kcm.rst revision e10d56ed715df64fbb0883aa73563fed56bd0238
Examples of testing KCM
=======================

* To test the KCM ccache, the minimal requirement is a Kerberos
  server. sssd-testlib provides the `libkrb5` module to set up a Kerberos server.
* `sssd-testlib` now contains a `utils` module, which provides functions to
  enable `sssd-kcm`.
* Below are some examples of using it in pytest.

Example1: Using single host to test sssd-kcm
--------------------------------------------

* create a single host running Directory Server and a krb5 server, and configure
  the client to authenticate to the LDAP and Kerberos servers using SSSD and enable KCM

  * create a multihost config file mhc.yaml as below (the values shown are samples for a test host)::
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen root_password: 'redhat'
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen external_hostname: idm1.example.test
  * create a conftest.py to specify the namespace hook::
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen from sssd.testlib.common.qe_class import session_multihost,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen from sssd.testlib.common.qe_class import create_testdir
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen import pytest
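def pytest_namespace():
    """Return the namespace-hook dictionary of per-role counts.

    Every count is zero except 'num_clients', which is 1.
    """
    # NOTE(review): the pytest_namespace hook was removed in pytest 4.0 --
    # confirm the pytest version this test library targets.
    return {
        'num_masters': 0,
        'num_ad': 0,
        'num_atomic': 0,
        # The opening quote on this key was missing, which made the
        # listing a syntax error when copied into conftest.py.
        'num_replicas': 0,
        'num_clients': 1,
        'num_others': 0,
    }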
  * create a fixture to run authconfig to authenticate to SSSD::
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen @pytest.fixture(scope="session")
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen def config_authconfig(session_multihost, request):
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen """ Run authconfig to configure Kerberos and
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen SSSD auth on remote host
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen authconfig = RedHatAuthConfig(session_multihost.master[0])
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen session_multihost.master[0].log.info("Take backup of current authconfig")
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen kerberos_server = session_multihost.master[0].sys_hostname
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen authconfig.add_parameter("krb5kdc", kerberos_server)
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen authconfig.add_parameter("krb5adminserver", kerberos_server)
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen authconfig.add_parameter("krb5realm", krbrealm)
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen def restore_authconfig():
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen """ Restore authconfig """
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen request.addfinalizer(restore_authconfig)
641f0c0900ee6e7cf9667f4b40ed95cec7d0cdcaTimo Sirainen * add a fixture to configure Directory Server::
641f0c0900ee6e7cf9667f4b40ed95cec7d0cdcaTimo Sirainen from sssd.testlib.common.libdirsrv import DirSrvWrap
641f0c0900ee6e7cf9667f4b40ed95cec7d0cdcaTimo Sirainen from sssd.testlib.common.utils import sssdTools, PkiTools
641f0c0900ee6e7cf9667f4b40ed95cec7d0cdcaTimo Sirainen from sssd.testlib.common.exceptions import PkiLibException
641f0c0900ee6e7cf9667f4b40ed95cec7d0cdcaTimo Sirainen @pytest.fixture(scope=session)
641f0c0900ee6e7cf9667f4b40ed95cec7d0cdcaTimo Sirainen def setup_ldap(session_multihost, request):
641f0c0900ee6e7cf9667f4b40ed95cec7d0cdcaTimo Sirainen serverList = [session_multihost.master[0].sys_hostname]
641f0c0900ee6e7cf9667f4b40ed95cec7d0cdcaTimo Sirainen pki_inst = PkiTools()
641f0c0900ee6e7cf9667f4b40ed95cec7d0cdcaTimo Sirainen certdb = pki_inst.createselfsignedcerts(serverList)
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen except PkiLibException as err:
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen ds_obj = DirSrvWrap(session_multihost.master[0], ssl=True,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen ssldb=certdb)
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen ds_obj.create_ds_instance('example1', 'dc=example,dc=test')
8fcff4c5b52f24d9c681805fdf06b486f1d0fcbeTimo Sirainen def remove_ldap():
992a13add4eea0810e4db0f042a595dddf85536aTimo Sirainen * add a fixture to configure Kerberos server::
992a13add4eea0810e4db0f042a595dddf85536aTimo Sirainen @pytest.fixture(scope='class')
992a13add4eea0810e4db0f042a595dddf85536aTimo Sirainen def setup_kerberos(session_multihost, request):
992a13add4eea0810e4db0f042a595dddf85536aTimo Sirainen tools = sssdTools(session_multihost.master[0])
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen krb = krb5srv(session_multihost.master[0], 'EXAMPLE.TEST')
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen def remove_kerberos():
  * add a fixture to set up the SSSD configuration::
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen @pytest.fixture(scope='class', autouse=True)
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen def setup_sssd(session_multihost, request):
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen domain_section = 'domain/EXAMPLE.TEST'
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen ldap_uri = 'ldap://%s' %
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen krb5_server = session_multihost.master[0].sys_hostname
992a13add4eea0810e4db0f042a595dddf85536aTimo Sirainen cacert_loc = '/etc/openldap/cacerts/cacert.pem'
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen sssdConfig.set('sssd', 'domains', 'EXAMPLE.TEST')
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen sssdConfig.set('sssd', 'config_file_version', '2')
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen sssdConfig.set('sssd', 'services', 'nss, pam, ifp')
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen sssdConfig.set(domain_section, 'enumerate', 'false')
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen sssdConfig.set(domain_section, 'id_provider', 'ldap')
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen sssdConfig.set(domain_section, 'ldap_uri', ldap_uri)
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen sssdConfig.set(domain_section, 'ldap_search_base',
641f0c0900ee6e7cf9667f4b40ed95cec7d0cdcaTimo Sirainen 'dc=example,dc=test')
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen sssdConfig.set(domain_section, 'ldap_tls_cacert', cacert_loc)
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen sssdConfig.set(domain_section, 'auth_provider', 'krb5')
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen sssdConfig.set(domain_section, 'krb5_server', krb5_server)
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen sssdConfig.set(domain_section, 'krb5_kpasswd', krb5_server)
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen sssdConfig.set(domain_section, 'krb5_realm', 'EXAMPLE.TEST')
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen sssdConfig.set(domain_section, 'debug_level', '9')
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen temp_fd, temp_file_path = tempfile.mkstemp(suffix='conf',
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen prefix='sssd')
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen with open(temp_file_path, "wb") as outfile:
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen session_multihost.master[0].run_command(['cp', '-f',
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen session_multihost.master[0].transport.put_file(temp_file_path,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen session_multihost.master[0].service_sssd('restart')
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen except Exception:
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen journalctl_cmd = "journalctl -x -n 50 --no-pager"
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen session_multihost.master[0].run_command(journalctl_cmd)
  * add a fixture to create some POSIX users and also create Kerberos users with the same names::
992a13add4eea0810e4db0f042a595dddf85536aTimo Sirainen @pytest.fixture(scope='class', autouse=True)
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen def create_posix_usersgroups(session_multihost):
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen ldap_uri = 'ldap://%s' % (session_multihost.master[0].sys_hostname)
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen ds_rootdn = 'cn=Directory Manager'
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen ds_rootpw = 'Secret123'
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen krb = krb5srv(session_multihost.master[0], 'EXAMPLE.TEST')
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen for i in range(10):
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen user_info = {'cn': 'foo%d' % i,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen 'uid': 'foo%d' % i,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen 'uidNumber': '1458310%d' % i,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen 'gidNumber': '14564100'}
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen if ldap_inst.posix_user("ou=People", "dc=example,dc=test", user_info):
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen krb.add_principal('foo%d' % i, 'user', 'Secret123')
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen print("Unable to add ldap User %s" % (user_info))
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen memberdn = 'uid=%s,ou=People,dc=example,dc=test' % ('foo0')
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen group_info = {'cn': 'ldapusers',
992a13add4eea0810e4db0f042a595dddf85536aTimo Sirainen 'gidNumber': '14564100',
992a13add4eea0810e4db0f042a595dddf85536aTimo Sirainen 'uniqueMember': memberdn}
992a13add4eea0810e4db0f042a595dddf85536aTimo Sirainen ldap_inst.posix_group("ou=Groups", "dc=example,dc=test", group_info)
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen except Exception:
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen group_dn = 'cn=ldapusers,ou=Groups,dc=example,dc=test'
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen for i in range(1, 11):
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen user_dn = 'uid=foo%d,ou=People,dc=example,dc=test' % i
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen add_member = [(ldap.MOD_ADD, 'uniqueMember',user_dn)]
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen (ret, return_value) = ldap_inst.modify_ldap(group_dn, add_member)
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen assert ret == 'Success'
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen * create a session fixture which calls config_authconfig, setup_ldap,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen setup_kerberos::
@pytest.fixture(scope="session", autouse=True)
def setup_session(request, session_multihost, config_authconfig, setup_kerberos):
    """Session-wide autouse fixture that requests the setup fixtures.

    Prints a banner when the session starts and registers a finalizer that
    prints the matching banner when the session is torn down.
    """
    # NOTE(review): setup_kerberos is declared with scope='class' earlier in
    # this document; pytest raises ScopeMismatch when a session-scoped fixture
    # requests a narrower-scoped one -- confirm the intended scopes.
    # NOTE(review): the surrounding text also names setup_ldap, which this
    # signature does not request -- confirm whether it belongs here.

    def _announce_teardown():
        """Print the end-of-session banner."""
        print("\n............Session teardown...............")

    print("\n............Session Setup...............")
    request.addfinalizer(_announce_teardown)
* create a test suite file called test1.py; to test KCM as a user, use
  `SSHClient` from the `sssd.testlib.common.utils` module::
from sssd.testlib.common.utils import SSHClient
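# sssdTools comes from the same utils module as SSHClient.
from sssd.testlib.common.utils import sssdTools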
tools = sssdTools(session_multihost.master[0])
multihost.master[0].run_command(['systemctl', 'start',
cmd = multihost.master[0].run_command(['ls', '-l', kcm_sock_link],
assert cmd.returncode == 0
ssh = SSHClient(multihost.master[0].sys_hostname,
assert ssh.connstatus
ssh = SSHClient(multihost.master[0].sys_hostname,
assert ssh.connstatus
(stdout, stderr, exit_status) = ssh.execute_cmd(args='kinit',
(stdout, stderr, exit_status) = ssh.execute_cmd('klist')
for line in stdout.readlines():
ssh = SSHClient(multihost.master[0].sys_hostname,
assert ssh.connstatus
(out, err, status) = ssh.execute_cmd('KRB5CCNAME=KCM:; kinit',
(out, err, status) = ssh.execute_cmd('KRB5CCNAME=KCM:; klist')
for line in stdout.readlines():
if 'Ticket cache: KCM:14583103' in str(line.strip()):