def test_undefined_in_group_eval_three(topo, test_user, aci_of_user): """ This aci will allow access :id: 04943dcc-7841-11e8-8c46-8c16451d917b :setup: server :steps: 1. Add test entry 2. Take a count of users using DN_DM 3. Add test user 4. add aci 5. test should fullfil the aci rules :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed 4. Operation should succeed 5. Operation should succeed """ Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) groupdn = "ldap:///{}\ || ldap:///{}";)'.format(GROUPG_GLOBAL, ALLGROUPS_GLOBAL)) conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM) user = Domain(conn, DEEPGROUPSCRATCHENTRY_GLOBAL) # test UNDEFINED in group user.add("sn", "Fred") assert UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL).get_attr_val_utf8('uid') == 'scratchEntry' user.remove("sn", "Fred")
def test_local_password_policy(topo, _add_user): """Regression test for bz1044164 part 1. :id: d6f4a7fa-473b-11ea-8766-8c16451d917b :setup: Standalone :steps: 1. Add a User as Password Admin 2. Create a password admin user entry 3. Add an aci to allow this user all rights 4. Configure password admin 5. Create local password policy and enable passwordmustchange 6. Add another generic user but do not include the password (userpassword) 7. Use admin user to perform a password update on generic user 8. We don't need this ACI anymore. Delete it :expected results: 1. Success 2. Success 3. Success 4. Success 5. Success 6. Success 7. Success 8. Success """ # Add a User as Password Admin # Create a password admin user entry user = _create_user(topo, 'pwadm_admin_1', None) user.replace('userpassword', 'Secret123') domian = Domain(topo.standalone, DEFAULT_SUFFIX) # Add an aci to allow this user all rights domian.set( "aci", f'(targetattr ="userpassword")' f'(version 3.0;acl "Allow password admin to write user ' f'passwords";allow (write)(userdn = "ldap:///{user.dn}");)') # Configure password admin # Create local password policy and enable passwordmustchange Config(topo.standalone).replace_many(('passwordAdminDN', user.dn), ('passwordMustChange', 'off'), ('nsslapd-pwpolicy-local', 'on')) # Add another generic user but do not include the password (userpassword) # Use admin user to perform a password update on generic user real_user = UserAccount(topo.standalone, f'uid=pwadm_admin_1,{DEFAULT_SUFFIX}') conn = real_user.bind('Secret123') UserAccount(conn, f'uid=pwadm_user_1,{DEFAULT_SUFFIX}').replace( 'userpassword', 'hello') # We don't need this ACI anymore. Delete it domian.remove( "aci", f'(targetattr ="userpassword")' f'(version 3.0;acl "Allow password admin to write user ' f'passwords";allow (write)(userdn = "ldap:///{user.dn}");)')
def test_mode_legacy_ger_with_moddn(topology_m2, moddn_setup): """This test checks mode legacy : GER with moddn :id: 37c1e537-1b5d-4fab-b62a-50cd8c5b3493 :setup: MMR with two suppliers, M1 - staging DIT M2 - production DIT add test accounts in staging DIT :steps: 1. Disable ACI checks - set nsslapd-moddn-aci: off 2. Add moddn ACI on M1 3. Search for GER controls on M1 4. Check entryLevelRights value for entries 5. Check 'n' is in the entryLevelRights 6. Try MOD with the both ACI :expectedresults: 1. It should pass 2. It should pass 3. It should pass 4. It should pass 5. It should pass 6. It should pass """ suffix = Domain(topology_m2.ms["supplier1"], SUFFIX) topology_m2.ms["supplier1"].log.info("\n\n######## Disable the moddn aci mod ########\n") _bind_manager(topology_m2) topology_m2.ms["supplier1"].config.set(CONFIG_MODDN_ACI_ATTR, 'off') topology_m2.ms["supplier1"].log.info("\n\n######## mode legacy : GER with moddn ########\n") # being allowed to read/write the RDN attribute use to allow the RDN ACI_TARGET = "(target = \"ldap:///%s\")(targetattr=\"uid\")" % (PRODUCTION_DN) ACI_ALLOW = "(version 3.0; acl \"MODDN production changing the RDN attribute\"; allow (read,search,write)" ACI_SUBJECT = " userdn = \"ldap:///%s\";)" % BIND_DN ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT # successful MOD with the ACI _bind_manager(topology_m2) suffix.add('aci', ACI_BODY) _bind_normal(topology_m2) request_ctrl = GetEffectiveRightsControl(criticality=True, authzId=ensure_bytes("dn: " + BIND_DN)) msg_id = topology_m2.ms["supplier1"].search_ext(PRODUCTION_DN, ldap.SCOPE_SUBTREE, "objectclass=*", serverctrls=[request_ctrl]) rtype, rdata, rmsgid, response_ctrl = topology_m2.ms["supplier1"].result3(msg_id) # ger={} value = '' for dn, attrs in rdata: topology_m2.ms["supplier1"].log.info("dn: %s" % dn) value = attrs['entryLevelRights'][0] topology_m2.ms["supplier1"].log.info("######## entryLevelRights: %r" % value) assert b'n' in value # successful MOD with the both ACI _bind_manager(topology_m2) suffix.remove('aci', ACI_BODY)
def test_admin_group_to_modify_password(topo, _add_user): """Regression test for bz1044164 part 2. :id: 12e09446-52da-11ea-aa11-8c16451d917b :setup: Standalone :steps: 1. Create unique members of admin group 2. Create admin group with unique members 3. Edit ACIs for admin group 4. Add group as password admin 5. Test password admin group to modify password of another admin user 6. Use admin user to perform a password update on Directory Manager user 7. Test password admin group for local password policy 8. Add top level container 9. Add user 10. Create local policy configuration entry 11. Adding admin group for local policy 12. Change user's password by admin user. Break the local policy rule 13. Test password admin group for global password policy 14. Add top level container 15. Change user's password by admin user. Break the global policy rule 16. Add new user in password admin group 17. Modify ordinary user's password 18. Modify user DN using modrdn of a user in password admin group 19. Test assigning invalid value to password admin attribute 20. Try to add more than one Password Admin attribute to config file 21. Use admin group setup from previous testcases, but delete ACI from that 22. Try to change user's password by admin user 23. Restore ACI 24. Edit ACIs for admin group 25. Delete a user from password admin group 26. Change users password by ex-admin user 27. Remove group from password admin configuration 28. Change admins 29. Change user's password by ex-admin user 30. Change admin user's password by ex-admin user :expected results: 1. Success 2. Success 3. Success 4. Success 5. Success 6. Fail(ldap.INSUFFICIENT_ACCESS) 7. Success 8. Success 9. Success 10. Success 11. Success 12. Success 13. Success 14. Success 15. Success 16. Success 17. Success 18. Success 19. Fail 20. Fail 21. Success 22. Success 23. Success 24. Success 25. Success 26. Success 27. Success 28. Success 29. Fail 30. Fail """ # create unique members of admin group admin_grp = UniqueGroups(topo.standalone, DEFAULT_SUFFIX).create(properties={ 'cn': 'pwadm_group_adm', 'description': 'pwadm_group_adm', 'uniqueMember': [f'uid=pwadm_admin_2,ou=People,{DEFAULT_SUFFIX}', f'uid=pwadm_admin_3,ou=People,{DEFAULT_SUFFIX}'] }) # Edit ACIs for admin group Domain(topo.standalone, f"ou=People,{DEFAULT_SUFFIX}").set('aci', f'(targetattr ="userpassword")' f'(version 3.0;acl "Allow passwords admin to write user ' f'passwords";allow (write)(groupdn = "ldap:///{admin_grp.dn}");)') # Add group as password admin Config(topo.standalone).replace('passwordAdminDN', admin_grp.dn) # Test password admin group to modify password of another admin user change_password_of_user(topo, [ ('uid=pwadm_admin_2,ou=People', 'Secret123', 'hello')], f'uid=pwadm_admin_3,ou=people,{DEFAULT_SUFFIX}') # Use admin user to perform a password update on Directory Manager user with pytest.raises(ldap.INSUFFICIENT_ACCESS): change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'hello')], f'{DN_DM},{DEFAULT_SUFFIX}') # Add top level container ou = OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX).create(properties={'ou': 'pwadm_locpol'}) # Change user's password by admin user. Break the global policy rule # Add new user in password admin group user = _create_user(topo, 'pwadm_locpol_user', 'ou=pwadm_locpol') user.replace('userpassword', 'Secret123') # Create local policy configuration entry _create_pwp(topo, ou.dn) # Set parameter for pwp for para_meter, op_op in [ ('passwordLockout', 'on'), ('passwordMaxFailure', '4'), ('passwordLockoutDuration', '10'), ('passwordResetFailureCount', '100'), ('passwordMinLength', '8'), ('passwordAdminDN', f'cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}')]: change_pwp_parameter(topo, 'ou=pwadm_locpol', para_meter, op_op) # Set ACI OrganizationalUnit(topo.standalone, ou.dn).set('aci', f'(targetattr ="userpassword")' f'(version 3.0;acl "Allow passwords admin to write user ' f'passwords";allow (write)' f'(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)') # Change password with new admin change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'Sec')], user.dn) # Set global parameter Config(topo.standalone).replace_many( ('passwordTrackUpdateTime', 'on'), ('passwordGraceLimit', '4'), ('passwordHistory', 'on'), ('passwordInHistory', '4')) # Test password admin group for global password policy change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'Sec')], f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}') # Adding admin group for local policy grp = UniqueGroup(topo.standalone, f'cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}') grp.add('uniqueMember', f'uid=pwadm_admin_4,ou=People,{DEFAULT_SUFFIX}') # Modify ordinary user's password change_password_of_user(topo, [('uid=pwadm_admin_4,ou=People', 'Secret123', 'Secret')], f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}') # Modify user DN using modrdn of a user in password admin group UserAccount(topo.standalone, f'uid=pwadm_admin_4,ou=People,{DEFAULT_SUFFIX}').rename('uid=pwadm_admin_4_new') # Remove admin grp.remove('uniqueMember', f'uid=pwadm_admin_4,ou=People,{DEFAULT_SUFFIX}') # Add Admin grp.add('uniqueMember', f'uid=pwadm_admin_4_new,ou=People,{DEFAULT_SUFFIX}') # Test the group pwp again with pytest.raises(ldap.INVALID_CREDENTIALS): change_password_of_user(topo, [(f'uid=pwadm_admin_4,ou=People', 'Secret123', 'Secret1')], f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}') change_password_of_user(topo, [(f'uid=pwadm_admin_4_new,ou=People', 'Secret123', 'Secret1')], f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}') with pytest.raises(ldap.INVALID_SYNTAX): Config(topo.standalone).replace('passwordAdminDN', "Invalid") # Test assigning invalid value to password admin attribute # Try to add more than one Password Admin attribute to config file with pytest.raises(ldap.OBJECT_CLASS_VIOLATION): Config(topo.standalone).replace('passwordAdminDN', [f'uid=pwadm_admin_2,ou=people,{DEFAULT_SUFFIX}', f'uid=pwadm_admin_3,ou=people,{DEFAULT_SUFFIX}']) # Use admin group setup from previous, but delete ACI from that people = Domain(topo.standalone, f"ou=People,{DEFAULT_SUFFIX}") people.remove('aci', f'(targetattr ="userpassword")(version 3.0;acl ' f'"Allow passwords admin to write user ' f'passwords";allow (write)' f'(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)') # Try to change user's password by admin user with pytest.raises(ldap.INSUFFICIENT_ACCESS): change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'Sec')], f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}') # Restore ACI people.set('aci', f'(targetattr ="userpassword")(version 3.0;acl ' f'"Allow passwords admin to write user ' f'passwords";allow (write)(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)') # Edit ACIs for admin group people.add('aci', f'(targetattr ="userpassword")(version 3.0;acl ' f'"Allow passwords admin to add user ' f'passwords";allow (add)(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)') UserAccount(topo.standalone, f'uid=pwadm_user_2,ou=people,{DEFAULT_SUFFIX}').replace('userpassword', 'Secret') real_user = UserAccount(topo.standalone, f'uid=pwadm_user_2,ou=people,{DEFAULT_SUFFIX}') conn = real_user.bind('Secret') # Test new aci with pytest.raises(ldap.INSUFFICIENT_ACCESS): UserAccounts(conn, DEFAULT_SUFFIX, rdn='ou=People').create(properties={ 'uid': 'ok', 'cn': 'ok', 'sn': 'ok', 'uidNumber': '1000', 'gidNumber': 'ok', 'homeDirectory': '/home/ok'}) UserAccounts(topo.standalone, DEFAULT_SUFFIX).list() real_user = UserAccount(topo.standalone, f'uid=pwadm_admin_2,ou=People,{DEFAULT_SUFFIX}') conn = real_user.bind('Secret123') # Test new aci which has new rights for uid, cn, password in [ ('pwadm_user_3', 'pwadm_user_1', 'U2VjcmV0MTIzCg=='), ('pwadm_user_4', 'pwadm_user_2', 'U2VjcmV0MTIzCg==')]: UserAccounts(conn, DEFAULT_SUFFIX, rdn='ou=People').create(properties={ 'uid': uid, 'cn': cn, 'sn': cn, 'uidNumber': '1000', 'gidNumber': '1001', 'homeDirectory': f'/home/{uid}', 'userpassword': password}) # Remove ACI Domain(topo.standalone, f"ou=People,{DEFAULT_SUFFIX}").remove('aci', f'(targetattr ="userpassword")' f'(version 3.0;acl ' f'"Allow passwords admin to add user ' f'passwords";allow ' f'(add)(groupdn = ' f'"ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)') # Delete a user from password admin group grp = UniqueGroup(topo.standalone, f'cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}') grp.remove('uniqueMember', f'uid=pwadm_admin_2,ou=People,{DEFAULT_SUFFIX}') # Change users password by ex-admin user with pytest.raises(ldap.INSUFFICIENT_ACCESS): change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'Secret')], f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}') # Set aci for only user people = Domain(topo.standalone, f"ou=People,{DEFAULT_SUFFIX}") people.remove('aci', f'(targetattr ="userpassword")(version 3.0;acl ' f'"Allow passwords admin to write user ' f'passwords";allow (write)(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)') people.set('aci', f'(targetattr ="userpassword")(version 3.0;acl "Allow passwords admin ' f'to write user passwords";allow (write)(groupdn = "ldap:///uid=pwadm_admin_1,{DEFAULT_SUFFIX}");)') # Remove group from password admin configuration Config(topo.standalone).replace('passwordAdminDN', f"uid=pwadm_admin_1,{DEFAULT_SUFFIX}") # Change user's password by ex-admin user with pytest.raises(ldap.INSUFFICIENT_ACCESS): change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'hellso')], f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}') with pytest.raises(ldap.INSUFFICIENT_ACCESS): change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'hellso')], f'uid=pwadm_admin_1,{DEFAULT_SUFFIX}')