def test_sudo_rule_restricted_to_one_hostmask_setup(self): # We need to detect the hostmask first full_ip = get_host_ip_with_hostmask(self.client) # Make a note for the next test, which needs to be skipped # if hostmask detection failed self.__class__.skip_hostmask_based = False if not full_ip: self.__class__.skip_hostmask_based = True raise pytest.skip("Hostmask could not be detected") self.master.run_command([ 'ipa', '-n', 'sudorule-add-host', 'testrule', '--hostmask', full_ip ]) # SSSD >= 1.13.3-3 uses native IPA schema instead of compat entries to # pull in sudoers. Since native schema does not (yet) support # hostmasks, we need to point ldap_sudo_search_base to the old schema domain = self.client.domain modify_sssd_conf( self.client, domain.name, {'ldap_sudo_search_base': 'ou=sudoers,{}'.format(domain.basedn)}, provider_subtype='sudo')
def test_ssh_from_controller(self): """https://pagure.io/SSSD/sssd/issue/3979 Test ssh from test controller after adding ldap_deref_threshold=0 to sssd.conf on master Steps: 1. setup a master 2. add ldap_deref_threshold=0 to sssd.conf on master 3. add an ipa user 4. ssh from controller to master using the user created in step 3 """ sssd_version = '' cmd_output = self.master.run_command(['sssd', '--version']) sssd_version = platform_tasks.\ parse_ipa_version(cmd_output.stdout_text.strip()) if sssd_version.version < '2.2.0': pytest.xfail(reason="sssd 2.2.0 unavailable in F29 nightly") username = "******" + str(random.randint(200000, 9999999)) # add ldap_deref_threshold=0 to /etc/sssd/sssd.conf domain = self.master.domain tasks.modify_sssd_conf( self.master, domain.name, {'ldap_deref_threshold': 0}, ) try: self.master.run_command(['systemctl', 'restart', 'sssd.service']) # kinit admin tasks.kinit_admin(self.master) # add ipa user cmd = [ 'ipa', 'user-add', '--first', username, '--last', username, '--password', username ] input_passwd = 'Secret123\nSecret123\n' cmd_output = self.master.run_command(cmd, stdin_text=input_passwd) assert 'Added user "%s"' % username in cmd_output.stdout_text input_passwd = 'Secret123\nSecret123\nSecret123\n' self.master.run_command(['kinit', username], stdin_text=input_passwd) client = paramiko.SSHClient() client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) client.connect(self.master.hostname, username=username, password='******') client.close() finally: # revert back to original ldap config # remove ldap_deref_threshold=0 tasks.modify_sssd_conf( self.master, domain.name, {'ldap_deref_threshold': None}, ) self.master.run_command(['systemctl', 'restart', 'sssd.service'])
def filter_user_setup(self, user): sssd_conf_backup = tasks.FileBackup(self.master, paths.SSSD_CONF) filter_user = {'filter_users': self.users[user]['name']} try: tasks.modify_sssd_conf(self.master, self.master.domain.name, filter_user) tasks.clear_sssd_cache(self.master) yield finally: sssd_conf_backup.restore() tasks.clear_sssd_cache(self.master)
def test_extdom_plugin(self): """Extdom plugin should not return error (32)/'No such object' Regression test for https://pagure.io/freeipa/issue/8044 If there is a timeout during a request to SSSD the extdom plugin should not return error 'No such object' and the existing user should not be added to negative cache on the client. """ extdom_dn = DN(('cn', 'ipa_extdom_extop'), ('cn', 'plugins'), ('cn', 'config')) client = self.clients[0] tasks.backup_file(self.master, paths.SSSD_CONF) log_file = '{0}/sssd_{1}.log'.format(paths.VAR_LOG_SSSD_DIR, client.domain.name) logsize = len(client.get_file_contents(log_file)) res = self.master.run_command(['pidof', 'sssd_be']) pid = res.stdout_text.strip() test_id = 'id testuser@%s' % self.ad_domain client.run_command(test_id) conn = self.master.ldap_connect() entry = conn.get_entry(extdom_dn) # pylint: disable=no-member orig_extdom_timeout = entry.single_value.get('ipaextdommaxnsstimeout') # set the extdom plugin timeout to 1s (1000) entry.single_value['ipaextdommaxnsstimeout'] = 1000 conn.update_entry(entry) # pylint: disable=no-member self.master.run_command(['ipactl', 'restart']) domain = self.master.domain tasks.modify_sssd_conf(self.master, domain.name, {'timeout': '999999'}) remove_cache = 'sss_cache -E' self.master.run_command(remove_cache) client.run_command(remove_cache) try: # stop sssd_be, needed to simulate a timeout in the extdom plugin. stop_sssdbe = self.master.run_command('kill -STOP %s' % pid) client.run_command(test_id) error = 'ldap_extended_operation result: No such object(32)' sssd_log2 = client.get_file_contents(log_file)[logsize:] assert error.encode() not in sssd_log2 finally: if stop_sssdbe.returncode == 0: self.master.run_command('kill -CONT %s' % pid) # reconnect and set back to default extdom plugin conn = self.master.ldap_connect() entry = conn.get_entry(extdom_dn) # pylint: disable=no-member entry.single_value['ipaextdommaxnsstimeout'] = orig_extdom_timeout conn.update_entry(entry) # pylint: disable=no-member tasks.restore_files(self.master) self.master.run_command(['ipactl', 'restart'])
def test_sudo_rule_restricted_to_one_hostmask_negative_teardown(self): # Remove the master's hostmask from the rule ip = self.master.ip self.master.run_command([ 'ipa', '-n', 'sudorule-remove-host', 'testrule', '--hostmask', '%s/32' % ip ]) # reset ldap_sudo_search_base back to the default value, the old # schema is not needed for the upcoming tests domain = self.client.domain modify_sssd_conf(self.client, domain.name, {'ldap_sudo_search_base': None}, provider_subtype='sudo')
def test_override_homedir(self): """POSIX attributes should not be overwritten or missing. Regression test for bug https://pagure.io/SSSD/sssd/issue/2474 When there is IPA-AD trust with POSIX attributes, including the home directory set in the AD LDAP and in sssd.conf subdomain_homedir = %o is added after initgroup call home directory should be correct and do not report in logs like, 'get_subdomain_homedir_of_user failed: * [Home directory is NULL]' """ tasks.backup_file(self.master, paths.SSSD_CONF) log_file = '{0}/sssd_{1}.log' .format(paths.VAR_LOG_SSSD_DIR, self.master.domain.name) logsize = len(self.master.get_file_contents(log_file)) try: testuser = '******' % self.ad_domain domain = self.master.domain tasks.modify_sssd_conf( self.master, domain.name, { 'subdomain_homedir': '%o' } ) tasks.clear_sssd_cache(self.master) # The initgroups operation now uses the LDAP connection because # the LDAP AD DS server contains the POSIX attributes self.master.run_command(['getent', 'initgroups', '-s', 'sss', testuser]) result = self.master.run_command(['getent', 'passwd', testuser]) assert '/home/testuser' in result.stdout_text sssd_log2 = self.master.get_file_contents(log_file)[logsize:] assert b'get_subdomain_homedir_of_user failed' not in sssd_log2 finally: tasks.restore_files(self.master) tasks.clear_sssd_cache(self.master)