def test_case_insensitive(ldap_conn, simple_ad):
    """Resolve 'Domain Users' through every lookup direction.

    The group name carries upper-case letters; the final ``getnamebysid``
    check expects the lower-cased spelling, which is what makes this a
    case-insensitivity test.
    """
    # resolve group and also member of this group
    group = 'Domain Users'
    group_id = grp.getgrnam(group).gr_gid
    group_sid = 'S-1-5-21-1305200397-2901131868-73388776-513'

    def check_group(lookup, key, field, expected):
        # Every successful lookup must classify the object as a group and
        # carry the expected value under *field*.
        entry = lookup(key)[key]
        assert entry[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
        assert entry[field] == expected

    check_group(pysss_nss_idmap.getsidbyname, group,
                pysss_nss_idmap.SID_KEY, group_sid)
    check_group(pysss_nss_idmap.getsidbyid, group_id,
                pysss_nss_idmap.SID_KEY, group_sid)
    check_group(pysss_nss_idmap.getsidbygid, group_id,
                pysss_nss_idmap.SID_KEY, group_sid)
    # The GID must not resolve through the user-only lookup.
    assert not pysss_nss_idmap.getsidbyuid(group_id)
    check_group(pysss_nss_idmap.getidbysid, group_sid,
                pysss_nss_idmap.ID_KEY, group_id)
    check_group(pysss_nss_idmap.getnamebysid, group_sid,
                pysss_nss_idmap.NAME_KEY, group.lower())
def test_ignore_unreadable_references(ldap_conn, simple_ad_ignore_unrdbl_refs):
    """Resolve a group in every lookup direction under the
    ``simple_ad_ignore_unrdbl_refs`` fixture.

    NOTE(review): the fixture name suggests SSSD is configured to ignore
    unreadable references here; the test body itself only checks that the
    SID/ID/name round trips still agree.
    """
    group = 'group3_dom1-17775'
    group_id = grp.getgrnam(group).gr_gid
    group_sid = 'S-1-5-21-1305200397-2901131868-73388776-82764'

    def check_group(lookup, key, field, expected):
        # Each lookup must report a group and the expected *field* value.
        entry = lookup(key)[key]
        assert entry[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
        assert entry[field] == expected

    check_group(pysss_nss_idmap.getsidbyname, group,
                pysss_nss_idmap.SID_KEY, group_sid)
    check_group(pysss_nss_idmap.getsidbyid, group_id,
                pysss_nss_idmap.SID_KEY, group_sid)
    check_group(pysss_nss_idmap.getsidbygid, group_id,
                pysss_nss_idmap.SID_KEY, group_sid)
    # The GID must not resolve through the user-only lookup.
    assert not pysss_nss_idmap.getsidbyuid(group_id)
    check_group(pysss_nss_idmap.getidbysid, group_sid,
                pysss_nss_idmap.ID_KEY, group_id)
    check_group(pysss_nss_idmap.getnamebysid, group_sid,
                pysss_nss_idmap.NAME_KEY, group)
def test_user_operations(ldap_conn, simple_ad):
    """Resolve a user in every lookup direction and check that the
    SID, numeric ID and name all agree and are typed as a user.
    """
    user = '******'
    user_id = pwd.getpwnam(user).pw_uid
    user_sid = 'S-1-5-21-1305200397-2901131868-73388776-82809'

    def check_user(lookup, key, field, expected):
        # Each lookup must report a user and the expected *field* value.
        entry = lookup(key)[key]
        assert entry[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_USER
        assert entry[field] == expected

    check_user(pysss_nss_idmap.getsidbyname, user,
               pysss_nss_idmap.SID_KEY, user_sid)
    check_user(pysss_nss_idmap.getsidbyid, user_id,
               pysss_nss_idmap.SID_KEY, user_sid)
    check_user(pysss_nss_idmap.getsidbyuid, user_id,
               pysss_nss_idmap.SID_KEY, user_sid)
    # The UID must not resolve through the group-only lookup.
    assert not pysss_nss_idmap.getsidbygid(user_id)
    check_user(pysss_nss_idmap.getidbysid, user_sid,
               pysss_nss_idmap.ID_KEY, user_id)
    check_user(pysss_nss_idmap.getnamebysid, user_sid,
               pysss_nss_idmap.NAME_KEY, user)
def test_group_operations(ldap_conn, simple_ad):
    """Resolve a group in every lookup direction and check that the
    SID, numeric ID and name all agree and are typed as a group.
    """
    group = 'group1_dom1-19661'
    group_id = grp.getgrnam(group).gr_gid
    group_sid = 'S-1-5-21-1305200397-2901131868-73388776-82810'

    def check_group(lookup, key, field, expected):
        # Each lookup must report a group and the expected *field* value.
        entry = lookup(key)[key]
        assert entry[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
        assert entry[field] == expected

    check_group(pysss_nss_idmap.getsidbyname, group,
                pysss_nss_idmap.SID_KEY, group_sid)
    check_group(pysss_nss_idmap.getsidbyid, group_id,
                pysss_nss_idmap.SID_KEY, group_sid)
    check_group(pysss_nss_idmap.getsidbygid, group_id,
                pysss_nss_idmap.SID_KEY, group_sid)
    # The GID must not resolve through the user-only lookup.
    assert not pysss_nss_idmap.getsidbyuid(group_id)
    check_group(pysss_nss_idmap.getidbysid, group_sid,
                pysss_nss_idmap.ID_KEY, group_id)
    check_group(pysss_nss_idmap.getnamebysid, group_sid,
                pysss_nss_idmap.NAME_KEY, group)
def get_trusted_domain_user_and_groups(self, object_name):
    """
    Return ``(object_sid, group_sids)`` for *object_name*: the user's SID
    and a list of SIDs of all groups the user is a member of.

    *object_name* may be a SID or a name; ``is_sid_valid`` decides which.
    Resolution is attempted through SSSD first (``pysss_nss_idmap`` plus
    ``pysss.getgrouplist``).  Only when SSSD yields no group list does it
    fall back to ``self.__get_trusted_domain_user_and_groups``, which
    queries the trusted domain's AD DC over LDAP directly.

    LIMITATIONS:
    - only Trusted Admins group members can use this function as it uses
      secret for IPA-Trusted domain link if SSSD lookup failed
    - List of group SIDs does not contain group memberships outside of the
      trusted domain
    """
    object_sid = None
    group_list = None

    if is_sid_valid(object_name):
        # Caller passed a SID: keep it and resolve the name, which is what
        # getgrouplist needs.
        object_sid = object_name
        entry = pysss_nss_idmap.getnamebysid(object_name).get(object_name, {})
        if pysss_nss_idmap.NAME_KEY in entry:
            group_list = pysss.getgrouplist(entry[pysss_nss_idmap.NAME_KEY])
    else:
        # Caller passed a name: resolve the SID, then enumerate groups by name.
        entry = pysss_nss_idmap.getsidbyname(object_name).get(object_name, {})
        if pysss_nss_idmap.SID_KEY in entry:
            object_sid = entry[pysss_nss_idmap.SID_KEY]
            group_list = pysss.getgrouplist(object_name)

    if not group_list:
        # SSSD could not enumerate groups; fall back to the direct LDAP path.
        return self.__get_trusted_domain_user_and_groups(object_name)

    group_sids = pysss_nss_idmap.getsidbyname(group_list)
    sid_list = [item[pysss_nss_idmap.SID_KEY] for item in group_sids.values()]
    return (object_sid, sid_list)
def test_case_insensitive(ldap_conn, simple_ad):
    """Resolve 'Domain Users' through every lookup direction.

    The group name carries upper-case letters; the final ``getnamebysid``
    check expects the lower-cased spelling, which is what makes this a
    case-insensitivity test.
    """
    # resolve group and also member of this group
    group = 'Domain Users'
    group_id = grp.getgrnam(group).gr_gid
    group_sid = 'S-1-5-21-1305200397-2901131868-73388776-513'

    def check_group(lookup, key, field, expected):
        # Every successful lookup must classify the object as a group and
        # carry the expected value under *field*.
        entry = lookup(key)[key]
        assert entry[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
        assert entry[field] == expected

    check_group(pysss_nss_idmap.getsidbyname, group,
                pysss_nss_idmap.SID_KEY, group_sid)
    check_group(pysss_nss_idmap.getsidbyid, group_id,
                pysss_nss_idmap.SID_KEY, group_sid)
    check_group(pysss_nss_idmap.getsidbygid, group_id,
                pysss_nss_idmap.SID_KEY, group_sid)
    # The GID must not resolve through the user-only lookup.
    assert not pysss_nss_idmap.getsidbyuid(group_id)
    check_group(pysss_nss_idmap.getidbysid, group_sid,
                pysss_nss_idmap.ID_KEY, group_id)
    check_group(pysss_nss_idmap.getnamebysid, group_sid,
                pysss_nss_idmap.NAME_KEY, group.lower())
def test_group_operations(ldap_conn, simple_ad):
    """Resolve a group in every lookup direction and check that the
    SID, numeric ID and name all agree and are typed as a group.
    """
    group = 'group3_dom1-17775'
    group_id = grp.getgrnam(group).gr_gid
    group_sid = 'S-1-5-21-1305200397-2901131868-73388776-82764'

    def check_group(lookup, key, field, expected):
        # Each lookup must report a group and the expected *field* value.
        entry = lookup(key)[key]
        assert entry[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP
        assert entry[field] == expected

    check_group(pysss_nss_idmap.getsidbyname, group,
                pysss_nss_idmap.SID_KEY, group_sid)
    check_group(pysss_nss_idmap.getsidbyid, group_id,
                pysss_nss_idmap.SID_KEY, group_sid)
    check_group(pysss_nss_idmap.getsidbygid, group_id,
                pysss_nss_idmap.SID_KEY, group_sid)
    # The GID must not resolve through the user-only lookup.
    assert not pysss_nss_idmap.getsidbyuid(group_id)
    check_group(pysss_nss_idmap.getidbysid, group_sid,
                pysss_nss_idmap.ID_KEY, group_id)
    check_group(pysss_nss_idmap.getnamebysid, group_sid,
                pysss_nss_idmap.NAME_KEY, group)
def test_user_operations(ldap_conn, simple_ad):
    """Resolve a user in every lookup direction and check that the
    SID, numeric ID and name all agree and are typed as a user.
    """
    user = '******'
    user_id = pwd.getpwnam(user).pw_uid
    user_sid = 'S-1-5-21-1305200397-2901131868-73388776-82809'

    def check_user(lookup, key, field, expected):
        # Each lookup must report a user and the expected *field* value.
        entry = lookup(key)[key]
        assert entry[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_USER
        assert entry[field] == expected

    check_user(pysss_nss_idmap.getsidbyname, user,
               pysss_nss_idmap.SID_KEY, user_sid)
    check_user(pysss_nss_idmap.getsidbyid, user_id,
               pysss_nss_idmap.SID_KEY, user_sid)
    check_user(pysss_nss_idmap.getsidbyuid, user_id,
               pysss_nss_idmap.SID_KEY, user_sid)
    # The UID must not resolve through the group-only lookup.
    assert not pysss_nss_idmap.getsidbygid(user_id)
    check_user(pysss_nss_idmap.getidbysid, user_sid,
               pysss_nss_idmap.ID_KEY, user_id)
    check_user(pysss_nss_idmap.getnamebysid, user_sid,
               pysss_nss_idmap.NAME_KEY, user)
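def check(self):
    """Verify that every trusted AD domain is usable through SSSD.

    For each entry returned by ``get_trust_domains()`` this generator
    yields ``Result`` objects for two probes:

    - the domain SID is resolvable via ``pysss_nss_idmap.getnamebysid``
      (RID 500, the domain's built-in Administrator account, is appended
      as the probe object because it exists in every AD domain);
    - ``sssctl domain-status <domain> --active-server`` reports both an
      AD Global Catalog and an AD Domain Controller.

    Yields nothing on a host that is not a trust agent.  Failures of
    ``get_trust_domains()`` itself are reported as a WARNING keyed
    ``trust-find``; per-domain failures are reported as ERROR and the
    remaining probes for that domain are skipped.
    """
    if not self.registry.trust_agent:
        logger.debug('Not a trust agent, skipping')
        return

    try:
        trust_domains = get_trust_domains()
    except Exception as e:
        yield Result(self, constants.WARNING,
                     key='trust-find',
                     error=str(e),
                     msg='Execution of {key} failed: {error}')
        trust_domains = []

    for trust_domain in trust_domains:
        sid = trust_domain.get('domainsid')
        domain = trust_domain.get('domain')

        if not sid:
            # Report a missing SID explicitly instead of letting the
            # concatenation below raise TypeError and be misreported as a
            # lookup failure keyed on None.
            yield Result(self, constants.ERROR,
                         key=domain,
                         error='no domainsid attribute',
                         msg='Trust domain {key}: {error}')
            continue

        try:
            lookup = pysss_nss_idmap.getnamebysid(sid + '-500')
        except Exception as e:
            yield Result(self, constants.ERROR,
                         key=sid,
                         error=str(e),
                         msg='Look up of {key} failed: {error}')
            continue

        if not lookup:
            yield Result(self, constants.WARNING,
                         key=sid,
                         error='returned nothing',
                         msg='Look up of {key} {error}')
        else:
            yield Result(self, constants.SUCCESS,
                         key='Domain Security Identifier',
                         sid=sid)

        # argv list, not a shell string: the domain name read from the
        # trust entry reaches sssctl as a single argument.
        args = [paths.SSSCTL, "domain-status", domain, "--active-server"]
        try:
            result = ipautil.run(args, capture_output=True)
        except Exception as e:
            yield Result(self, constants.ERROR,
                         key='domain-status',
                         error=str(e),
                         msg='Execution of {key} failed: {error}')
            continue

        for txt in ('AD Global Catalog', 'AD Domain Controller'):
            if txt not in result.output:
                yield Result(self, constants.ERROR,
                             key=txt,
                             output=result.output.strip(),
                             sssctl=paths.SSSCTL,
                             domain=domain,
                             msg='{key} not found in {sssctl} '
                                 '\'domain-status\' output: {output}')
            else:
                yield Result(self, constants.SUCCESS,
                             key=txt,
                             domain=domain)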