def test_change_sysaccount_password_issue7561(self): sysuser = '******' original_passwd = 'Secret123' new_passwd = 'userPasswd123' master = self.master base_dn = str(master.domain.basedn) entry_ldif = textwrap.dedent(""" dn: uid={sysuser},cn=sysaccounts,cn=etc,{base_dn} changetype: add objectclass: account objectclass: simplesecurityobject uid: {sysuser} userPassword: {original_passwd} passwordExpirationTime: 20380119031407Z nsIdleTimeout: 0 """).format( base_dn=base_dn, original_passwd=original_passwd, sysuser=sysuser) tasks.ldapmodify_dm(master, entry_ldif) tasks.ldappasswd_sysaccount_change(sysuser, original_passwd, new_passwd, master)
def test_ldapmodify_password_issue7601(self): user = '******' original_passwd = 'Secret123' new_passwd = 'userPasswd123' new_passwd2 = 'mynewPwd123' master = self.master base_dn = str(master.domain.basedn) # Create a user with a password tasks.kinit_admin(master) add_password_stdin_text = "{pwd}\n{pwd}".format(pwd=original_passwd) master.run_command([ 'ipa', 'user-add', user, '--first', user, '--last', user, '--password' ], stdin_text=add_password_stdin_text) # kinit as that user in order to modify the pwd user_kinit_stdin_text = "{old}\n%{new}\n%{new}\n".format( old=original_passwd, new=original_passwd) master.run_command(['kinit', user], stdin_text=user_kinit_stdin_text) # Retrieve krblastpwdchange and krbpasswordexpiration krblastpwdchange, krbexp = self.get_krbinfo(user) # sleep 1 sec (krblastpwdchange and krbpasswordexpiration have at most # a 1s precision) time.sleep(1) # perform ldapmodify on userpassword as dir mgr entry_ldif = textwrap.dedent(""" dn: uid={user},cn=users,cn=accounts,{base_dn} changetype: modify replace: userpassword userpassword: {new_passwd} """).format(user=user, base_dn=base_dn, new_passwd=new_passwd) tasks.ldapmodify_dm(master, entry_ldif) # Test new password with kinit master.run_command(['kinit', user], stdin_text=new_passwd) # both should have changed newkrblastpwdchange, newkrbexp = self.get_krbinfo(user) assert newkrblastpwdchange != krblastpwdchange assert newkrbexp != krbexp # Now test passwd modif with ldappasswd time.sleep(1) master.run_command([ paths.LDAPPASSWD, '-D', str(master.config.dirman_dn), '-w', master.config.dirman_password, '-a', new_passwd, '-s', new_passwd2, '-x', '-ZZ', '-H', 'ldap://{hostname}'.format(hostname=master.hostname), 'uid={user},cn=users,cn=accounts,{base_dn}'.format(user=user, base_dn=base_dn) ]) # Test new password with kinit master.run_command(['kinit', user], stdin_text=new_passwd2) # both should have changed newkrblastpwdchange2, newkrbexp2 = self.get_krbinfo(user) assert newkrblastpwdchange != newkrblastpwdchange2 assert newkrbexp != newkrbexp2
def test_replica_install_after_restore(self): master = self.master replica1 = self.replicas[0] replica2 = self.replicas[1] tasks.install_master(master) tasks.install_replica(master, replica1) check_replication(master, replica1, "testuser1") # backup master. backup_path = tasks.get_backup_dir(self.master) suffix = ipautil.realm_to_suffix(master.domain.realm) suffix = escape_dn_chars(str(suffix)) entry_ldif = ( "dn: cn=meTo{hostname},cn=replica," "cn={suffix}," "cn=mapping tree,cn=config\n" "changetype: modify\n" "replace: nsds5ReplicaEnabled\n" "nsds5ReplicaEnabled: off\n\n" "dn: cn=caTo{hostname},cn=replica," "cn=o\\3Dipaca,cn=mapping tree,cn=config\n" "changetype: modify\n" "replace: nsds5ReplicaEnabled\n" "nsds5ReplicaEnabled: off").format( hostname=replica1.hostname, suffix=suffix) # disable replication agreement tasks.ldapmodify_dm(master, entry_ldif) # uninstall master. tasks.uninstall_master(master, clean=False) # master restore. dirman_password = master.config.dirman_password master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') # re-initialize topology after restore. topo_name = "{}-to-{}".format(master.hostname, replica1.hostname) for topo_suffix in 'domain', 'ca': arg = ['ipa', 'topologysegment-reinitialize', topo_suffix, topo_name, '--left'] replica1.run_command(arg) # wait sometime for re-initialization tasks.wait_for_replication(replica1.ldap_connect()) # install second replica after restore tasks.install_replica(master, replica2) check_replication(master, replica2, "testuser2")
def test_replica_install_after_restore(self): master = self.master replica1 = self.replicas[0] replica2 = self.replicas[1] tasks.install_master(master) tasks.install_replica(master, replica1) check_replication(master, replica1, "testuser1") # backup master. backup_path = backup(master) suffix = ipautil.realm_to_suffix(master.domain.realm) suffix = escape_dn_chars(str(suffix)) entry_ldif = ( "dn: cn=meTo{hostname},cn=replica," "cn={suffix}," "cn=mapping tree,cn=config\n" "changetype: modify\n" "replace: nsds5ReplicaEnabled\n" "nsds5ReplicaEnabled: off\n\n" "dn: cn=caTo{hostname},cn=replica," "cn=o\\3Dipaca,cn=mapping tree,cn=config\n" "changetype: modify\n" "replace: nsds5ReplicaEnabled\n" "nsds5ReplicaEnabled: off").format( hostname=replica1.hostname, suffix=suffix) # disable replication agreement tasks.ldapmodify_dm(master, entry_ldif) # uninstall master. tasks.uninstall_master(master, clean=False) # master restore. dirman_password = master.config.dirman_password master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') # re-initialize topology after restore. topo_name = "{}-to-{}".format(master.hostname, replica1.hostname) for topo_suffix in 'domain', 'ca': arg = ['ipa', 'topologysegment-reinitialize', topo_suffix, topo_name, '--left'] replica1.run_command(arg) # wait sometime for re-initialization tasks.wait_for_replication(replica1.ldap_connect()) # install second replica after restore tasks.install_replica(master, replica2) check_replication(master, replica2, "testuser2")
def test_external_group_paging(self): """SSSD should fetch external groups without any limit. Regression test for https://pagure.io/SSSD/sssd/issue/4058 1: Add external groups more than limit. 2: Run the command id [email protected] 3: sssd should retrieve all the external groups. """ new_limit = 50 master = self.master conn = master.ldap_connect() dn = DN(('cn', 'config')) entry = conn.get_entry(dn) orig_limit = entry.single_value.get('nsslapd-sizelimit') ldap_query = textwrap.dedent(""" dn: cn=config changetype: modify replace: nsslapd-sizelimit nsslapd-sizelimit: {limit} """) tasks.ldapmodify_dm(master, ldap_query.format(limit=new_limit)) sssd_conf_backup = tasks.FileBackup(self.master, paths.SSSD_CONF) ldap_page_size = new_limit - 1 group_count = new_limit + 2 # default ldap_page_size is '1000', adding workaround as # ldap_page_size < nsslapd-sizelimit in sssd.conf # Related issue : https://pagure.io/389-ds-base/issue/50888 with tasks.remote_sssd_config(self.master) as sssd_conf: sssd_conf.edit_domain(self.master.domain, 'ldap_page_size', ldap_page_size) tasks.clear_sssd_cache(master) tasks.kinit_admin(master) for i in range(group_count): master.run_command( ['ipa', 'group-add', '--external', 'ext-ipatest{0}'.format(i)]) try: log_file = '{0}/sssd_{1}.log'.format(paths.VAR_LOG_SSSD_DIR, master.domain.name) group_entry = b'[%d] external groups found' % group_count logsize = tasks.get_logsize(master, log_file) master.run_command(['id', self.users['ad']['name']]) sssd_logs = master.get_file_contents(log_file)[logsize:] assert group_entry in sssd_logs finally: for i in range(group_count): master.run_command( ['ipa', 'group-del', 'ext-ipatest{0}'.format(i)]) # reset to original limit tasks.ldapmodify_dm(master, ldap_query.format(limit=orig_limit)) sssd_conf_backup.restore()
def test_pwpolicy_upgrade(self): """Test that ipapwdpolicy objectclass is added to all policies""" entry_ldif = textwrap.dedent(""" dn: cn=global_policy,cn={realm},cn=kerberos,{base_dn} changetype: modify delete: objectclass objectclass: ipapwdpolicy """).format(base_dn=str(self.master.domain.basedn), realm=self.master.domain.realm) tasks.ldapmodify_dm(self.master, entry_ldif) tasks.kinit_admin(self.master) self.master.run_command(['ipa-server-upgrade']) result = self.master.run_command(["ipa", "pwpolicy-find"]) # if it is still missing the oc it won't be displayed assert 'global_policy' in result.stdout_text
def unconfigure_replica_as_agent(self, host): """ Remove a replica from the list of agents. cn=adtrust agents,cn=sysaccounts,cn=etc,$BASEDN contains a list of members representing the agents. Remove the replica principal from this list. This is a hack allowing to run multiple times ipa-adtrust-install --add-agents (otherwise if the replica is in the list of agents, it won't be seen as a possible agent to be added). """ remove_agent_ldif = textwrap.dedent(""" dn: cn=adtrust agents,cn=sysaccounts,cn=etc,{base_dn} changetype: modify delete: member member: fqdn={hostname},cn=computers,cn=accounts,{base_dn} """.format(base_dn=host.domain.basedn, hostname=host.hostname)) # ok_returncode =16 if the attribute is not present tasks.ldapmodify_dm(self.master, remove_agent_ldif, ok_returncode=[0, 16])
def test_replica_install_with_existing_entry(self): master = self.master tasks.install_master(master) replica = self.replicas[0] base_dn = "dc=%s" % (",dc=".join(replica.domain.name.split("."))) # adding entry for replica on master so that master will have it before # replica installtion begins and creates a situation for pagure-7174 entry_ldif = textwrap.dedent(""" dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,{base_dn} changetype: modify add: memberPrincipal memberPrincipal: HTTP/{hostname}@{realm} dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,{base_dn} changetype: modify add: memberPrincipal memberPrincipal: ldap/{hostname}@{realm}""").format( base_dn=base_dn, hostname=replica.hostname, realm=replica.domain.name.upper()) tasks.ldapmodify_dm(master, entry_ldif) tasks.install_replica(master, replica)
def setup_otp_nsslapd(self): check_services = self.master.run_command( ['systemctl', 'list-units', '--state=failed']) assert "ipa-otpd" not in check_services.stdout_text # Be sure no services are running and failed units self.master.run_command(['killall', 'ipa-otpd'], raiseonerr=False) # setting nsslapd-idletimeout new_limit = 30 conn = self.master.ldap_connect() dn = DN(('cn', 'config')) entry = conn.get_entry(dn) # pylint: disable=no-member orig_limit = entry.single_value.get('nsslapd-idletimeout') ldap_query = textwrap.dedent(""" dn: cn=config changetype: modify replace: nsslapd-idletimeout nsslapd-idletimeout: {limit} """) tasks.ldapmodify_dm(self.master, ldap_query.format(limit=new_limit)) yield # cleanup tasks.ldapmodify_dm(self.master, ldap_query.format(limit=orig_limit))
def test_change_sysaccount_pwd_history_issue7181(self, pwpolicy_global): """ Test that a sysacount user maintains no password history because they do not have a Kerberos identity. """ sysuser = '******' original_passwd = 'Secret123' new_passwd = 'userPasswd123' master = self.master # Add a system account and add it to a group managed by the policy base_dn = str(master.domain.basedn) # pylint: disable=no-member entry_ldif = textwrap.dedent(""" dn: uid={account_name},cn=sysaccounts,cn=etc,{base_dn} changetype: add objectclass: account objectclass: simplesecurityobject uid: {account_name} userPassword: {original_passwd} passwordExpirationTime: 20380119031407Z nsIdleTimeout: 0 """).format( account_name=sysuser, base_dn=base_dn, original_passwd=original_passwd) tasks.ldapmodify_dm(master, entry_ldif) # Now change the password. It should succeed since password # policy doesn't apply to non-Kerberos users. tasks.ldappasswd_sysaccount_change(sysuser, original_passwd, new_passwd, master) tasks.ldappasswd_sysaccount_change(sysuser, new_passwd, original_passwd, master) tasks.ldappasswd_sysaccount_change(sysuser, original_passwd, new_passwd, master)
def test_change_sysaccount_password_issue7561(self): sysuser = '******' original_passwd = 'Secret123' new_passwd = 'userPasswd123' master = self.master base_dn = str(master.domain.basedn) # pylint: disable=no-member entry_ldif = textwrap.dedent(""" dn: uid=system,cn=sysaccounts,cn=etc,{base_dn} changetype: add objectclass: account objectclass: simplesecurityobject uid: system userPassword: {original_passwd} passwordExpirationTime: 20380119031407Z nsIdleTimeout: 0 """).format( base_dn=base_dn, original_passwd=original_passwd) tasks.ldapmodify_dm(master, entry_ldif) tasks.ldappasswd_sysaccount_change(sysuser, original_passwd, new_passwd, master)
def test_replicamanage_del(self): """Test Steps: 1. Setup server 2. Setup replica 3. modify the replica entry on Master: ldapmodify -D cn="Directory Manager"-w <passwd> dn: cn=KDC,cn=<replicaFQDN>,cn=masters,cn=ipa,cn=etc,<baseDN> changetype: modify delete: ipaconfigstring ipaconfigstring: enabledService dn: cn=KDC,cn=<replicaFQDN>,cn=masters,cn=ipa,cn=etc,<baseDN> add: ipaconfigstring ipaconfigstring: configuredService 4. On master, run ipa-replica-manage del <replicaFQDN> --cleanup --force """ # https://pagure.io/freeipa/issue/7929 # modify the replica entry on Master cmd_output = None dn_entry = 'dn: cn=KDC,cn=%s,cn=masters,cn=ipa,' \ 'cn=etc,%s' % \ (self.replicas[0].hostname, ipautil.realm_to_suffix( self.replicas[0].domain.realm).ldap_text()) entry_ldif = textwrap.dedent(""" {dn} changetype: modify delete: ipaconfigstring ipaconfigstring: enabledService {dn} add: ipaconfigstring ipaconfigstring: configuredService """).format(dn=dn_entry) cmd_output = tasks.ldapmodify_dm(self.master, entry_ldif) assert 'modifying entry' in cmd_output.stdout_text cmd_output = self.master.run_command([ 'ipa-replica-manage', 'del', self.replicas[0].hostname, '--cleanup', '--force' ]) assert_text = 'Deleted IPA server "%s"' % self.replicas[0].hostname assert assert_text in cmd_output.stdout_text
def test_huge_password(self): user = '******' hostname = 'toolong.{}'.format(self.master.domain.name) huge_password = ipa_generate_password(min_len=1536) original_passwd = 'Secret123' master = self.master base_dn = str(master.domain.basedn) # Create a user with a password that is too long tasks.kinit_admin(master) add_password_stdin_text = "{pwd}\n{pwd}".format(pwd=huge_password) result = master.run_command(['ipa', 'user-add', user, '--first', user, '--last', user, '--password'], stdin_text=add_password_stdin_text, raiseonerr=False) assert result.returncode != 0 # Try again with a normal password add_password_stdin_text = "{pwd}\n{pwd}".format(pwd=original_passwd) master.run_command(['ipa', 'user-add', user, '--first', user, '--last', user, '--password'], stdin_text=add_password_stdin_text) # kinit as that user in order to modify the pwd user_kinit_stdin_text = "{old}\n%{new}\n%{new}\n".format( old=original_passwd, new=original_passwd) master.run_command(['kinit', user], stdin_text=user_kinit_stdin_text) # sleep 1 sec (krblastpwdchange and krbpasswordexpiration have at most # a 1s precision) time.sleep(1) # perform ldapmodify on userpassword as dir mgr entry_ldif = textwrap.dedent(""" dn: uid={user},cn=users,cn=accounts,{base_dn} changetype: modify replace: userpassword userpassword: {new_passwd} """).format( user=user, base_dn=base_dn, new_passwd=huge_password) result = tasks.ldapmodify_dm(master, entry_ldif, raiseonerr=False) assert result.returncode != 0 # ask_password in ipa-getkeytab will complain about too long password keytab_file = os.path.join(self.master.config.test_dir, 'user.keytab') password_stdin_text = "{pwd}\n{pwd}".format(pwd=huge_password) result = self.master.run_command(['ipa-getkeytab', '-p', user, '-P', '-k', keytab_file, '-s', self.master.hostname], stdin_text=password_stdin_text, raiseonerr=False) assert result.returncode != 0 assert "clear-text password is too long" in result.stderr_text # Create a host with a user-set OTP that is too long tasks.kinit_admin(master) result = master.run_command(['ipa', 'host-add', '--force', hostname, '--password', huge_password], raiseonerr=False) assert result.returncode != 0 # Try again with a valid password result = master.run_command(['ipa', 'host-add', '--force', hostname, '--password', original_passwd], raiseonerr=False) assert result.returncode == 0
def test_ldapmodify_password_issue7601(self): user = '******' original_passwd = 'Secret123' new_passwd = 'userPasswd123' new_passwd2 = 'mynewPwd123' master = self.master base_dn = str(master.domain.basedn) # pylint: disable=no-member # Create a user with a password tasks.kinit_admin(master) add_password_stdin_text = "{pwd}\n{pwd}".format(pwd=original_passwd) master.run_command(['ipa', 'user-add', user, '--first', user, '--last', user, '--password'], stdin_text=add_password_stdin_text) # kinit as that user in order to modify the pwd user_kinit_stdin_text = "{old}\n%{new}\n%{new}\n".format( old=original_passwd, new=original_passwd) master.run_command(['kinit', user], stdin_text=user_kinit_stdin_text) # Retrieve krblastpwdchange and krbpasswordexpiration krblastpwdchange, krbexp = self.get_krbinfo(user) # sleep 1 sec (krblastpwdchange and krbpasswordexpiration have at most # a 1s precision) time.sleep(1) # perform ldapmodify on userpassword as dir mgr entry_ldif = textwrap.dedent(""" dn: uid={user},cn=users,cn=accounts,{base_dn} changetype: modify replace: userpassword userpassword: {new_passwd} """).format( user=user, base_dn=base_dn, new_passwd=new_passwd) tasks.ldapmodify_dm(master, entry_ldif) # Test new password with kinit master.run_command(['kinit', user], stdin_text=new_passwd) # both should have changed newkrblastpwdchange, newkrbexp = self.get_krbinfo(user) assert newkrblastpwdchange != krblastpwdchange assert newkrbexp != krbexp # Now test passwd modif with ldappasswd time.sleep(1) master.run_command([ paths.LDAPPASSWD, '-D', str(master.config.dirman_dn), # pylint: disable=no-member '-w', master.config.dirman_password, '-a', new_passwd, '-s', new_passwd2, '-x', '-ZZ', '-H', 'ldap://{hostname}'.format(hostname=master.hostname), 'uid={user},cn=users,cn=accounts,{base_dn}'.format( user=user, base_dn=base_dn)] ) # Test new password with kinit master.run_command(['kinit', user], stdin_text=new_passwd2) # both should have changed newkrblastpwdchange2, newkrbexp2 = self.get_krbinfo(user) assert newkrblastpwdchange != newkrblastpwdchange2 assert newkrbexp != newkrbexp2