Use secure LDAP connection in tests
Integration tests now use StartTLS with IPA's CA cert instead of plain-text connections. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This commit is contained in:
parent
a3934a211d
commit
1a2ceb1557
@ -19,9 +19,11 @@
|
||||
|
||||
"""Host class for integration testing"""
|
||||
import subprocess
|
||||
import tempfile
|
||||
|
||||
import pytest_multihost.host
|
||||
|
||||
from ipaplatform.paths import paths
|
||||
from ipapython import ipaldap
|
||||
|
||||
|
||||
@ -45,11 +47,25 @@ class Host(pytest_multihost.host.Host):
|
||||
"""Return an LDAPClient authenticated to this host as directory manager
|
||||
"""
|
||||
self.log.info('Connecting to LDAP at %s', self.external_hostname)
|
||||
ldap = ipaldap.LDAPClient.from_hostname_secure(self.external_hostname)
|
||||
binddn = self.config.dirman_dn
|
||||
self.log.info('LDAP bind as %s' % binddn)
|
||||
ldap.simple_bind(binddn, self.config.dirman_password)
|
||||
return ldap
|
||||
# get IPA CA cert to establish a secure connection
|
||||
cacert = self.get_file_contents(paths.IPA_CA_CRT)
|
||||
with tempfile.NamedTemporaryFile() as f:
|
||||
f.write(cacert)
|
||||
f.flush()
|
||||
|
||||
conn = ipaldap.LDAPClient.from_hostname_secure(
|
||||
self.external_hostname,
|
||||
cacert=f.name
|
||||
)
|
||||
|
||||
binddn = self.config.dirman_dn
|
||||
self.log.info('LDAP bind as %s', binddn)
|
||||
conn.simple_bind(binddn, self.config.dirman_password)
|
||||
|
||||
# The CA cert file has been loaded into the SSL_CTX and is no
|
||||
# longer required.
|
||||
|
||||
return conn
|
||||
|
||||
@classmethod
|
||||
def from_env(cls, env, domain, hostname, role, index, domain_index):
|
||||
|
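Review bot: The docstring of ldap_connect still only says it returns a client bound as directory manager; with this change it should also state the trust anchor, e.g. `"""Return an LDAPClient bound to this host as directory manager over StartTLS, verifying the server against the host's own copy of paths.IPA_CA_CRT."""`. The `f.write(cacert)` line presumably relies on `get_file_contents` returning bytes, since `tempfile.NamedTemporaryFile()` opens in binary mode by default; a one-line comment such as `# get_file_contents() returns bytes; the temp file is binary-mode` would keep a later `encoding=` argument from turning this into a TypeError. The temporary file is deleted when the `with` block exits, which is what the trailing comment about the SSL_CTX is explaining, but the indentation of that comment and of `return conn` relative to the `with` is not recoverable from this rendering, and the method's `def` line sits above the hunk.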
@ -303,7 +303,7 @@ def enable_replication_debugging(host, log_level=0):
|
||||
replace: nsslapd-errorlog-level
|
||||
nsslapd-errorlog-level: {log_level}
|
||||
""".format(log_level=log_level))
|
||||
host.run_command(['ldapmodify', '-x',
|
||||
host.run_command(['ldapmodify', '-x', '-ZZ',
|
||||
'-D', str(host.config.dirman_dn),
|
||||
'-w', host.config.dirman_password,
|
||||
],
|
||||
|
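Review bot: The `-ZZ` added to the ldapmodify call in enable_replication_debugging is not paired with an explicit `-h host.hostname`, unlike the ldapmodify/ldapsearch calls in the TestReplicaInstallAfterRestore, TestIPACommand, TestExternalCA and TestReplicaInstallWithExistingEntry hunks, so the tool falls back to the URI in the host's ldap.conf or to localhost; if that resolves to localhost, the mandatory StartTLS may fail the certificate hostname check, so consider `host.run_command(['ldapmodify', '-x', '-ZZ', '-h', host.hostname,`. Across all of these hunks `-ZZ` guarantees the session is upgraded to TLS, but whether the server certificate is verified against the IPA CA depends on the host's client-side ldap.conf (TLS_CACERT / TLS_REQCERT), which this commit does not touch; presumably the installer sets it up, but a comment like `# -ZZ requires StartTLS; server cert trust comes from the host's ldap.conf` would make the dependency explicit. The directory manager password is still passed on the command line via `-w`, which predates this change but remains visible in the host's process table for the duration of the command.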
@ -815,6 +815,7 @@ class TestReplicaInstallAfterRestore(IntegrationTest):
|
||||
|
||||
# disable replication agreement
|
||||
arg = ['ldapmodify',
|
||||
'-ZZ',
|
||||
'-h', master.hostname,
|
||||
'-p', '389', '-D',
|
||||
str(master.config.dirman_dn), # pylint: disable=no-member
|
||||
|
@ -140,6 +140,7 @@ class TestIPACommand(IntegrationTest):
|
||||
original_passwd=original_passwd)
|
||||
master.put_file_contents(ldif_file, entry_ldif)
|
||||
arg = ['ldapmodify',
|
||||
'-ZZ',
|
||||
'-h', master.hostname,
|
||||
'-p', '389', '-D',
|
||||
str(master.config.dirman_dn), # pylint: disable=no-member
|
||||
@ -173,7 +174,9 @@ class TestIPACommand(IntegrationTest):
|
||||
master.run_command(['kinit', user], stdin_text=user_kinit_stdin_text)
|
||||
# Retrieve krblastpwdchange and krbpasswordexpiration
|
||||
search_cmd = [
|
||||
'ldapsearch', '-x',
|
||||
'ldapsearch', '-x', '-ZZ',
|
||||
'-h', master.hostname,
|
||||
'-p', '389',
|
||||
'-D', 'cn=directory manager',
|
||||
'-w', master.config.dirman_password,
|
||||
'-s', 'base',
|
||||
@ -208,6 +211,7 @@ class TestIPACommand(IntegrationTest):
|
||||
new_passwd=new_passwd)
|
||||
master.put_file_contents(ldif_file, entry_ldif)
|
||||
arg = ['ldapmodify',
|
||||
'-ZZ',
|
||||
'-h', master.hostname,
|
||||
'-p', '389', '-D',
|
||||
str(master.config.dirman_dn), # pylint: disable=no-member
|
||||
|
@ -133,8 +133,9 @@ class TestExternalCA(IntegrationTest):
|
||||
result = self.master.run_command([
|
||||
'ldapsearch',
|
||||
'-x',
|
||||
'-D',
|
||||
'cn=directory manager',
|
||||
'-ZZ',
|
||||
'-h', self.master.hostname,
|
||||
'-D', 'cn=directory manager',
|
||||
'-w', self.master.config.dirman_password,
|
||||
'-b', 'cn=mapping tree,cn=config',
|
||||
'(cn=replica)',
|
||||
|
@ -403,6 +403,7 @@ class TestReplicaInstallWithExistingEntry(IntegrationTest):
|
||||
realm=replica.domain.name.upper())
|
||||
master.put_file_contents(ldif_file, entry_ldif)
|
||||
arg = ['ldapmodify',
|
||||
'-ZZ',
|
||||
'-h', master.hostname,
|
||||
'-p', '389', '-D',
|
||||
str(master.config.dirman_dn), # pylint: disable=no-member
|
||||
|
@ -996,6 +996,7 @@ class TestDeniedBindWithExpiredPrincipal(XMLRPC_test):
|
||||
cls.connection = ldap_initialize(
|
||||
'ldap://{host}'.format(host=api.env.host)
|
||||
)
|
||||
cls.connection.start_tls_s()
|
||||
|
||||
@classmethod
|
||||
def teardown_class(cls):
|
||||
|
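Review bot: `cls.connection.start_tls_s()` upgrades the session, but whether the server certificate is verified depends on the TLS options `ldap_initialize` sets on the connection (CA cert file, require-cert), none of which is visible in this hunk; if it leaves the library defaults, this test encrypts the bind without pinning trust, unlike the Host.ldap_connect hunk that passes the IPA CA cert explicitly. A short comment on the new line would record the intent, e.g. `# StartTLS before any bind so the expired principal's credentials never travel in clear text`. setup_class begins above the hunk.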