Ejemplo n.º 1
0
def test_cannot_add_an_entry_with_attribute_values_we_are_not_allowed_add(
    topo, _add_user, aci_of_user
):
    """
    Testing the targattrfilters keyword that allows access control based on the value of the
    attributes being added (or deleted))
    "Valueacl Test $tet_thistest Test not allowed add an entry"
    :id:0d0effee-7aaa-11e8-b673-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    ACI_BODY = '(targattrfilters = "add=title:(|(title=engineer)(title=cool dude)(title=scum)) ' \
               '&& secretary:(secretary=cn=Meylan, {}), del=title:(|(title=engineer)(title=cool dude)' \
               '(title=scum))")(version 3.0; aci "$tet_thistest"; allow (add) userdn = "ldap:///{}";)'.format(
            DEFAULT_SUFFIX, DEFAULT_SUFFIX)
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
    properties = {
        'uid': 'FRED',
        'cn': 'FRED',
        'sn': 'user',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/' + 'FRED'
    }
    user = UserAccount(topo.standalone, 'cn=FRED,ou=Accounting,{}'.format(DEFAULT_SUFFIX))
    user.create(properties=properties)
    user.set('title', ['anuj', 'kumar', 'borah'])
    conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
    # aci will not allow adding objectclass
    user = UserAccount(conn, USER_WITH_ACI_DELADD)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        user.add("objectclass", "person")
Ejemplo n.º 2
0
def test_csnpurge_large_valueset(topo_m2):
    """Test csn generator test

    :id: 63e2bdb2-0a8f-4660-9465-7b80a9f72a74
    :setup: MMR with 2 masters
    :steps:
        1. Create a test_user
        2. add a large set of values (more than 10)
        3. delete all the values (more than 10)
        4. configure the replica to purge those values (purgedelay=5s)
        5. Waiting for 6 second
        6. do a series of update
    :expectedresults:
        1. Should succeeds
        2. Should succeeds
        3. Should succeeds
        4. Should succeeds
        5. Should succeeds
        6. Should not crash
    """
    m1 = topo_m2.ms["master2"]

    test_user = UserAccount(m1, TEST_ENTRY_DN)
    if test_user.exists():
        log.info('Deleting entry {}'.format(TEST_ENTRY_DN))
        test_user.delete()
    test_user.create(
        properties={
            'uid': TEST_ENTRY_NAME,
            'cn': TEST_ENTRY_NAME,
            'sn': TEST_ENTRY_NAME,
            'userPassword': TEST_ENTRY_NAME,
            'uidNumber': '1000',
            'gidNumber': '2000',
            'homeDirectory': '/home/mmrepl_test',
        })

    # create a large value set so that it is sorted
    for i in range(1, 20):
        test_user.add('description', 'value {}'.format(str(i)))

    # delete all values of the valueset
    for i in range(1, 20):
        test_user.remove('description', 'value {}'.format(str(i)))

    # set purging delay to 5 second and wait more that 5second
    replicas = Replicas(m1)
    replica = replicas.list()[0]
    log.info('nsds5ReplicaPurgeDelay to 5')
    replica.set('nsds5ReplicaPurgeDelay', '5')
    time.sleep(6)

    # add some new values to the valueset containing entries that should be purged
    for i in range(21, 25):
        test_user.add('description', 'value {}'.format(str(i)))
Ejemplo n.º 3
0
def test_password_repl_error(topo_m4, test_entry):
    """Check that error about userpassword replication is properly logged

    :ID: 714130ff-e4f0-4633-9def-c1f4b24abfef
    :feature: Multi master replication
    :setup: Four masters replication setup, a test entry
    :steps: 1. Change userpassword on master 1
            2. Restart the servers to flush the logs
            3. Check the error log for an replication error
    :expectedresults: We don't have a replication error in the error log
    """

    m1 = topo_m4.ms["master1"]
    m2 = topo_m4.ms["master2"]
    TEST_ENTRY_NEW_PASS = '******'.format(TEST_ENTRY_NAME)

    log.info('Clean the error log')
    m2.deleteErrorLogs()

    log.info('Set replication loglevel')
    m2.config.loglevel((ErrorLog.REPLICA, ))

    log.info('Modifying entry {} - change userpassword on master 2'.format(
        TEST_ENTRY_DN))
    test_user_m1 = UserAccount(topo_m4.ms["master1"], TEST_ENTRY_DN)
    test_user_m2 = UserAccount(topo_m4.ms["master2"], TEST_ENTRY_DN)
    test_user_m3 = UserAccount(topo_m4.ms["master3"], TEST_ENTRY_DN)
    test_user_m4 = UserAccount(topo_m4.ms["master4"], TEST_ENTRY_DN)

    test_user_m1.set('userpassword', TEST_ENTRY_NEW_PASS)

    log.info('Restart the servers to flush the logs')
    for num in range(1, 5):
        topo_m4.ms["master{}".format(num)].restart(timeout=10)

    m1_conn = test_user_m1.bind(TEST_ENTRY_NEW_PASS)
    m2_conn = test_user_m2.bind(TEST_ENTRY_NEW_PASS)
    m3_conn = test_user_m3.bind(TEST_ENTRY_NEW_PASS)
    m4_conn = test_user_m4.bind(TEST_ENTRY_NEW_PASS)

    log.info('Check the error log for the error with {}'.format(TEST_ENTRY_DN))
    assert not m2.ds_error_log.match(
        '.*can.t add a change for uid={}.*'.format(TEST_ENTRY_NAME))
Ejemplo n.º 4
0
    def test_conflict_attribute_single_valued(self, topology_m2, base_m2):
        """A RDN attribute being signle-valued, checks that after several operations
           MODRDN and MOD_REPL its RDN values are the same on both servers

        :id: c38ae613-5d1e-47cf-b051-c7284e64b817
        :setup: Two supplier replication, test container for entries, enable plugin logging,
                audit log, error log for replica and access log for internal
        :steps:
            1. Create a test entry uid=user_test_1000,...
            2. Pause all replication agreements
            3. On M1 rename it into employeenumber=foo1,...
            4. On M2 rename it into employeenumber=foo2,...
            5. On M1 MOD_REPL employeenumber:foo1
            6. Resume all replication agreements
            7. Check that entry on M1 has employeenumber=foo1
            8. Check that entry on M2 has employeenumber=foo1
            9. Check that entry on M1 and M2 has the same employeenumber values
        :expectedresults:
            1. It should pass
            2. It should pass
            3. It should pass
            4. It should pass
            5. It should pass
            6. It should pass
            7. It should pass
            8. It should pass
            9. It should pass
        """

        M1 = topology_m2.ms["supplier1"]
        M2 = topology_m2.ms["supplier2"]

        # add a test user with a dummy 'uid' extra value because modrdn removes
        # uid that conflict with 'account' objectclass
        test_users_m1 = UserAccounts(M1, base_m2.dn, rdn=None)
        user_1 = test_users_m1.create_test_user(uid=1000)
        user_1.add('objectclass', 'extensibleobject')
        user_1.add('uid', 'dummy')
        test_users_m2 = UserAccount(M2, user_1.dn)

        # Waiting fo the user to be replicated
        for i in range(0, 4):
            time.sleep(1)
            if test_users_m2.exists():
                break
        assert (test_users_m2.exists())

        # Stop replication agreements
        topology_m2.pause_all_replicas()

        # On M1 rename test entry in employeenumber=foo1
        original_dn = user_1.dn
        user_1.rename('employeenumber=foo1')
        time.sleep(1)

        # On M2 rename test entry in employeenumber=foo2
        M2.rename_s(original_dn, 'employeenumber=foo2')
        time.sleep(2)

        # on M1 MOD_REPL uid into foo1
        user_1.replace('employeenumber', 'foo1')

        # resume replication agreements
        topology_m2.resume_all_replicas()
        time.sleep(5)

        # check that on M1, the entry 'employeenumber' has value 'foo1'
        final_dn = re.sub('^.*1000,', 'employeenumber=foo2,', original_dn)
        final_user_m1 = UserAccount(M1, final_dn)
        for val in final_user_m1.get_attr_vals_utf8('employeenumber'):
            log.info("Check %s is on M1" % val)
            assert (val in ['foo1'])

        # check that on M2, the entry 'employeenumber' has values 'foo1'
        final_user_m2 = UserAccount(M2, final_dn)
        for val in final_user_m2.get_attr_vals_utf8('employeenumber'):
            log.info("Check %s is on M2" % val)
            assert (val in ['foo1'])

        # check that the entry have the same uid values
        for val in final_user_m1.get_attr_vals_utf8('employeenumber'):
            log.info("Check M1.uid %s is also on M2" % val)
            assert (val in final_user_m2.get_attr_vals_utf8('employeenumber'))

        for val in final_user_m2.get_attr_vals_utf8('employeenumber'):
            log.info("Check M2.uid %s is also on M1" % val)
            assert (val in final_user_m1.get_attr_vals_utf8('employeenumber'))
def test_repl_agmt_bootstrap_credentials(topo):
    """Test that the agreement bootstrap credentials works if the default
    credentials fail for some reason.

    :id: 38c8095c-d958-415a-b602-74854b7882b3
    :customerscenario: True
    :setup: 2 Master Instances
    :steps:
        1.  Change the bind dn group member passwords
        2.  Verify replication is not working
        3.  Create a new repl manager on master 2 for bootstrapping
        4.  Add bootstrap credentials to agmt on master 1
        5.  Verify replication is now working with bootstrap creds
        6.  Trigger new repl session and default credentials are used first
    :expectedresults:
        1.  Success
        2.  Success
        3.  Success
        4.  Success
        5.  Success
        6.  Success
    """

    # Gather all of our objects for the test
    m1 = topo.ms["master1"]
    m2 = topo.ms["master2"]
    master1_replica = Replicas(m1).get(DEFAULT_SUFFIX)
    master2_replica = Replicas(m2).get(DEFAULT_SUFFIX)
    master2_users = UserAccounts(m2, DEFAULT_SUFFIX)
    m1_agmt = master1_replica.get_agreements().list()[0]
    num_of_original_users = len(master2_users.list())

    # Change the member's passwords which should break replication
    bind_group = Group(m2, dn=BIND_GROUP_DN)
    members = bind_group.list_members()
    for member_dn in members:
        member = UserAccount(m2, dn=member_dn)
        member.replace('userPassword', 'not_right')
    time.sleep(3)
    m1_agmt.pause()
    m1_agmt.resume()

    # Verify replication is not working, a new user should not be replicated
    users = UserAccounts(m1, DEFAULT_SUFFIX)
    test_user = users.ensure_state(properties=TEST_USER_PROPERTIES)
    time.sleep(3)
    assert len(master2_users.list()) == num_of_original_users

    # Create a repl manager on replica
    repl_mgr = BootstrapReplicationManager(m2, dn=BOOTSTRAP_MGR_DN)
    mgr_properties = {
        'uid': 'replication manager',
        'cn': 'replication manager',
        'userPassword': BOOTSTRAP_MGR_PWD,
    }
    repl_mgr.create(properties=mgr_properties)

    # Update master 2 config
    master2_replica.remove_all('nsDS5ReplicaBindDNGroup')
    master2_replica.remove_all('nsDS5ReplicaBindDnGroupCheckInterval')
    master2_replica.replace('nsDS5ReplicaBindDN', BOOTSTRAP_MGR_DN)

    # Add bootstrap credentials to master1 agmt, and restart agmt
    m1_agmt.replace('nsds5ReplicaBootstrapTransportInfo', 'LDAP')
    m1_agmt.replace('nsds5ReplicaBootstrapBindMethod', 'SIMPLE')
    m1_agmt.replace('nsds5ReplicaBootstrapCredentials', BOOTSTRAP_MGR_PWD)
    m1_agmt.replace('nsds5ReplicaBootstrapBindDN', BOOTSTRAP_MGR_DN)
    m1_agmt.pause()
    m1_agmt.resume()

    # Verify replication is working.  The user should have been replicated
    time.sleep(3)
    assert len(master2_users.list()) > num_of_original_users

    # Finally check if the default credentials are used on the next repl
    # session.  Clear out the logs, and disable log buffering.  Then
    # trigger a replication update/session.
    m1_agmt.pause()
    m2.stop()
    m2.deleteLog(m2.accesslog)  # Clear out the logs
    m2.start()
    m2.config.set('nsslapd-accesslog-logbuffering', 'off')
    m1_agmt.resume()
    test_user.delete()
    time.sleep(3)

    # We know if the default credentials are used it will fail (err=49)
    results = m2.ds_access_log.match('.* err=49 .*')
    assert len(results) > 0
Ejemplo n.º 6
0
def test_undefined_in_group_eval_fourteen(topo, test_user, aci_of_user):
    """
        Test with parent keyword that Yields FALSE as description is not present in tested entry

        :id: 5c527218-7841-11e8-8909-8c16451d917b
        :setup: server
        :steps:
            1. Add test entry
            2. Take a count of users using DN_DM
            3. Add test user
            4. add aci
            5. test should fullfil the aci rules
        :expectedresults:
            1. Entry should be added
            2. Operation should  succeed
            3. Operation should  succeed
            4. Operation should  succeed
            5. Operation should  succeed
    """
    Domain(topo.standalone, DEFAULT_SUFFIX).add(
        "aci",
        '(targetattr=*)(version 3.0; aci "tester"; allow(all) userattr = "parent[0,1].description#GROUPDN";)'
    )
    user = UserAccount(topo.standalone, GROUPDNATTRSCRATCHENTRY_GLOBAL)
    user.add("description", [ALLGROUPS_GLOBAL, GROUPG_GLOBAL])
    conn = UserAccount(topo.standalone, DEEPUSER2_GLOBAL).bind(PW_DM)
    # Test with parent keyword
    user1 = UserAccount(conn, GROUPDNATTRCHILDSCRATCHENTRY_GLOBAL)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        user1.add("sn", "Fred")
    assert UserAccount(conn,
                       DEEPGROUPSCRATCHENTRY_GLOBAL).get_attr_val_utf8('cn')
    user.remove("description", [ALLGROUPS_GLOBAL, GROUPG_GLOBAL])
Ejemplo n.º 7
0
def test_deny_all_access_with_targetfilter_using_boolean_or_of_two_equality_search(
    topo, test_uer, aci_of_user, request
):
    """Search Test 18 Deny all access with targetfilter using boolean OR of two equality search

    :id: 29cc35fa-793f-11e8-988f-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Add Entry
        2. Add ACI
        3. Bind with test USER_ANUJ
        4. Try search
        5. Delete Entry,test USER_ANUJ, ACI
    :expectedresults:
        1. Operation should success
        2. Operation should success
        3. Operation should success
        4. Operation should Fail
        5. Operation should success
    """
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(target = ldap:///{})(targetattr = "*")'
    '(targetfilter = (|(cn=scarter)(cn=jvaughan)))(version 3.0; acl "{}"; '
    'deny absolute (all) (userdn = "ldap:///anyone") ;)'.format(DEFAULT_SUFFIX, request.node.name))
    UserAccount(topo.standalone, USER_ANANDA).set("cn", "scarter")
    UserAccount(topo.standalone, USER_ANUJ).set("cn", "jvaughan")
    conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
    # aci will deny_all_access_with_targetfilter_using_boolean_or_of_two_equality_search
    user = UserAccount(conn, USER_ANANDA)
    with pytest.raises(IndexError):
        user.get_attr_val_utf8('uid')
    # aci will deny_all_access_with_targetfilter_using_boolean_or_of_two_equality_search
    user = UserAccount(conn, USER_ANUJ)
    with pytest.raises(IndexError):
        user.get_attr_val_utf8('uid')
    # with root no blockage
    assert UserAccount(topo.standalone, USER_ANANDA).get_attr_val_utf8('uid') == 'Ananda Borah'
    # with root no blockage
    assert UserAccount(topo.standalone, USER_ANUJ).get_attr_val_utf8('uid') == 'Anuj Borah'
Ejemplo n.º 8
0
def test_allow_write_access_to_targetattr_with_a_single_attribute(
        topo, aci_of_user, cleanup_tree):
    """Modify Test 1 Allow write access to targetattr with a single attribute

    :id: 620d7b82-7abf-11e8-a4db-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    ACI_BODY = '(targetattr = "title")(version 3.0; acl "ACI NAME"; allow (write) (userdn = "ldap:///anyone") ;)'
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

    ou = OrganizationalUnit(topo.standalone,
                            "ou=Product Development,{}".format(DEFAULT_SUFFIX))
    ou.create(properties={'ou': 'Product Development'})

    properties = {
        'uid': 'Jeff Vedder',
        'cn': 'Jeff Vedder',
        'sn': 'user',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/' + 'JeffVedder',
        'userPassword': PW_DM
    }
    user = UserAccount(
        topo.standalone,
        "cn=Jeff Vedder,ou=Product Development,{}".format(DEFAULT_SUFFIX))
    user.create(properties=properties)

    # Allow write access to targetattr with a single attribute
    conn = Anonymous(topo.standalone).bind()
    ua = UserAccount(conn, USER_DELADD)
    ua.add("title", "Architect")
    assert ua.get_attr_val('title')
    ua.remove("title", "Architect")
Ejemplo n.º 9
0
def _add_user(request, topo):
    org = Organization(topo.standalone).create(properties={"o": "acivattr"}, basedn=DEFAULT_SUFFIX)
    org.add('aci', '(targetattr="*")(targetfilter="(nsrole=*)")(version 3.0; aci "tester"; '
                   'allow(all) userdn="ldap:///cn=enguser1,ou=eng,o=acivattr,{}";)'.format(DEFAULT_SUFFIX))

    ou = OrganizationalUnit(topo.standalone, "ou=eng,o=acivattr,{}".format(DEFAULT_SUFFIX))
    ou.create(properties={'ou': 'eng'})

    ou = OrganizationalUnit(topo.standalone, "ou=sales,o=acivattr,{}".format(DEFAULT_SUFFIX))
    ou.create(properties={'ou': 'sales'})

    roles = FilterRoles(topo.standalone, DNBASE)
    roles.create(properties={'cn':'FILTERROLEENGROLE', 'nsRoleFilter':'cn=eng*'})
    roles.create(properties={'cn': 'FILTERROLESALESROLE', 'nsRoleFilter': 'cn=sales*'})

    nsContainer(topo.standalone,
                'cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,o=acivattr,{}'.format(DEFAULT_SUFFIX)).create(
        properties={'cn': 'cosTemplates'})

    properties = {'employeeType': 'EngType', 'cn':'"cn=filterRoleEngRole,o=acivattr,dc=example,dc=com",cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,o=acivattr,dc=example,dc=com'}
    CosTemplate(topo.standalone,'cn="cn=filterRoleEngRole,o=acivattr,dc=example,dc=com",'
                                'cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,o=acivattr,{}'.format(DEFAULT_SUFFIX)).\
        create(properties=properties)

    properties = {'employeeType': 'SalesType', 'cn': '"cn=filterRoleSalesRole,o=acivattr,dc=example,dc=com",cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,o=acivattr,dc=example,dc=com'}
    CosTemplate(topo.standalone,
                'cn="cn=filterRoleSalesRole,o=acivattr,dc=example,dc=com",cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,'
                'o=acivattr,{}'.format(DEFAULT_SUFFIX)).create(properties=properties)

    properties = {
        'cosTemplateDn': 'cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,o=acivattr,{}'.format(DEFAULT_SUFFIX),
        'cosAttribute': 'employeeType', 'cosSpecifier': 'nsrole', 'cn': 'cosClassicGenerateEmployeeTypeUsingnsrole'}
    CosClassicDefinition(topo.standalone,
                         'cn=cosClassicGenerateEmployeeTypeUsingnsrole,o=acivattr,{}'.format(DEFAULT_SUFFIX)).create(
        properties=properties)

    properties = {
        'uid': 'salesuser1',
        'cn': 'salesuser1',
        'sn': 'user',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/' + 'salesuser1',
        'userPassword': PW_DM
    }
    user = UserAccount(topo.standalone, 'cn=salesuser1,ou=sales,o=acivattr,{}'.format(DEFAULT_SUFFIX))
    user.create(properties=properties)

    properties = {
        'uid': 'salesmanager1',
        'cn': 'salesmanager1',
        'sn': 'user',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/' + 'salesmanager1',
        'userPassword': PW_DM,
    }
    user = UserAccount(topo.standalone, 'cn=salesmanager1,ou=sales,o=acivattr,{}'.format(DEFAULT_SUFFIX))
    user.create(properties=properties)

    properties = {
        'uid': 'enguser1',
        'cn': 'enguser1',
        'sn': 'user',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/' + 'enguser1',
        'userPassword': PW_DM
    }
    user = UserAccount(topo.standalone, 'cn=enguser1,ou=eng,o=acivattr,{}'.format(DEFAULT_SUFFIX))
    user.create(properties=properties)

    properties = {
        'uid': 'engmanager1',
        'cn': 'engmanager1',
        'sn': 'user',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/' + 'engmanager1',
        'userPassword': PW_DM
    }
    user = UserAccount(topo.standalone, 'cn=engmanager1,ou=eng,o=acivattr,{}'.format(DEFAULT_SUFFIX))
    user.create(properties=properties)

    def fin():
        for DN in [ENG_USER,SALES_UESER,ENG_MANAGER,SALES_MANAGER,FILTERROLESALESROLE,FILTERROLEENGROLE,ENG_OU,SALES_OU,
                   'cn="cn=filterRoleEngRole,o=acivattr,dc=example,dc=com",'
                   'cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,o=acivattr,dc=example,dc=com',
                   'cn="cn=filterRoleSalesRole,o=acivattr,dc=example,dc=com",'
                   'cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,o=acivattr,{}'.format(DEFAULT_SUFFIX), 'cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,o=acivattr,{}'.format(DEFAULT_SUFFIX),
                   'cn=cosClassicGenerateEmployeeTypeUsingnsrole,o=acivattr,{}'.format(DEFAULT_SUFFIX), DNBASE]:
            UserAccount(topo.standalone, DN).delete()

    request.addfinalizer(fin)
Ejemplo n.º 10
0
def test_allow_write_access_to_userdnattr(topo, aci_of_user, cleanup_tree,
                                          request):
    """Modify Test 7 Allow write access to userdnattr

    :id: 86b418f6-7abf-11e8-ae28-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    ACI_BODY = '(target = ldap:///{})(targetattr="*")(version 3.0; acl "{}";allow (write) (userdn = "ldap:///anyone"); )'.format(
        DEFAULT_SUFFIX, request.node.name)
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

    for i in ['Product Development', 'Accounting']:
        ou = OrganizationalUnit(topo.standalone,
                                "ou={},{}".format(i, DEFAULT_SUFFIX))
        ou.create(properties={'ou': i})

    for i in [
            'Jeff Vedder,ou=Product Development', 'Sam Carter,ou=Accounting'
    ]:
        properties = {
            'uid': i,
            'cn': i,
            'sn': 'user',
            'uidNumber': '1000',
            'gidNumber': '2000',
            'homeDirectory': '/home/' + i,
            'userPassword': PW_DM
        }
        user = UserAccount(topo.standalone,
                           "cn={},{}".format(i, DEFAULT_SUFFIX))
        user.create(properties=properties)

    UserAccount(topo.standalone,
                USER_WITH_ACI_DELADD).add('manager', USER_WITH_ACI_DELADD)
    conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
    # Allow write access to userdnattr
    ua = UserAccount(conn, USER_DELADD)
    ua.add('uid', 'scoobie')
    assert ua.get_attr_val('uid')
    ua.add('uid', 'jvedder')
    assert ua.get_attr_val('uid')
Ejemplo n.º 11
0
def test_uniquemember_should_also_be_the_owner(topo, aci_of_user):
    """Modify Test 10 groupdnattr = \"ldap:///$BASEDN?owner\" if owner is a group, group's
    uniquemember should also be the owner

    :id: 9456b2d4-7abf-11e8-829d-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    for i in ['ACLGroupTest']:
        ou = OrganizationalUnit(topo.standalone,
                                "ou={},{}".format(i, DEFAULT_SUFFIX))
        ou.create(properties={'ou': i})

    ou = OrganizationalUnit(topo.standalone,
                            "ou=ACLDevelopment,{}".format(DEFAULT_SUFFIX))
    ou.create(properties={'ou': 'ACLDevelopment'})
    ou.set(
        'aci', '(targetattr="*")(version 3.0; acl "groupdnattr acl"; '
        'allow (all)groupdnattr = "ldap:///{}?owner";)'.format(DEFAULT_SUFFIX))

    grp = UniqueGroup(topo.standalone,
                      "uid=anuj,ou=ACLDevelopment, {}".format(DEFAULT_SUFFIX))
    user_props = ({
        'sn':
        'Borah',
        'cn':
        'Anuj',
        'objectclass': [
            'top', 'person', 'organizationalPerson', 'inetOrgPerson',
            'groupofUniquenames'
        ],
        'userpassword':
        PW_DM,
        'givenname':
        'Anuj',
        'ou': ['ACLDevelopment', 'People'],
        'roomnumber':
        '123',
        'uniquemember':
        'cn=mandatory member'
    })
    grp.create(properties=user_props)

    grp = UniqueGroup(
        topo.standalone,
        "uid=2ishani,ou=ACLDevelopment, {}".format(DEFAULT_SUFFIX))
    user_props = ({
        'sn':
        'Borah',
        'cn':
        '2ishani',
        'objectclass': [
            'top', 'person', 'organizationalPerson', 'inetOrgPerson',
            'groupofUniquenames'
        ],
        'userpassword':
        PW_DM,
        'givenname':
        '2ishani',
        'ou': ['ACLDevelopment', 'People'],
        'roomnumber':
        '1234',
        'uniquemember':
        'cn=mandatory member',
        "owner":
        "cn=group4, ou=ACLGroupTest, {}".format(DEFAULT_SUFFIX)
    })
    grp.create(properties=user_props)

    grp = UniqueGroup(topo.standalone,
                      'cn=group1,ou=ACLGroupTest,' + DEFAULT_SUFFIX)
    grp.create(properties={'cn': 'group1', 'ou': 'groups'})
    grp.set('uniquemember', [
        "cn=group2, ou=ACLGroupTest, {}".format(DEFAULT_SUFFIX),
        "cn=group3, ou=ACLGroupTest, {}".format(DEFAULT_SUFFIX)
    ])

    grp = UniqueGroup(topo.standalone,
                      'cn=group3,ou=ACLGroupTest,' + DEFAULT_SUFFIX)
    grp.create(properties={'cn': 'group3', 'ou': 'groups'})
    grp.set('uniquemember',
            ["cn=group4, ou=ACLGroupTest, {}".format(DEFAULT_SUFFIX)])

    grp = UniqueGroup(topo.standalone,
                      'cn=group4,ou=ACLGroupTest,' + DEFAULT_SUFFIX)
    grp.create(properties={'cn': 'group4', 'ou': 'groups'})
    grp.set('uniquemember',
            ["uid=anuj, ou=ACLDevelopment, {}".format(DEFAULT_SUFFIX)])

    #uniquemember should also be the owner
    conn = UserAccount(
        topo.standalone,
        "uid=anuj,ou=ACLDevelopment, {}".format(DEFAULT_SUFFIX)).bind(PW_DM)
    ua = UserAccount(
        conn, "uid=2ishani, ou=ACLDevelopment, {}".format(DEFAULT_SUFFIX))
    ua.add('roomnumber', '9999')
    assert ua.get_attr_val('roomnumber')

    for DN in [
            "cn=group4,ou=ACLGroupTest,{}".format(DEFAULT_SUFFIX),
            "cn=group3,ou=ACLGroupTest,{}".format(DEFAULT_SUFFIX),
            "cn=group1,ou=ACLGroupTest,{}".format(DEFAULT_SUFFIX),
            "uid=2ishani,ou=ACLDevelopment,{}".format(DEFAULT_SUFFIX),
            "uid=anuj,ou=ACLDevelopment,{}".format(DEFAULT_SUFFIX),
            "ou=ACLDevelopment,{}".format(DEFAULT_SUFFIX),
            "ou=ACLGroupTest, {}".format(DEFAULT_SUFFIX)
    ]:
        UserAccount(topo.standalone, DN).delete()
Ejemplo n.º 12
0
def test_allow_write_access_to_target_with_wildcards(topo, aci_of_user,
                                                     cleanup_tree):
    """Modify Test 6 Allow write access to target with wildcards

    :id: 825fe884-7abf-11e8-8541-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    ACI_BODY = '(target = ldap:///{})(targetattr = "*")(version 3.0; acl "ACI NAME"; allow (write) (userdn = "ldap:///anyone") ;)'.format(
        DEFAULT_SUFFIX)
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

    for i in ['Product Development', 'Accounting', 'Human Resources']:
        ou = OrganizationalUnit(topo.standalone,
                                "ou={},{}".format(i, DEFAULT_SUFFIX))
        ou.create(properties={'ou': i})

    for i in [
            'Jeff Vedder,ou=Product Development', 'Sam Carter,ou=Accounting',
            'Kirsten Vaughan, ou=Human Resources'
    ]:
        properties = {
            'uid': i,
            'cn': i,
            'sn': 'user',
            'uidNumber': '1000',
            'gidNumber': '2000',
            'homeDirectory': '/home/' + i,
            'userPassword': PW_DM
        }
        user = UserAccount(topo.standalone,
                           "cn={},{}".format(i, DEFAULT_SUFFIX))
        user.create(properties=properties)

    conn = UserAccount(topo.standalone, USER_DELADD).bind(PW_DM)
    # Allow write access to target with wildcards
    ua = UserAccount(conn, KIRSTENVAUGHAN)
    ua.add("title", "Architect")
    assert ua.get_attr_val('title')
    conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
    # Allow write access to target with wildcards
    ua = UserAccount(conn, USER_DELADD)
    ua.add("title", "Architect")
    assert ua.get_attr_val('title')
Ejemplo n.º 13
0
def test_replica_backup_and_restore(topo_m4):
    """Test Backup and restore

    :id: 5ad1b85c-e765-11e8-9668-8c16451d917b
    :setup: standalone
    :steps:
        1. Add entries
        2. Take backup db2ldif on supplier1
        3. Delete entries on supplier1
        4. Restore entries ldif2db
        5. Check entries
    :expected results:
        1. Should success
        2. Should success
        3. Should success
        4. Should success
        5. Should success
    """
    # Testing bug #830335: Taking a replica backup and Restore on M1 after deleting few entries from M1 nad M2
    # Make sure to update S1 to avoid useless replication delay
    repl = ReplicationManager(DEFAULT_SUFFIX)
    users = UserAccounts(topo_m4.ms["supplier1"], DEFAULT_SUFFIX)
    for i in range(20, 25):
        users.create_test_user(uid=i)
        time.sleep(1)
    repl.wait_for_replication(topo_m4.ms["supplier1"], topo_m4.ms["supplier2"])
    repl.test_replication(topo_m4.ms["supplier1"], topo_m4.ms["supplier2"], 30)

    # Get a backup
    topo_m4.ms["supplier1"].stop()
    topo_m4.ms["supplier1"].db2ldif(
        bename=DEFAULT_BENAME,
        suffixes=[DEFAULT_SUFFIX],
        excludeSuffixes=[],
        encrypt=False,
        repl_data=True,
        outputfile="/tmp/output_file",
    )

    # Do some updates (that are not in the backup
    # and restore the backup
    topo_m4.ms["supplier1"].start()
    for i in users.list():
        topo_m4.ms["supplier1"].delete_s(i.dn)
    repl.wait_for_replication(topo_m4.ms["supplier1"], topo_m4.ms["supplier2"])
    repl.test_replication(topo_m4.ms["supplier1"], topo_m4.ms["supplier2"], 30)
    # disable the agmt (while server is up) to avoid the DEL get replayed too early
    for agmt in list_agmt_towards(topo_m4, "supplier1"):
        agmt.pause()
    topo_m4.ms["supplier1"].stop()
    topo_m4.ms["supplier1"].ldif2db(
        bename=None,
        excludeSuffixes=None,
        encrypt=False,
        suffixes=[DEFAULT_SUFFIX],
        import_file="/tmp/output_file",
    )
    topo_m4.ms["supplier1"].start()

    # Check that the updates (DEL) are no longer there
    for i in users.list():
        testuser = UserAccount(topo_m4.ms["supplier1"], i.dn)
        assert testuser.exists()

    # Re enable the agmts
    for agmt in list_agmt_towards(topo_m4, "supplier1"):
        agmt.resume()

    # Here the changelog of supplier1 has been cleared.
    # Let's wait the supplier2 resync supplier1 BEFORE doing
    # any update to supplier1.
    # Else (a new update on S1), the others supplier will not update
    # it and the changelog of S1 will not contain the starting points
    # of the others suppliers.
    repl.wait_for_replication(topo_m4.ms["supplier2"], topo_m4.ms["supplier1"])
    repl.wait_for_replication(topo_m4.ms["supplier3"], topo_m4.ms["supplier1"])
    repl.wait_for_replication(topo_m4.ms["supplier4"], topo_m4.ms["supplier1"])

    for i in range(31, 35):
        users.create_test_user(uid=i)
        time.sleep(1)
    repl.wait_for_replication(topo_m4.ms["supplier1"], topo_m4.ms["supplier2"])
    repl.test_replication(topo_m4.ms["supplier1"], topo_m4.ms["supplier2"], 30)
Ejemplo n.º 14
0
def test_targattrfilters_keyword(topo):
    """
    Testing the targattrfilters keyword that allows access control based on the value
    of the attributes being added (or deleted))
    "Bug #979515 - ACLs inoperative in some search scenarios [rhel-6.5]"
    "Bug #979516 is a clone for DS8.2 on RHEL5.9"
    "Bug #979514 is a clone for RHEL6.4 zStream errata"
    :id:23f9e9d0-7aaa-11e8-b16b-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    domain = Domain(topo.standalone, DEFAULT_SUFFIX)
    domain.set('aci', None)
    ou = OrganizationalUnit(topo.standalone, 'ou=bug979515,{}'.format(DEFAULT_SUFFIX))
    ou.create(properties={'ou': 'bug979515'})
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", '(target="ldap:///ou=bug979515,{}") '
                '(targetattr= "uid") ( version 3.0; acl "read other subscriber"; allow (compare, read, search) '
                'userdn="ldap:///uid=*,ou=bug979515,{}" ; )'.format(DEFAULT_SUFFIX, DEFAULT_SUFFIX))
    properties = {
        'uid': 'acientryusr1',
        'cn': 'acientryusr1',
        'sn': 'user',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/' + 'acientryusr1'
    }
    user = UserAccount(topo.standalone, 'cn=acientryusr1,ou=bug979515,{}'.format(DEFAULT_SUFFIX))
    user.create(properties=properties)
    user.set('telephoneNumber', '99972566596')
    user.set('mail', '*****@*****.**')
    user.set("userPassword", "password")

    properties = {
        'uid': 'newaciphoneusr1',
        'cn': 'newaciphoneusr1',
        'sn': 'user',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/' + 'newaciphoneusr1'
    }
    user = UserAccount(topo.standalone, 'cn=newaciphoneusr1,ou=bug979515,{}'.format(DEFAULT_SUFFIX))
    user.create(properties=properties)
    user.set('telephoneNumber', '99972566596')
    user.set('mail', '*****@*****.**')
    conn = UserAccount(topo.standalone, "cn=acientryusr1,ou=bug979515,{}".format(DEFAULT_SUFFIX)).bind(PW_DM)
    #  Testing the targattrfilters keyword that allows access control based on the value of the attributes being added (or deleted))
    user = UserAccount(conn, "cn=acientryusr1,ou=bug979515,{}".format(DEFAULT_SUFFIX))
    with pytest.raises(IndexError):
        user.get_attr_vals('mail')
        user.get_attr_vals('telephoneNumber')
        user.get_attr_vals('cn')
    user = UserAccount(topo.standalone, "cn=acientryusr1,ou=bug979515,{}".format(DEFAULT_SUFFIX))
    user.get_attr_vals('mail')
    user.get_attr_vals('telephoneNumber')
    user.get_attr_vals('cn')
Ejemplo n.º 15
0
def test_gecos_directoryString_wins_M2(topo_m2, request):
    """Check that if inital syntax are IA5(M2) and DirectoryString(M1)
    Then directoryString wins when nsSchemaCSN M2 is the greatest

    :id: 2da7f1b1-f86d-4072-a940-ba56d4bc8348
    :setup: Two suppliers replication setup
    :steps:
        1. Create a testuser on M1
        2  Stop M1 and M2
        3  Change gecos def on M2 to be IA5
        4  Start M1 and M2
        5  Update M2 schema so that M2 has greatest nsSchemaCSN
        6  Update testuser on M2 and trigger replication to M1
        7  Update testuser on M2 with gecos directoryString value
        8  Check replication is still working
        9  Check gecos is DirectoryString on M1 and M2
    :expectedresults:
        1. success
        2. success
        3. success
        4. success
        5. success
        6. success
        7. success
        8. success
        9. success

    """

    repl = ReplicationManager(DEFAULT_SUFFIX)
    m1 = topo_m2.ms["supplier1"]
    m2 = topo_m2.ms["supplier2"]

    # create a test user
    testuser_dn = 'uid={},{}'.format('testuser', DEFAULT_SUFFIX)
    testuser = UserAccount(m1, testuser_dn)
    try:
        testuser.create(
            properties={
                'uid': 'testuser',
                'cn': 'testuser',
                'sn': 'testuser',
                'uidNumber': '1000',
                'gidNumber': '2000',
                'homeDirectory': '/home/testuser',
            })
    except ldap.ALREADY_EXISTS:
        pass
    testuser.replace('displayName', 'to trigger replication M1-> M2')
    repl.wait_for_replication(m1, m2)

    # Stop suppliers to update the schema
    m1.stop()
    m2.stop()

    # on M1: gecos is DirectoryString (default)
    # on M2: gecos is IA5
    schema_filename = (m2.schemadir + "/99user.ldif")
    try:
        with open(schema_filename, 'w') as schema_file:
            schema_file.write("dn: cn=schema\n")
            schema_file.write(
                "attributetypes: ( 1.3.6.1.1.1.1.2 NAME " +
                "'gecos' DESC 'The GECOS field; the common name' " +
                "EQUALITY caseIgnoreIA5Match " +
                "SUBSTR caseIgnoreIA5SubstringsMatch " +
                "SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 " + "SINGLE-VALUE )\n")
        os.chmod(schema_filename, 0o777)
    except OSError as e:
        log.fatal("Failed to update schema file: " +
                  "{} Error: {}".format(schema_filename, str(e)))

    # start the instances
    m1.start()
    m2.start()

    # Check that gecos is IA5 on M2
    schema = SchemaLegacy(m2)
    attributetypes = schema.query_attributetype('gecos')
    assert attributetypes[0].syntax == "1.3.6.1.4.1.1466.115.121.1.26"

    # update M2 schema to increase its nsschemaCSN
    new_at = "( dummy-oid NAME 'dummy' DESC 'dummy attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'RFC 2307' )"
    m2.schema.add_schema('attributetypes', ensure_bytes(new_at))

    # update just to trigger replication M2->M1
    # and update of M2 schema
    testuser_m2 = UserAccount(m2, testuser_dn)
    testuser_m2.replace('displayName', 'to trigger replication M2-> M1')

    # Add a gecos UTF value on M1
    testuser.replace('gecos', 'Hélène')

    # Check replication is still working
    testuser.replace('displayName', 'ascii value')
    repl.wait_for_replication(m1, m2)
    assert testuser_m2.exists()
    assert testuser_m2.get_attr_val_utf8('displayName') == 'ascii value'

    # Check that gecos is DirectoryString on M1
    schema = SchemaLegacy(m1)
    attributetypes = schema.query_attributetype('gecos')
    assert attributetypes[0].syntax == "1.3.6.1.4.1.1466.115.121.1.15"

    # Check that gecos is DirectoryString on M2
    schema = SchemaLegacy(m2)
    attributetypes = schema.query_attributetype('gecos')
    assert attributetypes[0].syntax == "1.3.6.1.4.1.1466.115.121.1.15"

    def fin():
        m1.start()
        m2.start()
        testuser.delete()
        m1.schema.del_schema('attributetypes', ensure_bytes(new_at))
        repl.wait_for_replication(m1, m2)

        # on M2 restore a default 99user.ldif
        m2.stop()
        os.remove(m2.schemadir + "/99user.ldif")
        schema_filename = (m2.schemadir + "/99user.ldif")
        try:
            with open(schema_filename, 'w') as schema_file:
                schema_file.write("dn: cn=schema\n")
            os.chmod(schema_filename, 0o777)
        except OSError as e:
            log.fatal("Failed to update schema file: " +
                      "{} Error: {}".format(schema_filename, str(e)))
        m2.start()

    request.addfinalizer(fin)
Ejemplo n.º 16
0
 def __init__(self, topo, value, conn):
     self.topo = topo
     self.value = value
     self.conn = conn
     self.user = UserAccount(self.conn, USER_DELADD)
Ejemplo n.º 17
0
def test_undefined_in_group_eval_eleven(topo, test_user, aci_of_user):
    """
        Aci will not allow access as description is there with the user entry which is not allowed in ACI

        :id: 4cfa28e2-7841-11e8-8117-8c16451d917b
        :setup: server
        :steps:
            1. Add test entry
            2. Take a count of users using DN_DM
            3. Add test user
            4. add aci
            5. test should fullfil the aci rules
        :expectedresults:
            1. Entry should be added
            2. Operation should  succeed
            3. Operation should  succeed
            4. Operation should  succeed
            5. Operation should  succeed
    """
    Domain(topo.standalone, DEFAULT_SUFFIX).add(
        "aci",
        '(targetattr=*)(version 3.0; aci "tester"; allow(all) not( userattr = "description#GROUPDN");)'
    )
    user = UserAccount(topo.standalone, DEEPGROUPSCRATCHENTRY_GLOBAL)
    user.add("description", [ALLGROUPS_GLOBAL, GROUPH_GLOBAL])
    conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
    # Test that not(UNDEFINED(attrval1))
    user1 = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        user1.add("sn", "Fred1")
    assert user.get_attr_val_utf8('cn')
    user.remove("description", [ALLGROUPS_GLOBAL, GROUPH_GLOBAL])
Ejemplo n.º 18
0
 def delete(self):
     UserAccount(self.conn, USER_DELADD).remove("title", None)
Ejemplo n.º 19
0
def test_pwd_reset(topology_st, test_user):
    """Test new password policy attribute "pwdReset"

    :id: 03db357b-4800-411e-a36e-28a534293004
    :customerscenario: True
    :setup: Standalone instance
    :steps:
        1. Enable passwordMustChange
        2. Reset user's password
        3. Check that the pwdReset attribute is set to TRUE
        4. Bind as the user and change its password
        5. Check that pwdReset is now set to FALSE
        6. Reset password policy configuration
    :expected results:
        1. Success
        2. Success
        3. Success
        4. Success
        5. Success
        6. Success
    """

    # Set password policy config
    topology_st.standalone.config.replace('passwordMustChange', 'on')
    time.sleep(.5)

    # Reset user's password
    our_user = UserAccount(topology_st.standalone, TEST_USER_DN)
    our_user.replace('userpassword', PASSWORD)
    time.sleep(.5)

    # Check that pwdReset is TRUE
    assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE'

    # Bind as user and change its own password
    our_user.rebind(PASSWORD)
    our_user.replace('userpassword', PASSWORD)
    time.sleep(.5)

    # Check that pwdReset is FALSE
    topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
    assert our_user.get_attr_val_utf8('pwdReset') == 'FALSE'

    # Reset password policy config
    topology_st.standalone.config.replace('passwordMustChange', 'off')

    # Reset user's password
    our_user.replace('userpassword', TEST_USER_PWD)
Ejemplo n.º 20
0
 def __init__(self, topo, value):
     self.topo = topo
     self.value = value
     self.user = UserAccount(self.topo.standalone, USER_DELADD)
Ejemplo n.º 21
0
    def test_conflict_attribute_multi_valued(self, topology_m2, base_m2):
        """A RDN attribute being multi-valued, checks that after several operations
           MODRDN and MOD_REPL its RDN values are the same on both servers

        :id: 225b3522-8ed7-4256-96f9-5fab9b7044a5
        :setup: Two supplier replication,
                audit log, error log for replica and access log for internal
        :steps:
            1. Create a test entry uid=user_test_1000,...
            2. Pause all replication agreements
            3. On M1 rename it into uid=foo1,...
            4. On M2 rename it into uid=foo2,...
            5. On M1 MOD_REPL uid:foo1
            6. Resume all replication agreements
            7. Check that entry on M1 has uid=foo1, foo2
            8. Check that entry on M2 has uid=foo1, foo2
            9. Check that entry on M1 and M2 has the same uid values
        :expectedresults:
            1. It should pass
            2. It should pass
            3. It should pass
            4. It should pass
            5. It should pass
            6. It should pass
            7. It should pass
            8. It should pass
            9. It should pass
        """

        M1 = topology_m2.ms["supplier1"]
        M2 = topology_m2.ms["supplier2"]

        # add a test user
        test_users_m1 = UserAccounts(M1, base_m2.dn, rdn=None)
        user_1 = test_users_m1.create_test_user(uid=1000)
        test_users_m2 = UserAccount(M2, user_1.dn)
        # Waiting fo the user to be replicated
        for i in range(0, 4):
            time.sleep(1)
            if test_users_m2.exists():
                break
        assert (test_users_m2.exists())

        # Stop replication agreements
        topology_m2.pause_all_replicas()

        # On M1 rename test entry in uid=foo1
        original_dn = user_1.dn
        user_1.rename('uid=foo1')
        time.sleep(1)

        # On M2 rename test entry in uid=foo2
        M2.rename_s(original_dn, 'uid=foo2')
        time.sleep(2)

        # on M1 MOD_REPL uid into foo1
        user_1.replace('uid', 'foo1')

        # resume replication agreements
        topology_m2.resume_all_replicas()
        time.sleep(5)

        # check that on M1, the entry 'uid' has two values 'foo1' and 'foo2'
        final_dn = re.sub('^.*1000,', 'uid=foo2,', original_dn)
        final_user_m1 = UserAccount(M1, final_dn)
        for val in final_user_m1.get_attr_vals_utf8('uid'):
            log.info("Check %s is on M1" % val)
            assert (val in ['foo1', 'foo2'])

        # check that on M2, the entry 'uid' has two values 'foo1' and 'foo2'
        final_user_m2 = UserAccount(M2, final_dn)
        for val in final_user_m2.get_attr_vals_utf8('uid'):
            log.info("Check %s is on M1" % val)
            assert (val in ['foo1', 'foo2'])

        # check that the entry have the same uid values
        for val in final_user_m1.get_attr_vals_utf8('uid'):
            log.info("Check M1.uid %s is also on M2" % val)
            assert (val in final_user_m2.get_attr_vals_utf8('uid'))

        for val in final_user_m2.get_attr_vals_utf8('uid'):
            log.info("Check M2.uid %s is also on M1" % val)
            assert (val in final_user_m1.get_attr_vals_utf8('uid'))
Ejemplo n.º 22
0
def _add_user(request, topo):
    for i in ["Product Development", 'Accounting', "Human Resources"]:
        ou = OrganizationalUnit(topo.standalone,
                                "ou={},{}".format(i, DEFAULT_SUFFIX))
        ou.create(properties={'ou': i})

    properties = {
        'uid': 'Jeff Vedder',
        'cn': 'Jeff Vedder',
        'sn': 'user',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/' + 'JeffVedder',
        'userPassword': '******'
    }
    user = UserAccount(topo.standalone,
                       'cn=Jeff Vedder,{}'.format(CONTAINER_1_DELADD))
    user.create(properties=properties)
    user.set('secretary', 'cn=Arpitoo Borah, o=Red Hat, c=As')
    user.set('mail', '*****@*****.**')

    properties = {
        'uid': 'Sam Carter',
        'cn': 'Sam Carter',
        'sn': 'user',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/' + 'SamCarter',
        'userPassword': '******'
    }
    user = UserAccount(topo.standalone,
                       'cn=Sam Carter,{}'.format(CONTAINER_2_DELADD))
    user.create(properties=properties)

    properties = {
        'uid': 'Kirsten Vaughan',
        'cn': 'Kirsten Vaughan',
        'sn': 'Kirsten Vaughan',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/' + 'KirstenVaughan',
        'userPassword': '******'
    }
    user = UserAccount(
        topo.standalone,
        'cn=Kirsten Vaughan, ou=Human Resources,{}'.format(DEFAULT_SUFFIX))
    user.create(properties=properties)

    properties = {
        'uid': 'HARRY',
        'cn': 'HARRY',
        'sn': 'HARRY',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/' + 'HARRY',
        'userPassword': '******'
    }
    user = UserAccount(topo.standalone,
                       'cn=HARRY, ou=Accounting,{}'.format(DEFAULT_SUFFIX))
    user.create(properties=properties)

    def fin():
        for DN in [
                USER_DELADD, USER_WITH_ACI_DELADD, FRED, HARRY, KIRSTENVAUGHAN,
                HUMAN_OU_GLOBAL, CONTAINER_2_DELADD, CONTAINER_1_DELADD
        ]:
            ua = UserAccount(topo.standalone, DN)
            try:
                ua.delete()
            except:
                pass

    request.addfinalizer(fin)
Ejemplo n.º 23
0
def test_fast_slow_import(topo, _toggle_private_import_mem, _import_clean):
    """With nsslapd-db-private-import-mem: on is faster import.

    :id: 3044331c-9c0e-11ea-ac9f-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Let's set nsslapd-db-private-import-mem:on, nsslapd-import-cache-autosize: 0
        2. Measure offline import time duration total_time1
        3. Now nsslapd-db-private-import-mem:off
        4. Measure offline import time duration total_time2
        5. total_time1 < total_time2
        6. Set nsslapd-db-private-import-mem:on, nsslapd-import-cache-autosize: -1
        7. Measure offline import time duration total_time1
        8. Now nsslapd-db-private-import-mem:off
        9. Measure offline import time duration total_time2
        10. total_time1 < total_time2
    :expected results:
        1. Operation successful
        2. Operation successful
        3. Operation successful
        4. Operation successful
        5. Operation successful
        6. Operation successful
        7. Operation successful
        8. Operation successful
        9. Operation successful
        10. Operation successful
    """
    # Let's set nsslapd-db-private-import-mem:on, nsslapd-import-cache-autosize: 0
    config = LDBMConfig(topo.standalone)
    # Measure offline import time duration total_time1
    total_time1 = _import_offline(topo, 1000)
    # Now nsslapd-db-private-import-mem:off
    config.replace('nsslapd-db-private-import-mem', 'off')
    accounts = Accounts(topo.standalone, DEFAULT_SUFFIX)
    for i in accounts.filter('(uid=*)'):
        UserAccount(topo.standalone, i.dn).delete()
    # Measure offline import time duration total_time2
    total_time2 = _import_offline(topo, 1000)
    # total_time1 < total_time2
    log.info("total_time1 = %f" % total_time1)
    log.info("total_time2 = %f" % total_time2)
    assert total_time1 < total_time2

    # Set nsslapd-db-private-import-mem:on, nsslapd-import-cache-autosize: -1
    config.replace_many(
        ('nsslapd-db-private-import-mem', 'on'),
        ('nsslapd-import-cache-autosize', '-1'))
    for i in accounts.filter('(uid=*)'):
        UserAccount(topo.standalone, i.dn).delete()
    # Measure offline import time duration total_time1
    total_time1 = _import_offline(topo, 1000)
    # Now nsslapd-db-private-import-mem:off
    config.replace('nsslapd-db-private-import-mem', 'off')
    for i in accounts.filter('(uid=*)'):
        UserAccount(topo.standalone, i.dn).delete()
    # Measure offline import time duration total_time2
    total_time2 = _import_offline(topo, 1000)
    # total_time1 < total_time2
    log.info("toral_time1 = %f" % total_time1)
    log.info("total_time2 = %f" % total_time2)
    assert total_time1 < total_time2
Ejemplo n.º 24
0
def _add_user(request, topo):
    """
    A Function that will create necessary users delete the created user
    """
    ous = OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX)
    ou_ou = ous.create(properties={'ou': 'roledntest'})
    ou_ou.set('aci', [
        f'(target="ldap:///{NESTED_ROLE_TESTER}")(targetattr="*") '
        f'(version 3.0; aci "nested role aci"; allow(all)'
        f'roledn = "ldap:///{ROLE2}";)',
        f'(target="ldap:///{OR_RULE_ACCESS}")(targetattr="*")'
        f'(version 3.0; aci "or role aci"; allow(all) '
        f'roledn = "ldap:///{ROLE1} || ldap:///{ROLE21}";)',
        f'(target="ldap:///{ALL_ACCESS}")(targetattr=*)'
        f'(version 3.0; aci "anyone role aci"; allow(all) '
        f'roledn = "ldap:///anyone";)',
        f'(target="ldap:///{NOT_RULE_ACCESS}")(targetattr=*)'
        f'(version 3.0; aci "not role aci"; allow(all)'
        f'roledn != "ldap:///{ROLE1} || ldap:///{ROLE21}";)'
    ])

    nestedroles = NestedRoles(topo.standalone, OU_ROLE)
    for i in [('role2', [ROLE1, ROLE21]), ('role3', [ROLE2, ROLE31])]:
        nestedroles.create(properties={'cn': i[0], 'nsRoleDN': i[1]})

    managedroles = ManagedRoles(topo.standalone, OU_ROLE)
    for i in ['ROLE1', 'ROLE21', 'ROLE31']:
        managedroles.create(properties={'cn': i})

    filterroles = FilterRoles(topo.standalone, OU_ROLE)
    filterroles.create(
        properties={
            'cn': 'filterRole',
            'nsRoleFilter': 'sn=Dr Drake',
            'description': 'filter role tester'
        })

    users = UserAccounts(topo.standalone, OU_ROLE, rdn=None)
    for i in [('STEVE_ROLE', ROLE1, 'Has roles 1, 2 and 3.'),
              ('HARRY_ROLE', ROLE21, 'Has roles 21, 2 and 3.'),
              ('MARY_ROLE', ROLE31, 'Has roles 31 and 3.')]:
        users.create(
            properties={
                'uid': i[0],
                'cn': i[0],
                'sn': 'user',
                'uidNumber': '1000',
                'gidNumber': '2000',
                'homeDirectory': '/home/' + i[0],
                'userPassword': PW_DM,
                'nsRoleDN': i[1],
                'Description': i[2]
            })

    for i in [('JOE_ROLE', 'Has filterRole.'), ('NOROLEUSER', 'Has no roles.'),
              ('SCRACHENTRY', 'Entry to test rights on.'),
              ('all access', 'Everyone has acccess (incl anon).'),
              ('not rule access', 'Only accessible to mary.'),
              ('or rule access',
               'Only to steve and harry but nbot mary or anon'),
              ('nested role tester', 'Only accessible to harry and steve.')]:
        users.create(
            properties={
                'uid': i[0],
                'cn': i[0],
                'sn': 'user',
                'uidNumber': '1000',
                'gidNumber': '2000',
                'homeDirectory': '/home/' + i[0],
                'userPassword': PW_DM,
                'Description': i[1]
            })

    # Setting SN for user JOE
    UserAccount(topo.standalone,
                f'uid=JOE_ROLE,ou=roledntest,{DEFAULT_SUFFIX}').set(
                    'sn', 'Dr Drake')

    def fin():
        """
        It will delete the created users
        """
        for i in users.list() + managedroles.list() + nestedroles.list():
            i.delete()

    request.addfinalizer(fin)
Ejemplo n.º 25
0
def test_basic_with_hub(topo):
    """Check that basic operations work in cascading replication, this includes
    testing plugins that perform internal operatons, and replicated password
    policy state attributes.

    :id: 4ac85552-45bc-477b-89a4-226dfff8c6cc
    :setup: 1 master, 1 hub, 1 consumer
    :steps:
        1. Enable memberOf plugin and set password account lockout settings
        2. Restart the instance
        3. Add a user
        4. Add a group
        5. Test that the replication works
        6. Add the user as a member to the group
        7. Test that the replication works
        8. Issue bad binds to update passwordRetryCount
        9. Test that replicaton works
        10. Check that passwordRetyCount was replicated
    :expectedresults:
        1. Should be a success
        2. Should be a success
        3. Should be a success
        4. Should be a success
        5. Should be a success
        6. Should be a success
        7. Should be a success
        8. Should be a success
        9. Should be a success
        10. Should be a success
    """

    repl_manager = ReplicationManager(DEFAULT_SUFFIX)
    master = topo.ms["master1"]
    consumer = topo.cs["consumer1"]
    hub = topo.hs["hub1"]

    for inst in topo:
        config_memberof(inst)
        inst.config.set('passwordlockout', 'on')
        inst.config.set('passwordlockoutduration', '60')
        inst.config.set('passwordmaxfailure', '3')
        inst.config.set('passwordIsGlobalPolicy', 'on')

    # Create user
    user1 = UserAccount(master, BIND_DN)
    user_props = TEST_USER_PROPERTIES.copy()
    user_props.update({
        'sn': BIND_RDN,
        'cn': BIND_RDN,
        'uid': BIND_RDN,
        'inetUserStatus': '1',
        'objectclass': 'extensibleObject',
        'userpassword': PASSWORD
    })
    user1.create(properties=user_props, basedn=SUFFIX)

    # Create group
    groups = Groups(master, DEFAULT_SUFFIX)
    group = groups.create(properties={'cn': 'group'})

    # Test replication
    repl_manager.test_replication(master, consumer)

    # Trigger memberOf plugin by adding user to group
    group.replace('member', user1.dn)

    # Test replication once more
    repl_manager.test_replication(master, consumer)

    # Issue bad password to update passwordRetryCount
    try:
        master.simple_bind_s(user1.dn, "badpassword")
    except:
        pass

    # Test replication one last time
    master.simple_bind_s(DN_DM, PASSWORD)
    repl_manager.test_replication(master, consumer)

    # Finally check if passwordRetyCount was replicated to the hub and consumer
    user1 = UserAccount(hub, BIND_DN)
    count = user1.get_attr_val_int('passwordRetryCount')
    if count is None:
        log.fatal('PasswordRetyCount was not replicated to hub')
        assert False
    if int(count) != 1:
        log.fatal('PasswordRetyCount has unexpected value: {}'.format(count))
        assert False

    user1 = UserAccount(consumer, BIND_DN)
    count = user1.get_attr_val_int('passwordRetryCount')
    if count is None:
        log.fatal('PasswordRetyCount was not replicated to consumer')
        assert False
    if int(count) != 1:
        log.fatal('PasswordRetyCount has unexpected value: {}'.format(count))
        assert False
def test_multiple_scopes(topo):
    """Specify memberOf works when multiple include scopes are defined

    :id: fbcd70cc-c83d-4c79-bd5b-2d8f017545ae
    :setup: Standalone Instance
    :steps:
        1. Set multiple include scopes
        2. Test members added to both scopes are correctly updated
        3. Test user outside of scope was not updated
        4. Set exclude scope
        5. Move user into excluded subtree and check the membership is correct
    :expectedresults:
        1. Success
        2. Success
        3. Success
        4. Success
        5. Success
    """

    inst = topo.standalone

    # configure plugin
    memberof = MemberOfPlugin(inst)
    memberof.enable()
    memberof.add('memberOfEntryScope', SUBTREE_1)
    memberof.add('memberOfEntryScope', SUBTREE_2)
    inst.restart()

    # Add setup entries
    add_container(inst, SUFFIX, 'sub1')
    add_container(inst, SUFFIX, 'sub2')
    add_container(inst, SUFFIX, 'sub3')
    add_member_and_group(inst, 'm1', 'g1', SUBTREE_1)
    add_member_and_group(inst, 'm2', 'g2', SUBTREE_2)
    add_member_and_group(inst, 'm3', 'g3', SUBTREE_3)

    # Check users 1 and 2 were correctly updated
    check_membership(inst, f'uid=test_m1,{SUBTREE_1}', f'cn=g1,{SUBTREE_1}',
                     True)
    check_membership(inst, f'uid=test_m2,{SUBTREE_2}', f'cn=g2,{SUBTREE_2}',
                     True)

    # Check that user3, which is out of scope, was not updated
    check_membership(inst, f'uid=test_m3,{SUBTREE_3}', f'cn=g1,{SUBTREE_1}',
                     False)
    check_membership(inst, f'uid=test_m3,{SUBTREE_3}', f'cn=g2,{SUBTREE_2}',
                     False)
    check_membership(inst, f'uid=test_m3,{SUBTREE_3}', f'cn=g3,{SUBTREE_3}',
                     False)

    # Set exclude scope
    EXCLUDED_SUBTREE = 'cn=exclude,%s' % SUFFIX
    EXCLUDED_USER = f"uid=test_m1,{EXCLUDED_SUBTREE}"
    INCLUDED_USER = f"uid=test_m1,{SUBTREE_1}"
    GROUP_DN = f'cn=g1,{SUBTREE_1}'

    add_container(inst, SUFFIX, 'exclude')
    memberof.add('memberOfEntryScopeExcludeSubtree', EXCLUDED_SUBTREE)

    # Move user to excluded scope
    user = UserAccount(topo.standalone, dn=INCLUDED_USER)
    user.rename("uid=test_m1", newsuperior=EXCLUDED_SUBTREE)

    # Check memberOf and group are cleaned up
    check_membership(inst, EXCLUDED_USER, GROUP_DN, False)
    group = Group(topo.standalone, dn=GROUP_DN)
    assert not group.present("member", EXCLUDED_USER)
    assert not group.present("member", INCLUDED_USER)
Ejemplo n.º 27
0
def test_urp_trigger_substring_search(topo_m2):
    """Test that a ADD of a entry with a '*' in its DN, triggers
    an internal search with a escaped DN

    :id: 9869bb39-419f-42c3-a44b-c93eb0b77667
    :customerscenario: True
    :setup: MMR with 2 masters
    :steps:
        1. enable internal operation loggging for plugins
        2. Create on M1 a test_user with a '*' in its DN
        3. Check the test_user is replicated
        4. Check in access logs that the internal search does not contain '*'
    :expectedresults:
        1. Should succeeds
        2. Should succeeds
        3. Should succeeds
        4. Should succeeds
    """
    m1 = topo_m2.ms["master1"]
    m2 = topo_m2.ms["master2"]

    # Enable loggging of internal operation logging to capture URP intop
    log.info('Set nsslapd-plugin-logging to on')
    for inst in (m1, m2):
        inst.config.loglevel([AccessLog.DEFAULT, AccessLog.INTERNAL],
                             service='access')
        inst.config.set('nsslapd-plugin-logging', 'on')
        inst.restart()

    # add a user with a DN containing '*'
    test_asterisk_uid = 'asterisk_*_in_value'
    test_asterisk_dn = 'uid={},{}'.format(test_asterisk_uid, DEFAULT_SUFFIX)

    test_user = UserAccount(m1, test_asterisk_dn)
    if test_user.exists():
        log.info('Deleting entry {}'.format(test_asterisk_dn))
        test_user.delete()
    test_user.create(
        properties={
            'uid': test_asterisk_uid,
            'cn': test_asterisk_uid,
            'sn': test_asterisk_uid,
            'userPassword': test_asterisk_uid,
            'uidNumber': '1000',
            'gidNumber': '2000',
            'homeDirectory': '/home/asterisk',
        })

    # check that the ADD was replicated on M2
    test_user_m2 = UserAccount(m2, test_asterisk_dn)
    for i in range(1, 5):
        if test_user_m2.exists():
            break
        else:
            log.info('Entry not yet replicated on M2, wait a bit')
            time.sleep(2)

    # check that M2 access logs does not "(&(objectclass=nstombstone)(nscpentrydn=uid=asterisk_*_in_value,dc=example,dc=com))"
    log.info('Check that on M2, URP as not triggered such internal search')
    pattern = ".*\(Internal\).*SRCH.*\(&\(objectclass=nstombstone\)\(nscpentrydn=uid=asterisk_\*_in_value,dc=example,dc=com.*"
    found = m2.ds_access_log.match(pattern)
    log.info("found line: %s" % found)
    assert not found
Ejemplo n.º 28
0
def test_gecos_mixed_definition_topo(topo_m2, request):
    """Check that replication is still working if schema contains
       definitions that does not conform with a replicated entry

    :id: d5940e71-d18a-4b71-aaf7-b9185361fffe
    :setup: Two suppliers replication setup
    :steps:
        1. Create a testuser on M1
        2  Stop M1 and M2
        3  Change gecos def on M2 to be IA5
        4  Update testuser with gecos directoryString value
        5  Check replication is still working
    :expectedresults:
        1. success
        2. success
        3. success
        4. success
        5. success

    """

    repl = ReplicationManager(DEFAULT_SUFFIX)
    m1 = topo_m2.ms["supplier1"]
    m2 = topo_m2.ms["supplier2"]

    # create a test user
    testuser_dn = 'uid={},{}'.format('testuser', DEFAULT_SUFFIX)
    testuser = UserAccount(m1, testuser_dn)
    try:
        testuser.create(
            properties={
                'uid': 'testuser',
                'cn': 'testuser',
                'sn': 'testuser',
                'uidNumber': '1000',
                'gidNumber': '2000',
                'homeDirectory': '/home/testuser',
            })
    except ldap.ALREADY_EXISTS:
        pass
    repl.wait_for_replication(m1, m2)

    # Stop suppliers to update the schema
    m1.stop()
    m2.stop()

    # on M1: gecos is DirectoryString (default)
    # on M2: gecos is IA5
    schema_filename = (m2.schemadir + "/99user.ldif")
    try:
        with open(schema_filename, 'w') as schema_file:
            schema_file.write("dn: cn=schema\n")
            schema_file.write(
                "attributetypes: ( 1.3.6.1.1.1.1.2 NAME " +
                "'gecos' DESC 'The GECOS field; the common name' " +
                "EQUALITY caseIgnoreIA5Match " +
                "SUBSTR caseIgnoreIA5SubstringsMatch " +
                "SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 " + "SINGLE-VALUE )\n")
        os.chmod(schema_filename, 0o777)
    except OSError as e:
        log.fatal("Failed to update schema file: " +
                  "{} Error: {}".format(schema_filename, str(e)))

    # start the instances
    m1.start()
    m2.start()

    # Check that gecos is IA5 on M2
    schema = SchemaLegacy(m2)
    attributetypes = schema.query_attributetype('gecos')
    assert attributetypes[0].syntax == "1.3.6.1.4.1.1466.115.121.1.26"

    # Add a gecos UTF value on M1
    testuser.replace('gecos', 'Hélène')

    # Check replication is still working
    testuser.replace('displayName', 'ascii value')
    repl.wait_for_replication(m1, m2)
    testuser_m2 = UserAccount(m2, testuser_dn)
    assert testuser_m2.exists()
    assert testuser_m2.get_attr_val_utf8('displayName') == 'ascii value'

    def fin():
        m1.start()
        m2.start()
        testuser.delete()
        repl.wait_for_replication(m1, m2)

        # on M2 restore a default 99user.ldif
        m2.stop()
        os.remove(m2.schemadir + "/99user.ldif")
        schema_filename = (m2.schemadir + "/99user.ldif")
        try:
            with open(schema_filename, 'w') as schema_file:
                schema_file.write("dn: cn=schema\n")
            os.chmod(schema_filename, 0o777)
        except OSError as e:
            log.fatal("Failed to update schema file: " +
                      "{} Error: {}".format(schema_filename, str(e)))
        m2.start()
        m1.start()

    request.addfinalizer(fin)
Ejemplo n.º 29
0
def test_managedrole(topo):
    '''
        :id: d52a9c00-3bf6-11e9-9b7b-8c16451d917b
        :setup: server
        :steps:
            1. Add test entry
            2. Add ACI
            3. Search managed role entries
        :expectedresults:
            1. Entry should be added
            2. Operation should  succeed
            3. Operation should  succeed
    '''
    # Create Managed role entry
    roles = ManagedRoles(topo.standalone, DEFAULT_SUFFIX)
    role = roles.create(properties={"cn": 'ROLE1'})

    # Create user and Assign the role to the entry
    uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=None)
    uas.create(
        properties={
            'uid': 'Fail',
            'cn': 'Fail',
            'sn': 'user',
            'uidNumber': '1000',
            'gidNumber': '2000',
            'homeDirectory': '/home/' + 'Fail',
            'nsRoleDN': role.dn,
            'userPassword': PW_DM
        })

    # Create user and do not Assign any role to the entry
    uas.create(
        properties={
            'uid': 'Success',
            'cn': 'Success',
            'sn': 'user',
            'uidNumber': '1000',
            'gidNumber': '2000',
            'homeDirectory': '/home/' + 'Success',
            'userPassword': PW_DM
        })

    # Assert that Manage role entry is created and its searchable
    assert ManagedRoles(topo.standalone, DEFAULT_SUFFIX).list()[0].dn \
           == 'cn=ROLE1,dc=example,dc=com'

    # Set an aci that will deny  ROLE1 manage role
    Domain(topo.standalone, DEFAULT_SUFFIX).\
        add('aci', '(targetattr=*)(version 3.0; aci "role aci";'
                   ' deny(all) roledn="ldap:///{}";)'.format(role.dn),)

    # Crate a connection with cn=Fail which is member of ROLE1
    conn = UserAccount(topo.standalone,
                       "uid=Fail,{}".format(DEFAULT_SUFFIX)).bind(PW_DM)
    # Access denied to ROLE1 members
    assert not ManagedRoles(conn, DEFAULT_SUFFIX).list()

    # Now create a connection with cn=Success which is not a member of ROLE1
    conn = UserAccount(topo.standalone,
                       "uid=Success,{}".format(DEFAULT_SUFFIX)).bind(PW_DM)
    # Access allowed here
    assert ManagedRoles(conn, DEFAULT_SUFFIX).list()

    for i in uas.list():
        i.delete()

    for i in roles.list():
        i.delete()
Ejemplo n.º 30
0
def test_denied_by_multiple_filters(topo, _add_user, aci_of_user):
    """
    Testing the targattrfilters keyword that allows access control based on the value of the
    attributes being added (or deleted))
    "Valueacl Test $tet_thistest Denied by multiple filters."
    :id:034c6c62-7aaa-11e8-8634-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    ACI_BODY = '(targattrfilters = "add=title:(title=architect) && secretary:' \
               '(secretary=cn=Meylan,{}), del=title:(title=architect) && secretary:' \
               '(secretary=cn=Meylan,{})")(version 3.0; acl "$tet_thistest"; allow (write) ' \
               '(userdn = "ldap:///anyone") ;)'.format(DEFAULT_SUFFIX, DEFAULT_SUFFIX)
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
    conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
    # aci will allow title some attribute only
    user = UserAccount(conn, USER_DELADD)
    user.add("title", "architect")
    assert user.get_attr_val('title')
    user.add("secretary", "cn=Meylan,dc=example,dc=com")
    assert user.get_attr_val('secretary')
    # aci will allow title some attribute only
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        user.add("secretary", "cn=Grenoble,dc=example,dc=com")