Skip to content

Commit

Permalink
tests: add 'expo_force' tests
Browse files Browse the repository at this point in the history
The new value for the ldap_pwmodify_mode option 'exop_force' is added to
existing test. A new test to illustrate the different behavior of 'exop'
and 'exop_force' is added.
  • Loading branch information
sumit-bose committed Oct 2, 2024
1 parent 0e061bf commit b7c640e
Showing 1 changed file with 54 additions and 4 deletions.
58 changes: 54 additions & 4 deletions src/tests/system/tests/test_ldap.py
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@

@pytest.mark.ticket(bz=[795044, 1695574])
@pytest.mark.importance("critical")
@pytest.mark.parametrize("modify_mode", ["exop", "ldap_modify"])
@pytest.mark.parametrize("modify_mode", ["exop", "ldap_modify", "exop_force"])
@pytest.mark.parametrize("use_ppolicy", ["true", "false"])
@pytest.mark.parametrize("sssd_service_user", ("root", "sssd"))
@pytest.mark.topology(KnownTopology.LDAP)
Expand Down Expand Up @@ -75,7 +75,7 @@ def test_ldap__password_change_using_ppolicy(

@pytest.mark.ticket(bz=[795044, 1695574])
@pytest.mark.importance("critical")
@pytest.mark.parametrize("modify_mode", ["exop", "ldap_modify"])
@pytest.mark.parametrize("modify_mode", ["exop", "ldap_modify", "exop_force"])
@pytest.mark.parametrize("use_ppolicy", ["true", "false"])
@pytest.mark.topology(KnownTopology.LDAP)
@pytest.mark.builtwith("ldap_use_ppolicy")
Expand Down Expand Up @@ -109,7 +109,7 @@ def test_ldap__password_change_new_passwords_do_not_match_using_ppolicy(

@pytest.mark.ticket(bz=[795044, 1695574, 1795220])
@pytest.mark.importance("critical")
@pytest.mark.parametrize("modify_mode", ["exop", "ldap_modify"])
@pytest.mark.parametrize("modify_mode", ["exop", "ldap_modify", "exop_force"])
@pytest.mark.parametrize("use_ppolicy", ["true", "false"])
@pytest.mark.topology(KnownTopology.LDAP)
@pytest.mark.builtwith("ldap_use_ppolicy")
Expand Down Expand Up @@ -152,7 +152,7 @@ def test_ldap__password_change_new_password_does_not_meet_complexity_requirement

@pytest.mark.ticket(bz=[1695574, 1795220])
@pytest.mark.importance("critical")
@pytest.mark.parametrize("modify_mode", ["exop", "ldap_modify"])
@pytest.mark.parametrize("modify_mode", ["exop", "ldap_modify", "exop_force"])
@pytest.mark.parametrize("use_ppolicy", ["true", "false"])
@pytest.mark.topology(KnownTopology.LDAP)
@pytest.mark.builtwith("ldap_use_ppolicy")
Expand Down Expand Up @@ -454,3 +454,53 @@ def test_ldap__lookup_and_authenticate_as_user_with_different_object_search_base
assert result is not None, "User is not found!"
assert result.name == user.name, "Username is not correct!"
assert client.auth.ssh.password(user.name, "Secret123"), "User login failed!"

@pytest.mark.ticket(jira="RHEL-55993")
@pytest.mark.importance("critical")
@pytest.mark.parametrize("modify_mode, expected, err_msg",
[("exop", 1, "Expected login failure"),
("exop_force", 3, "Expected password change request")])
@pytest.mark.parametrize("method", ["su", "ssh"])
@pytest.mark.topology(KnownTopology.LDAP)
def test_ldap__password_change_no_grace_logins_left(
client: Client, ldap: LDAP, modify_mode: str, expected: int, err_msg: str, method: str
):
"""
:title: Password change when no grace logins left
:description: Typically the LDAP extended operation to change a password
requires an authenticated bind, even if the data send with the extended
operation contains the old password. If the old password is expired and
there are no grace logins left an authenticated bind is not possible anymore
and as a result it is not possible for the user to change their password.
With 'exop' SSSD will not try to ask the user for new credentials while with
'exop_force' SSSD will ask for new credentials and will try to run the password
change extended operation.
:setup:
1. Set "passwordExp" to "on"
2. Set "passwordMaxAge" to "1"
3. Set "passwordGraceLimit" to "0"
4. Add a user to LDAP
5. Wait until the password is expired
6. Set "ldap_pwmodify_mode"
7. Start SSSD
:steps:
1. Authenticate as the user with 'exop_force' set
2. Authenticate as the user with 'exop' set
:expectedresults:
1. With 'exop_force' expect a request to change the password
2. With 'exop' expect just a failed login
:customerscenario: False
"""
ldap.ldap.modify("cn=config", replace={"passwordExp": "on"})
ldap.ldap.modify("cn=config", replace={"passwordMaxAge": "1"})
ldap.ldap.modify("cn=config", replace={"passwordGraceLimit": "0"})
ldap.user("user1").add(password="Secret123")

# make sure the password is expired
time.sleep(3)

client.sssd.domain["ldap_pwmodify_mode"] = modify_mode
client.sssd.start()

rc, _, _, _ = client.auth.parametrize(method).password_with_output("user1", "Secret123")
assert rc == expected, err_msg

0 comments on commit b7c640e

Please sign in to comment.