def sssd_conf(inst, basedn, log, args):
schema_type = "rfc2307"
try:
mo_plugin = MemberOfPlugin(inst)
if mo_plugin.status():
schema_type = "rfc2307bis"
except:
schema_type = "unknown - likely access denied to memberof plugin config"
ldap_access_filter = "# ldap_access_filter = (memberOf=<dn>)"
if args.allowed_group:
groups = Groups(inst, basedn)
g_access = groups.get(args.allowed_group)
ldap_access_filter = 'ldap_access_filter = (memberOf=%s)' % g_access.dn
ldap_uri_warning = ""
if inst.ldapuri.startswith("ldapi://"):
ldap_uri_warning = "# ⚠️ WARNING: ldap_uri starts with ldapi:// - you should review this parameter"
# Print a customised sssd.config.
print(
SSSD_CONF_TEMPLATE.format(basedn=basedn,
schema_type=schema_type,
ldap_uri=inst.ldapuri,
ldap_access_filter=ldap_access_filter,
ldap_uri_warning=ldap_uri_warning))
# Print a customised sssd.conf to log for test purpose
log.debug(
SSSD_CONF_TEMPLATE.format(basedn=basedn,
schema_type=schema_type,
ldap_uri=inst.ldapuri,
ldap_access_filter=ldap_access_filter,
ldap_uri_warning=ldap_uri_warning))
def test_deny_read_access_to_multiple_groupdns(topo, test_uer, aci_of_user):
"""Search Test 6 Deny read access to multiple groupdn's
:id: 8f3ba440-6e11-11e8-8b20-8c16451d917b
:setup: Standalone Instance
:steps:
1. Add Entry
2. Add ACI
3. Bind with test USER_ANUJ
4. Try search
5. Delete Entry,test USER_ANUJ, ACI
:expectedresults:
1. Operation should success
2. Operation should success
3. Operation should success
4. Operation should Fail
5. Operation should success
"""
groups = Groups(topo.standalone, DEFAULT_SUFFIX)
group = groups.create(properties={
"cn": "group1",
"description": "testgroup"
})
group.add_member(USER_ANANDA)
posix_groups = PosixGroups(topo.standalone, DEFAULT_SUFFIX)
posix_group = posix_groups.create(properties={
"cn": "group2",
"description": "testgroup2",
"gidNumber": "2000",
})
posix_group.add_member(USER_ANUJ)
ACI_TARGET = '(targetattr="*")'
ACI_ALLOW = '(version 3.0; acl "All rights for cn=group1,ou=Groups,{}"; deny(read)'.format(
DEFAULT_SUFFIX)
ACI_SUBJECT = 'groupdn="ldap:///cn=group1,ou=Groups,{}||ldap:///cn=group2,ou=Groups,{}";)'.format(
DEFAULT_SUFFIX, DEFAULT_SUFFIX)
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
# aci will block 'groupdn="ldap:///cn=group1,ou=Groups,dc=example,dc=com||ldap:///cn=group2,ou=Groups,dc=example,dc=com";)
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
# aci will block 'groupdn="ldap:///cn=group1,ou=Groups,dc=example,dc=com||ldap:///cn=group2,ou=Groups,dc=example,dc=com";)
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
# with root there is no aci blockage
assert 5 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
group = groups.get("group1")
group.delete()
posix_groups.get("group2")
posix_group.delete()
def sssd_conf(inst, basedn, log, args):
schema_type = "rfc2307"
try:
mo_plugin = MemberOfPlugin(inst)
if mo_plugin.status():
schema_type = "rfc2307bis"
except:
schema_type = "unknown - likely access denied to memberof plugin config"
ldap_access_filter = None
if args.allowed_group:
groups = Groups(inst, basedn)
g_access = groups.get(args.allowed_group)
ldap_access_filter = '(memberOf=%s)' % g_access.dn
# Print a customised sssd.config.
print(SSSD_CONF_TEMPLATE.format(
basedn=basedn,
schema_type=schema_type,
ldap_uri=inst.ldapuri,
ldap_access_filter=ldap_access_filter,
))
def test_managed_entry_removal(topo):
"""Check that we can't remove managed entry manually
:id: cf9c5be5-97ef-46fc-b199-8346acf4c296
:setup: Standalone Instance
:steps:
1. Enable the plugin
2. Restart the instance
3. Add our org units
4. Set up config entry and template entry for the org units
5. Add an entry that meets the MEP scope
6. Check if a managed group entry was created
7. Try to remove the entry while bound as Admin (non-DM)
8. Remove the entry while bound as DM
9. Check that the managing entry can be deleted too
:expectedresults:
1. Success
2. Success
3. Success
4. Success
5. Success
6. Success
7. Should fail
8. Success
9. Success
"""
inst = topo.standalone
# Add ACI so we can test that non-DM user can't delete managed entry
domain = Domain(inst, DEFAULT_SUFFIX)
ACI_TARGET = f"(target = \"ldap:///{DEFAULT_SUFFIX}\")"
ACI_TARGETATTR = "(targetattr = *)"
ACI_ALLOW = "(version 3.0; acl \"Admin Access\"; allow (all) "
ACI_SUBJECT = "(userdn = \"ldap:///anyone\");)"
ACI_BODY = ACI_TARGET + ACI_TARGETATTR + ACI_ALLOW + ACI_SUBJECT
domain.add('aci', ACI_BODY)
# stop the plugin, and start it
plugin = ManagedEntriesPlugin(inst)
plugin.disable()
plugin.enable()
# Add our org units
ous = OrganizationalUnits(inst, DEFAULT_SUFFIX)
ou_people = ous.create(properties={'ou': 'managed_people'})
ou_groups = ous.create(properties={'ou': 'managed_groups'})
mep_templates = MEPTemplates(inst, DEFAULT_SUFFIX)
mep_template1 = mep_templates.create(
properties={
'cn':
'MEP template',
'mepRDNAttr':
'cn',
'mepStaticAttr':
'objectclass: groupOfNames|objectclass: extensibleObject'.split(
'|'),
'mepMappedAttr':
'cn: $cn|uid: $cn|gidNumber: $uidNumber'.split('|')
})
mep_configs = MEPConfigs(inst)
mep_configs.create(
properties={
'cn': 'config',
'originScope': ou_people.dn,
'originFilter': 'objectclass=posixAccount',
'managedBase': ou_groups.dn,
'managedTemplate': mep_template1.dn
})
inst.restart()
# Add an entry that meets the MEP scope
test_users_m1 = UserAccounts(inst,
DEFAULT_SUFFIX,
rdn='ou={}'.format(ou_people.rdn))
managing_entry = test_users_m1.create_test_user(1001)
managing_entry.reset_password(USER_PASSWORD)
user_bound_conn = managing_entry.bind(USER_PASSWORD)
# Get the managed entry
managed_groups = Groups(inst, ou_groups.dn, rdn=None)
managed_entry = managed_groups.get(managing_entry.rdn)
# Check that the managed entry was created
assert managed_entry.exists()
# Try to remove the entry while bound as Admin (non-DM)
managed_groups_user_conn = Groups(user_bound_conn, ou_groups.dn, rdn=None)
managed_entry_user_conn = managed_groups_user_conn.get(managed_entry.rdn)
with pytest.raises(ldap.UNWILLING_TO_PERFORM):
managed_entry_user_conn.delete()
assert managed_entry_user_conn.exists()
# Remove the entry while bound as DM
managed_entry.delete()
assert not managed_entry.exists()
# Check that the managing entry can be deleted too
managing_entry.delete()
assert not managing_entry.exists()
def test_usandsconf_dbgen_groups(topology_st, set_log_file_and_ldif):
"""Test ldifgen (formerly dbgen) tool to create ldif with group
:id: 97207413-9a93-4065-a5ec-63aa93801a31
:setup: Standalone instance
:steps:
1. Create DS instance
2. Run ldifgen to generate ldif with group
3. Import generated ldif to database
4. Check it was properly imported
:expectedresults:
1. Success
2. Success
3. Success
4. Success
"""
LDAP_RESULT = 'adding new entry "cn=myGroup-1,ou=groups,dc=example,dc=com"'
standalone = topology_st.standalone
args = FakeArgs()
args.NAME = 'myGroup'
args.parent = 'ou=groups,dc=example,dc=com'
args.suffix = DEFAULT_SUFFIX
args.number = "1"
args.num_members = "1000"
args.create_members = True
args.member_attr = 'uniquemember'
args.member_parent = 'ou=people,dc=example,dc=com'
args.ldif_file = ldif_file
content_list = [
'Generating LDIF with the following options:',
'NAME={}'.format(args.NAME), 'number={}'.format(args.number),
'suffix={}'.format(args.suffix), 'num-members={}'.format(
args.num_members), 'create-members={}'.format(args.create_members),
'member-parent={}'.format(args.member_parent),
'member-attr={}'.format(args.member_attr),
'ldif-file={}'.format(args.ldif_file), 'Writing LDIF',
'Successfully created LDIF file: {}'.format(args.ldif_file)
]
log.info('Run ldifgen to create group ldif')
dbgen_create_groups(standalone, log, args)
log.info('Check if file exists')
assert os.path.exists(ldif_file)
check_value_in_log_and_reset(content_list)
log.info('Get number of accounts before import')
accounts = Accounts(standalone, DEFAULT_SUFFIX)
count_account = len(accounts.filter('(uid=*)'))
# Groups, COS, Roles and modification ldifs are designed to be used by ldapmodify, not ldif2db
# ldapmodify will complain about already existing parent which causes subprocess to return exit code != 0
with pytest.raises(subprocess.CalledProcessError):
run_ldapmodify_from_file(standalone, ldif_file, LDAP_RESULT)
log.info('Check that accounts are imported')
assert len(accounts.filter('(uid=*)')) > count_account
log.info('Check that group is imported')
groups = Groups(standalone, DEFAULT_SUFFIX)
assert groups.exists(args.NAME + '-1')
new_group = groups.get(args.NAME + '-1')
new_group.present('uniquemember',
'uid=group_entry1-0152,ou=people,dc=example,dc=com')
def test_install_aci(topology_st):
"""Assert our default aci's work as expected."""
# Create some users and groups.
users = nsUserAccounts(topology_st.standalone, DEFAULT_SUFFIX)
groups = PosixGroups(topology_st.standalone, DEFAULT_SUFFIX)
user_basic = users.create(
properties={
'uid': 'basic',
'cn': 'Basic',
'displayName': 'Basic',
'uidNumber': '100000',
'gidNumber': '100000',
'homeDirectory': '/home/basic',
'userPassword': '******',
'legalName': 'Super Secret PII',
})
user_modify = users.create(
properties={
'uid': 'modify',
'cn': 'Modify',
'displayName': 'Modify',
'uidNumber': '100001',
'gidNumber': '100001',
'homeDirectory': '/home/modify',
'userPassword': '******',
'legalName': 'Super Secret PII',
})
user_admin = users.create(
properties={
'uid': 'admin',
'cn': 'Admin',
'displayName': 'Admin',
'uidNumber': '100002',
'gidNumber': '100002',
'homeDirectory': '/home/admin',
'userPassword': '******',
'legalName': 'Super Secret PII',
})
user_pw_reset = users.create(
properties={
'uid': 'pw_reset',
'cn': 'Password Reset',
'displayName': 'Password Reset',
'uidNumber': '100003',
'gidNumber': '100003',
'homeDirectory': '/home/pw_reset',
'userPassword': '******',
'legalName': 'Super Secret PII',
})
# Add users to various permissions.
permissions = Groups(topology_st.standalone,
DEFAULT_SUFFIX,
rdn='ou=permissions')
g_group_admin = permissions.get('group_admin')
g_group_modify = permissions.get('group_modify')
g_user_admin = permissions.get('user_admin')
g_user_modify = permissions.get('user_modify')
g_user_pw_reset = permissions.get('user_passwd_reset')
g_group_admin.add_member(user_admin.dn)
g_user_admin.add_member(user_admin.dn)
g_group_modify.add_member(user_modify.dn)
g_user_modify.add_member(user_modify.dn)
g_user_pw_reset.add_member(user_pw_reset.dn)
# Bind as a user and assert what we can and can not see
c_user_basic = user_basic.bind(password='******')
c_user_modify = user_modify.bind(password='******')
c_user_admin = user_admin.bind(password='******')
c_user_pw_reset = user_pw_reset.bind(password='******')
c_user_basic_users = nsUserAccounts(c_user_basic, DEFAULT_SUFFIX)
c_user_pw_reset_users = nsUserAccounts(c_user_pw_reset, DEFAULT_SUFFIX)
c_user_modify_users = nsUserAccounts(c_user_modify, DEFAULT_SUFFIX)
c_user_admin_users = nsUserAccounts(c_user_admin, DEFAULT_SUFFIX)
# Should be able to see users, but not their legalNames
user_basic_view_demo_user = c_user_basic_users.get('demo_user')
assert user_basic_view_demo_user.get_attr_val_utf8('legalName') is None
assert user_basic_view_demo_user.get_attr_val_utf8('uid') == 'demo_user'
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
user_basic_view_demo_user.replace('description', 'change value')
user_pw_reset_view_demo_user = c_user_pw_reset_users.get('demo_user')
assert user_pw_reset_view_demo_user.get_attr_val_utf8('legalName') is None
assert user_pw_reset_view_demo_user.get_attr_val_utf8('uid') == 'demo_user'
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
user_pw_reset_view_demo_user.replace('description', 'change value')
# The user admin and modify should be able to read it.
user_modify_view_demo_user = c_user_modify_users.get('demo_user')
assert user_modify_view_demo_user.get_attr_val_utf8(
'legalName') == 'Demo User Name'
assert user_modify_view_demo_user.get_attr_val_utf8('uid') == 'demo_user'
user_modify_view_demo_user.replace('description', 'change value')
user_admin_view_demo_user = c_user_admin_users.get('demo_user')
assert user_admin_view_demo_user.get_attr_val_utf8(
'legalName') == 'Demo User Name'
assert user_admin_view_demo_user.get_attr_val_utf8('uid') == 'demo_user'
user_admin_view_demo_user.replace('description', 'change value')
# Assert only admin can create:
test_user_properties = {
'uid': 'test_user',
'cn': 'Test User',
'displayName': 'Test User',
'uidNumber': '100005',
'gidNumber': '100005',
'homeDirectory': '/home/test_user',
'legalName': 'Super Secret PII',
}
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
c_user_basic_users.create(properties=test_user_properties)
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
c_user_pw_reset_users.create(properties=test_user_properties)
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
c_user_modify_users.create(properties=test_user_properties)
test_user = c_user_admin_users.create(properties=test_user_properties)
test_user.delete()
# Assert on pw_reset can unlock/pw
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
user_basic_view_demo_user.lock()
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
user_modify_view_demo_user.lock()
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
user_admin_view_demo_user.lock()
user_pw_reset_view_demo_user.lock()
# Group test
c_user_basic_groups = PosixGroups(c_user_basic, DEFAULT_SUFFIX)
c_user_pw_reset_groups = PosixGroups(c_user_pw_reset, DEFAULT_SUFFIX)
c_user_modify_groups = PosixGroups(c_user_modify, DEFAULT_SUFFIX)
c_user_admin_groups = PosixGroups(c_user_admin, DEFAULT_SUFFIX)
# Assert that members can be read, but only modify/admin can edit.
user_basic_view_demo_group = c_user_basic_groups.get('demo_group')
assert user_basic_view_demo_group.get_attr_val_utf8('cn') == 'demo_group'
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
user_basic_view_demo_group.add_member(user_basic.dn)
user_pw_reset_view_demo_group = c_user_pw_reset_groups.get('demo_group')
assert user_pw_reset_view_demo_group.get_attr_val_utf8(
'cn') == 'demo_group'
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
user_pw_reset_view_demo_group.add_member(user_pw_reset.dn)
user_modify_view_demo_group = c_user_modify_groups.get('demo_group')
assert user_modify_view_demo_group.get_attr_val_utf8('cn') == 'demo_group'
user_modify_view_demo_group.add_member(user_modify.dn)
user_admin_view_demo_group = c_user_admin_groups.get('demo_group')
assert user_admin_view_demo_group.get_attr_val_utf8('cn') == 'demo_group'
user_admin_view_demo_group.add_member(user_admin.dn)
# Assert that only admin can add new group.
group_properties = {'cn': 'test_group', 'gidNumber': '100009'}
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
c_user_basic_groups.create(properties=group_properties)
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
c_user_pw_reset_groups.create(properties=group_properties)
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
c_user_modify_groups.create(properties=group_properties)
c_user_admin_groups.create(properties=group_properties)
def test_ri_and_mep_cache_corruption(topology_st):
"""Test RI plugin aborts change after MEP plugin fails.
This is really testing the entry cache for corruption
:id: 70d0b96e-b693-4bf7-bbf5-102a66ac5995
:setup: Standalone instance
:steps: 1. Enable and configure mep and ri plugins
2. Add user and add it to a group
3. Disable MEP plugin and remove MEP group
4. Delete user
5. Check that user is still a member of the group
:expectedresults:
1. Success
2. Success
3. Success
4. It fails with NO_SUCH_OBJECT
5. Success
"""
# Add ACI so we can test that non-DM user can't delete managed entry
domain = Domain(topology_st.standalone, DEFAULT_SUFFIX)
ACI_TARGET = f"(target = \"ldap:///{DEFAULT_SUFFIX}\")"
ACI_TARGETATTR = "(targetattr = *)"
ACI_ALLOW = "(version 3.0; acl \"Admin Access\"; allow (all) "
ACI_SUBJECT = "(userdn = \"ldap:///anyone\");)"
ACI_BODY = ACI_TARGET + ACI_TARGETATTR + ACI_ALLOW + ACI_SUBJECT
domain.add('aci', ACI_BODY)
# Start plugins
topology_st.standalone.config.set('nsslapd-dynamic-plugins', 'on')
mep_plugin = ManagedEntriesPlugin(topology_st.standalone)
mep_plugin.enable()
ri_plugin = ReferentialIntegrityPlugin(topology_st.standalone)
ri_plugin.enable()
# Add our org units
ous = OrganizationalUnits(topology_st.standalone, DEFAULT_SUFFIX)
ou_people = ous.create(properties={'ou': 'managed_people'})
ou_groups = ous.create(properties={'ou': 'managed_groups'})
# Configure MEP
mep_templates = MEPTemplates(topology_st.standalone, DEFAULT_SUFFIX)
mep_template1 = mep_templates.create(properties={
'cn': 'MEP template',
'mepRDNAttr': 'cn',
'mepStaticAttr': 'objectclass: groupOfNames|objectclass: extensibleObject'.split('|'),
'mepMappedAttr': 'cn: $cn|uid: $cn|gidNumber: $uidNumber'.split('|')
})
mep_configs = MEPConfigs(topology_st.standalone)
mep_configs.create(properties={'cn': 'config',
'originScope': ou_people.dn,
'originFilter': 'objectclass=posixAccount',
'managedBase': ou_groups.dn,
'managedTemplate': mep_template1.dn})
# Add an entry that meets the MEP scope
users = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX,
rdn='ou={}'.format(ou_people.rdn))
user = users.create(properties={
'uid': 'test-user1',
'cn': 'test-user',
'sn': 'test-user',
'uidNumber': '10011',
'gidNumber': '20011',
'homeDirectory': '/home/test-user1'
})
user.reset_password(USER_PASSWORD)
user_bound_conn = user.bind(USER_PASSWORD)
# Add group
groups = Groups(topology_st.standalone, DEFAULT_SUFFIX)
user_group = groups.ensure_state(properties={'cn': 'group', 'member': user.dn})
# Check if a managed group entry was created
mep_group = Group(topology_st.standalone, dn='cn={},{}'.format(user.rdn, ou_groups.dn))
if not mep_group.exists():
log.fatal("MEP group was not created for the user")
assert False
# Test MEP be txn pre op failure does not corrupt entry cache
# Should get the same exception for both rename attempts
# Try to remove the entry while bound as Admin (non-DM)
managed_groups_user_conn = Groups(user_bound_conn, ou_groups.dn, rdn=None)
managed_entry_user_conn = managed_groups_user_conn.get(user.rdn)
with pytest.raises(ldap.UNWILLING_TO_PERFORM):
managed_entry_user_conn.rename("cn=modrdn group")
with pytest.raises(ldap.UNWILLING_TO_PERFORM):
managed_entry_user_conn.rename("cn=modrdn group")
# Mess with MEP so it fails
mep_plugin.disable()
users_mep_group = UserAccounts(topology_st.standalone, mep_group.dn, rdn=None)
users_mep_group.create_test_user(1001)
mep_plugin.enable()
# Add another group to verify entry cache is not corrupted
test_group = groups.create(properties={'cn': 'test_group'})
# Try to delete user - it fails because managed entry can't be deleted
with pytest.raises(ldap.NOT_ALLOWED_ON_NONLEAF):
user.delete()
# Verify membership is intact
if not user_group.is_member(user.dn):
log.fatal("Member was incorrectly removed from the group!! Or so it seems")
# Restart server and test again in case this was a cache issue
topology_st.standalone.restart()
if user_group.is_member(user.dn):
log.info("The entry cache was corrupted")
assert False
assert False
# Verify test group is still found in entry cache by deleting it
test_group.delete()
# Success
log.info("Test PASSED")
