def scenario(self, node="clickhouse1"):
    """Check that users can be authenticated against more than one LDAP server.

    Two servers are configured side by side: ``openldap1`` over plain LDAP on
    389 and ``openldap2`` over TLS on 636. One user is then logged in against
    each of them.

    Parameters:
        node: name of the cluster node that receives the LDAP configuration;
            it is also stored on ``self.context.node`` for the helpers.
    """
    cluster = self.context.cluster
    self.context.node = cluster.node(node)

    ldap_servers = {
        "openldap1": dict(
            host="openldap1",
            port="389",
            enable_tls="no",
            auth_dn_prefix="cn=",
            auth_dn_suffix=",ou=users,dc=company,dc=com",
        ),
        "openldap2": dict(
            host="openldap2",
            port="636",
            enable_tls="yes",
            auth_dn_prefix="cn=",
            auth_dn_suffix=",ou=users,dc=company,dc=com",
            # NOTE(review): "never" presumably skips verification of the server
            # certificate (cf. tls_require_cert_default_demand below). Acceptable
            # for a throwaway test fixture, never for a production config.
            tls_require_cert="never",
        ),
    }
    accounts = [
        dict(server="openldap1", username="******", password="******", login=True),
        dict(server="openldap2", username="******", password="******", login=True),
    ]

    login(ldap_servers, *accounts)
def tls_enable_tls_default_yes(self):
    """Check that `enable_tls` defaults to `yes` when it is omitted.

    The server entry deliberately leaves out ``enable_tls`` (and ``port``);
    a successful login against the TLS-only ``openldap2`` host is the
    evidence that TLS was used by default.
    """
    ldap_servers = {
        "openldap2": dict(
            host="openldap2",
            # NOTE(review): presumably disables server certificate checking;
            # test-fixture only.
            tls_require_cert="never",
            auth_dn_prefix="cn=",
            auth_dn_suffix=",ou=users,dc=company,dc=com",
        )
    }
    accounts = [
        dict(server="openldap2", username="******", password="******", login=True),
    ]

    login(ldap_servers, *accounts)
def tls_require_cert_default_demand(self):
    """Check that `tls_require_cert` defaults to `demand` when it is omitted.

    Only ``enable_tls`` and the port are given; ``tls_require_cert`` is left
    unset so the login exercises the default (strict) certificate policy.
    """
    ldap_servers = {
        "openldap2": dict(
            host="openldap2",
            enable_tls="yes",
            port="636",
            auth_dn_prefix="cn=",
            auth_dn_suffix=",ou=users,dc=company,dc=com",
        )
    }
    accounts = [
        dict(server="openldap2", username="******", password="******", login=True),
    ]

    login(ldap_servers, *accounts)
def plain_text(self):
    """Check that LDAP user authentication works over a plain-text connection.

    ``enable_tls`` is explicitly ``no``. NOTE(review): with no TLS the bind
    credentials presumably cross the wire unencrypted; this is only
    appropriate inside the isolated test cluster.
    """
    ldap_servers = {
        "openldap1": dict(
            host="openldap1",
            enable_tls="no",
            auth_dn_prefix="cn=",
            auth_dn_suffix=",ou=users,dc=company,dc=com",
        )
    }
    accounts = [
        dict(server="openldap1", username="******", password="******", login=True),
    ]

    login(ldap_servers, *accounts)
def tls_connection(enable_tls, tls_require_cert):
    """Attempt an LDAP login over a TLS connection with the given settings.

    Parameters:
        enable_tls: value written to the server's ``enable_tls`` option.
        tls_require_cert: value written to ``tls_require_cert``. For
            ``never``/``allow``/``try``/``demand`` the matching requirement is
            attached to the example; any other value attaches none.
    """
    ldap_servers = {
        "openldap2": dict(
            host="openldap2",
            enable_tls=enable_tls,
            tls_require_cert=tls_require_cert,
            auth_dn_prefix="cn=",
            auth_dn_suffix=",ou=users,dc=company,dc=com",
        )
    }
    accounts = [
        dict(server="openldap2", username="******", password="******", login=True),
    ]

    # One requirement class per tls_require_cert option. Only the matching
    # class is instantiated, exactly as in an if/elif chain.
    requirement_by_option = {
        "never": RQ_SRS_007_LDAP_Configuration_Server_TLSRequireCert_Options_Never,
        "allow": RQ_SRS_007_LDAP_Configuration_Server_TLSRequireCert_Options_Allow,
        "try": RQ_SRS_007_LDAP_Configuration_Server_TLSRequireCert_Options_Try,
        "demand": RQ_SRS_007_LDAP_Configuration_Server_TLSRequireCert_Options_Demand,
    }
    requirement_cls = requirement_by_option.get(tls_require_cert)
    requirements = [] if requirement_cls is None else [requirement_cls("1.0")]

    with Example(name=f"tls_require_cert='{tls_require_cert}'", requirements=requirements):
        login(ldap_servers, *accounts)
def tls_with_custom_port(self):
    """Check that LDAP authentication over TLS works against a non-default port.

    ``openldap4`` listens on 6036; ``enable_tls`` is not set here, so the
    TLS default is relied upon (see tls_enable_tls_default_yes).
    """
    ldap_servers = {
        "openldap4": dict(
            host="openldap4",
            port="6036",
            # NOTE(review): presumably disables server certificate checking;
            # test-fixture only.
            tls_require_cert="never",
            auth_dn_prefix="cn=",
            auth_dn_suffix=",ou=users,dc=company,dc=com",
        )
    }
    accounts = [
        dict(server="openldap4", username="******", password="******", login=True),
    ]

    login(ldap_servers, *accounts)
def tls_cipher_suite(self):
    """Check that `tls_cipher_suite` can be used to restrict the allowed cipher suites.

    The priority string below pins TLS 1.2 and excludes the RSA, DHE-DSS and
    Camellia-CBC families; ``tls_minimum_protocol_version`` is set to match so
    the two options do not contradict each other.
    """
    cipher_priority = (
        "SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2"
        ":-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC"
    )
    ldap_servers = {
        "openldap4": dict(
            host="openldap4",
            port="6036",
            # NOTE(review): presumably disables server certificate checking;
            # test-fixture only.
            tls_require_cert="never",
            tls_cipher_suite=cipher_priority,
            tls_minimum_protocol_version="tls1.2",
            auth_dn_prefix="cn=",
            auth_dn_suffix=",ou=users,dc=company,dc=com",
        )
    }
    accounts = [
        dict(server="openldap4", username="******", password="******", login=True),
    ]

    login(ldap_servers, *accounts)
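def tls_minimum_protocol_version(self, version, exitcode, message):
    """Check that `tls_minimum_protocol_version` can be used to set the minimum
    SSL/TLS protocol version for the LDAP server connection.

    Parameters:
        version: value written to ``tls_minimum_protocol_version``.
        exitcode: expected client exit code (string or int), or None when no
            exit-code expectation should be passed to ``login``.
        message: expected text in the client output, passed through as-is.
    """
    servers = {
        "openldap4": {
            "host": "openldap4",
            "port": "6036",
            # NOTE(review): presumably disables server certificate checking;
            # test-fixture only.
            "tls_require_cert": "never",
            "tls_minimum_protocol_version": version,
            "auth_dn_prefix": "cn=",
            "auth_dn_suffix": ",ou=users,dc=company,dc=com",
        }
    }
    users = [{
        "server": "openldap4",
        "username": "******",
        "password": "******",
        "login": True,
        # exitcode arrives as a string from the example table; normalise it but
        # keep None distinct from 0 so `login` can tell "no expectation" apart.
        "exitcode": int(exitcode) if exitcode is not None else None,
        "message": message,
    }]
    # TODO: no negative case exists yet. An earlier attempt to force one by
    # raising `olcTLSProtocolMin` on openldap4 through ldapmodify (using the
    # cn=config admin credentials) did not make the login fail and was removed
    # along with the hard-coded admin password it carried; a server-side TLS
    # policy change is still the intended way to produce a failing example.
    login(servers, *users)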