Hi all,
We have recently added Filter and Anonymous support to lib389, but Filter does
not seem to work with an Anonymous connection.
In fact, it does not work with any connection other than root, whether or not
an ACI allows the access.
My suspicion is that it is related to this issue, which is not yet fixed:
https://pagure.io/389-ds-base/issue/50137
Please check the attached test case.
Regards
Anuj Borah
# --- BEGIN COPYRIGHT BLOCK ---
# Copyright (C) 2019 RED Hat, Inc.
# All rights reserved.
#
# License: GPL (version 3 or any later version).
# See LICENSE for details.
# --- END COPYRIGHT BLOCK ----
import pytest, os, ldap
from lib389._constants import DEFAULT_SUFFIX, PW_DM
from lib389.idm.user import UserAccount, UserAccounts
from lib389.idm.account import Anonymous, Accounts
from lib389.idm.organization import Organization
from lib389.idm.organizationalunit import OrganizationalUnit
from lib389.idm.group import Groups
from lib389.topologies import topology_st as topo
from lib389.idm.domain import Domain
# Distinguished names used by the ACI tests. Every DN is rooted at
# DEFAULT_SUFFIX; the spacing after commas is kept exactly as the tests use it.
USER_MIC = f"cn=Anuj,ou=product development,{DEFAULT_SUFFIX}"
ANUJBORAH = f"cn=Anuj Borah, {DEFAULT_SUFFIX}"
ANANADABORAH = f"cn=Ananda Borah, ou=Accounting, {DEFAULT_SUFFIX}"

# Entries nested below the o=RED.com organisation.
RED = f"o=RED.com,{DEFAULT_SUFFIX}"
PEOPLE = f"ou=PEOPLE,{RED}"
DYNGROUP = f"cn=DYNGROUP,{PEOPLE}"
STEVE = f"cn=STEVE,{PEOPLE}"
HARRY = f"cn=HARRY,{PEOPLE}"

# Stand-alone test organisation and users directly under the suffix.
TEST_ORG = f"o=test,{DEFAULT_SUFFIX}"
TEST_USER1 = f"cn=test1,{DEFAULT_SUFFIX}"
TEST_USER2 = f"cn=test2,{DEFAULT_SUFFIX}"

# Containers that the add/delete tests create and remove.
CONTAINER_1_DELADD = f"ou=Product Development,{DEFAULT_SUFFIX}"
CONTAINER_2_DELADD = f"ou=Accounting,{DEFAULT_SUFFIX}"
@pytest.fixture(scope="function")
def aci_of_user(request, topo):
    """Snapshot the suffix ACIs and put them back once the test is over.

    The ``aci`` values on DEFAULT_SUFFIX are read before the test runs. A
    finalizer then resets the attribute and re-adds each saved value, so an
    ACI installed by one test does not change what the next test is allowed
    to see.
    """
    saved_acis = Domain(topo.standalone, DEFAULT_SUFFIX).get_attr_vals('aci')

    def restore_acis():
        suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
        # Reset the attribute first (set to None) so the test's own ACIs are
        # dropped before the saved ones are re-added.
        suffix.set('aci', None)
        for saved in saved_acis:
            suffix.add("aci", saved)

    request.addfinalizer(restore_acis)
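@pytest.fixture(scope="function")
def test_user(request, topo):
    """Create the containers and user entries that the ACI test searches.

    Adds ``ou=Product Development`` and ``ou=Accounting`` under
    DEFAULT_SUFFIX, then three users that each carry a ``mail`` value.
    Everything created here is deleted again when the test finishes, so this
    function-scoped fixture can be set up repeatedly against the same
    instance without hitting "already exists" errors.
    """
    created = []

    def _remove_created():
        # Reverse creation order: users are removed before their parent OUs.
        for entry in reversed(created):
            try:
                entry.delete()
            except ldap.NO_SUCH_OBJECT:
                # The test already removed this entry; nothing left to do.
                pass

    # Register before creating anything so a partial setup is still cleaned up.
    request.addfinalizer(_remove_created)

    for name in ['Product Development', 'Accounting']:
        ou = OrganizationalUnit(topo.standalone, "ou={},{}".format(name, DEFAULT_SUFFIX))
        ou.create(properties={'ou': name})
        created.append(ou)

    # NOTE(review): the "mail" values below look like they were rewritten by
    # the list archive's address obfuscation; restore the real addresses from
    # the original attachment before running.
    # The fixed "password" value is acceptable only because these are
    # throwaway entries on a test instance.
    users = [
        (
            "cn=Anuj,ou=product development,{}".format(DEFAULT_SUFFIX),
            {
                'uid': 'Anuj',
                'cn': 'Anuj',
                'sn': 'user',
                'uidNumber': '1000',
                'gidNumber': '2000',
                'homeDirectory': '/home/Anuj',
                "givenname;subattr1": 'Anuj',
                "givenname;subattr2": 'Anuj',
                "givenname;subattr3": 'Anuj',
                "givenname;subattr4": 'Anuj',
                "secretary": "cn=Santa Clara,{}".format(DEFAULT_SUFFIX),
                "mail": "[email protected]",
                "telephonenumber": "12345",
                "roomnumber": "12345",
                "facsimiletelephonenumber": "12345",
                "l": "sadada",
                "userPassword": "password",
            },
        ),
        (
            "cn=Anuj Borah,{}".format(DEFAULT_SUFFIX),
            {
                'uid': 'Anuj Borah',
                'cn': 'Anuj Borah',
                'sn': 'user',
                'uidNumber': '1000',
                'gidNumber': '2000',
                'homeDirectory': '/home/AnujBorah',
                'mail': "[email protected]",
                "userPassword": "password",
            },
        ),
        (
            ANANADABORAH,
            {
                'uid': 'Ananda Borah',
                'cn': 'Ananda Borah',
                'sn': 'user',
                'uidNumber': '1000',
                'gidNumber': '2000',
                'homeDirectory': '/home/AnandaBorah',
                'mail': "[email protected]",
                "userPassword": "password",
            },
        ),
    ]
    for dn, properties in users:
        user = UserAccount(topo.standalone, dn)
        user.create(properties=properties)
        created.append(user)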
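def test_only_allow_some_targetattr(topo, test_user, aci_of_user):
    """Misc Test 5 only allow some targetattr (1/2)

    :id: 9d27f048-7db8-11e8-a71c-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    # Replace the suffix ACIs with a single rule that lets anyone, including
    # anonymous binds, read/search/compare the "mail" attribute and nothing
    # else.
    Domain(topo.standalone, DEFAULT_SUFFIX).replace(
        "aci",
        '(target="ldap:///{}")(targetattr="mail")(version 3.0; acl "Test";'
        'allow (read,search,compare) (userdn = "ldap:///anyone"); )'.format(DEFAULT_SUFFIX))

    conn = Anonymous(topo.standalone).bind()

    # filter() returns a list of entry objects, so compare its length; the
    # bare list can never equal 3, which made these asserts fail for every
    # kind of connection.
    # NOTE(review): reported not to work for anonymous binds. Presumably
    # lib389 combines the caller's filter with its own objectClass filter,
    # and this ACI grants search rights on "mail" only, so the server may
    # legitimately return nothing here - confirm against lib389's filter()
    # before treating it as a server bug.
    assert 3 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(mail=*)'))
    # A raw search that filters on the permitted attribute alone.
    assert 3 == len(conn.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, "mail=*"))

    # The same checks through the root (Directory Manager) connection, which
    # the reporter says does work.
    assert 3 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(mail=*)'))
    assert 3 == len(topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, "mail=*"))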
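if __name__ == "__main__":
    # Allow running this file directly: verbose output, no output capture.
    CURRENT_FILE = os.path.realpath(__file__)
    # pytest.main() expects a list of arguments. A single command string is
    # rejected by current pytest releases and would also mis-split a path
    # that contains spaces.
    pytest.main(["-s", "-v", CURRENT_FILE])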