for grp, instance in [(default_group2, supplier3),
                              ("cn=Managers,{}".format(grp_container),
                               supplier1),
                              ("cn=Contractors,{}".format(grp_container),
                               supplier3)]:
            assert not nsAdminGroup(instance, grp).get_attr_vals_utf8('member')
        # Move every user into automem_scope2 via modrdn with a new superior.
        scope1_users = nsAdminGroups(supplier3, automem_scope1,
                                     rdn=None).list()
        for index, entry in enumerate(scope1_users):
            supplier1.rename_s(entry.dn,
                               f'cn=New{user_rdn}{index}',
                               newsuperior=automem_scope2,
                               delold=1)
        wait_for_all_replicas()
        AutomemberRebuildMembershipTask(supplier1).create(
            properties={
                'basedn': automem_scope2,
                'filter': "objectClass=posixAccount"
            })
        wait_for_all_replicas()
        # The rebuild must have put all 3000 users into both default groups ...
        for instance, grp in [(supplier3, default_group2),
                              (supplier3, default_group1)]:
            assert len(
                nsAdminGroup(instance,
                             grp).get_attr_vals_utf8('member')) == 3000
        # ... and into none of the rule-based groups, on any supplier.
        for instance, grp in [(supplier1, 'Managers'),
                              (supplier3, 'Contractors'),
                              (supplier2, 'Interns'),
                              (supplier4, 'Visitors')]:
            assert not nsAdminGroup(instance, "cn={},{}".format(
                grp, grp_container)).get_attr_vals_utf8('member')
    finally:
        for scope in [automem_scope1, automem_scope2]:
            delete_users_and_wait(topo_m4, scope)
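def test_binddn_tracking(topo, _create_inital):
    """Test Managed Entries behaviour with nsslapd-plugin-binddn-tracking on

    The managed User Private Group (UPG) must only be touched by updates
    the plugin cares about (ModRDN, gidNumber) and not by unrelated ones
    (sn); its creatorsname/modifiersname must record the bound DN while
    internalCreatorsname records the plugin itself.

    :id: ea2ddfd4-aaec-11ea-8416-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Set nsslapd-plugin-binddn-tracking attribute under cn=config
        2. Add user
        3. Managed Entry Plugin runs against managed entries upon any update without validating
        4. verify creation of User Private Group with its time stamp value
        5. Modify the SN attribute which is not mapped with managed entry
        6. run ModRDN operation and check the User Private group
        7. Check the time stamp of UPG should be changed now
        8. Check the creatorsname should be user dn and internalCreatorsname should be plugin name
        9. Check if a managed group entry was created
    :expected results:
        1. Success
        2. Success
        3. Success
        4. Success
        5. Success
        6. Success
        7. Success
        8. Success
        9. Success
    """
    config = Config(topo.standalone)
    # Build the container DN from DEFAULT_SUFFIX once, so the ModRDN below
    # targets the same container the user was created in (the original
    # hard-coded 'dc=example,dc=com' there)
    users_container = f'cn=Users,{DEFAULT_SUFFIX}'
    # set nsslapd-plugin-binddn-tracking attribute under cn=config
    config.replace('nsslapd-plugin-binddn-tracking', 'on')
    user = None
    try:
        # Add user
        user = UserAccounts(topo.standalone, users_container,
                            rdn=None).create_test_user()
        assert user.get_attr_val_utf8(
            'mepManagedEntry') == f'cn=test_user_1000,cn=Groups,{DEFAULT_SUFFIX}'
        entry = Account(topo.standalone,
                        f'cn=test_user_1000,cn=Groups,{DEFAULT_SUFFIX}')
        # sn is not mapped into the managed entry, so changing it must leave
        # the UPG's modifyTimestamp untouched
        stamp1 = entry.get_attr_val_utf8('modifyTimestamp')
        user.replace('sn', 'NewSN_modified')
        stamp2 = entry.get_attr_val_utf8('modifyTimestamp')
        assert stamp1 == stamp2
        # modifyTimestamp is a generalized time with one-second resolution,
        # so wait before the next update to make a change observable
        time.sleep(1)
        # A ModRDN renames the UPG as well, and its timestamp must change
        user.rename(new_rdn='uid=UserNewRDN', newsuperior=users_container)
        assert user.get_attr_val_utf8(
            'mepManagedEntry') == f'cn=UserNewRDN,cn=Groups,{DEFAULT_SUFFIX}'
        entry = Account(topo.standalone,
                        f'cn=UserNewRDN,cn=Groups,{DEFAULT_SUFFIX}')
        stamp3 = entry.get_attr_val_utf8('modifyTimestamp')
        assert stamp2 != stamp3
        time.sleep(1)
        # A gidNumber update must bump the UPG timestamp again
        user.replace('gidNumber', '1')
        stamp4 = entry.get_attr_val_utf8('modifyTimestamp')
        assert stamp4 != stamp3
        # creatorsname/modifiersname record the bound DN, while
        # internalCreatorsname records the plugin that wrote the entry
        assert entry.get_attr_val_utf8('creatorsname') == 'cn=directory manager'
        assert entry.get_attr_val_utf8(
            'internalCreatorsname') == 'cn=Managed Entries,cn=plugins,cn=config'
        assert entry.get_attr_val_utf8('modifiersname') == 'cn=directory manager'
    finally:
        # Undo the config change even when an assertion fails, so later tests
        # in the module do not silently run with bind-DN tracking enabled
        try:
            if user is not None:
                user.delete()
        finally:
            config.replace('nsslapd-plugin-binddn-tracking', 'off')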
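def test_passwordlockout(topo, _fix_password):
    """Test password lockout, and that an admin password reset unlocks the account

    :id: 3ffcffda-5a20-11ea-a3af-8c16451d917b
    :setup: Standalone
    :steps:
        1. Account Lockout must be cleared on successful password change
        2. Adding admin user diradmin
        3. Adding admin user diradmin to Directory Administrator group
        4. Turn on passwordlockout
        5. Sets lockout duration to 30 seconds
        6. Sets failure count reset duration to 30 sec
        7. Sets max password bind failure count to 3
        8. Reset password retry count (to 0)
        9. Try to bind with invalid credentials(3 times)
        10. Try to bind with valid pw, should give lockout error
        11. Reset password using admin login
        12. Try to login as the user to check the unlocking of account. Will also change
            the password to a new one
        13. Change to account lockout forever until reset
        14. Reset password retry count (to 0)
        15. Try to bind with invalid credentials(3 times)
        16. Try to bind with valid pw, should give lockout error
        17. Reset password using admin login
        18. Try to login as the user to check the unlocking of account. Will also change the
            password to a new one
    :expected results:
        1. Success
        2. Success
        3. Success
        4. Success
        5. Success
        6. Success
        7. Success
        8. Success
        9. Fail
        10. Success
        11. Success
        12. Success
        13. Success
        14. Success
        15. Fail
        16. Success
        17. Success
        18. Success
    """
    config = Config(topo.standalone)
    # Create the ordinary user and the admin user diradmin
    user = UserAccounts(topo.standalone, DEFAULT_SUFFIX).create_test_user()
    user.replace('userpassword', 'dby3rs2')
    admin = _create_user(topo, 'diradmin', 'Anuj Borah', '1002', 'diradmin')
    # Adding admin user diradmin to Directory Administrator group
    Group(topo.standalone,
          f'cn=Directory Administrators,{DEFAULT_SUFFIX}').add(
              'uniquemember', admin.dn)
    # Turn on lockout: 30 s lockout duration, 30 s failure-count reset,
    # 3 failures maximum; history off so the same password can be re-set
    config.replace_many(
        ('passwordlockout', 'on'), ('passwordlockoutduration', '30'),
        ('passwordresetfailurecount', '30'), ('passwordmaxfailure', '3'),
        ('passwordhistory', 'off'))
    # Reset password retry count (to 0)
    user.replace('passwordretrycount', '0')
    # Three binds with a wrong password exhaust passwordmaxfailure
    for _ in range(3):
        with pytest.raises(ldap.INVALID_CREDENTIALS):
            _change_password_with_own(topo, user.dn, 'Invalid', 'secreter')
    # The account is now locked: the *valid* password must be refused with
    # the lockout error (previously 'Invalid' was used here, which only
    # repeated the wrong-password case and never exercised the lock itself)
    with pytest.raises(ldap.CONSTRAINT_VIOLATION):
        _change_password_with_own(topo, user.dn, 'dby3rs2', 'secreter')
    # Reset password using admin login
    conn = admin.bind('diradmin')
    UserAccount(conn, user.dn).replace('userpassword', 'dby3rs2')
    time.sleep(1)
    # The reset must have cleared the lockout: the user binds with
    # 'dby3rs2' and changes the password to 'secreter'
    _change_password_with_own(topo, user.dn, 'dby3rs2', 'secreter')
    # Change to account lockout forever until reset
    config.replace('passwordunlock', 'off')
    user.replace('passwordretrycount', '0')
    for _ in range(3):
        with pytest.raises(ldap.INVALID_CREDENTIALS):
            _change_password_with_own(topo, user.dn, 'Invalid', 'secreter')
    # Locked forever: the current valid password ('secreter') is refused too
    with pytest.raises(ldap.CONSTRAINT_VIOLATION):
        _change_password_with_own(topo, user.dn, 'secreter', 'secreter')
    # Reset password using admin login; this is the way out of a permanent lock
    UserAccount(conn, user.dn).replace('userpassword', 'dby3rs2')
    time.sleep(1)
    # The user can bind again and change the password
    _change_password_with_own(topo, user.dn, 'dby3rs2', 'secreter')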
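def test_expiration_date(topo, _fix_password):
    """Test that a password change keeps passwordExpirationTime, and that history rejects re-use

    :id: 3691739a-5a20-11ea-8712-8c16451d917b
    :setup: Standalone
    :steps:
        1. Password expiration
        2. Add a user with a password expiration date
        3. Modify their password
        4. Check the expiration date is still in the future
        5. Modify the password expiration date
        6. Check the expiration date is still in the future
        7. Change policy so that user can change passwords
        8. Deleting user
        9. Adding user
        10. Set password history ON
        11. Modify password Once
        12. Try to change the password with same one
    :expected results:
        1. Success
        2. Success
        3. Success
        4. Success
        5. Success
        6. Success
        7. Success
        8. Success
        9. Success
        10. Success
        11. Success
        12. Fail
    """
    # Add a user with a password expiration date far in the future
    user = UserAccounts(topo.standalone, DEFAULT_SUFFIX).create_test_user()
    user.replace_many(('userpassword', 'bind4now'),
                      ('passwordExpirationTime', '20380119031404Z'))
    # Modify their password; the expiration date must be preserved
    user.replace('userPassword', 'secreter')
    assert user.get_attr_val_utf8(
        'passwordExpirationTime') == '20380119031404Z'
    # The expiration date itself can be modified and read back
    user.replace('passwordExpirationTime', '20380119031405Z')
    assert user.get_attr_val_utf8(
        'passwordExpirationTime') == '20380119031405Z'
    config = Config(topo.standalone)
    # Change policy so that user can change passwords
    config.replace('passwordchange', 'on')
    # Re-create the user. Delete through the created object's own DN instead
    # of a hand-written copy of it, so the delete cannot drift from what
    # create_test_user() actually created
    user.delete()
    user = UserAccounts(topo.standalone, DEFAULT_SUFFIX).create_test_user()
    # Set password history ON
    config.replace('passwordhistory', 'on')
    # Modify password Once
    user.replace('userPassword', 'secreter')
    time.sleep(1)
    # The stored value must be hashed with the default storage scheme
    assert DEFAULT_PASSWORD_STORAGE_SCHEME in user.get_attr_val_utf8(
        'userPassword')
    # With history on, re-using the same password must be refused every time
    for _ in range(3):
        with pytest.raises(ldap.CONSTRAINT_VIOLATION):
            _change_password_with_own(topo, user.dn, 'secreter', 'secreter')
    user.delete()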
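def test_invalid_credentials(topo, _fix_password):
    """Test bind again with valid password: We should be locked

    :id: 3233ca78-5a20-11ea-8d35-8c16451d917b
    :setup: Standalone
    :steps:
        1. Search if passwordlockout is off
        2. Turns on passwordlockout
        3. sets lockout duration to 3 seconds
        4. Changing pw failure count reset duration to 3 sec and passwordminlength to 10
        5. Try to bind with invalid credentials
        6. Change password to password lockout forever
        7. Try to bind with invalid credentials
        8. Now bind again with valid password: We should be locked
        9. Reset the dbyers password as root before exiting
        10. Reset server
    :expected results:
        1. Success
        2. Success
        3. Success
        4. Success
        5. Fail
        6. Success
        7. Success
        8. Success
        9. Success
        10. Success
    """
    config = Config(topo.standalone)
    dbyers_dn = f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}'
    # Search if passwordlockout is off
    assert config.get_attr_val_utf8('passwordlockout') == 'off'
    # Turn on lockout: 3 s lockout duration, 3 s failure-count reset,
    # and a minimum password length of 10
    config.replace_many(
        ('passwordlockout', 'on'), ('passwordlockoutduration', '3'),
        ('passwordresetfailurecount', '3'), ('passwordminlength', '10'))
    try:
        # Three wrong passwords lock the account ...
        for _ in range(3):
            with pytest.raises(ldap.INVALID_CREDENTIALS):
                _change_password_with_own(topo, dbyers_dn, 'Invalid', 'dbyers1')
        # ... and the next attempt is refused with the lockout error
        with pytest.raises(ldap.CONSTRAINT_VIOLATION):
            _change_password_with_own(topo, dbyers_dn, 'Invalid', 'dbyers1')
        # Wait out the 3 second lockout; the valid password works again
        time.sleep(3)
        _change_password_with_own(topo, dbyers_dn, 'dbyers1', 'dbyers1')
        # Change policy to lock out forever (until an administrative reset)
        config.replace('passwordunlock', 'off')
        for _ in range(3):
            with pytest.raises(ldap.INVALID_CREDENTIALS):
                _change_password_with_own(topo, dbyers_dn, 'Invalid', 'dbyers1')
        with pytest.raises(ldap.CONSTRAINT_VIOLATION):
            _change_password_with_own(topo, dbyers_dn, 'Invalid', 'dbyers1')
        # Waiting past the old lockout duration no longer helps: the valid
        # password must still be refused
        time.sleep(3)
        with pytest.raises(ldap.CONSTRAINT_VIOLATION):
            _change_password_with_own(topo, dbyers_dn, 'dbyers1', 'dbyers1')
        # A root password reset clears the permanent lock (the old comment
        # said "Delete dby3rs", but the entry is reset, not deleted)
        _change_password_with_root(topo, dbyers_dn, 'dbyers1')
        time.sleep(1)
        _change_password_with_own(topo, dbyers_dn, 'dbyers1', 'dbyers1')
    finally:
        # Restore the server policy even when an assertion fails, so a later
        # test does not inherit lockout-on / passwordunlock-off state
        config.replace_many(
            ('passwordinhistory', '6'), ('passwordlockout', 'off'),
            ('passwordlockoutduration', '3600'), ('passwordminlength', '6'),
            ('passwordresetfailurecount', '600'), ('passwordunlock', 'on'))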
def test_pwd_update_time_attribute(topo):
    """Regression test for bz834063: pwdUpdateTime follows passwordTrackUpdateTime

    :id: ec2b1d4e-52d9-11ea-b13e-8c16451d917b
    :setup: Standalone
    :steps:
        1. Add the attribute passwordTrackUpdateTime to cn=config
        2. Add a test entry while passwordTrackUpdateTime is on
        3. Check if new attribute pwdUpdateTime added automatically after changing the pwd
        4. Modify User pwd
        5. check for the pwdupdatetime attribute added to the test entry as passwordTrackUpdateTime is on
        6. Set passwordTrackUpdateTime to OFF and modify test entry's pwd
        7. Check passwordUpdateTime should not be changed
        8. Record last pwdUpdateTime before changing the password
        9. Modify Pwd
        10. Set passwordTrackUpdateTime to ON and modify test entry's pwd,
            check passwordUpdateTime should be changed
        11. Try setting Invalid value for passwordTrackUpdateTime
        12. Try setting Invalid value for pwdupdatetime
    :expected results:
        1. Success
        2. Success
        3. Success
        4. Success
        5. Success
        6. Success
        7. Success
        8. Success
        9. Success
        10. Success
        11. Fail
        12. Fail
    """
    cfg = Config(topo.standalone)
    # Enable tracking of password update times in cn=config
    cfg.replace('passwordTrackUpdateTime', 'on')
    # Add a test entry while tracking is on and give it a password
    entry = _create_user(topo, 'test_bz834063', None)
    entry.set('userpassword', 'Unknown')
    # Changing the password must add pwdUpdateTime automatically
    entry.replace('userpassword', 'Unknown1')
    assert entry.get_attr_val_utf8('pwdUpdateTime')
    # Tracking off: a password change must leave pwdUpdateTime as it was
    cfg.replace('passwordTrackUpdateTime', 'off')
    stamp_before = entry.get_attr_val_utf8('pwdUpdateTime')
    time.sleep(1)
    entry.replace('userpassword', 'Unknown')
    stamp_untracked = entry.get_attr_val_utf8('pwdUpdateTime')
    assert stamp_before == stamp_untracked
    # Tracking on again: the next password change must move pwdUpdateTime
    time.sleep(1)
    cfg.replace('passwordTrackUpdateTime', 'on')
    entry.replace('userpassword', 'Unknown')
    time.sleep(1)
    stamp_tracked = entry.get_attr_val_utf8('pwdUpdateTime')
    assert stamp_tracked != stamp_untracked
    # Invalid values for the config switch and the tracked attribute are
    # rejected with distinct errors
    for expected_error, attr, bad_value in [
            (ldap.OPERATIONS_ERROR, 'passwordTrackUpdateTime', "invalid"),
            (ldap.UNWILLING_TO_PERFORM, 'pwdupdatetime', 'Invalid')]:
        with pytest.raises(expected_error):
            cfg.replace(attr, bad_value)
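def test_password_check_syntax(topo, _fix_password):
    """Password check syntax

    :id: 1e6fcc9e-5a20-11ea-9659-8c16451d917b
    :setup: Standalone
    :steps:
        1. Sets Password check syntax to on
        2. Try to change to a password that violates length.  Should get error
        3. Attempt to Modify password to db which is in error to policy
        4. change min pw length to 5
        5. Attempt to Modify password to dbyers which is in error to policy
        6. Attempt to Modify password to Danny which is in error to policy
        7. Attempt to Modify password to byers which is in error to policy
        8. Change min pw length to 6
        9. Try to change the password
        10. Trying to set to a password containing value of sn
        11. Sets policy to not check pw syntax
        12. Test that when checking syntax is off, you can use small passwords
        13. Test that when checking syntax is off, trivial passwords can be used
        14. Changing password minimum length from 6 to 10
        15. Setting policy to Check Password Syntax again
        16. Try to change to a password that violates length
        17. Reset Password
    :expected results:
        1. Success
        2. Success
        3. Success
        4. Success
        5. Success
        6. Success
        7. Success
        8. Success
        9. Success
        10. Success
        11. Success
        12. Success
        13. Success
        14. Success
        15. Success
        16. Fail
        17. Success
    """
    config = Config(topo.standalone)
    dbyers_dn = f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}'
    try:
        # Sets Password check syntax to on
        config.replace('passwordchecksyntax', 'on')
        # Try to change to a password that violates length.  Should get error
        with pytest.raises(ldap.CONSTRAINT_VIOLATION):
            _change_password_with_own(topo, dbyers_dn, 'dbyers1', 'dbyers2')
        # Attempt to Modify password to db which is in error to policy
        with pytest.raises(ldap.CONSTRAINT_VIOLATION):
            _change_password_with_own(topo, dbyers_dn, 'dbyers1', 'db')
        # change min pw length to 5
        config.replace('passwordminlength', '5')
        # These are long enough for the new minimum but are still in error
        # to policy (presumably because they are the user's own naming
        # values -- the policy rule is not visible here)
        for password in ['dbyers', 'Danny', 'byers']:
            with pytest.raises(ldap.CONSTRAINT_VIOLATION):
                _change_password_with_own(topo, dbyers_dn, 'dbyers1', password)
        # Change min pw length to 6
        config.replace('passwordminlength', '6')
        # Passwords that are long enough but still fail the syntax check
        # (e.g. containing the value of sn)
        for password in ['dby3rs1', 'dbyers2', '67Danny89', 'YAByers8']:
            with pytest.raises(ldap.CONSTRAINT_VIOLATION):
                _change_password_with_own(topo, dbyers_dn, 'dbyers1', password)
        # With syntax checking off, small and trivial passwords are accepted.
        # Each call binds with the previous new password, ending on 'dbyers1'
        config.replace('passwordchecksyntax', 'off')
        for password, new_pass in [('dbyers1', 'db'), ('db', 'dbyers'),
                                   ('dbyers', 'dbyers1')]:
            _change_password_with_own(topo, dbyers_dn, password, new_pass)
        # Raise the minimum length from 6 to 10 and check syntax again
        config.replace_many(('passwordminlength', '10'),
                            ('passwordchecksyntax', 'on'))
        # Try to change to a password that violates length
        with pytest.raises(ldap.CONSTRAINT_VIOLATION):
            _change_password_with_own(topo, dbyers_dn, 'dbyers1', 'db')
    finally:
        # Reset the password over the instance connection (not the user's own
        # bind), as the original flow did, and do it even when an assertion
        # above failed so the user is left usable for later tests
        UserAccount(topo.standalone, dbyers_dn).replace('userpassword', 'dbyers1')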
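def test_user_resets_pwd_TPR_attrs_reset(topo, _add_user,
                                         set_global_TPR_policies):
    """Test once password is reset attributes are set to FALSE

    :id: 6614068a-ee7d-11eb-b1a3-98fa9ba19b65
    :customerscenario: True
    :setup: Standalone
    :steps:
    1. Create DS Instance
    2. Create user jdoe2 with appropriate password
    3. Configure the Global Password policies and set passwordMustChange on
    4. Trigger TPR by resetting the user jdoe1 password above
    5. Reset the users password 'userpassword'
    6. Check that pwdTPRReset, pwdTPRUseCount, pwdTPRValidFrom, pwdTPRExpireAt are RESET
    :expectedresults:
        1. Success
        2. Success
        3. Success
        4. Success
        5. Success
        6. Success

    """
    user1 = UserAccount(topo.standalone,
                        f'uid=jdoe1,ou=People,{DEFAULT_SUFFIX}')
    tpr_attrs = ['pwdTPRReset', 'pwdTPRUseCount', 'pwdTPRValidFrom',
                 'pwdTPRExpireAt']
    log.info('Logging current time')
    # NOTE(review): time.mktime() reads its argument as *local* time while
    # time.gmtime() returns UTC, so start_time is skewed by the host's UTC
    # offset unless gentime_to_posix_time() applies the same conversion --
    # confirm before relying on the comparisons below on a non-UTC host.
    start_time = time.mktime(time.gmtime())
    log.info(
        'Verifying the Global policy are set and attributes are all set to "None"'
    )
    # No TPR attribute may exist before a reset has been triggered
    for tpr_attrib in tpr_attrs:
        assert user1.get_attr_val_utf8(tpr_attrib) is None
    config = Config(topo.standalone)
    config.replace_many(('pwdmustchange', 'on'), ('passwordTPRMaxUse', '3'),
                        ('passwordTPRDelayExpireAt', '1800'),
                        ('passwordTPRDelayValidFrom', '1'))
    assert user1.get_attr_val_utf8('pwdTPRReset') is None
    log.info(
        'Triggering TPR check that pwdTPRReset, pwdTPRUseCount, pwdTPRValidFrom, pwdTPRExpireAt are set'
    )
    # A password reset over the instance connection starts a TPR: the
    # tracking attributes appear, with both timestamps after start_time
    user1.replace('userpassword', 'new_password')
    time.sleep(3)
    assert user1.get_attr_val_utf8('pwdTPRReset') == 'TRUE'
    assert user1.get_attr_val_utf8('pwdTPRUseCount') == '0'
    assert gentime_to_posix_time(
        user1.get_attr_val_utf8('pwdTPRValidFrom')) > start_time
    assert gentime_to_posix_time(
        user1.get_attr_val_utf8('pwdTPRExpireAt')) > start_time
    # Bind as the user with the temporary password and change it. The
    # return value of rebind() was previously kept in an unused local
    user1.rebind('new_password')
    user1.replace('userpassword', 'extra_new_pass')
    log.info(
        'Checking that pwdTPRReset, pwdTPRUseCount, pwdTPRValidFrom, pwdTPRExpireAt are reset to None'
    )
    time.sleep(3)
    # The user's own change must clear every TPR tracking attribute
    for tpr_attrib in tpr_attrs:
        assert user1.get_attr_val_utf8(tpr_attrib) is None
    log.info('Verified that attributes are reset after password is reset')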
def test_admin_group_to_modify_password(topo, _add_user):
    """Regression test for bz1044164 part 2.

    :id: 12e09446-52da-11ea-aa11-8c16451d917b
    :setup: Standalone
    :steps:
        1. Create unique members of admin group
        2. Create admin group with unique members
        3. Edit ACIs for admin group
        4. Add group as password admin
        5. Test password admin group to modify password of another admin user
        6. Use admin user to perform a password update on Directory Manager user
        7. Test password admin group for local password policy
        8. Add top level container
        9. Add user
        10. Create local policy configuration entry
        11. Adding admin group for local policy
        12. Change user's password by admin user. Break the local policy rule
        13. Test password admin group for global password policy
        14. Add top level container
        15. Change user's password by admin user. Break the global policy rule
        16. Add new user in password admin group
        17. Modify ordinary user's password
        18. Modify user DN using modrdn of a user in password admin group
        19. Test assigning invalid value to password admin attribute
        20. Try to add more than one Password Admin attribute to config file
        21. Use admin group setup from previous testcases, but delete ACI from that
        22. Try to change user's password by admin user
        23. Restore ACI
        24. Edit ACIs for admin group
        25. Delete a user from password admin group
        26. Change users password by ex-admin user
        27. Remove group from password admin configuration
        28. Change admins
        29. Change user's password by ex-admin user
        30. Change admin user's password by ex-admin user
    :expected results:
        1. Success
        2. Success
        3. Success
        4. Success
        5. Success
        6. Fail(ldap.INSUFFICIENT_ACCESS)
        7. Success
        8. Success
        9. Success
        10. Success
        11. Success
        12. Success
        13. Success
        14. Success
        15. Success
        16. Success
        17. Success
        18. Success
        19. Fail
        20. Fail
        21. Success
        22. Success
        23. Success
        24. Success
        25. Success
        26. Success
        27. Success
        28. Success
        29. Fail
        30. Fail
    """
    # create unique members of admin group
    admin_grp = UniqueGroups(topo.standalone, DEFAULT_SUFFIX).create(properties={
        'cn': 'pwadm_group_adm',
        'description': 'pwadm_group_adm',
        'uniqueMember': [f'uid=pwadm_admin_2,ou=People,{DEFAULT_SUFFIX}',
                         f'uid=pwadm_admin_3,ou=People,{DEFAULT_SUFFIX}']
    })
    # Edit ACIs for admin group
    Domain(topo.standalone,
           f"ou=People,{DEFAULT_SUFFIX}").set('aci', f'(targetattr ="userpassword")'
                                                     f'(version 3.0;acl "Allow passwords admin to write user '
                                                     f'passwords";allow (write)(groupdn = "ldap:///{admin_grp.dn}");)')
    # Add group as password admin
    Config(topo.standalone).replace('passwordAdminDN', admin_grp.dn)
    # Test password admin group to modify password of another admin user
    change_password_of_user(topo, [
        ('uid=pwadm_admin_2,ou=People', 'Secret123', 'hello')],
                            f'uid=pwadm_admin_3,ou=people,{DEFAULT_SUFFIX}')
    # Use admin user to perform a password update on Directory Manager user
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'hello')],
                                f'{DN_DM},{DEFAULT_SUFFIX}')
    # Add top level container
    ou = OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX).create(properties={'ou': 'pwadm_locpol'})
    # Change user's password by admin user. Break the global policy rule
    # Add new user in password admin group
    user = _create_user(topo, 'pwadm_locpol_user', 'ou=pwadm_locpol')
    user.replace('userpassword', 'Secret123')
    # Create local policy configuration entry
    _create_pwp(topo, ou.dn)
    # Set parameter for pwp
    for para_meter, op_op in [
        ('passwordLockout', 'on'),
        ('passwordMaxFailure', '4'),
        ('passwordLockoutDuration', '10'),
        ('passwordResetFailureCount', '100'),
        ('passwordMinLength', '8'),
        ('passwordAdminDN', f'cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}')]:
        change_pwp_parameter(topo, 'ou=pwadm_locpol', para_meter, op_op)
    # Set ACI
    OrganizationalUnit(topo.standalone,
                       ou.dn).set('aci',
                                  f'(targetattr ="userpassword")'
                                  f'(version 3.0;acl "Allow passwords admin to write user '
                                  f'passwords";allow (write)'
                                  f'(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)')
    # Change password with new admin
    change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'Sec')], user.dn)
    # Set global parameter
    Config(topo.standalone).replace_many(
        ('passwordTrackUpdateTime', 'on'),
        ('passwordGraceLimit', '4'),
        ('passwordHistory', 'on'),
        ('passwordInHistory', '4'))
    # Test password admin group for global password policy
    change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'Sec')],
                            f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}')
    # Adding admin group for local policy
    grp = UniqueGroup(topo.standalone, f'cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}')
    grp.add('uniqueMember', f'uid=pwadm_admin_4,ou=People,{DEFAULT_SUFFIX}')
    # Modify ordinary user's password
    change_password_of_user(topo, [('uid=pwadm_admin_4,ou=People', 'Secret123', 'Secret')],
                            f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}')
    # Modify user DN using modrdn of a user in password admin group
    UserAccount(topo.standalone, f'uid=pwadm_admin_4,ou=People,{DEFAULT_SUFFIX}').rename('uid=pwadm_admin_4_new')
    # Remove admin
    grp.remove('uniqueMember', f'uid=pwadm_admin_4,ou=People,{DEFAULT_SUFFIX}')
    # Add Admin
    grp.add('uniqueMember', f'uid=pwadm_admin_4_new,ou=People,{DEFAULT_SUFFIX}')
    # Test the group pwp again
    with pytest.raises(ldap.INVALID_CREDENTIALS):
        change_password_of_user(topo, [(f'uid=pwadm_admin_4,ou=People', 'Secret123', 'Secret1')],
                                f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}')
    change_password_of_user(topo, [(f'uid=pwadm_admin_4_new,ou=People', 'Secret123', 'Secret1')],
                            f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}')
    with pytest.raises(ldap.INVALID_SYNTAX):
        Config(topo.standalone).replace('passwordAdminDN', "Invalid")
    # Test assigning invalid value to password admin attribute
    # Try to add more than one Password Admin attribute to config file
    with pytest.raises(ldap.OBJECT_CLASS_VIOLATION):
        Config(topo.standalone).replace('passwordAdminDN',
                                        [f'uid=pwadm_admin_2,ou=people,{DEFAULT_SUFFIX}',
                                         f'uid=pwadm_admin_3,ou=people,{DEFAULT_SUFFIX}'])
    # Use admin group setup from previous, but delete ACI from that
    people = Domain(topo.standalone, f"ou=People,{DEFAULT_SUFFIX}")
    people.remove('aci',
                  f'(targetattr ="userpassword")(version 3.0;acl '
                  f'"Allow passwords admin to write user '
                  f'passwords";allow (write)'
                  f'(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)')
    # Try to change user's password by admin user
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'Sec')],
                                f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}')
    # Restore ACI
    people.set('aci',
               f'(targetattr ="userpassword")(version 3.0;acl '
               f'"Allow passwords admin to write user '
               f'passwords";allow (write)(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)')
    # Edit ACIs for admin group
    people.add('aci',
               f'(targetattr ="userpassword")(version 3.0;acl '
               f'"Allow passwords admin to add user '
               f'passwords";allow (add)(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)')
    UserAccount(topo.standalone, f'uid=pwadm_user_2,ou=people,{DEFAULT_SUFFIX}').replace('userpassword', 'Secret')
    real_user = UserAccount(topo.standalone, f'uid=pwadm_user_2,ou=people,{DEFAULT_SUFFIX}')
    conn = real_user.bind('Secret')
    # Test new aci
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        UserAccounts(conn, DEFAULT_SUFFIX, rdn='ou=People').create(properties={
            'uid': 'ok',
            'cn': 'ok',
            'sn': 'ok',
            'uidNumber': '1000',
            'gidNumber': 'ok',
            'homeDirectory': '/home/ok'})
    UserAccounts(topo.standalone, DEFAULT_SUFFIX).list()
    real_user = UserAccount(topo.standalone, f'uid=pwadm_admin_2,ou=People,{DEFAULT_SUFFIX}')
    conn = real_user.bind('Secret123')
    # Test new aci which has new rights
    for uid, cn, password in [
        ('pwadm_user_3', 'pwadm_user_1', 'U2VjcmV0MTIzCg=='),
        ('pwadm_user_4', 'pwadm_user_2', 'U2VjcmV0MTIzCg==')]:
        UserAccounts(conn, DEFAULT_SUFFIX, rdn='ou=People').create(properties={
            'uid': uid,
            'cn': cn,
            'sn': cn,
            'uidNumber': '1000',
            'gidNumber': '1001',
            'homeDirectory': f'/home/{uid}',
            'userpassword': password})
    # Remove ACI
    Domain(topo.standalone,
           f"ou=People,{DEFAULT_SUFFIX}").remove('aci',
                                                 f'(targetattr ="userpassword")'
                                                 f'(version 3.0;acl '
                                                 f'"Allow passwords admin to add user '
                                                 f'passwords";allow '
                                                 f'(add)(groupdn = '
                                                 f'"ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)')
    # Delete a user from password admin group
    grp = UniqueGroup(topo.standalone, f'cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}')
    grp.remove('uniqueMember', f'uid=pwadm_admin_2,ou=People,{DEFAULT_SUFFIX}')
    # Change users password by ex-admin user
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'Secret')],
                                f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}')
    # Set aci for only user
    people = Domain(topo.standalone, f"ou=People,{DEFAULT_SUFFIX}")
    people.remove('aci',
                  f'(targetattr ="userpassword")(version 3.0;acl '
                  f'"Allow passwords admin to write user '
                  f'passwords";allow (write)(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)')
    people.set('aci',
               f'(targetattr ="userpassword")(version 3.0;acl "Allow passwords admin '
               f'to write user passwords";allow (write)(groupdn = "ldap:///uid=pwadm_admin_1,{DEFAULT_SUFFIX}");)')
    # Remove group from password admin configuration
    Config(topo.standalone).replace('passwordAdminDN', f"uid=pwadm_admin_1,{DEFAULT_SUFFIX}")
    # Change user's password by ex-admin user
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'hellso')],
                                f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}')
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'hellso')],
                                f'uid=pwadm_admin_1,{DEFAULT_SUFFIX}')