Fwd: Filter does not work with Anonymous connection


 





Hi all,

We recently implemented Filter and Anonymous in lib389, but it seems that Filter does not work with an Anonymous connection.
In fact, it does not work with any kind of connection other than root, whether or not an ACI allows the access.

My suspicion is that it is related to this issue, which is not yet fixed: https://pagure.io/389-ds-base/issue/50137

Please check the attached test case.

Regards
Anuj Borah
# --- BEGIN COPYRIGHT BLOCK ---
# Copyright (C) 2019 RED Hat, Inc.
# All rights reserved.
#
# License: GPL (version 3 or any later version).
# See LICENSE for details.
# --- END COPYRIGHT BLOCK ----

import pytest, os, ldap
from lib389._constants import DEFAULT_SUFFIX, PW_DM
from lib389.idm.user import UserAccount, UserAccounts
from lib389.idm.account import Anonymous, Accounts
from lib389.idm.organization import Organization
from lib389.idm.organizationalunit import OrganizationalUnit
from lib389.idm.group import Groups
from lib389.topologies import topology_st as topo
from lib389.idm.domain import Domain



# Distinguished names used by the ACI tests; every one is rooted at DEFAULT_SUFFIX.
USER_MIC = f"cn=Anuj,ou=product development,{DEFAULT_SUFFIX}"
ANUJBORAH = f"cn=Anuj Borah, {DEFAULT_SUFFIX}"
ANANADABORAH = f"cn=Ananda Borah, ou=Accounting, {DEFAULT_SUFFIX}"

# Organization subtree; the entries below it are derived from RED, then PEOPLE.
RED = f"o=RED.com,{DEFAULT_SUFFIX}"
PEOPLE = f"ou=PEOPLE,{RED}"
DYNGROUP = f"cn=DYNGROUP,{PEOPLE}"
STEVE = f"cn=STEVE,{PEOPLE}"
HARRY = f"cn=HARRY,{PEOPLE}"

TEST_ORG = f"o=test,{DEFAULT_SUFFIX}"
TEST_USER1 = f"cn=test1,{DEFAULT_SUFFIX}"
TEST_USER2 = f"cn=test2,{DEFAULT_SUFFIX}"

# The two organizational units that hold the test users.
CONTAINER_1_DELADD = f"ou=Product Development,{DEFAULT_SUFFIX}"
CONTAINER_2_DELADD = f"ou=Accounting,{DEFAULT_SUFFIX}"


@pytest.fixture(scope="function")
def aci_of_user(request, topo):
    """Snapshot the ACIs on DEFAULT_SUFFIX and put them back after the test.

    The 'aci' values are read before the test body runs. A finalizer then
    clears the attribute and re-adds the saved values one by one, so an ACI
    installed by a test does not stay on the suffix for later tests.
    """
    saved_acis = Domain(topo.standalone, DEFAULT_SUFFIX).get_attr_vals('aci')

    def restore_acis():
        suffix_entry = Domain(topo.standalone, DEFAULT_SUFFIX)
        # Remove whatever the test left on the suffix before restoring the snapshot.
        suffix_entry.set('aci', None)
        for saved in saved_acis:
            suffix_entry.add("aci", saved)

    request.addfinalizer(restore_acis)


@pytest.fixture(scope="function")
def test_user(request, topo):
    """Create the two organizational units and three user entries the test reads.

    Every user carries a 'mail' attribute, which is what the ACI test searches on.
    The passwords are fixed test credentials. No finalizer is registered on
    `request`, so the entries are not removed by this fixture.
    """
    instance = topo.standalone

    for unit_name in ('Product Development', 'Accounting'):
        unit_dn = "ou={},{}".format(unit_name, DEFAULT_SUFFIX)
        OrganizationalUnit(instance, unit_dn).create(properties={'ou': unit_name})

    # (DN, attributes) pairs, created in this order.
    accounts = [
        (
            "cn=Anuj,ou=product development,{}".format(DEFAULT_SUFFIX),
            {
                'uid': 'Anuj',
                'cn': 'Anuj',
                'sn': 'user',
                'uidNumber': '1000',
                'gidNumber': '2000',
                'homeDirectory': '/home/Anuj',
                "givenname;subattr1": 'Anuj',
                "givenname;subattr2": 'Anuj',
                "givenname;subattr3": 'Anuj',
                "givenname;subattr4": 'Anuj',
                "secretary": "cn=Santa Clara,{}".format(DEFAULT_SUFFIX),
                "mail": "anuj@xxxxxx",
                "telephonenumber": "12345",
                "roomnumber": "12345",
                "facsimiletelephonenumber": "12345",
                "l": "sadada",
                "userPassword": "password",
            },
        ),
        (
            "cn=Anuj Borah,{}".format(DEFAULT_SUFFIX),
            {
                'uid': 'Anuj Borah',
                'cn': 'Anuj Borah',
                'sn': 'user',
                'uidNumber': '1000',
                'gidNumber': '2000',
                'homeDirectory': '/home/AnujBorah',
                'mail': "ANUJBORAH@xxxxxxxx",
                "userPassword": "password",
            },
        ),
        (
            ANANADABORAH,
            {
                'uid': 'Ananda Borah',
                'cn': 'Ananda Borah',
                'sn': 'user',
                'uidNumber': '1000',
                'gidNumber': '2000',
                'homeDirectory': '/home/AnandaBorah',
                'mail': "AB@xxxxxxxx",
                "userPassword": "password",
            },
        ),
    ]
    for entry_dn, attrs in accounts:
        UserAccount(instance, entry_dn).create(properties=attrs)

    

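def test_only_allow_some_targetattr(topo, test_user, aci_of_user):
    """
    Misc Test 5 only allow some targetattr (1/2)
    :id:9d27f048-7db8-11e8-a71c-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    # Grants read, search and compare on the 'mail' attribute only, to anyone
    # (including unauthenticated clients), for the whole suffix.
    mail_only_aci = (
        '(target="ldap:///{}";)(targetattr="mail")(version 3.0; acl "Test";'
        'allow (read,search,compare) (userdn = "ldap:///anyone";); )'
    ).format(DEFAULT_SUFFIX)
    # replace() overwrites the suffix's existing 'aci' values; the aci_of_user
    # fixture puts the original set back once the test finishes.
    Domain(topo.standalone, DEFAULT_SUFFIX).replace("aci", mail_only_aci)

    conn = Anonymous(topo.standalone).bind()
    # Accounts.filter() returns a list of entry objects in lib389, so compare
    # its length: the bare `3 == filter(...)` form is False for any list and
    # would fail no matter which connection is used.
    # Reported behaviour: filter() over the anonymous bind does not find the
    # entries, while the raw search_s() on the same connection does.
    assert 3 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(mail=*)'))
    assert 3 == len(conn.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, "mail=*"))
    # Control: the same two queries over the root (Directory Manager) connection.
    assert 3 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(mail=*)'))
    assert 3 == len(topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, "mail=*"))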


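if __name__ == "__main__":
    # Allow running this file directly: hand its own path to pytest.
    CURRENT_FILE = os.path.realpath(__file__)
    # pytest.main() expects a list of arguments. A single command-line string
    # is rejected by pytest 4 and later, and would also split a path
    # containing spaces.
    pytest.main(["-s", "-v", CURRENT_FILE])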
