configure.ac ldap/admin Makefile.am
by William Brown
Makefile.am | 5
configure.ac | 31 +++--
ldap/admin/src/scripts/DSCreate.pm.in | 136 ++++++++++++++----------
ldap/admin/src/scripts/ds_selinux_enabled.in | 23 ++++
ldap/admin/src/scripts/ds_selinux_port_query.in | 69 ++++++++++++
5 files changed, 201 insertions(+), 63 deletions(-)
New commits:
commit 8269288d987e8372c4ce03e97d41dcac2ce3da4d
Author: William Brown <firstyear(a)redhat.com>
Date: Wed May 18 09:41:23 2016 +1000
Ticket 48336 - setup-ds should detect if port is already defined
Bug Description: Previously setup-ds.pl could not detect if a port was defined
in selinux policy or not.
Fix Description: This adds a set of selinux helpers that can query selinux port
in policy. Using these, setup-ds.pl can now make better decisions about whether
to label ports, or if they should be removed from policy during removal.
https://fedorahosted.org/389/ticket/48336
Author: wibrown
Review by: vashirov and nhosoi (Thank you!)
diff --git a/Makefile.am b/Makefile.am
index e715fba..824b745 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -154,6 +154,7 @@ CLEANFILES = dberrstrs.h ns-slapd.properties \
ldap/admin/src/scripts/ns-inactivate.pl ldap/admin/src/scripts/ns-newpwpolicy.pl \
ldap/admin/src/scripts/schema-reload.pl ldap/admin/src/scripts/syntax-validate.pl \
ldap/admin/src/scripts/usn-tombstone-cleanup.pl ldap/admin/src/scripts/verify-db.pl \
+ ldap/admin/src/scripts/ds_selinux_port_query ldap/admin/src/scripts/ds_selinux_enabled \
ldap/admin/src/scripts/dbverify \
$(NULL)
@@ -617,6 +618,8 @@ sbin_SCRIPTS = ldap/admin/src/scripts/setup-ds.pl \
ldap/admin/src/scripts/dbverify \
ldap/admin/src/scripts/upgradedb \
ldap/admin/src/scripts/dbmon.sh \
+ ldap/admin/src/scripts/ds_selinux_enabled \
+ ldap/admin/src/scripts/ds_selinux_port_query \
wrappers/ldap-agent
bin_SCRIPTS = ldap/servers/slapd/tools/rsearch/scripts/dbgen.pl \
@@ -1822,6 +1825,7 @@ fixupcmd = sed \
-e 's,@with_selinux\@,@with_selinux@,g' \
-e 's,@with_tmpfiles_d\@,@with_tmpfiles_d@,g' \
-e 's,@perlexec\@,@perlexec@,g' \
+ -e 's,@pythonexec\@,@pythonexec@,g' \
-e 's,@sttyexec\@,@sttyexec@,g' \
-e 's,@initconfigdir\@,$(initconfigdir),g'\
-e 's,@updatedir\@,$(updatedir),g' \
@@ -1890,6 +1894,7 @@ fixupcmd = sed \
-e 's,@with_selinux\@,@with_selinux@,g' \
-e 's,@with_tmpfiles_d\@,@with_tmpfiles_d@,g' \
-e 's,@perlexec\@,@perlexec@,g' \
+ -e 's,@pythonexec\@,@pythonexec@,g' \
-e 's,@sttyexec\@,@sttyexec@,g' \
-e 's,@initconfigdir\@,$(initconfigdir),g' \
-e 's,@updatedir\@,$(updatedir),g' \
diff --git a/configure.ac b/configure.ac
index 85e99f0..a7f0bbf 100644
--- a/configure.ac
+++ b/configure.ac
@@ -396,21 +396,21 @@ else
with_perldir=
fi
-AC_MSG_CHECKING(for --with-pythondir)
-AC_ARG_WITH([pythondir],
- AS_HELP_STRING([--with-pythondir=PATH],
- [Directory for python)])
+AC_MSG_CHECKING(for --with-pythonexec)
+AC_ARG_WITH([pythonexec],
+ AS_HELP_STRING([--with-pythonexec=PATH],
+ [Path to executable for python)])
)
-if test -n "$with_pythondir"; then
- if test "$with_pythondir" = yes ; then
- AC_MSG_ERROR([You must specify --with-pythondir=/full/path/to/python])
- elif test "$with_pythondir" = no ; then
- with_pythondir=
+if test -n "$with_pythonexec"; then
+ if test "$with_pythonexec" = yes ; then
+ AC_MSG_ERROR([You must specify --with-pythonexec=/full/path/to/python])
+ elif test "$with_pythonexec" = no ; then
+ with_pythonexec=/usr/bin/python2
else
- AC_MSG_RESULT([$with_pythondir])
+ AC_MSG_RESULT([$with_pythonexec])
fi
else
- with_pythondir=
+ with_pythonexec=/usr/bin/python2
fi
AC_SUBST(configdir)
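Review bot: `--with-pythonexec=no` is mapped to the same `/usr/bin/python2` as the unset case, so there is no way to say "no python", and because every non-error branch now sets `with_pythonexec` to a non-empty value, the later `else pythonexec='/usr/bin/env python2'` fallback in this file (next hunk) can never be reached. Either leave `with_pythonexec` empty on `no` so that fallback applies, or drop the fallback so the default lives in one place. The help string also carries over the unbalanced parenthesis from the old text; it should read `[Path to executable for python])`. `AC_MSG_CHECKING(for --with-pythonexec)` gets no matching `AC_MSG_RESULT` when the default is taken, which leaves that configure output line unfinished.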
@@ -483,6 +483,14 @@ if test -n "$with_perldir"; then
else
perlexec='/usr/bin/env perl'
fi
+
+# This will let us change over the python version easier in the future.
+if test -n "$with_pythonexec"; then
+ pythonexec="$with_pythonexec"
+else
+ pythonexec='/usr/bin/env python2'
+fi
+
# we use stty in perl scripts to disable password echo
# this doesn't work unless the full absolute path of the
# stty command is used e.g. system("stty -echo") does not
@@ -622,6 +630,7 @@ fi
# sysv init scripts not used when systemd is used
AC_SUBST(initdir)
AC_SUBST(perlexec)
+AC_SUBST(pythonexec)
AC_SUBST(sttyexec)
# set default initconfigdir if not already set
diff --git a/ldap/admin/src/scripts/DSCreate.pm.in b/ldap/admin/src/scripts/DSCreate.pm.in
index cdbad35..bf5fc5c 100644
--- a/ldap/admin/src/scripts/DSCreate.pm.in
+++ b/ldap/admin/src/scripts/DSCreate.pm.in
@@ -1009,8 +1009,10 @@ sub updateSelinuxPolicy {
my $mydevnull = (-c "/dev/null" ? " /dev/null " : " NUL ");
# if selinux is not available, do nothing
- if ((getLogin() eq 'root') and "@with_selinux@" and
- -f "@sbindir@/sestatus" and !system ("@sbindir@/sestatus | egrep -i \"selinux status:\\s*enabled\" > $mydevnull 2>&1")) {
+ # In perl, exit(1) is 256 from system. ds_selinux_enable returns 1 on true, 0 on false.
+ if ((getLogin() eq 'root') and "@with_selinux@" and system("$inf->{slapd}->{sbindir}/ds_selinux_enabled") == 256 ) {
+ debug(1, "Selinux is enabled or permissive, fixing contexts\n");
+ # -f "@sbindir@/sestatus" and !system ("@sbindir@/sestatus | egrep -i \"selinux status:\\s*enabled\" > $mydevnull 2>&1")) {
my $localstatedir = $inf->{slapd}->{localstatedir};
# run restorecon on all of the parent directories we
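Review bot: Comparing the raw `system()` value with 256 treats any exit status of 1 as "SELinux enabled", which is also what python returns for an uncaught exception — for instance an ImportError from the `import semanage` line in ds_selinux_enabled.in, a module that script never uses — while a helper that cannot be executed at all (`$?` of -1, or 127 from the shell) silently reads as "disabled" and the context fixing is skipped without any message. I would keep the status in a variable, report an exec failure, and compare the exit code rather than the packed word: `my $status = system("$inf->{slapd}->{sbindir}/ds_selinux_enabled");` then `debug(0, "ds_selinux_enabled could not be run: $!\n") if $status == -1;` and the condition `... and $status != -1 and ($status >> 8) == 1) {`. The commented-out old condition left on the line after the debug call should be deleted rather than kept as a comment, and the comment above it names the helper `ds_selinux_enable` where the file is `ds_selinux_enabled`. The enclosing sub updateSelinuxPolicy starts before this hunk.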
@@ -1036,36 +1038,35 @@ sub updateSelinuxPolicy {
}
# label the selected port as ldap_port_t
+ # We should be doing this for secure port too .....
if ($inf->{slapd}->{ServerPort} != 0) {
- my $need_label = 1;
-
- # check if the port is already labeled properly
- my $portline = `semanage port -l | grep ldap_port_t | grep tcp`;
- chomp($portline);
- $portline =~ s/ldap_port_t\s+tcp\s+//g;
- my @labeledports = split(/,\s+/, $portline);
- foreach my $labeledport (@labeledports) {
- if (index($labeledport, "-") == -1) {
- # this is not a range of ports
- if ($inf->{slapd}->{ServerPort} == $labeledport) {
- $need_label = 0;
- last;
- }
- } else {
- # this is a range of ports like '<portMin>-<portMax>'
- my @range = split(/-/, $labeledport);
- if ((@range[0] <= $inf->{slapd}->{ServerPort}) && ($inf->{slapd}->{ServerPort} <= @range[1])) {
- $need_label = 0;
- last;
- }
- }
+ my $port_query_cmd = ("$inf->{slapd}->{sbindir}/ds_selinux_port_query $inf->{slapd}->{ServerPort} ldap_port_t 2> $mydevnull");
+ my $need_label = 0;
+ my $result = system($port_query_cmd);
+
+ # 0 is false, 1 is true. True means 'already in policy'.
+ if ($result == 0) {
+ debug(1, "Port $inf->{slapd}->{ServerPort} must be labeled as ldap_port_t \n");
+ $need_label = 1;
+ }
+ if ($result == 512) {
+ $need_label = 0;
+ debug(0, "Port $inf->{slapd}->{ServerPort} already belongs to another selinux type.\n");
+ debug(0, " The command below will show you the current type that owns the port.\n");
+ debug(0, "sudo $inf->{slapd}->{sbindir}/ds_selinux_port_query $inf->{slapd}->{ServerPort} ldap_port_t\n");
+ debug(0, " It is highly likely your server will fail to start ... \n");
+ }
+ if ($result == 131072) {
+ $need_label = 0;
+ debug(0, "An error occured running ds_selinux_port_query. This is probably a bug\n");
+ debug(0, "$port_query_cmd \n");
}
if ($need_label == 1) {
my $semanage_err;
my $rc;
# 60 is a bit excessive, we should fail faster.
- my $retry = 5;
+ my $retry = 2;
$ENV{LANG} = "C";
while (($retry > 0) && ($semanage_err = `semanage port -a -t ldap_port_t -p tcp $inf->{slapd}->{ServerPort} 2>&1`) && ($rc = $?)) {
debug(1, "Adding port $inf->{slapd}->{ServerPort} to selinux policy failed - $semanage_err (return code: $rc, $retry attempts remain).\n");
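Review bot: The `$result == 131072` branch can never be taken: a process exit status is truncated to 8 bits, so the `sys.exit(512)` that ds_selinux_port_query.in uses for its usage error arrives here as status 0, which the first branch then reads as "port not in policy, label it". The same unreachable comparison appears twice in the removeDSInstance hunk below, where a status 0 simply skips the removal. The script should exit with a small distinct code (say 3) for its own errors and the Perl side should compare the exit code, e.g. `my $code = $result >> 8;` and then `if ($code == 3) { ... }`, also reporting `$result == -1` when the helper could not be started at all. A python traceback exits with 1, which this block cannot tell apart from "already labeled ldap_port_t" and so silently skips labeling; a log line for any status not explicitly handled would make that visible (and `occured` is misspelled in the new debug text). The sub continues past the end of this hunk.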
@@ -1461,52 +1462,83 @@ sub removeDSInstance {
# remove the selinux label from the ports if needed
my $mydevnull = (-c "/dev/null" ? " /dev/null " : " NUL ");
- if ((getLogin() eq 'root') and "@with_selinux@" and
- -f "@sbindir@/sestatus" and !system ("@sbindir@/sestatus | egrep -i \"selinux status:\\s*enabled\" > $mydevnull 2>&1")) {
+ if ((getLogin() eq 'root') and "@with_selinux@" and system("@sbindir@/ds_selinux_enabled") == 256 ) {
foreach my $port (@{$entry->{"nsslapd-port"}})
{
+
+ my $need_remove_label = 0;
+ my $port_query_cmd = ("@sbindir@/ds_selinux_port_query $port ldap_port_t 2> $mydevnull");
+ my $result = system($port_query_cmd);
+
+ if ($result == 256) {
+ debug(1, "Port $port may be removed as ldap_port_t \n");
+ $need_remove_label = 1;
+ }
+ if ($result == 131072) {
+ $need_remove_label = 0;
+ debug(0, "An error occured running ds_selinux_port_query. This is probably a bug\n");
+ debug(0, "$port_query_cmd \n");
+ }
+
my $semanage_err;
my $rc;
my $retry = 5;
$ENV{LANG} = "C";
- while (($retry > 0) && ($semanage_err = `semanage port -d -t ldap_port_t -p tcp $port 2>&1`) && ($rc = $?)) {
- if (($semanage_err =~ /defined in policy, cannot be deleted/) || ($semanage_err =~ /is not defined/)) {
- $retry = -1;
- } else {
- debug(1, "Warning: Port $port not removed from selinux policy correctly, $retry attempts remain. Error: $semanage_err\n");
- debug(1, "Retrying in 5 seconds\n");
- sleep(5);
- $retry--;
+ if ($need_remove_label) {
+ while (($retry > 0) && ($semanage_err = `semanage port -d -t ldap_port_t -p tcp $port 2>&1`) && ($rc = $?)) {
+ if (($semanage_err =~ /defined in policy, cannot be deleted/) || ($semanage_err =~ /is not defined/)) {
+ $retry = -1;
+ } else {
+ debug(1, "Warning: Port $port not removed from selinux policy correctly, $retry attempts remain. Error: $semanage_err\n");
+ debug(1, "Retrying in 5 seconds\n");
+ sleep(5);
+ $retry--;
+ }
+ }
+ if (0 == $retry) {
+ push @errs, [ 'error_removing_port_label', $port, $semanage_err];
+ debug(1, "Warning: Port $port not removed from selinux policy correctly. Error: $semanage_err\n");
+ debug(1, "Reached time limit.\n");
}
- }
- if (0 == $retry) {
- push @errs, [ 'error_removing_port_label', $port, $semanage_err];
- debug(1, "Warning: Port $port not removed from selinux policy correctly. Error: $semanage_err\n");
- debug(1, "Reached time limit.\n");
}
}
foreach my $secureport (@{$entry->{"nsslapd-secureport"}})
{
+ my $need_remove_label = 0;
+ my $port_query_cmd = ("@sbindir@/ds_selinux_port_query $secureport ldap_port_t 2> $mydevnull");
+ my $result = system($port_query_cmd);
+
+ if ($result == 256) {
+ debug(1, "Port $secureport may be removed as ldap_port_t \n");
+ $need_remove_label = 1;
+ }
+ if ($result == 131072) {
+ $need_remove_label = 0;
+ debug(0, "An error occured running ds_selinux_port_query. This is probably a bug\n");
+ debug(0, "$port_query_cmd \n");
+ }
my $semanage_err;
my $rc;
my $retry = 60;
$ENV{LANG} = "C";
- while (($retry > 0) && ($semanage_err = `semanage port -d -t ldap_port_t -p tcp $secureport 2>&1`) && ($rc = $?)) {
- if (($semanage_err =~ /defined in policy, cannot be deleted/) || ($semanage_err =~ /is not defined/)) {
- $retry = -1;
- } else {
+ if ($need_remove_label) {
+ while (($retry > 0) && ($semanage_err = `semanage port -d -t ldap_port_t -p tcp $secureport 2>&1`) && ($rc = $?)) {
+ if (($semanage_err =~ /defined in policy, cannot be deleted/) || ($semanage_err =~ /is not defined/)) {
+ $retry = -1;
+ } else {
+ debug(1, "Warning: Port $secureport not removed from selinux policy correctly. Error: $semanage_err\n");
+ debug(1, "Retrying in 5 seconds\n");
+ sleep(5);
+ $retry--;
+ }
+ }
+ if (0 == $retry) {
+ push @errs, [ 'error_removing_port_label', $secureport, $semanage_err];
debug(1, "Warning: Port $secureport not removed from selinux policy correctly. Error: $semanage_err\n");
- debug(1, "Retrying in 5 seconds\n");
- sleep(5);
- $retry--;
+ debug(1, "Reached time limit.\n");
}
}
- if (0 == $retry) {
- push @errs, [ 'error_removing_port_label', $secureport, $semanage_err];
- debug(1, "Warning: Port $secureport not removed from selinux policy correctly. Error: $semanage_err\n");
- debug(1, "Reached time limit.\n");
- }
}
}
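Review bot: The `nsslapd-port` and `nsslapd-secureport` loops are now two near-identical copies that differ only in the retry count and one log line, and the new query/result handling has been pasted into both; a small helper would keep the exit-status interpretation in one place. A sketch follows; it drops the `$retry attempts remain` wording from the first loop's warning, so both ports would log identically. Because `$port` is interpolated into a shell command line (the new `ds_selinux_port_query` call as well as the existing `semanage` backticks) from the instance's configuration entry, the helper also checks that it is a plain integer before building the command. This hunk uses `@sbindir@` where the updateSelinuxPolicy hunk uses `$inf->{slapd}->{sbindir}`; if `$inf` is not in scope in removeDSInstance that is fine, otherwise the two should agree.
```perl
# Remove the ldap_port_t label from one TCP port.  Returns the entry to push
# onto @errs when the removal gave up, or an empty list otherwise.
sub _remove_ldap_port_label {
    my ($port, $retry, $mydevnull) = @_;
    if ($port !~ /\A\d+\z/) {
        debug(0, "Port value '$port' is not numeric, not touching selinux policy.\n");
        return;
    }
    my $need_remove_label = 0;
    my $port_query_cmd = ("@sbindir@/ds_selinux_port_query $port ldap_port_t 2> $mydevnull");
    my $result = system($port_query_cmd);
    # … unchanged: $result handling that sets $need_remove_label …
    return unless $need_remove_label;
    my ($semanage_err, $rc);
    $ENV{LANG} = "C";
    # … unchanged: semanage port -d retry loop …
    return unless 0 == $retry;
    debug(1, "Warning: Port $port not removed from selinux policy correctly. Error: $semanage_err\n");
    debug(1, "Reached time limit.\n");
    return [ 'error_removing_port_label', $port, $semanage_err ];
}

# … at the call site, replacing both loops …
foreach my $port (@{$entry->{"nsslapd-port"}}) {
    push @errs, _remove_ldap_port_label($port, 5, $mydevnull);
}
foreach my $secureport (@{$entry->{"nsslapd-secureport"}}) {
    push @errs, _remove_ldap_port_label($secureport, 60, $mydevnull);
}
```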
diff --git a/ldap/admin/src/scripts/ds_selinux_enabled.in b/ldap/admin/src/scripts/ds_selinux_enabled.in
new file mode 100755
index 0000000..54a79b0
--- /dev/null
+++ b/ldap/admin/src/scripts/ds_selinux_enabled.in
@@ -0,0 +1,23 @@
+#!@pythonexec@
+
+# BEGIN COPYRIGHT BLOCK
+# Copyright (C) 2016 Red Hat, Inc.
+# All rights reserved.
+#
+# License: GPL (version 3 or any later version).
+# See LICENSE for details.
+# END COPYRIGHT BLOCK
+#
+
+# These are python 3 capable, but el7 doesn't have libsemanage-python3
+
+
+import sys
+import selinux
+import semanage
+
+# Returns 1 for true, 0 for false.
+
+sys.exit(selinux.is_selinux_enabled())
+
+
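Review bot: `import semanage` is never used in this script, and on a host without the libsemanage python bindings the ImportError makes python exit with status 1 — the same status the Perl callers treat as "SELinux enabled" — so the line should be removed. The exit value is also passed through unmodified; if this libselinux build's `is_selinux_enabled()` can return -1 on error (older manual pages document that), the status becomes 255 and reads as neither true nor false, so `sys.exit(1 if selinux.is_selinux_enabled() == 1 else 0)` pins the contract stated in the comment. The file is added with mode 100755 while ds_selinux_port_query.in in the next hunk is 100644; automake's script install likely sets the mode, but the two should match in the tree.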
diff --git a/ldap/admin/src/scripts/ds_selinux_port_query.in b/ldap/admin/src/scripts/ds_selinux_port_query.in
new file mode 100644
index 0000000..006f978
--- /dev/null
+++ b/ldap/admin/src/scripts/ds_selinux_port_query.in
@@ -0,0 +1,69 @@
+#!@pythonexec@
+
+# BEGIN COPYRIGHT BLOCK
+# Copyright (C) 2016 Red Hat, Inc.
+# All rights reserved.
+#
+# License: GPL (version 3 or any later version).
+# See LICENSE for details.
+# END COPYRIGHT BLOCK
+#
+
+import sys
+import selinux
+import semanage
+
+# These are python 3 capable, but el7 doesn't have libsemanage-python3
+
+# Given a port number as the first argument, determine if it's already part of the policy.
+# The second (optional) argument is a label type to check.
+
+# 0 for does not exist in policy. 1 mean exists (with no label)
+# or if a lable is given, exists AND inside of label type.
+# 2 means port exists but belongs to a different type.
+
+if len(sys.argv) <= 1:
+ sys.stderr.write("Must provide port to query\n")
+ sys.exit(512)
+
+port = int(sys.argv[1])
+label = None
+try:
+ label = sys.argv[2]
+except:
+ pass
+
+# Get the arguments
+
+# Fail if they are not set correctly.
+
+# Check the port in policy
+h = semanage.semanage_handle_create()
+semanage.semanage_connect(h)
+# This could check high / low values, but eh.
+(r, k) = semanage.semanage_port_key_create(h, port, port, semanage.SEMANAGE_PROTO_TCP)
+
+# Do I need to check _local too?
+(t, e) = semanage.semanage_port_exists(h, k)
+
+if label is None:
+ sys.exit(e)
+
+# See if it has a specifc label
+
+if (e == 0):
+ # No point checking the label, it doesn't exist
+ sys.exit(e)
+
+(t, sp) = semanage.semanage_port_query(h, k)
+
+# do we need to check if this is none? We already know that the port exists, so it must have a context ...
+r = semanage.semanage_port_get_con(sp)
+
+if label == semanage.semanage_context_get_type(r):
+ sys.exit(1)
+
+else:
+ sys.stderr.write('Port belongs to %s\n' % semanage.semanage_context_get_type(r))
+ sys.exit(2)
+
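Review bot: None of the libsemanage return codes are checked — `semanage_connect`, the `r` from `semanage_port_key_create`, and the `t` from `semanage_port_exists` and `semanage_port_query` — and `int(sys.argv[1])` raises on a non-numeric argument, so each of those failures ends in a traceback with exit status 1, which the Perl callers read as "port is already ldap_port_t". The handle is also never disconnected or destroyed, and the bare `except: pass` around `sys.argv[2]` can hide more than a missing argument. The sketch below routes every script-side failure to one exit code below 256 (the same code belongs on the `len(sys.argv) <= 1` exit, see the note on the DSCreate.pm.in hunk) and releases the handle on every path.
```python
# … unchanged: header, imports, usage check on len(sys.argv) …
EXIT_ERROR = 3  # exit statuses are truncated to 8 bits, so keep this below 256

try:
    port = int(sys.argv[1])
except ValueError:
    sys.stderr.write("Port must be an integer\n")
    sys.exit(EXIT_ERROR)
label = sys.argv[2] if len(sys.argv) > 2 else None

h = semanage.semanage_handle_create()
if semanage.semanage_connect(h) < 0:
    sys.stderr.write("Unable to connect to the semanage store\n")
    sys.exit(EXIT_ERROR)
try:
    (r, k) = semanage.semanage_port_key_create(h, port, port, semanage.SEMANAGE_PROTO_TCP)
    if r < 0:
        sys.exit(EXIT_ERROR)
    (t, e) = semanage.semanage_port_exists(h, k)
    if t < 0:
        sys.exit(EXIT_ERROR)
    if label is None or e == 0:
        sys.exit(e)
    (t, sp) = semanage.semanage_port_query(h, k)
    if t < 0:
        sys.exit(EXIT_ERROR)
    # … unchanged: context type comparison, exit 1 or 2 …
finally:
    semanage.semanage_disconnect(h)
    semanage.semanage_handle_destroy(h)
```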
ldap/servers
by William Brown
ldap/servers/slapd/modify.c | 32 +++++++++++++++++---------------
1 file changed, 17 insertions(+), 15 deletions(-)
New commits:
commit a441a58e9ee3f9fb5cb64da97f0d735b1f166e4f
Author: William Brown <firstyear(a)redhat.com>
Date: Tue May 31 15:12:19 2016 +1000
Ticket 48858 - Segfault changing nsslapd-rootpw
Bug Description: py.ldap has a bug where it will send empty change lists. This
triggered a segfault in Directory Server where hash_rootpw expected there to be
at least a single value to act upon
Fix Description: Check that mod_bvalues is not NULL
https://fedorahosted.org/389/ticket/48858
Author: wibrown
Review by: nhosoi (Thank you!)
diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
index 438c925..4a5faa0 100644
--- a/ldap/servers/slapd/modify.c
+++ b/ldap/servers/slapd/modify.c
@@ -1436,22 +1436,24 @@ hash_rootpw (LDAPMod **mods)
if (strcasecmp (mod->mod_type, CONFIG_ROOTPW_ATTRIBUTE) != 0)
continue;
- for (j = 0; mod->mod_bvalues[j] != NULL; j++) {
- char *val = mod->mod_bvalues[j]->bv_val;
- char *hashedval = NULL;
- struct pw_scheme *pws = pw_val2scheme (val, NULL, 0);
- if (pws) {
- free_pw_scheme(pws);
- /* Value is pre-hashed, no work to do for this value */
- continue;
- } else if (! slapd_nss_is_initialized() ) {
- /* We need to hash a value but NSS is not initialized; bail */
- return -1;
+ if (mod->mod_bvalues != NULL) {
+ for (j = 0; mod->mod_bvalues[j] != NULL; j++) {
+ char *val = mod->mod_bvalues[j]->bv_val;
+ char *hashedval = NULL;
+ struct pw_scheme *pws = pw_val2scheme (val, NULL, 0);
+ if (pws) {
+ free_pw_scheme(pws);
+ /* Value is pre-hashed, no work to do for this value */
+ continue;
+ } else if (! slapd_nss_is_initialized() ) {
+ /* We need to hash a value but NSS is not initialized; bail */
+ return -1;
+ }
+ hashedval=(slapdFrontendConfig->rootpwstoragescheme->pws_enc)(val);
+ slapi_ch_free_string (&val);
+ mod->mod_bvalues[j]->bv_val = hashedval;
+ mod->mod_bvalues[j]->bv_len = strlen (hashedval);
}
- hashedval=(slapdFrontendConfig->rootpwstoragescheme->pws_enc)(val);
- slapi_ch_free_string (&val);
- mod->mod_bvalues[j]->bv_val = hashedval;
- mod->mod_bvalues[j]->bv_len = strlen (hashedval);
}
}
return 0;
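Review bot: Wrapping the whole loop in `if (mod->mod_bvalues != NULL)` adds a nesting level to a body that is already four deep; a guard beside the existing `continue` keeps the loop flat and expresses the same check: `if (mod->mod_bvalues == NULL) continue;` placed right after the `strcasecmp` test, with the loop body left as it was. The no-values case is now silently accepted as a no-op for the rootpw attribute; a comment there, say `/* py.ldap may send a mod with no values; nothing to hash */`, would record why. Separately, `hashedval` from `pws_enc` goes straight into `strlen`; if that scheme function can return NULL on failure this is the same class of crash the ticket fixes, worth a check or a comment stating it cannot. hash_rootpw begins before this hunk.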
dirsrvtests/tests
by William Brown
dirsrvtests/tests/suites/password/pwdPolicy_test.py | 115 ++++++++++++++++----
1 file changed, 92 insertions(+), 23 deletions(-)
New commits:
commit 005850477362e6304fa06448309d7c588e9601ce
Author: William Brown <firstyear(a)redhat.com>
Date: Mon May 30 13:33:41 2016 +1000
Ticket 48855 - Add basic pwdPolicy tests
Bug Description: There were no password policy tests in the features section.
Fix Description: Add the initial test that checks for password syntax enforcement
https://fedorahosted.org/389/ticket/48855
Author: wibrown
Review by: mreynolds (Thanks!)
diff --git a/dirsrvtests/tests/suites/password/pwdPolicy_test.py b/dirsrvtests/tests/suites/password/pwdPolicy_test.py
index 9ceb62c..653d033 100644
--- a/dirsrvtests/tests/suites/password/pwdPolicy_test.py
+++ b/dirsrvtests/tests/suites/password/pwdPolicy_test.py
@@ -21,23 +21,38 @@ from lib389.tasks import *
logging.getLogger(__name__).setLevel(logging.DEBUG)
log = logging.getLogger(__name__)
-installation1_prefix = None
+from lib389.config import RSA, Encryption, Config
+
+DEBUGGING = False
+
+USER_DN = 'uid=user,ou=People,%s' % DEFAULT_SUFFIX
+
+if DEBUGGING:
+ logging.getLogger(__name__).setLevel(logging.DEBUG)
+else:
+ logging.getLogger(__name__).setLevel(logging.INFO)
+
+
+log = logging.getLogger(__name__)
class TopologyStandalone(object):
+ """The DS Topology Class"""
def __init__(self, standalone):
+ """Init"""
standalone.open()
self.standalone = standalone
@pytest.fixture(scope="module")
def topology(request):
- global installation1_prefix
- if installation1_prefix:
- args_instance[SER_DEPLOYED_DIR] = installation1_prefix
+ """Create DS Deployment"""
# Creating standalone instance ...
- standalone = DirSrv(verbose=False)
+ if DEBUGGING:
+ standalone = DirSrv(verbose=True)
+ else:
+ standalone = DirSrv(verbose=False)
args_instance[SER_HOST] = HOST_STANDALONE
args_instance[SER_PORT] = PORT_STANDALONE
args_instance[SER_SERVERID_PROP] = SERVERID_STANDALONE
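Review bot: The module-level `logging.getLogger(__name__).setLevel(logging.DEBUG)` and `log = logging.getLogger(__name__)` kept at the top of this hunk are overridden a few lines later by the `DEBUGGING` block and the second `log = ...` assignment, so the first two statements are dead and should go with this change. In the fixture, the four-line `if DEBUGGING:` branch varies only one keyword argument and collapses to `standalone = DirSrv(verbose=DEBUGGING)`. The `from lib389.config import RSA, Encryption, Config` line lands after the logger setup instead of with the other imports above the hunk, and none of the three names is referenced in the visible new code, so the import may be unused as far as this diff shows.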
@@ -50,33 +65,87 @@ def topology(request):
standalone.create()
standalone.open()
+ # Deploy certs
+ # This is a trick. The nss db that ships with DS is broken
+ for f in ('key3.db', 'cert8.db', 'key4.db', 'cert9.db', 'secmod.db', 'pkcs11.txt'):
+ try:
+ os.remove("%s/%s" % (topology.standalone.confdir, f ))
+ except:
+ pass
+
+ assert(standalone.nss_ssl.reinit() is True)
+ assert(standalone.nss_ssl.create_rsa_ca() is True)
+ assert(standalone.nss_ssl.create_rsa_key_and_cert() is True)
+
+ # Say that we accept the cert
+ # Connect again!
+
+ # Enable the SSL options
+ standalone.rsa.create()
+ standalone.rsa.set('nsSSLPersonalitySSL', 'Server-Cert')
+ standalone.rsa.set('nsSSLToken', 'internal (software)')
+ standalone.rsa.set('nsSSLActivation', 'on')
+
+ standalone.config.set('nsslapd-secureport', PORT_STANDALONE2)
+ standalone.config.set('nsslapd-security', 'on')
+
+ standalone.restart()
+
+
+ def fin():
+ """If we are debugging just stop the instances, otherwise remove
+ them
+ """
+ if DEBUGGING:
+ standalone.stop()
+ else:
+ standalone.delete()
+
+ request.addfinalizer(fin)
+
# Clear out the tmp dir
standalone.clearTmpDir(__file__)
return TopologyStandalone(standalone)
+def _create_user(inst):
+ inst.add_s(Entry((
+ USER_DN, {
+ 'objectClass': 'top account simplesecurityobject'.split(),
+ 'uid': 'user',
+ 'userpassword': 'password'
+ })))
+
-def test_pwdPolicy_init(topology):
+def test_pwdPolicy_constraint(topology):
'''
- Init the test suite (if necessary)
+ Password policy test: Ensure that on a password change, the policy is
+ enforced correctly.
'''
- return
-
-def test_pwdPolicy_final(topology):
- topology.standalone.delete()
- log.info('Password Policy test suite PASSED')
-
-
-def run_isolated():
- global installation1_prefix
- installation1_prefix = None
-
- topo = topology(True)
- test_pwdPolicy_init(topo)
- test_pwdPolicy_final(topo)
+ # Create a user
+ _create_user(topology.standalone)
+ # Set the password policy globally
+ topology.standalone.config.set('passwordMinLength', '10')
+ topology.standalone.config.set('passwordMinDigits', '2')
+ topology.standalone.config.set('passwordCheckSyntax', 'on')
+ topology.standalone.config.set('nsslapd-pwpolicy-local', 'off')
+ # Now open a new ldap connection with TLS
+ userconn = ldap.initialize("ldap://%s:%s" % (HOST_STANDALONE, PORT_STANDALONE))
+ userconn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap. OPT_X_TLS_NEVER )
+ userconn.start_tls_s()
+ userconn.simple_bind_s(USER_DN, 'password')
+ # This should have an exception!
+ try:
+ userconn.passwd_s(USER_DN, 'password', 'password1')
+ assert(False)
+ except ldap.CONSTRAINT_VIOLATION:
+ assert(True)
+ # Change the password to something invalid!
if __name__ == '__main__':
- run_isolated()
-
+ # Run isolated
+ # -s for DEBUG mode
+ CURRENT_FILE = os.path.realpath(__file__)
+ pytest.main("-s %s" % CURRENT_FILE)
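Review bot: `topology.standalone.confdir` inside the `topology()` fixture refers to the fixture function itself, not an instance, so `os.remove` raises AttributeError on the first iteration and the bare `except: pass` swallows it — the stale NSS database files are never deleted and the later `nss_ssl.reinit()` runs against whatever was there. Use the local instance and catch only the expected error: `os.remove("%s/%s" % (standalone.confdir, f))` with `except OSError: pass`. In the test body the `try: ... assert(False) except ldap.CONSTRAINT_VIOLATION: assert(True)` pattern is the hand-rolled form of `with pytest.raises(ldap.CONSTRAINT_VIOLATION): userconn.passwd_s(USER_DN, 'password', 'password1')`, which also makes a failure say what was expected. `ldap. OPT_X_TLS_NEVER` has a stray space, and the trailing comment `# Change the password to something invalid!` describes the step above it rather than anything that follows. `pytest.main("-s %s" % CURRENT_FILE)` passes a string where newer pytest releases expect a list, so `pytest.main(["-s", CURRENT_FILE])` is the safer spelling if that applies to the version in use.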
Changes to 'refs/tags/389-admin-console-1.1.11'
by Noriko Hosoi
Changes since the dawn of time:
Endi S. Dewata (1):
Bug 368481 - Unable to change Admin Server log paths in Console
Ludwig (1):
Ticket 47477 - Cannot restart SSL-admin server from console
Nathan Kinder (10):
Resolves: 247525
Resolves: 250699
Resolves: 251427
Related: 251427
Added ldapjdk default path as well as settable path.
Use less restrictive version of Open Publication License for online help docs.
Resolves: 379211
Bug 668950 - Add posix group support to Console
Ticket 362 - Directory Console generates insufficient key strength
Ticket 47467 - Improve online help for Add CRL dialog
Noriko Hosoi (13):
[191832] Admin Server password always remembers initial password on (part 2)
Resolves: #379191
Resolves: #159011
Resolves: #416311
Resolves: #400341
Bug 151705 - Need to update Console Cipher Preferences with new ciphers
Bug 211296 - Clean up all HTML pages (Admin Express, Repl Monitor, etc)
Bug 476925 - Admin Server: Do not allow 8-bit passwords for
bump version to 1.1.9
Bug 1022104 - Remove versioned jarfiles from _javadir
bump version to 1.1.10
Bug 1234441 - Security info from Help should be removed
bump version to 1.1.11
Rich Megginson (26):
Initial import of admin server console into its own module
use admserv instead of as for jar file names
remove improperly added binary files
correctly add binary files
bump version to 1.0.3
fix symlinks
Resolves: bug 400361
updated spec for Fedora DS 1.1 release
Resolves: bug 428364
Bug 428364
bump version to 1.1.2 - disable sslv2 in the ui
this is the 1.1.2 release
Resolves: bug 452596
Resolves: bug 429514
Resolves: bug 166230
change version to 1.1.3
for the 1.1.3 release
Rename to 389
these files should be mode 644
change version to 1.1.4 - add doc subpackage - relicense under plain gplv2
bump version to 1.1.5
bump version to 1.1.6
bump version to 1.1.7
admin-version is unused
Bug 723126 - Configure Admin Server -> Connection Restriction --> Add Screen is flicking consistently.
bump version to 1.1.8
2 commits - build.properties help/en
by Noriko Hosoi
build.properties | 2 +-
help/en/help/administration_express_server_information.html | 3 ---
help/en/help/server_information.html | 3 ---
3 files changed, 1 insertion(+), 7 deletions(-)
New commits:
commit ac3b45df213ce086d6b92e8a3f2f0db4e02f2fbe
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Wed Jun 1 11:50:28 2016 -0700
bump version to 1.1.11
diff --git a/build.properties b/build.properties
index eea269a..6f9718c 100644
--- a/build.properties
+++ b/build.properties
@@ -21,7 +21,7 @@
lang=en
admservconsole.root=..
-admservconsole.version=1.1.10
+admservconsole.version=1.1.11
admservconsole.gen.version=1.1
brand=389
admservconsole.name=${brand}-admin-${admservconsole.version}
commit e88bfdb33510ab909383feab54340f58434147ed
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Wed Jun 1 11:49:14 2016 -0700
Bug 1234441 - Security info from Help should be removed
Files:
help/en/help/administration_express_server_information.html
help/en/help/server_information.html
diff --git a/help/en/help/administration_express_server_information.html b/help/en/help/administration_express_server_information.html
index 582e8b4..df2b6cd 100644
--- a/help/en/help/administration_express_server_information.html
+++ b/help/en/help/administration_express_server_information.html
@@ -27,8 +27,5 @@ Administration Express - Server Information
<b>Build Number.</b> Uniquely identifies a particular release of a server version.
</p>
<p class="text">
-<b>Security Level.</b> Indicates whether the server uses domestic (US based, 128-bit ciphers) or export (non-US based, 40-bit ciphers) encryption levels.
-</p>
-<p class="text">
<b>Additional Information.</b> Lists any special server requirements and links to other important information.
</p>
diff --git a/help/en/help/server_information.html b/help/en/help/server_information.html
index c0cf07c..dc35c39 100644
--- a/help/en/help/server_information.html
+++ b/help/en/help/server_information.html
@@ -42,9 +42,6 @@ You can view, but not edit, the following information about the selected server:
<b>Revision.</b> Indicates whether this server has been upgraded or patched. If no value is present, this is an unpatched installation.
</p>
<p class="text">
-<b>Security Level.</b> Indicates whether the server uses domestic (128-bit ciphers) or export (40-bit ciphers) encryption levels.
-</p>
-<p class="text">
<b>Server Status.</b> Indicates whether the server is on or off.
</p>
<p class="text">