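 def test_0005_getent_homedirectory(self, multihost,
                                    backupsssdconf):
     """
     :title: misc: fallback_homedir returns '/'
      for empty home directories in passwd file
     :id: 69a6b54e-a8eb-4145-8554-c5e666d82276
     :customerscenario: True
     :bugzilla:
      https://bugzilla.redhat.com/show_bug.cgi?id=1660693
     :steps:
         1. Restart sssd on the client
         2. Add a posixAccount to LDAP whose homeDirectory is a
         single blank character
         3. Look the user up with 'getent passwd -s sss'
         4. Remove the LDAP entry again
     :expectedresults:
         1. Should succeed
         2. Should succeed
         3. The passwd line must not carry an empty home field (":/:")
         4. Should succeed
     """
     multihost.client[0].service_sssd('restart')
     ldap_uri = 'ldap://%s' % (multihost.master[0].sys_hostname)
     # Fixed Directory Manager credentials of the lab's LDAP instance.
     ds_rootdn = 'cn=Directory Manager'
     ds_rootpw = 'Secret123'
     ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
     # A blank homeDirectory is the exact condition the bug report is about.
     user_info = {'cn': 'user_exp4'.encode('utf-8'),
                  'objectClass': [b'top', b'person',
                                  b'inetOrgPerson',
                                  b'organizationalPerson',
                                  b'posixAccount'],
                  'sn': 'user_exp'.encode('utf-8'),
                  'uid': 'user_exp'.encode('utf-8'),
                  'userPassword': '******'.encode('utf-8'),
                  'homeDirectory': ' '.encode('utf-8'),
                  'uidNumber': '121012'.encode('utf-8'),
                  'gidNumber': '121012'.encode('utf-8'),
                  'loginShell': '/bin/bash'.encode('utf-8')}
     user_dn = 'uid=user_exp4,ou=People,dc=example,dc=test'
     (_, _) = ldap_inst.add_entry(user_info, user_dn)
     # NOTE(review): the lookup name is the cn (user_exp4), not the uid
     # (user_exp) -- presumably the domain maps ldap_user_name to cn;
     # confirm against the sssd.conf fixture.
     cmd_getent = "getent passwd -s sss user_exp4@example1"
     try:
         cmd = multihost.client[0].run_command(cmd_getent)
     finally:
         # Always drop the entry, so a failing lookup cannot leak the
         # user into the tests that run afterwards.
         ldap_inst.del_dn(user_dn)
     assert ":/:" not in cmd.stdout_text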
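 def test_nested_role_inactivated(self, multihost):
     """
     :title: Nested role has both the above roles and inactivated
     :id: 312e42c8-3045-11ec-88d4-845cf3eff344
     :steps:
         1. Add nested role and make it inactive
         2. Nested role has the managed role
         3. Nested role has the filtered role
         4. Activate the nested role again
     :expectedresults:
         1. Should succeed
         2. Members of the managed role cannot log in while locked
         3. Members of the filtered role cannot log in while locked
         4. Both users can log in again and are reported unlocked
     """
     clean_sys(multihost)
     client_e = multihost.client[0].ip
     master_e = multihost.master[0].ip
     ldap_uri = f'ldap://{master_e}'
     # Fixed Directory Manager credentials of the lab's LDAP instance.
     ds_rootdn = 'cn=Directory Manager'
     ds_rootpw = 'Secret123'
     ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
     # The nested role aggregates the filtered and the managed role, so a
     # lock on it has to reach the members of both.
     user_info = {
         'cn':
         'nested'.encode('utf-8'),
         'objectClass': [
             b'top', b'LdapSubEntry', b'nsRoleDefinition',
             b'nsComplexRoleDefinition', b'nsNestedRoleDefinition'
         ],
         'nsRoleDN': [
             b'cn=filtered,ou=people,'
             b'dc=example,dc=test', b'cn=managed,ou=people,'
             b'dc=example,dc=test'
         ]
     }
     user_dn = 'cn=nested,ou=People,dc=example,dc=test'
     (_, _) = ldap_inst.add_entry(user_info, user_dn)
     manage_user_roles(multihost, "cn=nested", "lock", "role")
     # While the role is locked, ssh must be refused for a member of each
     # of the two constituent roles.
     with pytest.raises(paramiko.ssh_exception.AuthenticationException):
         SSHClient(client_e, username="******", password="******")
     time.sleep(3)
     lock_check(multihost, "foo1")
     with pytest.raises(paramiko.ssh_exception.AuthenticationException):
         SSHClient(client_e, username="******", password="******")
     time.sleep(3)
     lock_check(multihost, "foo4")
     # Nested role has both the above roles and activated
     clean_sys(multihost)
     manage_user_roles(multihost, "cn=nested", "unlock", "role")
     # After unlocking, both logins must succeed again.
     ssh1 = SSHClient(client_e,
                      username="******",
                      password="******")
     ssh1.close()
     ssh1 = SSHClient(client_e,
                      username="******",
                      password="******")
     ssh1.close()
     # The sleeps presumably give sssd time to record the login outcome
     # before the log is inspected -- TODO confirm against lock_check.
     time.sleep(3)
     unlock_check(multihost, "foo1")
     unlock_check(multihost, "foo4")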
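    def enable_ssl(self, binduri, tls_port):
        """Enable TLS on the Directory Server and set its secure port.

        Four configuration changes are applied in order: nsTLS1=on under
        cn=encryption,cn=config, a cn=RSA encryption module naming the
        server certificate, nsslapd-security=on, and nsslapd-securePort.
        Each step is checked before the next one runs.

        Args:
            binduri (str): LDAP uri to bind with
            tls_port (str): TLS port to be setup

        Returns:
            bool: True once all four steps have been accepted

        Raises:
            LdapException: if the server rejects any of the steps; the
                message carries the return value reported by the server
        """
        ldap_obj = LdapOperations(uri=binduri,
                                  binddn=self.dsrootdn,
                                  bindpw=self.dsrootdn_pwd)
        # Enable TLS.  nsTLS1 is the server-wide on/off switch; the minimum
        # protocol version is governed by a separate attribute
        # (sslVersionMin) that this method leaves at the server default.
        mod_dn1 = 'cn=encryption,cn=config'
        add_tls = [(ldap.MOD_ADD, 'nsTLS1', 'on')]
        (ret, return_value) = ldap_obj.modify_ldap(mod_dn1, add_tls)
        if not return_value:
            raise LdapException('fail to enable TLS, Error:%s' % (ret))
        print('Enabled nsTLS1=on')

        # Point the RSA module at the server certificate.  The nickname is
        # derived from the instance host; a certificate under that name is
        # assumed to exist in the instance's NSS database already -- TODO
        # confirm with the caller that sets up the certificate.
        entry1 = {
            'objectClass': ['top', 'nsEncryptionModule'],
            'cn': 'RSA',
            'nsSSLtoken': 'internal (software)',
            'nsSSLPersonalitySSL': 'Server-Cert-%s' % (self.dsinstance_host),
            'nsSSLActivation': 'on'
        }
        dn1 = 'cn=RSA,cn=encryption,cn=config'
        (ret, return_value) = ldap_obj.add_entry(entry1, dn1)
        if not return_value:
            raise LdapException('fail to set Server-Cert nick:%s' % (ret))
        print('Enabled Server-Cert nick')

        # Enable security
        mod_dn2 = 'cn=config'
        enable_security = [(ldap.MOD_REPLACE, 'nsslapd-security', 'on')]
        (ret, return_value) = ldap_obj.modify_ldap(mod_dn2, enable_security)
        if not return_value:
            raise LdapException('fail to enable nsslapd-security, Error:%s' %
                                (ret))
        print('Enabled nsslapd-security')

        # set the appropriate TLS port
        mod_dn3 = 'cn=config'
        enable_ssl_port = [(ldap.MOD_REPLACE, 'nsslapd-securePort',
                            str(tls_port))]
        (ret, return_value) = ldap_obj.modify_ldap(mod_dn3, enable_ssl_port)
        if not return_value:
            raise LdapException('fail to set nsslapd-securePort, Error:%s' %
                                (ret))
        print('Enabled nsslapd-securePort=%r' % tls_port)
        # The docstring always promised a bool; make the success path
        # actually return it.
        return True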
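 def test_two_automount_maps(self, multihost, backupsssdconf):
     """
     :title: Automount sssd issue when 2 maps have same key in
      different case
     :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1873715
     :id: d28e6eec-ac9f-11eb-b0f5-002b677efe14
     :customerscenario: true
     :steps:
         1. Configure SSSD with autofs, automountMap,
         automount, automountInformation
         2. Add 2 automount entries in LDAP with
         same key ( cn: MIT and cn: mit)
         3. We should have the 2 automounts working
     :expectedresults:
         1. Should succeed
         2. Should succeed
         3. Should succeed
     """
     client = sssdTools(multihost.client[0])
     domain_name = client.get_domain_section_name()
     # The autofs responder has to run next to nss and pam.
     client.sssd_conf('sssd', {'services': 'nss, pam, autofs'})
     domain_params = {
         'ldap_autofs_map_object_class': 'automountMap',
         'ldap_autofs_map_name': 'ou',
         'ldap_autofs_entry_object_class': 'automount',
         'ldap_autofs_entry_key': 'cn',
         'ldap_autofs_entry_value': 'automountInformation'
     }
     client.sssd_conf(f'domain/{domain_name}', domain_params)
     multihost.client[0].service_sssd('restart')
     share_list = ['/export', '/export1', '/export2']
     nfs_server_ip = multihost.master[0].ip
     client_ip = multihost.client[0].ip
     server = sssdTools(multihost.master[0])
     # Keep a copy of /etc/exports; it is put back in the finally block.
     bkup = 'cp -af /etc/exports /etc/exports.backup'
     multihost.master[0].run_command(bkup)
     server.export_nfs_fs(share_list, client_ip)
     # Drop any fsid=0 option from the exports before the server starts.
     search = multihost.master[0].run_command("grep 'fsid=0' "
                                              "/etc/exports")
     if search.returncode == 0:
         multihost.master[0].run_command("sed -i 's/,fsid=0//g' "
                                         "/etc/exports")
     start_nfs = 'systemctl start nfs-server'
     multihost.master[0].run_command(start_nfs)
     ldap_uri = 'ldap://%s' % (multihost.master[0].sys_hostname)
     # Fixed Directory Manager credentials of the lab's LDAP instance.
     ds_rootdn = 'cn=Directory Manager'
     ds_rootpw = 'Secret123'
     ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
     # Entries in creation order: the three maps, then the master map
     # entries, then the two same-key entries ("MIT" -> export1,
     # "mit" -> export2) under auto.home.
     entries = [
         (f'ou={ou_ou},dc=example,dc=test',
          {'ou': f'{ou_ou}'.encode('utf-8'),
           'objectClass': [b'top', b'automountMap']})
         for ou_ou in ['auto.master', 'auto.direct', 'auto.home']
     ]
     entries += [
         ('cn=/-,ou=auto.master,dc=example,dc=test',
          {'cn': '/-'.encode('utf-8'),
           'objectClass': [b'top', b'automount'],
           'automountInformation': 'auto.direct'.encode('utf-8')}),
         ('cn=/home,ou=auto.master,dc=example,dc=test',
          {'cn': '/home'.encode('utf-8'),
           'objectClass': [b'top', b'automount'],
           'automountInformation': 'auto.home'.encode('utf-8')}),
         (f'automountinformation={nfs_server_ip}:/export1,'
          f'ou=auto.home,dc=example,dc=test',
          {'cn': 'MIT'.encode('utf-8'),
           'objectClass': [b'top', b'automount']}),
         (f'automountinformation={nfs_server_ip}:/export2,'
          f'ou=auto.home,dc=example,dc=test',
          {'cn': 'mit'.encode('utf-8'),
           'objectClass': [b'top', b'automount']}),
     ]
     added_dns = []
     try:
         for entry_dn, entry_info in entries:
             (_, _) = ldap_inst.add_entry(entry_info, entry_dn)
             added_dns.append(entry_dn)
         # Cold start: clear the sssd cache and logs so stale map data
         # from an earlier run cannot hide the bug.
         multihost.client[0].run_command("systemctl stop sssd ; "
                                         "rm -rf /var/log/sssd/* ; "
                                         "rm -rf /var/lib/sss/db/* ; "
                                         "systemctl start sssd")
         multihost.client[0].run_command("systemctl restart autofs")
         multihost.client[0].run_command("automount -m")
         # Marker files reveal which share sits behind each mount point.
         multihost.master[0].run_command("touch /export1/export1")
         multihost.master[0].run_command("touch /export2/export2")
         time.sleep(2)
         upper_listing = multihost.client[0].run_command("ls /home/MIT")
         lower_listing = multihost.client[0].run_command("ls /home/mit")
         assert 'export1' in upper_listing.stdout_text
         assert 'export2' in lower_listing.stdout_text
     finally:
         # Undo the NFS and LDAP setup even when a command or assertion
         # fails, so later tests start from a clean master.
         restore = 'cp -af /etc/exports.backup /etc/exports'
         multihost.master[0].run_command(restore)
         stop_nfs = 'systemctl stop nfs-server'
         multihost.master[0].run_command(stop_nfs)
         # Children before their parent maps.  The bound LdapOperations
         # handle is used instead of a shell ldapdelete, which would put
         # the rootdn password on the master's command line.
         for dn_dn in reversed(added_dns):
             ldap_inst.del_dn(dn_dn)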
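    def test_0006_getent_group(self, multihost, backupsssdconf,
                               delete_groups_users):
        """
        :title: 'getent group ldapgroupname' doesn't
         show any LDAP users or some LDAP users when
         'rfc2307bis' schema is used with SSSD
        :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1817122
        :id: dc81bb8e-72c0-11eb-9eae-002b677efe14
        :customerscenario: true
        :steps:
            1. Configure SSSD with id_provider = ldap and
            set ldap_schema = rfc2307bis
            2. Add necessary users and groups with uniqueMember.
            3. Check 'getent group ldapgroupname' output.
        :expectedresults:
            1. Should succeed
            2. Should succeed
            3. 'getent group ldapgroupname' should show
            all it's member ldapusers.
        """
        client = sssdTools(multihost.client[0])
        domain_name = client.get_domain_section_name()
        domain_params = {
            'ldap_schema': 'rfc2307bis',
            'ldap_group_member': 'uniquemember'
        }
        client.sssd_conf(f'domain/{domain_name}', domain_params)
        multihost.client[0].service_sssd('restart')
        ldap_uri = 'ldap://%s' % (multihost.master[0].sys_hostname)
        # Fixed Directory Manager credentials of the lab's LDAP instance.
        ds_rootdn = 'cn=Directory Manager'
        ds_rootpw = 'Secret123'
        ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
        # Organizational units, parents before children so each add has
        # an existing parent.
        ou_entries = [
            ('Unit1', 'ou=Unit1,dc=example,dc=test'),
            ('Unit2', 'ou=Unit2,ou=Unit1,dc=example,dc=test'),
            ('users', 'ou=users,ou=Unit2,ou=Unit1,dc=example,dc=test'),
            ('posix_groups',
             'ou=posix_groups,ou=Unit2,ou=Unit1,dc=example,dc=test'),
            ('netgroups', 'ou=netgroups,dc=example,dc=test'),
            ('services', 'ou=services,dc=example,dc=test'),
            ('sudoers', 'ou=sudoers,dc=example,dc=test'),
        ]
        for ou_name, ou_dn in ou_entries:
            ou_info = {
                'ou': ou_name.encode('utf-8'),
                'objectClass': [b'top', b'organizationalUnit']
            }
            (_, _) = ldap_inst.add_entry(ou_info, ou_dn)
        # Eight posix users, each with its own primary group id.
        for i in range(1, 9):
            user_info = {
                'cn': f'user-{i}'.encode('utf-8'),
                'objectClass': [b'top', b'posixAccount'],
                'uid': f'user-{i}'.encode('utf-8'),
                'uidNumber': f'1111{i}'.encode('utf-8'),
                'gidNumber': f'1111{i}'.encode('utf-8'),
                'homeDirectory': f'/home/user-{i}'.encode('utf-8')
            }
            user_dn = f'cn=user-{i},ou=users,ou=Unit2,' \
                      f'ou=Unit1,dc=example,dc=test'
            (_, _) = ldap_inst.add_entry(user_info, user_dn)
        # Matching user-private groups for the primary gids above.
        for i in range(1, 9):
            group_info = {
                'cn': f'user-{i}'.encode('utf-8'),
                'objectClass': [b'top', b'posixGroup'],
                'gidNumber': f'1111{i}'.encode('utf-8')
            }
            group_dn = f'cn=user-{i},ou=posix_groups,' \
                       f'ou=Unit2,ou=Unit1,dc=example,dc=test'
            (_, _) = ldap_inst.add_entry(group_info, group_dn)
        # Two rfc2307bis groups: group-1 holds the odd users, group-2 the
        # even ones.  Membership is expressed with uniqueMember, which is
        # the attribute sssd was told to use above.
        member_dn = 'cn=user-%d,ou=users,ou=unit2,ou=unit1,dc=example,dc=test'
        rfc_groups = [
            ('group-1', '20001', (1, 3, 5, 7)),
            ('group-2', '20002', (2, 4, 6, 8)),
        ]
        for group_name, gid, members in rfc_groups:
            group_info = {
                'cn': group_name.encode('utf-8'),
                'objectClass': [b'top', b'posixGroup', b'groupOfUniqueNames'],
                'gidNumber': gid.encode('utf-8'),
                'uniqueMember': [
                    (member_dn % m).encode('utf-8') for m in members
                ]
            }
            group_dn = f'cn={group_name},ou=posix_groups,ou=Unit2,' \
                       f'ou=Unit1,dc=example,dc=test'
            (_, _) = ldap_inst.add_entry(group_info, group_dn)
        # Cleanup of the users and groups is presumably handled by the
        # delete_groups_users fixture -- confirm in conftest.
        time.sleep(3)
        cmd = multihost.client[0].run_command("getent group "
                                              "group-2@example1")
        # The bug dropped members from the group line; all four must show.
        assert "group-2@example1:*:20002:user-2@example1," \
               "user-4@example1,user-6@example1," \
               "user-8@example1" in cmd.stdout_text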