Esempio n. 1
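def create_posix_usersgroups(session_multihost):
    """Create ten POSIX users with Kerberos principals and the group ``ldapusers``.

    Users ``foo0`` to ``foo9`` are added under ``ou=People,dc=example,dc=test``
    and each one gets a principal in the ``EXAMPLE.TEST`` realm. The group is
    created with ``foo0`` as its first ``uniqueMember``; ``foo1`` to ``foo9``
    are then added with one modify operation each.

    :param session_multihost: multihost object; ``master[0]`` supplies the LDAP
        host name and is the host handed to ``krb5srv``
    :raises AssertionError: if a user or the group cannot be added, or if a
        membership modify does not report ``'Success'``
    """
    ldap_uri = 'ldap://%s' % (session_multihost.master[0].sys_hostname)
    ds_rootdn = 'cn=Directory Manager'
    # NOTE(review): the directory root password is fixed in source and the same
    # value is reused for every user principal below. The bind URI uses the
    # ldap:// scheme; whether LdapOperations upgrades the connection with
    # StartTLS is not visible here. Keep this to a disposable test realm.
    ds_rootpw = 'Secret123'
    ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
    krb = krb5srv(session_multihost.master[0], 'EXAMPLE.TEST')
    for i in range(10):
        uid = 'foo%d' % i
        user_info = {'cn': uid,
                     'uid': uid,
                     'uidNumber': '1458310%d' % i,
                     'gidNumber': '14564100'}
        # Raise explicitly instead of `assert False`: the reason travels with
        # the exception and the check survives `python -O`.
        if not ldap_inst.posix_user("ou=People", "dc=example,dc=test",
                                    user_info):
            raise AssertionError("Unable to add ldap User %s" % (user_info,))
        krb.add_principal(uid, 'user', 'Secret123')
    memberdn = 'uid=%s,ou=People,dc=example,dc=test' % ('foo0')
    group_info = {'cn': 'ldapusers',
                  'gidNumber': '14564100',
                  'uniqueMember': memberdn}
    try:
        ldap_inst.posix_group("ou=Groups", "dc=example,dc=test", group_info)
    except LdapException as err:
        # Chain the LDAP error so the failure report shows why the add failed.
        raise AssertionError(
            "Unable to add ldap group %s" % (group_info,)) from err
    group_dn = 'cn=ldapusers,ou=Groups,dc=example,dc=test'
    # foo0 is already a member through group_info, so start at foo1.
    for i in range(1, 10):
        user_dn = 'uid=foo%d,ou=People,dc=example,dc=test' % i
        add_member = [(ldap.MOD_ADD, 'uniqueMember', user_dn.encode('utf-8'))]
        (ret, _) = ldap_inst.modify_ldap(group_dn, add_member)
        if ret != 'Success':
            raise AssertionError(
                "Adding %s to %s returned %r" % (user_dn, group_dn, ret))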
Esempio n. 2
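def create_posix_usersgroups(session_multihost):
    """Create ten POSIX users with Kerberos principals and the group ``ldapusers``.

    Users ``foo0`` to ``foo9`` are added under ``ou=People,dc=example,dc=test``
    and each one gets a principal in the ``EXAMPLE.TEST`` realm. The group is
    created with ``foo0`` as its first ``uniqueMember``; ``foo1`` to ``foo9``
    are then added with one modify operation each.

    :param session_multihost: multihost object; ``master[0]`` supplies the LDAP
        host name and is the host handed to ``krb5srv``
    :raises AssertionError: if a user or the group cannot be added, or if a
        membership modify does not report ``'Success'``
    """
    ldap_uri = 'ldap://%s' % (session_multihost.master[0].sys_hostname)
    ds_rootdn = 'cn=Directory Manager'
    # NOTE(review): the directory root password is fixed in source and the same
    # value is reused for every user principal below. The bind URI uses the
    # ldap:// scheme; whether LdapOperations upgrades the connection with
    # StartTLS is not visible here. Keep this to a disposable test realm.
    ds_rootpw = 'Secret123'
    ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
    krb = krb5srv(session_multihost.master[0], 'EXAMPLE.TEST')
    for i in range(10):
        uid = 'foo%d' % i
        user_info = {'cn': uid,
                     'uid': uid,
                     'uidNumber': '1458310%d' % i,
                     'gidNumber': '14564100'}
        # Raise explicitly instead of `assert False`: the reason travels with
        # the exception and the check survives `python -O`.
        if not ldap_inst.posix_user("ou=People", "dc=example,dc=test",
                                    user_info):
            raise AssertionError("Unable to add ldap User %s" % (user_info,))
        krb.add_principal(uid, 'user', 'Secret123')
    memberdn = 'uid=%s,ou=People,dc=example,dc=test' % ('foo0')
    group_info = {'cn': 'ldapusers',
                  'gidNumber': '14564100',
                  'uniqueMember': memberdn}
    try:
        ldap_inst.posix_group("ou=Groups", "dc=example,dc=test", group_info)
    except LdapException as err:
        # Chain the LDAP error so the failure report shows why the add failed.
        raise AssertionError(
            "Unable to add ldap group %s" % (group_info,)) from err
    group_dn = 'cn=ldapusers,ou=Groups,dc=example,dc=test'
    # foo0 is already a member through group_info, so start at foo1.
    for i in range(1, 10):
        user_dn = 'uid=foo%d,ou=People,dc=example,dc=test' % i
        add_member = [(ldap.MOD_ADD, 'uniqueMember', user_dn.encode('utf-8'))]
        (ret, _) = ldap_inst.modify_ldap(group_dn, add_member)
        if ret != 'Success':
            raise AssertionError(
                "Adding %s to %s returned %r" % (user_dn, group_dn, ret))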
Esempio n. 3
def usr_grp(multihost, obj_info, type):
    """
    Add a user or a group entry to the LDAP server on ``multihost.master[0]``.

    For ``type == 'user'`` the entry is added under ``ou=People`` and, when
    ``posix_user`` returns a truthy value, a principal named after the entry's
    ``uid`` is added to the ``EXAMPLE.TEST`` realm. For ``type == 'group'``
    the entry is added under ``ou=Groups``. Any other value of ``type`` adds
    nothing.

        :param multihost: multihost object; ``master[0]`` is the server
        :param dict obj_info: an object(user/group) details
        :param str type: Either 'user' or 'group'
        :return: None

    An ``LdapException`` raised while adding the entry is caught and reported
    with ``print``; it does not reach the caller.
    """
    master = multihost.master[0]
    # ds_rootdn, ds_rootpw and ds_suffix are read from module scope.
    ldap_inst = LdapOperations(f'ldap://{master.sys_hostname}',
                               ds_rootdn, ds_rootpw)
    krb = krb5srv(master, 'EXAMPLE.TEST')
    if type == 'user':
        principal = obj_info.get('uid')
        try:
            created = ldap_inst.posix_user("ou=People", ds_suffix, obj_info)
            if created:
                # Fixed test password, identical for every principal.
                krb.add_principal(principal, 'user', 'Secret123')
        except LdapException:
            print(f"Unable to add ldap User {obj_info}")
    if type == 'group':
        members = obj_info.get('memberUid')
        try:
            ldap_inst.posix_group("ou=Groups", ds_suffix, obj_info,
                                  memberUid=members)
        except LdapException:
            print(f"Unable to add ldap group {obj_info}")
Esempio n. 4
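 def test_login_fips_weak_crypto(self, multihost):
     """
     :title: krb5/fips: verify login fails when weak crypto is presented
     :id: cdd2ef0d-4921-40b3-b61e-0b271b2d5e00
     """
     # Flow: add user 'cracker' with a principal restricted to arcfour-hmac,
     # attempt an SSH login, and require that the login fails and that the
     # journal records the KDC refusing the encryption type. Cleanup runs in
     # a `finally` so a failed assertion does not leave the capture running
     # or the weak-crypto account behind.
     ldap_uri = 'ldap://%s' % (multihost.master[0].sys_hostname)
     ds_rootdn = 'cn=Directory Manager'
     # NOTE(review): fixed directory root password, reused below as the
     # user's password; only suitable for a disposable test realm.
     ds_rootpw = 'Secret123'
     tools = sssdTools(multihost.client[0])
     domain_name = tools.get_domain_section_name()
     tools.clear_sssd_cache()
     # NOTE(review): this literal looks masked by the page the listing came
     # from. As written it has no placeholder, so the '%' formatting raises
     # TypeError; restore the original login-name format before running.
     user = '******' % domain_name
     ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
     krb = krb5srv(multihost.master[0], 'EXAMPLE.TEST')
     user_info = {
         'cn': 'cracker',
         'uid': 'cracker',
         'uidNumber': '19583100',
         'gidNumber': '14564100'
     }
     if not ldap_inst.posix_user("ou=People", "dc=example,dc=test",
                                 user_info):
         pytest.fail("Failed to add user cracker")
     # arcfour-hmac (RC4-HMAC) is the weak enctype under test; it is
     # deprecated for Kerberos (RFC 8429) and the test expects it refused.
     krb.add_principal('cracker',
                       'user',
                       'Secret123',
                       etype='arcfour-hmac')
     user_dn = 'uid=cracker,ou=People,%s' % ds_suffix
     group_dn = 'cn=ldapusers,ou=Groups,%s' % ds_suffix
     # NOTE(review): fixed file name under /tmp on the client; on a host
     # shared with other users prefer a directory only the test account can
     # write to.
     pcapfile = '/tmp/krb1.pcap'
     pkill = 'pkill tcpdump'
     try:
         add_member = [(ldap.MOD_ADD, 'uniqueMember',
                        user_dn.encode('utf-8'))]
         (ret, _) = ldap_inst.modify_ldap(group_dn, add_member)
         assert ret == 'Success'
         tools.clear_sssd_cache()
         ldap_host = multihost.master[0].sys_hostname
         tcpdump_cmd = 'tcpdump -s0 host %s -w %s' % (ldap_host, pcapfile)
         multihost.client[0].run_command(tcpdump_cmd, bg=True)
         client = pexpect_ssh(multihost.client[0].sys_hostname,
                              user,
                              'Secret123',
                              debug=False)
         try:
             client.login()
         except SSHLoginException:
             # Expected path. Stop the capture first so the pcap is complete
             # before tshark reads it.
             multihost.client[0].run_command(pkill)
             # Message type 30 is KRB-ERROR; the output is only for the log.
             tshark_cmd = "tshark -r %s -V -2 -R"\
                          " 'kerberos.msg_type == 30'" % pcapfile
             multihost.client[0].run_command(tshark_cmd, raiseonerr=False)
             journalctl_cmd = 'journalctl --no-pager -n 150'
             cmd = multihost.client[0].run_command(journalctl_cmd)
             check = re.compile(r'KDC has no support for encryption type')
             assert check.search(cmd.stdout_text)
         else:
             # The original message never substituted its %s placeholder.
             pytest.fail("%s Login successfull" % user)
     finally:
         # tcpdump may already be stopped (or never started), so a non-zero
         # exit from pkill is not an error here.
         multihost.client[0].run_command(pkill, raiseonerr=False)
         ldap_inst.del_dn(user_dn)
         krb.delete_principal('cracker')
         rm_pcap_file = 'rm -f %s' % pcapfile
         multihost.client[0].run_command(rm_pcap_file)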
Esempio n. 5
def setup_kerberos(session_multihost, request):
    """Set up a Kerberos server for ``EXAMPLE.TEST`` and register its removal.

    Calls ``config_etckrb5`` for the realm on ``master[0]``, then
    ``krb_setup_new`` on a ``krb5srv`` built for the same host, and registers
    ``destroy_krb5server`` as a finalizer on ``request``.

    :param session_multihost: multihost object; ``master[0]`` is the KDC host
    :param request: object providing ``addfinalizer``
    """
    realm = 'EXAMPLE.TEST'
    master = session_multihost.master[0]
    sssdTools(master).config_etckrb5(realm)
    krb = krb5srv(master, realm)
    krb.krb_setup_new()
    # The bound method takes no arguments, so it can be the finalizer itself.
    request.addfinalizer(krb.destroy_krb5server)
Esempio n. 6
def setup_kerberos(session_multihost, request):
    """Set up a Kerberos server for ``EXAMPLE.TEST`` and register its removal.

    Calls ``config_etckrb5`` for the realm on ``master[0]``, then
    ``krb_setup_new`` on a ``krb5srv`` built for the same host. The registered
    finalizer destroys the server and deletes ``/etc/krb5.keytab`` there.

    :param session_multihost: multihost object; ``master[0]`` is the KDC host
    :param request: object providing ``addfinalizer``
    """
    realm = 'EXAMPLE.TEST'
    master = session_multihost.master[0]
    sssdTools(master).config_etckrb5(realm)
    krb = krb5srv(master, realm)
    krb.krb_setup_new()

    def remove_kerberos():
        """Destroy the Kerberos server, then delete the host keytab."""
        krb.destroy_krb5server()
        # The keytab holds long-term keys, so it is removed with the realm.
        master.run_command('rm -f /etc/krb5.keytab')

    request.addfinalizer(remove_kerberos)
Esempio n. 7
def setup_kerberos(session_multihost, request):
    """Set up a Kerberos server for ``EXAMPLE.TEST`` and register its removal.

    Calls ``config_etckrb5`` for the realm on ``master[0]``, then
    ``krb_setup_new`` on a ``krb5srv`` built for the same host. The registered
    finalizer destroys the server and deletes ``/etc/krb5.keytab`` there.

    :param session_multihost: multihost object; ``master[0]`` is the KDC host
    :param request: object providing ``addfinalizer``
    """
    realm = 'EXAMPLE.TEST'
    master = session_multihost.master[0]
    sssdTools(master).config_etckrb5(realm)
    krb = krb5srv(master, realm)
    krb.krb_setup_new()

    def remove_kerberos():
        """Destroy the Kerberos server, then delete the host keytab."""
        krb.destroy_krb5server()
        # The keytab holds long-term keys, so it is removed with the realm.
        master.run_command('rm -f /etc/krb5.keytab')

    request.addfinalizer(remove_kerberos)
Esempio n. 8
def create_casesensitive_posix_user(session_multihost):
    """Add one POSIX user entry and the principal ``CAPSUSER-1``.

    The LDAP entry is added under ``ou=People,dc=example,dc=test`` and the
    principal is added to the ``EXAMPLE.TEST`` realm. The result of
    ``posix_user`` is not checked, so the principal is added either way.

    :param session_multihost: multihost object; ``master[0]`` is the server
    """
    master = session_multihost.master[0]
    ldap_uri = f'ldap://{master.sys_hostname}'
    krb = krb5srv(master, 'EXAMPLE.TEST')
    # NOTE(review): fixed directory root credentials, sent to an ldap:// URI;
    # only suitable for a disposable test realm.
    ldap_inst = LdapOperations(ldap_uri, 'cn=Directory Manager', 'Secret123')
    # NOTE(review): this literal looks masked by the page the listing came
    # from; presumably it matched the principal name below. Confirm.
    username = '******'
    user_info = dict(cn=username,
                     uid=username,
                     uidNumber='24583100',
                     gidNumber='14564100')
    ldap_inst.posix_user("ou=People", "dc=example,dc=test", user_info)
    krb.add_principal('CAPSUSER-1', 'user', 'Secret123')
Esempio n. 9
def create_casesensitive_posix_user(session_multihost):
    """Add one POSIX user entry and the principal ``CAPSUSER-1``.

    The LDAP entry is added under ``ou=People,dc=example,dc=test`` and the
    principal is added to the ``EXAMPLE.TEST`` realm. The result of
    ``posix_user`` is not checked, so the principal is added either way.

    :param session_multihost: multihost object; ``master[0]`` is the server
    """
    master = session_multihost.master[0]
    ldap_uri = f'ldap://{master.sys_hostname}'
    krb = krb5srv(master, 'EXAMPLE.TEST')
    # NOTE(review): fixed directory root credentials, sent to an ldap:// URI;
    # only suitable for a disposable test realm.
    ldap_inst = LdapOperations(ldap_uri, 'cn=Directory Manager', 'Secret123')
    # NOTE(review): this literal looks masked by the page the listing came
    # from; presumably it matched the principal name below. Confirm.
    username = '******'
    user_info = dict(cn=username,
                     uid=username,
                     uidNumber='24583100',
                     gidNumber='14564100')
    ldap_inst.posix_user("ou=People", "dc=example,dc=test", user_info)
    krb.add_principal('CAPSUSER-1', 'user', 'Secret123')
Esempio n. 10
def create_many_user_principals(session_multihost):
    """Add one user principal per index from 1 to 64 in ``EXAMPLE.TEST``.

    Every principal gets the same fixed test password.

    :param session_multihost: multihost object; ``master[0]`` is the KDC host
    """
    kdc = krb5srv(session_multihost.master[0], 'EXAMPLE.TEST')
    index = 1
    while index < 65:
        # NOTE(review): this literal looks masked by the page the listing
        # came from. As written it has no placeholder, so the '%' formatting
        # raises TypeError; restore the original name format before running.
        principal = "******" % index
        kdc.add_principal(principal, 'user', 'Secret123')
        index += 1