def test_groupdnattr_value_is_another_group(topo):
    """Search Test 42 groupdnattr value is another group test #1

    :id: 52299e16-7944-11e8-b471-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Add ACI
        3. The bound user (cn=dchan) should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    server = topo.standalone
    member_dn = "cn=dchan,o=nscpRoot,{}".format(DEFAULT_SUFFIX)
    group_dn = 'cn=groupx,o=nscpRoot,' + DEFAULT_SUFFIX

    # Container organization that holds both the user and the group.
    Organization(server).create(properties={"o": "nscpRoot"}, basedn=DEFAULT_SUFFIX)

    member = UserAccount(server, member_dn)
    member.create(properties={
        'uid': 'dchan',
        'cn': 'dchan',
        'sn': 'user',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/dchan',
        'userPassword': PW_DM,
    })

    group = UniqueGroup(server, group_dn)
    group.create(properties={'cn': 'groupx', 'ou': 'groups'})
    group.set('uniquemember', member_dn)

    # The ACI lives on the group entry itself and grants read/search/compare
    # through a groupdnattr bind rule that points at the uniquemember
    # attribute under o=nscpRoot.
    group.set(
        'aci',
        '(targetattr="*")(version 3.0; acl "Enable Group Expansion"; allow (read, search, compare) groupdnattr="ldap:///o=nscpRoot?uniquemember?sub";)'
    )

    # Bind as the user listed in uniquemember and read the group entry back
    # over that connection; the ACI is expected to allow it.
    member_conn = UserAccount(server, member_dn).bind(PW_DM)
    visible_cn = UserAccount(member_conn, group_dn).get_attr_val_utf8('cn')
    assert visible_cn == 'groupx'
    # NOTE(review): only the allow path is asserted. There is no check that a
    # bind which does not satisfy the groupdnattr rule is refused, so an
    # over-permissive ACI evaluation would go unnoticed here.
    # NOTE(review): nothing created above (o=nscpRoot, the user, the group and
    # its ACI) is removed in this function, and the signature takes no cleanup
    # fixture -- confirm the topo fixture resets the instance.
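def test_allow_owner_to_modify_entry(topo, aci_of_user, cleanup_tree):
    """Modify Test 14 allow userdnattr = owner to modify entry

    :id: aa302090-7abf-11e8-811a-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    # aci_of_user and cleanup_tree are fixtures defined outside this view;
    # presumably they restore the suffix ACIs and remove created entries.
    group_dn = 'cn=intranet,' + DEFAULT_SUFFIX
    grp = UniqueGroup(topo.standalone, group_dn)
    grp.create(properties={'cn': 'intranet', 'ou': 'groups'})
    # The group's owner attribute names the user who will later bind.
    grp.set('owner', USER_WITH_ACI_DELADD)

    # ACI on the suffix, scoped by target and targetfilter to the intranet
    # group; the bind rule is userdnattr = "owner".
    ACI_BODY = (
        '(target ="ldap:///cn=intranet, {}") '
        '(targetattr ="*")'
        '(targetfilter ="(objectclass=groupOfUniqueNames)") '
        '(version 3.0;acl "$tet_thistest";'
        'allow(read, write, delete, search, compare, add) '
        '(userdnattr = "owner");)'
    ).format(DEFAULT_SUFFIX)
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

    for ou_name in ['Product Development', 'Accounting']:
        ou = OrganizationalUnit(topo.standalone,
                                "ou={},{}".format(ou_name, DEFAULT_SUFFIX))
        ou.create(properties={'ou': ou_name})

    for rdn_tail in [
            'Jeff Vedder,ou=Product Development', 'Sam Carter,ou=Accounting'
    ]:
        properties = {
            'uid': rdn_tail,
            'cn': rdn_tail,
            'sn': 'user',
            'uidNumber': '1000',
            'gidNumber': '2000',
            'homeDirectory': '/home/' + rdn_tail,
            'userPassword': PW_DM
        }
        user = UserAccount(topo.standalone,
                           "cn={},{}".format(rdn_tail, DEFAULT_SUFFIX))
        user.create(properties=properties)

    # Bind as the owner; USER_WITH_ACI_DELADD is defined outside this view and
    # is presumably one of the two users created above.
    conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)

    # allow userdnattr = owner to modify entry.
    # The DNs are built from DEFAULT_SUFFIX (previously hard-coded as
    # dc=example,dc=com) so they always match the group and ACI target above.
    ua = UserAccount(conn, group_dn)
    ua.set('uniquemember',
           "cn=Andy Walker, ou=Accounting,{}".format(DEFAULT_SUFFIX))
    assert ua.get_attr_val('uniquemember')
    # NOTE(review): only the allow path is exercised. A bind as the user who
    # is not the owner, expecting the same modify to be refused, would show
    # that the userdnattr rule restricts access as well as granting it.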
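def test_uniquemember_should_also_be_the_owner(topo, aci_of_user):
    """Modify Test 10 groupdnattr = "ldap:///$BASEDN?owner"

    If owner is a group, group's uniquemember should also be the owner.

    :id: 9456b2d4-7abf-11e8-829d-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    ou = OrganizationalUnit(topo.standalone,
                            "ou={},{}".format('ACLGroupTest', DEFAULT_SUFFIX))
    ou.create(properties={'ou': 'ACLGroupTest'})

    ou = OrganizationalUnit(topo.standalone,
                            "ou=ACLDevelopment,{}".format(DEFAULT_SUFFIX))
    ou.create(properties={'ou': 'ACLDevelopment'})
    # ACI on ou=ACLDevelopment: allow (all) through a groupdnattr bind rule
    # that reads the owner attribute.
    ou.set(
        'aci',
        ('(targetattr="*")(version 3.0; acl "groupdnattr acl"; '
         'allow (all)groupdnattr = "ldap:///{}?owner";)').format(DEFAULT_SUFFIX))

    # uid=anuj: a person entry that also carries groupofUniquenames; this is
    # the identity that binds later.
    grp = UniqueGroup(topo.standalone,
                      "uid=anuj,ou=ACLDevelopment, {}".format(DEFAULT_SUFFIX))
    user_props = {
        'sn': 'Borah',
        'cn': 'Anuj',
        'objectclass': [
            'top', 'person', 'organizationalPerson', 'inetOrgPerson',
            'groupofUniquenames'
        ],
        'userpassword': PW_DM,
        'givenname': 'Anuj',
        'ou': ['ACLDevelopment', 'People'],
        'roomnumber': '123',
        'uniquemember': 'cn=mandatory member'
    }
    grp.create(properties=user_props)

    # uid=2ishani: the target entry; its owner is the group cn=group4.
    grp = UniqueGroup(
        topo.standalone,
        "uid=2ishani,ou=ACLDevelopment, {}".format(DEFAULT_SUFFIX))
    user_props = {
        'sn': 'Borah',
        'cn': '2ishani',
        'objectclass': [
            'top', 'person', 'organizationalPerson', 'inetOrgPerson',
            'groupofUniquenames'
        ],
        'userpassword': PW_DM,
        'givenname': '2ishani',
        'ou': ['ACLDevelopment', 'People'],
        'roomnumber': '1234',
        'uniquemember': 'cn=mandatory member',
        "owner": "cn=group4, ou=ACLGroupTest, {}".format(DEFAULT_SUFFIX)
    }
    grp.create(properties=user_props)

    # Group chain: group1 -> {group2, group3}, group3 -> group4,
    # group4 -> uid=anuj. group2 is referenced but never created here.
    grp = UniqueGroup(topo.standalone,
                      'cn=group1,ou=ACLGroupTest,' + DEFAULT_SUFFIX)
    grp.create(properties={'cn': 'group1', 'ou': 'groups'})
    grp.set('uniquemember', [
        "cn=group2, ou=ACLGroupTest, {}".format(DEFAULT_SUFFIX),
        "cn=group3, ou=ACLGroupTest, {}".format(DEFAULT_SUFFIX)
    ])

    grp = UniqueGroup(topo.standalone,
                      'cn=group3,ou=ACLGroupTest,' + DEFAULT_SUFFIX)
    grp.create(properties={'cn': 'group3', 'ou': 'groups'})
    grp.set('uniquemember',
            ["cn=group4, ou=ACLGroupTest, {}".format(DEFAULT_SUFFIX)])

    grp = UniqueGroup(topo.standalone,
                      'cn=group4,ou=ACLGroupTest,' + DEFAULT_SUFFIX)
    grp.create(properties={'cn': 'group4', 'ou': 'groups'})
    grp.set('uniquemember',
            ["uid=anuj, ou=ACLDevelopment, {}".format(DEFAULT_SUFFIX)])

    # All entries exist from here on. The checks run under try/finally so a
    # failed bind, modify or assertion cannot leave the allow (all) ACI and
    # the test entries behind for later tests.
    try:
        # uniquemember should also be the owner
        conn = UserAccount(
            topo.standalone,
            "uid=anuj,ou=ACLDevelopment, {}".format(DEFAULT_SUFFIX)).bind(PW_DM)
        ua = UserAccount(
            conn, "uid=2ishani, ou=ACLDevelopment, {}".format(DEFAULT_SUFFIX))
        ua.add('roomnumber', '9999')
        # The entry already had roomnumber '1234', so a bare truthiness check
        # would pass without the write; look for the added value itself.
        assert '9999' in ua.get_attr_vals_utf8('roomnumber')
        # NOTE(review): only the allow path is covered; there is no bind
        # outside the owner group expecting the same modify to be refused.
    finally:
        # Children are removed before their parent OUs.
        for entry_dn in [
                "cn=group4,ou=ACLGroupTest,{}".format(DEFAULT_SUFFIX),
                "cn=group3,ou=ACLGroupTest,{}".format(DEFAULT_SUFFIX),
                "cn=group1,ou=ACLGroupTest,{}".format(DEFAULT_SUFFIX),
                "uid=2ishani,ou=ACLDevelopment,{}".format(DEFAULT_SUFFIX),
                "uid=anuj,ou=ACLDevelopment,{}".format(DEFAULT_SUFFIX),
                "ou=ACLDevelopment,{}".format(DEFAULT_SUFFIX),
                "ou=ACLGroupTest, {}".format(DEFAULT_SUFFIX)
        ]:
            UserAccount(topo.standalone, entry_dn).delete()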