def test_change_pwd(topology_st, create_user, password_policy,
subtree_pwchange, user_pwchange, exception):
"""Verify that 'passwordChange' attr works as expected
User should have a priority over a subtree.
:id: 2c884432-2ba1-4662-8e5d-2cd49f77e5fa
:parametrized: yes
:setup: Standalone instance, a test user,
password policy entries for a user and a subtree
:steps:
1. Set passwordChange on the user and the subtree
to various combinations
2. Bind as test user
3. Try to change password
4. Clean up - change the password to default while bound as DM
:expectedresults:
1. passwordChange should be successfully set
2. Bind should be successful
3. Subtree/User passwordChange - result, accordingly:
off/on, on/on - success;
on/off, off/off - UNWILLING_TO_PERFORM
4. Operation should be successful
"""
users = UserAccounts(topology_st.standalone, OU_PEOPLE, rdn=None)
user = users.get(TEST_USER_NAME)
log.info('Set passwordChange to "{}" - {}'.format(subtree_pwchange,
OU_PEOPLE))
pwp = PwPolicyManager(topology_st.standalone)
subtree_policy = pwp.get_pwpolicy_entry(OU_PEOPLE)
subtree_policy.set('passwordChange', subtree_pwchange)
time.sleep(1)
log.info('Set passwordChange to "{}" - {}'.format(user_pwchange,
TEST_USER_DN))
pwp2 = PwPolicyManager(topology_st.standalone)
user_policy = pwp2.get_pwpolicy_entry(TEST_USER_DN)
user_policy.set('passwordChange', user_pwchange)
user_policy.set('passwordExp', 'on')
time.sleep(1)
try:
log.info('Bind as user and modify userPassword')
user.rebind(TEST_USER_PWD)
if exception:
with pytest.raises(exception):
user.reset_password('new_pass')
else:
user.reset_password('new_pass')
except ldap.LDAPError as e:
log.error('Failed to change userpassword for {}: error {}'.format(
TEST_USER_DN, e.args[0]['info']))
raise e
finally:
log.info('Bind as DM')
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
user.reset_password(TEST_USER_PWD)
def _get_pw_policy(inst, targetdn, log, use_json=None):
pwp_manager = PwPolicyManager(inst)
policy_type = _get_policy_type(inst, targetdn)
attr_list = pwp_manager.get_attr_list()
if "global" in policy_type.lower():
targetdn = 'cn=config'
attr_list.extend(['passwordIsGlobalPolicy', 'nsslapd-pwpolicy_local'])
attrs = inst.config.get_attrs_vals_utf8(attr_list)
else:
policy = pwp_manager.get_pwpolicy_entry(targetdn)
targetdn = policy.dn
attrs = policy.get_attrs_vals_utf8(attr_list)
if use_json:
print(json.dumps({"type": "entry", "pwp_type": policy_type, "dn": ensure_str(targetdn), "attrs": attrs}))
else:
if "global" in policy_type.lower():
response = "Global Password Policy: cn=config\n------------------------------------\n"
else:
response = "Local {} Policy: {}\n------------------------------------\n".format(policy_type, targetdn)
for key, value in list(attrs.items()):
if len(value) == 0:
value = ""
else:
value = value[0]
response += "{}: {}\n".format(key, value)
print(response)
def change_pwp_parameter(topo, pwp, operation, to_do):
"""
Will change password policy parameter
"""
pwp1 = PwPolicyManager(topo.standalone)
user = pwp1.get_pwpolicy_entry(f'{pwp},{DEFAULT_SUFFIX}')
user.replace(operation, to_do)
def test_entry_has_restrictions(topology_st, password_policy, create_user):
"""Set 'nsslapd-pwpolicy-inherit-global: on' and 'passwordCheckSyntax: on'.
Make sure that syntax rules work, if set them at both: cn=config and
ou=people policy container.
:id: 4bb0f474-17c1-40f7-aab4-4ddc17d019e8
:setup: Standalone instance, test user,
password policy entries for a subtree
:steps:
1. Bind as test user
2. Switch 'nsslapd-pwpolicy-inherit-global: on'
3. Switch 'passwordCheckSyntax: on'
4. Set 'passwordMinLength: 9' to:
cn=config and ou=people policy container
5. Try to add user with a short password (<9)
6. Try to add user with a long password (>9)
7. Cleanup - remove temp users bound as DM
:expectedresults:
1. Bind should be successful
2. nsslapd-pwpolicy-inherit-global should be successfully set
3. passwordCheckSyntax should be successfully set
4. passwordMinLength should be successfully set
5. User should be rejected
6. User should be rejected
7. Operation should be successful
"""
log.info('Set {} to {}'.format(ATTR_INHERIT_GLOBAL, 'on'))
log.info('Set {} to {}'.format(ATTR_CHECK_SYNTAX, 'on'))
topology_st.standalone.config.set(ATTR_INHERIT_GLOBAL, 'on')
topology_st.standalone.config.set(ATTR_CHECK_SYNTAX, 'on')
pwp = PwPolicyManager(topology_st.standalone)
policy = pwp.get_pwpolicy_entry(OU_PEOPLE)
policy.set('passwordMinLength', '9')
# Wait a second for cn=config to apply
time.sleep(1)
check_attr_val(topology_st.standalone, ATTR_INHERIT_GLOBAL, 'on')
check_attr_val(topology_st.standalone, ATTR_CHECK_SYNTAX, 'on')
log.info('Bind as test user')
topology_st.standalone.simple_bind_s(BN, PASSWORD)
users = UserAccounts(topology_st.standalone, OU_PEOPLE, rdn=None)
user_props = TEST_USER_PROPERTIES.copy()
log.info('Try to add user with a short password (<9)')
with pytest.raises(ldap.CONSTRAINT_VIOLATION):
user_props.update({'cn': 'test0', 'userpassword': '******'})
user = users.create(properties=user_props)
log.info('Try to add user with a long password (>9)')
user_props.update({'cn': 'test1', 'userpassword': '******'})
user = users.create(properties=user_props)
log.info('Bind as DM user')
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
# Remove test user 1
user.delete()
def set_local_policy(inst, basedn, log, args):
log = log.getChild('set_local_policy')
targetdn = args.DN[0]
pwp_manager = PwPolicyManager(inst)
attrs = _args_to_attrs(args, pwp_manager.arg_to_attr)
pwp_entry = pwp_manager.get_pwpolicy_entry(args.DN[0])
policy_type = _get_policy_type(inst, targetdn)
modlist = []
for attr, value in attrs.items():
modlist.append((attr, value))
if len(modlist) > 0:
pwp_entry.replace_many(*modlist)
else:
raise ValueError("There are no password policies to set")
print('Successfully updated %s' % policy_type.lower())
def _get_pw_policy(inst, targetdn, log, use_json=None):
pwp_manager = PwPolicyManager(inst)
policy_type = _get_policy_type(inst, targetdn)
attr_list = list(pwp_manager.arg_to_attr.values())
if "global" in policy_type.lower():
targetdn = 'cn=config'
policydn = targetdn
basedn = targetdn
attr_list.extend(['passwordisglobalpolicy', 'nsslapd-pwpolicy_local'])
all_attrs = inst.config.get_attrs_vals_utf8(attr_list)
attrs = {k: v for k, v in all_attrs.items() if len(v) > 0}
else:
policy = pwp_manager.get_pwpolicy_entry(targetdn)
basedn = policy.get_basedn()
policydn = policy.dn
all_attrs = policy.get_attrs_vals_utf8(attr_list)
attrs = {k: v for k, v in all_attrs.items() if len(v) > 0}
if use_json:
print(json.dumps({
"dn": ensure_str(policydn),
"targetdn": targetdn,
"type": "entry",
"pwp_type": policy_type,
"basedn": basedn,
"attrs": attrs}, indent=4))
else:
if "global" in policy_type.lower():
response = "Global Password Policy: cn=config\n------------------------------------\n"
else:
response = "Local {} Policy for \"{}\": {}\n------------------------------------\n".format(policy_type, targetdn, policydn)
for key, value in list(attrs.items()):
if len(value) == 0:
value = ""
else:
value = value[0]
response += "{}: {}\n".format(key, value)
print(response)
def test_pwd_min_age(topology_st, create_user, password_policy):
"""If we set passwordMinAge to some value, for example to 10, then it
should not allow the user to change the password within 10 seconds after
his previous change.
:id: 85b98516-8c82-45bd-b9ec-90bd1245e09c
:setup: Standalone instance, a test user,
password policy entries for a user and a subtree
:steps:
1. Set passwordMinAge to 10 on the user pwpolicy entry
2. Set passwordMinAge to 10 on the subtree pwpolicy entry
3. Set passwordMinAge to 10 on the cn=config entry
4. Bind as test user
5. Try to change the password two times in a row
6. Wait 12 seconds
7. Try to change the password
8. Clean up - change the password to default while bound as DM
:expectedresults:
1. passwordMinAge should be successfully set on the user pwpolicy entry
2. passwordMinAge should be successfully set on the subtree pwpolicy entry
3. passwordMinAge should be successfully set on the cn=config entry
4. Bind should be successful
5. The password should be successfully changed
6. 12 seconds have passed
7. Constraint Violation error should be raised
8. Operation should be successful
"""
num_seconds = '10'
users = UserAccounts(topology_st.standalone, OU_PEOPLE, rdn=None)
user = users.get(TEST_USER_NAME)
log.info('Set passwordminage to "{}" - {}'.format(num_seconds, OU_PEOPLE))
pwp = PwPolicyManager(topology_st.standalone)
subtree_policy = pwp.get_pwpolicy_entry(OU_PEOPLE)
subtree_policy.set('passwordminage', num_seconds)
log.info('Set passwordminage to "{}" - {}'.format(num_seconds,
TEST_USER_DN))
user_policy = pwp.get_pwpolicy_entry(TEST_USER_DN)
user_policy.set('passwordminage', num_seconds)
log.info('Set passwordminage to "{}" - {}'.format(num_seconds, DN_CONFIG))
topology_st.standalone.config.set('passwordminage', num_seconds)
time.sleep(1)
log.info('Bind as user and modify userPassword')
user.rebind(TEST_USER_PWD)
user.reset_password('new_pass')
time.sleep(1)
log.info(
'Bind as user and modify userPassword straight away after previous change'
)
user.rebind('new_pass')
with pytest.raises(ldap.CONSTRAINT_VIOLATION):
user.reset_password('new_new_pass')
log.info('Wait {} second'.format(int(num_seconds) + 2))
time.sleep(int(num_seconds) + 2)
try:
log.info('Bind as user and modify userPassword')
user.rebind('new_pass')
user.reset_password(TEST_USER_PWD)
except ldap.LDAPError as e:
log.error('Failed to change userpassword for {}: error {}'.format(
TEST_USER_DN, e.args[0]['info']))
raise e
finally:
log.info('Bind as DM')
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
user.reset_password(TEST_USER_PWD)