def new_suffixes(topo):
"""Create new suffix, backend and mapping tree"""
for num in range(1, 4):
backends = Backends(topo.ins["standalone{}".format(num)])
backends.create(properties={
BACKEND_SUFFIX: NEW_SUFFIX,
BACKEND_NAME: NEW_BACKEND
})
domain = Domain(topo.ins["standalone{}".format(num)], NEW_SUFFIX)
domain.create(properties={'dc': 'test', 'description': NEW_SUFFIX})
def create_base_domain(instance, basedn):
"""Create the base domain object"""
domain = Domain(instance, dn=basedn)
# Explode the dn to get the first bit.
avas = dn.str2dn(basedn)
dc_ava = avas[0][0][1]
domain.create(properties={
# I think in python 2 this forces unicode return ...
'dc': dc_ava,
'description': basedn,
})
# ACI can be added later according to your needs
return domain
def _apply(self):
# Create the base domain object
domain = Domain(self._instance, dn=self._basedn)
# Explode the dn to get the first bit.
avas = dn.str2dn(self._basedn)
dc_ava = avas[0][0][1]
domain.create(properties={
# I think in python 2 this forces unicode return ...
'dc': dc_ava,
'description': self._basedn,
'aci': [
# Allow reading the base domain object
'(targetattr="dc || description || objectClass")(targetfilter="(objectClass=domain)")(version 3.0; acl "Enable anyone domain read"; allow (read, search, compare)(userdn="ldap:///anyone");)',
# Allow reading the ou
'(targetattr="ou || objectClass")(targetfilter="(objectClass=organizationalUnit)")(version 3.0; acl "Enable anyone ou read"; allow (read, search, compare)(userdn="ldap:///anyone");)'
]
})
# Create the 389 service container
# This could also move to be part of core later ....
hidden_containers = nsHiddenContainers(self._instance, self._basedn)
ns389container = hidden_containers.create(properties={
'cn': '389_ds_system'
})
# Create our ous.
ous = OrganisationalUnits(self._instance, self._basedn)
ous.create(properties = {
'ou': 'groups',
'aci': [
# Allow anon partial read
'(targetattr="cn || member || gidNumber || nsUniqueId || description || objectClass")(targetfilter="(objectClass=groupOfNames)")(version 3.0; acl "Enable anyone group read"; allow (read, search, compare)(userdn="ldap:///anyone");)',
# Allow group_modify to modify but not create groups
'(targetattr="member")(targetfilter="(objectClass=groupOfNames)")(version 3.0; acl "Enable group_modify to alter members"; allow (write)(groupdn="ldap:///cn=group_modify,ou=permissions,{BASEDN}");)'.format(BASEDN=self._basedn),
# Allow group_admin to fully manage groups (posix or not).
'(targetattr="cn || member || gidNumber || description || objectClass")(targetfilter="(objectClass=groupOfNames)")(version 3.0; acl "Enable group_admin to manage groups"; allow (write, add, delete)(groupdn="ldap:///cn=group_admin,ou=permissions,{BASEDN}");)'.format(BASEDN=self._basedn),
]
})
ous.create(properties = {
'ou': 'people',
'aci': [
# allow anon partial read.
'(targetattr="objectClass || description || nsUniqueId || uid || displayName || loginShell || uidNumber || gidNumber || gecos || homeDirectory || cn || memberOf || mail || nsSshPublicKey || nsAccountLock || userCertificate")(targetfilter="(objectClass=posixaccount)")(version 3.0; acl "Enable anyone user read"; allow (read, search, compare)(userdn="ldap:///anyone");)',
# allow self partial mod
'(targetattr="displayName || nsSshPublicKey")(version 3.0; acl "Enable self partial modify"; allow (write)(userdn="ldap:///self");)',
# Allow self full read
'(targetattr="legalName || telephoneNumber || mobile")(targetfilter="(objectClass=nsPerson)")(version 3.0; acl "Enable self legalname read"; allow (read, search, compare)(userdn="ldap:///self");)',
# Allow reading legal name
'(targetattr="legalName || telephoneNumber")(targetfilter="(objectClass=nsPerson)")(version 3.0; acl "Enable user legalname read"; allow (read, search, compare)(groupdn="ldap:///cn=user_private_read,ou=permissions,{BASEDN}");)'.format(BASEDN=self._basedn),
# These below need READ so they can read userPassword and legalName
# Allow user admin create mod
'(targetattr="uid || description || displayName || loginShell || uidNumber || gidNumber || gecos || homeDirectory || cn || memberOf || mail || legalName || telephoneNumber || mobile")(targetfilter="(&(objectClass=nsPerson)(objectClass=nsAccount))")(version 3.0; acl "Enable user admin create"; allow (write, add, delete, read)(groupdn="ldap:///cn=user_admin,ou=permissions,{BASEDN}");)'.format(BASEDN=self._basedn),
# Allow user mod mod only
'(targetattr="uid || description || displayName || loginShell || uidNumber || gidNumber || gecos || homeDirectory || cn || memberOf || mail || legalName || telephoneNumber || mobile")(targetfilter="(&(objectClass=nsPerson)(objectClass=nsAccount))")(version 3.0; acl "Enable user modify to change users"; allow (write, read)(groupdn="ldap:///cn=user_modify,ou=permissions,{BASEDN}");)'.format(BASEDN=self._basedn),
# Allow user_pw_admin to nsaccountlock and password
'(targetattr="userPassword || nsAccountLock || userCertificate || nsSshPublicKey")(targetfilter="(objectClass=nsAccount)")(version 3.0; acl "Enable user password reset"; allow (write, read)(groupdn="ldap:///cn=user_passwd_reset,ou=permissions,{BASEDN}");)'.format(BASEDN=self._basedn),
]
})
ous.create(properties = {
'ou': 'permissions',
})
ous.create(properties = {
'ou': 'services',
'aci': [
# Minimal service read
'(targetattr="objectClass || description || nsUniqueId || cn || memberOf || nsAccountLock ")(targetfilter="(objectClass=netscapeServer)")(version 3.0; acl "Enable anyone service account read"; allow (read, search, compare)(userdn="ldap:///anyone");)',
]
})
# Create the demo user
users = nsUserAccounts(self._instance, self._basedn)
users.create(properties={
'uid': 'demo_user',
'cn': 'Demo User',
'displayName': 'Demo User',
'legalName': 'Demo User Name',
'uidNumber': '99998',
'gidNumber': '99998',
'homeDirectory': '/var/empty',
'loginShell': '/bin/false',
'nsAccountlock': 'true'
})
# Create the demo group
groups = PosixGroups(self._instance, self._basedn)
groups.create(properties={
'cn' : 'demo_group',
'gidNumber': '99999'
})
# Create the permission groups required for the acis
permissions = Groups(self._instance, self._basedn, rdn='ou=permissions')
permissions.create(properties={
'cn': 'group_admin',
})
permissions.create(properties={
'cn': 'group_modify',
})
permissions.create(properties={
'cn': 'user_admin',
})
permissions.create(properties={
'cn': 'user_modify',
})
permissions.create(properties={
'cn': 'user_passwd_reset',
})
permissions.create(properties={
'cn': 'user_private_read',
})
def test_attr_encryption_backends(topo, enable_user_attr_encryption):
"""Tests Configuration of attribute encryption for single backend
where more backends are present
:id: f3ef40e1-17d6-44d8-a3a4-4a25a57e9064
:setup: Standalone instance
SSL Enabled
:steps:
1. Add two test backends
2. Configure attribute encryption for telephoneNumber in one test backend
3. Add a test user in both backends with telephoneNumber
4. Export ldif from both test backends
5. Check that telephoneNumber is encrypted in the ldif file of db1
6. Check that telephoneNumber is not encrypted in the ldif file of db2
7. Delete both test backends
:expectedresults:
1. This should be successful
2. This should be successful
3. This should be successful
4. This should be successful
5. This should be successful
6. This should be successful
7. This should be successful
"""
log.info("Add two test backends")
test_suffix1 = 'dc=test1,dc=com'
test_db1 = 'test_db1'
test_suffix2 = 'dc=test2,dc=com'
test_db2 = 'test_db2'
# Create backends
backends = Backends(topo.standalone)
test_backend1 = backends.create(properties={'cn': test_db1,
'nsslapd-suffix': test_suffix1})
test_backend2 = backends.create(properties={'cn': test_db2,
'nsslapd-suffix': test_suffix2})
# Create the top of the tree
suffix1 = Domain(topo.standalone, test_suffix1)
test1 = suffix1.create(properties={'dc': 'test1'})
suffix2 = Domain(topo.standalone, test_suffix2)
test2 = suffix2.create(properties={'dc': 'test2'})
log.info("Enables attribute encryption for telephoneNumber in test_backend1")
backend1_encrypt_attrs = EncryptedAttrs(topo.standalone, basedn='cn=encrypted attributes,{}'.format(test_backend1.dn))
b1_encrypt = backend1_encrypt_attrs.create(properties={'cn': 'telephoneNumber',
'nsEncryptionAlgorithm': 'AES'})
log.info("Add a test user with telephoneNumber in both backends")
users = UserAccounts(topo.standalone, test1.dn, None)
test_user = users.create(properties=TEST_USER_PROPERTIES)
test_user.replace('telephoneNumber', '1234567890')
users = UserAccounts(topo.standalone, test2.dn, None)
test_user = users.create(properties=TEST_USER_PROPERTIES)
test_user.replace('telephoneNumber', '1234567890')
log.info("Export data as ciphertext from both backends")
export_db1 = os.path.join(topo.standalone.ds_paths.ldif_dir, "export_db1.ldif")
export_db2 = os.path.join(topo.standalone.ds_paths.ldif_dir, "export_db2.ldif")
# Offline export
topo.standalone.stop()
if not topo.standalone.db2ldif(bename=test_db1, suffixes=(test_suffix1,),
excludeSuffixes=None, encrypt=False, repl_data=None, outputfile=export_db1):
log.fatal('Failed to run offline db2ldif')
assert False
if not topo.standalone.db2ldif(bename=test_db2, suffixes=(test_suffix2,),
excludeSuffixes=None, encrypt=False, repl_data=None, outputfile=export_db2):
log.fatal('Failed to run offline db2ldif')
assert False
topo.standalone.start()
log.info("Check that the attribute is present in the exported file in db1")
log.info("Check that the encrypted value of attribute is not present in the exported file in db1")
with open(export_db1, 'r') as ldif_file:
ldif = ldif_file.read()
assert 'telephoneNumber' in ldif
assert 'telephoneNumber: 1234567890' not in ldif
log.info("Check that the attribute is present in the exported file in db2")
log.info("Check that the value of attribute is also present in the exported file in db2")
with open(export_db2, 'r') as ldif_file:
ldif = ldif_file.read()
assert 'telephoneNumber' in ldif
assert 'telephoneNumber: 1234567890' in ldif
log.info("Delete test backends")
test_backend1.delete()
test_backend2.delete()
def _apply(self):
# Create the base domain object
domain = Domain(self._instance, dn=self._basedn)
# Explode the dn to get the first bit.
avas = dn.str2dn(self._basedn)
dc_ava = avas[0][0][1]
domain.create(properties={
# I think in python 2 this forces unicode return ...
'dc': dc_ava,
'description': self._basedn,
'aci' : '(targetattr ="*")(version 3.0;acl "Directory Administrators Group";allow (all) (groupdn = "ldap:///cn=Directory Administrators,{BASEDN}");)'.format(BASEDN=self._basedn)
})
# Create the OUs
ous = OrganisationalUnits(self._instance, self._basedn)
ous.create(properties = {
'ou': 'Groups',
})
ous.create(properties = {
'ou': 'People',
'aci' : [
'(targetattr ="userpassword || telephonenumber || facsimiletelephonenumber")(version 3.0;acl "Allow self entry modification";allow (write)(userdn = "ldap:///self");)',
'(targetattr !="cn || sn || uid")(targetfilter ="(ou=Accounting)")(version 3.0;acl "Accounting Managers Group Permissions";allow (write)(groupdn = "ldap:///cn=Accounting Managers,ou=groups,{BASEDN}");)'.format(BASEDN=self._basedn),
'(targetattr !="cn || sn || uid")(targetfilter ="(ou=Human Resources)")(version 3.0;acl "HR Group Permissions";allow (write)(groupdn = "ldap:///cn=HR Managers,ou=groups,{BASEDN}");)'.format(BASEDN=self._basedn),
'(targetattr !="cn ||sn || uid")(targetfilter ="(ou=Product Testing)")(version 3.0;acl "QA Group Permissions";allow (write)(groupdn = "ldap:///cn=QA Managers,ou=groups,{BASEDN}");)'.format(BASEDN=self._basedn),
'(targetattr !="cn || sn || uid")(targetfilter ="(ou=Product Development)")(version 3.0;acl "Engineering Group Permissions";allow (write)(groupdn = "ldap:///cn=PD Managers,ou=groups,{BASEDN}");)'.format(BASEDN=self._basedn),
]
})
ous.create(properties = {
'ou': 'Special Users',
'description' : 'Special Administrative Accounts',
})
# Create the groups.
ugs = UniqueGroups(self._instance, self._basedn)
ugs.create(properties = {
'cn': 'Accounting Managers',
'description': 'People who can manage accounting entries',
'ou': 'groups',
'uniqueMember' : self._instance.binddn,
})
ugs.create(properties = {
'cn': 'HR Managers',
'description': 'People who can manage HR entries',
'ou': 'groups',
'uniqueMember' : self._instance.binddn,
})
ugs.create(properties = {
'cn': 'QA Managers',
'description': 'People who can manage QA entries',
'ou': 'groups',
'uniqueMember' : self._instance.binddn,
})
ugs.create(properties = {
'cn': 'PD Managers',
'description': 'People who can manage engineer entries',
'ou': 'groups',
'uniqueMember' : self._instance.binddn,
})
# Create the directory Admin group.
# We can't use the group factory here, as we need a custom DN override.
da_ug = UniqueGroup(self._instance)
da_ug._dn = 'cn=Directory Administrators,%s' % self._basedn
da_ug.create(properties={
'cn': 'Directory Administrators',
'uniqueMember' : self._instance.binddn,
})
