|
Packit |
fd8b60 |
from k5test import *
|
|
Packit |
fd8b60 |
import time
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Run kdbtest against the non-LDAP KDB modules.
|
|
Packit |
fd8b60 |
for realm in multidb_realms(create_kdb=False):
|
|
Packit |
fd8b60 |
realm.run(['./kdbtest'])
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Set up an OpenLDAP test server if we can.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
if (not os.path.exists(os.path.join(plugins, 'kdb', 'kldap.so')) and
|
|
Packit |
fd8b60 |
not os.path.exists(os.path.join(buildtop, 'lib', 'libkdb_ldap.a'))):
|
|
Packit |
fd8b60 |
skip_rest('LDAP KDB tests', 'LDAP KDB module not built')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
if 'SLAPD' not in os.environ and not which('slapd'):
|
|
Packit |
fd8b60 |
skip_rest('LDAP KDB tests', 'slapd not found')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
slapadd = which('slapadd')
|
|
Packit |
fd8b60 |
if not slapadd:
|
|
Packit |
fd8b60 |
skip_rest('LDAP KDB tests', 'slapadd not found')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
ldapdir = os.path.abspath('ldap')
|
|
Packit |
fd8b60 |
dbdir = os.path.join(ldapdir, 'ldap')
|
|
Packit |
fd8b60 |
slapd_conf = os.path.join(ldapdir, 'slapd.d')
|
|
Packit |
fd8b60 |
slapd_out = os.path.join(ldapdir, 'slapd.out')
|
|
Packit |
fd8b60 |
slapd_pidfile = os.path.join(ldapdir, 'pid')
|
|
Packit |
fd8b60 |
ldap_pwfile = os.path.join(ldapdir, 'pw')
|
|
Packit |
fd8b60 |
ldap_sock = os.path.join(ldapdir, 'sock')
|
|
Packit |
fd8b60 |
ldap_uri = 'ldapi://%s/' % ldap_sock.replace(os.path.sep, '%2F')
|
|
Packit |
fd8b60 |
schema = os.path.join(srctop, 'plugins', 'kdb', 'ldap', 'libkdb_ldap',
|
|
Packit |
fd8b60 |
'kerberos.openldap.ldif')
|
|
Packit |
fd8b60 |
top_dn = 'cn=krb5'
|
|
Packit |
fd8b60 |
admin_dn = 'cn=admin,cn=krb5'
|
|
Packit |
fd8b60 |
admin_pw = 'admin'
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
shutil.rmtree(ldapdir, True)
|
|
Packit |
fd8b60 |
os.mkdir(ldapdir)
|
|
Packit |
fd8b60 |
os.mkdir(slapd_conf)
|
|
Packit |
fd8b60 |
os.mkdir(dbdir)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
if 'SLAPD' in os.environ:
|
|
Packit |
fd8b60 |
slapd = os.environ['SLAPD']
|
|
Packit |
fd8b60 |
else:
|
|
Packit |
fd8b60 |
# Some Linux installations have AppArmor or similar restrictions
|
|
Packit |
fd8b60 |
# on the slapd binary, which would prevent it from accessing the
|
|
Packit |
fd8b60 |
# build directory. Try to defeat this by copying the binary.
|
|
Packit |
fd8b60 |
system_slapd = which('slapd')
|
|
Packit |
fd8b60 |
slapd = os.path.join(ldapdir, 'slapd')
|
|
Packit |
fd8b60 |
shutil.copy(system_slapd, slapd)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
def slap_add(ldif):
|
|
Packit |
fd8b60 |
proc = subprocess.Popen([slapadd, '-b', 'cn=config', '-F', slapd_conf],
|
|
Packit |
fd8b60 |
stdin=subprocess.PIPE, stdout=subprocess.PIPE,
|
|
Packit |
fd8b60 |
stderr=subprocess.STDOUT, universal_newlines=True)
|
|
Packit |
fd8b60 |
(out, dummy) = proc.communicate(ldif)
|
|
Packit |
fd8b60 |
output(out)
|
|
Packit |
fd8b60 |
return proc.wait()
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Configure the pid file and some authorization rules we will need for
|
|
Packit |
fd8b60 |
# SASL testing.
|
|
Packit |
fd8b60 |
if slap_add('dn: cn=config\n'
|
|
Packit |
fd8b60 |
'objectClass: olcGlobal\n'
|
|
Packit |
fd8b60 |
'olcPidFile: %s\n'
|
|
Packit |
fd8b60 |
'olcAuthzRegexp: '
|
|
Packit |
fd8b60 |
'".*uidNumber=%d,cn=peercred,cn=external,cn=auth" "%s"\n'
|
|
Packit |
fd8b60 |
'olcAuthzRegexp: "uid=digestuser,cn=digest-md5,cn=auth" "%s"\n' %
|
|
Packit |
fd8b60 |
(slapd_pidfile, os.geteuid(), admin_dn, admin_dn)) != 0:
|
|
Packit |
fd8b60 |
skip_rest('LDAP KDB tests', 'slapd basic configuration failed')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Find a working writable database type, trying mdb (added in OpenLDAP
|
|
Packit |
fd8b60 |
# 2.4.27) and bdb (deprecated and sometimes not built due to licensing
|
|
Packit |
fd8b60 |
# incompatibilities).
|
|
Packit |
fd8b60 |
for dbtype in ('mdb', 'bdb'):
|
|
Packit |
fd8b60 |
# Try to load the module. This could fail if OpenLDAP is built
|
|
Packit |
fd8b60 |
# without module support, so ignore errors.
|
|
Packit |
fd8b60 |
slap_add('dn: cn=module,cn=config\n'
|
|
Packit |
fd8b60 |
'objectClass: olcModuleList\n'
|
|
Packit |
fd8b60 |
'olcModuleLoad: back_%s\n' % dbtype)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
dbclass = 'olc%sConfig' % dbtype.capitalize()
|
|
Packit |
fd8b60 |
if slap_add('dn: olcDatabase=%s,cn=config\n'
|
|
Packit |
fd8b60 |
'objectClass: olcDatabaseConfig\n'
|
|
Packit |
fd8b60 |
'objectClass: %s\n'
|
|
Packit |
fd8b60 |
'olcSuffix: %s\n'
|
|
Packit |
fd8b60 |
'olcRootDN: %s\n'
|
|
Packit |
fd8b60 |
'olcRootPW: %s\n'
|
|
Packit |
fd8b60 |
'olcDbDirectory: %s\n' %
|
|
Packit |
fd8b60 |
(dbtype, dbclass, top_dn, admin_dn, admin_pw, dbdir)) == 0:
|
|
Packit |
fd8b60 |
break
|
|
Packit |
fd8b60 |
else:
|
|
Packit |
fd8b60 |
skip_rest('LDAP KDB tests', 'could not find working slapd db type')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
if slap_add('include: file://%s\n' % schema) != 0:
|
|
Packit |
fd8b60 |
skip_rest('LDAP KDB tests', 'failed to load Kerberos schema')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Load the core schema if we can.
|
|
Packit |
fd8b60 |
ldap_homes = ['/etc/ldap', '/etc/openldap', '/usr/local/etc/openldap',
|
|
Packit |
fd8b60 |
'/usr/local/etc/ldap']
|
|
Packit |
fd8b60 |
local_schema_path = '/schema/core.ldif'
|
|
Packit |
fd8b60 |
core_schema = next((i for i in map(lambda x:x+local_schema_path, ldap_homes)
|
|
Packit |
fd8b60 |
if os.path.isfile(i)), None)
|
|
Packit |
fd8b60 |
if core_schema:
|
|
Packit |
fd8b60 |
if slap_add('include: file://%s\n' % core_schema) != 0:
|
|
Packit |
fd8b60 |
core_schema = None
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
slapd_pid = -1
|
|
Packit |
fd8b60 |
def kill_slapd():
|
|
Packit |
fd8b60 |
global slapd_pid
|
|
Packit |
fd8b60 |
if slapd_pid != -1:
|
|
Packit |
fd8b60 |
os.kill(slapd_pid, signal.SIGTERM)
|
|
Packit |
fd8b60 |
slapd_pid = -1
|
|
Packit |
fd8b60 |
atexit.register(kill_slapd)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
out = open(slapd_out, 'w')
|
|
Packit |
fd8b60 |
subprocess.call([slapd, '-h', ldap_uri, '-F', slapd_conf], stdout=out,
|
|
Packit |
fd8b60 |
stderr=out, universal_newlines=True)
|
|
Packit |
fd8b60 |
out.close()
|
|
Packit |
fd8b60 |
pidf = open(slapd_pidfile, 'r')
|
|
Packit |
fd8b60 |
slapd_pid = int(pidf.read())
|
|
Packit |
fd8b60 |
pidf.close()
|
|
Packit |
fd8b60 |
output('*** Started slapd (pid %d, output in %s)\n' % (slapd_pid, slapd_out))
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# slapd detaches before it finishes setting up its listener sockets
|
|
Packit |
fd8b60 |
# (they are bound but listen() has not been called). Give it a second
|
|
Packit |
fd8b60 |
# to finish.
|
|
Packit |
fd8b60 |
time.sleep(1)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Run kdbtest against the LDAP module.
|
|
Packit |
fd8b60 |
conf = {'realms': {'$realm': {'database_module': 'ldap'}},
|
|
Packit |
fd8b60 |
'dbmodules': {'ldap': {'db_library': 'kldap',
|
|
Packit |
fd8b60 |
'ldap_kerberos_container_dn': top_dn,
|
|
Packit |
fd8b60 |
'ldap_kdc_dn': admin_dn,
|
|
Packit |
fd8b60 |
'ldap_kadmind_dn': admin_dn,
|
|
Packit |
fd8b60 |
'ldap_service_password_file': ldap_pwfile,
|
|
Packit |
fd8b60 |
'ldap_servers': ldap_uri}}}
|
|
Packit |
fd8b60 |
realm = K5Realm(create_kdb=False, kdc_conf=conf)
|
|
Packit |
fd8b60 |
input = admin_pw + '\n' + admin_pw + '\n'
|
|
Packit |
fd8b60 |
realm.run([kdb5_ldap_util, 'stashsrvpw', admin_dn], input=input)
|
|
Packit |
fd8b60 |
realm.run(['./kdbtest'])
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Run a kdb5_ldap_util command using the test server's admin DN and password.
|
|
Packit |
fd8b60 |
def kldaputil(args, **kw):
|
|
Packit |
fd8b60 |
return realm.run([kdb5_ldap_util, '-D', admin_dn, '-w', admin_pw] + args,
|
|
Packit |
fd8b60 |
**kw)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# kdbtest can't currently clean up after itself since the LDAP module
|
|
Packit |
fd8b60 |
# doesn't support krb5_db_destroy. So clean up after it with
|
|
Packit |
fd8b60 |
# kdb5_ldap_util before proceeding.
|
|
Packit |
fd8b60 |
kldaputil(['destroy', '-f'])
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
ldapmodify = which('ldapmodify')
|
|
Packit |
fd8b60 |
ldapsearch = which('ldapsearch')
|
|
Packit |
fd8b60 |
if not ldapmodify or not ldapsearch:
|
|
Packit |
fd8b60 |
skip_rest('some LDAP KDB tests', 'ldapmodify or ldapsearch not found')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
def ldap_search(args):
|
|
Packit |
fd8b60 |
proc = subprocess.Popen([ldapsearch, '-H', ldap_uri, '-b', top_dn,
|
|
Packit |
fd8b60 |
'-D', admin_dn, '-w', admin_pw, args],
|
|
Packit |
fd8b60 |
stdin=subprocess.PIPE, stdout=subprocess.PIPE,
|
|
Packit |
fd8b60 |
stderr=subprocess.STDOUT, universal_newlines=True)
|
|
Packit |
fd8b60 |
(out, dummy) = proc.communicate()
|
|
Packit |
fd8b60 |
return out
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
def ldap_modify(ldif, args=[]):
|
|
Packit |
fd8b60 |
proc = subprocess.Popen([ldapmodify, '-H', ldap_uri, '-D', admin_dn,
|
|
Packit |
fd8b60 |
'-x', '-w', admin_pw] + args,
|
|
Packit |
fd8b60 |
stdin=subprocess.PIPE, stdout=subprocess.PIPE,
|
|
Packit |
fd8b60 |
stderr=subprocess.STDOUT, universal_newlines=True)
|
|
Packit |
fd8b60 |
(out, dummy) = proc.communicate(ldif)
|
|
Packit |
fd8b60 |
output(out)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
def ldap_add(dn, objectclass, attrs=[]):
|
|
Packit |
fd8b60 |
in_data = 'dn: %s\nobjectclass: %s\n' % (dn, objectclass)
|
|
Packit |
fd8b60 |
in_data += '\n'.join(attrs) + '\n'
|
|
Packit |
fd8b60 |
ldap_modify(in_data, ['-a'])
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Create krbContainer objects for use as subtrees.
|
|
Packit |
fd8b60 |
ldap_add('cn=t1,cn=krb5', 'krbContainer')
|
|
Packit |
fd8b60 |
ldap_add('cn=t2,cn=krb5', 'krbContainer')
|
|
Packit |
fd8b60 |
ldap_add('cn=x,cn=t1,cn=krb5', 'krbContainer')
|
|
Packit |
fd8b60 |
ldap_add('cn=y,cn=t2,cn=krb5', 'krbContainer')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Create a realm, exercising all of the realm options.
|
|
Packit |
fd8b60 |
kldaputil(['create', '-s', '-P', 'master', '-subtrees', 'cn=t2,cn=krb5',
|
|
Packit |
fd8b60 |
'-containerref', 'cn=t2,cn=krb5', '-sscope', 'one',
|
|
Packit |
fd8b60 |
'-maxtktlife', '5min', '-maxrenewlife', '10min', '-allow_svr'])
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Modify the realm, exercising overlapping subtree pruning.
|
|
Packit |
fd8b60 |
kldaputil(['modify', '-subtrees',
|
|
Packit |
fd8b60 |
'cn=x,cn=t1,cn=krb5:cn=t1,cn=krb5:cn=t2,cn=krb5:cn=y,cn=t2,cn=krb5',
|
|
Packit |
fd8b60 |
'-containerref', 'cn=t1,cn=krb5', '-sscope', 'sub',
|
|
Packit |
fd8b60 |
'-maxtktlife', '5hour', '-maxrenewlife', '10hour', '+allow_svr'])
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
out = kldaputil(['list'])
|
|
Packit |
fd8b60 |
if out != 'KRBTEST.COM\n':
|
|
Packit |
fd8b60 |
fail('Unexpected kdb5_ldap_util list output')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Create a principal at a specified DN. This is a little dodgy
|
|
Packit |
fd8b60 |
# because we're sticking a krbPrincipalAux objectclass onto a subtree
|
|
Packit |
fd8b60 |
# krbContainer, but it works and it avoids having to load core.schema
|
|
Packit |
fd8b60 |
# in the test LDAP server.
|
|
Packit |
fd8b60 |
mark('LDAP specified dn')
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=krb5', 'princ1'],
|
|
Packit |
fd8b60 |
expected_code=1, expected_msg='DN is out of the realm subtree')
|
|
Packit |
fd8b60 |
# Check that the DN container check is a hierarchy test, not a simple
|
|
Packit |
fd8b60 |
# suffix match (CVE-2018-5730). We expect this operation to fail
|
|
Packit |
fd8b60 |
# either way (because "xcn" isn't a valid DN tag) but the container
|
|
Packit |
fd8b60 |
# check should happen before the DN is parsed.
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=xcn=t1,cn=krb5', 'princ1'],
|
|
Packit |
fd8b60 |
expected_code=1, expected_msg='DN is out of the realm subtree')
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=t2,cn=krb5', 'princ1'])
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'getprinc', 'princ1'], expected_msg='Principal: princ1')
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=t2,cn=krb5', 'again'],
|
|
Packit |
fd8b60 |
expected_code=1, expected_msg='ldap object is already kerberized')
|
|
Packit |
fd8b60 |
# Check that we can't set linkdn on a non-standalone object.
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'modprinc', '-x', 'linkdn=cn=t1,cn=krb5', 'princ1'],
|
|
Packit |
fd8b60 |
expected_code=1, expected_msg='link information can not be set')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Create a principal with a specified linkdn.
|
|
Packit |
fd8b60 |
mark('LDAP specified linkdn')
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'ank', '-randkey', '-x', 'linkdn=cn=krb5', 'princ2'],
|
|
Packit |
fd8b60 |
expected_code=1, expected_msg='DN is out of the realm subtree')
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'ank', '-randkey', '-x', 'linkdn=cn=t1,cn=krb5', 'princ2'])
|
|
Packit |
fd8b60 |
# Check that we can't reset linkdn.
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'modprinc', '-x', 'linkdn=cn=t2,cn=krb5', 'princ2'],
|
|
Packit |
fd8b60 |
expected_code=1, expected_msg='kerberos principal is already linked')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Create a principal with a specified containerdn.
|
|
Packit |
fd8b60 |
mark('LDAP specified containerdn')
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'ank', '-randkey', '-x', 'containerdn=cn=krb5', 'princ3'],
|
|
Packit |
fd8b60 |
expected_code=1, expected_msg='DN is out of the realm subtree')
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'ank', '-randkey', '-x', 'containerdn=cn=t1,cn=krb5',
|
|
Packit |
fd8b60 |
'princ3'])
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'modprinc', '-x', 'containerdn=cn=t2,cn=krb5', 'princ3'],
|
|
Packit |
fd8b60 |
expected_code=1, expected_msg='containerdn option not supported')
|
|
Packit |
fd8b60 |
# Verify that containerdn is checked when linkdn is also supplied
|
|
Packit |
fd8b60 |
# (CVE-2018-5730).
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'ank', '-randkey', '-x', 'containerdn=cn=krb5',
|
|
Packit |
fd8b60 |
'-x', 'linkdn=cn=t2,cn=krb5', 'princ4'], expected_code=1,
|
|
Packit |
fd8b60 |
expected_msg='DN is out of the realm subtree')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
mark('LDAP ticket policy')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Create and modify a ticket policy.
|
|
Packit |
fd8b60 |
kldaputil(['create_policy', '-maxtktlife', '3hour', '-maxrenewlife', '6hour',
|
|
Packit |
fd8b60 |
'-allow_forwardable', 'tktpol'])
|
|
Packit |
fd8b60 |
kldaputil(['modify_policy', '-maxtktlife', '4hour', '-maxrenewlife', '8hour',
|
|
Packit |
fd8b60 |
'+requires_preauth', 'tktpol'])
|
|
Packit |
fd8b60 |
out = kldaputil(['view_policy', 'tktpol'])
|
|
Packit |
fd8b60 |
if ('Ticket policy: tktpol\n' not in out or
|
|
Packit |
fd8b60 |
'Maximum ticket life: 0 days 04:00:00\n' not in out or
|
|
Packit |
fd8b60 |
'Maximum renewable life: 0 days 08:00:00\n' not in out or
|
|
Packit |
fd8b60 |
'Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PRE_AUTH' not in out):
|
|
Packit |
fd8b60 |
fail('Unexpected kdb5_ldap_util view_policy output')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
out = kldaputil(['list_policy'])
|
|
Packit |
fd8b60 |
if out != 'tktpol\n':
|
|
Packit |
fd8b60 |
fail('Unexpected kdb5_ldap_util list_policy output')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Associate the ticket policy to a principal.
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'ank', '-randkey', '-x', 'tktpolicy=tktpol', 'princ4'])
|
|
Packit |
fd8b60 |
out = realm.run([kadminl, 'getprinc', 'princ4'])
|
|
Packit |
fd8b60 |
if ('Maximum ticket life: 0 days 04:00:00\n' not in out or
|
|
Packit |
fd8b60 |
'Maximum renewable life: 0 days 08:00:00\n' not in out or
|
|
Packit |
fd8b60 |
'Attributes: DISALLOW_FORWARDABLE REQUIRES_PRE_AUTH\n' not in out):
|
|
Packit |
fd8b60 |
fail('Unexpected getprinc output with ticket policy')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Destroying the policy should fail while a principal references it.
|
|
Packit |
fd8b60 |
kldaputil(['destroy_policy', '-force', 'tktpol'], expected_code=1)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Dissociate the ticket policy from the principal.
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'modprinc', '-x', 'tktpolicy=', 'princ4'])
|
|
Packit |
fd8b60 |
out = realm.run([kadminl, 'getprinc', 'princ4'])
|
|
Packit |
fd8b60 |
if ('Maximum ticket life: 0 days 05:00:00\n' not in out or
|
|
Packit |
fd8b60 |
'Maximum renewable life: 0 days 10:00:00\n' not in out or
|
|
Packit |
fd8b60 |
'Attributes:\n' not in out):
|
|
Packit |
fd8b60 |
fail('Unexpected getprinc output without ticket policy')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Destroy the ticket policy.
|
|
Packit |
fd8b60 |
kldaputil(['destroy_policy', '-force', 'tktpol'])
|
|
Packit |
fd8b60 |
kldaputil(['view_policy', 'tktpol'], expected_code=1)
|
|
Packit |
fd8b60 |
out = kldaputil(['list_policy'])
|
|
Packit |
fd8b60 |
if out:
|
|
Packit |
fd8b60 |
fail('Unexpected kdb5_ldap_util list_policy output after destroy')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Create another ticket policy to be destroyed with the realm.
|
|
Packit |
fd8b60 |
kldaputil(['create_policy', 'tktpol2'])
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Try to create a password policy conflicting with a ticket policy.
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'addpol', 'tktpol2'], expected_code=1,
|
|
Packit |
fd8b60 |
expected_msg='Already exists while creating policy "tktpol2"')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Try to create a ticket policy conflicting with a password policy.
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'addpol', 'pwpol'])
|
|
Packit |
fd8b60 |
out = kldaputil(['create_policy', 'pwpol'], expected_code=1)
|
|
Packit |
fd8b60 |
if 'Already exists while creating policy object' not in out:
|
|
Packit |
fd8b60 |
fail('Expected error not seen in kdb5_ldap_util output')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Try to use a password policy as a ticket policy.
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'modprinc', '-x', 'tktpolicy=pwpol', 'princ4'],
|
|
Packit |
fd8b60 |
expected_code=1, expected_msg='Object class violation')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Use a ticket policy as a password policy (CVE-2014-5353). This
|
|
Packit |
fd8b60 |
# works with a warning; use kadmin.local -q so the warning is shown.
|
|
Packit |
fd8b60 |
realm.run([kadminl, '-q', 'modprinc -policy tktpol2 princ4'],
|
|
Packit |
fd8b60 |
expected_msg='WARNING: policy "tktpol2" does not exist')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Do some basic tests with a KDC against the LDAP module, exercising the
|
|
Packit |
fd8b60 |
# db_args processing code.
|
|
Packit |
fd8b60 |
mark('LDAP KDC operation')
|
|
Packit |
fd8b60 |
realm.start_kdc(['-x', 'nconns=3', '-x', 'host=' + ldap_uri,
|
|
Packit |
fd8b60 |
'-x', 'binddn=' + admin_dn, '-x', 'bindpwd=' + admin_pw])
|
|
Packit |
fd8b60 |
realm.addprinc(realm.user_princ, password('user'))
|
|
Packit |
fd8b60 |
realm.addprinc(realm.host_princ)
|
|
Packit |
fd8b60 |
realm.extract_keytab(realm.host_princ, realm.keytab)
|
|
Packit |
fd8b60 |
realm.kinit(realm.user_princ, password('user'))
|
|
Packit |
fd8b60 |
realm.run([kvno, realm.host_princ])
|
|
Packit |
fd8b60 |
realm.klist(realm.user_princ, realm.host_princ)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
mark('LDAP auth indicator')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test require_auth normalization.
|
|
Packit |
fd8b60 |
realm.addprinc('authind', password('authind'))
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'setstr', 'authind', 'require_auth', 'otp radius'])
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Check that krbPrincipalAuthInd attributes are set when the string
|
|
Packit |
fd8b60 |
# attribute it set.
|
|
Packit |
fd8b60 |
out = ldap_search('(krbPrincipalName=authind*)')
|
|
Packit |
fd8b60 |
if 'krbPrincipalAuthInd: otp' not in out:
|
|
Packit |
fd8b60 |
fail('Expected krbPrincipalAuthInd value not in output')
|
|
Packit |
fd8b60 |
if 'krbPrincipalAuthInd: radius' not in out:
|
|
Packit |
fd8b60 |
fail('Expected krbPrincipalAuthInd value not in output')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Check that the string attribute still appears when the principal is
|
|
Packit |
fd8b60 |
# loaded.
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'getstrs', 'authind'],
|
|
Packit |
fd8b60 |
expected_msg='require_auth: otp radius')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Modify the LDAP attributes and check that the change is reflected in
|
|
Packit |
fd8b60 |
# the string attribute.
|
|
Packit |
fd8b60 |
ldap_modify('dn: krbPrincipalName=authind@KRBTEST.COM,cn=t1,cn=krb5\n'
|
|
Packit |
fd8b60 |
'changetype: modify\n'
|
|
Packit |
fd8b60 |
'replace: krbPrincipalAuthInd\n'
|
|
Packit |
fd8b60 |
'krbPrincipalAuthInd: radius\n'
|
|
Packit |
fd8b60 |
'krbPrincipalAuthInd: pkinit\n')
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'getstrs', 'authind'],
|
|
Packit |
fd8b60 |
expected_msg='require_auth: radius pkinit')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Regression test for #8877: remove the string attribute and check
|
|
Packit |
fd8b60 |
# that it is reflected in the LDAP attributes and by getstrs.
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'delstr', 'authind', 'require_auth'])
|
|
Packit |
fd8b60 |
out = ldap_search('(krbPrincipalName=authind*)')
|
|
Packit |
fd8b60 |
if 'krbPrincipalAuthInd' in out:
|
|
Packit |
fd8b60 |
fail('krbPrincipalAuthInd attribute still present after delstr')
|
|
Packit |
fd8b60 |
out = realm.run([kadminl, 'getstrs', 'authind'])
|
|
Packit |
fd8b60 |
if 'require_auth' in out:
|
|
Packit |
fd8b60 |
fail('require_auth string attribute still visible after delstr')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
mark('LDAP service principal aliases')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test service principal aliases.
|
|
Packit |
fd8b60 |
realm.addprinc('canon', password('canon'))
|
|
Packit |
fd8b60 |
ldap_modify('dn: krbPrincipalName=canon@KRBTEST.COM,cn=t1,cn=krb5\n'
|
|
Packit |
fd8b60 |
'changetype: modify\n'
|
|
Packit |
fd8b60 |
'add: krbPrincipalName\n'
|
|
Packit |
fd8b60 |
'krbPrincipalName: alias@KRBTEST.COM\n'
|
|
Packit |
fd8b60 |
'krbPrincipalName: ent@abc@KRBTEST.COM\n'
|
|
Packit |
fd8b60 |
'-\n'
|
|
Packit |
fd8b60 |
'add: krbCanonicalName\n'
|
|
Packit |
fd8b60 |
'krbCanonicalName: canon@KRBTEST.COM\n')
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'getprinc', 'alias'],
|
|
Packit |
fd8b60 |
expected_msg='Principal: canon@KRBTEST.COM\n')
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'getprinc', 'ent\@abc'],
|
|
Packit |
fd8b60 |
expected_msg='Principal: canon@KRBTEST.COM\n')
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'getprinc', 'canon'],
|
|
Packit |
fd8b60 |
expected_msg='Principal: canon@KRBTEST.COM\n')
|
|
Packit |
fd8b60 |
realm.run([kvno, 'alias', 'canon'])
|
|
Packit |
fd8b60 |
out = realm.run([klist])
|
|
Packit |
fd8b60 |
if 'alias@KRBTEST.COM\n' not in out or 'canon@KRBTEST.COM' not in out:
|
|
Packit |
fd8b60 |
fail('After fetching alias and canon, klist is missing one or both')
|
|
Packit |
fd8b60 |
realm.kinit(realm.user_princ, password('user'), ['-S', 'alias'])
|
|
Packit |
fd8b60 |
realm.klist(realm.user_princ, 'alias@KRBTEST.COM')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Make sure an alias to the local TGS is still treated like an alias.
|
|
Packit |
fd8b60 |
ldap_modify('dn: krbPrincipalName=krbtgt/KRBTEST.COM@KRBTEST.COM,'
|
|
Packit |
fd8b60 |
'cn=KRBTEST.COM,cn=krb5\n'
|
|
Packit |
fd8b60 |
'changetype: modify\n'
|
|
Packit |
fd8b60 |
'add:krbPrincipalName\n'
|
|
Packit |
fd8b60 |
'krbPrincipalName: tgtalias@KRBTEST.COM\n'
|
|
Packit |
fd8b60 |
'-\n'
|
|
Packit |
fd8b60 |
'add: krbCanonicalName\n'
|
|
Packit |
fd8b60 |
'krbCanonicalName: krbtgt/KRBTEST.COM@KRBTEST.COM\n')
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'getprinc', 'tgtalias'],
|
|
Packit |
fd8b60 |
expected_msg='Principal: krbtgt/KRBTEST.COM@KRBTEST.COM')
|
|
Packit |
fd8b60 |
realm.kinit(realm.user_princ, password('user'))
|
|
Packit |
fd8b60 |
realm.run([kvno, 'tgtalias'])
|
|
Packit |
fd8b60 |
realm.klist(realm.user_princ, 'tgtalias@KRBTEST.COM')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Make sure aliases work in header tickets.
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'modprinc', '-maxrenewlife', '3 hours', 'user'])
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'modprinc', '-maxrenewlife', '3 hours',
|
|
Packit |
fd8b60 |
'krbtgt/KRBTEST.COM'])
|
|
Packit |
fd8b60 |
realm.kinit(realm.user_princ, password('user'), ['-l', '1h', '-r', '2h'])
|
|
Packit |
fd8b60 |
realm.run([kvno, 'alias'])
|
|
Packit |
fd8b60 |
realm.kinit(realm.user_princ, flags=['-R', '-S', 'alias'])
|
|
Packit |
fd8b60 |
realm.klist(realm.user_princ, 'alias@KRBTEST.COM')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test client principal aliases, with and without preauth.
|
|
Packit |
fd8b60 |
realm.kinit('canon', password('canon'))
|
|
Packit |
fd8b60 |
realm.kinit('alias', password('canon'))
|
|
Packit |
fd8b60 |
realm.run([kvno, 'alias'])
|
|
Packit |
fd8b60 |
realm.klist('alias@KRBTEST.COM', 'alias@KRBTEST.COM')
|
|
Packit |
fd8b60 |
realm.kinit('alias', password('canon'), ['-C'])
|
|
Packit |
fd8b60 |
realm.run([kvno, 'alias'])
|
|
Packit |
fd8b60 |
realm.klist('canon@KRBTEST.COM', 'alias@KRBTEST.COM')
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'modprinc', '+requires_preauth', 'canon'])
|
|
Packit |
fd8b60 |
realm.kinit('canon', password('canon'))
|
|
Packit |
fd8b60 |
realm.kinit('alias', password('canon'), ['-C'])
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test enterprise alias with and without canonicalization.
|
|
Packit |
fd8b60 |
realm.kinit('ent@abc', password('canon'), ['-E', '-C'])
|
|
Packit |
fd8b60 |
realm.run([kvno, 'alias'])
|
|
Packit |
fd8b60 |
realm.klist('canon@KRBTEST.COM', 'alias@KRBTEST.COM')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
realm.kinit('ent@abc', password('canon'), ['-E'])
|
|
Packit |
fd8b60 |
realm.run([kvno, 'alias'])
|
|
Packit |
fd8b60 |
realm.klist('ent\@abc@KRBTEST.COM', 'alias@KRBTEST.COM')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test client name canonicalization in non-krbtgt AS reply
|
|
Packit |
fd8b60 |
realm.kinit('alias', password('canon'), ['-C', '-S', 'kadmin/changepw'])
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
mark('LDAP password history')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test password history.
|
|
Packit |
fd8b60 |
def test_pwhist(nhist):
|
|
Packit |
fd8b60 |
def cpw(n, **kwargs):
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'cpw', '-pw', str(n), princ], **kwargs)
|
|
Packit |
fd8b60 |
def cpw_fail(n):
|
|
Packit |
fd8b60 |
cpw(n, expected_code=1)
|
|
Packit |
fd8b60 |
output('*** Testing password history of size %d\n' % nhist)
|
|
Packit |
fd8b60 |
princ = 'pwhistprinc' + str(nhist)
|
|
Packit |
fd8b60 |
pol = 'pwhistpol' + str(nhist)
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'addpol', '-history', str(nhist), pol])
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'addprinc', '-policy', pol, '-nokey', princ])
|
|
Packit |
fd8b60 |
for i in range(nhist):
|
|
Packit |
fd8b60 |
# Set a password, then check that all previous passwords fail.
|
|
Packit |
fd8b60 |
cpw(i)
|
|
Packit |
fd8b60 |
for j in range(i + 1):
|
|
Packit |
fd8b60 |
cpw_fail(j)
|
|
Packit |
fd8b60 |
# Set one more new password, and make sure the oldest key is
|
|
Packit |
fd8b60 |
# rotated out.
|
|
Packit |
fd8b60 |
cpw(nhist)
|
|
Packit |
fd8b60 |
cpw_fail(1)
|
|
Packit |
fd8b60 |
cpw(0)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
for n in (1, 2, 3, 4, 5):
|
|
Packit |
fd8b60 |
test_pwhist(n)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Regression test for #8193: test password character class requirements.
|
|
Packit |
fd8b60 |
princ = 'charclassprinc'
|
|
Packit |
fd8b60 |
pol = 'charclasspol'
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'addpol', '-minclasses', '3', pol])
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'addprinc', '-policy', pol, '-nokey', princ])
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'cpw', '-pw', 'abcdef', princ], expected_code=1)
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'cpw', '-pw', 'Abcdef', princ], expected_code=1)
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'cpw', '-pw', 'Abcdef1', princ])
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test principal renaming and make sure last modified is changed
|
|
Packit |
fd8b60 |
def get_princ(princ):
|
|
Packit |
fd8b60 |
out = realm.run([kadminl, 'getprinc', princ])
|
|
Packit |
fd8b60 |
return dict(map(str.strip, x.split(":", 1)) for x in out.splitlines())
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
mark('LDAP principal renaming')
|
|
Packit |
fd8b60 |
realm.addprinc("rename", password('rename'))
|
|
Packit |
fd8b60 |
renameprinc = get_princ("rename")
|
|
Packit |
fd8b60 |
realm.run([kadminl, '-p', 'fake@KRBTEST.COM', 'renprinc', 'rename', 'renamed'])
|
|
Packit |
fd8b60 |
renamedprinc = get_princ("renamed")
|
|
Packit |
fd8b60 |
if renameprinc['Last modified'] == renamedprinc['Last modified']:
|
|
Packit |
fd8b60 |
fail('Last modified data not updated when principal was renamed')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Regression test for #7980 (fencepost when dividing keys up by kvno).
|
|
Packit |
fd8b60 |
mark('#7980 regression test')
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts,aes128-cts',
|
|
Packit |
fd8b60 |
'kvnoprinc'])
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'cpw', '-randkey', '-keepold', '-e',
|
|
Packit |
fd8b60 |
'aes256-cts,aes128-cts', 'kvnoprinc'])
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'getprinc', 'kvnoprinc'], expected_msg='Number of keys: 4')
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'cpw', '-randkey', '-keepold', '-e',
|
|
Packit |
fd8b60 |
'aes256-cts,aes128-cts', 'kvnoprinc'])
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'getprinc', 'kvnoprinc'], expected_msg='Number of keys: 6')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Regression test for #8041 (NULL dereference on keyless principals).
|
|
Packit |
fd8b60 |
mark('#8041 regression test')
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'addprinc', '-nokey', 'keylessprinc'])
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'getprinc', 'keylessprinc'],
|
|
Packit |
fd8b60 |
expected_msg='Number of keys: 0')
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'cpw', '-randkey', '-e', 'aes256-cts,aes128-cts',
|
|
Packit |
fd8b60 |
'keylessprinc'])
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'cpw', '-randkey', '-keepold', '-e',
|
|
Packit |
fd8b60 |
'aes256-cts,aes128-cts', 'keylessprinc'])
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'getprinc', 'keylessprinc'],
|
|
Packit |
fd8b60 |
expected_msg='Number of keys: 4')
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'purgekeys', '-all', 'keylessprinc'])
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'getprinc', 'keylessprinc'],
|
|
Packit |
fd8b60 |
expected_msg='Number of keys: 0')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test for 8354 (old password history entries when -keepold is used)
|
|
Packit |
fd8b60 |
mark('#8354 regression test')
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'addpol', '-history', '2', 'keepoldpasspol'])
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'addprinc', '-policy', 'keepoldpasspol', '-pw', 'aaaa',
|
|
Packit |
fd8b60 |
'keepoldpassprinc'])
|
|
Packit |
fd8b60 |
for p in ('bbbb', 'cccc', 'aaaa'):
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'cpw', '-keepold', '-pw', p, 'keepoldpassprinc'])
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
if runenv.sizeof_time_t <= 4:
|
|
Packit |
fd8b60 |
skipped('y2038 LDAP test', 'platform has 32-bit time_t')
|
|
Packit |
fd8b60 |
else:
|
|
Packit |
fd8b60 |
# Test storage of timestamps after y2038.
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'modprinc', '-pwexpire', '2040-02-03', 'user'])
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'getprinc', 'user'], expected_msg=' 2040\n')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Regression test for #8861 (pw_expiration policy enforcement).
|
|
Packit |
fd8b60 |
mark('pw_expiration propogation')
|
|
Packit |
fd8b60 |
# Create a policy with a max life and verify its application.
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'addpol', '-maxlife', '1s', 'pw_e'])
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'addprinc', '-policy', 'pw_e', '-pw', 'password',
|
|
Packit |
fd8b60 |
'pwuser'])
|
|
Packit |
fd8b60 |
out = realm.run([kadminl, 'getprinc', 'pwuser'],
|
|
Packit |
fd8b60 |
expected_msg='Password expiration date: ')
|
|
Packit |
fd8b60 |
if 'Password expiration date: [never]' in out:
|
|
Packit |
fd8b60 |
fail('pw_expiration not applied at principal creation')
|
|
Packit |
fd8b60 |
# Unset the policy max life and verify its application during password
|
|
Packit |
fd8b60 |
# change.
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'modpol', '-maxlife', '0', 'pw_e'])
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'cpw', '-pw', 'password_', 'pwuser'])
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'getprinc', 'pwuser'],
|
|
Packit |
fd8b60 |
expected_msg='Password expiration date: [never]')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
realm.stop()
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Briefly test dump and load.
|
|
Packit |
fd8b60 |
mark('LDAP dump and load')
|
|
Packit |
fd8b60 |
dumpfile = os.path.join(realm.testdir, 'dump')
|
|
Packit |
fd8b60 |
realm.run([kdb5_util, 'dump', dumpfile])
|
|
Packit |
fd8b60 |
realm.run([kdb5_util, 'load', dumpfile], expected_code=1,
|
|
Packit |
fd8b60 |
expected_msg='KDB module requires -update argument')
|
|
Packit |
fd8b60 |
realm.run([kdb5_util, 'load', '-update', dumpfile])
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Destroy the realm.
|
|
Packit |
fd8b60 |
kldaputil(['destroy', '-f'])
|
|
Packit |
fd8b60 |
out = kldaputil(['list'])
|
|
Packit |
fd8b60 |
if out:
|
|
Packit |
fd8b60 |
fail('Unexpected kdb5_ldap_util list output after destroy')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
if not core_schema:
|
|
Packit |
fd8b60 |
skip_rest('LDAP SASL tests', 'core schema not found')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
if runenv.have_sasl != 'yes':
|
|
Packit |
fd8b60 |
skip_rest('LDAP SASL tests', 'SASL support not built')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test SASL EXTERNAL auth. Remove the DNs and service password file
|
|
Packit |
fd8b60 |
# from the DB module config.
|
|
Packit |
fd8b60 |
mark('LDAP SASL EXTERNAL auth')
|
|
Packit |
fd8b60 |
os.remove(ldap_pwfile)
|
|
Packit |
fd8b60 |
dbmod = conf['dbmodules']['ldap']
|
|
Packit |
fd8b60 |
dbmod['ldap_kdc_sasl_mech'] = dbmod['ldap_kadmind_sasl_mech'] = 'EXTERNAL'
|
|
Packit |
fd8b60 |
del dbmod['ldap_service_password_file']
|
|
Packit |
fd8b60 |
del dbmod['ldap_kdc_dn'], dbmod['ldap_kadmind_dn']
|
|
Packit |
fd8b60 |
realm = K5Realm(create_kdb=False, kdc_conf=conf)
|
|
Packit |
fd8b60 |
realm.run([kdb5_ldap_util, 'create', '-s', '-P', 'master'])
|
|
Packit |
fd8b60 |
realm.start_kdc()
|
|
Packit |
fd8b60 |
realm.addprinc(realm.user_princ, password('user'))
|
|
Packit |
fd8b60 |
realm.kinit(realm.user_princ, password('user'))
|
|
Packit |
fd8b60 |
realm.stop()
|
|
Packit |
fd8b60 |
realm.run([kdb5_ldap_util, 'destroy', '-f'])
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test SASL DIGEST-MD5 auth. We need to set a clear-text password for
|
|
Packit |
fd8b60 |
# the admin DN, so create a person entry (requires the core schema).
|
|
Packit |
fd8b60 |
# Restore the service password file in the config and set authcids.
|
|
Packit |
fd8b60 |
mark('LDAP SASL DIGEST-MD5 auth')
|
|
Packit |
fd8b60 |
ldap_add('cn=admin,cn=krb5', 'person',
|
|
Packit |
fd8b60 |
['sn: dummy', 'userPassword: admin'])
|
|
Packit |
fd8b60 |
dbmod['ldap_kdc_sasl_mech'] = dbmod['ldap_kadmind_sasl_mech'] = 'DIGEST-MD5'
|
|
Packit |
fd8b60 |
dbmod['ldap_kdc_sasl_authcid'] = 'digestuser'
|
|
Packit |
fd8b60 |
dbmod['ldap_kadmind_sasl_authcid'] = 'digestuser'
|
|
Packit |
fd8b60 |
dbmod['ldap_service_password_file'] = ldap_pwfile
|
|
Packit |
fd8b60 |
realm = K5Realm(create_kdb=False, kdc_conf=conf)
|
|
Packit |
fd8b60 |
input = admin_pw + '\n' + admin_pw + '\n'
|
|
Packit |
fd8b60 |
realm.run([kdb5_ldap_util, 'stashsrvpw', 'digestuser'], input=input)
|
|
Packit |
fd8b60 |
realm.run([kdb5_ldap_util, 'create', '-s', '-P', 'master'])
|
|
Packit |
fd8b60 |
realm.start_kdc()
|
|
Packit |
fd8b60 |
realm.addprinc(realm.user_princ, password('user'))
|
|
Packit |
fd8b60 |
realm.kinit(realm.user_princ, password('user'))
|
|
Packit |
fd8b60 |
realm.stop()
|
|
Packit |
fd8b60 |
# Exercise DB options, which should cause binding to fail.
|
|
Packit |
fd8b60 |
realm.run([kadminl, '-x', 'sasl_authcid=ab', 'getprinc', 'user'],
|
|
Packit |
fd8b60 |
expected_code=1, expected_msg='Cannot bind to LDAP server')
|
|
Packit |
fd8b60 |
realm.run([kadminl, '-x', 'bindpwd=wrong', 'getprinc', 'user'],
|
|
Packit |
fd8b60 |
expected_code=1, expected_msg='Cannot bind to LDAP server')
|
|
Packit |
fd8b60 |
realm.run([kdb5_ldap_util, 'destroy', '-f'])
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# We could still use tests to exercise:
|
|
Packit |
fd8b60 |
# * DB arg handling in krb5_ldap_create
|
|
Packit |
fd8b60 |
# * krbAllowedToDelegateTo attribute processing
|
|
Packit |
fd8b60 |
# * A load operation overwriting a standalone principal entry which
|
|
Packit |
fd8b60 |
# already exists but doesn't have a krbPrincipalName attribute
|
|
Packit |
fd8b60 |
# matching the principal name.
|
|
Packit |
fd8b60 |
# * A bunch of invalid-input error conditions
|
|
Packit |
fd8b60 |
#
|
|
Packit |
fd8b60 |
# There is no coverage for the following because it would be difficult:
|
|
Packit |
fd8b60 |
# * Out-of-memory error conditions
|
|
Packit |
fd8b60 |
# * Handling of failures from slapd (including krb5_retry_get_ldap_handle)
|
|
Packit |
fd8b60 |
# * Handling of servers which don't support mod-increment
|
|
Packit |
fd8b60 |
# * krb5_ldap_delete_krbcontainer (only happens if krb5_ldap_create fails)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
success('LDAP and DB2 KDB tests')
|