def test_change_sysaccount_password_issue7561(self):
sysuser = '******'
original_passwd = 'Secret123'
new_passwd = 'userPasswd123'
master = self.master
base_dn = str(master.domain.basedn)
entry_ldif = textwrap.dedent("""
dn: uid={sysuser},cn=sysaccounts,cn=etc,{base_dn}
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: {sysuser}
userPassword: {original_passwd}
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
""").format(
base_dn=base_dn,
original_passwd=original_passwd,
sysuser=sysuser)
tasks.ldapmodify_dm(master, entry_ldif)
tasks.ldappasswd_sysaccount_change(sysuser, original_passwd,
new_passwd, master)
def test_ldapmodify_password_issue7601(self):
user = '******'
original_passwd = 'Secret123'
new_passwd = 'userPasswd123'
new_passwd2 = 'mynewPwd123'
master = self.master
base_dn = str(master.domain.basedn)
# Create a user with a password
tasks.kinit_admin(master)
add_password_stdin_text = "{pwd}\n{pwd}".format(pwd=original_passwd)
master.run_command([
'ipa', 'user-add', user, '--first', user, '--last', user,
'--password'
],
stdin_text=add_password_stdin_text)
# kinit as that user in order to modify the pwd
user_kinit_stdin_text = "{old}\n%{new}\n%{new}\n".format(
old=original_passwd, new=original_passwd)
master.run_command(['kinit', user], stdin_text=user_kinit_stdin_text)
# Retrieve krblastpwdchange and krbpasswordexpiration
krblastpwdchange, krbexp = self.get_krbinfo(user)
# sleep 1 sec (krblastpwdchange and krbpasswordexpiration have at most
# a 1s precision)
time.sleep(1)
# perform ldapmodify on userpassword as dir mgr
entry_ldif = textwrap.dedent("""
dn: uid={user},cn=users,cn=accounts,{base_dn}
changetype: modify
replace: userpassword
userpassword: {new_passwd}
""").format(user=user, base_dn=base_dn, new_passwd=new_passwd)
tasks.ldapmodify_dm(master, entry_ldif)
# Test new password with kinit
master.run_command(['kinit', user], stdin_text=new_passwd)
# both should have changed
newkrblastpwdchange, newkrbexp = self.get_krbinfo(user)
assert newkrblastpwdchange != krblastpwdchange
assert newkrbexp != krbexp
# Now test passwd modif with ldappasswd
time.sleep(1)
master.run_command([
paths.LDAPPASSWD, '-D',
str(master.config.dirman_dn), '-w', master.config.dirman_password,
'-a', new_passwd, '-s', new_passwd2, '-x', '-ZZ', '-H',
'ldap://{hostname}'.format(hostname=master.hostname),
'uid={user},cn=users,cn=accounts,{base_dn}'.format(user=user,
base_dn=base_dn)
])
# Test new password with kinit
master.run_command(['kinit', user], stdin_text=new_passwd2)
# both should have changed
newkrblastpwdchange2, newkrbexp2 = self.get_krbinfo(user)
assert newkrblastpwdchange != newkrblastpwdchange2
assert newkrbexp != newkrbexp2
def test_replica_install_after_restore(self):
master = self.master
replica1 = self.replicas[0]
replica2 = self.replicas[1]
tasks.install_master(master)
tasks.install_replica(master, replica1)
check_replication(master, replica1, "testuser1")
# backup master.
backup_path = tasks.get_backup_dir(self.master)
suffix = ipautil.realm_to_suffix(master.domain.realm)
suffix = escape_dn_chars(str(suffix))
entry_ldif = (
"dn: cn=meTo{hostname},cn=replica,"
"cn={suffix},"
"cn=mapping tree,cn=config\n"
"changetype: modify\n"
"replace: nsds5ReplicaEnabled\n"
"nsds5ReplicaEnabled: off\n\n"
"dn: cn=caTo{hostname},cn=replica,"
"cn=o\\3Dipaca,cn=mapping tree,cn=config\n"
"changetype: modify\n"
"replace: nsds5ReplicaEnabled\n"
"nsds5ReplicaEnabled: off").format(
hostname=replica1.hostname,
suffix=suffix)
# disable replication agreement
tasks.ldapmodify_dm(master, entry_ldif)
# uninstall master.
tasks.uninstall_master(master, clean=False)
# master restore.
dirman_password = master.config.dirman_password
master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
# re-initialize topology after restore.
topo_name = "{}-to-{}".format(master.hostname, replica1.hostname)
for topo_suffix in 'domain', 'ca':
arg = ['ipa',
'topologysegment-reinitialize',
topo_suffix,
topo_name,
'--left']
replica1.run_command(arg)
# wait sometime for re-initialization
tasks.wait_for_replication(replica1.ldap_connect())
# install second replica after restore
tasks.install_replica(master, replica2)
check_replication(master, replica2, "testuser2")
def test_replica_install_after_restore(self):
master = self.master
replica1 = self.replicas[0]
replica2 = self.replicas[1]
tasks.install_master(master)
tasks.install_replica(master, replica1)
check_replication(master, replica1, "testuser1")
# backup master.
backup_path = backup(master)
suffix = ipautil.realm_to_suffix(master.domain.realm)
suffix = escape_dn_chars(str(suffix))
entry_ldif = (
"dn: cn=meTo{hostname},cn=replica,"
"cn={suffix},"
"cn=mapping tree,cn=config\n"
"changetype: modify\n"
"replace: nsds5ReplicaEnabled\n"
"nsds5ReplicaEnabled: off\n\n"
"dn: cn=caTo{hostname},cn=replica,"
"cn=o\\3Dipaca,cn=mapping tree,cn=config\n"
"changetype: modify\n"
"replace: nsds5ReplicaEnabled\n"
"nsds5ReplicaEnabled: off").format(
hostname=replica1.hostname,
suffix=suffix)
# disable replication agreement
tasks.ldapmodify_dm(master, entry_ldif)
# uninstall master.
tasks.uninstall_master(master, clean=False)
# master restore.
dirman_password = master.config.dirman_password
master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
# re-initialize topology after restore.
topo_name = "{}-to-{}".format(master.hostname, replica1.hostname)
for topo_suffix in 'domain', 'ca':
arg = ['ipa',
'topologysegment-reinitialize',
topo_suffix,
topo_name,
'--left']
replica1.run_command(arg)
# wait sometime for re-initialization
tasks.wait_for_replication(replica1.ldap_connect())
# install second replica after restore
tasks.install_replica(master, replica2)
check_replication(master, replica2, "testuser2")
def test_external_group_paging(self):
"""SSSD should fetch external groups without any limit.
Regression test for https://pagure.io/SSSD/sssd/issue/4058
1: Add external groups more than limit.
2: Run the command id [email protected]
3: sssd should retrieve all the external groups.
"""
new_limit = 50
master = self.master
conn = master.ldap_connect()
dn = DN(('cn', 'config'))
entry = conn.get_entry(dn)
orig_limit = entry.single_value.get('nsslapd-sizelimit')
ldap_query = textwrap.dedent("""
dn: cn=config
changetype: modify
replace: nsslapd-sizelimit
nsslapd-sizelimit: {limit}
""")
tasks.ldapmodify_dm(master, ldap_query.format(limit=new_limit))
sssd_conf_backup = tasks.FileBackup(self.master, paths.SSSD_CONF)
ldap_page_size = new_limit - 1
group_count = new_limit + 2
# default ldap_page_size is '1000', adding workaround as
# ldap_page_size < nsslapd-sizelimit in sssd.conf
# Related issue : https://pagure.io/389-ds-base/issue/50888
with tasks.remote_sssd_config(self.master) as sssd_conf:
sssd_conf.edit_domain(self.master.domain, 'ldap_page_size',
ldap_page_size)
tasks.clear_sssd_cache(master)
tasks.kinit_admin(master)
for i in range(group_count):
master.run_command(
['ipa', 'group-add', '--external', 'ext-ipatest{0}'.format(i)])
try:
log_file = '{0}/sssd_{1}.log'.format(paths.VAR_LOG_SSSD_DIR,
master.domain.name)
group_entry = b'[%d] external groups found' % group_count
logsize = tasks.get_logsize(master, log_file)
master.run_command(['id', self.users['ad']['name']])
sssd_logs = master.get_file_contents(log_file)[logsize:]
assert group_entry in sssd_logs
finally:
for i in range(group_count):
master.run_command(
['ipa', 'group-del', 'ext-ipatest{0}'.format(i)])
# reset to original limit
tasks.ldapmodify_dm(master, ldap_query.format(limit=orig_limit))
sssd_conf_backup.restore()
def test_pwpolicy_upgrade(self):
"""Test that ipapwdpolicy objectclass is added to all policies"""
entry_ldif = textwrap.dedent("""
dn: cn=global_policy,cn={realm},cn=kerberos,{base_dn}
changetype: modify
delete: objectclass
objectclass: ipapwdpolicy
""").format(base_dn=str(self.master.domain.basedn),
realm=self.master.domain.realm)
tasks.ldapmodify_dm(self.master, entry_ldif)
tasks.kinit_admin(self.master)
self.master.run_command(['ipa-server-upgrade'])
result = self.master.run_command(["ipa", "pwpolicy-find"])
# if it is still missing the oc it won't be displayed
assert 'global_policy' in result.stdout_text
def unconfigure_replica_as_agent(self, host):
""" Remove a replica from the list of agents.
cn=adtrust agents,cn=sysaccounts,cn=etc,$BASEDN contains a list
of members representing the agents. Remove the replica principal
from this list.
This is a hack allowing to run multiple times
ipa-adtrust-install --add-agents
(otherwise if the replica is in the list of agents, it won't be seen
as a possible agent to be added).
"""
remove_agent_ldif = textwrap.dedent("""
dn: cn=adtrust agents,cn=sysaccounts,cn=etc,{base_dn}
changetype: modify
delete: member
member: fqdn={hostname},cn=computers,cn=accounts,{base_dn}
""".format(base_dn=host.domain.basedn, hostname=host.hostname))
# ok_returncode =16 if the attribute is not present
tasks.ldapmodify_dm(self.master,
remove_agent_ldif,
ok_returncode=[0, 16])
def test_replica_install_with_existing_entry(self):
master = self.master
tasks.install_master(master)
replica = self.replicas[0]
base_dn = "dc=%s" % (",dc=".join(replica.domain.name.split(".")))
# adding entry for replica on master so that master will have it before
# replica installtion begins and creates a situation for pagure-7174
entry_ldif = textwrap.dedent("""
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,{base_dn}
changetype: modify
add: memberPrincipal
memberPrincipal: HTTP/{hostname}@{realm}
dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,{base_dn}
changetype: modify
add: memberPrincipal
memberPrincipal: ldap/{hostname}@{realm}""").format(
base_dn=base_dn, hostname=replica.hostname,
realm=replica.domain.name.upper())
tasks.ldapmodify_dm(master, entry_ldif)
tasks.install_replica(master, replica)
def setup_otp_nsslapd(self):
check_services = self.master.run_command(
['systemctl', 'list-units', '--state=failed'])
assert "ipa-otpd" not in check_services.stdout_text
# Be sure no services are running and failed units
self.master.run_command(['killall', 'ipa-otpd'], raiseonerr=False)
# setting nsslapd-idletimeout
new_limit = 30
conn = self.master.ldap_connect()
dn = DN(('cn', 'config'))
entry = conn.get_entry(dn) # pylint: disable=no-member
orig_limit = entry.single_value.get('nsslapd-idletimeout')
ldap_query = textwrap.dedent("""
dn: cn=config
changetype: modify
replace: nsslapd-idletimeout
nsslapd-idletimeout: {limit}
""")
tasks.ldapmodify_dm(self.master, ldap_query.format(limit=new_limit))
yield
# cleanup
tasks.ldapmodify_dm(self.master, ldap_query.format(limit=orig_limit))
def test_change_sysaccount_pwd_history_issue7181(self, pwpolicy_global):
"""
Test that a sysacount user maintains no password history
because they do not have a Kerberos identity.
"""
sysuser = '******'
original_passwd = 'Secret123'
new_passwd = 'userPasswd123'
master = self.master
# Add a system account and add it to a group managed by the policy
base_dn = str(master.domain.basedn) # pylint: disable=no-member
entry_ldif = textwrap.dedent("""
dn: uid={account_name},cn=sysaccounts,cn=etc,{base_dn}
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: {account_name}
userPassword: {original_passwd}
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
""").format(
account_name=sysuser,
base_dn=base_dn,
original_passwd=original_passwd)
tasks.ldapmodify_dm(master, entry_ldif)
# Now change the password. It should succeed since password
# policy doesn't apply to non-Kerberos users.
tasks.ldappasswd_sysaccount_change(sysuser, original_passwd,
new_passwd, master)
tasks.ldappasswd_sysaccount_change(sysuser, new_passwd,
original_passwd, master)
tasks.ldappasswd_sysaccount_change(sysuser, original_passwd,
new_passwd, master)
def test_change_sysaccount_password_issue7561(self):
sysuser = '******'
original_passwd = 'Secret123'
new_passwd = 'userPasswd123'
master = self.master
base_dn = str(master.domain.basedn) # pylint: disable=no-member
entry_ldif = textwrap.dedent("""
dn: uid=system,cn=sysaccounts,cn=etc,{base_dn}
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: system
userPassword: {original_passwd}
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
""").format(
base_dn=base_dn,
original_passwd=original_passwd)
tasks.ldapmodify_dm(master, entry_ldif)
tasks.ldappasswd_sysaccount_change(sysuser, original_passwd,
new_passwd, master)
def test_replicamanage_del(self):
"""Test Steps:
1. Setup server
2. Setup replica
3. modify the replica entry on Master:
ldapmodify -D cn="Directory Manager"-w <passwd>
dn: cn=KDC,cn=<replicaFQDN>,cn=masters,cn=ipa,cn=etc,<baseDN>
changetype: modify
delete: ipaconfigstring
ipaconfigstring: enabledService
dn: cn=KDC,cn=<replicaFQDN>,cn=masters,cn=ipa,cn=etc,<baseDN>
add: ipaconfigstring
ipaconfigstring: configuredService
4. On master,
run ipa-replica-manage del <replicaFQDN> --cleanup --force
"""
# https://pagure.io/freeipa/issue/7929
# modify the replica entry on Master
cmd_output = None
dn_entry = 'dn: cn=KDC,cn=%s,cn=masters,cn=ipa,' \
'cn=etc,%s' % \
(self.replicas[0].hostname,
ipautil.realm_to_suffix(
self.replicas[0].domain.realm).ldap_text())
entry_ldif = textwrap.dedent("""
{dn}
changetype: modify
delete: ipaconfigstring
ipaconfigstring: enabledService
{dn}
add: ipaconfigstring
ipaconfigstring: configuredService
""").format(dn=dn_entry)
cmd_output = tasks.ldapmodify_dm(self.master, entry_ldif)
assert 'modifying entry' in cmd_output.stdout_text
cmd_output = self.master.run_command([
'ipa-replica-manage', 'del',
self.replicas[0].hostname, '--cleanup', '--force'
])
assert_text = 'Deleted IPA server "%s"' % self.replicas[0].hostname
assert assert_text in cmd_output.stdout_text
def test_huge_password(self):
user = '******'
hostname = 'toolong.{}'.format(self.master.domain.name)
huge_password = ipa_generate_password(min_len=1536)
original_passwd = 'Secret123'
master = self.master
base_dn = str(master.domain.basedn)
# Create a user with a password that is too long
tasks.kinit_admin(master)
add_password_stdin_text = "{pwd}\n{pwd}".format(pwd=huge_password)
result = master.run_command(['ipa', 'user-add', user,
'--first', user,
'--last', user,
'--password'],
stdin_text=add_password_stdin_text,
raiseonerr=False)
assert result.returncode != 0
# Try again with a normal password
add_password_stdin_text = "{pwd}\n{pwd}".format(pwd=original_passwd)
master.run_command(['ipa', 'user-add', user,
'--first', user,
'--last', user,
'--password'],
stdin_text=add_password_stdin_text)
# kinit as that user in order to modify the pwd
user_kinit_stdin_text = "{old}\n%{new}\n%{new}\n".format(
old=original_passwd,
new=original_passwd)
master.run_command(['kinit', user], stdin_text=user_kinit_stdin_text)
# sleep 1 sec (krblastpwdchange and krbpasswordexpiration have at most
# a 1s precision)
time.sleep(1)
# perform ldapmodify on userpassword as dir mgr
entry_ldif = textwrap.dedent("""
dn: uid={user},cn=users,cn=accounts,{base_dn}
changetype: modify
replace: userpassword
userpassword: {new_passwd}
""").format(
user=user,
base_dn=base_dn,
new_passwd=huge_password)
result = tasks.ldapmodify_dm(master, entry_ldif, raiseonerr=False)
assert result.returncode != 0
# ask_password in ipa-getkeytab will complain about too long password
keytab_file = os.path.join(self.master.config.test_dir,
'user.keytab')
password_stdin_text = "{pwd}\n{pwd}".format(pwd=huge_password)
result = self.master.run_command(['ipa-getkeytab',
'-p', user,
'-P',
'-k', keytab_file,
'-s', self.master.hostname],
stdin_text=password_stdin_text,
raiseonerr=False)
assert result.returncode != 0
assert "clear-text password is too long" in result.stderr_text
# Create a host with a user-set OTP that is too long
tasks.kinit_admin(master)
result = master.run_command(['ipa', 'host-add', '--force',
hostname,
'--password', huge_password],
raiseonerr=False)
assert result.returncode != 0
# Try again with a valid password
result = master.run_command(['ipa', 'host-add', '--force',
hostname,
'--password', original_passwd],
raiseonerr=False)
assert result.returncode == 0
def test_ldapmodify_password_issue7601(self):
user = '******'
original_passwd = 'Secret123'
new_passwd = 'userPasswd123'
new_passwd2 = 'mynewPwd123'
master = self.master
base_dn = str(master.domain.basedn) # pylint: disable=no-member
# Create a user with a password
tasks.kinit_admin(master)
add_password_stdin_text = "{pwd}\n{pwd}".format(pwd=original_passwd)
master.run_command(['ipa', 'user-add', user,
'--first', user,
'--last', user,
'--password'],
stdin_text=add_password_stdin_text)
# kinit as that user in order to modify the pwd
user_kinit_stdin_text = "{old}\n%{new}\n%{new}\n".format(
old=original_passwd,
new=original_passwd)
master.run_command(['kinit', user], stdin_text=user_kinit_stdin_text)
# Retrieve krblastpwdchange and krbpasswordexpiration
krblastpwdchange, krbexp = self.get_krbinfo(user)
# sleep 1 sec (krblastpwdchange and krbpasswordexpiration have at most
# a 1s precision)
time.sleep(1)
# perform ldapmodify on userpassword as dir mgr
entry_ldif = textwrap.dedent("""
dn: uid={user},cn=users,cn=accounts,{base_dn}
changetype: modify
replace: userpassword
userpassword: {new_passwd}
""").format(
user=user,
base_dn=base_dn,
new_passwd=new_passwd)
tasks.ldapmodify_dm(master, entry_ldif)
# Test new password with kinit
master.run_command(['kinit', user], stdin_text=new_passwd)
# both should have changed
newkrblastpwdchange, newkrbexp = self.get_krbinfo(user)
assert newkrblastpwdchange != krblastpwdchange
assert newkrbexp != krbexp
# Now test passwd modif with ldappasswd
time.sleep(1)
master.run_command([
paths.LDAPPASSWD,
'-D', str(master.config.dirman_dn), # pylint: disable=no-member
'-w', master.config.dirman_password,
'-a', new_passwd,
'-s', new_passwd2,
'-x', '-ZZ',
'-H', 'ldap://{hostname}'.format(hostname=master.hostname),
'uid={user},cn=users,cn=accounts,{base_dn}'.format(
user=user, base_dn=base_dn)]
)
# Test new password with kinit
master.run_command(['kinit', user], stdin_text=new_passwd2)
# both should have changed
newkrblastpwdchange2, newkrbexp2 = self.get_krbinfo(user)
assert newkrblastpwdchange != newkrblastpwdchange2
assert newkrbexp != newkrbexp2
