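def create_casesensitive_posix_user(session_multihost):
    """
    Create a case sensitive posix user.

    The user entry is added under ou=People,dc=example,dc=test and a
    Kerberos principal 'CAPSUSER-1' with the suite's test password is
    created in the EXAMPLE.TEST realm.

    :param session_multihost: multihost fixture; master[0] hosts the
        Directory Server and the KDC
    :return: None
    :raises AssertionError: when the LDAP entry cannot be added
    """
    master = session_multihost.master[0]
    ldap_uri = f'ldap://{master.sys_hostname}'
    krb = krb5srv(master, 'EXAMPLE.TEST')
    # rootdn bind over plain ldap:// (no TLS) with the suite's fixed test
    # credentials, as elsewhere in this suite.
    ds_rootdn = 'cn=Directory Manager'
    ds_rootpw = 'Secret123'
    ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
    # NOTE(review): this literal is masked in the source reviewed and does
    # not match the principal name 'CAPSUSER-1' added below; for a Kerberos
    # login the posix uid and the principal are expected to agree -- confirm.
    username = '******'
    user_info = {
        'cn': username,
        'uid': username,
        'uidNumber': '24583100',
        'gidNumber': '14564100',
    }
    # A failed add is reported here rather than silently followed by a
    # principal that has no matching posix entry (same check as the
    # multi-user fixture).
    if not ldap_inst.posix_user("ou=People", "dc=example,dc=test", user_info):
        raise AssertionError(f"Unable to add ldap User {user_info}")
    krb.add_principal('CAPSUSER-1', 'user', 'Secret123')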
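def create_posix_usersgroups(session_multihost):
    """
    Create posix users and a posix group.

    Ten users foo0..foo9 (uidNumber 14583100..14583109, primary gid
    14564100) are added under ou=People,dc=example,dc=test, each with a
    Kerberos principal of the same name in EXAMPLE.TEST.  A group
    'ldapusers' (gidNumber 14564100) is then created under ou=Groups with
    foo0 as its first uniqueMember and foo1..foo9 added afterwards.

    :param session_multihost: multihost fixture; master[0] hosts the
        Directory Server and the KDC
    :return: None
    :raises AssertionError: when a user, the group or a membership update
        cannot be created; the LdapException from the group add is chained
        as the cause
    """
    master = session_multihost.master[0]
    ldap_uri = f'ldap://{master.sys_hostname}'
    # rootdn bind over plain ldap:// (no TLS) with the suite's fixed test
    # credentials.
    ds_rootdn = 'cn=Directory Manager'
    ds_rootpw = 'Secret123'
    ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
    krb = krb5srv(master, 'EXAMPLE.TEST')
    base = "dc=example,dc=test"
    for i in range(10):
        name = f'foo{i}'
        user_info = {
            'cn': name,
            'uid': name,
            'uidNumber': f'1458310{i}',
            'gidNumber': '14564100',
        }
        # Fail with the reason instead of a bare `assert False`, which
        # loses the message and is stripped under -O.
        if not ldap_inst.posix_user("ou=People", base, user_info):
            raise AssertionError(f"Unable to add ldap User {user_info}")
        krb.add_principal(name, 'user', 'Secret123')
    group_info = {
        'cn': 'ldapusers',
        'gidNumber': '14564100',
        'uniqueMember': f'uid=foo0,ou=People,{base}',
    }
    try:
        ldap_inst.posix_group("ou=Groups", base, group_info)
    except LdapException as err:
        # Keep the LDAP error as the cause instead of swallowing it.
        raise AssertionError(f"Unable to add ldap group {group_info}") from err
    group_dn = f'cn=ldapusers,ou=Groups,{base}'
    for i in range(1, 10):
        user_dn = f'uid=foo{i},ou=People,{base}'
        add_member = [(ldap.MOD_ADD, 'uniqueMember', user_dn.encode('utf-8'))]
        (ret, _) = ldap_inst.modify_ldap(group_dn, add_member)
        assert ret == 'Success', f'adding {user_dn} to {group_dn} failed: {ret}'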
def usr_grp(multihost, obj_info, type):
    """
    Add a posix user or a posix group to the ldap-server.

    :param multihost: multihost fixture; master[0] hosts the Directory
        Server and the KDC
    :param dict obj_info: attributes of the object; for a user the 'uid'
        value is also used as the Kerberos principal name, for a group an
        optional 'memberUid' value is forwarded to posix_group
    :param str type: 'user' or 'group' (shadows the builtin; kept for
        callers); any other value makes the call a no-op
    :return: None

    An LdapException raised while adding the entry is reported on stdout
    and not propagated, so the caller cannot tell failure from success
    through the return value.
    """
    master = multihost.master[0]
    directory = LdapOperations(f'ldap://{master.sys_hostname}', ds_rootdn, ds_rootpw)
    kdc = krb5srv(master, 'EXAMPLE.TEST')
    if type == 'user':
        principal = obj_info.get('uid')
        try:
            # The principal is only created when the posix entry was added.
            added = directory.posix_user("ou=People", ds_suffix, obj_info)
            if added:
                kdc.add_principal(principal, 'user', 'Secret123')
        except LdapException:
            print(f"Unable to add ldap User {obj_info}")
    elif type == 'group':
        try:
            directory.posix_group("ou=Groups", ds_suffix, obj_info,
                                  memberUid=obj_info.get('memberUid'))
        except LdapException:
            print(f"Unable to add ldap group {obj_info}")
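def test_login_fips_weak_crypto(self, multihost):
    """
    :title: krb5/fips: verify login fails when weak crypto is presented
    :id: cdd2ef0d-4921-40b3-b61e-0b271b2d5e00

    A posix user 'cracker' is created whose Kerberos principal is keyed
    only with arcfour-hmac (RC4).  The SSH login of that user through SSSD
    must fail, and the last 150 journal lines on the client must contain
    'KDC has no support for encryption type'.  Traffic between client and
    master is captured with tcpdump and the KRB-ERROR messages are decoded
    with tshark for the test output; the assertion is made on the journal.

    Whatever the outcome, the user, its principal, the capture file and the
    background tcpdump are cleaned up.
    """
    ldap_uri = f'ldap://{multihost.master[0].sys_hostname}'
    ds_rootdn = 'cn=Directory Manager'
    ds_rootpw = 'Secret123'
    tools = sssdTools(multihost.client[0])
    domain_name = tools.get_domain_section_name()
    tools.clear_sssd_cache()
    # NOTE(review): the login name literal is masked in the source reviewed
    # ('******' % domain_name, which raises TypeError at runtime); the fully
    # qualified name of the user created below is assumed -- confirm.
    user = f'cracker@{domain_name}'
    ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
    krb = krb5srv(multihost.master[0], 'EXAMPLE.TEST')
    user_info = {
        'cn': 'cracker',
        'uid': 'cracker',
        'uidNumber': '19583100',
        'gidNumber': '14564100',
    }
    if not ldap_inst.posix_user("ou=People", "dc=example,dc=test", user_info):
        pytest.fail("Failed to add user cracker")
    # arcfour-hmac is the weak enctype under test.
    krb.add_principal('cracker', 'user', 'Secret123', etype='arcfour-hmac')
    user_dn = f'uid=cracker,ou=People,{ds_suffix}'
    group_dn = f'cn=ldapusers,ou=Groups,{ds_suffix}'
    client_host = multihost.client[0]
    ldap_host = multihost.master[0].sys_hostname
    pcapfile = '/tmp/krb1.pcap'
    pkill = 'pkill tcpdump'
    try:
        add_member = [(ldap.MOD_ADD, 'uniqueMember', user_dn.encode('utf-8'))]
        (ret, _) = ldap_inst.modify_ldap(group_dn, add_member)
        assert ret == 'Success', f'adding {user_dn} to {group_dn} failed: {ret}'
        tools.clear_sssd_cache()
        # Capture everything exchanged with the master (KDC and LDAP) during
        # the login attempt.
        client_host.run_command(f'tcpdump -s0 host {ldap_host} -w {pcapfile}',
                                bg=True)
        client = pexpect_ssh(client_host.sys_hostname, user, 'Secret123',
                             debug=False)
        try:
            client.login()
        except SSHLoginException:
            # Stop the capture before reading it.  kerberos.msg_type 30 is
            # KRB-ERROR; the decoded output is not asserted on, it is run so
            # the exchange appears in the test output.
            client_host.run_command(pkill)
            tshark_cmd = (f"tshark -r {pcapfile} -V -2 -R"
                          " 'kerberos.msg_type == 30'")
            client_host.run_command(tshark_cmd, raiseonerr=False)
            journal = client_host.run_command('journalctl --no-pager -n 150')
            check = re.compile(r'KDC has no support for encryption type')
            assert check.search(journal.stdout_text), \
                'expected KDC enctype error not found in the last 150 journal lines'
        else:
            # The original message had an unfilled %s placeholder.
            pytest.fail(f"{user} login succeeded with an arcfour-hmac-only principal")
    finally:
        # Also reached when the login unexpectedly succeeded or an assertion
        # failed, so the entry, principal and capture never leak into the
        # next test.  pkill exits non-zero when tcpdump was already stopped.
        client_host.run_command(pkill, raiseonerr=False)
        ldap_inst.del_dn(user_dn)
        krb.delete_principal('cracker')
        client_host.run_command(f'rm -f {pcapfile}')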