Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tests: adding gpo customer test scenario to use the ldap attribute name #7621

Closed
wants to merge 1 commit into from
Closed

tests: adding gpo customer test scenario to use the ldap attribute name #7621

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
50 changes: 50 additions & 0 deletions src/tests/system/tests/test_gpo.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,7 @@
from sssd_test_framework.roles.ad import AD
from sssd_test_framework.roles.client import Client
from sssd_test_framework.roles.generic import GenericADProvider
from sssd_test_framework.roles.samba import Samba
from sssd_test_framework.topology import KnownTopology, KnownTopologyGroup


Expand Down Expand Up @@ -1025,3 +1026,52 @@ def test_gpo__works_when_auto_private_group_is_used_with_posix_accounts(
"user1", password="Secret123"
), "Allowed user authentication failed!"
assert not client.auth.parametrize(method).password("deny_user1", password="Secret123"), "Denied user logged in!"


@pytest.mark.importance("critical")
@pytest.mark.parametrize("method", ["ssh", "su"])
@pytest.mark.topology(KnownTopologyGroup.AnyAD)
@pytest.mark.ticket(gh=7591)
def test_gpo__ldap_user_name_attribute_mapping(client: Client, provider: GenericADProvider, method: str):
"""
:title: GPO evaluation fails when the LDAP attribute "name" is used instead of default sAMAccountName attribute
:description: The name attribute is not populated in Samba, limiting the test to AD
:setup:
1. Create the following user 'user1' and 'deny_user1' with uids and gids
2. Create and link the GPO 'site policy' and add 'user1' and 'Domain Admins' to
SeInteractiveLogonRight key. Add 'deny_user1 to SeDenyInteractiveLogonRight key'
3. Configure sssd.conf with 'ad_gpo_access_control = enforcing',
'auto_private_groups = false', 'ldap_user_name = name' and 'ldap_id_mapping = false'
4. Start SSSD
:steps:
1. Authenticate as 'user1'
2. Authenticate as 'deny_user1'
:expectedresults:
1. Authentication is successful
2. Authenticated user is unsuccessful
:customerscenario: True
"""
user1 = provider.user("user1").add(uid=10000, gid=10000)
deny_user1 = provider.user("deny_user1").add(uid=10001, gid=10001)

provider.gpo("site policy").add().policy(
{
"SeInteractiveLogonRight": [user1, provider.group("Domain Admins")],
"SeDenyInteractiveLogonRight": [deny_user1],
}
).link()

if isinstance(provider, Samba):
client.sssd.domain["ldap_user_name"] = "givenName"
if isinstance(provider, AD):
client.sssd.domain["ldap_user_name"] = "name"
danlavu marked this conversation as resolved.
Show resolved Hide resolved

client.sssd.domain["ad_gpo_access_control"] = "enforcing"
client.sssd.domain["auto_private_groups"] = "false"
client.sssd.domain["ldap_id_mapping"] = "false"
client.sssd.start()

assert client.auth.parametrize(method).password(
"user1", password="Secret123"
), "Allowed user authentication failed!"
assert not client.auth.parametrize(method).password("deny_user1", password="Secret123"), "Denied user logged in!"
spoore1 marked this conversation as resolved.
Show resolved Hide resolved
Loading