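def enable_ssl(self, binduri, tls_port):
    """Enable TLS on the Directory Server and configure its secure port.

    Binds as the instance root DN and applies four changes under cn=config,
    in this order: add ``nsTLS1: on`` to cn=encryption, add the ``cn=RSA``
    encryption-module entry naming the server certificate nickname
    ``Server-Cert-<dsinstance_host>``, set ``nsslapd-security: on`` and set
    ``nsslapd-securePort`` to ``tls_port``.  Nothing here pins a minimum
    TLS version or a cipher list, so the server defaults apply.

    Args:
        binduri (str): LDAP uri to bind with
        tls_port (str|int): TLS port to be setup; stored as its str form

    Returns:
        bool: True if successfully setup TLS port

    Exceptions:
        LdapException: raised on the first failing step.  Steps already
            applied are not rolled back, so the server may be left
            partially configured.
    """
    ldap_obj = LdapOperations(uri=binduri, binddn=self.dsrootdn,
                              bindpw=self.dsrootdn_pwd)

    def _modify_or_raise(dn, mods, failure_msg, success_msg):
        # modify_ldap signals failure through its second return value; the
        # first value then carries the error text for the exception message.
        (ret, return_value) = ldap_obj.modify_ldap(dn, mods)
        if not return_value:
            raise LdapException(failure_msg % (ret))
        print(success_msg)

    # Enable TLS
    # NOTE(review): values are passed as str here; python-ldap on Python 3
    # expects bytes attribute values -- confirm against the ldap version in use.
    _modify_or_raise('cn=encryption,cn=config',
                     [(ldap.MOD_ADD, 'nsTLS1', 'on')],
                     'fail to enable TLS, Error:%s',
                     'Enabled nsTLS1=on')

    # Register the certificate nickname the server presents; the entry is
    # added (not replaced), so it must not already exist.
    entry1 = {
        'objectClass': ['top', 'nsEncryptionModule'],
        'cn': 'RSA',
        'nsSSLtoken': 'internal (software)',
        'nsSSLPersonalitySSL': 'Server-Cert-%s' % (self.dsinstance_host),
        'nsSSLActivation': 'on'
    }
    dn1 = 'cn=RSA,cn=encryption,cn=config'
    (ret, return_value) = ldap_obj.add_entry(entry1, dn1)
    if not return_value:
        raise LdapException('fail to set Server-Cert nick:%s' % (ret))
    print('Enabled Server-Cert nick')

    # Enable security
    _modify_or_raise('cn=config',
                     [(ldap.MOD_REPLACE, 'nsslapd-security', 'on')],
                     'fail to enable nsslapd-security, Error:%s',
                     'Enabled nsslapd-security')

    # set the appropriate TLS port
    _modify_or_raise('cn=config',
                     [(ldap.MOD_REPLACE, 'nsslapd-securePort', str(tls_port))],
                     'fail to set nsslapd-securePort, Error:%s',
                     'Enabled nsslapd-securePort=%r' % tls_port)
    # Documented contract: report success explicitly.
    return True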
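def enable_ssl(self, binduri, tls_port):
    """Enable TLS on the Directory Server and configure its secure port.

    Binds as the instance root DN and applies four modifications under
    cn=config, in this order: add ``nsTLS1: on`` to cn=encryption, replace
    ``nsSSLPersonalitySSL`` on the existing ``cn=RSA`` encryption-module
    entry with ``Server-Cert-<dsinstance_host>``, set ``nsslapd-security: on``
    and set ``nsslapd-securePort`` to ``tls_port``.  All values are sent as
    bytes, as python-ldap on Python 3 requires.  Nothing here pins a minimum
    TLS version or a cipher list, so the server defaults apply.

    Args:
        binduri (str): LDAP uri to bind with
        tls_port (str|int): TLS port to be setup; stored as its str form

    Returns:
        bool: True if successfully setup TLS port

    Exceptions:
        LdapException: raised on the first failing step.  Steps already
            applied are not rolled back, so the server may be left
            partially configured.
    """
    ldap_obj = LdapOperations(uri=binduri, binddn=self.dsrootdn,
                              bindpw=self.dsrootdn_pwd)

    def _modify_or_raise(dn, mods, failure_msg, success_msg):
        # modify_ldap signals failure through its second return value; the
        # first value then carries the error text for the exception message.
        (ret, return_value) = ldap_obj.modify_ldap(dn, mods)
        if not return_value:
            raise LdapException(failure_msg % (ret))
        print(success_msg)

    # Enable TLS
    _modify_or_raise('cn=encryption,cn=config',
                     [(ldap.MOD_ADD, 'nsTLS1', [b'on'])],
                     'Failed to enable TLS, Error:%s',
                     'Enabled nsTLS1=on')

    # Point the RSA module at the server certificate nickname.  MOD_REPLACE
    # needs cn=RSA,cn=encryption,cn=config to exist already.
    nickname = b'Server-Cert-%s' % ((self.dsinstance_host.encode()))
    _modify_or_raise('cn=RSA,cn=encryption,cn=config',
                     [(ldap.MOD_REPLACE, 'nsSSLPersonalitySSL', [nickname])],
                     'Failed to set Server-Cert nick:%s',
                     'Enabled Server-Cert nick')

    # Enable security
    _modify_or_raise('cn=config',
                     [(ldap.MOD_REPLACE, 'nsslapd-security', [b'on'])],
                     'Failed to enable nsslapd-security, Error:%s',
                     'Enabled nsslapd-security')

    # set the appropriate TLS port
    _modify_or_raise('cn=config',
                     [(ldap.MOD_REPLACE, 'nsslapd-securePort',
                       str(tls_port).encode())],
                     'Failed to set nsslapd-securePort, Error:%s',
                     'Enabled nsslapd-securePort=%r' % tls_port)
    # Documented contract: report success explicitly.
    return True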
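def create_posix_usersgroups(session_multihost):
    """Create ten POSIX users with Kerberos principals and one POSIX group.

    Users foo0..foo9 are added under ou=People,dc=example,dc=test on the
    first master, each with a principal in the EXAMPLE.TEST realm.  Group
    ldapusers (gidNumber 14564100) is created under ou=Groups with foo0 as
    its initial uniqueMember, and foo1..foo9 are then added one by one.
    The directory is accessed as cn=Directory Manager with the fixed
    test-environment password.

    Args:
        session_multihost: multihost fixture; master[0] is used.

    Raises:
        AssertionError: when a user, the group, or a membership change
            cannot be created; the LDAP error is chained where available.
    """
    ldap_uri = 'ldap://%s' % (session_multihost.master[0].sys_hostname)
    ds_rootdn = 'cn=Directory Manager'
    ds_rootpw = 'Secret123'
    ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
    krb = krb5srv(session_multihost.master[0], 'EXAMPLE.TEST')

    for i in range(10):
        user_info = {'cn': 'foo%d' % i,
                     'uid': 'foo%d' % i,
                     'uidNumber': '1458310%d' % i,
                     'gidNumber': '14564100'}
        if not ldap_inst.posix_user("ou=People", "dc=example,dc=test",
                                    user_info):
            # Raise rather than print + assert False: the message survives
            # -O and is shown in the failure report.
            raise AssertionError("Unable to add ldap User %s" % (user_info))
        krb.add_principal('foo%d' % i, 'user', 'Secret123')

    memberdn = 'uid=%s,ou=People,dc=example,dc=test' % ('foo0')
    group_info = {'cn': 'ldapusers',
                  'gidNumber': '14564100',
                  'uniqueMember': memberdn}
    try:
        ldap_inst.posix_group("ou=Groups", "dc=example,dc=test", group_info)
    except LdapException as err:
        # Keep the LDAP error attached instead of swallowing it.
        raise AssertionError("Unable to add ldap group %s"
                             % (group_info)) from err

    group_dn = 'cn=ldapusers,ou=Groups,dc=example,dc=test'
    for i in range(1, 10):
        user_dn = 'uid=foo%d,ou=People,dc=example,dc=test' % i
        add_member = [(ldap.MOD_ADD, 'uniqueMember',
                       user_dn.encode('utf-8'))]
        (ret, _) = ldap_inst.modify_ldap(group_dn, add_member)
        assert ret == 'Success'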
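def enable_anonymous_search(self, binduri):
    """Enable anonymous search access to basedn

    Adds an ACI on ``self.dsinstance_suffix`` that lets ``ldap:///anyone``
    read, search and compare every attribute in the suffix except
    ``userPassword`` and ``aci``.  Anything else stored under the suffix
    becomes readable without a bind.

    Args:
        binduri (str): LDAP uri to bind with

    Returns:
        bool: True if ACI is added

    Exceptions:
        LdapException: if the modify fails; the error text is included.
    """
    ldap_obj = LdapOperations(uri=binduri, binddn=self.dsrootdn,
                              bindpw=self.dsrootdn_pwd)
    # Enable Anonymous access aci.  The targetattr exclusion keeps password
    # hashes and the access-control rules themselves out of anonymous reach.
    allow_anonymous = "(targetattr!=\"userPassword || aci\")" \
                      "(version 3.0; acl \"Enable anonymous " \
                      "access\"; allow " \
                      "(read, search, compare) userdn=\"ldap:///anyone\";)"
    add_aci = [(ldap.MOD_ADD, 'aci', [allow_anonymous.encode('utf-8')])]
    (ret, return_value) = ldap_obj.modify_ldap(self.dsinstance_suffix,
                                               add_aci)
    if not return_value:
        # Include the server's error text, as the other enable_* helpers do.
        raise LdapException("Failed to enable anonymous access aci, "
                            "Error:%s" % (ret))
    print("Enabled Anonymous access aci to %s" % self.dsinstance_suffix)
    # Documented contract: report success explicitly.
    return True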
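def test_login_fips_weak_crypto(self, multihost):
    """
    :title: krb5/fips: verify login fails when weak crypto is presented
    :id: cdd2ef0d-4921-40b3-b61e-0b271b2d5e00
    :steps:
      1. Create user cracker in LDAP and a principal whose only key
         type is arcfour-hmac (RC4)
      2. Add the user to the ldapusers group
      3. Capture traffic to the master while logging in over SSH
      4. On login failure, check the journal for the KDC rejecting
         the encryption type
    :expectedresults:
      1. Should succeed
      2. Should succeed
      3. Login fails
      4. 'KDC has no support for encryption type' is logged
    """
    ldap_uri = 'ldap://%s' % (multihost.master[0].sys_hostname)
    ds_rootdn = 'cn=Directory Manager'
    ds_rootpw = 'Secret123'
    tools = sssdTools(multihost.client[0])
    domain_name = tools.get_domain_section_name()
    tools.clear_sssd_cache()
    user = '******' % domain_name
    ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
    krb = krb5srv(multihost.master[0], 'EXAMPLE.TEST')
    user_info = {
        'cn': 'cracker',
        'uid': 'cracker',
        'uidNumber': '19583100',
        'gidNumber': '14564100'
    }
    if ldap_inst.posix_user("ou=People", "dc=example,dc=test", user_info):
        # arcfour-hmac is the "weak crypto" under test: a FIPS-mode KDC is
        # expected to refuse it.
        krb.add_principal('cracker', 'user', 'Secret123',
                          etype='arcfour-hmac')
    else:
        pytest.fail("Failed to add user cracker")
    user_dn = 'uid=cracker,ou=People,%s' % ds_suffix
    group_dn = 'cn=ldapusers,ou=Groups,%s' % ds_suffix
    add_member = [(ldap.MOD_ADD, 'uniqueMember', user_dn.encode('utf-8'))]
    (ret, _) = ldap_inst.modify_ldap(group_dn, add_member)
    assert ret == 'Success'
    tools.clear_sssd_cache()

    ldap_host = multihost.master[0].sys_hostname
    # Capture goes to a fixed path on the client; removed in the finally.
    pcapfile = '/tmp/krb1.pcap'
    tcpdump_cmd = 'tcpdump -s0 host %s -w %s' % (ldap_host, pcapfile)
    pkill = 'pkill tcpdump'
    rm_pcap_file = 'rm -f %s' % pcapfile
    multihost.client[0].run_command(tcpdump_cmd, bg=True)
    try:
        client = pexpect_ssh(multihost.client[0].sys_hostname, user,
                             'Secret123', debug=False)
        try:
            client.login()
        except SSHLoginException:
            multihost.client[0].run_command(pkill)
            # Decode the AS-REP/KRB-ERROR exchange for the test log only;
            # the assertion below is made on the journal.
            tshark_cmd = "tshark -r %s -V -2 -R"\
                         " 'kerberos.msg_type == 30'" % pcapfile
            multihost.client[0].run_command(tshark_cmd, raiseonerr=False)
            journalctl_cmd = 'journalctl --no-pager -n 150'
            cmd = multihost.client[0].run_command(journalctl_cmd)
            check = re.compile(r'KDC has no support for encryption type')
            assert check.search(cmd.stdout_text)
        else:
            # Stop the capture on this path too; it was only stopped on
            # the failure path before.
            multihost.client[0].run_command(pkill)
            pytest.fail("%s Login successful" % user)
    finally:
        # Remove the test user, its principal and the capture even when an
        # assertion above fails, so later tests start from a clean state.
        ldap_inst.del_dn(user_dn)
        krb.delete_principal('cracker')
        multihost.client[0].run_command(rm_pcap_file)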
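def test_sss_cache_reset(self, multihost, backupsssdconf):
    """
    :title: fix sss_cache to also reset cached timestamp
    :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1902280
    :customerscenario: True
    :id: c310f1b4-e89b-11eb-84ce-845cf3eff344
    :steps:
      1. Make a change to group entry in LDAP
      2. Run 'ssh_cache -E' on clients
      3. Check with 'getent group' on clients to see if correct
    :expectedresults:
      1. Should succeed
      2. Should succeed
      3. Should succeed

    The getent lookups hardcode the ``example1`` domain name; the test
    presumably expects the configured domain section to carry that name.
    The removed membership is restored on exit so other tests that rely on
    foo9 being in ldapusers are not affected.
    """
    tools = sssdTools(multihost.client[0])
    domain_name = tools.get_domain_section_name()
    domain_params = {
        'ldap_schema': 'rfc2307bis',
        'ldap_group_member': 'uniquemember',
        'debug_level': '9'
    }
    tools.sssd_conf(f'domain/{domain_name}', domain_params)
    multihost.client[0].service_sssd('restart')
    get_ent = multihost.client[0].run_command("getent group "
                                              "ldapusers@example1")
    assert "foo9@example1" in get_ent.stdout_text

    user_dn = 'uid=foo9,ou=People,dc=example,dc=test'
    group_dn = 'cn=ldapusers,ou=Groups,dc=example,dc=test'
    ldap_uri = 'ldap://%s' % (multihost.master[0].sys_hostname)
    ds_rootdn = 'cn=Directory Manager'
    ds_rootpw = 'Secret123'
    ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
    member_value = user_dn.encode('utf-8')
    del_member = [(ldap.MOD_DELETE, 'uniqueMember', member_value)]
    (ret, _) = ldap_inst.modify_ldap(group_dn, del_member)
    assert ret == 'Success'
    try:
        # -E must invalidate the cached timestamp as well as the entry,
        # otherwise the stale membership is still served.
        multihost.client[0].run_command("sss_cache -G")
        multihost.client[0].run_command("sss_cache -E")
        get_ent1 = multihost.client[0].run_command("getent group "
                                                   "ldapusers@example1")
        assert "foo9@example1" not in get_ent1.stdout_text
        assert get_ent.stdout_text != get_ent1.stdout_text
    finally:
        # Put foo9 back into ldapusers; the delete above succeeded, so the
        # add cannot collide with an existing value.
        add_member = [(ldap.MOD_ADD, 'uniqueMember', member_value)]
        ldap_inst.modify_ldap(group_dn, add_member)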
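def test_0003_background_refresh(self, multihost):
    """
    :title: netgroup: background refresh task does not refresh updated
     netgroup entries
    :id: b17d904d-0d64-4f4a-bbad-4c7f63e1faf2
    :bugzilla:
     https://bugzilla.redhat.com/show_bug.cgi?id=1779486 (RHEL8.2)
     https://bugzilla.redhat.com/show_bug.cgi?id=1822461 (RHEL7.8)
    :steps:
      1. Configure a short entry_cache_timeout and refresh_expired_interval
      2. Look up netgroup_1 so it is cached
      3. Replace its nisNetgroupTriple in LDAP
      4. After the cache has expired, read the sysdb cache with ldbsearch
    :expectedresults:
      1. Should succeed
      2. Should succeed
      3. Should succeed
      4. The cache holds the new netgroupTriple
    """
    multihost.client[0].service_sssd('stop')
    tools = sssdTools(multihost.client[0])
    tools.remove_sss_cache('/var/lib/sss/db')
    section = "domain/%s" % ds_instance_name
    domain_params = {
        'entry_cache_timeout': '30',
        'refresh_expired_interval': '22'
    }
    tools.sssd_conf(section, domain_params)
    multihost.client[0].service_sssd('restart')
    try:
        # getent netgroup_1
        getent_cmd = "getent netgroup netgroup_1"
        multihost.client[0].run_command(getent_cmd)
        shortname = multihost.client[0].sys_hostname.strip().split('.')[0]
        ldap_uri = 'ldap://%s' % (multihost.master[0].sys_hostname)
        ds_rootdn = 'cn=Directory Manager'
        ds_rootpw = 'Secret123'
        ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
        netgroup_dn = 'cn=netgroup_1,ou=Netgroups,%s' % (ds_suffix)
        nisNetgroupTriple = "(%s,foo1,%s)" % (shortname, ds_suffix)
        modify_netgroup = [(ldap.MOD_REPLACE, 'nisNetgroupTriple',
                            nisNetgroupTriple.encode('utf-8'))]
        # Fail here if the LDAP change did not apply, rather than after the
        # 40 s wait with a misleading cache assertion.
        (ret, _) = ldap_inst.modify_ldap(netgroup_dn, modify_netgroup)
        assert ret == 'Success'
        # Wait past entry_cache_timeout (30 s) so the refresh task, which
        # runs every 22 s, has had a chance to pick the entry up.
        time.sleep(40)
        ldb_cmd = 'ldbsearch -H /var/lib/sss/db/cache_%s.ldb'\
                  ' -b cn=Netgroups,cn=%s,cn=sysdb' % (ds_instance_name,
                                                       ds_instance_name)
        cmd = multihost.client[0].run_command(ldb_cmd)
    finally:
        # Drop the tuned timeouts even if a step above raised.
        tools.sssd_conf(section, domain_params, action='delete')
    new_entry = "netgroupTriple: (%s,foo1,%s)" % (shortname, ds_suffix)
    assert new_entry in cmd.stdout_text.strip().split('\n')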
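def test_inactivated_filtered_roles(self, multihost):
    """
    :title: Inactivated filtered roles
    :id: 4286dac6-3045-11ec-8fd0-845cf3eff344
    :steps:
      1. Make filter role inactive
      2. User added to the above inactive filtered role
      3. User removed from the above inactive filtered role
      4. Activate filtered role
    :expectedresults:
      1. Should succeed
      2. Should succeed
      3. Should succeed
      4. Should succeed

    foo3 is placed in the role by adding ``o: filtered`` to its entry;
    foo4 gets no LDAP change here, so it presumably already matches the
    role filter.  While the role is locked, SSH authentication for both
    users must fail; once foo3 leaves the role, or the role is unlocked,
    authentication must succeed again.
    """
    clean_sys(multihost)
    client_e = multihost.client[0].ip
    master_e = multihost.master[0].ip
    ldap_uri = f'ldap://{master_e}'
    ds_rootdn = 'cn=Directory Manager'
    ds_rootpw = 'Secret123'
    ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
    user_dn = 'uid=foo3,ou=People,dc=example,dc=test'
    role_dn = "filtered"
    role_value = role_dn.encode('utf-8')

    # Make filter role inactive
    add_member = [(ldap.MOD_ADD, 'o', role_value)]
    (ret, _) = ldap_inst.modify_ldap(user_dn, add_member)
    assert ret == 'Success'
    manage_user_roles(multihost, "cn=filtered", "lock", "role")
    with pytest.raises(paramiko.ssh_exception.AuthenticationException):
        SSHClient(client_e, username="******", password="******")
    time.sleep(3)
    lock_check(multihost, "foo3")

    # User added to the above inactive filtered role
    clean_sys(multihost)
    with pytest.raises(paramiko.ssh_exception.AuthenticationException):
        SSHClient(client_e, username="******", password="******")
    time.sleep(3)
    lock_check(multihost, "foo4")

    # User removed from the above inactive filtered role
    clean_sys(multihost)
    # Reuse the existing connection instead of binding a second time.
    del_member = [(ldap.MOD_DELETE, 'o', role_value)]
    (ret, _) = ldap_inst.modify_ldap(user_dn, del_member)
    assert ret == 'Success'
    ssh1 = SSHClient(client_e, username="******", password="******")
    ssh1.close()
    time.sleep(3)
    unlock_check(multihost, "foo3")

    # Activate filtered role
    clean_sys(multihost)
    manage_user_roles(multihost, "cn=filtered", "unlock", "role")
    ssh1 = SSHClient(client_e, username="******", password="******")
    ssh1.close()
    time.sleep(3)
    unlock_check(multihost, "foo4")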