def test_mapping_tree_flipped_components(topology):
inst = topology.standalone
# First create two Backends, without mapping trees.
be1 = create_backend(inst, 'userRootA', 'dc=example,dc=com')
be2 = create_backend(inst, 'userRootB', 'dc=com,dc=example')
# Okay, now we create the mapping trees for these backends, and we *invert* them in the parent config setting
mts = MappingTrees(inst)
mtb = mts.create(
properties={
'cn': 'dc=example,dc=com',
'nsslapd-state': 'backend',
'nsslapd-backend': 'userRootA',
})
mta = mts.create(
properties={
'cn': 'dc=com,dc=example',
'nsslapd-state': 'backend',
'nsslapd-backend': 'userRootB',
})
dc_ex = Domain(inst, dn='dc=example,dc=com')
assert dc_ex.exists()
dc_ab = Domain(inst, dn='dc=com,dc=example')
assert dc_ab.exists()
# Restart and check again
inst.restart()
assert dc_ex.exists()
assert dc_ab.exists()
def test_mapping_tree_mixed_length(topology):
inst = topology.standalone
# First create two Backends, without mapping trees.
be1 = create_backend(inst, 'userRootA', 'dc=myserver')
be1 = create_backend(inst, 'userRootB', 'dc=m')
be1 = create_backend(inst, 'userRootC', 'dc=a,dc=b,dc=c,dc=d,dc=e')
be1 = create_backend(inst, 'userRootD', 'dc=example,dc=com')
be1 = create_backend(inst, 'userRootE', 'dc=myldap')
mts = MappingTrees(inst)
mts.create(
properties={
'cn': 'dc=myserver',
'nsslapd-state': 'backend',
'nsslapd-backend': 'userRootA',
})
mts.create(properties={
'cn': 'dc=m',
'nsslapd-state': 'backend',
'nsslapd-backend': 'userRootB',
})
mts.create(
properties={
'cn': 'dc=a,dc=b,dc=c,dc=d,dc=e',
'nsslapd-state': 'backend',
'nsslapd-backend': 'userRootC',
})
mts.create(
properties={
'cn': 'dc=example,dc=com',
'nsslapd-state': 'backend',
'nsslapd-backend': 'userRootD',
})
mts.create(
properties={
'cn': 'dc=myldap',
'nsslapd-state': 'backend',
'nsslapd-backend': 'userRootE',
})
dc_a = Domain(inst, dn='dc=myserver')
assert dc_a.exists()
dc_b = Domain(inst, dn='dc=m')
assert dc_b.exists()
dc_c = Domain(inst, dn='dc=a,dc=b,dc=c,dc=d,dc=e')
assert dc_c.exists()
dc_d = Domain(inst, dn='dc=example,dc=com')
assert dc_d.exists()
dc_e = Domain(inst, dn='dc=myldap')
assert dc_e.exists()
inst.restart()
assert dc_a.exists()
assert dc_b.exists()
assert dc_c.exists()
assert dc_d.exists()
assert dc_e.exists()
def test_mapping_tree_inverted(topology):
"""Test the results of an inverted parent suffix definition in the configuration.
For more details see:
https://www.port389.org/docs/389ds/design/mapping_tree_assembly.html
:id: 024c4960-3aac-4d05-bc51-963dfdeb16ca
:setup: Standalone instance (no backends)
:steps:
1. Add two backends without mapping trees.
2. Add the mapping trees with inverted parent-suffix definitions.
3. Attempt to search the definitions
:expectedresults:
1. Success
2. Success
3. The search suceed and can see validly arranged entries.
"""
inst = topology.standalone
# First create two Backends, without mapping trees.
be1 = create_backend(inst, 'userRootA', 'dc=example,dc=com')
be2 = create_backend(inst, 'userRootB', 'dc=straya,dc=example,dc=com')
# Okay, now we create the mapping trees for these backends, and we *invert* them in the parent config setting
mts = MappingTrees(inst)
mtb = mts.create(
properties={
'cn': 'dc=straya,dc=example,dc=com',
'nsslapd-state': 'backend',
'nsslapd-backend': 'userRootB',
})
mta = mts.create(
properties={
'cn': 'dc=example,dc=com',
'nsslapd-state': 'backend',
'nsslapd-backend': 'userRootA',
'nsslapd-parent-suffix': 'dc=straya,dc=example,dc=com'
})
dc_ex = Domain(inst, dn='dc=example,dc=com')
assert dc_ex.exists()
dc_st = Domain(inst, dn='dc=straya,dc=example,dc=com')
assert dc_st.exists()
# Restart and check again
inst.restart()
assert dc_ex.exists()
assert dc_st.exists()
def test_mapping_tree_nonexist_parent(topology):
"""Test a backend whos mapping tree definition has a non-existant parent-suffix
For more details see:
https://www.port389.org/docs/389ds/design/mapping_tree_assembly.html
:id: 7a9a09bd-7604-48f7-93cb-abff9e0d0131
:setup: Standalone instance (no backends)
:steps:
1. Add one backend without mapping tree
2. Configure the mapping tree with a non-existant parent suffix
3. Attempt to search the backend
:expectedresults:
1. Success
2. Success
3. The search suceed and can see validly entries.
"""
inst = topology.standalone
be1 = create_backend(inst, 'userRootC', 'dc=test,dc=com')
mts = MappingTrees(inst)
mta = mts.create(
properties={
'cn': 'dc=test,dc=com',
'nsslapd-state': 'backend',
'nsslapd-backend': 'userRootC',
'nsslapd-parent-suffix': 'dc=com'
})
# In this case the MT is never joined properly to the hierachy because the parent suffix
# doesn't exist. The config is effectively ignored. That means that it can't be searched!
dc_ex = Domain(inst, dn='dc=test,dc=com')
assert dc_ex.exists()
# Restart and check again.
inst.restart()
assert dc_ex.exists()
def test_chaining_paged_search(topology):
""" Check that when the chaining target has anonymous access
disabled that the ping still functions and allows the search
to continue with an appropriate bind user.
:id: 00bf31db-d93b-4224-8e70-86abb2d4cd17
:setup: Two standalones in chaining.
:steps:
1. Configure chaining between the nodes
2. Do a chaining search (w anon allow) to assert it works
3. Configure anon dis allowed on st2
4. Restart both
5. Check search still works
:expectedresults:
1. Success
2. Success
3. Success
4. Success
5. Success
"""
st1 = topology.ins["standalone1"]
st2 = topology.ins["standalone2"]
### We setup so that st1 -> st2
# Setup a chaining user on st2 to authenticate to.
sa = ServiceAccounts(st2, DEFAULT_SUFFIX).create(properties = {
'cn': 'sa',
'userPassword': PW
})
# Add a proxy user.
sproxy = ServiceAccounts(st2, DEFAULT_SUFFIX).create(properties = {
'cn': 'proxy',
'userPassword': PW
})
# Add the read and proxy ACI
dc = Domain(st2, DEFAULT_SUFFIX)
dc.add('aci',
f"""(targetattr="objectClass || cn || uid")(version 3.0; acl "Enable sa read"; allow (read, search, compare)(userdn="ldap:///{sa.dn}");)"""
)
# Add the proxy ACI
dc.add('aci',
f"""(targetattr="*")(version 3.0; acl "Enable proxy access"; allow (proxy)(userdn="ldap:///{sproxy.dn}");)"""
)
# Clear all the BE in st1
bes1 = Backends(st1)
for be in bes1.list():
be.delete()
# Setup st1 to chain to st2
chain_plugin_1 = ChainingBackendPlugin(st1)
chain_plugin_1.enable()
# Chain with the proxy user.
chains = ChainingLinks(st1)
chain = chains.create(properties={
'cn': 'demochain',
'nsfarmserverurl': st2.toLDAPURL(),
'nsslapd-suffix': DEFAULT_SUFFIX,
'nsmultiplexorbinddn': sproxy.dn,
'nsmultiplexorcredentials': PW,
'nsCheckLocalACI': 'on',
'nsConnectionLife': '30',
})
mts = MappingTrees(st1)
# Due to a bug in lib389, we need to delete and recreate the mt.
for mt in mts.list():
mt.delete()
mts.ensure_state(properties={
'cn': DEFAULT_SUFFIX,
'nsslapd-state': 'backend',
'nsslapd-backend': 'demochain',
'nsslapd-distribution-plugin': 'libreplication-plugin',
'nsslapd-distribution-funct': 'repl_chain_on_update',
})
# Enable pwpolicy (Not sure if part of the issue).
st1.config.set('passwordIsGlobalPolicy', 'on')
st2.config.set('passwordIsGlobalPolicy', 'on')
# Restart to enable everything.
st1.restart()
# Get a proxy auth connection.
sa1 = ServiceAccount(st1, sa.dn)
sa1_conn = sa1.bind(password=PW)
# Now do a search from st1 -> st2
sa1_dc = Domain(sa1_conn, DEFAULT_SUFFIX)
assert sa1_dc.exists()
# Now on st2 disable anonymous access.
st2.config.set('nsslapd-allow-anonymous-access', 'rootdse')
# Stop st2 to force the connection to be dead.
st2.stop()
# Restart st1 - this means it must re-do the ping/keepalive.
st1.restart()
# do a bind - this should fail, and forces the conn offline.
with pytest.raises(ldap.OPERATIONS_ERROR):
sa1.bind(password=PW)
# Allow time to attach lldb if needed.
# print("🔥🔥🔥")
# time.sleep(45)
# Bring st2 online.
st2.start()
# Wait a bit
time.sleep(5)
# Get a proxy auth connection (again)
sa1_conn = sa1.bind(password=PW)
# Now do a search from st1 -> st2
sa1_dc = Domain(sa1_conn, DEFAULT_SUFFIX)
assert sa1_dc.exists()
