def test_password_max_failure_should_lockout_password(topo):
"""Regression test for bz834060.
:id: f2064efa-52d9-11ea-8037-8c16451d917b
:setup: Standalone
:steps:
1. passwordMaxFailure should lockout password one sooner
2. Setting passwordLockout to \"on\"
3. Set maximum number of login tries to 3
4. Turn off passwordLegacyPolicy
5. Turn off local password policy, so that global is applied
:expected results:
1. Success
2. Success
3. Success
4. Success
5. Success
"""
config = Config(topo.standalone)
config.replace_many(
('passwordLockout', 'on'),
('passwordMaxFailure', '3'),
('passwordLegacyPolicy', 'off'),
('nsslapd-pwpolicy-local', 'off'))
user = _create_user(topo, 'tuser', 'ou=people')
user.replace('userpassword', 'password')
for _ in range(2):
with pytest.raises(ldap.INVALID_CREDENTIALS):
user.bind('Invalid')
with pytest.raises(ldap.CONSTRAINT_VIOLATION):
user.bind("Invalid")
config.replace('nsslapd-pwpolicy-local', 'on')
def test_too_big_password(topo, _fix_password):
"""Test for long long password
:id: 299a3fb4-5a20-11ea-bba8-8c16451d917b
:setup: Standalone
:steps:
1. Setting policy to keep password histories
2. Changing number of password in history to 3
3. Modify password from dby3rs1 to dby3rs2
4. Checking that the passwordhistory attribute has been added
5. Add a password test for long long password
6. Changing number of password in history to 6 and passwordhistory off
:expected results:
1. Success
2. Success
3. Success
4. Success
5. Success
6. Success
"""
config = Config(topo.standalone)
# Setting policy to keep password histories
config.replace_many(('passwordchecksyntax', 'off'),
('passwordhistory', 'on'))
assert config.get_attr_val_utf8('passwordinhistory') == '6'
# Changing number of password in history to 3
config.replace('passwordinhistory', '3')
# Modify password from dby3rs1 to dby3rs2
_change_password_with_own(topo, f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}',
'dbyers1', 'dbyers2')
with pytest.raises(ldap.CONSTRAINT_VIOLATION):
_change_password_with_own(topo,
f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}',
'dbyers2', 'dbyers1')
# Checking that the passwordhistory attribute has been added
assert UserAccount(
topo.standalone,
f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}').get_attr_val_utf8(
'passwordhistory')
# Add a password test for long long password
long_pass = 50 * '0123456789' + 'LENGTH=510'
_change_password_with_own(topo, f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}',
'dbyers2', long_pass)
with pytest.raises(ldap.CONSTRAINT_VIOLATION):
_change_password_with_own(topo,
f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}',
long_pass, long_pass)
_change_password_with_root(topo, f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}',
'dbyers1')
# Changing number of password in history to 6 and passwordhistory off
config.replace_many(('passwordhistory', 'off'), ('passwordinhistory', '6'))
def test_once_TPR_reset_old_passwd_invalid(topo, _add_user,
set_global_TPR_policies):
""" Verify that once a password has been reset it cannot be reused
:id: f3ea4f00-e89c-11eb-b81d-98fa9ba19b65
:customerscenario: True
:setup: Standalone
:steps:
1. Create DS Instance
2. Create user jdoe1 with appropriate password
3. Configure the Global Password policies enable passwordMustChange
4. Trigger TPR by resetting the user jdoe1 password above
5. Attempt to login with the old password
6. Login as jdoe1 with the correct password and update the new password
:expected results:
1. Success
2. Success
3. Success
4. Success
5. Fail(ldap.CONSTRAINT_VIOLATION)
6. Success
"""
new_password = '******'
log.info('Creating user jdoe1 with appropriate password')
user1 = UserAccount(topo.standalone,
f'uid=jdoe1,ou=People,{DEFAULT_SUFFIX}')
user1.replace('userpassword', new_password)
log.info(
'Making sure the Global Policy passwordTPRDelayValidFrom is short')
config = Config(topo.standalone)
config.replace_many(
('passwordLockout', 'off'),
('passwordMaxFailure', '3'),
('passwordLegacyPolicy', 'off'),
('passwordTPRDelayValidFrom', '-1'),
('nsslapd-pwpolicy-local', 'on'),
)
log.info(' Attempting to bind as {} with the old password {}'.format(
user1, USER1_PASS))
time.sleep(.5)
with pytest.raises(ldap.INVALID_CREDENTIALS):
user1.bind(USER1_PASS)
log.info('Login as jdoe1 with the correct reset password')
time.sleep(.5)
user1.rebind(new_password)
def set_global_policy(self, properties):
"""Configure global password policy
:param properties: A dictionary with password policy attributes
:type properties: dict
"""
modlist = []
for attr, value in properties.items():
modlist.append((attr, value))
if len(modlist) > 0:
config = Config(self._instance)
config.replace_many(*modlist)
else:
raise ValueError("There are no password policies to set")
def test_admin_resets_pwd_TPR_attrs_reset(topo, _add_user,
set_global_TPR_policies):
"""Test When the ‘userpassword’ is updated (update_pw_info) by an administrator
and it exists a TPR policy, then the server flags that the entry has a
TPR password with ‘pwdTPRReset: TRUE’, ‘pwdTPRExpTime’ and ‘pwdTPRUseCount’.
:id: e6a84dc0-f142-11eb-8c96-fa163e1f582c
:customerscenario: True
:setup: Standalone
:steps:
1. Create DS Instance
2. Create user jdoe2 with appropriate password
3. Configure the Global Password policies enable
4. Trigger TPR by resetting the user jdoe1 password above
5. Reset the users password ‘userpassword’
6. Check that ‘pwdTPRExpTime’ and ‘pwdTPRUseCount’ are updated
:expectedresults:
1. Success
2. Success
3. Success
4. Success
5. Success
6. Success
"""
user1 = UserAccount(topo.standalone,
f'uid=jdoe1,ou=People,{DEFAULT_SUFFIX}')
log.info('Logging current time')
start_time = time.mktime(time.gmtime())
log.info(
'Verifying the Global policy are set and attributes are all set to "None"'
)
for tpr_attrib in ['pwdTPRReset', 'pwdTPRExpTime', 'pwdTPRUseCount']:
assert user1.get_attr_val_utf8(tpr_attrib) is None
config = Config(topo.standalone)
config.replace_many(('pwdmustchange', 'on'), ('passwordTPRMaxUse', '3'),
('passwordTPRDelayExpireAt', '1800'),
('passwordTPRDelayValidFrom', '1'))
assert user1.get_attr_val_utf8('pwdTPRExpTime') is None
log.info('Triggering TPR as Admin')
user1.replace('userpassword', 'new_password')
time.sleep(1)
log.info(
'Checking that pwdTPRReset, pwdTPRExpTime, pwdTPRUseCount are reset.')
assert user1.get_attr_val_utf8('pwdTPRReset') == 'TRUE'
assert user1.get_attr_val_utf8('pwdTPRExpTime') is None
assert user1.get_attr_val_utf8('pwdTPRUseCount') is '0'
def test_password_expire_works(topology_st):
"""Regression test for bug624080. If passwordMaxAge is set to a
value and a new user is added, if the passwordMaxAge is changed
to a shorter expiration time and the new users password
is then changed ..... the passwordExpirationTime for the
new user should be changed too. There was a bug in DS 6.2
where the expirationtime remained unchanged.
:id: 1ead6052-4636-11ea-b5af-8c16451d917b
:setup: Standalone
:steps:
1. Set the Global password policy and a passwordMaxAge to 5 days
2. Add the new user
3. Check the users password expiration time now
4. Decrease global passwordMaxAge to 2 days
5. Modify the users password
6. Modify the user one more time to make sur etime has been reset
7. turn off the password policy
:expected results:
1. Success
2. Success
3. Success
4. Success
5. Success
6. Success
7. Success
"""
config = Config(topology_st.standalone)
config.replace_many(('passwordMaxAge', '432000'), ('passwordExp', 'on'))
user = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX,
rdn=None).create_test_user()
user.set('userPassword', 'anuj')
time.sleep(0.5)
expire_time = user.get_attr_val_utf8('passwordExpirationTime')
config.replace('passwordMaxAge', '172800')
user.set('userPassword', 'borah')
time.sleep(0.5)
expire_time2 = user.get_attr_val_utf8('passwordExpirationTime')
config.replace('passwordMaxAge', '604800')
user.set('userPassword', 'anujagaiin')
time.sleep(0.5)
expire_time3 = user.get_attr_val_utf8('passwordExpirationTime')
assert expire_time != expire_time2 != expire_time3
config.replace('passwordExp', 'off')
def test_passwordchange_to_no(topo, _fix_password):
"""Change password fo a user even password even though pw policy is set to no
:id: 16c64ef0-5a20-11ea-a902-8c16451d917b
:setup: Standalone
:steps:
1. Adding an user with uid=dbyers
2. Set Password change to Must Not Change After Reset
3. Setting Password policy to May Not Change Password
4. Try to change password fo a user even password even though pw policy is set to no
5. Set Password change to May Change Password
6. Try to change password fo a user even password
7. Try to change password with invalid credentials. Should see error message.
:expected results:
1. Success
2. Success
3. Success
4. Success
5. Success
6. Success
7. Success
"""
# Adding an user with uid=dbyers
user = f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}'
config = Config(topo.standalone)
# Set Password change to Must Not Change After Reset
config.replace_many(('passwordmustchange', 'off'),
('passwordchange', 'off'))
# Try to change password fo a user even password even though pw policy is set to no
with pytest.raises(ldap.UNWILLING_TO_PERFORM):
_change_password_with_own(topo, user, 'dbyers1', 'AB')
# Set Password change to May Change Password
config.replace('passwordchange', 'on')
_change_password_with_own(topo, user, 'dbyers1', 'dbyers1')
# Try to change password with invalid credentials. Should see error message.
with pytest.raises(ldap.INVALID_CREDENTIALS):
_change_password_with_own(topo,
f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}',
'AB', 'dbyers1')
def test_passwordlockout(topo, _fix_password):
"""Test adding admin user diradmin to Directory Administrator group
:id: 3ffcffda-5a20-11ea-a3af-8c16451d917b
:setup: Standalone
:steps:
1. Account Lockout must be cleared on successful password change
2. Adding admin user diradmin
3. Adding admin user diradmin to Directory Administrator group
4. Turn on passwordlockout
5. Sets lockout duration to 30 seconds
6. Sets failure count reset duration to 30 sec
7. Sets max password bind failure count to 3
8. Reset password retry count (to 0)
9. Try to bind with invalid credentials(3 times)
10. Try to bind with valid pw, should give lockout error
11. Reset password using admin login
12. Try to login as the user to check the unlocking of account. Will also change
the password back to original
13. Change to account lockout forever until reset
14. Reset password retry count (to 0)
15. Try to bind with invalid credentials(3 times)
16. Try to bind with valid pw, should give lockout error
17. Reset password using admin login
18. Try to login as the user to check the unlocking of account. Will also change the
password back to original
:expected results:
1. Success
2. Success
3. Success
4. Success
5. Success
6. Success
7. Success
8. Success
9. Fail
10. Success
11. Success
12. Success
13. Success
14. Success
15. Fail
16. Success
17. Success
18. Success
"""
config = Config(topo.standalone)
# Adding admin user diradmin
user = UserAccounts(topo.standalone, DEFAULT_SUFFIX).create_test_user()
user.replace('userpassword', 'dby3rs2')
admin = _create_user(topo, 'diradmin', 'Anuj Borah', '1002', 'diradmin')
# Adding admin user diradmin to Directory Administrator group
Group(topo.standalone,
f'cn=Directory Administrators,{DEFAULT_SUFFIX}').add(
'uniquemember', admin.dn)
# Turn on passwordlockout
# Sets lockout duration to 30 seconds
# Sets failure count reset duration to 30 sec
# Sets max password bind failure count to 3
# Reset password retry count (to 0)
config.replace_many(
('passwordlockout', 'on'), ('passwordlockoutduration', '30'),
('passwordresetfailurecount', '30'), ('passwordmaxfailure', '3'),
('passwordhistory', 'off'))
user.replace('passwordretrycount', '0')
# Try to bind with invalid credentials(3 times)
for _ in range(3):
with pytest.raises(ldap.INVALID_CREDENTIALS):
_change_password_with_own(topo, user.dn, 'Invalid', 'secreter')
# Try to bind with valid pw, should give lockout error
with pytest.raises(ldap.CONSTRAINT_VIOLATION):
_change_password_with_own(topo, user.dn, 'Invalid', 'secreter')
# Reset password using admin login
conn = admin.bind('diradmin')
UserAccount(conn, user.dn).replace('userpassword', 'dby3rs2')
time.sleep(1)
# Try to login as the user to check the unlocking of account. Will also change
# the password back to original
_change_password_with_own(topo, user.dn, 'dby3rs2', 'secreter')
# Change to account lockout forever until reset
# Reset password retry count (to 0)
config.replace('passwordunlock', 'off')
user.replace('passwordretrycount', '0')
# Try to bind with invalid credentials(3 times)
for _ in range(3):
with pytest.raises(ldap.INVALID_CREDENTIALS):
_change_password_with_own(topo, user.dn, 'Invalid', 'secreter')
# Try to bind with valid pw, should give lockout error
with pytest.raises(ldap.CONSTRAINT_VIOLATION):
_change_password_with_own(topo, user.dn, 'Invalid', 'secreter')
# Reset password using admin login
UserAccount(conn, user.dn).replace('userpassword', 'dby3rs2')
time.sleep(1)
# Try to login as the user to check the unlocking of account. Will also change the
# password back to original
_change_password_with_own(topo, user.dn, 'dby3rs2', 'secreter')
def test_invalid_credentials(topo, _fix_password):
"""Test bind again with valid password: We should be locked
:id: 3233ca78-5a20-11ea-8d35-8c16451d917b
:setup: Standalone
:steps:
1. Search if passwordlockout is off
2. Turns on passwordlockout
3. sets lockout duration to 3 seconds
4. Changing pw failure count reset duration to 3 sec and passwordminlength to 10
5. Try to bind with invalid credentials
6. Change password to password lockout forever
7. Try to bind with invalid credentials
8. Now bind again with valid password: We should be locked
9. Delete dby3rs before exiting
10. Reset server
:expected results:
1. Success
2. Success
3. Success
4. Success
5. Fail
6. Success
7. Success
8. Success
9. Success
10. Success
"""
config = Config(topo.standalone)
# Search if passwordlockout is off
assert config.get_attr_val_utf8('passwordlockout') == 'off'
# Turns on passwordlockout
# sets lockout duration to 3 seconds
# Changing pw failure count reset duration to 3 sec and passwordminlength to 10
config.replace_many(
('passwordlockout', 'on'), ('passwordlockoutduration', '3'),
('passwordresetfailurecount', '3'), ('passwordminlength', '10'))
# Try to bind with invalid credentials
for _ in range(3):
with pytest.raises(ldap.INVALID_CREDENTIALS):
_change_password_with_own(
topo, f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}', 'Invalid',
'dbyers1')
with pytest.raises(ldap.CONSTRAINT_VIOLATION):
_change_password_with_own(topo,
f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}',
'Invalid', 'dbyers1')
for _ in range(3):
time.sleep(1)
_change_password_with_own(topo, f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}',
'dbyers1', 'dbyers1')
# Change password to password lockout forever
config.replace('passwordunlock', 'off')
# Try to bind with invalid credentials
for _ in range(3):
with pytest.raises(ldap.INVALID_CREDENTIALS):
_change_password_with_own(
topo, f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}', 'Invalid',
'dbyers1')
with pytest.raises(ldap.CONSTRAINT_VIOLATION):
_change_password_with_own(topo,
f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}',
'Invalid', 'dbyers1')
for _ in range(3):
time.sleep(1)
# Now bind again with valid password: We should be locked
with pytest.raises(ldap.CONSTRAINT_VIOLATION):
_change_password_with_own(topo,
f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}',
'dbyers1', 'dbyers1')
# Delete dby3rs before exiting
_change_password_with_root(topo, f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}',
'dbyers1')
time.sleep(1)
_change_password_with_own(topo, f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}',
'dbyers1', 'dbyers1')
# Reset server
config.replace_many(
('passwordinhistory', '6'), ('passwordlockout', 'off'),
('passwordlockoutduration', '3600'), ('passwordminlength', '6'),
('passwordresetfailurecount', '600'), ('passwordunlock', 'on'))
def test_password_check_syntax(topo, _fix_password):
"""Password check syntax
:id: 1e6fcc9e-5a20-11ea-9659-8c16451d917b
:setup: Standalone
:steps:
1. Sets Password check syntax to on
2. Try to change to a password that violates length. Should get error
3. Attempt to Modify password to db which is in error to policy
4. change min pw length to 5
5. Attempt to Modify password to dby3rs which is in error to policy
6. Attempt to Modify password to danny which is in error to policy
7. Attempt to Modify password to byers which is in error to policy
8. Change min pw length to 6
9. Try to change the password
10. Trying to set to a password containing value of sn
11. Sets policy to not check pw syntax
12. Test that when checking syntax is off, you can use small passwords
13. Test that when checking syntax is off, trivial passwords can be used
14. Changing password minimum length from 6 to 10
15. Setting policy to Check Password Syntax again
16. Try to change to a password that violates length
17. Reset Password
:expected results:
1. Success
2. Success
3. Success
4. Success
5. Success
6. Success
7. Success
8. Success
9. Success
10. Success
11. Success
12. Success
13. Success
14. Success
15. Success
16. Fail
17. Success
"""
config = Config(topo.standalone)
# Sets Password check syntax to on
config.replace('passwordchecksyntax', 'on')
# Try to change to a password that violates length. Should get error
with pytest.raises(ldap.CONSTRAINT_VIOLATION):
_change_password_with_own(topo,
f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}',
'dbyers1', 'dbyers2')
# Attempt to Modify password to db which is in error to policy
with pytest.raises(ldap.CONSTRAINT_VIOLATION):
_change_password_with_own(topo,
f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}',
'dbyers1', 'db')
# change min pw length to 5
config.replace('passwordminlength', '5')
# Attempt to Modify password to dby3rs which is in error to policy
# Attempt to Modify password to danny which is in error to policy
# Attempt to Modify password to byers which is in error to policy
for password in ['dbyers', 'Danny', 'byers']:
with pytest.raises(ldap.CONSTRAINT_VIOLATION):
_change_password_with_own(
topo, f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}', 'dbyers1',
password)
# Change min pw length to 6
config.replace('passwordminlength', '6')
# Try to change the password
# Trying to set to a password containing value of sn
for password in ['dby3rs1', 'dbyers2', '67Danny89', 'YAByers8']:
with pytest.raises(ldap.CONSTRAINT_VIOLATION):
_change_password_with_own(
topo, f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}', 'dbyers1',
password)
# Sets policy to not check pw syntax
# Test that when checking syntax is off, you can use small passwords
# Test that when checking syntax is off, trivial passwords can be used
config.replace('passwordchecksyntax', 'off')
for password, new_pass in [('dbyers1', 'db'), ('db', 'dbyers'),
('dbyers', 'dbyers1')]:
_change_password_with_own(topo,
f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}',
password, new_pass)
# Changing password minimum length from 6 to 10
# Setting policy to Check Password Syntax again
config.replace_many(('passwordminlength', '10'),
('passwordchecksyntax', 'on'))
# Try to change to a password that violates length
with pytest.raises(ldap.CONSTRAINT_VIOLATION):
_change_password_with_own(topo,
f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}',
'dbyers1', 'db')
UserAccount(topo.standalone,
f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}').replace(
'userpassword', 'dbyers1')
def test_password_gracelimit_section(topo):
"""Password grace limit section.
:id: d6f4a7fa-473b-11ea-8766-8c16451d917c
:setup: Standalone
:steps:
1. Resets the default password policy
2. Turning on password expiration, passwordMaxAge: 30 and passwordGraceLimit: 7
3. Check users have 7 grace login attempts after their password expires
4. Reset the user passwords to start the clock
5. The the 8th should fail
6. Now try resetting the password before the grace login attempts run out
7. Bind 6 times, and on the 7th change the password
8. Setting passwordMaxAge: 1 and passwordGraceLimit: 7
9. Modify the users passwords to start the clock of zero
10. First 7 good attempts, 8th should fail
11. Setting the passwordMaxAge to 3 seconds once more and the passwordGraceLimit to 0
12. Modify the users passwords to start the clock
13. Users should be blocked automatically after 3 second
:expected results:
1. Success
2. Success
3. Success
4. Success
5. Success
6. Success
7. Success
8. Success
9. Success
10. Success
11. Success
12. Success
13. Success
"""
config = Config(topo.standalone)
# Resets the default password policy
config.replace_many(('passwordmincategories', '1'),
('passwordStorageScheme', 'CLEAR'))
user = UserAccounts(topo.standalone, DEFAULT_SUFFIX,
rdn=None).create_test_user()
# Turning on password expiration, passwordMaxAge: 30 and passwordGraceLimit: 7
config.replace_many(('passwordMaxAge', '3'), ('passwordGraceLimit', '7'),
('passwordexp', 'on'), ('passwordwarning', '30'))
# Reset the user passwords to start the clock
# Check users have 7 grace login attempts after their password expires
user.replace('userpassword', '00fr3d1')
for _ in range(3):
time.sleep(1)
user_account = UserAccount(topo.standalone, user.dn)
for _ in range(7):
conn = user_account.bind('00fr3d1')
# The the 8th should fail
with pytest.raises(ldap.INVALID_CREDENTIALS):
conn = user_account.bind('00fr3d1')
# Now try resetting the password before the grace login attempts run out
user.replace('userpassword', '00fr3d2')
for _ in range(3):
time.sleep(1)
user_account = UserAccount(topo.standalone, user.dn)
# Bind 6 times, and on the 7th change the password
for _ in range(6):
conn = user_account.bind('00fr3d2')
user.replace('userpassword', '00fr3d1')
for _ in range(3):
time.sleep(1)
for _ in range(7):
conn = user_account.bind('00fr3d1')
with pytest.raises(ldap.INVALID_CREDENTIALS):
conn = user_account.bind('00fr3d1')
# Setting passwordMaxAge: 1 and passwordGraceLimit: 7
config.replace_many(('passwordMaxAge', '1'), ('passwordwarning', '1'))
# Modify the users passwords to start the clock of zero
user.replace('userpassword', '00fr3d2')
time.sleep(1)
# First 7 good attempts, 8th should fail
user_account = UserAccount(topo.standalone, user.dn)
for _ in range(7):
conn = user_account.bind('00fr3d2')
with pytest.raises(ldap.INVALID_CREDENTIALS):
conn = user_account.bind('00fr3d2')
# Setting the passwordMaxAge to 3 seconds once more and the passwordGraceLimit to 0
config.replace_many(('passwordMaxAge', '3'), ('passwordGraceLimit', '0'))
# Modify the users passwords to start the clock
# Users should be blocked automatically after 3 second
user.replace('userpassword', '00fr3d1')
for _ in range(3):
time.sleep(1)
with pytest.raises(ldap.INVALID_CREDENTIALS):
conn = user_account.bind('00fr3d1')
def test_user_resets_pwd_TPR_attrs_reset(topo, _add_user,
set_global_TPR_policies):
"""Test once password is reset attributes are set to FALSE
:id: 6614068a-ee7d-11eb-b1a3-98fa9ba19b65
:customerscenario: True
:setup: Standalone
:steps:
1. Create DS Instance
2. Create user jdoe2 with appropriate password
3. Configure the Global Password policies and set passwordMustChange on
4. Trigger TPR by resetting the user jdoe1 password above
5. Reset the users password ‘userpassword’
6. Check that pwdTPRReset, pwdTPRUseCount, pwdTPRValidFrom, pwdTPRExpireAt are RESET
:expectedresults:
1. Success
2. Success
3. Success
4. Success
5. Success
6. Success
"""
user1 = UserAccount(topo.standalone,
f'uid=jdoe1,ou=People,{DEFAULT_SUFFIX}')
log.info('Logging current time')
start_time = time.mktime(time.gmtime())
log.info(
'Verifying the Global policy are set and attributes are all set to "None"'
)
for tpr_attrib in [
'pwdTPRReset', 'pwdTPRUseCount', 'pwdTPRValidFrom',
'pwdTPRExpireAt'
]:
assert user1.get_attr_val_utf8(tpr_attrib) is None
config = Config(topo.standalone)
config.replace_many(('pwdmustchange', 'on'), ('passwordTPRMaxUse', '3'),
('passwordTPRDelayExpireAt', '1800'),
('passwordTPRDelayValidFrom', '1'))
assert user1.get_attr_val_utf8('pwdTPRReset') is None
log.info(
'Triggering TPR check that pwdTPRReset, pwdTPRUseCount, pwdTPRValidFrom, pwdTPRExpireAt are set'
)
user1.replace('userpassword', 'new_password')
time.sleep(3)
assert user1.get_attr_val_utf8('pwdTPRReset') == 'TRUE'
assert user1.get_attr_val_utf8('pwdTPRUseCount') == '0'
assert gentime_to_posix_time(
user1.get_attr_val_utf8('pwdTPRValidFrom')) > start_time
assert gentime_to_posix_time(
user1.get_attr_val_utf8('pwdTPRExpireAt')) > start_time
conn = user1.rebind('new_password')
user1.replace('userpassword', 'extra_new_pass')
log.info(
'Checking that pwdTPRReset, pwdTPRUseCount, pwdTPRValidFrom, pwdTPRExpireAt are reset to None'
)
time.sleep(3)
assert user1.get_attr_val_utf8('pwdTPRReset') is None
assert user1.get_attr_val_utf8('pwdTPRUseCount') is None
assert (user1.get_attr_val_utf8('pwdTPRValidFrom')) is None
assert (user1.get_attr_val_utf8('pwdTPRExpireAt')) is None
log.info('Verified that attributes are reset after password is reset')
