Use secure LDAP connection in tests

Integration tests now use StartTLS with IPA's CA cert instead of
plaintext connections.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Christian Heimes 2018-11-30 17:14:41 +01:00 committed by Rob Crittenden
parent a3934a211d
commit 1a2ceb1557
7 changed files with 33 additions and 9 deletions


@ -19,9 +19,11 @@
"""Host class for integration testing"""
import subprocess
import tempfile
import pytest_multihost.host
from ipaplatform.paths import paths
from ipapython import ipaldap
@ -45,11 +47,25 @@ class Host(pytest_multihost.host.Host):
"""Return an LDAPClient authenticated to this host as directory manager
"""
self.log.info('Connecting to LDAP at %s', self.external_hostname)
ldap = ipaldap.LDAPClient.from_hostname_secure(self.external_hostname)
binddn = self.config.dirman_dn
self.log.info('LDAP bind as %s' % binddn)
ldap.simple_bind(binddn, self.config.dirman_password)
return ldap
# get IPA CA cert to establish a secure connection
cacert = self.get_file_contents(paths.IPA_CA_CRT)
with tempfile.NamedTemporaryFile() as f:
f.write(cacert)
f.flush()
conn = ipaldap.LDAPClient.from_hostname_secure(
self.external_hostname,
cacert=f.name
)
binddn = self.config.dirman_dn
self.log.info('LDAP bind as %s', binddn)
conn.simple_bind(binddn, self.config.dirman_password)
# The CA cert file has been loaded into the SSL_CTX and is no
# longer required.
return conn
@classmethod
def from_env(cls, env, domain, hostname, role, index, domain_index):
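Review bot: The `conn.simple_bind(...)` call must stay inside the `with tempfile.NamedTemporaryFile()` block, but nothing in the code says so; if the client only connects on first use (the `from_hostname_secure` implementation is not visible here), moving the bind below the block would make the StartTLS handshake read a CA file that has already been deleted. A comment above the bind such as `# bind while the temp file still exists: the TLS handshake reads cacert` would pin that ordering, complementing the existing note on why the file can go afterwards. It is also worth stating in the docstring that the trust anchor comes from the host under test itself via `get_file_contents(paths.IPA_CA_CRT)`, so the connection is verified against that host's own CA rather than an independently provisioned one — fine for an integration harness, but a property readers should know. The method's `def` line is above the hunk.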


@ -303,7 +303,7 @@ def enable_replication_debugging(host, log_level=0):
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: {log_level}
""".format(log_level=log_level))
host.run_command(['ldapmodify', '-x',
host.run_command(['ldapmodify', '-x', '-ZZ',
'-D', str(host.config.dirman_dn),
'-w', host.config.dirman_password,
],
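Review bot: `-ZZ` is added to this `ldapmodify` call but, unlike the other call sites in this commit, no `-h`/`-H` is passed, so both the target URI and the hostname used for the StartTLS certificate check come from the client-side ldap.conf on `host`; if that resolves to localhost, the hostname check would fail. Passing the host explicitly, presumably `'-h', host.hostname` as the other hunks do with `master.hostname`, would make the TLS target unambiguous. `enable_replication_debugging` begins above the hunk.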


@ -815,6 +815,7 @@ class TestReplicaInstallAfterRestore(IntegrationTest):
# disable replication agreement
arg = ['ldapmodify',
'-ZZ',
'-h', master.hostname,
'-p', '389', '-D',
str(master.config.dirman_dn), # pylint: disable=no-member
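Review bot: The `['ldapmodify', '-ZZ', '-h', master.hostname, '-p', '389', '-D', str(master.config.dirman_dn), ...]` prefix is now repeated verbatim here and in the TestIPACommand, TestReplicaInstallWithExistingEntry and TestExternalCA hunks (the latter two also as `ldapsearch` variants), with `-ZZ` inserted by hand at each site. A small shared helper that builds the common StartTLS and bind options for a host would keep future call sites from silently falling back to a plaintext connection when someone copies an older invocation. The `arg` list continues past the hunk.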


@ -140,6 +140,7 @@ class TestIPACommand(IntegrationTest):
original_passwd=original_passwd)
master.put_file_contents(ldif_file, entry_ldif)
arg = ['ldapmodify',
'-ZZ',
'-h', master.hostname,
'-p', '389', '-D',
str(master.config.dirman_dn), # pylint: disable=no-member
@ -173,7 +174,9 @@ class TestIPACommand(IntegrationTest):
master.run_command(['kinit', user], stdin_text=user_kinit_stdin_text)
# Retrieve krblastpwdchange and krbpasswordexpiration
search_cmd = [
'ldapsearch', '-x',
'ldapsearch', '-x', '-ZZ',
'-h', master.hostname,
'-p', '389',
'-D', 'cn=directory manager',
'-w', master.config.dirman_password,
'-s', 'base',
@ -208,6 +211,7 @@ class TestIPACommand(IntegrationTest):
new_passwd=new_passwd)
master.put_file_contents(ldif_file, entry_ldif)
arg = ['ldapmodify',
'-ZZ',
'-h', master.hostname,
'-p', '389', '-D',
str(master.config.dirman_dn), # pylint: disable=no-member


@ -133,8 +133,9 @@ class TestExternalCA(IntegrationTest):
result = self.master.run_command([
'ldapsearch',
'-x',
'-D',
'cn=directory manager',
'-ZZ',
'-h', self.master.hostname,
'-D', 'cn=directory manager',
'-w', self.master.config.dirman_password,
'-b', 'cn=mapping tree,cn=config',
'(cn=replica)',


@ -403,6 +403,7 @@ class TestReplicaInstallWithExistingEntry(IntegrationTest):
realm=replica.domain.name.upper())
master.put_file_contents(ldif_file, entry_ldif)
arg = ['ldapmodify',
'-ZZ',
'-h', master.hostname,
'-p', '389', '-D',
str(master.config.dirman_dn), # pylint: disable=no-member


@ -996,6 +996,7 @@ class TestDeniedBindWithExpiredPrincipal(XMLRPC_test):
cls.connection = ldap_initialize(
'ldap://{host}'.format(host=api.env.host)
)
cls.connection.start_tls_s()
@classmethod
def teardown_class(cls):