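def test_undefined_in_group_eval_eleven(topo, test_user, aci_of_user):
    """
    Aci will not allow access as description is there with the user entry which is not allowed in ACI

    The ACI grants every right on all attributes only to binds for which
    ``userattr = "description#GROUPDN"`` does not hold. The target entry's
    ``description`` is loaded with two group DNs, and a write attempted over a
    connection bound as DEEPUSER_GLOBAL must be rejected with
    INSUFFICIENT_ACCESS.

    :id: 4cfa28e2-7841-11e8-8117-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Take a count of users using DN_DM
        3. Add test user
        4. add aci
        5. test should fulfil the aci rules
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
        4. Operation should succeed
        5. Operation should succeed
    """
    Domain(topo.standalone, DEFAULT_SUFFIX).add(
        "aci",
        '(targetattr=*)(version 3.0; aci "tester"; allow(all) not( userattr = "description#GROUPDN");)'
    )
    user = UserAccount(topo.standalone, DEEPGROUPSCRATCHENTRY_GLOBAL)
    user.add("description", [ALLGROUPS_GLOBAL, GROUPH_GLOBAL])
    try:
        conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
        # Test that not(UNDEFINED(attrval1))
        user1 = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
        # The denial is the security property under test: the write must not
        # go through on the connection bound as DEEPUSER_GLOBAL.
        with pytest.raises(ldap.INSUFFICIENT_ACCESS):
            user1.add("sn", "Fred1")
        # The entry is still readable over the original topo.standalone connection.
        assert user.get_attr_val_utf8('cn')
    finally:
        # Always strip the group DNs again. Without this a failed assertion
        # leaves them on the entry, where they can change how later access
        # control tests in the module evaluate.
        user.remove("description", [ALLGROUPS_GLOBAL, GROUPH_GLOBAL])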
def test_undefined_in_group_eval_eight(topo, test_user, aci_of_user):
    """
    Aci will not allow access as Group dn is not allowed so members will not allowed access.

    The ACI allows everything to binds whose ``groupdn`` is none of the three
    listed groups. A replace attempted over a connection bound as
    DEEPUSER3_GLOBAL is expected to be refused with INSUFFICIENT_ACCESS, while
    a read of ``uid`` over the same connection still returns the value.

    :id: 26ca7456-7841-11e8-801e-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Take a count of users using DN_DM
        3. Add test user
        4. add aci
        5. test should fulfil the aci rules
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
        4. Operation should succeed
        5. Operation should succeed
    """
    suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
    excluded_groups = (GROUPH_GLOBAL, GROUPA_GLOBAL, ALLGROUPS_GLOBAL)
    aci_rule = (
        '(targetattr=*)(version 3.0; aci "tester"; allow(all) groupdn != "ldap:///{} || ldap:///{} || ldap:///{}" ;)'
        .format(*excluded_groups)
    )
    suffix.add("aci", aci_rule)

    bound_conn = UserAccount(topo.standalone, DEEPUSER3_GLOBAL).bind(PW_DM)
    # test UNDEFINED in group
    scratch_entry = UserAccount(bound_conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
    # The write has to be denied ...
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        scratch_entry.replace("description", "Fred")
    # ... and the uid read over the same bound connection has to return the expected value.
    assert scratch_entry.get_attr_val_utf8('uid') == 'scratchEntry'
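def test_passwordexpirationtime_attribute(topo, _add_user):
    """Regression test for bz1118006.

    With ``passwordMustChange`` switched on, replacing a user's password over
    the topo.standalone connection must leave ``passwordExpirationTime`` at the
    epoch date.

    :id: 867472d2-473c-11ea-b583-8c16451d917b
    :setup: Standalone
    :steps:
        1. Check that the passwordExpirationTime attribute is set to the epoch date
    :expectedresults:
        1. Success
    """
    epoch_date = "19700101000000Z"
    config = Config(topo.standalone)
    config.replace('passwordMustChange', 'on')
    try:
        time.sleep(1)
        user = UserAccount(topo.standalone, f'uid=pwadm_user_1,{DEFAULT_SUFFIX}')
        user.replace('userpassword', 'Secret123')
        time.sleep(1)
        # Check that the passwordExpirationTime attribute is set to the epoch date
        assert user.get_attr_val_utf8('passwordExpirationTime') == epoch_date
    finally:
        # Restore the policy even when the assertion fails, so a regression
        # here does not leave passwordMustChange enabled for later tests.
        config.replace('passwordMustChange', 'off')
        time.sleep(1)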
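def test_gecos_directoryString_wins_M2(topo_m2, request):
    """Check that if initial syntax are IA5(M2) and DirectoryString(M1)
    Then directoryString wins when nsSchemaCSN M2 is the greatest

    :id: 2da7f1b1-f86d-4072-a940-ba56d4bc8348
    :setup: Two suppliers replication setup
    :steps:
        1. Create a testuser on M1
        2. Stop M1 and M2
        3. Change gecos def on M2 to be IA5
        4. Start M1 and M2
        5. Update M2 schema so that M2 has greatest nsSchemaCSN
        6. Update testuser on M2 and trigger replication to M1
        7. Update testuser on M1 with gecos directoryString value
        8. Check replication is still working
        9. Check gecos is DirectoryString on M1 and M2
    :expectedresults:
        1. success
        2. success
        3. success
        4. success
        5. success
        6. success
        7. success
        8. success
        9. success
    """
    repl = ReplicationManager(DEFAULT_SUFFIX)
    m1 = topo_m2.ms["supplier1"]
    m2 = topo_m2.ms["supplier2"]

    # Dummy attribute type added to M2 later on; defined here because the
    # finalizer registered below refers to it.
    new_at = "( dummy-oid NAME 'dummy' DESC 'dummy attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'RFC 2307' )"

    # create a test user
    testuser_dn = 'uid={},{}'.format('testuser', DEFAULT_SUFFIX)
    testuser = UserAccount(m1, testuser_dn)
    try:
        testuser.create(
            properties={
                'uid': 'testuser',
                'cn': 'testuser',
                'sn': 'testuser',
                'uidNumber': '1000',
                'gidNumber': '2000',
                'homeDirectory': '/home/testuser',
            })
    except ldap.ALREADY_EXISTS:
        pass

    def fin():
        """Remove the test data and put a default 99user.ldif back on M2."""
        m1.start()
        m2.start()
        try:
            testuser.delete()
            # Raises when the test failed before the dummy definition reached
            # M1; the error still surfaces at teardown, after the restore below.
            m1.schema.del_schema('attributetypes', ensure_bytes(new_at))
            repl.wait_for_replication(m1, m2)
        finally:
            # on M2 restore a default 99user.ldif
            m2.stop()
            os.remove(m2.schemadir + "/99user.ldif")
            schema_filename = (m2.schemadir + "/99user.ldif")
            try:
                with open(schema_filename, 'w') as schema_file:
                    schema_file.write("dn: cn=schema\n")
                # NOTE(review): 0o777 leaves the schema file world-writable
                # (and executable), so any local account could change what the
                # server loads at its next start. Presumably chosen so the
                # server account can use a file created by the test runner -
                # confirm, then prefer giving ownership to that account with a
                # tighter mode.
                os.chmod(schema_filename, 0o777)
            except OSError as e:
                log.fatal("Failed to update schema file: " +
                          "{} Error: {}".format(schema_filename, str(e)))
            m2.start()

    # Registered before any schema file is touched: a failing assertion below
    # must not leave M2 stopped or running with the altered, world-writable
    # 99user.ldif.
    request.addfinalizer(fin)

    testuser.replace('displayName', 'to trigger replication M1-> M2')
    repl.wait_for_replication(m1, m2)

    # Stop suppliers to update the schema
    m1.stop()
    m2.stop()

    # on M1: gecos is DirectoryString (default)
    # on M2: gecos is IA5
    schema_filename = (m2.schemadir + "/99user.ldif")
    try:
        with open(schema_filename, 'w') as schema_file:
            schema_file.write("dn: cn=schema\n")
            schema_file.write(
                "attributetypes: ( 1.3.6.1.1.1.1.2 NAME " +
                "'gecos' DESC 'The GECOS field; the common name' " +
                "EQUALITY caseIgnoreIA5Match " +
                "SUBSTR caseIgnoreIA5SubstringsMatch " +
                "SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 " +
                "SINGLE-VALUE )\n")
        # NOTE(review): same world-writable mode as in the finalizer; see the
        # comment there.
        os.chmod(schema_filename, 0o777)
    except OSError as e:
        # Only logged: if the write failed, the IA5 assertion below is what
        # reports the broken precondition.
        log.fatal("Failed to update schema file: " +
                  "{} Error: {}".format(schema_filename, str(e)))

    # start the instances
    m1.start()
    m2.start()

    # Check that gecos is IA5 on M2
    schema = SchemaLegacy(m2)
    attributetypes = schema.query_attributetype('gecos')
    assert attributetypes[0].syntax == "1.3.6.1.4.1.1466.115.121.1.26"

    # update M2 schema to increase its nsschemaCSN
    m2.schema.add_schema('attributetypes', ensure_bytes(new_at))

    # update just to trigger replication M2->M1
    # and update of M2 schema
    testuser_m2 = UserAccount(m2, testuser_dn)
    testuser_m2.replace('displayName', 'to trigger replication M2-> M1')

    # Add a gecos UTF value on M1
    testuser.replace('gecos', 'Hélène')

    # Check replication is still working
    testuser.replace('displayName', 'ascii value')
    repl.wait_for_replication(m1, m2)
    assert testuser_m2.exists()
    assert testuser_m2.get_attr_val_utf8('displayName') == 'ascii value'

    # Check that gecos is DirectoryString on M1
    schema = SchemaLegacy(m1)
    attributetypes = schema.query_attributetype('gecos')
    assert attributetypes[0].syntax == "1.3.6.1.4.1.1466.115.121.1.15"

    # Check that gecos is DirectoryString on M2
    schema = SchemaLegacy(m2)
    attributetypes = schema.query_attributetype('gecos')
    assert attributetypes[0].syntax == "1.3.6.1.4.1.1466.115.121.1.15"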
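def test_gecos_mixed_definition_topo(topo_m2, request):
    """Check that replication is still working if schema contains
    definitions that do not conform with a replicated entry

    :id: d5940e71-d18a-4b71-aaf7-b9185361fffe
    :setup: Two suppliers replication setup
    :steps:
        1. Create a testuser on M1
        2. Stop M1 and M2
        3. Change gecos def on M2 to be IA5
        4. Update testuser with gecos directoryString value
        5. Check replication is still working
    :expectedresults:
        1. success
        2. success
        3. success
        4. success
        5. success
    """
    repl = ReplicationManager(DEFAULT_SUFFIX)
    m1 = topo_m2.ms["supplier1"]
    m2 = topo_m2.ms["supplier2"]

    # create a test user
    testuser_dn = 'uid={},{}'.format('testuser', DEFAULT_SUFFIX)
    testuser = UserAccount(m1, testuser_dn)
    try:
        testuser.create(
            properties={
                'uid': 'testuser',
                'cn': 'testuser',
                'sn': 'testuser',
                'uidNumber': '1000',
                'gidNumber': '2000',
                'homeDirectory': '/home/testuser',
            })
    except ldap.ALREADY_EXISTS:
        pass

    def fin():
        """Remove the test user and put a default 99user.ldif back on M2."""
        m1.start()
        m2.start()
        try:
            testuser.delete()
            repl.wait_for_replication(m1, m2)
        finally:
            # on M2 restore a default 99user.ldif
            m2.stop()
            os.remove(m2.schemadir + "/99user.ldif")
            schema_filename = (m2.schemadir + "/99user.ldif")
            try:
                with open(schema_filename, 'w') as schema_file:
                    schema_file.write("dn: cn=schema\n")
                # NOTE(review): 0o777 leaves the schema file world-writable
                # (and executable), so any local account could change what the
                # server loads at its next start. Presumably chosen so the
                # server account can use a file created by the test runner -
                # confirm, then prefer giving ownership to that account with a
                # tighter mode.
                os.chmod(schema_filename, 0o777)
            except OSError as e:
                log.fatal("Failed to update schema file: " +
                          "{} Error: {}".format(schema_filename, str(e)))
            m2.start()
            m1.start()

    # Registered before any schema file is touched: a failing assertion below
    # must not leave M2 stopped or running with the altered, world-writable
    # 99user.ldif.
    request.addfinalizer(fin)

    repl.wait_for_replication(m1, m2)

    # Stop suppliers to update the schema
    m1.stop()
    m2.stop()

    # on M1: gecos is DirectoryString (default)
    # on M2: gecos is IA5
    schema_filename = (m2.schemadir + "/99user.ldif")
    try:
        with open(schema_filename, 'w') as schema_file:
            schema_file.write("dn: cn=schema\n")
            schema_file.write(
                "attributetypes: ( 1.3.6.1.1.1.1.2 NAME " +
                "'gecos' DESC 'The GECOS field; the common name' " +
                "EQUALITY caseIgnoreIA5Match " +
                "SUBSTR caseIgnoreIA5SubstringsMatch " +
                "SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 " +
                "SINGLE-VALUE )\n")
        # NOTE(review): same world-writable mode as in the finalizer; see the
        # comment there.
        os.chmod(schema_filename, 0o777)
    except OSError as e:
        # Only logged: if the write failed, the IA5 assertion below is what
        # reports the broken precondition.
        log.fatal("Failed to update schema file: " +
                  "{} Error: {}".format(schema_filename, str(e)))

    # start the instances
    m1.start()
    m2.start()

    # Check that gecos is IA5 on M2
    schema = SchemaLegacy(m2)
    attributetypes = schema.query_attributetype('gecos')
    assert attributetypes[0].syntax == "1.3.6.1.4.1.1466.115.121.1.26"

    # Add a gecos UTF value on M1
    testuser.replace('gecos', 'Hélène')

    # Check replication is still working
    testuser.replace('displayName', 'ascii value')
    repl.wait_for_replication(m1, m2)
    testuser_m2 = UserAccount(m2, testuser_dn)
    assert testuser_m2.exists()
    assert testuser_m2.get_attr_val_utf8('displayName') == 'ascii value'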