Example #1
    def test_supplementalCredentials_cleartext_pso(self):
        """Checks that a PSO's cleartext setting can override the domain's

        One account is walked through four policy states. After a password
        change in each state the test checks whether a recoverable copy of
        the password is present in the supplementary credentials:

        * account created with clear_text=True, PSO forbids it -> absent
        * that PSO is unapplied again                          -> present
        * the domain setting is switched off                   -> absent
        * a second PSO re-enables it for this user             -> present

        The last state is the one worth remembering when auditing: a PSO
        can bring recoverable passwords back for the accounts it applies
        to even though the domain-wide setting is off.
        """

        def change_password():
            # The stored cleartext is only refreshed when the password is
            # set, so each policy change below is followed by a new password
            # before anything is asserted.
            fresh = samba.generate_random_password(32, 32)
            self.ldb.setpassword("(sAMAccountName=%s)" % USER_NAME, fresh)
            return fresh

        # Baseline: with cleartext storage requested at creation time the
        # initial password must be recoverable.
        self.add_user(clear_text=True)
        self.assert_cleartext(expect_cleartext=True, password=USER_PASS)

        # A PSO that switches cleartext storage off, linked to the user and
        # registered for deletion when the test finishes.
        deny_pso = PasswordSettings("no-plaintext-PSO",
                                    self.ldb,
                                    precedence=200,
                                    store_plaintext=False)
        self.addCleanup(self.ldb.delete, deny_pso.dn)
        target_dn = "cn=" + USER_NAME + ",cn=users," + self.base_dn
        deny_pso.apply_to(target_dn)

        # With the PSO in force a fresh password must leave no cleartext.
        change_password()
        self.assert_cleartext(expect_cleartext=False)

        # Dropping the PSO link hands control back to the earlier setting.
        deny_pso.unapply(target_dn)
        restored = change_password()
        self.assert_cleartext(expect_cleartext=True, password=restored)

        # Disable cleartext storage for the domain; no PSO applies here.
        self.set_store_cleartext(False)
        change_password()
        self.assert_cleartext(expect_cleartext=False)

        # A PSO that allows cleartext must win over the domain setting.
        allow_pso = PasswordSettings("plaintext-PSO",
                                     self.ldb,
                                     precedence=100,
                                     store_plaintext=True)
        self.addCleanup(self.ldb.delete, allow_pso.dn)
        allow_pso.apply_to(target_dn)
        overridden = change_password()
        self.assert_cleartext(expect_cleartext=True, password=overridden)
Example #2
    def test_supplementalCredentials_cleartext_pso(self):
        """Checks that a PSO's cleartext setting can override the domain's

        The override is exercised in both directions: a PSO with
        store_plaintext=False suppresses cleartext for a user created with
        clear_text=True, and a PSO with store_plaintext=True restores it
        after the domain setting has been turned off. Every check follows
        a password change, because that is what rewrites the stored
        supplementary credentials.
        """
        # LDAP search expression selecting the test account for setpassword()
        account_filter = "(sAMAccountName=%s)" % USER_NAME

        # Step 1: the freshly created user keeps a recoverable password
        self.add_user(clear_text=True)
        self.assert_cleartext(expect_cleartext=True, password=USER_PASS)

        # Step 2: link a "no cleartext" PSO to the user (deleted at teardown)
        pso_off = PasswordSettings("no-plaintext-PSO", self.ldb,
                                   precedence=200, store_plaintext=False)
        self.addCleanup(self.ldb.delete, pso_off.dn)
        account_dn = "cn=" + USER_NAME + ",cn=users," + self.base_dn
        pso_off.apply_to(account_dn)

        # a password change is needed before the PSO's effect can be seen
        pw = samba.generate_random_password(32, 32)
        self.ldb.setpassword(account_filter, pw)
        self.assert_cleartext(expect_cleartext=False)

        # Step 3: without the PSO the cleartext copy returns on the next change
        pso_off.unapply(account_dn)
        pw = samba.generate_random_password(32, 32)
        self.ldb.setpassword(account_filter, pw)
        self.assert_cleartext(expect_cleartext=True, password=pw)

        # Step 4: turn the domain-wide setting off; cleartext must disappear
        self.set_store_cleartext(False)
        pw = samba.generate_random_password(32, 32)
        self.ldb.setpassword(account_filter, pw)
        self.assert_cleartext(expect_cleartext=False)

        # Step 5: a PSO allowing cleartext overrides the domain for this user.
        # This is the risky direction: recoverable passwords reappear for the
        # PSO's targets while the domain setting still says "off".
        pso_on = PasswordSettings("plaintext-PSO", self.ldb,
                                  precedence=100, store_plaintext=True)
        self.addCleanup(self.ldb.delete, pso_on.dn)
        pso_on.apply_to(account_dn)
        pw = samba.generate_random_password(32, 32)
        self.ldb.setpassword(account_filter, pw)
        self.assert_cleartext(expect_cleartext=True, password=pw)
Example #3
    def test_pso_basics(self):
        """Simple tests that a PSO takes effect when applied to a group/user

        Three PSOs of differing strength are linked to four groups and the
        user's effective policy is checked as memberships and links change.
        Two rules are pinned down: among group-derived PSOs the one with
        the lowest precedence number wins, and a PSO linked directly to
        the user beats every group-derived PSO whatever its precedence.
        """

        # PSOs ordered from strictest to weakest; a lower precedence number
        # means a higher priority
        strict_pso = PasswordSettings("highest-priority-PSO",
                                      self.ldb,
                                      precedence=5,
                                      password_len=16,
                                      history_len=6)
        middle_pso = PasswordSettings("med-priority-PSO",
                                      self.ldb,
                                      precedence=15,
                                      password_len=10,
                                      history_len=4)
        weak_pso = PasswordSettings("lowest-priority-PSO",
                                    self.ldb,
                                    precedence=100,
                                    complexity=False,
                                    password_len=4,
                                    history_len=2)

        # the PSOs sit outside the top-level test OU, so they have to be
        # queued for deletion explicitly
        self.add_obj_cleanup([weak_pso.dn, middle_pso.dn, strict_pso.dn])

        # four groups; the weakest PSO is linked to the first and the last
        group_names = ("Group-1", "Group-2", "Group-3", "Group-4")
        groups = [self.add_group(name) for name in group_names]
        group1, group2, group3, group4 = groups
        links = zip((weak_pso, middle_pso, strict_pso, weak_pso), groups)
        for pso, group in links:
            pso.apply_to(group)

        # a user in none of the groups only gets the default settings
        user = self.add_user("testuser")
        self.assert_PSO_applied(user, self.pwd_defaults)

        # membership of a group pulls in that group's PSO
        self.set_attribute(group1, "member", user.dn)
        self.assert_PSO_applied(user, weak_pso)

        # a second group with a higher-priority PSO takes over
        self.set_attribute(group2, "member", user.dn)
        self.assert_PSO_applied(user, middle_pso)

        # with all four memberships the strictest PSO is the effective one
        for group in (group3, group4):
            self.set_attribute(group, "member", user.dn)
        self.assert_PSO_applied(user, strict_pso)

        # leaving the group that carries the strictest PSO falls back a level
        self.set_attribute(group3,
                           "member",
                           user.dn,
                           operation=FLAG_MOD_DELETE)
        self.assert_PSO_applied(user, middle_pso)

        # A PSO linked directly to the user wins over group PSOs, even though
        # here it is the weakest one (complexity off, 4-character minimum):
        # one direct link is enough to undercut the group-derived policy.
        weak_pso.apply_to(user.dn)
        self.assert_PSO_applied(user, weak_pso)

        # without the direct link the group-derived PSO applies again
        weak_pso.unapply(user.dn)
        self.assert_PSO_applied(user, middle_pso)

        # unlink the PSOs from every group the user still belongs to; only
        # the defaults are left
        remaining = ((weak_pso, group1), (middle_pso, group2),
                     (weak_pso, group4))
        for pso, group in remaining:
            pso.unapply(group)
        self.assert_PSO_applied(user, self.pwd_defaults)
Example #4
    def test_pso_basics(self):
        """Simple tests that a PSO takes effect when applied to a group or user

        The effective policy of one account is tracked while group
        memberships and PSO links are added and removed. Group-derived
        PSOs are ranked by precedence (the lowest number wins); a PSO
        linked directly to the account overrides all of them.
        """
        # three PSOs, from the most to the least demanding
        strict = PasswordSettings("highest-priority-PSO", self.ldb,
                                  precedence=5, password_len=16, history_len=6)
        moderate = PasswordSettings("med-priority-PSO", self.ldb,
                                    precedence=15, password_len=10,
                                    history_len=4)
        lax = PasswordSettings("lowest-priority-PSO", self.ldb, precedence=100,
                               complexity=False, password_len=4, history_len=2)

        # PSOs are created outside the top-level test OU, so queue them for
        # removal by hand
        self.add_obj_cleanup([lax.dn, moderate.dn, strict.dn])

        # groups 1 and 4 both carry the lax PSO
        grp_a = self.add_group("Group-1")
        grp_b = self.add_group("Group-2")
        grp_c = self.add_group("Group-3")
        grp_d = self.add_group("Group-4")
        lax.apply_to(grp_a)
        moderate.apply_to(grp_b)
        strict.apply_to(grp_c)
        lax.apply_to(grp_d)

        account = self.add_user("testuser")

        def effective_policy_is(expected):
            self.assert_PSO_applied(account, expected)

        def join(group):
            self.set_attribute(group, "member", account.dn)

        # no memberships yet: the default settings apply
        effective_policy_is(self.pwd_defaults)

        # one membership: that group's PSO applies
        join(grp_a)
        effective_policy_is(lax)

        # a better-ranked PSO arrives through a second group and takes over
        join(grp_b)
        effective_policy_is(moderate)

        # member of every group: the best-ranked PSO is in force
        join(grp_c)
        join(grp_d)
        effective_policy_is(strict)

        # losing the membership that supplied it drops back to the next PSO
        self.set_attribute(grp_c, "member", account.dn,
                           operation=FLAG_MOD_DELETE)
        effective_policy_is(moderate)

        # A direct link beats group-derived PSOs regardless of precedence, so
        # the lax policy (no complexity, length 4) now governs the account.
        # Direct PSO links therefore deserve the same scrutiny as the
        # group-based ones.
        lax.apply_to(account.dn)
        effective_policy_is(lax)

        # direct link gone: back to what the groups provide
        lax.unapply(account.dn)
        effective_policy_is(moderate)

        # with no PSO linked to any of the account's groups the defaults
        # are all that is left
        lax.unapply(grp_a)
        moderate.unapply(grp_b)
        lax.unapply(grp_d)
        effective_policy_is(self.pwd_defaults)