def test_local_TPR_supercedes_global_TPR(topo, _add_user, set_global_TPR_policies): """ One Time password with expiration :id: beb2dac4-e116-11eb-a85e-98fa9ba19b65 :customerscenario: True :setup: Standalone :steps: 1. Create DS Instance 2. Create user with appropriate password 3. Configure the Global Password policies with passwordTPRMaxUse 5 4. Configure different local password policy for passwordTPRMaxUse 3 5. Trigger TPR by resetting the user password above 6. Attempt an ldap search with an incorrect bind password for user above 7. Repeat as many times as set by attribute passwordTPRMaxUse 8. Should lock the account after value is set in the local passwordTPRMaxUse is reached 9. Try to search with the correct password account will be locked. :expected results: 1. Success 2. Success 3. Fail(ldap.INSUFFICIENT_ACCESS) 4. Success 5. Success 6. Success 7. Success 8. Success 9. Success """ user1 = UserAccount(topo.standalone, f'uid=jdoe1,ou=People,{DEFAULT_SUFFIX}') user2 = UserAccount(topo.standalone, f'uid=jdoe2,ou=People,{DEFAULT_SUFFIX}') log.info('Setting local password Temporary password reset policies') log.info('Setting Global TPR policy attributes') Config(topo.standalone).replace('passwordMustChange', 'on') Config(topo.standalone).replace('passwordTPRMaxUse', '5') Config(topo.standalone).replace('passwordTPRDelayExpireAt', '600') Config(topo.standalone).replace('passwordTPRDelayValidFrom', '6') log.info('Resetting {} password to trigger TPR policy'.format(user1)) user1.replace('userpassword', 'not_allowed_change') count = 0 while count < 4: if count == 4: with pytest.raises(ldap.CONSTRAINT_VIOLATION): user2.bind('badbadbad') else: with pytest.raises(ldap.INVALID_CREDENTIALS): count += 1 user2.bind('badbadbad')
def validate_syntax_off(topo, request): config = Config(topo.standalone) config.replace("nsslapd-syntaxcheck", "off") def fin(): config.replace("nsslapd-syntaxcheck", "on") request.addfinalizer(fin)
def test_password_max_failure_should_lockout_password(topo): """Regression test for bz834060. :id: f2064efa-52d9-11ea-8037-8c16451d917b :setup: Standalone :steps: 1. passwordMaxFailure should lockout password one sooner 2. Setting passwordLockout to \"on\" 3. Set maximum number of login tries to 3 4. Turn off passwordLegacyPolicy 5. Turn off local password policy, so that global is applied :expected results: 1. Success 2. Success 3. Success 4. Success 5. Success """ config = Config(topo.standalone) config.replace_many( ('passwordLockout', 'on'), ('passwordMaxFailure', '3'), ('passwordLegacyPolicy', 'off'), ('nsslapd-pwpolicy-local', 'off')) user = _create_user(topo, 'tuser', 'ou=people') user.replace('userpassword', 'password') for _ in range(2): with pytest.raises(ldap.INVALID_CREDENTIALS): user.bind('Invalid') with pytest.raises(ldap.CONSTRAINT_VIOLATION): user.bind("Invalid") config.replace('nsslapd-pwpolicy-local', 'on')
def user_config(topo, field_value): """ Will set storage schema and create user. """ Config(topo.standalone).replace("passwordStorageScheme", field_value) user = UserAccounts(topo.standalone, DEFAULT_SUFFIX).create_test_user() user.set('userpassword', 'ItsMeAnuj') return user
def test_passwordexpirationtime_attribute(topo, _add_user): """Regression test for bz1118006. :id: 867472d2-473c-11ea-b583-8c16451d917b :setup: Standalone :steps: 1. Check that the passwordExpirationTime attribute is set to the epoch date :expected results: 1. Success """ Config(topo.standalone).replace('passwordMustChange', 'on') epoch_date = "19700101000000Z" time.sleep(1) user = UserAccount(topo.standalone, f'uid=pwadm_user_1,{DEFAULT_SUFFIX}') user.replace('userpassword', 'Secret123') time.sleep(1) # Check that the passwordExpirationTime attribute is set to the epoch date assert user.get_attr_val_utf8('passwordExpirationTime') == epoch_date Config(topo.standalone).replace('passwordMustChange', 'off') time.sleep(1)
def test_local_password_policy(topo, _add_user): """Regression test for bz1044164 part 1. :id: d6f4a7fa-473b-11ea-8766-8c16451d917b :setup: Standalone :steps: 1. Add a User as Password Admin 2. Create a password admin user entry 3. Add an aci to allow this user all rights 4. Configure password admin 5. Create local password policy and enable passwordmustchange 6. Add another generic user but do not include the password (userpassword) 7. Use admin user to perform a password update on generic user 8. We don't need this ACI anymore. Delete it :expected results: 1. Success 2. Success 3. Success 4. Success 5. Success 6. Success 7. Success 8. Success """ # Add a User as Password Admin # Create a password admin user entry user = _create_user(topo, 'pwadm_admin_1', None) user.replace('userpassword', 'Secret123') domian = Domain(topo.standalone, DEFAULT_SUFFIX) # Add an aci to allow this user all rights domian.set( "aci", f'(targetattr ="userpassword")' f'(version 3.0;acl "Allow password admin to write user ' f'passwords";allow (write)(userdn = "ldap:///{user.dn}");)') # Configure password admin # Create local password policy and enable passwordmustchange Config(topo.standalone).replace_many(('passwordAdminDN', user.dn), ('passwordMustChange', 'off'), ('nsslapd-pwpolicy-local', 'on')) # Add another generic user but do not include the password (userpassword) # Use admin user to perform a password update on generic user real_user = UserAccount(topo.standalone, f'uid=pwadm_admin_1,{DEFAULT_SUFFIX}') conn = real_user.bind('Secret123') UserAccount(conn, f'uid=pwadm_user_1,{DEFAULT_SUFFIX}').replace( 'userpassword', 'hello') # We don't need this ACI anymore. Delete it domian.remove( "aci", f'(targetattr ="userpassword")' f'(version 3.0;acl "Allow password admin to write user ' f'passwords";allow (write)(userdn = "ldap:///{user.dn}");)')
def test_too_big_password(topo, _fix_password): """Test for long long password :id: 299a3fb4-5a20-11ea-bba8-8c16451d917b :setup: Standalone :steps: 1. Setting policy to keep password histories 2. Changing number of password in history to 3 3. Modify password from dby3rs1 to dby3rs2 4. Checking that the passwordhistory attribute has been added 5. Add a password test for long long password 6. Changing number of password in history to 6 and passwordhistory off :expected results: 1. Success 2. Success 3. Success 4. Success 5. Success 6. Success """ config = Config(topo.standalone) # Setting policy to keep password histories config.replace_many(('passwordchecksyntax', 'off'), ('passwordhistory', 'on')) assert config.get_attr_val_utf8('passwordinhistory') == '6' # Changing number of password in history to 3 config.replace('passwordinhistory', '3') # Modify password from dby3rs1 to dby3rs2 _change_password_with_own(topo, f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}', 'dbyers1', 'dbyers2') with pytest.raises(ldap.CONSTRAINT_VIOLATION): _change_password_with_own(topo, f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}', 'dbyers2', 'dbyers1') # Checking that the passwordhistory attribute has been added assert UserAccount( topo.standalone, f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}').get_attr_val_utf8( 'passwordhistory') # Add a password test for long long password long_pass = 50 * '0123456789' + 'LENGTH=510' _change_password_with_own(topo, f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}', 'dbyers2', long_pass) with pytest.raises(ldap.CONSTRAINT_VIOLATION): _change_password_with_own(topo, f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}', long_pass, long_pass) _change_password_with_root(topo, f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}', 'dbyers1') # Changing number of password in history to 6 and passwordhistory off config.replace_many(('passwordhistory', 'off'), ('passwordinhistory', '6'))
def test_once_TPR_reset_old_passwd_invalid(topo, _add_user, set_global_TPR_policies): """ Verify that once a password has been reset it cannot be reused :id: f3ea4f00-e89c-11eb-b81d-98fa9ba19b65 :customerscenario: True :setup: Standalone :steps: 1. Create DS Instance 2. Create user jdoe1 with appropriate password 3. Configure the Global Password policies enable passwordMustChange 4. Trigger TPR by resetting the user jdoe1 password above 5. Attempt to login with the old password 6. Login as jdoe1 with the correct password and update the new password :expected results: 1. Success 2. Success 3. Success 4. Success 5. Fail(ldap.CONSTRAINT_VIOLATION) 6. Success """ new_password = '******' log.info('Creating user jdoe1 with appropriate password') user1 = UserAccount(topo.standalone, f'uid=jdoe1,ou=People,{DEFAULT_SUFFIX}') user1.replace('userpassword', new_password) log.info( 'Making sure the Global Policy passwordTPRDelayValidFrom is short') config = Config(topo.standalone) config.replace_many( ('passwordLockout', 'off'), ('passwordMaxFailure', '3'), ('passwordLegacyPolicy', 'off'), ('passwordTPRDelayValidFrom', '-1'), ('nsslapd-pwpolicy-local', 'on'), ) log.info(' Attempting to bind as {} with the old password {}'.format( user1, USER1_PASS)) time.sleep(.5) with pytest.raises(ldap.INVALID_CREDENTIALS): user1.bind(USER1_PASS) log.info('Login as jdoe1 with the correct reset password') time.sleep(.5) user1.rebind(new_password)
def set_global_policy(self, properties): """Configure global password policy :param properties: A dictionary with password policy attributes :type properties: dict """ modlist = [] for attr, value in properties.items(): modlist.append((attr, value)) if len(modlist) > 0: config = Config(self._instance) config.replace_many(*modlist) else: raise ValueError("There are no password policies to set")
def test_admin_resets_pwd_TPR_attrs_reset(topo, _add_user, set_global_TPR_policies): """Test When the ‘userpassword’ is updated (update_pw_info) by an administrator and it exists a TPR policy, then the server flags that the entry has a TPR password with ‘pwdTPRReset: TRUE’, ‘pwdTPRExpTime’ and ‘pwdTPRUseCount’. :id: e6a84dc0-f142-11eb-8c96-fa163e1f582c :customerscenario: True :setup: Standalone :steps: 1. Create DS Instance 2. Create user jdoe2 with appropriate password 3. Configure the Global Password policies enable 4. Trigger TPR by resetting the user jdoe1 password above 5. Reset the users password ‘userpassword’ 6. Check that ‘pwdTPRExpTime’ and ‘pwdTPRUseCount’ are updated :expectedresults: 1. Success 2. Success 3. Success 4. Success 5. Success 6. Success """ user1 = UserAccount(topo.standalone, f'uid=jdoe1,ou=People,{DEFAULT_SUFFIX}') log.info('Logging current time') start_time = time.mktime(time.gmtime()) log.info( 'Verifying the Global policy are set and attributes are all set to "None"' ) for tpr_attrib in ['pwdTPRReset', 'pwdTPRExpTime', 'pwdTPRUseCount']: assert user1.get_attr_val_utf8(tpr_attrib) is None config = Config(topo.standalone) config.replace_many(('pwdmustchange', 'on'), ('passwordTPRMaxUse', '3'), ('passwordTPRDelayExpireAt', '1800'), ('passwordTPRDelayValidFrom', '1')) assert user1.get_attr_val_utf8('pwdTPRExpTime') is None log.info('Triggering TPR as Admin') user1.replace('userpassword', 'new_password') time.sleep(1) log.info( 'Checking that pwdTPRReset, pwdTPRExpTime, pwdTPRUseCount are reset.') assert user1.get_attr_val_utf8('pwdTPRReset') == 'TRUE' assert user1.get_attr_val_utf8('pwdTPRExpTime') is None assert user1.get_attr_val_utf8('pwdTPRUseCount') is '0'
def security_enable(inst, basedn, log, args): dbpath = inst.get_cert_dir() tlsdb = NssSsl(dbpath=dbpath) certs = tlsdb.list_certs() if len(certs) == 0: raise ValueError('There are no server certificates in the security ' + 'database, security can not be enabled.') if len(certs) == 1: # If there is only cert make sure it is set as the server certificate RSA(inst).set('nsSSLPersonalitySSL', certs[0][0]) elif args.cert_name is not None: # A certificate nickname was provided, set it as the server certificate RSA(inst).set('nsSSLPersonalitySSL', args.cert_name) # it should now be safe to enable security Config(inst).set('nsslapd-security', 'on')
def test_implicit_replication_of_password_policy(_create_entries): """For bug 800173, we want to cause the implicit replication of password policy attributes due to failed bind operations we want to make sure that replication still works despite the policy attributes being removed from the update leaving an empty modify operation :id: 3f4affe8-38eb-11ea-8936-8c16451d917b :setup: Master and Consumer :steps: 1. Add a new entry to MASTER1. 2. Try binding user with correct password 3. Try binding user with incorrect password (twice) 4. Make sure user got locked 5. Run total update and verify the same attributes added/modified in the read-only replicas. :expected results: 1. Success 2. Success 3. FAIL(ldap.INVALID_CREDENTIALS) 4. Success 5. Success """ for attribute, value in [("passwordlockout", "on"), ("passwordmaxfailure", "1")]: Config(MASTER1).set(attribute, value) user = UserAccounts(MASTER1, DEFAULT_SUFFIX).create_test_user() user.set("userpassword", "ItsmeAnuj") check_all_replicated() assert UserAccount(MASTER2, user.dn).get_attr_val_utf8("uid") == "test_user_1000" # Try binding user with correct password conn = UserAccount(MASTER2, user.dn).bind("ItsmeAnuj") with pytest.raises(ldap.INVALID_CREDENTIALS): UserAccount(MASTER1, user.dn).bind("badpass") with pytest.raises(ldap.CONSTRAINT_VIOLATION): UserAccount(MASTER1, user.dn).bind("badpass") # asserting user got locked with pytest.raises(ldap.CONSTRAINT_VIOLATION): conn = UserAccount(MASTER1, user.dn).bind("ItsmeAnuj") check_all_replicated() # modify user and verify that replication is still working user.replace("seealso", "cn=seealso") check_all_replicated() for instance in (MASTER1, MASTER2): assert UserAccount( instance, user.dn).get_attr_val_utf8("seealso") == "cn=seealso"
def test_entryusn_no_duplicates(topology_st, setup): """Verify that entryUSN is not duplicated after memberOf operation :id: 1a7d382d-1214-4d56-b9c2-9c4ed57d1683 :setup: Standalone instance, Groups and Users, USN and memberOf are enabled :steps: 1. Add a member to group 1 2. Add a member to group 1 and 2 3. Check that entryUSNs are different 4. Check that lastusn before and after a restart are the same :expectedresults: 1. Success 2. Success 3. Success 4. Success """ inst = topology_st.standalone config = Config(inst) config.replace('nsslapd-accesslog-level', '260') # Internal op config.replace('nsslapd-errorlog-level', '65536') config.replace('nsslapd-plugin-logging', 'on') entryusn_list = [] users = setup["users"] groups = setup["groups"] groups[0].replace('member', users[0].dn) entryusn_list.append(users[0].get_attr_val_int('entryusn')) log.info(f"{users[0].dn}_1: {entryusn_list[-1:]}") entryusn_list.append(groups[0].get_attr_val_int('entryusn')) log.info(f"{groups[0].dn}_1: {entryusn_list[-1:]}") check_entryusn_no_duplicates(entryusn_list) groups[1].replace('member', [users[0].dn, users[1].dn]) entryusn_list.append(users[0].get_attr_val_int('entryusn')) log.info(f"{users[0].dn}_2: {entryusn_list[-1:]}") entryusn_list.append(users[1].get_attr_val_int('entryusn')) log.info(f"{users[1].dn}_2: {entryusn_list[-1:]}") entryusn_list.append(groups[1].get_attr_val_int('entryusn')) log.info(f"{groups[1].dn}_2: {entryusn_list[-1:]}") check_entryusn_no_duplicates(entryusn_list) check_lastusn_after_restart(inst)
def test_password_expire_works(topology_st): """Regression test for bug624080. If passwordMaxAge is set to a value and a new user is added, if the passwordMaxAge is changed to a shorter expiration time and the new users password is then changed ..... the passwordExpirationTime for the new user should be changed too. There was a bug in DS 6.2 where the expirationtime remained unchanged. :id: 1ead6052-4636-11ea-b5af-8c16451d917b :setup: Standalone :steps: 1. Set the Global password policy and a passwordMaxAge to 5 days 2. Add the new user 3. Check the users password expiration time now 4. Decrease global passwordMaxAge to 2 days 5. Modify the users password 6. Modify the user one more time to make sur etime has been reset 7. turn off the password policy :expected results: 1. Success 2. Success 3. Success 4. Success 5. Success 6. Success 7. Success """ config = Config(topology_st.standalone) config.replace_many(('passwordMaxAge', '432000'), ('passwordExp', 'on')) user = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX, rdn=None).create_test_user() user.set('userPassword', 'anuj') time.sleep(0.5) expire_time = user.get_attr_val_utf8('passwordExpirationTime') config.replace('passwordMaxAge', '172800') user.set('userPassword', 'borah') time.sleep(0.5) expire_time2 = user.get_attr_val_utf8('passwordExpirationTime') config.replace('passwordMaxAge', '604800') user.set('userPassword', 'anujagaiin') time.sleep(0.5) expire_time3 = user.get_attr_val_utf8('passwordExpirationTime') assert expire_time != expire_time2 != expire_time3 config.replace('passwordExp', 'off')
def test_passwordchange_to_no(topo, _fix_password): """Change password fo a user even password even though pw policy is set to no :id: 16c64ef0-5a20-11ea-a902-8c16451d917b :setup: Standalone :steps: 1. Adding an user with uid=dbyers 2. Set Password change to Must Not Change After Reset 3. Setting Password policy to May Not Change Password 4. Try to change password fo a user even password even though pw policy is set to no 5. Set Password change to May Change Password 6. Try to change password fo a user even password 7. Try to change password with invalid credentials. Should see error message. :expected results: 1. Success 2. Success 3. Success 4. Success 5. Success 6. Success 7. Success """ # Adding an user with uid=dbyers user = f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}' config = Config(topo.standalone) # Set Password change to Must Not Change After Reset config.replace_many(('passwordmustchange', 'off'), ('passwordchange', 'off')) # Try to change password fo a user even password even though pw policy is set to no with pytest.raises(ldap.UNWILLING_TO_PERFORM): _change_password_with_own(topo, user, 'dbyers1', 'AB') # Set Password change to May Change Password config.replace('passwordchange', 'on') _change_password_with_own(topo, user, 'dbyers1', 'dbyers1') # Try to change password with invalid credentials. Should see error message. with pytest.raises(ldap.INVALID_CREDENTIALS): _change_password_with_own(topo, f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}', 'AB', 'dbyers1')
def test_check_two_scheme(topo): """Check password scheme SHA and CRYPT :id: 2b677f1e-33a6-11ea-a371-8c16451d917b :setup: Standalone :steps: 1. Change password scheme and create user with password. 2. check password scheme is set . 3. Delete user :expected results: 1. Pass 2. Pass 3. Pass """ for schema, value in [("nsslapd-rootpwstoragescheme", "SHA"), ("passwordStorageScheme", "CRYPT")]: Config(topo.standalone).replace(schema, value) topo.standalone.restart() user = UserAccounts(topo.standalone, DEFAULT_SUFFIX).create_test_user() user.set('userpassword', 'ItsMeAnuj') assert '{' + f'{"CRYPT".lower()}' + '}' \ in UserAccount(topo.standalone, user.dn).get_attr_val_utf8('userpassword').lower() user.delete()
def test_pwminage(topo, _fix_password): """Test pwminage :id: 2df7bf32-5a20-11ea-ad23-8c16451d917b :setup: Standalone :steps: 1. Get pwminage; should be 0 currently 2. Sets policy to pwminage 3 3. Change current password 4. Try to change password again 5. Try now after 3 secs is up, should work. :expected results: 1. Success 2. Success 3. Success 4. Fail 5. Success """ config = Config(topo.standalone) # Get pwminage; should be 0 currently assert config.get_attr_val_utf8('passwordminage') == '0' # Sets policy to pwminage 3 config.replace('passwordminage', '3') # Change current password _change_password_with_own(topo, f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}', 'dbyers1', 'dbyers2') # Try to change password again with pytest.raises(ldap.CONSTRAINT_VIOLATION): _change_password_with_own(topo, f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}', 'dbyers2', 'dbyers1') for _ in range(3): time.sleep(1) # Try now after 3 secs is up, should work. _change_password_with_own(topo, f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}', 'dbyers2', 'dbyers1') config.replace('passwordminage', '0')
def test_check_pbkdf2_sha256(topo): """Check password scheme PBKDF2_SHA256. :id: 31612e7e-33a6-11ea-a750-8c16451d917b :setup: Standalone :steps: 1. Try to delete PBKDF2_SHA256. 2. Should not deleted PBKDF2_SHA256 and server should up. :expected results: 1. Pass 2. Pass """ value = 'PBKDF2_SHA256' user = user_config(topo, value) assert '{' + f'{value.lower()}' + '}' in \ UserAccount(topo.standalone, user.dn).get_attr_val_utf8('userpassword').lower() plg = PBKDF2Plugin(topo.standalone) plg._protected = False plg.delete() topo.standalone.restart() assert Config(topo.standalone).get_attr_val_utf8( 'passwordStorageScheme') == 'PBKDF2_SHA256' assert topo.standalone.status() user.delete()
def test_password_gracelimit_section(topo): """Password grace limit section. :id: d6f4a7fa-473b-11ea-8766-8c16451d917c :setup: Standalone :steps: 1. Resets the default password policy 2. Turning on password expiration, passwordMaxAge: 30 and passwordGraceLimit: 7 3. Check users have 7 grace login attempts after their password expires 4. Reset the user passwords to start the clock 5. The the 8th should fail 6. Now try resetting the password before the grace login attempts run out 7. Bind 6 times, and on the 7th change the password 8. Setting passwordMaxAge: 1 and passwordGraceLimit: 7 9. Modify the users passwords to start the clock of zero 10. First 7 good attempts, 8th should fail 11. Setting the passwordMaxAge to 3 seconds once more and the passwordGraceLimit to 0 12. Modify the users passwords to start the clock 13. Users should be blocked automatically after 3 second :expected results: 1. Success 2. Success 3. Success 4. Success 5. Success 6. Success 7. Success 8. Success 9. Success 10. Success 11. Success 12. Success 13. Success """ config = Config(topo.standalone) # Resets the default password policy config.replace_many(('passwordmincategories', '1'), ('passwordStorageScheme', 'CLEAR')) user = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=None).create_test_user() # Turning on password expiration, passwordMaxAge: 30 and passwordGraceLimit: 7 config.replace_many(('passwordMaxAge', '3'), ('passwordGraceLimit', '7'), ('passwordexp', 'on'), ('passwordwarning', '30')) # Reset the user passwords to start the clock # Check users have 7 grace login attempts after their password expires user.replace('userpassword', '00fr3d1') for _ in range(3): time.sleep(1) user_account = UserAccount(topo.standalone, user.dn) for _ in range(7): conn = user_account.bind('00fr3d1') # The the 8th should fail with pytest.raises(ldap.INVALID_CREDENTIALS): conn = user_account.bind('00fr3d1') # Now try resetting the password before the grace login attempts run out user.replace('userpassword', '00fr3d2') for _ in range(3): time.sleep(1) user_account = UserAccount(topo.standalone, user.dn) # Bind 6 times, and on the 7th change the password for _ in range(6): conn = user_account.bind('00fr3d2') user.replace('userpassword', '00fr3d1') for _ in range(3): time.sleep(1) for _ in range(7): conn = user_account.bind('00fr3d1') with pytest.raises(ldap.INVALID_CREDENTIALS): conn = user_account.bind('00fr3d1') # Setting passwordMaxAge: 1 and passwordGraceLimit: 7 config.replace_many(('passwordMaxAge', '1'), ('passwordwarning', '1')) # Modify the users passwords to start the clock of zero user.replace('userpassword', '00fr3d2') time.sleep(1) # First 7 good attempts, 8th should fail user_account = UserAccount(topo.standalone, user.dn) for _ in range(7): conn = user_account.bind('00fr3d2') with pytest.raises(ldap.INVALID_CREDENTIALS): conn = user_account.bind('00fr3d2') # Setting the passwordMaxAge to 3 seconds once more and the passwordGraceLimit to 0 config.replace_many(('passwordMaxAge', '3'), ('passwordGraceLimit', '0')) # Modify the users passwords to start the clock # Users should be blocked automatically after 3 second user.replace('userpassword', '00fr3d1') for _ in range(3): time.sleep(1) with pytest.raises(ldap.INVALID_CREDENTIALS): conn = user_account.bind('00fr3d1')
def security_disable(inst, basedn, log, args): Config(inst).set('nsslapd-security', 'off')
def test_automemscope_and_running_modrdn(topo_m4, _create_entries): """ Adding bulk users to non-automem_scope and running modrdn operation with new superior to automem_scope :id: bf60f958-be57-11e9-945d-8c16451d917b :setup: Instance with 4 suppliers :steps: 1. Running modrdn operation to change the ou to automem_scope 2. Add 3000 user entries to non-automem_scope at topo_m4.ms['supplier1'] 3. Run AutomemberRebuildMembershipTask 4. Check the same created in rest suppliers :expected results: 1. Pass 2. Pass 3. Pass 4. Pass """ user_rdn = "long09usr" automem_scope1 = "ou=Employees,{}".format(DEFAULT_SUFFIX) automem_scope2 = "cn=NewEmployees,{}".format(DEFAULT_SUFFIX) grp_container = "cn=replsubGroups,{}".format(DEFAULT_SUFFIX) default_group1 = "cn=SubDef3,{}".format(DEFAULT_SUFFIX) default_group2 = "cn=SubDef5,{}".format(DEFAULT_SUFFIX) OrganizationalUnits( topo_m4.ms['supplier1'], DEFAULT_SUFFIX).create(properties={'ou': 'NewEmployees'}) Group(topo_m4.ms['supplier1'], f'cn=replsubGroups,cn=autoMembersPlugin,{DEFAULT_SUFFIX}').replace( 'autoMemberScope', automem_scope2) for instance in [ topo_m4.ms['supplier1'], topo_m4.ms['supplier2'], topo_m4.ms['supplier3'], topo_m4.ms['supplier4'] ]: Config(instance).replace('nsslapd-errorlog-level', '73728') instance.restart() # Adding bulk users for number in range(3000): create_entry(topo_m4, f'automemusrs{number}', automem_scope1, '3994', '5695', 'OnDeputation') try: for supplier in [ topo_m4.ms['supplier2'], topo_m4.ms['supplier3'], topo_m4.ms['supplier4'] ]: ReplicationManager(DEFAULT_SUFFIX).wait_for_replication( topo_m4.ms['supplier1'], supplier, timeout=30000) for grp, instance in [(default_group2, topo_m4.ms['supplier3']), ("cn=Managers,{}".format(grp_container), topo_m4.ms['supplier1']), ("cn=Contractors,{}".format(grp_container), topo_m4.ms['supplier3'])]: assert not nsAdminGroup(instance, grp).get_attr_vals_utf8('member') count = 0 for user in nsAdminGroups(topo_m4.ms['supplier3'], automem_scope1, rdn=None).list(): topo_m4.ms['supplier1'].rename_s(user.dn, f'cn=New{user_rdn}{count}', newsuperior=automem_scope2, delold=1) count += 1 for supplier in [ topo_m4.ms['supplier2'], topo_m4.ms['supplier3'], topo_m4.ms['supplier4'] ]: ReplicationManager(DEFAULT_SUFFIX).wait_for_replication( topo_m4.ms['supplier1'], supplier, timeout=30000) AutomemberRebuildMembershipTask(topo_m4.ms['supplier1']).create( properties={ 'basedn': automem_scope2, 'filter': "objectClass=posixAccount" }) for supplier in [ topo_m4.ms['supplier2'], topo_m4.ms['supplier3'], topo_m4.ms['supplier4'] ]: ReplicationManager(DEFAULT_SUFFIX).wait_for_replication( topo_m4.ms['supplier1'], supplier, timeout=30000) for instance, grp in [(topo_m4.ms['supplier3'], default_group2), (topo_m4.ms['supplier3'], default_group1)]: assert len( nsAdminGroup(instance, grp).get_attr_vals_utf8('member')) == 3000 for instance, grp in [(topo_m4.ms['supplier1'], 'Managers'), (topo_m4.ms['supplier3'], 'Contractors'), (topo_m4.ms['supplier2'], 'Interns'), (topo_m4.ms['supplier4'], 'Visitors')]: assert not nsAdminGroup(instance, "cn={},{}".format( grp, grp_container)).get_attr_vals_utf8('member') finally: for scope in [automem_scope1, automem_scope2]: delete_users_and_wait(topo_m4, scope)
def test_binddn_tracking(topo, _create_inital): """Test Managed Entries basic functionality :id: ea2ddfd4-aaec-11ea-8416-8c16451d917b :setup: Standalone Instance :steps: 1. Set nsslapd-plugin-binddn-tracking attribute under cn=config 2. Add user 3. Managed Entry Plugin runs against managed entries upon any update without validating 4. verify creation of User Private Group with its time stamp value 5. Modify the SN attribute which is not mapped with managed entry 6. run ModRDN operation and check the User Private group 7. Check the time stamp of UPG should be changed now 8. Check the creatorsname should be user dn and internalCreatorsname should be plugin name 9. Check if a managed group entry was created :expected results: 1. Success 2. Success 3. Success 4. Success 5. Success 6. Success 7. Success 8. Success 9. Success """ config = Config(topo.standalone) # set nsslapd-plugin-binddn-tracking attribute under cn=config config.replace('nsslapd-plugin-binddn-tracking', 'on') # Add user user = UserAccounts(topo.standalone, f'cn=Users,{DEFAULT_SUFFIX}', rdn=None).create_test_user() assert user.get_attr_val_utf8( 'mepManagedEntry') == f'cn=test_user_1000,cn=Groups,{DEFAULT_SUFFIX}' entry = Account(topo.standalone, f'cn=test_user_1000,cn=Groups,{DEFAULT_SUFFIX}') # Managed Entry Plugin runs against managed entries upon any update without validating # verify creation of User Private Group with its time stamp value stamp1 = entry.get_attr_val_utf8('modifyTimestamp') user.replace('sn', 'NewSN_modified') stamp2 = entry.get_attr_val_utf8('modifyTimestamp') # Modify the SN attribute which is not mapped with managed entry # Check the time stamp of UPG should not be changed assert stamp1 == stamp2 time.sleep(1) # run ModRDN operation and check the User Private group user.rename(new_rdn='uid=UserNewRDN', newsuperior='cn=Users,dc=example,dc=com') assert user.get_attr_val_utf8( 'mepManagedEntry') == f'cn=UserNewRDN,cn=Groups,{DEFAULT_SUFFIX}' entry = Account(topo.standalone, f'cn=UserNewRDN,cn=Groups,{DEFAULT_SUFFIX}') stamp3 = entry.get_attr_val_utf8('modifyTimestamp') # Check the time stamp of UPG should be changed now assert stamp2 != stamp3 time.sleep(1) user.replace('gidNumber', '1') stamp4 = entry.get_attr_val_utf8('modifyTimestamp') assert stamp4 != stamp3 # Check the creatorsname should be user dn and internalCreatorsname should be plugin name assert entry.get_attr_val_utf8('creatorsname') == 'cn=directory manager' assert entry.get_attr_val_utf8( 'internalCreatorsname') == 'cn=Managed Entries,cn=plugins,cn=config' assert entry.get_attr_val_utf8('modifiersname') == 'cn=directory manager' user.delete() config.replace('nsslapd-plugin-binddn-tracking', 'off')
def test_passwordlockout(topo, _fix_password): """Test adding admin user diradmin to Directory Administrator group :id: 3ffcffda-5a20-11ea-a3af-8c16451d917b :setup: Standalone :steps: 1. Account Lockout must be cleared on successful password change 2. Adding admin user diradmin 3. Adding admin user diradmin to Directory Administrator group 4. Turn on passwordlockout 5. Sets lockout duration to 30 seconds 6. Sets failure count reset duration to 30 sec 7. Sets max password bind failure count to 3 8. Reset password retry count (to 0) 9. Try to bind with invalid credentials(3 times) 10. Try to bind with valid pw, should give lockout error 11. Reset password using admin login 12. Try to login as the user to check the unlocking of account. Will also change the password back to original 13. Change to account lockout forever until reset 14. Reset password retry count (to 0) 15. Try to bind with invalid credentials(3 times) 16. Try to bind with valid pw, should give lockout error 17. Reset password using admin login 18. Try to login as the user to check the unlocking of account. Will also change the password back to original :expected results: 1. Success 2. Success 3. Success 4. Success 5. Success 6. Success 7. Success 8. Success 9. Fail 10. Success 11. Success 12. Success 13. Success 14. Success 15. Fail 16. Success 17. Success 18. Success """ config = Config(topo.standalone) # Adding admin user diradmin user = UserAccounts(topo.standalone, DEFAULT_SUFFIX).create_test_user() user.replace('userpassword', 'dby3rs2') admin = _create_user(topo, 'diradmin', 'Anuj Borah', '1002', 'diradmin') # Adding admin user diradmin to Directory Administrator group Group(topo.standalone, f'cn=Directory Administrators,{DEFAULT_SUFFIX}').add( 'uniquemember', admin.dn) # Turn on passwordlockout # Sets lockout duration to 30 seconds # Sets failure count reset duration to 30 sec # Sets max password bind failure count to 3 # Reset password retry count (to 0) config.replace_many( ('passwordlockout', 'on'), ('passwordlockoutduration', '30'), ('passwordresetfailurecount', '30'), ('passwordmaxfailure', '3'), ('passwordhistory', 'off')) user.replace('passwordretrycount', '0') # Try to bind with invalid credentials(3 times) for _ in range(3): with pytest.raises(ldap.INVALID_CREDENTIALS): _change_password_with_own(topo, user.dn, 'Invalid', 'secreter') # Try to bind with valid pw, should give lockout error with pytest.raises(ldap.CONSTRAINT_VIOLATION): _change_password_with_own(topo, user.dn, 'Invalid', 'secreter') # Reset password using admin login conn = admin.bind('diradmin') UserAccount(conn, user.dn).replace('userpassword', 'dby3rs2') time.sleep(1) # Try to login as the user to check the unlocking of account. Will also change # the password back to original _change_password_with_own(topo, user.dn, 'dby3rs2', 'secreter') # Change to account lockout forever until reset # Reset password retry count (to 0) config.replace('passwordunlock', 'off') user.replace('passwordretrycount', '0') # Try to bind with invalid credentials(3 times) for _ in range(3): with pytest.raises(ldap.INVALID_CREDENTIALS): _change_password_with_own(topo, user.dn, 'Invalid', 'secreter') # Try to bind with valid pw, should give lockout error with pytest.raises(ldap.CONSTRAINT_VIOLATION): _change_password_with_own(topo, user.dn, 'Invalid', 'secreter') # Reset password using admin login UserAccount(conn, user.dn).replace('userpassword', 'dby3rs2') time.sleep(1) # Try to login as the user to check the unlocking of account. Will also change the # password back to original _change_password_with_own(topo, user.dn, 'dby3rs2', 'secreter')
def test_expiration_date(topo, _fix_password): """Test check the expiration date is still in the future :id: 3691739a-5a20-11ea-8712-8c16451d917b :setup: Standalone :steps: 1. Password expiration 2. Add a user with a password expiration date 3. Modify their password 4. Check the expiration date is still in the future 5. Modify the password expiration date 6. Check the expiration date is still in the future 7. Change policy so that user can change passwords 8. Deleting user 9. Adding user 10. Set password history ON 11. Modify password Once 12. Try to change the password with same one :expected results: 1. Success 2. Success 3. Success 4. Success 5. Success 6. Success 7. Success 8. Success 9. Success 10. Success 11. Success 12. Fail """ # Add a user with a password expiration date user = UserAccounts(topo.standalone, DEFAULT_SUFFIX).create_test_user() user.replace_many(('userpassword', 'bind4now'), ('passwordExpirationTime', '20380119031404Z')) # Modify their password user.replace('userPassword', 'secreter') # Check the expiration date is still in the future assert user.get_attr_val_utf8( 'passwordExpirationTime') == '20380119031404Z' # Modify the password expiration date user.replace('passwordExpirationTime', '20380119031405Z') # Check the expiration date is still in the future assert user.get_attr_val_utf8( 'passwordExpirationTime') == '20380119031405Z' config = Config(topo.standalone) # Change policy so that user can change passwords config.replace('passwordchange', 'on') # Deleting user UserAccount(topo.standalone, f'uid=test_user_1000,ou=People,{DEFAULT_SUFFIX}').delete() # Adding user user = UserAccounts(topo.standalone, DEFAULT_SUFFIX).create_test_user() # Set password history ON config.replace('passwordhistory', 'on') # Modify password Once user.replace('userPassword', 'secreter') time.sleep(1) assert DEFAULT_PASSWORD_STORAGE_SCHEME in user.get_attr_val_utf8( 'userPassword') # Try to change the password with same one for _ in range(3): with pytest.raises(ldap.CONSTRAINT_VIOLATION): _change_password_with_own(topo, user.dn, 'secreter', 'secreter') user.delete()
def test_invalid_credentials(topo, _fix_password): """Test bind again with valid password: We should be locked :id: 3233ca78-5a20-11ea-8d35-8c16451d917b :setup: Standalone :steps: 1. Search if passwordlockout is off 2. Turns on passwordlockout 3. sets lockout duration to 3 seconds 4. Changing pw failure count reset duration to 3 sec and passwordminlength to 10 5. Try to bind with invalid credentials 6. Change password to password lockout forever 7. Try to bind with invalid credentials 8. Now bind again with valid password: We should be locked 9. Delete dby3rs before exiting 10. Reset server :expected results: 1. Success 2. Success 3. Success 4. Success 5. Fail 6. Success 7. Success 8. Success 9. Success 10. Success """ config = Config(topo.standalone) # Search if passwordlockout is off assert config.get_attr_val_utf8('passwordlockout') == 'off' # Turns on passwordlockout # sets lockout duration to 3 seconds # Changing pw failure count reset duration to 3 sec and passwordminlength to 10 config.replace_many( ('passwordlockout', 'on'), ('passwordlockoutduration', '3'), ('passwordresetfailurecount', '3'), ('passwordminlength', '10')) # Try to bind with invalid credentials for _ in range(3): with pytest.raises(ldap.INVALID_CREDENTIALS): _change_password_with_own( topo, f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}', 'Invalid', 'dbyers1') with pytest.raises(ldap.CONSTRAINT_VIOLATION): _change_password_with_own(topo, f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}', 'Invalid', 'dbyers1') for _ in range(3): time.sleep(1) _change_password_with_own(topo, f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}', 'dbyers1', 'dbyers1') # Change password to password lockout forever config.replace('passwordunlock', 'off') # Try to bind with invalid credentials for _ in range(3): with pytest.raises(ldap.INVALID_CREDENTIALS): _change_password_with_own( topo, f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}', 'Invalid', 'dbyers1') with pytest.raises(ldap.CONSTRAINT_VIOLATION): _change_password_with_own(topo, f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}', 'Invalid', 'dbyers1') for _ in range(3): time.sleep(1) # Now bind again with valid password: We should be locked with pytest.raises(ldap.CONSTRAINT_VIOLATION): _change_password_with_own(topo, f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}', 'dbyers1', 'dbyers1') # Delete dby3rs before exiting _change_password_with_root(topo, f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}', 'dbyers1') time.sleep(1) _change_password_with_own(topo, f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}', 'dbyers1', 'dbyers1') # Reset server config.replace_many( ('passwordinhistory', '6'), ('passwordlockout', 'off'), ('passwordlockoutduration', '3600'), ('passwordminlength', '6'), ('passwordresetfailurecount', '600'), ('passwordunlock', 'on'))
def test_pwd_update_time_attribute(topo): """Regression test for bz834063 :id: ec2b1d4e-52d9-11ea-b13e-8c16451d917b :setup: Standalone :steps: 1. Add the attribute passwordTrackUpdateTime to cn=config 2. Add a test entry while passwordTrackUpdateTime is on 3. Check if new attribute pwdUpdateTime added automatically after changing the pwd 4. Modify User pwd 5. check for the pwdupdatetime attribute added to the test entry as passwordTrackUpdateTime is on 6. Set passwordTrackUpdateTime to OFF and modify test entry's pwd 7. Check passwordUpdateTime should not be changed 8. Record last pwdUpdateTime before changing the password 9. Modify Pwd 10. Set passwordTrackUpdateTime to ON and modify test entry's pwd, check passwordUpdateTime should be changed 11. Try setting Invalid value for passwordTrackUpdateTime 12. Try setting Invalid value for pwdupdatetime :expected results: 1. Success 2. Success 3. Success 4. Success 5. Success 6. Success 7. Success 8. Success 9. Success 10. Success 11. Fail 12. Fail """ config = Config(topo.standalone) # Add the attribute passwordTrackUpdateTime to cn=config config.replace('passwordTrackUpdateTime', 'on') # Add a test entry while passwordTrackUpdateTime is on user = _create_user(topo, 'test_bz834063', None) user.set('userpassword', 'Unknown') # Modify User pwd user.replace('userpassword', 'Unknown1') # Check if new attribute pwdUpdateTime added automatically after changing the pwd assert user.get_attr_val_utf8('pwdUpdateTime') # Set passwordTrackUpdateTime to OFF and modify test entry's pwd config.replace('passwordTrackUpdateTime', 'off') # Record last pwdUpdateTime before changing the password update_time = user.get_attr_val_utf8('pwdUpdateTime') time.sleep(1) user.replace('userpassword', 'Unknown') # Check passwordUpdateTime should not be changed update_time_again = user.get_attr_val_utf8('pwdUpdateTime') assert update_time == update_time_again # Set passwordTrackUpdateTime to ON and modify test entry's pwd, # check passwordUpdateTime should be changed time.sleep(1) config.replace('passwordTrackUpdateTime', 'on') user.replace('userpassword', 'Unknown') time.sleep(1) update_time_1 = user.get_attr_val_utf8('pwdUpdateTime') assert update_time_again != update_time_1 with pytest.raises(ldap.OPERATIONS_ERROR): config.replace('passwordTrackUpdateTime', "invalid") with pytest.raises(ldap.UNWILLING_TO_PERFORM): config.replace('pwdupdatetime', 'Invalid')
def test_password_check_syntax(topo, _fix_password): """Password check syntax :id: 1e6fcc9e-5a20-11ea-9659-8c16451d917b :setup: Standalone :steps: 1. Sets Password check syntax to on 2. Try to change to a password that violates length. Should get error 3. Attempt to Modify password to db which is in error to policy 4. change min pw length to 5 5. Attempt to Modify password to dby3rs which is in error to policy 6. Attempt to Modify password to danny which is in error to policy 7. Attempt to Modify password to byers which is in error to policy 8. Change min pw length to 6 9. Try to change the password 10. Trying to set to a password containing value of sn 11. Sets policy to not check pw syntax 12. Test that when checking syntax is off, you can use small passwords 13. Test that when checking syntax is off, trivial passwords can be used 14. Changing password minimum length from 6 to 10 15. Setting policy to Check Password Syntax again 16. Try to change to a password that violates length 17. Reset Password :expected results: 1. Success 2. Success 3. Success 4. Success 5. Success 6. Success 7. Success 8. Success 9. Success 10. Success 11. Success 12. Success 13. Success 14. Success 15. Success 16. Fail 17. Success """ config = Config(topo.standalone) # Sets Password check syntax to on config.replace('passwordchecksyntax', 'on') # Try to change to a password that violates length. Should get error with pytest.raises(ldap.CONSTRAINT_VIOLATION): _change_password_with_own(topo, f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}', 'dbyers1', 'dbyers2') # Attempt to Modify password to db which is in error to policy with pytest.raises(ldap.CONSTRAINT_VIOLATION): _change_password_with_own(topo, f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}', 'dbyers1', 'db') # change min pw length to 5 config.replace('passwordminlength', '5') # Attempt to Modify password to dby3rs which is in error to policy # Attempt to Modify password to danny which is in error to policy # Attempt to Modify password to byers which is in error to policy for password in ['dbyers', 'Danny', 'byers']: with pytest.raises(ldap.CONSTRAINT_VIOLATION): _change_password_with_own( topo, f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}', 'dbyers1', password) # Change min pw length to 6 config.replace('passwordminlength', '6') # Try to change the password # Trying to set to a password containing value of sn for password in ['dby3rs1', 'dbyers2', '67Danny89', 'YAByers8']: with pytest.raises(ldap.CONSTRAINT_VIOLATION): _change_password_with_own( topo, f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}', 'dbyers1', password) # Sets policy to not check pw syntax # Test that when checking syntax is off, you can use small passwords # Test that when checking syntax is off, trivial passwords can be used config.replace('passwordchecksyntax', 'off') for password, new_pass in [('dbyers1', 'db'), ('db', 'dbyers'), ('dbyers', 'dbyers1')]: _change_password_with_own(topo, f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}', password, new_pass) # Changing password minimum length from 6 to 10 # Setting policy to Check Password Syntax again config.replace_many(('passwordminlength', '10'), ('passwordchecksyntax', 'on')) # Try to change to a password that violates length with pytest.raises(ldap.CONSTRAINT_VIOLATION): _change_password_with_own(topo, f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}', 'dbyers1', 'db') UserAccount(topo.standalone, f'uid=dbyers,ou=People,{DEFAULT_SUFFIX}').replace( 'userpassword', 'dbyers1')
def test_user_resets_pwd_TPR_attrs_reset(topo, _add_user, set_global_TPR_policies): """Test once password is reset attributes are set to FALSE :id: 6614068a-ee7d-11eb-b1a3-98fa9ba19b65 :customerscenario: True :setup: Standalone :steps: 1. Create DS Instance 2. Create user jdoe2 with appropriate password 3. Configure the Global Password policies and set passwordMustChange on 4. Trigger TPR by resetting the user jdoe1 password above 5. Reset the users password ‘userpassword’ 6. Check that pwdTPRReset, pwdTPRUseCount, pwdTPRValidFrom, pwdTPRExpireAt are RESET :expectedresults: 1. Success 2. Success 3. Success 4. Success 5. Success 6. Success """ user1 = UserAccount(topo.standalone, f'uid=jdoe1,ou=People,{DEFAULT_SUFFIX}') log.info('Logging current time') start_time = time.mktime(time.gmtime()) log.info( 'Verifying the Global policy are set and attributes are all set to "None"' ) for tpr_attrib in [ 'pwdTPRReset', 'pwdTPRUseCount', 'pwdTPRValidFrom', 'pwdTPRExpireAt' ]: assert user1.get_attr_val_utf8(tpr_attrib) is None config = Config(topo.standalone) config.replace_many(('pwdmustchange', 'on'), ('passwordTPRMaxUse', '3'), ('passwordTPRDelayExpireAt', '1800'), ('passwordTPRDelayValidFrom', '1')) assert user1.get_attr_val_utf8('pwdTPRReset') is None log.info( 'Triggering TPR check that pwdTPRReset, pwdTPRUseCount, pwdTPRValidFrom, pwdTPRExpireAt are set' ) user1.replace('userpassword', 'new_password') time.sleep(3) assert user1.get_attr_val_utf8('pwdTPRReset') == 'TRUE' assert user1.get_attr_val_utf8('pwdTPRUseCount') == '0' assert gentime_to_posix_time( user1.get_attr_val_utf8('pwdTPRValidFrom')) > start_time assert gentime_to_posix_time( user1.get_attr_val_utf8('pwdTPRExpireAt')) > start_time conn = user1.rebind('new_password') user1.replace('userpassword', 'extra_new_pass') log.info( 'Checking that pwdTPRReset, pwdTPRUseCount, pwdTPRValidFrom, pwdTPRExpireAt are reset to None' ) time.sleep(3) assert user1.get_attr_val_utf8('pwdTPRReset') is None assert user1.get_attr_val_utf8('pwdTPRUseCount') is None assert (user1.get_attr_val_utf8('pwdTPRValidFrom')) is None assert (user1.get_attr_val_utf8('pwdTPRExpireAt')) is None log.info('Verified that attributes are reset after password is reset')
def test_admin_group_to_modify_password(topo, _add_user): """Regression test for bz1044164 part 2. :id: 12e09446-52da-11ea-aa11-8c16451d917b :setup: Standalone :steps: 1. Create unique members of admin group 2. Create admin group with unique members 3. Edit ACIs for admin group 4. Add group as password admin 5. Test password admin group to modify password of another admin user 6. Use admin user to perform a password update on Directory Manager user 7. Test password admin group for local password policy 8. Add top level container 9. Add user 10. Create local policy configuration entry 11. Adding admin group for local policy 12. Change user's password by admin user. Break the local policy rule 13. Test password admin group for global password policy 14. Add top level container 15. Change user's password by admin user. Break the global policy rule 16. Add new user in password admin group 17. Modify ordinary user's password 18. Modify user DN using modrdn of a user in password admin group 19. Test assigning invalid value to password admin attribute 20. Try to add more than one Password Admin attribute to config file 21. Use admin group setup from previous testcases, but delete ACI from that 22. Try to change user's password by admin user 23. Restore ACI 24. Edit ACIs for admin group 25. Delete a user from password admin group 26. Change users password by ex-admin user 27. Remove group from password admin configuration 28. Change admins 29. Change user's password by ex-admin user 30. Change admin user's password by ex-admin user :expected results: 1. Success 2. Success 3. Success 4. Success 5. Success 6. Fail(ldap.INSUFFICIENT_ACCESS) 7. Success 8. Success 9. Success 10. Success 11. Success 12. Success 13. Success 14. Success 15. Success 16. Success 17. Success 18. Success 19. Fail 20. Fail 21. Success 22. Success 23. Success 24. Success 25. Success 26. Success 27. Success 28. Success 29. Fail 30. Fail """ # create unique members of admin group admin_grp = UniqueGroups(topo.standalone, DEFAULT_SUFFIX).create(properties={ 'cn': 'pwadm_group_adm', 'description': 'pwadm_group_adm', 'uniqueMember': [f'uid=pwadm_admin_2,ou=People,{DEFAULT_SUFFIX}', f'uid=pwadm_admin_3,ou=People,{DEFAULT_SUFFIX}'] }) # Edit ACIs for admin group Domain(topo.standalone, f"ou=People,{DEFAULT_SUFFIX}").set('aci', f'(targetattr ="userpassword")' f'(version 3.0;acl "Allow passwords admin to write user ' f'passwords";allow (write)(groupdn = "ldap:///{admin_grp.dn}");)') # Add group as password admin Config(topo.standalone).replace('passwordAdminDN', admin_grp.dn) # Test password admin group to modify password of another admin user change_password_of_user(topo, [ ('uid=pwadm_admin_2,ou=People', 'Secret123', 'hello')], f'uid=pwadm_admin_3,ou=people,{DEFAULT_SUFFIX}') # Use admin user to perform a password update on Directory Manager user with pytest.raises(ldap.INSUFFICIENT_ACCESS): change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'hello')], f'{DN_DM},{DEFAULT_SUFFIX}') # Add top level container ou = OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX).create(properties={'ou': 'pwadm_locpol'}) # Change user's password by admin user. Break the global policy rule # Add new user in password admin group user = _create_user(topo, 'pwadm_locpol_user', 'ou=pwadm_locpol') user.replace('userpassword', 'Secret123') # Create local policy configuration entry _create_pwp(topo, ou.dn) # Set parameter for pwp for para_meter, op_op in [ ('passwordLockout', 'on'), ('passwordMaxFailure', '4'), ('passwordLockoutDuration', '10'), ('passwordResetFailureCount', '100'), ('passwordMinLength', '8'), ('passwordAdminDN', f'cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}')]: change_pwp_parameter(topo, 'ou=pwadm_locpol', para_meter, op_op) # Set ACI OrganizationalUnit(topo.standalone, ou.dn).set('aci', f'(targetattr ="userpassword")' f'(version 3.0;acl "Allow passwords admin to write user ' f'passwords";allow (write)' f'(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)') # Change password with new admin change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'Sec')], user.dn) # Set global parameter Config(topo.standalone).replace_many( ('passwordTrackUpdateTime', 'on'), ('passwordGraceLimit', '4'), ('passwordHistory', 'on'), ('passwordInHistory', '4')) # Test password admin group for global password policy change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'Sec')], f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}') # Adding admin group for local policy grp = UniqueGroup(topo.standalone, f'cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}') grp.add('uniqueMember', f'uid=pwadm_admin_4,ou=People,{DEFAULT_SUFFIX}') # Modify ordinary user's password change_password_of_user(topo, [('uid=pwadm_admin_4,ou=People', 'Secret123', 'Secret')], f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}') # Modify user DN using modrdn of a user in password admin group UserAccount(topo.standalone, f'uid=pwadm_admin_4,ou=People,{DEFAULT_SUFFIX}').rename('uid=pwadm_admin_4_new') # Remove admin grp.remove('uniqueMember', f'uid=pwadm_admin_4,ou=People,{DEFAULT_SUFFIX}') # Add Admin grp.add('uniqueMember', f'uid=pwadm_admin_4_new,ou=People,{DEFAULT_SUFFIX}') # Test the group pwp again with pytest.raises(ldap.INVALID_CREDENTIALS): change_password_of_user(topo, [(f'uid=pwadm_admin_4,ou=People', 'Secret123', 'Secret1')], f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}') change_password_of_user(topo, [(f'uid=pwadm_admin_4_new,ou=People', 'Secret123', 'Secret1')], f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}') with pytest.raises(ldap.INVALID_SYNTAX): Config(topo.standalone).replace('passwordAdminDN', "Invalid") # Test assigning invalid value to password admin attribute # Try to add more than one Password Admin attribute to config file with pytest.raises(ldap.OBJECT_CLASS_VIOLATION): Config(topo.standalone).replace('passwordAdminDN', [f'uid=pwadm_admin_2,ou=people,{DEFAULT_SUFFIX}', f'uid=pwadm_admin_3,ou=people,{DEFAULT_SUFFIX}']) # Use admin group setup from previous, but delete ACI from that people = Domain(topo.standalone, f"ou=People,{DEFAULT_SUFFIX}") people.remove('aci', f'(targetattr ="userpassword")(version 3.0;acl ' f'"Allow passwords admin to write user ' f'passwords";allow (write)' f'(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)') # Try to change user's password by admin user with pytest.raises(ldap.INSUFFICIENT_ACCESS): change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'Sec')], f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}') # Restore ACI people.set('aci', f'(targetattr ="userpassword")(version 3.0;acl ' f'"Allow passwords admin to write user ' f'passwords";allow (write)(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)') # Edit ACIs for admin group people.add('aci', f'(targetattr ="userpassword")(version 3.0;acl ' f'"Allow passwords admin to add user ' f'passwords";allow (add)(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)') UserAccount(topo.standalone, f'uid=pwadm_user_2,ou=people,{DEFAULT_SUFFIX}').replace('userpassword', 'Secret') real_user = UserAccount(topo.standalone, f'uid=pwadm_user_2,ou=people,{DEFAULT_SUFFIX}') conn = real_user.bind('Secret') # Test new aci with pytest.raises(ldap.INSUFFICIENT_ACCESS): UserAccounts(conn, DEFAULT_SUFFIX, rdn='ou=People').create(properties={ 'uid': 'ok', 'cn': 'ok', 'sn': 'ok', 'uidNumber': '1000', 'gidNumber': 'ok', 'homeDirectory': '/home/ok'}) UserAccounts(topo.standalone, DEFAULT_SUFFIX).list() real_user = UserAccount(topo.standalone, f'uid=pwadm_admin_2,ou=People,{DEFAULT_SUFFIX}') conn = real_user.bind('Secret123') # Test new aci which has new rights for uid, cn, password in [ ('pwadm_user_3', 'pwadm_user_1', 'U2VjcmV0MTIzCg=='), ('pwadm_user_4', 'pwadm_user_2', 'U2VjcmV0MTIzCg==')]: UserAccounts(conn, DEFAULT_SUFFIX, rdn='ou=People').create(properties={ 'uid': uid, 'cn': cn, 'sn': cn, 'uidNumber': '1000', 'gidNumber': '1001', 'homeDirectory': f'/home/{uid}', 'userpassword': password}) # Remove ACI Domain(topo.standalone, f"ou=People,{DEFAULT_SUFFIX}").remove('aci', f'(targetattr ="userpassword")' f'(version 3.0;acl ' f'"Allow passwords admin to add user ' f'passwords";allow ' f'(add)(groupdn = ' f'"ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)') # Delete a user from password admin group grp = UniqueGroup(topo.standalone, f'cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}') grp.remove('uniqueMember', f'uid=pwadm_admin_2,ou=People,{DEFAULT_SUFFIX}') # Change users password by ex-admin user with pytest.raises(ldap.INSUFFICIENT_ACCESS): change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'Secret')], f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}') # Set aci for only user people = Domain(topo.standalone, f"ou=People,{DEFAULT_SUFFIX}") people.remove('aci', f'(targetattr ="userpassword")(version 3.0;acl ' f'"Allow passwords admin to write user ' f'passwords";allow (write)(groupdn = "ldap:///cn=pwadm_group_adm,ou=Groups,{DEFAULT_SUFFIX}");)') people.set('aci', f'(targetattr ="userpassword")(version 3.0;acl "Allow passwords admin ' f'to write user passwords";allow (write)(groupdn = "ldap:///uid=pwadm_admin_1,{DEFAULT_SUFFIX}");)') # Remove group from password admin configuration Config(topo.standalone).replace('passwordAdminDN', f"uid=pwadm_admin_1,{DEFAULT_SUFFIX}") # Change user's password by ex-admin user with pytest.raises(ldap.INSUFFICIENT_ACCESS): change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'hellso')], f'uid=pwadm_user_2,ou=People,{DEFAULT_SUFFIX}') with pytest.raises(ldap.INSUFFICIENT_ACCESS): change_password_of_user(topo, [('uid=pwadm_admin_2,ou=People', 'Secret123', 'hellso')], f'uid=pwadm_admin_1,{DEFAULT_SUFFIX}')