def test_groupdnattr_value_is_another_group(topo):
"""
Search Test 42 groupdnattr value is another group test #1
:id: 52299e16-7944-11e8-b471-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. USER_ANUJ should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
Organization(topo.standalone).create(properties={"o": "nscpRoot"}, basedn=DEFAULT_SUFFIX)
user = UserAccount(topo.standalone, "cn=dchan,o=nscpRoot,{}".format(DEFAULT_SUFFIX))
user.create(properties={
'uid': 'dchan',
'cn': 'dchan',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'dchan',
'userPassword': PW_DM
})
grp = UniqueGroup(topo.standalone, 'cn=groupx,o=nscpRoot,' + DEFAULT_SUFFIX)
grp.create(properties={
'cn': 'groupx',
'ou': 'groups',
})
grp.set('uniquemember', 'cn=dchan,o=nscpRoot,{}'.format(DEFAULT_SUFFIX))
grp.set('aci', '(targetattr="*")(version 3.0; acl "Enable Group Expansion"; allow (read, search, compare) groupdnattr="ldap:///o=nscpRoot?uniquemember?sub";)')
conn = UserAccount(topo.standalone, 'cn=dchan,o=nscpRoot,{}'.format(DEFAULT_SUFFIX),).bind(PW_DM)
# acil will allow ldap:///o=nscpRoot?uniquemember?sub"
assert UserAccount(conn, 'cn=groupx,o=nscpRoot,{}'.format(DEFAULT_SUFFIX)).get_attr_val_utf8('cn') == 'groupx'
def test_allow_owner_to_modify_entry(topo, aci_of_user, cleanup_tree):
"""
Modify Test 14 allow userdnattr = owner to modify entry
:id:aa302090-7abf-11e8-811a-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
grp = UniqueGroup(topo.standalone, 'cn=intranet,' + DEFAULT_SUFFIX)
grp.create(properties={'cn': 'intranet', 'ou': 'groups'})
grp.set('owner', USER_WITH_ACI_DELADD)
ACI_BODY = '(target ="ldap:///cn=intranet, {}") (targetattr ="*")(targetfilter ="(objectclass=groupOfUniqueNames)") (version 3.0;acl "$tet_thistest";allow(read, write, delete, search, compare, add) (userdnattr = "owner");)'.format(
DEFAULT_SUFFIX)
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
for i in ['Product Development', 'Accounting']:
ou = OrganizationalUnit(topo.standalone,
"ou={},{}".format(i, DEFAULT_SUFFIX))
ou.create(properties={'ou': i})
for i in [
'Jeff Vedder,ou=Product Development', 'Sam Carter,ou=Accounting'
]:
properties = {
'uid': i,
'cn': i,
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + i,
'userPassword': PW_DM
}
user = UserAccount(topo.standalone,
"cn={},{}".format(i, DEFAULT_SUFFIX))
user.create(properties=properties)
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
# allow userdnattr = owner to modify entry
ua = UserAccount(conn, 'cn=intranet,dc=example,dc=com')
ua.set('uniquemember', "cn=Andy Walker, ou=Accounting,dc=example,dc=com")
assert ua.get_attr_val('uniquemember')
def _apply(self):
# Create the base domain object
domain = create_base_domain(self._instance, self._basedn)
domain.add(
'aci',
'(targetattr ="*")(version 3.0;acl "Directory Administrators Group";allow (all) (groupdn = "ldap:///cn=Directory Administrators,{BASEDN}");)'
.format(BASEDN=self._basedn))
# Create the OUs
ous = OrganizationalUnits(self._instance, self._basedn)
ous.create(properties={
'ou': 'Groups',
})
ous.create(
properties={
'ou':
'People',
'aci': [
'(targetattr ="userpassword || telephonenumber || facsimiletelephonenumber")(version 3.0;acl "Allow self entry modification";allow (write)(userdn = "ldap:///self");)',
'(targetattr !="cn || sn || uid")(targetfilter ="(ou=Accounting)")(version 3.0;acl "Accounting Managers Group Permissions";allow (write)(groupdn = "ldap:///cn=Accounting Managers,ou=groups,{BASEDN}");)'
.format(BASEDN=self._basedn),
'(targetattr !="cn || sn || uid")(targetfilter ="(ou=Human Resources)")(version 3.0;acl "HR Group Permissions";allow (write)(groupdn = "ldap:///cn=HR Managers,ou=groups,{BASEDN}");)'
.format(BASEDN=self._basedn),
'(targetattr !="cn ||sn || uid")(targetfilter ="(ou=Product Testing)")(version 3.0;acl "QA Group Permissions";allow (write)(groupdn = "ldap:///cn=QA Managers,ou=groups,{BASEDN}");)'
.format(BASEDN=self._basedn),
'(targetattr !="cn || sn || uid")(targetfilter ="(ou=Product Development)")(version 3.0;acl "Engineering Group Permissions";allow (write)(groupdn = "ldap:///cn=PD Managers,ou=groups,{BASEDN}");)'
.format(BASEDN=self._basedn),
]
})
ous.create(
properties={
'ou': 'Special Users',
'description': 'Special Administrative Accounts',
})
# Create the groups.
ugs = UniqueGroups(self._instance, self._basedn)
ugs.create(
properties={
'cn': 'Accounting Managers',
'description': 'People who can manage accounting entries',
'ou': 'groups',
'uniqueMember': self._instance.binddn,
})
ugs.create(
properties={
'cn': 'HR Managers',
'description': 'People who can manage HR entries',
'ou': 'groups',
'uniqueMember': self._instance.binddn,
})
ugs.create(
properties={
'cn': 'QA Managers',
'description': 'People who can manage QA entries',
'ou': 'groups',
'uniqueMember': self._instance.binddn,
})
ugs.create(
properties={
'cn': 'PD Managers',
'description': 'People who can manage engineer entries',
'ou': 'groups',
'uniqueMember': self._instance.binddn,
})
# Create the directory Admin group.
# We can't use the group factory here, as we need a custom DN override.
da_ug = UniqueGroup(self._instance)
da_ug._dn = 'cn=Directory Administrators,%s' % self._basedn
da_ug.create(
properties={
'cn': 'Directory Administrators',
'uniqueMember': self._instance.binddn,
})
def test_uniquemember_should_also_be_the_owner(topo, aci_of_user):
"""
Modify Test 10 groupdnattr = \"ldap:///$BASEDN?owner\" if owner is a group, group's
uniquemember should also be the owner
:id:9456b2d4-7abf-11e8-829d-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
for i in ['ACLGroupTest']:
ou = OrganizationalUnit(topo.standalone,
"ou={},{}".format(i, DEFAULT_SUFFIX))
ou.create(properties={'ou': i})
ou = OrganizationalUnit(topo.standalone,
"ou=ACLDevelopment,{}".format(DEFAULT_SUFFIX))
ou.create(properties={'ou': 'ACLDevelopment'})
ou.set(
'aci', '(targetattr="*")(version 3.0; acl "groupdnattr acl"; '
'allow (all)groupdnattr = "ldap:///{}?owner";)'.format(DEFAULT_SUFFIX))
grp = UniqueGroup(topo.standalone,
"uid=anuj,ou=ACLDevelopment, {}".format(DEFAULT_SUFFIX))
user_props = ({
'sn':
'Borah',
'cn':
'Anuj',
'objectclass': [
'top', 'person', 'organizationalPerson', 'inetOrgPerson',
'groupofUniquenames'
],
'userpassword':
PW_DM,
'givenname':
'Anuj',
'ou': ['ACLDevelopment', 'People'],
'roomnumber':
'123',
'uniquemember':
'cn=mandatory member'
})
grp.create(properties=user_props)
grp = UniqueGroup(
topo.standalone,
"uid=2ishani,ou=ACLDevelopment, {}".format(DEFAULT_SUFFIX))
user_props = ({
'sn':
'Borah',
'cn':
'2ishani',
'objectclass': [
'top', 'person', 'organizationalPerson', 'inetOrgPerson',
'groupofUniquenames'
],
'userpassword':
PW_DM,
'givenname':
'2ishani',
'ou': ['ACLDevelopment', 'People'],
'roomnumber':
'1234',
'uniquemember':
'cn=mandatory member',
"owner":
"cn=group4, ou=ACLGroupTest, {}".format(DEFAULT_SUFFIX)
})
grp.create(properties=user_props)
grp = UniqueGroup(topo.standalone,
'cn=group1,ou=ACLGroupTest,' + DEFAULT_SUFFIX)
grp.create(properties={'cn': 'group1', 'ou': 'groups'})
grp.set('uniquemember', [
"cn=group2, ou=ACLGroupTest, {}".format(DEFAULT_SUFFIX),
"cn=group3, ou=ACLGroupTest, {}".format(DEFAULT_SUFFIX)
])
grp = UniqueGroup(topo.standalone,
'cn=group3,ou=ACLGroupTest,' + DEFAULT_SUFFIX)
grp.create(properties={'cn': 'group3', 'ou': 'groups'})
grp.set('uniquemember',
["cn=group4, ou=ACLGroupTest, {}".format(DEFAULT_SUFFIX)])
grp = UniqueGroup(topo.standalone,
'cn=group4,ou=ACLGroupTest,' + DEFAULT_SUFFIX)
grp.create(properties={'cn': 'group4', 'ou': 'groups'})
grp.set('uniquemember',
["uid=anuj, ou=ACLDevelopment, {}".format(DEFAULT_SUFFIX)])
#uniquemember should also be the owner
conn = UserAccount(
topo.standalone,
"uid=anuj,ou=ACLDevelopment, {}".format(DEFAULT_SUFFIX)).bind(PW_DM)
ua = UserAccount(
conn, "uid=2ishani, ou=ACLDevelopment, {}".format(DEFAULT_SUFFIX))
ua.add('roomnumber', '9999')
assert ua.get_attr_val('roomnumber')
for DN in [
"cn=group4,ou=ACLGroupTest,{}".format(DEFAULT_SUFFIX),
"cn=group3,ou=ACLGroupTest,{}".format(DEFAULT_SUFFIX),
"cn=group1,ou=ACLGroupTest,{}".format(DEFAULT_SUFFIX),
"uid=2ishani,ou=ACLDevelopment,{}".format(DEFAULT_SUFFIX),
"uid=anuj,ou=ACLDevelopment,{}".format(DEFAULT_SUFFIX),
"ou=ACLDevelopment,{}".format(DEFAULT_SUFFIX),
"ou=ACLGroupTest, {}".format(DEFAULT_SUFFIX)
]:
UserAccount(topo.standalone, DN).delete()
def test_deny_access_to_group_should_deny_access_to_all_uniquemember(
topo, test_uer, aci_of_user, request):
"""Search Test 38 Deny access to group should deny access to all uniquemember (including chain group)
:id: 56b470e4-7941-11e8-912b-8c16451d917b
:setup: Standalone Instance
:steps:
1. Add Entry
2. Add ACI
3. Bind with test USER_ANUJ
4. Try search
5. Delete Entry,test USER_ANUJ, ACI
:expectedresults:
1. Operation should success
2. Operation should success
3. Operation should success
4. Operation should Fail
5. Operation should success
"""
grp = UniqueGroup(topo.standalone, 'cn=Nested Group 1,' + DEFAULT_SUFFIX)
grp.create(
properties={
'cn': 'Nested Group 1',
'ou': 'groups',
'uniquemember': "cn=Nested Group 2, {}".format(DEFAULT_SUFFIX)
})
grp = UniqueGroup(topo.standalone, 'cn=Nested Group 2,' + DEFAULT_SUFFIX)
grp.create(
properties={
'cn': 'Nested Group 2',
'ou': 'groups',
'uniquemember': "cn=Nested Group 3, {}".format(DEFAULT_SUFFIX)
})
grp = UniqueGroup(topo.standalone, 'cn=Nested Group 3,' + DEFAULT_SUFFIX)
grp.create(
properties={
'cn': 'Nested Group 3',
'ou': 'groups',
'uniquemember': [USER_ANANDA, USER_ANUJ]
})
Domain(topo.standalone, DEFAULT_SUFFIX).add(
"aci", '(target = ldap:///{})(targetattr=*)'
'(version 3.0; acl "{}"; deny(read)(groupdn = "ldap:///cn=Nested Group 1, {}"); )'
.format(DEFAULT_SUFFIX, request.node.name, DEFAULT_SUFFIX))
conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
# deny_access_to_group_should_deny_access_to_all_uniquemember
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
# deny_access_to_group_should_deny_access_to_all_uniquemember
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
# with root there is no aci blockage
assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
def test_user(request, topo):
for demo in ['Product Development', 'Accounting', 'Product Testing', 'nestedgroup', 'ACLGroup']:
OrganizationalUnit(topo.standalone, "ou={},{}".format(demo, DEFAULT_SUFFIX)).create(properties={'ou': demo})
user = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn='ou=Accounting')
for demo1 in ['Ted Morris', 'David Miller']:
user.create(properties= {
'uid': demo1,
'cn': demo1,
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + demo1,
'userPassword': PW_DM
})
# Add anonymous access aci
ACI_TARGET = "(targetattr=\"*\")(target = \"ldap:///%s\")" % (DEFAULT_SUFFIX)
ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)"
ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
suffix.add('aci', ANON_ACI)
uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, 'ou=nestedgroup')
for demo1 in ['DEEPUSER_GLOBAL', 'scratchEntry', 'DEEPUSER2_GLOBAL', 'DEEPUSER1_GLOBAL',
'DEEPUSER3_GLOBAL', 'GROUPDNATTRSCRATCHENTRY_GLOBAL', 'newChild']:
uas.create(properties={
'uid': demo1,
'cn': demo1,
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + demo1,
'userPassword': PW_DM
})
uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, 'uid=GROUPDNATTRSCRATCHENTRY_GLOBAL,ou=nestedgroup')
for demo1 in ['c1', 'CHILD1_GLOBAL']:
uas.create(properties={
'uid': demo1,
'cn': demo1,
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + demo1,
'userPassword': PW_DM
})
grp = UniqueGroups(topo.standalone, DEFAULT_SUFFIX, rdn='ou=nestedgroup')
for i in [('ALLGROUPS_GLOBAL', GROUPA_GLOBAL), ('GROUPA_GLOBAL', GROUPB_GLOBAL), ('GROUPB_GLOBAL', GROUPC_GLOBAL),
('GROUPC_GLOBAL', GROUPD_GLOBAL), ('GROUPD_GLOBAL', GROUPE_GLOBAL), ('GROUPE_GLOBAL', GROUPF_GLOBAL),
('GROUPF_GLOBAL', GROUPG_GLOBAL), ('GROUPG_GLOBAL', GROUPH_GLOBAL), ('GROUPH_GLOBAL', DEEPUSER_GLOBAL)]:
grp.create(properties={'cn': i[0],
'ou': 'groups',
'uniquemember': i[1]
})
grp = UniqueGroup(topo.standalone, 'cn=BIG_GLOBAL Group,{}'.format(DEFAULT_SUFFIX))
grp.create(properties={'cn': 'BIG_GLOBAL Group',
'ou': 'groups',
'uniquemember': ["uid=Ted Morris,ou=Accounting,{}".format(DEFAULT_SUFFIX),
"uid=David Miller,ou=Accounting,{}".format(DEFAULT_SUFFIX),]
})
def test_admin_group_to_modify_password(topo, _add_user):
"""Regression test for bz1044164 part 2.
:id: 12e09446-52da-11ea-aa11-8c16451d917b
:setup: Standalone
:steps:
1. Create unique members of admin group
2. Create admin group with unique members
3. Edit ACIs for admin group
4. Add group as password admin
5. Test password admin group to modify password of another admin user
6. Use admin user to perform a password update on Directory Manager user
7. Test password admin group for local password policy
8. Add top level container
9. Add user
10. Create local policy configuration entry
11. Adding admin group for local policy
12. Change user's password by admin user. Break the local policy rule
13. Test password admin group for global password policy
14. Add top level container
15. Change user's password by admin user. Break the global policy rule
16. Add new user in password admin group
17. Modify ordinary user's password
18. Modify user DN using modrdn of a user in password admin group
19. Test assigning invalid value to password admin attribute
20. Try to add more than one Password Admin attribute to config file
21. Use admin group setup from previous testcases, but delete ACI from that
22. Try to change user's password by admin user
23. Restore ACI
24. Edit ACIs for admin group
25. Delete a user from password admin group
26. Change users password by ex-admin user
27. Remove group from password admin configuration
28. Change admins
29. Change user's password by ex-admin user
30. Change admin user's password by ex-admin user
:expected results:
1. Success
2. Success
3. Success
4. Success
5. Success
6. Fail(ldap.INSUFFICIENT_ACCESS)
7. Success
8. Success
9. Success
10. Success
11. Success
12. Success
13. Success
14. Success
15. Success
16. Success
17. Success
18. Success
19. Fail
20. Fail
21. Success
22. Success
23. Success
24. Success
25. Success
26. Success
27. Success
28. Success
29. Fail
30. Fail
"""
# create unique members of admin group
admin_grp = UniqueGroups(topo.standalone, DEFAULT_SUFFIX).create(properties={
'cn': 'pwadm_group_adm',
'description': 'pwadm_group_adm',
'uniqueMember': [f'uid=pwadm_admin_2,ou=People,{DEFAULT_SUFFIX}',
f'uid=pwadm_admin_3,ou=People,{DEFAULT_SUFFIX}']
})
# Edit ACIs for admin group
Domain(topo.standalone,
f"ou=People,{DEFAULT_SUFFIX}").set('aci', f'(targetattr ="userpassword")'
f'(version 3.0;acl "Allow passwords admin to write user '
f'passwords";allow (write)(groupdn = "ldap:///{admin_grp.dn}");)')
# Add group as password admin
Config(topo.standalone).replace('passwordAdminDN', admin_grp.dn)
# Test password admin group to modify password of another admin user
change_password_of_user(topo, [
('uid=pwadm_admin_2,ou=People', 'Secret123', 'hello')],
f'uid=pwadm_admin_3,ou=people,{DEFAULT_SUFFIX}')
# Use admin user to perform a password update on Directory Manager user
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'hello')],
f'{DN_DM},{DEFAULT_SUFFIX}')
# Add top level container
ou = OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX).create(properties={'ou': 'pwadm_locpol'})
# Change user's password by admin user. Break the global policy rule
# Add new user in password admin group
user = _create_user(topo, 'pwadm_locpol_user', 'ou=pwadm_locpol')
user.replace('userpassword', 'Secret123')
# Create local policy configuration entry
_create_pwp(topo, ou.dn)
# Set parameter for pwp
for para_meter, op_op in [
('passwordLockout', 'on'),
('passwordMaxFailure', '4'),
('passwordLockoutDuration', '10'),
('passwordResetFailureCount', '100'),
('passwordMinLength', '8'),
('passwordAdminDN', f'cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}')]:
change_pwp_parameter(topo, 'ou=pwadm_locpol', para_meter, op_op)
# Set ACI
OrganizationalUnit(topo.standalone,
ou.dn).set('aci',
f'(targetattr ="userpassword")'
f'(version 3.0;acl "Allow passwords admin to write user '
f'passwords";allow (write)'
f'(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)')
# Change password with new admin
change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'Sec')], user.dn)
# Set global parameter
Config(topo.standalone).replace_many(
('passwordTrackUpdateTime', 'on'),
('passwordGraceLimit', '4'),
('passwordHistory', 'on'),
('passwordInHistory', '4'))
# Test password admin group for global password policy
change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'Sec')],
f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}')
# Adding admin group for local policy
grp = UniqueGroup(topo.standalone, f'cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}')
grp.add('uniqueMember', f'uid=pwadm_admin_4,ou=People,{DEFAULT_SUFFIX}')
# Modify ordinary user's password
change_password_of_user(topo, [('uid=pwadm_admin_4,ou=People', 'Secret123', 'Secret')],
f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}')
# Modify user DN using modrdn of a user in password admin group
UserAccount(topo.standalone, f'uid=pwadm_admin_4,ou=People,{DEFAULT_SUFFIX}').rename('uid=pwadm_admin_4_new')
# Remove admin
grp.remove('uniqueMember', f'uid=pwadm_admin_4,ou=People,{DEFAULT_SUFFIX}')
# Add Admin
grp.add('uniqueMember', f'uid=pwadm_admin_4_new,ou=People,{DEFAULT_SUFFIX}')
# Test the group pwp again
with pytest.raises(ldap.INVALID_CREDENTIALS):
change_password_of_user(topo, [(f'uid=pwadm_admin_4,ou=People', 'Secret123', 'Secret1')],
f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}')
change_password_of_user(topo, [(f'uid=pwadm_admin_4_new,ou=People', 'Secret123', 'Secret1')],
f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}')
with pytest.raises(ldap.INVALID_SYNTAX):
Config(topo.standalone).replace('passwordAdminDN', "Invalid")
# Test assigning invalid value to password admin attribute
# Try to add more than one Password Admin attribute to config file
with pytest.raises(ldap.OBJECT_CLASS_VIOLATION):
Config(topo.standalone).replace('passwordAdminDN',
[f'uid=pwadm_admin_2,ou=people,{DEFAULT_SUFFIX}',
f'uid=pwadm_admin_3,ou=people,{DEFAULT_SUFFIX}'])
# Use admin group setup from previous, but delete ACI from that
people = Domain(topo.standalone, f"ou=People,{DEFAULT_SUFFIX}")
people.remove('aci',
f'(targetattr ="userpassword")(version 3.0;acl '
f'"Allow passwords admin to write user '
f'passwords";allow (write)'
f'(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)')
# Try to change user's password by admin user
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'Sec')],
f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}')
# Restore ACI
people.set('aci',
f'(targetattr ="userpassword")(version 3.0;acl '
f'"Allow passwords admin to write user '
f'passwords";allow (write)(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)')
# Edit ACIs for admin group
people.add('aci',
f'(targetattr ="userpassword")(version 3.0;acl '
f'"Allow passwords admin to add user '
f'passwords";allow (add)(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)')
UserAccount(topo.standalone, f'uid=pwadm_user_2,ou=people,{DEFAULT_SUFFIX}').replace('userpassword', 'Secret')
real_user = UserAccount(topo.standalone, f'uid=pwadm_user_2,ou=people,{DEFAULT_SUFFIX}')
conn = real_user.bind('Secret')
# Test new aci
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
UserAccounts(conn, DEFAULT_SUFFIX, rdn='ou=People').create(properties={
'uid': 'ok',
'cn': 'ok',
'sn': 'ok',
'uidNumber': '1000',
'gidNumber': 'ok',
'homeDirectory': '/home/ok'})
UserAccounts(topo.standalone, DEFAULT_SUFFIX).list()
real_user = UserAccount(topo.standalone, f'uid=pwadm_admin_2,ou=People,{DEFAULT_SUFFIX}')
conn = real_user.bind('Secret123')
# Test new aci which has new rights
for uid, cn, password in [
('pwadm_user_3', 'pwadm_user_1', 'U2VjcmV0MTIzCg=='),
('pwadm_user_4', 'pwadm_user_2', 'U2VjcmV0MTIzCg==')]:
UserAccounts(conn, DEFAULT_SUFFIX, rdn='ou=People').create(properties={
'uid': uid,
'cn': cn,
'sn': cn,
'uidNumber': '1000',
'gidNumber': '1001',
'homeDirectory': f'/home/{uid}',
'userpassword': password})
# Remove ACI
Domain(topo.standalone,
f"ou=People,{DEFAULT_SUFFIX}").remove('aci',
f'(targetattr ="userpassword")'
f'(version 3.0;acl '
f'"Allow passwords admin to add user '
f'passwords";allow '
f'(add)(groupdn = '
f'"ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)')
# Delete a user from password admin group
grp = UniqueGroup(topo.standalone, f'cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}')
grp.remove('uniqueMember', f'uid=pwadm_admin_2,ou=People,{DEFAULT_SUFFIX}')
# Change users password by ex-admin user
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'Secret')],
f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}')
# Set aci for only user
people = Domain(topo.standalone, f"ou=People,{DEFAULT_SUFFIX}")
people.remove('aci',
f'(targetattr ="userpassword")(version 3.0;acl '
f'"Allow passwords admin to write user '
f'passwords";allow (write)(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)')
people.set('aci',
f'(targetattr ="userpassword")(version 3.0;acl "Allow passwords admin '
f'to write user passwords";allow (write)(groupdn = "ldap:///uid=pwadm_admin_1,{DEFAULT_SUFFIX}");)')
# Remove group from password admin configuration
Config(topo.standalone).replace('passwordAdminDN', f"uid=pwadm_admin_1,{DEFAULT_SUFFIX}")
# Change user's password by ex-admin user
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'hellso')],
f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}')
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'hellso')],
f'uid=pwadm_admin_1,{DEFAULT_SUFFIX}')