Diffstat (limited to 'ipa-server/xmlrpc-server/test')
-rw-r--r-- | ipa-server/xmlrpc-server/test/Makefile.am | 12 | ||||
-rw-r--r-- | ipa-server/xmlrpc-server/test/README | 60 | ||||
-rw-r--r-- | ipa-server/xmlrpc-server/test/test.py | 41 | ||||
-rw-r--r-- | ipa-server/xmlrpc-server/test/test_methods.py | 57 | ||||
-rw-r--r-- | ipa-server/xmlrpc-server/test/test_mod_python.py | 52 |
5 files changed, 222 insertions, 0 deletions
diff --git a/ipa-server/xmlrpc-server/test/Makefile.am b/ipa-server/xmlrpc-server/test/Makefile.am
new file mode 100644
index 00000000..310d9d47
--- /dev/null
+++ b/ipa-server/xmlrpc-server/test/Makefile.am
@@ -0,0 +1,12 @@
+NULL =
+
+EXTRA_DIST = \
+ README \
+ test_methods.py \
+ test_mod_python.py \
+ test.py \
+ $(NULL)
+
+MAINTAINERCLEANFILES = \
+ *~ \
+ Makefile.in
diff --git a/ipa-server/xmlrpc-server/test/README b/ipa-server/xmlrpc-server/test/README
new file mode 100644
index 00000000..544efa52
--- /dev/null
+++ b/ipa-server/xmlrpc-server/test/README
@@ -0,0 +1,60 @@
+Diagnosing Kerberos credentials cache problems is difficult.
+
+The first thing to try is to set LogLevel to debug in
+/etc/httpd/conf/httpd.conf and restart Apache.
+
+Look in /var/log/httpd/error_log for any problems.
+
+Also check out /var/log/krb5kdc.log
+
+To simplify things and test just Kerberos ticket forwarding:
+
+The first test is with a CGI:
+
+- copy test.py /var/www/cgi-bin
+- chmod +x /var/www/cgi-bin/test.py
+- kinit admin (or some other existing user)
+- curl -u : --negotiate http://yourhost.fqdn/cgi-bin/test.py
+
+For yourhost.fqdn use the fully-qualified hostname of your webserver.
+
+The output should look something like:
+
+KRB5CCNAME is FILE:/tmp/krb5cc_apache_TiMAbq
+Sucessfully bound to LDAP using SASL mechanism GSSAPI
+
+This CGI uses the forwarded credentials to make an authenticated LDAP
+connection. If this fails it means that Apache is not properly storing
+the kerberos credentials.
+
+If that works, the second test more closely models the way that IPA works.
+
+- mkdir /usr/share/ipa/ipatest
+- cp test_mod_python.py /usr/share/ipa/ipatest
+- uncomment the entries for ipatest in /etc/httpd/conf.d/ipa.conf. There are
+ entries for ProxyPass and ProxyReversePass, an Alias and a Directory
+- restart Apache
+- curl -u : --negotiate http://yourhost.fqdn/ipatest/
+
+For yourhost.fqdn use the fully-qualified hostname of your webserver.
+
+The output should look something like:
+
+KRB5CCNAME: FILE:/tmp/krb5cc_apache_c0MU9o<br>
+GATEWAY_INTERFACE: CGI/1.1<br>
+...
+SCRIPT_FILENAME: /usr/share/ipa/ipaserver/<br>
+REMOTE_PORT: 45691<br>
+REMOTE_USER: rcrit@GREYOAK.COM<br>
+AUTH_TYPE: Negotiate<br>
+KRB5CCNAME is FILE:/tmp/krb5cc_apache_c0MU9o<br>
+Sucessfully bound to LDAP using SASL mechanism GSSAPI<br>
+
+It should print all of the environment variables available to mod_python
+and do a GSSAPI LDAP connection.
+
+A final test, which lists the capabilities of the XML-RPC server is
+test_methods.py. This is more a sanity check that new functions added
+to the server work as expected.
+
+Note that opts is added by the server itself and is not passed in by the user.
diff --git a/ipa-server/xmlrpc-server/test/test.py b/ipa-server/xmlrpc-server/test/test.py
new file mode 100644
index 00000000..7c05f8d2
--- /dev/null
+++ b/ipa-server/xmlrpc-server/test/test.py
@@ -0,0 +1,41 @@
+#!/usr/bin/python
+
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+# A test CGI that tests that the Kerberos credentials cache was created
+# properly in Apache.
+
+import ldap
+import ldap.sasl
+import os
+
+sasl_auth = ldap.sasl.sasl({}, "GSSAPI")
+conn = ldap.initialize("ldap://localhost:389/")
+conn.protocol_version = 3
+
+print "Content-type: text/plain"
+print ""
+
+try:
+ print "KRB5CCNAME is", os.environ["KRB5CCNAME"]
+
+ try:
+ conn.sasl_interactive_bind_s("", sasl_auth)
+ except ldap.LDAPError,e:
+ print "Error using SASL mechanism", sasl_auth.mech, str(e)
+ else:
+ print "Sucessfully bound to LDAP using SASL mechanism", sasl_auth.mech
+ conn.unbind()
+except KeyError,e:
+ print "not set."
diff --git a/ipa-server/xmlrpc-server/test/test_methods.py b/ipa-server/xmlrpc-server/test/test_methods.py
new file mode 100644
index 00000000..88fcd933
--- /dev/null
+++ b/ipa-server/xmlrpc-server/test/test_methods.py
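Review bot: The header comment of test.py describes the check but not its exposure: once the script is copied into cgi-bin as the README directs, it returns the credential cache path and the raw LDAP error text to any client allowed to reach that directory. I would extend the comment with a line such as `# Diagnostic only: remove from cgi-bin after testing; the output reveals the ccache path and LDAP error details.` Separately, `conn.unbind()` runs only in the `else` branch, so a failed bind leaves the connection open until the CGI process exits; that is harmless here but deserves a one-line comment.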
@@ -0,0 +1,57 @@
+#!/usr/bin/python
+
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+# Simple program to interrogate the XML-RPC server for information on what
+# it can do.
+
+import sys
+import xmlrpclib
+from ipa.krbtransport import KerbTransport
+import ipa
+from ipa import config
+
+ipa.config.init_config()
+
+serverlist = config.config.get_server()
+url = "http://" + serverlist[0] + "/ipa"
+s = xmlrpclib.Server(url, KerbTransport())
+
+print "A list of all methods available on the server."
+print "system.listMethods: ", s.system.listMethods()
+print ""
+
+print "Signatures are not supported."
+print "system.methodSignature: ", s.system.methodSignature("get_user_by_uid")
+print ""
+
+print "Help on a specific method"
+print "system.methodHelp: ", s.system.methodHelp("get_user_by_uid")
+
+print "The entire API:"
+result = s._listapi()
+for item in result:
+ print item['name'],
+ print "(",
+ i = len(item['args'])
+ p = 0
+ for a in item['args']:
+ if isinstance(a, list):
+ print "%s=%s" % (a[0], a[1]),
+ else:
+ print a,
+ if p < i - 1:
+ print ",",
+ p = p + 1
+ print ")"
diff --git a/ipa-server/xmlrpc-server/test/test_mod_python.py b/ipa-server/xmlrpc-server/test/test_mod_python.py
new file mode 100644
index 00000000..6136b541
--- /dev/null
+++ b/ipa-server/xmlrpc-server/test/test_mod_python.py
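Review bot: `url = "http://" + serverlist[0] + "/ipa"` sends the XML-RPC calls over plain HTTP, so the Negotiate exchange authenticates the caller but the request and response bodies have no confidentiality or integrity protection on the wire. If the server answers on TLS and KerbTransport can sit on top of `xmlrpclib.SafeTransport` (neither is visible in this diff), prefer `url = "https://" + serverlist[0] + "/ipa"`. `serverlist[0]` also raises a bare IndexError when the configuration lists no server, and `import sys` is unused.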
@@ -0,0 +1,52 @@
+#!/usr/bin/python
+
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+# A test CGI that tests that the Kerberos credentials cache was created
+# properly in Apache.
+
+import ldap
+import ldap.sasl
+import os
+from mod_python import apache
+
+def handler(req):
+ req.content_type = "text/plain"
+ req.send_http_header()
+ do_request(req)
+ return apache.OK
+
+def do_request(req):
+ sasl_auth = ldap.sasl.sasl({}, "GSSAPI")
+ conn = ldap.initialize("ldap://localhost:389/")
+ conn.protocol_version = 3
+
+ req.add_common_vars()
+
+ for e in req.subprocess_env:
+ req.write("%s: %s<br>\n" % (e, req.subprocess_env[e]))
+
+ try:
+ req.write("KRB5CCNAME is %s<br>\n" % req.subprocess_env["KRB5CCNAME"])
+ os.environ["KRB5CCNAME"] = req.subprocess_env["KRB5CCNAME"]
+
+ try:
+ conn.sasl_interactive_bind_s("", sasl_auth)
+ except ldap.LDAPError,e:
+ req.write("Error using SASL mechanism %s %s<br>\n" % (sasl_auth.mech, str(e)))
+ else:
+ req.write("Sucessfully bound to LDAP using SASL mechanism %s<br>\n" % sasl_auth.mech)
+ conn.unbind()
+ except KeyError,e:
+ req.write("KRB5CCNAME is not set.") |
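Review bot: In do_request, `os.environ["KRB5CCNAME"] = req.subprocess_env["KRB5CCNAME"]` changes the environment of the whole Apache child process and is never undone, so one caller's forwarded ticket cache stays selected after the request ends. Under a threaded MPM two concurrent requests could also bind with each other's credentials. Restoring the previous value in a `finally` limits the exposure to the request itself, and a comment should state that the handler assumes the prefork MPM. The `subprocess_env` loop also writes client-supplied header values back to the caller, which is fine for a diagnostic but is one more reason to note that the ipatest entries must be disabled again after testing.

```python
    # … unchanged: sasl_auth/conn setup, add_common_vars(), subprocess_env dump …
    try:
        ccname = req.subprocess_env["KRB5CCNAME"]
    except KeyError:
        req.write("KRB5CCNAME is not set.")
        return

    req.write("KRB5CCNAME is %s<br>\n" % ccname)
    previous = os.environ.get("KRB5CCNAME")
    os.environ["KRB5CCNAME"] = ccname
    try:
        # … unchanged: inner try/except/else around sasl_interactive_bind_s …
    finally:
        # Do not leave this caller's ticket cache selected for later requests.
        if previous is None:
            del os.environ["KRB5CCNAME"]
        else:
            os.environ["KRB5CCNAME"] = previous
```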