def create_test_ou(instance, ou=None, suffix=None):
"""
Creates a new Organizational Unit for testing.
It tries to create a ou that doesn't already exist by using a different
ID each time. However, if it is provided with an existing ou/suffix it
will fail to create a new ou and it will raise an LDAP error.
Returns an OrganizationalUnit object.
"""
global test_ou_id
if ou is None:
ou = "TestOU_" + str(test_ou_id)
test_ou_id += 1
if suffix is None:
suffix = DEFAULT_SUFFIX
dn = ou + "," + suffix
dn = "ou=" + ou + "," + suffix
properties = {
'ou': ou,
}
ou = OrganizationalUnit(instance, dn)
ou.create(properties=properties)
return ou
def test_renaming_target_entry(topo, _add_user, aci_of_user):
"""Test for renaming target entry
:id: 6be1d33a-7932-11e8-9115-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Create a test user entry
3. Create a new ou entry with an aci
4. Make sure uid=$MYUID has the access
5. Rename ou=OU0 to ou=OU1
6. Create another ou=OU2
7. Move ou=OU1 under ou=OU2
8. Make sure uid=$MYUID still has the access
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
4. Operation should succeed
5. Operation should succeed
6. Operation should succeed
7. Operation should succeed
8. Operation should succeed
"""
properties = {
'uid': 'TRAC340_MODRDN',
'cn': 'TRAC340_MODRDN',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'TRAC340_MODRDN'
}
user = UserAccount(topo.standalone,
'cn=TRAC340_MODRDN,{}'.format(DEFAULT_SUFFIX))
user.create(properties=properties)
user.set("userPassword", "password")
ou = OrganizationalUnit(topo.standalone,
'ou=OU0,{}'.format(DEFAULT_SUFFIX))
ou.create(properties={'ou': 'OU0'})
ou.set(
'aci',
'(targetattr="*")(version 3.0; acl "$MYUID";allow(read, search, compare) userdn = "ldap:///{}";)'
.format(TRAC340_MODRDN))
conn = UserAccount(topo.standalone, TRAC340_MODRDN).bind(PW_DM)
assert OrganizationalUnits(conn, DEFAULT_SUFFIX).get('OU0')
# Test for renaming target entry
OrganizationalUnits(topo.standalone,
DEFAULT_SUFFIX).get('OU0').rename("ou=OU1")
assert OrganizationalUnits(conn, DEFAULT_SUFFIX).get('OU1')
ou = OrganizationalUnit(topo.standalone,
'ou=OU2,{}'.format(DEFAULT_SUFFIX))
ou.create(properties={'ou': 'OU2'})
# Test for renaming target entry
OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX).get('OU1').rename(
"ou=OU1", newsuperior=OU2_OU_MODRDN)
assert OrganizationalUnits(conn, DEFAULT_SUFFIX).get('OU1')
def _populate_suffix(instance, suffixname):
o = Organization(instance, 'o={}'.format(suffixname))
o.create(properties={
'o': suffixname,
'description': 'test'
})
ou = OrganizationalUnit(instance, 'ou=people,o={}'.format(suffixname))
ou.create(properties={
'ou': 'people'
})
def _add_user(request, topo):
ou = OrganizationalUnit(topo.standalone,
'ou=Product Development,{}'.format(DEFAULT_SUFFIX))
ou.create(properties={'ou': 'Product Development'})
ou = OrganizationalUnit(topo.standalone,
'ou=Accounting,{}'.format(DEFAULT_SUFFIX))
ou.create(properties={'ou': 'Accounting'})
groups = Group(topo.standalone, DYNAMIC_MODRDN)
group_properties = {
"cn": "Test DYNAMIC_MODRDN Group 70",
"objectclass": ["top", 'groupofURLs'],
'memberURL': 'ldap:///{}??base?(cn=*)'.format(USER_WITH_ACI_DELADD)
}
groups.create(properties=group_properties)
properties = {
'uid': 'Jeff Vedder',
'cn': 'Jeff Vedder',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'JeffVedder',
'userPassword': PW_DM
}
user = UserAccount(
topo.standalone,
'cn=Jeff Vedder,ou=Product Development,{}'.format(DEFAULT_SUFFIX))
user.create(properties=properties)
properties = {
'uid': 'Sam Carter',
'cn': 'Sam Carter',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'SamCarter',
'userPassword': PW_DM
}
user = UserAccount(topo.standalone,
'cn=Sam Carter,ou=Accounting,{}'.format(DEFAULT_SUFFIX))
user.create(properties=properties)
def fin():
for DN in [
USER_DELADD, USER_WITH_ACI_DELADD, DYNAMIC_MODRDN,
CONTAINER_2_DELADD, CONTAINER_1_DELADD
]:
UserAccount(topo.standalone, DN).delete()
request.addfinalizer(fin)
def test_allow_write_access_to_target_with_wildcards(topo, aci_of_user,
cleanup_tree):
"""
Modify Test 6 Allow write access to target with wildcards
:id:825fe884-7abf-11e8-8541-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
ACI_BODY = '(target = ldap:///{})(targetattr = "*")(version 3.0; acl "ACI NAME"; allow (write) (userdn = "ldap:///anyone") ;)'.format(
DEFAULT_SUFFIX)
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
for i in ['Product Development', 'Accounting', 'Human Resources']:
ou = OrganizationalUnit(topo.standalone,
"ou={},{}".format(i, DEFAULT_SUFFIX))
ou.create(properties={'ou': i})
for i in [
'Jeff Vedder,ou=Product Development', 'Sam Carter,ou=Accounting',
'Kirsten Vaughan, ou=Human Resources'
]:
properties = {
'uid': i,
'cn': i,
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + i,
'userPassword': PW_DM
}
user = UserAccount(topo.standalone,
"cn={},{}".format(i, DEFAULT_SUFFIX))
user.create(properties=properties)
conn = UserAccount(topo.standalone, USER_DELADD).bind(PW_DM)
# Allow write access to target with wildcards
ua = UserAccount(conn, KIRSTENVAUGHAN)
ua.add("title", "Architect")
assert ua.get_attr_val('title')
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
# Allow write access to target with wildcards
ua = UserAccount(conn, USER_DELADD)
ua.add("title", "Architect")
assert ua.get_attr_val('title')
def test_allow_write_access_to_userdnattr(topo, aci_of_user, cleanup_tree,
request):
"""Modify Test 7 Allow write access to userdnattr
:id: 86b418f6-7abf-11e8-ae28-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
ACI_BODY = '(target = ldap:///{})(targetattr=*)(version 3.0; acl "{}";allow (write) (userdn = "ldap:///anyone"); )'.format(
DEFAULT_SUFFIX, request.node.name)
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
for i in ['Product Development', 'Accounting']:
ou = OrganizationalUnit(topo.standalone,
"ou={},{}".format(i, DEFAULT_SUFFIX))
ou.create(properties={'ou': i})
for i in [
'Jeff Vedder,ou=Product Development', 'Sam Carter,ou=Accounting'
]:
properties = {
'uid': i,
'cn': i,
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + i,
'userPassword': PW_DM
}
user = UserAccount(topo.standalone,
"cn={},{}".format(i, DEFAULT_SUFFIX))
user.create(properties=properties)
UserAccount(topo.standalone,
USER_WITH_ACI_DELADD).add('manager', USER_WITH_ACI_DELADD)
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
# Allow write access to userdnattr
ua = UserAccount(conn, USER_DELADD)
ua.add('uid', 'scoobie')
assert ua.get_attr_val('uid')
ua.add('uid', 'jvedder')
assert ua.get_attr_val('uid')
def test_ticket50234(topology_st):
"""
The fix for ticket 50234
The test sequence is:
- create more than 10 entries with objectclass organizational units ou=org{}
- add an Account in one of them, eg below ou=org5
- do searches with search base ou=org5 and search filter "objectclass=organizationalunit"
- a subtree search should return 1 entry, the base entry
- a onelevel search should return no entry
"""
log.info(
'Testing Ticket 50234 - onelvel search returns not matching entry')
for i in range(1, 15):
ou = OrganizationalUnit(topology_st.standalone,
"ou=Org{},{}".format(i, DEFAULT_SUFFIX))
ou.create(properties={'ou': 'Org'.format(i)})
properties = {
'uid': 'Jeff Vedder',
'cn': 'Jeff Vedder',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'JeffVedder',
'userPassword': '******'
}
user = UserAccount(topology_st.standalone,
"cn=Jeff Vedder,ou=org5,{}".format(DEFAULT_SUFFIX))
user.create(properties=properties)
# in a subtree search the entry used as search base matches the filter and shoul be returned
ent = topology_st.standalone.getEntry("ou=org5,{}".format(DEFAULT_SUFFIX),
ldap.SCOPE_SUBTREE,
"(objectclass=organizationalunit)")
# in a onelevel search the only child is an useraccount which does not match the filter
# no entry should be returned, which would cause getEntry to raise an exception we need to handle
found = 1
try:
ent = topology_st.standalone.getEntry(
"ou=org5,{}".format(DEFAULT_SUFFIX), ldap.SCOPE_ONELEVEL,
"(objectclass=organizationalunit)")
except ldap.NO_SUCH_OBJECT:
found = 0
assert (found == 0)
def create_base_orgunit(instance, basedn):
"""Create the base org unit object for a org unit"""
orgunit = OrganizationalUnit(instance, dn=basedn)
# Explode the dn to get the first bit.
avas = dn.str2dn(basedn)
ou_ava = avas[0][0][1]
orgunit.create(
properties={
# I think in python 2 this forces unicode return ...
'ou': ou_ava,
'description': basedn,
})
return orgunit
def test_allow_owner_to_modify_entry(topo, aci_of_user, cleanup_tree):
"""
Modify Test 14 allow userdnattr = owner to modify entry
:id:aa302090-7abf-11e8-811a-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
grp = UniqueGroup(topo.standalone, 'cn=intranet,' + DEFAULT_SUFFIX)
grp.create(properties={'cn': 'intranet', 'ou': 'groups'})
grp.set('owner', USER_WITH_ACI_DELADD)
ACI_BODY = '(target ="ldap:///cn=intranet, {}") (targetattr ="*")(targetfilter ="(objectclass=groupOfUniqueNames)") (version 3.0;acl "$tet_thistest";allow(read, write, delete, search, compare, add) (userdnattr = "owner");)'.format(
DEFAULT_SUFFIX)
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
for i in ['Product Development', 'Accounting']:
ou = OrganizationalUnit(topo.standalone,
"ou={},{}".format(i, DEFAULT_SUFFIX))
ou.create(properties={'ou': i})
for i in [
'Jeff Vedder,ou=Product Development', 'Sam Carter,ou=Accounting'
]:
properties = {
'uid': i,
'cn': i,
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + i,
'userPassword': PW_DM
}
user = UserAccount(topo.standalone,
"cn={},{}".format(i, DEFAULT_SUFFIX))
user.create(properties=properties)
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
# allow userdnattr = owner to modify entry
ua = UserAccount(conn, 'cn=intranet,dc=example,dc=com')
ua.set('uniquemember', "cn=Andy Walker, ou=Accounting,dc=example,dc=com")
assert ua.get_attr_val('uniquemember')
def test_allow_selfwrite_access_to_anyone(topo, aci_of_user, cleanup_tree):
"""
Modify Test 8 Allow selfwrite access to anyone
:id:8b3becf0-7abf-11e8-ac34-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
groups = Groups(topo.standalone, DEFAULT_SUFFIX)
group = groups.create(properties={
"cn": "group1",
"description": "testgroup"
})
ACI_BODY = '(target = ldap:///cn=group1,ou=Groups,{})(targetattr = "member")(version 3.0; acl "ACI NAME"; allow (selfwrite) (userdn = "ldap:///anyone") ;)'.format(
DEFAULT_SUFFIX)
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
ou = OrganizationalUnit(topo.standalone,
"ou=Product Development,{}".format(DEFAULT_SUFFIX))
ou.create(properties={'ou': 'Product Development'})
properties = {
'uid': 'Jeff Vedder',
'cn': 'Jeff Vedder',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'JeffVedder',
'userPassword': PW_DM
}
user = UserAccount(
topo.standalone,
"cn=Jeff Vedder,ou=Product Development,{}".format(DEFAULT_SUFFIX))
user.create(properties=properties)
conn = UserAccount(topo.standalone, USER_DELADD).bind(PW_DM)
# Allow selfwrite access to anyone
groups = Groups(conn, DEFAULT_SUFFIX)
groups.list()[0].add_member(USER_DELADD)
group.delete()
def test_aci_with_both_allow_and_deny(topo, aci_of_user, cleanup_tree):
"""
Modify Test 12 aci with both allow and deny
:id:9dcfe902-7abf-11e8-86dc-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
ACI_BODY = '(targetattr = "*")(version 3.0; acl "ACI NAME"; deny (read, search)userdn = "ldap:///{}"; allow (all) userdn = "ldap:///{}" ;)'.format(
USER_WITH_ACI_DELADD, USER_DELADD)
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
for i in ['Product Development', 'Accounting']:
ou = OrganizationalUnit(topo.standalone,
"ou={},{}".format(i, DEFAULT_SUFFIX))
ou.create(properties={'ou': i})
for i in [
'Jeff Vedder,ou=Product Development', 'Sam Carter,ou=Accounting'
]:
properties = {
'uid': i,
'cn': i,
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + i,
'userPassword': PW_DM
}
user = UserAccount(topo.standalone,
"cn={},{}".format(i, DEFAULT_SUFFIX))
user.create(properties=properties)
conn = UserAccount(topo.standalone, USER_DELADD).bind(PW_DM)
# aci with both allow and deny, testing allow
assert UserAccount(conn, USER_WITH_ACI_DELADD).get_attr_val('uid')
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
# aci with both allow and deny, testing deny
with pytest.raises(IndexError):
UserAccount(conn, USER_WITH_ACI_DELADD).get_attr_val('uid')
def test_allow_write_access_to_userdn_all(topo, aci_of_user, cleanup_tree):
"""
Modify Test 3 Allow write access to userdn 'all'
:id:70c58818-7abf-11e8-afa1-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
ACI_BODY = '(targetattr = "*")(version 3.0; acl "ACI NAME"; allow (write) (userdn = "ldap:///all") ;)'
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
for i in ['Product Development', 'Accounting']:
ou = OrganizationalUnit(topo.standalone,
"ou={},{}".format(i, DEFAULT_SUFFIX))
ou.create(properties={'ou': i})
for i in [
'Jeff Vedder,ou=Product Development', 'Sam Carter,ou=Accounting'
]:
properties = {
'uid': i,
'cn': i,
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + i,
'userPassword': PW_DM
}
user = UserAccount(topo.standalone,
"cn={},{}".format(i, DEFAULT_SUFFIX))
user.create(properties=properties)
# Allow write access to userdn 'all'
conn = Anonymous(topo.standalone).bind()
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
UserAccount(conn, USER_DELADD).add("title", "Architect")
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
UserAccount(conn, USER_DELADD).add("title", "Architect")
assert UserAccount(conn, USER_DELADD).get_attr_val('title')
def test_allow_write_access_to_targetattr_with_multiple_attibutes(
topo, aci_of_user, cleanup_tree):
"""
Modify Test 2 Allow write access to targetattr with multiple attibutes
:id:6b9f05c6-7abf-11e8-9ba1-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
ACI_BODY = '(targetattr = "telephonenumber || roomnumber")(version 3.0; acl "ACI NAME"; allow (write) (userdn = "ldap:///anyone") ;)'
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
ou = OrganizationalUnit(topo.standalone,
"ou=Product Development,{}".format(DEFAULT_SUFFIX))
ou.create(properties={'ou': 'Product Development'})
properties = {
'uid': 'Jeff Vedder',
'cn': 'Jeff Vedder',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'JeffVedder',
'userPassword': PW_DM
}
user = UserAccount(
topo.standalone,
"cn=Jeff Vedder,ou=Product Development,{}".format(DEFAULT_SUFFIX))
user.create(properties=properties)
# Allow write access to targetattr with multiple attibutes
conn = Anonymous(topo.standalone).bind()
ua = UserAccount(conn, USER_DELADD)
ua.add("telephonenumber", "+1 408 555 1212")
assert ua.get_attr_val('telephonenumber')
ua.add("roomnumber", "101")
assert ua.get_attr_val('roomnumber')
def test_allow_write_access_to_userdn_with_wildcards_in_dn(
topo, aci_of_user, cleanup_tree):
"""
Modify Test 4 Allow write access to userdn with wildcards in DN
:id:766c2312-7abf-11e8-b57d-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
ACI_BODY = '(targetattr = "*")(version 3.0; acl "ACI NAME"; allow (write)(userdn = "ldap:///cn=*, ou=Product Development,{}") ;)'.format(
DEFAULT_SUFFIX)
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
ou = OrganizationalUnit(topo.standalone,
"ou=Product Development,{}".format(DEFAULT_SUFFIX))
ou.create(properties={'ou': 'Product Development'})
properties = {
'uid': 'Jeff Vedder',
'cn': 'Jeff Vedder',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'JeffVedder',
'userPassword': PW_DM
}
user = UserAccount(
topo.standalone,
"cn=Jeff Vedder,ou=Product Development,{}".format(DEFAULT_SUFFIX))
user.create(properties=properties)
conn = UserAccount(topo.standalone, USER_DELADD).bind(PW_DM)
# Allow write access to userdn with wildcards in DN
ua = UserAccount(conn, USER_DELADD)
ua.add("title", "Architect")
assert ua.get_attr_val('title')
def new_suffixes(topology_st):
"""Add two suffixes with backends, one is a parent
of the another
"""
log.info('Adding suffix:{} and backend: {}'.format(NEW_SUFFIX_1,
NEW_BACKEND_1))
bes = Backends(topology_st.standalone)
bes.create(properties={
'cn': 'NEW_BACKEND_1',
'nsslapd-suffix': NEW_SUFFIX_1,
})
# Create the root objects with their ACI
log.info('Adding ACI to allow our test user to search')
ACI_TARGET = '(targetattr != "userPassword || aci")'
ACI_ALLOW = '(version 3.0; acl "Enable anonymous access";allow (read, search, compare)'
ACI_SUBJECT = '(userdn = "ldap:///anyone");)'
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
o_1 = Organization(topology_st.standalone, NEW_SUFFIX_1)
o_1.create(properties={
'o': NEW_SUFFIX_1_NAME,
'aci': ACI_BODY,
})
log.info('Adding suffix:{} and backend: {}'.format(NEW_SUFFIX_2,
NEW_BACKEND_2))
be_2 = bes.create(properties={
'cn': 'NEW_BACKEND_2',
'nsslapd-suffix': NEW_SUFFIX_2,
})
# We have to adjust the MT to say that BE_1 is a parent.
mt = be_2.get_mapping_tree()
mt.set_parent(NEW_SUFFIX_1)
ou_2 = OrganizationalUnit(topology_st.standalone, NEW_SUFFIX_2)
ou_2.create(properties={'ou': NEW_SUFFIX_2_NAME})
def test_uniquemember_should_also_be_the_owner(topo, aci_of_user):
"""
Modify Test 10 groupdnattr = \"ldap:///$BASEDN?owner\" if owner is a group, group's
uniquemember should also be the owner
:id:9456b2d4-7abf-11e8-829d-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
for i in ['ACLGroupTest']:
ou = OrganizationalUnit(topo.standalone,
"ou={},{}".format(i, DEFAULT_SUFFIX))
ou.create(properties={'ou': i})
ou = OrganizationalUnit(topo.standalone,
"ou=ACLDevelopment,{}".format(DEFAULT_SUFFIX))
ou.create(properties={'ou': 'ACLDevelopment'})
ou.set(
'aci', '(targetattr="*")(version 3.0; acl "groupdnattr acl"; '
'allow (all)groupdnattr = "ldap:///{}?owner";)'.format(DEFAULT_SUFFIX))
grp = UniqueGroup(topo.standalone,
"uid=anuj,ou=ACLDevelopment, {}".format(DEFAULT_SUFFIX))
user_props = ({
'sn':
'Borah',
'cn':
'Anuj',
'objectclass': [
'top', 'person', 'organizationalPerson', 'inetOrgPerson',
'groupofUniquenames'
],
'userpassword':
PW_DM,
'givenname':
'Anuj',
'ou': ['ACLDevelopment', 'People'],
'roomnumber':
'123',
'uniquemember':
'cn=mandatory member'
})
grp.create(properties=user_props)
grp = UniqueGroup(
topo.standalone,
"uid=2ishani,ou=ACLDevelopment, {}".format(DEFAULT_SUFFIX))
user_props = ({
'sn':
'Borah',
'cn':
'2ishani',
'objectclass': [
'top', 'person', 'organizationalPerson', 'inetOrgPerson',
'groupofUniquenames'
],
'userpassword':
PW_DM,
'givenname':
'2ishani',
'ou': ['ACLDevelopment', 'People'],
'roomnumber':
'1234',
'uniquemember':
'cn=mandatory member',
"owner":
"cn=group4, ou=ACLGroupTest, {}".format(DEFAULT_SUFFIX)
})
grp.create(properties=user_props)
grp = UniqueGroup(topo.standalone,
'cn=group1,ou=ACLGroupTest,' + DEFAULT_SUFFIX)
grp.create(properties={'cn': 'group1', 'ou': 'groups'})
grp.set('uniquemember', [
"cn=group2, ou=ACLGroupTest, {}".format(DEFAULT_SUFFIX),
"cn=group3, ou=ACLGroupTest, {}".format(DEFAULT_SUFFIX)
])
grp = UniqueGroup(topo.standalone,
'cn=group3,ou=ACLGroupTest,' + DEFAULT_SUFFIX)
grp.create(properties={'cn': 'group3', 'ou': 'groups'})
grp.set('uniquemember',
["cn=group4, ou=ACLGroupTest, {}".format(DEFAULT_SUFFIX)])
grp = UniqueGroup(topo.standalone,
'cn=group4,ou=ACLGroupTest,' + DEFAULT_SUFFIX)
grp.create(properties={'cn': 'group4', 'ou': 'groups'})
grp.set('uniquemember',
["uid=anuj, ou=ACLDevelopment, {}".format(DEFAULT_SUFFIX)])
#uniquemember should also be the owner
conn = UserAccount(
topo.standalone,
"uid=anuj,ou=ACLDevelopment, {}".format(DEFAULT_SUFFIX)).bind(PW_DM)
ua = UserAccount(
conn, "uid=2ishani, ou=ACLDevelopment, {}".format(DEFAULT_SUFFIX))
ua.add('roomnumber', '9999')
assert ua.get_attr_val('roomnumber')
for DN in [
"cn=group4,ou=ACLGroupTest,{}".format(DEFAULT_SUFFIX),
"cn=group3,ou=ACLGroupTest,{}".format(DEFAULT_SUFFIX),
"cn=group1,ou=ACLGroupTest,{}".format(DEFAULT_SUFFIX),
"uid=2ishani,ou=ACLDevelopment,{}".format(DEFAULT_SUFFIX),
"uid=anuj,ou=ACLDevelopment,{}".format(DEFAULT_SUFFIX),
"ou=ACLDevelopment,{}".format(DEFAULT_SUFFIX),
"ou=ACLGroupTest, {}".format(DEFAULT_SUFFIX)
]:
UserAccount(topo.standalone, DN).delete()
def test_targattrfilters_keyword(topo):
"""
Testing the targattrfilters keyword that allows access control based on the value
of the attributes being added (or deleted))
"Bug #979515 - ACLs inoperative in some search scenarios [rhel-6.5]"
"Bug #979516 is a clone for DS8.2 on RHEL5.9"
"Bug #979514 is a clone for RHEL6.4 zStream errata"
:id:23f9e9d0-7aaa-11e8-b16b-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
domain.set('aci', None)
ou = OrganizationalUnit(topo.standalone, 'ou=bug979515,{}'.format(DEFAULT_SUFFIX))
ou.create(properties={'ou': 'bug979515'})
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", '(target="ldap:///ou=bug979515,{}") '
'(targetattr= "uid") ( version 3.0; acl "read other subscriber"; allow (compare, read, search) '
'userdn="ldap:///uid=*,ou=bug979515,{}" ; )'.format(DEFAULT_SUFFIX, DEFAULT_SUFFIX))
properties = {
'uid': 'acientryusr1',
'cn': 'acientryusr1',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'acientryusr1'
}
user = UserAccount(topo.standalone, 'cn=acientryusr1,ou=bug979515,{}'.format(DEFAULT_SUFFIX))
user.create(properties=properties)
user.set('telephoneNumber', '99972566596')
user.set('mail', '*****@*****.**')
user.set("userPassword", "password")
properties = {
'uid': 'newaciphoneusr1',
'cn': 'newaciphoneusr1',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'newaciphoneusr1'
}
user = UserAccount(topo.standalone, 'cn=newaciphoneusr1,ou=bug979515,{}'.format(DEFAULT_SUFFIX))
user.create(properties=properties)
user.set('telephoneNumber', '99972566596')
user.set('mail', '*****@*****.**')
conn = UserAccount(topo.standalone, "cn=acientryusr1,ou=bug979515,{}".format(DEFAULT_SUFFIX)).bind(PW_DM)
# Testing the targattrfilters keyword that allows access control based on the value of the attributes being added (or deleted))
user = UserAccount(conn, "cn=acientryusr1,ou=bug979515,{}".format(DEFAULT_SUFFIX))
with pytest.raises(IndexError):
user.get_attr_vals('mail')
user.get_attr_vals('telephoneNumber')
user.get_attr_vals('cn')
user = UserAccount(topo.standalone, "cn=acientryusr1,ou=bug979515,{}".format(DEFAULT_SUFFIX))
user.get_attr_vals('mail')
user.get_attr_vals('telephoneNumber')
user.get_attr_vals('cn')
def test_rename_large_subtree(topology_m2):
"""
A report stated that the following configuration would lead
to an operation failure:
ou=int,ou=account,dc=...
ou=s1,ou=int,ou=account,dc=...
ou=s2,ou=int,ou=account,dc=...
rename ou=s1 to re-parent to ou=account, leaving:
ou=int,ou=account,dc=...
ou=s1,ou=account,dc=...
ou=s2,ou=account,dc=...
The ou=s1 if it has < 100 entries below, is able to be reparented.
If ou=s1 has > 400 entries, it fails.
Other conditions was the presence of referential integrity - so one would
assume that all users under s1 are a member of some group external to this.
:id: 5915c38d-b3c2-4b7c-af76-8a1e002e27f7
:setup: standalone instance
:steps: 1. Enable automember plugin
2. Add UCOUNT users, and ensure they are members of a group.
3. Enable refer-int plugin
4. Move ou=s1 to a new parent
:expectedresults:
1. The plugin is enabled
2. The users are members of the group
3. The plugin is enabled
4. The rename operation of ou=s1 succeeds
"""
st = topology_m2.ms["supplier1"]
m2 = topology_m2.ms["supplier2"]
# Create a default group
gps = Groups(st, DEFAULT_SUFFIX)
# Keep the group so we can get it's DN out.
group = gps.create(properties={'cn': 'default_group'})
_enable_plugins(st, group.dn)
_enable_plugins(m2, group.dn)
# Now unlike normal, we bypass the plural-create method, because we need control
# over the exact DN of the OU to create.
# Create the ou=account
# We don't need to set a DN here because ...
ou_account = OrganisationalUnit(st)
# It's set in the .create step.
ou_account.create(basedn=DEFAULT_SUFFIX, properties={'ou': 'account'})
# create the ou=int,ou=account
ou_int = OrganisationalUnit(st)
ou_int.create(basedn=ou_account.dn, properties={'ou': 'int'})
# Create the ou=s1,ou=int,ou=account
ou_s1 = OrganisationalUnit(st)
ou_s1.create(basedn=ou_int.dn, properties={'ou': 's1'})
# Pause replication
repl = ReplicationManager(DEFAULT_SUFFIX)
repl.disable_to_supplier(m2, [
st,
])
# Create the users 1 -> UCOUNT in ou=s1
nsu = nsUserAccounts(st, basedn=ou_s1.dn, rdn=None)
for i in range(1000, 1000 + UCOUNT):
nsu.create_test_user(uid=i)
# Enable replication
repl.enable_to_supplier(m2, [
st,
])
# Assert they are in the group as we expect
members = group.get_attr_vals_utf8('member')
assert len(members) == UCOUNT
# Wait for replication
repl.wait_for_replication(st, m2, timeout=60)
for i in range(0, 5):
# Move ou=s1 to ou=account as parent. We have to provide the rdn,
# even though it's not changing.
ou_s1.rename('ou=s1', newsuperior=ou_account.dn)
members = group.get_attr_vals_utf8('member')
assert len(members) == UCOUNT
# Check that we really did refer-int properly, and ou=int is not in the members.
for member in members:
assert 'ou=int' not in member
# Now move it back
ou_s1.rename('ou=s1', newsuperior=ou_int.dn)
members = group.get_attr_vals_utf8('member')
assert len(members) == UCOUNT
for member in members:
assert 'ou=int' in member
# Check everythig on the other side is good.
repl.wait_for_replication(st, m2, timeout=60)
group2 = Groups(m2, DEFAULT_SUFFIX).get('default_group')
members = group2.get_attr_vals_utf8('member')
assert len(members) == UCOUNT
for member in members:
assert 'ou=int' in member
def _add_user(request, topo):
for i in ["Product Development", 'Accounting', "Human Resources"]:
ou = OrganizationalUnit(topo.standalone,
"ou={},{}".format(i, DEFAULT_SUFFIX))
ou.create(properties={'ou': i})
properties = {
'uid': 'Jeff Vedder',
'cn': 'Jeff Vedder',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'JeffVedder',
'userPassword': '******'
}
user = UserAccount(topo.standalone,
'cn=Jeff Vedder,{}'.format(CONTAINER_1_DELADD))
user.create(properties=properties)
user.set('secretary', 'cn=Arpitoo Borah, o=Red Hat, c=As')
user.set('mail', '*****@*****.**')
properties = {
'uid': 'Sam Carter',
'cn': 'Sam Carter',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'SamCarter',
'userPassword': '******'
}
user = UserAccount(topo.standalone,
'cn=Sam Carter,{}'.format(CONTAINER_2_DELADD))
user.create(properties=properties)
properties = {
'uid': 'Kirsten Vaughan',
'cn': 'Kirsten Vaughan',
'sn': 'Kirsten Vaughan',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'KirstenVaughan',
'userPassword': '******'
}
user = UserAccount(
topo.standalone,
'cn=Kirsten Vaughan, ou=Human Resources,{}'.format(DEFAULT_SUFFIX))
user.create(properties=properties)
properties = {
'uid': 'HARRY',
'cn': 'HARRY',
'sn': 'HARRY',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'HARRY',
'userPassword': '******'
}
user = UserAccount(topo.standalone,
'cn=HARRY, ou=Accounting,{}'.format(DEFAULT_SUFFIX))
user.create(properties=properties)
def fin():
for DN in [
USER_DELADD, USER_WITH_ACI_DELADD, FRED, HARRY, KIRSTENVAUGHAN,
HUMAN_OU_GLOBAL, CONTAINER_2_DELADD, CONTAINER_1_DELADD
]:
ua = UserAccount(topo.standalone, DN)
try:
ua.delete()
except:
pass
request.addfinalizer(fin)
def _add_user(request, topo):
org = Organization(topo.standalone).create(properties={"o": "acivattr"}, basedn=DEFAULT_SUFFIX)
org.add('aci', '(targetattr="*")(targetfilter="(nsrole=*)")(version 3.0; aci "tester"; '
'allow(all) userdn="ldap:///cn=enguser1,ou=eng,o=acivattr,{}";)'.format(DEFAULT_SUFFIX))
ou = OrganizationalUnit(topo.standalone, "ou=eng,o=acivattr,{}".format(DEFAULT_SUFFIX))
ou.create(properties={'ou': 'eng'})
ou = OrganizationalUnit(topo.standalone, "ou=sales,o=acivattr,{}".format(DEFAULT_SUFFIX))
ou.create(properties={'ou': 'sales'})
roles = FilteredRoles(topo.standalone, DNBASE)
roles.create(properties={'cn':'FILTERROLEENGROLE', 'nsRoleFilter':'cn=eng*'})
roles.create(properties={'cn': 'FILTERROLESALESROLE', 'nsRoleFilter': 'cn=sales*'})
nsContainer(topo.standalone,
'cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,o=acivattr,{}'.format(DEFAULT_SUFFIX)).create(
properties={'cn': 'cosTemplates'})
properties = {'employeeType': 'EngType', 'cn':'"cn=filterRoleEngRole,o=acivattr,dc=example,dc=com",cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,o=acivattr,dc=example,dc=com'}
CosTemplate(topo.standalone,'cn="cn=filterRoleEngRole,o=acivattr,dc=example,dc=com",'
'cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,o=acivattr,{}'.format(DEFAULT_SUFFIX)).\
create(properties=properties)
properties = {'employeeType': 'SalesType', 'cn': '"cn=filterRoleSalesRole,o=acivattr,dc=example,dc=com",cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,o=acivattr,dc=example,dc=com'}
CosTemplate(topo.standalone,
'cn="cn=filterRoleSalesRole,o=acivattr,dc=example,dc=com",cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,'
'o=acivattr,{}'.format(DEFAULT_SUFFIX)).create(properties=properties)
properties = {
'cosTemplateDn': 'cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,o=acivattr,{}'.format(DEFAULT_SUFFIX),
'cosAttribute': 'employeeType', 'cosSpecifier': 'nsrole', 'cn': 'cosClassicGenerateEmployeeTypeUsingnsrole'}
CosClassicDefinition(topo.standalone,
'cn=cosClassicGenerateEmployeeTypeUsingnsrole,o=acivattr,{}'.format(DEFAULT_SUFFIX)).create(
properties=properties)
properties = {
'uid': 'salesuser1',
'cn': 'salesuser1',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'salesuser1',
'userPassword': PW_DM
}
user = UserAccount(topo.standalone, 'cn=salesuser1,ou=sales,o=acivattr,{}'.format(DEFAULT_SUFFIX))
user.create(properties=properties)
properties = {
'uid': 'salesmanager1',
'cn': 'salesmanager1',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'salesmanager1',
'userPassword': PW_DM,
}
user = UserAccount(topo.standalone, 'cn=salesmanager1,ou=sales,o=acivattr,{}'.format(DEFAULT_SUFFIX))
user.create(properties=properties)
properties = {
'uid': 'enguser1',
'cn': 'enguser1',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'enguser1',
'userPassword': PW_DM
}
user = UserAccount(topo.standalone, 'cn=enguser1,ou=eng,o=acivattr,{}'.format(DEFAULT_SUFFIX))
user.create(properties=properties)
properties = {
'uid': 'engmanager1',
'cn': 'engmanager1',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'engmanager1',
'userPassword': PW_DM
}
user = UserAccount(topo.standalone, 'cn=engmanager1,ou=eng,o=acivattr,{}'.format(DEFAULT_SUFFIX))
user.create(properties=properties)
def fin():
for DN in [ENG_USER,SALES_UESER,ENG_MANAGER,SALES_MANAGER,FILTERROLESALESROLE,FILTERROLEENGROLE,ENG_OU,SALES_OU,
'cn="cn=filterRoleEngRole,o=acivattr,dc=example,dc=com",'
'cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,o=acivattr,dc=example,dc=com',
'cn="cn=filterRoleSalesRole,o=acivattr,dc=example,dc=com",'
'cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,o=acivattr,{}'.format(DEFAULT_SUFFIX), 'cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,o=acivattr,{}'.format(DEFAULT_SUFFIX),
'cn=cosClassicGenerateEmployeeTypeUsingnsrole,o=acivattr,{}'.format(DEFAULT_SUFFIX), DNBASE]:
UserAccount(topo.standalone, DN).delete()
request.addfinalizer(fin)
def add_ou_entry(topo, name, myparent):
ou_dn = 'ou={},{}'.format(name, myparent)
ou = OrganizationalUnit(topo.standalone, dn=ou_dn)
assert ou.create(properties={'ou': name})
log.info('Organisation {} created for ou :{} .'.format(name, ou_dn))
def test_filterrole(topo):
"""Test Filter Role
:id: 8ada4064-786b-11e8-8634-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. Search nsconsole role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
Organization(topo.standalone).create(properties={"o": "acivattr"},
basedn=DEFAULT_SUFFIX)
properties = {
'ou': 'eng',
}
ou_ou = OrganizationalUnit(topo.standalone,
"ou=eng,o=acivattr,{}".format(DEFAULT_SUFFIX))
ou_ou.create(properties=properties)
properties = {'ou': 'sales'}
ou_ou = OrganizationalUnit(topo.standalone,
"ou=sales,o=acivattr,{}".format(DEFAULT_SUFFIX))
ou_ou.create(properties=properties)
roles = FilteredRoles(topo.standalone, DNBASE)
roles.create(properties={
'cn': 'FILTERROLEENGROLE',
'nsRoleFilter': 'cn=eng*'
})
roles.create(properties={
'cn': 'FILTERROLESALESROLE',
'nsRoleFilter': 'cn=sales*'
})
properties = {
'uid': 'salesuser1',
'cn': 'salesuser1',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'salesuser1',
'userPassword': PW_DM
}
user = UserAccount(
topo.standalone,
'cn=salesuser1,ou=sales,o=acivattr,{}'.format(DEFAULT_SUFFIX))
user.create(properties=properties)
properties = {
'uid': 'salesmanager1',
'cn': 'salesmanager1',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'salesmanager1',
'userPassword': PW_DM,
}
user = UserAccount(
topo.standalone,
'cn=salesmanager1,ou=sales,o=acivattr,{}'.format(DEFAULT_SUFFIX))
user.create(properties=properties)
properties = {
'uid': 'enguser1',
'cn': 'enguser1',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'enguser1',
'userPassword': PW_DM
}
user = UserAccount(
topo.standalone,
'cn=enguser1,ou=eng,o=acivattr,{}'.format(DEFAULT_SUFFIX))
user.create(properties=properties)
properties = {
'uid': 'engmanager1',
'cn': 'engmanager1',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'engmanager1',
'userPassword': PW_DM
}
user = UserAccount(
topo.standalone,
'cn=engmanager1,ou=eng,o=acivattr,{}'.format(DEFAULT_SUFFIX))
user.create(properties=properties)
# user with cn=sales* will automatically memeber of nsfilterrole
# cn=filterrolesalesrole,o=acivattr,dc=example,dc=com
assert UserAccount(topo.standalone,
'cn=salesuser1,ou=sales,o=acivattr,dc=example,dc=com').\
get_attr_val_utf8('nsrole') == 'cn=filterrolesalesrole,o=acivattr,dc=example,dc=com'
# same goes to SALES_MANAGER
assert UserAccount(topo.standalone, SALES_MANAGER).get_attr_val_utf8(
'nsrole') == 'cn=filterrolesalesrole,o=acivattr,dc=example,dc=com'
# user with cn=eng* will automatically memeber of nsfilterrole
# cn=filterroleengrole,o=acivattr,dc=example,dc=com
assert UserAccount(topo.standalone, 'cn=enguser1,ou=eng,o=acivattr,dc=example,dc=com').\
get_attr_val_utf8('nsrole') == 'cn=filterroleengrole,o=acivattr,dc=example,dc=com'
# same goes to ENG_MANAGER
assert UserAccount(topo.standalone, ENG_MANAGER).get_attr_val_utf8(
'nsrole') == 'cn=filterroleengrole,o=acivattr,dc=example,dc=com'
for dn_dn in [
ENG_USER, SALES_UESER, ENG_MANAGER, SALES_MANAGER,
FILTERROLESALESROLE, FILTERROLEENGROLE, ENG_OU, SALES_OU, DNBASE
]:
UserAccount(topo.standalone, dn_dn).delete()
