def test_undefined_in_group_eval_three(topo, test_user, aci_of_user):
"""
This aci will allow access
:id: 04943dcc-7841-11e8-8c46-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Take a count of users using DN_DM
3. Add test user
4. add aci
5. test should fullfil the aci rules
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
4. Operation should succeed
5. Operation should succeed
"""
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) groupdn = "ldap:///{}\ || ldap:///{}";)'.format(GROUPG_GLOBAL, ALLGROUPS_GLOBAL))
conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
user = Domain(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
# test UNDEFINED in group
user.add("sn", "Fred")
assert UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL).get_attr_val_utf8('uid') == 'scratchEntry'
user.remove("sn", "Fred")
def test_local_password_policy(topo, _add_user):
"""Regression test for bz1044164 part 1.
:id: d6f4a7fa-473b-11ea-8766-8c16451d917b
:setup: Standalone
:steps:
1. Add a User as Password Admin
2. Create a password admin user entry
3. Add an aci to allow this user all rights
4. Configure password admin
5. Create local password policy and enable passwordmustchange
6. Add another generic user but do not include the password (userpassword)
7. Use admin user to perform a password update on generic user
8. We don't need this ACI anymore. Delete it
:expected results:
1. Success
2. Success
3. Success
4. Success
5. Success
6. Success
7. Success
8. Success
"""
# Add a User as Password Admin
# Create a password admin user entry
user = _create_user(topo, 'pwadm_admin_1', None)
user.replace('userpassword', 'Secret123')
domian = Domain(topo.standalone, DEFAULT_SUFFIX)
# Add an aci to allow this user all rights
domian.set(
"aci", f'(targetattr ="userpassword")'
f'(version 3.0;acl "Allow password admin to write user '
f'passwords";allow (write)(userdn = "ldap:///{user.dn}");)')
# Configure password admin
# Create local password policy and enable passwordmustchange
Config(topo.standalone).replace_many(('passwordAdminDN', user.dn),
('passwordMustChange', 'off'),
('nsslapd-pwpolicy-local', 'on'))
# Add another generic user but do not include the password (userpassword)
# Use admin user to perform a password update on generic user
real_user = UserAccount(topo.standalone,
f'uid=pwadm_admin_1,{DEFAULT_SUFFIX}')
conn = real_user.bind('Secret123')
UserAccount(conn, f'uid=pwadm_user_1,{DEFAULT_SUFFIX}').replace(
'userpassword', 'hello')
# We don't need this ACI anymore. Delete it
domian.remove(
"aci", f'(targetattr ="userpassword")'
f'(version 3.0;acl "Allow password admin to write user '
f'passwords";allow (write)(userdn = "ldap:///{user.dn}");)')
def test_mode_legacy_ger_with_moddn(topology_m2, moddn_setup):
"""This test checks mode legacy : GER with moddn
:id: 37c1e537-1b5d-4fab-b62a-50cd8c5b3493
:setup: MMR with two suppliers,
M1 - staging DIT
M2 - production DIT
add test accounts in staging DIT
:steps:
1. Disable ACI checks - set nsslapd-moddn-aci: off
2. Add moddn ACI on M1
3. Search for GER controls on M1
4. Check entryLevelRights value for entries
5. Check 'n' is in the entryLevelRights
6. Try MOD with the both ACI
:expectedresults:
1. It should pass
2. It should pass
3. It should pass
4. It should pass
5. It should pass
6. It should pass
"""
suffix = Domain(topology_m2.ms["supplier1"], SUFFIX)
topology_m2.ms["supplier1"].log.info("\n\n######## Disable the moddn aci mod ########\n")
_bind_manager(topology_m2)
topology_m2.ms["supplier1"].config.set(CONFIG_MODDN_ACI_ATTR, 'off')
topology_m2.ms["supplier1"].log.info("\n\n######## mode legacy : GER with moddn ########\n")
# being allowed to read/write the RDN attribute use to allow the RDN
ACI_TARGET = "(target = \"ldap:///%s\")(targetattr=\"uid\")" % (PRODUCTION_DN)
ACI_ALLOW = "(version 3.0; acl \"MODDN production changing the RDN attribute\"; allow (read,search,write)"
ACI_SUBJECT = " userdn = \"ldap:///%s\";)" % BIND_DN
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
# successful MOD with the ACI
_bind_manager(topology_m2)
suffix.add('aci', ACI_BODY)
_bind_normal(topology_m2)
request_ctrl = GetEffectiveRightsControl(criticality=True, authzId=ensure_bytes("dn: " + BIND_DN))
msg_id = topology_m2.ms["supplier1"].search_ext(PRODUCTION_DN,
ldap.SCOPE_SUBTREE,
"objectclass=*",
serverctrls=[request_ctrl])
rtype, rdata, rmsgid, response_ctrl = topology_m2.ms["supplier1"].result3(msg_id)
# ger={}
value = ''
for dn, attrs in rdata:
topology_m2.ms["supplier1"].log.info("dn: %s" % dn)
value = attrs['entryLevelRights'][0]
topology_m2.ms["supplier1"].log.info("######## entryLevelRights: %r" % value)
assert b'n' in value
# successful MOD with the both ACI
_bind_manager(topology_m2)
suffix.remove('aci', ACI_BODY)
def test_admin_group_to_modify_password(topo, _add_user):
"""Regression test for bz1044164 part 2.
:id: 12e09446-52da-11ea-aa11-8c16451d917b
:setup: Standalone
:steps:
1. Create unique members of admin group
2. Create admin group with unique members
3. Edit ACIs for admin group
4. Add group as password admin
5. Test password admin group to modify password of another admin user
6. Use admin user to perform a password update on Directory Manager user
7. Test password admin group for local password policy
8. Add top level container
9. Add user
10. Create local policy configuration entry
11. Adding admin group for local policy
12. Change user's password by admin user. Break the local policy rule
13. Test password admin group for global password policy
14. Add top level container
15. Change user's password by admin user. Break the global policy rule
16. Add new user in password admin group
17. Modify ordinary user's password
18. Modify user DN using modrdn of a user in password admin group
19. Test assigning invalid value to password admin attribute
20. Try to add more than one Password Admin attribute to config file
21. Use admin group setup from previous testcases, but delete ACI from that
22. Try to change user's password by admin user
23. Restore ACI
24. Edit ACIs for admin group
25. Delete a user from password admin group
26. Change users password by ex-admin user
27. Remove group from password admin configuration
28. Change admins
29. Change user's password by ex-admin user
30. Change admin user's password by ex-admin user
:expected results:
1. Success
2. Success
3. Success
4. Success
5. Success
6. Fail(ldap.INSUFFICIENT_ACCESS)
7. Success
8. Success
9. Success
10. Success
11. Success
12. Success
13. Success
14. Success
15. Success
16. Success
17. Success
18. Success
19. Fail
20. Fail
21. Success
22. Success
23. Success
24. Success
25. Success
26. Success
27. Success
28. Success
29. Fail
30. Fail
"""
# create unique members of admin group
admin_grp = UniqueGroups(topo.standalone, DEFAULT_SUFFIX).create(properties={
'cn': 'pwadm_group_adm',
'description': 'pwadm_group_adm',
'uniqueMember': [f'uid=pwadm_admin_2,ou=People,{DEFAULT_SUFFIX}',
f'uid=pwadm_admin_3,ou=People,{DEFAULT_SUFFIX}']
})
# Edit ACIs for admin group
Domain(topo.standalone,
f"ou=People,{DEFAULT_SUFFIX}").set('aci', f'(targetattr ="userpassword")'
f'(version 3.0;acl "Allow passwords admin to write user '
f'passwords";allow (write)(groupdn = "ldap:///{admin_grp.dn}");)')
# Add group as password admin
Config(topo.standalone).replace('passwordAdminDN', admin_grp.dn)
# Test password admin group to modify password of another admin user
change_password_of_user(topo, [
('uid=pwadm_admin_2,ou=People', 'Secret123', 'hello')],
f'uid=pwadm_admin_3,ou=people,{DEFAULT_SUFFIX}')
# Use admin user to perform a password update on Directory Manager user
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'hello')],
f'{DN_DM},{DEFAULT_SUFFIX}')
# Add top level container
ou = OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX).create(properties={'ou': 'pwadm_locpol'})
# Change user's password by admin user. Break the global policy rule
# Add new user in password admin group
user = _create_user(topo, 'pwadm_locpol_user', 'ou=pwadm_locpol')
user.replace('userpassword', 'Secret123')
# Create local policy configuration entry
_create_pwp(topo, ou.dn)
# Set parameter for pwp
for para_meter, op_op in [
('passwordLockout', 'on'),
('passwordMaxFailure', '4'),
('passwordLockoutDuration', '10'),
('passwordResetFailureCount', '100'),
('passwordMinLength', '8'),
('passwordAdminDN', f'cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}')]:
change_pwp_parameter(topo, 'ou=pwadm_locpol', para_meter, op_op)
# Set ACI
OrganizationalUnit(topo.standalone,
ou.dn).set('aci',
f'(targetattr ="userpassword")'
f'(version 3.0;acl "Allow passwords admin to write user '
f'passwords";allow (write)'
f'(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)')
# Change password with new admin
change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'Sec')], user.dn)
# Set global parameter
Config(topo.standalone).replace_many(
('passwordTrackUpdateTime', 'on'),
('passwordGraceLimit', '4'),
('passwordHistory', 'on'),
('passwordInHistory', '4'))
# Test password admin group for global password policy
change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'Sec')],
f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}')
# Adding admin group for local policy
grp = UniqueGroup(topo.standalone, f'cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}')
grp.add('uniqueMember', f'uid=pwadm_admin_4,ou=People,{DEFAULT_SUFFIX}')
# Modify ordinary user's password
change_password_of_user(topo, [('uid=pwadm_admin_4,ou=People', 'Secret123', 'Secret')],
f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}')
# Modify user DN using modrdn of a user in password admin group
UserAccount(topo.standalone, f'uid=pwadm_admin_4,ou=People,{DEFAULT_SUFFIX}').rename('uid=pwadm_admin_4_new')
# Remove admin
grp.remove('uniqueMember', f'uid=pwadm_admin_4,ou=People,{DEFAULT_SUFFIX}')
# Add Admin
grp.add('uniqueMember', f'uid=pwadm_admin_4_new,ou=People,{DEFAULT_SUFFIX}')
# Test the group pwp again
with pytest.raises(ldap.INVALID_CREDENTIALS):
change_password_of_user(topo, [(f'uid=pwadm_admin_4,ou=People', 'Secret123', 'Secret1')],
f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}')
change_password_of_user(topo, [(f'uid=pwadm_admin_4_new,ou=People', 'Secret123', 'Secret1')],
f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}')
with pytest.raises(ldap.INVALID_SYNTAX):
Config(topo.standalone).replace('passwordAdminDN', "Invalid")
# Test assigning invalid value to password admin attribute
# Try to add more than one Password Admin attribute to config file
with pytest.raises(ldap.OBJECT_CLASS_VIOLATION):
Config(topo.standalone).replace('passwordAdminDN',
[f'uid=pwadm_admin_2,ou=people,{DEFAULT_SUFFIX}',
f'uid=pwadm_admin_3,ou=people,{DEFAULT_SUFFIX}'])
# Use admin group setup from previous, but delete ACI from that
people = Domain(topo.standalone, f"ou=People,{DEFAULT_SUFFIX}")
people.remove('aci',
f'(targetattr ="userpassword")(version 3.0;acl '
f'"Allow passwords admin to write user '
f'passwords";allow (write)'
f'(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)')
# Try to change user's password by admin user
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'Sec')],
f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}')
# Restore ACI
people.set('aci',
f'(targetattr ="userpassword")(version 3.0;acl '
f'"Allow passwords admin to write user '
f'passwords";allow (write)(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)')
# Edit ACIs for admin group
people.add('aci',
f'(targetattr ="userpassword")(version 3.0;acl '
f'"Allow passwords admin to add user '
f'passwords";allow (add)(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)')
UserAccount(topo.standalone, f'uid=pwadm_user_2,ou=people,{DEFAULT_SUFFIX}').replace('userpassword', 'Secret')
real_user = UserAccount(topo.standalone, f'uid=pwadm_user_2,ou=people,{DEFAULT_SUFFIX}')
conn = real_user.bind('Secret')
# Test new aci
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
UserAccounts(conn, DEFAULT_SUFFIX, rdn='ou=People').create(properties={
'uid': 'ok',
'cn': 'ok',
'sn': 'ok',
'uidNumber': '1000',
'gidNumber': 'ok',
'homeDirectory': '/home/ok'})
UserAccounts(topo.standalone, DEFAULT_SUFFIX).list()
real_user = UserAccount(topo.standalone, f'uid=pwadm_admin_2,ou=People,{DEFAULT_SUFFIX}')
conn = real_user.bind('Secret123')
# Test new aci which has new rights
for uid, cn, password in [
('pwadm_user_3', 'pwadm_user_1', 'U2VjcmV0MTIzCg=='),
('pwadm_user_4', 'pwadm_user_2', 'U2VjcmV0MTIzCg==')]:
UserAccounts(conn, DEFAULT_SUFFIX, rdn='ou=People').create(properties={
'uid': uid,
'cn': cn,
'sn': cn,
'uidNumber': '1000',
'gidNumber': '1001',
'homeDirectory': f'/home/{uid}',
'userpassword': password})
# Remove ACI
Domain(topo.standalone,
f"ou=People,{DEFAULT_SUFFIX}").remove('aci',
f'(targetattr ="userpassword")'
f'(version 3.0;acl '
f'"Allow passwords admin to add user '
f'passwords";allow '
f'(add)(groupdn = '
f'"ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)')
# Delete a user from password admin group
grp = UniqueGroup(topo.standalone, f'cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}')
grp.remove('uniqueMember', f'uid=pwadm_admin_2,ou=People,{DEFAULT_SUFFIX}')
# Change users password by ex-admin user
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'Secret')],
f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}')
# Set aci for only user
people = Domain(topo.standalone, f"ou=People,{DEFAULT_SUFFIX}")
people.remove('aci',
f'(targetattr ="userpassword")(version 3.0;acl '
f'"Allow passwords admin to write user '
f'passwords";allow (write)(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)')
people.set('aci',
f'(targetattr ="userpassword")(version 3.0;acl "Allow passwords admin '
f'to write user passwords";allow (write)(groupdn = "ldap:///uid=pwadm_admin_1,{DEFAULT_SUFFIX}");)')
# Remove group from password admin configuration
Config(topo.standalone).replace('passwordAdminDN', f"uid=pwadm_admin_1,{DEFAULT_SUFFIX}")
# Change user's password by ex-admin user
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'hellso')],
f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}')
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'hellso')],
f'uid=pwadm_admin_1,{DEFAULT_SUFFIX}')
