@William Brown <wbr...@suse.de> Please check the attached test case.
I want to put the escape_bytes function into the lib389 utils.py file.

Regards
Anuj Borah

On Mon, Jun 10, 2019 at 2:18 PM William Brown <wbr...@suse.de> wrote:
>
> > On 9 Jun 2019, at 03:40, Anuj Borah <abo...@redhat.com> wrote:
> >
> > @William Brown
> >
> > Yes, it does.
> >
> > Currently I am porting this bug
> > https://bugzilla.redhat.com/show_bug.cgi?id=170520
> >
> > I think with the help of this script it will be impossible to port it.
>
> I'm not authorised to view that bug. :)
>
> I think you'll need to describe, exactly, in sequence the order of events
> you want to test so I can advise properly.
>
> > Do you have any advice?
> >
> > Regards
> > Anuj Borah
> >
> > On Fri, Jun 7, 2019 at 2:47 PM William Brown <wbr...@suse.de> wrote:
> > I haven't read the link but maybe there is some confusion about TLS
> > binding here. You do the create_rsa_user and that only sets up the
> > certificates.
> >
> > > On 4 Jun 2019, at 17:51, Anuj Borah <abo...@redhat.com> wrote:
> > >
> > > @William Brown
> > >
> > > Thanks, I am doing the same. Trying to follow it. (I have made this
> > > script 99% pass)
> > >
> > > But it's way too old. It uses some like:
> > >
> > > standalone.nss_ssl.create_rsa_user('testuser') ---- not valid
> > > (NssSsl(standalone).create_rsa_user('testuser'))
> > >
> > > standalone.nss_ssl.get_rsa_user('testuser') ------ not valid
> > > (NssSsl(standalone).get_rsa_user('testuser'))
> >
> > IIRC this syntax is valid, but maybe the linking type was removed.
> >
> > > standalone.openConnection --- I don't know what it is. Maybe bind.
> >
> > Yes, I think this is bind now. If you grep for create_rsa_user in the
> > tests you may find another example.
> >
> > > And most importantly, after I have made this script 99% pass, I am
> > > not able to see the usercertificate field in the test user that was created
> > > during the test while I do _unsafe_raw_entry().
> >
> > Because you don't need it. The certificate's cn is mapped to the cn in
> > the directory, and then because the certificate was issued by the CA, it
> > "confirms" the user's identity. No userCertificate attribute required.
> >
> > There is a configuration that DOES require the certificate to not only
> > be signed, but also in userCertificate for binary matching, but this is a
> > configuration option, not the default. I seem to recall helping document
> > all this with Marc, so it should be in the latest RHDS documentation.
> > Generally though, the userCertificate attribute today would be used to
> > allow a client like SSSD to read the userCertificate to allow smartCard
> > authentication to a workstation.
> >
> > Does that help a bit?
> >
> > > Also mind changing the lib389 doc
> > > https://spichugi.fedorapeople.org/html/guidelines.html#setting-up-ssl-tls
> > > It's the same test case given there, which is not relevant now.
> > >
> > > Regards
> > > Anuj Borah
> > >
> > > On Tue, Jun 4, 2019 at 9:08 PM William Brown <wbr...@suse.de> wrote:
> > > I'm currently traveling at the moment, but I can have a look later to
> > > update this to work on latest lib389 etc.
> > >
> > > You can read it and use it as an example though, even if it doesn't
> > > pass ...
> > >
> > > > On 4 Jun 2019, at 16:32, Anuj Borah <abo...@redhat.com> wrote:
> > > >
> > > > @William Brown
> > > >
> > > > This test script does not pass. It's too old.
> > > >
> > > > Regards
> > > > Anuj Borah
> > > >
> > > > On Tue, Jun 4, 2019 at 8:00 PM William Brown <wbr...@suse.de> wrote:
> > > > Have a look at this test case if you want to do usercertificate
> > > > generation and authentication :)
> > > >
> > > > https://pagure.io/389-ds-base/blob/master/f/src/lib389/lib389/tests/tls_external_test.py
> > > >
> > > > > On 4 Jun 2019, at 14:31, Anuj Borah <abo...@redhat.com> wrote:
> > > > >
> > > > > Hi all,
> > > > >
> > > > > Let's say I want to create a user with a userCertificate field.
> > > > > My user will look like below.
> > > > >
> > > > > users_people = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
> > > > > users_people.create(properties={
> > > > >     'uid': 'certUser2',
> > > > >     'cn': 'CUser2',
> > > > >     'sn': 'CertificateUser2',
> > > > >     'givenName': 'CU2',
> > > > >     'description': "This is certUser2's description",
> > > > >     'mail': 'certus...@example.com',
> > > > >     'userPassword': PW_DM,
> > > > >     'userCertificate': 'some_cert_+++NUhz+Rigq7xT5g0Jqo1gXq1jJFdCw==',
> > > > >     'manager': f'uid=certUser2,ou=People,{DEFAULT_SUFFIX}',
> > > > >     'homeDirectory': '/home/' + 'certUser2',
> > > > >     'uidNumber': '1000',
> > > > >     'gidNumber': '2000'
> > > > > })
> > > > >
> > > > > Here I have put the userCertificate field manually (which I don't want
> > > > > to do). But how can I achieve this without putting the userCertificate
> > > > > field manually? Like create a user and the userCertificate field will be
> > > > > auto-filled with auto-generated certificates.
> > > > >
> > > > > Regards
> > > > > Anuj Borah
> > > > > _______________________________________________
> > > > > 389-devel mailing list -- 389-devel@lists.fedoraproject.org
> > > > > To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
> > > > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > > > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > > List Archives: https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
> > > >
> > > > —
> > > > Sincerely,
> > > >
> > > > William Brown
> > > >
> > > > Senior Software Engineer, 389 Directory Server
> > > > SUSE Labs
# --- BEGIN COPYRIGHT BLOCK ---
# Copyright (C) 2017 Red Hat, Inc.
# All rights reserved.
#
# License: GPL (version 3 or any later version).
# See LICENSE for details.
# --- END COPYRIGHT BLOCK ---
#
# escape_bytes() is adapted from:
# https://github.com/cannatag/ldap3/blob/master/ldap3/utils/conv.py
# Related issue: https://pagure.io/389-ds-base/issue/50443

import subprocess

from lib389.topologies import topology_st
from lib389.utils import logging
from lib389.idm.user import UserAccounts
from lib389.idm.account import Accounts
from lib389._constants import DEFAULT_SUFFIX

log = logging.getLogger(__name__)

# Self-signed CA created by enable_tls(); the PEM file is converted to DER below.
CA_CRT = '/etc/dirsrv/ssca/ca.crt'
CA_DER = '/etc/dirsrv/ssca/ca.der'


def escape_bytes(bytes_value):
    """Convert a byte sequence to an LDAP filter assertion value, escaping
    every byte as BACKSLASH HEX HEX (RFC 4515).

    A binary value such as a DER certificate may contain '(', ')', '*', '\\'
    or NUL, which the server would otherwise parse as filter syntax, so the
    whole value is hex-escaped rather than only those bytes. lib389 is
    Python 3 only, so the Python 2 branch of the ldap3 original is dropped.
    """
    if not bytes_value:
        return ''
    if isinstance(bytes_value, str):
        bytes_value = bytes_value.encode('utf-8')
    return ''.join('\\%02x' % b for b in bytes_value)


def test_tls_external(topology_st):
    standalone = topology_st.standalone
    standalone.enable_tls()

    # userCertificate is stored as DER, so convert the PEM CA certificate first.
    cmd = ['openssl', 'x509', '-outform', 'der', '-in', CA_CRT, '-out', CA_DER]
    subprocess.run(cmd, check=True)
    with open(CA_DER, 'rb') as cert:
        crt = cert.read()

    users = UserAccounts(standalone, DEFAULT_SUFFIX)
    user_properties = {
        'uid': 'testuser',
        'cn': 'testuser',
        'sn': 'user',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/testuser',
        'userPassword': 'password',
        'userCertificate': crt,
    }
    testuser = users.create(properties=user_properties)

    # Search on the binary value: the DER bytes must be escaped before they
    # can be placed in a filter, and the search must find exactly the new user.
    found = Accounts(standalone, DEFAULT_SUFFIX).filter(f"(userCertificate={escape_bytes(crt)})")
    assert len(found) == 1
    assert found[0].dn == testuser.dn
_______________________________________________ 389-devel mailing list -- 389-devel@lists.fedoraproject.org To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
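As an added, standalone illustration (not the attached test and not lib389 code) of why escape_bytes hex-escapes every byte before the DER value goes into the filter: a DER blob can contain the bytes that RFC 4515 treats as filter syntax, so interpolating it raw would corrupt or change the search. The function and constant names are my own, and SAMPLE_DER is constructed, not a real certificate.

```python
import re

# RFC 4515: these bytes carry meaning inside a filter assertion value and
# must be written as backslash + two hex digits.
FILTER_SPECIALS = {0x00: 'NUL', 0x28: '(', 0x29: ')', 0x2a: '*', 0x5c: '\\'}

def escape_binary_value(value):
    """Escape every byte as \\HH, the form used for a DER userCertificate."""
    if isinstance(value, str):
        value = value.encode('utf-8')
    return ''.join('\\%02x' % b for b in value)

def escape_text_value(text):
    """Minimal RFC 4515 escaping for textual values: only the specials."""
    return ''.join('\\%02x' % ord(c) if ord(c) in FILTER_SPECIALS else c
                   for c in text)

_HEXPAIR = re.compile(r'\\([0-9a-fA-F]{2})')

def unescape_value(assertion):
    """Reverse the escaping: the bytes the server compares with the stored value."""
    out = bytearray()
    i = 0
    while i < len(assertion):
        m = _HEXPAIR.match(assertion, i)
        if m:
            out.append(int(m.group(1), 16))
            i = m.end()
        else:
            out += assertion[i].encode('utf-8')
            i += 1
    return bytes(out)

def unsafe_specials(value):
    """Names of the bytes in a raw value that would be parsed as filter
    syntax if the value were interpolated without escaping."""
    return sorted({FILTER_SPECIALS[b] for b in value if b in FILTER_SPECIALS})

def equality_filter(attr, value):
    """Equality filter on a binary attribute such as userCertificate."""
    return '(%s=%s)' % (attr, escape_binary_value(value))

# Constructed sample (hypothetical): DER-looking bytes that happen to
# include every filter special, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x28, 0x2a, 0x29, 0x5c, 0x00, 0xff, 0x41])

if __name__ == '__main__':
    print('raw bytes that are filter syntax:', unsafe_specials(SAMPLE_DER))
    print(equality_filter('userCertificate', SAMPLE_DER))
    assert unescape_value(escape_binary_value(SAMPLE_DER)) == SAMPLE_DER
```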