def test_undefined_in_group_eval_nine(topo, test_user, aci_of_user):
"""
Aci will not allow access as Group dn is not allowed so members will not allowed access.
:id: 38c7fbb0-7841-11e8-90aa-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Take a count of users using DN_DM
3. Add test user
4. add aci
5. test should fullfil the aci rules
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
4. Operation should succeed
5. Operation should succeed
"""
Domain(topo.standalone, DEFAULT_SUFFIX).add(
"aci",
'(targetattr=*)(version 3.0; aci "tester"; allow(all) groupdn != "ldap:///{}\ || ldap:///{} || ldap:///{}";)'
.format(ALLGROUPS_GLOBAL, GROUPA_GLOBAL, GROUPH_GLOBAL))
conn = UserAccount(topo.standalone, DEEPUSER3_GLOBAL).bind(PW_DM)
# test UNDEFINED in group
user = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
user.replace("sn", "Fred")
assert user.get_attr_val_utf8('uid') == 'scratchEntry'
def test_userpassword_attribute(topo_m2, _delete_after):
"""Modifications of userpassword attribute in an MMR environment were successful
however a error message was displayed in the error logs which was curious.
:id: bdcf0464-a947-11ea-9f0d-8c16451d917b
:setup: MMR with 2 masters
:steps:
1. Add the test user to S1
2. Check that user's has been propogated to Supplier 2
3. modify user's userpassword attribute on supplier 2
4. check the error logs on suppler 1 to make sure the error message is not there
:expected results:
1. Should succeeds
2. Should succeeds
3. Should succeeds
4. Should succeeds
"""
m1 = topo_m2.ms["master1"]
m2 = topo_m2.ms["master2"]
# Add the test user to S1
user1 = UserAccounts(m1, DEFAULT_SUFFIX, rdn=None).create_test_user(uid=1,
gid=1)
repl_manager = ReplicationManager(DEFAULT_SUFFIX)
repl_manager.wait_for_replication(m1, m2, timeout=100)
# Check that user's has been propogated to Supplier 2
user2 = UserAccount(m2, user1.dn)
assert user2.status()
# modify user's userpassword attribute on supplier 2
user2.replace('userpassword', 'fred1')
repl_manager.wait_for_replication(m1, m2, timeout=100)
assert user1.get_attr_val_utf8('userpassword')
# check the error logs on suppler 1 to make sure the error message is not there
assert not m1.searchErrorsLog("can\'t add a change for uid=")
def test_read_only_consumer(_create_entries):
"""Attempt to modify an entry on read-only consumer.
:id: f97f0fea-38ea-11ea-a617-8c16451d917b
:setup: Master and Consumer
:steps:
1. Add test entry
2. First attempt to modify an attribute that should be visible (mail)
3. Then attempt to modify one that should not be visible (roomnumber)
:expected results:
1. Success
2. Fail(ldap.INSUFFICIENT_ACCESS)
3. Fail(ldap.INSUFFICIENT_ACCESS)
"""
# Add test entry
user_consumer1 = UserAccount(CONSUMER1,
f'uid=scarter,ou=People,{DEFAULT_SUFFIX}')
user_consumer2 = UserAccount(CONSUMER2,
f'uid=scarter,ou=People,{DEFAULT_SUFFIX}')
# First attempt to modify an attribute that should be visible (mail)
for attr, value in [('mail', '*****@*****.**'), ('roomnumber', '123')]:
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
user_consumer1.replace(attr, value)
# Then attempt to modify one that should not be visible (room number)
for attr, value in [('mail', '*****@*****.**'), ('roomnumber', '123')]:
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
user_consumer2.replace(attr, value)
def userpw_reset(topology_st, suffix, subtree, userid, nousrs, bindusr, bindpw,
newpasw):
"""Reset user password"""
while (nousrs > 0):
usrrdn = '{}{}'.format(userid, nousrs)
userdn = 'uid={},{},{}'.format(usrrdn, subtree, suffix)
user = UserAccount(topology_st.standalone, dn=userdn)
log.info('Reset user password for user-{}'.format(userdn))
if (bindusr == "DirMgr"):
try:
user.replace('userPassword', newpasw)
except ldap.LDAPError as e:
log.error(
'Unable to reset userPassword for user-{}'.format(userdn))
raise e
elif (bindusr == "RegUsr"):
user_conn = user.bind(bindpw)
try:
user_conn.replace('userPassword', newpasw)
except ldap.LDAPError as e:
log.error(
'Unable to reset userPassword for user-{}'.format(userdn))
raise e
nousrs = nousrs - 1
time.sleep(1)
def _change_password_with_own(topo, user_dn, password, new_password):
"""
Change user password with user self
"""
conn = UserAccount(topo.standalone, user_dn).bind(password)
real_user = UserAccount(conn, user_dn)
real_user.replace('userpassword', new_password)
def test_modify_entry(topo_m4, create_entry):
"""Check that entries are replicated after modify operation
:id: 36764053-622c-43c2-a132-d7a3ab7d9aaa
:setup: Four masters replication setup, an entry
:steps:
1. Modify the entry on master1 - add attribute
2. Wait for replication to happen
3. Check entry on all other masters
4. Modify the entry on master1 - replace attribute
5. Wait for replication to happen
6. Check entry on all other masters
7. Modify the entry on master1 - delete attribute
8. Wait for replication to happen
9. Check entry on all other masters
:expectedresults:
1. Attribute should be successfully added
2. Some time should pass
3. The change should be present on all masters
4. Attribute should be successfully replaced
5. Some time should pass
6. The change should be present on all masters
7. Attribute should be successfully deleted
8. Some time should pass
9. The change should be present on all masters
"""
log.info('Modifying entry {} - add operation'.format(TEST_ENTRY_DN))
test_user = UserAccount(topo_m4.ms["master1"], TEST_ENTRY_DN)
test_user.add('mail', '{}@redhat.com'.format(TEST_ENTRY_NAME))
time.sleep(1)
all_user = topo_m4.all_get_dsldapobject(TEST_ENTRY_DN, UserAccount)
for u in all_user:
assert "{}@redhat.com".format(TEST_ENTRY_NAME) in u.get_attr_vals_utf8(
'mail')
log.info('Modifying entry {} - replace operation'.format(TEST_ENTRY_DN))
test_user.replace('mail', '{}@greenhat.com'.format(TEST_ENTRY_NAME))
time.sleep(1)
all_user = topo_m4.all_get_dsldapobject(TEST_ENTRY_DN, UserAccount)
for u in all_user:
assert "{}@greenhat.com".format(
TEST_ENTRY_NAME) in u.get_attr_vals_utf8('mail')
log.info('Modifying entry {} - delete operation'.format(TEST_ENTRY_DN))
test_user.remove('mail', '{}@greenhat.com'.format(TEST_ENTRY_NAME))
time.sleep(1)
all_user = topo_m4.all_get_dsldapobject(TEST_ENTRY_DN, UserAccount)
for u in all_user:
assert "{}@greenhat.com".format(
TEST_ENTRY_NAME) not in u.get_attr_vals_utf8('mail')
def modify_attr(topology_st, base_dn, attr_name, attr_val):
"""Modify attribute value for a given DN"""
log.info('Modify attribute value for a given DN')
try:
entry = UserAccount(topology_st.standalone, dn=base_dn)
entry.replace(attr_name, attr_val)
except ldap.LDAPError as e:
log.error('Failed to replace lastLoginTime attribute for user-{} {}'.format(userdn, e.message['desc']))
assert False
time.sleep(1)
def test_local_TPR_supercedes_global_TPR(topo, _add_user,
set_global_TPR_policies):
""" One Time password with expiration
:id: beb2dac4-e116-11eb-a85e-98fa9ba19b65
:customerscenario: True
:setup: Standalone
:steps:
1. Create DS Instance
2. Create user with appropriate password
3. Configure the Global Password policies with passwordTPRMaxUse 5
4. Configure different local password policy for passwordTPRMaxUse 3
5. Trigger TPR by resetting the user password above
6. Attempt an ldap search with an incorrect bind password for user above
7. Repeat as many times as set by attribute passwordTPRMaxUse
8. Should lock the account after value is set in the local passwordTPRMaxUse is reached
9. Try to search with the correct password account will be locked.
:expected results:
1. Success
2. Success
3. Fail(ldap.INSUFFICIENT_ACCESS)
4. Success
5. Success
6. Success
7. Success
8. Success
9. Success
"""
user1 = UserAccount(topo.standalone,
f'uid=jdoe1,ou=People,{DEFAULT_SUFFIX}')
user2 = UserAccount(topo.standalone,
f'uid=jdoe2,ou=People,{DEFAULT_SUFFIX}')
log.info('Setting local password Temporary password reset policies')
log.info('Setting Global TPR policy attributes')
Config(topo.standalone).replace('passwordMustChange', 'on')
Config(topo.standalone).replace('passwordTPRMaxUse', '5')
Config(topo.standalone).replace('passwordTPRDelayExpireAt', '600')
Config(topo.standalone).replace('passwordTPRDelayValidFrom', '6')
log.info('Resetting {} password to trigger TPR policy'.format(user1))
user1.replace('userpassword', 'not_allowed_change')
count = 0
while count < 4:
if count == 4:
with pytest.raises(ldap.CONSTRAINT_VIOLATION):
user2.bind('badbadbad')
else:
with pytest.raises(ldap.INVALID_CREDENTIALS):
count += 1
user2.bind('badbadbad')
def test_once_TPR_reset_old_passwd_invalid(topo, _add_user,
set_global_TPR_policies):
""" Verify that once a password has been reset it cannot be reused
:id: f3ea4f00-e89c-11eb-b81d-98fa9ba19b65
:customerscenario: True
:setup: Standalone
:steps:
1. Create DS Instance
2. Create user jdoe1 with appropriate password
3. Configure the Global Password policies enable passwordMustChange
4. Trigger TPR by resetting the user jdoe1 password above
5. Attempt to login with the old password
6. Login as jdoe1 with the correct password and update the new password
:expected results:
1. Success
2. Success
3. Success
4. Success
5. Fail(ldap.CONSTRAINT_VIOLATION)
6. Success
"""
new_password = '******'
log.info('Creating user jdoe1 with appropriate password')
user1 = UserAccount(topo.standalone,
f'uid=jdoe1,ou=People,{DEFAULT_SUFFIX}')
user1.replace('userpassword', new_password)
log.info(
'Making sure the Global Policy passwordTPRDelayValidFrom is short')
config = Config(topo.standalone)
config.replace_many(
('passwordLockout', 'off'),
('passwordMaxFailure', '3'),
('passwordLegacyPolicy', 'off'),
('passwordTPRDelayValidFrom', '-1'),
('nsslapd-pwpolicy-local', 'on'),
)
log.info(' Attempting to bind as {} with the old password {}'.format(
user1, USER1_PASS))
time.sleep(.5)
with pytest.raises(ldap.INVALID_CREDENTIALS):
user1.bind(USER1_PASS)
log.info('Login as jdoe1 with the correct reset password')
time.sleep(.5)
user1.rebind(new_password)
def modusr_attr(topology_st, suffix, subtree, userid, nousrs, attr_name, attr_value):
"""Enable account by replacing cn attribute value, value of modifyTimeStamp changed"""
log.info('Enable account by replacing cn attribute value, value of modifyTimeStamp changed')
while (nousrs > 0):
usrrdn = '{}{}'.format(userid, nousrs)
userdn = 'uid={},{},{}'.format(usrrdn, subtree, suffix)
user = UserAccount(topology_st.standalone, dn=userdn)
try:
user.replace(attr_name, attr_value)
except ldap.LDAPError as e:
log.error('Failed to add/replace {} attribute to-{}, for user-{}'.format(attr_name, attr_value, userdn))
raise e
nousrs = nousrs - 1
time.sleep(1)
def test_reset_pwd_before_passwordTPRDelayValidFrom(topo, _add_user,
set_global_TPR_policies):
""" Verify that user cannot reset pwd
before passwordTPRDelayValidFrom value elapses
:id: 22987082-e8ae-11eb-a992-98fa9ba19b65
:customerscenario: True
:setup: Standalone
:steps:
1. Create DS Instance
2. Create user jdoe2 with appropriate password
3. Configure the Global Password policies disable passwordTPRDelayValidFrom to -1
4. Trigger TPR by resetting the user jdoe1 password above
5. Attempt to bind and rebind immediately
6. Set passwordTPRDelayValidFrom - 5secs elapses and bind rebind before 5 secs elapses
6. Wait for the passwordTPRDelayValidFrom value to elapse and try to reset passwd
:expected results:
1. Success
2. Success
3. Success
4. Success
5. Success
6. Fail(ldap.LDAP_CONSTRAINT_VIOLATION)
7. Success
"""
user2 = UserAccount(topo.standalone,
f'uid=jdoe2,ou=People,{DEFAULT_SUFFIX}')
log.info('Creating user {} with appropriate password'.format(user2))
log.info('Disabling TPR policy passwordTPRDelayValidFrom')
topo.standalone.config.replace_many(('passwordMustChange', 'on'),
('passwordTPRDelayValidFrom', '10'))
log.info('Triggering TPR and binding immediately after')
user2.replace('userpassword', 'new_password')
time.sleep(.5)
with pytest.raises(ldap.CONSTRAINT_VIOLATION):
user2.bind('new_password')
time.sleep(.5)
topo.standalone.config.replace_many(('passwordMustChange', 'on'),
('passwordTPRDelayValidFrom', '-1'))
log.info(
'Triggering TPR and binding immediately after with passwordTPRDelayValidFrom set to -1'
)
user2.replace('userpassword', 'new_password1')
time.sleep(.5)
user2.rebind('new_password1')
def test_admin_resets_pwd_TPR_attrs_reset(topo, _add_user,
set_global_TPR_policies):
"""Test When the ‘userpassword’ is updated (update_pw_info) by an administrator
and it exists a TPR policy, then the server flags that the entry has a
TPR password with ‘pwdTPRReset: TRUE’, ‘pwdTPRExpTime’ and ‘pwdTPRUseCount’.
:id: e6a84dc0-f142-11eb-8c96-fa163e1f582c
:customerscenario: True
:setup: Standalone
:steps:
1. Create DS Instance
2. Create user jdoe2 with appropriate password
3. Configure the Global Password policies enable
4. Trigger TPR by resetting the user jdoe1 password above
5. Reset the users password ‘userpassword’
6. Check that ‘pwdTPRExpTime’ and ‘pwdTPRUseCount’ are updated
:expectedresults:
1. Success
2. Success
3. Success
4. Success
5. Success
6. Success
"""
user1 = UserAccount(topo.standalone,
f'uid=jdoe1,ou=People,{DEFAULT_SUFFIX}')
log.info('Logging current time')
start_time = time.mktime(time.gmtime())
log.info(
'Verifying the Global policy are set and attributes are all set to "None"'
)
for tpr_attrib in ['pwdTPRReset', 'pwdTPRExpTime', 'pwdTPRUseCount']:
assert user1.get_attr_val_utf8(tpr_attrib) is None
config = Config(topo.standalone)
config.replace_many(('pwdmustchange', 'on'), ('passwordTPRMaxUse', '3'),
('passwordTPRDelayExpireAt', '1800'),
('passwordTPRDelayValidFrom', '1'))
assert user1.get_attr_val_utf8('pwdTPRExpTime') is None
log.info('Triggering TPR as Admin')
user1.replace('userpassword', 'new_password')
time.sleep(1)
log.info(
'Checking that pwdTPRReset, pwdTPRExpTime, pwdTPRUseCount are reset.')
assert user1.get_attr_val_utf8('pwdTPRReset') == 'TRUE'
assert user1.get_attr_val_utf8('pwdTPRExpTime') is None
assert user1.get_attr_val_utf8('pwdTPRUseCount') is '0'
def add_time_attr(topology_st, suffix, subtree, userid, nousrs, attr_name):
"""Enable account by replacing lastLoginTime/createTimeStamp/ModifyTimeStamp attribute"""
new_attr_val = time.strftime("%Y%m%d%H%M%S", time.gmtime()) + 'Z'
log.info('Enable account by replacing lastLoginTime/createTimeStamp/ModifyTimeStamp attribute')
while (nousrs > 0):
usrrdn = '{}{}'.format(userid, nousrs)
userdn = 'uid={},{},{}'.format(usrrdn, subtree, suffix)
user = UserAccount(topology_st.standalone, dn=userdn)
try:
user.replace(attr_name, new_attr_val)
except ldap.LDAPError as e:
log.error('Failed to add/replace {} attribute to-{}, for user-{}'.format(attr_name, new_attr_val, userdn))
raise e
nousrs = nousrs - 1
time.sleep(1)
time.sleep(1)
def test_mod_see_also_negative(topo, _add_user, user, entry):
"""
Try to set seeAlso on entry with binding specific user, it will Fail
as per the ACI.
:id: 9ea93252-7a01-11e8-a85b-8c16451d917b
:setup: Standalone Instance
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
conn = UserAccount(topo.standalone, user).bind(PW_DM)
user = UserAccount(conn, entry)
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
user.replace('seeAlso', 'cn=1')
def test_mod_anonseealso_negaive(topo, _add_user, _aci_of_user, entry):
"""
Testing the roledn keyword that do not allows access control
based on the role of the bound user.
:id: d385611a-79f4-11e8-adc8-8c16451d917b
:setup: Standalone Instance
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
conn = Anonymous(topo.standalone).bind()
user = UserAccount(conn, entry)
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
user.replace('seeAlso', 'cn=1')
def test_pwdReset_by_user_DM(topology_st, create_user):
"""Test new password policy attribute "pwdReset"
:id: 232bc7dc-8cb6-11eb-9791-98fa9ba19b65
:customerscenario: True
:setup:
1. Standalone instance
2. Add a new user with a password
:steps:
1. Enable passwordMustChange
2. Bind as the user and change the password
3. Check that the pwdReset attribute is set to TRUE
4. Bind as the Directory manager and attempt to change the pwdReset to FALSE
5. Check that pwdReset is NOT SET to FALSE
:expected results:
1. Success
2. Success
3. Success
4. Success
5. Success
"""
# Reset user's password
our_user = UserAccount(topology_st.standalone, TEST_USER_DN)
log.info('Set password policy passwordMustChange on')
topology_st.standalone.config.replace('passwordMustChange', 'on')
our_user.replace('userpassword', PASSWORD)
time.sleep(5)
# Check that pwdReset is TRUE
assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE'
log.info(
'Binding as the Directory manager and attempt to change the pwdReset to FALSE'
)
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
with pytest.raises(ldap.UNWILLING_TO_PERFORM):
topology_st.standalone.config.replace('pwdReset', 'FALSE')
log.info('Check that pwdReset is NOT SET to FALSE')
assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE'
log.info('Resetting password for {}'.format(TEST_USER_PWD))
our_user.reset_password(TEST_USER_PWD)
def test_passwordexpirationtime_attribute(topo, _add_user):
"""Regression test for bz1118006.
:id: 867472d2-473c-11ea-b583-8c16451d917b
:setup: Standalone
:steps:
1. Check that the passwordExpirationTime attribute is set to the epoch date
:expected results:
1. Success
"""
Config(topo.standalone).replace('passwordMustChange', 'on')
epoch_date = "19700101000000Z"
time.sleep(1)
user = UserAccount(topo.standalone, f'uid=pwadm_user_1,{DEFAULT_SUFFIX}')
user.replace('userpassword', 'Secret123')
time.sleep(1)
# Check that the passwordExpirationTime attribute is set to the epoch date
assert user.get_attr_val_utf8('passwordExpirationTime') == epoch_date
Config(topo.standalone).replace('passwordMustChange', 'off')
time.sleep(1)
def test_mod_seealso_negative(topo, _add_user, _aci_of_user, user, entry):
"""
Testing the roledn keyword that do not allows access control
based on the role of the bound user.
:id: b2444aa2-79f4-11e8-a2c3-8c16451d917b
:parametrized: yes
:setup: Standalone server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
conn = UserAccount(topo.standalone, user).bind(PW_DM)
user = UserAccount(conn, entry)
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
user.replace('seeAlso', 'cn=1')
def test_read_write_supplier(_create_entries):
"""Attempt to modify an entry on read-write supplier
:id: ff50a8b6-38ea-11ea-870f-8c16451d917b
:setup: Supplier and Consumer
:steps:
1. Add test entry
2. First attempt to modify an attribute that should be visible (mail)
3. Then attempt to modify one that should not be visible (roomnumber)
4. The change to mail should appear on all servers; the change to
room number should only appear on the suppliers INST[0] and INST[1].
:expected results:
1. Success
2. Success
3. Success
4. Success
"""
# Add test entry
user_supplier1 = UserAccount(SUPPLIER1, f'uid=scarter,ou=People,{DEFAULT_SUFFIX}')
# First attempt to modify an attribute that should be visible (mail)
for attr, value in [('mail', '*****@*****.**'), ('roomnumber', '123')]:
user_supplier1.replace(attr, value)
check_all_replicated()
for ins, attr in [(SUPPLIER2, 'mail'),
(SUPPLIER2, 'roomnumber'),
(CONSUMER1, 'mail'),
(CONSUMER2, 'mail')]:
if attr == 'mail':
assert UserAccount(ins,
f'uid=scarter,'
f'ou=People,{DEFAULT_SUFFIX}').get_attr_val_utf8(attr) == \
'*****@*****.**'
elif attr == 'roomnumber':
assert UserAccount(ins,
f'uid=scarter,'
f'ou=People,{DEFAULT_SUFFIX}').get_attr_val_utf8(attr) == '123'
# Attempt to modify one that should not be visible (room number)
for ins in [CONSUMER1, CONSUMER2]:
assert not UserAccount(ins,
f'uid=scarter,ou=People,{DEFAULT_SUFFIX}').get_attr_val('roomnumber')
def test_pwd_reset(topology_st, create_user):
"""Test new password policy attribute "pwdReset"
:id: 03db357b-4800-411e-a36e-28a534293004
:customerscenario: True
:setup: Standalone instance
:steps:
1. Enable passwordMustChange
2. Reset user's password
3. Check that the pwdReset attribute is set to TRUE
4. Bind as the user and change its password
5. Check that pwdReset is now set to FALSE
6. Reset password policy configuration
:expected results:
1. Success
2. Success
3. Success
4. Success
5. Success
6. Success
"""
# Set password policy config
topology_st.standalone.config.replace('passwordMustChange', 'on')
time.sleep(.5)
# Reset user's password
our_user = UserAccount(topology_st.standalone, TEST_USER_DN)
our_user.replace('userpassword', PASSWORD)
time.sleep(.5)
# Check that pwdReset is TRUE
assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE'
# Bind as user and change its own password
our_user.rebind(PASSWORD)
our_user.replace('userpassword', PASSWORD)
time.sleep(.5)
# Check that pwdReset is FALSE
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
assert our_user.get_attr_val_utf8('pwdReset') == 'FALSE'
# Reset password policy config
topology_st.standalone.config.replace('passwordMustChange', 'off')
# Reset user's password
our_user.replace('userpassword', TEST_USER_PWD)
def test_global_tpr_delayExpireAt_1(topology_st, test_user, request):
"""Test global TPR policy : passwordTPRDelayExpireAt
Test that a TPR password is not valid after reset time +
passwordTPRDelayExpireAt
:id: b98def32-4e30-49fd-893b-8f959ba72b98
:customerscenario: False
:setup: Standalone instance
:steps:
1. Enable passwordMustChange
2. Set passwordTPRDelayExpireAt=6s
3. Create a account user
5. Reset the password
6. Wait for passwordTPRDelayExpireAt=6s + 2s (safety)
7. Bind with valid password should fail with ldap.CONSTRAINT_VIOLATION
:expected results:
1. Success
2. Success
3. Success
4. Success
5. Success
6. Success
7. Success
"""
ExpireAt = 6
# Set password policy config, passwordMaxFailure being higher than
# passwordTPRMaxUse so that TPR is enforced first
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
topology_st.standalone.config.replace('passwordMustChange', 'on')
topology_st.standalone.config.replace('passwordTPRMaxUse', str(-1))
topology_st.standalone.config.replace('passwordTPRDelayValidFrom', str(-1))
topology_st.standalone.config.replace('passwordTPRDelayExpireAt',
str(ExpireAt))
time.sleep(.5)
# Reset user's password
our_user = UserAccount(topology_st.standalone, TEST_USER_DN)
our_user.replace('userpassword', PASSWORD)
# give time to update the pwp attributes in the entry
time.sleep(.5)
# Check that pwdReset is TRUE
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE'
# Check that pwdTPRReset is TRUE
assert our_user.get_attr_val_utf8('pwdTPRReset') == 'TRUE'
now = time.mktime(time.gmtime())
log.info("compare pwdTPRExpireAt (%s) vs now (%s)" %
(our_user.get_attr_val_utf8('pwdTPRExpireAt'), time.gmtime()))
assert (gentime_to_posix_time(
our_user.get_attr_val_utf8('pwdTPRExpireAt'))) >= (now + ExpireAt - 2)
# wait for pwdTPRExpireAt
time.sleep(ExpireAt + 2)
# Bind as user with valid password but too late
# for pwdTPRExpireAt
# and do simple search
with pytest.raises(ldap.CONSTRAINT_VIOLATION):
our_user.rebind(PASSWORD)
def fin():
topology_st.standalone.restart()
# Reset password policy config
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
topology_st.standalone.config.replace('passwordMustChange', 'off')
# Reset user's password
our_user.replace('userpassword', TEST_USER_PWD)
request.addfinalizer(fin)
def test_global_tpr_delayValidFrom_2(topology_st, test_user, request):
"""Test global TPR policy : passwordTPRDelayValidFrom
Test that a TPR password is valid after reset time +
passwordTPRDelayValidFrom
:id: 8fa9f6f7-9be2-47c0-bf92-d9fe78ddbc34
:customerscenario: False
:setup: Standalone instance
:steps:
1. Enable passwordMustChange
2. Set passwordTPRDelayValidFrom=6s
3. Create a account user
5. Reset the password
6. Wait for passwordTPRDelayValidFrom=6s
7. Bind with valid password, reset password
to allow further searches
8. Check bound user can search attribute ('uid')
:expected results:
1. Success
2. Success
3. Success
4. Success
5. Success
6. Success
7. Success
8. Success
"""
ValidFrom = 6
# Set password policy config, passwordMaxFailure being higher than
# passwordTPRMaxUse so that TPR is enforced first
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
topology_st.standalone.config.replace('passwordMustChange', 'on')
topology_st.standalone.config.replace('passwordTPRDelayValidFrom',
str(ValidFrom))
time.sleep(.5)
# Reset user's password
our_user = UserAccount(topology_st.standalone, TEST_USER_DN)
our_user.replace('userpassword', PASSWORD)
# give time to update the pwp attributes in the entry
time.sleep(.5)
# Check that pwdReset is TRUE
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE'
# Check that pwdTPRReset is TRUE
assert our_user.get_attr_val_utf8('pwdTPRReset') == 'TRUE'
now = time.mktime(time.gmtime())
log.info("compare pwdTPRValidFrom (%s) vs now (%s)" %
(our_user.get_attr_val_utf8('pwdTPRValidFrom'), time.gmtime()))
assert (gentime_to_posix_time(
our_user.get_attr_val_utf8('pwdTPRValidFrom'))) >= (now + ValidFrom -
2)
# wait for pwdTPRValidFrom
time.sleep(ValidFrom + 1)
# Bind as user with valid password, reset the password
# and do simple search
our_user.rebind(PASSWORD)
our_user.reset_password(TEST_USER_PWD)
our_user.rebind(TEST_USER_PWD)
assert our_user.get_attr_val_utf8('uid')
def fin():
topology_st.standalone.restart()
# Reset password policy config
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
topology_st.standalone.config.replace('passwordMustChange', 'off')
# Reset user's password
our_user.replace('userpassword', TEST_USER_PWD)
request.addfinalizer(fin)
def test_global_tpr_delayValidFrom_1(topology_st, test_user, request):
"""Test global TPR policy : passwordTPRDelayValidFrom
Test that a TPR password is not valid before reset time +
passwordTPRDelayValidFrom
:id: 8420a348-e765-43ec-82c7-7f75cb4bf913
:customerscenario: False
:setup: Standalone instance
:steps:
1. Enable passwordMustChange
2. Set passwordTPRDelayValidFrom=10s
3. Create a account user
5. Reset the password
6. Check that Validity is not reached yet
pwdTPRValidFrom >= now + passwordTPRDelayValidFrom - 2 (safety)
7. Bind with valid password, Fails because of CONSTRAINT_VIOLATION
:expected results:
1. Success
2. Success
3. Success
4. Success
5. Success
6. Success
7. Success
"""
ValidFrom = 10
# Set password policy config, passwordMaxFailure being higher than
# passwordTPRMaxUse so that TPR is enforced first
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
topology_st.standalone.config.replace('passwordMustChange', 'on')
topology_st.standalone.config.replace('passwordTPRDelayValidFrom',
str(ValidFrom))
time.sleep(.5)
# Reset user's password
our_user = UserAccount(topology_st.standalone, TEST_USER_DN)
our_user.replace('userpassword', PASSWORD)
# give time to update the pwp attributes in the entry
time.sleep(.5)
# Check that pwdReset is TRUE
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE'
# Check that pwdTPRReset is TRUE
assert our_user.get_attr_val_utf8('pwdTPRReset') == 'TRUE'
now = time.mktime(time.gmtime())
log.info("compare pwdTPRValidFrom (%s) vs now (%s)" %
(our_user.get_attr_val_utf8('pwdTPRValidFrom'), time.gmtime()))
assert (gentime_to_posix_time(
our_user.get_attr_val_utf8('pwdTPRValidFrom'))) >= (now + ValidFrom -
2)
# Bind as user with valid password
# But too early compare to ValidFrom
with pytest.raises(ldap.CONSTRAINT_VIOLATION):
our_user.rebind(PASSWORD)
def fin():
topology_st.standalone.restart()
# Reset password policy config
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
topology_st.standalone.config.replace('passwordMustChange', 'off')
# Reset user's password
our_user.replace('userpassword', TEST_USER_PWD)
request.addfinalizer(fin)
def test_global_tpr_maxuse_1(topology_st, test_user, request):
"""Test global TPR policy : passwordTPRMaxUse
Test that after passwordTPRMaxUse failures to bind
additional bind with valid password are failing with CONSTRAINT_VIOLATION
:id: d1b38436-806c-4671-8ccf-c8fdad21f034
:customerscenario: False
:setup: Standalone instance
:steps:
1. Enable passwordMustChange
2. Set passwordTPRMaxUse=5
3. Set passwordMaxFailure to a higher value to not disturb the test
4. Bind with a wrong password passwordTPRMaxUse times and check INVALID_CREDENTIALS
5. Check that passwordTPRRetryCount got to the limit (5)
6. Bind with a wrong password (CONSTRAINT_VIOLATION)
and check passwordTPRRetryCount overpass the limit by 1 (6)
7. Bind with a valid password 5 times and check CONSTRAINT_VIOLATION
and check passwordTPRRetryCount overpass the limit by 1 (6)
8. Reset password policy configuration
:expected results:
1. Success
2. Success
3. Success
4. Success
5. Success
6. Success
7. Success
8. Success
"""
try_tpr_failure = 5
# Set password policy config, passwordMaxFailure being higher than
# passwordTPRMaxUse so that TPR is enforced first
topology_st.standalone.config.replace('passwordMustChange', 'on')
topology_st.standalone.config.replace('passwordMaxFailure',
str(try_tpr_failure + 20))
topology_st.standalone.config.replace('passwordTPRMaxUse',
str(try_tpr_failure))
time.sleep(.5)
# Reset user's password
our_user = UserAccount(topology_st.standalone, TEST_USER_DN)
our_user.replace('userpassword', PASSWORD)
time.sleep(.5)
# look up to passwordTPRMaxUse with failing
# bind to check that the limits of TPR are enforced
for i in range(try_tpr_failure):
# Bind as user with a wrong password
with pytest.raises(ldap.INVALID_CREDENTIALS):
our_user.rebind('wrong password')
time.sleep(.5)
# Check that pwdReset is TRUE
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
#assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE'
# Check that pwdTPRReset is TRUE
assert our_user.get_attr_val_utf8('pwdTPRReset') == 'TRUE'
assert our_user.get_attr_val_utf8('pwdTPRUseCount') == str(i + 1)
log.info(
"%dth failing bind (INVALID_CREDENTIALS) => pwdTPRUseCount = %d" %
(i + 1, i + 1))
# Now the #failures reached passwordTPRMaxUse
# Check that pwdReset is TRUE
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
#assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE'
# Check that pwdTPRReset is TRUE
assert our_user.get_attr_val_utf8('pwdTPRReset') == 'TRUE'
assert our_user.get_attr_val_utf8('pwdTPRUseCount') == str(try_tpr_failure)
log.info("last failing bind (INVALID_CREDENTIALS) => pwdTPRUseCount = %d" %
(try_tpr_failure))
# Bind as user with wrong password --> ldap.CONSTRAINT_VIOLATION
with pytest.raises(ldap.CONSTRAINT_VIOLATION):
our_user.rebind("wrong password")
time.sleep(.5)
# Check that pwdReset is TRUE
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
#assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE'
# Check that pwdTPRReset is TRUE
assert our_user.get_attr_val_utf8('pwdTPRReset') == 'TRUE'
assert our_user.get_attr_val_utf8('pwdTPRUseCount') == str(
try_tpr_failure + 1)
log.info("failing bind (CONSTRAINT_VIOLATION) => pwdTPRUseCount = %d" %
(try_tpr_failure + i))
# Now check that all next attempts with correct password are all in LDAP_CONSTRAINT_VIOLATION
# and passwordTPRRetryCount remains unchanged
# account is now similar to locked
for i in range(10):
# Bind as user with valid password
with pytest.raises(ldap.CONSTRAINT_VIOLATION):
our_user.rebind(PASSWORD)
time.sleep(.5)
# Check that pwdReset is TRUE
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
#assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE'
# Check that pwdTPRReset is TRUE
# pwdTPRUseCount keeps increasing
assert our_user.get_attr_val_utf8('pwdTPRReset') == 'TRUE'
assert our_user.get_attr_val_utf8('pwdTPRUseCount') == str(
try_tpr_failure + i + 2)
log.info(
"Rejected bind (CONSTRAINT_VIOLATION) => pwdTPRUseCount = %d" %
(try_tpr_failure + i + 2))
def fin():
topology_st.standalone.restart()
# Reset password policy config
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
topology_st.standalone.config.replace('passwordMustChange', 'off')
# Reset user's password
our_user.replace('userpassword', TEST_USER_PWD)
request.addfinalizer(fin)
def test_global_tpr_maxuse_3(topology_st, test_user, request):
"""Test global TPR policy : passwordTPRMaxUse
Test that after less than passwordTPRMaxUse failures to bind
A bind with valid password is successfull but passwordMustChange
does not allow to do a search.
Changing the password allows to do a search
:id: 7fd0301a-781e-4db8-a4bd-7b44e0f04bb6
:customerscenario: False
:setup: Standalone instance
:steps:
1. Enable passwordMustChange
2. Set passwordTPRMaxUse=5
3. Set passwordMaxFailure to a higher value to not disturb the test
4. Bind with a wrong password less then passwordTPRMaxUse times and check INVALID_CREDENTIALS
5. Bind with the valid password and check SRCH fail (ldap.UNWILLING_TO_PERFORM)
because of passwordMustChange
6. check passwordTPRRetryCount reset to 0
7. Bindd with valid password and reset the password
8. Check we can bind again and SRCH succeeds
9. Reset password policy configuration
:expected results:
1. Success
2. Success
3. Success
4. Success
5. Success
6. Success
7. Success
8. Success
9. Success
"""
try_tpr_failure = 5
# Set password policy config, passwordMaxFailure being higher than
# passwordTPRMaxUse so that TPR is enforced first
topology_st.standalone.config.replace('passwordMustChange', 'on')
topology_st.standalone.config.replace('passwordMaxFailure',
str(try_tpr_failure + 20))
topology_st.standalone.config.replace('passwordTPRMaxUse',
str(try_tpr_failure))
time.sleep(.5)
# Reset user's password
our_user = UserAccount(topology_st.standalone, TEST_USER_DN)
our_user.replace('userpassword', PASSWORD)
# give time to update the pwp attributes in the entry
time.sleep(.5)
# Do less than passwordTPRMaxUse failing bind
try_tpr_failure = try_tpr_failure - 2
for i in range(try_tpr_failure):
# Bind as user with a wrong password
with pytest.raises(ldap.INVALID_CREDENTIALS):
our_user.rebind('wrong password')
time.sleep(.5)
# Check that pwdReset is TRUE
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
#assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE'
# Check that pwdTPRReset is TRUE
assert our_user.get_attr_val_utf8('pwdTPRReset') == 'TRUE'
assert our_user.get_attr_val_utf8('pwdTPRUseCount') == str(i + 1)
log.info(
"%dth failing bind (INVALID_CREDENTIALS) => pwdTPRUseCount = %d" %
(i + 1, i + 1))
# Now the #failures has not reached passwordTPRMaxUse
# Check that pwdReset is TRUE
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE'
# Check that pwdTPRReset is TRUE
assert our_user.get_attr_val_utf8('pwdTPRReset') == 'TRUE'
assert our_user.get_attr_val_utf8('pwdTPRUseCount') == str(try_tpr_failure)
log.info("last failing bind (INVALID_CREDENTIALS) => pwdTPRUseCount = %d" %
(try_tpr_failure))
# Bind as user with valid password
our_user.rebind(PASSWORD)
time.sleep(.5)
# We can not do anything else that reset password
users = UserAccounts(topology_st.standalone, OU_PEOPLE, rdn=None)
with pytest.raises(ldap.UNWILLING_TO_PERFORM):
user = users.get(TEST_USER_NAME)
# Check that pwdReset is TRUE
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE'
# Check that pwdTPRReset is FALSE
assert our_user.get_attr_val_utf8('pwdTPRReset') == 'TRUE'
assert our_user.get_attr_val_utf8('pwdTPRUseCount') == str(
try_tpr_failure + 1)
# Now reset the password and check we can do fully use the account
our_user.rebind(PASSWORD)
our_user.reset_password(TEST_USER_PWD)
# give time to update the pwp attributes in the entry
time.sleep(.5)
our_user.rebind(TEST_USER_PWD)
time.sleep(.5)
user = users.get(TEST_USER_NAME)
def fin():
topology_st.standalone.restart()
# Reset password policy config
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
topology_st.standalone.config.replace('passwordMustChange', 'off')
# Reset user's password
our_user.replace('userpassword', TEST_USER_PWD)
request.addfinalizer(fin)
def test_global_tpr_maxuse_2(topology_st, test_user, request):
"""Test global TPR policy : passwordTPRMaxUse
Test that after less than passwordTPRMaxUse failures to bind
additional bind with valid password are successfull
:id: bd18bf8e-f3c3-4612-9009-500cf558317e
:customerscenario: False
:setup: Standalone instance
:steps:
1. Enable passwordMustChange
2. Set passwordTPRMaxUse=5
3. Set passwordMaxFailure to a higher value to not disturb the test
4. Bind with a wrong password less than passwordTPRMaxUse times and check INVALID_CREDENTIALS
7. Bind successfully with a valid password 10 times
and check passwordTPRRetryCount returns to 0
8. Reset password policy configuration
:expected results:
1. Success
2. Success
3. Success
4. Success
5. Success
6. Success
7. Success
8. Success
"""
try_tpr_failure = 5
# Set password policy config, passwordMaxFailure being higher than
# passwordTPRMaxUse so that TPR is enforced first
topology_st.standalone.config.replace('passwordMustChange', 'on')
topology_st.standalone.config.replace('passwordMaxFailure',
str(try_tpr_failure + 20))
topology_st.standalone.config.replace('passwordTPRMaxUse',
str(try_tpr_failure))
time.sleep(.5)
# Reset user's password
our_user = UserAccount(topology_st.standalone, TEST_USER_DN)
our_user.replace('userpassword', PASSWORD)
time.sleep(.5)
# Do less than passwordTPRMaxUse failing bind
try_tpr_failure = try_tpr_failure - 2
for i in range(try_tpr_failure):
# Bind as user with a wrong password
with pytest.raises(ldap.INVALID_CREDENTIALS):
our_user.rebind('wrong password')
time.sleep(.5)
# Check that pwdReset is TRUE
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
#assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE'
# Check that pwdTPRReset is TRUE
assert our_user.get_attr_val_utf8('pwdTPRReset') == 'TRUE'
assert our_user.get_attr_val_utf8('pwdTPRUseCount') == str(i + 1)
log.info(
"%dth failing bind (INVALID_CREDENTIALS) => pwdTPRUseCount = %d" %
(i + 1, i + 1))
# Now the #failures has not reached passwordTPRMaxUse
# Check that pwdReset is TRUE
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE'
# Check that pwdTPRReset is TRUE
assert our_user.get_attr_val_utf8('pwdTPRReset') == 'TRUE'
assert our_user.get_attr_val_utf8('pwdTPRUseCount') == str(try_tpr_failure)
log.info("last failing bind (INVALID_CREDENTIALS) => pwdTPRUseCount = %d" %
(try_tpr_failure))
our_user.rebind(PASSWORD)
our_user.replace('userpassword', PASSWORD)
# give time to update the pwp attributes in the entry
time.sleep(.5)
# Now check that all next attempts with correct password are successfull
# and passwordTPRRetryCount reset to 0
for i in range(10):
# Bind as user with valid password
our_user.rebind(PASSWORD)
time.sleep(.5)
# Check that pwdReset is TRUE
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
#assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE'
# Check that pwdTPRReset is FALSE
assert our_user.get_attr_val_utf8('pwdTPRReset') == 'FALSE'
#pdb.set_trace()
assert not our_user.present('pwdTPRUseCount')
def fin():
topology_st.standalone.restart()
# Reset password policy config
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
topology_st.standalone.config.replace('passwordMustChange', 'off')
# Reset user's password
our_user.replace('userpassword', TEST_USER_PWD)
request.addfinalizer(fin)
def test_global_tpr_delayExpireAt_2(topology_st, test_user, request):
"""Test global TPR policy : passwordTPRDelayExpireAt
Test that a TPR password is valid before reset time +
passwordTPRDelayExpireAt
:id: 9df320de-ebf6-4ed0-a619-51b1a05a560c
:customerscenario: False
:setup: Standalone instance
:steps:
1. Enable passwordMustChange
2. Set passwordTPRDelayExpireAt=6s
3. Create a account user
5. Reset the password
6. Wait for 1s
7. Bind with valid password should succeeds
:expected results:
1. Success
2. Success
3. Success
4. Success
5. Success
6. Success
7. Success
"""
ExpireAt = 6
# Set password policy config, passwordMaxFailure being higher than
# passwordTPRMaxUse so that TPR is enforced first
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
topology_st.standalone.config.replace('passwordMustChange', 'on')
topology_st.standalone.config.replace('passwordTPRMaxUse', str(-1))
topology_st.standalone.config.replace('passwordTPRDelayValidFrom', str(-1))
topology_st.standalone.config.replace('passwordTPRDelayExpireAt',
str(ExpireAt))
time.sleep(.5)
# Reset user's password
our_user = UserAccount(topology_st.standalone, TEST_USER_DN)
our_user.replace('userpassword', PASSWORD)
# give time to update the pwp attributes in the entry
time.sleep(.5)
# Check that pwdReset is TRUE
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE'
# Check that pwdTPRReset is TRUE
assert our_user.get_attr_val_utf8('pwdTPRReset') == 'TRUE'
now = time.mktime(time.gmtime())
log.info("compare pwdTPRExpireAt (%s) vs now (%s)" %
(our_user.get_attr_val_utf8('pwdTPRExpireAt'), time.gmtime()))
assert (gentime_to_posix_time(
our_user.get_attr_val_utf8('pwdTPRExpireAt'))) >= (now + ExpireAt - 2)
# wait for 1s
time.sleep(1)
# Bind as user with valid password, reset the password
# and do simple search
our_user.rebind(PASSWORD)
our_user.reset_password(TEST_USER_PWD)
time.sleep(.5)
our_user.rebind(TEST_USER_PWD)
assert our_user.get_attr_val_utf8('uid')
def fin():
topology_st.standalone.restart()
# Reset password policy config
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
topology_st.standalone.config.replace('passwordMustChange', 'off')
# Reset user's password
our_user.replace('userpassword', TEST_USER_PWD)
request.addfinalizer(fin)
def test_user_resets_pwd_TPR_attrs_reset(topo, _add_user,
set_global_TPR_policies):
"""Test once password is reset attributes are set to FALSE
:id: 6614068a-ee7d-11eb-b1a3-98fa9ba19b65
:customerscenario: True
:setup: Standalone
:steps:
1. Create DS Instance
2. Create user jdoe2 with appropriate password
3. Configure the Global Password policies and set passwordMustChange on
4. Trigger TPR by resetting the user jdoe1 password above
5. Reset the users password ‘userpassword’
6. Check that pwdTPRReset, pwdTPRUseCount, pwdTPRValidFrom, pwdTPRExpireAt are RESET
:expectedresults:
1. Success
2. Success
3. Success
4. Success
5. Success
6. Success
"""
user1 = UserAccount(topo.standalone,
f'uid=jdoe1,ou=People,{DEFAULT_SUFFIX}')
log.info('Logging current time')
start_time = time.mktime(time.gmtime())
log.info(
'Verifying the Global policy are set and attributes are all set to "None"'
)
for tpr_attrib in [
'pwdTPRReset', 'pwdTPRUseCount', 'pwdTPRValidFrom',
'pwdTPRExpireAt'
]:
assert user1.get_attr_val_utf8(tpr_attrib) is None
config = Config(topo.standalone)
config.replace_many(('pwdmustchange', 'on'), ('passwordTPRMaxUse', '3'),
('passwordTPRDelayExpireAt', '1800'),
('passwordTPRDelayValidFrom', '1'))
assert user1.get_attr_val_utf8('pwdTPRReset') is None
log.info(
'Triggering TPR check that pwdTPRReset, pwdTPRUseCount, pwdTPRValidFrom, pwdTPRExpireAt are set'
)
user1.replace('userpassword', 'new_password')
time.sleep(3)
assert user1.get_attr_val_utf8('pwdTPRReset') == 'TRUE'
assert user1.get_attr_val_utf8('pwdTPRUseCount') == '0'
assert gentime_to_posix_time(
user1.get_attr_val_utf8('pwdTPRValidFrom')) > start_time
assert gentime_to_posix_time(
user1.get_attr_val_utf8('pwdTPRExpireAt')) > start_time
conn = user1.rebind('new_password')
user1.replace('userpassword', 'extra_new_pass')
log.info(
'Checking that pwdTPRReset, pwdTPRUseCount, pwdTPRValidFrom, pwdTPRExpireAt are reset to None'
)
time.sleep(3)
assert user1.get_attr_val_utf8('pwdTPRReset') is None
assert user1.get_attr_val_utf8('pwdTPRUseCount') is None
assert (user1.get_attr_val_utf8('pwdTPRValidFrom')) is None
assert (user1.get_attr_val_utf8('pwdTPRExpireAt')) is None
log.info('Verified that attributes are reset after password is reset')
def test_retrocl_exclude_attr_mod(topology_st):
""" Test exclude attribute feature of the retrocl plugin for mod operation
:id: f6bef689-685b-4f86-a98d-f7e6b1fcada3
:setup: Standalone instance
:steps:
1. Enable dynamic plugins
2. Confige retro changelog plugin
3. Add user1 entry
4. Ensure entry attrs are in the changelog
5. Exclude an attr
6. Modify user1 entry
7. Ensure excluded attr is not in the changelog
:expectedresults:
1. Success
2. Success
3. Success
4. Success
5. Success
6. Success
7. Success
"""
st = topology_st.standalone
log.info('Configure retrocl plugin')
rcl = RetroChangelogPlugin(st)
rcl.disable()
rcl.enable()
rcl.replace('nsslapd-attribute', 'nsuniqueid:targetUniqueId')
log.info('Restarting instance')
try:
st.restart()
except ldap.LDAPError as e:
ldap.error('Failed to restart instance ' + e.args[0]['desc'])
assert False
users = UserAccounts(st, DEFAULT_SUFFIX)
log.info('Adding user1')
try:
user1 = users.create(
properties={
'sn': '1',
'cn': 'user 1',
'uid': 'user1',
'uidNumber': '11',
'gidNumber': '111',
'givenname': 'user1',
'homePhone': '0861234567',
'carLicense': '131D16674',
'mail': '*****@*****.**',
'homeDirectory': '/home/user1',
'userpassword': USER_PW
})
except ldap.ALREADY_EXISTS:
user1 = UserAccount(st, dn=USER1_DN)
except ldap.LDAPError as e:
log.error("Failed to add user1: " + str(e))
log.info(
'Verify homePhone and carLicense attrs are in the changelog changestring'
)
try:
retro_changelog_suffix = DSLdapObjects(st, basedn=RETROCL_SUFFIX)
cllist = retro_changelog_suffix.filter(f'(targetDn={USER1_DN})')
except ldap.LDAPError as e:
log.fatal("Changelog search failed, error: " + str(e))
assert False
assert len(cllist) > 0
if cllist[0].present('changes'):
clstr = str(cllist[0].get_attr_vals_utf8('changes'))
assert ATTR_HOMEPHONE in clstr
assert ATTR_CARLICENSE in clstr
log.info('Excluding attribute ' + ATTR_CARLICENSE)
args = FakeArgs()
args.connections = [
st.host + ':' + str(st.port) + ':' + DN_DM + ':' + PW_DM
]
args.instance = 'standalone1'
args.basedn = None
args.binddn = None
args.starttls = False
args.pwdfile = None
args.bindpw = None
args.prompt = False
args.exclude_attrs = ATTR_CARLICENSE
args.func = retrochangelog_add
dsrc_inst = dsrc_arg_concat(args, None)
inst = connect_instance(dsrc_inst, False, args)
result = args.func(inst, None, log, args)
disconnect_instance(inst)
assert result is None
log.info('Restarting instance')
try:
st.restart()
except ldap.LDAPError as e:
ldap.error('Failed to restart instance ' + e.args[0]['desc'])
assert False
log.info('Modify user1 carLicense attribute')
try:
user1.replace(ATTR_CARLICENSE, "123WX321")
except ldap.LDAPError as e:
log.fatal(
'test_retrocl_exclude_attr_mod: Failed to update user1 attribute: error '
+ e.message['desc'])
assert False
log.info('Verify carLicense attr is not in the changelog changestring')
try:
cllist = retro_changelog_suffix.filter(f'(targetDn={USER1_DN})')
assert len(cllist) > 0
# There will be 2 entries in the changelog for this user, we are only
#interested in the second one, the modify operation.
if cllist[1].present('changes'):
clstr = str(cllist[1].get_attr_vals_utf8('changes'))
assert ATTR_CARLICENSE not in clstr
except ldap.LDAPError as e:
log.fatal("Changelog search failed, error: " + str(e))
assert False
def test_repl_agmt_bootstrap_credentials(topo):
"""Test that the agreement bootstrap credentials works if the default
credentials fail for some reason.
:id: 38c8095c-d958-415a-b602-74854b7882b3
:setup: 2 Master Instances
:steps:
1. Change the bind dn group member passwords
2. Verify replication is not working
3. Create a new repl manager on master 2 for bootstrapping
4. Add bootstrap credentials to agmt on master 1
5. Verify replication is now working with bootstrap creds
6. Trigger new repl session and default credentials are used first
:expectedresults:
1. Success
2. Success
3. Success
4. Success
5. Success
6. Success
"""
# Gather all of our objects for the test
m1 = topo.ms["master1"]
m2 = topo.ms["master2"]
master1_replica = Replicas(m1).get(DEFAULT_SUFFIX)
master2_replica = Replicas(m2).get(DEFAULT_SUFFIX)
master2_users = UserAccounts(m2, DEFAULT_SUFFIX)
m1_agmt = master1_replica.get_agreements().list()[0]
num_of_original_users = len(master2_users.list())
# Change the member's passwords which should break replication
bind_group = Group(m2, dn=BIND_GROUP_DN)
members = bind_group.list_members()
for member_dn in members:
member = UserAccount(m2, dn=member_dn)
member.replace('userPassword', 'not_right')
time.sleep(3)
m1_agmt.pause()
m1_agmt.resume()
# Verify replication is not working, a new user should not be replicated
users = UserAccounts(m1, DEFAULT_SUFFIX)
test_user = users.ensure_state(properties=TEST_USER_PROPERTIES)
time.sleep(3)
assert len(master2_users.list()) == num_of_original_users
# Create a repl manager on replica
repl_mgr = BootstrapReplicationManager(m2, dn=BOOTSTRAP_MGR_DN)
mgr_properties = {
'uid': 'replication manager',
'cn': 'replication manager',
'userPassword': BOOTSTRAP_MGR_PWD,
}
repl_mgr.create(properties=mgr_properties)
# Update master 2 config
master2_replica.remove_all('nsDS5ReplicaBindDNGroup')
master2_replica.remove_all('nsDS5ReplicaBindDnGroupCheckInterval')
master2_replica.replace('nsDS5ReplicaBindDN', BOOTSTRAP_MGR_DN)
# Add bootstrap credentials to master1 agmt, and restart agmt
m1_agmt.replace('nsds5ReplicaBootstrapTransportInfo', 'LDAP')
m1_agmt.replace('nsds5ReplicaBootstrapBindMethod', 'SIMPLE')
m1_agmt.replace('nsds5ReplicaBootstrapCredentials', BOOTSTRAP_MGR_PWD)
m1_agmt.replace('nsds5ReplicaBootstrapBindDN', BOOTSTRAP_MGR_DN)
m1_agmt.pause()
m1_agmt.resume()
# Verify replication is working. The user should have been replicated
time.sleep(3)
assert len(master2_users.list()) > num_of_original_users
# Finally check if the default credentials are used on the next repl
# session. Clear out the logs, and disable log buffering. Then
# trigger a replication update/session.
m1_agmt.pause()
m2.stop()
m2.deleteLog(m2.accesslog) # Clear out the logs
m2.start()
m2.config.set('nsslapd-accesslog-logbuffering', 'off')
m1_agmt.resume()
test_user.delete()
time.sleep(3)
# We know if the default credentials are used it will fail (err=49)
results = m2.ds_access_log.match('.* err=49 .*')
assert len(results) > 0
