Re: slapo-ppolicy 2.4 vs. 2.5

2021-05-04 Thread Ondřej Kuzník
On Tue, May 04, 2021 at 12:07:20PM +0200, Michael Ströder wrote:
> Still I have failures in my draft-vchu-ldap-pwd-policy tests (see
> below). These might be related to ITS#9279, though I'm not sure. Any
> changes in this area?

Don't know, my guess is compare it with tests/scripts/test022-ppolicy
to see what the difference is between it and what you're doing.

Don't think this applies here, but a lot of ppolicy behaviour changes
based on whether you're classed as a "password administrator" (having
"manage" access to the password attribute on the entry), see ITS#7084
and the ppolicy draft. If it makes a difference, it's possible that some
of this is interfering, or that it's intentional, will probably have to
decide on a case by case basis.

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation   http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP


Re: slapo-ppolicy 2.4 vs. 2.5

2021-05-04 Thread Michael Ströder
On 5/4/21 9:47 AM, Ondřej Kuzník wrote:
> On Sat, May 01, 2021 at 05:31:44PM +0200, Michael Ströder wrote:
>> slapo-ppolicy in OpenLDAP 2.5 shows slightly different behaviour in
>> python-ldap0 tests (see test output below).
>> [..]
>> AssertionError: 'Password expired! 1 grace logins left.' != 'Password
>> expired! 2 grace logins left.'
> 
> Does the count reported match the wording of the draft in section 6.2?
> [..]
> If not, please reopen ITS#7596 with a test case.

Thanks for pointing out ITS#7596. I've now updated my test to match the
new behaviour when running on OpenLDAP 2.5.

Still I have failures in my draft-vchu-ldap-pwd-policy tests (see
below). These might be related to ITS#9279, though I'm not sure. Any
changes in this area?

Ciao, Michael.

==
FAIL: test001_pwdpolicy_expiration (tests.test_ppolicy.TestPwdPolicy)
--
Traceback (most recent call last):
  File "/home/michael/Proj/ae-dir/python-ldap0/tests/test_ppolicy.py",
line 287, in test001_pwdpolicy_expiration
self.assertIsInstance(bind_res.ctrls[0], PasswordExpiringControl)
AssertionError:  is not an instance of 

==
FAIL: test002_pwdpolicy_expired (tests.test_ppolicy.TestPwdPolicy)
--
Traceback (most recent call last):
  File "/home/michael/Proj/ae-dir/python-ldap0/tests/test_ppolicy.py",
line 308, in test002_pwdpolicy_expired
l.simple_bind_s(self.user_dn, user_password.encode('utf-8'))
AssertionError: INVALID_CREDENTIALS not raised


Re: slapo-ppolicy 2.4 vs. 2.5

2021-05-04 Thread Ondřej Kuzník
On Sat, May 01, 2021 at 05:31:44PM +0200, Michael Ströder wrote:
> HI!
> 
> slapo-ppolicy in OpenLDAP 2.5 shows slightly different behaviour in
> python-ldap0 tests (see test output below).
> 
> Tests:
> https://gitlab.com/ae-dir/python-ldap0/-/blob/master/tests/test_ppolicy.py
> 
> When working with Ondřej for solving ITS#9279 I finally "fixed" ldap0
> tests to accommodate the behaviour of OpenLDAP 2.4.x. I did not feel
> comfortable back then because it was not clear to me whether it was the
> correct fix.
> 
> Do you have any tests you could run against 2.4 and 2.5 to verify
> whether both have same behaviour?
> 
> Ciao, Michael.
> 
> ==
> FAIL: test003_ppolicy_grace_logins (tests.test_ppolicy.TestPPolicy)
> --
> Traceback (most recent call last):
>   File "/home/michael/Proj/ae-dir/python-ldap0/tests/test_ppolicy.py",
> line 235, in test003_ppolicy_grace_logins
> self.assertEqual(
> AssertionError: 'Password expired! 1 grace logins left.' != 'Password
> expired! 2 grace logins left.'
> - Password expired! 1 grace logins left.
> ?   ^
> + Password expired! 2 grace logins left.
> ?   ^

Does the count reported match the wording of the draft in section 6.2?

"""
The graceAuthNsRemaining warning specifies the remaining number of times
a user will be allowed to authenticate with an expired password.
"""

If not, please reopen ITS#7596 with a test case.

Thanks,

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation   http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP


Re: slapo-ppolicy 2.4 vs. 2.5

2021-05-03 Thread Michael Ströder
On 5/3/21 5:39 PM, smckin...@symas.com wrote:
>> From: "Michael Ströder" 
>> Do you have any tests you could run against 2.4 and 2.5 to verify
>> whether both have same behaviour?
> 
> I have tested 2.4 and 2.5 pw policies using Apache Fortress tests:

Do you also look at the decreasing grace login counter in diagnostic
message?

> The only functional difference that I found was 2.5 now requires
> sending the RelaxControl ("1.3.6.1.4.1.4203.666.5.12") on the
> following ops:
>
> - lock/unlock
> - mods of user's pwdPolicySubentry attribute

Currently not relevant for my tests.

> Other than that, everything else worked the same, besides no longer
> including the pwpolicy.schema in the server config of course.
This is already covered since quite a while by checking whether file
ppolicy.ldif exists in the schema/ directory or not.

Ciao, Michael.


Re: slapo-ppolicy 2.4 vs. 2.5

2021-05-03 Thread smckinney
>Do you also look at the decreasing grace login counter in diagnostic message?

The AF tests evaluate grace / ensure it maintains proper count, locks when it 
reaches zero. Not evaluating the diagnostic message.

--
Shawn

- Original Message -
From: "Michael Ströder" 
To: "openldap-devel" 
Sent: Monday, May 3, 2021 10:57:44 AM
Subject: Re: slapo-ppolicy 2.4 vs. 2.5

On 5/3/21 5:39 PM, smckin...@symas.com wrote:
>> From: "Michael Ströder" 
>> Do you have any tests you could run against 2.4 and 2.5 to verify
>> whether both have same behaviour?
> 
> I have tested 2.4 and 2.5 pw policies using Apache Fortress tests:

Do you also look at the decreasing grace login counter in diagnostic
message?

> The only functional difference that I found was 2.5 now requires
> sending the RelaxControl ("1.3.6.1.4.1.4203.666.5.12") on the
> following ops:
>
> - lock/unlock
> - mods of user's pwdPolicySubentry attribute

Currently not relevant for my tests.

> Other than that, everything else worked the same, besides no longer
> including the pwpolicy.schema in the server config of course.
This is already covered since quite a while by checking whether file
ppolicy.ldif exists in the schema/ directory or not.

Ciao, Michael.


Re: slapo-ppolicy 2.4 vs. 2.5

2021-05-03 Thread smckinney
>From: "Michael Ströder" 
>Do you have any tests you could run against 2.4 and 2.5 to verify
>whether both have same behaviour?


Hey Michael,

I have tested 2.4 and 2.5 pw policies using Apache Fortress tests:

[PswdPolicyMgrImplTest](https://github.com/apache/directory-fortress-core/blob/master/src/test/java/org/apache/directory/fortress/core/impl/PswdPolicyMgrImplTest.java)


The only functional difference that I found was 2.5 now requires sending the 
RelaxControl ("1.3.6.1.4.1.4203.666.5.12") on the following ops:

- lock/unlock
- mods of user's pwdPolicySubentry attribute

Other than that, everything else worked the same, besides no longer including 
the pwpolicy.schema in the server config of course.

--
Shawn


slapo-ppolicy 2.4 vs. 2.5

2021-05-01 Thread Michael Ströder
HI!

slapo-ppolicy in OpenLDAP 2.5 shows slightly different behaviour in
python-ldap0 tests (see test output below).

Tests:
https://gitlab.com/ae-dir/python-ldap0/-/blob/master/tests/test_ppolicy.py

When working with Ondřej for solving ITS#9279 I finally "fixed" ldap0
tests to accommodate the behaviour of OpenLDAP 2.4.x. I did not feel
comfortable back then because it was not clear to me whether it was the
correct fix.

Do you have any tests you could run against 2.4 and 2.5 to verify
whether both have same behaviour?

Ciao, Michael.

==
FAIL: test003_ppolicy_grace_logins (tests.test_ppolicy.TestPPolicy)
--
Traceback (most recent call last):
  File "/home/michael/Proj/ae-dir/python-ldap0/tests/test_ppolicy.py",
line 235, in test003_ppolicy_grace_logins
self.assertEqual(
AssertionError: 'Password expired! 1 grace logins left.' != 'Password
expired! 2 grace logins left.'
- Password expired! 1 grace logins left.
?   ^
+ Password expired! 2 grace logins left.
?   ^


==
FAIL: test001_pwdpolicy_expiration (tests.test_ppolicy.TestPwdPolicy)
--
Traceback (most recent call last):
  File "/home/michael/Proj/ae-dir/python-ldap0/tests/test_ppolicy.py",
line 285, in test001_pwdpolicy_expiration
self.assertIsInstance(bind_res.ctrls[0], PasswordExpiringControl)
AssertionError:  is not an instance of 

==
FAIL: test002_pwdpolicy_expired (tests.test_ppolicy.TestPwdPolicy)
--
Traceback (most recent call last):
  File "/home/michael/Proj/ae-dir/python-ldap0/tests/test_ppolicy.py",
line 306, in test002_pwdpolicy_expired
l.simple_bind_s(self.user_dn, user_password.encode('utf-8'))
AssertionError: INVALID_CREDENTIALS not raised