def test_ssl_transport(tls_client_auth):
"""Test different combinations for nsDS5ReplicaTransportInfo values
:id: 922d16f8-662a-4915-a39e-0aecd7c8e6e2
:setup: Two master replication, enabled TLS client auth
:steps:
1. Set nsDS5ReplicaTransportInfoCheck: SSL or StartTLS or TLS
2. Restart the instance
3. Check that replication works
4. Set nsDS5ReplicaTransportInfoCheck: LDAPS back
:expectedresults:
1. Success
2. Success
3. Replication works
4. Success
"""
m1 = tls_client_auth.ms['master1']
m2 = tls_client_auth.ms['master2']
repl = ReplicationManager(DEFAULT_SUFFIX)
replica_m1 = Replicas(m1).get(DEFAULT_SUFFIX)
replica_m2 = Replicas(m2).get(DEFAULT_SUFFIX)
agmt_m1 = replica_m1.get_agreements().list()[0]
agmt_m2 = replica_m2.get_agreements().list()[0]
if ds_is_older('1.4.0.6'):
check_list = (('TLS', False), )
else:
check_list = (('SSL', True), ('StartTLS', False), ('TLS', False))
for transport, secure_port in check_list:
agmt_m1.replace_many(
('nsDS5ReplicaTransportInfo', transport),
('nsDS5ReplicaPort',
'{}'.format(m2.port if not secure_port else m2.sslport)))
agmt_m2.replace_many(
('nsDS5ReplicaTransportInfo', transport),
('nsDS5ReplicaPort',
'{}'.format(m1.port if not secure_port else m1.sslport)))
repl.test_replication_topology(tls_client_auth)
if ds_is_older('1.4.0.6'):
agmt_m1.replace_many(('nsDS5ReplicaTransportInfo', 'SSL'),
('nsDS5ReplicaPort', str(m2.sslport)))
agmt_m2.replace_many(('nsDS5ReplicaTransportInfo', 'SSL'),
('nsDS5ReplicaPort', str(m1.sslport)))
else:
agmt_m1.replace_many(('nsDS5ReplicaTransportInfo', 'LDAPS'),
('nsDS5ReplicaPort', str(m2.sslport)))
agmt_m2.replace_many(('nsDS5ReplicaTransportInfo', 'LDAPS'),
('nsDS5ReplicaPort', str(m1.sslport)))
repl.test_replication_topology(tls_client_auth)
def fractional_server_to_replica(server, replica):
repl = ReplicationManager(DEFAULT_SUFFIX)
repl.ensure_agreement(server, replica)
replica_server = Replicas(server).get(DEFAULT_SUFFIX)
agmt_server = replica_server.get_agreements().list()[0]
agmt_server.replace_many(
('nsDS5ReplicatedAttributeListTotal', '(objectclass=*) $ EXCLUDE telephoneNumber'),
('nsDS5ReplicatedAttributeList', '(objectclass=*) $ EXCLUDE telephoneNumber'),
('nsds5ReplicaStripAttrs', 'modifiersname modifytimestamp'),
)
def test_healthcheck_replication_replica_not_reachable(topology_m2):
"""Check if HealthCheck returns DSREPLLE0005 code
:id: d452a564-7b82-4c1a-b331-a71abbd82a10
:setup: Replicated topology
:steps:
1. Create a replicated topology
2. On M1, set nsds5replicaport for the replication agreement to an unreachable port on the replica
3. Use HealthCheck without --json option
4. Use HealthCheck with --json option
5. On M1, set nsds5replicaport for the replication agreement to a reachable port number
6. Use HealthCheck without --json option
7. Use HealthCheck with --json option
:expectedresults:
1. Success
2. Success
3. Healthcheck reports DSREPLLE0005 code and related details
4. Healthcheck reports DSREPLLE0005 code and related details
5. Success
6. Healthcheck reports no issue found
7. Healthcheck reports no issue found
"""
RET_CODE = 'DSREPLLE0005'
M1 = topology_m2.ms['supplier1']
M2 = topology_m2.ms['supplier2']
set_changelog_trimming(M1)
log.info(
'Set nsds5replicaport for the replication agreement to an unreachable port'
)
repl = ReplicationManager(DEFAULT_SUFFIX)
repl.wait_for_replication(M1, M2)
replica_m1 = Replicas(M1).get(DEFAULT_SUFFIX)
agmt_m1 = replica_m1.get_agreements().list()[0]
agmt_m1.replace('nsds5replicaport', '4389')
# Should generates updates here to insure that we starts a new replication session
# and really try to connect to the consumer
with suppress(Exception):
repl.wait_for_replication(M1, M2, timeout=5)
run_healthcheck_and_flush_log(topology_m2, M1, RET_CODE, json=False)
run_healthcheck_and_flush_log(topology_m2, M1, RET_CODE, json=True)
log.info(
'Set nsds5replicaport for the replication agreement to a reachable port'
)
agmt_m1.replace('nsDS5ReplicaPort', '{}'.format(M2.port))
repl.wait_for_replication(M1, M2)
run_healthcheck_and_flush_log(topology_m2, M1, CMD_OUTPUT, json=False)
run_healthcheck_and_flush_log(topology_m2, M1, JSON_OUTPUT, json=True)
def test_special_symbol_replica_agreement(topo_i2):
""" Check if agreement starts with "cn=->..." then
after upgrade does it get removed.
:id: 68aa0072-4dd4-4e33-b107-cb383a439125
:setup: two standalone instance
:steps:
1. Create and Enable Replication on standalone2 and role as consumer
2. Create and Enable Replication on standalone1 and role as master
3. Create a Replication agreement starts with "cn=->..."
4. Perform an upgrade operation over the master
5. Check if the agreement is still present or not.
:expectedresults:
1. It should be successful
2. It should be successful
3. It should be successful
4. It should be successful
5. It should be successful
"""
master = topo_i2.ins["standalone1"]
consumer = topo_i2.ins["standalone2"]
consumer.replica.enableReplication(suffix=DEFAULT_SUFFIX,
role=ReplicaRole.CONSUMER,
replicaId=CONSUMER_REPLICAID)
repl = ReplicationManager(DEFAULT_SUFFIX)
repl.create_first_master(master)
properties = {
RA_NAME: '-\\3meTo_{}:{}'.format(consumer.host, str(consumer.port)),
RA_BINDDN: defaultProperties[REPLICATION_BIND_DN],
RA_BINDPW: defaultProperties[REPLICATION_BIND_PW],
RA_METHOD: defaultProperties[REPLICATION_BIND_METHOD],
RA_TRANSPORT_PROT: defaultProperties[REPLICATION_TRANSPORT]
}
master.agreement.create(suffix=SUFFIX,
host=consumer.host,
port=consumer.port,
properties=properties)
master.agreement.init(SUFFIX, consumer.host, consumer.port)
replica_server = Replicas(master).get(DEFAULT_SUFFIX)
master.upgrade('online')
agmt = replica_server.get_agreements().list()[0]
assert agmt.get_attr_val_utf8('cn') == '-\\3meTo_{}:{}'.format(
consumer.host, str(consumer.port))
def test_plugin_bind_dn_tracking_and_replication(topo_m2):
"""Testing nsslapd-plugin-binddn-tracking does not cause issues around
access control and reconfiguring replication/repl agmt.
:id: dd689d03-69b8-4bf9-a06e-2acd19d5e2c9
:setup: 2 supplier topology
:steps:
1. Turn on plugin binddn tracking
2. Add some users
3. Make an update as a user
4. Make an update to the replica config
5. Make an update to the repliocation agreement
:expectedresults:
1. Success
2. Success
3. Success
4. Success
5. Success
"""
m1 = topo_m2.ms["supplier1"]
# Turn on bind dn tracking
m1.config.set('nsslapd-plugin-binddn-tracking', 'on')
# Add two users
users = UserAccounts(m1, DEFAULT_SUFFIX)
user1 = users.create_test_user(uid=1011)
user1.set('userpassword', PASSWORD)
user2 = users.create_test_user(uid=1012)
# Add an aci
acival = '(targetattr ="cn")(version 3.0;acl "Test bind dn tracking"' + \
';allow (all) (userdn = "ldap:///{}");)'.format(user1.dn)
Domain(m1, DEFAULT_SUFFIX).add('aci', acival)
# Bind as user and make an update
user1.rebind(PASSWORD)
user2.set('cn', 'new value')
dm = DirectoryManager(m1)
dm.rebind()
# modify replica
replica = Replicas(m1).get(DEFAULT_SUFFIX)
replica.set(REPL_PROTOCOL_TIMEOUT, "30")
# modify repl agmt
agmt = replica.get_agreements().list()[0]
agmt.set(REPL_PROTOCOL_TIMEOUT, "20")
def topo_tls_ldapi(topo):
"""Enable TLS on both masters and reconfigure both agreements
to use TLS Client auth. Also, setup ldapi and export DB
"""
m1 = topo.ms["master1"]
m2 = topo.ms["master2"]
# Create the certmap before we restart for enable_tls
cm_m1 = CertmapLegacy(m1)
cm_m2 = CertmapLegacy(m2)
# We need to configure the same maps for both ....
certmaps = cm_m1.list()
certmaps['default']['DNComps'] = None
certmaps['default']['CmapLdapAttr'] = 'nsCertSubjectDN'
cm_m1.set(certmaps)
cm_m2.set(certmaps)
[i.enable_tls() for i in topo]
# Create the replication dns
services = ServiceAccounts(m1, DEFAULT_SUFFIX)
repl_m1 = services.get('%s:%s' % (m1.host, m1.sslport))
repl_m1.set('nsCertSubjectDN', m1.get_server_tls_subject())
repl_m2 = services.get('%s:%s' % (m2.host, m2.sslport))
repl_m2.set('nsCertSubjectDN', m2.get_server_tls_subject())
# Check the replication is "done".
repl = ReplicationManager(DEFAULT_SUFFIX)
repl.wait_for_replication(m1, m2)
# Now change the auth type
replica_m1 = Replicas(m1).get(DEFAULT_SUFFIX)
agmt_m1 = replica_m1.get_agreements().list()[0]
agmt_m1.replace_many(
('nsDS5ReplicaBindMethod', 'SSLCLIENTAUTH'),
('nsDS5ReplicaTransportInfo', 'SSL'),
('nsDS5ReplicaPort', '%s' % m2.sslport),
)
agmt_m1.remove_all('nsDS5ReplicaBindDN')
replica_m2 = Replicas(m2).get(DEFAULT_SUFFIX)
agmt_m2 = replica_m2.get_agreements().list()[0]
agmt_m2.replace_many(
('nsDS5ReplicaBindMethod', 'SSLCLIENTAUTH'),
('nsDS5ReplicaTransportInfo', 'SSL'),
('nsDS5ReplicaPort', '%s' % m1.sslport),
)
agmt_m2.remove_all('nsDS5ReplicaBindDN')
log.info("Export LDAPTLS_CACERTDIR env variable for ds-replcheck")
os.environ["LDAPTLS_CACERTDIR"] = m1.get_ssca_dir()
for inst in topo:
inst.config.set('nsslapd-ldapilisten', 'on')
inst.config.set('nsslapd-ldapifilepath', '/var/run/slapd-{}.socket'.format(inst.serverid))
inst.restart()
repl.test_replication(m1, m2)
repl.test_replication(m2, m1)
return topo
def tls_client_auth(topo_m2):
"""Enable TLS on both masters and reconfigure
both agreements to use TLS Client auth
"""
m1 = topo_m2.ms['master1']
m2 = topo_m2.ms['master2']
if ds_is_older('1.4.0.6'):
transport = 'SSL'
else:
transport = 'LDAPS'
# Create the certmap before we restart for enable_tls
cm_m1 = CertmapLegacy(m1)
cm_m2 = CertmapLegacy(m2)
# We need to configure the same maps for both ....
certmaps = cm_m1.list()
certmaps['default']['DNComps'] = None
certmaps['default']['CmapLdapAttr'] = 'nsCertSubjectDN'
cm_m1.set(certmaps)
cm_m2.set(certmaps)
[i.enable_tls() for i in topo_m2]
# Create the replication dns
services = ServiceAccounts(m1, DEFAULT_SUFFIX)
repl_m1 = services.get('%s:%s' % (m1.host, m1.sslport))
repl_m1.set('nsCertSubjectDN', m1.get_server_tls_subject())
repl_m2 = services.get('%s:%s' % (m2.host, m2.sslport))
repl_m2.set('nsCertSubjectDN', m2.get_server_tls_subject())
# Check the replication is "done".
repl = ReplicationManager(DEFAULT_SUFFIX)
repl.wait_for_replication(m1, m2)
# Now change the auth type
replica_m1 = Replicas(m1).get(DEFAULT_SUFFIX)
agmt_m1 = replica_m1.get_agreements().list()[0]
agmt_m1.replace_many(
('nsDS5ReplicaBindMethod', 'SSLCLIENTAUTH'),
('nsDS5ReplicaTransportInfo', transport),
('nsDS5ReplicaPort', str(m2.sslport)),
)
agmt_m1.remove_all('nsDS5ReplicaBindDN')
replica_m2 = Replicas(m2).get(DEFAULT_SUFFIX)
agmt_m2 = replica_m2.get_agreements().list()[0]
agmt_m2.replace_many(
('nsDS5ReplicaBindMethod', 'SSLCLIENTAUTH'),
('nsDS5ReplicaTransportInfo', transport),
('nsDS5ReplicaPort', str(m1.sslport)),
)
agmt_m2.remove_all('nsDS5ReplicaBindDN')
repl.test_replication_topology(topo_m2)
return topo_m2
def test_clean_shutdown_crash(topology_m2):
"""Check that server didn't crash after shutdown when running CleanAllRUV task
:id: c34d0b40-3c3e-4f53-8656-5e4c2a310aaf
:setup: Replication setup with two masters
:steps:
1. Enable TLS on both masters
2. Reconfigure both agreements to use TLS Client auth
3. Stop master2
4. Run the CleanAllRUV task
5. Restart master1
6. Check if master1 didn't crash
7. Restart master1 again
8. Check if master1 didn't crash
:expectedresults:
1. Success
2. Success
3. Success
4. Success
5. Success
6. Success
7. Success
8. Success
"""
m1 = topology_m2.ms["master1"]
m2 = topology_m2.ms["master2"]
repl = ReplicationManager(DEFAULT_SUFFIX)
cm_m1 = CertmapLegacy(m1)
cm_m2 = CertmapLegacy(m2)
certmaps = cm_m1.list()
certmaps['default']['DNComps'] = None
certmaps['default']['CmapLdapAttr'] = 'nsCertSubjectDN'
cm_m1.set(certmaps)
cm_m2.set(certmaps)
log.info('Enabling TLS')
[i.enable_tls() for i in topology_m2]
log.info('Creating replication dns')
services = ServiceAccounts(m1, DEFAULT_SUFFIX)
repl_m1 = services.get('%s:%s' % (m1.host, m1.sslport))
repl_m1.set('nsCertSubjectDN', m1.get_server_tls_subject())
repl_m2 = services.get('%s:%s' % (m2.host, m2.sslport))
repl_m2.set('nsCertSubjectDN', m2.get_server_tls_subject())
log.info('Changing auth type')
replica_m1 = Replicas(m1).get(DEFAULT_SUFFIX)
agmt_m1 = replica_m1.get_agreements().list()[0]
agmt_m1.replace_many(
('nsDS5ReplicaBindMethod', 'SSLCLIENTAUTH'),
('nsDS5ReplicaTransportInfo', 'SSL'),
('nsDS5ReplicaPort', '%s' % m2.sslport),
)
agmt_m1.remove_all('nsDS5ReplicaBindDN')
replica_m2 = Replicas(m2).get(DEFAULT_SUFFIX)
agmt_m2 = replica_m2.get_agreements().list()[0]
agmt_m2.replace_many(
('nsDS5ReplicaBindMethod', 'SSLCLIENTAUTH'),
('nsDS5ReplicaTransportInfo', 'SSL'),
('nsDS5ReplicaPort', '%s' % m1.sslport),
)
agmt_m2.remove_all('nsDS5ReplicaBindDN')
log.info('Stopping master2')
m2.stop()
log.info('Run the cleanAllRUV task')
cruv_task = CleanAllRUVTask(m1)
cruv_task.create(
properties={
'replica-id': repl.get_rid(m1),
'replica-base-dn': DEFAULT_SUFFIX,
'replica-force-cleaning': 'no',
'replica-certify-all': 'yes'
})
m1.restart()
log.info('Check if master1 crashed')
assert not m1.detectDisorderlyShutdown()
log.info('Repeat')
m1.restart()
assert not m1.detectDisorderlyShutdown()
def test_repl_agmt_bootstrap_credentials(topo):
"""Test that the agreement bootstrap credentials works if the default
credentials fail for some reason.
:id: 38c8095c-d958-415a-b602-74854b7882b3
:setup: 2 Master Instances
:steps:
1. Change the bind dn group member passwords
2. Verify replication is not working
3. Create a new repl manager on master 2 for bootstrapping
4. Add bootstrap credentials to agmt on master 1
5. Verify replication is now working with bootstrap creds
6. Trigger new repl session and default credentials are used first
:expectedresults:
1. Success
2. Success
3. Success
4. Success
5. Success
6. Success
"""
# Gather all of our objects for the test
m1 = topo.ms["master1"]
m2 = topo.ms["master2"]
master1_replica = Replicas(m1).get(DEFAULT_SUFFIX)
master2_replica = Replicas(m2).get(DEFAULT_SUFFIX)
master2_users = UserAccounts(m2, DEFAULT_SUFFIX)
m1_agmt = master1_replica.get_agreements().list()[0]
num_of_original_users = len(master2_users.list())
# Change the member's passwords which should break replication
bind_group = Group(m2, dn=BIND_GROUP_DN)
members = bind_group.list_members()
for member_dn in members:
member = UserAccount(m2, dn=member_dn)
member.replace('userPassword', 'not_right')
time.sleep(3)
m1_agmt.pause()
m1_agmt.resume()
# Verify replication is not working, a new user should not be replicated
users = UserAccounts(m1, DEFAULT_SUFFIX)
test_user = users.ensure_state(properties=TEST_USER_PROPERTIES)
time.sleep(3)
assert len(master2_users.list()) == num_of_original_users
# Create a repl manager on replica
repl_mgr = BootstrapReplicationManager(m2, dn=BOOTSTRAP_MGR_DN)
mgr_properties = {
'uid': 'replication manager',
'cn': 'replication manager',
'userPassword': BOOTSTRAP_MGR_PWD,
}
repl_mgr.create(properties=mgr_properties)
# Update master 2 config
master2_replica.remove_all('nsDS5ReplicaBindDNGroup')
master2_replica.remove_all('nsDS5ReplicaBindDnGroupCheckInterval')
master2_replica.replace('nsDS5ReplicaBindDN', BOOTSTRAP_MGR_DN)
# Add bootstrap credentials to master1 agmt, and restart agmt
m1_agmt.replace('nsds5ReplicaBootstrapTransportInfo', 'LDAP')
m1_agmt.replace('nsds5ReplicaBootstrapBindMethod', 'SIMPLE')
m1_agmt.replace('nsds5ReplicaBootstrapCredentials', BOOTSTRAP_MGR_PWD)
m1_agmt.replace('nsds5ReplicaBootstrapBindDN', BOOTSTRAP_MGR_DN)
m1_agmt.pause()
m1_agmt.resume()
# Verify replication is working. The user should have been replicated
time.sleep(3)
assert len(master2_users.list()) > num_of_original_users
# Finally check if the default credentials are used on the next repl
# session. Clear out the logs, and disable log buffering. Then
# trigger a replication update/session.
m1_agmt.pause()
m2.stop()
m2.deleteLog(m2.accesslog) # Clear out the logs
m2.start()
m2.config.set('nsslapd-accesslog-logbuffering', 'off')
m1_agmt.resume()
test_user.delete()
time.sleep(3)
# We know if the default credentials are used it will fail (err=49)
results = m2.ds_access_log.match('.* err=49 .*')
assert len(results) > 0
