def _write_aci_production(topology_m2, mod_type=None): assert mod_type is not None ACI_TARGET = "(targetattr= \"uid\")(target=\"ldap:///uid=*,%s\")" % PRODUCTION_DN ACI_ALLOW = "(version 3.0; acl \"write production entries\"; allow (write)" ACI_SUBJECT = " userdn = \"ldap:///%s\";)" % BIND_DN ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT suffix = Domain(topology_m2.ms["supplier1"], SUFFIX) suffix.set('aci', ACI_BODY, mod_type)
def _write_aci_staging(topology_m2, mod_type=None): assert mod_type is not None ACI_TARGET = "(targetattr= \"uid\")(target=\"ldap:///uid=*,%s\")" % STAGING_DN ACI_ALLOW = "(version 3.0; acl \"write staging entries\"; allow (write)" ACI_SUBJECT = " userdn = \"ldap:///%s\";)" % BIND_DN ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT suffix = Domain(topology_m2.ms["master1"], SUFFIX) suffix.set('aci', ACI_BODY, mod_type)
def _moddn_aci_from_production_to_staging(topology_m2, mod_type=None): assert mod_type is not None ACI_TARGET = "(target_from = \"ldap:///%s\") (target_to = \"ldap:///%s\")" % ( PRODUCTION_DN, STAGING_DN) ACI_ALLOW = "(version 3.0; acl \"MODDN from production to staging\"; allow (moddn)" ACI_SUBJECT = " userdn = \"ldap:///%s\";)" % BIND_DN ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT suffix = Domain(topology_m2.ms["supplier1"], SUFFIX) suffix.set('aci', ACI_BODY, mod_type) _write_aci_production(topology_m2, mod_type=mod_type)
def test_local_password_policy(topo, _add_user): """Regression test for bz1044164 part 1. :id: d6f4a7fa-473b-11ea-8766-8c16451d917b :setup: Standalone :steps: 1. Add a User as Password Admin 2. Create a password admin user entry 3. Add an aci to allow this user all rights 4. Configure password admin 5. Create local password policy and enable passwordmustchange 6. Add another generic user but do not include the password (userpassword) 7. Use admin user to perform a password update on generic user 8. We don't need this ACI anymore. Delete it :expected results: 1. Success 2. Success 3. Success 4. Success 5. Success 6. Success 7. Success 8. Success """ # Add a User as Password Admin # Create a password admin user entry user = _create_user(topo, 'pwadm_admin_1', None) user.replace('userpassword', 'Secret123') domian = Domain(topo.standalone, DEFAULT_SUFFIX) # Add an aci to allow this user all rights domian.set( "aci", f'(targetattr ="userpassword")' f'(version 3.0;acl "Allow password admin to write user ' f'passwords";allow (write)(userdn = "ldap:///{user.dn}");)') # Configure password admin # Create local password policy and enable passwordmustchange Config(topo.standalone).replace_many(('passwordAdminDN', user.dn), ('passwordMustChange', 'off'), ('nsslapd-pwpolicy-local', 'on')) # Add another generic user but do not include the password (userpassword) # Use admin user to perform a password update on generic user real_user = UserAccount(topo.standalone, f'uid=pwadm_admin_1,{DEFAULT_SUFFIX}') conn = real_user.bind('Secret123') UserAccount(conn, f'uid=pwadm_user_1,{DEFAULT_SUFFIX}').replace( 'userpassword', 'hello') # We don't need this ACI anymore. Delete it domian.remove( "aci", f'(targetattr ="userpassword")' f'(version 3.0;acl "Allow password admin to write user ' f'passwords";allow (write)(userdn = "ldap:///{user.dn}");)')
def _moddn_aci_staging_to_production(topology_m2, mod_type=None, target_from=STAGING_DN, target_to=PRODUCTION_DN): assert mod_type is not None ACI_TARGET_FROM = "" ACI_TARGET_TO = "" if target_from: ACI_TARGET_FROM = "(target_from = \"ldap:///%s\")" % (target_from) if target_to: ACI_TARGET_TO = "(target_to = \"ldap:///%s\")" % (target_to) ACI_ALLOW = "(version 3.0; acl \"MODDN from staging to production\"; allow (moddn)" ACI_SUBJECT = " userdn = \"ldap:///%s\";)" % BIND_DN ACI_BODY = ACI_TARGET_FROM + ACI_TARGET_TO + ACI_ALLOW + ACI_SUBJECT suffix = Domain(topology_m2.ms["supplier1"], SUFFIX) suffix.set('aci', ACI_BODY, mod_type) _write_aci_staging(topology_m2, mod_type=mod_type)
def test_changes(topology): """Test the changes counter behaviour after making some changes to the replicated suffix """ topology.supplier.log.info("\n\n##########\n### CHANGES\n##########") ents = topology.supplier.agreement.list(suffix=SUFFIX, consumer_host=topology.consumer.host, consumer_port=topology.consumer.port) assert len(ents) == 1 value = topology.supplier.agreement.changes(agmnt_dn=ents[0].dn) topology.supplier.log.info("\ntest_changes: %d changes\n" % value) assert value > 0 # Do an update TEST_STRING = 'test_string' supplier_domain = Domain(topology.supplier, SUFFIX) consumer_domain = Domain(topology.consumer, SUFFIX) supplier_domain.set('description', TEST_STRING) # The update has been replicated loop = 0 while loop <= 10: if consumer_domain.present('description', TEST_STRING): break time.sleep(1) loop += 1 assert loop <= 10 # Give a little time to update a change number on supplier time.sleep(2) # Check change number newvalue = topology.supplier.agreement.changes(agmnt_dn=ents[0].dn) topology.supplier.log.info("\ntest_changes: %d changes\n" % newvalue) assert (value + 1) == newvalue
def finofaci(): domain = Domain(topo.standalone, DEFAULT_SUFFIX) domain.set('aci', None) for i in aci_list: domain.add("aci", i)
def test_multi_deny_aci(topo, aci_setup): """Test that mutliple deny rules work, and that they the cache properly stores the result :id: 294c366d-850e-459e-b5a0-3cc828ec3aca :setup: Standalone Instance :steps: 1. Add aci_list_A aci's and verify two searches on the same connection behave the same 2. Add aci_list_B aci's and verify search fails as expected :expectedresults: 1. Both searches do not return any entries 2. Seaches do not return any entries """ if DEBUGGING: # Maybe add aci logging? pass suffix = Domain(topo.standalone, DEFAULT_SUFFIX) for run in range(2): topo.standalone.log.info("Pass " + str(run + 1)) # Test ACI List A topo.standalone.log.info("Testing two searches behave the same...") topo.standalone.simple_bind_s(DN_DM, PASSWORD) suffix.set('aci', aci_list_A, ldap.MOD_REPLACE) time.sleep(1) topo.standalone.simple_bind_s(BIND_DN, PASSWORD) entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER) if entries and entries[0]: topo.standalone.log.fatal( "Incorrectly got an entry returned from search 1") assert False entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER) if entries and entries[0]: topo.standalone.log.fatal( "Incorrectly got an entry returned from search 2") assert False entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER2) if entries is None or len(entries) == 0: topo.standalone.log.fatal("Failed to get entry as good user") assert False entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER2) if entries is None or len(entries) == 0: topo.standalone.log.fatal("Failed to get entry as good user") assert False # Bind a different user who has rights topo.standalone.simple_bind_s(BIND_DN2, PASSWORD) entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER2) if entries is None or len(entries) == 0: topo.standalone.log.fatal("Failed to get entry as good user") assert False entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER2) if entries is None or len(entries) == 0: topo.standalone.log.fatal("Failed to get entry as good user (2)") assert False if run > 0: # Second pass topo.standalone.restart() # Reset ACI's and do the second test topo.standalone.log.info( "Testing search does not return any entries...") topo.standalone.simple_bind_s(DN_DM, PASSWORD) suffix.set('aci', aci_list_B, ldap.MOD_REPLACE) time.sleep(1) topo.standalone.simple_bind_s(BIND_DN, PASSWORD) entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER) if entries and entries[0]: topo.standalone.log.fatal( "Incorrectly got an entry returned from search 1") assert False entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER) if entries and entries[0]: topo.standalone.log.fatal( "Incorrectly got an entry returned from search 2") assert False if run > 0: # Second pass topo.standalone.restart() # Bind as different user who has rights topo.standalone.simple_bind_s(BIND_DN2, PASSWORD) entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER2) if entries is None or len(entries) == 0: topo.standalone.log.fatal("Failed to get entry as good user") assert False entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER2) if entries is None or len(entries) == 0: topo.standalone.log.fatal("Failed to get entry as good user (2)") assert False entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER) if entries and entries[0]: topo.standalone.log.fatal( "Incorrectly got an entry returned from search 1") assert False entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER) if entries and entries[0]: topo.standalone.log.fatal( "Incorrectly got an entry returned from search 2") assert False # back to user 1 topo.standalone.simple_bind_s(BIND_DN, PASSWORD) entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER2) if entries is None or len(entries) == 0: topo.standalone.log.fatal("Failed to get entry as user1") assert False entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER2) if entries is None or len(entries) == 0: topo.standalone.log.fatal("Failed to get entry as user1 (2)") assert False entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER) if entries and entries[0]: topo.standalone.log.fatal( "Incorrectly got an entry returned from search 1") assert False entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER) if entries and entries[0]: topo.standalone.log.fatal( "Incorrectly got an entry returned from search 2") assert False topo.standalone.log.info("Test PASSED")
def test_targattrfilters_keyword(topo): """ Testing the targattrfilters keyword that allows access control based on the value of the attributes being added (or deleted)) "Bug #979515 - ACLs inoperative in some search scenarios [rhel-6.5]" "Bug #979516 is a clone for DS8.2 on RHEL5.9" "Bug #979514 is a clone for RHEL6.4 zStream errata" :id:23f9e9d0-7aaa-11e8-b16b-8c16451d917b :setup: server :steps: 1. Add test entry 2. Add ACI 3. User should follow ACI role :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed """ domain = Domain(topo.standalone, DEFAULT_SUFFIX) domain.set('aci', None) ou = OrganizationalUnit(topo.standalone, 'ou=bug979515,{}'.format(DEFAULT_SUFFIX)) ou.create(properties={'ou': 'bug979515'}) Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", '(target="ldap:///ou=bug979515,{}") ' '(targetattr= "uid") ( version 3.0; acl "read other subscriber"; allow (compare, read, search) ' 'userdn="ldap:///uid=*,ou=bug979515,{}" ; )'.format(DEFAULT_SUFFIX, DEFAULT_SUFFIX)) properties = { 'uid': 'acientryusr1', 'cn': 'acientryusr1', 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/' + 'acientryusr1' } user = UserAccount(topo.standalone, 'cn=acientryusr1,ou=bug979515,{}'.format(DEFAULT_SUFFIX)) user.create(properties=properties) user.set('telephoneNumber', '99972566596') user.set('mail', '*****@*****.**') user.set("userPassword", "password") properties = { 'uid': 'newaciphoneusr1', 'cn': 'newaciphoneusr1', 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/' + 'newaciphoneusr1' } user = UserAccount(topo.standalone, 'cn=newaciphoneusr1,ou=bug979515,{}'.format(DEFAULT_SUFFIX)) user.create(properties=properties) user.set('telephoneNumber', '99972566596') user.set('mail', '*****@*****.**') conn = UserAccount(topo.standalone, "cn=acientryusr1,ou=bug979515,{}".format(DEFAULT_SUFFIX)).bind(PW_DM) # Testing the targattrfilters keyword that allows access control based on the value of the attributes being added (or deleted)) user = UserAccount(conn, "cn=acientryusr1,ou=bug979515,{}".format(DEFAULT_SUFFIX)) with pytest.raises(IndexError): user.get_attr_vals('mail') user.get_attr_vals('telephoneNumber') user.get_attr_vals('cn') user = UserAccount(topo.standalone, "cn=acientryusr1,ou=bug979515,{}".format(DEFAULT_SUFFIX)) user.get_attr_vals('mail') user.get_attr_vals('telephoneNumber') user.get_attr_vals('cn')
def test_admin_group_to_modify_password(topo, _add_user): """Regression test for bz1044164 part 2. :id: 12e09446-52da-11ea-aa11-8c16451d917b :setup: Standalone :steps: 1. Create unique members of admin group 2. Create admin group with unique members 3. Edit ACIs for admin group 4. Add group as password admin 5. Test password admin group to modify password of another admin user 6. Use admin user to perform a password update on Directory Manager user 7. Test password admin group for local password policy 8. Add top level container 9. Add user 10. Create local policy configuration entry 11. Adding admin group for local policy 12. Change user's password by admin user. Break the local policy rule 13. Test password admin group for global password policy 14. Add top level container 15. Change user's password by admin user. Break the global policy rule 16. Add new user in password admin group 17. Modify ordinary user's password 18. Modify user DN using modrdn of a user in password admin group 19. Test assigning invalid value to password admin attribute 20. Try to add more than one Password Admin attribute to config file 21. Use admin group setup from previous testcases, but delete ACI from that 22. Try to change user's password by admin user 23. Restore ACI 24. Edit ACIs for admin group 25. Delete a user from password admin group 26. Change users password by ex-admin user 27. Remove group from password admin configuration 28. Change admins 29. Change user's password by ex-admin user 30. Change admin user's password by ex-admin user :expected results: 1. Success 2. Success 3. Success 4. Success 5. Success 6. Fail(ldap.INSUFFICIENT_ACCESS) 7. Success 8. Success 9. Success 10. Success 11. Success 12. Success 13. Success 14. Success 15. Success 16. Success 17. Success 18. Success 19. Fail 20. Fail 21. Success 22. Success 23. Success 24. Success 25. Success 26. Success 27. Success 28. Success 29. Fail 30. Fail """ # create unique members of admin group admin_grp = UniqueGroups(topo.standalone, DEFAULT_SUFFIX).create(properties={ 'cn': 'pwadm_group_adm', 'description': 'pwadm_group_adm', 'uniqueMember': [f'uid=pwadm_admin_2,ou=People,{DEFAULT_SUFFIX}', f'uid=pwadm_admin_3,ou=People,{DEFAULT_SUFFIX}'] }) # Edit ACIs for admin group Domain(topo.standalone, f"ou=People,{DEFAULT_SUFFIX}").set('aci', f'(targetattr ="userpassword")' f'(version 3.0;acl "Allow passwords admin to write user ' f'passwords";allow (write)(groupdn = "ldap:///{admin_grp.dn}");)') # Add group as password admin Config(topo.standalone).replace('passwordAdminDN', admin_grp.dn) # Test password admin group to modify password of another admin user change_password_of_user(topo, [ ('uid=pwadm_admin_2,ou=People', 'Secret123', 'hello')], f'uid=pwadm_admin_3,ou=people,{DEFAULT_SUFFIX}') # Use admin user to perform a password update on Directory Manager user with pytest.raises(ldap.INSUFFICIENT_ACCESS): change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'hello')], f'{DN_DM},{DEFAULT_SUFFIX}') # Add top level container ou = OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX).create(properties={'ou': 'pwadm_locpol'}) # Change user's password by admin user. Break the global policy rule # Add new user in password admin group user = _create_user(topo, 'pwadm_locpol_user', 'ou=pwadm_locpol') user.replace('userpassword', 'Secret123') # Create local policy configuration entry _create_pwp(topo, ou.dn) # Set parameter for pwp for para_meter, op_op in [ ('passwordLockout', 'on'), ('passwordMaxFailure', '4'), ('passwordLockoutDuration', '10'), ('passwordResetFailureCount', '100'), ('passwordMinLength', '8'), ('passwordAdminDN', f'cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}')]: change_pwp_parameter(topo, 'ou=pwadm_locpol', para_meter, op_op) # Set ACI OrganizationalUnit(topo.standalone, ou.dn).set('aci', f'(targetattr ="userpassword")' f'(version 3.0;acl "Allow passwords admin to write user ' f'passwords";allow (write)' f'(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)') # Change password with new admin change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'Sec')], user.dn) # Set global parameter Config(topo.standalone).replace_many( ('passwordTrackUpdateTime', 'on'), ('passwordGraceLimit', '4'), ('passwordHistory', 'on'), ('passwordInHistory', '4')) # Test password admin group for global password policy change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'Sec')], f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}') # Adding admin group for local policy grp = UniqueGroup(topo.standalone, f'cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}') grp.add('uniqueMember', f'uid=pwadm_admin_4,ou=People,{DEFAULT_SUFFIX}') # Modify ordinary user's password change_password_of_user(topo, [('uid=pwadm_admin_4,ou=People', 'Secret123', 'Secret')], f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}') # Modify user DN using modrdn of a user in password admin group UserAccount(topo.standalone, f'uid=pwadm_admin_4,ou=People,{DEFAULT_SUFFIX}').rename('uid=pwadm_admin_4_new') # Remove admin grp.remove('uniqueMember', f'uid=pwadm_admin_4,ou=People,{DEFAULT_SUFFIX}') # Add Admin grp.add('uniqueMember', f'uid=pwadm_admin_4_new,ou=People,{DEFAULT_SUFFIX}') # Test the group pwp again with pytest.raises(ldap.INVALID_CREDENTIALS): change_password_of_user(topo, [(f'uid=pwadm_admin_4,ou=People', 'Secret123', 'Secret1')], f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}') change_password_of_user(topo, [(f'uid=pwadm_admin_4_new,ou=People', 'Secret123', 'Secret1')], f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}') with pytest.raises(ldap.INVALID_SYNTAX): Config(topo.standalone).replace('passwordAdminDN', "Invalid") # Test assigning invalid value to password admin attribute # Try to add more than one Password Admin attribute to config file with pytest.raises(ldap.OBJECT_CLASS_VIOLATION): Config(topo.standalone).replace('passwordAdminDN', [f'uid=pwadm_admin_2,ou=people,{DEFAULT_SUFFIX}', f'uid=pwadm_admin_3,ou=people,{DEFAULT_SUFFIX}']) # Use admin group setup from previous, but delete ACI from that people = Domain(topo.standalone, f"ou=People,{DEFAULT_SUFFIX}") people.remove('aci', f'(targetattr ="userpassword")(version 3.0;acl ' f'"Allow passwords admin to write user ' f'passwords";allow (write)' f'(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)') # Try to change user's password by admin user with pytest.raises(ldap.INSUFFICIENT_ACCESS): change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'Sec')], f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}') # Restore ACI people.set('aci', f'(targetattr ="userpassword")(version 3.0;acl ' f'"Allow passwords admin to write user ' f'passwords";allow (write)(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)') # Edit ACIs for admin group people.add('aci', f'(targetattr ="userpassword")(version 3.0;acl ' f'"Allow passwords admin to add user ' f'passwords";allow (add)(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)') UserAccount(topo.standalone, f'uid=pwadm_user_2,ou=people,{DEFAULT_SUFFIX}').replace('userpassword', 'Secret') real_user = UserAccount(topo.standalone, f'uid=pwadm_user_2,ou=people,{DEFAULT_SUFFIX}') conn = real_user.bind('Secret') # Test new aci with pytest.raises(ldap.INSUFFICIENT_ACCESS): UserAccounts(conn, DEFAULT_SUFFIX, rdn='ou=People').create(properties={ 'uid': 'ok', 'cn': 'ok', 'sn': 'ok', 'uidNumber': '1000', 'gidNumber': 'ok', 'homeDirectory': '/home/ok'}) UserAccounts(topo.standalone, DEFAULT_SUFFIX).list() real_user = UserAccount(topo.standalone, f'uid=pwadm_admin_2,ou=People,{DEFAULT_SUFFIX}') conn = real_user.bind('Secret123') # Test new aci which has new rights for uid, cn, password in [ ('pwadm_user_3', 'pwadm_user_1', 'U2VjcmV0MTIzCg=='), ('pwadm_user_4', 'pwadm_user_2', 'U2VjcmV0MTIzCg==')]: UserAccounts(conn, DEFAULT_SUFFIX, rdn='ou=People').create(properties={ 'uid': uid, 'cn': cn, 'sn': cn, 'uidNumber': '1000', 'gidNumber': '1001', 'homeDirectory': f'/home/{uid}', 'userpassword': password}) # Remove ACI Domain(topo.standalone, f"ou=People,{DEFAULT_SUFFIX}").remove('aci', f'(targetattr ="userpassword")' f'(version 3.0;acl ' f'"Allow passwords admin to add user ' f'passwords";allow ' f'(add)(groupdn = ' f'"ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)') # Delete a user from password admin group grp = UniqueGroup(topo.standalone, f'cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}') grp.remove('uniqueMember', f'uid=pwadm_admin_2,ou=People,{DEFAULT_SUFFIX}') # Change users password by ex-admin user with pytest.raises(ldap.INSUFFICIENT_ACCESS): change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'Secret')], f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}') # Set aci for only user people = Domain(topo.standalone, f"ou=People,{DEFAULT_SUFFIX}") people.remove('aci', f'(targetattr ="userpassword")(version 3.0;acl ' f'"Allow passwords admin to write user ' f'passwords";allow (write)(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)') people.set('aci', f'(targetattr ="userpassword")(version 3.0;acl "Allow passwords admin ' f'to write user passwords";allow (write)(groupdn = "ldap:///uid=pwadm_admin_1,{DEFAULT_SUFFIX}");)') # Remove group from password admin configuration Config(topo.standalone).replace('passwordAdminDN', f"uid=pwadm_admin_1,{DEFAULT_SUFFIX}") # Change user's password by ex-admin user with pytest.raises(ldap.INSUFFICIENT_ACCESS): change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'hellso')], f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}') with pytest.raises(ldap.INSUFFICIENT_ACCESS): change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'hellso')], f'uid=pwadm_admin_1,{DEFAULT_SUFFIX}')