File: t_ldap_sasl.py

"""
Automatic tests for python-ldap's module ldap.sasl

See https://www.python-ldap.org/ for details.
"""
import os
import unittest

# Disable .ldaprc / ldap.conf processing before _ldap is imported below, so
# the host's LDAP client configuration cannot influence the test run.
os.environ.update(LDAPNOINIT='1')

from ldap.ldapobject import SimpleLDAPObject
import ldap.sasl
from slapdtest import SlapdTestCase
from slapdtest import requires_ldapi, requires_sasl, requires_tls


# LDIF template loaded by TestSasl.setUpClass.  Every {name} placeholder is
# filled with str.format from the test slapd (suffix, root DN/cn/password)
# and the running process (effective uid); the values are test-harness
# constants and the template applies no LDIF escaping to them.
# Entries: the suffix (dcObject), the root DN (carries the root password in
# clear text plus a uid attribute), and a bare applicationProcess entry
# named after the test client certificate's cn.
LDIF = """
dn: {suffix}
objectClass: dcObject
objectClass: organization
dc: {dc}
o: {dc}

dn: {rootdn}
objectClass: applicationProcess
objectClass: simpleSecurityObject
objectClass: uidObject
cn: {rootcn}
userPassword: {rootpw}
uid: {uid}

dn: cn={certuser},{suffix}
objectClass: applicationProcess
cn: {certuser}

"""


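@requires_sasl()
class TestSasl(SlapdTestCase):
    """Exercise SASL EXTERNAL binds against the test slapd.

    Two transport-bound identities are covered: the peer credentials of an
    LDAPI (AF_UNIX) socket and the subject of a client TLS certificate.
    Each test opens its own connection through ``_connect`` so the socket
    is unbound when the test finishes instead of leaking until the
    interpreter exits.
    """

    ldap_object_class = SimpleLDAPObject
    # from Tests/certs/client.pem: ``certuser`` is the certificate's cn (it
    # is also the entry added in setUpClass), ``certsubject`` its full DN.
    certuser = 'client'
    certsubject = "cn=client,ou=slapd-test,o=python-ldap,c=de"

    @classmethod
    def setUpClass(cls):
        """Start the test slapd and load the fixture entries from ``LDIF``."""
        super().setUpClass()
        ldif = LDIF.format(
            suffix=cls.server.suffix,
            rootdn=cls.server.root_dn,
            rootcn=cls.server.root_cn,
            rootpw=cls.server.root_pw,
            # First RDN of the suffix minus its "dc=" prefix (assumes the
            # suffix starts with a dc= component).
            dc=cls.server.suffix.split(',')[0][3:],
            certuser=cls.certuser,
            # NOTE(review): presumably lets the LDAPI peer uid be mapped to
            # the root DN (test_external_ldapi relies on that mapping);
            # confirm against the slapd test configuration.
            uid=os.geteuid(),
        )
        cls.server.ldapadd(ldif)

    def _connect(self, uri):
        """Open a connection to *uri* and unbind it when the test ends."""
        ldap_conn = self.ldap_object_class(uri)
        self.addCleanup(ldap_conn.unbind_s)
        return ldap_conn

    @requires_ldapi()
    def test_external_ldapi(self):
        """EXTERNAL over LDAPI (AF_UNIX) must honour the peer credentials.

        Requesting an authorization identity the peer is not entitled to
        is rejected with INSUFFICIENT_ACCESS; with an empty authzid the bind
        resolves to the root DN.
        """
        ldap_conn = self._connect(self.server.ldapi_uri)

        auth = ldap.sasl.external("some invalid user")
        with self.assertRaises(ldap.INSUFFICIENT_ACCESS):
            ldap_conn.sasl_interactive_bind_s("", auth)

        auth = ldap.sasl.external("")
        ldap_conn.sasl_interactive_bind_s("", auth)
        self.assertEqual(
            ldap_conn.whoami_s().lower(),
            f"dn:{self.server.root_dn.lower()}"
        )

    @requires_tls()
    def test_external_tlscert(self):
        """EXTERNAL over StartTLS binds as the client certificate's subject."""
        ldap_conn = self._connect(self.server.ldap_uri)
        ldap_conn.set_option(ldap.OPT_X_TLS_CACERTFILE, self.server.cafile)
        ldap_conn.set_option(ldap.OPT_X_TLS_CERTFILE, self.server.clientcert)
        ldap_conn.set_option(ldap.OPT_X_TLS_KEYFILE, self.server.clientkey)
        # HARD: the server certificate must verify against cafile, otherwise
        # start_tls_s fails rather than continuing unauthenticated.
        ldap_conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_HARD)
        # Rebuild the TLS context so the options set above take effect for
        # this connection (see python-ldap's OPT_X_TLS_NEWCTX documentation).
        ldap_conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
        ldap_conn.start_tls_s()

        auth = ldap.sasl.external()
        ldap_conn.sasl_interactive_bind_s("", auth)
        self.assertEqual(
            ldap_conn.whoami_s().lower(),
            f"dn:{self.certsubject}"
        )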

# Allow running this module directly as a script.
if __name__ == "__main__":
    unittest.main()