コード例 #1
ファイル: __init__.py プロジェクト: nextoa/389-ds-base
def get_config(version):
    """Return the install-config object selected by *version*.

    ``INSTALL_LATEST_CONFIG`` maps to ``c001004000`` only when
    ``ds_is_newer('1.4.0')`` is true and to ``c001003006`` otherwise, so
    tests running against an older server are not handed a default layout
    they do not expect. An explicit ``'001004000'`` request is honoured only
    when ``ds_is_newer('1.4.0')`` is true.

    Raises:
        Exception: if no config matches *version* on this server.
    """
    if version == INSTALL_LATEST_CONFIG:
        # "Latest" resolves to the newest layout this server version accepts.
        return c001004000 if ds_is_newer('1.4.0') else c001003006
    if version == '001004000' and ds_is_newer('1.4.0'):
        return c001004000
    if version == '001003006':
        return c001003006
    raise Exception('version %s no match' % version)
コード例 #2
ファイル: import_test.py プロジェクト: tbordaz/389-ds-base
def _import_online(topo, no_no):
    """Import basic_import.ldif into DEFAULT_SUFFIX with an online task.

    Checks the users before the import, generates the LDIF, starts an
    ImportTask on the standalone instance, asserts that the task entry
    carries the expected attributes, waits for the task and then searches
    for the user.
    """
    _check_users_before_test(topo, no_no)
    ldif_path = topo.standalone.get_ldif_dir() + '/basic_import.ldif'
    _generate_ldif(topo, no_no)

    # Online import through a task entry
    task = ImportTask(topo.standalone)
    task.import_suffix_from_ldif(ldiffile=ldif_path, suffix=DEFAULT_SUFFIX)

    # Fixed delay so the task entry exists before it is searched.
    time.sleep(0.5)

    # Attributes the task entry is expected to expose while it runs;
    # nstaskcreated is only checked when ds_is_newer('1.4.1.2') is true.
    expected_attrs = ['nstasklog', 'nstaskcurrentitem', 'nstasktotalitems', 'ttl']
    if ds_is_newer('1.4.1.2'):
        expected_attrs.insert(0, 'nstaskcreated')
    for attr in expected_attrs:
        assert task.present(attr)

    task.wait()
    # NOTE(review): the results of both log searches are discarded. If these
    # helpers return a match result rather than raising, a missing ADD record
    # or "Import complete." line would not fail the test - confirm whether
    # they should be asserted.
    topo.standalone.searchAccessLog('ADD dn="cn=import')
    topo.standalone.searchErrorsLog('import userRoot: Import complete.')
    _search_for_user(topo, no_no)
コード例 #3
 def list_files(self):
     """Return the *.ldif schema files found for this instance.

     The instance schemadir is always searched; the system schema
     directory is added when ds_is_newer('1.3.6.0') is true.
     """
     schema_files = glob.glob(self.conn.schemadir + "/*.ldif")
     if ds_is_newer('1.3.6.0'):
         system_files = glob.glob(self.conn.ds_paths.system_schema_dir + "/*.ldif")
         schema_files.extend(system_files)
     return schema_files
コード例 #4
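def test_unhashed_pw_switch(topo_supplier):
    """Check that nsslapd-unhashed-pw-switch works correctly

    :id: e5aba180-d174-424d-92b0-14fe7bb0b92a
    :setup: Supplier Instance
    :steps:
        1. A Supplier is created, enable retrocl (not used here)
        2. Create a set of users
        3. update userpassword of user1 and check that unhashed#user#password is not logged (default)
        4. update userpassword of user2 and check that unhashed#user#password is not logged ('nolog')
        5. update userpassword of user3 and check that unhashed#user#password is logged ('on')
    :expectedresults:
        1. Success
        2. Success
        3. Success (unhashed#user#password is not logged in the replication changelog)
        4. Success (unhashed#user#password is not logged in the replication changelog)
        5. Success (unhashed#user#password is logged in the replication changelog)
    """
    MAX_USERS = 10
    PEOPLE_DN = ("ou=people," + DEFAULT_SUFFIX)

    inst = topo_supplier.ms["supplier1"]
    inst.modify_s("cn=Retro Changelog Plugin,cn=plugins,cn=config",
                  [(ldap.MOD_REPLACE, 'nsslapd-changelogmaxage', b'2m'),
                   (ldap.MOD_REPLACE, 'nsslapd-changelog-trim-interval', b"5s"),
                   (ldap.MOD_REPLACE, 'nsslapd-logAccess', b'on')])
    inst.config.loglevel(vals=[256 + 4], service='access')
    inst.restart()

    # Enable dynamic plugins and the retro changelog plugin.
    log.info('Enable plugins...')
    try:
        inst.modify_s(DN_CONFIG,
                      [(ldap.MOD_REPLACE, 'nsslapd-dynamic-plugins', b'on')])
    except ldap.LDAPError as e:
        # Report through the module logger: ldap.error is python-ldap's
        # exception class, so calling it logs nothing. str(e) is used because
        # Python 3 exceptions have no .message attribute.
        log.error('Failed to enable dynamic plugins! ' + str(e))
        assert False

    inst.plugins.enable(name=PLUGIN_RETRO_CHANGELOG)
    inst.restart()

    log.info('create users and group...')
    # range(1, MAX_USERS) creates uid=member1 .. uid=member9.
    for idx in range(1, MAX_USERS):
        USER_DN = ("uid=member%d,%s" % (idx, PEOPLE_DN))
        try:
            inst.add_s(Entry((USER_DN,
                              {'objectclass': 'top extensibleObject'.split(),
                               'uid': 'member%d' % (idx)})))
        except ldap.LDAPError as e:
            log.fatal('Failed to add user (%s): error %s' % (USER_DN, str(e)))
            assert False

    # Check default is that unhashed#user#password is not logged on 1.4.1.6+
    # user1 of the test plan: one of the uid=member%d entries created above.
    user = "uid=member1,%s" % (PEOPLE_DN)
    inst.modify_s(user, [(ldap.MOD_REPLACE,
                          'userpassword',
                          PASSWORD.encode())])
    inst.stop()
    if ds_is_newer('1.4.1.6'):
        _check_unhashed_userpw(inst, user, is_present=False)
    else:
        _check_unhashed_userpw(inst, user, is_present=True)

    # NOTE(review): the instance was stopped above and no start() is visible
    # before this modify_s; presumably _check_unhashed_userpw brings the
    # server back up - confirm against the helper.
    #  Check with nolog that unhashed#user#password is not logged
    inst.modify_s(DN_CONFIG,
                  [(ldap.MOD_REPLACE,
                    'nsslapd-unhashed-pw-switch',
                    b'nolog')])
    inst.restart()
    user = "uid=member2,%s" % (PEOPLE_DN)
    inst.modify_s(user, [(ldap.MOD_REPLACE,
                          'userpassword',
                          PASSWORD.encode())])
    inst.stop()
    _check_unhashed_userpw(inst, user, is_present=False)

    #  Check with value 'on' that unhashed#user#password is logged
    # With 'on' the cleartext password is expected in the replication
    # changelog (step 5), so this setting belongs on a throwaway test
    # instance only.
    inst.modify_s(DN_CONFIG,
                  [(ldap.MOD_REPLACE,
                    'nsslapd-unhashed-pw-switch',
                    b'on')])
    inst.restart()
    user = "uid=member3,%s" % (PEOPLE_DN)
    inst.modify_s(user, [(ldap.MOD_REPLACE,
                          'userpassword',
                          PASSWORD.encode())])
    inst.stop()
    _check_unhashed_userpw(inst, user, is_present=True)

    if DEBUGGING:
        # Add debugging steps(if any)...
        pass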
コード例 #5
    users._list_attrlist = [f'cn{i}' for i in range(512)]
    log.info("Make a search")
    users.filter(f'(|(objectclass=tester){large_str_filter}(cn=ending))')

    log.info('Restart the server to flush the logs')
    topo.restart()

    assert topo.ds_access_log.match(r'.*cn=test,cn=test,.*')
    assert topo.ds_access_log.match(r'.*objectClass=tester.*')
    assert topo.ds_access_log.match(r'.*cn10.*')
    assert not topo.ds_access_log.match(r'.*dc=ending.*')
    assert not topo.ds_access_log.match(r'.*cn=ending.*')
    assert not topo.ds_access_log.match(r'.*cn500.*')


@pytest.mark.skipif(ds_is_newer("1.4.3"), reason="rsearch was removed")
@pytest.mark.xfail(ds_is_older('1.4.2.0'),
                   reason="May fail because of bug 1732053")
@pytest.mark.bz1732053
@pytest.mark.ds50510
def test_etime_at_border_of_second(topology_st, clean_access_logs):
    topo = topology_st.standalone

    prog = os.path.join(topo.ds_paths.bin_dir, 'rsearch')

    cmd = [prog]

    # base search
    cmd.extend(['-s', DN_CONFIG])

    # scope of the search
コード例 #6
def test_basic(topology_st, user):
    """Test basic password policy history feature functionality

    :id: 83d74f7d-3036-4944-8839-1b40bbf265ff
    :setup: Standalone instance, a test user
    :steps:
        1. Configure password history policy as below:
             passwordHistory: on
             passwordInHistory: 3
             passwordChange: on
             passwordStorageScheme: CLEAR
        2. Attempt to change password to the same password
        3. Change password four times
        4. Check that we only have 3 passwords stored in history
        5. Attempt to change the password to previous passwords
        6. Reset password by Directory Manager (admin reset)
        7. Try and change the password to the previous password before the reset
        8. Test passwordInHistory set to "0" rejects only the current password
        9. Test passwordInHistory set to "2" rejects previous passwords
    :expectedresults:
        1. Password history policy should be configured successfully
        2. Password change should be correctly rejected
           with Constraint Violation error
        3. Password should be successfully changed
        4. Only 3 passwords should be stored in history
        5. Password changes should be correctly rejected
           with Constraint Violation error
        6. Password should be successfully reset
        7. Password change should be correctly rejected
           with Constraint Violation error
        8. Success
        9. Success
    """

    #
    # Configure password history policy and add a test user
    #
    # NOTE(review): passwordStorageScheme CLEAR keeps password values
    # unhashed, and the audit log is switched on in the same call, so the
    # test passwords presumably end up readable in the entry, its
    # passwordHistory and the audit log - settings for a disposable test
    # instance only; confirm they are reset by the fixture.
    try:
        topology_st.standalone.config.replace_many(
            ('passwordHistory', 'on'), ('passwordInHistory', '3'),
            ('passwordChange', 'on'), ('passwordStorageScheme', 'CLEAR'),
            ('nsslapd-auditlog-logging-enabled', 'on'))
        log.info('Configured password policy.')
    except ldap.LDAPError as e:
        log.fatal('Failed to configure password policy: ' + str(e))
        assert False
    # Fixed delay after the config change before binding as the user.
    time.sleep(1)

    # Bind as the test user
    user.rebind(USER_PWD)

    #
    # Test that password history is enforced.
    #
    # Attempt to change password to the same password
    # A successful set() here is the failure case; CONSTRAINT_VIOLATION is
    # the expected outcome.
    try:
        user.set('userpassword', 'password')
        log.info('Incorrectly able to to set password to existing password.')
        assert False
    except ldap.CONSTRAINT_VIOLATION:
        log.info('Password change correctly rejected')
    except ldap.LDAPError as e:
        # NOTE(review): this listing is redacted at the `******` marker: the
        # end of the log.fatal call and the statements up to the next
        # user.set(...) are missing, so the line below is not valid Python as
        # shown. The same gap recurs at every `******` further down.
        log.fatal('Failed to attempt to change password: '******'userpassword', 'password1')
    # Step 3: change the password four times, rebinding with each new value.
    user.rebind('password1')
    time.sleep(.5)
    user.set('userpassword', 'password2')
    user.rebind('password2')
    time.sleep(.5)
    user.set('userpassword', 'password3')
    user.rebind('password3')
    time.sleep(.5)
    user.set('userpassword', 'password4')
    user.rebind('password4')
    time.sleep(.5)

    #
    # Check that we only have 3 passwords stored in history
    #
    pwds = user.get_attr_vals('passwordHistory')
    if len(pwds) != 3:
        log.fatal('Incorrect number of passwords stored in history: %d' %
                  len(pwds))
        log.error('password history: ' + str(pwds))
        assert False
    else:
        log.info('Correct number of passwords found in history.')

    #
    # Attempt to change the password to previous passwords
    #
    try:
        user.set('userpassword', 'password1')
        log.fatal('Incorrectly able to to set password to previous password1.')
        log.fatal('password history: ' +
                  str(user.get_attr_vals('passwordhistory')))
        assert False
    except ldap.CONSTRAINT_VIOLATION:
        log.info('Password change correctly rejected')
    except ldap.LDAPError as e:
        # NOTE(review): redaction gap - lines missing after this log.fatal call.
        log.fatal('Failed to attempt to change password: '******'userpassword', 'password2')
        log.fatal('Incorrectly able to to set password to previous password2.')
        log.fatal('password history: ' +
                  str(user.get_attr_vals('passwordhistory')))
        assert False
    except ldap.CONSTRAINT_VIOLATION:
        log.info('Password change correctly rejected')
    except ldap.LDAPError as e:
        # NOTE(review): redaction gap - lines missing after this log.fatal call.
        log.fatal('Failed to attempt to change password: '******'userpassword', 'password3')
        log.fatal('Incorrectly able to to set password to previous password3.')
        log.fatal('password history: ' +
                  str(user.get_attr_vals('passwordhistory')))
        assert False
    except ldap.CONSTRAINT_VIOLATION:
        log.info('Password change correctly rejected')
    except ldap.LDAPError as e:
        # NOTE(review): redaction gap - the admin reset of step 6 presumably
        # sat in the missing lines; only its tail ('password-reset') is visible.
        log.fatal('Failed to attempt to change password: '******'userpassword', 'password-reset')
    time.sleep(1)

    # Try and change the password to the previous password before the reset
    try:
        user.rebind('password-reset')
        user.set('userpassword', 'password4')
        log.fatal('Incorrectly able to to set password to previous password4.')
        log.fatal('password history: ' +
                  str(user.get_attr_vals('passwordhistory')))
        assert False
    except ldap.CONSTRAINT_VIOLATION:
        log.info('Password change correctly rejected')
    except ldap.LDAPError as e:
        # NOTE(review): redaction gap - the lines that open the deeper-indented
        # section below (step 8, passwordInHistory set to 0) are not shown.
        log.fatal('Failed to attempt to change password: '******'passwordInHistory', '0')
            log.info('Configured passwordInHistory to 0.')
        except ldap.LDAPError as e:
            log.fatal(
                'Failed to configure password policy (passwordInHistory to 0): '
                + str(e))
            assert False
        time.sleep(1)

        # Verify the older passwords in the entry (passwordhistory) are ignored
        user.rebind('password-reset')
        user.set('userpassword', 'password4')
        time.sleep(.5)
        # Setting the current password again must still be rejected.
        try:
            user.set('userpassword', 'password4')
            log.fatal(
                'Incorrectly able to to set password to current password4.')
            log.fatal('password history: ' +
                      str(user.get_attr_vals('passwordhistory')))
            assert False
        except ldap.CONSTRAINT_VIOLATION:
            log.info('Password change correctly rejected')
        except ldap.LDAPError as e:
            # NOTE(review): redaction gap - lines missing after this log.fatal call.
            log.fatal('Failed to attempt to change password: '******'userpassword', 'password5')

    #
    # Set the history count back to a positive value and make sure things still work
    # as expected
    #
    # Rebind as Directory Manager before changing the server configuration.
    dm = DirectoryManager(topology_st.standalone)
    dm.rebind()
    try:
        topology_st.standalone.config.replace('passwordInHistory', '2')
        log.info('Configured passwordInHistory to 2.')
    except ldap.LDAPError as e:
        log.fatal(
            'Failed to configure password policy (passwordInHistory to 2): ' +
            str(e))
        assert False
    time.sleep(1)

    try:
        user.rebind('password5')
        user.set('userpassword', 'password5')
        log.fatal('Incorrectly able to to set password to current password5.')
        log.fatal('password history: ' +
                  str(user.get_attr_vals('passwordhistory')))
        assert False
    except ldap.CONSTRAINT_VIOLATION:
        log.info('Password change correctly rejected')
    except ldap.LDAPError as e:
        # NOTE(review): redaction gap - lines missing after this log.fatal call.
        log.fatal('Failed to attempt to change password: '******'userpassword', 'password1')
    except ldap.LDAPError as e:
        # NOTE(review): redaction gap - lines missing after this log.fatal call.
        log.fatal('Failed to attempt to change password: '******'password history: ' +
                  str(user.get_attr_vals('passwordhistory')))
        assert False

    # Done
    log.info('Test suite PASSED.')