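    def enable_ssl(self, binduri, tls_port):
        """Enable TLS on the Directory Server and configure its secure port.

        Binds as the instance root DN and applies, in order:

        1. ``nsTLS1: on`` on ``cn=encryption,cn=config``
        2. a new ``cn=RSA,cn=encryption,cn=config`` entry selecting the
           ``Server-Cert-<dsinstance_host>`` certificate nickname from the
           ``internal (software)`` NSS token
        3. ``nsslapd-security: on`` on ``cn=config``
        4. ``nsslapd-securePort: <tls_port>`` on ``cn=config``

        Args:
            binduri (str): LDAP URI to bind with.  The bind uses whatever
                transport this URI selects: over a plain ``ldap://`` URI the
                root DN password is sent in the clear, so only run this
                against a lab server on a trusted network.
            tls_port (str): TLS port to configure (stringified before use).

        Returns:
            bool: True once all four settings have been applied.

        Exceptions:
            LdapException: raised on the first setting the server rejects;
                settings applied before it are left in place (no rollback).
        """
        ldap_obj = LdapOperations(uri=binduri,
                                  binddn=self.dsrootdn,
                                  bindpw=self.dsrootdn_pwd)

        def _check(result, failure_msg, success_msg):
            # Every step returns (status, ok): surface the server's status
            # text in the exception on failure, otherwise report progress.
            (ret, return_value) = result
            if not return_value:
                raise LdapException(failure_msg % (ret))
            print(success_msg)

        # Enable TLS.  MOD_ADD rather than MOD_REPLACE, so re-running this
        # against an instance that already carries nsTLS1 fails at this step
        # -- presumably intended for freshly created instances only.
        mod_dn1 = 'cn=encryption,cn=config'
        add_tls = [(ldap.MOD_ADD, 'nsTLS1', 'on')]
        _check(ldap_obj.modify_ldap(mod_dn1, add_tls),
               'fail to enable TLS, Error:%s', 'Enabled nsTLS1=on')

        # Point the RSA encryption module at the server certificate nickname.
        entry1 = {
            'objectClass': ['top', 'nsEncryptionModule'],
            'cn': 'RSA',
            'nsSSLtoken': 'internal (software)',
            'nsSSLPersonalitySSL': 'Server-Cert-%s' % (self.dsinstance_host),
            'nsSSLActivation': 'on'
        }
        dn1 = 'cn=RSA,cn=encryption,cn=config'
        _check(ldap_obj.add_entry(entry1, dn1),
               'fail to set Server-Cert nick:%s', 'Enabled Server-Cert nick')

        # Enable security
        mod_dn2 = 'cn=config'
        enable_security = [(ldap.MOD_REPLACE, 'nsslapd-security', 'on')]
        _check(ldap_obj.modify_ldap(mod_dn2, enable_security),
               'fail to enable nsslapd-security, Error:%s',
               'Enabled nsslapd-security')

        # set the appropriate TLS port
        mod_dn3 = 'cn=config'
        enable_ssl_port = [(ldap.MOD_REPLACE, 'nsslapd-securePort',
                            str(tls_port))]
        _check(ldap_obj.modify_ldap(mod_dn3, enable_ssl_port),
               'fail to set nsslapd-securePort, Error:%s',
               'Enabled nsslapd-securePort=%r' % tls_port)

        # NOTE(review): cn=config changes like these typically only take
        # effect after the directory server is restarted -- confirm the
        # caller does so before relying on the TLS port.
        # The docstring promises a bool; report success explicitly instead
        # of falling off the end and returning None.
        return True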
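    def enable_ssl(self, binduri, tls_port):
        """Enable TLS on the Directory Server and configure its secure port.

        Binds as the instance root DN and applies, in order:

        1. ``nsTLS1: on`` on ``cn=encryption,cn=config``
        2. ``nsSSLPersonalitySSL`` on the existing
           ``cn=RSA,cn=encryption,cn=config`` entry, replaced with the
           ``Server-Cert-<dsinstance_host>`` certificate nickname
        3. ``nsslapd-security: on`` on ``cn=config``
        4. ``nsslapd-securePort: <tls_port>`` on ``cn=config``

        All attribute values are passed as ``bytes`` (python-ldap 3 style).

        Args:
            binduri (str): LDAP URI to bind with.  The bind uses whatever
                transport this URI selects: over a plain ``ldap://`` URI the
                root DN password is sent in the clear, so only run this
                against a lab server on a trusted network.
            tls_port (str): TLS port to configure (stringified and encoded
                before use).

        Returns:
            bool: True once all four settings have been applied.

        Exceptions:
            LdapException: raised on the first setting the server rejects;
                settings applied before it are left in place (no rollback).
        """
        ldap_obj = LdapOperations(uri=binduri,
                                  binddn=self.dsrootdn,
                                  bindpw=self.dsrootdn_pwd)

        def _check(result, failure_msg, success_msg):
            # Every step returns (status, ok): surface the server's status
            # text in the exception on failure, otherwise report progress.
            (ret, return_value) = result
            if not return_value:
                raise LdapException(failure_msg % (ret))
            print(success_msg)

        # Enable TLS.  MOD_ADD rather than MOD_REPLACE, so re-running this
        # against an instance that already carries nsTLS1 fails at this step
        # -- presumably intended for freshly created instances only.
        mod_dn1 = 'cn=encryption,cn=config'
        add_tls = [(ldap.MOD_ADD, 'nsTLS1', [b'on'])]
        _check(ldap_obj.modify_ldap(mod_dn1, add_tls),
               'Failed to enable TLS, Error:%s', 'Enabled nsTLS1=on')

        # Select the server certificate nickname on the RSA encryption module.
        mod_dn2 = 'cn=RSA,cn=encryption,cn=config'
        mod_security = [
            (ldap.MOD_REPLACE, 'nsSSLPersonalitySSL',
             [b'Server-Cert-%s' % ((self.dsinstance_host.encode()))])
        ]
        _check(ldap_obj.modify_ldap(mod_dn2, mod_security),
               'Failed to set Server-Cert nick:%s', 'Enabled Server-Cert nick')

        # Enable security
        mod_dn3 = 'cn=config'
        enable_security = [(ldap.MOD_REPLACE, 'nsslapd-security', [b'on'])]
        _check(ldap_obj.modify_ldap(mod_dn3, enable_security),
               'Failed to enable nsslapd-security, Error:%s',
               'Enabled nsslapd-security')

        # set the appropriate TLS port
        mod_dn4 = 'cn=config'
        enable_ssl_port = [(ldap.MOD_REPLACE, 'nsslapd-securePort',
                            str(tls_port).encode())]
        _check(ldap_obj.modify_ldap(mod_dn4, enable_ssl_port),
               'Failed to set nsslapd-securePort, Error:%s',
               'Enabled nsslapd-securePort=%r' % tls_port)

        # NOTE(review): cn=config changes like these typically only take
        # effect after the directory server is restarted -- confirm the
        # caller does so before relying on the TLS port.
        # The docstring promises a bool; report success explicitly instead
        # of falling off the end and returning None.
        return True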
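def create_posix_usersgroups(session_multihost):
    """Create ten POSIX users and one group on the master for the session.

    Adds ``foo0``..``foo9`` under ``ou=People,dc=example,dc=test`` (each with
    a Kerberos principal in realm ``EXAMPLE.TEST``), then creates
    ``cn=ldapusers,ou=Groups,dc=example,dc=test`` with ``foo0`` as its first
    ``uniqueMember`` and appends ``foo1``..``foo9``.

    Args:
        session_multihost: multihost fixture; ``master[0]`` is the host
            running the directory server and the KDC.

    Raises:
        AssertionError: if any user, the group, or a membership add fails;
            the message carries the entry / server status involved.

    Security note:
        Binds as ``cn=Directory Manager`` over plain ``ldap://`` with the
        fixed lab password ``Secret123``, and every created principal gets
        that same well-known password.  Fine for a disposable test directory,
        never for a server reachable from an untrusted network.
    """
    ldap_uri = 'ldap://%s' % (session_multihost.master[0].sys_hostname)
    ds_rootdn = 'cn=Directory Manager'
    ds_rootpw = 'Secret123'
    ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
    krb = krb5srv(session_multihost.master[0], 'EXAMPLE.TEST')
    for i in range(10):
        user_info = {'cn': 'foo%d' % i,
                     'uid': 'foo%d' % i,
                     'uidNumber': '1458310%d' % i,
                     'gidNumber': '14564100'}
        if ldap_inst.posix_user("ou=People", "dc=example,dc=test", user_info):
            krb.add_principal('foo%d' % i, 'user', 'Secret123')
        else:
            print("Unable to add ldap User %s" % (user_info))
            # Carry the failing entry in the assertion itself so the cause
            # is visible even when stdout is not captured.
            assert False, "Unable to add ldap User %s" % (user_info)
    memberdn = 'uid=%s,ou=People,dc=example,dc=test' % ('foo0')
    group_info = {'cn': 'ldapusers',
                  'gidNumber': '14564100',
                  'uniqueMember': memberdn}
    try:
        ldap_inst.posix_group("ou=Groups", "dc=example,dc=test", group_info)
    except LdapException as err:
        # Keep the server's reason instead of a bare 'assert False'.
        assert False, "Unable to add ldap group %s: %s" % (group_info, err)
    group_dn = 'cn=ldapusers,ou=Groups,dc=example,dc=test'
    for i in range(1, 10):
        user_dn = 'uid=foo%d,ou=People,dc=example,dc=test' % i
        add_member = [(ldap.MOD_ADD, 'uniqueMember', user_dn.encode('utf-8'))]
        (ret, _) = ldap_inst.modify_ldap(group_dn, add_member)
        assert ret == 'Success', "Adding %s to %s failed: %s" % (user_dn,
                                                                 group_dn,
                                                                 ret)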
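 def enable_anonymous_search(self, binduri):
     """Grant anonymous read/search/compare access to the instance suffix.

     Adds an ACI on ``self.dsinstance_suffix`` that lets ``ldap:///anyone``
     (including unauthenticated binds) read, search and compare every
     attribute except ``userPassword`` and ``aci``.

     Args:
         binduri (str): LDAP URI to bind with (as the instance root DN).

     Returns:
         bool: True once the ACI has been added.

     Exceptions:
         LdapException: if the server rejects the ACI modification.

     Security note:
         Only ``userPassword`` and ``aci`` are withheld.  Every other
         attribute stored under the suffix -- account names, ids, group
         membership and anything else the tests put there -- becomes
         readable without authentication.  Intended for a throw-away lab
         directory, not for a server that untrusted clients can reach.
     """
     ldap_obj = LdapOperations(uri=binduri,
                               binddn=self.dsrootdn,
                               bindpw=self.dsrootdn_pwd)
     # Enable Anonymous access aci
     allow_anonymous = "(targetattr!=\"userPassword || aci\")" \
                       "(version 3.0; acl \"Enable anonymous " \
                       "access\"; allow " \
                       "(read, search, compare) userdn=\"ldap:///anyone\";)"
     # MOD_ADD appends to whatever ACIs the suffix already carries; it does
     # not replace them, and adding the identical value twice is rejected.
     add_aci = [(ldap.MOD_ADD, 'aci', [allow_anonymous.encode('utf-8')])]
     (ret, return_value) = ldap_obj.modify_ldap(self.dsinstance_suffix,
                                                add_aci)
     if not return_value:
         # Include the server's status so the caller can see why it failed.
         raise LdapException("Failed to enable anonymous access aci: %s"
                             % (ret))
     print("Enabled Anonymous access "
           "aci to %s" % self.dsinstance_suffix)
     # The docstring promises a bool; report success explicitly.
     return True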
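def create_posix_usersgroups(session_multihost):
    """Create ten POSIX users and one group on the master for the session.

    Adds ``foo0``..``foo9`` under ``ou=People,dc=example,dc=test`` (each with
    a Kerberos principal in realm ``EXAMPLE.TEST``), then creates
    ``cn=ldapusers,ou=Groups,dc=example,dc=test`` with ``foo0`` as its first
    ``uniqueMember`` and appends ``foo1``..``foo9``.

    Args:
        session_multihost: multihost fixture; ``master[0]`` is the host
            running the directory server and the KDC.

    Raises:
        AssertionError: if any user, the group, or a membership add fails;
            the message carries the entry / server status involved.

    Security note:
        Binds as ``cn=Directory Manager`` over plain ``ldap://`` with the
        fixed lab password ``Secret123``, and every created principal gets
        that same well-known password.  Fine for a disposable test directory,
        never for a server reachable from an untrusted network.
    """
    ldap_uri = 'ldap://%s' % (session_multihost.master[0].sys_hostname)
    ds_rootdn = 'cn=Directory Manager'
    ds_rootpw = 'Secret123'
    ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
    krb = krb5srv(session_multihost.master[0], 'EXAMPLE.TEST')
    for i in range(10):
        user_info = {'cn': 'foo%d' % i,
                     'uid': 'foo%d' % i,
                     'uidNumber': '1458310%d' % i,
                     'gidNumber': '14564100'}
        if ldap_inst.posix_user("ou=People", "dc=example,dc=test", user_info):
            krb.add_principal('foo%d' % i, 'user', 'Secret123')
        else:
            print("Unable to add ldap User %s" % (user_info))
            # Carry the failing entry in the assertion itself so the cause
            # is visible even when stdout is not captured.
            assert False, "Unable to add ldap User %s" % (user_info)
    memberdn = 'uid=%s,ou=People,dc=example,dc=test' % ('foo0')
    group_info = {'cn': 'ldapusers',
                  'gidNumber': '14564100',
                  'uniqueMember': memberdn}
    try:
        ldap_inst.posix_group("ou=Groups", "dc=example,dc=test", group_info)
    except LdapException as err:
        # Keep the server's reason instead of a bare 'assert False'.
        assert False, "Unable to add ldap group %s: %s" % (group_info, err)
    group_dn = 'cn=ldapusers,ou=Groups,dc=example,dc=test'
    for i in range(1, 10):
        user_dn = 'uid=foo%d,ou=People,dc=example,dc=test' % i
        add_member = [(ldap.MOD_ADD, 'uniqueMember', user_dn.encode('utf-8'))]
        (ret, _) = ldap_inst.modify_ldap(group_dn, add_member)
        assert ret == 'Success', "Adding %s to %s failed: %s" % (user_dn,
                                                                 group_dn,
                                                                 ret)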
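 def test_login_fips_weak_crypto(self, multihost):
     """
     :title: krb5/fips: verify login fails when weak crypto is presented
     :id: cdd2ef0d-4921-40b3-b61e-0b271b2d5e00
     :steps:
         1. Create LDAP user 'cracker' whose Kerberos principal only has an
            arcfour-hmac (RC4) key, and add it to cn=ldapusers
         2. Start a packet capture on the client and try to SSH in as
            that user
         3. Check the client journal for the KDC rejecting the enctype
     :expectedresults:
         1. Should succeed
         2. Login is refused
         3. 'KDC has no support for encryption type' is logged
     """
     ldap_uri = 'ldap://%s' % (multihost.master[0].sys_hostname)
     ds_rootdn = 'cn=Directory Manager'
     ds_rootpw = 'Secret123'
     tools = sssdTools(multihost.client[0])
     domain_name = tools.get_domain_section_name()
     tools.clear_sssd_cache()
     # NOTE(review): the user literal appears redacted in this listing; as
     # written, '%' with no conversion specifier raises TypeError.
     user = '******' % domain_name
     ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
     krb = krb5srv(multihost.master[0], 'EXAMPLE.TEST')
     user_info = {
         'cn': 'cracker',
         'uid': 'cracker',
         'uidNumber': '19583100',
         'gidNumber': '14564100'
     }
     if ldap_inst.posix_user("ou=People", "dc=example,dc=test", user_info):
         # RC4-only principal: the weak enctype this test expects the
         # (FIPS-mode, per the title) KDC to refuse.
         krb.add_principal('cracker',
                           'user',
                           'Secret123',
                           etype='arcfour-hmac')
     else:
         pytest.fail("Failed to add user cracker")
     user_dn = 'uid=cracker,ou=People,%s' % ds_suffix
     group_dn = 'cn=ldapusers,ou=Groups,%s' % ds_suffix
     add_member = [(ldap.MOD_ADD, 'uniqueMember', user_dn.encode('utf-8'))]
     (ret, _) = ldap_inst.modify_ldap(group_dn, add_member)
     assert ret == 'Success'
     tools.clear_sssd_cache()
     ldap_host = multihost.master[0].sys_hostname
     # Fixed, predictable capture path in /tmp on the client -- acceptable
     # only because the client is a disposable test host.
     pcapfile = '/tmp/krb1.pcap'
     tcpdump_cmd = 'tcpdump -s0 host %s -w %s' % (ldap_host, pcapfile)
     multihost.client[0].run_command(tcpdump_cmd, bg=True)
     pkill = 'pkill tcpdump'
     rm_pcap_file = 'rm -f %s' % pcapfile
     client = pexpect_ssh(multihost.client[0].sys_hostname,
                          user,
                          'Secret123',
                          debug=False)
     try:
         try:
             client.login()
         except SSHLoginException:
             # Stop the capture before reading it so the file is complete.
             multihost.client[0].run_command(pkill)
             tshark_cmd = "tshark -r %s -V -2 -R"\
                          " 'kerberos.msg_type == 30'" % pcapfile
             multihost.client[0].run_command(tshark_cmd, raiseonerr=False)
             journalctl_cmd = 'journalctl --no-pager -n 150'
             cmd = multihost.client[0].run_command(journalctl_cmd)
             check = re.compile(r'KDC has no support for encryption type')
             assert check.search(cmd.stdout_text)
         else:
             # A principal with only a weak enctype must not get in.
             pytest.fail("%s Login successful" % user)
     finally:
         # Always stop tcpdump, drop the test account and remove the capture
         # -- also when the login unexpectedly succeeds or the journal
         # assertion fails, which previously left all three behind.
         multihost.client[0].run_command(pkill, raiseonerr=False)
         ldap_inst.del_dn(user_dn)
         krb.delete_principal('cracker')
         multihost.client[0].run_command(rm_pcap_file)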
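 def test_sss_cache_reset(self, multihost, backupsssdconf):
     """
     :title: fix sss_cache to also reset cached timestamp
     :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1902280
     :customerscenario: True
     :id: c310f1b4-e89b-11eb-84ce-845cf3eff344
     :steps:
         1. Remove a member from a group entry in LDAP
         2. Run 'sss_cache -G' and 'sss_cache -E' on the client
         3. Check with 'getent group' on the client that the member is gone
     :expectedresults:
         1. Should succeed
         2. Should succeed
         3. Should succeed
     """
     tools = sssdTools(multihost.client[0])
     domain_name = tools.get_domain_section_name()
     domain_params = {
         'ldap_schema': 'rfc2307bis',
         'ldap_group_member': 'uniquemember',
         'debug_level': '9'
     }
     tools.sssd_conf(f'domain/{domain_name}', domain_params)
     multihost.client[0].service_sssd('restart')
     # Populate the cache with the group while foo9 is still a member.
     get_ent = multihost.client[0].run_command("getent group "
                                               "ldapusers@example1")
     assert "foo9@example1" in get_ent.stdout_text
     user_dn = 'uid=foo9,ou=People,dc=example,dc=test'
     group_dn = 'cn=ldapusers,ou=Groups,dc=example,dc=test'
     ldap_uri = 'ldap://%s' % (multihost.master[0].sys_hostname)
     ds_rootdn = 'cn=Directory Manager'
     ds_rootpw = 'Secret123'
     ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
     # NOTE(review): foo9 is never re-added, so this test leaves the shared
     # directory changed for whatever runs after it -- confirm a fixture
     # restores the membership.
     del_member = [(ldap.MOD_DELETE, 'uniqueMember',
                    user_dn.encode('utf-8'))]
     (ret, _) = ldap_inst.modify_ldap(group_dn, del_member)
     assert ret == 'Success'
     # Invalidate the group and expire everything; per the bug title the
     # cached timestamp used to survive this, so the stale list was served.
     multihost.client[0].run_command("sss_cache -G")
     multihost.client[0].run_command("sss_cache -E")
     get_ent1 = multihost.client[0].run_command("getent group "
                                                "ldapusers@example1")
     assert "foo9@example1" not in get_ent1.stdout_text
     assert get_ent.stdout_text != get_ent1.stdout_text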
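 def test_0003_background_refresh(self, multihost):
     """
     :title: netgroup: background refresh task does not refresh
      updated netgroup entries
     :id: b17d904d-0d64-4f4a-bbad-4c7f63e1faf2
     :bugzilla:
      https://bugzilla.redhat.com/show_bug.cgi?id=1779486 (RHEL8.2)
      https://bugzilla.redhat.com/show_bug.cgi?id=1822461 (RHEL7.8)
     :steps:
         1. Configure a 30s entry cache timeout and 22s refresh interval
         2. Cache netgroup_1, then replace its nisNetgroupTriple in LDAP
         3. Wait past both intervals and inspect the sysdb cache
     :expectedresults:
         1. Should succeed
         2. Should succeed
         3. The cache holds the updated triple
     """
     multihost.client[0].service_sssd('stop')
     tools = sssdTools(multihost.client[0])
     tools.remove_sss_cache('/var/lib/sss/db')
     domain_params = {
         'entry_cache_timeout': '30',
         'refresh_expired_interval': '22'
     }
     tools.sssd_conf('domain/%s' % ds_instance_name, domain_params)
     multihost.client[0].service_sssd('restart')
     # Prime the cache with the current netgroup_1 entry.
     getent_cmd = "getent netgroup netgroup_1"
     multihost.client[0].run_command(getent_cmd)
     shortname = multihost.client[0].sys_hostname.strip().split('.')[0]
     ldap_uri = 'ldap://%s' % (multihost.master[0].sys_hostname)
     ds_rootdn = 'cn=Directory Manager'
     ds_rootpw = 'Secret123'
     ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
     netgroup_dn = 'cn=netgroup_1,ou=Netgroups,%s' % (ds_suffix)
     # NOTE(review): the netgroup is not restored afterwards; confirm a
     # fixture resets it for later tests.
     nisNetgroupTriple = "(%s,foo1,%s)" % (shortname, ds_suffix)
     modify_netgroup = [(ldap.MOD_REPLACE, 'nisNetgroupTriple',
                         nisNetgroupTriple.encode('utf-8'))]
     try:
         (ret, _) = ldap_inst.modify_ldap(netgroup_dn, modify_netgroup)
         # Fail here with the server's status rather than 40s later with a
         # misleading cache assertion if the LDAP change never applied.
         assert ret == 'Success'
         # Longer than entry_cache_timeout so the refresh task has run.
         time.sleep(40)
         ldb_cmd = 'ldbsearch -H /var/lib/sss/db/cache_%s.ldb'\
                   ' -b cn=Netgroups,cn=%s,cn=sysdb' % (ds_instance_name,
                                                        ds_instance_name)
         cmd = multihost.client[0].run_command(ldb_cmd)
     finally:
         # Drop the short timeouts again whether or not the check passes.
         tools.sssd_conf('domain/%s' % ds_instance_name,
                         domain_params,
                         action='delete')
     new_entry = "netgroupTriple: (%s,foo1,%s)" % (shortname, ds_suffix)
     assert new_entry in cmd.stdout_text.strip().split('\n')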
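 def test_inactivated_filtered_roles(self, multihost):
     """
     :title: Inactivated filtered roles
     :id: 4286dac6-3045-11ec-8fd0-845cf3eff344
     :steps:
         1. Make filter role inactive
         2. User added to the above inactive filtered role
         3. User removed from the above inactive filtered role
         4. Activate filtered role
     :expectedresults:
         1. Should succeed
         2. Should succeed
         3. Should succeed
         4. Should succeed
     """
     clean_sys(multihost)
     client_e = multihost.client[0].ip
     master_e = multihost.master[0].ip
     ldap_uri = f'ldap://{master_e}'
     ds_rootdn = 'cn=Directory Manager'
     ds_rootpw = 'Secret123'
     ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
     # foo3 joins the filtered role through its 'o' attribute; foo4 is
     # presumably matched by the role's filter already (nothing here adds it).
     # NOTE(review): the SSH credentials below appear redacted in this
     # listing.
     user_dn = 'uid=foo3,ou=People,dc=example,dc=test'
     role_dn = "filtered"
     add_member = [(ldap.MOD_ADD, 'o', role_dn.encode('utf-8'))]
     (ret, _) = ldap_inst.modify_ldap(user_dn, add_member)
     assert ret == 'Success'
     # Step 1: lock the role; its members must be refused at login.
     manage_user_roles(multihost, "cn=filtered", "lock", "role")
     with pytest.raises(paramiko.ssh_exception.AuthenticationException):
         SSHClient(client_e, username="******", password="******")
     time.sleep(3)
     lock_check(multihost, "foo3")
     # Step 2: User added to the above inactive filtered role
     clean_sys(multihost)
     with pytest.raises(paramiko.ssh_exception.AuthenticationException):
         SSHClient(client_e, username="******", password="******")
     time.sleep(3)
     lock_check(multihost, "foo4")
     # Step 3: User removed from the above inactive filtered role
     clean_sys(multihost)
     # Fresh bind for the removal, as in the original flow (possibly
     # redundant with ldap_inst above).
     ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
     del_member = [(ldap.MOD_DELETE, 'o', role_dn.encode('utf-8'))]
     (ret, _) = ldap_inst.modify_ldap(user_dn, del_member)
     assert ret == 'Success'
     ssh1 = SSHClient(client_e,
                      username="******",
                      password="******")
     ssh1.close()
     time.sleep(3)
     unlock_check(multihost, "foo3")
     # Step 4: Activate filtered role
     clean_sys(multihost)
     manage_user_roles(multihost, "cn=filtered", "unlock", "role")
     ssh1 = SSHClient(client_e,
                      username="******",
                      password="******")
     ssh1.close()
     time.sleep(3)
     unlock_check(multihost, "foo4")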