0001-ldap-get_ppolicy_attributes.patch
| src/authentic2/backends/ldap_backend.py | ||
|---|---|---|
| 1041 | 1041 |
attributes.add(at_mapping[key]) |
| 1042 | 1042 |
return list(set(attribute.lower() for attribute in attributes)) |
| 1043 | 1043 | |
| 1044 |
@staticmethod |
|
| 1045 |
def get_ppolicy_attributes(conn, dn): |
|
| 1046 |
attributes = [ |
|
| 1047 |
'pwdChangedTime', |
|
| 1048 |
'pwdFailureTime', |
|
| 1049 |
'pwdGraceUseTime', |
|
| 1050 |
'pwdHistory', |
|
| 1051 |
'pwdReset', |
|
| 1052 |
'pwdUniqueAttempts', |
|
| 1053 |
] |
|
| 1054 |
try: |
|
| 1055 |
results = conn.search_s(dn, ldap.SCOPE_BASE, u'(objectclass=*)', attributes) |
|
| 1056 |
return results[0][1] |
|
| 1057 |
except ldap.LDAPError as e: |
|
| 1058 |
log.error('unable to retrieve attributes of dn %r: %r', dn, e)
|
|
| 1059 |
return None |
|
| 1060 | ||
| 1044 | 1061 |
@classmethod |
| 1045 | 1062 |
def get_ldap_attributes(cls, block, conn, dn): |
| 1046 | 1063 |
'''Retrieve some attributes from LDAP, add mandatory values then apply |
| tests/test_ldap.py | ||
|---|---|---|
| 1035 | 1035 |
assert 'account is locked' not in caplog.text |
| 1036 | 1036 | |
| 1037 | 1037 | |
| 1038 |
def test_get_ppolicy_attributes(slapd_ppolicy, settings, db): |
|
| 1039 |
settings.LDAP_AUTH_SETTINGS = [{
|
|
| 1040 |
'url': [slapd_ppolicy.ldap_url], |
|
| 1041 |
'basedn': u'o=ôrga', |
|
| 1042 |
'use_tls': False, |
|
| 1043 |
}] |
|
| 1044 | ||
| 1045 |
pwdMaxAge = 1 |
|
| 1046 |
pwdGraceAuthnLimit = 2 |
|
| 1047 |
slapd_ppolicy.add_ldif('''
|
|
| 1048 |
dn: cn=default,ou=ppolicies,o=ôrga |
|
| 1049 |
cn: default |
|
| 1050 |
objectclass: top |
|
| 1051 |
objectclass: device |
|
| 1052 |
objectclass: pwdPolicy |
|
| 1053 |
objectclass: pwdPolicyChecker |
|
| 1054 |
pwdAttribute: userPassword |
|
| 1055 |
pwdMinAge: 0 |
|
| 1056 |
pwdMaxAge: {pwdMaxAge}
|
|
| 1057 |
pwdInHistory: 1 |
|
| 1058 |
pwdCheckQuality: 0 |
|
| 1059 |
pwdMinLength: 0 |
|
| 1060 |
pwdExpireWarning: 0 |
|
| 1061 |
pwdGraceAuthnLimit: {pwdGraceAuthnLimit}
|
|
| 1062 |
pwdLockout: TRUE |
|
| 1063 |
pwdLockoutDuration: 0 |
|
| 1064 |
pwdMaxFailure: 0 |
|
| 1065 |
pwdMaxRecordedFailure: 0 |
|
| 1066 |
pwdFailureCountInterval: 0 |
|
| 1067 |
pwdMustChange: FALSE |
|
| 1068 |
pwdAllowUserChange: TRUE |
|
| 1069 |
pwdSafeModify: FALSE |
|
| 1070 |
'''.format(pwdMaxAge=pwdMaxAge, pwdGraceAuthnLimit=pwdGraceAuthnLimit)) |
|
| 1071 | ||
| 1072 |
user = authenticate(username=USERNAME, password=UPASS) |
|
| 1073 |
assert user.check_password(UPASS) |
|
| 1074 |
password = u'ogutOmyetew4' |
|
| 1075 |
user.set_password(password) |
|
| 1076 | ||
| 1077 |
time.sleep(pwdMaxAge * 3) |
|
| 1078 | ||
| 1079 |
conn = ldap_backend.LDAPBackend.get_connection(settings.LDAP_AUTH_SETTINGS[0]) |
|
| 1080 |
attributes = ldap_backend.LDAPBackend.get_ppolicy_attributes(conn, DN) |
|
| 1081 |
assert 'pwdChangedTime' in attributes |
|
| 1082 | ||
| 1083 | ||
| 1038 | 1084 |
def test_authenticate_ppolicy_pwdGraceAuthnLimit(slapd_ppolicy, settings, db, caplog): |
| 1039 | 1085 |
settings.LDAP_AUTH_SETTINGS = [{
|
| 1040 | 1086 |
'url': [slapd_ppolicy.ldap_url], |
| 1041 |
- |
|