def _write_aci_production(topology_m2, mod_type=None):
assert mod_type is not None
ACI_TARGET = "(targetattr= \"uid\")(target=\"ldap:///uid=*,%s\")" % PRODUCTION_DN
ACI_ALLOW = "(version 3.0; acl \"write production entries\"; allow (write)"
ACI_SUBJECT = " userdn = \"ldap:///%s\";)" % BIND_DN
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
suffix = Domain(topology_m2.ms["supplier1"], SUFFIX)
suffix.set('aci', ACI_BODY, mod_type)
def _write_aci_staging(topology_m2, mod_type=None):
assert mod_type is not None
ACI_TARGET = "(targetattr= \"uid\")(target=\"ldap:///uid=*,%s\")" % STAGING_DN
ACI_ALLOW = "(version 3.0; acl \"write staging entries\"; allow (write)"
ACI_SUBJECT = " userdn = \"ldap:///%s\";)" % BIND_DN
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
suffix = Domain(topology_m2.ms["master1"], SUFFIX)
suffix.set('aci', ACI_BODY, mod_type)
def _moddn_aci_from_production_to_staging(topology_m2, mod_type=None):
assert mod_type is not None
ACI_TARGET = "(target_from = \"ldap:///%s\") (target_to = \"ldap:///%s\")" % (
PRODUCTION_DN, STAGING_DN)
ACI_ALLOW = "(version 3.0; acl \"MODDN from production to staging\"; allow (moddn)"
ACI_SUBJECT = " userdn = \"ldap:///%s\";)" % BIND_DN
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
suffix = Domain(topology_m2.ms["supplier1"], SUFFIX)
suffix.set('aci', ACI_BODY, mod_type)
_write_aci_production(topology_m2, mod_type=mod_type)
def test_local_password_policy(topo, _add_user):
"""Regression test for bz1044164 part 1.
:id: d6f4a7fa-473b-11ea-8766-8c16451d917b
:setup: Standalone
:steps:
1. Add a User as Password Admin
2. Create a password admin user entry
3. Add an aci to allow this user all rights
4. Configure password admin
5. Create local password policy and enable passwordmustchange
6. Add another generic user but do not include the password (userpassword)
7. Use admin user to perform a password update on generic user
8. We don't need this ACI anymore. Delete it
:expected results:
1. Success
2. Success
3. Success
4. Success
5. Success
6. Success
7. Success
8. Success
"""
# Add a User as Password Admin
# Create a password admin user entry
user = _create_user(topo, 'pwadm_admin_1', None)
user.replace('userpassword', 'Secret123')
domian = Domain(topo.standalone, DEFAULT_SUFFIX)
# Add an aci to allow this user all rights
domian.set(
"aci", f'(targetattr ="userpassword")'
f'(version 3.0;acl "Allow password admin to write user '
f'passwords";allow (write)(userdn = "ldap:///{user.dn}");)')
# Configure password admin
# Create local password policy and enable passwordmustchange
Config(topo.standalone).replace_many(('passwordAdminDN', user.dn),
('passwordMustChange', 'off'),
('nsslapd-pwpolicy-local', 'on'))
# Add another generic user but do not include the password (userpassword)
# Use admin user to perform a password update on generic user
real_user = UserAccount(topo.standalone,
f'uid=pwadm_admin_1,{DEFAULT_SUFFIX}')
conn = real_user.bind('Secret123')
UserAccount(conn, f'uid=pwadm_user_1,{DEFAULT_SUFFIX}').replace(
'userpassword', 'hello')
# We don't need this ACI anymore. Delete it
domian.remove(
"aci", f'(targetattr ="userpassword")'
f'(version 3.0;acl "Allow password admin to write user '
f'passwords";allow (write)(userdn = "ldap:///{user.dn}");)')
def _moddn_aci_staging_to_production(topology_m2, mod_type=None,
target_from=STAGING_DN, target_to=PRODUCTION_DN):
assert mod_type is not None
ACI_TARGET_FROM = ""
ACI_TARGET_TO = ""
if target_from:
ACI_TARGET_FROM = "(target_from = \"ldap:///%s\")" % (target_from)
if target_to:
ACI_TARGET_TO = "(target_to = \"ldap:///%s\")" % (target_to)
ACI_ALLOW = "(version 3.0; acl \"MODDN from staging to production\"; allow (moddn)"
ACI_SUBJECT = " userdn = \"ldap:///%s\";)" % BIND_DN
ACI_BODY = ACI_TARGET_FROM + ACI_TARGET_TO + ACI_ALLOW + ACI_SUBJECT
suffix = Domain(topology_m2.ms["supplier1"], SUFFIX)
suffix.set('aci', ACI_BODY, mod_type)
_write_aci_staging(topology_m2, mod_type=mod_type)
def test_changes(topology):
"""Test the changes counter behaviour after making some changes
to the replicated suffix
"""
topology.supplier.log.info("\n\n##########\n### CHANGES\n##########")
ents = topology.supplier.agreement.list(suffix=SUFFIX,
consumer_host=topology.consumer.host,
consumer_port=topology.consumer.port)
assert len(ents) == 1
value = topology.supplier.agreement.changes(agmnt_dn=ents[0].dn)
topology.supplier.log.info("\ntest_changes: %d changes\n" % value)
assert value > 0
# Do an update
TEST_STRING = 'test_string'
supplier_domain = Domain(topology.supplier, SUFFIX)
consumer_domain = Domain(topology.consumer, SUFFIX)
supplier_domain.set('description', TEST_STRING)
# The update has been replicated
loop = 0
while loop <= 10:
if consumer_domain.present('description', TEST_STRING):
break
time.sleep(1)
loop += 1
assert loop <= 10
# Give a little time to update a change number on supplier
time.sleep(2)
# Check change number
newvalue = topology.supplier.agreement.changes(agmnt_dn=ents[0].dn)
topology.supplier.log.info("\ntest_changes: %d changes\n" % newvalue)
assert (value + 1) == newvalue
def finofaci():
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
domain.set('aci', None)
for i in aci_list:
domain.add("aci", i)
def test_multi_deny_aci(topo, aci_setup):
"""Test that mutliple deny rules work, and that they the cache properly
stores the result
:id: 294c366d-850e-459e-b5a0-3cc828ec3aca
:setup: Standalone Instance
:steps:
1. Add aci_list_A aci's and verify two searches on the same connection
behave the same
2. Add aci_list_B aci's and verify search fails as expected
:expectedresults:
1. Both searches do not return any entries
2. Seaches do not return any entries
"""
if DEBUGGING:
# Maybe add aci logging?
pass
suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
for run in range(2):
topo.standalone.log.info("Pass " + str(run + 1))
# Test ACI List A
topo.standalone.log.info("Testing two searches behave the same...")
topo.standalone.simple_bind_s(DN_DM, PASSWORD)
suffix.set('aci', aci_list_A, ldap.MOD_REPLACE)
time.sleep(1)
topo.standalone.simple_bind_s(BIND_DN, PASSWORD)
entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE,
SRCH_FILTER)
if entries and entries[0]:
topo.standalone.log.fatal(
"Incorrectly got an entry returned from search 1")
assert False
entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE,
SRCH_FILTER)
if entries and entries[0]:
topo.standalone.log.fatal(
"Incorrectly got an entry returned from search 2")
assert False
entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE,
SRCH_FILTER2)
if entries is None or len(entries) == 0:
topo.standalone.log.fatal("Failed to get entry as good user")
assert False
entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE,
SRCH_FILTER2)
if entries is None or len(entries) == 0:
topo.standalone.log.fatal("Failed to get entry as good user")
assert False
# Bind a different user who has rights
topo.standalone.simple_bind_s(BIND_DN2, PASSWORD)
entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE,
SRCH_FILTER2)
if entries is None or len(entries) == 0:
topo.standalone.log.fatal("Failed to get entry as good user")
assert False
entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE,
SRCH_FILTER2)
if entries is None or len(entries) == 0:
topo.standalone.log.fatal("Failed to get entry as good user (2)")
assert False
if run > 0:
# Second pass
topo.standalone.restart()
# Reset ACI's and do the second test
topo.standalone.log.info(
"Testing search does not return any entries...")
topo.standalone.simple_bind_s(DN_DM, PASSWORD)
suffix.set('aci', aci_list_B, ldap.MOD_REPLACE)
time.sleep(1)
topo.standalone.simple_bind_s(BIND_DN, PASSWORD)
entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE,
SRCH_FILTER)
if entries and entries[0]:
topo.standalone.log.fatal(
"Incorrectly got an entry returned from search 1")
assert False
entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE,
SRCH_FILTER)
if entries and entries[0]:
topo.standalone.log.fatal(
"Incorrectly got an entry returned from search 2")
assert False
if run > 0:
# Second pass
topo.standalone.restart()
# Bind as different user who has rights
topo.standalone.simple_bind_s(BIND_DN2, PASSWORD)
entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE,
SRCH_FILTER2)
if entries is None or len(entries) == 0:
topo.standalone.log.fatal("Failed to get entry as good user")
assert False
entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE,
SRCH_FILTER2)
if entries is None or len(entries) == 0:
topo.standalone.log.fatal("Failed to get entry as good user (2)")
assert False
entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE,
SRCH_FILTER)
if entries and entries[0]:
topo.standalone.log.fatal(
"Incorrectly got an entry returned from search 1")
assert False
entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE,
SRCH_FILTER)
if entries and entries[0]:
topo.standalone.log.fatal(
"Incorrectly got an entry returned from search 2")
assert False
# back to user 1
topo.standalone.simple_bind_s(BIND_DN, PASSWORD)
entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE,
SRCH_FILTER2)
if entries is None or len(entries) == 0:
topo.standalone.log.fatal("Failed to get entry as user1")
assert False
entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE,
SRCH_FILTER2)
if entries is None or len(entries) == 0:
topo.standalone.log.fatal("Failed to get entry as user1 (2)")
assert False
entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE,
SRCH_FILTER)
if entries and entries[0]:
topo.standalone.log.fatal(
"Incorrectly got an entry returned from search 1")
assert False
entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE,
SRCH_FILTER)
if entries and entries[0]:
topo.standalone.log.fatal(
"Incorrectly got an entry returned from search 2")
assert False
topo.standalone.log.info("Test PASSED")
def test_targattrfilters_keyword(topo):
"""
Testing the targattrfilters keyword that allows access control based on the value
of the attributes being added (or deleted))
"Bug #979515 - ACLs inoperative in some search scenarios [rhel-6.5]"
"Bug #979516 is a clone for DS8.2 on RHEL5.9"
"Bug #979514 is a clone for RHEL6.4 zStream errata"
:id:23f9e9d0-7aaa-11e8-b16b-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
domain.set('aci', None)
ou = OrganizationalUnit(topo.standalone, 'ou=bug979515,{}'.format(DEFAULT_SUFFIX))
ou.create(properties={'ou': 'bug979515'})
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", '(target="ldap:///ou=bug979515,{}") '
'(targetattr= "uid") ( version 3.0; acl "read other subscriber"; allow (compare, read, search) '
'userdn="ldap:///uid=*,ou=bug979515,{}" ; )'.format(DEFAULT_SUFFIX, DEFAULT_SUFFIX))
properties = {
'uid': 'acientryusr1',
'cn': 'acientryusr1',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'acientryusr1'
}
user = UserAccount(topo.standalone, 'cn=acientryusr1,ou=bug979515,{}'.format(DEFAULT_SUFFIX))
user.create(properties=properties)
user.set('telephoneNumber', '99972566596')
user.set('mail', '*****@*****.**')
user.set("userPassword", "password")
properties = {
'uid': 'newaciphoneusr1',
'cn': 'newaciphoneusr1',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'newaciphoneusr1'
}
user = UserAccount(topo.standalone, 'cn=newaciphoneusr1,ou=bug979515,{}'.format(DEFAULT_SUFFIX))
user.create(properties=properties)
user.set('telephoneNumber', '99972566596')
user.set('mail', '*****@*****.**')
conn = UserAccount(topo.standalone, "cn=acientryusr1,ou=bug979515,{}".format(DEFAULT_SUFFIX)).bind(PW_DM)
# Testing the targattrfilters keyword that allows access control based on the value of the attributes being added (or deleted))
user = UserAccount(conn, "cn=acientryusr1,ou=bug979515,{}".format(DEFAULT_SUFFIX))
with pytest.raises(IndexError):
user.get_attr_vals('mail')
user.get_attr_vals('telephoneNumber')
user.get_attr_vals('cn')
user = UserAccount(topo.standalone, "cn=acientryusr1,ou=bug979515,{}".format(DEFAULT_SUFFIX))
user.get_attr_vals('mail')
user.get_attr_vals('telephoneNumber')
user.get_attr_vals('cn')
def test_admin_group_to_modify_password(topo, _add_user):
"""Regression test for bz1044164 part 2.
:id: 12e09446-52da-11ea-aa11-8c16451d917b
:setup: Standalone
:steps:
1. Create unique members of admin group
2. Create admin group with unique members
3. Edit ACIs for admin group
4. Add group as password admin
5. Test password admin group to modify password of another admin user
6. Use admin user to perform a password update on Directory Manager user
7. Test password admin group for local password policy
8. Add top level container
9. Add user
10. Create local policy configuration entry
11. Adding admin group for local policy
12. Change user's password by admin user. Break the local policy rule
13. Test password admin group for global password policy
14. Add top level container
15. Change user's password by admin user. Break the global policy rule
16. Add new user in password admin group
17. Modify ordinary user's password
18. Modify user DN using modrdn of a user in password admin group
19. Test assigning invalid value to password admin attribute
20. Try to add more than one Password Admin attribute to config file
21. Use admin group setup from previous testcases, but delete ACI from that
22. Try to change user's password by admin user
23. Restore ACI
24. Edit ACIs for admin group
25. Delete a user from password admin group
26. Change users password by ex-admin user
27. Remove group from password admin configuration
28. Change admins
29. Change user's password by ex-admin user
30. Change admin user's password by ex-admin user
:expected results:
1. Success
2. Success
3. Success
4. Success
5. Success
6. Fail(ldap.INSUFFICIENT_ACCESS)
7. Success
8. Success
9. Success
10. Success
11. Success
12. Success
13. Success
14. Success
15. Success
16. Success
17. Success
18. Success
19. Fail
20. Fail
21. Success
22. Success
23. Success
24. Success
25. Success
26. Success
27. Success
28. Success
29. Fail
30. Fail
"""
# create unique members of admin group
admin_grp = UniqueGroups(topo.standalone, DEFAULT_SUFFIX).create(properties={
'cn': 'pwadm_group_adm',
'description': 'pwadm_group_adm',
'uniqueMember': [f'uid=pwadm_admin_2,ou=People,{DEFAULT_SUFFIX}',
f'uid=pwadm_admin_3,ou=People,{DEFAULT_SUFFIX}']
})
# Edit ACIs for admin group
Domain(topo.standalone,
f"ou=People,{DEFAULT_SUFFIX}").set('aci', f'(targetattr ="userpassword")'
f'(version 3.0;acl "Allow passwords admin to write user '
f'passwords";allow (write)(groupdn = "ldap:///{admin_grp.dn}");)')
# Add group as password admin
Config(topo.standalone).replace('passwordAdminDN', admin_grp.dn)
# Test password admin group to modify password of another admin user
change_password_of_user(topo, [
('uid=pwadm_admin_2,ou=People', 'Secret123', 'hello')],
f'uid=pwadm_admin_3,ou=people,{DEFAULT_SUFFIX}')
# Use admin user to perform a password update on Directory Manager user
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'hello')],
f'{DN_DM},{DEFAULT_SUFFIX}')
# Add top level container
ou = OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX).create(properties={'ou': 'pwadm_locpol'})
# Change user's password by admin user. Break the global policy rule
# Add new user in password admin group
user = _create_user(topo, 'pwadm_locpol_user', 'ou=pwadm_locpol')
user.replace('userpassword', 'Secret123')
# Create local policy configuration entry
_create_pwp(topo, ou.dn)
# Set parameter for pwp
for para_meter, op_op in [
('passwordLockout', 'on'),
('passwordMaxFailure', '4'),
('passwordLockoutDuration', '10'),
('passwordResetFailureCount', '100'),
('passwordMinLength', '8'),
('passwordAdminDN', f'cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}')]:
change_pwp_parameter(topo, 'ou=pwadm_locpol', para_meter, op_op)
# Set ACI
OrganizationalUnit(topo.standalone,
ou.dn).set('aci',
f'(targetattr ="userpassword")'
f'(version 3.0;acl "Allow passwords admin to write user '
f'passwords";allow (write)'
f'(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)')
# Change password with new admin
change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'Sec')], user.dn)
# Set global parameter
Config(topo.standalone).replace_many(
('passwordTrackUpdateTime', 'on'),
('passwordGraceLimit', '4'),
('passwordHistory', 'on'),
('passwordInHistory', '4'))
# Test password admin group for global password policy
change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'Sec')],
f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}')
# Adding admin group for local policy
grp = UniqueGroup(topo.standalone, f'cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}')
grp.add('uniqueMember', f'uid=pwadm_admin_4,ou=People,{DEFAULT_SUFFIX}')
# Modify ordinary user's password
change_password_of_user(topo, [('uid=pwadm_admin_4,ou=People', 'Secret123', 'Secret')],
f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}')
# Modify user DN using modrdn of a user in password admin group
UserAccount(topo.standalone, f'uid=pwadm_admin_4,ou=People,{DEFAULT_SUFFIX}').rename('uid=pwadm_admin_4_new')
# Remove admin
grp.remove('uniqueMember', f'uid=pwadm_admin_4,ou=People,{DEFAULT_SUFFIX}')
# Add Admin
grp.add('uniqueMember', f'uid=pwadm_admin_4_new,ou=People,{DEFAULT_SUFFIX}')
# Test the group pwp again
with pytest.raises(ldap.INVALID_CREDENTIALS):
change_password_of_user(topo, [(f'uid=pwadm_admin_4,ou=People', 'Secret123', 'Secret1')],
f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}')
change_password_of_user(topo, [(f'uid=pwadm_admin_4_new,ou=People', 'Secret123', 'Secret1')],
f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}')
with pytest.raises(ldap.INVALID_SYNTAX):
Config(topo.standalone).replace('passwordAdminDN', "Invalid")
# Test assigning invalid value to password admin attribute
# Try to add more than one Password Admin attribute to config file
with pytest.raises(ldap.OBJECT_CLASS_VIOLATION):
Config(topo.standalone).replace('passwordAdminDN',
[f'uid=pwadm_admin_2,ou=people,{DEFAULT_SUFFIX}',
f'uid=pwadm_admin_3,ou=people,{DEFAULT_SUFFIX}'])
# Use admin group setup from previous, but delete ACI from that
people = Domain(topo.standalone, f"ou=People,{DEFAULT_SUFFIX}")
people.remove('aci',
f'(targetattr ="userpassword")(version 3.0;acl '
f'"Allow passwords admin to write user '
f'passwords";allow (write)'
f'(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)')
# Try to change user's password by admin user
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'Sec')],
f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}')
# Restore ACI
people.set('aci',
f'(targetattr ="userpassword")(version 3.0;acl '
f'"Allow passwords admin to write user '
f'passwords";allow (write)(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)')
# Edit ACIs for admin group
people.add('aci',
f'(targetattr ="userpassword")(version 3.0;acl '
f'"Allow passwords admin to add user '
f'passwords";allow (add)(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)')
UserAccount(topo.standalone, f'uid=pwadm_user_2,ou=people,{DEFAULT_SUFFIX}').replace('userpassword', 'Secret')
real_user = UserAccount(topo.standalone, f'uid=pwadm_user_2,ou=people,{DEFAULT_SUFFIX}')
conn = real_user.bind('Secret')
# Test new aci
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
UserAccounts(conn, DEFAULT_SUFFIX, rdn='ou=People').create(properties={
'uid': 'ok',
'cn': 'ok',
'sn': 'ok',
'uidNumber': '1000',
'gidNumber': 'ok',
'homeDirectory': '/home/ok'})
UserAccounts(topo.standalone, DEFAULT_SUFFIX).list()
real_user = UserAccount(topo.standalone, f'uid=pwadm_admin_2,ou=People,{DEFAULT_SUFFIX}')
conn = real_user.bind('Secret123')
# Test new aci which has new rights
for uid, cn, password in [
('pwadm_user_3', 'pwadm_user_1', 'U2VjcmV0MTIzCg=='),
('pwadm_user_4', 'pwadm_user_2', 'U2VjcmV0MTIzCg==')]:
UserAccounts(conn, DEFAULT_SUFFIX, rdn='ou=People').create(properties={
'uid': uid,
'cn': cn,
'sn': cn,
'uidNumber': '1000',
'gidNumber': '1001',
'homeDirectory': f'/home/{uid}',
'userpassword': password})
# Remove ACI
Domain(topo.standalone,
f"ou=People,{DEFAULT_SUFFIX}").remove('aci',
f'(targetattr ="userpassword")'
f'(version 3.0;acl '
f'"Allow passwords admin to add user '
f'passwords";allow '
f'(add)(groupdn = '
f'"ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)')
# Delete a user from password admin group
grp = UniqueGroup(topo.standalone, f'cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}')
grp.remove('uniqueMember', f'uid=pwadm_admin_2,ou=People,{DEFAULT_SUFFIX}')
# Change users password by ex-admin user
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'Secret')],
f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}')
# Set aci for only user
people = Domain(topo.standalone, f"ou=People,{DEFAULT_SUFFIX}")
people.remove('aci',
f'(targetattr ="userpassword")(version 3.0;acl '
f'"Allow passwords admin to write user '
f'passwords";allow (write)(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)')
people.set('aci',
f'(targetattr ="userpassword")(version 3.0;acl "Allow passwords admin '
f'to write user passwords";allow (write)(groupdn = "ldap:///uid=pwadm_admin_1,{DEFAULT_SUFFIX}");)')
# Remove group from password admin configuration
Config(topo.standalone).replace('passwordAdminDN', f"uid=pwadm_admin_1,{DEFAULT_SUFFIX}")
# Change user's password by ex-admin user
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'hellso')],
f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}')
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'hellso')],
f'uid=pwadm_admin_1,{DEFAULT_SUFFIX}')
