def test_mapping_tree_flipped_components(topology): inst = topology.standalone # First create two Backends, without mapping trees. be1 = create_backend(inst, 'userRootA', 'dc=example,dc=com') be2 = create_backend(inst, 'userRootB', 'dc=com,dc=example') # Okay, now we create the mapping trees for these backends, and we *invert* them in the parent config setting mts = MappingTrees(inst) mtb = mts.create( properties={ 'cn': 'dc=example,dc=com', 'nsslapd-state': 'backend', 'nsslapd-backend': 'userRootA', }) mta = mts.create( properties={ 'cn': 'dc=com,dc=example', 'nsslapd-state': 'backend', 'nsslapd-backend': 'userRootB', }) dc_ex = Domain(inst, dn='dc=example,dc=com') assert dc_ex.exists() dc_ab = Domain(inst, dn='dc=com,dc=example') assert dc_ab.exists() # Restart and check again inst.restart() assert dc_ex.exists() assert dc_ab.exists()
def test_mapping_tree_mixed_length(topology): inst = topology.standalone # First create two Backends, without mapping trees. be1 = create_backend(inst, 'userRootA', 'dc=myserver') be1 = create_backend(inst, 'userRootB', 'dc=m') be1 = create_backend(inst, 'userRootC', 'dc=a,dc=b,dc=c,dc=d,dc=e') be1 = create_backend(inst, 'userRootD', 'dc=example,dc=com') be1 = create_backend(inst, 'userRootE', 'dc=myldap') mts = MappingTrees(inst) mts.create( properties={ 'cn': 'dc=myserver', 'nsslapd-state': 'backend', 'nsslapd-backend': 'userRootA', }) mts.create(properties={ 'cn': 'dc=m', 'nsslapd-state': 'backend', 'nsslapd-backend': 'userRootB', }) mts.create( properties={ 'cn': 'dc=a,dc=b,dc=c,dc=d,dc=e', 'nsslapd-state': 'backend', 'nsslapd-backend': 'userRootC', }) mts.create( properties={ 'cn': 'dc=example,dc=com', 'nsslapd-state': 'backend', 'nsslapd-backend': 'userRootD', }) mts.create( properties={ 'cn': 'dc=myldap', 'nsslapd-state': 'backend', 'nsslapd-backend': 'userRootE', }) dc_a = Domain(inst, dn='dc=myserver') assert dc_a.exists() dc_b = Domain(inst, dn='dc=m') assert dc_b.exists() dc_c = Domain(inst, dn='dc=a,dc=b,dc=c,dc=d,dc=e') assert dc_c.exists() dc_d = Domain(inst, dn='dc=example,dc=com') assert dc_d.exists() dc_e = Domain(inst, dn='dc=myldap') assert dc_e.exists() inst.restart() assert dc_a.exists() assert dc_b.exists() assert dc_c.exists() assert dc_d.exists() assert dc_e.exists()
def test_mapping_tree_inverted(topology): """Test the results of an inverted parent suffix definition in the configuration. For more details see: https://www.port389.org/docs/389ds/design/mapping_tree_assembly.html :id: 024c4960-3aac-4d05-bc51-963dfdeb16ca :setup: Standalone instance (no backends) :steps: 1. Add two backends without mapping trees. 2. Add the mapping trees with inverted parent-suffix definitions. 3. Attempt to search the definitions :expectedresults: 1. Success 2. Success 3. The search suceed and can see validly arranged entries. """ inst = topology.standalone # First create two Backends, without mapping trees. be1 = create_backend(inst, 'userRootA', 'dc=example,dc=com') be2 = create_backend(inst, 'userRootB', 'dc=straya,dc=example,dc=com') # Okay, now we create the mapping trees for these backends, and we *invert* them in the parent config setting mts = MappingTrees(inst) mtb = mts.create( properties={ 'cn': 'dc=straya,dc=example,dc=com', 'nsslapd-state': 'backend', 'nsslapd-backend': 'userRootB', }) mta = mts.create( properties={ 'cn': 'dc=example,dc=com', 'nsslapd-state': 'backend', 'nsslapd-backend': 'userRootA', 'nsslapd-parent-suffix': 'dc=straya,dc=example,dc=com' }) dc_ex = Domain(inst, dn='dc=example,dc=com') assert dc_ex.exists() dc_st = Domain(inst, dn='dc=straya,dc=example,dc=com') assert dc_st.exists() # Restart and check again inst.restart() assert dc_ex.exists() assert dc_st.exists()
def test_mapping_tree_nonexist_parent(topology): """Test a backend whos mapping tree definition has a non-existant parent-suffix For more details see: https://www.port389.org/docs/389ds/design/mapping_tree_assembly.html :id: 7a9a09bd-7604-48f7-93cb-abff9e0d0131 :setup: Standalone instance (no backends) :steps: 1. Add one backend without mapping tree 2. Configure the mapping tree with a non-existant parent suffix 3. Attempt to search the backend :expectedresults: 1. Success 2. Success 3. The search suceed and can see validly entries. """ inst = topology.standalone be1 = create_backend(inst, 'userRootC', 'dc=test,dc=com') mts = MappingTrees(inst) mta = mts.create( properties={ 'cn': 'dc=test,dc=com', 'nsslapd-state': 'backend', 'nsslapd-backend': 'userRootC', 'nsslapd-parent-suffix': 'dc=com' }) # In this case the MT is never joined properly to the hierachy because the parent suffix # doesn't exist. The config is effectively ignored. That means that it can't be searched! dc_ex = Domain(inst, dn='dc=test,dc=com') assert dc_ex.exists() # Restart and check again. inst.restart() assert dc_ex.exists()
def test_chaining_paged_search(topology): """ Check that when the chaining target has anonymous access disabled that the ping still functions and allows the search to continue with an appropriate bind user. :id: 00bf31db-d93b-4224-8e70-86abb2d4cd17 :setup: Two standalones in chaining. :steps: 1. Configure chaining between the nodes 2. Do a chaining search (w anon allow) to assert it works 3. Configure anon dis allowed on st2 4. Restart both 5. Check search still works :expectedresults: 1. Success 2. Success 3. Success 4. Success 5. Success """ st1 = topology.ins["standalone1"] st2 = topology.ins["standalone2"] ### We setup so that st1 -> st2 # Setup a chaining user on st2 to authenticate to. sa = ServiceAccounts(st2, DEFAULT_SUFFIX).create(properties = { 'cn': 'sa', 'userPassword': PW }) # Add a proxy user. sproxy = ServiceAccounts(st2, DEFAULT_SUFFIX).create(properties = { 'cn': 'proxy', 'userPassword': PW }) # Add the read and proxy ACI dc = Domain(st2, DEFAULT_SUFFIX) dc.add('aci', f"""(targetattr="objectClass || cn || uid")(version 3.0; acl "Enable sa read"; allow (read, search, compare)(userdn="ldap:///{sa.dn}");)""" ) # Add the proxy ACI dc.add('aci', f"""(targetattr="*")(version 3.0; acl "Enable proxy access"; allow (proxy)(userdn="ldap:///{sproxy.dn}");)""" ) # Clear all the BE in st1 bes1 = Backends(st1) for be in bes1.list(): be.delete() # Setup st1 to chain to st2 chain_plugin_1 = ChainingBackendPlugin(st1) chain_plugin_1.enable() # Chain with the proxy user. chains = ChainingLinks(st1) chain = chains.create(properties={ 'cn': 'demochain', 'nsfarmserverurl': st2.toLDAPURL(), 'nsslapd-suffix': DEFAULT_SUFFIX, 'nsmultiplexorbinddn': sproxy.dn, 'nsmultiplexorcredentials': PW, 'nsCheckLocalACI': 'on', 'nsConnectionLife': '30', }) mts = MappingTrees(st1) # Due to a bug in lib389, we need to delete and recreate the mt. for mt in mts.list(): mt.delete() mts.ensure_state(properties={ 'cn': DEFAULT_SUFFIX, 'nsslapd-state': 'backend', 'nsslapd-backend': 'demochain', 'nsslapd-distribution-plugin': 'libreplication-plugin', 'nsslapd-distribution-funct': 'repl_chain_on_update', }) # Enable pwpolicy (Not sure if part of the issue). st1.config.set('passwordIsGlobalPolicy', 'on') st2.config.set('passwordIsGlobalPolicy', 'on') # Restart to enable everything. st1.restart() # Get a proxy auth connection. sa1 = ServiceAccount(st1, sa.dn) sa1_conn = sa1.bind(password=PW) # Now do a search from st1 -> st2 sa1_dc = Domain(sa1_conn, DEFAULT_SUFFIX) assert sa1_dc.exists() # Now on st2 disable anonymous access. st2.config.set('nsslapd-allow-anonymous-access', 'rootdse') # Stop st2 to force the connection to be dead. st2.stop() # Restart st1 - this means it must re-do the ping/keepalive. st1.restart() # do a bind - this should fail, and forces the conn offline. with pytest.raises(ldap.OPERATIONS_ERROR): sa1.bind(password=PW) # Allow time to attach lldb if needed. # print("🔥🔥🔥") # time.sleep(45) # Bring st2 online. st2.start() # Wait a bit time.sleep(5) # Get a proxy auth connection (again) sa1_conn = sa1.bind(password=PW) # Now do a search from st1 -> st2 sa1_dc = Domain(sa1_conn, DEFAULT_SUFFIX) assert sa1_dc.exists()