> On 9 Jun 2019, at 03:40, Anuj Borah <[email protected]> wrote:
>
> @William Brown
>
> Yes, it does.
>
> Currently I am porting this bug
> https://bugzilla.redhat.com/show_bug.cgi?id=170520
>
> I think with help of this script it will be impossible to port it.

I'm not authorised to view that bug. :) I think you'll need to describe, exactly, in sequence the order of events you want to test so I can advise properly.

> Do you have any advice?
>
> Regards
> Anuj Borah
>
>
> On Fri, Jun 7, 2019 at 2:47 PM William Brown <[email protected]> wrote:
> I haven't read the link but maybe there is some confusion about TLS binding
> here. You do the create_rsa_user and that only sets up the certificates.
>
> > On 4 Jun 2019, at 17:51, Anuj Borah <[email protected]> wrote:
> >
> > @William Brown
> >
> > Thanks, I am doing the same. Trying to follow it. (I have made this
> > script 99% pass)
> >
> > But it's way too old. It uses some like:
> >
> > standalone.nss_ssl.create_rsa_user('testuser') ---- not valid
> > (NssSsl(standalone).create_rsa_user('testuser'))
> >
> > standalone.nss_ssl.get_rsa_user('testuser') ------ not valid
> > (NssSsl(standalone).get_rsa_user('testuser'))
>
> IIRC this syntax is valid, but maybe the linking type was removed.
>
> >
> > standalone.openConnection --- I don't know what it is. Maybe bind.
>
> Yes, I think this is bind now. If you grep for create_rsa_user in the tests
> you may find another example.
>
> >
> > And most importantly, after I have made this script 99% pass, I am not
> > able to see the usercertificate field in the test user that was created
> > during the test while I do _unsafe_raw_entry()
>
> Because you don't need it. The certificate's cn is mapped to the cn in the
> directory, and then because the certificate was issued by the CA, it
> "confirms" the user's identity. No userCertificate attribute required.
>
> There is a configuration that DOES require the certificate to not only be
> signed, but also in userCertificate for binary matching, but this is a
> configuration option, not the default. I seem to recall helping document all
> this with Marc, so it should be in the latest RHDS documentation. Generally
> though, the userCertificate attribute today would be used to allow a client
> like SSSD to read the userCertificate to allow smartCard authentication to a
> workstation.
>
> Does that help a bit?
>
> >
> > Also mind changing the lib389 doc
> > https://spichugi.fedorapeople.org/html/guidelines.html#setting-up-ssl-tls .
> > It's the same test case given there, which is not relevant now.
> >
> > Regards
> > Anuj Borah
> >
> >
> > On Tue, Jun 4, 2019 at 9:08 PM William Brown <[email protected]> wrote:
> > I'm currently traveling at the moment, but I can have a look later to
> > update this to work on latest lib389 etc.
> >
> > You can read it and use it as an example though, even if it doesn't pass
> > ...
> >
> > > On 4 Jun 2019, at 16:32, Anuj Borah <[email protected]> wrote:
> > >
> > > @William Brown
> > >
> > > This test script does not pass. It's too old.
> > >
> > > Regards
> > > Anuj Borah
> > >
> > > On Tue, Jun 4, 2019 at 8:00 PM William Brown <[email protected]> wrote:
> > > Have a look at this test case if you want to do usercertificate
> > > generation and authentication :)
> > >
> > > https://pagure.io/389-ds-base/blob/master/f/src/lib389/lib389/tests/tls_external_test.py
> > >
> > > > On 4 Jun 2019, at 14:31, Anuj Borah <[email protected]> wrote:
> > > >
> > > > Hi all,
> > > >
> > > > Let's say I want to create a user with a userCertificate field. My user
> > > > will look like below.
> > > >
> > > > users_people = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
> > > > users_people.create(properties={
> > > >     'uid': 'certUser2',
> > > >     'cn': 'CUser2',
> > > >     'sn': 'CertificateUser2',
> > > >     'givenName': 'CU2',
> > > >     'description': "This is certUser2's description",
> > > >     'mail': '[email protected]',
> > > >     'userPassword': PW_DM,
> > > >     'userCertificate':
> > > >         'some_cert_+++NUhz+Rigq7xT5g0Jqo1gXq1jJFdCw==',
> > > >     'manager': f'uid=certUser2,ou=People,{DEFAULT_SUFFIX}',
> > > >     'homeDirectory': '/home/' + 'certUser2',
> > > >     'uidNumber': '1000',
> > > >     'gidNumber': '2000'
> > > > })
> > > >
> > > > Here I have put the userCertificate field manually (which I don't want to
> > > > do). But how can I achieve this without putting the userCertificate field
> > > > manually? Like create a user and the userCertificate field will be auto
> > > > filled with auto generated certificates.
> > > >
> > > > Regards
> > > > Anuj Borah
> > > > _______________________________________________
> > > > 389-devel mailing list -- [email protected]
> > > > To unsubscribe send an email to [email protected]
> > > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > List Archives:
> > > > https://lists.fedoraproject.org/archives/list/[email protected]
> > >
> > > —
> > > Sincerely,
> > >
> > > William Brown
> > >
> > > Senior Software Engineer, 389 Directory Server
> > > SUSE Labs
> >
> > —
> > Sincerely,
> >
> > William Brown
> >
> > Senior Software Engineer, 389 Directory Server
> > SUSE Labs
>
> —
> Sincerely,
>
> William Brown
>
> Senior Software Engineer, 389 Directory Server
> SUSE Labs

—
Sincerely,

William Brown

Senior Software Engineer, 389 Directory Server
SUSE Labs
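
The certificate mapping discussed in the thread (subject cn matched to an entry's cn, with an optional mode that also requires the exact certificate in userCertificate) can be modelled as follows. This is an added example, not part of the original messages and not 389 Directory Server or lib389 code; `map_certificate`, `require_binary_match`, the sample directory and the placeholder certificate bytes are all hypothetical.

```python
# Added illustration: a simplified model of certificate-to-entry mapping.
# Not 389 Directory Server or lib389 code; all names and data are constructed.

def subject_cn(subject_dn):
    """Return the first cn value of a subject DN such as 'CN=testuser,O=example'.

    Simplification: splits on commas and ignores escaped commas inside values.
    """
    for rdn in subject_dn.split(','):
        attr, _, value = rdn.strip().partition('=')
        if attr.lower() == 'cn' and value:
            return value
    return None


def map_certificate(directory, subject_dn, cert_der, issuer_trusted,
                    require_binary_match=False):
    """Map a client certificate to exactly one entry DN, or return None."""
    if not issuer_trusted:      # chain validation is assumed done by the TLS layer
        return None
    cn = subject_cn(subject_dn)
    if cn is None:
        return None
    matches = [dn for dn, attrs in directory.items()
               if cn.lower() in (v.lower() for v in attrs.get('cn', []))]
    if len(matches) != 1:       # no entry, or an ambiguous mapping: refuse
        return None
    dn = matches[0]
    if require_binary_match:
        # Stricter optional mode: the exact certificate bytes must be stored
        # in the entry's userCertificate attribute.
        if cert_der not in directory[dn].get('userCertificate', []):
            return None
    return dn


# Constructed sample data: placeholder bytes stand in for DER certificates.
CERT_A = b'constructed-der-cert-A'
CERT_B = b'constructed-der-cert-B'
TESTUSER_DN = 'uid=testuser,ou=People,dc=example,dc=com'
CERTUSER2_DN = 'uid=certUser2,ou=People,dc=example,dc=com'
DIRECTORY = {
    TESTUSER_DN: {'cn': ['testuser']},                     # no userCertificate
    CERTUSER2_DN: {'cn': ['CUser2'], 'userCertificate': [CERT_A]},
}

if __name__ == '__main__':
    for strict in (False, True):
        print('require_binary_match =', strict)
        print('  testuser ->', map_certificate(
            DIRECTORY, 'CN=testuser,O=example', CERT_B, True, strict))
        print('  CUser2   ->', map_certificate(
            DIRECTORY, 'CN=CUser2,O=example', CERT_A, True, strict))
```

In the default mode the entry without userCertificate still maps, which matches the observation in the thread that the attribute does not appear on the test user; only the stricter mode rejects it.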
