'passwordInHistory': 5, 'passwordCheckSyntax': 'on', 'passwordGraceLimit': 3, 'passwordLockoutDuration': 1800, 'passwordResetFailureCount': 1800, 'passwordMaxFailure': nattempts, 'passwordLockout': 'on' } m1.setPwdPolicy(pwdpolicy) m2.setPwdPolicy(pwdpolicy) #m1.setPwdPolicy(passwordLockout="on", passwordisglobalpolicy="on") #m2.setPwdPolicy(passwordLockout="on", passwordisglobalpolicy="on") opattrs = [ 'passwordRetryCount', 'retryCountResetTime', 'accountUnlockTime', 'passwordExpirationTime', 'modifyTimestamp', 'modifiersName' ] print "Do %d attempts to bind with incorrect password . . ." % nattempts userconn = DSAdmin(host1, port1) for xx in range(0, nattempts+1): try: userconn.simple_bind_s(userdn, "boguspassword") except ldap.INVALID_CREDENTIALS: print "password was not correct" except ldap.CONSTRAINT_VIOLATION: print "too many password attempts" print "m1 pwd attrs" print "%s" % m1.getEntry(userdn, ldap.SCOPE_BASE, "(objectclass=*)", opattrs) print "m2 pwd attrs" print "%s" % m2.getEntry(userdn, ldap.SCOPE_BASE, "(objectclass=*)", opattrs) mymod = [(ldap.MOD_REPLACE, "description", "changed %d" % xx)] m1.modify_s(userdn, mymod) userconn.unbind() print "sleep to let repl propagate . . ." time.sleep(5)
# Both masters bind with the same root DN and password (root1 is defined
# earlier in the file, outside this view).
root2 = root1
rootpw1 = 'password'
rootpw2 = rootpw1
basedn = "dc=example,dc=com"
# Replication settings shared by both masters.  The replication bind
# account lives under cn=config and authenticates with SASL/DIGEST-MD5,
# so the password below must be stored in a DIGEST-MD5-compatible form
# on the consumer side.
m1replargs = {
    'suffix': basedn,
    'bename': "userRoot",
    'binddn': "cn=replrepl,cn=config",
    'bindcn': "replrepl",
    'bindpw': "replrepl",
    'bindmethod': 'SASL/DIGEST-MD5',
    'log': False
}
m1 = DSAdmin(host1, port1, root1, rootpw1)
m1.replicaSetupAll(m1replargs)
# NOTE: this is an alias, not a copy - both names refer to one dict, so an
# in-place change through either name is seen by both masters' setup.
m2replargs = m1replargs
m2 = DSAdmin(host2, port2, root2, rootpw2)
m2.replicaSetupAll(m2replargs)
print "create agreements and init consumers"
# m1 -> m2 agreement first; the reverse agreement is created only after the
# initial consumer init has completed.
agmtm1tom2 = m1.setupAgreement(m2, m1replargs)
time.sleep(5)
# Error-log level bit 1024; which subsystem it enables is not shown here -
# confirm against the server's nsslapd-errorlog-level documentation.
m1.setLogLevel(1024)
m1.startReplication_async(agmtm1tom2)
print "waiting for init to finish"
time.sleep(5)
m1.waitForReplInit(agmtm1tom2)
agmtm2tom1 = m2.setupAgreement(m1, m2replargs)
# The sample data shipped with the server install; PREFIX overrides the
# default /usr install root.
initfile = "%s/share/dirsrv/data/Example.ldif" % os.environ.get(
    'PREFIX', '/usr')
m1.importLDIF(initfile, '', "userRoot", True)
#m1.setLogLevel(65535)
print "Add the filtered group entry with bogus filter"
dn = "cn=TestDynamicGroup,dc=example,dc=com"
ent = Entry(dn)
ent.setValues('description', "Dynamic test group")
ent.setValues('objectclass', 'top', 'groupofuniquenames', 'groupofurls')
# The memberurl filter is intentionally malformed: the '(&' term is never
# closed (one ')' short), which is the "bogus filter" this test exercises.
ent.setValues(
    'memberurl',
    'ldap:///dc=example,dc=com??sub?(&(objectclass=person)(uid=scart*)')
#ent.cn = 'TestDynamicGroup'
m1.add_s(ent)
print "Add the bogus aci for that group"
# ACI on the suffix granting all rights to members of the dynamic group, so
# access evaluation has to resolve the malformed memberurl.  The ACL name
# suggests this reproduces a server crash.  MOD_REPLACE overwrites any aci
# values already present on the suffix entry.
addmod = [(
    ldap.MOD_REPLACE, 'aci',
    '(targetattr = "*") (version 3.0;acl "Test Crash ACL";allow (all)(groupdn = "ldap:///cn=TestDynamicGroup,dc=example,dc=com");)'
)]
m1.modify_s("dc=example,dc=com", addmod)
#m1.setLogLevel(0)
print "Do a search binding as a member of the group"
# scarter matches the group's uid=scart* term; the password presumably comes
# from the imported Example.ldif - confirm there if the bind fails.
conn = DSAdmin(host1, port1, "uid=scarter,ou=people,dc=example,dc=com", "sprain")
entries = conn.search_s("uid=scarter,ou=people,dc=example,dc=com", ldap.SCOPE_BASE, "objectclass=*")
print "Fake AD needs extra schema . . ." oidnum = 10000000 ad.addAttr("( 2.16.840.1.113730.3.1.%d NAME 'samAccountName' DESC 'AD uid attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )" % oidnum) oidnum = oidnum + 1 ad.addAttr("( 2.16.840.1.113730.3.1.%d NAME 'objectGUID' DESC 'AD uuid attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE )" % oidnum) oidnum = oidnum + 1 ad.addAttr("( 2.16.840.1.113730.3.1.%d NAME 'userAccountControl' DESC 'AD user account control' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )" % oidnum) oidnum = oidnum + 1 ad.addObjClass("( 2.16.840.1.113730.3.2.%d NAME 'adPerson' DESC 'AD person mixin' SUP top AUXILIARY MAY ( samAccountName $ objectGUID $ name $ userAccountControl ) )" % oidnum) oidnum = oidnum + 1 ad.addAttr("( 2.16.840.1.113730.3.1.%d NAME 'groupType' DESC 'AD group type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape NT Synchronization' )" % oidnum) oidnum = oidnum + 1 ad.addObjClass("( 2.16.840.1.113730.3.2.%d NAME 'group' DESC 'AD group' SUP top STRUCTURAL MAY ( samAccountName $ groupType $ objectGUID $ name $ member $ ou $ cn $ description ) )" % oidnum) oidnum = oidnum + 1 else: ad = DSAdmin(host2, port2, root2, rootpw2) # the list of users we want to check to see if they were synced userids = {} # All IPA users must have these objectclasses - they should be # the same as in the cn=ipaConfig ipaUserObjectClasses list # ntUser either by the winsync code, or when you want an # existing IPA user to be synced with AD userObjClasses = [ 'top', 'person', 'organizationalPerson', 'inetOrgPerson' ] if useds: print "Create sub-ou's on the AD side and add users . . ." ii = 0
# Second master host (host1 is defined earlier, outside this view); both
# masters listen on the default LDAP port.
host2 = "vmf9x8664"
port1 = 389
port2 = port1
# Directory Manager password shared by both masters - a test fixture value.
rootpw = "secret12"
# Replication settings for both masters; the replication bind account lives
# under cn=config.  No bindmethod is given, so the DSAdmin default applies.
m1replargs = {
    'suffix': "dc=example,dc=com",
    'bename': "userRoot",
    'binddn': "cn=replrepl,cn=config",
    'bindcn': "replrepl",
    'bindpw': "replrepl"
    # 'log' : False
}
# Alias of the same dict object, not a copy.
m2replargs = m1replargs
m1 = DSAdmin(host1, port1, "cn=directory manager", rootpw)
m2 = DSAdmin(host2, port2, "cn=directory manager", rootpw)
m1.replicaSetupAll(m1replargs)
m2.replicaSetupAll(m2replargs)
print "create agreements and init consumers"
# m1 -> m2 agreement and consumer init first; the reverse agreement is only
# created once the init has finished.
agmtm1tom2 = m1.setupAgreement(m2, m1replargs)
m1.startReplication_async(agmtm1tom2)
print "waiting for init to finish"
m1.waitForReplInit(agmtm1tom2)
agmtm2tom1 = m2.setupAgreement(m1, m2replargs)
# The script exits here; the assignment below and anything after it in the
# file is never reached.
sys.exit(0)
basedn = "dc=example,dc=com"
# Create the administrative user on the mux (chaining front end); admindn,
# adminpw, mux, farm and suffix are defined earlier, outside this view.
ent = Entry(admindn)
ent.setValues('objectclass', 'inetOrgPerson')
ent.setValues('cn', 'Chain Admin User')
ent.setValues('sn', 'Chain')
ent.setValues('givenName', 'Admin User')
# NOTE(review): the password is a literal here but the bind below uses the
# adminpw variable - confirm the two hold the same value.
ent.setValues('userPassword', "adminpw")
mux.add_s(ent)
# add an aci for this user on the farm
# The ACI grants all rights on the whole suffix to uid=ttestuser,cn=config;
# presumably that DN is admindn - confirm, since a mismatch makes the
# admin adds below fail with insufficient access.
mod = [(
    ldap.MOD_ADD, 'aci',
    '(targetattr = "*") (version 3.0; acl "Administration User ACL";allow (all)(userdn = "ldap:///uid=ttestuser,cn=config");)'
)]
farm.modify_s(suffix, mod)
# Bind to the mux as the admin user; the adds below are proxied to the farm
# through the chaining backend.
admin = DSAdmin(host1, port1, admindn, adminpw)
# add a new user using the admin account, first without user password
dn = "uid=chainuser," + suffix
ent = Entry(dn)
ent.setValues('objectclass', 'inetOrgPerson')
ent.setValues('cn', 'Chain User')
ent.setValues('sn', 'Chain')
ent.setValues('givenName', 'User')
admin.add_s(ent)
print "added entry", dn
# next, try it with userPassword
dn = "uid=chainuser2," + suffix
ent = Entry(dn)
ent.setValues('objectclass', 'inetOrgPerson')
# Dump the entries returned by the previous search (ents comes from code
# outside this view).
for ent in ents:
    print ent
print "start search request . . ."
scope = ldap.SCOPE_SUBTREE
# 'filter' shadows the builtin of the same name; left as-is because later
# code in the file may reference it.  The filter also matches tombstones.
filter = '(|(objectclass=*)(objectclass=nsTombstone))'
serverctrls = [TestCtrl()]
ents = m1.search_s(basedn, scope, filter)
print "search returned %d entries" % len(ents)
print "send abandon with controls . . ."
# search_s is synchronous, so no operation should be outstanding here;
# 999 is presumably an arbitrary, unused message id - the point is to see
# how the server handles a control attached to an abandon.
m1.abandon_ext(999, serverctrls)
print "send abandon without controls . . ."
msgid2 = m1.abandon_ext(999)
print "send unbind with controls . . ."
# for some reason, unbind_ext_s is not passing
# controls passed in - so have to set_option
m1.set_option(ldap.OPT_SERVER_CONTROLS, serverctrls)
m1.unbind_ext_s(serverctrls)
print "try a search after the unbind . . ."
# Expected to fail: the connection was just unbound.  Any LDAPError is
# printed and the test continues on a fresh connection.
try:
    ents = m1.search_s(basedn, scope, filter)
except ldap.LDAPError, e:
    print "caught exception", e
print "open new connection . . ."
m1 = DSAdmin(host1, port1, binddn, bindpw)
print "show active connections . . ."
# Read the connection table from cn=monitor to check that the unbound
# connection was actually released by the server.
ents = m1.search_s("cn=monitor", ldap.SCOPE_BASE, '(objectclass=*)', ['currentconnections', 'connection'])
for ent in ents:
    print ent