def test_services(topology): """ Test and assert that a simple service account can be bound to and created. These are really useful in simple tests. """ ous = OrganizationalUnits(topology.standalone, DEFAULT_SUFFIX) services = ServiceAccounts(topology.standalone, DEFAULT_SUFFIX) # Create the OU for them. ous.create(properties={ 'ou': 'Services', 'description': 'Computer Service accounts which request DS bind', }) # Now, we can create the services from here. service = services.create(properties={ 'cn': 'testbind', 'userPassword': '******' }) conn = service.bind('Password1') conn.unbind_s()
def test_basic_feature(topology_st): """Check basic SASL functionality for PLAIN mechanism :id: 75ddc6fa-aa5a-4025-9c71-1abad20c91fc :setup: Standalone instance :steps: 1. Stop the instance 2. Clean up confdir from previous cert and key files 3. Create RSA files: CA, key and cert 4. Start the instance 5. Create RSA entry 6. Set nsslapd-secureport to 636 and nsslapd-security to 'on' 7. Restart the instance 8. Create a user 9. Check we can bind 10. Check that PLAIN is listed in supported mechs 11. Set up Plain SASL credentials 12. Try to open a connection without TLS 13. Try to open a connection with TLS 14. Try to open a connection with a wrong password :expectedresults: 1. The instance should stop 2. Confdir should be clean 3. RSA files should be created 4. The instance should start 5. RSA entry should be created 6. nsslapd-secureport and nsslapd-security should be set successfully 7. The instance should be restarted 8. User should be created 9. Bind should be successful 10. PLAIN should be listed in supported mechs 11. Plain SASL should be successfully set 12. AUTH_UNKNOWN exception should be raised 13. The connection should open 14. INVALID_CREDENTIALS exception should be raised """ standalone = topology_st.standalone standalone.enable_tls() # Create a user sas = ServiceAccounts(standalone, DEFAULT_SUFFIX) sas._basedn = DEFAULT_SUFFIX sa = sas.create(properties={ 'cn': 'testaccount', 'userPassword': '******' }) # Check we can bind. This will raise exceptions if it fails. sa.bind('password') # Check that PLAIN is listed in supported mechns. assert (standalone.rootdse.supports_sasl_plain()) # The sasl parameters don't change, so set them up now. # Do we need the sasl map dn:? auth_tokens = PlainSASL("dn:%s" % sa.dn, 'password') # Check that it fails without TLS with pytest.raises(ldap.AUTH_UNKNOWN): conn = sa.sasl_bind(uri=standalone.get_ldap_uri(), saslmethod='PLAIN', sasltoken=auth_tokens, connOnly=True) # We *have* to use REQCERT NEVER here because python ldap fails cert verification for .... some reason that even # I can not solve. I think it's leaking state across connections in start_tls_s? # Check that it works with TLS conn = sa.sasl_bind(uri=standalone.get_ldaps_uri(), saslmethod='PLAIN', sasltoken=auth_tokens, connOnly=True) conn.close() # Check that it correct fails our bind if we don't have the password. auth_tokens = PlainSASL("dn:%s" % sa.dn, 'password-wrong') with pytest.raises(ldap.INVALID_CREDENTIALS): conn = sa.sasl_bind(uri=standalone.get_ldaps_uri(), saslmethod='PLAIN', sasltoken=auth_tokens, connOnly=True)