0001-ldap-get_ppolicy_attributes.patch
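--- a/src/authentic2/backends/ldap_backend.py
+++ b/src/authentic2/backends/ldap_backend.py
@@ -1041,6 +1041,23 @@
 attributes.add(at_mapping[key])
 return list(set(attribute.lower() for attribute in attributes))
 
+@staticmethod
+def get_ppolicy_attributes(conn, dn):
+attributes = [
+'pwdChangedTime',
+'pwdFailureTime',
+'pwdGraceUseTime',
+'pwdHistory',
+'pwdReset',
+'pwdUniqueAttempts',
+]
+try:
+results = conn.search_s(dn, ldap.SCOPE_BASE, u'(objectclass=*)', attributes)
+return results[0][1]
+except ldap.LDAPError as e:
+log.error('unable to retrieve attributes of dn %r: %r', dn, e)
+return None
+
 @classmethod
 def get_ldap_attributes(cls, block, conn, dn):
 '''Retrieve some attributes from LDAP, add mandatory values then apply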
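Review bot: `'pwdHistory',` is in the list that get_ppolicy_attributes requests, and in the ppolicy schema that attribute holds the entry's previous password values as stored, so the returned dict hands old password hashes to every caller. No caller that needs them is visible in this section, so either drop that entry or state in a docstring that the result must never be logged, cached or serialized. Separately, `return results[0][1]` assumes search_s returned at least one entry; an empty result raises IndexError, which `except ldap.LDAPError` does not catch, so a guard such as `if not results: return None` before the return would keep the failure path consistent. The method also has no docstring; one line saying it returns the attribute dict, or None when the LDAP search fails, would tell callers to handle the None case.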
tests/test_ldap.py | ||
---|---|---|
1035 | 1035 |
assert 'account is locked' not in caplog.text |
1036 | 1036 | |
1037 | 1037 | |
1038 |
def test_get_ppolicy_attributes(slapd_ppolicy, settings, db): |
|
1039 |
settings.LDAP_AUTH_SETTINGS = [{ |
|
1040 |
'url': [slapd_ppolicy.ldap_url], |
|
1041 |
'basedn': u'o=ôrga', |
|
1042 |
'use_tls': False, |
|
1043 |
}] |
|
1044 | ||
1045 |
pwdMaxAge = 1 |
|
1046 |
pwdGraceAuthnLimit = 2 |
|
1047 |
slapd_ppolicy.add_ldif(''' |
|
1048 |
dn: cn=default,ou=ppolicies,o=ôrga |
|
1049 |
cn: default |
|
1050 |
objectclass: top |
|
1051 |
objectclass: device |
|
1052 |
objectclass: pwdPolicy |
|
1053 |
objectclass: pwdPolicyChecker |
|
1054 |
pwdAttribute: userPassword |
|
1055 |
pwdMinAge: 0 |
|
1056 |
pwdMaxAge: {pwdMaxAge} |
|
1057 |
pwdInHistory: 1 |
|
1058 |
pwdCheckQuality: 0 |
|
1059 |
pwdMinLength: 0 |
|
1060 |
pwdExpireWarning: 0 |
|
1061 |
pwdGraceAuthnLimit: {pwdGraceAuthnLimit} |
|
1062 |
pwdLockout: TRUE |
|
1063 |
pwdLockoutDuration: 0 |
|
1064 |
pwdMaxFailure: 0 |
|
1065 |
pwdMaxRecordedFailure: 0 |
|
1066 |
pwdFailureCountInterval: 0 |
|
1067 |
pwdMustChange: FALSE |
|
1068 |
pwdAllowUserChange: TRUE |
|
1069 |
pwdSafeModify: FALSE |
|
1070 |
'''.format(pwdMaxAge=pwdMaxAge, pwdGraceAuthnLimit=pwdGraceAuthnLimit)) |
|
1071 | ||
1072 |
user = authenticate(username=USERNAME, password=UPASS) |
|
1073 |
assert user.check_password(UPASS) |
|
1074 |
password = u'ogutOmyetew4' |
|
1075 |
user.set_password(password) |
|
1076 | ||
1077 |
time.sleep(pwdMaxAge * 3) |
|
1078 | ||
1079 |
conn = ldap_backend.LDAPBackend.get_connection(settings.LDAP_AUTH_SETTINGS[0]) |
|
1080 |
attributes = ldap_backend.LDAPBackend.get_ppolicy_attributes(conn, DN) |
|
1081 |
assert 'pwdChangedTime' in attributes |
|
1082 | ||
1083 | ||
1038 | 1084 |
def test_authenticate_ppolicy_pwdGraceAuthnLimit(slapd_ppolicy, settings, db, caplog): |
1039 | 1085 |
settings.LDAP_AUTH_SETTINGS = [{ |
1040 | 1086 |
'url': [slapd_ppolicy.ldap_url], |
1041 |
- |