def create_user(topology_st, request):
    """Fixture: create a bind user under ``OU_PEOPLE`` and grant it an ACI.

    The entry ``uid=buser`` is built from ``TEST_USER_PROPERTIES`` with
    ``PASSWORD`` as its password; an ``allow (all)`` ACI naming that user's
    DN is then added to ``ou=people``.  The finalizer deletes the user and
    removes the ACI again.
    """
    inst = topology_st.standalone

    # NOTE(review): the log line names BN while the entry created below is
    # uid=buser -- the message and the created DN look out of step; confirm.
    log.info('Adding user {}'.format(BN))

    bind_user_props = dict(TEST_USER_PROPERTIES)
    bind_user_props['uid'] = 'buser'
    bind_user_props['cn'] = 'buser'
    bind_user_props['userpassword'] = PASSWORD
    bind_user = UserAccounts(inst, OU_PEOPLE, rdn=None).create(properties=bind_user_props)

    log.info('Adding an aci for the bind user')
    bind_aci = '(targetattr="*")(version 3.0; acl "pwp test"; allow (all) userdn="ldap:///%s";)' % bind_user.dn
    OrganizationalUnits(inst, DEFAULT_SUFFIX).get('people').add('aci', bind_aci)

    def fin():
        # Tear down in reverse order: the user first, then the ACI that named it.
        log.info('Deleting user {}'.format(BN))
        bind_user.delete()
        OrganizationalUnits(inst, DEFAULT_SUFFIX).get('people').remove('aci', bind_aci)

    request.addfinalizer(fin)
def dna_plugin(topology_st, request):
    """Fixture: configure and enable the DNA plugin, returning its config entry.

    A ``cn=dna config`` entry is created under the plugin DN with
    dnaType=uidNumber, dnaNextValue=10, dnaInterval=10, dnaMaxValue=1000,
    dnaMagicRegen=-1, filter ``(objectclass=top)`` and ou=People as scope;
    the plugin is then enabled and the instance restarted.  The finalizer
    stops the instance, removes the config entry from dse.ldif and starts
    it again.
    """
    inst = topology_st.standalone
    plugin = DNAPlugin(inst)
    people_ou = OrganizationalUnits(inst, DEFAULT_SUFFIX).get("People")

    log.info("Add dna plugin config entry...")
    dna_props = {
        'cn': 'dna config',
        'dnaType': 'uidNumber',
        'dnaMaxValue': '1000',
        'dnaMagicRegen': '-1',
        'dnaFilter': '(objectclass=top)',
        'dnaScope': people_ou.dn,
        'dnaNextValue': '10',
        'dnaInterval': '10',
    }
    dna_config = DNAPluginConfigs(inst, plugin.dn).create(properties=dna_props)

    log.info("Enable the DNA plugin and restart...")
    plugin.enable()
    inst.restart()

    def fin():
        # Edit dse.ldif offline so the config entry is gone before the next start.
        inst.stop()
        DSEldif(inst).delete_dn(f'cn=dna config,{plugin.dn}')
        inst.start()

    request.addfinalizer(fin)

    return dna_config
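def clean(request, topo):
    """Fixture: create the test organizational units and remove entries afterwards.

    Creates ``ou=Product Development`` and ``ou=Accounting`` under
    ``DEFAULT_SUFFIX``; an ``ALREADY_EXISTS`` left over from a previous run
    is logged and skipped for that OU only, so the other one is still
    created.  The finalizer deletes ``CONTAINER_1_DELADD``,
    ``CONTAINER_2_DELADD`` and ``PEOPLE`` and ignores entries that are
    already gone.

    :param request: pytest fixture request used to register the finalizer
    :param topo: topology providing ``topo.standalone``
    """
    ous = OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX)
    for ou_name in ['Product Development', 'Accounting']:
        # try/except inside the loop: one pre-existing OU used to abort the
        # loop and leave the second OU uncreated.
        try:
            ous.create(properties={'ou': ou_name})
        except ldap.ALREADY_EXISTS as exc:
            topo.standalone.log.info("Exception (expected): %s" %
                                     type(exc).__name__)

    def fin():
        """Delete the container entries after the test."""
        for dn in [CONTAINER_1_DELADD, CONTAINER_2_DELADD, PEOPLE]:
            try:
                DSLdapObject(topo.standalone, dn).delete()
            except ldap.NO_SUCH_OBJECT as exc:
                # A delete can only fail with NO_SUCH_OBJECT for a missing
                # entry; the former ALREADY_EXISTS handler was unreachable.
                topo.standalone.log.info("Exception (expected): %s" %
                                         type(exc).__name__)

    request.addfinalizer(fin)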
def test_dsidm_organizational_unit_delete(topology_st, create_test_ou):
    """ Test dsidm organizationalunit delete

    :id: 5d35a5ee-85c2-4b83-9101-938ba7732ccd
    :customerscenario: True
    :setup: Standalone instance
    :steps:
         1. Run dsidm organizationalunit delete
         2. Check the ou is deleted
    :expectedresults:
         1. Success
         2. Entry is deleted
    """
    inst = topology_st.standalone
    target_ou = OrganizationalUnits(inst, DEFAULT_SUFFIX).get('toDelete')
    expected_msg = 'Successfully deleted {}'.format(target_ou.dn)

    # FakeArgs stands in for the parsed CLI namespace; only .dn is set here.
    cli_args = FakeArgs()
    cli_args.dn = target_ou.dn

    log.info('Test dsidm organizationalunit delete')
    delete(inst, DEFAULT_SUFFIX, topology_st.logcap.log, cli_args, warn=False)
    check_value_in_log_and_reset(topology_st, check_value=expected_msg)

    log.info('Check the entry is deleted')
    assert not target_ou.exists()
def add_group_and_perform_user_operations(topology_st):
    """Create an automember group and config, then add, rename and delete a user.

    Creates ``cn=group`` and ``ou=branch1`` under ``DEFAULT_SUFFIX``, adds an
    automember definition scoped to branch1 with ``objectclass=top`` as
    filter and the group as default group, creates test user 777 under
    branch1 and asserts it is listed as a member.  The user is then renamed
    under ``SUFFIX`` and deleted, and the definition, OU and group are
    removed for the next test.
    """
    inst = topology_st.standalone

    # Add the automember group
    group = Groups(inst, DEFAULT_SUFFIX).create(properties={'cn': 'group'})

    branch1 = OrganizationalUnits(inst, DEFAULT_SUFFIX).create(properties={'ou': 'branch1'})

    # Add the automember config entry
    am_props = {
        'cn': 'config',
        'autoMemberScope': branch1.dn,
        'autoMemberFilter': 'objectclass=top',
        'autoMemberDefaultGroup': group.dn,
        'autoMemberGroupingAttr': 'member:dn',
    }
    am_config = AutoMembershipDefinitions(inst).create(properties=am_props)

    # Add a user that should get added to the group
    branch_users = UserAccounts(inst, DEFAULT_SUFFIX, rdn='ou={}'.format(branch1.rdn))
    test_user = branch_users.create_test_user(uid=777)

    # Check if created user is group member
    assert test_user.dn in group.list_members()

    log.info('Renaming user')
    test_user.rename('uid=new_test_user_777', newsuperior=SUFFIX)

    log.info('Delete the user')
    delete_obj(test_user)

    log.info('Delete automember entry, org. unit and group for the next test')
    for leftover in (am_config, branch1, group):
        delete_obj(leftover)
def test_uer(request, topo):
    """Create two OUs and one user in each with ACL summary logging enabled.

    ``ou=Product Development`` receives ``uid=Anuj Borah`` and
    ``ou=Accounting`` receives ``uid=Ananda Borah``; both users share
    uidNumber 1000 / gidNumber 2000 and use ``PW_DM`` as password.
    """
    topo.standalone.config.loglevel((ErrorLog.ACL_SUMMARY, ))

    ous = OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX)
    for ou_name in ['Product Development', 'Accounting']:
        ous.create(properties={'ou': ou_name})

    # (ou rdn, uid/cn, home directory leaf) -- order matches creation order.
    user_specs = [
        ('ou=Product Development', 'Anuj Borah', 'AnujBorah'),
        ('ou=Accounting', 'Ananda Borah', 'AnandaBorah'),
    ]
    for ou_rdn, name, home_leaf in user_specs:
        users = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=ou_rdn)
        users.create(
            properties={
                'uid': name,
                'cn': name,
                'sn': 'user',
                'uidNumber': '1000',
                'gidNumber': '2000',
                'homeDirectory': '/home/' + home_leaf,
                'userPassword': PW_DM
            })
def _add_user(request, topo):
    """Fixture: create the users for the test and delete the entries afterwards.

    One test user is created directly under ``DEFAULT_SUFFIX`` and two more
    (uid/gid 1 and 2) under a freshly created ``ou=Accounting``; all get
    ``PW_DM`` as password.  The finalizer deletes every user and group found
    under the suffix and then ``ou=Accounting`` itself.
    """
    inst = topo.standalone

    top_user = UserAccounts(inst, DEFAULT_SUFFIX).create_test_user()
    top_user.set("userPassword", PW_DM)

    OrganizationalUnits(inst, DEFAULT_SUFFIX).create(properties={'ou': 'Accounting'})

    accounting_users = UserAccounts(inst, DEFAULT_SUFFIX, rdn='ou=Accounting')
    for num in (1, 2):
        acct_user = accounting_users.create_test_user(uid=num, gid=num)
        acct_user.set("userPassword", PW_DM)

    def fin():
        """Delete the entries created for the test."""
        # Users and groups first, then the container that held the users.
        for entry in UserAccounts(inst, DEFAULT_SUFFIX, rdn=None).list():
            entry.delete()
        for entry in Groups(inst, DEFAULT_SUFFIX).list():
            entry.delete()
        OrganizationalUnit(inst, f'ou=Accounting,{DEFAULT_SUFFIX}').delete()

    request.addfinalizer(fin)
def entries(topology_m2, request):
    """Fixture: add and delete 100 OUs on master1, truncating its error log at teardown.

    Creates ``ou=test_ou_0`` .. ``ou=test_ou_99`` under ``DEFAULT_SUFFIX`` on
    ``master1`` and deletes them again immediately; the finalizer empties
    ``master1.errlog``.
    """
    master1 = topology_m2.ms["master1"]

    log.info("Add 100 nested entries under replicated suffix on %s" % master1.serverid)
    ous = OrganizationalUnits(master1, DEFAULT_SUFFIX)
    created = [ous.create(properties={'ou': 'test_ou_%s' % idx}) for idx in range(100)]

    log.info("Delete created entries")
    for created_ou in created:
        created_ou.delete()

    def fin():
        log.info("Clear the errors log in the end of the test case")
        # Opening for write truncates the file; the empty write itself is a no-op.
        with open(master1.errlog, 'w') as errlog:
            errlog.writelines("")

    request.addfinalizer(fin)
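def test_user(topology_st, request):
    """Fixture: add the bind user ``BN`` and an ACI granting it full access.

    The entry is an inetOrgPerson with ``PASSWORD`` as its password; an
    ``allow (all)`` ACI for ``BN`` is added to ``ou=people``.  An LDAP error
    during setup is logged and re-raised.  The finalizer deletes the user and
    removes the ACI.
    """
    inst = topology_st.standalone
    bind_aci = '(targetattr="*")(version 3.0; acl "pwp test"; allow (all) userdn="ldap:///%s";)' % BN

    log.info('Adding user {}'.format(BN))
    try:
        inst.add_s(Entry((BN,
                          {'objectclass': ['top',
                                           'person',
                                           'organizationalPerson',
                                           'inetOrgPerson'],
                           'cn': 'bind user',
                           'sn': 'bind user',
                           'userPassword': PASSWORD})))
        log.info('Adding an aci for the bind user')
        ous = OrganizationalUnits(inst, DEFAULT_SUFFIX)
        ou_people = ous.get('people')
        ou_people.add('aci', bind_aci)
    except ldap.LDAPError as e:
        # python-ldap exceptions have no ``.message`` on Python 3; the former
        # ``e.message['desc']`` raised AttributeError and hid the real error.
        log.error('Failed to add user (%s): error (%s)' % (BN, e))
        raise

    def fin():
        log.info('Deleting user {}'.format(BN))
        inst.delete_s(BN)
        ous = OrganizationalUnits(inst, DEFAULT_SUFFIX)
        ous.get('people').remove('aci', bind_aci)

    request.addfinalizer(fin)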
def test_renaming_target_entry(topo, _add_user, aci_of_user):
    """Test for renaming target entry

    :id: 6be1d33a-7932-11e8-9115-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Create a test user entry
        3. Create a new ou entry with an aci
        4. Make sure uid=$MYUID has the access
        5. Rename ou=OU0 to ou=OU1
        6. Create another ou=OU2
        7. Move ou=OU1 under ou=OU2
        8. Make sure uid=$MYUID still has the access
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
        4. Operation should  succeed
        5. Operation should  succeed
        6. Operation should  succeed
        7. Operation should  succeed
        8. Operation should  succeed
    """
    inst = topo.standalone
    user_name = 'TRAC340_MODRDN'

    user = UserAccount(inst, 'cn={},{}'.format(user_name, DEFAULT_SUFFIX))
    user.create(properties={
        'uid': user_name,
        'cn': user_name,
        'sn': 'user',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/' + user_name
    })
    user.set("userPassword", "password")

    # The ACI on OU0 grants the test user read/search/compare; the test checks
    # that access survives the rename and the move of the target entry.
    ou0 = OrganizationalUnit(inst, 'ou=OU0,{}'.format(DEFAULT_SUFFIX))
    ou0.create(properties={'ou': 'OU0'})
    ou0.set(
        'aci',
        '(targetattr="*")(version 3.0; acl "$MYUID";allow(read, search, compare) userdn = "ldap:///{}";)'
        .format(TRAC340_MODRDN))

    conn = UserAccount(inst, TRAC340_MODRDN).bind(PW_DM)
    ous_as_user = OrganizationalUnits(conn, DEFAULT_SUFFIX)
    ous_as_admin = OrganizationalUnits(inst, DEFAULT_SUFFIX)
    assert ous_as_user.get('OU0')

    # Test for renaming target entry
    ous_as_admin.get('OU0').rename("ou=OU1")
    assert ous_as_user.get('OU1')

    ou2 = OrganizationalUnit(inst, 'ou=OU2,{}'.format(DEFAULT_SUFFIX))
    ou2.create(properties={'ou': 'OU2'})
    # Test for renaming target entry
    ous_as_admin.get('OU1').rename("ou=OU1", newsuperior=OU2_OU_MODRDN)
    assert ous_as_user.get('OU1')
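def do_setup(topology_st, request):
    """Create a user and make sure ou=people exists.

    ``sys.stdout`` is swapped for an in-memory buffer (presumably to capture
    output printed by the code under test -- confirm against the callers);
    the original stream is restored by a finalizer so the redirection does
    not leak into later tests.
    """
    saved_stdout = sys.stdout
    sys.stdout = io.StringIO()
    # Restore stdout at teardown; previously it stayed redirected for the
    # rest of the session.
    request.addfinalizer(lambda: setattr(sys, 'stdout', saved_stdout))

    users = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX)
    users.ensure_state(properties=TEST_USER_PROPERTIES)

    ous = OrganizationalUnits(topology_st.standalone, DEFAULT_SUFFIX)
    ous.ensure_state(properties={'ou': 'people'})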
def pwd_setup(topo):
    """Enable password syntax checking and create a test user.

    Adds ``USER_ACI`` to ``ou=people``, sets passwordCheckSyntax=on,
    passwordMinLength=4 and passwordMinCategories=1 on the instance config,
    then returns the user created from ``user_properties``.
    """
    inst = topo.standalone
    OrganizationalUnits(inst, DEFAULT_SUFFIX).get('people').add('aci', USER_ACI)

    syntax_settings = (
        ('passwordCheckSyntax', 'on'),
        ('passwordMinLength', '4'),
        ('passwordMinCategories', '1'),
    )
    inst.config.replace_many(*syntax_settings)
    return UserAccounts(inst, DEFAULT_SUFFIX).create(properties=user_properties)
def create_test_ou(topology_st, request):
    """Fixture: create ``ou=toDelete`` and remove it at teardown if still present.

    The test using this fixture is expected to delete the OU itself, so the
    finalizer only deletes it when it still exists.
    """
    log.info('Create organizational unit')
    ou_props = {'ou': 'toDelete', 'description': 'Test OU'}
    test_ou = OrganizationalUnits(topology_st.standalone, DEFAULT_SUFFIX).create(properties=ou_props)

    def fin():
        log.info('Delete organizational unit')
        if not test_ou.exists():
            return
        test_ou.delete()

    request.addfinalizer(fin)
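def password_policy(topology_st, test_user):
    """Set global password policy.
    Then, set fine-grained subtree level password policy
    to ou=People with no password syntax.

    Note: do not touch nsslapd-pwpolicy-inherit-global -- off by default

    Steps: enable nsslapd-pwpolicy-local, run ns-newpwpolicy.pl for
    ``OU_PEOPLE``, point the OU's pwdpolicysubentry at
    ``PWP_CONTAINER_PEOPLE``, reset that container to passwordMustChange,
    passwordExp and passwordChange off with passwordMinAge 0 and the ssha
    storage scheme, and finally check that ``ATTR_INHERIT_GLOBAL`` and
    ``ATTR_CHECK_SYNTAX`` in ``CONFIG_DN`` are still 'off'.
    Every setup failure is logged and re-raised.
    """
    inst = topology_st.standalone

    log.info('Enable fine-grained policy')
    try:
        inst.config.set('nsslapd-pwpolicy-local', 'on')
    except ldap.LDAPError as e:
        # python-ldap exceptions have no ``.message`` on Python 3.
        log.error('Failed to set fine-grained policy: error {}'.format(e))
        raise

    log.info('Create password policy for subtree {}'.format(OU_PEOPLE))
    # check_call instead of call: call() never raises CalledProcessError, so
    # the handler below was unreachable and a failing script went unnoticed.
    # NOTE: the bind password is passed on the command line (-w) and is
    # therefore visible in the process list while the script runs.
    try:
        subprocess.check_call(['%s/ns-newpwpolicy.pl' % inst.get_sbin_dir(),
                               '-D', DN_DM, '-w', PASSWORD,
                               '-p', str(PORT_STANDALONE), '-h', HOST_STANDALONE,
                               '-S', OU_PEOPLE, '-Z', SERVERID_STANDALONE])
    except subprocess.CalledProcessError as e:
        log.error('Failed to create pw policy policy for {}: exit status {}'.format(
            OU_PEOPLE, e.returncode))
        raise

    log.info('Add pwdpolicysubentry attribute to {}'.format(OU_PEOPLE))
    try:
        ous = OrganizationalUnits(inst, DEFAULT_SUFFIX)
        ou_people = ous.get('people')
        ou_people.set('pwdpolicysubentry', PWP_CONTAINER_PEOPLE)
    except ldap.LDAPError as e:
        log.error('Failed to pwdpolicysubentry pw policy '
                  'policy for {}: error {}'.format(OU_PEOPLE, e))
        raise

    log.info("Set the default settings for the policy container.")
    inst.modify_s(PWP_CONTAINER_PEOPLE,
                  [(ldap.MOD_REPLACE, 'passwordMustChange', b'off'),
                   (ldap.MOD_REPLACE, 'passwordExp', b'off'),
                   (ldap.MOD_REPLACE, 'passwordMinAge', b'0'),
                   (ldap.MOD_REPLACE, 'passwordChange', b'off'),
                   (ldap.MOD_REPLACE, 'passwordStorageScheme', b'ssha')])

    check_attr_val(topology_st, CONFIG_DN, ATTR_INHERIT_GLOBAL, 'off')
    check_attr_val(topology_st, CONFIG_DN, ATTR_CHECK_SYNTAX, 'off')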
def test_pwp_local_unlock(topo, passw_policy, create_user):
    """Test subtree policies use the same global default for passwordUnlock

    :id: 741a8417-5f65-4012-b9ed-87987ce3ca1b
    :setup: Standalone instance
    :steps:
        1. Test user can bind
        2. Bind with bad passwords to lockout account, and verify account is locked
        3. Wait for lockout interval, and bind with valid password
    :expectedresults:
        1. Bind successful
        2. Entry is locked
        3. Entry can bind with correct password
    """
    inst = topo.standalone

    # Add aci so users can change their own password
    USER_ACI = '(targetattr="userpassword")(version 3.0; acl "pwp test"; allow (all) userdn="ldap:///self";)'
    OrganizationalUnits(inst, DEFAULT_SUFFIX).get('people').add('aci', USER_ACI)

    log.info("Verify user can bind...")
    create_user.bind(PASSWORD)

    log.info(
        'Test passwordUnlock default - user should be able to reset password after lockout'
    )
    # Two failed binds; presumably the limit set by passw_policy -- confirm there.
    for _attempt in range(2):
        try:
            create_user.bind("bad-password")
        except ldap.INVALID_CREDENTIALS:
            pass  # expected: wrong password
        except ldap.LDAPError as e:
            log.fatal("Got unexpected failure: " + str(e))
            raise

    log.info('Verify account is locked')
    with pytest.raises(ldap.CONSTRAINT_VIOLATION):
        create_user.bind(PASSWORD)

    log.info('Wait for lockout duration...')
    time.sleep(4)

    log.info('Check if user can now bind with correct password')
    create_user.bind(PASSWORD)
def test_pwd_must_change(topo, init_user):
    """Test for expiration control when password must be changed because an
    admin reset the password

    :id: a3d99be5-0b69-410d-b72f-04eda8821a56
    :setup: Standalone instance, a user for testing
    :steps:
        1. Configure password policy and reset password as admin
        2. Bind, and check for expired control with the proper error code "2"
    :expectedresults:
        1. Config update succeeds, and the password is reset
        2. The EXPIRED control is returned, with the expected error code "2"
    """
    inst = topo.standalone

    log.info('Configure password policy with paswordMustChange set to "on"')
    for attr, value in (('passwordExp', 'on'),
                        ('passwordMaxAge', '200'),
                        ('passwordGraceLimit', '0'),
                        ('passwordWarning', '199'),
                        ('passwordMustChange', 'on')):
        inst.config.set(attr, value)

    OrganizationalUnits(inst, DEFAULT_SUFFIX).get('people').add('aci', USER_ACI)

    log.info('Reset userpassword as Directory Manager')
    UserAccounts(inst, DEFAULT_SUFFIX).get('test entry').reset_password(USER_PW)

    log.info('Bind should return ctrl with error code 2 (changeAfterReset)')
    time.sleep(2)
    ctrls = bind_and_get_control(topo)
    # Guard clauses: each failure is logged before the assertion trips.
    if not ctrls:
        log.fatal("We did not get a response ctrl")
        assert False
    err_code = ctrls[0].error
    if err_code is None:
        log.fatal("Response ctrl error code not set")
        assert False
    if err_code != 2:
        log.fatal("Got unexpected error code: {}".format(err_code))
        assert False
def test_expiry_time(topology_st, global_policy, add_user):
    """Test whether the password expiry warning
    time for a user is returned appropriately

    :id: 7adfd395-9b25-4cc0-9b71-14710dc1a28c
    :setup: Standalone instance, a user entry,
            Global password policy configured as below:
                passwordExp: on
                passwordMaxAge: 172800
                passwordWarning: 86400
                passwordSendExpiringTime: on
    :steps:
        1. Bind as the normal user
        2. Request password policy control for the user
        3. Bind as DM
    :expectedresults:
        1. Bind should be successful
        2. The password expiry warning time for the user should be returned
        3. Bind should be successful
    """
    inst = topology_st.standalone

    OrganizationalUnits(inst, DEFAULT_SUFFIX).get('people').add('aci', USER_ACI)

    log.info('Get the password expiry warning time')
    log.info(
        "Binding with ({}) and requesting the password expiry warning time".
        format(USER_DN))
    warning_ctrls = get_password_warning(topology_st)

    log.info('Check whether the time is returned')
    assert warning_ctrls

    seconds_left = warning_ctrls[0].timeBeforeExpiration
    log.info("user's password will expire in {:d} seconds".format(seconds_left))

    log.info("Rebinding as DM")
    inst.simple_bind_s(DN_DM, PASSWORD)
def test_services(topology):
    """
    Test and assert that a simple service account can be bound to and created.

    These are really useful in simple tests.
    """
    inst = topology.standalone

    # Create the OU for them.
    OrganizationalUnits(inst, DEFAULT_SUFFIX).create(properties={
        'ou': 'Services',
        'description': 'Computer Service accounts which request DS bind',
    })
    # Now, we can create the services from here.
    # NOTE(review): the stored userPassword reads '******' in this listing
    # while the bind below uses 'Password1' -- confirm they agree upstream.
    service_props = {
        'cn': 'testbind',
        'userPassword': '******'
    }
    service = ServiceAccounts(inst, DEFAULT_SUFFIX).create(properties=service_props)

    # A successful bind shows the account was created as a bindable entry.
    conn = service.bind('Password1')
    conn.unbind_s()
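def create_user(topology_st, request):
    """Fixture: enable the audit log and create the bind user with a full-access ACI.

    Creates ``TEST_USER_NAME`` under ``OU_PEOPLE`` from
    ``TEST_USER_PROPERTIES`` with password ``TEST_USER_PWD`` and adds an
    ``allow (all)`` ACI for that user's DN to ``ou=people``.  A failure to
    create the user is logged and re-raised.  The finalizer only rebinds as
    Directory Manager.
    """
    inst = topology_st.standalone
    inst.config.set('nsslapd-auditlog-logging-enabled', 'on')

    # The old message had a '{}' placeholder but nothing was formatted into it.
    log.info('Adding test user {}'.format(TEST_USER_NAME))
    users = UserAccounts(inst, OU_PEOPLE, rdn=None)
    user_props = TEST_USER_PROPERTIES.copy()
    user_props.update({'uid': TEST_USER_NAME, 'userpassword': TEST_USER_PWD})
    try:
        user = users.create(properties=user_props)
    except Exception as e:
        # The former bare ``except: pass`` left ``user`` unbound, so the
        # failure surfaced below as an UnboundLocalError instead of the
        # real error; log it and let it propagate.
        log.error('Failed to add user {}: {}'.format(TEST_USER_NAME, e))
        raise

    USER_ACI = '(targetattr="*")(version 3.0; acl "pwp test"; allow (all) userdn="ldap:///%s";)' % user.dn
    ous = OrganizationalUnits(inst, DEFAULT_SUFFIX)
    ou_people = ous.get('people')
    ou_people.add('aci', USER_ACI)

    def fin():
        # NOTE(review): despite the log line, this finalizer only rebinds as
        # DM; the user and the ACI are left in place -- confirm intended.
        log.info('Deleting user {}'.format(user.dn))
        inst.simple_bind_s(DN_DM, PASSWORD)

    request.addfinalizer(fin)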
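def test_access_aci_list_contains_any_deny_rule(topo, _add_user, aci_of_user):
    """RHDS denies MODRDN access if ACI list contains any DENY rule
    Bug description: If you create a deny ACI for some or more attributes there is incorrect behaviour
    as you cannot rename the entry anymore

    :id: 62cbbb8a-7932-11e8-96a7-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Adding a new ou ou=People to $BASEDN
        3. Adding a user NEWENTRY9_MODRDN to ou=People,$BASEDN
        4. Adding an allow rule for NEWENTRY9_MODRDN and for others an aci deny rule
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
        4. Operation should  succeed
    """
    inst = topo.standalone
    properties = {
        'uid': 'NEWENTRY9_MODRDN',
        'cn': 'NEWENTRY9_MODRDN_People',
        'sn': 'user',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/' + 'NEWENTRY9_MODRDN'
    }
    user = UserAccount(inst, 'cn=NEWENTRY9_MODRDN,ou=People,{}'.format(DEFAULT_SUFFIX))
    user.create(properties=properties)
    user.set("userPassword", "password")
    user.set("telephoneNumber", "989898191")
    user.set("mail", "*****@*****.**")
    user.set("givenName", "givenName")
    user.set("uid", "NEWENTRY9_MODRDN")

    # An allow-all ACI for the test user, a deny on ``mail`` for anyone and an
    # allow on ``uid``; per the docstring the deny rule must not block the
    # rename performed below.
    OrganizationalUnits(inst, DEFAULT_SUFFIX).get('People').add("aci", [
        '(targetattr = "*") '
        '(version 3.0;acl "admin";allow (all)(userdn = "ldap:///{}");)'.format(
            NEWENTRY9_MODRDN),
        '(targetattr = "mail") (version 3.0;acl "deny_mail";deny (write)(userdn = "ldap:///anyone");)',
        '(targetattr = "uid") (version 3.0;acl "allow uid";allow (write)(userdn = "ldap:///{}");)'
        .format(NEWENTRY9_MODRDN)
    ])
    UserAccount(inst, NEWENTRY9_MODRDN).replace("userpassword", "Anuj")
    useraccount = UserAccount(inst, NEWENTRY9_MODRDN)
    useraccount.rename("uid=newrdnchnged")
    # Build the expected DN from DEFAULT_SUFFIX like the rest of the test
    # instead of hard-coding dc=example,dc=com.
    assert 'uid=newrdnchnged,ou=People,{}'.format(DEFAULT_SUFFIX) == useraccount.dn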
def user(topology_st, request):
    """Add and remove a test user.

    Adds an ACI on ``ou=people`` allowing self-write on ``userpassword`` and
    ``passwordHistory``, creates a test user with ``USER_PWD`` and returns
    it.  The finalizer rebinds as Directory Manager, deletes the user and
    removes the ACI.
    """
    inst = topology_st.standalone
    dm = DirectoryManager(inst)

    # Add aci so users can change their own password
    USER_ACI = '(targetattr="userpassword || passwordHistory")(version 3.0; acl "pwp test"; allow (all) userdn="ldap:///self";)'
    people_ou = OrganizationalUnits(inst, DEFAULT_SUFFIX).get('people')
    people_ou.add('aci', USER_ACI)

    # Create a user
    test_user = UserAccounts(inst, DEFAULT_SUFFIX).create_test_user()
    test_user.set('userpassword', USER_PWD)

    def fin():
        # Rebind as DM first -- presumably the test may leave the connection
        # bound as the user, which could not delete itself or edit the ACI.
        dm.rebind()
        test_user.delete()
        people_ou.remove('aci', USER_ACI)

    request.addfinalizer(fin)
    return test_user
def _create_test_entries(topo):
    # Changing schema
    current_schema = Schema(topo.standalone)
    current_schema.add(
        'attributetypes',
        "( 9.9.8.4 NAME 'emailclass' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 "
        "X-ORIGIN 'RFC 2256' )")
    current_schema.add(
        'objectclasses',
        "( 9.9.8.2 NAME 'mailSchemeUser' DESC 'User Defined ObjectClass' "
        "SUP 'top' MUST ( objectclass )  "
        "MAY (aci $ emailclass) X-ORIGIN 'RFC 2256' )")

    # Creating ous
    ous = OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX)
    for ou_ou in [
            'Çéliné Ändrè',
            'Ännheimè',
            'Çlose Crèkä',
            'Sàn Fråncêscô',
            'Netscape Servers',
            'COS',
    ]:
        ous.create(properties={'ou': ou_ou})

    ous_mail = OrganizationalUnits(topo.standalone, f'ou=COS,{DEFAULT_SUFFIX}')
    ous_mail.create(properties={'ou': 'MailSchemeClasses'})

    # Creating users
    users_people = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
    for user, org, l_l, telephone, facetele, rn_rn in [
        [
            'scarter', ['Accounting', 'People'], 'Sunnyvale',
            '+1 408 555 4798', '+1 408 555 9751', '4612'
        ],
        [
            'tmorris', ['Accounting', 'People'], 'Santa Clara',
            '+1 408 555 9187', '+1 408 555 8473', '4117'
        ],
        [
            'kvaughan', ['Human Resources', 'People'], 'Sunnyvale',
            '+1 408 555 5625', ' +1 408 555 3372', '2871'
        ],
        [
            'abergin', ['Product Testing', 'People'], 'Cupertino',
            '+1 408 555 8585', '+1 408 555 7472', '3472'
        ],
        [
            'dmiller', ['Accounting', 'People'], 'Sunnyvale',
            '+1 408 555 9423', '+1 408 555 0111', '4135'
        ],
        [
            'gfarmer', ['Accounting', 'People'], 'Cupertino',
            '+1 408 555 6201', '+1 408 555 8473', '1269'
        ],
        [
            'kwinters', ['Product Development', 'People'], 'Santa Clara',
            '+1 408 555 9069', '+1 408 555 1992', '4178'
        ],
        [
            'trigden', ['Product Development', 'People'], 'Santa Clara',
            '+1 408 555 9280', '+1 408 555 8473', '3584'
        ],
        [
            'cschmith', ['Human Resources', 'People'], 'Sunnyvale',
            '+1 408 555 8011', '+1 408 555 4774', '0416'
        ],
        [
            'jwallace', ['Accounting', 'People'], 'Sunnyvale',
            '+1 408 555 0319', '+1 408 555 8473', '1033'
        ],
        [
            'jwalker', ['Product Testing', 'People'], 'Cupertino',
            '+1 408 555 1476', '+1 408 555 1992', '3915'
        ],
        [
            'tclow', ['Human Resources', 'People'], 'Santa Clara',
            '+1 408 555 8825', '+1 408 555 1992', '4376'
        ],
        [
            'rdaugherty', ['Human Resources', 'People'], 'Sunnyvale',
            '+1 408 555 1296', '+1 408 555 1992', '0194'
        ],
        [
            'jreuter', ['Product Testing', 'People'], 'Cupertino',
            '+1 408 555 1122', '+1 408 555 8721', '2942'
        ],
        [
            'tmason', ['Human Resources', 'People'], 'Sunnyvale',
            '+1 408 555 1596', '+1 408 555 9751', '1124'
        ],
        [
            'bhall', ['Product Development', 'People'], 'Santa Clara',
            '+1 408 555 4798', '+1 408 555 9751', '4612'
        ],
        [
            'btalbot', ['Human Resources', 'People'], 'Cupertino',
            '+1 408 555 6067', '+1 408 555 9751', '3532'
        ],
        [
            'mward', ['Accounting', 'People'], 'Santa Clara',
            '+1 408 555 6067', '+1 408 555 9751', '1707'
        ],
        [
            'bjablons', ['Human Resources', 'People'], 'Sunnyvale',
            '+1 408 555 6067', '+1 408 555 9751', '0906'
        ],
        [
            'jmcFarla', ['Accounting', 'People'], 'Santa Clara',
            '+1 408 555 6067', '+1 408 555 9751', '2359'
        ],
        [
            'llabonte', ['Product Development', 'People'], 'Santa Clara',
            '+1 408 555 6067', '+1 408 555 9751', '2854'
        ],
        [
            'jcampaig', ['Product Development', 'People'], 'Cupertino',
            '+1 408 555 6067', '+1 408 555 9751', '4385'
        ],
        [
            'bhal2', ['Accounting', 'People'], 'Sunnyvale', '+1 408 555 6067',
            '+1 408 555 9751', '2758'
        ],
        [
            'alutz', ['Accounting', 'People'], 'Santa Clara',
            '+1 408 555 6067', '+1 408 555 9751', '1327'
        ],
        [
            'btalbo2', ['Product Development', 'People'], 'Santa Clara',
            '+1 408 555 6067', '+1 408 555 9751', '1205'
        ],
        [
            'achassin', ['Product Development', 'People'], 'Santa Clara',
            '+1 408 555 6067', '+1 408 555 9751', '0466'
        ],
        [
            'hmiller', ['Human Resources', 'People'], 'Santa Clara',
            '+1 408 555 6067', '+1 408 555 9751', '4304'
        ],
        [
            'jcampai2', ['Human Resources', 'People'], 'Santa Clara',
            '+1 408 555 6067', '+1 408 555 9751', '1377'
        ],
        [
            'lulrich', ['Accounting', 'People'], 'Sunnyvale',
            '+1 408 555 6067', '+1 408 555 9751', '0985'
        ],
        [
            'mlangdon', ['Product Development', 'People'], 'Cupertino',
            '+1 408 555 6067', '+1 408 555 9751', '4471'
        ],
        [
            'striplet', ['Human Resources', 'People'], 'Santa Clara',
            '+1 408 555 6067', '+1 408 555 9751', '3083'
        ],
        [
            'gtriplet', ['Accounting', 'People'], 'Sunnyvale',
            '+1 408 555 6067', '+1 408 555 9751', '4023'
        ],
        [
            'jfalena', ['Human Resources', 'People'], 'Santa Clara',
            '+1 408 555 6067', '+1 408 555 9751', '1917'
        ],
        [
            'speterso', ['Human Resources', 'People'], 'Cupertino',
            '+1 408 555 6067', '+1 408 555 9751', '3073'
        ],
        [
            'ejohnson', ['Accounting', 'People'], 'Santa Clara',
            '+1 408 555 6067', '+1 408 555 9751', '3737'
        ],
        [
            'prigden', ['Accounting', 'People'], 'Santa', '+1 408 555 6067',
            '+1 408 555 9751', '1271'
        ],
        [
            'bwalker', ['Accounting', 'People'], 'Santa Clara',
            '+1 408 555 6067', '+1 408 555 9751', '3529'
        ],
        [
            'kjensen', ['Accounting', 'People'], 'Santa Clara',
            '+1 408 555 4798', '+1 408 555 9751', '1944'
        ],
        [
            'mlott', ['Human Resources', 'People'], 'Sunnyvale',
            '+1 408 555 4798', '+1 408 555 9751', '0498'
        ],
        [
            'cwallace', ['Product Development', 'People'], 'Cupertino',
            '+1 408 555 4798', '+1 408 555 9751', '0349'
        ],
        [
            'falbers', ['Accounting', 'People'], 'Sunnyvale',
            '+1 408 555 4798', '+1 408 555 9751', '1439'
        ],
        [
            'calexand', ['Product Development', 'People'], 'Sunnyvale',
            '+1 408 555 4798', '+1 408 555 9751', '2884'
        ],
        [
            'phunt', ['Human Resources', 'People'], 'Sunnyvale',
            '+1 408 555 4798', '+1 408 555 9751', '1183'
        ],
        [
            'awhite', ['Product Testing', 'People'], 'Sunnyvale',
            '+1 408 555 4798', '+1 408 555 9751', '0142'
        ],
        [
            'sfarmer', ['Accounting', 'People'], 'Santa Clara',
            '+1 408 555 4798', '+1 408 555 9751', '0019'
        ],
        [
            'jrentz', ['Human Resources', 'People'], 'Santa Clara',
            '+1 408 555 4798', '+1 408 555 9751', '3025'
        ],
        [
            'ahall', ['Accounting', 'People'], 'Santa Clara',
            '+1 408 555 4798', '+1 408 555 9751', '3050'
        ],
        [
            'lstockto', ['Product Testing', 'People'], 'Santa Clara',
            '+1 408 555 0518', '+1 408 555 4774', '0169'
        ],
        [
            'ttully', ['Human Resources', 'People'], 'Sunnyvale',
            '+1 408 555 2274', '+1 408 555 0111', '3924'
        ],
        [
            'polfield', ['Human Resources', 'People'], 'Santa Clara',
            '+1 408 555 4798', '+1 408 555 9751', '1376'
        ],
        [
            'scarte2', ['Product Development', 'People'], 'Santa Clara',
            '+1 408 555 4798', '+1 408 555 9751', '2013'
        ],
        [
            'tkelly', ['Product Development', 'People'], 'Santa Clara',
            '+1 408 555 4295', '+1 408 555 1992', '3107'
        ],
        [
            'mmcinnis', ['Product Development', 'People'], 'Santa Clara',
            '+1 408 555 9655', '+1 408 555 8721', '4818'
        ],
        [
            'brigden', ['Human Resources', 'People'], 'Sunnyvale',
            '+1 408 555 9655', '+1 408 555 8721', '1643'
        ],
        [
            'mtyler', ['Human Resources', 'People'], 'Cupertino',
            '+1 408 555 9655', '+1 408 555 8721', '2701'
        ],
        [
            'rjense2', ['Product Testing', 'People'], 'Sunnyvale',
            '+1 408 555 9655', '+1 408 555 8721', '1984'
        ],
        [
            'rhunt', ['Accounting', 'People'], 'Santa Clara',
            '+1 408 555 9655', '+1 408 555 8721', '0718'
        ],
        [
            'ptyler', ['Accounting', 'People'], 'Santa Clara',
            '+1 408 555 9655', '+1 408 555 8721', '0327'
        ],
        [
            'gtyler', ['Accounting', 'People'], 'Santa Clara',
            '+1 408 555 9655', '+1 408 555 8721', '0312'
        ]
    ]:
        english_named_user(users_people, user, org, l_l, telephone, facetele,
                           rn_rn)

    # Creating Users
    users_annahame = UserAccounts(topo.standalone,
                                  f'ou=Ännheimè,{DEFAULT_SUFFIX}',
                                  rdn=None)
    users_sanfran = UserAccounts(topo.standalone,
                                 f'ou=Sàn Fråncêscô,{DEFAULT_SUFFIX}',
                                 rdn=None)
    users_andre = UserAccounts(topo.standalone,
                               f'ou=Çéliné Ändrè,{DEFAULT_SUFFIX}',
                               rdn=None)
    users_close = UserAccounts(topo.standalone,
                               f'ou=Çlose Crèkä,{DEFAULT_SUFFIX}',
                               rdn=None)
    for people, user, cn_cn, ou_ou, des, tele, facetele, be_be, lang in [
        [
            users_annahame, 'user0', 'Babette Ryndérs', 'Ännheimè',
            'This is Babette Ryndérs description', '+1 415 788-4115',
            '+1 804 849-2367', 'es', 'Babette Ryndérs'
        ],
        [
            users_sanfran, 'user1', 'mÿrty DeCoùrsin', 'Sàn Fråncêscô',
            'This is mÿrty DeCoùrsins description', '+1 408 689-8883',
            '+1 804 849-2367', 'ie', 'mÿrty DeCoùrsin'
        ],
        [
            users_sanfran, 'user3', 'Kéñnon Fùndérbùrg', 'Sàn Fråncêscô',
            "This is Kéñnon Fùndérbùrg's description", '+1 408 689-8883',
            '+1 804 849-2367', 'it', 'Kéñnon Fùndérbùrg'
        ],
        [
            users_sanfran, 'user5', 'Dàsya Cozàrt', 'Sàn Fråncêscô',
            "This is Dàsya Cozàrt's description", '+1 408 689-8883',
            '+1 804 849-2367', 'be', 'Dàsya Cozàrt'
        ],
        [
            users_andre, 'user2', "Rôw O'Connér", 'Çéliné Ändrè',
            "This is Rôw O'Connér's description", '+1 408 689-8883',
            '+1 804 849-2367', 'it', "Rôw O'Connér"
        ],
        [
            users_andre, 'user4', 'Theadora Ebérle', 'Çéliné Ändrè',
            "This is Kéñnon Fùndérbùrg's description", '+1 408 689-8883',
            '+1 804 849-2367', 'de', 'Theadora Ebérle'
        ],
        [
            users_andre, 'user6', 'mÿrv Callânân', 'Çéliné Ändrè',
            "This is mÿrv Callânân's description", '+1 408 689-8883',
            '+1 804 849-2367', 'fr', 'mÿrv Callânân'
        ],
        [
            users_close, 'user7', 'Ñäthan Ovâns', 'Çlose Crèkä',
            "This is Ñäthan Ovâns's description", '+1 408 689-8883',
            '+1 804 849-2367', 'be', 'Ñäthan Ovâns'
        ]
    ]:
        non_english_user(people, user, cn_cn, ou_ou, des, tele, facetele,
                         be_be, lang)

    # Creating User Entry
    for user, address, pin in [
        ['Secretary1', '123 Castro St., Mountain View, CA', '99999'],
        ['Secretary2', '234 Ellis St., Mountain View, CA', '88888'],
        ['Secretary3', '345 California Av., Mountain View, CA', '77777'],
        ['Secretary4', '456 Villa St., Mountain View, CA', '66666'],
        ['Secretary5', '567 University Av., Mountain View, CA', '55555']
    ]:
        user_with_postal_code(users_people, user, address, pin)

    # Adding properties to mtyler
    mtyler = UserAccount(topo.standalone,
                         'uid=mtyler, ou=people, dc=example, dc=com')
    for value1, value2 in [
        ('objectclass', ['mailSchemeUser', 'mailRecipient']),
        ('emailclass', 'vpemail'), ('mailquota', '600'),
        ('multiLineDescription',
         'fromentry This is the special \2a attribute value')
    ]:
        mtyler.add(value1, value2)

    # Adding properties to rjense2
    rjense2 = UserAccount(topo.standalone,
                          'uid=rjense2, ou=people, dc=example, dc=com')
    for value1, value2 in [('objectclass', ['mailRecipient',
                                            'mailSchemeUser']),
                           ('emailclass', 'vpemail')]:
        rjense2.add(value1, value2)

    # Creating managed role
    ManagedRoles(topo.standalone, DEFAULT_SUFFIX).create(
        properties={
            'description': 'This is the new managed role configuration',
            'cn': 'new managed role'
        })

    # Creating filter role
    filters = FilterRoles(topo.standalone, DEFAULT_SUFFIX)
    filters.create(
        properties={
            'nsRoleFilter': '(uid=*wal*)',
            'description': 'this is the new filtered role',
            'cn': 'new filtered role'
        })
    filters.create(
        properties={
            'nsRoleFilter': '(&(postalCode=77777)(uid=*er*))',
            'description': 'This is the new vddr filter role config',
            'cn': 'new vaddr filtered role'
        })
    filters.create(
        properties={
            'nsRoleFilter': '(&(postalCode=66666)(l=Cupertino))',
            'description': 'This is the new vddr filter role config',
            'cn': 'another vaddr role'
        })
def test_basic(topology_st, create_user, password_policy):
    """Ensure that on a password change, the policy syntax
    is enforced correctly.

    :id: e8de7029-7fa6-4e96-9eb6-4a121f4c8fb3
    :setup: Standalone instance, a test user,
            global password policy with:
            passwordCheckSyntax - on; nsslapd-pwpolicy-local - off;
            passwordMinCategories - 1
    :steps:
        1. Grant the test user write access on ou=people (USER_ACI)
        2. For each syntax attribute, set it to a restrictive value,
           change the password to one that violates the rule, then to one
           that satisfies it, and restore the attribute:
           passwordMinLength (10 -> 2), passwordMinDigits (2 -> 0),
           passwordMinAlphas (2 -> 0), passwordMaxRepeats (2 -> 0),
           passwordMinSpecials (2 -> 0), passwordMinLowers (2 -> 0),
           passwordMinUppers (2 -> 0)
        3. On 1.4.0.13 and newer, do the same for passwordDictCheck,
           passwordPalindrome, passwordMaxSequence (forward and backward
           digit and alpha runs), passwordMaxSeqSets, passwordMaxClassChars
           (digits, specials, lowers, uppers), passwordBadWords ('redhat'
           and 'fedora') and passwordUserAttributes (description)
    :expectedresults:
        1. Success
        2. Every violating password is rejected, every compliant one is
           accepted, and each attribute is restored to its reset value
        3. Same as 2 for every newer syntax check
    """

    # Let the test user modify its own entry under ou=people
    ous = OrganizationalUnits(topology_st.standalone, DEFAULT_SUFFIX)
    ous.get('people').add('aci', USER_ACI)

    inst = topology_st.standalone

    # Each row: (attribute, value under test, reset value,
    #            password expected to be rejected, password expected to be
    #            accepted, reason given when the rejection is reported).
    # Note: "Min 8-bits" is not covered - the "ldap" package only accepts
    # ascii strings at the moment.
    basic_checks = [
        ('passwordMinLength', 10, 2, 'passwd', 'password123',
         'length too short'),
        ('passwordMinDigits', 2, 0, 'passwd', 'password123',
         'does not contain minimum number of digits'),
        ('passwordMinAlphas', 2, 0, 'p123456789', 'password123',
         'does not contain minimum number of alphas'),
        ('passwordMaxRepeats', 2, 0, 'passsword', 'password123',
         'too many repeating characters'),
        ('passwordMinSpecials', 2, 0, 'passwd', 'password_#$',
         'does not contain minimum number of special characters'),
        ('passwordMinLowers', 2, 0, 'PASSWORD123', 'password123',
         'does not contain minimum number of lowercase characters'),
        # NOTE(review): the reason text says "lowercase" although the rule
        # under test is passwordMinUppers; kept as-is since it is only the
        # text handed to tryPassword.
        ('passwordMinUppers', 2, 0, 'password', 'PASSWORD',
         'does not contain minimum number of lowercase characters'),
    ]
    for check in basic_checks:
        tryPassword(inst, *check)

    if ds_is_newer('1.4.0.13'):
        accepted = '13_#Kad472h'
        sequence_msg = 'Max montonic sequence is not allowed'
        class_msg = 'Too may consecutive characters from the same class'

        newer_checks = [
            # Dictionary check
            ('passwordDictCheck', 'on', 'on', 'PASSWORD', accepted,
             'Password found in dictionary'),
            # Palindromes
            ('passwordPalindrome', 'on', 'on', 'Za12_#_21aZ', accepted,
             'Password is palindrome'),
            # Monotonic sequences: forward/backward digits, forward/backward
            # alphas
            ('passwordMaxSequence', 3, 0, 'Za1_1234', accepted, sequence_msg),
            ('passwordMaxSequence', 3, 0, 'Za1_4321', accepted, sequence_msg),
            ('passwordMaxSequence', 3, 0, 'Za1_abcd', accepted, sequence_msg),
            ('passwordMaxSequence', 3, 0, 'Za1_dcba', accepted, sequence_msg),
            # Repeated sequence sets
            ('passwordMaxSeqSets', 2, 0, 'Za1_123--123', accepted,
             sequence_msg),
            # Too many consecutive characters of one class: digits,
            # specials, lowers, uppers
            ('passwordMaxClassChars', 3, 0, 'Za1_9376', accepted, class_msg),
            ('passwordMaxClassChars', 3, 0, 'Za1_#$&!', accepted, class_msg),
            ('passwordMaxClassChars', 3, 0, 'Za1_ahtf', accepted, class_msg),
            ('passwordMaxClassChars', 3, 0, 'Za1_HTSE', accepted, class_msg),
            # Bad words
            # NOTE(review): the reason text below is the class-chars one,
            # not a bad-words one; kept as-is.
            ('passwordBadWords', 'redhat fedora', 'none', 'Za1_redhat',
             accepted, class_msg),
            ('passwordBadWords', 'redhat fedora', 'none', 'Za1_fedora',
             accepted, class_msg),
            # Password must not contain values of the listed user attributes
            ('passwordUserAttributes', 'description', 0, 'Za1_d_e_s_c',
             accepted, 'Password found in user entry'),
        ]
        for check in newer_checks:
            tryPassword(inst, *check)

    log.info('pwdPolicy tests PASSED')
    def _apply(self):
        """Populate the suffix with the sample "example" layout.

        Creates the base domain object (carrying an allow-all ACI for the
        Directory Administrators group), the Groups / People / Special Users
        OUs - People carries the self-write ACI and one write ACI per
        department manager group - four manager unique groups whose only
        member is the instance bind DN, and the Directory Administrators
        group itself, which is placed directly under the base DN rather
        than under ou=Groups.

        This is demo data: the Directory Administrators ACI grants
        allow (all) on every attribute, and the self-modification ACI lets
        any entry rewrite its own userpassword, so it is not a hardened
        policy.
        """
        inst = self._instance
        basedn = self._basedn

        # Base domain entry with the admin-group ACI.
        domain = create_base_domain(inst, basedn)
        domain.add(
            'aci',
            f'(targetattr ="*")(version 3.0;acl "Directory Administrators Group";allow (all) (groupdn = "ldap:///cn=Directory Administrators,{basedn}");)')

        # One row per department: (targetattr spec, ou value used in the
        # targetfilter, acl name, manager group cn, manager group description).
        # The QA row keeps the original "cn ||sn || uid" spacing on purpose.
        departments = [
            ('cn || sn || uid', 'Accounting',
             'Accounting Managers Group Permissions', 'Accounting Managers',
             'People who can manage accounting entries'),
            ('cn || sn || uid', 'Human Resources',
             'HR Group Permissions', 'HR Managers',
             'People who can manage HR entries'),
            ('cn ||sn || uid', 'Product Testing',
             'QA Group Permissions', 'QA Managers',
             'People who can manage QA entries'),
            ('cn || sn || uid', 'Product Development',
             'Engineering Group Permissions', 'PD Managers',
             'People who can manage engineer entries'),
        ]

        people_acis = [
            '(targetattr ="userpassword || telephonenumber || facsimiletelephonenumber")(version 3.0;acl "Allow self entry modification";allow (write)(userdn = "ldap:///self");)',
        ]
        people_acis.extend(
            f'(targetattr !="{attrs}")(targetfilter ="(ou={dept})")(version 3.0;acl "{acl_name}";allow (write)(groupdn = "ldap:///cn={group_cn},ou=groups,{basedn}");)'
            for attrs, dept, acl_name, group_cn, _ in departments)

        # The OUs.
        ous = OrganizationalUnits(inst, basedn)
        ous.create(properties={'ou': 'Groups'})
        ous.create(properties={'ou': 'People', 'aci': people_acis})
        ous.create(properties={
            'ou': 'Special Users',
            'description': 'Special Administrative Accounts',
        })

        # The manager groups; the bind DN is the sole member of each.
        ugs = UniqueGroups(inst, basedn)
        for _, _, _, group_cn, group_desc in departments:
            ugs.create(properties={
                'cn': group_cn,
                'description': group_desc,
                'ou': 'groups',
                'uniqueMember': inst.binddn,
            })

        # The directory admin group lives directly under the base DN, so the
        # group factory (which would place it under ou=Groups) is bypassed
        # by overriding the DN on a bare UniqueGroup.
        admins = UniqueGroup(inst)
        admins._dn = f'cn=Directory Administrators,{basedn}'
        admins.create(properties={
            'cn': 'Directory Administrators',
            'uniqueMember': inst.binddn,
        })
def test_moving_entry_make_online_init_fail(topo_m2):
    """Moving an entry could make the online init fail

    :id: e3895be7-884a-4e9f-80e3-24e9a5167c9e
    :setup: Two suppliers replication setup
    :steps:
         1. Generate DIT_0
         2. Generate password policy for DIT_0
         3. Create users for DIT_0
         4. Turn idx % 2 == 0 users into tombstones
         5. Generate DIT_1
         6. Move 'ou=OU0,ou=OU0,dc=example,dc=com' to DIT_1
         7. Move 'ou=OU0,dc=example,dc=com' to DIT_1
         8. Move idx % 2 == 1 users to 'ou=OU0,ou=OU0,ou=OU1,dc=example,dc=com'
         9. Init replicas
         10. Number of entries should match on both suppliers
    :expectedresults:
         1. Success
         2. Success
         3. Success
         4. Success
         5. Success
         6. Success
         7. Success
         8. Success
         9. Success
         10. Success
    """

    supplier1 = topo_m2.ms["supplier1"]
    supplier2 = topo_m2.ms["supplier2"]

    # --- DIT_0: ou=OU0 -> ou=OU0,ou=OU0, with an ldapsubentry under the
    # first OU and the users under the second one.
    log.info("Generating DIT_0")
    add_ou_entry(supplier1, 0, DEFAULT_SUFFIX)
    log.info("Created entry: ou=OU0, dc=example, dc=com")

    ou0 = 'ou=OU0'
    first_parent = f'{ou0},{DEFAULT_SUFFIX}'
    add_ou_entry(supplier1, 0, first_parent)
    log.info("Created entry: ou=OU0, ou=OU0, dc=example, dc=com")

    add_ldapsubentry(supplier1, first_parent)

    user_ou = 'ou=OU0,ou=OU0'
    second_parent = f'ou=OU0,{first_parent}'
    # Every even-numbered user is deleted right after creation so that the
    # DIT also carries tombstones.
    # NOTE(review): range(0, 9) yields nine users, while the log line below
    # reports 10; the message is kept verbatim.
    for user_idx in range(0, 9):
        add_user_entry(supplier1, user_idx, user_ou)
        if user_idx % 2 == 0:
            log.info(f"Turning tuser{user_idx} into a tombstone entry")
            del_user_entry(supplier1, user_idx, user_ou)

    log.info(f'{DEFAULT_SUFFIX} => {first_parent} => {second_parent} => 10 USERS')

    # --- DIT_1: ou=OU1 -> ou=OU1,ou=OU1, again with an ldapsubentry.
    log.info("Generating DIT_1")
    add_ou_entry(supplier1, 1, DEFAULT_SUFFIX)
    log.info("Created entry: ou=OU1,dc=example,dc=com")

    third_parent = f'ou=OU1,{DEFAULT_SUFFIX}'
    add_ou_entry(supplier1, 1, third_parent)
    log.info("Created entry: ou=OU1, ou=OU1, dc=example, dc=com")

    add_ldapsubentry(supplier1, third_parent)

    # --- Re-parent DIT_0 under DIT_1, innermost OU first.
    log.info(f"Moving {second_parent} to DIT_1")
    OrganizationalUnits(supplier1, second_parent).get('OU0').rename(
        ou0, newsuperior=third_parent)

    log.info(f"Moving {first_parent} to DIT_1")
    fourth_parent = f'{ou0},{third_parent}'
    OrganizationalUnits(supplier1, first_parent).get('OU0').rename(
        ou0, newsuperior=fourth_parent)

    fifth_parent = f'{ou0},{fourth_parent}'

    # Odd-numbered users (the ones still alive) follow the moved OUs.
    user_ou = 'ou=OU0,ou=OU1'
    log.info(f"Moving USERS to {fifth_parent}")
    for user_idx in range(0, 9):
        if user_idx % 2 == 1:
            rename_entry(supplier1, user_idx, user_ou, fifth_parent)

    log.info(f'{DEFAULT_SUFFIX} => {third_parent} => {fourth_parent} => {fifth_parent} => 10 USERS')

    # --- Let replication catch up, then compare the two suppliers.
    log.info("Run Initialization.")
    repl = ReplicationManager(DEFAULT_SUFFIX)
    repl.wait_for_replication(supplier1, supplier2, timeout=5)

    # Tombstones and ldapsubentries are normally hidden from a plain
    # search, so the filter names them explicitly.
    all_entries_filter = (
        '(|(objectclass=ldapsubentry)(objectclass=nstombstone)(nsuniqueid=*))')
    m1entries = supplier1.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE,
                                   all_entries_filter)
    m2entries = supplier2.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE,
                                   all_entries_filter)

    log.info("m1entry count - %d", len(m1entries))
    log.info("m2entry count - %d", len(m2entries))

    # Only the entry counts are compared here, not the DN sets themselves.
    assert len(m1entries) == len(m2entries)
def test_repl_modrdn(topo_m2):
    """Test that replicated MODRDN does not break replication

    :id: a3e17698-9eb4-41e0-b537-8724b9915fa6
    :setup: Two masters replication setup
    :steps:
        1. Add 3 test OrganizationalUnits A, B and C
        2. Add 1 test user under OU=A
        3. Add same test user under OU=B
        4. Stop Replication
        5. Apply modrdn to M1 - move test user from OU A -> C
        6. Apply modrdn on M2 - move test user from OU B -> C
        7. Start Replication
        8. Check that there should be only one test entry under ou=C on both masters
        9. Check that the replication is working fine both ways M1 <-> M2
    :expectedresults:
        1. This should pass
        2. This should pass
        3. This should pass
        4. This should pass
        5. This should pass
        6. This should pass
        7. This should pass
        8. This should pass
        9. This should pass
    """

    master1 = topo_m2.ms["master1"]
    master2 = topo_m2.ms["master2"]

    repl = ReplicationManager(DEFAULT_SUFFIX)

    def users_under(master, ou):
        """UserAccounts view of the given OU on the given master."""
        return UserAccounts(master, DEFAULT_SUFFIX, rdn=f'ou={ou.rdn}')

    log.info(
        "Add test entries - Add 3 OUs and 2 same users under 2 different OUs")
    ous = OrganizationalUnits(master1, DEFAULT_SUFFIX)
    ou_a, ou_b, ou_c = [
        ous.create(properties={'ou': name, 'description': name})
        for name in ('A', 'B', 'C')
    ]

    # The same test user (same RDN) is created under two different OUs.
    tuser_a = users_under(master1, ou_a).create(properties=TEST_USER_PROPERTIES)
    tuser_b = users_under(master1, ou_b).create(properties=TEST_USER_PROPERTIES)

    repl.test_replication(master1, master2)
    repl.test_replication(master2, master1)

    log.info("Stop Replication")
    topo_m2.pause_all_replicas()

    # With replication paused, each master moves "its" copy under ou=C, so
    # both sides end up with a MODRDN targeting the same new DN.
    log.info("Apply modrdn to M1 - move test user from OU A -> C")
    master1.rename_s(tuser_a.dn, 'uid=testuser1', newsuperior=ou_c.dn,
                     delold=1)

    log.info("Apply modrdn on M2 - move test user from OU B -> C")
    master2.rename_s(tuser_b.dn, 'uid=testuser1', newsuperior=ou_c.dn,
                     delold=1)

    log.info("Start Replication")
    topo_m2.resume_all_replicas()

    log.info("Wait for sometime for repl to resume")
    repl.test_replication(master1, master2)
    repl.test_replication(master2, master1)

    log.info(
        "Check that there should be only one test entry under ou=C on both masters"
    )
    # Entry count only; which of the two originals survived is not checked.
    for master in (master1, master2):
        assert len(users_under(master, ou_c).list()) == 1

    log.info("Check that the replication is working fine both ways, M1 <-> M2")
    repl.test_replication(master1, master2)
    repl.test_replication(master2, master1)
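def test_sync_repl_mep(topology, request):
    """Test sync repl with MEP plugin that triggers several
    updates on the same entry

    :id: d9515930-293e-42da-9835-9f255fa6111b
    :setup: Standalone Instance
    :steps:
        1. enable retro/sync_repl/mep
        2. Add mep Template and definition entry
        3. start sync_repl client
        4. Add users with PosixAccount ObjectClass (mep will update it several times)
        5. Check that the received cookie are progressing
    :expectedresults:
        1. Success
        2. Success
        3. Success
        4. Success
        5. Success
    """
    inst = topology[0]

    # Enable/configure retroCL
    plugin = RetroChangelogPlugin(inst)
    plugin.disable()
    plugin.enable()
    plugin.set('nsslapd-attribute', 'nsuniqueid:targetuniqueid')

    # Enable sync plugin
    plugin = ContentSyncPlugin(inst)
    plugin.enable()

    # Enable the Managed Entries plugin.  This used to call plugin.enable()
    # a second time (re-enabling the sync plugin) and leave `mana` unused,
    # so step 1 of the docstring was never actually performed for MEP.
    mana = ManagedEntriesPlugin(inst)
    mana.enable()

    # Add Template and definition entry
    org1 = OrganizationalUnits(
        inst, DEFAULT_SUFFIX).create(properties={'ou': 'Users'})
    org2 = OrganizationalUnit(inst, f'ou=Groups,{DEFAULT_SUFFIX}')
    meps = MEPTemplates(inst, DEFAULT_SUFFIX)
    mep_template1 = meps.create(
        properties={
            'cn':
            'UPG Template1',
            'mepRDNAttr':
            'cn',
            'mepStaticAttr':
            'objectclass: posixGroup',
            'mepMappedAttr':
            'cn: $uid|gidNumber: $gidNumber|description: User private group for $uid'
            .split('|')
        })
    conf_mep = MEPConfigs(inst)
    mep_config = conf_mep.create(
        properties={
            'cn': 'UPG Definition2',
            'originScope': org1.dn,
            'originFilter': 'objectclass=posixaccount',
            'managedBase': org2.dn,
            'managedTemplate': mep_template1.dn
        })

    # Enable plugin log level (useful for debugging)
    inst.setLogLevel(65536)
    inst.restart()

    # create a sync repl client and wait 5 seconds to be sure it is running
    sync_repl = Sync_persist(inst)
    sync_repl.start()
    time.sleep(5)

    # Add users with PosixAccount ObjectClass and verify creation of User Private Group
    user = UserAccounts(inst, f'ou=Users,{DEFAULT_SUFFIX}',
                        rdn=None).create_test_user()
    assert user.get_attr_val_utf8(
        'mepManagedEntry') == f'cn=test_user_1000,ou=Groups,{DEFAULT_SUFFIX}'

    # stop the server to get the sync_repl result set (exit from while loop).
    # Only way I found to achieve that.
    # and wait a bit to let sync_repl thread time to set its result before fetching it.
    inst.stop()
    time.sleep(10)
    cookies = sync_repl.get_result()

    # checking that the cookie are in increasing and in an acceptable range (0..1000)
    assert len(cookies) > 0
    prev = 0
    for cookie in cookies:
        log.info('Check cookie %s' % cookie)

        assert int(cookie) > 0
        assert int(cookie) < 1000
        assert int(cookie) > prev
        prev = int(cookie)
    sync_repl.join()
    log.info('test_sync_repl_map: PASS\n')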
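def _add_user(request, topo):
    """Build the roledn/ACI test tree and register its teardown.

    Creates ``ou=roledntest`` under ``DEFAULT_SUFFIX`` carrying four ACIs
    whose bind rules are ``roledn`` based (a nested role, an OR of two roles,
    the ``anyone`` pseudo-role and a NOT rule), then the nested, managed and
    filtered roles those ACIs reference, and the user entries that exercise
    them.  The finalizer removes everything the fixture created, including
    the filtered role and the OU, so a later module running on the same
    instance does not inherit these ACIs or role definitions.

    :param request: pytest request object used to register the finalizer
    :param topo: topology whose ``standalone`` instance receives the entries
    """
    ous = OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX)
    ou_ou = ous.create(properties={'ou': 'roledntest'})
    # These ACIs are the object under test: each one grants allow(all) on a
    # single target entry, and the only selector is the bound user's roles.
    # NOTE(review): the first two ACIs quote the attribute wildcard
    # (targetattr="*") while the last two do not (targetattr=*); both forms
    # are kept verbatim here since the server evidently accepts them.
    ou_ou.set('aci', [
        f'(target="ldap:///{NESTED_ROLE_TESTER}")(targetattr="*") '
        f'(version 3.0; aci "nested role aci"; allow(all)'
        f'roledn = "ldap:///{ROLE2}";)',
        f'(target="ldap:///{OR_RULE_ACCESS}")(targetattr="*")'
        f'(version 3.0; aci "or role aci"; allow(all) '
        f'roledn = "ldap:///{ROLE1} || ldap:///{ROLE21}";)',
        f'(target="ldap:///{ALL_ACCESS}")(targetattr=*)'
        f'(version 3.0; aci "anyone role aci"; allow(all) '
        f'roledn = "ldap:///anyone";)',
        f'(target="ldap:///{NOT_RULE_ACCESS}")(targetattr=*)'
        f'(version 3.0; aci "not role aci"; allow(all)'
        f'roledn != "ldap:///{ROLE1} || ldap:///{ROLE21}";)'
    ])

    # Nested roles aggregate other roles: role2 = ROLE1 + ROLE21,
    # role3 = role2 + ROLE31 (ROLE2 is presumably the DN of role2 above).
    nestedroles = NestedRoles(topo.standalone, OU_ROLE)
    for role_name, member_roles in [('role2', [ROLE1, ROLE21]),
                                    ('role3', [ROLE2, ROLE31])]:
        nestedroles.create(properties={'cn': role_name,
                                       'nsRoleDN': member_roles})

    # Managed roles are assigned explicitly via nsRoleDN on the user entry.
    managedroles = ManagedRoles(topo.standalone, OU_ROLE)
    for role_name in ['ROLE1', 'ROLE21', 'ROLE31']:
        managedroles.create(properties={'cn': role_name})

    # Filtered role: membership is computed from the entry's attributes,
    # here anyone whose sn is "Dr Drake" (JOE_ROLE gets that sn below).
    filterroles = FilteredRoles(topo.standalone, OU_ROLE)
    filterroles.create(
        properties={
            'cn': 'filterRole',
            'nsRoleFilter': 'sn=Dr Drake',
            'description': 'filter role tester'
        })

    users = UserAccounts(topo.standalone, OU_ROLE, rdn=None)

    def _user_props(uid, description, role_dn=None):
        """Return the attribute set shared by every test user.

        All users get the same dummy POSIX ids; only uid/cn, the optional
        managed role (nsRoleDN) and the free-text description differ.  They
        all bind with PW_DM, i.e. the same password as the directory manager,
        which is acceptable only because these are throw-away test entries.
        """
        props = {
            'uid': uid,
            'cn': uid,
            'sn': 'user',
            'uidNumber': '1000',
            'gidNumber': '2000',
            'homeDirectory': '/home/' + uid,
            'userPassword': PW_DM,
        }
        if role_dn is not None:
            props['nsRoleDN'] = role_dn
        props['Description'] = description
        return props

    # Users that hold a managed role directly; their membership in role2 and
    # role3 follows from the nested role definitions above.
    for uid, role_dn, description in [
            ('STEVE_ROLE', ROLE1, 'Has roles 1, 2 and 3.'),
            ('HARRY_ROLE', ROLE21, 'Has roles 21, 2 and 3.'),
            ('MARY_ROLE', ROLE31, 'Has roles 31 and 3.')]:
        users.create(properties=_user_props(uid, description, role_dn))

    # Users without an explicit role: JOE_ROLE will match the filtered role,
    # NOROLEUSER is the negative case, and the remaining entries are the
    # *targets* of the ACIs (their uids match the DNs used in the ACIs).
    for uid, description in [
            ('JOE_ROLE', 'Has filterRole.'),
            ('NOROLEUSER', 'Has no roles.'),
            ('SCRACHENTRY', 'Entry to test rights on.'),
            ('all access', 'Everyone has acccess (incl anon).'),
            ('not rule access', 'Only accessible to mary.'),
            ('or rule access',
             'Only to steve and harry but nbot mary or anon'),
            ('nested role tester', 'Only accessible to harry and steve.')]:
        users.create(properties=_user_props(uid, description))

    # Give JOE the sn that the filtered role's nsRoleFilter selects on.
    UserAccount(topo.standalone,
                f'uid=JOE_ROLE,ou=roledntest,{DEFAULT_SUFFIX}').set(
                    'sn', 'Dr Drake')

    def fin():
        """Delete every entry the fixture created, leaf entries first.

        The filtered role and the OU are removed as well; leaving them
        behind would keep the roledn ACIs (and a role matching any later
        entry with sn=Dr Drake) active for whatever runs next on this
        instance.
        """
        for entry in (users.list() + managedroles.list()
                      + nestedroles.list() + filterroles.list()):
            entry.delete()
        # Once its children are gone the OU is a leaf and can be deleted.
        ou_ou.delete()

    request.addfinalizer(fin)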
    def test_managed_entries(self, topology_m2):
        """Check that conflict properly resolved for operations
        with managed entries

        :id: 77f09b18-03d1-45da-940b-1ad2c2908eb4
        :setup: Two master replication, test container for entries, enable plugin logging,
                audit log, error log for replica and access log for internal
        :steps:
            1. Create ou=managed_users and ou=managed_groups under test container
            2. Configure managed entries plugin and add a template to test container
            3. Add a user to m1 and wait for replication to happen
            4. Pause replication
            5. Create a user on m1 and m2 with a same group ID on both master
            6. Create a user on m1 and m2 with a different group ID on both master
            7. Resume replication
            8. Check that the entries on both masters are the same and replication is working
        :expectedresults:
            1. It should pass
            2. It should pass
            3. It should pass
            4. It should pass
            5. It should pass
            6. It should pass
            7. It should pass
            8. It should pass
        """

        # The test is parked on issue 49591: pytest.xfail() raises, so the
        # scenario below is never executed until this call is removed.
        pytest.xfail("Issue 49591 - work in progress")

        master1 = topology_m2.ms["master1"]
        master2 = topology_m2.ms["master2"]
        repl = ReplicationManager(SUFFIX)

        # Step 1: the two OUs the MEP plugin will watch and populate.
        ous = OrganizationalUnits(master1, DEFAULT_SUFFIX)
        ou_people = ous.create(properties={'ou': 'managed_people'})
        ou_groups = ous.create(properties={'ou': 'managed_groups'})

        people_rdn = 'ou={}'.format(ou_people.rdn)
        test_users_m1 = UserAccounts(master1, DEFAULT_SUFFIX, rdn=people_rdn)
        test_users_m2 = UserAccounts(master2, DEFAULT_SUFFIX, rdn=people_rdn)

        # Step 2: the template describing the group entry generated per user.
        # TODO: Refactor ManagedPlugin class  functionality (also add configs and templates)
        template_props = {
            'objectclass': ['top', 'mepTemplateEntry', 'extensibleObject'],
            'cn': 'MEP Template',
            'mepRDNAttr': 'cn',
            'mepStaticAttr':
            ['objectclass: posixGroup', 'objectclass: extensibleObject'],
            'mepMappedAttr':
            ['cn: $uid', 'uid: $cn', 'gidNumber: $uidNumber'],
        }
        template = nsContainers(master1, SUFFIX).create(
            properties=template_props)
        repl.test_replication(master1, master2)

        # The plugin config lives under cn=config and is not replicated, so
        # it is written to every master separately and each one restarted.
        plugin_dn = "cn={},{}".format(PLUGIN_MANAGED_ENTRY, DN_PLUGIN)
        for inst in topology_m2.ms.values():
            nsContainers(inst, plugin_dn).create(
                properties={
                    'objectclass': ['top', 'extensibleObject'],
                    'cn': 'config',
                    'originScope': ou_people.dn,
                    'originFilter': 'objectclass=posixAccount',
                    'managedBase': ou_groups.dn,
                    'managedTemplate': template.dn
                })
            inst.restart()

        # Step 3: a user created while replication is live.
        _create_user(test_users_m1, 1, 1)

        # Steps 4-6: with replication paused, add the same user on both
        # masters (same gid), then a user with conflicting gids.
        topology_m2.pause_all_replicas()

        _create_user(test_users_m1, 2, 2, sleep=True)
        _create_user(test_users_m2, 2, 2, sleep=True)

        _create_user(test_users_m1, 3, 3, sleep=True)
        _create_user(test_users_m2, 3, 33)

        # Steps 7-8: resume and verify both masters converged.
        topology_m2.resume_all_replicas()

        repl.test_replication_topology(topology_m2)

        dns_on_m1 = {user.dn for user in test_users_m1.list()}
        dns_on_m2 = {user.dn for user in test_users_m2.list()}
        assert dns_on_m1 == dns_on_m2
    def _apply(self):
        """Populate ``self._basedn`` with the sample tree and its access policy.

        Creates the base domain entry, the hidden ``389_ds_system`` container,
        the ``groups``/``people``/``permissions``/``services`` OUs with their
        ACIs, a locked demo user, a demo group and the permission groups the
        ACIs refer to.  The ACI strings below *are* the security policy of
        the sample data: anonymous read is limited to the attributes listed
        in each ``targetattr``, write access is delegated to groups under
        ``ou=permissions``, and nothing here grants write access to
        ``userPassword`` except the ``user_passwd_reset`` group.
        """
        # Create the base domain object
        domain = create_base_domain(self._instance, self._basedn)
        domain.add(
            'aci',
            [
                # Allow reading the base domain object
                '(targetattr="dc || description || objectClass")(targetfilter="(objectClass=domain)")(version 3.0; acl "Enable anyone domain read"; allow (read, search, compare)(userdn="ldap:///anyone");)',
                # Allow reading the ou
                '(targetattr="ou || objectClass")(targetfilter="(objectClass=organizationalUnit)")(version 3.0; acl "Enable anyone ou read"; allow (read, search, compare)(userdn="ldap:///anyone");)'
            ])

        # Create the 389 service container
        # This could also move to be part of core later ....
        # (the returned object is not used further; the call is for its side effect)
        hidden_containers = nsHiddenContainers(self._instance, self._basedn)
        ns389container = hidden_containers.create(
            properties={'cn': '389_ds_system'})

        # Create our ous.
        # The groupdn bind rules interpolate self._basedn into the ACI text;
        # NOTE(review): a basedn containing '"' or ')' would break the ACI
        # syntax — presumably validated upstream, confirm.
        ous = OrganizationalUnits(self._instance, self._basedn)
        ous.create(
            properties={
                'ou':
                'groups',
                'aci': [
                    # Allow anon partial read
                    '(targetattr="cn || member || gidNumber || nsUniqueId || description || objectClass")(targetfilter="(objectClass=groupOfNames)")(version 3.0; acl "Enable anyone group read"; allow (read, search, compare)(userdn="ldap:///anyone");)',
                    # Allow group_modify to modify but not create groups
                    '(targetattr="member")(targetfilter="(objectClass=groupOfNames)")(version 3.0; acl "Enable group_modify to alter members"; allow (write)(groupdn="ldap:///cn=group_modify,ou=permissions,{BASEDN}");)'
                    .format(BASEDN=self._basedn),
                    # Allow group_admin to fully manage groups (posix or not).
                    '(targetattr="cn || member || gidNumber || description || objectClass")(targetfilter="(objectClass=groupOfNames)")(version 3.0; acl "Enable group_admin to manage groups"; allow (write, add, delete)(groupdn="ldap:///cn=group_admin,ou=permissions,{BASEDN}");)'
                    .format(BASEDN=self._basedn),
                ]
            })

        ous.create(
            properties={
                'ou':
                'people',
                'aci': [
                    # allow anon partial read.
                    # Note this deliberately exposes uid, mail, memberOf and
                    # nsAccountLock to anonymous binds; userPassword is not listed.
                    '(targetattr="objectClass || description || nsUniqueId || uid || displayName || loginShell || uidNumber || gidNumber || gecos || homeDirectory || cn || memberOf || mail || nsSshPublicKey || nsAccountLock || userCertificate")(targetfilter="(objectClass=posixaccount)")(version 3.0; acl "Enable anyone user read"; allow (read, search, compare)(userdn="ldap:///anyone");)',
                    # allow self partial mod
                    # (a user may change their own displayName and SSH key, nothing else)
                    '(targetattr="displayName || nsSshPublicKey")(version 3.0; acl "Enable self partial modify"; allow (write)(userdn="ldap:///self");)',
                    # Allow self full read
                    '(targetattr="legalName || telephoneNumber || mobile")(targetfilter="(objectClass=nsPerson)")(version 3.0; acl "Enable self legalname read"; allow (read, search, compare)(userdn="ldap:///self");)',
                    # Allow reading legal name
                    '(targetattr="legalName || telephoneNumber")(targetfilter="(objectClass=nsPerson)")(version 3.0; acl "Enable user legalname read"; allow (read, search, compare)(groupdn="ldap:///cn=user_private_read,ou=permissions,{BASEDN}");)'
                    .format(BASEDN=self._basedn),
                    # These below need READ so they can read userPassword and legalName
                    # Allow user admin create mod
                    # (userPassword is *not* in this targetattr list, so user_admin
                    # can create and delete accounts but cannot set their password)
                    '(targetattr="uid || description || displayName || loginShell || uidNumber || gidNumber || gecos || homeDirectory || cn || memberOf || mail || legalName || telephoneNumber || mobile")(targetfilter="(&(objectClass=nsPerson)(objectClass=nsAccount))")(version 3.0; acl "Enable user admin create"; allow (write, add, delete, read)(groupdn="ldap:///cn=user_admin,ou=permissions,{BASEDN}");)'
                    .format(BASEDN=self._basedn),
                    # Allow user mod mod only
                    '(targetattr="uid || description || displayName || loginShell || uidNumber || gidNumber || gecos || homeDirectory || cn || memberOf || mail || legalName || telephoneNumber || mobile")(targetfilter="(&(objectClass=nsPerson)(objectClass=nsAccount))")(version 3.0; acl "Enable user modify to change users"; allow (write, read)(groupdn="ldap:///cn=user_modify,ou=permissions,{BASEDN}");)'
                    .format(BASEDN=self._basedn),
                    # Allow user_pw_admin to nsaccountlock and password
                    # This is the most sensitive grant in the tree: members can set
                    # any nsAccount's password, certificate and SSH key and lock or
                    # unlock it, so membership of user_passwd_reset must be tightly held.
                    '(targetattr="userPassword || nsAccountLock || userCertificate || nsSshPublicKey")(targetfilter="(objectClass=nsAccount)")(version 3.0; acl "Enable user password reset"; allow (write, read)(groupdn="ldap:///cn=user_passwd_reset,ou=permissions,{BASEDN}");)'
                    .format(BASEDN=self._basedn),
                ]
            })

        # No ACI on ou=permissions itself: only the base-domain/ou read ACIs
        # above apply, so the permission groups are not writable by delegation.
        ous.create(properties={
            'ou': 'permissions',
        })

        ous.create(
            properties={
                'ou':
                'services',
                'aci': [
                    # Minimal service read
                    '(targetattr="objectClass || description || nsUniqueId || cn || memberOf || nsAccountLock ")(targetfilter="(objectClass=netscapeServer)")(version 3.0; acl "Enable anyone service account read"; allow (read, search, compare)(userdn="ldap:///anyone");)',
                ]
            })

        # Create the demo user
        # Created with nsAccountlock=true and loginShell=/bin/false, i.e. the
        # account cannot bind until an administrator deliberately unlocks it.
        users = nsUserAccounts(self._instance, self._basedn)
        users.create(
            properties={
                'uid': 'demo_user',
                'cn': 'Demo User',
                'displayName': 'Demo User',
                'legalName': 'Demo User Name',
                'uidNumber': '99998',
                'gidNumber': '99998',
                'homeDirectory': '/var/empty',
                'loginShell': '/bin/false',
                'nsAccountlock': 'true'
            })

        # Create the demo group
        groups = PosixGroups(self._instance, self._basedn)
        groups.create(properties={'cn': 'demo_group', 'gidNumber': '99999'})

        # Create the permission groups required for the acis
        # Each group is created empty; the names must match the groupdn
        # bind rules in the ACIs above exactly.
        permissions = Groups(self._instance,
                             self._basedn,
                             rdn='ou=permissions')
        permissions.create(properties={
            'cn': 'group_admin',
        })
        permissions.create(properties={
            'cn': 'group_modify',
        })
        permissions.create(properties={
            'cn': 'user_admin',
        })
        permissions.create(properties={
            'cn': 'user_modify',
        })
        permissions.create(properties={
            'cn': 'user_passwd_reset',
        })
        permissions.create(properties={
            'cn': 'user_private_read',
        })