def test_local_TPR_supercedes_global_TPR(topo, _add_user, set_global_TPR_policies): """ One Time password with expiration :id: beb2dac4-e116-11eb-a85e-98fa9ba19b65 :customerscenario: True :setup: Standalone :steps: 1. Create DS Instance 2. Create user with appropriate password 3. Configure the Global Password policies with passwordTPRMaxUse 5 4. Configure different local password policy for passwordTPRMaxUse 3 5. Trigger TPR by resetting the user password above 6. Attempt an ldap search with an incorrect bind password for user above 7. Repeat as many times as set by attribute passwordTPRMaxUse 8. Should lock the account after value is set in the local passwordTPRMaxUse is reached 9. Try to search with the correct password account will be locked. :expected results: 1. Success 2. Success 3. Fail(ldap.INSUFFICIENT_ACCESS) 4. Success 5. Success 6. Success 7. Success 8. Success 9. Success """ user1 = UserAccount(topo.standalone, f'uid=jdoe1,ou=People,{DEFAULT_SUFFIX}') user2 = UserAccount(topo.standalone, f'uid=jdoe2,ou=People,{DEFAULT_SUFFIX}') log.info('Setting local password Temporary password reset policies') log.info('Setting Global TPR policy attributes') Config(topo.standalone).replace('passwordMustChange', 'on') Config(topo.standalone).replace('passwordTPRMaxUse', '5') Config(topo.standalone).replace('passwordTPRDelayExpireAt', '600') Config(topo.standalone).replace('passwordTPRDelayValidFrom', '6') log.info('Resetting {} password to trigger TPR policy'.format(user1)) user1.replace('userpassword', 'not_allowed_change') count = 0 while count < 4: if count == 4: with pytest.raises(ldap.CONSTRAINT_VIOLATION): user2.bind('badbadbad') else: with pytest.raises(ldap.INVALID_CREDENTIALS): count += 1 user2.bind('badbadbad')
def test_password_repl_error(topo_m2, test_entry): """Check that error about userpassword replication is properly logged :id: 714130ff-e4f0-4633-9def-c1f4b24abfef :setup: Four masters replication setup, a test entry :steps: 1. Change userpassword on the first master 2. Restart the servers to flush the logs 3. Check the error log for an replication error :expectedresults: 1. Password should be successfully changed 2. Server should be successfully restarted 3. There should be no replication errors in the error log """ m1 = topo_m2.ms["master1"] m2 = topo_m2.ms["master2"] TEST_ENTRY_NEW_PASS = '******' log.info('Clean the error log') m2.deleteErrorLogs() log.info('Set replication loglevel') m2.config.loglevel((ErrorLog.REPLICA, )) log.info('Modifying entry {} - change userpassword on master 1'.format( test_entry.dn)) test_entry.set('userpassword', TEST_ENTRY_NEW_PASS) repl = ReplicationManager(DEFAULT_SUFFIX) repl.wait_for_replication(m1, m2) log.info('Restart the servers to flush the logs') for num in range(1, 3): topo_m2.ms["master{}".format(num)].restart() try: log.info('Check that password works on master 2') test_entry_m2 = UserAccount(m2, test_entry.dn) test_entry_m2.bind(TEST_ENTRY_NEW_PASS) log.info('Check the error log for the error with {}'.format( test_entry.dn)) assert not m2.ds_error_log.match( '.*can.t add a change for {}.*'.format(test_entry.dn)) finally: log.info('Set the default loglevel') m2.config.loglevel((ErrorLog.DEFAULT, ))
def test_once_TPR_reset_old_passwd_invalid(topo, _add_user, set_global_TPR_policies): """ Verify that once a password has been reset it cannot be reused :id: f3ea4f00-e89c-11eb-b81d-98fa9ba19b65 :customerscenario: True :setup: Standalone :steps: 1. Create DS Instance 2. Create user jdoe1 with appropriate password 3. Configure the Global Password policies enable passwordMustChange 4. Trigger TPR by resetting the user jdoe1 password above 5. Attempt to login with the old password 6. Login as jdoe1 with the correct password and update the new password :expected results: 1. Success 2. Success 3. Success 4. Success 5. Fail(ldap.CONSTRAINT_VIOLATION) 6. Success """ new_password = '******' log.info('Creating user jdoe1 with appropriate password') user1 = UserAccount(topo.standalone, f'uid=jdoe1,ou=People,{DEFAULT_SUFFIX}') user1.replace('userpassword', new_password) log.info( 'Making sure the Global Policy passwordTPRDelayValidFrom is short') config = Config(topo.standalone) config.replace_many( ('passwordLockout', 'off'), ('passwordMaxFailure', '3'), ('passwordLegacyPolicy', 'off'), ('passwordTPRDelayValidFrom', '-1'), ('nsslapd-pwpolicy-local', 'on'), ) log.info(' Attempting to bind as {} with the old password {}'.format( user1, USER1_PASS)) time.sleep(.5) with pytest.raises(ldap.INVALID_CREDENTIALS): user1.bind(USER1_PASS) log.info('Login as jdoe1 with the correct reset password') time.sleep(.5) user1.rebind(new_password)
def test_reset_pwd_before_passwordTPRDelayValidFrom(topo, _add_user, set_global_TPR_policies): """ Verify that user cannot reset pwd before passwordTPRDelayValidFrom value elapses :id: 22987082-e8ae-11eb-a992-98fa9ba19b65 :customerscenario: True :setup: Standalone :steps: 1. Create DS Instance 2. Create user jdoe2 with appropriate password 3. Configure the Global Password policies disable passwordTPRDelayValidFrom to -1 4. Trigger TPR by resetting the user jdoe1 password above 5. Attempt to bind and rebind immediately 6. Set passwordTPRDelayValidFrom - 5secs elapses and bind rebind before 5 secs elapses 6. Wait for the passwordTPRDelayValidFrom value to elapse and try to reset passwd :expected results: 1. Success 2. Success 3. Success 4. Success 5. Success 6. Fail(ldap.LDAP_CONSTRAINT_VIOLATION) 7. Success """ user2 = UserAccount(topo.standalone, f'uid=jdoe2,ou=People,{DEFAULT_SUFFIX}') log.info('Creating user {} with appropriate password'.format(user2)) log.info('Disabling TPR policy passwordTPRDelayValidFrom') topo.standalone.config.replace_many(('passwordMustChange', 'on'), ('passwordTPRDelayValidFrom', '10')) log.info('Triggering TPR and binding immediately after') user2.replace('userpassword', 'new_password') time.sleep(.5) with pytest.raises(ldap.CONSTRAINT_VIOLATION): user2.bind('new_password') time.sleep(.5) topo.standalone.config.replace_many(('passwordMustChange', 'on'), ('passwordTPRDelayValidFrom', '-1')) log.info( 'Triggering TPR and binding immediately after with passwordTPRDelayValidFrom set to -1' ) user2.replace('userpassword', 'new_password1') time.sleep(.5) user2.rebind('new_password1')
def userpw_reset(topology_st, suffix, subtree, userid, nousrs, bindusr, bindpw, newpasw): """Reset user password""" while (nousrs > 0): usrrdn = '{}{}'.format(userid, nousrs) userdn = 'uid={},{},{}'.format(usrrdn, subtree, suffix) user = UserAccount(topology_st.standalone, dn=userdn) log.info('Reset user password for user-{}'.format(userdn)) if (bindusr == "DirMgr"): try: user.replace('userPassword', newpasw) except ldap.LDAPError as e: log.error( 'Unable to reset userPassword for user-{}'.format(userdn)) raise e elif (bindusr == "RegUsr"): user_conn = user.bind(bindpw) try: user_conn.replace('userPassword', newpasw) except ldap.LDAPError as e: log.error( 'Unable to reset userPassword for user-{}'.format(userdn)) raise e nousrs = nousrs - 1 time.sleep(1)
def test_only_user_can_reset_TPR(topo, _add_user, set_global_TPR_policies): """ One Time password with expiration :id: 07838d5e-db43-11eb-85e5-fa163ead4114 :customerscenario: True :setup: Standalone :steps: 1. Create DS Instance 2. Create 2 users with appropriate password 3. Create Global TPR policy enable passwordMustChange: on 3. Trigger Temporary password and reset user1 password 3. Bind as user#2 and attempt to Reset user#1 password as user#2 4. Verify admin can reset users#1,2 passwords :expected results: 1. Success 2. Success 3. Fail(ldap.INSUFFICIENT_ACCESS) 4. Success """ log.info('Creating 2 users with appropriate password') user1 = UserAccount(topo.standalone, f'uid=jdoe1,ou=People,{DEFAULT_SUFFIX}') user2 = UserAccount(topo.standalone, f'uid=jdoe2,ou=People,{DEFAULT_SUFFIX}') log.info('Setting Local policies...') conn_user2 = user2.bind(USER2_PASS) UserAccount(conn_user2, user2.dn).replace('userpassword', 'reset_pass') log.info('Attempting to change user#1 password as user#2 ') with pytest.raises(ldap.INSUFFICIENT_ACCESS): UserAccount(conn_user2, user1.dn).replace('userpassword', 'reset_pass')
def pwacc_lock(topology_st, suffix, subtree, userid, nousrs): """Lockout user account by attempting invalid password binds""" log.info('Lockout user account by attempting invalid password binds') while (nousrs > 0): usrrdn = '{}{}'.format(userid, nousrs) userdn = 'uid={},{},{}'.format(usrrdn, subtree, suffix) user = UserAccount(topology_st.standalone, dn=userdn) for i in range(3): with pytest.raises(ldap.INVALID_CREDENTIALS): user.bind(INVL_PASW) log.error('No invalid credentials error for User {}'.format(userdn)) with pytest.raises(ldap.CONSTRAINT_VIOLATION): user.bind(USER_PASW) log.error('User {} is not locked, expected error 19'.format(userdn)) nousrs = nousrs - 1 time.sleep(1)
def change_password_of_user(topo, user_password_new_pass_list, pass_to_change): """ Will change password with self binding. """ for user, password, new_pass in user_password_new_pass_list: real_user = UserAccount(topo.standalone, f'{user},{DEFAULT_SUFFIX}') conn = real_user.bind(password) UserAccount(conn, pass_to_change).replace('userpassword', new_pass)
def test_password_repl_error(topo_m4, create_entry): """Check that error about userpassword replication is properly logged :id: d4f12dc0-cd2c-4b92-9b8d-d764a60f0698 :feature: Multi master replication :setup: Four masters replication setup, a test entry :steps: 1. Change userpassword on master 1 2. Restart the servers to flush the logs 3. Check the error log for an replication error :expectedresults: We don't have a replication error in the error log """ m1 = topo_m4.ms["master1"] m2 = topo_m4.ms["master2"] TEST_ENTRY_NEW_PASS = '******'.format(TEST_ENTRY_NAME) log.info('Clean the error log') m2.deleteErrorLogs() log.info('Set replication loglevel') m2.config.loglevel((ErrorLog.REPLICA, )) log.info('Modifying entry {} - change userpassword on master 2'.format( TEST_ENTRY_DN)) test_user_m1 = UserAccount(topo_m4.ms["master1"], TEST_ENTRY_DN) test_user_m2 = UserAccount(topo_m4.ms["master2"], TEST_ENTRY_DN) test_user_m3 = UserAccount(topo_m4.ms["master3"], TEST_ENTRY_DN) test_user_m4 = UserAccount(topo_m4.ms["master4"], TEST_ENTRY_DN) test_user_m1.set('userpassword', TEST_ENTRY_NEW_PASS) log.info('Restart the servers to flush the logs') for num in range(1, 5): topo_m4.ms["master{}".format(num)].restart(timeout=10) m1_conn = test_user_m1.bind(TEST_ENTRY_NEW_PASS) m2_conn = test_user_m2.bind(TEST_ENTRY_NEW_PASS) m3_conn = test_user_m3.bind(TEST_ENTRY_NEW_PASS) m4_conn = test_user_m4.bind(TEST_ENTRY_NEW_PASS) log.info('Check the error log for the error with {}'.format(TEST_ENTRY_DN)) assert not m2.ds_error_log.match( '.*can.t add a change for uid={}.*'.format(TEST_ENTRY_NAME))
def account_status(topology_st, suffix, subtree, userid, nousrs, ulimit, tochck): """Check account status for the given suffix, subtree, userid and nousrs""" while (nousrs > ulimit): usrrdn = '{}{}'.format(userid, nousrs) userdn = 'uid={},{},{}'.format(usrrdn, subtree, suffix) user = UserAccount(topology_st.standalone, dn=userdn) if (tochck == "Enabled"): try: user.bind(USER_PASW) except ldap.LDAPError as e: log.error('User {} failed to login, expected 0'.format(userdn)) raise e elif (tochck == "Expired"): with pytest.raises(ldap.INVALID_CREDENTIALS): user.bind(USER_PASW) log.error( 'User {} password not expired , expected error 49'.format( userdn)) elif (tochck == "Disabled"): with pytest.raises(ldap.CONSTRAINT_VIOLATION): user.bind(USER_PASW) log.error( 'User {} is not inactivated, expected error 19'.format( userdn)) nousrs = nousrs - 1 time.sleep(1)
def test_local_password_policy(topo, _add_user): """Regression test for bz1044164 part 1. :id: d6f4a7fa-473b-11ea-8766-8c16451d917b :setup: Standalone :steps: 1. Add a User as Password Admin 2. Create a password admin user entry 3. Add an aci to allow this user all rights 4. Configure password admin 5. Create local password policy and enable passwordmustchange 6. Add another generic user but do not include the password (userpassword) 7. Use admin user to perform a password update on generic user 8. We don't need this ACI anymore. Delete it :expected results: 1. Success 2. Success 3. Success 4. Success 5. Success 6. Success 7. Success 8. Success """ # Add a User as Password Admin # Create a password admin user entry user = _create_user(topo, 'pwadm_admin_1', None) user.replace('userpassword', 'Secret123') domian = Domain(topo.standalone, DEFAULT_SUFFIX) # Add an aci to allow this user all rights domian.set( "aci", f'(targetattr ="userpassword")' f'(version 3.0;acl "Allow password admin to write user ' f'passwords";allow (write)(userdn = "ldap:///{user.dn}");)') # Configure password admin # Create local password policy and enable passwordmustchange Config(topo.standalone).replace_many(('passwordAdminDN', user.dn), ('passwordMustChange', 'off'), ('nsslapd-pwpolicy-local', 'on')) # Add another generic user but do not include the password (userpassword) # Use admin user to perform a password update on generic user real_user = UserAccount(topo.standalone, f'uid=pwadm_admin_1,{DEFAULT_SUFFIX}') conn = real_user.bind('Secret123') UserAccount(conn, f'uid=pwadm_user_1,{DEFAULT_SUFFIX}').replace( 'userpassword', 'hello') # We don't need this ACI anymore. Delete it domian.remove( "aci", f'(targetattr ="userpassword")' f'(version 3.0;acl "Allow password admin to write user ' f'passwords";allow (write)(userdn = "ldap:///{user.dn}");)')
def test_password_gracelimit_section(topo): """Password grace limit section. :id: d6f4a7fa-473b-11ea-8766-8c16451d917c :setup: Standalone :steps: 1. Resets the default password policy 2. Turning on password expiration, passwordMaxAge: 30 and passwordGraceLimit: 7 3. Check users have 7 grace login attempts after their password expires 4. Reset the user passwords to start the clock 5. The the 8th should fail 6. Now try resetting the password before the grace login attempts run out 7. Bind 6 times, and on the 7th change the password 8. Setting passwordMaxAge: 1 and passwordGraceLimit: 7 9. Modify the users passwords to start the clock of zero 10. First 7 good attempts, 8th should fail 11. Setting the passwordMaxAge to 3 seconds once more and the passwordGraceLimit to 0 12. Modify the users passwords to start the clock 13. Users should be blocked automatically after 3 second :expected results: 1. Success 2. Success 3. Success 4. Success 5. Success 6. Success 7. Success 8. Success 9. Success 10. Success 11. Success 12. Success 13. Success """ config = Config(topo.standalone) # Resets the default password policy config.replace_many(('passwordmincategories', '1'), ('passwordStorageScheme', 'CLEAR')) user = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=None).create_test_user() # Turning on password expiration, passwordMaxAge: 30 and passwordGraceLimit: 7 config.replace_many(('passwordMaxAge', '3'), ('passwordGraceLimit', '7'), ('passwordexp', 'on'), ('passwordwarning', '30')) # Reset the user passwords to start the clock # Check users have 7 grace login attempts after their password expires user.replace('userpassword', '00fr3d1') for _ in range(3): time.sleep(1) user_account = UserAccount(topo.standalone, user.dn) for _ in range(7): conn = user_account.bind('00fr3d1') # The the 8th should fail with pytest.raises(ldap.INVALID_CREDENTIALS): conn = user_account.bind('00fr3d1') # Now try resetting the password before the grace login attempts run out user.replace('userpassword', '00fr3d2') for _ in range(3): time.sleep(1) user_account = UserAccount(topo.standalone, user.dn) # Bind 6 times, and on the 7th change the password for _ in range(6): conn = user_account.bind('00fr3d2') user.replace('userpassword', '00fr3d1') for _ in range(3): time.sleep(1) for _ in range(7): conn = user_account.bind('00fr3d1') with pytest.raises(ldap.INVALID_CREDENTIALS): conn = user_account.bind('00fr3d1') # Setting passwordMaxAge: 1 and passwordGraceLimit: 7 config.replace_many(('passwordMaxAge', '1'), ('passwordwarning', '1')) # Modify the users passwords to start the clock of zero user.replace('userpassword', '00fr3d2') time.sleep(1) # First 7 good attempts, 8th should fail user_account = UserAccount(topo.standalone, user.dn) for _ in range(7): conn = user_account.bind('00fr3d2') with pytest.raises(ldap.INVALID_CREDENTIALS): conn = user_account.bind('00fr3d2') # Setting the passwordMaxAge to 3 seconds once more and the passwordGraceLimit to 0 config.replace_many(('passwordMaxAge', '3'), ('passwordGraceLimit', '0')) # Modify the users passwords to start the clock # Users should be blocked automatically after 3 second user.replace('userpassword', '00fr3d1') for _ in range(3): time.sleep(1) with pytest.raises(ldap.INVALID_CREDENTIALS): conn = user_account.bind('00fr3d1')
def test_admin_group_to_modify_password(topo, _add_user): """Regression test for bz1044164 part 2. :id: 12e09446-52da-11ea-aa11-8c16451d917b :setup: Standalone :steps: 1. Create unique members of admin group 2. Create admin group with unique members 3. Edit ACIs for admin group 4. Add group as password admin 5. Test password admin group to modify password of another admin user 6. Use admin user to perform a password update on Directory Manager user 7. Test password admin group for local password policy 8. Add top level container 9. Add user 10. Create local policy configuration entry 11. Adding admin group for local policy 12. Change user's password by admin user. Break the local policy rule 13. Test password admin group for global password policy 14. Add top level container 15. Change user's password by admin user. Break the global policy rule 16. Add new user in password admin group 17. Modify ordinary user's password 18. Modify user DN using modrdn of a user in password admin group 19. Test assigning invalid value to password admin attribute 20. Try to add more than one Password Admin attribute to config file 21. Use admin group setup from previous testcases, but delete ACI from that 22. Try to change user's password by admin user 23. Restore ACI 24. Edit ACIs for admin group 25. Delete a user from password admin group 26. Change users password by ex-admin user 27. Remove group from password admin configuration 28. Change admins 29. Change user's password by ex-admin user 30. Change admin user's password by ex-admin user :expected results: 1. Success 2. Success 3. Success 4. Success 5. Success 6. Fail(ldap.INSUFFICIENT_ACCESS) 7. Success 8. Success 9. Success 10. Success 11. Success 12. Success 13. Success 14. Success 15. Success 16. Success 17. Success 18. Success 19. Fail 20. Fail 21. Success 22. Success 23. Success 24. Success 25. Success 26. Success 27. Success 28. Success 29. Fail 30. Fail """ # create unique members of admin group admin_grp = UniqueGroups(topo.standalone, DEFAULT_SUFFIX).create(properties={ 'cn': 'pwadm_group_adm', 'description': 'pwadm_group_adm', 'uniqueMember': [f'uid=pwadm_admin_2,ou=People,{DEFAULT_SUFFIX}', f'uid=pwadm_admin_3,ou=People,{DEFAULT_SUFFIX}'] }) # Edit ACIs for admin group Domain(topo.standalone, f"ou=People,{DEFAULT_SUFFIX}").set('aci', f'(targetattr ="userpassword")' f'(version 3.0;acl "Allow passwords admin to write user ' f'passwords";allow (write)(groupdn = "ldap:///{admin_grp.dn}");)') # Add group as password admin Config(topo.standalone).replace('passwordAdminDN', admin_grp.dn) # Test password admin group to modify password of another admin user change_password_of_user(topo, [ ('uid=pwadm_admin_2,ou=People', 'Secret123', 'hello')], f'uid=pwadm_admin_3,ou=people,{DEFAULT_SUFFIX}') # Use admin user to perform a password update on Directory Manager user with pytest.raises(ldap.INSUFFICIENT_ACCESS): change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'hello')], f'{DN_DM},{DEFAULT_SUFFIX}') # Add top level container ou = OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX).create(properties={'ou': 'pwadm_locpol'}) # Change user's password by admin user. Break the global policy rule # Add new user in password admin group user = _create_user(topo, 'pwadm_locpol_user', 'ou=pwadm_locpol') user.replace('userpassword', 'Secret123') # Create local policy configuration entry _create_pwp(topo, ou.dn) # Set parameter for pwp for para_meter, op_op in [ ('passwordLockout', 'on'), ('passwordMaxFailure', '4'), ('passwordLockoutDuration', '10'), ('passwordResetFailureCount', '100'), ('passwordMinLength', '8'), ('passwordAdminDN', f'cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}')]: change_pwp_parameter(topo, 'ou=pwadm_locpol', para_meter, op_op) # Set ACI OrganizationalUnit(topo.standalone, ou.dn).set('aci', f'(targetattr ="userpassword")' f'(version 3.0;acl "Allow passwords admin to write user ' f'passwords";allow (write)' f'(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)') # Change password with new admin change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'Sec')], user.dn) # Set global parameter Config(topo.standalone).replace_many( ('passwordTrackUpdateTime', 'on'), ('passwordGraceLimit', '4'), ('passwordHistory', 'on'), ('passwordInHistory', '4')) # Test password admin group for global password policy change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'Sec')], f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}') # Adding admin group for local policy grp = UniqueGroup(topo.standalone, f'cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}') grp.add('uniqueMember', f'uid=pwadm_admin_4,ou=People,{DEFAULT_SUFFIX}') # Modify ordinary user's password change_password_of_user(topo, [('uid=pwadm_admin_4,ou=People', 'Secret123', 'Secret')], f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}') # Modify user DN using modrdn of a user in password admin group UserAccount(topo.standalone, f'uid=pwadm_admin_4,ou=People,{DEFAULT_SUFFIX}').rename('uid=pwadm_admin_4_new') # Remove admin grp.remove('uniqueMember', f'uid=pwadm_admin_4,ou=People,{DEFAULT_SUFFIX}') # Add Admin grp.add('uniqueMember', f'uid=pwadm_admin_4_new,ou=People,{DEFAULT_SUFFIX}') # Test the group pwp again with pytest.raises(ldap.INVALID_CREDENTIALS): change_password_of_user(topo, [(f'uid=pwadm_admin_4,ou=People', 'Secret123', 'Secret1')], f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}') change_password_of_user(topo, [(f'uid=pwadm_admin_4_new,ou=People', 'Secret123', 'Secret1')], f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}') with pytest.raises(ldap.INVALID_SYNTAX): Config(topo.standalone).replace('passwordAdminDN', "Invalid") # Test assigning invalid value to password admin attribute # Try to add more than one Password Admin attribute to config file with pytest.raises(ldap.OBJECT_CLASS_VIOLATION): Config(topo.standalone).replace('passwordAdminDN', [f'uid=pwadm_admin_2,ou=people,{DEFAULT_SUFFIX}', f'uid=pwadm_admin_3,ou=people,{DEFAULT_SUFFIX}']) # Use admin group setup from previous, but delete ACI from that people = Domain(topo.standalone, f"ou=People,{DEFAULT_SUFFIX}") people.remove('aci', f'(targetattr ="userpassword")(version 3.0;acl ' f'"Allow passwords admin to write user ' f'passwords";allow (write)' f'(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)') # Try to change user's password by admin user with pytest.raises(ldap.INSUFFICIENT_ACCESS): change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'Sec')], f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}') # Restore ACI people.set('aci', f'(targetattr ="userpassword")(version 3.0;acl ' f'"Allow passwords admin to write user ' f'passwords";allow (write)(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)') # Edit ACIs for admin group people.add('aci', f'(targetattr ="userpassword")(version 3.0;acl ' f'"Allow passwords admin to add user ' f'passwords";allow (add)(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)') UserAccount(topo.standalone, f'uid=pwadm_user_2,ou=people,{DEFAULT_SUFFIX}').replace('userpassword', 'Secret') real_user = UserAccount(topo.standalone, f'uid=pwadm_user_2,ou=people,{DEFAULT_SUFFIX}') conn = real_user.bind('Secret') # Test new aci with pytest.raises(ldap.INSUFFICIENT_ACCESS): UserAccounts(conn, DEFAULT_SUFFIX, rdn='ou=People').create(properties={ 'uid': 'ok', 'cn': 'ok', 'sn': 'ok', 'uidNumber': '1000', 'gidNumber': 'ok', 'homeDirectory': '/home/ok'}) UserAccounts(topo.standalone, DEFAULT_SUFFIX).list() real_user = UserAccount(topo.standalone, f'uid=pwadm_admin_2,ou=People,{DEFAULT_SUFFIX}') conn = real_user.bind('Secret123') # Test new aci which has new rights for uid, cn, password in [ ('pwadm_user_3', 'pwadm_user_1', 'U2VjcmV0MTIzCg=='), ('pwadm_user_4', 'pwadm_user_2', 'U2VjcmV0MTIzCg==')]: UserAccounts(conn, DEFAULT_SUFFIX, rdn='ou=People').create(properties={ 'uid': uid, 'cn': cn, 'sn': cn, 'uidNumber': '1000', 'gidNumber': '1001', 'homeDirectory': f'/home/{uid}', 'userpassword': password}) # Remove ACI Domain(topo.standalone, f"ou=People,{DEFAULT_SUFFIX}").remove('aci', f'(targetattr ="userpassword")' f'(version 3.0;acl ' f'"Allow passwords admin to add user ' f'passwords";allow ' f'(add)(groupdn = ' f'"ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)') # Delete a user from password admin group grp = UniqueGroup(topo.standalone, f'cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}') grp.remove('uniqueMember', f'uid=pwadm_admin_2,ou=People,{DEFAULT_SUFFIX}') # Change users password by ex-admin user with pytest.raises(ldap.INSUFFICIENT_ACCESS): change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'Secret')], f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}') # Set aci for only user people = Domain(topo.standalone, f"ou=People,{DEFAULT_SUFFIX}") people.remove('aci', f'(targetattr ="userpassword")(version 3.0;acl ' f'"Allow passwords admin to write user ' f'passwords";allow (write)(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)') people.set('aci', f'(targetattr ="userpassword")(version 3.0;acl "Allow passwords admin ' f'to write user passwords";allow (write)(groupdn = "ldap:///uid=pwadm_admin_1,{DEFAULT_SUFFIX}");)') # Remove group from password admin configuration Config(topo.standalone).replace('passwordAdminDN', f"uid=pwadm_admin_1,{DEFAULT_SUFFIX}") # Change user's password by ex-admin user with pytest.raises(ldap.INSUFFICIENT_ACCESS): change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'hellso')], f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}') with pytest.raises(ldap.INSUFFICIENT_ACCESS): change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'hellso')], f'uid=pwadm_admin_1,{DEFAULT_SUFFIX}')