Ejemplo n.º 1
def test_targattrfilters_and_search_permissions_and_that_ldapmodify_works_as_expected_two(
        topo, _add_user, aci_of_user):
    """
    Check that an ACI combining targattrfilters with read/search rights still
    lets an anonymous client read the attributes listed in targetattr.

    The targattrfilters keyword restricts access based on the value of the
    attribute being added (or deleted); here it is present in the rule while
    the test body only performs reads.
    :id:e25d116e-7aa9-11e8-81d8-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    # Rule is attached to the suffix entry. userdn "ldap:///anyone" also covers
    # unauthenticated binds, and the rights list includes write even though
    # only reads are exercised below.
    aci_rule = (
        '(targetattr="secretary || objectclass || mail")'
        '(targattrfilters = "add=title:(title=arch*)")'
        '(version 3.0; acl "$tet_thistest"; '
        'allow (write,read,search,compare) (userdn = "ldap:///anyone") ;)'
    )
    suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
    suffix.add("aci", aci_rule)

    # Read back through an anonymous connection so the ACI, not the
    # privileged test connection, decides what is visible.
    anon_conn = Anonymous(topo.standalone).bind()
    entry = UserAccount(anon_conn, USER_DELADD)

    # Each attribute named in targetattr must come back non-empty.
    for attr_name in ('secretary', 'mail', 'objectclass'):
        assert entry.get_attr_vals(attr_name)
Ejemplo n.º 2
def test_we_can_search_as_expected(topo, _add_user, aci_of_user):
    """
    Check that an anonymous search succeeds when the ACI narrows its scope with
    target and targetfilter in addition to targetattr and targattrfilters.

    The targattrfilters keyword restricts access based on the value of the
    attribute being added (or deleted).
    :id:e845dbba-7aa9-11e8-8988-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    # The single {} placeholder receives the suffix; the rule is limited to
    # cn=* entries under "ou=Product Development" that match cn=Jeff*.
    aci_template = (
        '(target="ldap:///cn=*,ou=Product Development, {}")'
        '(targetfilter="cn=Jeff*")'
        '(targetattr="secretary || objectclass || mail")'
        '(targattrfilters = "add=title:(title=arch*)")'
        '(version 3.0; acl "$tet_thistest"; '
        'allow (write,read,search,compare) (userdn = "ldap:///anyone") ;)'
    )
    aci_rule = aci_template.format(DEFAULT_SUFFIX)
    suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
    suffix.add("aci", aci_rule)

    # Anonymous bind: visibility is decided by the ACI just added.
    anon_conn = Anonymous(topo.standalone).bind()
    entry = UserAccount(anon_conn, USER_DELADD)

    # The rule grants read on secretary, mail and objectclass; all three
    # must return at least one value.
    for attr_name in ('secretary', 'mail', 'objectclass'):
        assert entry.get_attr_vals(attr_name)
Ejemplo n.º 3
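def test_targattrfilters_keyword(topo):
    """
    Regression test for ACIs in a search scenario: a user that the only ACI
    does not grant read access to must get nothing back, while the privileged
    connection can still read the same attributes.

    "Bug #979515 - ACLs inoperative in some search scenarios [rhel-6.5]"
    "Bug #979516 is a clone for DS8.2 on RHEL5.9"
    "Bug #979514 is a clone for RHEL6.4 zStream errata"
    :id:23f9e9d0-7aaa-11e8-b16b-8c16451d917b
    :setup: server
    :steps:
        1. Remove existing ACIs from the suffix and add ou=bug979515
        2. Add an ACI on the suffix targeting ou=bug979515 (targetattr uid)
        3. Create two test users under ou=bug979515
        4. Bind as the first user and read mail, telephoneNumber and cn
        5. Read the same attributes over the privileged connection
    :expectedresults:
        1. Operation should  succeed
        2. Operation should  succeed
        3. Entries should be added
        4. Each read should raise IndexError
        5. Each read should return a value
    """
    ou_dn = 'ou=bug979515,{}'.format(DEFAULT_SUFFIX)
    user_dn = 'cn=acientryusr1,{}'.format(ou_dn)
    checked_attrs = ('mail', 'telephoneNumber', 'cn')

    domain = Domain(topo.standalone, DEFAULT_SUFFIX)
    # Start from a suffix with no ACIs so that only the rule added below is
    # in effect.
    # NOTE(review): unlike the sibling tests this one does not request the
    # aci_of_user fixture; presumably that fixture restores the suffix ACIs
    # afterwards -- confirm the cleared ACIs are not leaked to later tests.
    domain.set('aci', None)
    ou = OrganizationalUnit(topo.standalone, ou_dn)
    ou.create(properties={'ou': 'bug979515'})

    # The only rule in place grants compare/read/search on "uid" to bind DNs
    # matching uid=*,ou=bug979515. The test users below are created with a
    # cn= RDN, so the userdn pattern does not appear to cover them.
    domain.add("aci", '(target="ldap:///ou=bug979515,{}") '
               '(targetattr= "uid") ( version 3.0; acl "read other subscriber"; allow (compare, read, search) '
               'userdn="ldap:///uid=*,ou=bug979515,{}" ; )'.format(DEFAULT_SUFFIX, DEFAULT_SUFFIX))

    for uid in ('acientryusr1', 'newaciphoneusr1'):
        account = UserAccount(topo.standalone, 'cn={},{}'.format(uid, ou_dn))
        account.create(properties={
            'uid': uid,
            'cn': uid,
            'sn': 'user',
            'uidNumber': '1000',
            'gidNumber': '2000',
            'homeDirectory': '/home/' + uid
        })
        account.set('telephoneNumber', '99972566596')
        account.set('mail', '*****@*****.**')
        if uid == 'acientryusr1':
            # Only the first user binds later, so only it needs a password.
            account.set("userPassword", "password")

    # NOTE(review): the password was set to the literal "password" above but
    # the bind uses PW_DM; presumably the two are equal -- confirm.
    conn = UserAccount(topo.standalone, user_dn).bind(PW_DM)

    # Reads over the user's own connection must all be denied. Each attribute
    # gets its own pytest.raises block: with several calls inside one block
    # the first exception ends the block and the later calls never run, so
    # they would not be verified.
    restricted = UserAccount(conn, user_dn)
    for attr_name in checked_attrs:
        with pytest.raises(IndexError):
            restricted.get_attr_vals(attr_name)

    # The privileged connection is expected to see every value set above;
    # assert it so a failed or empty read cannot pass silently.
    privileged = UserAccount(topo.standalone, user_dn)
    for attr_name in checked_attrs:
        assert privileged.get_attr_vals(attr_name)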