def test_on_modrdn_allow(topo, _add_user, aci_of_user): """ Testing the targattrfilters keyword that allows access control based on the value of the attributes being added (or deleted)) "Valueacl Test $tet_thistest Test modrdn still works (2)" :id:17720562-7aaa-11e8-82ee-8c16451d917b :setup: server :steps: 1. Add test entry 2. Add ACI 3. User should follow ACI role :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed """ ACI_BODY = '(target="ldap:///{}")(targattrfilters = "add=cn:((cn=engineer)), del=cn:((cn=jonny))")' \ '(version 3.0; aci "$tet_thistest"; allow (write) ' \ 'userdn = "ldap:///{}";)'.format(DEFAULT_SUFFIX, USER_WITH_ACI_DELADD) Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY) properties = { 'uid': 'jonny', 'cn': 'jonny', 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/' + 'jonny' } user = UserAccount(topo.standalone, 'cn=jonny,{}'.format(DEFAULT_SUFFIX)) user.create(properties=properties) conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM) # aci will allow modrdn_s on cn=engineer useraccount = UserAccount(conn, "cn=jonny,{}".format(DEFAULT_SUFFIX)) useraccount.rename("cn=engineer") assert useraccount.dn == 'cn=engineer,dc=example,dc=com'
def create_test_user(instance, cn=None, suffix=None): """ Creates a new user for testing. It tries to create a user that doesn't already exist by using a different ID each time. However, if it is provided with an existing cn/suffix it will fail to create a new user and it will raise an LDAP error. Returns a UserAccount object. """ global test_user_id if cn is None: cn = "testuser_" + str(test_user_id) test_user_id += 1 if suffix is None: suffix = "ou=People," + DEFAULT_SUFFIX dn = "cn=" + cn + "," + suffix properties = { 'uid': cn, 'cn': cn, 'sn': 'user', 'uidNumber': str(1000+test_user_id), 'gidNumber': '2000', 'homeDirectory': '/home/' + cn } user = UserAccount(instance, dn) user.create(properties=properties) return user
def rdn_write_setup(topology_m2): topology_m2.ms["supplier1"].log.info("\n\n######## Add entry tuser ########\n") user = UserAccount(topology_m2.ms["supplier1"], SRC_ENTRY_DN) user_props = TEST_USER_PROPERTIES.copy() user_props.update({'sn': SRC_ENTRY_CN, 'cn': SRC_ENTRY_CN, 'userpassword': BIND_PW}) user.create(properties=user_props, basedn=SUFFIX)
def moddn_setup(topology_m2): """Creates - a staging DIT - a production DIT - add accounts in staging DIT - enable ACL logging (commented for performance reason) """ m1 = topology_m2.ms["supplier1"] o_roles = OrganizationalRoles(m1, SUFFIX) m1.log.info("\n\n######## INITIALIZATION ########\n") # entry used to bind with m1.log.info("Add {}".format(BIND_DN)) user = UserAccount(m1, BIND_DN) user_props = TEST_USER_PROPERTIES.copy() user_props.update({'sn': BIND_RDN, 'cn': BIND_RDN, 'uid': BIND_RDN, 'userpassword': BIND_PW}) user.create(properties=user_props, basedn=SUFFIX) # Add anonymous read aci ACI_TARGET = "(target = \"ldap:///%s\")(targetattr=\"*\")" % (SUFFIX) ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)" ACI_SUBJECT = " userdn = \"ldap:///anyone\";)" ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT suffix = Domain(m1, SUFFIX) suffix.add('aci', ACI_BODY) # DIT for staging m1.log.info("Add {}".format(STAGING_DN)) o_roles.create(properties={'cn': STAGING_CN, 'description': "staging DIT"}) # DIT for production m1.log.info("Add {}".format(PRODUCTION_DN)) o_roles.create(properties={'cn': PRODUCTION_CN, 'description': "production DIT"}) # DIT for production/except m1.log.info("Add {}".format(PROD_EXCEPT_DN)) o_roles_prod = OrganizationalRoles(m1, PRODUCTION_DN) o_roles_prod.create(properties={'cn': EXCEPT_CN, 'description': "production except DIT"}) # enable acl error logging # mod = [(ldap.MOD_REPLACE, 'nsslapd-errorlog-level', '128')] # m1.modify_s(DN_CONFIG, mod) # topology_m2.ms["supplier2"].modify_s(DN_CONFIG, mod) # add dummy entries in the staging DIT staging_users = UserAccounts(m1, SUFFIX, rdn="cn={}".format(STAGING_CN)) user_props = TEST_USER_PROPERTIES.copy() for cpt in range(MAX_ACCOUNTS): name = "{}{}".format(NEW_ACCOUNT, cpt) user_props.update({'sn': name, 'cn': name, 'uid': name}) staging_users.create(properties=user_props)
def moddn_setup(topology_m2): """Creates - a staging DIT - a production DIT - add accounts in staging DIT - enable ACL logging (commented for performance reason) """ m1 = topology_m2.ms["master1"] o_roles = OrganizationalRoles(m1, SUFFIX) m1.log.info("\n\n######## INITIALIZATION ########\n") # entry used to bind with m1.log.info("Add {}".format(BIND_DN)) user = UserAccount(m1, BIND_DN) user_props = TEST_USER_PROPERTIES.copy() user_props.update({ 'sn': BIND_RDN, 'cn': BIND_RDN, 'uid': BIND_RDN, 'userpassword': BIND_PW }) user.create(properties=user_props, basedn=SUFFIX) # DIT for staging m1.log.info("Add {}".format(STAGING_DN)) o_roles.create(properties={'cn': STAGING_CN, 'description': "staging DIT"}) # DIT for production m1.log.info("Add {}".format(PRODUCTION_DN)) o_roles.create(properties={ 'cn': PRODUCTION_CN, 'description': "production DIT" }) # DIT for production/except m1.log.info("Add {}".format(PROD_EXCEPT_DN)) o_roles_prod = OrganizationalRoles(m1, PRODUCTION_DN) o_roles_prod.create(properties={ 'cn': EXCEPT_CN, 'description': "production except DIT" }) # enable acl error logging # mod = [(ldap.MOD_REPLACE, 'nsslapd-errorlog-level', '128')] # m1.modify_s(DN_CONFIG, mod) # topology_m2.ms["master2"].modify_s(DN_CONFIG, mod) # add dummy entries in the staging DIT staging_users = UserAccounts(m1, SUFFIX, rdn="cn={}".format(STAGING_CN)) user_props = TEST_USER_PROPERTIES.copy() for cpt in range(MAX_ACCOUNTS): name = "{}{}".format(NEW_ACCOUNT, cpt) user_props.update({'sn': name, 'cn': name, 'uid': name}) staging_users.create(properties=user_props)
def test_renaming_target_entry(topo, _add_user, aci_of_user): """Test for renaming target entry :id: 6be1d33a-7932-11e8-9115-8c16451d917b :setup: server :steps: 1. Add test entry 2. Create a test user entry 3. Create a new ou entry with an aci 4. Make sure uid=$MYUID has the access 5. Rename ou=OU0 to ou=OU1 6. Create another ou=OU2 7. Move ou=OU1 under ou=OU2 8. Make sure uid=$MYUID still has the access :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed 4. Operation should succeed 5. Operation should succeed 6. Operation should succeed 7. Operation should succeed 8. Operation should succeed """ properties = { 'uid': 'TRAC340_MODRDN', 'cn': 'TRAC340_MODRDN', 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/' + 'TRAC340_MODRDN' } user = UserAccount(topo.standalone, 'cn=TRAC340_MODRDN,{}'.format(DEFAULT_SUFFIX)) user.create(properties=properties) user.set("userPassword", "password") ou = OrganizationalUnit(topo.standalone, 'ou=OU0,{}'.format(DEFAULT_SUFFIX)) ou.create(properties={'ou': 'OU0'}) ou.set( 'aci', '(targetattr="*")(version 3.0; acl "$MYUID";allow(read, search, compare) userdn = "ldap:///{}";)' .format(TRAC340_MODRDN)) conn = UserAccount(topo.standalone, TRAC340_MODRDN).bind(PW_DM) assert OrganizationalUnits(conn, DEFAULT_SUFFIX).get('OU0') # Test for renaming target entry OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX).get('OU0').rename("ou=OU1") assert OrganizationalUnits(conn, DEFAULT_SUFFIX).get('OU1') ou = OrganizationalUnit(topo.standalone, 'ou=OU2,{}'.format(DEFAULT_SUFFIX)) ou.create(properties={'ou': 'OU2'}) # Test for renaming target entry OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX).get('OU1').rename( "ou=OU1", newsuperior=OU2_OU_MODRDN) assert OrganizationalUnits(conn, DEFAULT_SUFFIX).get('OU1')
def test_csnpurge_large_valueset(topo_m2): """Test csn generator test :id: 63e2bdb2-0a8f-4660-9465-7b80a9f72a74 :setup: MMR with 2 masters :steps: 1. Create a test_user 2. add a large set of values (more than 10) 3. delete all the values (more than 10) 4. configure the replica to purge those values (purgedelay=5s) 5. Waiting for 6 second 6. do a series of update :expectedresults: 1. Should succeeds 2. Should succeeds 3. Should succeeds 4. Should succeeds 5. Should succeeds 6. Should not crash """ m1 = topo_m2.ms["master2"] test_user = UserAccount(m1, TEST_ENTRY_DN) if test_user.exists(): log.info('Deleting entry {}'.format(TEST_ENTRY_DN)) test_user.delete() test_user.create( properties={ 'uid': TEST_ENTRY_NAME, 'cn': TEST_ENTRY_NAME, 'sn': TEST_ENTRY_NAME, 'userPassword': TEST_ENTRY_NAME, 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/mmrepl_test', }) # create a large value set so that it is sorted for i in range(1, 20): test_user.add('description', 'value {}'.format(str(i))) # delete all values of the valueset for i in range(1, 20): test_user.remove('description', 'value {}'.format(str(i))) # set purging delay to 5 second and wait more that 5second replicas = Replicas(m1) replica = replicas.list()[0] log.info('nsds5ReplicaPurgeDelay to 5') replica.set('nsds5ReplicaPurgeDelay', '5') time.sleep(6) # add some new values to the valueset containing entries that should be purged for i in range(21, 25): test_user.add('description', 'value {}'.format(str(i)))
def _add_user(request, topo): ou = OrganizationalUnit(topo.standalone, 'ou=Product Development,{}'.format(DEFAULT_SUFFIX)) ou.create(properties={'ou': 'Product Development'}) ou = OrganizationalUnit(topo.standalone, 'ou=Accounting,{}'.format(DEFAULT_SUFFIX)) ou.create(properties={'ou': 'Accounting'}) groups = Group(topo.standalone, DYNAMIC_MODRDN) group_properties = { "cn": "Test DYNAMIC_MODRDN Group 70", "objectclass": ["top", 'groupofURLs'], 'memberURL': 'ldap:///{}??base?(cn=*)'.format(USER_WITH_ACI_DELADD) } groups.create(properties=group_properties) properties = { 'uid': 'Jeff Vedder', 'cn': 'Jeff Vedder', 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/' + 'JeffVedder', 'userPassword': PW_DM } user = UserAccount( topo.standalone, 'cn=Jeff Vedder,ou=Product Development,{}'.format(DEFAULT_SUFFIX)) user.create(properties=properties) properties = { 'uid': 'Sam Carter', 'cn': 'Sam Carter', 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/' + 'SamCarter', 'userPassword': PW_DM } user = UserAccount(topo.standalone, 'cn=Sam Carter,ou=Accounting,{}'.format(DEFAULT_SUFFIX)) user.create(properties=properties) def fin(): for DN in [ USER_DELADD, USER_WITH_ACI_DELADD, DYNAMIC_MODRDN, CONTAINER_2_DELADD, CONTAINER_1_DELADD ]: UserAccount(topo.standalone, DN).delete() request.addfinalizer(fin)
def create(self): properties = { 'uid': 'FRED', 'cn': 'FRED', 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/' + 'FRED' } user = UserAccount(self.topo.standalone, "cn=FRED, ou=Accounting,{}".format(DEFAULT_SUFFIX)) user.create(properties=properties) user.set("title", [self.title1, self.title2, self.title3])
def test_allow_write_access_to_target_with_wildcards(topo, aci_of_user, cleanup_tree): """ Modify Test 6 Allow write access to target with wildcards :id:825fe884-7abf-11e8-8541-8c16451d917b :setup: server :steps: 1. Add test entry 2. Add ACI 3. User should follow ACI role :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed """ ACI_BODY = '(target = ldap:///{})(targetattr = "*")(version 3.0; acl "ACI NAME"; allow (write) (userdn = "ldap:///anyone") ;)'.format( DEFAULT_SUFFIX) Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY) for i in ['Product Development', 'Accounting', 'Human Resources']: ou = OrganizationalUnit(topo.standalone, "ou={},{}".format(i, DEFAULT_SUFFIX)) ou.create(properties={'ou': i}) for i in [ 'Jeff Vedder,ou=Product Development', 'Sam Carter,ou=Accounting', 'Kirsten Vaughan, ou=Human Resources' ]: properties = { 'uid': i, 'cn': i, 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/' + i, 'userPassword': PW_DM } user = UserAccount(topo.standalone, "cn={},{}".format(i, DEFAULT_SUFFIX)) user.create(properties=properties) conn = UserAccount(topo.standalone, USER_DELADD).bind(PW_DM) # Allow write access to target with wildcards ua = UserAccount(conn, KIRSTENVAUGHAN) ua.add("title", "Architect") assert ua.get_attr_val('title') conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM) # Allow write access to target with wildcards ua = UserAccount(conn, USER_DELADD) ua.add("title", "Architect") assert ua.get_attr_val('title')
def test_access_aci_list_contains_any_deny_rule(topo, _add_user, aci_of_user): """RHDS denies MODRDN access if ACI list contains any DENY rule Bug description: If you create a deny ACI for some or more attributes there is incorrect behaviour as you cannot rename the entry anymore :id: 62cbbb8a-7932-11e8-96a7-8c16451d917b :setup: server :steps: 1. Add test entry 2. Adding a new ou ou=People to $BASEDN 3. Adding a user NEWENTRY9_MODRDN to ou=People,$BASEDN 4. Adding an allow rule for NEWENTRY9_MODRDN and for others an aci deny rule :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed 4. Operation should succeed """ properties = { 'uid': 'NEWENTRY9_MODRDN', 'cn': 'NEWENTRY9_MODRDN_People', 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/' + 'NEWENTRY9_MODRDN' } user = UserAccount( topo.standalone, 'cn=NEWENTRY9_MODRDN,ou=People,{}'.format(DEFAULT_SUFFIX)) user.create(properties=properties) user.set("userPassword", "password") user.set("telephoneNumber", "989898191") user.set("mail", "*****@*****.**") user.set("givenName", "givenName") user.set("uid", "NEWENTRY9_MODRDN") OrganizationalUnits( topo.standalone, DEFAULT_SUFFIX ).get('People').add("aci", [ '(targetattr = "*") ' '(version 3.0;acl "admin";allow (all)(userdn = "ldap:///{}");)'.format( NEWENTRY9_MODRDN), '(targetattr = "mail") (version 3.0;acl "deny_mail";deny (write)(userdn = "ldap:///anyone");)', '(targetattr = "uid") (version 3.0;acl "allow uid";allow (write)(userdn = "ldap:///{}");)' .format(NEWENTRY9_MODRDN) ]) UserAccount(topo.standalone, NEWENTRY9_MODRDN).replace("userpassword", "Anuj") useraccount = UserAccount(topo.standalone, NEWENTRY9_MODRDN) useraccount.rename("uid=newrdnchnged") assert 'uid=newrdnchnged,ou=People,dc=example,dc=com' == useraccount.dn
def test_allow_write_access_to_userdnattr(topo, aci_of_user, cleanup_tree, request): """Modify Test 7 Allow write access to userdnattr :id: 86b418f6-7abf-11e8-ae28-8c16451d917b :setup: server :steps: 1. Add test entry 2. Add ACI 3. User should follow ACI role :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed """ ACI_BODY = '(target = ldap:///{})(targetattr=*)(version 3.0; acl "{}";allow (write) (userdn = "ldap:///anyone"); )'.format( DEFAULT_SUFFIX, request.node.name) Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY) for i in ['Product Development', 'Accounting']: ou = OrganizationalUnit(topo.standalone, "ou={},{}".format(i, DEFAULT_SUFFIX)) ou.create(properties={'ou': i}) for i in [ 'Jeff Vedder,ou=Product Development', 'Sam Carter,ou=Accounting' ]: properties = { 'uid': i, 'cn': i, 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/' + i, 'userPassword': PW_DM } user = UserAccount(topo.standalone, "cn={},{}".format(i, DEFAULT_SUFFIX)) user.create(properties=properties) UserAccount(topo.standalone, USER_WITH_ACI_DELADD).add('manager', USER_WITH_ACI_DELADD) conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM) # Allow write access to userdnattr ua = UserAccount(conn, USER_DELADD) ua.add('uid', 'scoobie') assert ua.get_attr_val('uid') ua.add('uid', 'jvedder') assert ua.get_attr_val('uid')
def test_groupdnattr_value_is_another_group(topo): """Search Test 42 groupdnattr value is another group test #1 :id: 52299e16-7944-11e8-b471-8c16451d917b :setup: server :steps: 1. Add test entry 2. Add ACI 3. USER_ANUJ should follow ACI role :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed """ Organization(topo.standalone).create(properties={"o": "nscpRoot"}, basedn=DEFAULT_SUFFIX) user = UserAccount(topo.standalone, "cn=dchan,o=nscpRoot,{}".format(DEFAULT_SUFFIX)) user.create( properties={ 'uid': 'dchan', 'cn': 'dchan', 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/' + 'dchan', 'userPassword': PW_DM }) grp = UniqueGroup(topo.standalone, 'cn=groupx,o=nscpRoot,' + DEFAULT_SUFFIX) grp.create(properties={ 'cn': 'groupx', 'ou': 'groups', }) grp.set('uniquemember', 'cn=dchan,o=nscpRoot,{}'.format(DEFAULT_SUFFIX)) grp.set( 'aci', '(targetattr="*")(version 3.0; acl "Enable Group Expansion"; allow (read, search, compare) groupdnattr="ldap:///o=nscpRoot?uniquemember?sub";)' ) conn = UserAccount( topo.standalone, 'cn=dchan,o=nscpRoot,{}'.format(DEFAULT_SUFFIX), ).bind(PW_DM) # acil will allow ldap:///o=nscpRoot?uniquemember?sub" assert UserAccount(conn, 'cn=groupx,o=nscpRoot,{}'.format( DEFAULT_SUFFIX)).get_attr_val_utf8('cn') == 'groupx'
def test_ticket50234(topology_st): """ The fix for ticket 50234 The test sequence is: - create more than 10 entries with objectclass organizational units ou=org{} - add an Account in one of them, eg below ou=org5 - do searches with search base ou=org5 and search filter "objectclass=organizationalunit" - a subtree search should return 1 entry, the base entry - a onelevel search should return no entry """ log.info( 'Testing Ticket 50234 - onelvel search returns not matching entry') for i in range(1, 15): ou = OrganizationalUnit(topology_st.standalone, "ou=Org{},{}".format(i, DEFAULT_SUFFIX)) ou.create(properties={'ou': 'Org'.format(i)}) properties = { 'uid': 'Jeff Vedder', 'cn': 'Jeff Vedder', 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/' + 'JeffVedder', 'userPassword': '******' } user = UserAccount(topology_st.standalone, "cn=Jeff Vedder,ou=org5,{}".format(DEFAULT_SUFFIX)) user.create(properties=properties) # in a subtree search the entry used as search base matches the filter and shoul be returned ent = topology_st.standalone.getEntry("ou=org5,{}".format(DEFAULT_SUFFIX), ldap.SCOPE_SUBTREE, "(objectclass=organizationalunit)") # in a onelevel search the only child is an useraccount which does not match the filter # no entry should be returned, which would cause getEntry to raise an exception we need to handle found = 1 try: ent = topology_st.standalone.getEntry( "ou=org5,{}".format(DEFAULT_SUFFIX), ldap.SCOPE_ONELEVEL, "(objectclass=organizationalunit)") except ldap.NO_SUCH_OBJECT: found = 0 assert (found == 0)
def test_allow_selfwrite_access_to_anyone(topo, aci_of_user, cleanup_tree): """ Modify Test 8 Allow selfwrite access to anyone :id:8b3becf0-7abf-11e8-ac34-8c16451d917b :setup: server :steps: 1. Add test entry 2. Add ACI 3. User should follow ACI role :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed """ groups = Groups(topo.standalone, DEFAULT_SUFFIX) group = groups.create(properties={ "cn": "group1", "description": "testgroup" }) ACI_BODY = '(target = ldap:///cn=group1,ou=Groups,{})(targetattr = "member")(version 3.0; acl "ACI NAME"; allow (selfwrite) (userdn = "ldap:///anyone") ;)'.format( DEFAULT_SUFFIX) Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY) ou = OrganizationalUnit(topo.standalone, "ou=Product Development,{}".format(DEFAULT_SUFFIX)) ou.create(properties={'ou': 'Product Development'}) properties = { 'uid': 'Jeff Vedder', 'cn': 'Jeff Vedder', 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/' + 'JeffVedder', 'userPassword': PW_DM } user = UserAccount( topo.standalone, "cn=Jeff Vedder,ou=Product Development,{}".format(DEFAULT_SUFFIX)) user.create(properties=properties) conn = UserAccount(topo.standalone, USER_DELADD).bind(PW_DM) # Allow selfwrite access to anyone groups = Groups(conn, DEFAULT_SUFFIX) groups.list()[0].add_member(USER_DELADD) group.delete()
def test_allow_owner_to_modify_entry(topo, aci_of_user, cleanup_tree): """ Modify Test 14 allow userdnattr = owner to modify entry :id:aa302090-7abf-11e8-811a-8c16451d917b :setup: server :steps: 1. Add test entry 2. Add ACI 3. User should follow ACI role :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed """ grp = UniqueGroup(topo.standalone, 'cn=intranet,' + DEFAULT_SUFFIX) grp.create(properties={'cn': 'intranet', 'ou': 'groups'}) grp.set('owner', USER_WITH_ACI_DELADD) ACI_BODY = '(target ="ldap:///cn=intranet, {}") (targetattr ="*")(targetfilter ="(objectclass=groupOfUniqueNames)") (version 3.0;acl "$tet_thistest";allow(read, write, delete, search, compare, add) (userdnattr = "owner");)'.format( DEFAULT_SUFFIX) Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY) for i in ['Product Development', 'Accounting']: ou = OrganizationalUnit(topo.standalone, "ou={},{}".format(i, DEFAULT_SUFFIX)) ou.create(properties={'ou': i}) for i in [ 'Jeff Vedder,ou=Product Development', 'Sam Carter,ou=Accounting' ]: properties = { 'uid': i, 'cn': i, 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/' + i, 'userPassword': PW_DM } user = UserAccount(topo.standalone, "cn={},{}".format(i, DEFAULT_SUFFIX)) user.create(properties=properties) conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM) # allow userdnattr = owner to modify entry ua = UserAccount(conn, 'cn=intranet,dc=example,dc=com') ua.set('uniquemember', "cn=Andy Walker, ou=Accounting,dc=example,dc=com") assert ua.get_attr_val('uniquemember')
def test_aci_with_both_allow_and_deny(topo, aci_of_user, cleanup_tree): """ Modify Test 12 aci with both allow and deny :id:9dcfe902-7abf-11e8-86dc-8c16451d917b :setup: server :steps: 1. Add test entry 2. Add ACI 3. User should follow ACI role :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed """ ACI_BODY = '(targetattr = "*")(version 3.0; acl "ACI NAME"; deny (read, search)userdn = "ldap:///{}"; allow (all) userdn = "ldap:///{}" ;)'.format( USER_WITH_ACI_DELADD, USER_DELADD) Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY) for i in ['Product Development', 'Accounting']: ou = OrganizationalUnit(topo.standalone, "ou={},{}".format(i, DEFAULT_SUFFIX)) ou.create(properties={'ou': i}) for i in [ 'Jeff Vedder,ou=Product Development', 'Sam Carter,ou=Accounting' ]: properties = { 'uid': i, 'cn': i, 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/' + i, 'userPassword': PW_DM } user = UserAccount(topo.standalone, "cn={},{}".format(i, DEFAULT_SUFFIX)) user.create(properties=properties) conn = UserAccount(topo.standalone, USER_DELADD).bind(PW_DM) # aci with both allow and deny, testing allow assert UserAccount(conn, USER_WITH_ACI_DELADD).get_attr_val('uid') conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM) # aci with both allow and deny, testing deny with pytest.raises(IndexError): UserAccount(conn, USER_WITH_ACI_DELADD).get_attr_val('uid')
def test_deny_all_access_with_targetattr_set(topo, test_uer, aci_of_user): """Search Test 10 Deny all access with targetattr set :id: e1602ff2-6e11-11e8-8e55-8c16451d917b :setup: Standalone Instance :steps: 1. Add Entry 2. Add ACI 3. Bind with test USER_ANUJ 4. Try search 5. Delete Entry,test USER_ANUJ, ACI :expectedresults: 1. Operation should success 2. Operation should success 3. Operation should success 4. Operation should Fail 5. Operation should success """ testuser = UserAccount(topo.standalone, "cn=Anuj12,ou=People,{}".format(DEFAULT_SUFFIX)) testuser.create( properties={ 'uid': 'Anuj12', 'cn': 'Anuj12', 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/' + 'Anuj12' }) ACI_TARGET = '(targetattr="uid")' ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)' ACI_SUBJECT = 'userdn="ldap:///anyone";)' ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY) conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM) # aci will block only uid=* assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)')) conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM) # aci will block only uid=* assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)')) # with root there is no aci blockage assert 4 == len( Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(uid=*)')) testuser.delete()
def test_allow_write_access_to_userdn_all(topo, aci_of_user, cleanup_tree): """ Modify Test 3 Allow write access to userdn 'all' :id:70c58818-7abf-11e8-afa1-8c16451d917b :setup: server :steps: 1. Add test entry 2. Add ACI 3. User should follow ACI role :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed """ ACI_BODY = '(targetattr = "*")(version 3.0; acl "ACI NAME"; allow (write) (userdn = "ldap:///all") ;)' Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY) for i in ['Product Development', 'Accounting']: ou = OrganizationalUnit(topo.standalone, "ou={},{}".format(i, DEFAULT_SUFFIX)) ou.create(properties={'ou': i}) for i in [ 'Jeff Vedder,ou=Product Development', 'Sam Carter,ou=Accounting' ]: properties = { 'uid': i, 'cn': i, 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/' + i, 'userPassword': PW_DM } user = UserAccount(topo.standalone, "cn={},{}".format(i, DEFAULT_SUFFIX)) user.create(properties=properties) # Allow write access to userdn 'all' conn = Anonymous(topo.standalone).bind() with pytest.raises(ldap.INSUFFICIENT_ACCESS): UserAccount(conn, USER_DELADD).add("title", "Architect") conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM) UserAccount(conn, USER_DELADD).add("title", "Architect") assert UserAccount(conn, USER_DELADD).get_attr_val('title')
def test_allow_write_access_to_targetattr_with_multiple_attibutes( topo, aci_of_user, cleanup_tree): """ Modify Test 2 Allow write access to targetattr with multiple attibutes :id:6b9f05c6-7abf-11e8-9ba1-8c16451d917b :setup: server :steps: 1. Add test entry 2. Add ACI 3. User should follow ACI role :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed """ ACI_BODY = '(targetattr = "telephonenumber || roomnumber")(version 3.0; acl "ACI NAME"; allow (write) (userdn = "ldap:///anyone") ;)' Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY) ou = OrganizationalUnit(topo.standalone, "ou=Product Development,{}".format(DEFAULT_SUFFIX)) ou.create(properties={'ou': 'Product Development'}) properties = { 'uid': 'Jeff Vedder', 'cn': 'Jeff Vedder', 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/' + 'JeffVedder', 'userPassword': PW_DM } user = UserAccount( topo.standalone, "cn=Jeff Vedder,ou=Product Development,{}".format(DEFAULT_SUFFIX)) user.create(properties=properties) # Allow write access to targetattr with multiple attibutes conn = Anonymous(topo.standalone).bind() ua = UserAccount(conn, USER_DELADD) ua.add("telephonenumber", "+1 408 555 1212") assert ua.get_attr_val('telephonenumber') ua.add("roomnumber", "101") assert ua.get_attr_val('roomnumber')
def create_entry(topo_m4, request): """Add test entry to master1""" log.info('Adding entry {}'.format(TEST_ENTRY_DN)) test_user = UserAccount(topo_m4.ms["master1"], TEST_ENTRY_DN) if test_user.exists(): log.info('Deleting entry {}'.format(TEST_ENTRY_DN)) test_user.delete() test_user.create( properties={ 'uid': TEST_ENTRY_NAME, 'cn': TEST_ENTRY_NAME, 'sn': TEST_ENTRY_NAME, 'userPassword': TEST_ENTRY_NAME, 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/mmrepl_test', })
def test_allow_write_access_to_userdn_with_wildcards_in_dn( topo, aci_of_user, cleanup_tree): """ Modify Test 4 Allow write access to userdn with wildcards in DN :id:766c2312-7abf-11e8-b57d-8c16451d917b :setup: server :steps: 1. Add test entry 2. Add ACI 3. User should follow ACI role :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed """ ACI_BODY = '(targetattr = "*")(version 3.0; acl "ACI NAME"; allow (write)(userdn = "ldap:///cn=*, ou=Product Development,{}") ;)'.format( DEFAULT_SUFFIX) Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY) ou = OrganizationalUnit(topo.standalone, "ou=Product Development,{}".format(DEFAULT_SUFFIX)) ou.create(properties={'ou': 'Product Development'}) properties = { 'uid': 'Jeff Vedder', 'cn': 'Jeff Vedder', 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/' + 'JeffVedder', 'userPassword': PW_DM } user = UserAccount( topo.standalone, "cn=Jeff Vedder,ou=Product Development,{}".format(DEFAULT_SUFFIX)) user.create(properties=properties) conn = UserAccount(topo.standalone, USER_DELADD).bind(PW_DM) # Allow write access to userdn with wildcards in DN ua = UserAccount(conn, USER_DELADD) ua.add("title", "Architect") assert ua.get_attr_val('title')
def aci_setup(topo): topo.standalone.log.info("Add {}".format(BIND_DN)) user = UserAccount(topo.standalone, BIND_DN) user_props = TEST_USER_PROPERTIES.copy() user_props.update({'sn': BIND_RDN, 'cn': BIND_RDN, 'uid': BIND_RDN, 'inetUserStatus': '1', 'objectclass': 'extensibleObject', 'userpassword': PASSWORD}) user.create(properties=user_props, basedn=SUFFIX) topo.standalone.log.info("Add {}".format(BIND_DN2)) user2 = UserAccount(topo.standalone, BIND_DN2) user_props = TEST_USER_PROPERTIES.copy() user_props.update({'sn': BIND_RDN2, 'cn': BIND_RDN2, 'uid': BIND_RDN2, 'userpassword': PASSWORD}) user2.create(properties=user_props, basedn=SUFFIX)
def test_write_access_to_naming_atributes_two(topo, _add_user, aci_of_user, request): """Test for write access to naming atributes (2) :id: 5a2077d2-7932-11e8-9e7b-8c16451d917b :setup: server :steps: 1. Add test entry 2. Add ACI 3. User should follow ACI role 4. Now try to modrdn it to cn, won't work if request deleteoldrdn. :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed 4. Operation should not succeed """ Domain(topo.standalone, DEFAULT_SUFFIX).add( "aci", '(target ="ldap:///{}")(targetattr != "uid")(version 3.0;acl "{}";allow (write) (userdn = "ldap:///anyone");)' .format(DEFAULT_SUFFIX, request.node.name)) properties = { 'uid': 'Sam Carter1', 'cn': 'Sam Carter1', 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/' + 'SamCarter1' } user = UserAccount( topo.standalone, 'cn=Sam Carter1,ou=Accounting,{}'.format(DEFAULT_SUFFIX)) user.create(properties=properties) user.set("userPassword", "password") conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM) # Test for write access to naming atributes useraccount = UserAccount(conn, SAM_DAMMY_MODRDN) with pytest.raises(ldap.INSUFFICIENT_ACCESS): useraccount.rename("uid=Jeffbo Vedder") UserAccount(topo.standalone, SAM_DAMMY_MODRDN).delete()
def test_cannot_add_an_entry_with_attribute_values_we_are_not_allowed_add( topo, _add_user, aci_of_user ): """ Testing the targattrfilters keyword that allows access control based on the value of the attributes being added (or deleted)) "Valueacl Test $tet_thistest Test not allowed add an entry" :id:0d0effee-7aaa-11e8-b673-8c16451d917b :setup: server :steps: 1. Add test entry 2. Add ACI 3. User should follow ACI role :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed """ ACI_BODY = '(targattrfilters = "add=title:(|(title=engineer)(title=cool dude)(title=scum)) ' \ '&& secretary:(secretary=cn=Meylan, {}), del=title:(|(title=engineer)(title=cool dude)' \ '(title=scum))")(version 3.0; aci "$tet_thistest"; allow (add) userdn = "ldap:///{}";)'.format( DEFAULT_SUFFIX, DEFAULT_SUFFIX) Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY) properties = { 'uid': 'FRED', 'cn': 'FRED', 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/' + 'FRED' } user = UserAccount(topo.standalone, 'cn=FRED,ou=Accounting,{}'.format(DEFAULT_SUFFIX)) user.create(properties=properties) user.set('title', ['anuj', 'kumar', 'borah']) conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM) # aci will not allow adding objectclass user = UserAccount(conn, USER_WITH_ACI_DELADD) with pytest.raises(ldap.INSUFFICIENT_ACCESS): user.add("objectclass", "person")
def test_basic_with_hub(topo): """Check that basic operations work in cascading replication, this includes testing plugins that perform internal operatons, and replicated password policy state attributes. :id: 4ac85552-45bc-477b-89a4-226dfff8c6cc :setup: 1 master, 1 hub, 1 consumer :steps: 1. Enable memberOf plugin and set password account lockout settings 2. Restart the instance 3. Add a user 4. Add a group 5. Test that the replication works 6. Add the user as a member to the group 7. Test that the replication works 8. Issue bad binds to update passwordRetryCount 9. Test that replicaton works 10. Check that passwordRetyCount was replicated :expectedresults: 1. Should be a success 2. Should be a success 3. Should be a success 4. Should be a success 5. Should be a success 6. Should be a success 7. Should be a success 8. Should be a success 9. Should be a success 10. Should be a success """ repl_manager = ReplicationManager(DEFAULT_SUFFIX) master = topo.ms["master1"] consumer = topo.cs["consumer1"] hub = topo.hs["hub1"] for inst in topo: config_memberof(inst) inst.config.set('passwordlockout', 'on') inst.config.set('passwordlockoutduration', '60') inst.config.set('passwordmaxfailure', '3') inst.config.set('passwordIsGlobalPolicy', 'on') # Create user user1 = UserAccount(master, BIND_DN) user_props = TEST_USER_PROPERTIES.copy() user_props.update({ 'sn': BIND_RDN, 'cn': BIND_RDN, 'uid': BIND_RDN, 'inetUserStatus': '1', 'objectclass': 'extensibleObject', 'userpassword': PASSWORD }) user1.create(properties=user_props, basedn=SUFFIX) # Create group groups = Groups(master, DEFAULT_SUFFIX) group = groups.create(properties={'cn': 'group'}) # Test replication repl_manager.test_replication(master, consumer) # Trigger memberOf plugin by adding user to group group.replace('member', user1.dn) # Test replication once more repl_manager.test_replication(master, consumer) # Issue bad password to update passwordRetryCount try: master.simple_bind_s(user1.dn, "badpassword") except: pass # Test replication one last time master.simple_bind_s(DN_DM, PASSWORD) repl_manager.test_replication(master, consumer) # Finally check if passwordRetyCount was replicated to the hub and consumer user1 = UserAccount(hub, BIND_DN) count = user1.get_attr_val_int('passwordRetryCount') if count is None: log.fatal('PasswordRetyCount was not replicated to hub') assert False if int(count) != 1: log.fatal('PasswordRetyCount has unexpected value: {}'.format(count)) assert False user1 = UserAccount(consumer, BIND_DN) count = user1.get_attr_val_int('passwordRetryCount') if count is None: log.fatal('PasswordRetyCount was not replicated to consumer') assert False if int(count) != 1: log.fatal('PasswordRetyCount has unexpected value: {}'.format(count)) assert False
def _add_user(request, topo): org = Organization(topo.standalone).create(properties={"o": "acivattr"}, basedn=DEFAULT_SUFFIX) org.add('aci', '(targetattr="*")(targetfilter="(nsrole=*)")(version 3.0; aci "tester"; ' 'allow(all) userdn="ldap:///cn=enguser1,ou=eng,o=acivattr,{}";)'.format(DEFAULT_SUFFIX)) ou = OrganizationalUnit(topo.standalone, "ou=eng,o=acivattr,{}".format(DEFAULT_SUFFIX)) ou.create(properties={'ou': 'eng'}) ou = OrganizationalUnit(topo.standalone, "ou=sales,o=acivattr,{}".format(DEFAULT_SUFFIX)) ou.create(properties={'ou': 'sales'}) roles = FilteredRoles(topo.standalone, DNBASE) roles.create(properties={'cn':'FILTERROLEENGROLE', 'nsRoleFilter':'cn=eng*'}) roles.create(properties={'cn': 'FILTERROLESALESROLE', 'nsRoleFilter': 'cn=sales*'}) nsContainer(topo.standalone, 'cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,o=acivattr,{}'.format(DEFAULT_SUFFIX)).create( properties={'cn': 'cosTemplates'}) properties = {'employeeType': 'EngType', 'cn':'"cn=filterRoleEngRole,o=acivattr,dc=example,dc=com",cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,o=acivattr,dc=example,dc=com'} CosTemplate(topo.standalone,'cn="cn=filterRoleEngRole,o=acivattr,dc=example,dc=com",' 'cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,o=acivattr,{}'.format(DEFAULT_SUFFIX)).\ create(properties=properties) properties = {'employeeType': 'SalesType', 'cn': '"cn=filterRoleSalesRole,o=acivattr,dc=example,dc=com",cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,o=acivattr,dc=example,dc=com'} CosTemplate(topo.standalone, 'cn="cn=filterRoleSalesRole,o=acivattr,dc=example,dc=com",cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,' 'o=acivattr,{}'.format(DEFAULT_SUFFIX)).create(properties=properties) properties = { 'cosTemplateDn': 'cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,o=acivattr,{}'.format(DEFAULT_SUFFIX), 'cosAttribute': 'employeeType', 'cosSpecifier': 'nsrole', 'cn': 'cosClassicGenerateEmployeeTypeUsingnsrole'} CosClassicDefinition(topo.standalone, 'cn=cosClassicGenerateEmployeeTypeUsingnsrole,o=acivattr,{}'.format(DEFAULT_SUFFIX)).create( properties=properties) properties = { 'uid': 'salesuser1', 'cn': 'salesuser1', 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/' + 'salesuser1', 'userPassword': PW_DM } user = UserAccount(topo.standalone, 'cn=salesuser1,ou=sales,o=acivattr,{}'.format(DEFAULT_SUFFIX)) user.create(properties=properties) properties = { 'uid': 'salesmanager1', 'cn': 'salesmanager1', 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/' + 'salesmanager1', 'userPassword': PW_DM, } user = UserAccount(topo.standalone, 'cn=salesmanager1,ou=sales,o=acivattr,{}'.format(DEFAULT_SUFFIX)) user.create(properties=properties) properties = { 'uid': 'enguser1', 'cn': 'enguser1', 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/' + 'enguser1', 'userPassword': PW_DM } user = UserAccount(topo.standalone, 'cn=enguser1,ou=eng,o=acivattr,{}'.format(DEFAULT_SUFFIX)) user.create(properties=properties) properties = { 'uid': 'engmanager1', 'cn': 'engmanager1', 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/' + 'engmanager1', 'userPassword': PW_DM } user = UserAccount(topo.standalone, 'cn=engmanager1,ou=eng,o=acivattr,{}'.format(DEFAULT_SUFFIX)) user.create(properties=properties) def fin(): for DN in [ENG_USER,SALES_UESER,ENG_MANAGER,SALES_MANAGER,FILTERROLESALESROLE,FILTERROLEENGROLE,ENG_OU,SALES_OU, 'cn="cn=filterRoleEngRole,o=acivattr,dc=example,dc=com",' 'cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,o=acivattr,dc=example,dc=com', 'cn="cn=filterRoleSalesRole,o=acivattr,dc=example,dc=com",' 'cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,o=acivattr,{}'.format(DEFAULT_SUFFIX), 'cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,o=acivattr,{}'.format(DEFAULT_SUFFIX), 'cn=cosClassicGenerateEmployeeTypeUsingnsrole,o=acivattr,{}'.format(DEFAULT_SUFFIX), DNBASE]: UserAccount(topo.standalone, DN).delete() request.addfinalizer(fin)
def test_filterrole(topo): """Test Filter Role :id: 8ada4064-786b-11e8-8634-8c16451d917b :setup: server :steps: 1. Add test entry 2. Add ACI 3. Search nsconsole role :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed """ Organization(topo.standalone).create(properties={"o": "acivattr"}, basedn=DEFAULT_SUFFIX) properties = { 'ou': 'eng', } ou_ou = OrganizationalUnit(topo.standalone, "ou=eng,o=acivattr,{}".format(DEFAULT_SUFFIX)) ou_ou.create(properties=properties) properties = {'ou': 'sales'} ou_ou = OrganizationalUnit(topo.standalone, "ou=sales,o=acivattr,{}".format(DEFAULT_SUFFIX)) ou_ou.create(properties=properties) roles = FilteredRoles(topo.standalone, DNBASE) roles.create(properties={ 'cn': 'FILTERROLEENGROLE', 'nsRoleFilter': 'cn=eng*' }) roles.create(properties={ 'cn': 'FILTERROLESALESROLE', 'nsRoleFilter': 'cn=sales*' }) properties = { 'uid': 'salesuser1', 'cn': 'salesuser1', 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/' + 'salesuser1', 'userPassword': PW_DM } user = UserAccount( topo.standalone, 'cn=salesuser1,ou=sales,o=acivattr,{}'.format(DEFAULT_SUFFIX)) user.create(properties=properties) properties = { 'uid': 'salesmanager1', 'cn': 'salesmanager1', 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/' + 'salesmanager1', 'userPassword': PW_DM, } user = UserAccount( topo.standalone, 'cn=salesmanager1,ou=sales,o=acivattr,{}'.format(DEFAULT_SUFFIX)) user.create(properties=properties) properties = { 'uid': 'enguser1', 'cn': 'enguser1', 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/' + 'enguser1', 'userPassword': PW_DM } user = UserAccount( topo.standalone, 'cn=enguser1,ou=eng,o=acivattr,{}'.format(DEFAULT_SUFFIX)) user.create(properties=properties) properties = { 'uid': 'engmanager1', 'cn': 'engmanager1', 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/' + 'engmanager1', 'userPassword': PW_DM } user = UserAccount( topo.standalone, 'cn=engmanager1,ou=eng,o=acivattr,{}'.format(DEFAULT_SUFFIX)) user.create(properties=properties) # user with cn=sales* will automatically memeber of nsfilterrole # cn=filterrolesalesrole,o=acivattr,dc=example,dc=com assert UserAccount(topo.standalone, 'cn=salesuser1,ou=sales,o=acivattr,dc=example,dc=com').\ get_attr_val_utf8('nsrole') == 'cn=filterrolesalesrole,o=acivattr,dc=example,dc=com' # same goes to SALES_MANAGER assert UserAccount(topo.standalone, SALES_MANAGER).get_attr_val_utf8( 'nsrole') == 'cn=filterrolesalesrole,o=acivattr,dc=example,dc=com' # user with cn=eng* will automatically memeber of nsfilterrole # cn=filterroleengrole,o=acivattr,dc=example,dc=com assert UserAccount(topo.standalone, 'cn=enguser1,ou=eng,o=acivattr,dc=example,dc=com').\ get_attr_val_utf8('nsrole') == 'cn=filterroleengrole,o=acivattr,dc=example,dc=com' # same goes to ENG_MANAGER assert UserAccount(topo.standalone, ENG_MANAGER).get_attr_val_utf8( 'nsrole') == 'cn=filterroleengrole,o=acivattr,dc=example,dc=com' for dn_dn in [ ENG_USER, SALES_UESER, ENG_MANAGER, SALES_MANAGER, FILTERROLESALESROLE, FILTERROLEENGROLE, ENG_OU, SALES_OU, DNBASE ]: UserAccount(topo.standalone, dn_dn).delete()
def test_positive(topo): """ :id: ba6d5e9c-786b-11e8-860d-8c16451d917b :setup: server :steps: 1. Add filter role entry 2. Add ns container 3. Add cos template 4. Add CosClassic Definition 5. Cos entries should be added and searchable 6. employeeType attribute should be there in user entry as per the cos plugin property :expectedresults: 1. Operation should success 2. Operation should success 3. Operation should success 4. Operation should success 5. Operation should success 6. Operation should success """ # Adding ns filter role roles = FilterRoles(topo.standalone, DEFAULT_SUFFIX) roles.create(properties={ 'cn': 'FILTERROLEENGROLE', 'nsRoleFilter': 'cn=eng*' }) # adding ns container nsContainer(topo.standalone,'cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,{}'.format(DEFAULT_SUFFIX))\ .create(properties={'cn': 'cosTemplates'}) # creating cos template properties = { 'employeeType': 'EngType', 'cn': '"cn=filterRoleEngRole,dc=example,dc=com",cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,dc=example,dc=com' } CosTemplate(topo.standalone, 'cn="cn=filterRoleEngRole,dc=example,dc=com",cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,{}'.format(DEFAULT_SUFFIX))\ .create(properties=properties) # creating CosClassicDefinition properties = { 'cosTemplateDn': 'cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,{}'.format( DEFAULT_SUFFIX), 'cosAttribute': 'employeeType', 'cosSpecifier': 'nsrole', 'cn': 'cosClassicGenerateEmployeeTypeUsingnsrole' } CosClassicDefinition(topo.standalone,'cn=cosClassicGenerateEmployeeTypeUsingnsrole,{}'.format(DEFAULT_SUFFIX))\ .create(properties=properties) # Adding User entry properties = { 'uid': 'enguser1', 'cn': 'enguser1', 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/' + 'enguser1' } user = UserAccount(topo.standalone, 'cn=enguser1,{}'.format(DEFAULT_SUFFIX)) user.create(properties=properties) # Asserting Cos should be added and searchable cosdef = CosClassicDefinitions( topo.standalone, DEFAULT_SUFFIX).get('cosClassicGenerateEmployeeTypeUsingnsrole') assert cosdef.dn == 'cn=cosClassicGenerateEmployeeTypeUsingnsrole,dc=example,dc=com' assert cosdef.get_attr_val_utf8( 'cn') == 'cosClassicGenerateEmployeeTypeUsingnsrole' # CoS definition entry's cosSpecifier attribute specifies the employeeType attribute assert user.present('employeeType')
def test_urp_trigger_substring_search(topo_m2): """Test that a ADD of a entry with a '*' in its DN, triggers an internal search with a escaped DN :id: 9869bb39-419f-42c3-a44b-c93eb0b77667 :setup: MMR with 2 masters :steps: 1. enable internal operation loggging for plugins 2. Create on M1 a test_user with a '*' in its DN 3. Check the test_user is replicated 4. Check in access logs that the internal search does not contain '*' :expectedresults: 1. Should succeeds 2. Should succeeds 3. Should succeeds 4. Should succeeds """ m1 = topo_m2.ms["master1"] m2 = topo_m2.ms["master2"] # Enable loggging of internal operation logging to capture URP intop log.info('Set nsslapd-plugin-logging to on') for inst in (m1, m2): inst.config.loglevel([AccessLog.DEFAULT, AccessLog.INTERNAL], service='access') inst.config.set('nsslapd-plugin-logging', 'on') inst.restart() # add a user with a DN containing '*' test_asterisk_uid = 'asterisk_*_in_value' test_asterisk_dn = 'uid={},{}'.format(test_asterisk_uid, DEFAULT_SUFFIX) test_user = UserAccount(m1, test_asterisk_dn) if test_user.exists(): log.info('Deleting entry {}'.format(test_asterisk_dn)) test_user.delete() test_user.create( properties={ 'uid': test_asterisk_uid, 'cn': test_asterisk_uid, 'sn': test_asterisk_uid, 'userPassword': test_asterisk_uid, 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/asterisk', }) # check that the ADD was replicated on M2 test_user_m2 = UserAccount(m2, test_asterisk_dn) for i in range(1, 5): if test_user_m2.exists(): break else: log.info('Entry not yet replicated on M2, wait a bit') time.sleep(2) # check that M2 access logs does not "(&(objectclass=nstombstone)(nscpentrydn=uid=asterisk_*_in_value,dc=example,dc=com))" log.info('Check that on M2, URP as not triggered such internal search') pattern = ".*\(Internal\).*SRCH.*\(&\(objectclass=nstombstone\)\(nscpentrydn=uid=asterisk_\*_in_value,dc=example,dc=com.*" found = m2.ds_access_log.match(pattern) log.info("found line: %s" % found) assert not found