[Pkg-sssd-devel] [Git][sssd-team/sssd][upstream] 8 commits: Revert "CI: flake8 move target to pull_request_target"

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Wed Jun 22 11:21:22 BST 2022



Timo Aaltonen pushed to branch upstream at Debian SSSD packaging / sssd


Commits:
eb4a2f3a by Iker Pedrosa at 2022-06-06T13:36:01+02:00
Revert "CI: flake8 move target to pull_request_target"

This reverts commit 67814634868523c59dec98876bcf34fb97d3dee8.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 242fb3f9e6992795764c402250da27db9016d7b1)

- - - - -
5f387805 by Steeve Goveas at 2022-06-06T13:36:29+02:00
TEST: Fix the indentation in docstrings

The indentation of multiple lines in the steps and expectedresults must
be properly aligned for the importer to pick correctly.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit bff0a4a6a605b303fe9754acc6c4097f9bafbecf)

- - - - -
3fc66049 by Steeve Goveas at 2022-06-08T12:12:49+02:00
TEST: Update to search the start string for hostname

There was a recent dns fix in idm-ci due to which the username in the
known_hosts keys has the FQDN of the host. This caused the test to fail.

Reviewed-by: Anuj Borah <aborah at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit e89d7e442918afc6efe9d30970f6df0dd9614613)

- - - - -
26d8601e by Sumit Bose at 2022-06-09T10:30:02+02:00
pac: relax default for pac_check option

PAC might not be always present, especially in IPA environments. So the
default of pac_check should not contain 'pac_present'.

Resolves: https://github.com/SSSD/sssd/issues/5868

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 55e93cf1cf4d61c6de7975cbdc97a723545586c0)

- - - - -
dbb9d62b by Anuj Borah at 2022-06-10T14:43:29+02:00
Tests: port proxy_provider/misc

https://gitlab.cee.redhat.com/sssd/sssd-qe/-/tree/RHEL8.7/client/proxy_provider/misc

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit bb4e054cf84529c735cebdac654284cae3c9bc1e)

- - - - -
56a15877 by Jakub Vavra at 2022-06-13T09:32:30+02:00
Tests: Set FIPS:AD-SUPPORT crypto-policy for AD integration

There is now a new crypto sub-policy for enabling AD interoperability
that needs to be set to make AD krb5 work.
https://bugzilla.redhat.com/show_bug.cgi?id=2056676

Reviewed-by: Dan Lavu <dlavu at redhat.com>
(cherry picked from commit 50a6f23d7d6fd7f1931c1dea4ae1c11c42369edc)

- - - - -
536dc9e4 by Sumit Bose at 2022-06-13T12:17:49+02:00
names: only check sub-domains for regex match

It is allowed to have different regular expressions to split the input
name for different domains. After the regex is evaluated and a domain
name was found in the input it has to be checked if the domain name
corresponds to the domain the regex is coming from.

E.g. with the implicit files provider enabled the files provider might
use a simple default regex while an additional IPA or AD provider will
have a more complex one which e.g. properly handles @-characters in
names. When evaluating an input the simple regex will come first and
will split the name but will miss part of the user name part if the name
contains an @-character. Currently SSSD checks if the found domain name
matches any of the known domains or sub-domains which is wrong because
the regex was coming from the files provider and hence it should only
handle its own objects.

With this patch not all domains are checked but only the current one and
its sub-domains, if any. This behavior is also mentioned in a comment
already in the code. As a result in the above example the check with
the results from the simple regex will fail and then the more complex
regex of the other domain will be used which can split the name
properly.

Resolves: https://github.com/SSSD/sssd/issues/6055

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 9656516b9af2b3ea4627eab42f11c7667564020f)

- - - - -
ef79966b by Pavel Březina at 2022-06-13T15:35:19+02:00
Release sssd-2.7.2

- - - - -


23 changed files:

- .github/workflows/analyze-target.yml
- .github/workflows/static-code-analysis.yml
- src/confdb/confdb.h
- src/man/sssd.conf.5.xml
- src/tests/cmocka/test_fqnames.c
- src/tests/multihost/ad/conftest.py
- src/tests/multihost/ad/test_adparameters.py
- src/tests/multihost/ad/test_automount.py
- src/tests/multihost/ad/test_sudo.py
- src/tests/multihost/alltests/conftest.py
- + src/tests/multihost/alltests/script/sssdproxymisc.sh
- src/tests/multihost/alltests/test_automount.py
- src/tests/multihost/alltests/test_default_debug_level.py
- src/tests/multihost/alltests/test_kcm.py
- src/tests/multihost/alltests/test_misc.py
- + src/tests/multihost/alltests/test_misc_proxy.py
- src/tests/multihost/alltests/test_offline.py
- src/tests/multihost/alltests/test_proxy_provider_krb_auth.py
- src/tests/multihost/alltests/test_services.py
- src/tests/multihost/alltests/test_sssctl_local.py
- src/tests/multihost/ipa/test_misc.py
- src/util/usertools.c
- version.m4


Changes:

=====================================
.github/workflows/analyze-target.yml
=====================================
@@ -81,21 +81,3 @@ jobs:
         name: covscan
         path: |
           ./logs/*.err
-
-  flake8:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout at v2
-      with:
-        ref: ${{ github.event.pull_request.head.sha }}
-        persist-credentials: false
-
-    - name: Run flake8
-      uses: grantmcconnaughey/lintly-flake8-github-action at d9db4fd0be9fb1cd19206a48ec0773bd93b82cbd
-      with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          failIf: new
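Review bot: removing the flake8 job from the `pull_request_target` workflow is the right fix: the job checked out `${{ github.event.pull_request.head.sha }}` and then ran a third-party action with `secrets.GITHUB_TOKEN` under `pull-requests: write`, so a pull request from a fork could have executed its own code with a write-capable token. The remaining jobs in `analyze-target.yml` should be checked for the same pattern (checking out the PR head while secrets are available) before merge.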


=====================================
.github/workflows/static-code-analysis.yml
=====================================
@@ -40,3 +40,16 @@ jobs:
 
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze at v2
+
+  flake8:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout at v2
+
+    - name: Run flake8
+      uses: grantmcconnaughey/lintly-flake8-github-action at d9db4fd0be9fb1cd19206a48ec0773bd93b82cbd
+      if: github.event_name == 'pull_request'
+      with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          failIf: new
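Review bot: the re-added job drops the `persist-credentials: false` that the removed version had on the `actions/checkout at v2` step and declares no `permissions:` block, so the workflow token is written into the checkout's git config and the job runs with the repository's default token permissions; restore `persist-credentials: false` and add an explicit minimal `permissions:` (`contents: read` plus what the lint action needs to post comments). Also, `if: github.event_name == 'pull_request'` guards only the lint step, so on `push` events the job still starts a runner and checks out the tree for nothing; putting the condition at the job level (`if:` directly under `flake8:`) avoids that.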


=====================================
src/confdb/confdb.h
=====================================
@@ -181,7 +181,7 @@
 #define CONFDB_PAC_LIFETIME "pac_lifetime"
 #define CONFDB_PAC_CHECK "pac_check"
 #define CONFDB_PAC_CHECK_DEFAULT "no_check"
-#define CONFDB_PAC_CHECK_IPA_AD_DEFAULT "pac_present, check_upn, check_upn_dns_info_ex"
+#define CONFDB_PAC_CHECK_IPA_AD_DEFAULT "check_upn, check_upn_dns_info_ex"
 
 /* InfoPipe */
 #define CONFDB_IFP_CONF_ENTRY "config/ifp"
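Review bot: dropping `pac_present` from `CONFDB_PAC_CHECK_IPA_AD_DEFAULT` changes a security default: a reply without a PAC is now accepted for the AD and IPA providers, and `check_upn` / `check_upn_dns_info_ex` can only be evaluated when a PAC is actually present. That is the intended resolution of #5868, but it needs a release-note entry telling administrators who relied on the old default to set `pac_check = pac_present, check_upn, check_upn_dns_info_ex` explicitly.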


=====================================
src/man/sssd.conf.5.xml
=====================================
@@ -2298,7 +2298,7 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
                         </para>
                         <para>
                             Default: no_check (AD and IPA provider
-                            'pac_present, check_upn, check_upn_dns_info_ex')
+                            'check_upn, check_upn_dns_info_ex')
                         </para>
                     </listitem>
                 </varlistentry>
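Review bot: only the default string is updated here; the description of the `pac_present` value in the same `pac_check` entry should be re-read so it states plainly that it is no longer part of the AD/IPA default and must be listed explicitly if a missing PAC is to be treated as an error.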


=====================================
src/tests/cmocka/test_fqnames.c
=====================================
@@ -318,6 +318,41 @@ static int parse_name_test_setup(void **state)
     return 0;
 }
 
+static int parse_name_test_two_names_ctx_setup(void **state)
+{
+    struct parse_name_test_ctx *test_ctx;
+    struct sss_names_ctx *nctx1 = NULL;
+    struct sss_names_ctx *nctx2 = NULL;
+    struct sss_domain_info *dom;
+    int ret;
+
+    assert_true(leak_check_setup());
+
+    test_ctx = talloc_zero(global_talloc_context, struct parse_name_test_ctx);
+    assert_non_null(test_ctx);
+
+    ret = sss_names_init_from_args(test_ctx, SSS_DEFAULT_RE,
+                                   "%1$s@%2$s", &nctx1);
+    assert_int_equal(ret, EOK);
+
+    ret = sss_names_init_from_args(test_ctx, SSS_IPA_AD_DEFAULT_RE,
+                                   "%1$s@%2$s", &nctx2);
+    assert_int_equal(ret, EOK);
+
+    test_ctx->dom = create_test_domain(test_ctx, DOMNAME, FLATNAME,
+                                       NULL, nctx1);
+    assert_non_null(test_ctx->dom);
+
+    dom = create_test_domain(test_ctx, DOMNAME2, FLATNAME2,
+                                       NULL, nctx2);
+    assert_non_null(dom);
+    DLIST_ADD_END(test_ctx->dom, dom, struct sss_domain_info *);
+
+    check_leaks_push(test_ctx);
+    *state = test_ctx;
+    return 0;
+}
+
 static int parse_name_test_teardown(void **state)
 {
     struct parse_name_test_ctx *test_ctx = talloc_get_type(*state,
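Review bot: the continuation line `NULL, nctx2);` of the second `create_test_domain` call is aligned to the first call's opening parenthesis (the one preceded by `test_ctx->dom = `) rather than its own; realign it. Otherwise the setup is sound: both `sss_names_ctx` objects are allocated under `test_ctx`, so freeing `test_ctx` in the existing teardown releases them and the `check_leaks_push` bracket stays balanced.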
@@ -448,6 +483,18 @@ void test_init_nouser(void **state)
     assert_int_not_equal(ret, EOK);
 }
 
+void test_different_regexps(void **state)
+{
+    struct parse_name_test_ctx *test_ctx = talloc_get_type(*state,
+                                                     struct parse_name_test_ctx);
+    parse_name_check(test_ctx, NAME"@"DOMNAME, NULL, EOK, NAME, DOMNAME);
+    parse_name_check(test_ctx, NAME"@"DOMNAME2, NULL, EOK, NAME, DOMNAME2);
+    parse_name_check(test_ctx, NAME"@WITH_AT@"DOMNAME2, NULL, EOK, NAME"@WITH_AT", DOMNAME2);
+    parse_name_check(test_ctx, FLATNAME"\\"NAME, NULL, EOK, FLATNAME"\\"NAME, NULL);
+    parse_name_check(test_ctx, FLATNAME2"\\"NAME, NULL, EOK, NAME, DOMNAME2);
+    parse_name_check(test_ctx, FLATNAME2"\\"NAME"@WITH_AT", NULL, EOK, NAME"@WITH_AT", DOMNAME2);
+}
+
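Review bot: the expectations are correct but not self-explanatory; add a comment on why `FLATNAME"\\"NAME` is expected to come back unsplit with a NULL domain while `FLATNAME2"\\"NAME` is split: only the second domain's `SSS_IPA_AD_DEFAULT_RE` understands the `FLAT\name` form, and with this fix its flat-name match is accepted only for `DOMNAME2` and its sub-domains, not for `DOMNAME`. The `NAME"@WITH_AT@"DOMNAME2` case is the one that reproduces #6055 and deserves a comment saying so.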
 void sss_parse_name_fail(void **state)
 {
     struct parse_name_test_ctx *test_ctx = talloc_get_type(*state,
@@ -502,6 +549,9 @@ int main(int argc, const char *argv[])
         cmocka_unit_test_setup_teardown(sss_parse_name_fail,
                                         parse_name_test_setup,
                                         parse_name_test_teardown),
+        cmocka_unit_test_setup_teardown(test_different_regexps,
+                                        parse_name_test_two_names_ctx_setup,
+                                        parse_name_test_teardown),
     };
 
     /* Set debug level to invalid value so we can decide if -d 0 was used. */


=====================================
src/tests/multihost/ad/conftest.py
=====================================
@@ -720,6 +720,24 @@ def samba_share_permissions(session_multihost, request):
 # ################### Session scoped fixtures #########################
 
 
+ at pytest.fixture(scope='session', autouse=True)
+def fips_ad_support_policy(session_multihost, request):
+    """ Enable FIPS:AD-SUPPORT crypto policy added in bz2056676"""
+    old_policy = session_multihost.client[0].run_command(
+        'update-crypto-policies --show', raiseonerr=False).stdout_text
+    old_policy = old_policy.strip()
+    if "FIPS" == old_policy:
+        session_multihost.client[0].run_command(
+            'update-crypto-policies --set FIPS:AD-SUPPORT', raiseonerr=False)
+
+    def restore_policy():
+        """ Restore crypto policy """
+        if "FIPS" == old_policy:
+            session_multihost.client[0].run_command(
+                f'update-crypto-policies --set {old_policy}', raiseonerr=False)
+    request.addfinalizer(restore_policy)
+
+
 @pytest.fixture(scope="session", autouse=True)
 def setup_session(request, session_multihost):
     """ Setup Session """


=====================================
src/tests/multihost/ad/test_adparameters.py
=====================================
@@ -174,7 +174,7 @@ class TestBugzillaAutomation(object):
         :steps:
           1. Create AD group with scope as "Global" and type "Security"
           2. Update the properties newly created group and update under
-           "Member of" tab and add Users BUILTIN group.
+             "Member of" tab and add Users BUILTIN group.
           3. Check the group lookup for BUILTIN group.
           4. Check the cache entry, for built in group.
         :expectedresults:
@@ -443,7 +443,7 @@ class TestBugzillaAutomation(object):
         :id: b8382774-e568-4e5b-b787-bdd4db380c28
         :steps:
           1. Add user and set its UPN different from the username,
-            Ex: TestUserUPN at ad.vm
+             Ex: TestUserUPN at ad.vm
           2. Run command "dbus-send --print-reply --system
              --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/
              infopipe org.freedesktop.sssd.infopipe.GetUserAttr string:


=====================================
src/tests/multihost/ad/test_automount.py
=====================================
@@ -109,7 +109,7 @@ class Testautofsresponder(object):
         :id: e8dbd94d-c557-4533-8ab7-bc891e1609a3
         :steps:
           1. Edit sssd.conf and specify below parameters: autofs_provider = ad
-           ldap_autofs_search_base = ou=automount,dc=<ad-domain>
+             ldap_autofs_search_base = ou=automount,dc=<ad-domain>
           2. Restart sssd
           3. Execute automount -m
           4. Access /export shared
@@ -205,7 +205,7 @@ class Testautofsresponder(object):
         :expectedresults:
           1. autofs_provider is not set
           2. Verify automount maps are loaded from AD and client is able to
-           mount nfs share
+             mount nfs share
         """
         # pylint: disable=unused-argument
         client = sssdTools(multihost.client[0])


=====================================
src/tests/multihost/ad/test_sudo.py
=====================================
@@ -52,9 +52,8 @@ class TestSudo(object):
           1. Should succeed
           2. Verify the the user when logged in with upper
              and lower case can fetch the sudo rules from AD
-        Note: This test case also cover BZ-1622109 and BZ-bz1519287
-        Sudo rules used in the fixture contains multiple
-        sudoUser attributes added.
+        :description: Note: This test case also cover BZ-1622109 and BZ-bz1519287
+         Sudo rules used in the fixture contains multiple sudoUser attributes added.
         """
         multihost.client[0].service_sssd('restart')
         realm = multihost.ad[0].realm
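Review bot: while the docstring is being touched, fix the typos in the new `:description:` line: `also cover` should be `also covers` and `BZ-bz1519287` should be `BZ-1519287`; the unchanged context line `Verify the the user` has a doubled `the`. The continuation line is also indented by one space, whereas the `:steps:` / `:expectedresults:` fields use a two-space step, which is exactly the alignment this series is fixing for the importer.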
@@ -174,10 +173,10 @@ class TestSudo(object):
         3. Set debug level to 2
 
         :steps:
-         1.Run sudo command as AD-user for whom rule is created
+          1. Run sudo command as AD-user for whom rule is created
         :expectedResuls:
-        1. There should be no error in the sudo or domain log related
-           to 'short-username or non-fqdn username'
+          1. There should be no error in the sudo or domain log related
+             to 'short-username or non-fqdn username'
         """
         client = sssdTools(multihost.client[0], multihost.ad[0])
         domain_name = client.get_domain_section_name()
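Review bot: the field name `:expectedResuls:` on the context line above the reindented lines is misspelled and capitalised differently from the `:expectedresults:` used everywhere else in these docstrings, so the importer this series is fixing will still skip it; rename it to `:expectedresults:` in the same change.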


=====================================
src/tests/multihost/alltests/conftest.py
=====================================
@@ -132,6 +132,36 @@ def localusers(session_multihost, request):
     return users
 
 
+ at pytest.fixture(scope='function')
+def create_350_posix_users(session_multihost, request):
+    """ Create posix user and groups """
+    ldap_uri = 'ldap://%s' % (session_multihost.master[0].sys_hostname)
+    ds_rootdn = 'cn=Directory Manager'
+    ds_rootpw = 'Secret123'
+    ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
+    krb = krb5srv(session_multihost.master[0], 'EXAMPLE.TEST')
+    for i in range(1, 351):
+        user_info = {'cn': 'doo%d' % i,
+                     'uid': 'doo%d' % i,
+                     'uidNumber': '145831%d' % i,
+                     'gidNumber': f'145641{i}'}
+        if ldap_inst.posix_user("ou=People",
+                                "dc=example,dc=test",
+                                user_info):
+            krb.add_principal('doo%d' % i, 'user', 'Secret123')
+        else:
+            print("Unable to add ldap User %s" % (user_info))
+            assert False
+
+    def remove_users():
+        """ Remove default sssd.conf """
+        for i in range(1, 351):
+            ldap_inst.del_dn(f'uid=doo{i},ou=People,dc=example,dc=test')
+            krb.delete_principal(f'doo{i}')
+
+    request.addfinalizer(remove_users)
+
+
 @pytest.fixture(scope='function')
 def enable_sss_sudo_nsswitch(session_multihost, request):
     """Enable sss backend for sudoers in nsswitch.conf """
@@ -669,32 +699,43 @@ def sssdproxyldap(session_multihost, request):
     request.addfinalizer(removeproxyldap)
 
 
+ at pytest.fixture(scope='class')
+def install_nslcd(session_multihost, request):
+    """ Install nss-pam-ldapd Configure nslcd.conf """
+    client = session_multihost.client[0]
+    client.run_command("yum install -y nss-pam-ldapd")
+    execute_cmd(session_multihost, "echo 'uid nslcd' > /etc/nslcd.conf")
+    execute_cmd(session_multihost, "echo 'gid ldap' >> /etc/nslcd.conf")
+    execute_cmd(session_multihost, f"echo 'uri ldap://"
+                                   f"{session_multihost.master[0].ip}'"
+                                   f" >> /etc/nslcd.conf")
+    execute_cmd(session_multihost, f"echo 'base {ds_suffix}' >> "
+                                   f"/etc/nslcd.conf")
+    execute_cmd(session_multihost, "systemctl restart nslcd")
+
+    def restore_install_nslcd():
+        """ Restore"""
+        client.run_command("rm -vf /etc/nslcd.conf")
+        execute_cmd(session_multihost, "systemctl stop nslcd")
+
+    request.addfinalizer(restore_install_nslcd)
+
+
 @pytest.fixture(scope='class')
 def sssdproxyldap_test(session_multihost, request):
     """ Configure  sssdproxyldap
         Configure  sssd.conf
-        Configure  nslcd.conf
         Transport sssdproxyldap.sh to client machine
         configure password for ldap user
     """
     master = session_multihost.master[0]
     client = session_multihost.client[0]
-    client.run_command("yum install -y nss-pam-ldapd",
-                       raiseonerr=False)
     tools = sssdTools(session_multihost.client[0])
     domain_name = tools.get_domain_section_name()
     domain_params = {'proxy_pam_target': 'sssdproxyldap',
                      'id_provider': 'proxy',
                      'proxy_lib_name': 'ldap'}
     tools.sssd_conf('domain/' + domain_name, domain_params)
-    execute_cmd(session_multihost, "> /etc/nslcd.conf")
-    execute_cmd(session_multihost, "echo 'uid nslcd' > /etc/nslcd.conf")
-    execute_cmd(session_multihost, "echo 'gid ldap' >> /etc/nslcd.conf")
-    execute_cmd(session_multihost, f"echo 'uri ldap://{master.ip}' "
-                                   f">> /etc/nslcd.conf")
-    execute_cmd(session_multihost, f"echo 'base {ds_suffix}' "
-                                   f">> /etc/nslcd.conf")
-    execute_cmd(session_multihost, "systemctl restart nslcd")
     file_location = '/script/sssdproxyldap.sh'
     client.transport.put_file(os.path.dirname(os.path.abspath(__file__))
                               + file_location,
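Review bot: moving the nslcd setup out of `sssdproxyldap_test` into a separate class-scoped `install_nslcd` fixture means any class that still lists `sssdproxyldap_test` without also listing `install_nslcd` (and listing it before, since both are class-scoped and the `usefixtures` order decides) now runs with no `/etc/nslcd.conf`; the other alltests modules should be checked for that. In the new fixture `ds_suffix` is referenced but not defined in the hunk, and the `yum install` lost the previous `raiseonerr=False`, so an unreachable repository now fails the whole class instead of being tolerated; that may be the better behaviour, but it should be a deliberate choice.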
@@ -708,7 +749,6 @@ def sssdproxyldap_test(session_multihost, request):
     def restore_sssdproxyldap_test():
         """ Restore"""
         client.run_command("rm -vf /tmp/sssdproxyldap.sh")
-        client.run_command("rm -vf /etc/nslcd.conf")
     request.addfinalizer(restore_sssdproxyldap_test)
 
 


=====================================
src/tests/multihost/alltests/script/sssdproxymisc.sh
=====================================
@@ -0,0 +1,16 @@
+expect -f  - <<<'
+    spawn ssh -o StrictHostKeyChecking=no -l foo12 localhost
+    expect "*assword:"
+    send -- "Secret123\r"
+    expect "*$ "
+    send -- "passwd\r"
+    expect "*Current Password: "
+    send -- "Secret123\r"
+    expect "New password: "
+    send -- "LsaASion#@123\r"
+    expect "Retype new password: "
+    send -- "LsaASion#@123\r"
+    expect "*"
+    send -- "logout\r"
+    expect eof
+'
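Review bot: `expect "*"` after the retyped password matches immediately, so `logout` can be sent before `passwd` has finished and the script cannot distinguish success from failure; expect the shell prompt or the `passwd` success message instead and let `expect` exit non-zero on timeout so the caller notices. The file has no shebang but relies on a bash here-string (`<<<`), so despite the `chmod 755` it must be invoked via `bash`, not `sh`; add `#!/bin/bash`. The test passwords are embedded in clear text and sent through `send`, which is acceptable on throwaway test hosts as long as the fixture removes the file afterwards (it does).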


=====================================
src/tests/multihost/alltests/test_automount.py
=====================================
@@ -206,9 +206,9 @@ class Testautofsresponder(object):
         :customerscenario: true
         :steps:
             1. Configure SSSD with autofs, automountMap,
-            automount, automountInformation
+               automount, automountInformation
             2. Add 2 automount entries in LDAP with
-            same key ( cn: MIT and cn: mit)
+               same key ( cn: MIT and cn: mit)
             3. We should have the 2 automounts working
         :expectedresults:
             1. Should succeed
@@ -314,7 +314,7 @@ class Testautofsresponder(object):
           1. Access nfs share /export/nfs-test with autofs provider not set
         :expectedresults:
           1. Verify automount maps are loaded from AD and client is able to
-           mount nfs share
+             mount nfs share
         """
         # pylint: disable=unused-argument
         client = sssdTools(multihost.client[0])
@@ -410,7 +410,7 @@ class Testautofsresponder(object):
         :id: 92640015-52b9-4e76-9e63-ea7357eec9cd
         :steps:
           1. Add Indirect map auto.idmtest which has mount point keys
-           from foo1 to foo20 pointing to /projects/foo1 to /projects/foo20
+             from foo1 to foo20 pointing to /projects/foo1 to /projects/foo20
         :expectedresults:
           1. Verify sssd doesn't use (cn=*)(objectclass=nisObject)
         """


=====================================
src/tests/multihost/alltests/test_default_debug_level.py
=====================================
@@ -33,9 +33,9 @@ class TestDefaultDebugLevel(object):
           1. sssd should use default debug level with no level defined
           2. sssd services start successfully
           3. Log files has
-            a. default level set to 0x0070
-            b. 0x1f7c0 logs for "SSSDBG_IMPORTANT_INFO"
-            c. Other logs could be <= 0x0040
+             a. default level set to 0x0070
+             b. 0x1f7c0 logs for "SSSDBG_IMPORTANT_INFO"
+             c. Other logs could be <= 0x0040
         """
         section = f"domain/{ds_instance_name}"
         domain_params = {'debug_level': ''}


=====================================
src/tests/multihost/alltests/test_kcm.py
=====================================
@@ -68,7 +68,7 @@ class TestKcm(object):
           1. Configure SSSD with sudo
           2. Leave ou=sudoers empty - do not define any rules
           3. See that smart refresh does not contain
-          modifyTimestamp in the filter
+             modifyTimestamp in the filter
         :expectedresults:
           1. Should succeed
           2. Should succeed


=====================================
src/tests/multihost/alltests/test_misc.py
=====================================
@@ -244,14 +244,14 @@ class TestMisc(object):
         :customerscenario: true
         :steps:
             1. Configure SSSD with id_provider = ldap and
-            set ldap_schema = rfc2307bis
+               set ldap_schema = rfc2307bis
             2. Add necessary users and groups with uniqueMember.
             3. Check 'getent group ldapgroupname' output.
         :expectedresults:
             1. Should succeed
             2. Should succeed
             3. 'getent group ldapgroupname' should show
-            all it's member ldapusers.
+               all it's member ldapusers.
         """
         tools = sssdTools(multihost.client[0])
         domain_name = tools.get_domain_section_name()


=====================================
src/tests/multihost/alltests/test_misc_proxy.py
=====================================
@@ -0,0 +1,392 @@
+""" Automation of proxy provider suite
+
+:requirement: IDM-SSSD-REQ : Proxy Provider
+:casecomponent: sssd
+:subsystemteam: sst_idm_sssd
+:upstream: yes
+"""
+from __future__ import print_function
+import pytest
+import subprocess
+import time
+import os
+import ldap
+from sssd.testlib.common.utils import sssdTools, SSHClient, LdapOperations
+from sssd.testlib.common.libkrb5 import krb5srv
+
+
+def execute_cmd(multihost, command):
+    """ Execute command on client """
+    cmd = multihost.client[0].run_command(command)
+    return cmd
+
+
+ at pytest.fixture(scope='class')
+def create_user_with_cn(multihost, request):
+    """
+        Configure sssd.conf
+        Create a dedicated user with
+        a DN starting e.g. with cn=...
+        Create a local user foo12
+    """
+    ldap_uri = 'ldap://%s' % multihost.master[0].sys_hostname
+    ds_rootdn = 'cn=Directory Manager'
+    ds_rootpw = 'Secret123'
+    ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
+    krb = krb5srv(multihost.master[0], 'EXAMPLE.TEST')
+    user_info = {'cn': 'foo12'.encode('utf-8'),
+                 'sn': 'foo12'.encode('utf-8'),
+                 'uid': 'foo12'.encode('utf-8'),
+                 'homeDirectory': '/home/foo12'.encode('utf-8'),
+                 'objectClass': [b'top',
+                                 b'inetOrgPerson',
+                                 b'organizationalPerson',
+                                 b'person',
+                                 b'posixAccount'],
+                 'uidNumber': '1458310'.encode('utf-8'),
+                 'gidNumber': '1456410'.encode('utf-8')}
+    user_dn = 'cn=foo12,ou=People,dc=example,dc=test'
+    (_, _) = ldap_inst.add_entry(user_info, user_dn)
+    krb.add_principal('foo12', 'user', 'Secret123')
+    execute_cmd(multihost, "useradd foo12")
+    execute_cmd(multihost, f"echo Secret123 | passwd --stdin foo12")
+    client = multihost.client[0]
+    file_location = '/script/sssdproxymisc.sh'
+    client.transport.put_file(os.path.dirname(os.path.abspath(__file__))
+                              + file_location,
+                              '/tmp/sssdproxymisc.sh')
+    execute_cmd(multihost, f"chmod 755 /tmp/sssdproxymisc.sh")
+
+    def restoresssdconf():
+        """ Restore sssd.conf """
+        execute_cmd(multihost, "userdel -rf foo12")
+        ldap_inst.del_dn(f'cn=foo12,ou=People,dc=example,dc=test')
+        krb.delete_principal(f'foo12')
+        execute_cmd(multihost, "rm -vf /tmp/sssdproxymisc.sh")
+
+    request.addfinalizer(restoresssdconf)
+
+
+ at pytest.mark.usefixtures('setup_sssd_krb',
+                         'create_posix_usersgroups',
+                         'sssdproxyldap',
+                         'install_nslcd',
+                         'create_user_with_cn',
+                         'netgroups')
+ at pytest.mark.tier1_3
+class TestProxyMisc(object):
+    """
+    This is test case class for proxy provider suite
+    """
+    def test_bz1036758(self, multihost, backupsssdconf):
+        """
+        :title: Allow for custom attributes in RDN bz1036758
+        :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1036758
+        :id: 10eb49a4-b252-11ec-87ea-845cf3eff344
+        :steps:
+          1. sssd to fetch id information from local user
+          2. Auth should work using ldap provider
+        :expectedresults:
+          1. Should succeed
+          2. Should succeed
+        """
+        tools = sssdTools(multihost.client[0])
+        domain_name = tools.get_domain_section_name()
+        domain_params = {'id_provider': 'proxy',
+                         'proxy_lib_name': 'files',
+                         'auth_provider': 'ldap'}
+        tools.sssd_conf('domain/' + domain_name, domain_params)
+        tools.clear_sssd_cache()
+        # Auth should work using ldap provider
+        execute_cmd(multihost, "chown -R foo12 ~foo12")
+        execute_cmd(multihost, "chown -R foo12 /var/spool/mail/foo12")
+        # error logged in log
+        execute_cmd(multihost, "systemctl stop sssd.service")
+        execute_cmd(multihost, "rm -rf /var/lib/sss/{db,mc}/*")
+        execute_cmd(multihost, "systemctl start sssd.service")
+
+    def test_bz785902(self, multihost):
+        """
+        :title: Errors with empty loginShell and proxy provider bz785902
+        :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=785902
+        :id: 17831b7a-b252-11ec-9942-845cf3eff344
+        :steps:
+          1. Adding the user in ldap server with empty login shell
+          2. Search for Internal Error
+          3. Non existing netgroup returned with proxy
+             provider when proxy lib name is ldap
+        :expectedresults:
+          1. Should succeed
+          2. Should not succeed
+          3. Should not succeed
+        """
+        # Errors with empty loginShell and proxy provider bz785902
+        tools = sssdTools(multihost.client[0])
+        master_e = multihost.master[0].ip
+        ldap_uri = f'ldap://{master_e}'
+        ds_rootdn = 'cn=Directory Manager'
+        ds_rootpw = 'Secret123'
+        ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
+        user_dn = 'uid=foo1,ou=People,dc=example,dc=test'
+        del_member = [(ldap.MOD_REPLACE, 'loginShell', "".encode('utf-8'))]
+        (ret, _) = ldap_inst.modify_ldap(user_dn, del_member)
+        assert ret == 'Success'
+        domain_name = tools.get_domain_section_name()
+        domain_params = {'use_fully_qualified_names': 'False',
+                         'id_provider': 'proxy',
+                         'auth_provider': 'proxy',
+                         'cache_credentials': 'true',
+                         'proxy_lib_name': 'ldap',
+                         'proxy_pam_target': 'sssdproxyldap'}
+        tools.sssd_conf('domain/' + domain_name, domain_params)
+        tools.clear_sssd_cache()
+        execute_cmd(multihost, "id foo1")
+        del_member = [(ldap.MOD_REPLACE, 'loginShell',
+                       "/bin/bash".encode('utf-8'))]
+        (ret, _) = ldap_inst.modify_ldap(user_dn, del_member)
+        assert ret == 'Success'
+        for error_error in ['[sysdb_set_entry_attr] (6): '
+                            'Error: 14 (Bad address)',
+                            '[sysdb_store_user] (6): '
+                            'Error: 14 (Bad address)',
+                            'Internal Error (Cannot make/remove '
+                            'an entry for the specified session)']:
+            with pytest.raises(subprocess.CalledProcessError):
+                execute_cmd(multihost, f"grep {error_error} /var/log/sssd/*")
+
+    def test_bz804103(self, multihost):
+        """
+        :title: Nss-pam-ldapd returns empty netgroup when a
+         nonexistent netgroup is requested
+        :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=804103
+        :id: 9b2b7be0-ca01-11ec-9be1-845cf3eff344
+        :steps:
+            1. Check non existing netgroup
+            2. Clear cache
+            3. Check existing netgroup
+            4. Again check non existing netgroup
+        :expectedresults:
+            1. Should not Succeed
+            2. Should Succeed
+            3. Should Succeed
+            4. Should not Succeed
+        """
+        # non existing netgroup returned with proxy provider
+        # when proxy lib name is ldap bz804103
+        tools = sssdTools(multihost.client[0])
+        with pytest.raises(subprocess.CalledProcessError):
+            execute_cmd(multihost, "getent netgroup testsumgroup")
+        tools.clear_sssd_cache()
+        execute_cmd(multihost, "getent netgroup netgroup_1")
+        with pytest.raises(subprocess.CalledProcessError):
+            execute_cmd(multihost, "getent netgroup testsumgroup")
+
+    def test_bz801377(self, multihost, backupsssdconf):
+        """
+        :title: Non existing netgroup returned with proxy provider
+         when proxy lib name is file bz801377
+        :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=801377
+        :id: 6ec16a9a-ca03-11ec-9675-845cf3eff344
+        :steps:
+          1. Configure proxy lib name is file
+          2. Check for non existing group
+          3. Configure /etc/negoup file
+          4. Check netgoup name from /etc/netgroup
+        :expectedresults:
+          1. Should succeed
+          2. Should not Succeed
+          3. Should Succeed
+          4. Should Succeed
+        """
+        tools = sssdTools(multihost.client[0])
+        domain_name = tools.get_domain_section_name()
+        domain_params = {'use_fully_qualified_names': 'False',
+                         'id_provider': 'proxy',
+                         'auth_provider': 'proxy',
+                         'cache_credentials': 'true',
+                         'proxy_lib_name': 'files',
+                         'proxy_pam_target': 'sssdproxyldap'}
+        tools.sssd_conf('domain/' + domain_name, domain_params)
+        tools.clear_sssd_cache()
+        with pytest.raises(subprocess.CalledProcessError):
+            execute_cmd(multihost, "getent netgroup testsumgroup")
+        execute_cmd(multihost, "echo 'QAeng    "
+                               "(host1.example.com, ami1, example.com)'"
+                               " > /etc/netgroup")
+        tools.clear_sssd_cache()
+        execute_cmd(multihost, "getent netgroup QAeng")
+        execute_cmd(multihost, 'echo "" > /etc/netgroup')
+
+    def test_bz647816(self, multihost, backupsssdconf):
+        """
+        :title: More than 10 auth attempt times out bz647816
+        :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=647816
+        :id: 201a44c0-b252-11ec-94b7-845cf3eff344
+        :steps:
+            1. Auth a user more than 12 times
+            2. Search for Error
+        :expectedresults:
+            1. Should succeed
+            2. Should not succeed
+        """
+        # more than 10 auth attempt times out bz647816
+        tools = sssdTools(multihost.client[0])
+        domain_name = tools.get_domain_section_name()
+        domain_params = {'proxy_lib_name': 'ldap',
+                         'debug_level': '0xFFF0'}
+        tools.sssd_conf('domain/' + domain_name, domain_params)
+        tools.clear_sssd_cache()
+        client_e = multihost.client[0].ip
+        for _ in range(12):
+            ssh1 = SSHClient(client_e, username="foo1 at example1",
+                             password="Secret123")
+            ssh1.close()
+        with pytest.raises(subprocess.CalledProcessError):
+            execute_cmd(multihost, "grep 'All available child slots are full, "
+                                   "queuing request' /var/log/sssd/*")
+
+    def test_bz871424(self, multihost, backupsssdconf):
+        """
+        :title: authconfig chokes on sssd.conf with chpass_provider directive
+        :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=871424
+        :id: ce5fe4d2-e6e0-11ec-af7d-845cf3eff344
+        :steps:
+            1. Configure SSSD chpass_provider = proxy
+            2. Run authconfig --test
+        :expectedresults:
+            1. Should succeed
+            2. Should succeed
+        """
+        # more than 10 auth attempt times out bz647816
+        tools = sssdTools(multihost.client[0])
+        domain_name = tools.get_domain_section_name()
+        domain_params = {'id_provider': 'ldap',
+                         'auth_provider': 'ldap',
+                         'chpass_provider': 'proxy',
+                         'proxy_pam_target': 'sssdproxyldap',
+                         'ldap_schema': 'rfc2307',
+                         'enumerate': 'false',
+                         'cache_credentials': 'true' }
+        tools.sssd_conf('domain/' + domain_name, domain_params)
+        tools.clear_sssd_cache()
+        execute_cmd(multihost, "authselect test sssd")
+
+    def test_bz1221992(self, multihost, backupsssdconf):
+        """
+        :title: sssd_be segfault at 0 ip sp error 6 in libtevent.so.0.9.21
+        :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1221992
+        :id: a97bf86a-e6e3-11ec-a1ee-845cf3eff344
+        :steps:
+            1. Configure user=sssd in sssd.conf
+            2. user should be able to change the
+               password without segfault
+        :expectedresults:
+            1. Should succeed
+            2. Should succeed
+        """
+        tools = sssdTools(multihost.client[0])
+        domain_name = 'sssd'
+        domain_params = {'user': 'sssd'}
+        tools.sssd_conf(domain_name, domain_params)
+        domain_name = tools.get_domain_section_name()
+        domain_params = {'id_provider': 'ldap',
+                         'auth_provider': 'ldap',
+                         'chpass_provider': 'proxy',
+                         'proxy_pam_target': 'sssdproxyldap',
+                         'proxy_lib_name': 'ldap' }
+        tools.sssd_conf('domain/' + domain_name, domain_params)
+        execute_cmd(multihost, "> /var/log/messages")
+        tools.clear_sssd_cache()
+        execute_cmd(multihost, "sh /tmp/sssdproxymisc.sh")
+        time.sleep(3)
+        with pytest.raises(subprocess.CalledProcessError):
+            execute_cmd(multihost, "grep 'segfault at 0 ip' /var/log/messages")
+        assert 'sssd' in execute_cmd(multihost,
+                                     "stat -c %G /var/lib/sss/pipes"
+                                     "/private/sbus-dp_example1.*").stdout_text
+
+    def test_0002_bz1209483(self, multihost, backupsssdconf):
+        """
+        :title: sssd does not work as expected when id provider
+         equal to proxy and auth provider equal to ldap bz1209483
+        :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1209483
+        :id: 2fa4834c-b252-11ec-919d-845cf3eff344
+        :steps:
+          1. Add a local user with the same name as an existing ldap user
+          2. set id provider equal to proxy and auth provider equal to ldap
+          3. lookup local user
+        :expectedresults:
+          1. Should succeed
+          2. Should succeed
+          3. Should succeed
+        """
+        client_e = multihost.client[0].ip
+        tools = sssdTools(multihost.client[0])
+        # sssd does not work as expected when id provider equal to proxy
+        # and auth provider equal to ldap bz1209483
+        execute_cmd(multihost, "systemctl stop nslcd.service")
+        execute_cmd(multihost, "systemctl stop sssd")
+        assert "uid=foo2,ou=People,dc=example,dc=test" in \
+               multihost.master[0].run_command("ldapsearch -x -LLL uid=foo2").stdout_text
+        execute_cmd(multihost, "useradd -u 2001 foo2")
+        execute_cmd(multihost, "echo 'pam.d/         pam_ldap.conf' > /etc/pam")
+        services = {'filter_groups': 'root', 'filter_users': 'root'}
+        tools.sssd_conf('nss', services)
+        domain_name = tools.get_domain_section_name()
+        domain_params = {'debug_level': '0xFFF0',
+                         'id_provider': 'proxy',
+                         'proxy_lib_name': 'files',
+                         'auth_provider': 'ldap',
+                         'chpass_provider': 'ldap',
+                         'cache_credentials': 'true',
+                         'use_fully_qualified_names': 'False'}
+        tools.sssd_conf('domain/' + domain_name, domain_params)
+        tools.clear_sssd_cache()
+        assert "foo2:*:2001:2001::/home/foo2:/bin/bash" \
+               in execute_cmd(multihost, "getent passwd -s "
+                                         "sss foo2").stdout_text
+        ssh1 = SSHClient(client_e, username="foo2", password="Secret123")
+        ssh1.close()
+        execute_cmd(multihost, "userdel -rf foo2")
+
+    def test_bz1368467(self, multihost, backupsssdconf,
+                       create_350_posix_users):
+        """
+        :title: sssd runs out of available child slots and
+         starts queuing requests in proxy mode bz1368467
+        :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1368467
+        :id: 452376f2-e2f3-11ec-96b9-845cf3eff344
+        :steps:
+            1. Configure sssd with proxy
+            2. Create 350 users
+            3. Try to ssh with 350 users
+            4. Logs should not have error 'All available
+               child slots are full'
+        :expectedresults:
+            1. Should succeed
+            2. Should succeed
+            3. Should succeed
+            4. Should succeed
+        """
+        tools = sssdTools(multihost.client[0])
+        client_e = multihost.client[0].ip
+        domain_name = tools.get_domain_section_name()
+        domain_params = {'debug_level': '0xFFF0',
+                         'id_provider': 'ldap',
+                         'proxy_lib_name': 'ldap',
+                         'proxy_pam_target': 'sssdproxyldap',
+                         'auth_provider': 'proxy',
+                         'chpass_provider': 'ldap',
+                         'proxy_max_children': '10',
+                         'use_fully_qualified_names': 'False'}
+        tools.sssd_conf('domain/' + domain_name, domain_params)
+        tools.clear_sssd_cache()
+        # sssd runs out of available child slots and starts
+        # queuing requests in proxy mode
+        execute_cmd(multihost, "systemctl start nslcd.service")
+        for i in range(1, 351):
+            ssh1 = SSHClient(client_e, username=f"doo{i}", password="Secret123")
+            ssh1.close()
+        with pytest.raises(subprocess.CalledProcessError):
+            execute_cmd(multihost, "grep 'All available child slots are full, "
+                                   "queuing request' /var/log/sssd/*")
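
Review bot: the `grep {error_error} /var/log/sssd/*` loop at the top of this hunk hands the pattern to the shell unquoted, so `(6):` and `(Bad address)` are parsed as shell syntax and the command fails before grep ever runs; `pytest.raises(subprocess.CalledProcessError)` is then satisfied by that shell error rather than by an absent log line, and the check verifies nothing. Quote the pattern and match it literally, e.g. `execute_cmd(multihost, f"grep -F -e '{error_error}' /var/log/sssd/*")`, which also stops grep from reading `[sysdb_set_entry_attr]` as a character class. Smaller points in the same hunk: `test_bz871424` carries a copied comment about bz647816 and its step 2 says `authconfig --test` while the code runs `authselect test sssd`; `test_bz801377` ends with `echo "" > /etc/netgroup`, which empties the file instead of restoring what was there; and `test_0002_bz1209483` creates a stray file with `echo 'pam.d/ pam_ldap.conf' > /etc/pam` that is never removed.
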


=====================================
src/tests/multihost/alltests/test_offline.py
=====================================
@@ -68,14 +68,14 @@ class TestOffline(object):
           2. Configure SSSD with only 1  id_provider.
           3. Block "id_provider" using "iptables" command.
           4. Step 6 should fail and similar messages
-            should be observed in log file
-            (/var/log/sssd/sssd_<domainname>.log).
+             should be observed in log file
+             (/var/log/sssd/sssd_<domainname>.log).
           5. The log snip should contain following
-           timeout parameters.
-            - ldap_opt_timeout
-            - ldap_search_timeout
-            - ldap_network_timeout
-            - dns_resolver_timeout
+             timeout parameters.
+             - ldap_opt_timeout
+             - ldap_search_timeout
+             - ldap_network_timeout
+             - dns_resolver_timeout
         :expectedresults:
           1. Should succeed
           2. Should succeed
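
Review bot: step 4 in this docstring still says "Step 6 should fail", but the numbered list ends at step 5 immediately before `:expectedresults:`, so the reference points at a step that does not exist; since this change re-indents exactly these lines, replace "Step 6" with the number of the step that is actually expected to fail in the same commit.
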


=====================================
src/tests/multihost/alltests/test_proxy_provider_krb_auth.py
=====================================
@@ -19,6 +19,7 @@ def execute_cmd(multihost, command):
 
 @pytest.mark.usefixtures('setup_sssd_krb',
                          'create_posix_usersgroups',
+                         'install_nslcd',
                          'sssdproxyldap',
                          'sssdproxyldap_test')
 @pytest.mark.tier1_3


=====================================
src/tests/multihost/alltests/test_services.py
=====================================
@@ -177,9 +177,9 @@ class TestServices(object):
           1. Find main sssd process id
           2. Send SIGHUP
           3. There should not be any logs for
-            Unable to signal service .* No such
-            file or directory
-            modifyTimestamp in the filter
+             'Unable to signal service .* No such
+             file or directory
+             modifyTimestamp' in the filter
         :expectedresults:
           1. Should succeed
           2. Should succeed
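
Review bot: the newly quoted text in step 3 reads as two unrelated log fragments run together ('Unable to signal service .* No such file or directory' and 'modifyTimestamp' in the filter); if these are two separate expectations, list them as two items so the importer and the reader see two checks rather than one odd message.
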


=====================================
src/tests/multihost/alltests/test_sssctl_local.py
=====================================
@@ -94,13 +94,12 @@ class Testsssctl(object):
         :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1661182
         :steps:
           1. Configure sssd without any domain
-          2. Restart sssd (sssd should not be
-           running after this)
+          2. Restart sssd (sssd should not be running after this)
           3. Modify existing local user usermod -a -G wheel user1
           4. This message
-           [sss_cache] [confdb_get_domains] (0x0010):
-           No domains configured, fatal error!
-           must not appear in console
+             '[sss_cache] [confdb_get_domains] (0x0010):
+             No domains configured, fatal error!'
+             must not appear in console
         :expectedresults:
           1. Should succeed
           2. Should succeed


=====================================
src/tests/multihost/ipa/test_misc.py
=====================================
@@ -192,16 +192,15 @@ class Testipabz(object):
             4. Enable SSSD debug logs
             5. Switch to 'admin' user
             6. obtain Kerberos ticket and check that it
-             was obtained using SPAKE pre-authentication.
+               was obtained using SPAKE pre-authentication.
             7. Create sudo configuration that allows an admin to
-             run SUDO rules
+               run SUDO rules
             8. Try 'sudo -l' as admin
             9. As root, check content of sssd_pam.log
-            10. Check if acquired service ticket has
-             req. indicators: 0
-            11. Add pam_sss_gss configuration to /etc/sssd/sssd.conf
-            12. Check if acquired service ticket has req.
-             indicators: 2
+           10. Check if acquired service ticket has req. indicators: 0
+           11. Add pam_sss_gss configuration to /etc/sssd/sssd.conf
+           12. Check if acquired service ticket has req.
+               indicators: 2
         :expectedresults:
             1. Should succeed
             2. Should succeed
@@ -212,9 +211,9 @@ class Testipabz(object):
             7. Should succeed
             8. Should succeed
             9. Should succeed
-            10. Should succeed
-            11. Should succeed
-            12. Should succeed
+           10. Should succeed
+           11. Should succeed
+           12. Should succeed
         """
         client = sssdTools(multihost.client[0])
         domain_params = {'pam_gssapi_services': 'sudo, sudo-i',
@@ -314,7 +313,7 @@ class Testipabz(object):
             3. Configure /etc/pam.d/sudo
             4. Configur /etc/pam.d/sudo-i
             5. Create IPA sudo rule of /usr/sbin/sssctl
-             for user admin
+               for user admin
             6. Check user admin can use sudo command
             7. Restore of files
         :expectedresults:
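
Review bot: the context line for step 4 reads "Configur /etc/pam.d/sudo-i"; this hunk already touches the docstring one line below, so fix the typo to "Configure" in the same change.
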
@@ -412,7 +411,9 @@ class Testipabz(object):
                                                           r"/pubconf"
                                                           r"/known_hosts")
 
-            if server_host in known_hosts.stdout_text:
+            print(f'cat /var/lib/sss/pubconf/known_hosts\n'
+                  f'{known_hosts.stdout_text}')
+            if re.search(fr'^{server_host}', known_hosts.stdout_text):
                 return 0   # hostname not hashed
             return 1   # hostname hashed
         # ssh_hash_known_hosts is not used, default value is False
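
Review bot: `re.search(fr'^{server_host}', known_hosts.stdout_text)` anchors on `^` but is compiled without `re.MULTILINE`, so it only matches when the server's entry is the first line of the file; with any other ordering the function returns 1 ("hostname hashed") even though the hostname is stored in clear text. Use `re.search(rf'^{re.escape(server_host)}', known_hosts.stdout_text, re.MULTILINE)`, which also stops the dots in the FQDN from matching arbitrary characters. The hunk does not show an `import re`, so confirm the module has one, and the added `print` of the whole known_hosts file looks like leftover debugging: drop it or send it through the test logger.
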
@@ -451,8 +452,7 @@ class Testipabz(object):
           3. Successfully set the option in sssd.conf.
           4. Successfully logged in to IPA user.
           5. Successfully get a ccache file with the FAST armor ticket
-        :bugzilla:
-        https://bugzilla.redhat.com/show_bug.cgi?id=1859751
+        :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1859751
         """
         sssd_client = sssdTools(multihost.client[0])
         domain_name = f'domain/{sssd_client.get_domain_section_name()}'


=====================================
src/util/usertools.c
=====================================
@@ -321,7 +321,7 @@ static struct sss_domain_info * match_any_domain_or_subdomain_name(
         return dom;
     }
 
-    return find_domain_by_name(dom, dmatch, true);
+    return find_domain_by_name_ex(dom, dmatch, true, SSS_GND_SUBDOMAINS);
 }
 
 int sss_parse_name_for_domains(TALLOC_CTX *memctx,
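
Review bot: this one-line change replaces the default domain walk of `find_domain_by_name` with an explicit `SSS_GND_SUBDOMAINS` flag set, which can change which domains `match_any_domain_or_subdomain_name` returns for a given name, yet the hunk carries no comment and no accompanying test saying why the previous lookup was wrong or which inputs now resolve differently. Add a short comment above the call naming the motivating case, and a unit test in the name-parsing tests, so the next reader does not revert it as a cleanup.
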


=====================================
version.m4
=====================================
@@ -1,5 +1,5 @@
 # Primary version number
-m4_define([VERSION_NUMBER], [2.7.1])
+m4_define([VERSION_NUMBER], [2.7.2])
 
 # If the PRERELEASE_VERSION_NUMBER is set, we'll append
 # it to the release tag when creating an RPM or SRPM



View it on GitLab: https://salsa.debian.org/sssd-team/sssd/-/compare/4c02953f909d60efa46cca4dc83d0d202ea35e08...ef79966be2cc168d999987b7ba7c50af6e7554be
