def test_nestedrole(topo, _final):
    """Deny access through a nested role and check which members it reaches.

    :id: d52a9cw0-3bg6-11e9-9b7b-8c16451d917t
    :setup: Standalone server
    :steps:
        1. Add test entry
        2. Add ACI
        3. Search managed role entries
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    inst = topo.standalone

    # Two managed roles, then one nested role that aggregates both of them.
    managed_roles = ManagedRoles(inst, DEFAULT_SUFFIX)
    role_a = managed_roles.create(properties={"cn": 'managed_role1'})
    role_b = managed_roles.create(properties={"cn": 'managed_role2'})
    nested_role = NestedRoles(inst, DEFAULT_SUFFIX).create(
        properties={"cn": 'nested_role', "nsRoleDN": [role_a.dn, role_b.dn]})

    # Three test users: one per managed role, and a third with no role at all.
    users = UserAccounts(inst, DEFAULT_SUFFIX)
    for number, role_dn in ((1, role_a.dn), (2, role_b.dn), (3, None)):
        account = users.create_test_user(uid=number, gid=number)
        if role_dn is not None:
            account.set('nsRoleDN', role_dn)
        account.set('userPassword', PW_DM)

    # deny(all) keyed on the nested role's DN.
    Domain(inst, DEFAULT_SUFFIX).add(
        'aci',
        f'(targetattr=*)(version 3.0; aci "role aci"; deny(all) roledn="ldap:///{nested_role.dn}";)')

    # Bind as each user in turn. The assertions encode the expectation that
    # holders of either managed role are covered by the nested-role deny,
    # while the role-less user can still see the entries.
    for uid, expect_visible in (('test_user_1', False),
                                ('test_user_2', False),
                                ('test_user_3', True)):
        bound = users.get(uid).bind(PW_DM)
        visible = UserAccounts(bound, DEFAULT_SUFFIX).list()
        if expect_visible:
            assert visible
        else:
            assert not visible
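def fin():
    """Test finalizer: restart, best-effort delete ROLE1, restore the vattr switch.

    ``topo`` is a free name here (presumably a closure over the surrounding
    test's fixture — the enclosing function is not visible in this view).
    Registered, in all likelihood, through ``request.addfinalizer``.
    """
    topo.standalone.restart()
    try:
        ManagedRoles(topo.standalone, DEFAULT_SUFFIX).get('ROLE1').delete()
    except Exception:
        # Best-effort cleanup: the role is usually already gone. Catch only
        # Exception — a bare `except:` also swallows KeyboardInterrupt/SystemExit.
        pass
    # Other tests in this file assert that creating a managed role flips this
    # attribute to 'off'; put it back to the default so later tests start clean.
    topo.standalone.config.set('nsslapd-ignore-virtual-attrs', 'on')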
def test_usandsconf_dbgen_managed_role(topology_st, set_log_file_and_ldif):
    """Test ldifgen (formerly dbgen) tool to create a managed role

    :id: 10e77b41-0bc1-4ad5-a144-2c5107455b91
    :setup: Standalone instance
    :steps:
        1. Create DS instance
        2. Run ldifgen to generate ldif with managed role
        3. Import generated ldif to database
        4. Check it was properly imported
    :expectedresults:
        1. Success
        2. Success
        3. Success
        4. Success
    """
    expected_ldap_result = 'adding new entry "cn=My_Managed_Role,ou=managed roles,dc=example,dc=com"'
    inst = topology_st.standalone

    # Stand-in for the CLI argument namespace consumed by dbgen_create_role.
    # `ldif_file` is not defined in this function — presumably provided at
    # module level by the set_log_file_and_ldif fixture.
    args = FakeArgs()
    args.NAME = 'My_Managed_Role'
    args.parent = 'ou=managed roles,dc=example,dc=com'
    args.create_parent = True
    args.type = 'managed'
    args.filter = None
    args.role_dn = None
    args.ldif_file = ldif_file

    expected_log_lines = [
        'Generating LDIF with the following options:',
        f'NAME={args.NAME}',
        f'parent={args.parent}',
        f'create-parent={args.create_parent}',
        f'type={args.type}',
        f'ldif-file={args.ldif_file}',
        'Writing LDIF',
        f'Successfully created LDIF file: {args.ldif_file}',
    ]

    log.info('Run ldifgen to create managed role ldif')
    dbgen_create_role(inst, log, args)

    log.info('Check if file exists')
    assert os.path.exists(ldif_file)
    check_value_in_log_and_reset(expected_log_lines)

    # Groups, COS, Roles and modification ldifs are designed to be used by ldapmodify, not ldif2db
    run_ldapmodify_from_file(inst, ldif_file, expected_ldap_result)

    log.info('Check that managed role is imported')
    assert ManagedRoles(inst, DEFAULT_SUFFIX).exists(args.NAME)
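def fin():
    """Test finalizer: delete every managed role under the suffix (best effort)
    and verify nsslapd-ignore-virtual-attrs is reported as 'on' again.

    ``topo`` and ``log`` are free names here (presumably closed over from the
    surrounding test, which is not visible in this view).
    """
    topo.standalone.restart()
    try:
        for role in ManagedRoles(topo.standalone, DEFAULT_SUFFIX).list():
            role.delete()
    except Exception as exc:
        # Cleanup must not mask the test result, but a bare `except:` would
        # also eat KeyboardInterrupt/SystemExit; narrow it and leave a trace.
        log.info("Role cleanup skipped: %s", exc)
    log.info(
        "Check the default value of attribute nsslapd-ignore-virtual-attrs is back to ON"
    )
    # Second restart before reading the attribute back: the assertion below
    # expects the value to be re-evaluated once no role definition is left.
    topo.standalone.restart()
    assert topo.standalone.config.get_attr_val_utf8(
        'nsslapd-ignore-virtual-attrs') == "on"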
def finofaci():
    """
    Removes and Restores ACIs and other users after the test.
    """
    inst = topo.standalone
    suffix = Domain(inst, DEFAULT_SUFFIX)

    # ACIs are dropped before the entries are deleted.
    suffix.remove_all('aci')

    # Collect managed roles, nested roles and users (in that order), then
    # delete them all.
    collections = (ManagedRoles(inst, DEFAULT_SUFFIX),
                   NestedRoles(inst, DEFAULT_SUFFIX),
                   UserAccounts(inst, DEFAULT_SUFFIX))
    leftovers = [entry for collection in collections for entry in collection.list()]
    for entry in leftovers:
        entry.delete()

    # `aci_list` is a free name — presumably the ACIs captured before the test.
    for aci in aci_list:
        suffix.add("aci", aci)
def finofaci():
    """
    Removes and Restores ACIs and other users after the test.
    And restore nsslapd-ignore-virtual-attrs to default
    """
    inst = topo.standalone
    suffix = Domain(inst, DEFAULT_SUFFIX)

    # ACIs are dropped before the entries are deleted.
    suffix.remove_all('aci')

    # Collect managed roles, nested roles and users (in that order), then
    # delete them all.
    collections = (ManagedRoles(inst, DEFAULT_SUFFIX),
                   NestedRoles(inst, DEFAULT_SUFFIX),
                   UserAccounts(inst, DEFAULT_SUFFIX))
    leftovers = [entry for collection in collections for entry in collection.list()]
    for entry in leftovers:
        entry.delete()

    # `aci_list` is a free name — presumably the ACIs captured before the test.
    for aci in aci_list:
        suffix.add("aci", aci)

    # Back to the documented default after role-related tests.
    inst.config.set('nsslapd-ignore-virtual-attrs', 'on')
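def test_vattr_on_managed_role_replication(topo, request):
    """Test nsslapd-ignore-virtual-attrs configuration attribute

    The attribute is ON by default. If a managed role is added it is moved to
    OFF in a replication scenario.

    :id: 446f2fc3-bbb2-4835-b14a-cb855db78c6f
    :customerscenario: True
    :setup: Supplier Consumer
    :steps:
        1. Check the attribute nsslapd-ignore-virtual-attrs is present in cn=config over consumer
        2. Check the default value of attribute nsslapd-ignore-virtual-attrs should be ON over consumer
        3. Create a managed role in supplier
        4. Check the value of nsslapd-ignore-virtual-attrs should be OFF over consumer
        5. Check a message "roles_cache_trigger_update_role - Because of virtual attribute.." in error logs of consumer
        6. Check after deleting role definition value of attribute nsslapd-ignore-virtual-attrs is set back to ON over consumer
    :expectedresults:
        1. This should be successful
        2. This should be successful
        3. This should be successful
        4. This should be successful
        5. This should be successful
        6. This should be successful
    """
    s = topo.ms['supplier1']
    c = topo.cs['consumer1']

    def fin():
        """Restart both servers, delete leftover roles on the supplier, and
        check the consumer reports the attribute back at 'on'."""
        s.restart()
        c.restart()
        try:
            for role in ManagedRoles(s, DEFAULT_SUFFIX).list():
                role.delete()
        except Exception as exc:
            # Best effort; a bare `except:` would also swallow KeyboardInterrupt.
            log.info("Role cleanup skipped: %s", exc)
        log.info(
            "Check the default value of attribute nsslapd-ignore-virtual-attrs is back to ON"
        )
        s.restart()
        c.restart()
        assert c.config.get_attr_val_utf8(
            'nsslapd-ignore-virtual-attrs') == "on"

    # Register before anything is changed: the consumer is stopped mid-test,
    # and an assertion failure before registration would otherwise leave it
    # down with the role still defined.
    request.addfinalizer(fin)

    log.info(
        "Check the attribute nsslapd-ignore-virtual-attrs is present in cn=config"
    )
    assert c.config.present('nsslapd-ignore-virtual-attrs')
    log.info(
        "Check the default value of attribute nsslapd-ignore-virtual-attrs should be ON"
    )
    assert c.config.get_attr_val_utf8('nsslapd-ignore-virtual-attrs') == "on"

    log.info("Create a managed role")
    ManagedRoles(s, DEFAULT_SUFFIX).create(properties={"cn": 'ROLE1'})

    log.info(
        "Check the default value of attribute nsslapd-ignore-virtual-attrs should be OFF"
    )
    # Give replication time to deliver the role entry to the consumer.
    time.sleep(5)
    assert c.config.present('nsslapd-ignore-virtual-attrs', 'off')

    # The error log is inspected with the consumer stopped.
    c.stop()
    # Raw string: the original non-raw literal carried `\(` escapes, which are
    # invalid escape sequences (SyntaxWarning on Python 3.12+). The pattern
    # text handed to searchErrorsLog is unchanged.
    assert c.searchErrorsLog(
        r"roles_cache_trigger_update_role - Because of virtual attribute definition \(role\), nsslapd-ignore-virtual-attrs was set to 'off'"
    )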
def _add_user(request, topo):
    """
    A Function that will create necessary users
    delete the created user
    """
    inst = topo.standalone

    # ou=roledntest carries the roledn bind-rule ACIs under test, each scoped
    # to its own target entry. The strings are reproduced verbatim, including
    # the missing space between "allow(all)" and "roledn" in the first and
    # last rule.
    test_ou = OrganizationalUnits(inst, DEFAULT_SUFFIX).create(properties={'ou': 'roledntest'})
    test_ou.set('aci', [
        f'(target="ldap:///{NESTED_ROLE_TESTER}")(targetattr="*") (version 3.0; aci "nested role aci"; allow(all)roledn = "ldap:///{ROLE2}";)',
        f'(target="ldap:///{OR_RULE_ACCESS}")(targetattr="*")(version 3.0; aci "or role aci"; allow(all) roledn = "ldap:///{ROLE1} || ldap:///{ROLE21}";)',
        f'(target="ldap:///{ALL_ACCESS}")(targetattr=*)(version 3.0; aci "anyone role aci"; allow(all) roledn = "ldap:///anyone";)',
        f'(target="ldap:///{NOT_RULE_ACCESS}")(targetattr=*)(version 3.0; aci "not role aci"; allow(all)roledn != "ldap:///{ROLE1} || ldap:///{ROLE21}";)',
    ])

    # Roles: two nested roles over the managed ones, three managed roles, and
    # one filtered role matching sn=Dr Drake.
    nestedroles = NestedRoles(inst, OU_ROLE)
    for name, members in (('role2', [ROLE1, ROLE21]), ('role3', [ROLE2, ROLE31])):
        nestedroles.create(properties={'cn': name, 'nsRoleDN': members})
    managedroles = ManagedRoles(inst, OU_ROLE)
    for name in ('ROLE1', 'ROLE21', 'ROLE31'):
        managedroles.create(properties={'cn': name})
    FilteredRoles(inst, OU_ROLE).create(properties={
        'cn': 'filterRole',
        'nsRoleFilter': 'sn=Dr Drake',
        'description': 'filter role tester',
    })

    users = UserAccounts(inst, OU_ROLE, rdn=None)

    def account_props(uid, description, role_dn=None):
        # Same attribute set (and order) for every account; nsRoleDN only for
        # the accounts that are explicitly assigned a role.
        props = {
            'uid': uid,
            'cn': uid,
            'sn': 'user',
            'uidNumber': '1000',
            'gidNumber': '2000',
            'homeDirectory': '/home/' + uid,
            'userPassword': PW_DM,
        }
        if role_dn is not None:
            props['nsRoleDN'] = role_dn
        props['Description'] = description
        return props

    for uid, role_dn, description in (
            ('STEVE_ROLE', ROLE1, 'Has roles 1, 2 and 3.'),
            ('HARRY_ROLE', ROLE21, 'Has roles 21, 2 and 3.'),
            ('MARY_ROLE', ROLE31, 'Has roles 31 and 3.')):
        users.create(properties=account_props(uid, description, role_dn))

    for uid, description in (
            ('JOE_ROLE', 'Has filterRole.'),
            ('NOROLEUSER', 'Has no roles.'),
            ('SCRACHENTRY', 'Entry to test rights on.'),
            ('all access', 'Everyone has acccess (incl anon).'),
            ('not rule access', 'Only accessible to mary.'),
            ('or rule access', 'Only to steve and harry but nbot mary or anon'),
            ('nested role tester', 'Only accessible to harry and steve.')):
        users.create(properties=account_props(uid, description))

    # JOE_ROLE gets the sn that the filtered role matches on.
    UserAccount(inst, f'uid=JOE_ROLE,ou=roledntest,{DEFAULT_SUFFIX}').set('sn', 'Dr Drake')

    def fin():
        """
        It will delete the created users
        """
        for entry in users.list() + managedroles.list() + nestedroles.list():
            entry.delete()

    request.addfinalizer(fin)
def _create_test_entries(topo):
    """Populate the suffix with the schema, OUs, users and roles the tests use.

    Everything is created on ``topo.standalone`` under ``DEFAULT_SUFFIX``; the
    user rows below are handed to the module's ``english_named_user``,
    ``non_english_user`` and ``user_with_postal_code`` helpers unchanged.
    """
    inst = topo.standalone

    # Schema: a custom attribute and an objectclass that may carry aci/emailclass.
    schema = Schema(inst)
    schema.add(
        'attributetypes',
        "( 9.9.8.4 NAME 'emailclass' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC 2256' )")
    schema.add(
        'objectclasses',
        "( 9.9.8.2 NAME 'mailSchemeUser' DESC 'User Defined ObjectClass' SUP 'top' "
        "MUST ( objectclass ) MAY (aci $ emailclass) X-ORIGIN 'RFC 2256' )")

    # Organizational units, including non-ASCII names.
    top_level_ous = OrganizationalUnits(inst, DEFAULT_SUFFIX)
    for ou_name in ('Çéliné Ändrè', 'Ännheimè', 'Çlose Crèkä', 'Sàn Fråncêscô',
                    'Netscape Servers', 'COS'):
        top_level_ous.create(properties={'ou': ou_name})
    OrganizationalUnits(inst, f'ou=COS,{DEFAULT_SUFFIX}').create(
        properties={'ou': 'MailSchemeClasses'})

    # ou=People users: (uid, org, l, telephone, fax, room number).
    users_people = UserAccounts(inst, DEFAULT_SUFFIX)
    people_rows = (
        ('scarter', ['Accounting', 'People'], 'Sunnyvale', '+1 408 555 4798', '+1 408 555 9751', '4612'),
        ('tmorris', ['Accounting', 'People'], 'Santa Clara', '+1 408 555 9187', '+1 408 555 8473', '4117'),
        ('kvaughan', ['Human Resources', 'People'], 'Sunnyvale', '+1 408 555 5625', ' +1 408 555 3372', '2871'),
        ('abergin', ['Product Testing', 'People'], 'Cupertino', '+1 408 555 8585', '+1 408 555 7472', '3472'),
        ('dmiller', ['Accounting', 'People'], 'Sunnyvale', '+1 408 555 9423', '+1 408 555 0111', '4135'),
        ('gfarmer', ['Accounting', 'People'], 'Cupertino', '+1 408 555 6201', '+1 408 555 8473', '1269'),
        ('kwinters', ['Product Development', 'People'], 'Santa Clara', '+1 408 555 9069', '+1 408 555 1992', '4178'),
        ('trigden', ['Product Development', 'People'], 'Santa Clara', '+1 408 555 9280', '+1 408 555 8473', '3584'),
        ('cschmith', ['Human Resources', 'People'], 'Sunnyvale', '+1 408 555 8011', '+1 408 555 4774', '0416'),
        ('jwallace', ['Accounting', 'People'], 'Sunnyvale', '+1 408 555 0319', '+1 408 555 8473', '1033'),
        ('jwalker', ['Product Testing', 'People'], 'Cupertino', '+1 408 555 1476', '+1 408 555 1992', '3915'),
        ('tclow', ['Human Resources', 'People'], 'Santa Clara', '+1 408 555 8825', '+1 408 555 1992', '4376'),
        ('rdaugherty', ['Human Resources', 'People'], 'Sunnyvale', '+1 408 555 1296', '+1 408 555 1992', '0194'),
        ('jreuter', ['Product Testing', 'People'], 'Cupertino', '+1 408 555 1122', '+1 408 555 8721', '2942'),
        ('tmason', ['Human Resources', 'People'], 'Sunnyvale', '+1 408 555 1596', '+1 408 555 9751', '1124'),
        ('bhall', ['Product Development', 'People'], 'Santa Clara', '+1 408 555 4798', '+1 408 555 9751', '4612'),
        ('btalbot', ['Human Resources', 'People'], 'Cupertino', '+1 408 555 6067', '+1 408 555 9751', '3532'),
        ('mward', ['Accounting', 'People'], 'Santa Clara', '+1 408 555 6067', '+1 408 555 9751', '1707'),
        ('bjablons', ['Human Resources', 'People'], 'Sunnyvale', '+1 408 555 6067', '+1 408 555 9751', '0906'),
        ('jmcFarla', ['Accounting', 'People'], 'Santa Clara', '+1 408 555 6067', '+1 408 555 9751', '2359'),
        ('llabonte', ['Product Development', 'People'], 'Santa Clara', '+1 408 555 6067', '+1 408 555 9751', '2854'),
        ('jcampaig', ['Product Development', 'People'], 'Cupertino', '+1 408 555 6067', '+1 408 555 9751', '4385'),
        ('bhal2', ['Accounting', 'People'], 'Sunnyvale', '+1 408 555 6067', '+1 408 555 9751', '2758'),
        ('alutz', ['Accounting', 'People'], 'Santa Clara', '+1 408 555 6067', '+1 408 555 9751', '1327'),
        ('btalbo2', ['Product Development', 'People'], 'Santa Clara', '+1 408 555 6067', '+1 408 555 9751', '1205'),
        ('achassin', ['Product Development', 'People'], 'Santa Clara', '+1 408 555 6067', '+1 408 555 9751', '0466'),
        ('hmiller', ['Human Resources', 'People'], 'Santa Clara', '+1 408 555 6067', '+1 408 555 9751', '4304'),
        ('jcampai2', ['Human Resources', 'People'], 'Santa Clara', '+1 408 555 6067', '+1 408 555 9751', '1377'),
        ('lulrich', ['Accounting', 'People'], 'Sunnyvale', '+1 408 555 6067', '+1 408 555 9751', '0985'),
        ('mlangdon', ['Product Development', 'People'], 'Cupertino', '+1 408 555 6067', '+1 408 555 9751', '4471'),
        ('striplet', ['Human Resources', 'People'], 'Santa Clara', '+1 408 555 6067', '+1 408 555 9751', '3083'),
        ('gtriplet', ['Accounting', 'People'], 'Sunnyvale', '+1 408 555 6067', '+1 408 555 9751', '4023'),
        ('jfalena', ['Human Resources', 'People'], 'Santa Clara', '+1 408 555 6067', '+1 408 555 9751', '1917'),
        ('speterso', ['Human Resources', 'People'], 'Cupertino', '+1 408 555 6067', '+1 408 555 9751', '3073'),
        ('ejohnson', ['Accounting', 'People'], 'Santa Clara', '+1 408 555 6067', '+1 408 555 9751', '3737'),
        ('prigden', ['Accounting', 'People'], 'Santa', '+1 408 555 6067', '+1 408 555 9751', '1271'),
        ('bwalker', ['Accounting', 'People'], 'Santa Clara', '+1 408 555 6067', '+1 408 555 9751', '3529'),
        ('kjensen', ['Accounting', 'People'], 'Santa Clara', '+1 408 555 4798', '+1 408 555 9751', '1944'),
        ('mlott', ['Human Resources', 'People'], 'Sunnyvale', '+1 408 555 4798', '+1 408 555 9751', '0498'),
        ('cwallace', ['Product Development', 'People'], 'Cupertino', '+1 408 555 4798', '+1 408 555 9751', '0349'),
        ('falbers', ['Accounting', 'People'], 'Sunnyvale', '+1 408 555 4798', '+1 408 555 9751', '1439'),
        ('calexand', ['Product Development', 'People'], 'Sunnyvale', '+1 408 555 4798', '+1 408 555 9751', '2884'),
        ('phunt', ['Human Resources', 'People'], 'Sunnyvale', '+1 408 555 4798', '+1 408 555 9751', '1183'),
        ('awhite', ['Product Testing', 'People'], 'Sunnyvale', '+1 408 555 4798', '+1 408 555 9751', '0142'),
        ('sfarmer', ['Accounting', 'People'], 'Santa Clara', '+1 408 555 4798', '+1 408 555 9751', '0019'),
        ('jrentz', ['Human Resources', 'People'], 'Santa Clara', '+1 408 555 4798', '+1 408 555 9751', '3025'),
        ('ahall', ['Accounting', 'People'], 'Santa Clara', '+1 408 555 4798', '+1 408 555 9751', '3050'),
        ('lstockto', ['Product Testing', 'People'], 'Santa Clara', '+1 408 555 0518', '+1 408 555 4774', '0169'),
        ('ttully', ['Human Resources', 'People'], 'Sunnyvale', '+1 408 555 2274', '+1 408 555 0111', '3924'),
        ('polfield', ['Human Resources', 'People'], 'Santa Clara', '+1 408 555 4798', '+1 408 555 9751', '1376'),
        ('scarte2', ['Product Development', 'People'], 'Santa Clara', '+1 408 555 4798', '+1 408 555 9751', '2013'),
        ('tkelly', ['Product Development', 'People'], 'Santa Clara', '+1 408 555 4295', '+1 408 555 1992', '3107'),
        ('mmcinnis', ['Product Development', 'People'], 'Santa Clara', '+1 408 555 9655', '+1 408 555 8721', '4818'),
        ('brigden', ['Human Resources', 'People'], 'Sunnyvale', '+1 408 555 9655', '+1 408 555 8721', '1643'),
        ('mtyler', ['Human Resources', 'People'], 'Cupertino', '+1 408 555 9655', '+1 408 555 8721', '2701'),
        ('rjense2', ['Product Testing', 'People'], 'Sunnyvale', '+1 408 555 9655', '+1 408 555 8721', '1984'),
        ('rhunt', ['Accounting', 'People'], 'Santa Clara', '+1 408 555 9655', '+1 408 555 8721', '0718'),
        ('ptyler', ['Accounting', 'People'], 'Santa Clara', '+1 408 555 9655', '+1 408 555 8721', '0327'),
        ('gtyler', ['Accounting', 'People'], 'Santa Clara', '+1 408 555 9655', '+1 408 555 8721', '0312'),
    )
    for uid, org, locality, telephone, fax, room in people_rows:
        english_named_user(users_people, uid, org, locality, telephone, fax, room)

    # Users under the non-ASCII OUs:
    # (container, uid, cn, ou, description, telephone, fax, preferred language, lang-tagged name).
    users_annahame = UserAccounts(inst, f'ou=Ännheimè,{DEFAULT_SUFFIX}', rdn=None)
    users_sanfran = UserAccounts(inst, f'ou=Sàn Fråncêscô,{DEFAULT_SUFFIX}', rdn=None)
    users_andre = UserAccounts(inst, f'ou=Çéliné Ändrè,{DEFAULT_SUFFIX}', rdn=None)
    users_close = UserAccounts(inst, f'ou=Çlose Crèkä,{DEFAULT_SUFFIX}', rdn=None)
    non_english_rows = (
        (users_annahame, 'user0', 'Babette Ryndérs', 'Ännheimè',
         'This is Babette Ryndérs description', '+1 415 788-4115', '+1 804 849-2367', 'es', 'Babette Ryndérs'),
        (users_sanfran, 'user1', 'mÿrty DeCoùrsin', 'Sàn Fråncêscô',
         'This is mÿrty DeCoùrsins description', '+1 408 689-8883', '+1 804 849-2367', 'ie', 'mÿrty DeCoùrsin'),
        (users_sanfran, 'user3', 'Kéñnon Fùndérbùrg', 'Sàn Fråncêscô',
         "This is Kéñnon Fùndérbùrg's description", '+1 408 689-8883', '+1 804 849-2367', 'it', 'Kéñnon Fùndérbùrg'),
        (users_sanfran, 'user5', 'Dàsya Cozàrt', 'Sàn Fråncêscô',
         "This is Dàsya Cozàrt's description", '+1 408 689-8883', '+1 804 849-2367', 'be', 'Dàsya Cozàrt'),
        (users_andre, 'user2', "Rôw O'Connér", 'Çéliné Ändrè',
         "This is Rôw O'Connér's description", '+1 408 689-8883', '+1 804 849-2367', 'it', "Rôw O'Connér"),
        (users_andre, 'user4', 'Theadora Ebérle', 'Çéliné Ändrè',
         "This is Kéñnon Fùndérbùrg's description", '+1 408 689-8883', '+1 804 849-2367', 'de', 'Theadora Ebérle'),
        (users_andre, 'user6', 'mÿrv Callânân', 'Çéliné Ändrè',
         "This is mÿrv Callânân's description", '+1 408 689-8883', '+1 804 849-2367', 'fr', 'mÿrv Callânân'),
        (users_close, 'user7', 'Ñäthan Ovâns', 'Çlose Crèkä',
         "This is Ñäthan Ovâns's description", '+1 408 689-8883', '+1 804 849-2367', 'be', 'Ñäthan Ovâns'),
    )
    for container, uid, cn, ou_name, description, telephone, fax, lang_code, lang_name in non_english_rows:
        non_english_user(container, uid, cn, ou_name, description, telephone, fax, lang_code, lang_name)

    # Secretaries carry a postal code; the filtered roles below match on it.
    secretary_rows = (
        ('Secretary1', '123 Castro St., Mountain View, CA', '99999'),
        ('Secretary2', '234 Ellis St., Mountain View, CA', '88888'),
        ('Secretary3', '345 California Av., Mountain View, CA', '77777'),
        ('Secretary4', '456 Villa St., Mountain View, CA', '66666'),
        ('Secretary5', '567 University Av., Mountain View, CA', '55555'),
    )
    for uid, address, postal_code in secretary_rows:
        user_with_postal_code(users_people, uid, address, postal_code)

    # Extra attributes on two existing users (objectclass first so the custom
    # attributes are allowed by schema).
    # NOTE: '\2a' in the multiLineDescription value is an octal escape in this
    # non-raw literal (chr(2) followed by 'a'); kept byte-for-byte.
    mtyler = UserAccount(inst, 'uid=mtyler, ou=people, dc=example, dc=com')
    mtyler_attrs = (
        ('objectclass', ['mailSchemeUser', 'mailRecipient']),
        ('emailclass', 'vpemail'),
        ('mailquota', '600'),
        ('multiLineDescription', 'fromentry This is the special \2a attribute value'),
    )
    for attr, value in mtyler_attrs:
        mtyler.add(attr, value)

    rjense2 = UserAccount(inst, 'uid=rjense2, ou=people, dc=example, dc=com')
    rjense2_attrs = (
        ('objectclass', ['mailRecipient', 'mailSchemeUser']),
        ('emailclass', 'vpemail'),
    )
    for attr, value in rjense2_attrs:
        rjense2.add(attr, value)

    # One managed role and three filtered roles at the suffix level.
    ManagedRoles(inst, DEFAULT_SUFFIX).create(properties={
        'description': 'This is the new managed role configuration',
        'cn': 'new managed role',
    })
    filter_roles = FilterRoles(inst, DEFAULT_SUFFIX)
    filter_role_rows = (
        ('(uid=*wal*)', 'this is the new filtered role', 'new filtered role'),
        ('(&(postalCode=77777)(uid=*er*))', 'This is the new vddr filter role config', 'new vaddr filtered role'),
        ('(&(postalCode=66666)(l=Cupertino))', 'This is the new vddr filter role config', 'another vaddr role'),
    )
    for role_filter, description, cn in filter_role_rows:
        filter_roles.create(properties={
            'nsRoleFilter': role_filter,
            'description': description,
            'cn': cn,
        })
def test_managedrole(topo):
    """Test Managed Role

    :id: d52a9c00-3bf6-11e9-9b7b-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Add ACI
        3. Search managed role entries
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    inst = topo.standalone

    roles = ManagedRoles(inst, DEFAULT_SUFFIX)
    role = roles.create(properties={"cn": 'ROLE1'})

    def account_props(uid, role_dn=None):
        # Same attribute set (and order) for both accounts; only 'Fail' gets a role.
        props = {
            'uid': uid,
            'cn': uid,
            'sn': 'user',
            'uidNumber': '1000',
            'gidNumber': '2000',
            'homeDirectory': '/home/' + uid,
        }
        if role_dn is not None:
            props['nsRoleDN'] = role_dn
        props['userPassword'] = PW_DM
        return props

    uas = UserAccounts(inst, DEFAULT_SUFFIX, rdn=None)
    uas.create(properties=account_props('Fail', role.dn))
    uas.create(properties=account_props('Success'))

    # The role entry exists and is found by a privileged search.
    assert ManagedRoles(inst, DEFAULT_SUFFIX).list()[0].dn == 'cn=ROLE1,dc=example,dc=com'

    # deny(all) to anyone holding ROLE1.
    Domain(inst, DEFAULT_SUFFIX).add(
        'aci',
        f'(targetattr=*)(version 3.0; aci "role aci"; deny(all) roledn="ldap:///{role.dn}";)')

    # 'Fail' (member of ROLE1) must see nothing; 'Success' (no role) must see the role.
    for uid, expect_entries in (('Fail', False), ('Success', True)):
        bound = UserAccount(inst, f"uid={uid},{DEFAULT_SUFFIX}").bind(PW_DM)
        found = ManagedRoles(bound, DEFAULT_SUFFIX).list()
        assert bool(found) is expect_entries

    # Inline cleanup: only reached when every assertion above passed.
    for entry in uas.list():
        entry.delete()
    for entry in roles.list():
        entry.delete()
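def test_vattr_on_managed_role(topo, request):
    """Test nsslapd-ignore-virtual-attrs configuration attribute

    The attribute is ON by default. If a managed role is added it is moved to OFF

    :id: 664b722d-c1ea-41e4-8f6c-f9c87a212346
    :customerscenario: True
    :setup: Standalone instance
    :steps:
        1. Check the attribute nsslapd-ignore-virtual-attrs is present in cn=config
        2. Check the default value of attribute nsslapd-ignore-virtual-attrs should be ON
        3. Create a managed role
        4. Check the value of nsslapd-ignore-virtual-attrs should be OFF
        5. Check a message "roles_cache_trigger_update_role - Because of virtual attribute.." in error logs
        6. Check after deleting role definition value of attribute nsslapd-ignore-virtual-attrs is set back to ON
    :expectedresults:
        1. This should be successful
        2. This should be successful
        3. This should be successful
        4. This should be successful
        5. This should be successful
        6. This should be successful
    """
    inst = topo.standalone

    def fin():
        """Restart, delete any leftover managed roles, and check the attribute is 'on' again."""
        inst.restart()
        try:
            for role in ManagedRoles(inst, DEFAULT_SUFFIX).list():
                role.delete()
        except Exception as exc:
            # Best effort; a bare `except:` would also swallow KeyboardInterrupt.
            log.info("Role cleanup skipped: %s", exc)
        log.info(
            "Check the default value of attribute nsslapd-ignore-virtual-attrs is back to ON"
        )
        inst.restart()
        assert inst.config.get_attr_val_utf8(
            'nsslapd-ignore-virtual-attrs') == "on"

    # Register before the role is created or the instance is stopped, so an
    # assertion failure below still restarts the server and removes the role.
    request.addfinalizer(fin)

    log.info(
        "Check the attribute nsslapd-ignore-virtual-attrs is present in cn=config"
    )
    assert inst.config.present('nsslapd-ignore-virtual-attrs')
    log.info(
        "Check the default value of attribute nsslapd-ignore-virtual-attrs should be ON"
    )
    assert inst.config.get_attr_val_utf8(
        'nsslapd-ignore-virtual-attrs') == "on"

    log.info("Create a managed role")
    ManagedRoles(inst, DEFAULT_SUFFIX).create(properties={"cn": 'ROLE1'})

    log.info(
        "Check the default value of attribute nsslapd-ignore-virtual-attrs should be OFF"
    )
    assert inst.config.present('nsslapd-ignore-virtual-attrs', 'off')

    # The error log is inspected with the instance stopped.
    inst.stop()
    # Raw string: the original non-raw literal carried `\(` escapes, which are
    # invalid escape sequences (SyntaxWarning on Python 3.12+). The pattern
    # text handed to searchErrorsLog is unchanged.
    assert inst.searchErrorsLog(
        r"roles_cache_trigger_update_role - Because of virtual attribute definition \(role\), nsslapd-ignore-virtual-attrs was set to 'off'"
    )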
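def test_managedrole(topo, request):
    """Test Managed Role

    :id: d52a9c00-3bf6-11e9-9b7b-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Add ACI
        3. Search managed role entries
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    inst = topo.standalone

    def fin():
        """Restart, delete ROLE1 if it survived, and restore nsslapd-ignore-virtual-attrs.

        The ACIs added by the test are not removed here; that is left to the
        module's other fixtures (not visible from this function).
        """
        inst.restart()
        try:
            ManagedRoles(inst, DEFAULT_SUFFIX).get('ROLE1').delete()
        except Exception as exc:
            # Best effort: the test body normally deletes ROLE1 itself. A bare
            # `except:` would also swallow KeyboardInterrupt/SystemExit.
            log.info("ROLE1 cleanup skipped: %s", exc)
        # Creating a role is expected (see the vattr tests in this file) to
        # flip this to 'off'; restore the default for later tests.
        inst.config.set('nsslapd-ignore-virtual-attrs', 'on')

    # Register before any entry is created so a failing assertion still cleans up.
    request.addfinalizer(fin)

    roles = ManagedRoles(inst, DEFAULT_SUFFIX)
    role = roles.create(properties={"cn": 'ROLE1'})

    uas = UserAccounts(inst, DEFAULT_SUFFIX, rdn=None)
    # 'Fail' holds ROLE1 and is expected to be denied; 'Success' has no role.
    uas.create(properties={
        'uid': 'Fail',
        'cn': 'Fail',
        'sn': 'user',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/' + 'Fail',
        'nsRoleDN': role.dn,
        'userPassword': PW_DM,
    })
    uas.create(properties={
        'uid': 'Success',
        'cn': 'Success',
        'sn': 'user',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/' + 'Success',
        'userPassword': PW_DM,
    })

    # The role entry exists and is found by a privileged search.
    assert ManagedRoles(inst, DEFAULT_SUFFIX).list()[0].dn == 'cn=ROLE1,dc=example,dc=com'

    suffix = Domain(inst, DEFAULT_SUFFIX)
    # deny(all) to anyone holding ROLE1 ...
    suffix.add(
        'aci',
        '(targetattr="*")(version 3.0; aci "role aci"; deny(all) roledn="ldap:///{}";)'.format(role.dn))
    # ... and anonymous read/search/compare for everyone else, so that
    # 'Success' has something to see and the deny is what makes the difference.
    anon_aci = '(targetattr="*")(version 3.0; acl "Anonymous Read access"; allow (read,search,compare) userdn = "ldap:///anyone";)'
    suffix.add('aci', anon_aci)

    # Bound as 'Fail' (member of ROLE1): nothing is visible.
    conn = UserAccount(inst, "uid=Fail,{}".format(DEFAULT_SUFFIX)).bind(PW_DM)
    assert not ManagedRoles(conn, DEFAULT_SUFFIX).list()

    # Bound as 'Success' (no role): the role entry is visible.
    conn = UserAccount(inst, "uid=Success,{}".format(DEFAULT_SUFFIX)).bind(PW_DM)
    assert ManagedRoles(conn, DEFAULT_SUFFIX).list()

    # Inline cleanup on the success path; fin() is the safety net otherwise.
    for entry in uas.list():
        entry.delete()
    for entry in roles.list():
        entry.delete()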
def _add_user(topo):
    """
    This function will create user for the test and in the end entries will be deleted .
    """
    inst = topo.standalone
    role_aci_body = '(targetattr=*)(version 3.0; aci "role aci"; allow(all)'

    # ou=Accounting: one allow(all) ACI per userattr bind-rule variant, each
    # scoped to its own target entry.
    ous = OrganizationalUnits(inst, DEFAULT_SUFFIX)
    ou_accounting = ous.create(properties={'ou': 'Accounting'})
    userattr_rules = (
        (ROLEDNACCESS, 'Description#ROLEDN'),
        (USERDNACCESS, 'Description#USERDN'),
        (GROUPDNACCESS, 'Description#GROUPDN'),
        (LDAPURLACCESS, 'Description#LDAPURL'),
        (ATTRNAMEACCESS, 'Description#4612'),
    )
    ou_accounting.set('aci', [
        f'(target="ldap:///{target}"){role_aci_body} userattr = "{rule}";)'
        for target, rule in userattr_rules
    ])

    # ou=Inheritance: attribute values at each level plus one userattr ACI per
    # parent[...] depth (the double space before "userattr" is preserved).
    ou_inheritance = ous.create(properties={
        'ou': 'Inheritance',
        'street': LEVEL_4,
        'seeAlso': LEVEL_3,
        'st': LEVEL_2,
        'description': LEVEL_1,
        'businessCategory': LEVEL_0,
    })
    inheritance_aci_body = '(targetattr=*)(version 3.0; aci "Inheritance aci"; allow(all) '
    parent_rules = (
        'parent[0].businessCategory#USERDN',
        'parent[0,1].description#USERDN',
        'parent[0,1,2].st#USERDN',
        'parent[0,1,2,3].seeAlso#USERDN',
        'parent[0,1,2,3,4].street#USERDN',
    )
    ou_inheritance.set('aci', [
        f'{inheritance_aci_body} userattr = "{rule}";)' for rule in parent_rules
    ])

    # Two full user entries under OU, one per role.
    users = UserAccounts(inst, OU, rdn=None)
    for full_name, locality, role_dn, room in (('Anuj Borah', 'Sunnyvale', ROLE1, '4612'),
                                               ('Ananda Borah', 'Santa Clara', ROLE2, 'Its Unknown')):
        first_name = full_name.split()[0]
        users.create(properties={
            'uid': full_name,
            'cn': first_name,
            'sn': 'user',
            'uidNumber': '1000',
            'gidNumber': '2000',
            'homeDirectory': '/home/' + first_name,
            'userPassword': PW_DM,
            'givenname': first_name,
            'l': locality,
            'mail': "*****@*****.**",
            'telephonenumber': "+1 408 555 4798",
            'facsimiletelephonenumber': "+1 408 555 9751",
            'roomnumber': room,
            'Description': room,
            'nsRoleDN': role_dn,
        })

    # Target entries for the userattr ACIs; Description carries the value the
    # corresponding bind rule compares against.
    target_rows = (
        ('ROLEDNACCESS', ROLE1),
        ('USERDNACCESS', CAN),
        ('GROUPDNACCESS', NSSIMPLEGROUP),
        ('ATTRNAMEACCESS', '4612'),
        ('LDAPURLACCESS', f"ldap:///{DEFAULT_SUFFIX}??sub?(l=Sunnyvale)"),
    )
    for uid, description in target_rows:
        users.create(properties={
            'uid': uid,
            'cn': uid,
            'sn': 'user',
            'uidNumber': '1000',
            'gidNumber': '2000',
            'homeDirectory': '/home/' + uid,
            'userPassword': PW_DM,
            'Description': description,
        })

    roles = ManagedRoles(inst, OU)
    for name in ('ROLE1', 'ROLE2'):
        roles.create(properties={"cn": name})

    groups = Groups(inst, OU, rdn=None)
    for name, member in (('NSSIMPLEGROUP', CAN), ('NSSIMPLEGROUP1', CANNOT)):
        groups.create(properties={'cn': name, 'ou': 'groups', 'member': member})

    # Generational users under OU_2 for the parent[...] inheritance tests.
    lineage_users = UserAccounts(inst, OU_2, rdn=None)
    for name in ('Grandson', 'Child', 'Parent', 'Grandparent', 'Ancestor'):
        lineage_users.create(properties={
            'uid': name,
            'cn': name,
            'sn': 'user',
            'uidNumber': '1000',
            'gidNumber': '2000',
            'homeDirectory': '/home/' + name,
            'userPassword': PW_DM,
        })

    # Nested OU chain, each created under the previous one.
    for parent_dn, ou_name in ((OU_2, 'ANCESTORS'),
                               (ANCESTORS, 'GRANDPARENTS'),
                               (GRANDPARENTS, 'PARENTS'),
                               (PARENTS, 'CHILDREN'),
                               (CHILDREN, 'GRANDSONS')):
        OrganizationalUnits(inst, parent_dn).create(properties={'ou': ou_name})