def test_supplementalCredentials_cleartext_pso(self):
    """Verify that a PSO's store-plaintext flag wins over the domain's.

    The test walks one user through four states and, after each password
    change, checks whether a cleartext copy of the password is present in
    the supplementary credentials:

    1. domain stores cleartext, PSO forbids it       -> no cleartext
    2. domain stores cleartext, PSO removed          -> cleartext
    3. domain forbids cleartext, no PSO              -> no cleartext
    4. domain forbids cleartext, PSO allows it       -> cleartext

    State 4 is the one to keep in mind when auditing: a PSO applied to a
    user re-enables recoverable password storage for that user even
    though the domain-wide setting has it switched off.
    """
    account_filter = "(sAMAccountName=%s)" % USER_NAME

    def change_password():
        # The stored cleartext is only refreshed when the password is set,
        # so every policy change below is followed by a password change.
        fresh = samba.generate_random_password(32, 32)
        self.ldb.setpassword(account_filter, fresh)
        return fresh

    # Baseline: a user created with plain-text storage has the cleartext
    # password in its supplementary credentials.
    self.add_user(clear_text=True)
    self.assert_cleartext(expect_cleartext=True, password=USER_PASS)

    # State 1: a PSO that disables plain-text storage, applied to the user.
    deny_pso = PasswordSettings("no-plaintext-PSO", self.ldb,
                                precedence=200, store_plaintext=False)
    self.addCleanup(self.ldb.delete, deny_pso.dn)
    userdn = "cn=" + USER_NAME + ",cn=users," + self.base_dn
    deny_pso.apply_to(userdn)
    change_password()
    self.assert_cleartext(expect_cleartext=False)

    # State 2: without the PSO the domain setting applies again.
    deny_pso.unapply(userdn)
    current = change_password()
    self.assert_cleartext(expect_cleartext=True, password=current)

    # State 3: switch the domain setting off; no PSO is applied.
    # NOTE(review): this method does not restore the domain setting -
    # presumably the test case's teardown does; confirm.
    self.set_store_cleartext(False)
    change_password()
    self.assert_cleartext(expect_cleartext=False)

    # State 4: a PSO that enables plain-text storage overrides the domain.
    allow_pso = PasswordSettings("plaintext-PSO", self.ldb,
                                 precedence=100, store_plaintext=True)
    self.addCleanup(self.ldb.delete, allow_pso.dn)
    allow_pso.apply_to(userdn)
    current = change_password()
    self.assert_cleartext(expect_cleartext=True, password=current)
def test_pso_basics(self):
    """Check which PSO is in effect as group and user links change.

    Three PSOs are created with precedence 5, 15 and 100; the assertions
    below treat the lowest number as the winner among group-applied PSOs.
    A PSO applied directly to the user is expected to win over any PSO the
    user inherits from a group, whatever its precedence. With no PSO in
    effect the user must fall back to ``self.pwd_defaults``.
    """
    strongest = PasswordSettings("highest-priority-PSO", self.ldb,
                                 precedence=5, password_len=16,
                                 history_len=6)
    middle = PasswordSettings("med-priority-PSO", self.ldb,
                              precedence=15, password_len=10,
                              history_len=4)
    weakest = PasswordSettings("lowest-priority-PSO", self.ldb,
                               precedence=100, complexity=False,
                               password_len=4, history_len=2)

    # The PSOs live outside the top-level test OU, so they need their own
    # clean-up registration.
    self.add_obj_cleanup([weakest.dn, middle.dn, strongest.dn])

    # Four groups; the weakest PSO is linked to two of them.
    grp1, grp2, grp3, grp4 = [
        self.add_group(name)
        for name in ("Group-1", "Group-2", "Group-3", "Group-4")
    ]
    for pso, grp in ((weakest, grp1), (middle, grp2),
                     (strongest, grp3), (weakest, grp4)):
        pso.apply_to(grp)

    # A fresh user has no PSO: the defaults apply.
    user = self.add_user("testuser")
    self.assert_PSO_applied(user, self.pwd_defaults)

    def join(grp):
        self.set_attribute(grp, "member", user.dn)

    # One group membership: that group's PSO applies.
    join(grp1)
    self.assert_PSO_applied(user, weakest)

    # A second group with a better precedence takes over.
    join(grp2)
    self.assert_PSO_applied(user, middle)

    # Member of every group: the best precedence of all wins.
    join(grp3)
    join(grp4)
    self.assert_PSO_applied(user, strongest)

    # Leaving the group with the best PSO falls back to the next best.
    self.set_attribute(grp3, "member", user.dn,
                       operation=FLAG_MOD_DELETE)
    self.assert_PSO_applied(user, middle)

    # A directly applied PSO beats group PSOs even when its precedence is
    # worse. Here that means the 4-character, no-complexity policy
    # replaces the 10-character one for this user.
    weakest.apply_to(user.dn)
    self.assert_PSO_applied(user, weakest)

    # Dropping the direct link restores the best group PSO.
    weakest.unapply(user.dn)
    self.assert_PSO_applied(user, middle)

    # Unlink the PSOs from every group the user still belongs to; the
    # defaults must apply again. (grp3 keeps its link, but the user left
    # that group above.)
    weakest.unapply(grp1)
    middle.unapply(grp2)
    weakest.unapply(grp4)
    self.assert_PSO_applied(user, self.pwd_defaults)
def test_pso_basics(self):
    """Exercise PSO selection for a user via group and direct links.

    The expected resolution order, as asserted step by step below:
    a PSO linked directly to the user comes first; otherwise the
    group-linked PSO with the numerically lowest precedence; otherwise
    the settings in ``self.pwd_defaults``.
    """
    ldb = self.ldb

    # Three policies, differing in precedence and in password strength.
    top_pso = PasswordSettings("highest-priority-PSO", ldb, precedence=5,
                               password_len=16, history_len=6)
    mid_pso = PasswordSettings("med-priority-PSO", ldb, precedence=15,
                               password_len=10, history_len=4)
    low_pso = PasswordSettings("lowest-priority-PSO", ldb, precedence=100,
                               complexity=False, password_len=4,
                               history_len=2)

    # Registered for clean-up explicitly because the PSOs are created
    # outside the top-level test OU.
    cleanup_dns = [low_pso.dn, mid_pso.dn, top_pso.dn]
    self.add_obj_cleanup(cleanup_dns)

    # Create the groups first, then link a PSO to each of them.
    first = self.add_group("Group-1")
    second = self.add_group("Group-2")
    third = self.add_group("Group-3")
    fourth = self.add_group("Group-4")
    low_pso.apply_to(first)
    mid_pso.apply_to(second)
    top_pso.apply_to(third)
    low_pso.apply_to(fourth)

    account = self.add_user("testuser")
    check = self.assert_PSO_applied

    # No memberships yet, so only the defaults can apply.
    check(account, self.pwd_defaults)

    # Membership in one group pulls in that group's PSO.
    self.set_attribute(first, "member", account.dn)
    check(account, low_pso)

    # A group whose PSO has a lower precedence number overrides it.
    self.set_attribute(second, "member", account.dn)
    check(account, mid_pso)

    # With all four memberships the precedence-5 PSO is selected.
    self.set_attribute(third, "member", account.dn)
    self.set_attribute(fourth, "member", account.dn)
    check(account, top_pso)

    # Removing the membership that supplied it drops back one level.
    self.set_attribute(third, "member", account.dn,
                       operation=FLAG_MOD_DELETE)
    check(account, mid_pso)

    # Direct application outranks every group PSO regardless of
    # precedence, so the weakest policy becomes the effective one.
    low_pso.apply_to(account.dn)
    check(account, low_pso)

    # Without the direct link the group result is used again.
    low_pso.unapply(account.dn)
    check(account, mid_pso)

    # Remove the links on the groups the user is still a member of and
    # confirm the defaults are back in force.
    for pso, group in ((low_pso, first), (mid_pso, second),
                       (low_pso, fourth)):
        pso.unapply(group)
    check(account, self.pwd_defaults)