コード例 #1
def tls_minimum_protocol_version(self, version, exitcode, message):
    """Check that the `tls_minimum_protocol_version` parameter can be used
    to specify the minimum protocol version of SSL/TLS.

    `version` is written into the `openldap4` server entry. `exitcode`
    (converted to int unless it is None) and `message` are attached to the
    user entry that is handed to `login`.
    """
    # Presumably `login` (defined elsewhere) compares these fields with the
    # actual result of the authentication attempt -- confirm against the helper.
    expected_exitcode = None if exitcode is None else int(exitcode)

    ldap_server = dict(
        host="openldap4",
        port="6036",
        # Fixture-only setting: "never" skips validation of the LDAP server
        # certificate, so this case covers protocol-version selection only and
        # says nothing about certificate checking.
        tls_require_cert="never",
        tls_minimum_protocol_version=version,
        auth_dn_prefix="cn=",
        auth_dn_suffix=",ou=users,dc=company,dc=com",
    )
    ldap_user = dict(
        server="openldap4",
        username="******",
        password="******",
        login=True,
        exitcode=expected_exitcode,
        message=message,
    )

    login({"openldap4": ldap_server}, "openldap4", ldap_user)
コード例 #2
def invalid_bind_dn(self):
    """Check that LDAP users can't login when `bind_dn` is invalid.

    The user entry carries exit code 4 and a generic authentication-failure
    message, which are passed to `login` together with the server entry.
    """
    # The `dc=company2` component is presumably what makes this bind DN invalid
    # for the test directory -- confirm against the LDAP fixture data.
    bad_bind_dn = "cn={user_name},ou=users,dc=company2,dc=com"

    # The message does not say whether the user name or the password was
    # rejected, so a failed bind does not disclose which accounts exist.
    failure_message = (
        "DB::Exception: user1: Authentication failed: password is incorrect or there is no user with such name."
    )

    ldap_servers = {
        "openldap1": {
            "host": "openldap1",
            "port": "389",
            "enable_tls": "no",
            "bind_dn": bad_bind_dn,
        },
    }
    ldap_user = {
        "server": "openldap1",
        "username": "******",
        "password": "******",
        "login": True,
        "exitcode": 4,
        "message": failure_message,
    }

    login(ldap_servers, "openldap1", ldap_user)
コード例 #3
def tls_enable_tls_default_yes(self):
    """Check that the default value for the `enable_tls` is set to `yes`.

    The `openldap2` server entry leaves out `enable_tls` (and `port`), so the
    login attempt runs with whatever defaults the server applies.
    """
    ldap_server = dict(
        host="openldap2",
        # Fixture-only setting: "never" skips validation of the server
        # certificate; only the `enable_tls` default is under test here.
        tls_require_cert="never",
        auth_dn_prefix="cn=",
        auth_dn_suffix=",ou=users,dc=company,dc=com",
    )
    ldap_user = dict(
        server="openldap2",
        username="******",
        password="******",
        login=True,
    )
    login({"openldap2": ldap_server}, "openldap2", ldap_user)
コード例 #4
def plain_text(self):
    """Check that we can perform LDAP user authentication using `plain text` connection protocol.

    No `port` is given in the `openldap1` server entry, so the default port
    for the chosen protocol applies.
    """
    ldap_server = dict(
        host="openldap1",
        # TLS is switched off on purpose: over a plain-text connection the bind
        # credentials are sent unencrypted, which is what this case exercises.
        enable_tls="no",
        auth_dn_prefix="cn=",
        auth_dn_suffix=",ou=users,dc=company,dc=com",
    )
    ldap_user = dict(
        server="openldap1",
        username="******",
        password="******",
        login=True,
    )
    login({"openldap1": ldap_server}, "openldap1", ldap_user)
コード例 #5
def scenario(self, node="clickhouse1"):
    """Check that an LDAP external user directory can be used to authenticate a user.

    Stores the cluster node named by `node` on `self.context.node`, then runs
    a login attempt against the `openldap1` server entry.
    """
    # Select the node first; presumably `login` reads it from the context.
    self.context.node = self.context.cluster.node(node)

    ldap_server = dict(
        host="openldap1",
        port="389",
        # Plain-text LDAP: the bind credentials are not protected by TLS in
        # this scenario.
        enable_tls="no",
        auth_dn_prefix="cn=",
        auth_dn_suffix=",ou=users,dc=company,dc=com",
    )
    ldap_user = dict(
        server="openldap1",
        username="******",
        password="******",
        login=True,
    )
    login({"openldap1": ldap_server}, "openldap1", ldap_user)
コード例 #6
def tls_require_cert_default_demand(self):
    """Check that the default value for the `tls_require_cert` is set to `demand`.

    TLS is enabled explicitly on port 636, while `tls_require_cert` is left
    out of the server entry so that the default applies.
    """
    # No `tls_require_cert` key on purpose: with the default in effect the
    # login is expected to succeed, which presumably requires the fixture's
    # server certificate to validate -- confirm against the test environment.
    ldap_server = dict(
        host="openldap2",
        enable_tls="yes",
        port="636",
        auth_dn_prefix="cn=",
        auth_dn_suffix=",ou=users,dc=company,dc=com",
    )
    ldap_user = dict(
        server="openldap2",
        username="******",
        password="******",
        login=True,
    )
    login({"openldap2": ldap_server}, "openldap2", ldap_user)
コード例 #7
def tls_connection(enable_tls, tls_require_cert):
    """Try to login using LDAP user authentication over a TLS connection.

    `enable_tls` and `tls_require_cert` are copied into the `openldap2`
    server entry. The login runs inside an `Example` named after the
    `tls_require_cert` value and tagged with the matching requirement.
    """
    ldap_server = dict(
        host="openldap2",
        enable_tls=enable_tls,
        tls_require_cert=tls_require_cert,
        auth_dn_prefix="cn=",
        auth_dn_suffix=",ou=users,dc=company,dc=com",
    )
    ldap_user = dict(
        server="openldap2",
        username="******",
        password="******",
        login=True,
    )

    # One requirement per certificate-verification option. Any other value
    # leaves the list empty, so that example runs without a linked requirement.
    option_requirements = (
        ("never", RQ_SRS_009_LDAP_ExternalUserDirectory_Configuration_Server_TLSRequireCert_Options_Never),
        ("allow", RQ_SRS_009_LDAP_ExternalUserDirectory_Configuration_Server_TLSRequireCert_Options_Allow),
        ("try", RQ_SRS_009_LDAP_ExternalUserDirectory_Configuration_Server_TLSRequireCert_Options_Try),
        ("demand", RQ_SRS_009_LDAP_ExternalUserDirectory_Configuration_Server_TLSRequireCert_Options_Demand),
    )

    requirements = []
    for option, requirement in option_requirements:
        if tls_require_cert == option:
            requirements = [requirement("1.0")]
            break

    example_name = f"tls_require_cert='{tls_require_cert}'"
    with Example(name=example_name, requirements=requirements):
        login({"openldap2": ldap_server}, "openldap2", ldap_user)
コード例 #8
def valid_bind_dn(self):
    """Check that LDAP users can login when `bind_dn` is valid.

    The server entry uses a `bind_dn` template with a `{user_name}`
    placeholder instead of the `auth_dn_prefix`/`auth_dn_suffix` pair.
    """
    bind_dn_template = "cn={user_name},ou=users,dc=company,dc=com"

    ldap_server = dict(
        host="openldap1",
        port="389",
        # Plain-text LDAP: the bind is not protected by TLS in this case.
        enable_tls="no",
        bind_dn=bind_dn_template,
    )
    ldap_user = dict(
        server="openldap1",
        username="******",
        password="******",
        login=True,
    )

    login({"openldap1": ldap_server}, "openldap1", ldap_user)
コード例 #9
def tls_with_custom_port(self):
    """Check that we can perform LDAP user authentication using `TLS` connection protocol
    with the server that uses custom port.

    `enable_tls` is not set in the server entry, so its default applies; the
    custom port is 6036.
    """
    ldap_server = dict(
        host="openldap4",
        port="6036",
        # Fixture-only setting: "never" skips validation of the server
        # certificate; only the custom TLS port is under test here.
        tls_require_cert="never",
        auth_dn_prefix="cn=",
        auth_dn_suffix=",ou=users,dc=company,dc=com",
    )
    ldap_user = dict(
        server="openldap4",
        username="******",
        password="******",
        login=True,
    )
    login({"openldap4": ldap_server}, "openldap4", ldap_user)
コード例 #10
ファイル: connections.py プロジェクト: zzzz123321/ClickHouse
def plain_text_with_custom_port(self):
    """Check that we can perform LDAP user authentication using `plain text` connection protocol
    with the server that uses custom port.

    The `openldap3` server entry disables TLS and uses port 3089.
    """
    ldap_server = dict(
        host="openldap3",
        port="3089",
        # TLS is switched off on purpose: the bind credentials are sent
        # unencrypted to the custom port in this case.
        enable_tls="no",
        auth_dn_prefix="cn=",
        auth_dn_suffix=",ou=users,dc=company,dc=com",
    )
    ldap_user = dict(
        server="openldap3",
        username="******",
        password="******",
        login=True,
    )
    login({"openldap3": ldap_server}, "openldap3", ldap_user)
コード例 #11
def tls_cipher_suite(self):
    """Check that the `tls_cipher_suite` parameter can be used to specify allowed cipher suites.

    The `openldap4` server entry sets a cipher-suite string together with a
    minimum protocol version of `tls1.2`, and a login is attempted with it.
    """
    # The string enables only TLS 1.2 (`-VERS-TLS-ALL:+VERS-TLS1.2`) and drops
    # RSA key exchange, DHE-DSS and the CAMELLIA CBC ciphers. The syntax looks
    # like a GnuTLS priority string -- confirm against the LDAP client library.
    allowed_ciphers = (
        "SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC"
    )

    ldap_server = dict(
        host="openldap4",
        port="6036",
        # Fixture-only setting: "never" skips validation of the server
        # certificate; only cipher-suite selection is under test here.
        tls_require_cert="never",
        tls_cipher_suite=allowed_ciphers,
        tls_minimum_protocol_version="tls1.2",
        auth_dn_prefix="cn=",
        auth_dn_suffix=",ou=users,dc=company,dc=com",
    )
    ldap_user = dict(
        server="openldap4",
        username="******",
        password="******",
        login=True,
    )
    login({"openldap4": ldap_server}, "openldap4", ldap_user)