def test_graceperiod_not_replicated(self): """Test that the grace period is reset on password reset""" str(self.master.domain.basedn) dn = "uid={user},cn=users,cn=accounts,{base_dn}".format( user=USER, base_dn=str(self.master.domain.basedn)) # Resetting the password will mark it as expired self.reset_password(self.master) # Generate some logins but don't exceed the limit for _i in range(2, -1, -1): result = self.master.run_command([ "ldapsearch", "-e", "ppolicy", "-D", dn, "-w", PASSWORD, "-b", dn ], raiseonerr=False) # Verify that passwordgraceusertime is not replicated result = tasks.ldapsearch_dm( self.master, dn, [ 'passwordgraceusertime', ], ) assert 'passwordgraceusertime: 3' in result.stdout_text.lower() result = tasks.ldapsearch_dm( self.replicas[0], dn, [ 'passwordgraceusertime', ], ) # Never been set at all so won't return assert 'passwordgraceusertime' not in result.stdout_text.lower() # Resetting the password should reset passwordgraceusertime self.reset_password(self.master) result = tasks.ldapsearch_dm( self.master, dn, [ 'passwordgraceusertime', ], ) assert 'passwordgraceusertime: 0' in result.stdout_text.lower() self.reset_password(self.master)
def test_ds_disable_upgrade_hash(self): # Test case for https://pagure.io/freeipa/issue/8315 # Disable password schema migration on LDAP bind result = tasks.ldapsearch_dm(self.master, "cn=config", ldap_args=["nsslapd-enable-upgrade-hash"], scope="base") assert "nsslapd-enable-upgrade-hash: off" in result.stdout_text
def test_graceperiod_expired(self): """Test the LDAP bind grace period""" str(self.master.domain.basedn) dn = "uid={user},cn=users,cn=accounts,{base_dn}".format( user=USER, base_dn=str(self.master.domain.basedn)) self.master.run_command([ "ipa", "pwpolicy-mod", POLICY, "--gracelimit", "3", ], ) # Resetting the password will mark it as expired self.reset_password(self.master) for i in range(2, -1, -1): result = self.master.run_command([ "ldapsearch", "-e", "ppolicy", "-D", dn, "-w", PASSWORD, "-b", dn ], raiseonerr=False) # We're in grace, this will succeed assert result.returncode == 0 # verify that we get the expected ppolicy output assert 'Password expired, {} grace logins remain'.format(i) \ in result.stderr_text # Now grace is done and binds should fail. result = self.master.run_command([ "ldapsearch", "-e", "ppolicy", "-D", dn, "-w", PASSWORD, "-b", dn ], raiseonerr=False) assert result.returncode == 49 assert 'Password is expired' in result.stderr_text assert 'Password expired, 0 grace logins remain' in result.stderr_text # Test that resetting the password resets the grace counter self.reset_password(self.master) result = tasks.ldapsearch_dm( self.master, dn, [ 'passwordgraceusertime', ], ) assert 'passwordgraceusertime: 0' in result.stdout_text.lower()
def test_check_otpd_after_idle_timeout(self, setup_otp_nsslapd): """Test for OTP when the LDAP connection timed out. Test for : https://pagure.io/freeipa/issue/6587 ipa-otpd was exiting with failure when LDAP connection timed out. Test to verify that when the nsslapd-idletimeout is exceeded (30s idle, 60s sleep) then the ipa-otpd process should exit without error. """ since = time.strftime('%Y-%m-%d %H:%M:%S') tasks.kinit_admin(self.master) otpuid, totp = add_otptoken(self.master, USER, otptype="totp") try: # kinit with OTP auth otpvalue = totp.generate(int(time.time())).decode("ascii") kinit_otp(self.master, USER, password=PASSWORD, otp=otpvalue) time.sleep(60) # ldapsearch will wake up slapd and force walking through # the connection list, in order to spot the idle connections tasks.ldapsearch_dm(self.master, "", ldap_args=[], scope="base") def test_cb(cmd_jornalctl): # check if LDAP connection is timed out expected_msg = "Can't contact LDAP server" return expected_msg in cmd_jornalctl # ipa-otpd don't flush its logs to syslog immediately cmd = ['journalctl', '--since={}'.format(since)] tasks.run_repeatedly(self.master, command=cmd, test=test_cb, timeout=90) failed_services = self.master.run_command( ['systemctl', 'list-units', '--state=failed']) assert "ipa-otpd" not in failed_services.stdout_text finally: del_otptoken(self.master, otpuid)
def get_krbinfo(self, user): base_dn = str(self.master.domain.basedn) # pylint: disable=no-member result = tasks.ldapsearch_dm( self.master, 'uid={user},cn=users,cn=accounts,{base_dn}'.format( user=user, base_dn=base_dn), ['krblastpwdchange', 'krbpasswordexpiration'], scope='base') output = result.stdout_text.lower() # extract krblastpwdchange and krbpasswordexpiration krbchg_pattern = 'krblastpwdchange: (.+)\n' krbexp_pattern = 'krbpasswordexpiration: (.+)\n' krblastpwdchange = re.findall(krbchg_pattern, output)[0] krbexp = re.findall(krbexp_pattern, output)[0] return krblastpwdchange, krbexp
def get_krbinfo(self, user): base_dn = str(self.master.domain.basedn) # pylint: disable=no-member result = tasks.ldapsearch_dm( self.master, 'uid={user},cn=users,cn=accounts,{base_dn}'.format( user=user, base_dn=base_dn), ['krblastpwdchange', 'krbpasswordexpiration'], scope='base' ) output = result.stdout_text.lower() # extract krblastpwdchange and krbpasswordexpiration krbchg_pattern = 'krblastpwdchange: (.+)\n' krbexp_pattern = 'krbpasswordexpiration: (.+)\n' krblastpwdchange = re.findall(krbchg_pattern, output)[0] krbexp = re.findall(krbexp_pattern, output)[0] return krblastpwdchange, krbexp
def test_aes_sha_kerberos_enctypes(self): """Test AES SHA 256 and 384 Kerberos enctypes enabled AES SHA 256 and 384-bit enctypes supported by MIT kerberos but was not enabled in IPA. This test is to check if these types are enabled. related: https://pagure.io/freeipa/issue/8110 """ tasks.kinit_admin(self.master) dn = DN(("cn", self.master.domain.realm), ("cn", "kerberos"), realm_to_suffix(self.master.domain.realm)) result = tasks.ldapsearch_dm(self.master, str(dn), ["krbSupportedEncSaltTypes"], scope="base") assert "aes128-sha2:normal" in result.stdout_text assert "aes128-sha2:special" in result.stdout_text assert "aes256-sha2:normal" in result.stdout_text assert "aes256-sha2:special" in result.stdout_text
def test_external_ca(self): # Step 1 of ipa-server-install. result = install_server_external_ca_step1( self.master, extra_args=['--external-ca-type=ms-cs'] ) assert result.returncode == 0 # check CSR for extension ipa_csr = self.master.get_file_contents(paths.ROOT_IPA_CSR) check_mscs_extension(ipa_csr, MSCSTemplateV1(u'SubCA')) # Sign CA, transport it to the host and get ipa a root ca paths. root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport( self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA) # Step 2 of ipa-server-install. result = install_server_external_ca_step2( self.master, ipa_ca_fname, root_ca_fname) assert result.returncode == 0 # Make sure IPA server is working properly tasks.kinit_admin(self.master) result = self.master.run_command(['ipa', 'user-show', 'admin']) assert 'User login: admin' in result.stdout_text # check that we can also install replica tasks.install_replica(self.master, self.replicas[0]) # check that nsds5ReplicaReleaseTimeout option was set result = tasks.ldapsearch_dm( self.master, 'cn=mapping tree,cn=config', ['(cn=replica)'], ) # case insensitive match text = result.stdout_text.lower() # see ipaserver.install.replication.REPLICA_FINAL_SETTINGS assert 'nsds5ReplicaReleaseTimeout: 60'.lower() in text assert 'nsDS5ReplicaBindDnGroupCheckInterval: 60'.lower() in text
def test_external_ca(self): # Step 1 of ipa-server-install. result = install_server_external_ca_step1( self.master, extra_args=['--external-ca-type=ms-cs']) assert result.returncode == 0 # check CSR for extension ipa_csr = self.master.get_file_contents(paths.ROOT_IPA_CSR) check_mscs_extension(ipa_csr, ipa_x509.MSCSTemplateV1(u'SubCA')) # Sign CA, transport it to the host and get ipa a root ca paths. root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport( self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA) # Step 2 of ipa-server-install. result = install_server_external_ca_step2(self.master, ipa_ca_fname, root_ca_fname) assert result.returncode == 0 # Make sure IPA server is working properly tasks.kinit_admin(self.master) result = self.master.run_command(['ipa', 'user-show', 'admin']) assert 'User login: admin' in result.stdout_text # check that we can also install replica tasks.install_replica(self.master, self.replicas[0]) # check that nsds5ReplicaReleaseTimeout option was set result = tasks.ldapsearch_dm( self.master, 'cn=mapping tree,cn=config', ['(cn=replica)'], ) # case insensitive match text = result.stdout_text.lower() # see ipaserver.install.replication.REPLICA_FINAL_SETTINGS assert 'nsds5ReplicaReleaseTimeout: 60'.lower() in text assert 'nsDS5ReplicaBindDnGroupCheckInterval: 60'.lower() in text