def test_graceperiod_not_replicated(self):
"""Test that the grace period is reset on password reset"""
str(self.master.domain.basedn)
dn = "uid={user},cn=users,cn=accounts,{base_dn}".format(
user=USER, base_dn=str(self.master.domain.basedn))
# Resetting the password will mark it as expired
self.reset_password(self.master)
# Generate some logins but don't exceed the limit
for _i in range(2, -1, -1):
result = self.master.run_command([
"ldapsearch", "-e", "ppolicy", "-D", dn, "-w", PASSWORD, "-b",
dn
],
raiseonerr=False)
# Verify that passwordgraceusertime is not replicated
result = tasks.ldapsearch_dm(
self.master,
dn,
[
'passwordgraceusertime',
],
)
assert 'passwordgraceusertime: 3' in result.stdout_text.lower()
result = tasks.ldapsearch_dm(
self.replicas[0],
dn,
[
'passwordgraceusertime',
],
)
# Never been set at all so won't return
assert 'passwordgraceusertime' not in result.stdout_text.lower()
# Resetting the password should reset passwordgraceusertime
self.reset_password(self.master)
result = tasks.ldapsearch_dm(
self.master,
dn,
[
'passwordgraceusertime',
],
)
assert 'passwordgraceusertime: 0' in result.stdout_text.lower()
self.reset_password(self.master)
def test_ds_disable_upgrade_hash(self):
# Test case for https://pagure.io/freeipa/issue/8315
# Disable password schema migration on LDAP bind
result = tasks.ldapsearch_dm(self.master,
"cn=config",
ldap_args=["nsslapd-enable-upgrade-hash"],
scope="base")
assert "nsslapd-enable-upgrade-hash: off" in result.stdout_text
def test_graceperiod_expired(self):
"""Test the LDAP bind grace period"""
str(self.master.domain.basedn)
dn = "uid={user},cn=users,cn=accounts,{base_dn}".format(
user=USER, base_dn=str(self.master.domain.basedn))
self.master.run_command([
"ipa",
"pwpolicy-mod",
POLICY,
"--gracelimit",
"3",
], )
# Resetting the password will mark it as expired
self.reset_password(self.master)
for i in range(2, -1, -1):
result = self.master.run_command([
"ldapsearch", "-e", "ppolicy", "-D", dn, "-w", PASSWORD, "-b",
dn
],
raiseonerr=False)
# We're in grace, this will succeed
assert result.returncode == 0
# verify that we get the expected ppolicy output
assert 'Password expired, {} grace logins remain'.format(i) \
in result.stderr_text
# Now grace is done and binds should fail.
result = self.master.run_command([
"ldapsearch", "-e", "ppolicy", "-D", dn, "-w", PASSWORD, "-b", dn
],
raiseonerr=False)
assert result.returncode == 49
assert 'Password is expired' in result.stderr_text
assert 'Password expired, 0 grace logins remain' in result.stderr_text
# Test that resetting the password resets the grace counter
self.reset_password(self.master)
result = tasks.ldapsearch_dm(
self.master,
dn,
[
'passwordgraceusertime',
],
)
assert 'passwordgraceusertime: 0' in result.stdout_text.lower()
def test_check_otpd_after_idle_timeout(self, setup_otp_nsslapd):
"""Test for OTP when the LDAP connection timed out.
Test for : https://pagure.io/freeipa/issue/6587
ipa-otpd was exiting with failure when LDAP connection timed out.
Test to verify that when the nsslapd-idletimeout is exceeded (30s idle,
60s sleep) then the ipa-otpd process should exit without error.
"""
since = time.strftime('%Y-%m-%d %H:%M:%S')
tasks.kinit_admin(self.master)
otpuid, totp = add_otptoken(self.master, USER, otptype="totp")
try:
# kinit with OTP auth
otpvalue = totp.generate(int(time.time())).decode("ascii")
kinit_otp(self.master, USER, password=PASSWORD, otp=otpvalue)
time.sleep(60)
# ldapsearch will wake up slapd and force walking through
# the connection list, in order to spot the idle connections
tasks.ldapsearch_dm(self.master, "", ldap_args=[], scope="base")
def test_cb(cmd_jornalctl):
# check if LDAP connection is timed out
expected_msg = "Can't contact LDAP server"
return expected_msg in cmd_jornalctl
# ipa-otpd don't flush its logs to syslog immediately
cmd = ['journalctl', '--since={}'.format(since)]
tasks.run_repeatedly(self.master,
command=cmd,
test=test_cb,
timeout=90)
failed_services = self.master.run_command(
['systemctl', 'list-units', '--state=failed'])
assert "ipa-otpd" not in failed_services.stdout_text
finally:
del_otptoken(self.master, otpuid)
def get_krbinfo(self, user):
base_dn = str(self.master.domain.basedn) # pylint: disable=no-member
result = tasks.ldapsearch_dm(
self.master,
'uid={user},cn=users,cn=accounts,{base_dn}'.format(
user=user, base_dn=base_dn),
['krblastpwdchange', 'krbpasswordexpiration'],
scope='base')
output = result.stdout_text.lower()
# extract krblastpwdchange and krbpasswordexpiration
krbchg_pattern = 'krblastpwdchange: (.+)\n'
krbexp_pattern = 'krbpasswordexpiration: (.+)\n'
krblastpwdchange = re.findall(krbchg_pattern, output)[0]
krbexp = re.findall(krbexp_pattern, output)[0]
return krblastpwdchange, krbexp
def get_krbinfo(self, user):
base_dn = str(self.master.domain.basedn) # pylint: disable=no-member
result = tasks.ldapsearch_dm(
self.master,
'uid={user},cn=users,cn=accounts,{base_dn}'.format(
user=user, base_dn=base_dn),
['krblastpwdchange', 'krbpasswordexpiration'],
scope='base'
)
output = result.stdout_text.lower()
# extract krblastpwdchange and krbpasswordexpiration
krbchg_pattern = 'krblastpwdchange: (.+)\n'
krbexp_pattern = 'krbpasswordexpiration: (.+)\n'
krblastpwdchange = re.findall(krbchg_pattern, output)[0]
krbexp = re.findall(krbexp_pattern, output)[0]
return krblastpwdchange, krbexp
def test_aes_sha_kerberos_enctypes(self):
"""Test AES SHA 256 and 384 Kerberos enctypes enabled
AES SHA 256 and 384-bit enctypes supported by MIT kerberos but
was not enabled in IPA. This test is to check if these types are
enabled.
related: https://pagure.io/freeipa/issue/8110
"""
tasks.kinit_admin(self.master)
dn = DN(("cn", self.master.domain.realm), ("cn", "kerberos"),
realm_to_suffix(self.master.domain.realm))
result = tasks.ldapsearch_dm(self.master, str(dn),
["krbSupportedEncSaltTypes"],
scope="base")
assert "aes128-sha2:normal" in result.stdout_text
assert "aes128-sha2:special" in result.stdout_text
assert "aes256-sha2:normal" in result.stdout_text
assert "aes256-sha2:special" in result.stdout_text
def test_external_ca(self):
# Step 1 of ipa-server-install.
result = install_server_external_ca_step1(
self.master, extra_args=['--external-ca-type=ms-cs']
)
assert result.returncode == 0
# check CSR for extension
ipa_csr = self.master.get_file_contents(paths.ROOT_IPA_CSR)
check_mscs_extension(ipa_csr, MSCSTemplateV1(u'SubCA'))
# Sign CA, transport it to the host and get ipa a root ca paths.
root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA)
# Step 2 of ipa-server-install.
result = install_server_external_ca_step2(
self.master, ipa_ca_fname, root_ca_fname)
assert result.returncode == 0
# Make sure IPA server is working properly
tasks.kinit_admin(self.master)
result = self.master.run_command(['ipa', 'user-show', 'admin'])
assert 'User login: admin' in result.stdout_text
# check that we can also install replica
tasks.install_replica(self.master, self.replicas[0])
# check that nsds5ReplicaReleaseTimeout option was set
result = tasks.ldapsearch_dm(
self.master,
'cn=mapping tree,cn=config',
['(cn=replica)'],
)
# case insensitive match
text = result.stdout_text.lower()
# see ipaserver.install.replication.REPLICA_FINAL_SETTINGS
assert 'nsds5ReplicaReleaseTimeout: 60'.lower() in text
assert 'nsDS5ReplicaBindDnGroupCheckInterval: 60'.lower() in text
def test_external_ca(self):
# Step 1 of ipa-server-install.
result = install_server_external_ca_step1(
self.master, extra_args=['--external-ca-type=ms-cs'])
assert result.returncode == 0
# check CSR for extension
ipa_csr = self.master.get_file_contents(paths.ROOT_IPA_CSR)
check_mscs_extension(ipa_csr, ipa_x509.MSCSTemplateV1(u'SubCA'))
# Sign CA, transport it to the host and get ipa a root ca paths.
root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA)
# Step 2 of ipa-server-install.
result = install_server_external_ca_step2(self.master, ipa_ca_fname,
root_ca_fname)
assert result.returncode == 0
# Make sure IPA server is working properly
tasks.kinit_admin(self.master)
result = self.master.run_command(['ipa', 'user-show', 'admin'])
assert 'User login: admin' in result.stdout_text
# check that we can also install replica
tasks.install_replica(self.master, self.replicas[0])
# check that nsds5ReplicaReleaseTimeout option was set
result = tasks.ldapsearch_dm(
self.master,
'cn=mapping tree,cn=config',
['(cn=replica)'],
)
# case insensitive match
text = result.stdout_text.lower()
# see ipaserver.install.replication.REPLICA_FINAL_SETTINGS
assert 'nsds5ReplicaReleaseTimeout: 60'.lower() in text
assert 'nsDS5ReplicaBindDnGroupCheckInterval: 60'.lower() in text
