def test_dsidm_config_sssd(topology_st, set_log_file): """ Test dsidm creation of sssd.conf content :id: 77812ba6-b133-40f4-91a7-13309618f24d :setup: Standalone instance :steps: 1. Run dsidm client_config sssd.conf 2. Enable MemberOfPlugin 3. Run dsidm client_config sssd.conf with allowed group :expectedresults: 1. Success 2. Success 3. Success """ standalone = topology_st.standalone sssd_content_list = [ 'Generated by 389 Directory Server - dsidm', 'id_provider = ldap', 'auth_provider = ldap', 'access_provider = ldap', 'chpass_provider = ldap', 'ldap_search_base = ' + DEFAULT_SUFFIX, 'ldap_uri = ' + standalone.ldapuri, 'ldap_user_member_of = memberof', 'ignore_group_members = False', '[sssd]', 'services = nss, pam, ssh, sudo', 'config_file_version = 2', 'domains = ldap', '[nss]', 'homedir_substring = /home' ] schema = 'ldap_schema = rfc2307' args = FakeArgs() args.allowed_group = None log.info('Create sssd.conf content') sssd_conf(standalone, DEFAULT_SUFFIX, log, args) log.info('Check if config creation was successful') check_value_in_log_and_reset(sssd_content_list, check_value=schema) log.info('Now we test allowed_group argument') log.info('Enable MemberOf plugin') plugin = MemberOfPlugin(standalone) plugin.enable() standalone.restart() log.info('Create test group') groups = Groups(standalone, DEFAULT_SUFFIX) test_group = groups.create(properties={ "cn": "new_group", "description": "testgroup" }) log.info('Create sssd.conf content with allowed group') filter_msg = [ 'ldap_access_filter = (memberOf={})'.format(test_group.dn), 'ldap_schema = rfc2307bis' ] args.allowed_group = test_group.rdn sssd_conf(standalone, DEFAULT_SUFFIX, log, args) log.info('Check if config creation was successful') check_value_in_log_and_reset(sssd_content_list, filter_msg)
def display(inst, basedn, log, args): users = nsUserAccounts(inst, basedn) groups = Groups(inst, basedn) schema_type = "rfc2307" try: mo_plugin = MemberOfPlugin(inst) if mo_plugin.status(): schema_type = "rfc2307bis" except: schema_type = "unknown - likely access denied to memberof plugin config" # Get required information print( DISPLAY_TEMPLATE.format( ldap_uri=inst.ldapuri, ldap_dns_uri=basedn_to_ldap_dns_uri(basedn), basedn=basedn, schema_type=schema_type, user_basedn=users._basedn, user_filter=users._get_objectclass_filter(), user_id_filter=users._get_selector_filter('<PARAM>'), group_basedn=groups._basedn, group_filter=groups._get_objectclass_filter(), group_id_filter=groups._get_selector_filter('<PARAM>'), uuid_attr='nsUniqueId', user_rdn=users._filterattrs[0], group_rdn=groups._filterattrs[0], group_member='member', ))
def sssd_conf(inst, basedn, log, args): schema_type = "rfc2307" try: mo_plugin = MemberOfPlugin(inst) if mo_plugin.status(): schema_type = "rfc2307bis" except: schema_type = "unknown - likely access denied to memberof plugin config" ldap_access_filter = "# ldap_access_filter = (memberOf=<dn>)" if args.allowed_group: groups = Groups(inst, basedn) g_access = groups.get(args.allowed_group) ldap_access_filter = 'ldap_access_filter = (memberOf=%s)' % g_access.dn ldap_uri_warning = "" if inst.ldapuri.startswith("ldapi://"): ldap_uri_warning = "# ⚠️ WARNING: ldap_uri starts with ldapi:// - you should review this parameter" # Print a customised sssd.config. print( SSSD_CONF_TEMPLATE.format(basedn=basedn, schema_type=schema_type, ldap_uri=inst.ldapuri, ldap_access_filter=ldap_access_filter, ldap_uri_warning=ldap_uri_warning)) # Print a customised sssd.conf to log for test purpose log.debug( SSSD_CONF_TEMPLATE.format(basedn=basedn, schema_type=schema_type, ldap_uri=inst.ldapuri, ldap_access_filter=ldap_access_filter, ldap_uri_warning=ldap_uri_warning))
def add_group_and_perform_user_operations(topology_st): topo = topology_st.standalone # Add the automember group groups = Groups(topo, DEFAULT_SUFFIX) group = groups.create(properties={'cn': 'group'}) ous = OrganizationalUnits(topo, DEFAULT_SUFFIX) branch1 = ous.create(properties={'ou': 'branch1'}) # Add the automember config entry am_configs = AutoMembershipDefinitions(topo) am_config = am_configs.create(properties={'cn': 'config', 'autoMemberScope': branch1.dn, 'autoMemberFilter': 'objectclass=top', 'autoMemberDefaultGroup': group.dn, 'autoMemberGroupingAttr': 'member:dn'}) # Add a user that should get added to the group users = UserAccounts(topo, DEFAULT_SUFFIX, rdn='ou={}'.format(branch1.rdn)) test_user = users.create_test_user(uid=777) # Check if created user is group member assert test_user.dn in group.list_members() log.info('Renaming user') test_user.rename('uid=new_test_user_777', newsuperior=SUFFIX) log.info('Delete the user') delete_obj(test_user) log.info('Delete automember entry, org. unit and group for the next test') delete_obj(am_config) delete_obj(branch1) delete_obj(group)
def add_a_group_with_users(request, topo): """ Add a group and users, which are members of this group. """ groups = Groups(topo.standalone, DEFAULT_SUFFIX, rdn=None) group = groups.create(properties={'cn': 'test_group'}) users_list = [] users_num = 100 users = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=None) for num in range(users_num): USER_NAME = f'test_{num}' user = users.create( properties={ 'uid': USER_NAME, 'sn': USER_NAME, 'cn': USER_NAME, 'uidNumber': f'{num}', 'gidNumber': f'{num}', 'homeDirectory': f'/home/{USER_NAME}' }) users_list.append(user) group.add_member(user.dn) def fin(): """ Removes group and users. """ # If the server crashed, start it again to do the cleanup if not topo.standalone.status(): topo.standalone.start() for user in users_list: user.delete() group.delete() request.addfinalizer(fin)
def test_newly_added_attribute_nsds5replicatedattributelisttotal( _create_entries, _add_user_clean): """This test case is to test the newly added attribute nsds5replicatedattributelistTotal. :id: 2df5971c-38eb-11ea-9e8e-8c16451d917b :setup: Supplier and Consumer :steps: 1. Enabling memberOf plugin and then adding few groups with member attributes. 2. No memberOf plugin enabled on read only replicas 3. The attributes mentioned in the nsds5replicatedattributelist excluded from incremental updates. :expected results: 1. Success 2. Success 3. Success """ check_all_replicated() user = f'uid=test_user_1000,ou=People,{DEFAULT_SUFFIX}' for instance in (SUPPLIER1, SUPPLIER2, CONSUMER1, CONSUMER2): g = Groups(instance, DEFAULT_SUFFIX).get('bug739172_01group') assert g.get_attr_val_utf8("member") == user assert UserAccount(instance, user).get_attr_val_utf8("sn") == "test_user_1000" # The attributes mentioned in the nsds5replicatedattributelist # excluded from incremental updates. for instance in (CONSUMER1, CONSUMER2): for value in ("roomnumber", "manager", "telephoneNumber"): assert not UserAccount(instance, user).get_attr_val_utf8(value)
def automember_fixture(topo, request): # Create group groups = [] group_obj = Groups(topo.standalone, DEFAULT_SUFFIX) groups.append(group_obj.create(properties={'cn': 'testgroup'})) groups.append(group_obj.create(properties={'cn': 'testgroup2'})) groups.append(group_obj.create(properties={'cn': 'testgroup3'})) # Create test user user_accts = UserAccounts(topo.standalone, DEFAULT_SUFFIX) user = user_accts.create_test_user() # Create automember definitions and regex rules automember_prop = { 'cn': 'testgroup_definition', 'autoMemberScope': DEFAULT_SUFFIX, 'autoMemberFilter': 'objectclass=posixaccount', 'autoMemberDefaultGroup': groups[0].dn, 'autoMemberGroupingAttr': 'member:dn', } automembers = AutoMembershipDefinitions(topo.standalone) auto_def = automembers.create(properties=automember_prop) auto_def.add_regex_rule("regex1", groups[1].dn, include_regex=['cn=mark.*']) auto_def.add_regex_rule("regex2", groups[2].dn, include_regex=['cn=simon.*']) # Enable plugin automemberplugin = AutoMembershipPlugin(topo.standalone) automemberplugin.enable() topo.standalone.restart() return (user, groups)
def test_memberurl_needs_to_be_normalized(topo, clean, aci_of_user): """Non-regression test for BUG 326000: MemberURL needs to be normalized :id: a5d172e6-7db8-11e8-aca7-8c16451d917b :setup: Standalone Instance :steps: 1. Add test entry 2. Add ACI 3. User should follow ACI role :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed """ ou_ou = OrganizationalUnit(topo.standalone, "ou=PEOPLE,{}".format(DEFAULT_SUFFIX)) ou_ou.set( 'aci', '(targetattr= *)' '(version 3.0; acl "tester"; allow(all) ' 'groupdn = "ldap:///cn =DYNGROUP,ou=PEOPLE, {}";)'.format( DEFAULT_SUFFIX)) groups = Groups(topo.standalone, DEFAULT_SUFFIX, rdn='ou=PEOPLE') groups.create( properties={ "cn": "DYNGROUP", "description": "DYNGROUP", 'objectClass': 'groupOfURLS', 'memberURL': "ldap:///ou=PEOPLE,{}??sub?" "(uid=test_user_2)".format(DEFAULT_SUFFIX) }) uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX) for demo1 in [(1, "Entry to test rights on."), (2, "Member of DYNGROUP")]: user = uas.create_test_user(uid=demo1[0], gid=demo1[0]) user.replace_many(('description', demo1[1]), ('userPassword', PW_DM)) ##with normal aci conn = UserAccount(topo.standalone, uas.list()[1].dn).bind(PW_DM) harry = UserAccount(conn, uas.list()[1].dn) harry.add('sn', 'FRED') ##with abnomal aci dygrp = Group(topo.standalone, DYNGROUP) dygrp.remove( 'memberurl', "ldap:///ou=PEOPLE,{}??sub?(uid=test_user_2)".format(DEFAULT_SUFFIX)) dygrp.add( 'memberurl', "ldap:///ou=PEOPLE,{}??sub?(uid=tesT_UsEr_2)".format(DEFAULT_SUFFIX)) harry.add('sn', 'Not FRED') for i in uas.list(): i.delete()
def add_group(server, cn, subtree): group = Groups(server, subtree, rdn=None) group.create( properties={ 'cn': "%s" % cn, 'member': ['uid=test_m1,%s' % SUBTREE_1, 'uid=test_m2,%s' % SUBTREE_1], 'description': 'group' })
def test_require_internal_index(topo): """Test nsslapd-ignore-virtual-attrs configuration attribute :id: 22b94f30-59e3-4f27-89a1-c4f4be036f7f :setup: Standalone instance :steps: 1. Set "nsslapd-require-internalop-index" to "on" 2. Enable RI plugin, and configure it to use an attribute that is not indexed 3. Create a user and add it a group 4. Deleting user should be rejected as the RI plugin issues an unindexed internal search :expectedresults: 1. Success 2. Success 3. Success 4. Success """ # Set the config be_insts = Backends(topo.standalone).list() for be in be_insts: if be.get_attr_val_utf8_l('nsslapd-suffix') == DEFAULT_SUFFIX: be.set('nsslapd-require-index', 'off') be.set('nsslapd-require-internalop-index', 'on') # Configure RI plugin rip = ReferentialIntegrityPlugin(topo.standalone) rip.set('referint-membership-attr', 'description') rip.enable() # Create a bunch of users db_cfg = DatabaseConfig(topo.standalone) db_cfg.set([('nsslapd-idlistscanlimit', '100')]) users = UserAccounts(topo.standalone, DEFAULT_SUFFIX) for i in range(102, 202): users.create_test_user(uid=i) # Create user and group user = users.create(properties={ 'uid': 'indexuser', 'cn' : 'indexuser', 'sn' : 'user', 'uidNumber' : '1010', 'gidNumber' : '2010', 'homeDirectory' : '/home/indexuser' }) groups = Groups(topo.standalone, DEFAULT_SUFFIX) group = groups.create(properties={'cn': 'group', 'member': user.dn}) # Restart the server topo.standalone.restart() # Deletion of user should be rejected with pytest.raises(ldap.UNWILLING_TO_PERFORM): user.delete()
def test_users_and_groups(topology): """ Ensure that user and group management works as expected. """ if DEBUGGING: # Add debugging steps(if any)... pass users = UserAccounts(topology.standalone, DEFAULT_SUFFIX) groups = Groups(topology.standalone, DEFAULT_SUFFIX) # No user should exist assert(len(users.list()) == 0) # Create a user users.create(properties=TEST_USER_PROPERTIES) assert(len(users.list()) == 1) testuser = users.get('testuser') # Set password testuser.set('userPassword', 'password') # bind conn = testuser.bind('password') conn.unbind_s() # create group group_properties = { 'cn' : 'group1', 'description' : 'testgroup' } group = groups.create(properties=group_properties) # user shouldn't be a member assert(not group.is_member(testuser.dn)) # add user as member group.add_member(testuser.dn) # check they are a member assert(group.is_member(testuser.dn)) # remove user from group group.remove_member(testuser.dn) # check they are not a member assert(not group.is_member(testuser.dn)) group.delete() testuser.delete() log.info('Test PASSED')
def test_user_compare(topology): """ Testing compare function 1. Testing comparison of two different users. 2. Testing comparison of 'str' object with itself, should raise 'ValueError'. 3. Testing comparison of user with similar user (different object id). 4. Testing comparison of user with group. """ if DEBUGGING: # Add debugging steps(if any)... pass users = UserAccounts(topology.standalone, DEFAULT_SUFFIX) groups = Groups(topology.standalone, DEFAULT_SUFFIX) # Create 1st user user1_properties = { 'uid': 'testuser1', 'cn': 'testuser1', 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/testuser1' } users.create(properties=user1_properties) testuser1 = users.get('testuser1') # Create 2nd user user2_properties = { 'uid': 'testuser2', 'cn': 'testuser2', 'sn': 'user', 'uidNumber': '1001', 'gidNumber': '2002', 'homeDirectory': '/home/testuser2' } users.create(properties=user2_properties) testuser2 = users.get('testuser2') # create group group_properties = {'cn': 'group1', 'description': 'testgroup'} testuser1_copy = users.get("testuser1") group = groups.create(properties=group_properties) assert (UserAccount.compare(testuser1, testuser2) == False) with pytest.raises(ValueError): UserAccount.compare("test_str_object", "test_str_object") assert (UserAccount.compare(testuser1, testuser1_copy) == True) assert (UserAccount.compare(testuser1, group) == False) log.info("Test PASSED")
def test_betxn_modrdn_memberof_cache_corruption(topology_st): """Test modrdn operations and memberOf be txn post op failures :id: 70d0b96e-b693-4bf7-bbf5-102a66ac5994 :setup: Standalone instance :steps: 1. Enable and configure memberOf plugin 2. Set memberofgroupattr="member" and memberofAutoAddOC="nsContainer" 3. Create group and user outside of memberOf plugin scope 4. Do modrdn to move group into scope 5. Do modrdn to move group into scope (again) :expectedresults: 1. memberOf plugin plugin should be ON 2. Set memberofgroupattr="member" and memberofAutoAddOC="nsContainer" should PASS 3. Creating group and user should PASS 4. Modrdn should fail with objectclass violation 5. Second modrdn should also fail with objectclass violation """ peoplebase = 'ou=people,%s' % DEFAULT_SUFFIX memberof = MemberOfPlugin(topology_st.standalone) memberof.enable() memberof.set_autoaddoc('nsContainer') # Bad OC memberof.set('memberOfEntryScope', peoplebase) memberof.set('memberOfAllBackends', 'on') topology_st.standalone.restart() groups = Groups(topology_st.standalone, DEFAULT_SUFFIX) group = groups.create(properties={ 'cn': 'group', }) # Create user and add it to group users = UserAccounts(topology_st.standalone, basedn=DEFAULT_SUFFIX) user = users.ensure_state(properties=TEST_USER_PROPERTIES) if not ds_is_older('1.3.7'): user.remove('objectClass', 'nsMemberOf') group.add_member(user.dn) # Attempt modrdn that should fail, but the original entry should stay in the cache with pytest.raises(ldap.OBJECT_CLASS_VIOLATION): group.rename('cn=group_to_people', newsuperior=peoplebase) # Should fail, but not with NO_SUCH_OBJECT as the original entry should still be in the cache with pytest.raises(ldap.OBJECT_CLASS_VIOLATION): group.rename('cn=group_to_people', newsuperior=peoplebase) # Done log.info('test_betxn_modrdn_memberof: PASSED')
def test_deny_read_access_to_multiple_groupdns(topo, test_uer, aci_of_user): """Search Test 6 Deny read access to multiple groupdn's :id: 8f3ba440-6e11-11e8-8b20-8c16451d917b :setup: Standalone Instance :steps: 1. Add Entry 2. Add ACI 3. Bind with test USER_ANUJ 4. Try search 5. Delete Entry,test USER_ANUJ, ACI :expectedresults: 1. Operation should success 2. Operation should success 3. Operation should success 4. Operation should Fail 5. Operation should success """ groups = Groups(topo.standalone, DEFAULT_SUFFIX) group = groups.create(properties={ "cn": "group1", "description": "testgroup" }) group.add_member(USER_ANANDA) posix_groups = PosixGroups(topo.standalone, DEFAULT_SUFFIX) posix_group = posix_groups.create(properties={ "cn": "group2", "description": "testgroup2", "gidNumber": "2000", }) posix_group.add_member(USER_ANUJ) ACI_TARGET = '(targetattr="*")' ACI_ALLOW = '(version 3.0; acl "All rights for cn=group1,ou=Groups,{}"; deny(read)'.format( DEFAULT_SUFFIX) ACI_SUBJECT = 'groupdn="ldap:///cn=group1,ou=Groups,{}||ldap:///cn=group2,ou=Groups,{}";)'.format( DEFAULT_SUFFIX, DEFAULT_SUFFIX) ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY) conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM) # aci will block 'groupdn="ldap:///cn=group1,ou=Groups,dc=example,dc=com||ldap:///cn=group2,ou=Groups,dc=example,dc=com";) assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)')) conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM) # aci will block 'groupdn="ldap:///cn=group1,ou=Groups,dc=example,dc=com||ldap:///cn=group2,ou=Groups,dc=example,dc=com";) assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)')) # with root there is no aci blockage assert 5 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)')) group = groups.get("group1") group.delete() posix_groups.get("group2") posix_group.delete()
def assert_data_present(inst): # Do we have the backend marker? d = Domain(inst, DEFAULT_SUFFIX) try: desc = d.get_attr_val_utf8('description') if desc == TEST_MARKER: return except: # Just reset everything. pass # Reset the backends bes = Backends(inst) try: be = bes.get(DEFAULT_SUFFIX) be.delete() except: pass be = bes.create(properties={ 'nsslapd-suffix': DEFAULT_SUFFIX, 'cn': 'userRoot', }) be.create_sample_entries('001004002') # Load our data # We can't use dbgen as that relies on local access :( # Add 40,000 groups groups = Groups(inst, DEFAULT_SUFFIX) for i in range(1, GROUP_MAX): rdn = 'group_{0:07d}'.format(i) groups.create(properties={ 'cn': rdn, }) # Add 60,000 users users = nsUserAccounts(inst, DEFAULT_SUFFIX) for i in range(1, USER_MAX): rdn = 'user_{0:07d}'.format(i) users.create( properties={ 'uid': rdn, 'cn': rdn, 'displayName': rdn, 'uidNumber': '%s' % i, 'gidNumber': '%s' % i, 'homeDirectory': '/home/%s' % rdn, 'userPassword': rdn, }) # Add the marker d.replace('description', TEST_MARKER)
def test_scheme_violation_errors_logged(topo_m2): """Check that ERR messages are verbose enough, if a member entry doesn't have the appropriate objectclass to support 'memberof' attribute :id: e2af0aaa-447e-4e85-a5ce-57ae66260d0b :setup: Standalone instance :steps: 1. Enable memberofPlugin and set autoaddoc to nsMemberOf 2. Restart the instance 3. Add a user without nsMemberOf attribute 4. Create a group and add the user to the group 5. Check that user has memberOf attribute 6. Check the error log for ".*oc_check_allowed_sv.*USER_DN.*memberOf.*not allowed.*" and ".*schema violation caught - repair operation.*" patterns :expectedresults: 1. Should be successful 2. Should be successful 3. Should be successful 4. Should be successful 5. User should have the attribute 6. Errors should be logged """ inst = topo_m2.ms["master1"] memberof = MemberOfPlugin(inst) memberof.enable() memberof.set_autoaddoc('nsMemberOf') inst.restart() users = UserAccounts(inst, SUFFIX) user_props = TEST_USER_PROPERTIES.copy() user_props.update({'uid': USER_CN, 'cn': USER_CN, 'sn': USER_CN}) testuser = users.create(properties=user_props) testuser.remove('objectclass', 'nsMemberOf') groups = Groups(inst, SUFFIX) testgroup = groups.create(properties={'cn': GROUP_CN}) testgroup.add('member', testuser.dn) user_memberof_attr = testuser.get_attr_val_utf8('memberof') assert user_memberof_attr log.info('memberOf attr value - {}'.format(user_memberof_attr)) pattern = ".*oc_check_allowed_sv.*{}.*memberOf.*not allowed.*".format( testuser.dn) log.info("pattern = %s" % pattern) assert inst.ds_error_log.match(pattern) pattern = ".*schema violation caught - repair operation.*" assert inst.ds_error_log.match(pattern)
def fin(): """ Deletes entries after the test. """ users1 = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=None) for dn_dn in users1.list(): dn_dn.delete() groups = Groups(topo.standalone, DEFAULT_SUFFIX) for dn_dn in groups.list(): dn_dn.delete() ou_ou = OrganizationalUnit(topo.standalone, f'ou=Accounting,{DEFAULT_SUFFIX}') ou_ou.delete()
def setup(topology_st, request): """ Enable USN plug-in Enable MEMBEROF plugin Add test entries """ inst = topology_st.standalone log.info("Enable the USN plugin...") plugin = USNPlugin(inst) plugin.enable() log.info("Enable the MEMBEROF plugin...") plugin = MemberOfPlugin(inst) plugin.enable() inst.restart() users_list = [] log.info("Adding test entries...") users = UserAccounts(inst, DEFAULT_SUFFIX) for id in range(USER_NUM): user = users.create_test_user(uid=id) users_list.append(user) groups_list = [] log.info("Adding test groups...") groups = Groups(inst, DEFAULT_SUFFIX) for id in range(GROUP_NUM): group = groups.create(properties={'cn': f'test_group{id}'}) groups_list.append(group) def fin(): for user in users_list: try: user.delete() except ldap.NO_SUCH_OBJECT: pass for group in groups_list: try: group.delete() except ldap.NO_SUCH_OBJECT: pass request.addfinalizer(fin) return {"users": users_list, "groups": groups_list}
def test_attribute_nsds5replicatedattributelisttotal(_create_entries, _add_user_clean): """This test case is to test the newly added attribute nsds5replicatedattributelistTotal. :id: 35de9ff0-38eb-11ea-b420-8c16451d917b :setup: Master and Consumer :steps: 1. Add a new entry to MASTER1. 2. Enabling memberOf plugin and then adding few groups with member attributes. 3. No memberOf plugin enabled in other consumers,ie., the read only replicas won't get incremental updates for the attributes mentioned in the list. 4. Run total update and verify the same attributes added/modified in the read-only replicas. :expected results: 1. Success 2. Success 3. Success 4. Success """ # Run total update and verify the same attributes added/modified in the read-only replicas. user = f'uid=test_user_1000,ou=People,{DEFAULT_SUFFIX}' for agreement in Agreements(MASTER1).list(): agreement.begin_reinit() agreement.wait_reinit() check_all_replicated() for instance in (MASTER1, MASTER2): assert Groups( MASTER1, DEFAULT_SUFFIX).list()[0].get_attr_val_utf8("member") == user assert UserAccount(instance, user).get_attr_val_utf8("sn") == "test_user_1000" for instance in (CONSUMER1, CONSUMER2): for value in ("memberOf", "manager", "sn"): assert UserAccount(instance, user).get_attr_val_utf8(value)
def _add_user_clean(request): # Enabling memberOf plugin and then adding few groups with member attributes. MemberOfPlugin(MASTER1).enable() for instance in (MASTER1, MASTER2): instance.restart() user1 = UserAccounts(MASTER1, DEFAULT_SUFFIX).create_test_user() for attribute, value in [("displayName", "Anuj Borah"), ("givenName", "aborah"), ("telephoneNumber", "+1 555 999 333"), ("roomnumber", "123"), ("manager", f'uid=dsmith,ou=People,{DEFAULT_SUFFIX}')]: user1.set(attribute, value) grp = Groups(MASTER1, DEFAULT_SUFFIX).create( properties={ "cn": "bug739172_01group", "member": f'uid=test_user_1000,ou=People,{DEFAULT_SUFFIX}' }) def final_call(): """ Removes User and Group after the test. """ user1.delete() grp.delete() request.addfinalizer(final_call)
def test_group_aci_entry_exists(topo,create_user): """This test case adds the groupdn aci and check ger contains 'vadn' :id: 1d73f715-e4b3-4ed6-a93b-9d529898ca78 :setup: Standalone instance :steps: 1. Create a group. 2. Add the user as member into the group. 3. Apply the ACI which will give the group full rights. 4. Check entryLevelRights value for entries. 5. Check 'vadn' is in the entryLevelRights. :expectedresults: 1. It should pass 2. It should pass 3. It should pass 4. It should pass 5. It should pass """ (test_user,request_ctrl) = create_user log.info('Adding group {}'.format(TEST_GROUP_NAME)) groups = Groups(topo.standalone, DEFAULT_SUFFIX, rdn=None) group_properties = { 'cn': TEST_GROUP_NAME, 'description': 'testgroup'} test_group = groups.create(properties=group_properties) test_group.add_member(test_user.dn) suffix = Domain(topo.standalone, DEFAULT_SUFFIX) ACI_TARGET = '(targetattr="*")' ACI_TARGET_FILTER = '(targetfilter ="(objectClass=person)")' ACI_ALLOW = '(version 3.0; acl "give group1 full rights"; allow (all) ' ACI_SUBJECT = 'groupdn = "ldap:///{}";)'.format(test_group.dn) ACI_BODY = ACI_TARGET + ACI_TARGET_FILTER + ACI_ALLOW + ACI_SUBJECT log.info("Add an ACI granting add access to a user matching the groupdn") suffix.add('aci', ACI_BODY) entries = topo.standalone.search_ext('{}'.format(test_user.dn), ldap.SCOPE_SUBTREE, "objectclass=person", serverctrls=[request_ctrl]) rtype, rdata, rmsgid, response_ctrl = topo.standalone.result3(entries) for dn, attrs in rdata: topo.standalone.log.info("dn: %s" % dn) value = attrs['entryLevelRights'][0] topo.standalone.log.info("######## entryLevelRights: %r" % value) assert b'vadn' in value
def test_mul_derive_mult_dn(topology_st): """Test that with multiple cn we derive rdn correctly. :id: 1e1f5483-bfad-4f73-9dfb-aec54d08b268 :setup: standalone instance :steps: 1. Create with multiple cn :expectedresults: 1. Create success """ gps = Groups(topology_st.standalone, DEFAULT_SUFFIX) gp = gps.create(properties={ 'cn': ['test_mul_derive_mult_dn', 'test_mul_derive_single_dn'], }) assert gp.dn.lower( ) == f'cn=test_mul_derive_mult_dn,ou=groups,{DEFAULT_SUFFIX}'.lower() gp.delete()
def test_mul_derive_single_dn(topology_st): """Test that with single cn we derive rdn correctly. :id: f34f271a-ca57-4aa0-905a-b5392ce06c79 :setup: standalone instance :steps: 1. Create with single cn :expectedresults: 1. Create success """ gps = Groups(topology_st.standalone, DEFAULT_SUFFIX) gp = gps.create(properties={ 'cn': ['test_mul_derive_single_dn'], }) assert gp.dn.lower( ) == f'cn=test_mul_derive_single_dn,ou=groups,{DEFAULT_SUFFIX}'.lower() gp.delete()
def test_betxn_memberof(topology_st): """Test PLUGIN_MEMBER_OF plugin :id: 70d0b96e-b693-4bf7-bbf5-102a66ac5993 :setup: Standalone instance and enabled dynamic plugins :steps: 1. Enable and configure memberOf plugin 2. Set memberofgroupattr="member" and memberofAutoAddOC="referral" 3. Add two test groups - group1 and group2 4. Add group2 to group1 5. Add group1 to group2 :expectedresults: 1. memberOf plugin plugin should be ON 2. Set memberofgroupattr="member" and memberofAutoAddOC="referral" should PASS 3. Add operation should PASS 4. Add operation should FAIL 5. Add operation should FAIL """ memberof = MemberOfPlugin(topology_st.standalone) memberof.enable() memberof.set_autoaddoc('referral') topology_st.standalone.restart() groups = Groups(topology_st.standalone, DEFAULT_SUFFIX) group1 = groups.create(properties={'cn': 'group1'}) group2 = groups.create(properties={'cn': 'group2'}) # We may need to mod groups to not have nsMemberOf ... ? if not ds_is_older('1.3.7'): group1.remove('objectClass', 'nsMemberOf') group2.remove('objectClass', 'nsMemberOf') # Add group2 to group1 - it should fail with objectclass violation with pytest.raises(ldap.OBJECT_CLASS_VIOLATION): group1.add_member(group2.dn) # verify entry cache reflects the current/correct state of group1 assert not group1.is_member(group2.dn) # Done log.info('test_betxn_memberof: PASSED')
def test_deny_read_access_to_dynamic_group_with_host_port_set_on_ldap_url( topo, test_uer, aci_of_user): """Search Test 27 Deny read access to dynamic group with host:port set on LDAP URL :id: ceb62158-6e12-11e8-8c36-8c16451d917b :setup: Standalone Instance :steps: 1. Add Entry 2. Add ACI 3. Bind with test USER_ANUJ 4. Try search 5. Delete Entry,test USER_ANUJ, ACI :expectedresults: 1. Operation should success 2. Operation should success 3. Operation should success 4. Operation should Fail 5. Operation should success """ groups = Groups(topo.standalone, DEFAULT_SUFFIX) group = groups.create(properties={ "cn": "group1", "description": "testgroup" }) group.add('objectClass', 'groupOfURLS') group.set( 'memberURL', "ldap:///localhost:38901/{}??sub?(&(ou=Accounting)(cn=Sam*))".format( DEFAULT_SUFFIX)) group.add_member(USER_ANANDA) ACI_TARGET = '(target = ldap:///{})(targetattr = "*")'.format( DEFAULT_SUFFIX) ACI_ALLOW = '(version 3.0; acl "All rights for %s"; deny(read)' % "Unknown" ACI_SUBJECT = 'groupdn = "ldap:///cn=group1,ou=Groups,{}";)'.format( DEFAULT_SUFFIX) ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY) conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM) # aci will block 'memberURL', "ldap:///localhost:38901/dc=example,dc=com??sub?(&(ou=Accounting)(cn=Sam*))" assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)')) # with root there is no aci blockage assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)')) group.delete()
def add_member_and_group(server, cn, group_cn, subtree): users = UserAccounts(server, subtree, rdn=None) users.create( properties={ 'uid': f'test_{cn}', 'cn': f'test_{cn}', 'sn': f'test_{cn}', 'description': 'member', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/testuser' }) group = Groups(server, subtree, rdn=None) group.create( properties={ 'cn': group_cn, 'member': f'uid=test_{cn},{subtree}', 'description': 'group' })
def test_allow_delete_access_not_to_dynamic_group(topo, _add_user, _aci_of_user): """ Test to Allow delete access to != dynamic group :id: 14ffa452-68ed-11e8-a60d-8c16451d917b :setup: server :steps: 1. Add test entry 2. Add ACI that delete access to != dynamic group 3. Delete something using test USER_DELADD 4. Remove ACI :expectedresults: 1. Entry should be added 2. ACI should be added 3. Operation should not succeed 4. Delete operation for ACI should succeed """ # Create dynamic group groups = Groups(topo.standalone, DEFAULT_SUFFIX) group = groups.create(properties={ "cn": "group1", "description": "testgroup" }) group.add("objectclass", "groupOfURLs") group.add( "memberURL", f'ldap:///{DEFAULT_SUFFIX}??sub?(&(objectclass=person)(cn=test_user_1000))' ) # Set ACI Domain(topo.standalone, DEFAULT_SUFFIX).\ add("aci", f'(target = ldap:///{DEFAULT_SUFFIX})' f'(targetattr=*)(version 3.0; acl "$tet_thistest"; ' f'allow (delete) (groupdn != "ldap:///{group.dn}"); )') # create connection with USER_WITH_ACI_DELADD conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM) user = UserAccount(conn, USER_DELADD) # Perform Allow delete access to != dynamic group with pytest.raises(ldap.INSUFFICIENT_ACCESS): user.delete()
def automember_fixture(topo, request): # Create group group_obj = Groups(topo.standalone, DEFAULT_SUFFIX) automem_group = group_obj.create(properties={'cn': 'testgroup'}) # Create users users = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=None) NUM_USERS = 1000 for num in range(NUM_USERS): num_ran = int(round(num)) USER_NAME = 'test%05d' % num_ran users.create( properties={ 'uid': USER_NAME, 'sn': USER_NAME, 'cn': USER_NAME, 'uidNumber': '%s' % num_ran, 'gidNumber': '%s' % num_ran, 'homeDirectory': '/home/%s' % USER_NAME, 'mail': '*****@*****.**' % USER_NAME, 'userpassword': '******' % num_ran, }) # Create automember definitions and regex rules automember_prop = { 'cn': 'testgroup_definition', 'autoMemberScope': DEFAULT_SUFFIX, 'autoMemberFilter': 'objectclass=posixaccount', 'autoMemberDefaultGroup': automem_group.dn, 'autoMemberGroupingAttr': 'member:dn', } automembers = AutoMembershipDefinitions(topo.standalone) auto_def = automembers.create(properties=automember_prop) auto_def.add_regex_rule("regex1", automem_group.dn, include_regex=['uid=.*']) # Enable plugin automemberplugin = AutoMembershipPlugin(topo.standalone) automemberplugin.enable() topo.standalone.restart()
def test_allow_delete_access_to_dynamic_group_uid(topo, _add_user, _aci_of_user, request): """Test to Allow delete access to dynamic group :id: 010a4f20-752a-4173-b763-f520c7a85b82 :setup: server :steps: 1. Add test entry 2. Add ACI that Allow delete privilege to dynamic group 3. Delete something using test USER_DELADD 4. Remove ACI :expectedresults: 1. Entry should be added 2. ACI should be added 3. Operation should succeed 4. Delete operation for ACI should succeed """ # Create dynamic group groups = Groups(topo.standalone, DEFAULT_SUFFIX) group = groups.create(properties={ "cn": "group1", "description": "testgroup" }) group.add("objectclass", "groupOfURLs") group.add( "memberURL", f'ldap:///{DEFAULT_SUFFIX}??sub?(&(objectclass=person)(cn=test_user_1000))' ) # Set ACI Domain(topo.standalone, DEFAULT_SUFFIX).\ add("aci", f'(target = ldap:///{DEFAULT_SUFFIX})' f'(targetattr="uid")(version 3.0; acl "{request.node.name}"; ' f'allow (delete) (groupdn = "ldap:///{group.dn}"); )') # create connection with USER_WITH_ACI_DELADD conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM) # Perform Allow delete access to dynamic group UserAccount(conn, USER_DELADD).delete()
def test_deny_read_access_to_a_dynamic_group(topo, test_uer, aci_of_user): """Search Test 26 Deny read access to a dynamic group :id: c0c5290e-6e12-11e8-a900-8c16451d917b :setup: Standalone Instance :steps: 1. Add Entry 2. Add ACI 3. Bind with test USER_ANUJ 4. Try search 5. Delete Entry,test USER_ANUJ, ACI :expectedresults: 1. Operation should success 2. Operation should success 3. Operation should success 4. Operation should Fail 5. Operation should success """ groups = Groups(topo.standalone, DEFAULT_SUFFIX) group_properties = {"cn": "group1", "description": "testgroup"} group = groups.create(properties=group_properties) group.add('objectClass', 'groupOfURLS') group.set( 'memberURL', "ldap:///{}??sub?(&(ou=Accounting)(cn=Sam*))".format(DEFAULT_SUFFIX)) group.add_member(USER_ANANDA) ACI_TARGET = '(target = ldap:///{})(targetattr = "*")'.format( DEFAULT_SUFFIX) ACI_ALLOW = '(version 3.0; acl "All rights for %s"; deny(read)' % "Unknown" ACI_SUBJECT = 'groupdn = "ldap:///cn=group1,ou=Groups,{}";)'.format( DEFAULT_SUFFIX) ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY) conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM) # aci will block all 'memberURL', "ldap:///{}??sub?(&(ou=Accounting)(cn=Sam*))".format(DEFAULT_SUFFIX) assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)')) conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM) # USER_ANUJ is not a member assert 2 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)')) group.delete()