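def test_once_TPR_reset_old_passwd_invalid(topo, _add_user,
                                           set_global_TPR_policies):
    """Verify that once a password has been reset the old password is rejected

    :id: f3ea4f00-e89c-11eb-b81d-98fa9ba19b65
    :customerscenario: True
    :setup: Standalone
    :steps:
    1. Create DS Instance
    2. Create user jdoe1 with appropriate password
    3. Configure the Global Password policies (passwordMustChange is expected
       to be enabled by the set_global_TPR_policies fixture)
    4. Trigger TPR by resetting the user jdoe1 password above
    5. Attempt to bind with the old password
    6. Bind as jdoe1 with the reset password
    :expected results:
    1. Success
    2. Success
    3. Success
    4. Success
    5. Fail(ldap.INVALID_CREDENTIALS)
    6. Success
    """
    new_password = '******'
    log.info('Creating user jdoe1 with appropriate password')
    user1 = UserAccount(topo.standalone,
                        f'uid=jdoe1,ou=People,{DEFAULT_SUFFIX}')
    # Administrative password reset: this is what triggers TPR for jdoe1
    user1.replace('userpassword', new_password)
    log.info(
        'Making sure the Global Policy passwordTPRDelayValidFrom is short')
    config = Config(topo.standalone)
    config.replace_many(
        ('passwordLockout', 'off'),
        ('passwordMaxFailure', '3'),
        ('passwordLegacyPolicy', 'off'),
        # -1: no "valid from" delay, the reset password is usable at once
        ('passwordTPRDelayValidFrom', '-1'),
        ('nsslapd-pwpolicy-local', 'on'),
    )

    # Only say which credential is tried; never write the password value
    # itself into the test log
    log.info('Attempting to bind as %s with the old password', user1)
    time.sleep(.5)
    # The old password must be refused outright (not a TPR violation)
    with pytest.raises(ldap.INVALID_CREDENTIALS):
        user1.bind(USER1_PASS)
    log.info('Login as jdoe1 with the correct reset password')
    time.sleep(.5)
    user1.rebind(new_password)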
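def test_pwd_reset(topology_st, create_user):
    """Test new password policy attribute "pwdReset"

    :id: 03db357b-4800-411e-a36e-28a534293004
    :customerscenario: True
    :setup: Standalone instance
    :steps:
        1. Enable passwordMustChange
        2. Reset user's password
        3. Check that the pwdReset attribute is set to TRUE
        4. Bind as the user and change its password
        5. Check that pwdReset is now set to FALSE
        6. Reset password policy configuration
    :expected results:
        1. Success
        2. Success
        3. Success
        4. Success
        5. Success
        6. Success
    """
    inst = topology_st.standalone
    our_user = UserAccount(inst, TEST_USER_DN)

    # Set password policy config
    inst.config.replace('passwordMustChange', 'on')
    time.sleep(.5)

    # The policy and the user's password are restored in the finally
    # block so a failing assertion does not leak state into later tests
    try:
        # Administrative reset of the user's password (sets pwdReset)
        our_user.replace('userpassword', PASSWORD)
        time.sleep(.5)

        # Check that pwdReset is TRUE
        assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE'

        # Bind as the user and change its own password (same value: a
        # self-change, as opposed to an admin reset, is what clears the flag)
        our_user.rebind(PASSWORD)
        our_user.replace('userpassword', PASSWORD)
        time.sleep(.5)

        # Check that pwdReset is FALSE (read back as Directory Manager)
        inst.simple_bind_s(DN_DM, PASSWORD)
        assert our_user.get_attr_val_utf8('pwdReset') == 'FALSE'
    finally:
        # Bind as DM first: the test may have failed while still bound
        # as the user
        inst.simple_bind_s(DN_DM, PASSWORD)
        # Reset password policy config
        inst.config.replace('passwordMustChange', 'off')
        # Reset user's password
        our_user.replace('userpassword', TEST_USER_PWD)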
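def test_reset_pwd_before_passwordTPRDelayValidFrom(topo, _add_user,
                                                    set_global_TPR_policies):
    """Verify that a reset password cannot be used to bind before
    the passwordTPRDelayValidFrom delay elapses

    :id: 22987082-e8ae-11eb-a992-98fa9ba19b65
    :customerscenario: True
    :setup: Standalone
    :steps:
    1. Create DS Instance
    2. Create user jdoe2 with appropriate password
    3. Enable passwordMustChange and set passwordTPRDelayValidFrom to 10
    4. Trigger TPR by resetting the user jdoe2 password
    5. Attempt to bind immediately with the reset password
    6. Set passwordTPRDelayValidFrom to -1 (no delay)
    7. Trigger TPR again and bind immediately with the new reset password
    :expected results:
    1. Success
    2. Success
    3. Success
    4. Success
    5. Fail(ldap.CONSTRAINT_VIOLATION)
    6. Success
    7. Success
    """
    user2 = UserAccount(topo.standalone,
                        f'uid=jdoe2,ou=People,{DEFAULT_SUFFIX}')
    log.info('Testing with user {}'.format(user2))
    log.info('Enabling passwordMustChange with a 10s passwordTPRDelayValidFrom')
    topo.standalone.config.replace_many(('passwordMustChange', 'on'),
                                        ('passwordTPRDelayValidFrom', '10'))
    log.info('Triggering TPR and binding immediately after')
    user2.replace('userpassword', 'new_password')
    time.sleep(.5)
    # The reset password is not valid yet: the 10s delay has not elapsed
    with pytest.raises(ldap.CONSTRAINT_VIOLATION):
        user2.bind('new_password')
    time.sleep(.5)
    # -1 removes the delay, so the next reset password is usable at once
    topo.standalone.config.replace_many(('passwordMustChange', 'on'),
                                        ('passwordTPRDelayValidFrom', '-1'))
    log.info(
        'Triggering TPR and binding immediately after with passwordTPRDelayValidFrom set to -1'
    )
    user2.replace('userpassword', 'new_password1')
    time.sleep(.5)
    user2.rebind('new_password1')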
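def test_global_tpr_delayExpireAt_1(topology_st, test_user, request):
    """Test global TPR policy : passwordTPRDelayExpireAt
    Test that a TPR password is not valid after reset time +
    passwordTPRDelayExpireAt

    :id: b98def32-4e30-49fd-893b-8f959ba72b98
    :customerscenario: False
    :setup: Standalone instance
    :steps:
        1. Enable passwordMustChange
        2. Set passwordTPRDelayExpireAt=6s
        3. Create a account user
        4. Reset the password
        5. Check pwdTPRExpireAt >= now + passwordTPRDelayExpireAt - 2 (safety)
        6. Wait for passwordTPRDelayExpireAt=6s + 2s (safety)
        7. Bind with valid password should fail with ldap.CONSTRAINT_VIOLATION
    :expected results:
        1. Success
        2. Success
        3. Success
        4. Success
        5. Success
        6. Success
        7. Success
    """
    inst = topology_st.standalone
    ExpireAt = 6
    our_user = UserAccount(inst, TEST_USER_DN)

    def fin():
        """Restore the policy and the user's password."""
        inst.restart()
        # Reset password policy config (bind as DM first: the test may
        # have left the connection bound as the user)
        inst.simple_bind_s(DN_DM, PASSWORD)
        inst.config.replace('passwordMustChange', 'off')

        # Reset user's password
        our_user.replace('userpassword', TEST_USER_PWD)

    # Register the cleanup before changing any policy so it also runs
    # when an assertion below fails part way through
    request.addfinalizer(fin)

    # Set password policy config: max-use and valid-from are disabled (-1)
    # so only the expiry delay is exercised
    inst.simple_bind_s(DN_DM, PASSWORD)
    inst.config.replace('passwordMustChange', 'on')
    inst.config.replace('passwordTPRMaxUse', str(-1))
    inst.config.replace('passwordTPRDelayValidFrom', str(-1))
    inst.config.replace('passwordTPRDelayExpireAt', str(ExpireAt))
    time.sleep(.5)

    # Reset user's password (administrative reset triggers TPR)
    our_user.replace('userpassword', PASSWORD)
    # give time to update the pwp attributes in the entry
    time.sleep(.5)

    # Check that pwdReset is TRUE
    inst.simple_bind_s(DN_DM, PASSWORD)
    assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE'

    # Check that pwdTPRReset is TRUE
    assert our_user.get_attr_val_utf8('pwdTPRReset') == 'TRUE'
    # NOTE(review): time.mktime() treats its argument as local time, so
    # this is offset from the epoch by the local UTC offset; it only lines
    # up with gentime_to_posix_time() if that helper does the same -- confirm
    now = time.mktime(time.gmtime())
    expire_at = our_user.get_attr_val_utf8('pwdTPRExpireAt')
    log.info("compare pwdTPRExpireAt (%s) vs now (%s)" %
             (expire_at, time.gmtime()))
    # 2s of slack for the time between the reset and this read
    assert gentime_to_posix_time(expire_at) >= (now + ExpireAt - 2)

    # wait for pwdTPRExpireAt
    time.sleep(ExpireAt + 2)

    # Bind as user with valid password but too late for pwdTPRExpireAt
    with pytest.raises(ldap.CONSTRAINT_VIOLATION):
        our_user.rebind(PASSWORD)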
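def test_global_tpr_delayValidFrom_2(topology_st, test_user, request):
    """Test global TPR policy : passwordTPRDelayValidFrom
    Test that a TPR password is valid after reset time +
    passwordTPRDelayValidFrom

    :id: 8fa9f6f7-9be2-47c0-bf92-d9fe78ddbc34
    :customerscenario: False
    :setup: Standalone instance
    :steps:
        1. Enable passwordMustChange
        2. Set passwordTPRDelayValidFrom=6s
        3. Create a account user
        4. Reset the password
        5. Check pwdTPRValidFrom >= now + passwordTPRDelayValidFrom - 2 (safety)
        6. Wait for passwordTPRDelayValidFrom=6s
        7. Bind with valid password, reset password
           to allow further searches
        8. Check bound user can search attribute ('uid')
    :expected results:
        1. Success
        2. Success
        3. Success
        4. Success
        5. Success
        6. Success
        7. Success
        8. Success
    """
    inst = topology_st.standalone
    ValidFrom = 6
    our_user = UserAccount(inst, TEST_USER_DN)

    def fin():
        """Restore the policy and the user's password."""
        inst.restart()
        # Reset password policy config (bind as DM first: the test may
        # have left the connection bound as the user)
        inst.simple_bind_s(DN_DM, PASSWORD)
        inst.config.replace('passwordMustChange', 'off')

        # Reset user's password
        our_user.replace('userpassword', TEST_USER_PWD)

    # Register the cleanup before changing any policy so it also runs
    # when an assertion below fails part way through
    request.addfinalizer(fin)

    # Set password policy config: only the valid-from delay is set here
    inst.simple_bind_s(DN_DM, PASSWORD)
    inst.config.replace('passwordMustChange', 'on')
    inst.config.replace('passwordTPRDelayValidFrom', str(ValidFrom))
    time.sleep(.5)

    # Reset user's password (administrative reset triggers TPR)
    our_user.replace('userpassword', PASSWORD)
    # give time to update the pwp attributes in the entry
    time.sleep(.5)

    # Check that pwdReset is TRUE
    inst.simple_bind_s(DN_DM, PASSWORD)
    assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE'

    # Check that pwdTPRReset is TRUE
    assert our_user.get_attr_val_utf8('pwdTPRReset') == 'TRUE'
    # NOTE(review): time.mktime() treats its argument as local time, so
    # this is offset from the epoch by the local UTC offset; it only lines
    # up with gentime_to_posix_time() if that helper does the same -- confirm
    now = time.mktime(time.gmtime())
    valid_from = our_user.get_attr_val_utf8('pwdTPRValidFrom')
    log.info("compare pwdTPRValidFrom (%s) vs now (%s)" %
             (valid_from, time.gmtime()))
    # 2s of slack for the time between the reset and this read
    assert gentime_to_posix_time(valid_from) >= (now + ValidFrom - 2)

    # wait for pwdTPRValidFrom
    time.sleep(ValidFrom + 1)

    # Bind as user with valid password, reset the password
    # and do simple search
    our_user.rebind(PASSWORD)
    our_user.reset_password(TEST_USER_PWD)
    our_user.rebind(TEST_USER_PWD)
    assert our_user.get_attr_val_utf8('uid')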
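def test_global_tpr_delayValidFrom_1(topology_st, test_user, request):
    """Test global TPR policy : passwordTPRDelayValidFrom
    Test that a TPR password is not valid before reset time +
    passwordTPRDelayValidFrom

    :id: 8420a348-e765-43ec-82c7-7f75cb4bf913
    :customerscenario: False
    :setup: Standalone instance
    :steps:
        1. Enable passwordMustChange
        2. Set passwordTPRDelayValidFrom=10s
        3. Create a account user
        4. Reset the password
        5. Check that Validity is not reached yet
           pwdTPRValidFrom >= now + passwordTPRDelayValidFrom - 2 (safety)
        6. Bind with valid password, Fails because of CONSTRAINT_VIOLATION
    :expected results:
        1. Success
        2. Success
        3. Success
        4. Success
        5. Success
        6. Success
    """
    inst = topology_st.standalone
    ValidFrom = 10
    our_user = UserAccount(inst, TEST_USER_DN)

    def fin():
        """Restore the policy and the user's password."""
        inst.restart()
        # Reset password policy config (bind as DM first: the test may
        # have left the connection bound as the user)
        inst.simple_bind_s(DN_DM, PASSWORD)
        inst.config.replace('passwordMustChange', 'off')

        # Reset user's password
        our_user.replace('userpassword', TEST_USER_PWD)

    # Register the cleanup before changing any policy so it also runs
    # when an assertion below fails part way through
    request.addfinalizer(fin)

    # Set password policy config: only the valid-from delay is set here
    inst.simple_bind_s(DN_DM, PASSWORD)
    inst.config.replace('passwordMustChange', 'on')
    inst.config.replace('passwordTPRDelayValidFrom', str(ValidFrom))
    time.sleep(.5)

    # Reset user's password (administrative reset triggers TPR)
    our_user.replace('userpassword', PASSWORD)
    # give time to update the pwp attributes in the entry
    time.sleep(.5)

    # Check that pwdReset is TRUE
    inst.simple_bind_s(DN_DM, PASSWORD)
    assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE'

    # Check that pwdTPRReset is TRUE
    assert our_user.get_attr_val_utf8('pwdTPRReset') == 'TRUE'
    # NOTE(review): time.mktime() treats its argument as local time, so
    # this is offset from the epoch by the local UTC offset; it only lines
    # up with gentime_to_posix_time() if that helper does the same -- confirm
    now = time.mktime(time.gmtime())
    valid_from = our_user.get_attr_val_utf8('pwdTPRValidFrom')
    log.info("compare pwdTPRValidFrom (%s) vs now (%s)" %
             (valid_from, time.gmtime()))
    # 2s of slack for the time between the reset and this read
    assert gentime_to_posix_time(valid_from) >= (now + ValidFrom - 2)

    # Bind as user with valid password but too early compared to ValidFrom
    with pytest.raises(ldap.CONSTRAINT_VIOLATION):
        our_user.rebind(PASSWORD)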
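def test_global_tpr_maxuse_1(topology_st, test_user, request):
    """Test global TPR policy : passwordTPRMaxUse
    Test that after passwordTPRMaxUse failures to bind
    additional bind with valid password are failing with CONSTRAINT_VIOLATION

    :id: d1b38436-806c-4671-8ccf-c8fdad21f034
    :customerscenario: False
    :setup: Standalone instance
    :steps:
        1. Enable passwordMustChange
        2. Set passwordTPRMaxUse=5
        3. Set passwordMaxFailure to a higher value to not disturb the test
        4. Bind with a wrong password passwordTPRMaxUse times and check INVALID_CREDENTIALS
        5. Check that pwdTPRUseCount got to the limit (5)
        6. Bind with a wrong password (CONSTRAINT_VIOLATION)
           and check pwdTPRUseCount overpass the limit by 1 (6)
        7. Bind with a valid password 10 times and check CONSTRAINT_VIOLATION
           and check pwdTPRUseCount keeps increasing (7, 8, ...)
        8. Reset password policy configuration
    :expected results:
        1. Success
        2. Success
        3. Success
        4. Success
        5. Success
        6. Success
        7. Success
        8. Success
    """
    inst = topology_st.standalone
    try_tpr_failure = 5
    our_user = UserAccount(inst, TEST_USER_DN)

    def fin():
        """Restore the policy and the user's password."""
        inst.restart()
        # Reset password policy config (bind as DM first: the test may
        # have left the connection bound as the user)
        inst.simple_bind_s(DN_DM, PASSWORD)
        inst.config.replace('passwordMustChange', 'off')

        # Reset user's password
        our_user.replace('userpassword', TEST_USER_PWD)

    # Register the cleanup before changing any policy so it also runs
    # when an assertion below fails part way through
    request.addfinalizer(fin)

    # Set password policy config, passwordMaxFailure being higher than
    # passwordTPRMaxUse so that TPR is enforced first
    inst.config.replace('passwordMustChange', 'on')
    inst.config.replace('passwordMaxFailure', str(try_tpr_failure + 20))
    inst.config.replace('passwordTPRMaxUse', str(try_tpr_failure))
    time.sleep(.5)

    # Reset user's password (administrative reset triggers TPR)
    our_user.replace('userpassword', PASSWORD)
    time.sleep(.5)

    # Fail to bind passwordTPRMaxUse times and check that the use counter
    # follows each failure
    for i in range(try_tpr_failure):
        # Bind as user with a wrong password
        with pytest.raises(ldap.INVALID_CREDENTIALS):
            our_user.rebind('wrong password')
        time.sleep(.5)

        # Bind back as DM to read the pwp attributes
        inst.simple_bind_s(DN_DM, PASSWORD)
        #assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE'

        # Check that pwdTPRReset is TRUE and pwdTPRUseCount == #failures
        assert our_user.get_attr_val_utf8('pwdTPRReset') == 'TRUE'
        assert our_user.get_attr_val_utf8('pwdTPRUseCount') == str(i + 1)
        log.info(
            "%dth failing bind (INVALID_CREDENTIALS) => pwdTPRUseCount = %d" %
            (i + 1, i + 1))

    # Now the #failures reached passwordTPRMaxUse
    inst.simple_bind_s(DN_DM, PASSWORD)
    #assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE'

    # Check that pwdTPRReset is TRUE and the counter sits at the limit
    assert our_user.get_attr_val_utf8('pwdTPRReset') == 'TRUE'
    assert our_user.get_attr_val_utf8('pwdTPRUseCount') == str(try_tpr_failure)
    log.info("last failing bind (INVALID_CREDENTIALS) => pwdTPRUseCount = %d" %
             (try_tpr_failure))

    # Bind as user with wrong password --> ldap.CONSTRAINT_VIOLATION
    with pytest.raises(ldap.CONSTRAINT_VIOLATION):
        our_user.rebind("wrong password")
    time.sleep(.5)

    inst.simple_bind_s(DN_DM, PASSWORD)
    #assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE'

    # Check that pwdTPRReset is TRUE and the counter is one past the limit
    assert our_user.get_attr_val_utf8('pwdTPRReset') == 'TRUE'
    assert our_user.get_attr_val_utf8('pwdTPRUseCount') == str(
        try_tpr_failure + 1)
    # Log the value actually asserted above (not the leaked loop index)
    log.info("failing bind (CONSTRAINT_VIOLATION) => pwdTPRUseCount = %d" %
             (try_tpr_failure + 1))

    # Now check that all next attempts with correct password are all in
    # LDAP_CONSTRAINT_VIOLATION while pwdTPRUseCount keeps increasing:
    # the account is now similar to locked
    for i in range(10):
        # Bind as user with valid password
        with pytest.raises(ldap.CONSTRAINT_VIOLATION):
            our_user.rebind(PASSWORD)
        time.sleep(.5)

        inst.simple_bind_s(DN_DM, PASSWORD)
        #assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE'

        # Check that pwdTPRReset is TRUE; pwdTPRUseCount keeps increasing
        assert our_user.get_attr_val_utf8('pwdTPRReset') == 'TRUE'
        assert our_user.get_attr_val_utf8('pwdTPRUseCount') == str(
            try_tpr_failure + i + 2)
        log.info(
            "Rejected bind (CONSTRAINT_VIOLATION) => pwdTPRUseCount = %d" %
            (try_tpr_failure + i + 2))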
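def test_global_tpr_maxuse_3(topology_st, test_user, request):
    """Test global TPR policy : passwordTPRMaxUse
    Test that after less than passwordTPRMaxUse failures to bind
    a bind with valid password is successful but passwordMustChange
    does not allow to do a search.
    Changing the password allows to do a search

    :id: 7fd0301a-781e-4db8-a4bd-7b44e0f04bb6
    :customerscenario: False
    :setup: Standalone instance
    :steps:
        1. Enable passwordMustChange
        2. Set passwordTPRMaxUse=5
        3. Set passwordMaxFailure to a higher value to not disturb the test
        4. Bind with a wrong password less than passwordTPRMaxUse times and check INVALID_CREDENTIALS
        5. Bind with the valid password and check SRCH fail (ldap.UNWILLING_TO_PERFORM)
           because of passwordMustChange
        6. Check pwdTPRUseCount counted the successful bind as well
        7. Bind with valid password and reset the password
        8. Check we can bind again and SRCH succeeds
        9. Reset password policy configuration
    :expected results:
        1. Success
        2. Success
        3. Success
        4. Success
        5. Success
        6. Success
        7. Success
        8. Success
        9. Success
    """
    inst = topology_st.standalone
    max_use = 5
    our_user = UserAccount(inst, TEST_USER_DN)

    def fin():
        """Restore the policy and the user's password."""
        inst.restart()
        # Reset password policy config (bind as DM first: the test may
        # have left the connection bound as the user)
        inst.simple_bind_s(DN_DM, PASSWORD)
        inst.config.replace('passwordMustChange', 'off')

        # Reset user's password
        our_user.replace('userpassword', TEST_USER_PWD)

    # Register the cleanup before changing any policy so it also runs
    # when an assertion below fails part way through
    request.addfinalizer(fin)

    # Set password policy config, passwordMaxFailure being higher than
    # passwordTPRMaxUse so that TPR is enforced first
    inst.config.replace('passwordMustChange', 'on')
    inst.config.replace('passwordMaxFailure', str(max_use + 20))
    inst.config.replace('passwordTPRMaxUse', str(max_use))
    time.sleep(.5)

    # Reset user's password (administrative reset triggers TPR)
    our_user.replace('userpassword', PASSWORD)
    # give time to update the pwp attributes in the entry
    time.sleep(.5)

    # Do less than passwordTPRMaxUse failing bind
    nb_failures = max_use - 2
    for i in range(nb_failures):
        # Bind as user with a wrong password
        with pytest.raises(ldap.INVALID_CREDENTIALS):
            our_user.rebind('wrong password')
        time.sleep(.5)

        # Bind back as DM to read the pwp attributes
        inst.simple_bind_s(DN_DM, PASSWORD)
        #assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE'

        # Check that pwdTPRReset is TRUE and pwdTPRUseCount == #failures
        assert our_user.get_attr_val_utf8('pwdTPRReset') == 'TRUE'
        assert our_user.get_attr_val_utf8('pwdTPRUseCount') == str(i + 1)
        log.info(
            "%dth failing bind (INVALID_CREDENTIALS) => pwdTPRUseCount = %d" %
            (i + 1, i + 1))

    # Now the #failures has not reached passwordTPRMaxUse
    # Check that pwdReset is TRUE
    inst.simple_bind_s(DN_DM, PASSWORD)
    assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE'

    # Check that pwdTPRReset is TRUE
    assert our_user.get_attr_val_utf8('pwdTPRReset') == 'TRUE'
    assert our_user.get_attr_val_utf8('pwdTPRUseCount') == str(nb_failures)
    log.info("last failing bind (INVALID_CREDENTIALS) => pwdTPRUseCount = %d" %
             (nb_failures))

    # Bind as user with valid password
    our_user.rebind(PASSWORD)
    time.sleep(.5)

    # We can not do anything else than reset the password: a search as
    # the user is refused
    users = UserAccounts(inst, OU_PEOPLE, rdn=None)
    with pytest.raises(ldap.UNWILLING_TO_PERFORM):
        users.get(TEST_USER_NAME)

    # Check that pwdReset is TRUE
    inst.simple_bind_s(DN_DM, PASSWORD)
    assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE'

    # Check that pwdTPRReset is still TRUE: the successful bind did not
    # clear the TPR state, it counted as one more use
    assert our_user.get_attr_val_utf8('pwdTPRReset') == 'TRUE'
    assert our_user.get_attr_val_utf8('pwdTPRUseCount') == str(
        nb_failures + 1)

    # Now reset the password and check we can fully use the account
    our_user.rebind(PASSWORD)
    our_user.reset_password(TEST_USER_PWD)
    # give time to update the pwp attributes in the entry
    time.sleep(.5)
    our_user.rebind(TEST_USER_PWD)
    time.sleep(.5)
    # The search must now succeed (get() raising is the failure mode)
    users.get(TEST_USER_NAME)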
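def test_global_tpr_maxuse_2(topology_st, test_user, request):
    """Test global TPR policy : passwordTPRMaxUse
    Test that after less than passwordTPRMaxUse failures to bind
    additional bind with valid password are successful

    :id: bd18bf8e-f3c3-4612-9009-500cf558317e
    :customerscenario: False
    :setup: Standalone instance
    :steps:
        1. Enable passwordMustChange
        2. Set passwordTPRMaxUse=5
        3. Set passwordMaxFailure to a higher value to not disturb the test
        4. Bind with a wrong password less than passwordTPRMaxUse times and check INVALID_CREDENTIALS
        5. Bind with the valid password and change the password
        6. Bind successfully with the valid password 10 times
           and check pwdTPRReset is FALSE and pwdTPRUseCount is removed
        7. Reset password policy configuration
    :expected results:
        1. Success
        2. Success
        3. Success
        4. Success
        5. Success
        6. Success
        7. Success
    """
    inst = topology_st.standalone
    max_use = 5
    our_user = UserAccount(inst, TEST_USER_DN)

    def fin():
        """Restore the policy and the user's password."""
        inst.restart()
        # Reset password policy config (bind as DM first: the test may
        # have left the connection bound as the user)
        inst.simple_bind_s(DN_DM, PASSWORD)
        inst.config.replace('passwordMustChange', 'off')

        # Reset user's password
        our_user.replace('userpassword', TEST_USER_PWD)

    # Register the cleanup before changing any policy so it also runs
    # when an assertion below fails part way through
    request.addfinalizer(fin)

    # Set password policy config, passwordMaxFailure being higher than
    # passwordTPRMaxUse so that TPR is enforced first
    inst.config.replace('passwordMustChange', 'on')
    inst.config.replace('passwordMaxFailure', str(max_use + 20))
    inst.config.replace('passwordTPRMaxUse', str(max_use))
    time.sleep(.5)

    # Reset user's password (administrative reset triggers TPR)
    our_user.replace('userpassword', PASSWORD)
    time.sleep(.5)

    # Do less than passwordTPRMaxUse failing bind
    nb_failures = max_use - 2
    for i in range(nb_failures):
        # Bind as user with a wrong password
        with pytest.raises(ldap.INVALID_CREDENTIALS):
            our_user.rebind('wrong password')
        time.sleep(.5)

        # Bind back as DM to read the pwp attributes
        inst.simple_bind_s(DN_DM, PASSWORD)
        #assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE'

        # Check that pwdTPRReset is TRUE and pwdTPRUseCount == #failures
        assert our_user.get_attr_val_utf8('pwdTPRReset') == 'TRUE'
        assert our_user.get_attr_val_utf8('pwdTPRUseCount') == str(i + 1)
        log.info(
            "%dth failing bind (INVALID_CREDENTIALS) => pwdTPRUseCount = %d" %
            (i + 1, i + 1))

    # Now the #failures has not reached passwordTPRMaxUse
    # Check that pwdReset is TRUE
    inst.simple_bind_s(DN_DM, PASSWORD)
    assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE'

    # Check that pwdTPRReset is TRUE
    assert our_user.get_attr_val_utf8('pwdTPRReset') == 'TRUE'
    assert our_user.get_attr_val_utf8('pwdTPRUseCount') == str(nb_failures)
    log.info("last failing bind (INVALID_CREDENTIALS) => pwdTPRUseCount = %d" %
             (nb_failures))

    # Bind as the user and change the password (same value): a self-change
    # is what ends the TPR state
    our_user.rebind(PASSWORD)
    our_user.replace('userpassword', PASSWORD)
    # give time to update the pwp attributes in the entry
    time.sleep(.5)
    # Now check that all next attempts with correct password are successful
    # and the TPR attributes are cleared
    for i in range(10):
        # Bind as user with valid password
        our_user.rebind(PASSWORD)
        time.sleep(.5)

        # Bind back as DM to read the pwp attributes
        inst.simple_bind_s(DN_DM, PASSWORD)
        #assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE'

        # Check that pwdTPRReset is FALSE and the use counter is gone
        assert our_user.get_attr_val_utf8('pwdTPRReset') == 'FALSE'
        assert not our_user.present('pwdTPRUseCount')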
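def test_global_tpr_delayExpireAt_2(topology_st, test_user, request):
    """Test global TPR policy : passwordTPRDelayExpireAt
    Test that a TPR password is valid before reset time +
    passwordTPRDelayExpireAt

    :id: 9df320de-ebf6-4ed0-a619-51b1a05a560c
    :customerscenario: False
    :setup: Standalone instance
    :steps:
        1. Enable passwordMustChange
        2. Set passwordTPRDelayExpireAt=6s
        3. Create a account user
        4. Reset the password
        5. Check pwdTPRExpireAt >= now + passwordTPRDelayExpireAt - 2 (safety)
        6. Wait for 1s
        7. Bind with valid password should succeed
    :expected results:
        1. Success
        2. Success
        3. Success
        4. Success
        5. Success
        6. Success
        7. Success
    """
    inst = topology_st.standalone
    ExpireAt = 6
    our_user = UserAccount(inst, TEST_USER_DN)

    def fin():
        """Restore the policy and the user's password."""
        inst.restart()
        # Reset password policy config (bind as DM first: the test may
        # have left the connection bound as the user)
        inst.simple_bind_s(DN_DM, PASSWORD)
        inst.config.replace('passwordMustChange', 'off')

        # Reset user's password
        our_user.replace('userpassword', TEST_USER_PWD)

    # Register the cleanup before changing any policy so it also runs
    # when an assertion below fails part way through
    request.addfinalizer(fin)

    # Set password policy config: max-use and valid-from are disabled (-1)
    # so only the expiry delay is exercised
    inst.simple_bind_s(DN_DM, PASSWORD)
    inst.config.replace('passwordMustChange', 'on')
    inst.config.replace('passwordTPRMaxUse', str(-1))
    inst.config.replace('passwordTPRDelayValidFrom', str(-1))
    inst.config.replace('passwordTPRDelayExpireAt', str(ExpireAt))
    time.sleep(.5)

    # Reset user's password (administrative reset triggers TPR)
    our_user.replace('userpassword', PASSWORD)
    # give time to update the pwp attributes in the entry
    time.sleep(.5)

    # Check that pwdReset is TRUE
    inst.simple_bind_s(DN_DM, PASSWORD)
    assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE'

    # Check that pwdTPRReset is TRUE
    assert our_user.get_attr_val_utf8('pwdTPRReset') == 'TRUE'
    # NOTE(review): time.mktime() treats its argument as local time, so
    # this is offset from the epoch by the local UTC offset; it only lines
    # up with gentime_to_posix_time() if that helper does the same -- confirm
    now = time.mktime(time.gmtime())
    expire_at = our_user.get_attr_val_utf8('pwdTPRExpireAt')
    log.info("compare pwdTPRExpireAt (%s) vs now (%s)" %
             (expire_at, time.gmtime()))
    # 2s of slack for the time between the reset and this read
    assert gentime_to_posix_time(expire_at) >= (now + ExpireAt - 2)

    # wait for 1s, well within the 6s expiry window
    time.sleep(1)

    # Bind as user with valid password, reset the password
    # and do simple search
    our_user.rebind(PASSWORD)
    our_user.reset_password(TEST_USER_PWD)
    time.sleep(.5)
    our_user.rebind(TEST_USER_PWD)
    assert our_user.get_attr_val_utf8('uid')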
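def test_user_resets_pwd_TPR_attrs_reset(topo, _add_user,
                                         set_global_TPR_policies):
    """Test that once the user changes the reset password the TPR attributes are cleared
    :id: 6614068a-ee7d-11eb-b1a3-98fa9ba19b65
    :customerscenario: True
    :setup: Standalone
    :steps:
    1. Create DS Instance
    2. Create user jdoe1 with appropriate password
    3. Configure the Global Password policies and set passwordMustChange on
    4. Trigger TPR by resetting the user jdoe1 password above
    5. Bind as the user and change 'userpassword'
    6. Check that pwdTPRReset, pwdTPRUseCount, pwdTPRValidFrom, pwdTPRExpireAt are RESET
    :expectedresults:
        1. Success
        2. Success
        3. Success
        4. Success
        5. Success
        6. Success

    """
    user1 = UserAccount(topo.standalone,
                        f'uid=jdoe1,ou=People,{DEFAULT_SUFFIX}')
    # The TPR state attributes this test expects to be set, then cleared
    tpr_attrs = [
        'pwdTPRReset', 'pwdTPRUseCount', 'pwdTPRValidFrom', 'pwdTPRExpireAt'
    ]
    log.info('Logging current time')
    start_time = time.mktime(time.gmtime())
    log.info(
        'Verifying the Global policy are set and attributes are all set to "None"'
    )
    for tpr_attrib in tpr_attrs:
        assert user1.get_attr_val_utf8(tpr_attrib) is None
    config = Config(topo.standalone)
    # NOTE(review): the other tests in this file use 'passwordMustChange';
    # confirm the server accepts 'pwdmustchange' as the same attribute
    config.replace_many(('pwdmustchange', 'on'), ('passwordTPRMaxUse', '3'),
                        ('passwordTPRDelayExpireAt', '1800'),
                        ('passwordTPRDelayValidFrom', '1'))
    assert user1.get_attr_val_utf8('pwdTPRReset') is None
    log.info(
        'Triggering TPR check that pwdTPRReset, pwdTPRUseCount, pwdTPRValidFrom, pwdTPRExpireAt are set'
    )
    # Administrative reset: triggers TPR
    user1.replace('userpassword', 'new_password')
    # passwordTPRDelayValidFrom is 1s: wait past it before binding
    time.sleep(3)
    assert user1.get_attr_val_utf8('pwdTPRReset') == 'TRUE'
    assert user1.get_attr_val_utf8('pwdTPRUseCount') == '0'
    assert gentime_to_posix_time(
        user1.get_attr_val_utf8('pwdTPRValidFrom')) > start_time
    assert gentime_to_posix_time(
        user1.get_attr_val_utf8('pwdTPRExpireAt')) > start_time
    # Bind as the user and change the password ourselves: a self-change
    # (not an admin reset) is what must clear the TPR state
    user1.rebind('new_password')
    user1.replace('userpassword', 'extra_new_pass')
    log.info(
        'Checking that pwdTPRReset, pwdTPRUseCount, pwdTPRValidFrom, pwdTPRExpireAt are reset to None'
    )
    time.sleep(3)
    for tpr_attrib in tpr_attrs:
        assert user1.get_attr_val_utf8(tpr_attrib) is None
    log.info('Verified that attributes are reset after password is reset')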