URL: https://github.com/freeipa/freeipa/pull/4100
Author: ssidhaye
 Title: #4100: [Backport][ipa-4-7]Test: Test to check whether ssh from ipa 
client to ipa master
Action: opened

PR body:
"""
is successful after adding ldap_deref_threshold=0 in sssd.conf

Problem: After adding the ldap_deref_threshold=0 setting to sssd on the master
as a performance enhancement, ssh from an IPA client was failing.

Test Procedure:
1. setup a master
2. add ldap_deref_threshold=0 to sssd.conf on master
3. add an ipa user
4. ssh from controller to master using the user created in step 3

Signed-off-by: Sumedh Sidhaye <ssidh...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4100/head:pr4100
git checkout pr4100
From 579b05d91cd86ce56c0ce8680fcbadf0ea3a1253 Mon Sep 17 00:00:00 2001
From: Sumedh Sidhaye <ssidh...@redhat.com>
Date: Mon, 24 Jun 2019 15:25:35 +0530
Subject: [PATCH] Test: Test to check whether ssh from ipa client to ipa master
 is successful after adding ldap_deref_threshold=0 in sssd.conf

Problem: After adding ldap_deref_threshold=0 setting for sssd on master for
performance enhancement ssh from ipa client was failing

Test Procedure:
1. setup a master
2. add ldap_deref_threshold=0 to sssd.conf on master
3. add an ipa user
4. ssh from controller to master using the user created in step 3

Signed-off-by: Sumedh Sidhaye <ssidh...@redhat.com>
---
 ipatests/test_integration/test_commands.py | 138 +++++++++++++--------
 1 file changed, 89 insertions(+), 49 deletions(-)

diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index 6d71d9e36b..52f4f635d7 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -9,8 +9,8 @@
 import re
 import os
 import logging
+import random
 import ssl
-from tempfile import NamedTemporaryFile
 from itertools import chain, repeat
 import textwrap
 import time
@@ -28,6 +28,7 @@
 
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.pytest_ipa.integration import tasks
+from ipaplatform.tasks import tasks as platform_tasks
 from ipatests.create_external_ca import ExternalCA
 from ipatests.test_ipalib.test_x509 import good_pkcs7, badcert
 
@@ -131,8 +132,6 @@ def test_change_sysaccount_password_issue7561(self):
         master = self.master
 
         base_dn = str(master.domain.basedn)  # pylint: disable=no-member
-        tf = NamedTemporaryFile()
-        ldif_file = tf.name
         entry_ldif = textwrap.dedent("""
             dn: uid=system,cn=sysaccounts,cn=etc,{base_dn}
             changetype: add
@@ -145,18 +144,29 @@ def test_change_sysaccount_password_issue7561(self):
         """).format(
             base_dn=base_dn,
             original_passwd=original_passwd)
-        master.put_file_contents(ldif_file, entry_ldif)
-        arg = ['ldapmodify',
-               '-h', master.hostname,
-               '-p', '389', '-D',
-               str(master.config.dirman_dn),   # pylint: disable=no-member
-               '-w', master.config.dirman_password,
-               '-f', ldif_file]
-        master.run_command(arg)
+        tasks.ldapmodify_dm(master, entry_ldif)
 
         tasks.ldappasswd_sysaccount_change(sysuser, original_passwd,
                                            new_passwd, master)
 
+    def get_krbinfo(self, user):
+        base_dn = str(self.master.domain.basedn)  # pylint: disable=no-member
+        result = tasks.ldapsearch_dm(
+            self.master,
+            'uid={user},cn=users,cn=accounts,{base_dn}'.format(
+                user=user, base_dn=base_dn),
+            ['krblastpwdchange', 'krbpasswordexpiration'],
+            scope='base'
+        )
+        output = result.stdout_text.lower()
+
+        # extract krblastpwdchange and krbpasswordexpiration
+        krbchg_pattern = 'krblastpwdchange: (.+)\n'
+        krbexp_pattern = 'krbpasswordexpiration: (.+)\n'
+        krblastpwdchange = re.findall(krbchg_pattern, output)[0]
+        krbexp = re.findall(krbexp_pattern, output)[0]
+        return krblastpwdchange, krbexp
+
     def test_ldapmodify_password_issue7601(self):
         user = 'ipauser'
         original_passwd = 'Secret123'
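Review bot: The new `get_krbinfo` helper indexes `re.findall(...)[0]` directly for both attributes, so an entry that lacks `krblastpwdchange` or `krbpasswordexpiration` fails with a bare IndexError rather than a message naming the missing attribute. Checking the match list first, e.g. `assert matches, "krblastpwdchange missing for %s" % user`, would make such a failure readable. The helper also has no docstring; `"""Return the user's krblastpwdchange and krbpasswordexpiration values (lowercased)."""` would record that callers get lowercased strings. `user` is formatted into the search DN unescaped, which is fine for the fixed test names visible here, but the docstring should say the helper expects a plain uid. test_ldapmodify_password_issue7601 begins at the end of this hunk and continues outside it.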
@@ -179,31 +189,12 @@ def test_ldapmodify_password_issue7601(self):
             new=original_passwd)
         master.run_command(['kinit', user], stdin_text=user_kinit_stdin_text)
         # Retrieve krblastpwdchange and krbpasswordexpiration
-        search_cmd = [
-            'ldapsearch', '-x',
-            '-D', 'cn=directory manager',
-            '-w', master.config.dirman_password,
-            '-s', 'base',
-            '-b', 'uid={user},cn=users,cn=accounts,{base_dn}'.format(
-                user=user, base_dn=base_dn),
-            '-o', 'ldif-wrap=no',
-            '-LLL',
-            'krblastpwdchange',
-            'krbpasswordexpiration']
-        output = master.run_command(search_cmd).stdout_text.lower()
-
-        # extract krblastpwdchange and krbpasswordexpiration
-        krbchg_pattern = 'krblastpwdchange: (.+)\n'
-        krbexp_pattern = 'krbpasswordexpiration: (.+)\n'
-        krblastpwdchange = re.findall(krbchg_pattern, output)[0]
-        krbexp = re.findall(krbexp_pattern, output)[0]
+        krblastpwdchange, krbexp = self.get_krbinfo(user)
 
         # sleep 1 sec (krblastpwdchange and krbpasswordexpiration have at most
         # a 1s precision)
         time.sleep(1)
         # perform ldapmodify on userpassword as dir mgr
-        mod = NamedTemporaryFile()
-        ldif_file = mod.name
         entry_ldif = textwrap.dedent("""
             dn: uid={user},cn=users,cn=accounts,{base_dn}
             changetype: modify
@@ -213,24 +204,13 @@ def test_ldapmodify_password_issue7601(self):
             user=user,
             base_dn=base_dn,
             new_passwd=new_passwd)
-        master.put_file_contents(ldif_file, entry_ldif)
-        arg = ['ldapmodify',
-               '-h', master.hostname,
-               '-p', '389', '-D',
-               str(master.config.dirman_dn),   # pylint: disable=no-member
-               '-w', master.config.dirman_password,
-               '-f', ldif_file]
-        master.run_command(arg)
+        tasks.ldapmodify_dm(master, entry_ldif)
 
         # Test new password with kinit
         master.run_command(['kinit', user], stdin_text=new_passwd)
-        # Retrieve krblastpwdchange and krbpasswordexpiration
-        output = master.run_command(search_cmd).stdout_text.lower()
-        # extract krblastpwdchange and krbpasswordexpiration
-        newkrblastpwdchange = re.findall(krbchg_pattern, output)[0]
-        newkrbexp = re.findall(krbexp_pattern, output)[0]
 
         # both should have changed
+        newkrblastpwdchange, newkrbexp = self.get_krbinfo(user)
         assert newkrblastpwdchange != krblastpwdchange
         assert newkrbexp != krbexp
 
@@ -249,13 +229,9 @@ def test_ldapmodify_password_issue7601(self):
         )
         # Test new password with kinit
         master.run_command(['kinit', user], stdin_text=new_passwd2)
-        # Retrieve krblastpwdchange and krbpasswordexpiration
-        output = master.run_command(search_cmd).stdout_text.lower()
-        # extract krblastpwdchange and krbpasswordexpiration
-        newkrblastpwdchange2 = re.findall(krbchg_pattern, output)[0]
-        newkrbexp2 = re.findall(krbexp_pattern, output)[0]
 
         # both should have changed
+        newkrblastpwdchange2, newkrbexp2 = self.get_krbinfo(user)
         assert newkrblastpwdchange != newkrblastpwdchange2
         assert newkrbexp != newkrbexp2
 
@@ -688,3 +664,67 @@ def test_sss_ssh_authorizedkeys(self):
             backup.restore()
             self.master.run_command(['rm', '-f', pem_file, user_key,
                                      '{}.pub'.format(user_key)])
+
+    def test_ssh_from_controller(self):
+        """https://pagure.io/SSSD/sssd/issue/3979
+        Test ssh from test controller after adding
+        ldap_deref_threshold=0 to sssd.conf on master
+
+        Steps:
+        1. setup a master
+        2. add ldap_deref_threshold=0 to sssd.conf on master
+        3. add an ipa user
+        4. ssh from controller to master using the user created in step 3
+        """
+        sssd_version = ''
+        cmd_output = self.master.run_command(['sssd', '--version'])
+        sssd_version = platform_tasks.\
+            parse_ipa_version(cmd_output.stdout_text.strip())
+        if sssd_version.version < '2.2.0':
+            pytest.xfail(reason="sssd 2.2.0 unavailable in F29 nightly")
+
+        username = "testuser" + str(random.randint(200000, 9999999))
+        # add ldap_deref_threshold=0 to /etc/sssd/sssd.conf
+        domain = self.master.domain
+        tasks.modify_sssd_conf(
+            self.master,
+            domain.name,
+            {
+                'ldap_deref_threshold': 0
+            },
+        )
+        try:
+            self.master.run_command(['systemctl', 'restart', 'sssd.service'])
+
+            # kinit admin
+            tasks.kinit_admin(self.master)
+
+            # add ipa user
+            cmd = ['ipa', 'user-add',
+                   '--first', username,
+                   '--last', username,
+                   '--password', username]
+            input_passwd = 'Secret123\nSecret123\n'
+            cmd_output = self.master.run_command(cmd, stdin_text=input_passwd)
+            assert 'Added user "%s"' % username in cmd_output.stdout_text
+            input_passwd = 'Secret123\nSecret123\nSecret123\n'
+            self.master.run_command(['kinit', username],
+                                    stdin_text=input_passwd)
+
+            client = paramiko.SSHClient()
+            client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+            client.connect(self.master.hostname,
+                           username=username,
+                           password='Secret123')
+            client.close()
+        finally:
+            # revert back to original ldap config
+            # remove ldap_deref_threshold=0
+            tasks.modify_sssd_conf(
+                self.master,
+                domain.name,
+                {
+                    'ldap_deref_threshold': None
+                },
+            )
+            self.master.run_command(['systemctl', 'restart', 'sssd.service'])
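Review bot: The version gate `sssd_version.version < '2.2.0'` in test_ssh_from_controller looks like a string comparison, so if `.version` is a plain string a release such as 2.10.0 sorts below 2.2.0 and the test would xfail wrongly. Comparing parsed versions, e.g. `if sssd_version < platform_tasks.parse_ipa_version('2.2.0'):`, avoids that, assuming the returned object supports ordering. `client.connect(...)` keeps paramiko's defaults, so agent and discovered keys are tried before the password and the result depends on the controller's key setup; passing `look_for_keys=False, allow_agent=False` pins the test to the password path through SSSD. `AutoAddPolicy()` accepts any host key, which is tolerable only against a throwaway test master, and a one-line comment saying so would stop the pattern being copied elsewhere. The user created in the `try` block is not removed in `finally`, and `client.close()` is skipped if `connect` raises.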