Python Groups示例

示例#1

文件： dsidm_config_test.py 项目： zero804/389-ds-base

def test_dsidm_config_sssd(topology_st, set_log_file):
    """ Test dsidm creation of sssd.conf content

    :id: 77812ba6-b133-40f4-91a7-13309618f24d
    :setup: Standalone instance
    :steps:
         1. Run dsidm client_config sssd.conf
         2. Enable MemberOfPlugin
         3. Run dsidm client_config sssd.conf with allowed group
    :expectedresults:
         1. Success
         2. Success
         3. Success
    """

    standalone = topology_st.standalone

    sssd_content_list = [
        'Generated by 389 Directory Server - dsidm', 'id_provider = ldap',
        'auth_provider = ldap', 'access_provider = ldap',
        'chpass_provider = ldap', 'ldap_search_base = ' + DEFAULT_SUFFIX,
        'ldap_uri = ' + standalone.ldapuri, 'ldap_user_member_of = memberof',
        'ignore_group_members = False', '[sssd]',
        'services = nss, pam, ssh, sudo', 'config_file_version = 2',
        'domains = ldap', '[nss]', 'homedir_substring = /home'
    ]

    schema = 'ldap_schema = rfc2307'
    args = FakeArgs()
    args.allowed_group = None

    log.info('Create sssd.conf content')
    sssd_conf(standalone, DEFAULT_SUFFIX, log, args)

    log.info('Check if config creation was successful')
    check_value_in_log_and_reset(sssd_content_list, check_value=schema)

    log.info('Now we test allowed_group argument')
    log.info('Enable MemberOf plugin')
    plugin = MemberOfPlugin(standalone)
    plugin.enable()
    standalone.restart()

    log.info('Create test group')
    groups = Groups(standalone, DEFAULT_SUFFIX)
    test_group = groups.create(properties={
        "cn": "new_group",
        "description": "testgroup"
    })

    log.info('Create sssd.conf content with allowed group')
    filter_msg = [
        'ldap_access_filter = (memberOf={})'.format(test_group.dn),
        'ldap_schema = rfc2307bis'
    ]
    args.allowed_group = test_group.rdn
    sssd_conf(standalone, DEFAULT_SUFFIX, log, args)

    log.info('Check if config creation was successful')
    check_value_in_log_and_reset(sssd_content_list, filter_msg)

示例#2

文件： client_config.py 项目： edewata/389-ds-base

def display(inst, basedn, log, args):

    users = nsUserAccounts(inst, basedn)
    groups = Groups(inst, basedn)

    schema_type = "rfc2307"
    try:
        mo_plugin = MemberOfPlugin(inst)
        if mo_plugin.status():
            schema_type = "rfc2307bis"
    except:
        schema_type = "unknown - likely access denied to memberof plugin config"

    # Get required information
    print(
        DISPLAY_TEMPLATE.format(
            ldap_uri=inst.ldapuri,
            ldap_dns_uri=basedn_to_ldap_dns_uri(basedn),
            basedn=basedn,
            schema_type=schema_type,
            user_basedn=users._basedn,
            user_filter=users._get_objectclass_filter(),
            user_id_filter=users._get_selector_filter('<PARAM>'),
            group_basedn=groups._basedn,
            group_filter=groups._get_objectclass_filter(),
            group_id_filter=groups._get_selector_filter('<PARAM>'),
            uuid_attr='nsUniqueId',
            user_rdn=users._filterattrs[0],
            group_rdn=groups._filterattrs[0],
            group_member='member',
        ))

示例#3

文件： client_config.py 项目： vashirov/389-ds-base

def sssd_conf(inst, basedn, log, args):

    schema_type = "rfc2307"
    try:
        mo_plugin = MemberOfPlugin(inst)
        if mo_plugin.status():
            schema_type = "rfc2307bis"
    except:
        schema_type = "unknown - likely access denied to memberof plugin config"

    ldap_access_filter = "# ldap_access_filter = (memberOf=<dn>)"
    if args.allowed_group:
        groups = Groups(inst, basedn)
        g_access = groups.get(args.allowed_group)
        ldap_access_filter = 'ldap_access_filter = (memberOf=%s)' % g_access.dn

    ldap_uri_warning = ""
    if inst.ldapuri.startswith("ldapi://"):
        ldap_uri_warning = "# ⚠️  WARNING: ldap_uri starts with ldapi:// - you should review this parameter"

    # Print a customised sssd.config.
    print(
        SSSD_CONF_TEMPLATE.format(basedn=basedn,
                                  schema_type=schema_type,
                                  ldap_uri=inst.ldapuri,
                                  ldap_access_filter=ldap_access_filter,
                                  ldap_uri_warning=ldap_uri_warning))

    # Print a customised sssd.conf to log for test purpose
    log.debug(
        SSSD_CONF_TEMPLATE.format(basedn=basedn,
                                  schema_type=schema_type,
                                  ldap_uri=inst.ldapuri,
                                  ldap_access_filter=ldap_access_filter,
                                  ldap_uri_warning=ldap_uri_warning))

示例#4

文件： ds_logs_test.py 项目： edewata/389-ds-base

def add_group_and_perform_user_operations(topology_st):
    topo = topology_st.standalone

    # Add the automember group
    groups = Groups(topo, DEFAULT_SUFFIX)
    group = groups.create(properties={'cn': 'group'})

    ous = OrganizationalUnits(topo, DEFAULT_SUFFIX)
    branch1 = ous.create(properties={'ou': 'branch1'})

    # Add the automember config entry
    am_configs = AutoMembershipDefinitions(topo)
    am_config = am_configs.create(properties={'cn': 'config',
                                              'autoMemberScope': branch1.dn,
                                              'autoMemberFilter': 'objectclass=top',
                                              'autoMemberDefaultGroup': group.dn,
                                              'autoMemberGroupingAttr': 'member:dn'})

    # Add a user that should get added to the group
    users = UserAccounts(topo, DEFAULT_SUFFIX, rdn='ou={}'.format(branch1.rdn))
    test_user = users.create_test_user(uid=777)

    # Check if created user is group member
    assert test_user.dn in group.list_members()

    log.info('Renaming user')
    test_user.rename('uid=new_test_user_777', newsuperior=SUFFIX)

    log.info('Delete the user')
    delete_obj(test_user)

    log.info('Delete automember entry, org. unit and group for the next test')
    delete_obj(am_config)
    delete_obj(branch1)
    delete_obj(group)

示例#5

文件： regression_test.py 项目： vashirov/389-ds-base

def add_a_group_with_users(request, topo):
    """
    Add a group and users, which are members of this group.
    """
    groups = Groups(topo.standalone, DEFAULT_SUFFIX, rdn=None)
    group = groups.create(properties={'cn': 'test_group'})
    users_list = []
    users_num = 100
    users = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=None)
    for num in range(users_num):
        USER_NAME = f'test_{num}'
        user = users.create(
            properties={
                'uid': USER_NAME,
                'sn': USER_NAME,
                'cn': USER_NAME,
                'uidNumber': f'{num}',
                'gidNumber': f'{num}',
                'homeDirectory': f'/home/{USER_NAME}'
            })
        users_list.append(user)
        group.add_member(user.dn)

    def fin():
        """
        Removes group and users.
        """
        # If the server crashed, start it again to do the cleanup
        if not topo.standalone.status():
            topo.standalone.start()
        for user in users_list:
            user.delete()
        group.delete()

    request.addfinalizer(fin)

示例#6

def test_newly_added_attribute_nsds5replicatedattributelisttotal(
        _create_entries, _add_user_clean):
    """This test case is to test the newly added attribute nsds5replicatedattributelistTotal.

    :id: 2df5971c-38eb-11ea-9e8e-8c16451d917b
    :setup: Supplier and Consumer
    :steps:
        1. Enabling memberOf plugin and then adding few groups with member attributes.
        2. No memberOf plugin enabled on read only replicas
        3. The attributes mentioned in the nsds5replicatedattributelist
           excluded from incremental updates.
    :expected results:
        1. Success
        2. Success
        3. Success
    """
    check_all_replicated()
    user = f'uid=test_user_1000,ou=People,{DEFAULT_SUFFIX}'
    for instance in (SUPPLIER1, SUPPLIER2, CONSUMER1, CONSUMER2):
        g = Groups(instance, DEFAULT_SUFFIX).get('bug739172_01group')
        assert g.get_attr_val_utf8("member") == user
        assert UserAccount(instance,
                           user).get_attr_val_utf8("sn") == "test_user_1000"
    # The attributes mentioned in the nsds5replicatedattributelist
    # excluded from incremental updates.
    for instance in (CONSUMER1, CONSUMER2):
        for value in ("roomnumber", "manager", "telephoneNumber"):
            assert not UserAccount(instance, user).get_attr_val_utf8(value)

示例#7

文件： automember_mod_test.py 项目： zero804/389-ds-base

def automember_fixture(topo, request):
    # Create group
    groups = []
    group_obj = Groups(topo.standalone, DEFAULT_SUFFIX)
    groups.append(group_obj.create(properties={'cn': 'testgroup'}))
    groups.append(group_obj.create(properties={'cn': 'testgroup2'}))
    groups.append(group_obj.create(properties={'cn': 'testgroup3'}))

    # Create test user
    user_accts = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
    user = user_accts.create_test_user()

    # Create automember definitions and regex rules
    automember_prop = {
        'cn': 'testgroup_definition',
        'autoMemberScope': DEFAULT_SUFFIX,
        'autoMemberFilter': 'objectclass=posixaccount',
        'autoMemberDefaultGroup': groups[0].dn,
        'autoMemberGroupingAttr': 'member:dn',
    }
    automembers = AutoMembershipDefinitions(topo.standalone)
    auto_def = automembers.create(properties=automember_prop)
    auto_def.add_regex_rule("regex1", groups[1].dn, include_regex=['cn=mark.*'])
    auto_def.add_regex_rule("regex2", groups[2].dn, include_regex=['cn=simon.*'])

    # Enable plugin
    automemberplugin = AutoMembershipPlugin(topo.standalone)
    automemberplugin.enable()
    topo.standalone.restart()

    return (user, groups)

示例#8

文件： misc_test.py 项目： tbordaz/389-ds-base

def test_memberurl_needs_to_be_normalized(topo, clean, aci_of_user):
    """Non-regression test for BUG 326000: MemberURL needs to be normalized

    :id: a5d172e6-7db8-11e8-aca7-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    ou_ou = OrganizationalUnit(topo.standalone,
                               "ou=PEOPLE,{}".format(DEFAULT_SUFFIX))
    ou_ou.set(
        'aci', '(targetattr= *)'
        '(version 3.0; acl "tester"; allow(all) '
        'groupdn = "ldap:///cn =DYNGROUP,ou=PEOPLE, {}";)'.format(
            DEFAULT_SUFFIX))

    groups = Groups(topo.standalone, DEFAULT_SUFFIX, rdn='ou=PEOPLE')
    groups.create(
        properties={
            "cn":
            "DYNGROUP",
            "description":
            "DYNGROUP",
            'objectClass':
            'groupOfURLS',
            'memberURL':
            "ldap:///ou=PEOPLE,{}??sub?"
            "(uid=test_user_2)".format(DEFAULT_SUFFIX)
        })

    uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
    for demo1 in [(1, "Entry to test rights on."), (2, "Member of DYNGROUP")]:
        user = uas.create_test_user(uid=demo1[0], gid=demo1[0])
        user.replace_many(('description', demo1[1]), ('userPassword', PW_DM))

    ##with normal aci
    conn = UserAccount(topo.standalone, uas.list()[1].dn).bind(PW_DM)
    harry = UserAccount(conn, uas.list()[1].dn)
    harry.add('sn', 'FRED')

    ##with abnomal aci
    dygrp = Group(topo.standalone, DYNGROUP)
    dygrp.remove(
        'memberurl',
        "ldap:///ou=PEOPLE,{}??sub?(uid=test_user_2)".format(DEFAULT_SUFFIX))
    dygrp.add(
        'memberurl',
        "ldap:///ou=PEOPLE,{}??sub?(uid=tesT_UsEr_2)".format(DEFAULT_SUFFIX))
    harry.add('sn', 'Not FRED')

    for i in uas.list():
        i.delete()

示例#9

def add_group(server, cn, subtree):
    group = Groups(server, subtree, rdn=None)
    group.create(
        properties={
            'cn': "%s" % cn,
            'member':
            ['uid=test_m1,%s' % SUBTREE_1,
             'uid=test_m2,%s' % SUBTREE_1],
            'description': 'group'
        })

示例#10

文件： config_test.py 项目： zero804/389-ds-base

def test_require_internal_index(topo):
    """Test nsslapd-ignore-virtual-attrs configuration attribute

    :id: 22b94f30-59e3-4f27-89a1-c4f4be036f7f
    :setup: Standalone instance
    :steps:
        1. Set "nsslapd-require-internalop-index" to "on"
        2. Enable RI plugin, and configure it to use an attribute that is not indexed
        3. Create a user and add it a group
        4. Deleting user should be rejected as the RI plugin issues an
        unindexed internal search
    :expectedresults:
        1. Success
        2. Success
        3. Success
        4. Success
    """
    # Set the config
    be_insts = Backends(topo.standalone).list()
    for be in be_insts:
        if be.get_attr_val_utf8_l('nsslapd-suffix') == DEFAULT_SUFFIX:
            be.set('nsslapd-require-index', 'off')
            be.set('nsslapd-require-internalop-index', 'on')

    # Configure RI plugin
    rip = ReferentialIntegrityPlugin(topo.standalone)
    rip.set('referint-membership-attr', 'description')
    rip.enable()

    # Create a bunch of users
    db_cfg = DatabaseConfig(topo.standalone)
    db_cfg.set([('nsslapd-idlistscanlimit', '100')])
    users = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
    for i in range(102, 202):
        users.create_test_user(uid=i)

    # Create user and group
    user = users.create(properties={
        'uid': 'indexuser',
        'cn' : 'indexuser',
        'sn' : 'user',
        'uidNumber' : '1010',
        'gidNumber' : '2010',
        'homeDirectory' : '/home/indexuser'
    })
    groups = Groups(topo.standalone, DEFAULT_SUFFIX)
    group = groups.create(properties={'cn': 'group',
                                      'member': user.dn})

    # Restart the server
    topo.standalone.restart()

    # Deletion of user should be rejected
    with pytest.raises(ldap.UNWILLING_TO_PERFORM):
        user.delete()

示例#11

def test_users_and_groups(topology):
    """
    Ensure that user and group management works as expected.
    """
    if DEBUGGING:
        # Add debugging steps(if any)...
        pass

    users = UserAccounts(topology.standalone, DEFAULT_SUFFIX)
    groups = Groups(topology.standalone, DEFAULT_SUFFIX)

    # No user should exist

    assert(len(users.list()) == 0)

    # Create a user

    users.create(properties=TEST_USER_PROPERTIES)

    assert(len(users.list()) == 1)

    testuser = users.get('testuser')

    # Set password
    testuser.set('userPassword', 'password')
    # bind

    conn = testuser.bind('password')
    conn.unbind_s()

    # create group
    group_properties = {
        'cn' : 'group1',
        'description' : 'testgroup'
    }

    group = groups.create(properties=group_properties)

    # user shouldn't be a member
    assert(not group.is_member(testuser.dn))

    # add user as member
    group.add_member(testuser.dn)
    # check they are a member
    assert(group.is_member(testuser.dn))
    # remove user from group
    group.remove_member(testuser.dn)
    # check they are not a member
    assert(not group.is_member(testuser.dn))

    group.delete()
    testuser.delete()

    log.info('Test PASSED')

示例#12

文件： user_compare_st_test.py 项目： nextoa/389-ds-base

def test_user_compare(topology):
    """
    Testing compare function
    1. Testing comparison of two different users.
    2. Testing comparison of 'str' object with itself, should raise 'ValueError'.
    3. Testing comparison of user with similar user (different object id).
    4. Testing comparison of user with group.
    """
    if DEBUGGING:
        # Add debugging steps(if any)...
        pass

    users = UserAccounts(topology.standalone, DEFAULT_SUFFIX)
    groups = Groups(topology.standalone, DEFAULT_SUFFIX)
    # Create 1st user
    user1_properties = {
        'uid': 'testuser1',
        'cn': 'testuser1',
        'sn': 'user',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/testuser1'
    }

    users.create(properties=user1_properties)
    testuser1 = users.get('testuser1')
    # Create 2nd user
    user2_properties = {
        'uid': 'testuser2',
        'cn': 'testuser2',
        'sn': 'user',
        'uidNumber': '1001',
        'gidNumber': '2002',
        'homeDirectory': '/home/testuser2'
    }

    users.create(properties=user2_properties)
    testuser2 = users.get('testuser2')
    # create group
    group_properties = {'cn': 'group1', 'description': 'testgroup'}

    testuser1_copy = users.get("testuser1")
    group = groups.create(properties=group_properties)

    assert (UserAccount.compare(testuser1, testuser2) == False)

    with pytest.raises(ValueError):
        UserAccount.compare("test_str_object", "test_str_object")

    assert (UserAccount.compare(testuser1, testuser1_copy) == True)
    assert (UserAccount.compare(testuser1, group) == False)

    log.info("Test PASSED")

示例#13

def test_betxn_modrdn_memberof_cache_corruption(topology_st):
    """Test modrdn operations and memberOf be txn post op failures

    :id: 70d0b96e-b693-4bf7-bbf5-102a66ac5994

    :setup: Standalone instance

    :steps: 1. Enable and configure memberOf plugin
            2. Set memberofgroupattr="member" and memberofAutoAddOC="nsContainer"
            3. Create group and user outside of memberOf plugin scope
            4. Do modrdn to move group into scope
            5. Do modrdn to move group into scope (again)

    :expectedresults:
            1. memberOf plugin plugin should be ON
            2. Set memberofgroupattr="member" and memberofAutoAddOC="nsContainer" should PASS
            3. Creating group and user should PASS
            4. Modrdn should fail with objectclass violation
            5. Second modrdn should also fail with objectclass violation
    """

    peoplebase = 'ou=people,%s' % DEFAULT_SUFFIX
    memberof = MemberOfPlugin(topology_st.standalone)
    memberof.enable()
    memberof.set_autoaddoc('nsContainer')  # Bad OC
    memberof.set('memberOfEntryScope', peoplebase)
    memberof.set('memberOfAllBackends', 'on')
    topology_st.standalone.restart()

    groups = Groups(topology_st.standalone, DEFAULT_SUFFIX)
    group = groups.create(properties={
        'cn': 'group',
    })

    # Create user and add it to group
    users = UserAccounts(topology_st.standalone, basedn=DEFAULT_SUFFIX)
    user = users.ensure_state(properties=TEST_USER_PROPERTIES)
    if not ds_is_older('1.3.7'):
        user.remove('objectClass', 'nsMemberOf')

    group.add_member(user.dn)

    # Attempt modrdn that should fail, but the original entry should stay in the cache
    with pytest.raises(ldap.OBJECT_CLASS_VIOLATION):
        group.rename('cn=group_to_people', newsuperior=peoplebase)

    # Should fail, but not with NO_SUCH_OBJECT as the original entry should still be in the cache
    with pytest.raises(ldap.OBJECT_CLASS_VIOLATION):
        group.rename('cn=group_to_people', newsuperior=peoplebase)

    # Done
    log.info('test_betxn_modrdn_memberof: PASSED')

示例#14

文件： search_real_test.py 项目： zero804/389-ds-base

def test_deny_read_access_to_multiple_groupdns(topo, test_uer, aci_of_user):
    """Search Test 6 Deny read access to multiple groupdn's

    :id: 8f3ba440-6e11-11e8-8b20-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Add Entry
        2. Add ACI
        3. Bind with test USER_ANUJ
        4. Try search
        5. Delete Entry,test USER_ANUJ, ACI
    :expectedresults:
        1. Operation should success
        2. Operation should success
        3. Operation should success
        4. Operation should Fail
        5. Operation should success
    """
    groups = Groups(topo.standalone, DEFAULT_SUFFIX)
    group = groups.create(properties={
        "cn": "group1",
        "description": "testgroup"
    })
    group.add_member(USER_ANANDA)

    posix_groups = PosixGroups(topo.standalone, DEFAULT_SUFFIX)
    posix_group = posix_groups.create(properties={
        "cn": "group2",
        "description": "testgroup2",
        "gidNumber": "2000",
    })
    posix_group.add_member(USER_ANUJ)

    ACI_TARGET = '(targetattr="*")'
    ACI_ALLOW = '(version 3.0; acl "All rights for cn=group1,ou=Groups,{}"; deny(read)'.format(
        DEFAULT_SUFFIX)
    ACI_SUBJECT = 'groupdn="ldap:///cn=group1,ou=Groups,{}||ldap:///cn=group2,ou=Groups,{}";)'.format(
        DEFAULT_SUFFIX, DEFAULT_SUFFIX)
    ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
    conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
    # aci will block 'groupdn="ldap:///cn=group1,ou=Groups,dc=example,dc=com||ldap:///cn=group2,ou=Groups,dc=example,dc=com";)
    assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
    conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
    # aci will block 'groupdn="ldap:///cn=group1,ou=Groups,dc=example,dc=com||ldap:///cn=group2,ou=Groups,dc=example,dc=com";)
    assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
    # with root there is no aci blockage
    assert 5 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
    group = groups.get("group1")
    group.delete()
    posix_groups.get("group2")
    posix_group.delete()

示例#15

def assert_data_present(inst):
    # Do we have the backend marker?
    d = Domain(inst, DEFAULT_SUFFIX)
    try:
        desc = d.get_attr_val_utf8('description')
        if desc == TEST_MARKER:
            return
    except:
        # Just reset everything.
        pass
    # Reset the backends
    bes = Backends(inst)
    try:
        be = bes.get(DEFAULT_SUFFIX)
        be.delete()
    except:
        pass

    be = bes.create(properties={
        'nsslapd-suffix': DEFAULT_SUFFIX,
        'cn': 'userRoot',
    })
    be.create_sample_entries('001004002')

    # Load our data
    # We can't use dbgen as that relies on local access :(

    # Add 40,000 groups
    groups = Groups(inst, DEFAULT_SUFFIX)
    for i in range(1, GROUP_MAX):
        rdn = 'group_{0:07d}'.format(i)
        groups.create(properties={
            'cn': rdn,
        })

    # Add 60,000 users
    users = nsUserAccounts(inst, DEFAULT_SUFFIX)
    for i in range(1, USER_MAX):
        rdn = 'user_{0:07d}'.format(i)
        users.create(
            properties={
                'uid': rdn,
                'cn': rdn,
                'displayName': rdn,
                'uidNumber': '%s' % i,
                'gidNumber': '%s' % i,
                'homeDirectory': '/home/%s' % rdn,
                'userPassword': rdn,
            })

    # Add the marker
    d.replace('description', TEST_MARKER)

示例#16

def test_scheme_violation_errors_logged(topo_m2):
    """Check that ERR messages are verbose enough, if a member entry
    doesn't have the appropriate objectclass to support 'memberof' attribute

    :id: e2af0aaa-447e-4e85-a5ce-57ae66260d0b
    :setup: Standalone instance
    :steps:
        1. Enable memberofPlugin and set autoaddoc to nsMemberOf
        2. Restart the instance
        3. Add a user without nsMemberOf attribute
        4. Create a group and add the user to the group
        5. Check that user has memberOf attribute
        6. Check the error log for ".*oc_check_allowed_sv.*USER_DN.*memberOf.*not allowed.*"
           and ".*schema violation caught - repair operation.*" patterns
    :expectedresults:
        1. Should be successful
        2. Should be successful
        3. Should be successful
        4. Should be successful
        5. User should have the attribute
        6. Errors should be logged
    """

    inst = topo_m2.ms["master1"]
    memberof = MemberOfPlugin(inst)
    memberof.enable()
    memberof.set_autoaddoc('nsMemberOf')
    inst.restart()

    users = UserAccounts(inst, SUFFIX)
    user_props = TEST_USER_PROPERTIES.copy()
    user_props.update({'uid': USER_CN, 'cn': USER_CN, 'sn': USER_CN})
    testuser = users.create(properties=user_props)
    testuser.remove('objectclass', 'nsMemberOf')

    groups = Groups(inst, SUFFIX)
    testgroup = groups.create(properties={'cn': GROUP_CN})

    testgroup.add('member', testuser.dn)

    user_memberof_attr = testuser.get_attr_val_utf8('memberof')
    assert user_memberof_attr
    log.info('memberOf attr value - {}'.format(user_memberof_attr))

    pattern = ".*oc_check_allowed_sv.*{}.*memberOf.*not allowed.*".format(
        testuser.dn)
    log.info("pattern = %s" % pattern)
    assert inst.ds_error_log.match(pattern)

    pattern = ".*schema violation caught - repair operation.*"
    assert inst.ds_error_log.match(pattern)

示例#17

文件： deladd_test.py 项目： tbordaz/389-ds-base

    def fin():
        """
        Deletes entries after the test.
        """
        users1 = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=None)
        for dn_dn in users1.list():
            dn_dn.delete()

        groups = Groups(topo.standalone, DEFAULT_SUFFIX)
        for dn_dn in groups.list():
            dn_dn.delete()

        ou_ou = OrganizationalUnit(topo.standalone, f'ou=Accounting,{DEFAULT_SUFFIX}')
        ou_ou.delete()

示例#18

文件： entryusn_test.py 项目： vashirov/389-ds-base

def setup(topology_st, request):
    """
    Enable USN plug-in
    Enable MEMBEROF plugin
    Add test entries
    """

    inst = topology_st.standalone

    log.info("Enable the USN plugin...")
    plugin = USNPlugin(inst)
    plugin.enable()

    log.info("Enable the MEMBEROF plugin...")
    plugin = MemberOfPlugin(inst)
    plugin.enable()

    inst.restart()

    users_list = []
    log.info("Adding test entries...")
    users = UserAccounts(inst, DEFAULT_SUFFIX)
    for id in range(USER_NUM):
        user = users.create_test_user(uid=id)
        users_list.append(user)

    groups_list = []
    log.info("Adding test groups...")
    groups = Groups(inst, DEFAULT_SUFFIX)
    for id in range(GROUP_NUM):
        group = groups.create(properties={'cn': f'test_group{id}'})
        groups_list.append(group)

    def fin():
        for user in users_list:
            try:
                user.delete()
            except ldap.NO_SUCH_OBJECT:
                pass
        for group in groups_list:
            try:
                group.delete()
            except ldap.NO_SUCH_OBJECT:
                pass
    request.addfinalizer(fin)

    return {"users": users_list,
            "groups": groups_list}

示例#19

文件： fractional_test.py 项目： tbordaz/389-ds-base

def test_attribute_nsds5replicatedattributelisttotal(_create_entries,
                                                     _add_user_clean):
    """This test case is to test the newly added attribute nsds5replicatedattributelistTotal.

    :id: 35de9ff0-38eb-11ea-b420-8c16451d917b
    :setup: Master and Consumer
    :steps:
        1. Add a new entry to MASTER1.
        2. Enabling memberOf plugin and then adding few groups with member attributes.
        3. No memberOf plugin enabled in other consumers,ie., the read only replicas
           won't get incremental updates for the attributes mentioned in the list.
        4. Run total update and verify the same attributes added/modified in the read-only replicas.
    :expected results:
        1. Success
        2. Success
        3. Success
        4. Success
    """
    # Run total update and verify the same attributes added/modified in the read-only replicas.
    user = f'uid=test_user_1000,ou=People,{DEFAULT_SUFFIX}'
    for agreement in Agreements(MASTER1).list():
        agreement.begin_reinit()
        agreement.wait_reinit()
    check_all_replicated()
    for instance in (MASTER1, MASTER2):
        assert Groups(
            MASTER1,
            DEFAULT_SUFFIX).list()[0].get_attr_val_utf8("member") == user
        assert UserAccount(instance,
                           user).get_attr_val_utf8("sn") == "test_user_1000"
    for instance in (CONSUMER1, CONSUMER2):
        for value in ("memberOf", "manager", "sn"):
            assert UserAccount(instance, user).get_attr_val_utf8(value)

示例#20

文件： fractional_test.py 项目： tbordaz/389-ds-base

def _add_user_clean(request):
    # Enabling memberOf plugin and then adding few groups with member attributes.
    MemberOfPlugin(MASTER1).enable()
    for instance in (MASTER1, MASTER2):
        instance.restart()
    user1 = UserAccounts(MASTER1, DEFAULT_SUFFIX).create_test_user()
    for attribute, value in [("displayName", "Anuj Borah"),
                             ("givenName", "aborah"),
                             ("telephoneNumber", "+1 555 999 333"),
                             ("roomnumber", "123"),
                             ("manager",
                              f'uid=dsmith,ou=People,{DEFAULT_SUFFIX}')]:
        user1.set(attribute, value)
    grp = Groups(MASTER1, DEFAULT_SUFFIX).create(
        properties={
            "cn": "bug739172_01group",
            "member": f'uid=test_user_1000,ou=People,{DEFAULT_SUFFIX}'
        })

    def final_call():
        """
        Removes User and Group after the test.
        """
        user1.delete()
        grp.delete()

    request.addfinalizer(final_call)

示例#21

文件： acceptance_test.py 项目： zero804/389-ds-base

def test_group_aci_entry_exists(topo,create_user):
    """This test case adds the groupdn aci and check ger contains 'vadn'

    :id: 1d73f715-e4b3-4ed6-a93b-9d529898ca78
    :setup: Standalone instance
    :steps:
        1. Create a group.
        2. Add the user as member into the group.
        3. Apply the ACI which will give the group full rights.
        4. Check entryLevelRights value for entries.
        5. Check 'vadn' is in the entryLevelRights.
    :expectedresults:
        1. It should pass
        2. It should pass
        3. It should pass
        4. It should pass
        5. It should pass
    """
    (test_user,request_ctrl) = create_user
    log.info('Adding group {}'.format(TEST_GROUP_NAME))
    groups = Groups(topo.standalone, DEFAULT_SUFFIX, rdn=None)
    group_properties = {
        'cn': TEST_GROUP_NAME,
        'description': 'testgroup'}
    test_group = groups.create(properties=group_properties)
    test_group.add_member(test_user.dn)
    suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
    ACI_TARGET = '(targetattr="*")'
    ACI_TARGET_FILTER = '(targetfilter ="(objectClass=person)")'
    ACI_ALLOW = '(version 3.0; acl "give group1 full rights"; allow (all) '
    ACI_SUBJECT = 'groupdn = "ldap:///{}";)'.format(test_group.dn)
    ACI_BODY = ACI_TARGET + ACI_TARGET_FILTER + ACI_ALLOW + ACI_SUBJECT
    log.info("Add an ACI granting add access to a user matching the groupdn")
    suffix.add('aci', ACI_BODY)
    entries = topo.standalone.search_ext('{}'.format(test_user.dn),
                                         ldap.SCOPE_SUBTREE,
                                         "objectclass=person",
                                         serverctrls=[request_ctrl])

    rtype, rdata, rmsgid, response_ctrl = topo.standalone.result3(entries)
    for dn, attrs in rdata:
        topo.standalone.log.info("dn: %s" % dn)
        value = attrs['entryLevelRights'][0]
        topo.standalone.log.info("########  entryLevelRights: %r" % value)
        assert b'vadn' in value

示例#22

def test_mul_derive_mult_dn(topology_st):
    """Test that with multiple cn we derive rdn correctly.

    :id: 1e1f5483-bfad-4f73-9dfb-aec54d08b268

    :setup: standalone instance

    :steps: 1. Create with multiple cn

    :expectedresults: 1. Create success
    """
    gps = Groups(topology_st.standalone, DEFAULT_SUFFIX)
    gp = gps.create(properties={
        'cn': ['test_mul_derive_mult_dn', 'test_mul_derive_single_dn'],
    })
    assert gp.dn.lower(
    ) == f'cn=test_mul_derive_mult_dn,ou=groups,{DEFAULT_SUFFIX}'.lower()
    gp.delete()

示例#23

def test_mul_derive_single_dn(topology_st):
    """Test that with single cn we derive rdn correctly.

    :id: f34f271a-ca57-4aa0-905a-b5392ce06c79

    :setup: standalone instance

    :steps: 1. Create with single cn

    :expectedresults: 1. Create success
    """
    gps = Groups(topology_st.standalone, DEFAULT_SUFFIX)
    gp = gps.create(properties={
        'cn': ['test_mul_derive_single_dn'],
    })
    assert gp.dn.lower(
    ) == f'cn=test_mul_derive_single_dn,ou=groups,{DEFAULT_SUFFIX}'.lower()
    gp.delete()

示例#24

def test_betxn_memberof(topology_st):
    """Test PLUGIN_MEMBER_OF plugin

    :id: 70d0b96e-b693-4bf7-bbf5-102a66ac5993

    :setup: Standalone instance and enabled dynamic plugins

    :steps: 1. Enable and configure memberOf plugin
            2. Set memberofgroupattr="member" and memberofAutoAddOC="referral"
            3. Add two test groups - group1 and group2
            4. Add group2 to group1
            5. Add group1 to group2

    :expectedresults:
            1. memberOf plugin plugin should be ON
            2. Set memberofgroupattr="member" and memberofAutoAddOC="referral" should PASS
            3. Add operation should PASS
            4. Add operation should FAIL
            5. Add operation should FAIL
    """

    memberof = MemberOfPlugin(topology_st.standalone)
    memberof.enable()
    memberof.set_autoaddoc('referral')
    topology_st.standalone.restart()

    groups = Groups(topology_st.standalone, DEFAULT_SUFFIX)
    group1 = groups.create(properties={'cn': 'group1'})
    group2 = groups.create(properties={'cn': 'group2'})

    # We may need to mod groups to not have nsMemberOf ... ?
    if not ds_is_older('1.3.7'):
        group1.remove('objectClass', 'nsMemberOf')
        group2.remove('objectClass', 'nsMemberOf')

    # Add group2 to group1 - it should fail with objectclass violation
    with pytest.raises(ldap.OBJECT_CLASS_VIOLATION):
        group1.add_member(group2.dn)

    # verify entry cache reflects the current/correct state of group1
    assert not group1.is_member(group2.dn)

    # Done
    log.info('test_betxn_memberof: PASSED')

示例#25

def test_deny_read_access_to_dynamic_group_with_host_port_set_on_ldap_url(
        topo, test_uer, aci_of_user):
    """Search Test 27 Deny read access to dynamic group with host:port set on LDAP URL

    :id: ceb62158-6e12-11e8-8c36-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Add Entry
        2. Add ACI
        3. Bind with test USER_ANUJ
        4. Try search
        5. Delete Entry,test USER_ANUJ, ACI
    :expectedresults:
        1. Operation should success
        2. Operation should success
        3. Operation should success
        4. Operation should Fail
        5. Operation should success
    """
    groups = Groups(topo.standalone, DEFAULT_SUFFIX)
    group = groups.create(properties={
        "cn": "group1",
        "description": "testgroup"
    })
    group.add('objectClass', 'groupOfURLS')
    group.set(
        'memberURL',
        "ldap:///localhost:38901/{}??sub?(&(ou=Accounting)(cn=Sam*))".format(
            DEFAULT_SUFFIX))
    group.add_member(USER_ANANDA)

    ACI_TARGET = '(target = ldap:///{})(targetattr = "*")'.format(
        DEFAULT_SUFFIX)
    ACI_ALLOW = '(version 3.0; acl "All rights for %s"; deny(read)' % "Unknown"
    ACI_SUBJECT = 'groupdn = "ldap:///cn=group1,ou=Groups,{}";)'.format(
        DEFAULT_SUFFIX)
    ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
    conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
    # aci will block 'memberURL', "ldap:///localhost:38901/dc=example,dc=com??sub?(&(ou=Accounting)(cn=Sam*))"
    assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
    # with root there is no aci blockage
    assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
    group.delete()

示例#26

文件： memberof_include_scopes_test.py 项目： vashirov/389-ds-base

def add_member_and_group(server, cn, group_cn, subtree):
    users = UserAccounts(server, subtree, rdn=None)
    users.create(
        properties={
            'uid': f'test_{cn}',
            'cn': f'test_{cn}',
            'sn': f'test_{cn}',
            'description': 'member',
            'uidNumber': '1000',
            'gidNumber': '2000',
            'homeDirectory': '/home/testuser'
        })
    group = Groups(server, subtree, rdn=None)
    group.create(
        properties={
            'cn': group_cn,
            'member': f'uid=test_{cn},{subtree}',
            'description': 'group'
        })

示例#27

def test_allow_delete_access_not_to_dynamic_group(topo, _add_user,
                                                  _aci_of_user):
    """
    Test to  Allow delete access to != dynamic group
    :id: 14ffa452-68ed-11e8-a60d-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Add ACI that delete access to != dynamic group
        3. Delete something using test USER_DELADD
        4. Remove ACI
    :expectedresults:
        1. Entry should be added
        2. ACI should be added
        3. Operation should  not succeed
        4. Delete operation for ACI should succeed
    """
    # Create dynamic group
    groups = Groups(topo.standalone, DEFAULT_SUFFIX)
    group = groups.create(properties={
        "cn": "group1",
        "description": "testgroup"
    })
    group.add("objectclass", "groupOfURLs")
    group.add(
        "memberURL",
        f'ldap:///{DEFAULT_SUFFIX}??sub?(&(objectclass=person)(cn=test_user_1000))'
    )

    # Set ACI
    Domain(topo.standalone, DEFAULT_SUFFIX).\
        add("aci", f'(target = ldap:///{DEFAULT_SUFFIX})'
                   f'(targetattr=*)(version 3.0; acl "$tet_thistest"; '
                   f'allow (delete) (groupdn != "ldap:///{group.dn}"); )')

    # create connection with USER_WITH_ACI_DELADD
    conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
    user = UserAccount(conn, USER_DELADD)

    # Perform Allow delete access to != dynamic group
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        user.delete()

示例#28

文件： automember_abort_test.py 项目： vashirov/389-ds-base

def automember_fixture(topo, request):
    # Create group
    group_obj = Groups(topo.standalone, DEFAULT_SUFFIX)
    automem_group = group_obj.create(properties={'cn': 'testgroup'})

    # Create users
    users = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=None)
    NUM_USERS = 1000
    for num in range(NUM_USERS):
        num_ran = int(round(num))
        USER_NAME = 'test%05d' % num_ran
        users.create(
            properties={
                'uid': USER_NAME,
                'sn': USER_NAME,
                'cn': USER_NAME,
                'uidNumber': '%s' % num_ran,
                'gidNumber': '%s' % num_ran,
                'homeDirectory': '/home/%s' % USER_NAME,
                'mail': '*****@*****.**' % USER_NAME,
                'userpassword': '******' % num_ran,
            })

    # Create automember definitions and regex rules
    automember_prop = {
        'cn': 'testgroup_definition',
        'autoMemberScope': DEFAULT_SUFFIX,
        'autoMemberFilter': 'objectclass=posixaccount',
        'autoMemberDefaultGroup': automem_group.dn,
        'autoMemberGroupingAttr': 'member:dn',
    }
    automembers = AutoMembershipDefinitions(topo.standalone)
    auto_def = automembers.create(properties=automember_prop)
    auto_def.add_regex_rule("regex1",
                            automem_group.dn,
                            include_regex=['uid=.*'])

    # Enable plugin
    automemberplugin = AutoMembershipPlugin(topo.standalone)
    automemberplugin.enable()
    topo.standalone.restart()

示例#29

def test_allow_delete_access_to_dynamic_group_uid(topo, _add_user,
                                                  _aci_of_user, request):
    """Test to Allow delete access to dynamic group

    :id: 010a4f20-752a-4173-b763-f520c7a85b82
    :setup: server
    :steps:
        1. Add test entry
        2. Add ACI that Allow delete privilege to dynamic group
        3. Delete something using test USER_DELADD
        4. Remove ACI
    :expectedresults:
        1. Entry should be added
        2. ACI should be added
        3. Operation should   succeed
        4. Delete operation for ACI should succeed
    """
    # Create dynamic group
    groups = Groups(topo.standalone, DEFAULT_SUFFIX)
    group = groups.create(properties={
        "cn": "group1",
        "description": "testgroup"
    })

    group.add("objectclass", "groupOfURLs")
    group.add(
        "memberURL",
        f'ldap:///{DEFAULT_SUFFIX}??sub?(&(objectclass=person)(cn=test_user_1000))'
    )

    # Set ACI
    Domain(topo.standalone, DEFAULT_SUFFIX).\
        add("aci", f'(target = ldap:///{DEFAULT_SUFFIX})'
                   f'(targetattr="uid")(version 3.0; acl "{request.node.name}"; '
                   f'allow (delete) (groupdn = "ldap:///{group.dn}"); )')

    # create connection with USER_WITH_ACI_DELADD
    conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)

    # Perform Allow delete access to dynamic group
    UserAccount(conn, USER_DELADD).delete()

示例#30

def test_deny_read_access_to_a_dynamic_group(topo, test_uer, aci_of_user):
    """Search Test 26 Deny read access to a dynamic group

    :id: c0c5290e-6e12-11e8-a900-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Add Entry
        2. Add ACI
        3. Bind with test USER_ANUJ
        4. Try search
        5. Delete Entry,test USER_ANUJ, ACI
    :expectedresults:
        1. Operation should success
        2. Operation should success
        3. Operation should success
        4. Operation should Fail
        5. Operation should success
    """
    groups = Groups(topo.standalone, DEFAULT_SUFFIX)
    group_properties = {"cn": "group1", "description": "testgroup"}
    group = groups.create(properties=group_properties)
    group.add('objectClass', 'groupOfURLS')
    group.set(
        'memberURL',
        "ldap:///{}??sub?(&(ou=Accounting)(cn=Sam*))".format(DEFAULT_SUFFIX))
    group.add_member(USER_ANANDA)

    ACI_TARGET = '(target = ldap:///{})(targetattr = "*")'.format(
        DEFAULT_SUFFIX)
    ACI_ALLOW = '(version 3.0; acl "All rights for %s"; deny(read)' % "Unknown"
    ACI_SUBJECT = 'groupdn = "ldap:///cn=group1,ou=Groups,{}";)'.format(
        DEFAULT_SUFFIX)
    ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
    conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
    # aci will block all 'memberURL', "ldap:///{}??sub?(&(ou=Accounting)(cn=Sam*))".format(DEFAULT_SUFFIX)
    assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
    conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
    # USER_ANUJ is not a member
    assert 2 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
    group.delete()