Ejemplo n.º 1
def test_deeply_nested_groups_aci_allow_two(topo, test_user, aci_of_user):
    """
        A single group ACI must not grant write access to a user nested too deep to be detected.

        :id: 8d3459c4-7840-11e8-8ed8-8c16451d917b
        :setup: server
        :steps:
            1. Add an ACI granting all rights to members of ALLGROUPS_GLOBAL
            2. Bind as DEEPUSER_GLOBAL
            3. Try to add sn=Fred to the scratch entry over that connection
            4. Read uid from the scratch entry over the same connection
        :expectedresults:
            1. ACI should be added
            2. Bind should succeed
            3. Operation should fail with INSUFFICIENT_ACCESS
            4. uid should be 'scratchEntry'
    """
    group_aci = (
        '(targetattr="*")(version 3.0; acl "ACLGroup"; allow (all) '
        'groupdn = "ldap:///{}" ;)'
    ).format(ALLGROUPS_GLOBAL)
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", group_aci)

    deep_user_conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
    scratch_entry = UserAccount(deep_user_conn, DEEPGROUPSCRATCHENTRY_GLOBAL)

    # Negative check: the write must be refused for this bind identity.
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        scratch_entry.add("sn", "Fred")
    # The read is still expected to work; presumably that right comes from an
    # ACI installed outside this function (fixtures) - verify against setup.
    assert scratch_entry.get_attr_val_utf8('uid') == 'scratchEntry'
Ejemplo n.º 2
def test_deeply_nested_groups_aci_allow(topo, test_user, aci_of_user):
    """
        Test deeply nested groups (3): with both group ACIs in place the bound user may modify.

        :id: 8d338210-7840-11e8-8584-8c16451d917b
        :setup: server
        :steps:
            1. Add two ACIs granting all rights via groupdn (ALLGROUPS_GLOBAL and GROUPE_GLOBAL)
            2. Bind as DEEPUSER_GLOBAL
            3. Add sn=Fred to the scratch entry over that connection
            4. Remove sn=Fred again
        :expectedresults:
            1. ACIs should be added
            2. Bind should succeed
            3. Operation should succeed
            4. Operation should succeed
    """
    aci_template = '(targetattr="*")(version 3.0; acl "ACLGroup"; allow (all) groupdn = "ldap:///{}" ;)'
    # Both ACIs share the acl name "ACLGroup"; only the group DN differs.
    group_acis = [
        aci_template.format(group_dn)
        for group_dn in (ALLGROUPS_GLOBAL, GROUPE_GLOBAL)
    ]
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", group_acis)

    deep_user_conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
    scratch_entry = UserAccount(deep_user_conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
    # Positive check: neither call may raise; the value is removed again so
    # the entry ends the test as it started.
    scratch_entry.add("sn", "Fred")
    scratch_entry.remove("sn", "Fred")
Ejemplo n.º 3
def test_undefined_in_group_eval_eighteen(topo, test_user, aci_of_user):
    """
        Test the parent keyword inside a negated userattr bind rule.

        :id: 768b9ab0-7841-11e8-87c3-8c16451d917b
        :setup: server
        :steps:
            1. Add an ACI allowing all rights when not (userattr = "parent[0,1].description#GROUPDN")
            2. Add ALLGROUPS_GLOBAL and GROUPH_GLOBAL as description values on the parent scratch entry
            3. Bind as DEEPUSER_GLOBAL
            4. Try to add a description value to CHILD1_GLOBAL over that connection
        :expectedresults:
            1. ACI should be added
            2. Operation should succeed
            3. Bind should succeed
            4. Operation should fail with INSUFFICIENT_ACCESS
    """
    negated_parent_aci = (
        '(targetattr=*)(version 3.0; aci "tester"; allow(all) '
        'not (userattr = "parent[0,1].description#GROUPDN" );)'
    )
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", negated_parent_aci)

    parent_entry = UserAccount(topo.standalone, GROUPDNATTRSCRATCHENTRY_GLOBAL)
    # NOTE(review): these description values are not removed at the end of
    # this test, unlike the sibling parent-keyword tests - confirm a fixture
    # resets the entry, otherwise later ACI evaluations see leftover state.
    parent_entry.add("description", [ALLGROUPS_GLOBAL, GROUPH_GLOBAL])

    deep_user_conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
    child_entry = UserAccount(deep_user_conn, CHILD1_GLOBAL)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        child_entry.add("description", DEEPUSER_GLOBAL)
Ejemplo n.º 4
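def test_undefined_in_group_eval_two(topo, test_user, aci_of_user):
    """
        A groupdn rule listing two groups allows access to the bound user.

        :id: fcfbcce2-7840-11e8-ba77-8c16451d917b
        :setup: server
        :steps:
            1. Add an ACI allowing all rights via groupdn = ALLGROUPS_GLOBAL || GROUPG_GLOBAL
            2. Bind as DEEPUSER_GLOBAL
            3. Add sn=Fred to the scratch entry over that connection
            4. Read uid from the scratch entry over that connection
            5. Remove sn=Fred again
        :expectedresults:
            1. ACI should be added
            2. Bind should succeed
            3. Operation should succeed
            4. uid should be 'scratchEntry'
            5. Operation should succeed
    """
    # "\\ " yields the same backslash-plus-space the ACI text carried before,
    # without the invalid "\ " escape that newer Python versions warn about.
    # NOTE(review): the backslash ends up inside the groupdn value - confirm
    # it is intended and not a leftover line continuation.
    group_aci = (
        '(targetattr="*")(version 3.0; aci "tester"; allow(all) '
        'groupdn = "ldap:///{}\\ || ldap:///{}";)'
    ).format(ALLGROUPS_GLOBAL, GROUPG_GLOBAL)
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", group_aci)

    conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
    user = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
    # This aci should allow access
    user.add("sn", "Fred")
    try:
        assert UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL).get_attr_val_utf8('uid') == 'scratchEntry'
    finally:
        # Undo the write even when the read check fails, so a failure here
        # does not change what later access-control tests start from.
        user.remove("sn", "Fred")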
Ejemplo n.º 5
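def test_undefined_in_group_eval_fourteen(topo, test_user, aci_of_user):
    """
        Test with parent keyword that yields FALSE as description is not present in tested entry

        :id: 5c527218-7841-11e8-8909-8c16451d917b
        :setup: server
        :steps:
            1. Add an ACI allowing all rights via userattr = "parent[0,1].description#GROUPDN"
            2. Add ALLGROUPS_GLOBAL and GROUPG_GLOBAL as description values on the parent scratch entry
            3. Bind as DEEPUSER2_GLOBAL
            4. Try to add sn=Fred to the child scratch entry over that connection
            5. Read cn from DEEPGROUPSCRATCHENTRY_GLOBAL over that connection
            6. Remove the description values from the parent scratch entry
        :expectedresults:
            1. ACI should be added
            2. Operation should succeed
            3. Bind should succeed
            4. Operation should fail with INSUFFICIENT_ACCESS
            5. A cn value should be returned
            6. Operation should succeed
    """
    Domain(topo.standalone, DEFAULT_SUFFIX).add(
        "aci",
        '(targetattr=*)(version 3.0; aci "tester"; allow(all) '
        'userattr = "parent[0,1].description#GROUPDN";)'
    )
    user = UserAccount(topo.standalone, GROUPDNATTRSCRATCHENTRY_GLOBAL)
    user.add("description", [ALLGROUPS_GLOBAL, GROUPG_GLOBAL])
    try:
        conn = UserAccount(topo.standalone, DEEPUSER2_GLOBAL).bind(PW_DM)
        # Test with parent keyword
        user1 = UserAccount(conn, GROUPDNATTRCHILDSCRATCHENTRY_GLOBAL)
        with pytest.raises(ldap.INSUFFICIENT_ACCESS):
            user1.add("sn", "Fred")
        assert UserAccount(conn,
                           DEEPGROUPSCRATCHENTRY_GLOBAL).get_attr_val_utf8('cn')
    finally:
        # The group DNs stored in description drive the userattr rule; take
        # them off again even on failure so they cannot leak into other tests.
        user.remove("description", [ALLGROUPS_GLOBAL, GROUPG_GLOBAL])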
Ejemplo n.º 6
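def test_undefined_in_group_eval_seventeen(topo, test_user, aci_of_user):
    """
        Test with the parent keyword that yields TRUE as description is present in tested entry

        :id: 7054d1c0-7841-11e8-8177-8c16451d917b
        :setup: server
        :steps:
            1. Add an ACI allowing all rights via userattr = "parent[0,1].description#GROUPDN"
            2. Add ALLGROUPS_GLOBAL and GROUPD_GLOBAL as description values on the parent scratch entry
            3. Bind as DEEPUSER_GLOBAL
            4. Add a description value to CHILD1_GLOBAL over that connection
            5. Remove the description values from the parent scratch entry
        :expectedresults:
            1. ACI should be added
            2. Operation should succeed
            3. Bind should succeed
            4. Operation should succeed
            5. Operation should succeed
    """
    Domain(topo.standalone, DEFAULT_SUFFIX).add(
        "aci",
        '(targetattr=*)(version 3.0; aci "tester"; allow(all) '
        'userattr = "parent[0,1].description#GROUPDN";)'
    )
    user = UserAccount(topo.standalone, GROUPDNATTRSCRATCHENTRY_GLOBAL)
    # Test with the parent keyword
    user.add("description", [ALLGROUPS_GLOBAL, GROUPD_GLOBAL])
    try:
        conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
        UserAccount(conn, CHILD1_GLOBAL).add("description", DEEPUSER_GLOBAL)
    finally:
        # Remove the group DNs from the parent entry even when the write
        # above fails, so the grant does not outlive this test.
        # NOTE(review): the value written to CHILD1_GLOBAL is not removed
        # here - confirm a fixture resets that entry.
        user.remove("description", [ALLGROUPS_GLOBAL, GROUPD_GLOBAL])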
Ejemplo n.º 7
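def test_undefined_in_group_eval_ten(topo, test_user, aci_of_user):
    """
        Test the userattr keyword to ensure that it evaluates correctly.

        :id: 46c0fb72-7841-11e8-af1d-8c16451d917b
        :setup: server
        :steps:
            1. Add an ACI allowing all rights via userattr = "description#GROUPDN"
            2. Add ALLGROUPS_GLOBAL and GROUPG_GLOBAL as description values on the scratch entry
            3. Bind as DEEPUSER_GLOBAL
            4. Add sn=Fred to the scratch entry
            5. Read uid from the scratch entry over the DEEPUSER_GLOBAL connection
            6. Remove the description values from the scratch entry
        :expectedresults:
            1. ACI should be added
            2. Operation should succeed
            3. Bind should succeed
            4. Operation should succeed
            5. uid should be 'scratchEntry'
            6. Operation should succeed
    """
    Domain(topo.standalone, DEFAULT_SUFFIX).add(
        "aci",
        '(targetattr=*)(version 3.0; aci "tester"; allow(all) '
        'userattr = "description#GROUPDN";)'
    )
    user = UserAccount(topo.standalone, DEEPGROUPSCRATCHENTRY_GLOBAL)
    user.add("description", [ALLGROUPS_GLOBAL, GROUPG_GLOBAL])
    try:
        conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
        # Test the userattr keyword
        # NOTE(review): this write goes through `user`, which is built on
        # topo.standalone rather than on `conn`, so it presumably is not
        # evaluated against the ACI as DEEPUSER_GLOBAL; only the read below
        # uses the user connection. Confirm whether the write should use
        # `conn`. The sn value is also left on the entry afterwards.
        user.add("sn", "Fred")
        assert UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL).get_attr_val_utf8(
            'uid') == 'scratchEntry'
    finally:
        # Drop the group DNs again even on failure so the userattr grant
        # does not carry over into other tests.
        user.remove("description", [ALLGROUPS_GLOBAL, GROUPG_GLOBAL])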
Ejemplo n.º 8
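def test_undefined_in_group_eval_eleven(topo, test_user, aci_of_user):
    """
        A negated userattr rule must not allow the write while description is set on the entry.

        :id: 4cfa28e2-7841-11e8-8117-8c16451d917b
        :setup: server
        :steps:
            1. Add an ACI allowing all rights via not( userattr = "description#GROUPDN")
            2. Add ALLGROUPS_GLOBAL and GROUPH_GLOBAL as description values on the scratch entry
            3. Bind as DEEPUSER_GLOBAL
            4. Try to add sn=Fred1 to the scratch entry over that connection
            5. Read cn from the scratch entry
            6. Remove the description values from the scratch entry
        :expectedresults:
            1. ACI should be added
            2. Operation should succeed
            3. Bind should succeed
            4. Operation should fail with INSUFFICIENT_ACCESS
            5. A cn value should be returned
            6. Operation should succeed
    """
    Domain(topo.standalone, DEFAULT_SUFFIX).add(
        "aci",
        '(targetattr=*)(version 3.0; aci "tester"; allow(all) '
        'not( userattr = "description#GROUPDN");)'
    )
    user = UserAccount(topo.standalone, DEEPGROUPSCRATCHENTRY_GLOBAL)
    user.add("description", [ALLGROUPS_GLOBAL, GROUPH_GLOBAL])
    try:
        conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
        # Test that not(UNDEFINED(attrval1))
        user1 = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
        with pytest.raises(ldap.INSUFFICIENT_ACCESS):
            user1.add("sn", "Fred1")
        # NOTE(review): this read uses `user` (topo.standalone), not the
        # DEEPUSER_GLOBAL connection, so it only shows the entry is readable
        # over the setup connection - confirm that is the intent.
        assert user.get_attr_val_utf8('cn')
    finally:
        # Clean up the group DNs even on failure so they cannot influence
        # ACI evaluation in other tests.
        user.remove("description", [ALLGROUPS_GLOBAL, GROUPH_GLOBAL])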
Ejemplo n.º 9
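def test_undefined_in_group_eval_four(topo, test_user, aci_of_user):
    """
        A groupdn != rule listing two groups does not allow the write (UNDEFINED in group).

        :id: 0b03d10e-7841-11e8-9341-8c16451d917b
        :setup: server
        :steps:
            1. Add an ACI allowing all rights via groupdn != ALLGROUPS_GLOBAL || GROUPG_GLOBAL
            2. Bind as DEEPUSER1_GLOBAL
            3. Try to add sn=Fred to the scratch entry over that connection
            4. Read uid from the scratch entry over that connection
        :expectedresults:
            1. ACI should be added
            2. Bind should succeed
            3. Operation should fail with INSUFFICIENT_ACCESS
            4. uid should be 'scratchEntry'
    """
    # "\\ " yields the same backslash-plus-space the ACI text carried before,
    # without the invalid "\ " escape that newer Python versions warn about.
    # NOTE(review): the backslash ends up inside the groupdn value - confirm
    # it is intended and not a leftover line continuation.
    group_aci = (
        '(targetattr="*")(version 3.0; aci "tester"; allow(all) '
        'groupdn != "ldap:///{}\\ || ldap:///{}";)'
    ).format(ALLGROUPS_GLOBAL, GROUPG_GLOBAL)
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", group_aci)

    conn = UserAccount(topo.standalone, DEEPUSER1_GLOBAL).bind(PW_DM)
    # test UNDEFINED in group
    user = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        user.add("sn", "Fred")
    assert user.get_attr_val_utf8('uid') == 'scratchEntry'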
Ejemplo n.º 10
def test_allowed_add_one_attribute(topo, _add_user, aci_of_user):
    """
    Testing the targattrfilters keyword that allows access control based on the value of the
    attributes being added (or deleted).
    "Valueacl Test $tet_thistest Allowed add one attribute (in presence of multiple filters)"
    :id:086c7f0c-7aaa-11e8-b69f-8c16451d917b
    :setup: server
    :steps:
        1. Add an ACI with add/del value filters on title and secretary, write allowed
           for USER_WITH_ACI_DELADD
        2. Bind as USER_WITH_ACI_DELADD
        3. Add title=architect to USER_DELADD and read it back
        4. Remove title=architect
    :expectedresults:
        1. ACI should be added
        2. Bind should succeed
        3. Operation should succeed and a title value should be returned
        4. Operation should succeed
    """
    value_filter_aci = (
        '(targattrfilters = "add=title:(title=architect) && secretary:(secretary=cn=Meylan, {}), '
        'del=title:(title=architect) && secretary:(secretary=cn=Meylan, {})")'
        '(version 3.0; acl "$tet_thistest"; allow (write) (userdn = "ldap:///{}") ;)'
    ).format(DEFAULT_SUFFIX, DEFAULT_SUFFIX, USER_WITH_ACI_DELADD)
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", value_filter_aci)

    writer_conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
    target = UserAccount(writer_conn, USER_DELADD)
    # 'architect' matches both the add and the del filter on title, so the
    # value can be added and taken away again over the user connection.
    target.add('title', 'architect')
    assert target.get_attr_val('title')
    target.remove('title', 'architect')
Ejemplo n.º 11
def test_modify_with_multiple_filters(topo, _add_user, aci_of_user):
    """
    Testing the targattrfilters keyword that allows access control based on the
    value of the attributes being added (or deleted).
    "Valueacl Test $tet_thistest Allowed by multiple."
    :id:fd9d223e-7aa9-11e8-a83b-8c16451d917b
    :setup: server
    :steps:
        1. Add an ACI with add/del value filters on title and secretary, write allowed
           for ldap:///anyone
        2. Bind as USER_WITH_ACI_DELADD
        3. Add title=architect to USER_DELADD and read it back
        4. Add a secretary DN to USER_DELADD and read it back
    :expectedresults:
        1. ACI should be added
        2. Bind should succeed
        3. Operation should succeed and a title value should be returned
        4. Operation should succeed and a secretary value should be returned
    """
    value_filter_aci = (
        '(targattrfilters = "add=title:(title=architect) && secretary:(secretary=cn=Meylan,{}), '
        'del=title:(title=architect) && secretary:(secretary=cn=Meylan,{})")'
        '(version 3.0; acl "$tet_thistest"; allow (write) (userdn = "ldap:///anyone") ;)'
    ).format(DEFAULT_SUFFIX, DEFAULT_SUFFIX)
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", value_filter_aci)

    writer_conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
    target = UserAccount(writer_conn, USER_DELADD)
    # Each value written below is one the add filters name explicitly.
    target.add("title", "architect")
    assert target.get_attr_val('title')
    # The suffix is spelled out here while the ACI is built from
    # DEFAULT_SUFFIX; assumes DEFAULT_SUFFIX is dc=example,dc=com - TODO confirm.
    target.add("secretary", "cn=Meylan,dc=example,dc=com")
    assert target.get_attr_val('secretary')
Ejemplo n.º 12
def test_we_can_mod_title_as_expected(topo, _add_user, aci_of_user):
    """
    Testing the targattrfilters keyword that allows access control based on the
    value of the attributes being added (or deleted).
    "Valueacl Test $tet_thistest Test search will work with targattrfilters present."
    :id:f8c1ea88-7aa9-11e8-a55c-8c16451d917b
    :setup: server
    :steps:
        1. Add an ACI limited by target, targetfilter and targetattr, with the value
           filter add=title:(title=arch*)
        2. Bind as USER_WITH_ACI_DELADD
        3. Try to add title=topdog to USER_DELADD over that connection
    :expectedresults:
        1. ACI should be added
        2. Bind should succeed
        3. Operation should fail with INSUFFICIENT_ACCESS
    """
    scoped_aci = (
        '(target="ldap:///cn=*,ou=Product Development, {}")(targetfilter="cn=Jeff*")'
        '(targetattr="secretary || objectclass || mail")'
        '(targattrfilters = "add=title:(title=arch*)")'
        '(version 3.0; acl "$tet_thistest"; allow (write,read,search,compare) (userdn = "ldap:///anyone") ;)'
    ).format(DEFAULT_SUFFIX)
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", scoped_aci)

    writer_conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
    target = UserAccount(writer_conn, USER_DELADD)
    # 'topdog' does not match title=arch*, and title is not listed in
    # targetattr either. NOTE(review): the test has no positive control, so
    # it does not show which of the two causes the refusal.
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        target.add('title', 'topdog')
Ejemplo n.º 13
def test_allow_to_modify(topo, _add_user, aci_of_user):
    """
    Testing the targattrfilters keyword that allows access control based on the value of the
    attributes being added (or deleted).
    Test that I can have secretary in targetattr and title in targattrfilters.
    :id:c32e4704-7aa9-11e8-951d-8c16451d917b
    :setup: server
    :steps:
        1. Add an ACI with targetattr=secretary and add/del value filters on title,
           write allowed for USER_WITH_ACI_DELADD
        2. Add the titles "engineer" and "cool dude" through _AddTitleWithRoot
        3. Bind as USER_WITH_ACI_DELADD
        4. Add a secretary DN to USER_DELADD and read it back
    :expectedresults:
        1. ACI should be added
        2. Operations should succeed
        3. Bind should succeed
        4. Operation should succeed and a secretary value should be returned
    """
    mixed_aci = (
        '(targetattr="secretary")'
        '(targattrfilters = "add=title:(|(title=engineer)(title=cool dude)(title=scum)), '
        'del=title:(|(title=engineer)(title=cool dude)(title=scum))")'
        '(version 3.0; aci "$tet_thistest"; allow (write) userdn = "ldap:///{}";)'
    ).format(USER_WITH_ACI_DELADD)
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", mixed_aci)

    # Seed two title values over the setup connection before switching identity.
    for seeded_title in ("engineer", "cool dude"):
        _AddTitleWithRoot(topo, seeded_title).add()

    writer_conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
    target = UserAccount(writer_conn, USER_DELADD)
    # secretary is the attribute named in targetattr, so this write is the
    # one the ACI is expected to permit.
    secretary_dn = "cn=emporte quoi, {}".format(DEFAULT_SUFFIX)
    target.add('secretary', secretary_dn)
    assert target.get_attr_val('secretary')
Ejemplo n.º 14
def test_memberurl_needs_to_be_normalized(topo, clean, aci_of_user):
    """Non-regression test for BUG 326000: MemberURL needs to be normalized

    :id: a5d172e6-7db8-11e8-aca7-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Set an ACI on ou=PEOPLE granting all rights to members of the dynamic group DYNGROUP
        2. Create DYNGROUP (groupOfURLS) whose memberURL selects uid=test_user_2
        3. Create two test users and set their description and password
        4. Bind as the second listed user and add an sn value to that user's entry
        5. Replace the memberURL with one whose uid filter value differs only in letter case
        6. Add another sn value over the same user connection
        7. Delete the users
    :expectedresults:
        1. ACI should be set
        2. Group should be created
        3. Users should be created
        4. Operation should succeed
        5. Operation should succeed
        6. Operation should succeed
        7. Users should be deleted
    """
    people_ou = OrganizationalUnit(topo.standalone,
                                   "ou=PEOPLE,{}".format(DEFAULT_SUFFIX))
    dyngroup_aci = (
        '(targetattr= *)(version 3.0; acl "tester"; allow(all) '
        'groupdn = "ldap:///cn =DYNGROUP,ou=PEOPLE, {}";)'
    ).format(DEFAULT_SUFFIX)
    people_ou.set('aci', dyngroup_aci)

    original_url = "ldap:///ou=PEOPLE,{}??sub?(uid=test_user_2)".format(DEFAULT_SUFFIX)
    mixed_case_url = "ldap:///ou=PEOPLE,{}??sub?(uid=tesT_UsEr_2)".format(DEFAULT_SUFFIX)

    groups = Groups(topo.standalone, DEFAULT_SUFFIX, rdn='ou=PEOPLE')
    groups.create(properties={
        "cn": "DYNGROUP",
        "description": "DYNGROUP",
        'objectClass': 'groupOfURLS',
        'memberURL': original_url,
    })

    uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
    for number, description in ((1, "Entry to test rights on."), (2, "Member of DYNGROUP")):
        created = uas.create_test_user(uid=number, gid=number)
        created.replace_many(('description', description), ('userPassword', PW_DM))

    # With the memberURL as created: the write over the user's own
    # connection must go through.
    member_conn = UserAccount(topo.standalone, uas.list()[1].dn).bind(PW_DM)
    harry = UserAccount(member_conn, uas.list()[1].dn)
    harry.add('sn', 'FRED')

    # With a memberURL that differs only in the case of the uid value: the
    # same connection must still be allowed to write.
    dygrp = Group(topo.standalone, DYNGROUP)
    dygrp.remove('memberurl', original_url)
    dygrp.add('memberurl', mixed_case_url)
    harry.add('sn', 'Not FRED')

    for account in uas.list():
        account.delete()
Ejemplo n.º 15
def test_csnpurge_large_valueset(topo_m2):
    """Check that updating a purged large valueset does not crash the server

    :id: 63e2bdb2-0a8f-4660-9465-7b80a9f72a74
    :setup: MMR with 2 masters
    :steps:
        1. Create a test_user
        2. add a large set of values (more than 10)
        3. delete all the values (more than 10)
        4. configure the replica to purge those values (purgedelay=5s)
        5. Waiting for 6 second
        6. do a series of update
    :expectedresults:
        1. Should succeeds
        2. Should succeeds
        3. Should succeeds
        4. Should succeeds
        5. Should succeeds
        6. Should not crash
    """
    # The instance used throughout is the one registered as "master2".
    supplier = topo_m2.ms["master2"]

    test_user = UserAccount(supplier, TEST_ENTRY_DN)
    if test_user.exists():
        log.info('Deleting entry {}'.format(TEST_ENTRY_DN))
        test_user.delete()
    entry_properties = {
        'uid': TEST_ENTRY_NAME,
        'cn': TEST_ENTRY_NAME,
        'sn': TEST_ENTRY_NAME,
        'userPassword': TEST_ENTRY_NAME,
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/mmrepl_test',
    }
    test_user.create(properties=entry_properties)

    # 19 values ("value 1" .. "value 19"): enough for the valueset to be sorted
    first_batch = ['value {}'.format(number) for number in range(1, 20)]
    for description in first_batch:
        test_user.add('description', description)

    # delete every value of the valueset again, in the same order
    for description in first_batch:
        test_user.remove('description', description)

    # set the purge delay to 5 seconds and wait longer than that
    replica = Replicas(supplier).list()[0]
    log.info('nsds5ReplicaPurgeDelay to 5')
    replica.set('nsds5ReplicaPurgeDelay', '5')
    time.sleep(6)

    # add new values to the valueset whose old values should now be purged
    for number in range(21, 25):
        test_user.add('description', 'value {}'.format(number))
Ejemplo n.º 16
def test_modify_entry(topo_m4, create_entry):
    """Check that entries are replicated after modify operation

    :id: 36764053-622c-43c2-a132-d7a3ab7d9aaa
    :setup: Four masters replication setup, an entry
    :steps:
        1. Modify the entry on master1 - add attribute
        2. Wait for replication to happen
        3. Check entry on all other masters
        4. Modify the entry on master1 - replace attribute
        5. Wait for replication to happen
        6. Check entry on all other masters
        7. Modify the entry on master1 - delete attribute
        8. Wait for replication to happen
        9. Check entry on all other masters
    :expectedresults:
        1. Attribute should be successfully added
        2. Some time should pass
        3. The change should be present on all masters
        4. Attribute should be successfully replaced
        5. Some time should pass
        6. The change should be present on all masters
        7. Attribute should be successfully deleted
        8. Some time should pass
        9. The change should be present on all masters
    """
    first_mail = '{}@redhat.com'.format(TEST_ENTRY_NAME)
    second_mail = '{}@greenhat.com'.format(TEST_ENTRY_NAME)
    test_user = UserAccount(topo_m4.ms["master1"], TEST_ENTRY_DN)

    # Each phase waits a fixed second for replication before checking every
    # instance returned by all_get_dsldapobject.
    log.info('Modifying entry {} - add operation'.format(TEST_ENTRY_DN))
    test_user.add('mail', first_mail)
    time.sleep(1)
    for replica_user in topo_m4.all_get_dsldapobject(TEST_ENTRY_DN, UserAccount):
        assert first_mail in replica_user.get_attr_vals_utf8('mail')

    log.info('Modifying entry {} - replace operation'.format(TEST_ENTRY_DN))
    test_user.replace('mail', second_mail)
    time.sleep(1)
    for replica_user in topo_m4.all_get_dsldapobject(TEST_ENTRY_DN, UserAccount):
        assert second_mail in replica_user.get_attr_vals_utf8('mail')

    log.info('Modifying entry {} - delete operation'.format(TEST_ENTRY_DN))
    test_user.remove('mail', second_mail)
    time.sleep(1)
    for replica_user in topo_m4.all_get_dsldapobject(TEST_ENTRY_DN, UserAccount):
        assert second_mail not in replica_user.get_attr_vals_utf8('mail')
Ejemplo n.º 17
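def test_check_repl_M2_to_M1(topology_m2, moddn_setup):
    """Checks that replication is still working M2->M1, using ACCOUNT12

    :id: 08ac131d-34b7-443f-aacd-23025bbd7de1
    :setup: MMR with two masters,
            M1 - staging DIT
            M2 - production DIT
            add test accounts in staging DIT
    :steps:
        1. Wait until the test account is visible on M2
        2. Add a description value to the account on M2
        3. Search the entry on M1 until the value shows up
    :expectedresults:
        1. It should pass
        2. It should pass
        3. It should pass
    """
    master1 = topology_m2.ms["master1"]
    master2 = topology_m2.ms["master2"]
    # Number of one-second polls per wait loop; matches the former
    # "loop <= 10" bound (attempts 0..10).
    max_attempts = 11

    master1.log.info("Bind as %s (M2)" % DN_DM)
    master2.simple_bind_s(DN_DM, PASSWORD)

    rdn = "uid=%s12" % NEW_ACCOUNT
    dn = "%s,%s" % (rdn, STAGING_DN)
    new_account = UserAccount(master2, dn)

    # First wait for the account entry to be replicated on M2
    present_on_m2 = False
    for _ in range(max_attempts):
        try:
            master2.getEntry(dn, ldap.SCOPE_BASE, "(objectclass=*)")
        except ldap.NO_SUCH_OBJECT:
            time.sleep(1)
        else:
            present_on_m2 = True
            break
    assert present_on_m2

    attribute = 'description'
    tested_value = b'Hello world'
    master1.log.info("Update (M2) %s (%s)" % (dn, attribute))
    new_account.add(attribute, tested_value)

    # Poll M1 for the replicated value. The success flag replaces the former
    # "assert loop < 10", which reported a failure when the value arrived on
    # the last poll even though the loop itself allowed that poll.
    replicated_on_m1 = False
    for _ in range(max_attempts):
        ent = master1.getEntry(dn, ldap.SCOPE_BASE, "(objectclass=*)")
        assert ent is not None
        if ent.hasAttr(attribute) and ent.getValue(attribute) == tested_value:
            replicated_on_m1 = True
            break
        time.sleep(1)
    assert replicated_on_m1
    master1.log.info("Update %s (%s) replicated on M1" % (dn, attribute))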
Ejemplo n.º 18
class _AddTitleWithRoot:
    """Add or remove one ``title`` value on USER_DELADD over ``topo.standalone``."""

    def __init__(self, topo, value):
        """Keep the topology and the title value, and wrap USER_DELADD."""
        self.topo, self.value = topo, value
        # Built on the server instance itself, not on a user bind; presumably
        # the privileged setup connection, as the class name suggests.
        self.user = UserAccount(topo.standalone, USER_DELADD)

    def add(self):
        """Add the stored value as a ``title`` of the wrapped entry."""
        attribute = "title"
        self.user.add(attribute, self.value)

    def delete(self):
        """Remove the stored value from ``title`` of the wrapped entry."""
        attribute = "title"
        self.user.remove(attribute, self.value)
Ejemplo n.º 19
class _ModTitleArchitectJeffVedder:
    """Add or remove one ``title`` value on USER_DELADD over a caller-supplied connection."""

    def __init__(self, topo, value, conn):
        """Keep the topology, the title value and the connection, and wrap USER_DELADD."""
        self.topo, self.value, self.conn = topo, value, conn
        # The entry is accessed through `conn`, so the caller decides which
        # bind identity the writes are made as.
        self.user = UserAccount(conn, USER_DELADD)

    def add(self):
        """Add the stored value as a ``title`` of the wrapped entry."""
        attribute = "title"
        self.user.add(attribute, self.value)

    def delete(self):
        """Remove the stored value from ``title`` of the wrapped entry."""
        attribute = "title"
        self.user.remove(attribute, self.value)
Ejemplo n.º 20
def test_allow_write_access_to_target_with_wildcards(topo, aci_of_user,
                                                     cleanup_tree):
    """
    Modify Test 6 Allow write access to target with wildcards
    :id:825fe884-7abf-11e8-8541-8c16451d917b
    :setup: server
    :steps:
        1. Add an ACI on the suffix allowing write on all attributes to ldap:///anyone
        2. Create three organizational units and one user in each
        3. Bind as USER_DELADD, add a title to KIRSTENVAUGHAN and read it back
        4. Bind as USER_WITH_ACI_DELADD, add a title to USER_DELADD and read it back
    :expectedresults:
        1. ACI should be added
        2. Entries should be added
        3. Operation should succeed and a title value should be returned
        4. Operation should succeed and a title value should be returned
    """
    # NOTE(review): the target value is the whole suffix and the bind rule is
    # ldap:///anyone, so despite the test name no wildcard appears in the
    # ACI - confirm this is the rule the test is meant to cover.
    suffix_write_aci = (
        '(target = ldap:///{})(targetattr = "*")'
        '(version 3.0; acl "ACI NAME"; allow (write) (userdn = "ldap:///anyone") ;)'
    ).format(DEFAULT_SUFFIX)
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", suffix_write_aci)

    for ou_name in ('Product Development', 'Accounting', 'Human Resources'):
        OrganizationalUnit(
            topo.standalone, "ou={},{}".format(ou_name, DEFAULT_SUFFIX)
        ).create(properties={'ou': ou_name})

    relative_names = (
        'Jeff Vedder,ou=Product Development',
        'Sam Carter,ou=Accounting',
        'Kirsten Vaughan, ou=Human Resources',
    )
    for relative_name in relative_names:
        account = UserAccount(topo.standalone,
                              "cn={},{}".format(relative_name, DEFAULT_SUFFIX))
        account.create(properties={
            'uid': relative_name,
            'cn': relative_name,
            'sn': 'user',
            'uidNumber': '1000',
            'gidNumber': '2000',
            'homeDirectory': '/home/' + relative_name,
            'userPassword': PW_DM
        })

    # One (bind identity, target entry) pair per check; every pair must be
    # able to write title and then read it back over the same connection.
    for bind_dn, target_dn in ((USER_DELADD, KIRSTENVAUGHAN),
                               (USER_WITH_ACI_DELADD, USER_DELADD)):
        conn = UserAccount(topo.standalone, bind_dn).bind(PW_DM)
        ua = UserAccount(conn, target_dn)
        ua.add("title", "Architect")
        assert ua.get_attr_val('title')
Ejemplo n.º 21
def test_many_attrs(topo_m4, create_entry):
    """Check a replication with many attributes (add and delete)

    :id: d540b358-f67a-43c6-8df5-7c74b3cb7523
    :setup: Four masters replication setup, a test entry
    :steps:
        1. Add 10 new attributes to the entry
        2. Delete few attributes: one from the beginning,
           two from the middle and one from the end
        3. Check that the changes were replicated in the right order
    :expectedresults:
        1. The attributes should be successfully added
        2. Delete operations should be successful
        3. The changes should be replicated in the right order
    """
    supplier = topo_m4.ms["master1"]
    add_list = ensure_list_bytes(map("test{}".format, range(10)))
    delete_list = ensure_list_bytes(map("test{}".format, [0, 4, 7, 9]))
    test_user = UserAccount(supplier, TEST_ENTRY_DN)

    log.info('Modifying entry {} - 10 add operations'.format(TEST_ENTRY_DN))
    for add_name in add_list:
        test_user.add('description', add_name)

    log.info(
        'Check that everything was properly replicated after an add operation')
    for entry in get_repl_entries(topo_m4, TEST_ENTRY_NAME, ["description"]):
        replicated = entry.getValues("description")
        # Position by position: the order of the values matters, not only
        # their presence.
        assert all(
            replicated[position] == expected
            for position, expected in enumerate(add_list))

    log.info('Modifying entry {} - 4 delete operations for {}'.format(
        TEST_ENTRY_DN, str(delete_list)))
    for delete_name in delete_list:
        test_user.remove('description', delete_name)

    log.info(
        'Check that everything was properly replicated after a delete operation'
    )
    # Values that should survive, in their original order.
    remaining = [name for name in add_list if name not in delete_list]
    for entry in get_repl_entries(topo_m4, TEST_ENTRY_NAME, ["description"]):
        for position, value in enumerate(entry.getValues("description")):
            assert value == remaining[position]
            assert value not in delete_list
Ejemplo n.º 22
def test_allow_write_access_to_userdnattr(topo, aci_of_user, cleanup_tree,
                                          request):
    """Modify Test 7 Allow write access to userdnattr

    :id: 86b418f6-7abf-11e8-ae28-8c16451d917b
    :setup: server
    :steps:
        1. Add an ACI on the suffix allowing write on all attributes to ldap:///anyone
        2. Create two organizational units and one user in each
        3. Set manager on USER_WITH_ACI_DELADD to its own DN
        4. Bind as USER_WITH_ACI_DELADD, add two uid values to USER_DELADD and read uid back
    :expectedresults:
        1. ACI should be added
        2. Entries should be added
        3. Operation should succeed
        4. Operations should succeed and a uid value should be returned
    """
    # NOTE(review): the bind rule is userdn = "ldap:///anyone"; the userdnattr
    # keyword named in the test title is not part of this ACI, so the manager
    # value set below does not look like it influences the result - confirm
    # the intended rule.
    anyone_write_aci = (
        '(target = ldap:///{})(targetattr=*)'
        '(version 3.0; acl "{}";allow (write) (userdn = "ldap:///anyone"); )'
    ).format(DEFAULT_SUFFIX, request.node.name)
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", anyone_write_aci)

    for ou_name in ('Product Development', 'Accounting'):
        OrganizationalUnit(
            topo.standalone, "ou={},{}".format(ou_name, DEFAULT_SUFFIX)
        ).create(properties={'ou': ou_name})

    for relative_name in ('Jeff Vedder,ou=Product Development',
                          'Sam Carter,ou=Accounting'):
        account = UserAccount(topo.standalone,
                              "cn={},{}".format(relative_name, DEFAULT_SUFFIX))
        account.create(properties={
            'uid': relative_name,
            'cn': relative_name,
            'sn': 'user',
            'uidNumber': '1000',
            'gidNumber': '2000',
            'homeDirectory': '/home/' + relative_name,
            'userPassword': PW_DM
        })

    aci_user = UserAccount(topo.standalone, USER_WITH_ACI_DELADD)
    aci_user.add('manager', USER_WITH_ACI_DELADD)

    conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
    ua = UserAccount(conn, USER_DELADD)
    for new_uid in ('scoobie', 'jvedder'):
        ua.add('uid', new_uid)
        assert ua.get_attr_val('uid')
Ejemplo n.º 23
def test_allow_write_access_to_targetattr_with_multiple_attibutes(
        topo, aci_of_user, cleanup_tree):
    """
    Modify Test 2 Allow write access to targetattr with multiple attributes
    :id:6b9f05c6-7abf-11e8-9ba1-8c16451d917b
    :setup: server
    :steps:
        1. Add an ACI allowing write on telephonenumber and roomnumber to ldap:///anyone
        2. Create ou=Product Development and the user Jeff Vedder below it
        3. Bind anonymously, add telephonenumber and roomnumber to USER_DELADD and
           read each back
    :expectedresults:
        1. ACI should be added
        2. Entries should be added
        3. Operations should succeed and both attributes should return a value
    """
    two_attr_aci = (
        '(targetattr = "telephonenumber || roomnumber")'
        '(version 3.0; acl "ACI NAME"; allow (write) (userdn = "ldap:///anyone") ;)'
    )
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", two_attr_aci)

    OrganizationalUnit(
        topo.standalone, "ou=Product Development,{}".format(DEFAULT_SUFFIX)
    ).create(properties={'ou': 'Product Development'})

    jeff = UserAccount(
        topo.standalone,
        "cn=Jeff Vedder,ou=Product Development,{}".format(DEFAULT_SUFFIX))
    jeff.create(properties={
        'uid': 'Jeff Vedder',
        'cn': 'Jeff Vedder',
        'sn': 'user',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/JeffVedder',
        'userPassword': PW_DM
    })

    # The writes are made over an anonymous bind: the ACI grants write to
    # ldap:///anyone, limited to the two attributes listed in targetattr.
    anonymous_conn = Anonymous(topo.standalone).bind()
    ua = UserAccount(anonymous_conn, USER_DELADD)
    for attribute, value in (("telephonenumber", "+1 408 555 1212"),
                             ("roomnumber", "101")):
        ua.add(attribute, value)
        assert ua.get_attr_val(attribute)
Ejemplo n.º 24
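def test_allow_write_access_to_userdn_with_wildcards_in_dn(
        topo, aci_of_user, cleanup_tree):
    """
    Modify Test 4 Allow write access to userdn with wildcards in DN

    The rule grants write on every attribute to any bind DN that matches
    ``cn=*, ou=Product Development,<suffix>``. The test binds as USER_DELADD,
    adds a title to that same entry and checks the stored value.

    :id:766c2312-7abf-11e8-b57d-8c16451d917b
    :setup: server
    :steps:
        1. Add ACI
        2. Add test entry
        3. User should follow ACI role
    :expectedresults:
        1. Operation should  succeed
        2. Entry should be added
        3. Operation should  succeed
    """
    aci_rule = '(targetattr = "*")(version 3.0; acl "ACI NAME"; allow (write)(userdn = "ldap:///cn=*, ou=Product Development,{}") ;)'.format(
        DEFAULT_SUFFIX)
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", aci_rule)

    ou = OrganizationalUnit(topo.standalone,
                            "ou=Product Development,{}".format(DEFAULT_SUFFIX))
    ou.create(properties={'ou': 'Product Development'})

    properties = {
        'uid': 'Jeff Vedder',
        'cn': 'Jeff Vedder',
        'sn': 'user',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/' + 'JeffVedder',
        'userPassword': PW_DM
    }
    user = UserAccount(
        topo.standalone,
        "cn=Jeff Vedder,ou=Product Development,{}".format(DEFAULT_SUFFIX))
    user.create(properties=properties)

    # USER_DELADD is defined outside this function; presumably it is the
    # Jeff Vedder entry created above, which is what would make the bind DN
    # match the wildcard -- confirm.
    conn = UserAccount(topo.standalone, USER_DELADD).bind(PW_DM)
    # Allow write access to userdn with wildcards in DN
    ua = UserAccount(conn, USER_DELADD)
    ua.add("title", "Architect")
    # Compare against the written value; a truthiness check would pass for
    # any pre-existing title.
    assert ua.present('title', 'Architect')
    # NOTE(review): the rule covers targetattr "*" for every bind DN matching
    # the wildcard, and only the allowed side is asserted. A bind DN outside
    # ou=Product Development being refused is not checked here -- confirm
    # whether another test covers it.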
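def test_server_bahaves_properly_with_very_long_attribute_names(topo, clean, aci_of_user):
    """
    Make sure the server behaves properly with very long attribute names. Bug 624453.

    A 9000-character string that is not a valid ACI is written to the ``aci``
    attribute of the test user. The server must refuse it with
    INVALID_SYNTAX, must not store it, and must still answer the follow-up
    read.

    :id:b0d31942-7db8-11e8-a833-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Add test entry
        2. Add an over-long, malformed aci value
        3. Read the aci attribute back
    :expectedresults:
        1. Entry should be added
        2. Operation should fail with INVALID_SYNTAX
        3. No aci value should be stored
    """
    users = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
    # Work on the object returned by create_test_user() instead of
    # users.list()[0]: the first listed entry is only the new user when no
    # other account exists under the same container.
    test_user = users.create_test_user()
    test_user.set('userpassword', PW_DM)

    with pytest.raises(ldap.INVALID_SYNTAX):
        test_user.add("aci", "a" * 9000)
    # The rejected value must leave no trace on the entry; this read also
    # shows the server is still responding after the oversized input.
    assert not test_user.present('aci')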
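def test_denied_by_multiple_filters(topo, _add_user, aci_of_user, request):
    """Testing the targattrfilters keyword that allows access control based on the value of the
    attributes being added (or deleted))
    Denied by multiple filters

    The rule allows write only for ``title=architect`` and for a secretary
    value of ``cn=Meylan,<suffix>``. Both allowed values are added and
    checked, then a secretary value outside the filter is attempted and must
    be refused without being stored.

    :id: 034c6c62-7aaa-11e8-8634-8c16451d917b
    :setup: server
    :steps:
        1. Add ACI
        2. Add the allowed title and secretary values
        3. Add a secretary value the filter does not match
    :expectedresults:
        1. Operation should  succeed
        2. Operation should  succeed
        3. Operation should fail with INSUFFICIENT_ACCESS
    """
    ACI_BODY = '(targattrfilters = "add=title:(title=architect) && secretary:' \
               '(secretary=cn=Meylan,{}), del=title:(title=architect) && secretary:' \
               '(secretary=cn=Meylan,{})")(version 3.0; acl "{}"; allow (write) ' \
               '(userdn = "ldap:///anyone") ;)'.format(DEFAULT_SUFFIX, DEFAULT_SUFFIX, request.node.name)
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

    # Build the secretary DNs from DEFAULT_SUFFIX, as the rule itself does,
    # so the values under test cannot drift from the filter if the suffix
    # ever differs from the hard-coded one.
    allowed_secretary = "cn=Meylan,{}".format(DEFAULT_SUFFIX)
    denied_secretary = "cn=Grenoble,{}".format(DEFAULT_SUFFIX)

    conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
    user = UserAccount(conn, USER_DELADD)

    # Values matched by the filters are accepted.
    user.add("title", "architect")
    assert user.present('title', 'architect')
    user.add("secretary", allowed_secretary)
    assert user.present('secretary', allowed_secretary)

    # A secretary value the filter does not match is refused...
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        user.add("secretary", denied_secretary)
    # ...and the refused value must not have been written.
    assert not user.present('secretary', denied_secretary)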
def test_cannot_add_an_entry_with_attribute_values_we_are_not_allowed_add(
    topo, _add_user, aci_of_user
):
    """
    Testing the targattrfilters keyword that allows access control based on the value of the
    attributes being added (or deleted))
    "Valueacl Test $tet_thistest Test not allowed add an entry"

    A targattrfilters rule with an ``allow (add)`` permission is placed on
    the suffix, an entry cn=FRED is created and given three title values over
    the topology's own connection, and then USER_WITH_ACI_DELADD binds and
    tries to add an objectclass value to its own entry, which must be
    refused.

    :id:0d0effee-7aaa-11e8-b673-8c16451d917b
    :setup: server
    :steps:
        1. Add ACI
        2. Add test entry
        3. User should follow ACI role
    :expectedresults:
        1. Operation should  succeed
        2. Entry should be added
        3. Operation should fail with INSUFFICIENT_ACCESS
    """
    # NOTE(review): this rule spells the keyword after "version 3.0;" as
    # `aci`, where the other rules in this file spell it `acl` -- confirm the
    # server accepts this form as intended.
    rule_template = (
        '(targattrfilters = "add=title:(|(title=engineer)(title=cool dude)(title=scum)) '
        '&& secretary:(secretary=cn=Meylan, {}), del=title:(|(title=engineer)(title=cool dude)'
        '(title=scum))")(version 3.0; aci "$tet_thistest"; allow (add) userdn = "ldap:///{}";)'
    )
    suffix_entry = Domain(topo.standalone, DEFAULT_SUFFIX)
    suffix_entry.add("aci", rule_template.format(DEFAULT_SUFFIX, DEFAULT_SUFFIX))

    # Entry created and populated over the unrestricted connection.
    fred = UserAccount(topo.standalone, 'cn=FRED,ou=Accounting,{}'.format(DEFAULT_SUFFIX))
    fred.create(properties={
        'uid': 'FRED',
        'cn': 'FRED',
        'sn': 'user',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/FRED',
    })
    fred.set('title', ['anuj', 'kumar', 'borah'])

    # aci will not allow adding objectclass
    # NOTE(review): the refused operation is a modify on the bound user's own
    # entry, not the creation of an entry; whether the refusal comes from the
    # targattrfilters values or simply from the absence of a write permission
    # is not distinguishable from this test alone -- confirm the intent.
    bound = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
    requester = UserAccount(bound, USER_WITH_ACI_DELADD)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        requester.add("objectclass", "person")
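def test_uniquemember_should_also_be_the_owner(topo, aci_of_user):
    """
    Modify Test 10 groupdnattr = "ldap:///$BASEDN?owner" if owner is a group, group's
    uniquemember should also be the owner

    The rule on ou=ACLDevelopment grants all rights through ``groupdnattr``
    on the target's ``owner`` attribute. uid=2ishani is owned by group4,
    whose uniquemember is uid=anuj, so uid=anuj is expected to be able to
    modify uid=2ishani.

    :id:9456b2d4-7abf-11e8-829d-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    group_ou = OrganizationalUnit(
        topo.standalone, "ou={},{}".format('ACLGroupTest', DEFAULT_SUFFIX))
    group_ou.create(properties={'ou': 'ACLGroupTest'})

    ou = OrganizationalUnit(topo.standalone,
                            "ou=ACLDevelopment,{}".format(DEFAULT_SUFFIX))
    ou.create(properties={'ou': 'ACLDevelopment'})
    ou.set(
        'aci', '(targetattr="*")(version 3.0; acl "groupdnattr acl"; '
        'allow (all)groupdnattr = "ldap:///{}?owner";)'.format(DEFAULT_SUFFIX))

    # The two person entries are created through UniqueGroup and carry the
    # groupofUniquenames objectclass alongside the person classes.
    person_classes = [
        'top', 'person', 'organizationalPerson', 'inetOrgPerson',
        'groupofUniquenames'
    ]

    # uid=anuj: the account that binds later.
    grp = UniqueGroup(topo.standalone,
                      "uid=anuj,ou=ACLDevelopment, {}".format(DEFAULT_SUFFIX))
    grp.create(properties={
        'sn': 'Borah',
        'cn': 'Anuj',
        'objectclass': list(person_classes),
        'userpassword': PW_DM,
        'givenname': 'Anuj',
        'ou': ['ACLDevelopment', 'People'],
        'roomnumber': '123',
        'uniquemember': 'cn=mandatory member',
    })

    # uid=2ishani: the target entry, owned by group4.
    grp = UniqueGroup(
        topo.standalone,
        "uid=2ishani,ou=ACLDevelopment, {}".format(DEFAULT_SUFFIX))
    grp.create(properties={
        'sn': 'Borah',
        'cn': '2ishani',
        'objectclass': list(person_classes),
        'userpassword': PW_DM,
        'givenname': '2ishani',
        'ou': ['ACLDevelopment', 'People'],
        'roomnumber': '1234',
        'uniquemember': 'cn=mandatory member',
        "owner": "cn=group4, ou=ACLGroupTest, {}".format(DEFAULT_SUFFIX),
    })

    # Group chain: group1 -> (group2, group3), group3 -> group4,
    # group4 -> uid=anuj. No group2 entry is created in this test.
    grp = UniqueGroup(topo.standalone,
                      'cn=group1,ou=ACLGroupTest,' + DEFAULT_SUFFIX)
    grp.create(properties={'cn': 'group1', 'ou': 'groups'})
    grp.set('uniquemember', [
        "cn=group2, ou=ACLGroupTest, {}".format(DEFAULT_SUFFIX),
        "cn=group3, ou=ACLGroupTest, {}".format(DEFAULT_SUFFIX)
    ])

    grp = UniqueGroup(topo.standalone,
                      'cn=group3,ou=ACLGroupTest,' + DEFAULT_SUFFIX)
    grp.create(properties={'cn': 'group3', 'ou': 'groups'})
    grp.set('uniquemember',
            ["cn=group4, ou=ACLGroupTest, {}".format(DEFAULT_SUFFIX)])

    grp = UniqueGroup(topo.standalone,
                      'cn=group4,ou=ACLGroupTest,' + DEFAULT_SUFFIX)
    grp.create(properties={'cn': 'group4', 'ou': 'groups'})
    grp.set('uniquemember',
            ["uid=anuj, ou=ACLDevelopment, {}".format(DEFAULT_SUFFIX)])

    # uniquemember should also be the owner
    conn = UserAccount(
        topo.standalone,
        "uid=anuj,ou=ACLDevelopment, {}".format(DEFAULT_SUFFIX)).bind(PW_DM)
    ua = UserAccount(
        conn, "uid=2ishani, ou=ACLDevelopment, {}".format(DEFAULT_SUFFIX))
    ua.add('roomnumber', '9999')
    # The entry was created with roomnumber 1234, so checking only that the
    # attribute has a value could never fail; check the value just written.
    assert ua.present('roomnumber', '9999')

    # NOTE(review): this cleanup is skipped when anything above raises or an
    # assertion fails, which leaves the entries and the permissive rule on
    # ou=ACLDevelopment in place for later tests -- consider moving it into
    # a fixture finalizer.
    for DN in [
            "cn=group4,ou=ACLGroupTest,{}".format(DEFAULT_SUFFIX),
            "cn=group3,ou=ACLGroupTest,{}".format(DEFAULT_SUFFIX),
            "cn=group1,ou=ACLGroupTest,{}".format(DEFAULT_SUFFIX),
            "uid=2ishani,ou=ACLDevelopment,{}".format(DEFAULT_SUFFIX),
            "uid=anuj,ou=ACLDevelopment,{}".format(DEFAULT_SUFFIX),
            "ou=ACLDevelopment,{}".format(DEFAULT_SUFFIX),
            "ou=ACLGroupTest, {}".format(DEFAULT_SUFFIX)
    ]:
        UserAccount(topo.standalone, DN).delete()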
def _create_test_entries(topo):
    # Changing schema
    current_schema = Schema(topo.standalone)
    current_schema.add(
        'attributetypes',
        "( 9.9.8.4 NAME 'emailclass' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 "
        "X-ORIGIN 'RFC 2256' )")
    current_schema.add(
        'objectclasses',
        "( 9.9.8.2 NAME 'mailSchemeUser' DESC 'User Defined ObjectClass' "
        "SUP 'top' MUST ( objectclass )  "
        "MAY (aci $ emailclass) X-ORIGIN 'RFC 2256' )")

    # Creating ous
    ous = OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX)
    for ou_ou in [
            'Çéliné Ändrè',
            'Ännheimè',
            'Çlose Crèkä',
            'Sàn Fråncêscô',
            'Netscape Servers',
            'COS',
    ]:
        ous.create(properties={'ou': ou_ou})

    ous_mail = OrganizationalUnits(topo.standalone, f'ou=COS,{DEFAULT_SUFFIX}')
    ous_mail.create(properties={'ou': 'MailSchemeClasses'})

    # Creating users
    users_people = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
    for user, org, l_l, telephone, facetele, rn_rn in [
        [
            'scarter', ['Accounting', 'People'], 'Sunnyvale',
            '+1 408 555 4798', '+1 408 555 9751', '4612'
        ],
        [
            'tmorris', ['Accounting', 'People'], 'Santa Clara',
            '+1 408 555 9187', '+1 408 555 8473', '4117'
        ],
        [
            'kvaughan', ['Human Resources', 'People'], 'Sunnyvale',
            '+1 408 555 5625', ' +1 408 555 3372', '2871'
        ],
        [
            'abergin', ['Product Testing', 'People'], 'Cupertino',
            '+1 408 555 8585', '+1 408 555 7472', '3472'
        ],
        [
            'dmiller', ['Accounting', 'People'], 'Sunnyvale',
            '+1 408 555 9423', '+1 408 555 0111', '4135'
        ],
        [
            'gfarmer', ['Accounting', 'People'], 'Cupertino',
            '+1 408 555 6201', '+1 408 555 8473', '1269'
        ],
        [
            'kwinters', ['Product Development', 'People'], 'Santa Clara',
            '+1 408 555 9069', '+1 408 555 1992', '4178'
        ],
        [
            'trigden', ['Product Development', 'People'], 'Santa Clara',
            '+1 408 555 9280', '+1 408 555 8473', '3584'
        ],
        [
            'cschmith', ['Human Resources', 'People'], 'Sunnyvale',
            '+1 408 555 8011', '+1 408 555 4774', '0416'
        ],
        [
            'jwallace', ['Accounting', 'People'], 'Sunnyvale',
            '+1 408 555 0319', '+1 408 555 8473', '1033'
        ],
        [
            'jwalker', ['Product Testing', 'People'], 'Cupertino',
            '+1 408 555 1476', '+1 408 555 1992', '3915'
        ],
        [
            'tclow', ['Human Resources', 'People'], 'Santa Clara',
            '+1 408 555 8825', '+1 408 555 1992', '4376'
        ],
        [
            'rdaugherty', ['Human Resources', 'People'], 'Sunnyvale',
            '+1 408 555 1296', '+1 408 555 1992', '0194'
        ],
        [
            'jreuter', ['Product Testing', 'People'], 'Cupertino',
            '+1 408 555 1122', '+1 408 555 8721', '2942'
        ],
        [
            'tmason', ['Human Resources', 'People'], 'Sunnyvale',
            '+1 408 555 1596', '+1 408 555 9751', '1124'
        ],
        [
            'bhall', ['Product Development', 'People'], 'Santa Clara',
            '+1 408 555 4798', '+1 408 555 9751', '4612'
        ],
        [
            'btalbot', ['Human Resources', 'People'], 'Cupertino',
            '+1 408 555 6067', '+1 408 555 9751', '3532'
        ],
        [
            'mward', ['Accounting', 'People'], 'Santa Clara',
            '+1 408 555 6067', '+1 408 555 9751', '1707'
        ],
        [
            'bjablons', ['Human Resources', 'People'], 'Sunnyvale',
            '+1 408 555 6067', '+1 408 555 9751', '0906'
        ],
        [
            'jmcFarla', ['Accounting', 'People'], 'Santa Clara',
            '+1 408 555 6067', '+1 408 555 9751', '2359'
        ],
        [
            'llabonte', ['Product Development', 'People'], 'Santa Clara',
            '+1 408 555 6067', '+1 408 555 9751', '2854'
        ],
        [
            'jcampaig', ['Product Development', 'People'], 'Cupertino',
            '+1 408 555 6067', '+1 408 555 9751', '4385'
        ],
        [
            'bhal2', ['Accounting', 'People'], 'Sunnyvale', '+1 408 555 6067',
            '+1 408 555 9751', '2758'
        ],
        [
            'alutz', ['Accounting', 'People'], 'Santa Clara',
            '+1 408 555 6067', '+1 408 555 9751', '1327'
        ],
        [
            'btalbo2', ['Product Development', 'People'], 'Santa Clara',
            '+1 408 555 6067', '+1 408 555 9751', '1205'
        ],
        [
            'achassin', ['Product Development', 'People'], 'Santa Clara',
            '+1 408 555 6067', '+1 408 555 9751', '0466'
        ],
        [
            'hmiller', ['Human Resources', 'People'], 'Santa Clara',
            '+1 408 555 6067', '+1 408 555 9751', '4304'
        ],
        [
            'jcampai2', ['Human Resources', 'People'], 'Santa Clara',
            '+1 408 555 6067', '+1 408 555 9751', '1377'
        ],
        [
            'lulrich', ['Accounting', 'People'], 'Sunnyvale',
            '+1 408 555 6067', '+1 408 555 9751', '0985'
        ],
        [
            'mlangdon', ['Product Development', 'People'], 'Cupertino',
            '+1 408 555 6067', '+1 408 555 9751', '4471'
        ],
        [
            'striplet', ['Human Resources', 'People'], 'Santa Clara',
            '+1 408 555 6067', '+1 408 555 9751', '3083'
        ],
        [
            'gtriplet', ['Accounting', 'People'], 'Sunnyvale',
            '+1 408 555 6067', '+1 408 555 9751', '4023'
        ],
        [
            'jfalena', ['Human Resources', 'People'], 'Santa Clara',
            '+1 408 555 6067', '+1 408 555 9751', '1917'
        ],
        [
            'speterso', ['Human Resources', 'People'], 'Cupertino',
            '+1 408 555 6067', '+1 408 555 9751', '3073'
        ],
        [
            'ejohnson', ['Accounting', 'People'], 'Santa Clara',
            '+1 408 555 6067', '+1 408 555 9751', '3737'
        ],
        [
            'prigden', ['Accounting', 'People'], 'Santa', '+1 408 555 6067',
            '+1 408 555 9751', '1271'
        ],
        [
            'bwalker', ['Accounting', 'People'], 'Santa Clara',
            '+1 408 555 6067', '+1 408 555 9751', '3529'
        ],
        [
            'kjensen', ['Accounting', 'People'], 'Santa Clara',
            '+1 408 555 4798', '+1 408 555 9751', '1944'
        ],
        [
            'mlott', ['Human Resources', 'People'], 'Sunnyvale',
            '+1 408 555 4798', '+1 408 555 9751', '0498'
        ],
        [
            'cwallace', ['Product Development', 'People'], 'Cupertino',
            '+1 408 555 4798', '+1 408 555 9751', '0349'
        ],
        [
            'falbers', ['Accounting', 'People'], 'Sunnyvale',
            '+1 408 555 4798', '+1 408 555 9751', '1439'
        ],
        [
            'calexand', ['Product Development', 'People'], 'Sunnyvale',
            '+1 408 555 4798', '+1 408 555 9751', '2884'
        ],
        [
            'phunt', ['Human Resources', 'People'], 'Sunnyvale',
            '+1 408 555 4798', '+1 408 555 9751', '1183'
        ],
        [
            'awhite', ['Product Testing', 'People'], 'Sunnyvale',
            '+1 408 555 4798', '+1 408 555 9751', '0142'
        ],
        [
            'sfarmer', ['Accounting', 'People'], 'Santa Clara',
            '+1 408 555 4798', '+1 408 555 9751', '0019'
        ],
        [
            'jrentz', ['Human Resources', 'People'], 'Santa Clara',
            '+1 408 555 4798', '+1 408 555 9751', '3025'
        ],
        [
            'ahall', ['Accounting', 'People'], 'Santa Clara',
            '+1 408 555 4798', '+1 408 555 9751', '3050'
        ],
        [
            'lstockto', ['Product Testing', 'People'], 'Santa Clara',
            '+1 408 555 0518', '+1 408 555 4774', '0169'
        ],
        [
            'ttully', ['Human Resources', 'People'], 'Sunnyvale',
            '+1 408 555 2274', '+1 408 555 0111', '3924'
        ],
        [
            'polfield', ['Human Resources', 'People'], 'Santa Clara',
            '+1 408 555 4798', '+1 408 555 9751', '1376'
        ],
        [
            'scarte2', ['Product Development', 'People'], 'Santa Clara',
            '+1 408 555 4798', '+1 408 555 9751', '2013'
        ],
        [
            'tkelly', ['Product Development', 'People'], 'Santa Clara',
            '+1 408 555 4295', '+1 408 555 1992', '3107'
        ],
        [
            'mmcinnis', ['Product Development', 'People'], 'Santa Clara',
            '+1 408 555 9655', '+1 408 555 8721', '4818'
        ],
        [
            'brigden', ['Human Resources', 'People'], 'Sunnyvale',
            '+1 408 555 9655', '+1 408 555 8721', '1643'
        ],
        [
            'mtyler', ['Human Resources', 'People'], 'Cupertino',
            '+1 408 555 9655', '+1 408 555 8721', '2701'
        ],
        [
            'rjense2', ['Product Testing', 'People'], 'Sunnyvale',
            '+1 408 555 9655', '+1 408 555 8721', '1984'
        ],
        [
            'rhunt', ['Accounting', 'People'], 'Santa Clara',
            '+1 408 555 9655', '+1 408 555 8721', '0718'
        ],
        [
            'ptyler', ['Accounting', 'People'], 'Santa Clara',
            '+1 408 555 9655', '+1 408 555 8721', '0327'
        ],
        [
            'gtyler', ['Accounting', 'People'], 'Santa Clara',
            '+1 408 555 9655', '+1 408 555 8721', '0312'
        ]
    ]:
        english_named_user(users_people, user, org, l_l, telephone, facetele,
                           rn_rn)

    # Creating Users
    users_annahame = UserAccounts(topo.standalone,
                                  f'ou=Ännheimè,{DEFAULT_SUFFIX}',
                                  rdn=None)
    users_sanfran = UserAccounts(topo.standalone,
                                 f'ou=Sàn Fråncêscô,{DEFAULT_SUFFIX}',
                                 rdn=None)
    users_andre = UserAccounts(topo.standalone,
                               f'ou=Çéliné Ändrè,{DEFAULT_SUFFIX}',
                               rdn=None)
    users_close = UserAccounts(topo.standalone,
                               f'ou=Çlose Crèkä,{DEFAULT_SUFFIX}',
                               rdn=None)
    for people, user, cn_cn, ou_ou, des, tele, facetele, be_be, lang in [
        [
            users_annahame, 'user0', 'Babette Ryndérs', 'Ännheimè',
            'This is Babette Ryndérs description', '+1 415 788-4115',
            '+1 804 849-2367', 'es', 'Babette Ryndérs'
        ],
        [
            users_sanfran, 'user1', 'mÿrty DeCoùrsin', 'Sàn Fråncêscô',
            'This is mÿrty DeCoùrsins description', '+1 408 689-8883',
            '+1 804 849-2367', 'ie', 'mÿrty DeCoùrsin'
        ],
        [
            users_sanfran, 'user3', 'Kéñnon Fùndérbùrg', 'Sàn Fråncêscô',
            "This is Kéñnon Fùndérbùrg's description", '+1 408 689-8883',
            '+1 804 849-2367', 'it', 'Kéñnon Fùndérbùrg'
        ],
        [
            users_sanfran, 'user5', 'Dàsya Cozàrt', 'Sàn Fråncêscô',
            "This is Dàsya Cozàrt's description", '+1 408 689-8883',
            '+1 804 849-2367', 'be', 'Dàsya Cozàrt'
        ],
        [
            users_andre, 'user2', "Rôw O'Connér", 'Çéliné Ändrè',
            "This is Rôw O'Connér's description", '+1 408 689-8883',
            '+1 804 849-2367', 'it', "Rôw O'Connér"
        ],
        [
            users_andre, 'user4', 'Theadora Ebérle', 'Çéliné Ändrè',
            "This is Kéñnon Fùndérbùrg's description", '+1 408 689-8883',
            '+1 804 849-2367', 'de', 'Theadora Ebérle'
        ],
        [
            users_andre, 'user6', 'mÿrv Callânân', 'Çéliné Ändrè',
            "This is mÿrv Callânân's description", '+1 408 689-8883',
            '+1 804 849-2367', 'fr', 'mÿrv Callânân'
        ],
        [
            users_close, 'user7', 'Ñäthan Ovâns', 'Çlose Crèkä',
            "This is Ñäthan Ovâns's description", '+1 408 689-8883',
            '+1 804 849-2367', 'be', 'Ñäthan Ovâns'
        ]
    ]:
        non_english_user(people, user, cn_cn, ou_ou, des, tele, facetele,
                         be_be, lang)

    # Creating User Entry
    for user, address, pin in [
        ['Secretary1', '123 Castro St., Mountain View, CA', '99999'],
        ['Secretary2', '234 Ellis St., Mountain View, CA', '88888'],
        ['Secretary3', '345 California Av., Mountain View, CA', '77777'],
        ['Secretary4', '456 Villa St., Mountain View, CA', '66666'],
        ['Secretary5', '567 University Av., Mountain View, CA', '55555']
    ]:
        user_with_postal_code(users_people, user, address, pin)

    # Adding properties to mtyler
    mtyler = UserAccount(topo.standalone,
                         'uid=mtyler, ou=people, dc=example, dc=com')
    for value1, value2 in [
        ('objectclass', ['mailSchemeUser', 'mailRecipient']),
        ('emailclass', 'vpemail'), ('mailquota', '600'),
        ('multiLineDescription',
         'fromentry This is the special \2a attribute value')
    ]:
        mtyler.add(value1, value2)

    # Adding properties to rjense2
    rjense2 = UserAccount(topo.standalone,
                          'uid=rjense2, ou=people, dc=example, dc=com')
    for value1, value2 in [('objectclass', ['mailRecipient',
                                            'mailSchemeUser']),
                           ('emailclass', 'vpemail')]:
        rjense2.add(value1, value2)

    # Creating managed role
    ManagedRoles(topo.standalone, DEFAULT_SUFFIX).create(
        properties={
            'description': 'This is the new managed role configuration',
            'cn': 'new managed role'
        })

    # Creating filter role
    filters = FilterRoles(topo.standalone, DEFAULT_SUFFIX)
    filters.create(
        properties={
            'nsRoleFilter': '(uid=*wal*)',
            'description': 'this is the new filtered role',
            'cn': 'new filtered role'
        })
    filters.create(
        properties={
            'nsRoleFilter': '(&(postalCode=77777)(uid=*er*))',
            'description': 'This is the new vddr filter role config',
            'cn': 'new vaddr filtered role'
        })
    filters.create(
        properties={
            'nsRoleFilter': '(&(postalCode=66666)(l=Cupertino))',
            'description': 'This is the new vddr filter role config',
            'cn': 'another vaddr role'
        })