From 9e31295e3136cc7d81d026b3d334816201d58f37 Mon Sep 17 00:00:00 2001 From: Dan Lavu Date: Thu, 26 Sep 2024 00:13:52 -0400 Subject: [PATCH] tests: adding gpo customer test scenario to use the ldap attribute name --- src/tests/system/tests/test_gpo.py | 44 ++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/src/tests/system/tests/test_gpo.py b/src/tests/system/tests/test_gpo.py index 0bc54e329a1..fb11197fa40 100644 --- a/src/tests/system/tests/test_gpo.py +++ b/src/tests/system/tests/test_gpo.py @@ -1025,3 +1025,47 @@ def test_gpo__works_when_auto_private_group_is_used_with_posix_accounts( "user1", password="Secret123" ), "Allowed user authentication failed!" assert not client.auth.parametrize(method).password("deny_user1", password="Secret123"), "Denied user logged in!" + + +@pytest.mark.importance("critical") +@pytest.mark.parametrize("method", ["ssh", "su"]) +@pytest.mark.topology(KnownTopologyGroup.AnyAD) +@pytest.mark.ticket(gh=7591) +def test_gpo__ldap_user_name_attribute_mapping(client: Client, provider: GenericADProvider, method: str): + """ + :title: GPO evaluation fails when the LDAP attribute "name" is used instead of default sAMAccountName attribute + :setup: + 1. Create the following user 'user1' and 'deny_user1' with uids and gids + 2. Create and link the GPO 'site policy' and add 'user1' and 'Domain Admins' to + SeInteractiveLogonRight key. Add 'deny_user1 to SeDenyInteractiveLogonRight key' + 3. Configure sssd.conf with 'ad_gpo_access_control = enforcing', + 'auto_private_groups = false', 'ldap_user_name = name' and 'ldap_id_mapping = false' + 4. Start SSSD + :steps: + 1. Authenticate as 'user1' + 2. Authenticate as 'deny_user1' + :expectedresults: + 1. Authentication is successful + 2. Authenticated user is unsuccessful + :customerscenario: True + """ + user1 = provider.user("user1").add(uid=10000, gid=10000) + deny_user1 = provider.user("deny_user1").add(uid=10001, gid=10001) + + provider.gpo("site policy").add().policy( + { + "SeInteractiveLogonRight": [user1, provider.group("Domain Admins")], + "SeDenyInteractiveLogonRight": [deny_user1], + } + ).link() + + client.sssd.domain["ad_gpo_access_control"] = "enforcing" + client.sssd.domain["auto_private_groups"] = "false" + client.sssd.domain["ldap_user_name"] = "name" + client.sssd.domain["ldap_id_mapping"] = "false" + client.sssd.start() + + assert client.auth.parametrize(method).password( + "user1", password="Secret123" + ), "Allowed user authentication failed!" + assert not client.auth.parametrize(method).password("deny_user1", password="Secret123"), "Denied user logged in!"