1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
|
# --- BEGIN COPYRIGHT BLOCK ---
# Copyright (C) 2016 Red Hat, Inc.
# All rights reserved.
#
# License: GPL (version 3 or any later version).
# See LICENSE for details.
# --- END COPYRIGHT BLOCK ---
#
import logging
import ldap.sasl
import pytest
from lib389.tasks import *
from lib389.topologies import topology_st
from lib389._constants import DEFAULT_SUFFIX, BACKEND_NAME, DN_CONFIG
pytestmark = pytest.mark.tier2
log = logging.getLogger(__name__)
BRANCH = 'ou=people,' + DEFAULT_SUFFIX
USER_DN = 'uid=user1,%s' % (BRANCH)
BRANCH_CONTAINER = 'cn=nsPwPolicyContainer,ou=people,dc=example,dc=com'
BRANCH_COS_DEF = 'cn=nsPwPolicy_CoS,ou=people,dc=example,dc=com'
BRANCH_PWP = 'cn=cn\\3DnsPwPolicyEntry\\2Cou\\3DPeople\\2Cdc\\3Dexample\\2Cdc\\3Dcom,' + \
'cn=nsPwPolicyContainer,ou=People,dc=example,dc=com'
BRANCH_COS_TMPL = 'cn=cn\\3DnsPwTemplateEntry\\2Cou\\3DPeople\\2Cdc\\3Dexample\\2Cdc\\3Dcom,' + \
'cn=nsPwPolicyContainer,ou=People,dc=example,dc=com'
SECOND_SUFFIX = 'o=netscaperoot'
BE_NAME = 'netscaperoot'
def addSubtreePwPolicy(inst):
#
# Add subtree policy to the people branch
#
try:
inst.add_s(Entry((BRANCH_CONTAINER, {
'objectclass': 'top nsContainer'.split(),
'cn': 'nsPwPolicyContainer'
})))
except ldap.LDAPError as e:
log.error('Failed to add subtree container for ou=people: error ' + e.args[0]['desc'])
assert False
# Add the password policy subentry
try:
inst.add_s(Entry((BRANCH_PWP, {
'objectclass': 'top ldapsubentry passwordpolicy'.split(),
'cn': 'cn=nsPwPolicyEntry,ou=people,dc=example,dc=com',
'passwordMustChange': 'off',
'passwordExp': 'off',
'passwordHistory': 'off',
'passwordMinAge': '0',
'passwordChange': 'off',
'passwordStorageScheme': 'ssha'
})))
except ldap.LDAPError as e:
log.error('Failed to add passwordpolicy: error ' + e.args[0]['desc'])
assert False
# Add the COS template
try:
inst.add_s(Entry((BRANCH_COS_TMPL, {
'objectclass': 'top ldapsubentry costemplate extensibleObject'.split(),
'cn': 'cn=nsPwPolicyEntry,ou=people,dc=example,dc=com',
'cosPriority': '1',
'cn': 'cn=nsPwTemplateEntry,ou=people,dc=example,dc=com',
'pwdpolicysubentry': BRANCH_PWP
})))
except ldap.LDAPError as e:
log.error('Failed to add COS template: error ' + e.args[0]['desc'])
assert False
# Add the COS definition
try:
inst.add_s(Entry((BRANCH_COS_DEF, {
'objectclass': 'top ldapsubentry cosSuperDefinition cosPointerDefinition'.split(),
'cn': 'cn=nsPwPolicyEntry,ou=people,dc=example,dc=com',
'costemplatedn': BRANCH_COS_TMPL,
'cosAttribute': 'pwdpolicysubentry default operational-default'
})))
except ldap.LDAPError as e:
log.error('Failed to add COS def: error ' + e.args[0]['desc'])
assert False
time.sleep(1)
def delSubtreePwPolicy(inst):
try:
inst.delete_s(BRANCH_COS_DEF)
except ldap.LDAPError as e:
log.error('Failed to delete COS def: error ' + e.args[0]['desc'])
assert False
try:
inst.delete_s(BRANCH_COS_TMPL)
except ldap.LDAPError as e:
log.error('Failed to delete COS template: error ' + e.args[0]['desc'])
assert False
try:
inst.delete_s(BRANCH_PWP)
except ldap.LDAPError as e:
log.error('Failed to delete COS password policy: error ' + e.args[0]['desc'])
assert False
try:
inst.delete_s(BRANCH_CONTAINER)
except ldap.LDAPError as e:
log.error('Failed to delete COS container: error ' + e.args[0]['desc'])
assert False
time.sleep(1)
def test_ticket47981(topology_st):
"""
If there are multiple suffixes, and the last suffix checked does not contain any COS entries,
while other suffixes do, then the vattr cache is not invalidated as it should be. Then any
cached entries will still contain the old COS attributes/values.
"""
log.info('Testing Ticket 47981 - Test that COS def changes are correctly reflected in affected users')
#
# Create a second backend that does not have any COS entries
#
log.info('Adding second suffix that will not contain any COS entries...\n')
topology_st.standalone.backend.create(SECOND_SUFFIX, {BACKEND_NAME: BE_NAME})
topology_st.standalone.mappingtree.create(SECOND_SUFFIX, bename=BE_NAME)
try:
topology_st.standalone.add_s(Entry((SECOND_SUFFIX, {
'objectclass': 'top organization'.split(),
'o': BE_NAME})))
except ldap.ALREADY_EXISTS:
pass
except ldap.LDAPError as e:
log.error('Failed to create suffix entry: error ' + e.args[0]['desc'])
assert False
#
# Add People branch, it might already exist
#
log.info('Add our test entries to the default suffix, and proceed with the test...')
try:
topology_st.standalone.add_s(Entry((BRANCH, {
'objectclass': 'top extensibleObject'.split(),
'ou': 'level4'
})))
except ldap.ALREADY_EXISTS:
pass
except ldap.LDAPError as e:
log.error('Failed to add ou=people: error ' + e.args[0]['desc'])
assert False
#
# Add a user to the branch
#
try:
topology_st.standalone.add_s(Entry((USER_DN, {
'objectclass': 'top extensibleObject'.split(),
'uid': 'user1'
})))
except ldap.LDAPError as e:
log.error('Failed to add user1: error ' + e.args[0]['desc'])
assert False
#
# Enable password policy and add the subtree policy
#
try:
topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'nsslapd-pwpolicy-local', b'on')])
except ldap.LDAPError as e:
log.error('Failed to set pwpolicy-local: error ' + e.args[0]['desc'])
assert False
addSubtreePwPolicy(topology_st.standalone)
#
# Now check the user has its expected passwordPolicy subentry
#
try:
entries = topology_st.standalone.search_s(USER_DN,
ldap.SCOPE_BASE,
'(objectclass=top)',
['pwdpolicysubentry', 'dn'])
if not entries[0].hasAttr('pwdpolicysubentry'):
log.fatal('User does not have expected pwdpolicysubentry!')
assert False
except ldap.LDAPError as e:
log.fatal('Unable to search for entry %s: error %s' % (USER_DN, e.args[0]['desc']))
assert False
#
# Delete the password policy and make sure it is removed from the same user
#
delSubtreePwPolicy(topology_st.standalone)
try:
entries = topology_st.standalone.search_s(USER_DN, ldap.SCOPE_BASE, '(objectclass=top)', ['pwdpolicysubentry'])
if entries[0].hasAttr('pwdpolicysubentry'):
log.fatal('User unexpectedly does have the pwdpolicysubentry!')
assert False
except ldap.LDAPError as e:
log.fatal('Unable to search for entry %s: error %s' % (USER_DN, e.args[0]['desc']))
assert False
#
# Add the subtree policvy back and see if the user now has it
#
addSubtreePwPolicy(topology_st.standalone)
try:
entries = topology_st.standalone.search_s(USER_DN, ldap.SCOPE_BASE, '(objectclass=top)', ['pwdpolicysubentry'])
if not entries[0].hasAttr('pwdpolicysubentry'):
log.fatal('User does not have expected pwdpolicysubentry!')
assert False
except ldap.LDAPError as e:
log.fatal('Unable to search for entry %s: error %s' % (USER_DN, e.args[0]['desc']))
assert False
if __name__ == '__main__':
# Run isolated
# -s for DEBUG mode
CURRENT_FILE = os.path.realpath(__file__)
pytest.main("-s %s" % CURRENT_FILE)
|
