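def create_posix_usersgroups(session_multihost):
    """Create ten POSIX users (foo0..foo9) and the ``ldapusers`` group.

    Binds to the directory server on ``master[0]`` as Directory Manager and
    adds ``uid=foo0..foo9,ou=People,dc=example,dc=test`` with uidNumbers
    14583100..14583109 and gidNumber 14564100.  Each user also gets a
    Kerberos principal in EXAMPLE.TEST with the same test password.  The
    group ``cn=ldapusers,ou=Groups,dc=example,dc=test`` is created with foo0
    as its first uniqueMember and foo1..foo9 are added afterwards.

    This fixture registers no teardown: users, principals and the group stay
    in the directory for the rest of the session.

    NOTE(review): the bind uses a plaintext ``ldap://`` URI and a hard-coded
    Directory Manager password; tolerable only because the target is a
    throw-away test instance.

    Args:
        session_multihost: multihost fixture; ``master[0]`` is the DS/KDC host.

    Raises:
        Fails the fixture via ``pytest.fail`` when a user or the group cannot
        be added, and via ``AssertionError`` when a membership modify fails.
    """
    ldap_uri = 'ldap://%s' % (session_multihost.master[0].sys_hostname)
    ds_rootdn = 'cn=Directory Manager'
    ds_rootpw = 'Secret123'
    ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
    krb = krb5srv(session_multihost.master[0], 'EXAMPLE.TEST')
    base = "dc=example,dc=test"
    for i in range(10):
        name = 'foo%d' % i
        user_info = {'cn': name,
                     'uid': name,
                     'uidNumber': '1458310%d' % i,
                     'gidNumber': '14564100'}
        # posix_user() reports failure through its return value, not an
        # exception; use pytest.fail like the other fixtures in this file
        # rather than print + assert False.
        if not ldap_inst.posix_user("ou=People", base, user_info):
            pytest.fail("Unable to add ldap User %s" % (user_info))
        krb.add_principal(name, 'user', 'Secret123')
    memberdn = 'uid=%s,ou=People,dc=example,dc=test' % ('foo0')
    group_info = {'cn': 'ldapusers',
                  'gidNumber': '14564100',
                  'uniqueMember': memberdn}
    try:
        ldap_inst.posix_group("ou=Groups", base, group_info)
    except LdapException:
        pytest.fail("Unable to add ldap group %s" % (group_info))
    group_dn = 'cn=ldapusers,ou=Groups,dc=example,dc=test'
    for i in range(1, 10):
        user_dn = 'uid=foo%d,ou=People,dc=example,dc=test' % i
        add_member = [(ldap.MOD_ADD, 'uniqueMember', user_dn.encode('utf-8'))]
        # modify_ldap() reports its outcome as a status string
        (ret, _) = ldap_inst.modify_ldap(group_dn, add_member)
        assert ret == 'Success', \
            "Unable to add %s to %s: %s" % (user_dn, group_dn, ret)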
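def case_sensitive_sudorule(session_multihost, create_casesensitive_posix_user,
                            request):
    """Create two sudo rules that differ only in the case of their user.

    Creates ``ou=sudoers,dc=example,dc=test`` and two rules under it:
    ``cn=lessrule`` granting ``/usr/bin/less`` to ``capsuser-1`` and
    ``cn=morerule`` granting ``/usr/bin/more`` to ``CAPSUSER-1``, both on
    ``ALL`` hosts with the ``!requiretty`` and ``!authenticate`` options
    (no password prompt).  A finalizer removes both rules and the OU.

    Args:
        session_multihost: multihost fixture; ``master[0]`` is the DS host.
        create_casesensitive_posix_user: dependency fixture so the user the
            rules name exists; its value is not used here.
        request: pytest request object used to register the finalizer.
    """
    ldap_uri = 'ldap://%s' % (session_multihost.master[0].sys_hostname)
    ds_rootdn = 'cn=Directory Manager'
    ds_rootpw = 'Secret123'
    ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
    ldap_inst.org_unit('sudoers', 'dc=example,dc=test')
    sudo_ou = 'ou=sudoers,dc=example,dc=test'
    rule_dn1 = "%s,%s" % ('cn=lessrule', sudo_ou)
    rule_dn2 = "%s,%s" % ('cn=morerule', sudo_ou)
    # !authenticate grants passwordless sudo; these rules must not outlive
    # the test, which is what the finalizer below is for.
    sudo_options = ["!requiretty", "!authenticate"]
    rules = [(rule_dn1, '/usr/bin/less', 'capsuser-1'),
             (rule_dn2, '/usr/bin/more', 'CAPSUSER-1')]
    for rule_dn, command, sudo_user in rules:
        try:
            ldap_inst.add_sudo_rule(rule_dn, 'ALL', command, sudo_user,
                                    sudo_options)
        except LdapException:
            pytest.fail("Failed to add sudo rule %s" % rule_dn)

    def del_sensitive_sudo_rule():
        """Delete both rules and the OU.

        Every deletion is attempted even if an earlier one fails (the
        original asserted after each step, so one failure skipped the rest
        and could leave a passwordless rule behind); failures are reported
        together at the end.
        """
        failed = []
        # Leaf entries first: the OU cannot be removed while it has children.
        for entry_dn in (rule_dn1, rule_dn2, sudo_ou):
            (ret, _) = ldap_inst.del_dn(entry_dn)
            if ret != 'Success':
                failed.append("%s (%s)" % (entry_dn, ret))
        if failed:
            pytest.fail("Failed to delete: %s" % ", ".join(failed))

    request.addfinalizer(del_sensitive_sudo_rule)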
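def create_casesensitive_posix_user(session_multihost):
    """Create the POSIX user used by the case-sensitivity sudo tests.

    Adds one user under ``ou=People,dc=example,dc=test`` on ``master[0]``
    (uidNumber 24583100, gidNumber 14564100) and a Kerberos principal named
    ``CAPSUSER-1`` in EXAMPLE.TEST.  No teardown is registered; the user and
    principal stay for the rest of the session.

    NOTE(review): the ``username`` literal reads ``'******'`` in this
    listing, which looks like redaction rather than the real value; confirm
    it against the repository (the principal name suggests ``capsuser-1``).

    Args:
        session_multihost: multihost fixture; ``master[0]`` is the DS/KDC host.

    Raises:
        Fails via ``pytest.fail`` if the LDAP entry cannot be added, so a
        principal is never created for a user that does not exist.
    """
    ldap_uri = 'ldap://%s' % (session_multihost.master[0].sys_hostname)
    krb = krb5srv(session_multihost.master[0], 'EXAMPLE.TEST')
    ds_rootdn = 'cn=Directory Manager'
    ds_rootpw = 'Secret123'
    ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
    username = '******'
    user_info = {'cn': username,
                 'uid': username,
                 'uidNumber': '24583100',
                 'gidNumber': '14564100'}
    # posix_user() signals failure through its return value; the original
    # discarded it and added the principal regardless.
    if not ldap_inst.posix_user("ou=People", "dc=example,dc=test", user_info):
        pytest.fail("Failed to add ldap user %s" % (user_info))
    krb.add_principal('CAPSUSER-1', 'user', 'Secret123')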
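def create_casesensitive_posix_user(session_multihost):
    """Create the POSIX user whose uid and principal differ in case.

    Adds one user under ``ou=People,dc=example,dc=test`` on ``master[0]``
    (uidNumber 24583100, gidNumber 14564100) and a Kerberos principal
    ``CAPSUSER-1`` in EXAMPLE.TEST.  Nothing is torn down afterwards.

    NOTE(review): ``username`` is ``'******'`` in this listing, which looks
    like a redaction artefact, not the real value; confirm against the
    repository (the principal name suggests ``capsuser-1``).

    Args:
        session_multihost: multihost fixture; ``master[0]`` is the DS/KDC host.

    Raises:
        Fails via ``pytest.fail`` when the LDAP entry cannot be added, so the
        Kerberos principal is only created for an existing user.
    """
    master = session_multihost.master[0]
    krb = krb5srv(master, 'EXAMPLE.TEST')
    ldap_inst = LdapOperations('ldap://%s' % (master.sys_hostname),
                               'cn=Directory Manager', 'Secret123')
    username = '******'
    user_info = {'cn': username,
                 'uid': username,
                 'uidNumber': '24583100',
                 'gidNumber': '14564100'}
    created = ldap_inst.posix_user("ou=People", "dc=example,dc=test",
                                   user_info)
    # The original ignored this result; a failed add must not be followed
    # by a principal for a user that does not exist.
    if not created:
        pytest.fail("Failed to add ldap user %s" % (user_info))
    krb.add_principal('CAPSUSER-1', 'user', 'Secret123')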
def create_sudorule(session_multihost, create_casesensitive_posix_user):
    """Create two sudo rules whose user names differ only in case.

    Under ``ou=sudoers,dc=example,dc=test`` this adds ``cn=lessrule``
    (``/usr/bin/less`` for ``capsuser-1``) and ``cn=morerule``
    (``/usr/bin/more`` for ``CAPSUSER-1``), both for ``ALL`` hosts with
    ``!requiretty`` and ``!authenticate`` (passwordless).  No finalizer is
    registered here, so the rules and the OU persist after the test.

    Args:
        session_multihost: multihost fixture; ``master[0]`` is the DS host.
        create_casesensitive_posix_user: dependency fixture, required only
            so the referenced user exists; its value is unused.
    """
    # pylint: disable=unused-argument
    _pytest_fixtures = [create_casesensitive_posix_user]
    master = session_multihost.master[0]
    ldap_inst = LdapOperations('ldap://%s' % (master.sys_hostname),
                               'cn=Directory Manager', 'Secret123')
    base = 'dc=example,dc=test'
    ldap_inst.org_unit('sudoers', base)
    sudo_ou = 'ou=sudoers,' + base
    sudo_options = ["!requiretty", "!authenticate"]
    rules = (('cn=lessrule', '/usr/bin/less', 'capsuser-1'),
             ('cn=morerule', '/usr/bin/more', 'CAPSUSER-1'))
    for rdn, command, sudo_user in rules:
        rule_dn = "%s,%s" % (rdn, sudo_ou)
        try:
            ldap_inst.add_sudo_rule(rule_dn, 'ALL', command, sudo_user,
                                    sudo_options)
        except LdapException:
            pytest.fail("Failed to add sudo rule %s" % rule_dn)
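def case_sensitive_sudorule(session_multihost,
                            create_casesensitive_posix_user,
                            request):
    """Create two sudo rules differing only in the case of the user name.

    Creates ``ou=sudoers,dc=example,dc=test`` and under it ``cn=lessrule``
    (``/usr/bin/less`` for ``capsuser-1``) and ``cn=morerule``
    (``/usr/bin/more`` for ``CAPSUSER-1``), both on ``ALL`` hosts with
    ``!requiretty`` and ``!authenticate`` (no password prompt).  A finalizer
    deletes the rules and then the OU.

    Args:
        session_multihost: multihost fixture; ``master[0]`` is the DS host.
        create_casesensitive_posix_user: dependency fixture so the user the
            rules refer to exists; its value is unused.
        request: pytest request object used to register the finalizer.
    """
    master = session_multihost.master[0]
    ldap_inst = LdapOperations('ldap://%s' % (master.sys_hostname),
                               'cn=Directory Manager', 'Secret123')
    ldap_inst.org_unit('sudoers', 'dc=example,dc=test')
    sudo_ou = 'ou=sudoers,dc=example,dc=test'
    rule_dn1 = "%s,%s" % ('cn=lessrule', sudo_ou)
    rule_dn2 = "%s,%s" % ('cn=morerule', sudo_ou)
    # Passwordless (!authenticate) rules: cleanup in the finalizer matters.
    sudo_options = ["!requiretty", "!authenticate"]
    for rule_dn, command, sudo_user in ((rule_dn1, '/usr/bin/less',
                                         'capsuser-1'),
                                        (rule_dn2, '/usr/bin/more',
                                         'CAPSUSER-1')):
        try:
            ldap_inst.add_sudo_rule(rule_dn, 'ALL', command, sudo_user,
                                    sudo_options)
        except LdapException:
            pytest.fail("Failed to add sudo rule %s" % rule_dn)

    def del_sensitive_sudo_rule():
        """Delete rule 1, rule 2 and the OU, in that order.

        Unlike an assert after each step, a failure here does not stop the
        remaining deletions, so at most one entry is left behind and the
        failure names every DN that could not be removed.
        """
        leftovers = []
        for entry_dn in (rule_dn1, rule_dn2, sudo_ou):
            (ret, _) = ldap_inst.del_dn(entry_dn)
            if ret != 'Success':
                leftovers.append("%s (%s)" % (entry_dn, ret))
        if leftovers:
            pytest.fail("Failed to delete: %s" % ", ".join(leftovers))
    request.addfinalizer(del_sensitive_sudo_rule)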
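 def test_sss_cache_reset(self, multihost, backupsssdconf):
     """
     :title: fix sss_cache to also reset cached timestamp
     :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1902280
     :customerscenario: True
     :id: c310f1b4-e89b-11eb-84ce-845cf3eff344
     :steps:
         1. Remove foo9 from the ldapusers group entry in LDAP
         2. Run 'sss_cache -G' and 'sss_cache -E' on the client
         3. Check with 'getent group' on the client that foo9 is gone
     :expectedresults:
         1. Should succeed
         2. Should succeed
         3. foo9 is no longer listed and the output differs from before
     """
     tools = sssdTools(multihost.client[0])
     domain_name = tools.get_domain_section_name()
     domain_params = {
         'ldap_schema': 'rfc2307bis',
         'ldap_group_member': 'uniquemember',
         'debug_level': '9'
     }
     tools.sssd_conf(f'domain/{domain_name}', domain_params)
     multihost.client[0].service_sssd('restart')
     getent_cmd = "getent group ldapusers@example1"
     get_ent = multihost.client[0].run_command(getent_cmd)
     # Precondition: foo9 must be a member before the change, otherwise
     # the "not in" check below would pass vacuously.
     assert "foo9@example1" in get_ent.stdout_text
     user_dn = 'uid=foo9,ou=People,dc=example,dc=test'
     group_dn = 'cn=ldapusers,ou=Groups,dc=example,dc=test'
     ldap_uri = 'ldap://%s' % (multihost.master[0].sys_hostname)
     ds_rootdn = 'cn=Directory Manager'
     ds_rootpw = 'Secret123'
     ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
     member_value = user_dn.encode('utf-8')
     del_member = [(ldap.MOD_DELETE, 'uniqueMember', member_value)]
     (ret, _) = ldap_inst.modify_ldap(group_dn, del_member)
     assert ret == 'Success'
     try:
         multihost.client[0].run_command("sss_cache -G")
         multihost.client[0].run_command("sss_cache -E")
         get_ent1 = multihost.client[0].run_command(getent_cmd)
         assert "foo9@example1" not in get_ent1.stdout_text
         assert get_ent.stdout_text != get_ent1.stdout_text
     finally:
         # Put foo9 back: ldapusers is a session-wide fixture group and the
         # original test permanently dropped the member for later tests.
         add_member = [(ldap.MOD_ADD, 'uniqueMember', member_value)]
         (ret, _) = ldap_inst.modify_ldap(group_dn, add_member)
         assert ret == 'Success', \
             "Failed to restore %s in %s: %s" % (user_dn, group_dn, ret)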
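 def test_0005_getent_homedirectory(self, multihost, backupsssdconf):
     """
     :title: misc: fallback_homedir returns '/'
      for empty home directories in passwd file
     :id: 69a6b54e-a8eb-4145-8554-c5e666d82276
     :customerscenario: True
     :bugzilla:
      https://bugzilla.redhat.com/show_bug.cgi?id=1660693
     :steps:
         1. Add an LDAP user whose homeDirectory is a single space
         2. Look the user up with 'getent passwd -s sss'
     :expectedresults:
         1. Should succeed
         2. The user resolves and its home field is not '/'
     """
     multihost.client[0].service_sssd('restart')
     ldap_uri = 'ldap://%s' % (multihost.master[0].sys_hostname)
     ds_rootdn = 'cn=Directory Manager'
     ds_rootpw = 'Secret123'
     ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
     # NOTE(review): the RDN is uid=user_exp4 but the uid attribute is
     # 'user_exp'; whether the server adds the RDN value to the entry is
     # server behaviour, not something this test controls -- confirm.
     user_info = {
         'cn':
         'user_exp4'.encode('utf-8'),
         'objectClass': [
             b'top', b'person', b'inetOrgPerson', b'organizationalPerson',
             b'posixAccount'
         ],
         'sn':
         'user_exp'.encode('utf-8'),
         'uid':
         'user_exp'.encode('utf-8'),
         'userPassword':
         '******'.encode('utf-8'),
         # A lone space is the "empty" home directory the bug is about.
         'homeDirectory':
         ' '.encode('utf-8'),
         'uidNumber':
         '121012'.encode('utf-8'),
         'gidNumber':
         '121012'.encode('utf-8'),
         'loginShell':
         '/bin/bash'.encode('utf-8')
     }
     user_dn = 'uid=user_exp4,ou=People,dc=example,dc=test'
     (ret, added) = ldap_inst.add_entry(user_info, user_dn)
     # The original discarded this result; if the add failed, getent
     # printed nothing and ':/:' was trivially absent (a vacuous pass).
     assert added, "Failed to add %s: %s" % (user_dn, ret)
     try:
         cmd_getent = "getent passwd -s sss user_exp4@example1"
         cmd = multihost.client[0].run_command(cmd_getent)
     finally:
         # Remove the entry even when the lookup itself raises.
         ldap_inst.del_dn(user_dn)
     assert cmd.stdout_text.strip(), "getent returned no entry for user_exp4"
     assert ":/:" not in cmd.stdout_text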
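 def test_0003_background_refresh(self, multihost):
     """
     :title: netgroup: background refresh task does not refresh
      updated netgroup entries
     :id: b17d904d-0d64-4f4a-bbad-4c7f63e1faf2
     :bugzilla:
      https://bugzilla.redhat.com/show_bug.cgi?id=1779486 (RHEL8.2)
      https://bugzilla.redhat.com/show_bug.cgi?id=1822461 (RHEL7.8)
     :steps:
         1. Set a short entry_cache_timeout / refresh_expired_interval
            and prime the cache with 'getent netgroup netgroup_1'
         2. Replace the nisNetgroupTriple of netgroup_1 in LDAP
         3. Wait for the background refresh and inspect the sysdb cache
     :expectedresults:
         1. Should succeed
         2. Should succeed
         3. The new triple is present in the cached netgroup entry
     """
     multihost.client[0].service_sssd('stop')
     tools = sssdTools(multihost.client[0])
     tools.remove_sss_cache('/var/lib/sss/db')
     section = "domain/%s" % ds_instance_name
     domain_params = {
         'entry_cache_timeout': '30',
         'refresh_expired_interval': '22'
     }
     tools.sssd_conf(section, domain_params)
     multihost.client[0].service_sssd('restart')
     try:
         # Prime the cache so the entry is subject to background refresh.
         multihost.client[0].run_command("getent netgroup netgroup_1")
         shortname = multihost.client[0].sys_hostname.strip().split('.')[0]
         ldap_uri = 'ldap://%s' % (multihost.master[0].sys_hostname)
         ds_rootdn = 'cn=Directory Manager'
         ds_rootpw = 'Secret123'
         ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
         netgroup_dn = 'cn=netgroup_1,ou=Netgroups,%s' % (ds_suffix)
         nisNetgroupTriple = "(%s,foo1,%s)" % (shortname, ds_suffix)
         modify_netgroup = [(ldap.MOD_REPLACE, 'nisNetgroupTriple',
                             nisNetgroupTriple.encode('utf-8'))]
         # The original discarded this result; an unapplied change would
         # make the final assertion fail for the wrong reason.
         (ret, _) = ldap_inst.modify_ldap(netgroup_dn, modify_netgroup)
         assert ret == 'Success', "Failed to modify %s: %s" % (netgroup_dn,
                                                                ret)
         # Longer than both entry_cache_timeout (30s) and
         # refresh_expired_interval (22s) so the refresh task runs.
         time.sleep(40)
         ldb_cmd = 'ldbsearch -H /var/lib/sss/db/cache_%s.ldb'\
                   ' -b cn=Netgroups,cn=%s,cn=sysdb' % (ds_instance_name,
                                                        ds_instance_name)
         cmd = multihost.client[0].run_command(ldb_cmd)
     finally:
         # Drop the short timeouts even if a command above raised.
         tools.sssd_conf(section, domain_params, action='delete')
     new_entry = "netgroupTriple: (%s,foo1,%s)" % (shortname, ds_suffix)
     assert new_entry in cmd.stdout_text.strip().split('\n')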
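def create_posix_usersgroups(session_multihost):
    """Create users foo0..foo9 and the group ``ldapusers`` they belong to.

    Users are added under ``ou=People,dc=example,dc=test`` with uidNumbers
    14583100..14583109 and gidNumber 14564100, each with a Kerberos
    principal of the same name in EXAMPLE.TEST.  The group
    ``cn=ldapusers,ou=Groups,dc=example,dc=test`` (gidNumber 14564100) is
    created with foo0 as uniqueMember, then foo1..foo9 are added to it.
    Nothing is torn down; all entries persist for the session.

    NOTE(review): plaintext ``ldap://`` bind with a hard-coded Directory
    Manager password -- acceptable only against a disposable test server.

    Args:
        session_multihost: multihost fixture; ``master[0]`` is the DS/KDC host.

    Raises:
        Fails via ``pytest.fail`` when a user or the group cannot be added;
        ``AssertionError`` when a membership modification is rejected.
    """
    master = session_multihost.master[0]
    ldap_inst = LdapOperations('ldap://%s' % (master.sys_hostname),
                               'cn=Directory Manager', 'Secret123')
    krb = krb5srv(master, 'EXAMPLE.TEST')
    people = "ou=People"
    groups = "ou=Groups"
    base = "dc=example,dc=test"
    for i in range(10):
        login = 'foo%d' % i
        user_info = {'cn': login,
                     'uid': login,
                     'uidNumber': '1458310%d' % i,
                     'gidNumber': '14564100'}
        # posix_user() returns a success flag instead of raising; fail the
        # fixture the pytest way rather than print + assert False.
        if not ldap_inst.posix_user(people, base, user_info):
            pytest.fail("Unable to add ldap User %s" % (user_info))
        krb.add_principal(login, 'user', 'Secret123')
    memberdn = 'uid=%s,ou=People,dc=example,dc=test' % ('foo0')
    group_info = {'cn': 'ldapusers',
                  'gidNumber': '14564100',
                  'uniqueMember': memberdn}
    try:
        ldap_inst.posix_group(groups, base, group_info)
    except LdapException:
        pytest.fail("Unable to add ldap group %s" % (group_info))
    group_dn = 'cn=ldapusers,ou=Groups,dc=example,dc=test'
    for i in range(1, 10):
        user_dn = 'uid=foo%d,ou=People,dc=example,dc=test' % i
        add_member = [(ldap.MOD_ADD, 'uniqueMember', user_dn.encode('utf-8'))]
        (ret, _) = ldap_inst.modify_ldap(group_dn, add_member)
        assert ret == 'Success', \
            "Unable to add %s to %s: %s" % (user_dn, group_dn, ret)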
    def enable_ssl(self, binduri, tls_port):
        """Enable TLS on the Directory Server and set its secure port.

        Binds to ``binduri`` as the instance root DN and applies, in order:
        ``nsTLS1: on`` on ``cn=encryption,cn=config``; a new
        ``cn=RSA,cn=encryption,cn=config`` entry naming the server
        certificate ``Server-Cert-<dsinstance_host>`` in the internal NSS
        token; ``nsslapd-security: on``; and ``nsslapd-securePort`` set to
        ``tls_port``.  Each step raises on rejection, so an exception can
        leave the server partially configured.

        NOTE(review): this configures only the server side of TLS.  Whether
        clients verify the certificate, and over which protocol the root
        password travels in ``binduri``, is decided by the caller.

        Args:
            binduri (str): LDAP URI to bind with.
            tls_port (str): TLS port to configure.

        Returns:
            None.  (An earlier docstring promised ``bool``; no value is
            returned -- success is the absence of an exception.)

        Raises:
            LdapException: if any of the four changes is rejected.
        """
        ldap_obj = LdapOperations(uri=binduri,
                                  binddn=self.dsrootdn,
                                  bindpw=self.dsrootdn_pwd)

        def apply_mod(target_dn, changes, failure_fmt, success_msg):
            """Run one modify; translate a failed result into LdapException."""
            (err, ok) = ldap_obj.modify_ldap(target_dn, changes)
            if not ok:
                raise LdapException(failure_fmt % (err))
            print(success_msg)

        # Enable TLS
        apply_mod('cn=encryption,cn=config',
                  [(ldap.MOD_ADD, 'nsTLS1', 'on')],
                  'fail to enable TLS, Error:%s',
                  'Enabled nsTLS1=on')

        # Point the RSA encryption module at the server certificate
        rsa_entry = {
            'objectClass': ['top', 'nsEncryptionModule'],
            'cn': 'RSA',
            'nsSSLtoken': 'internal (software)',
            'nsSSLPersonalitySSL': 'Server-Cert-%s' % (self.dsinstance_host),
            'nsSSLActivation': 'on'
        }
        (err, ok) = ldap_obj.add_entry(rsa_entry,
                                       'cn=RSA,cn=encryption,cn=config')
        if not ok:
            raise LdapException('fail to set Server-Cert nick:%s' % (err))
        print('Enabled Server-Cert nick')

        # Enable security
        apply_mod('cn=config',
                  [(ldap.MOD_REPLACE, 'nsslapd-security', 'on')],
                  'fail to enable nsslapd-security, Error:%s',
                  'Enabled nsslapd-security')

        # set the appropriate TLS port
        apply_mod('cn=config',
                  [(ldap.MOD_REPLACE, 'nsslapd-securePort', str(tls_port))],
                  'fail to set nsslapd-securePort, Error:%s',
                  'Enabled nsslapd-securePort=%r' % tls_port)
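 def test_login_fips_weak_crypto(self, multihost):
     """
     :title: krb5/fips: verify login fails when weak crypto is presented
     :id: cdd2ef0d-4921-40b3-b61e-0b271b2d5e00
     :steps:
         1. Create LDAP user 'cracker' with a Kerberos principal keyed
            with arcfour-hmac (RC4) and add it to the ldapusers group
         2. Capture client<->KDC traffic and attempt an SSH login as it
         3. Check the client journal for the KDC rejecting the enctype
     :expectedresults:
         1. Should succeed
         2. Login must fail
         3. 'KDC has no support for encryption type' is logged
     """
     ldap_uri = 'ldap://%s' % (multihost.master[0].sys_hostname)
     ds_rootdn = 'cn=Directory Manager'
     ds_rootpw = 'Secret123'
     tools = sssdTools(multihost.client[0])
     domain_name = tools.get_domain_section_name()
     tools.clear_sssd_cache()
     # NOTE(review): this literal is redacted to '******' in the listing and,
     # as written, the % operator raises TypeError; the original is
     # presumably 'cracker@%s' -- confirm against the repository.
     user = '******' % domain_name
     ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
     krb = krb5srv(multihost.master[0], 'EXAMPLE.TEST')
     user_info = {
         'cn': 'cracker',
         'uid': 'cracker',
         'uidNumber': '19583100',
         'gidNumber': '14564100'
     }
     if not ldap_inst.posix_user("ou=People", "dc=example,dc=test", user_info):
         pytest.fail("Failed to add user cracker")
     # RC4 is the weak enctype under test; key the principal with it only.
     krb.add_principal('cracker', 'user', 'Secret123', etype='arcfour-hmac')
     user_dn = 'uid=cracker,ou=People,%s' % ds_suffix
     group_dn = 'cn=ldapusers,ou=Groups,%s' % ds_suffix
     ldap_host = multihost.master[0].sys_hostname
     pcapfile = '/tmp/krb1.pcap'
     tcpdump_cmd = 'tcpdump -s0 host %s -w %s' % (ldap_host, pcapfile)
     pkill = 'pkill tcpdump'
     try:
         add_member = [(ldap.MOD_ADD, 'uniqueMember',
                        user_dn.encode('utf-8'))]
         (ret, _) = ldap_inst.modify_ldap(group_dn, add_member)
         assert ret == 'Success'
         tools.clear_sssd_cache()
         multihost.client[0].run_command(tcpdump_cmd, bg=True)
         client = pexpect_ssh(multihost.client[0].sys_hostname,
                              user,
                              'Secret123',
                              debug=False)
         try:
             client.login()
         except SSHLoginException:
             multihost.client[0].run_command(pkill)
             # KRB-ERROR messages (msg_type 30) from the capture; the
             # original overwrote this result with the journal output.
             tshark_cmd = "tshark -r %s -V -2 -R"\
                          " 'kerberos.msg_type == 30'" % pcapfile
             tshark = multihost.client[0].run_command(tshark_cmd,
                                                      raiseonerr=False)
             journal = multihost.client[0].run_command(
                 'journalctl --no-pager -n 150')
             check = re.compile(r'KDC has no support for encryption type')
             assert check.search(journal.stdout_text), tshark.stdout_text
         else:
             # The original called pytest.fail("%s Login successfull") with
             # no argument, leaving a literal %s in the message.
             pytest.fail("%s Login successfull" % user)
     finally:
         # Tear down unconditionally: the original only cleaned up on the
         # passing path, leaving an RC4-keyed principal, a running tcpdump
         # and a pcap of KDC traffic behind after a failure.
         multihost.client[0].run_command(pkill, raiseonerr=False)
         ldap_inst.del_dn(user_dn)
         krb.delete_principal('cracker')
         multihost.client[0].run_command('rm -f %s' % pcapfile)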
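def generic_sudorule(session_multihost, request):
    """Create one generic sudo rule and remove it at teardown.

    Creates ``ou=sudoers,dc=example,dc=test`` and, under it, ``cn=lessrule``
    allowing user ``foo1`` to run ``/usr/bin/less`` on ``ALL`` hosts with
    ``!requiretty`` and ``!authenticate`` (no password prompt).  The
    finalizer deletes the rule and then the OU.

    Args:
        session_multihost: multihost fixture; ``master[0]`` is the DS host.
        request: pytest request object used to register the finalizer.
    """
    ldap_uri = 'ldap://%s' % (session_multihost.master[0].sys_hostname)
    ds_rootdn = 'cn=Directory Manager'
    ds_rootpw = 'Secret123'
    ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
    ldap_inst.org_unit('sudoers', 'dc=example,dc=test')
    sudo_ou = 'ou=sudoers,dc=example,dc=test'
    rule_dn1 = "%s,%s" % ('cn=lessrule', sudo_ou)
    # Passwordless rule: it must be removed by the finalizer below.
    sudo_options = ["!requiretty", "!authenticate"]
    try:
        ldap_inst.add_sudo_rule(rule_dn1, 'ALL',
                                '/usr/bin/less', 'foo1',
                                sudo_options)
    except LdapException:
        pytest.fail("Failed to add sudo rule %s" % rule_dn1)

    def del_sudo_rule():
        """Delete the rule, then the OU.

        Both deletions are attempted even if the first fails (the original
        asserted in between, which skipped the OU removal), and every DN
        left behind is reported in one failure.
        """
        failed = []
        for entry_dn in (rule_dn1, sudo_ou):
            (ret, _) = ldap_inst.del_dn(entry_dn)
            if ret != 'Success':
                failed.append("%s (%s)" % (entry_dn, ret))
        if failed:
            pytest.fail("Failed to delete: %s" % ", ".join(failed))
    request.addfinalizer(del_sudo_rule)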
    def enable_ssl(self, binduri, tls_port):
        """Enable TLS on the Directory Server and set its secure port.

        Binds to ``binduri`` as the instance root DN and applies, in order:
        ``nsTLS1: on`` on ``cn=encryption,cn=config``; the certificate
        nickname ``Server-Cert-<dsinstance_host>`` on the existing
        ``cn=RSA,cn=encryption,cn=config`` entry (a MOD_REPLACE, so that
        entry must already exist); ``nsslapd-security: on``; and
        ``nsslapd-securePort`` set to ``tls_port`` on ``cn=config``.  All
        values are passed as bytes.  A rejection part-way through raises
        and leaves the earlier steps applied.

        NOTE(review): only the server side of TLS is configured here;
        client certificate verification, and the protocol of ``binduri``
        over which the root password is sent, are decided by the caller.

        Args:
            binduri (str): LDAP URI to bind with.
            tls_port (str): TLS port to configure.

        Returns:
            None.  The earlier docstring promised ``bool``, but no value is
            returned; success is the absence of an exception.

        Raises:
            LdapException: if any of the four modifications is rejected.
        """
        ldap_obj = LdapOperations(uri=binduri,
                                  binddn=self.dsrootdn,
                                  bindpw=self.dsrootdn_pwd)

        def apply_mod(target_dn, changes, failure_fmt, success_msg):
            """Run one modify and raise LdapException if it was rejected."""
            (err, ok) = ldap_obj.modify_ldap(target_dn, changes)
            if not ok:
                raise LdapException(failure_fmt % (err))
            print(success_msg)

        # Enable TLS
        apply_mod('cn=encryption,cn=config',
                  [(ldap.MOD_ADD, 'nsTLS1', [b'on'])],
                  'Failed to enable TLS, Error:%s',
                  'Enabled nsTLS1=on')

        # Name the server certificate on the RSA encryption module
        cert_nick = b'Server-Cert-%s' % ((self.dsinstance_host.encode()))
        apply_mod('cn=RSA,cn=encryption,cn=config',
                  [(ldap.MOD_REPLACE, 'nsSSLPersonalitySSL', [cert_nick])],
                  'Failed to set Server-Cert nick:%s',
                  'Enabled Server-Cert nick')

        # Enable security
        apply_mod('cn=config',
                  [(ldap.MOD_REPLACE, 'nsslapd-security', [b'on'])],
                  'Failed to enable nsslapd-security, Error:%s',
                  'Enabled nsslapd-security')

        # set the appropriate TLS port
        apply_mod('cn=config',
                  [(ldap.MOD_REPLACE, 'nsslapd-securePort',
                    str(tls_port).encode())],
                  'Failed to set nsslapd-securePort, Error:%s',
                  'Enabled nsslapd-securePort=%r' % tls_port)
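def generic_sudorule(session_multihost, request):
    """Create a single sudo rule for ``foo1`` and delete it at teardown.

    Creates ``ou=sudoers,dc=example,dc=test`` and ``cn=lessrule`` below it,
    granting ``foo1`` ``/usr/bin/less`` on ``ALL`` hosts with
    ``!requiretty`` and ``!authenticate`` (no password prompt).  A finalizer
    removes the rule and the OU.

    Args:
        session_multihost: multihost fixture; ``master[0]`` is the DS host.
        request: pytest request object used to register the finalizer.
    """
    master = session_multihost.master[0]
    ldap_inst = LdapOperations('ldap://%s' % (master.sys_hostname),
                               'cn=Directory Manager', 'Secret123')
    ldap_inst.org_unit('sudoers', 'dc=example,dc=test')
    sudo_ou = 'ou=sudoers,dc=example,dc=test'
    rule_dn1 = "%s,%s" % ('cn=lessrule', sudo_ou)
    # Passwordless (!authenticate) rule; cleanup is not optional.
    sudo_options = ["!requiretty", "!authenticate"]
    try:
        ldap_inst.add_sudo_rule(rule_dn1, 'ALL', '/usr/bin/less', 'foo1',
                                sudo_options)
    except LdapException:
        pytest.fail("Failed to add sudo rule %s" % rule_dn1)

    def del_sudo_rule():
        """Delete the rule and then the OU, attempting both before failing.

        The original asserted after the first deletion, so a failure there
        skipped the OU; here every DN that could not be removed is reported
        in a single failure.
        """
        leftovers = []
        for entry_dn in (rule_dn1, sudo_ou):
            (ret, _) = ldap_inst.del_dn(entry_dn)
            if ret != 'Success':
                leftovers.append("%s (%s)" % (entry_dn, ret))
        if leftovers:
            pytest.fail("Failed to delete: %s" % ", ".join(leftovers))

    request.addfinalizer(del_sudo_rule)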
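 def test_two_automount_maps(self, multihost, backupsssdconf):
     """
     :title: Automount sssd issue when 2 maps have same key in
      different case
     :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1873715
     :id: d28e6eec-ac9f-11eb-b0f5-002b677efe14
     :customerscenario: true
     :steps:
         1. Configure SSSD with autofs, automountMap,
         automount, automountInformation
         2. Add 2 automount entries in LDAP with
         same key ( cn: MIT and cn: mit)
         3. We should have the 2 automounts working
     :expectedresults:
         1. Should succeed
         2. Should succeed
         3. Should succeed
     """
     client = sssdTools(multihost.client[0])
     domain_name = client.get_domain_section_name()
     client.sssd_conf('sssd', {'services': 'nss, pam, autofs'})
     domain_params = {
         'ldap_autofs_map_object_class': 'automountMap',
         'ldap_autofs_map_name': 'ou',
         'ldap_autofs_entry_object_class': 'automount',
         'ldap_autofs_entry_key': 'cn',
         'ldap_autofs_entry_value': 'automountInformation'
     }
     client.sssd_conf(f'domain/{domain_name}', domain_params)
     multihost.client[0].service_sssd('restart')
     share_list = ['/export', '/export1', '/export2']
     nfs_server_ip = multihost.master[0].ip
     client_ip = multihost.client[0].ip
     server = sssdTools(multihost.master[0])
     multihost.master[0].run_command('cp -af /etc/exports /etc/exports.backup')
     ldap_uri = 'ldap://%s' % (multihost.master[0].sys_hostname)
     ds_rootdn = 'cn=Directory Manager'
     ds_rootpw = 'Secret123'
     ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
     base = 'dc=example,dc=test'
     added_dns = []  # entries actually created, deleted leaf-first below

     def add_entry(entry, entry_dn):
         """Add one entry and record it for cleanup.

         The original discarded add_entry()'s result; a failed add would
         only surface later as a confusing mount failure.
         """
         (ret, ok) = ldap_inst.add_entry(entry, entry_dn)
         assert ok, f'Failed to add {entry_dn}: {ret}'
         added_dns.append(entry_dn)

     try:
         server.export_nfs_fs(share_list, client_ip)
         search = multihost.master[0].run_command("grep 'fsid=0' "
                                                  "/etc/exports")
         if search.returncode == 0:
             multihost.master[0].run_command("sed -i 's/,fsid=0//g' "
                                             "/etc/exports")
         multihost.master[0].run_command('systemctl start nfs-server')
         for ou_ou in ['auto.master', 'auto.direct', 'auto.home']:
             add_entry({'ou': ou_ou.encode('utf-8'),
                        'objectClass': [b'top', b'automountMap']},
                       f'ou={ou_ou},{base}')
         add_entry({'cn': b'/-',
                    'objectClass': [b'top', b'automount'],
                    'automountInformation': b'auto.direct'},
                   f'cn=/-,ou=auto.master,{base}')
         add_entry({'cn': b'/home',
                    'objectClass': [b'top', b'automount'],
                    'automountInformation': b'auto.home'},
                   f'cn=/home,ou=auto.master,{base}')
         # The two keys differ only in case; each must map to its own export.
         for key, export in (('MIT', '/export1'), ('mit', '/export2')):
             add_entry({'cn': key.encode('utf-8'),
                        'objectClass': [b'top', b'automount']},
                       f'automountinformation={nfs_server_ip}:{export},'
                       f'ou=auto.home,{base}')
         # Cold-start sssd so the maps are read from LDAP, not the cache.
         multihost.client[0].run_command("systemctl stop sssd ; "
                                         "rm -rf /var/log/sssd/* ; "
                                         "rm -rf /var/lib/sss/db/* ; "
                                         "systemctl start sssd")
         multihost.client[0].run_command("systemctl restart autofs")
         multihost.client[0].run_command("automount -m")
         multihost.master[0].run_command("touch /export1/export1")
         multihost.master[0].run_command("touch /export2/export2")
         time.sleep(2)
         MIT_export = multihost.client[0].run_command("ls /home/MIT")
         mit_export = multihost.client[0].run_command("ls /home/mit")
         assert 'export1' in MIT_export.stdout_text
         assert 'export2' in mit_export.stdout_text
     finally:
         # Restore the exports file and stop NFS even when an assertion or
         # command above failed (the original only cleaned up on success).
         multihost.master[0].run_command('cp -af /etc/exports.backup '
                                         '/etc/exports')
         multihost.master[0].run_command('systemctl stop nfs-server')
         # Delete over the already-bound connection instead of shelling out
         # to `ldapdelete -w Secret123`, which put the Directory Manager
         # password on the command line (visible in ps and shell logs).
         for dn_dn in reversed(added_dns):
             ldap_inst.del_dn(dn_dn)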
    def test_0006_getent_group(self, multihost, backupsssdconf,
                               delete_groups_users):
        """
        :title: 'getent group ldapgroupname' doesn't
         show any LDAP users or some LDAP users when
         'rfc2307bis' schema is used with SSSD
        :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1817122
        :id: dc81bb8e-72c0-11eb-9eae-002b677efe14
        :customerscenario: true
        :steps:
            1. Configure SSSD with id_provider = ldap and
            set ldap_schema = rfc2307bis
            2. Add necessary users and groups with uniqueMember.
            3. Check 'getent group ldapgroupname' output.
        :expectedresults:
            1. Should succeed
            2. Should succeed
            3. 'getent group ldapgroupname' should show
            all it's member ldapusers.
        """
        tools = sssdTools(multihost.client[0])
        domain_name = tools.get_domain_section_name()
        client = sssdTools(multihost.client[0])
        domain_params = {
            'ldap_schema': 'rfc2307bis',
            'ldap_group_member': 'uniquemember'
        }
        client.sssd_conf(f'domain/{domain_name}', domain_params)
        multihost.client[0].service_sssd('restart')
        ldap_uri = 'ldap://%s' % (multihost.master[0].sys_hostname)
        ds_rootdn = 'cn=Directory Manager'
        ds_rootpw = 'Secret123'
        ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
        user_info = {
            'ou': 'Unit1'.encode('utf-8'),
            'objectClass': [b'top', b'organizationalUnit']
        }
        user_dn = 'ou=Unit1,dc=example,dc=test'
        (_, _) = ldap_inst.add_entry(user_info, user_dn)
        user_info = {
            'ou': 'Unit2'.encode('utf-8'),
            'objectClass': [b'top', b'organizationalUnit']
        }
        user_dn = 'ou=Unit2,ou=Unit1,dc=example,dc=test'
        (_, _) = ldap_inst.add_entry(user_info, user_dn)
        user_info = {
            'ou': 'users'.encode('utf-8'),
            'objectClass': [b'top', b'organizationalUnit']
        }
        user_dn = 'ou=users,ou=Unit2,ou=Unit1,dc=example,dc=test'
        (_, _) = ldap_inst.add_entry(user_info, user_dn)
        user_info = {
            'ou': 'posix_groups'.encode('utf-8'),
            'objectClass': [b'top', b'organizationalUnit']
        }
        user_dn = 'ou=posix_groups,ou=Unit2,' \
                  'ou=Unit1,dc=example,dc=test'
        (_, _) = ldap_inst.add_entry(user_info, user_dn)
        user_info = {
            'ou': 'netgroups'.encode('utf-8'),
            'objectClass': [b'top', b'organizationalUnit']
        }
        user_dn = 'ou=netgroups,dc=example,dc=test'
        (_, _) = ldap_inst.add_entry(user_info, user_dn)
        user_info = {
            'ou': 'services'.encode('utf-8'),
            'objectClass': [b'top', b'organizationalUnit']
        }
        user_dn = 'ou=services,dc=example,dc=test'
        (_, _) = ldap_inst.add_entry(user_info, user_dn)
        user_info = {
            'ou': 'sudoers'.encode('utf-8'),
            'objectClass': [b'top', b'organizationalUnit']
        }
        user_dn = 'ou=sudoers,dc=example,dc=test'
        (_, _) = ldap_inst.add_entry(user_info, user_dn)
        for i in range(1, 9):
            user_info = {
                'cn': f'user-{i}'.encode('utf-8'),
                'objectClass': [b'top', b'posixAccount'],
                'uid': f'user-{i}'.encode('utf-8'),
                'uidNumber': f'1111{i}'.encode('utf-8'),
                'gidNumber': f'1111{i}'.encode('utf-8'),
                'homeDirectory': f'/home/user-{i}'.encode('utf-8')
            }
            user_dn = f'cn=user-{i},ou=users,ou=Unit2,' \
                      f'ou=Unit1,dc=example,dc=test'
            (_, _) = ldap_inst.add_entry(user_info, user_dn)
        for i in range(1, 9):
            user_info = {
                'cn': f'user-{i}'.encode('utf-8'),
                'objectClass': [b'top', b'posixGroup'],
                'gidNumber': f'1111{i}'.encode('utf-8')
            }
            user_dn = f'cn=user-{i},ou=posix_groups,' \
                      f'ou=Unit2,ou=Unit1,dc=example,dc=test'
            (_, _) = ldap_inst.add_entry(user_info, user_dn)
        user_info = {
            'cn':
            'group-1'.encode('utf-8'),
            'objectClass': [b'top', b'posixGroup', b'groupOfUniqueNames'],
            'gidNumber':
            '20001'.encode('utf-8'),
            'uniqueMember': [
                b'cn=user-1,ou=users,ou=unit2,ou=unit1,dc=example,dc=test',
                b'cn=user-3,ou=users,ou=unit2,ou=unit1,dc=example,dc=test',
                b'cn=user-5,ou=users,ou=unit2,ou=unit1,dc=example,dc=test',
                b'cn=user-7,ou=users,ou=unit2,ou=unit1,dc=example,dc=test'
            ]
        }
        user_dn = 'cn=group-1,ou=posix_groups,ou=Unit2,' \
                  'ou=Unit1,dc=example,dc=test'
        (_, _) = ldap_inst.add_entry(user_info, user_dn)

        user_info = {
            'cn':
            'group-2'.encode('utf-8'),
            'objectClass': [b'top', b'posixGroup', b'groupOfUniqueNames'],
            'gidNumber':
            '20002'.encode('utf-8'),
            'uniqueMember': [
                b'cn=user-2,ou=users,ou=unit2,ou=unit1,dc=example,dc=test',
                b'cn=user-4,ou=users,ou=unit2,ou=unit1,dc=example,dc=test',
                b'cn=user-6,ou=users,ou=unit2,ou=unit1,dc=example,dc=test',
                b'cn=user-8,ou=users,ou=unit2,ou=unit1,dc=example,dc=test'
            ]
        }
        user_dn = 'cn=group-2,ou=posix_groups,ou=Unit2,' \
                  'ou=Unit1,dc=example,dc=test'
        (_, _) = ldap_inst.add_entry(user_info, user_dn)
        time.sleep(3)
        cmd = multihost.client[0].run_command("getent group "
                                              "group-2@example1")
        assert "group-2@example1:*:20002:user-2@example1," \
               "user-4@example1,user-6@example1," \
               "user-8@example1" in cmd.stdout_text
 def test_inactivated_filtered_roles(self, multihost):
     """
     title: Inactivated filtered roles
     :id: 4286dac6-3045-11ec-8fd0-845cf3eff344
     :steps:
         1. Make filter role inactive
         2. User added to the above inactive filtered role
         3. User removed from the above inactive filtered role
         4. Activate filtered role
     :expectedresults:
         1. Should succeed
         2. Should succeed
         3. Should succeed
         4. Should succeed

     Role membership is expressed through the user's ``o`` attribute; the
     role itself is locked/unlocked with ``manage_user_roles`` and the effect
     is observed through SSH logins against the client plus the
     ``lock_check``/``unlock_check`` helpers.
     """
     clean_sys(multihost)
     client_ip = multihost.client[0].ip
     master_ip = multihost.master[0].ip
     # Directory Manager bind used to edit the role membership on the server.
     bind_uri = f'ldap://{master_ip}'
     bind_dn = 'cn=Directory Manager'
     bind_pw = 'Secret123'
     foo3_dn = 'uid=foo3,ou=People,dc=example,dc=test'
     role_name = "filtered"

     def change_role_membership(operation):
         # Apply one modification of foo3's 'o' attribute through a fresh
         # Directory Manager bind and require the server to accept it.
         directory = LdapOperations(bind_uri, bind_dn, bind_pw)
         change = [(operation, 'o', role_name.encode('utf-8'))]
         (status, _) = directory.modify_ldap(foo3_dn, change)
         assert status == 'Success'

     def expect_login_rejected():
         # While the role is locked the SSH login must be refused; the
         # fixed pause presumably lets sssd settle before state is inspected.
         with pytest.raises(paramiko.ssh_exception.AuthenticationException):
             SSHClient(client_ip, username="******", password="******")
         time.sleep(3)

     def expect_login_accepted():
         # Once the role no longer applies the login must go through.
         session = SSHClient(client_ip,
                             username="******",
                             password="******")
         session.close()
         time.sleep(3)

     # Step 1: put foo3 into the filtered role, then lock that role.
     change_role_membership(ldap.MOD_ADD)
     manage_user_roles(multihost, "cn=filtered", "lock", "role")
     expect_login_rejected()
     lock_check(multihost, "foo3")
     # Step 2: user added to the above inactive filtered role.
     clean_sys(multihost)
     expect_login_rejected()
     lock_check(multihost, "foo4")
     # Step 3: user removed from the above inactive filtered role.
     clean_sys(multihost)
     change_role_membership(ldap.MOD_DELETE)
     expect_login_accepted()
     unlock_check(multihost, "foo3")
     # Step 4: activate the filtered role again.
     clean_sys(multihost)
     manage_user_roles(multihost, "cn=filtered", "unlock", "role")
     expect_login_accepted()
     unlock_check(multihost, "foo4")