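def test_renaming_target_entry(topo, _add_user, aci_of_user):
    """Test for renaming target entry

    An ACI stored on ou=OU0 grants a test user read/search/compare on that
    entry. The user must keep that access after the entry is renamed
    (ou=OU0 -> ou=OU1) and again after it is moved under a new parent
    (ou=OU2): the ACI lives on the target entry, so it must travel with it.

    :id: 6be1d33a-7932-11e8-9115-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Create a test user entry
        3. Create a new ou entry with an aci
        4. Make sure uid=$MYUID has the access
        5. Rename ou=OU0 to ou=OU1
        6. Create another ou=OU2
        7. Move ou=OU1 under ou=OU2
        8. Make sure uid=$MYUID still has the access, searching under ou=OU2
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
        4. Operation should succeed
        5. Operation should succeed
        6. Operation should succeed
        7. Operation should succeed
        8. Operation should succeed
    """
    properties = {
        'uid': 'TRAC340_MODRDN',
        'cn': 'TRAC340_MODRDN',
        'sn': 'user',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/' + 'TRAC340_MODRDN',
    }
    user = UserAccount(topo.standalone, 'cn=TRAC340_MODRDN,{}'.format(DEFAULT_SUFFIX))
    user.create(properties=properties)
    # Set the same credential the bind below uses, so the test does not
    # silently depend on PW_DM happening to equal the literal "password".
    user.set("userPassword", PW_DM)

    ou = OrganizationalUnit(topo.standalone, 'ou=OU0,{}'.format(DEFAULT_SUFFIX))
    ou.create(properties={'ou': 'OU0'})
    # The ACI is placed on the target entry itself (not on the suffix).
    ou.set(
        'aci',
        '(targetattr="*")(version 3.0; acl "$MYUID";allow(read, search, compare) userdn = "ldap:///{}";)'
        .format(TRAC340_MODRDN))

    conn = UserAccount(topo.standalone, TRAC340_MODRDN).bind(PW_DM)
    assert OrganizationalUnits(conn, DEFAULT_SUFFIX).get('OU0')

    # Rename in place (as Directory Manager), then check the bound user can
    # still find the entry under its new RDN.
    OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX).get('OU0').rename("ou=OU1")
    assert OrganizationalUnits(conn, DEFAULT_SUFFIX).get('OU1')

    ou = OrganizationalUnit(topo.standalone, 'ou=OU2,{}'.format(DEFAULT_SUFFIX))
    ou.create(properties={'ou': 'OU2'})

    # Move the entry under ou=OU2. Search from the new parent rather than from
    # the whole suffix: a subtree search from DEFAULT_SUFFIX would also find an
    # ou=OU1 that had not moved, so it would not prove the ACI still grants
    # access at the new location.
    OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX).get('OU1').rename(
        "ou=OU1", newsuperior=OU2_OU_MODRDN)
    assert OrganizationalUnits(conn, OU2_OU_MODRDN).get('OU1')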
def create(self):
    """Create the ``cn=FRED`` test user under ``ou=Accounting`` and give it
    the three ``title`` values ``self.title1``, ``self.title2``, ``self.title3``.

    The entry is written through ``self.topo.standalone`` (i.e. with whatever
    identity that instance is bound as).
    """
    fred_dn = "cn=FRED, ou=Accounting,{}".format(DEFAULT_SUFFIX)
    fred_props = {
        'uid': 'FRED',
        'cn': 'FRED',
        'sn': 'user',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/FRED',
    }
    fred = UserAccount(self.topo.standalone, fred_dn)
    fred.create(properties=fred_props)
    titles = [self.title1, self.title2, self.title3]
    fred.set("title", titles)
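def test_access_aci_list_contains_any_deny_rule(topo, _add_user, aci_of_user):
    """RHDS denies MODRDN access if ACI list contains any DENY rule

    Bug description: If you create a deny ACI for some or more attributes
    there is incorrect behaviour as you cannot rename the entry anymore

    The rename is issued on a connection bound as NEWENTRY9_MODRDN itself.
    A MODRDN performed as Directory Manager is not subject to ACL evaluation
    and would succeed whether or not the deny rule was mis-applied, so it
    cannot reproduce (or guard against) the bug described above.

    :id: 62cbbb8a-7932-11e8-96a7-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Locate ou=People under $BASEDN
        3. Adding a user NEWENTRY9_MODRDN to ou=People,$BASEDN
        4. Adding an allow rule for NEWENTRY9_MODRDN and for others an aci deny rule
        5. Bind as NEWENTRY9_MODRDN and rename its own entry to uid=newrdnchnged
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
        4. Operation should succeed
        5. Operation should succeed
    """
    properties = {
        'uid': 'NEWENTRY9_MODRDN',
        'cn': 'NEWENTRY9_MODRDN_People',
        'sn': 'user',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/' + 'NEWENTRY9_MODRDN',
    }
    user = UserAccount(
        topo.standalone, 'cn=NEWENTRY9_MODRDN,ou=People,{}'.format(DEFAULT_SUFFIX))
    user.create(properties=properties)
    user.set("userPassword", "password")
    user.set("telephoneNumber", "989898191")
    user.set("mail", "*****@*****.**")
    user.set("givenName", "givenName")
    user.set("uid", "NEWENTRY9_MODRDN")

    # allow(all) for the user on every attribute, a deny(write) on mail for
    # anyone, and an explicit allow(write) on uid (the new RDN attribute).
    OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX).get('People').add("aci", [
        '(targetattr = "*") '
        '(version 3.0;acl "admin";allow (all)(userdn = "ldap:///{}");)'.format(
            NEWENTRY9_MODRDN),
        '(targetattr = "mail") (version 3.0;acl "deny_mail";deny (write)(userdn = "ldap:///anyone");)',
        '(targetattr = "uid") (version 3.0;acl "allow uid";allow (write)(userdn = "ldap:///{}");)'
        .format(NEWENTRY9_MODRDN),
    ])

    user_password = "Anuj"
    UserAccount(topo.standalone, NEWENTRY9_MODRDN).replace("userpassword", user_password)

    # Bind as the user so the MODRDN below is evaluated against the ACIs.
    conn = UserAccount(topo.standalone, NEWENTRY9_MODRDN).bind(user_password)
    useraccount = UserAccount(conn, NEWENTRY9_MODRDN)
    useraccount.rename("uid=newrdnchnged")
    assert 'uid=newrdnchnged,ou=People,{}'.format(DEFAULT_SUFFIX) == useraccount.dn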
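def test_allow_owner_to_modify_entry(topo, aci_of_user, cleanup_tree):
    """Modify Test 14 allow userdnattr = owner to modify entry

    A ``userdnattr = "owner"`` ACI grants rights to whichever DN is stored in
    the target entry's ``owner`` attribute. The group cn=intranet names
    USER_WITH_ACI_DELADD as its owner; bound as that user we must be able to
    add a uniquemember to the group and read it back.

    :id:aa302090-7abf-11e8-811a-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    grp = UniqueGroup(topo.standalone, 'cn=intranet,' + DEFAULT_SUFFIX)
    grp.create(properties={'cn': 'intranet', 'ou': 'groups'})
    grp.set('owner', USER_WITH_ACI_DELADD)

    ACI_BODY = '(target ="ldap:///cn=intranet, {}") (targetattr ="*")(targetfilter ="(objectclass=groupOfUniqueNames)") (version 3.0;acl "$tet_thistest";allow(read, write, delete, search, compare, add) (userdnattr = "owner");)'.format(
        DEFAULT_SUFFIX)
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

    for ou_name in ['Product Development', 'Accounting']:
        ou = OrganizationalUnit(topo.standalone, "ou={},{}".format(ou_name, DEFAULT_SUFFIX))
        ou.create(properties={'ou': ou_name})

    # The original folded the container into the attribute values
    # ('Jeff Vedder,ou=Product Development' as cn/uid/homeDirectory). Keep the
    # naming attribute equal to the RDN value and put the container in the DN.
    for name, ou_name in [('Jeff Vedder', 'Product Development'),
                          ('Sam Carter', 'Accounting')]:
        properties = {
            'uid': name,
            'cn': name,
            'sn': 'user',
            'uidNumber': '1000',
            'gidNumber': '2000',
            'homeDirectory': '/home/' + name,
            'userPassword': PW_DM,
        }
        user = UserAccount(topo.standalone,
                           "cn={},ou={},{}".format(name, ou_name, DEFAULT_SUFFIX))
        user.create(properties=properties)

    conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)

    # allow userdnattr = owner to modify entry -- use the group's own DN
    # instead of a hard-coded 'dc=example,dc=com' suffix.
    ua = UserAccount(conn, grp.dn)
    ua.set('uniquemember', "cn=Andy Walker, ou=Accounting,dc=example,dc=com")
    assert ua.get_attr_val('uniquemember')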
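def test_password_repl_error(topo_m4, create_entry):
    """Check that error about userpassword replication is properly logged

    :id: d4f12dc0-cd2c-4b92-9b8d-d764a60f0698
    :feature: Multi master replication
    :setup: Four masters replication setup, a test entry
    :steps:
        1. Change userpassword on master 1
        2. Restart the servers to flush the logs
        3. Bind as the test entry with the new password on every master
        4. Check the error log for an replication error
    :expectedresults:
        We don't have a replication error in the error log
    """
    m2 = topo_m4.ms["master2"]
    # NOTE(review): the literal has no '{}' placeholder, so .format() is a
    # no-op and the new password is exactly '******' regardless of the name.
    new_password = '******'.format(TEST_ENTRY_NAME)

    log.info('Clean the error log')
    m2.deleteErrorLogs()

    log.info('Set replication loglevel')
    m2.config.loglevel((ErrorLog.REPLICA, ))

    # The change is made on master 1 (as the docstring says); the original
    # log line wrongly claimed "master 2".
    log.info('Modifying entry {} - change userpassword on master 1'.format(TEST_ENTRY_DN))
    test_users = [UserAccount(topo_m4.ms["master{}".format(num)], TEST_ENTRY_DN)
                  for num in range(1, 5)]
    test_users[0].set('userpassword', new_password)

    log.info('Restart the servers to flush the logs')
    for num in range(1, 5):
        topo_m4.ms["master{}".format(num)].restart(timeout=10)

    # Bind with the new password on every master; the connections are not
    # used afterwards, only the fact that each bind succeeds.
    for test_user in test_users:
        test_user.bind(new_password)

    log.info('Check the error log for the error with {}'.format(TEST_ENTRY_DN))
    assert not m2.ds_error_log.match(
        '.*can.t add a change for uid={}.*'.format(TEST_ENTRY_NAME))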
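def test_write_access_to_naming_atributes_two(topo, _add_user, aci_of_user, request):
    """Test for write access to naming attributes (2)

    Anyone is granted write on every attribute except ``uid``. A MODRDN to a
    ``uid=...`` RDN needs write on ``uid``, so it must be refused even though
    the rest of the entry is writable.

    :id: 5a2077d2-7932-11e8-9e7b-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
        4. Now try to modrdn it to cn, won't work if request deleteoldrdn.
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
        4. Operation should not succeed
    """
    Domain(topo.standalone, DEFAULT_SUFFIX).add(
        "aci",
        '(target ="ldap:///{}")(targetattr != "uid")(version 3.0;acl "{}";allow (write) (userdn = "ldap:///anyone");)'
        .format(DEFAULT_SUFFIX, request.node.name))
    properties = {
        'uid': 'Sam Carter1',
        'cn': 'Sam Carter1',
        'sn': 'user',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/' + 'SamCarter1',
    }
    user = UserAccount(
        topo.standalone, 'cn=Sam Carter1,ou=Accounting,{}'.format(DEFAULT_SUFFIX))
    user.create(properties=properties)
    user.set("userPassword", "password")

    try:
        conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
        # Test for write access to naming attributes: the new RDN attribute
        # (uid) is the one attribute the ACI excludes from the write grant.
        useraccount = UserAccount(conn, SAM_DAMMY_MODRDN)
        with pytest.raises(ldap.INSUFFICIENT_ACCESS):
            useraccount.rename("uid=Jeffbo Vedder")
    finally:
        # Clean up as Directory Manager even when the assertion fails. If the
        # rename unexpectedly succeeded the entry is no longer at this DN; do
        # not let NO_SUCH_OBJECT mask the real failure.
        try:
            UserAccount(topo.standalone, SAM_DAMMY_MODRDN).delete()
        except ldap.NO_SUCH_OBJECT:
            pass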
def test_cannot_add_an_entry_with_attribute_values_we_are_not_allowed_add(
    topo, _add_user, aci_of_user
):
    """Testing the targattrfilters keyword that allows access control based on
    the value of the attributes being added (or deleted))

    "Valueacl Test $tet_thistest Test not allowed add an entry"

    NOTE(review): the only negative check below is adding an ``objectclass``
    value to the bound user's own entry. The ``targattrfilters`` rule added
    here is written for ``title``/``secretary`` and grants ``add`` to
    ``userdn = "ldap:///<suffix>"``, so from this function alone it is not
    clear whether the filter, or simply the absence of any write grant, is
    what yields INSUFFICIENT_ACCESS -- confirm against the rest of the suite.

    :id:0d0effee-7aaa-11e8-b673-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    aci_text = (
        '(targattrfilters = "add=title:(|(title=engineer)(title=cool dude)(title=scum)) '
        '&& secretary:(secretary=cn=Meylan, {}), del=title:(|(title=engineer)(title=cool dude)'
        '(title=scum))")(version 3.0; aci "$tet_thistest"; allow (add) userdn = "ldap:///{}";)'
    ).format(DEFAULT_SUFFIX, DEFAULT_SUFFIX)
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", aci_text)

    fred_dn = 'cn=FRED,ou=Accounting,{}'.format(DEFAULT_SUFFIX)
    fred_props = {
        'uid': 'FRED',
        'cn': 'FRED',
        'sn': 'user',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/FRED',
    }
    fred = UserAccount(topo.standalone, fred_dn)
    fred.create(properties=fred_props)
    fred.set('title', ['anuj', 'kumar', 'borah'])

    as_user = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
    # aci will not allow adding objectclass
    own_entry = UserAccount(as_user, USER_WITH_ACI_DELADD)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        own_entry.add("objectclass", "person")
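def test_ticket_49463(topo):
    """cleanAllRUV on a fractional 4-master topology: the removed replica's
    keep-alive entry must be deleted once (or not at all), the originator and
    propagated tasks must be logged as such, and nsds5ReplicaCleanRUV must
    keep a valid encoding on the originator (across restart) and on the
    propagated replica.

    :id: 2a68e8be-387d-4ac7-9452-1439e8483c13
    :setup: Four masters replication setup (fractional, telephonenumber skipped)
    :steps:
        1. Enable fractional replication
        2. Enable replication logging
        3. Check that replication is working fine
        4. Generate skipped updates to create keep alive entries
        5. Remove M3 from the topology
        6. issue cleanAllRuv FORCE that will run on M1 then propagated M2 and M4
        7. Check that Number DEL keep alive '3' is <= 1
        8. Check M1 is the originator of cleanAllRuv and M2/M4 the propagated ones
        9. Check replication M1,M2 and M4 can recover
        10. Remove M4 from the topology
        11. Issue cleanAllRuv not force while M2 is stopped (that hangs the cleanAllRuv)
        12. Check that nsds5ReplicaCleanRUV is correctly encoded on M1 (last value: 1)
        13. Check that nsds5ReplicaCleanRUV encoding survives M1 restart
        14. Check that nsds5ReplicaCleanRUV encoding is valid on M2 (last value: 0)
        15. Check that (for M4 cleanAllRUV) M1 is Originator and M2 propagation
    :expectedresults:
        1. No report of failure when the RUV is updated
    """
    # Step 1 - Configure fractional (skip telephonenumber) replication
    M1 = topo.ms["master1"]
    M2 = topo.ms["master2"]
    M3 = topo.ms["master3"]
    M4 = topo.ms["master4"]
    repl = ReplicationManager(DEFAULT_SUFFIX)
    masters = (M1, M2, M3, M4)
    # Full mesh, same supplier/consumer order as before (M1->M2, M1->M3, ...).
    for supplier in masters:
        for consumer in masters:
            if supplier == consumer:
                continue
            fractional_server_to_replica(supplier, consumer)

    # Step 2 - enable internal op logging and replication debug
    for inst in masters:
        inst.config.loglevel(vals=[256 + 4], service='access')
        inst.config.loglevel(vals=[LOG_REPLICA, LOG_DEFAULT], service='error')

    # Step 3 - Check that replication is working fine
    add_user(M1, 11, desc="add to M1")
    add_user(M2, 21, desc="add to M2")
    add_user(M3, 31, desc="add to M3")
    add_user(M4, 41, desc="add to M4")
    _wait_for_full_mesh(repl, masters)

    # Step 4 - Generate skipped updates to create keep alive entries
    # (telephoneNumber is the attribute the fractional agreements skip)
    for inst in masters:
        cn = '%s_%d' % (USER_CN, 11)
        dn = 'uid=%s,ou=People,%s' % (cn, SUFFIX)
        user = UserAccount(inst, dn)
        for j in range(110):
            user.set('telephoneNumber', str(j))

    # Step 5 - Remove M3 from the topology
    M3.stop()
    for inst in (M1, M2, M4):
        inst.agreement.delete(suffix=SUFFIX, consumer_host=M3.host, consumer_port=M3.port)

    # Step 6 - Then issue cleanAllRuv FORCE that will run on M1, M2 and M4
    M1.tasks.cleanAllRUV(suffix=SUFFIX, replicaid='3', force=True, args={TASK_WAIT: True})

    # Step 7 - Count the number of received DEL of the keep alive 3
    for inst in (M1, M2, M4):
        inst.restart()
    regex = re.compile(".*DEL dn=.cn=repl keep alive 3.*")
    for inst in (M1, M2, M4):
        # Bug fix: the original read M1's access log on every iteration, so
        # M2 and M4 were never actually checked.
        count = count_pattern_accesslog(inst, regex)
        log.debug("count on %s = %d" % (inst, count))
        # check that DEL is replicated once (If DEL is kept in the fix)
        # check that DEL is not replicated (If DEL is finally no longer done in the fix)
        assert count in (0, 1)

    # Step 8 - Check that M1 is Originator of cleanAllRuv and M2, M4 propagation
    regex = re.compile(".*Original task deletes Keep alive entry .3.*")
    assert pattern_errorlog(M1, regex)
    regex = re.compile(".*Propagated task does not delete Keep alive entry .3.*")
    assert pattern_errorlog(M2, regex)
    assert pattern_errorlog(M4, regex)

    # Step 9 - Check replication M1,M2 and M4 can recover
    add_user(M1, 12, desc="add to M1")
    add_user(M2, 22, desc="add to M2")
    _wait_for_full_mesh(repl, (M1, M2, M4))

    # Step 10 - Remove M4 from the topology
    M4.stop()
    for inst in (M1, M2):
        inst.agreement.delete(suffix=SUFFIX, consumer_host=M4.host, consumer_port=M4.port)

    # Step 11 - Issue cleanAllRuv not force while M2 is stopped (that hangs the cleanAllRuv)
    M2.stop()
    M1.tasks.cleanAllRUV(suffix=SUFFIX, replicaid='4', force=False, args={TASK_WAIT: False})

    # Step 12
    # CleanAllRuv is hanging waiting for M2 to restart
    # Check that nsds5ReplicaCleanRUV is correctly encoded on M1
    replicas = Replicas(M1)
    replica = replicas.list()[0]
    time.sleep(0.5)
    # The original discarded this result; assert it so a missing attribute is
    # reported as such rather than as an obscure failure on the match below.
    assert replica.present('nsds5ReplicaCleanRUV')
    log.info("M1: nsds5ReplicaCleanRUV=%s" % replica.get_attr_val_utf8('nsds5replicacleanruv'))
    regex = re.compile("^4:.*:no:1$")
    assert regex.match(replica.get_attr_val_utf8('nsds5replicacleanruv'))

    # Step 13
    # Check that it encoding survives restart
    M1.restart()
    assert replica.present('nsds5ReplicaCleanRUV')
    assert regex.match(replica.get_attr_val_utf8('nsds5replicacleanruv'))

    # Step 14 - Check that nsds5ReplicaCleanRUV encoding is valid on M2
    M1.stop()
    M2.start()
    replicas = Replicas(M2)
    replica = replicas.list()[0]
    M1.start()
    time.sleep(0.5)
    # NOTE(review): kept conditional as in the original -- if the attribute has
    # not appeared on M2 within 0.5s this check is silently skipped.
    if replica.present('nsds5ReplicaCleanRUV'):
        log.info("M2: nsds5ReplicaCleanRUV=%s" % replica.get_attr_val_utf8('nsds5replicacleanruv'))
        regex = re.compile("^4:.*:no:0$")
        assert regex.match(replica.get_attr_val_utf8('nsds5replicacleanruv'))

    # time to run cleanAllRuv
    _wait_for_full_mesh(repl, (M1, M2))

    # Step 15 - Check that M1 is Originator of cleanAllRuv and M2 propagation
    regex = re.compile(".*Original task deletes Keep alive entry .4.*")
    assert pattern_errorlog(M1, regex)
    regex = re.compile(".*Propagated task does not delete Keep alive entry .4.*")
    assert pattern_errorlog(M2, regex)


def _wait_for_full_mesh(repl, instances):
    """Wait until every ordered pair of distinct *instances* has replicated."""
    for supplier in instances:
        for consumer in instances:
            if supplier == consumer:
                continue
            repl.wait_for_replication(supplier, consumer)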
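def _add_user(request, topo):
    """Fixture: populate the suffix with the containers and users the ACL tests use.

    Creates ou=Product Development, ou=Accounting and ou=Human Resources, then
    the users Jeff Vedder (with secretary and mail), Sam Carter, Kirsten
    Vaughan and HARRY. A finalizer removes the users and containers again on
    a best-effort basis.

    NOTE(review): every user gets the literal password '******'; the tests
    bind these users with PW_DM, so the two are presumably meant to be the
    same value -- confirm.
    """
    for ou_name in ["Product Development", 'Accounting', "Human Resources"]:
        ou = OrganizationalUnit(topo.standalone, "ou={},{}".format(ou_name, DEFAULT_SUFFIX))
        ou.create(properties={'ou': ou_name})

    # (dn, uid/cn, sn, homeDirectory leaf, extra attributes) per user.
    users = [
        ('cn=Jeff Vedder,{}'.format(CONTAINER_1_DELADD), 'Jeff Vedder', 'user', 'JeffVedder',
         {'secretary': 'cn=Arpitoo Borah, o=Red Hat, c=As', 'mail': '*****@*****.**'}),
        ('cn=Sam Carter,{}'.format(CONTAINER_2_DELADD), 'Sam Carter', 'user', 'SamCarter', {}),
        ('cn=Kirsten Vaughan, ou=Human Resources,{}'.format(DEFAULT_SUFFIX),
         'Kirsten Vaughan', 'Kirsten Vaughan', 'KirstenVaughan', {}),
        ('cn=HARRY, ou=Accounting,{}'.format(DEFAULT_SUFFIX), 'HARRY', 'HARRY', 'HARRY', {}),
    ]
    for dn, name, sn, home, extra in users:
        properties = {
            'uid': name,
            'cn': name,
            'sn': sn,
            'uidNumber': '1000',
            'gidNumber': '2000',
            'homeDirectory': '/home/' + home,
            'userPassword': '******',
        }
        user = UserAccount(topo.standalone, dn)
        user.create(properties=properties)
        for attr, value in extra.items():
            user.set(attr, value)

    def fin():
        # Best-effort teardown, users before their containers. Entries a test
        # already removed (or never created) are skipped.
        for DN in [
            USER_DELADD, USER_WITH_ACI_DELADD, FRED, HARRY, KIRSTENVAUGHAN,
            HUMAN_OU_GLOBAL, CONTAINER_2_DELADD, CONTAINER_1_DELADD
        ]:
            ua = UserAccount(topo.standalone, DN)
            try:
                ua.delete()
            except Exception:
                # Narrowed from a bare `except:` so KeyboardInterrupt and
                # SystemExit are no longer swallowed during teardown.
                pass

    request.addfinalizer(fin)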
def test_targattrfilters_keyword(topo):
    """Testing the targattrfilters keyword that allows access control based on
    the value of the attributes being added (or deleted))

    "Bug #979515 - ACLs inoperative in some search scenarios [rhel-6.5]"
    "Bug #979516 is a clone for DS8.2 on RHEL5.9"
    "Bug #979514 is a clone for RHEL6.4 zStream errata"

    NOTE(review): despite the title, the ACI added here contains no
    targattrfilters -- it is a plain ``targetattr="uid"`` read grant for
    ``userdn="ldap:///uid=*,ou=bug979515,..."``, while the bound user's DN
    starts with ``cn=``. The IndexError below presumably comes from the
    base-scope lookup returning no entry for the unprivileged bind; confirm
    which rule is actually being exercised.

    :id:23f9e9d0-7aaa-11e8-b16b-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
    # Start from an empty ACI list on the suffix so only the rule below applies.
    suffix.set('aci', None)

    bug_ou = OrganizationalUnit(topo.standalone, 'ou=bug979515,{}'.format(DEFAULT_SUFFIX))
    bug_ou.create(properties={'ou': 'bug979515'})
    suffix.add(
        "aci",
        (
            '(target="ldap:///ou=bug979515,{}") '
            '(targetattr= "uid") ( version 3.0; acl "read other subscriber"; allow (compare, read, search) '
            'userdn="ldap:///uid=*,ou=bug979515,{}" ; )'
        ).format(DEFAULT_SUFFIX, DEFAULT_SUFFIX))

    # Two users under the test OU; only the first gets a password (it binds).
    for name, password in [('acientryusr1', "password"), ('newaciphoneusr1', None)]:
        entry = UserAccount(topo.standalone, 'cn={},ou=bug979515,{}'.format(name, DEFAULT_SUFFIX))
        entry.create(properties={
            'uid': name,
            'cn': name,
            'sn': 'user',
            'uidNumber': '1000',
            'gidNumber': '2000',
            'homeDirectory': '/home/' + name,
        })
        entry.set('telephoneNumber', '99972566596')
        entry.set('mail', '*****@*****.**')
        if password is not None:
            entry.set("userPassword", password)

    acientry_dn = "cn=acientryusr1,ou=bug979515,{}".format(DEFAULT_SUFFIX)
    as_user = UserAccount(topo.standalone, acientry_dn).bind(PW_DM)

    # Testing the targattrfilters keyword that allows access control based on
    # the value of the attributes being added (or deleted))
    own_entry = UserAccount(as_user, acientry_dn)
    with pytest.raises(IndexError):
        own_entry.get_attr_vals('mail')
    own_entry.get_attr_vals('telephoneNumber')
    own_entry.get_attr_vals('cn')

    # Same reads as Directory Manager must all go through.
    as_dm = UserAccount(topo.standalone, acientry_dn)
    as_dm.get_attr_vals('mail')
    as_dm.get_attr_vals('telephoneNumber')
    as_dm.get_attr_vals('cn')