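def create_posix_usersgroups(session_multihost):
    """Create ten posix users (foo0..foo9) and the ``ldapusers`` group.

    Every user is added to the directory on ``master[0]`` and gets a Kerberos
    principal in EXAMPLE.TEST. ``foo0`` is the group's initial uniqueMember;
    ``foo1``..``foo9`` are appended one by one afterwards.

    Args:
        session_multihost: multihost fixture; ``master[0]`` hosts the
            directory server and the KDC.

    Raises:
        AssertionError: when adding a user, the group or a group member fails.
    """
    ldap_uri = 'ldap://%s' % (session_multihost.master[0].sys_hostname)
    ds_rootdn = 'cn=Directory Manager'
    ds_rootpw = 'Secret123'
    ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
    krb = krb5srv(session_multihost.master[0], 'EXAMPLE.TEST')
    for i in range(10):
        user_info = {'cn': 'foo%d' % i,
                     'uid': 'foo%d' % i,
                     'uidNumber': '1458310%d' % i,
                     'gidNumber': '14564100'}
        # posix_user() reports success through its return value; carry the
        # offending entry in the assertion message instead of print + assert False.
        assert ldap_inst.posix_user("ou=People", "dc=example,dc=test", user_info), \
            "Unable to add ldap User %s" % (user_info)
        krb.add_principal('foo%d' % i, 'user', 'Secret123')
    memberdn = 'uid=%s,ou=People,dc=example,dc=test' % ('foo0')
    group_info = {'cn': 'ldapusers',
                  'gidNumber': '14564100',
                  'uniqueMember': memberdn}
    try:
        ldap_inst.posix_group("ou=Groups", "dc=example,dc=test", group_info)
    except LdapException as exc:
        # Same failure type as before (AssertionError) but the cause is kept.
        raise AssertionError("Unable to add ldap group %s" % (group_info)) from exc
    group_dn = 'cn=ldapusers,ou=Groups,dc=example,dc=test'
    for i in range(1, 10):
        user_dn = 'uid=foo%d,ou=People,dc=example,dc=test' % i
        add_member = [(ldap.MOD_ADD, 'uniqueMember', user_dn.encode('utf-8'))]
        (ret, _) = ldap_inst.modify_ldap(group_dn, add_member)
        assert ret == 'Success', "Unable to add %s to %s: %s" % (user_dn, group_dn, ret)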
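def case_sensitive_sudorule(session_multihost, create_casesensitive_posix_user, request):
    """Create two sudo rules whose sudoUser differs only in letter case.

    ``cn=lessrule`` allows ``/usr/bin/less`` for ``capsuser-1`` and
    ``cn=morerule`` allows ``/usr/bin/more`` for ``CAPSUSER-1``. Both live
    under a newly created ``ou=sudoers`` and are deleted, together with the
    OU, by a finalizer registered on *request*.

    Args:
        session_multihost: multihost fixture; ``master[0]`` is the LDAP server.
        create_casesensitive_posix_user: requested only for ordering, so the
            user named in the rules exists before the rules do.
        request: pytest request object used to register the cleanup.
    """
    # pylint: disable=unused-argument
    ldap_uri = 'ldap://%s' % (session_multihost.master[0].sys_hostname)
    ds_rootdn = 'cn=Directory Manager'
    ds_rootpw = 'Secret123'
    ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
    ldap_inst.org_unit('sudoers', 'dc=example,dc=test')
    sudo_ou = 'ou=sudoers,dc=example,dc=test'
    rule_dn1 = "%s,%s" % ('cn=lessrule', sudo_ou)
    rule_dn2 = "%s,%s" % ('cn=morerule', sudo_ou)
    # !authenticate makes the rules password-less so they can be exercised
    # non-interactively; !requiretty allows use without a controlling tty.
    sudo_options = ["!requiretty", "!authenticate"]
    rules = [
        (rule_dn1, '/usr/bin/less', 'capsuser-1'),
        (rule_dn2, '/usr/bin/more', 'CAPSUSER-1'),
    ]
    for rule_dn, command, sudo_user in rules:
        try:
            ldap_inst.add_sudo_rule(rule_dn, 'ALL', command, sudo_user, sudo_options)
        except LdapException:
            pytest.fail("Failed to add sudo rule %s" % rule_dn)

    def del_sensitive_sudo_rule():
        """Delete both rules, then the sudoers OU that held them."""
        for dn in (rule_dn1, rule_dn2, sudo_ou):
            (ret, _) = ldap_inst.del_dn(dn)
            assert ret == 'Success', "del_dn(%s) returned %s" % (dn, ret)

    request.addfinalizer(del_sensitive_sudo_rule)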
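def create_casesensitive_posix_user(session_multihost):
    """Create the posix user that the case-sensitive sudo rules refer to.

    The directory entry is created with ``posix_user`` and a Kerberos
    principal ``CAPSUSER-1`` is added next to it.

    Args:
        session_multihost: multihost fixture; ``master[0]`` hosts the
            directory server and the KDC.

    Raises:
        AssertionError: if the directory refuses the user entry.
    """
    ldap_uri = 'ldap://%s' % (session_multihost.master[0].sys_hostname)
    krb = krb5srv(session_multihost.master[0], 'EXAMPLE.TEST')
    ds_rootdn = 'cn=Directory Manager'
    ds_rootpw = 'Secret123'
    ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
    # NOTE(review): the username literal appears redacted ('******') in this
    # copy of the file; confirm it matches the principal name added below.
    username = '******'
    user_info = {'cn': username,
                 'uid': username,
                 'uidNumber': '24583100',
                 'gidNumber': '14564100'}
    # posix_user() signals failure through its return value (see
    # create_posix_usersgroups); do not silently continue to the KDC step.
    assert ldap_inst.posix_user("ou=People", "dc=example,dc=test", user_info), \
        "Unable to add ldap User %s" % (user_info)
    krb.add_principal('CAPSUSER-1', 'user', 'Secret123')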
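def create_sudorule(session_multihost, create_casesensitive_posix_user):
    """Create two sudo rules whose sudoUser differs only in letter case.

    ``cn=lessrule`` allows ``/usr/bin/less`` for ``capsuser-1`` and
    ``cn=morerule`` allows ``/usr/bin/more`` for ``CAPSUSER-1``, both under a
    newly created ``ou=sudoers``. Unlike ``case_sensitive_sudorule`` this
    fixture registers no cleanup; the rules and the OU stay in the directory.

    Args:
        session_multihost: multihost fixture; ``master[0]`` is the LDAP server.
        create_casesensitive_posix_user: requested only for ordering, so the
            user named in the rules exists before the rules do.
    """
    # pylint: disable=unused-argument
    ldap_uri = 'ldap://%s' % (session_multihost.master[0].sys_hostname)
    ds_rootdn = 'cn=Directory Manager'
    ds_rootpw = 'Secret123'
    ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
    ldap_inst.org_unit('sudoers', 'dc=example,dc=test')
    sudo_ou = 'ou=sudoers,dc=example,dc=test'
    rule_dn1 = "%s,%s" % ('cn=lessrule', sudo_ou)
    rule_dn2 = "%s,%s" % ('cn=morerule', sudo_ou)
    # !authenticate makes the rules password-less so they can be exercised
    # non-interactively; !requiretty allows use without a controlling tty.
    sudo_options = ["!requiretty", "!authenticate"]
    rules = [
        (rule_dn1, '/usr/bin/less', 'capsuser-1'),
        (rule_dn2, '/usr/bin/more', 'CAPSUSER-1'),
    ]
    for rule_dn, command, sudo_user in rules:
        try:
            ldap_inst.add_sudo_rule(rule_dn, 'ALL', command, sudo_user, sudo_options)
        except LdapException:
            pytest.fail("Failed to add sudo rule %s" % rule_dn)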
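def test_sss_cache_reset(self, multihost, backupsssdconf):
    """
    :title: fix sss_cache to also reset cached timestamp
    :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1902280
    :customerscenario: True
    :id: c310f1b4-e89b-11eb-84ce-845cf3eff344
    :steps:
      1. Make a change to group entry in LDAP
      2. Run 'sss_cache -E' on clients
      3. Check with 'getent group' on clients to see if correct
    :expectedresults:
      1. Should succeed
      2. Should succeed
      3. Should succeed
    """
    # backupsssdconf is a fixture dependency; presumably it restores sssd.conf.
    client = sssdTools(multihost.client[0])
    domain_name = client.get_domain_section_name()
    domain_params = {
        'ldap_schema': 'rfc2307bis',
        'ldap_group_member': 'uniquemember',
        'debug_level': '9'
    }
    client.sssd_conf(f'domain/{domain_name}', domain_params)
    multihost.client[0].service_sssd('restart')
    getent_cmd = "getent group ldapusers@example1"
    # Prime the cache: foo9 must be listed before the directory is changed.
    get_ent = multihost.client[0].run_command(getent_cmd)
    assert "foo9@example1" in get_ent.stdout_text, get_ent.stdout_text
    user_dn = 'uid=foo9,ou=People,dc=example,dc=test'
    group_dn = 'cn=ldapusers,ou=Groups,dc=example,dc=test'
    ldap_uri = 'ldap://%s' % (multihost.master[0].sys_hostname)
    ds_rootdn = 'cn=Directory Manager'
    ds_rootpw = 'Secret123'
    ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
    del_member = [(ldap.MOD_DELETE, 'uniqueMember', user_dn.encode('utf-8'))]
    (ret, _) = ldap_inst.modify_ldap(group_dn, del_member)
    assert ret == 'Success', ret
    # Invalidate groups, then everything; per the bug title the cached
    # timestamp used to survive this and the stale membership was served again.
    multihost.client[0].run_command("sss_cache -G")
    multihost.client[0].run_command("sss_cache -E")
    get_ent1 = multihost.client[0].run_command(getent_cmd)
    assert "foo9@example1" not in get_ent1.stdout_text, get_ent1.stdout_text
    assert get_ent.stdout_text != get_ent1.stdout_text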
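def test_0005_getent_homedirectory(self, multihost, backupsssdconf):
    """
    :title: misc: fallback_homedir returns '/' for empty home directories in passwd file
    :id: 69a6b54e-a8eb-4145-8554-c5e666d82276
    :customerscenario: True
    :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1660693
    :steps:
      1. Add an LDAP user whose homeDirectory is a single space
      2. Run 'getent passwd -s sss' for that user
    :expectedresults:
      1. Should succeed
      2. The home directory field must not be '/'
    """
    multihost.client[0].service_sssd('restart')
    ldap_uri = 'ldap://%s' % (multihost.master[0].sys_hostname)
    ds_rootdn = 'cn=Directory Manager'
    ds_rootpw = 'Secret123'
    ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
    # NOTE(review): the userPassword value appears redacted ('******') in this
    # copy of the file.
    user_info = {
        'cn': 'user_exp4'.encode('utf-8'),
        'objectClass': [
            b'top', b'person', b'inetOrgPerson',
            b'organizationalPerson', b'posixAccount'
        ],
        'sn': 'user_exp'.encode('utf-8'),
        'uid': 'user_exp'.encode('utf-8'),
        'userPassword': '******'.encode('utf-8'),
        # A blank home directory is the condition the bug is about.
        'homeDirectory': ' '.encode('utf-8'),
        'uidNumber': '121012'.encode('utf-8'),
        'gidNumber': '121012'.encode('utf-8'),
        'loginShell': '/bin/bash'.encode('utf-8')
    }
    user_dn = 'uid=user_exp4,ou=People,dc=example,dc=test'
    (_, _) = ldap_inst.add_entry(user_info, user_dn)
    try:
        cmd_getent = "getent passwd -s sss user_exp4@example1"
        cmd = multihost.client[0].run_command(cmd_getent)
    finally:
        # Remove the entry even if getent fails so a rerun starts clean.
        ldap_inst.del_dn(user_dn)
    assert ":/:" not in cmd.stdout_text, cmd.stdout_text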
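def test_0003_background_refresh(self, multihost):
    """
    :title: netgroup: background refresh task does not refresh updated netgroup entries
    :id: b17d904d-0d64-4f4a-bbad-4c7f63e1faf2
    :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1779486 (RHEL8.2)
               https://bugzilla.redhat.com/show_bug.cgi?id=1822461 (RHEL7.8)
    :steps:
      1. Configure a short entry_cache_timeout and refresh_expired_interval
      2. Look up netgroup_1 so it is cached, then replace its nisNetgroupTriple in LDAP
      3. Wait past the timeout and inspect the sysdb cache with ldbsearch
    :expectedresults:
      1. Should succeed
      2. Should succeed
      3. The cache holds the updated triple
    """
    multihost.client[0].service_sssd('stop')
    tools = sssdTools(multihost.client[0])
    tools.remove_sss_cache('/var/lib/sss/db')
    section = "domain/%s" % ds_instance_name
    domain_params = {
        'entry_cache_timeout': '30',
        'refresh_expired_interval': '22'
    }
    tools.sssd_conf(section, domain_params)
    multihost.client[0].service_sssd('restart')
    try:
        # Cache netgroup_1 first so the later update has something to refresh.
        multihost.client[0].run_command("getent netgroup netgroup_1")
        shortname = multihost.client[0].sys_hostname.strip().split('.')[0]
        ldap_uri = 'ldap://%s' % (multihost.master[0].sys_hostname)
        ds_rootdn = 'cn=Directory Manager'
        ds_rootpw = 'Secret123'
        ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
        netgroup_dn = 'cn=netgroup_1,ou=Netgroups,%s' % (ds_suffix)
        triple = "(%s,foo1,%s)" % (shortname, ds_suffix)
        modify_netgroup = [(ldap.MOD_REPLACE, 'nisNetgroupTriple',
                            triple.encode('utf-8'))]
        (_, _) = ldap_inst.modify_ldap(netgroup_dn, modify_netgroup)
        # Longer than entry_cache_timeout (30s), so the entry has expired and
        # the refresh task (every 22s) has presumably run at least once.
        time.sleep(40)
        ldb_cmd = ('ldbsearch -H /var/lib/sss/db/cache_%s.ldb'
                   ' -b cn=Netgroups,cn=%s,cn=sysdb'
                   % (ds_instance_name, ds_instance_name))
        cmd = multihost.client[0].run_command(ldb_cmd)
    finally:
        # Drop the temporary timeouts even when a step above raised.
        tools.sssd_conf(section, domain_params, action='delete')
    new_entry = "netgroupTriple: (%s,foo1,%s)" % (shortname, ds_suffix)
    assert new_entry in cmd.stdout_text.strip().split('\n')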
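def enable_ssl(self, binduri, tls_port):
    """Enable TLS on the Directory Server and set its secure port.

    Four configuration changes are applied in order: ``nsTLS1: on`` under
    ``cn=encryption,cn=config``; a ``cn=RSA`` nsEncryptionModule entry that
    references the ``Server-Cert-<host>`` certificate nickname;
    ``nsslapd-security: on`` and ``nsslapd-securePort: <tls_port>`` under
    ``cn=config``. The bind uses *binduri* as given, so the connection runs
    over whatever transport that URI selects with the Directory Manager
    credentials held on self.

    Args:
        binduri (str): LDAP uri to bind with
        tls_port (str): TLS port to be setup

    Returns:
        None. Progress is printed; failure is reported by raising.

    Raises:
        LdapException: if any of the four changes is rejected.

    NOTE(review): 389-ds normally serves the new secure port only after a
    restart; confirm the caller restarts the instance afterwards.
    """
    ldap_obj = LdapOperations(uri=binduri, binddn=self.dsrootdn,
                              bindpw=self.dsrootdn_pwd)
    # Enable TLS. Attribute values are bytes, as python-ldap 3 requires.
    encryption_dn = 'cn=encryption,cn=config'
    add_tls = [(ldap.MOD_ADD, 'nsTLS1', [b'on'])]
    (ret, return_value) = ldap_obj.modify_ldap(encryption_dn, add_tls)
    if not return_value:
        raise LdapException('fail to enable TLS, Error:%s' % (ret))
    print('Enabled nsTLS1=on')
    # Only the nickname is referenced here; the certificate itself is expected
    # to be present in the instance's NSS database already.
    nickname = 'Server-Cert-%s' % (self.dsinstance_host)
    entry1 = {
        'objectClass': [b'top', b'nsEncryptionModule'],
        'cn': b'RSA',
        'nsSSLtoken': b'internal (software)',
        'nsSSLPersonalitySSL': nickname.encode('utf-8'),
        'nsSSLActivation': b'on'
    }
    dn1 = 'cn=RSA,cn=encryption,cn=config'
    (ret, return_value) = ldap_obj.add_entry(entry1, dn1)
    if not return_value:
        raise LdapException('fail to set Server-Cert nick:%s' % (ret))
    print('Enabled Server-Cert nick')
    # Enable security and set the TLS port; both live on cn=config.
    config_dn = 'cn=config'
    enable_security = [(ldap.MOD_REPLACE, 'nsslapd-security', [b'on'])]
    (ret, return_value) = ldap_obj.modify_ldap(config_dn, enable_security)
    if not return_value:
        raise LdapException('fail to enable nsslapd-security, Error:%s' % (ret))
    print('Enabled nsslapd-security')
    enable_ssl_port = [(ldap.MOD_REPLACE, 'nsslapd-securePort',
                        [str(tls_port).encode('utf-8')])]
    (ret, return_value) = ldap_obj.modify_ldap(config_dn, enable_ssl_port)
    if not return_value:
        raise LdapException('fail to set nsslapd-securePort, Error:%s' % (ret))
    print('Enabled nsslapd-securePort=%r' % tls_port)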
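def test_login_fips_weak_crypto(self, multihost):
    """
    :title: krb5/fips: verify login fails when weak crypto is presented
    :id: cdd2ef0d-4921-40b3-b61e-0b271b2d5e00
    :steps:
      1. Add user 'cracker' to LDAP and give its principal only an arcfour-hmac key
      2. Capture traffic to the KDC host and attempt an SSH login as that user
      3. Check the client journal for the KDC refusing the encryption type
    :expectedresults:
      1. Should succeed
      2. Login should fail
      3. 'KDC has no support for encryption type' is logged
    """
    ldap_uri = 'ldap://%s' % (multihost.master[0].sys_hostname)
    ds_rootdn = 'cn=Directory Manager'
    ds_rootpw = 'Secret123'
    tools = sssdTools(multihost.client[0])
    domain_name = tools.get_domain_section_name()
    tools.clear_sssd_cache()
    # NOTE(review): this literal appears redacted ('******') in this copy of
    # the file; it is expected to be the login name qualified with domain_name.
    user = '******' % domain_name
    ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
    krb = krb5srv(multihost.master[0], 'EXAMPLE.TEST')
    user_info = {
        'cn': 'cracker',
        'uid': 'cracker',
        'uidNumber': '19583100',
        'gidNumber': '14564100'
    }
    if not ldap_inst.posix_user("ou=People", "dc=example,dc=test", user_info):
        pytest.fail("Failed to add user cracker")
    # arcfour-hmac (RC4) is the only key type created, so a client running in
    # FIPS mode is expected to have no enctype in common with the KDC.
    krb.add_principal('cracker', 'user', 'Secret123', etype='arcfour-hmac')
    user_dn = 'uid=cracker,ou=People,%s' % ds_suffix
    group_dn = 'cn=ldapusers,ou=Groups,%s' % ds_suffix
    add_member = [(ldap.MOD_ADD, 'uniqueMember', user_dn.encode('utf-8'))]
    (ret, _) = ldap_inst.modify_ldap(group_dn, add_member)
    assert ret == 'Success', ret
    tools.clear_sssd_cache()
    ldap_host = multihost.master[0].sys_hostname
    pcapfile = '/tmp/krb1.pcap'
    tcpdump_cmd = 'tcpdump -s0 host %s -w %s' % (ldap_host, pcapfile)
    pkill = 'pkill tcpdump'
    multihost.client[0].run_command(tcpdump_cmd, bg=True)
    client = pexpect_ssh(multihost.client[0].sys_hostname, user,
                         'Secret123', debug=False)
    try:
        login_rejected = False
        try:
            client.login()
        except SSHLoginException:
            login_rejected = True
        finally:
            # Stop the capture on every path; previously it kept running
            # when the login unexpectedly succeeded.
            multihost.client[0].run_command(pkill)
        if not login_rejected:
            pytest.fail("%s login succeeded although only arcfour-hmac was available" % user)
        # KRB-ERROR messages (msg_type 30) from the capture are decoded for
        # diagnosis only; nothing is asserted on tshark's output.
        tshark_cmd = "tshark -r %s -V -2 -R 'kerberos.msg_type == 30'" % pcapfile
        multihost.client[0].run_command(tshark_cmd, raiseonerr=False)
        journal = multihost.client[0].run_command('journalctl --no-pager -n 150')
        check = re.compile(r'KDC has no support for encryption type')
        assert check.search(journal.stdout_text), journal.stdout_text
    finally:
        # Undo the fixture state even when an assertion above fails.
        del_member = [(ldap.MOD_DELETE, 'uniqueMember', user_dn.encode('utf-8'))]
        ldap_inst.modify_ldap(group_dn, del_member)
        ldap_inst.del_dn(user_dn)
        krb.delete_principal('cracker')
        multihost.client[0].run_command('rm -f %s' % pcapfile)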
def generic_sudorule(session_multihost, request):
    """Create one sudo rule, ``cn=lessrule``, granting /usr/bin/less to foo1.

    The rule is placed under a freshly created ``ou=sudoers``; a finalizer
    registered on *request* removes the rule and then the OU.

    Args:
        session_multihost: multihost fixture; ``master[0]`` is the LDAP server.
        request: pytest request object used to register the cleanup.
    """
    master = session_multihost.master[0]
    ldap_inst = LdapOperations('ldap://%s' % (master.sys_hostname),
                               'cn=Directory Manager', 'Secret123')
    base_dn = 'dc=example,dc=test'
    ldap_inst.org_unit('sudoers', base_dn)
    sudo_ou = 'ou=sudoers,%s' % base_dn
    rule_dn1 = 'cn=lessrule,%s' % sudo_ou
    # Password-less and tty-less so the rule can be exercised non-interactively.
    sudo_options = ["!requiretty", "!authenticate"]
    try:
        ldap_inst.add_sudo_rule(rule_dn1, 'ALL', '/usr/bin/less', 'foo1', sudo_options)
    except LdapException:
        pytest.fail("Failed to add sudo rule %s" % rule_dn1)

    def del_sudo_rule():
        """Delete the rule first, then the OU that contained it."""
        for dn in (rule_dn1, sudo_ou):
            (ret, _) = ldap_inst.del_dn(dn)
            assert ret == 'Success'

    request.addfinalizer(del_sudo_rule)
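def enable_ssl(self, binduri, tls_port):
    """Enable TLS on the Directory Server and set its secure port.

    Applied in order: ``nsTLS1: on`` under ``cn=encryption,cn=config``; the
    ``Server-Cert-<host>`` nickname on ``cn=RSA,cn=encryption,cn=config``;
    ``nsslapd-security: on`` and ``nsslapd-securePort: <tls_port>`` under
    ``cn=config``. The bind uses *binduri* as given, so the connection runs
    over whatever transport that URI selects with the Directory Manager
    credentials held on self.

    Args:
        binduri (str): LDAP uri to bind with
        tls_port (str): TLS port to be setup

    Returns:
        None. Progress is printed; failure is reported by raising.

    Raises:
        LdapException: if any of the modifications is rejected.

    NOTE(review): 389-ds normally serves the new secure port only after a
    restart; confirm the caller restarts the instance afterwards.
    """
    ldap_obj = LdapOperations(uri=binduri, binddn=self.dsrootdn,
                              bindpw=self.dsrootdn_pwd)
    # Enable TLS
    encryption_dn = 'cn=encryption,cn=config'
    add_tls = [(ldap.MOD_ADD, 'nsTLS1', [b'on'])]
    (ret, return_value) = ldap_obj.modify_ldap(encryption_dn, add_tls)
    if not return_value:
        raise LdapException('Failed to enable TLS, Error:%s' % (ret))
    print('Enabled nsTLS1=on')
    # Point the RSA module at the server certificate nickname. Only the
    # nickname is referenced here; the certificate itself is expected to be
    # present in the instance's NSS database already.
    rsa_dn = 'cn=RSA,cn=encryption,cn=config'
    nickname = b'Server-Cert-%s' % ((self.dsinstance_host.encode()))
    mod_security = [(ldap.MOD_REPLACE, 'nsSSLPersonalitySSL', [nickname])]
    (ret, return_value) = ldap_obj.modify_ldap(rsa_dn, mod_security)
    if not return_value:
        raise LdapException('Failed to set Server-Cert nick:%s' % (ret))
    print('Enabled Server-Cert nick')
    # Enable security and set the TLS port; both live on cn=config.
    config_dn = 'cn=config'
    enable_security = [(ldap.MOD_REPLACE, 'nsslapd-security', [b'on'])]
    (ret, return_value) = ldap_obj.modify_ldap(config_dn, enable_security)
    if not return_value:
        raise LdapException('Failed to enable nsslapd-security, Error:%s' % (ret))
    print('Enabled nsslapd-security')
    enable_ssl_port = [(ldap.MOD_REPLACE, 'nsslapd-securePort',
                        str(tls_port).encode())]
    (ret, return_value) = ldap_obj.modify_ldap(config_dn, enable_ssl_port)
    if not return_value:
        raise LdapException('Failed to set nsslapd-securePort, Error:%s' % (ret))
    print('Enabled nsslapd-securePort=%r' % tls_port)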
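def test_two_automount_maps(self, multihost, backupsssdconf):
    """
    :title: Automount sssd issue when 2 maps have same key in different case
    :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1873715
    :id: d28e6eec-ac9f-11eb-b0f5-002b677efe14
    :customerscenario: true
    :steps:
      1. Configure SSSD with autofs, automountMap, automount, automountInformation
      2. Add 2 automount entries in LDAP with same key ( cn: MIT and cn: mit)
      3. We should have the 2 automounts working
    :expectedresults:
      1. Should succeed
      2. Should succeed
      3. Should succeed
    """
    client = sssdTools(multihost.client[0])
    domain_name = client.get_domain_section_name()
    client.sssd_conf('sssd', {'services': 'nss, pam, autofs'})
    domain_params = {
        'ldap_autofs_map_object_class': 'automountMap',
        'ldap_autofs_map_name': 'ou',
        'ldap_autofs_entry_object_class': 'automount',
        'ldap_autofs_entry_key': 'cn',
        'ldap_autofs_entry_value': 'automountInformation'
    }
    client.sssd_conf(f'domain/{domain_name}', domain_params)
    multihost.client[0].service_sssd('restart')
    share_list = ['/export', '/export1', '/export2']
    nfs_server_ip = multihost.master[0].ip
    client_ip = multihost.client[0].ip
    server = sssdTools(multihost.master[0])
    multihost.master[0].run_command('cp -af /etc/exports /etc/exports.backup')
    server.export_nfs_fs(share_list, client_ip)
    # Strip a ',fsid=0' option if export_nfs_fs wrote one.
    search = multihost.master[0].run_command("grep 'fsid=0' /etc/exports")
    if search.returncode == 0:
        multihost.master[0].run_command("sed -i 's/,fsid=0//g' /etc/exports")
    multihost.master[0].run_command('systemctl start nfs-server')
    ldap_uri = 'ldap://%s' % (multihost.master[0].sys_hostname)
    ds_rootdn = 'cn=Directory Manager'
    ds_rootpw = 'Secret123'
    ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
    # (dn, entry) pairs in creation order: maps, master keys, then the two
    # auto.home entries whose keys differ only in case.
    entries = []
    for ou_ou in ['auto.master', 'auto.direct', 'auto.home']:
        entries.append((f'ou={ou_ou},dc=example,dc=test',
                        {'ou': ou_ou.encode('utf-8'),
                         'objectClass': [b'top', b'automountMap']}))
    for key, target_map in [('/-', 'auto.direct'), ('/home', 'auto.home')]:
        entries.append((f'cn={key},ou=auto.master,dc=example,dc=test',
                        {'cn': key.encode('utf-8'),
                         'objectClass': [b'top', b'automount'],
                         'automountInformation': target_map.encode('utf-8')}))
    for key, share in [('MIT', '/export1'), ('mit', '/export2')]:
        entries.append((f'automountinformation={nfs_server_ip}:{share},'
                        f'ou=auto.home,dc=example,dc=test',
                        {'cn': key.encode('utf-8'),
                         'objectClass': [b'top', b'automount']}))
    for dn, entry in entries:
        (_, _) = ldap_inst.add_entry(entry, dn)
    try:
        multihost.client[0].run_command("systemctl stop sssd ; "
                                        "rm -rf /var/log/sssd/* ; "
                                        "rm -rf /var/lib/sss/db/* ; "
                                        "systemctl start sssd")
        multihost.client[0].run_command("systemctl restart autofs")
        multihost.client[0].run_command("automount -m")
        multihost.master[0].run_command("touch /export1/export1")
        multihost.master[0].run_command("touch /export2/export2")
        time.sleep(2)
        mit_upper = multihost.client[0].run_command("ls /home/MIT")
        mit_lower = multihost.client[0].run_command("ls /home/mit")
        assert 'export1' in mit_upper.stdout_text, mit_upper.stdout_text
        assert 'export2' in mit_lower.stdout_text, mit_lower.stdout_text
    finally:
        # Restore the master and the directory even when an assertion fails.
        multihost.master[0].run_command('cp -af /etc/exports.backup /etc/exports')
        multihost.master[0].run_command('systemctl stop nfs-server')
        # Delete over the existing bound connection instead of running
        # 'ldapdelete ... -w <password>' on the master, which placed the bind
        # password on a command line. Children are removed before parents.
        for dn, _ in reversed(entries):
            ldap_inst.del_dn(dn)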
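def test_0006_getent_group(self, multihost, backupsssdconf, delete_groups_users):
    """
    :title: 'getent group ldapgroupname' doesn't show any LDAP users or
     some LDAP users when 'rfc2307bis' schema is used with SSSD
    :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1817122
    :id: dc81bb8e-72c0-11eb-9eae-002b677efe14
    :customerscenario: true
    :steps:
      1. Configure SSSD with id_provider = ldap and set ldap_schema = rfc2307bis
      2. Add necessary users and groups with uniqueMember.
      3. Check 'getent group ldapgroupname' output.
    :expectedresults:
      1. Should succeed
      2. Should succeed
      3. 'getent group ldapgroupname' should show all its member ldapusers.
    """
    # delete_groups_users is a fixture dependency; presumably it removes the
    # entries created below.
    client = sssdTools(multihost.client[0])
    domain_name = client.get_domain_section_name()
    domain_params = {
        'ldap_schema': 'rfc2307bis',
        'ldap_group_member': 'uniquemember'
    }
    client.sssd_conf(f'domain/{domain_name}', domain_params)
    multihost.client[0].service_sssd('restart')
    ldap_uri = 'ldap://%s' % (multihost.master[0].sys_hostname)
    ds_rootdn = 'cn=Directory Manager'
    ds_rootpw = 'Secret123'
    ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)

    def add_ou(name, dn):
        """Add an organizationalUnit called *name* at *dn*."""
        entry = {'ou': name.encode('utf-8'),
                 'objectClass': [b'top', b'organizationalUnit']}
        (_, _) = ldap_inst.add_entry(entry, dn)

    users_base = 'ou=users,ou=Unit2,ou=Unit1,dc=example,dc=test'
    groups_base = 'ou=posix_groups,ou=Unit2,ou=Unit1,dc=example,dc=test'
    # Parents first: users and groups sit two OUs below the suffix.
    add_ou('Unit1', 'ou=Unit1,dc=example,dc=test')
    add_ou('Unit2', 'ou=Unit2,ou=Unit1,dc=example,dc=test')
    add_ou('users', users_base)
    add_ou('posix_groups', groups_base)
    for name in ['netgroups', 'services', 'sudoers']:
        add_ou(name, f'ou={name},dc=example,dc=test')
    for i in range(1, 9):
        user = f'user-{i}'.encode('utf-8')
        ugid = f'1111{i}'.encode('utf-8')
        user_info = {
            'cn': user,
            'objectClass': [b'top', b'posixAccount'],
            'uid': user,
            'uidNumber': ugid,
            'gidNumber': ugid,
            'homeDirectory': f'/home/user-{i}'.encode('utf-8')
        }
        (_, _) = ldap_inst.add_entry(user_info, f'cn=user-{i},{users_base}')
    # One private group per user, same name and gid as the user.
    for i in range(1, 9):
        group_info = {
            'cn': f'user-{i}'.encode('utf-8'),
            'objectClass': [b'top', b'posixGroup'],
            'gidNumber': f'1111{i}'.encode('utf-8')
        }
        (_, _) = ldap_inst.add_entry(group_info, f'cn=user-{i},{groups_base}')
    # group-1 holds the odd users, group-2 the even ones. The member DNs are
    # kept in lower case, as in the original data set.
    for idx, members in [(1, (1, 3, 5, 7)), (2, (2, 4, 6, 8))]:
        group_info = {
            'cn': f'group-{idx}'.encode('utf-8'),
            'objectClass': [b'top', b'posixGroup', b'groupOfUniqueNames'],
            'gidNumber': f'2000{idx}'.encode('utf-8'),
            'uniqueMember': [
                f'cn=user-{m},ou=users,ou=unit2,ou=unit1,dc=example,dc=test'.encode('utf-8')
                for m in members
            ]
        }
        (_, _) = ldap_inst.add_entry(group_info, f'cn=group-{idx},{groups_base}')
    time.sleep(3)
    cmd = multihost.client[0].run_command("getent group group-2@example1")
    expected = ("group-2@example1:*:20002:user-2@example1,"
                "user-4@example1,user-6@example1,user-8@example1")
    assert expected in cmd.stdout_text, cmd.stdout_text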
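def test_inactivated_filtered_roles(self, multihost):
    """
    :title: Inactivated filtered roles
    :id: 4286dac6-3045-11ec-8fd0-845cf3eff344
    :steps:
      1. Make filter role inactive
      2. User added to the above inactive filtered role
      3. User removed from the above inactive filtered role
      4. Activate filtered role
    :expectedresults:
      1. Should succeed
      2. Should succeed
      3. Should succeed
      4. Should succeed
    """
    clean_sys(multihost)
    client_e = multihost.client[0].ip
    master_e = multihost.master[0].ip
    ldap_uri = f'ldap://{master_e}'
    ds_rootdn = 'cn=Directory Manager'
    ds_rootpw = 'Secret123'
    ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
    user_dn = 'uid=foo3,ou=People,dc=example,dc=test'
    # Attribute value, not a DN: membership in the filtered role is expressed
    # through 'o: filtered' on the user entry.
    role_value = "filtered".encode('utf-8')
    # NOTE(review): the SSH credentials below appear redacted ('******') in
    # this copy of the file; confirm them against the fixture users foo3/foo4.
    # 1. Make the filtered role inactive; foo3 belongs to it via 'o'.
    add_member = [(ldap.MOD_ADD, 'o', role_value)]
    (ret, _) = ldap_inst.modify_ldap(user_dn, add_member)
    assert ret == 'Success', ret
    manage_user_roles(multihost, "cn=filtered", "lock", "role")
    with pytest.raises(paramiko.ssh_exception.AuthenticationException):
        SSHClient(client_e, username="******", password="******")
    time.sleep(3)
    lock_check(multihost, "foo3")
    # 2. User added to the above inactive filtered role
    clean_sys(multihost)
    with pytest.raises(paramiko.ssh_exception.AuthenticationException):
        SSHClient(client_e, username="******", password="******")
    time.sleep(3)
    lock_check(multihost, "foo4")
    # 3. User removed from the above inactive filtered role
    clean_sys(multihost)
    # Re-bind here as the original did, in case clean_sys() disturbed the
    # earlier connection.
    ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
    del_member = [(ldap.MOD_DELETE, 'o', role_value)]
    (ret, _) = ldap_inst.modify_ldap(user_dn, del_member)
    assert ret == 'Success', ret
    ssh1 = SSHClient(client_e, username="******", password="******")
    ssh1.close()
    time.sleep(3)
    unlock_check(multihost, "foo3")
    # 4. Activate filtered role
    clean_sys(multihost)
    manage_user_roles(multihost, "cn=filtered", "unlock", "role")
    ssh1 = SSHClient(client_e, username="******", password="******")
    ssh1.close()
    time.sleep(3)
    unlock_check(multihost, "foo4")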