tests: adding gpo customer test scenario to use the ldap attribute name

SSSD · Sep 30, 2024 · 6e74672 · 6e74672
1 parent ef2a618
commit 6e74672
Showing 1 changed file with 44 additions and 0 deletions.
diff --git a/src/tests/system/tests/test_gpo.py b/src/tests/system/tests/test_gpo.py
@@ -1025,3 +1025,47 @@ def test_gpo__works_when_auto_private_group_is_used_with_posix_accounts(
         "user1", password="Secret123"
     ), "Allowed user authentication failed!"
     assert not client.auth.parametrize(method).password("deny_user1", password="Secret123"), "Denied user logged in!"
+
+
+@pytest.mark.importance("critical")
+@pytest.mark.parametrize("method", ["ssh", "su"])
+@pytest.mark.topology(KnownTopologyGroup.AnyAD)
+@pytest.mark.ticket(gh=7591)
+def test_gpo__ldap_user_name_attribute_mapping(client: Client, provider: GenericADProvider, method: str):
+    """
+    :title: GPO evaluation fails when the LDAP attribute "name" is used instead of default sAMAccountName attribute
+    :setup:
+        1. Create the following user 'user1' and 'deny_user1' with uids and gids
+        2. Create and link the GPO 'site policy' and add 'user1' and 'Domain Admins' to
+           SeInteractiveLogonRight key. Add 'deny_user1 to SeDenyInteractiveLogonRight key'
+        3. Configure sssd.conf with 'ad_gpo_access_control = enforcing',
+           'auto_private_groups = false', 'ldap_user_name = name' and 'ldap_id_mapping = false'
+        4. Start SSSD
+    :steps:
+        1. Authenticate as 'user1'
+        2. Authenticate as 'deny_user1'
+    :expectedresults:
+        1. Authentication is successful
+        2. Authenticated user is unsuccessful
+    :customerscenario: True
+    """
+    user1 = provider.user("user1").add(uid=10000, gid=10000)
+    deny_user1 = provider.user("deny_user1").add(uid=10001, gid=10001)
+
+    provider.gpo("site policy").add().policy(
+        {
+            "SeInteractiveLogonRight": [user1, provider.group("Domain Admins")],
+            "SeDenyInteractiveLogonRight": [deny_user1],
+        }
+    ).link()
+
+    client.sssd.domain["ad_gpo_access_control"] = "enforcing"
+    client.sssd.domain["auto_private_groups"] = "false"
+    client.sssd.domain["ldap_user_name"] = "name"
+    client.sssd.domain["ldap_id_mapping"] = "false"
+    client.sssd.start()
+
+    assert client.auth.parametrize(method).password(
+        "user1", password="Secret123"
+    ), "Allowed user authentication failed!"
+    assert not client.auth.parametrize(method).password("deny_user1", password="Secret123"), "Denied user logged in!"