From 5b3d0f568a0015370438e3f589cad393f5c48c91 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Thu, 9 Sep 2010 16:24:12 -0400 Subject: Add some tests for using the ldap2 Backend. Fix a logic problem in ldap2:get_schema() for determining if it can fetch the schema or not. Normally we only want to do this for servers but if you pass in your own connection it will use that. --- ipaserver/plugins/ldap2.py | 2 +- tests/test_ipaserver/test_ldap.py | 118 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 119 insertions(+), 1 deletion(-) create mode 100644 tests/test_ipaserver/test_ldap.py diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index cc635b66c..15b602457 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py @@ -121,7 +121,7 @@ def get_schema(url, conn=None): tmpdir = None has_conn = conn is not None - if (not api.env.in_server or api.env.context not in ['lite', 'server'] + if ((not api.env.in_server or api.env.context not in ['lite', 'server']) and conn is None): # The schema is only needed on the server side return None diff --git a/tests/test_ipaserver/test_ldap.py b/tests/test_ipaserver/test_ldap.py new file mode 100644 index 000000000..464fc3e8a --- /dev/null +++ b/tests/test_ipaserver/test_ldap.py @@ -0,0 +1,118 @@ +# Authors: +# Rob Crittenden +# +# Copyright (C) 2010 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +# Test some simple LDAP requests using the ldap2 backend + +# This fetches a certificate from a host principal so we can ensure that the +# schema is working properly. We know this because the schema will tell the +# encoder not to utf-8 encode binary attributes. + +# The DM password needs to be set in ~/.ipa/.dmpw + +import nose +import os +from ipaserver.plugins.ldap2 import ldap2 +from ipalib.plugins.service import service, service_show +import nss.nss as nss +from ipalib import api, x509, create_api +from ipapython import ipautil + +class test_ldap(object): + """ + Test various LDAP client bind methods. + """ + + def setUp(self): + self.conn = None + self.ldapuri = 'ldap://%s' % api.env.host + self.ccache = '/tmp/krb5cc_%d' % os.getuid() + nss.nss_init_nodb() + self.dn = 'krbprincipalname=ldap/%s@%s,cn=services,cn=accounts,%s' % (api.env.host, api.env.realm, api.env.basedn) + + def tearDown(self): + if self.conn: + self.conn.disconnect() + + def test_anonymous(self): + """ + Test an anonymous LDAP bind using ldap2 + """ + self.conn = ldap2(shared_instance=False, ldap_uri=self.ldapuri) + self.conn.connect() + (dn, entry_attrs) = self.conn.get_entry(self.dn, ['usercertificate']) + cert = entry_attrs.get('usercertificate') + cert = cert[0] + serial = unicode(x509.get_serial_number(cert, x509.DER)) + assert serial is not None + + def test_GSSAPI(self): + """ + Test a GSSAPI LDAP bind using ldap2 + """ + if not ipautil.file_exists(self.ccache): + raise nose.SkipTest('Missing ccache %s' % self.ccache) + self.conn = ldap2(shared_instance=False, ldap_uri=self.ldapuri) + self.conn.connect(ccache='FILE:%s' % self.ccache) + (dn, entry_attrs) = self.conn.get_entry(self.dn, ['usercertificate']) + cert = entry_attrs.get('usercertificate') + cert = cert[0] + serial = unicode(x509.get_serial_number(cert, x509.DER)) + assert serial is not None + + def test_simple(self): + """ + Test a simple LDAP bind using ldap2 + """ + pwfile = api.env.dot_ipa + os.sep + ".dmpw" + if ipautil.file_exists(pwfile): + fp = open(pwfile, "r") + dm_password = fp.read().rstrip() + fp.close() + else: + raise nose.SkipTest("No directory manager password in %s" % pwfile) + self.conn = ldap2(shared_instance=False, ldap_uri=self.ldapuri) + self.conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password) + (dn, entry_attrs) = self.conn.get_entry(self.dn, ['usercertificate']) + cert = entry_attrs.get('usercertificate') + cert = cert[0] + serial = unicode(x509.get_serial_number(cert, x509.DER)) + assert serial is not None + + def test_Backend(self): + """ + Test using the ldap2 Backend directly (ala ipa-server-install) + """ + + # Create our own api because the one generated for the tests is + # a client-only api. Then we register in the commands and objects + # we need for the test. + myapi = create_api(mode=None) + myapi.bootstrap(context='cli', in_server=True, in_tree=True) + myapi.register(ldap2) + myapi.register(service) + myapi.register(service_show) + myapi.finalize() + myapi.Backend.ldap2.connect(bind_dn="cn=Directory Manager", bind_pw='password') + + result = myapi.Command['service_show']('ldap/%s@%s' % (myapi.env.host, myapi.env.realm,)) + entry_attrs = result['result'] + cert = entry_attrs.get('usercertificate') + cert = cert[0] + serial = unicode(x509.get_serial_number(cert, x509.DER)) + assert serial is not None -- cgit