Hi!
slapo-ppolicy in OpenLDAP 2.5 shows slightly different behaviour in python-ldap0 tests (see test output below).
Tests: https://gitlab.com/ae-dir/python-ldap0/-/blob/master/tests/test_ppolicy.py
When working with Ondřej for solving ITS#9279 I finally "fixed" ldap0 tests to accommodate the behaviour of OpenLDAP 2.4.x. I did not feel comfortable back then because it was not clear to me whether it was the correct fix.
Do you have any tests you could run against 2.4 and 2.5 to verify whether both have same behaviour?
Ciao, Michael.
======================================================================
FAIL: test003_ppolicy_grace_logins (tests.test_ppolicy.TestPPolicy)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/michael/Proj/ae-dir/python-ldap0/tests/test_ppolicy.py", line 235, in test003_ppolicy_grace_logins
    self.assertEqual(
AssertionError: 'Password expired! 1 grace logins left.' != 'Password expired! 2 grace logins left.'
- Password expired! 1 grace logins left.
?                   ^
+ Password expired! 2 grace logins left.
?                   ^

======================================================================
FAIL: test001_pwdpolicy_expiration (tests.test_ppolicy.TestPwdPolicy)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/michael/Proj/ae-dir/python-ldap0/tests/test_ppolicy.py", line 285, in test001_pwdpolicy_expiration
    self.assertIsInstance(bind_res.ctrls[0], PasswordExpiringControl)
AssertionError: <ldap0.controls.pwdpolicy.PasswordExpiredControl object at 0x7efc9d8ca760> is not an instance of <class 'ldap0.controls.pwdpolicy.PasswordExpiringControl'>

======================================================================
FAIL: test002_pwdpolicy_expired (tests.test_ppolicy.TestPwdPolicy)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/michael/Proj/ae-dir/python-ldap0/tests/test_ppolicy.py", line 306, in test002_pwdpolicy_expired
    l.simple_bind_s(self.user_dn, user_password.encode('utf-8'))
AssertionError: INVALID_CREDENTIALS not raised
From: "Michael Ströder" michael@stroeder.com
Do you have any tests you could run against 2.4 and 2.5 to verify whether both have same behaviour?
Hey Michael,
I have tested 2.4 and 2.5 pw policies using Apache Fortress tests:
[PswdPolicyMgrImplTest](https://github.com/apache/directory-fortress-core/blob/master/src/test/java/...)
The only functional difference that I found was 2.5 now requires sending the RelaxControl ("1.3.6.1.4.1.4203.666.5.12") on the following ops:
- lock/unlock
- mods of user's pwdPolicySubentry attribute
Other than that, everything else worked the same, besides no longer including the pwpolicy.schema in the server config of course.
-- Shawn
On 5/3/21 5:39 PM, smckinney@symas.com wrote:
From: "Michael Ströder" michael@stroeder.com
Do you have any tests you could run against 2.4 and 2.5 to verify whether both have same behaviour?
I have tested 2.4 and 2.5 pw policies using Apache Fortress tests:
Do you also look at the decreasing grace login counter in diagnostic message?
The only functional difference that I found was 2.5 now requires sending the RelaxControl ("1.3.6.1.4.1.4203.666.5.12") on the following ops:
- lock/unlock
- mods of user's pwdPolicySubentry attribute
Currently not relevant for my tests.
Other than that, everything else worked the same, besides no longer including the pwpolicy.schema in the server config of course.
This is already covered since quite a while by checking whether file ppolicy.ldif exists in the schema/ directory or not.
Ciao, Michael.
Do you also look at the decreasing grace login counter in diagnostic message?
The AF tests evaluate grace / ensure it maintains proper count, locks when it reaches zero. Not evaluating the diagnostic message.
-- Shawn
----- Original Message ----- From: "Michael Ströder" michael@stroeder.com To: "openldap-devel" openldap-devel@openldap.org Sent: Monday, May 3, 2021 10:57:44 AM Subject: Re: slapo-ppolicy 2.4 vs. 2.5
On Sat, May 01, 2021 at 05:31:44PM +0200, Michael Ströder wrote:
Hi!
slapo-ppolicy in OpenLDAP 2.5 shows slightly different behaviour in python-ldap0 tests (see test output below).
Tests: https://gitlab.com/ae-dir/python-ldap0/-/blob/master/tests/test_ppolicy.py
When working with Ondřej for solving ITS#9279 I finally "fixed" ldap0 tests to accommodate the behaviour of OpenLDAP 2.4.x. I did not feel comfortable back then because it was not clear to me whether it was the correct fix.
Do you have any tests you could run against 2.4 and 2.5 to verify whether both have same behaviour?
Ciao, Michael.
======================================================================
FAIL: test003_ppolicy_grace_logins (tests.test_ppolicy.TestPPolicy)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/michael/Proj/ae-dir/python-ldap0/tests/test_ppolicy.py", line 235, in test003_ppolicy_grace_logins
    self.assertEqual(
AssertionError: 'Password expired! 1 grace logins left.' != 'Password expired! 2 grace logins left.'
- Password expired! 1 grace logins left.
?                   ^
+ Password expired! 2 grace logins left.
?                   ^
Does the count reported match the wording of the draft in section 6.2?
""" The graceAuthNsRemaining warning specifies the remaining number of times a user will be allowed to authenticate with an expired password. """
If not, please reopen ITS#7596 with a test case.
Thanks,
On 5/4/21 9:47 AM, Ondřej Kuzník wrote:
On Sat, May 01, 2021 at 05:31:44PM +0200, Michael Ströder wrote:
slapo-ppolicy in OpenLDAP 2.5 shows slightly different behaviour in python-ldap0 tests (see test output below). [..] AssertionError: 'Password expired! 1 grace logins left.' != 'Password expired! 2 grace logins left.'
Does the count reported match the wording of the draft in section 6.2? [..] If not, please reopen ITS#7596 with a test case.
Thanks for pointing out ITS#7596. I've now updated my test to match the new behaviour when running on OpenLDAP 2.5.
Still I have failures in my draft-vchu-ldap-pwd-policy tests (see below). These might be related to ITS#9279, though I'm not sure. Any changes in this area?
Ciao, Michael.
======================================================================
FAIL: test001_pwdpolicy_expiration (tests.test_ppolicy.TestPwdPolicy)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/michael/Proj/ae-dir/python-ldap0/tests/test_ppolicy.py", line 287, in test001_pwdpolicy_expiration
    self.assertIsInstance(bind_res.ctrls[0], PasswordExpiringControl)
AssertionError: <ldap0.controls.pwdpolicy.PasswordExpiredControl object at 0x7f3066e5a9a0> is not an instance of <class 'ldap0.controls.pwdpolicy.PasswordExpiringControl'>

======================================================================
FAIL: test002_pwdpolicy_expired (tests.test_ppolicy.TestPwdPolicy)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/michael/Proj/ae-dir/python-ldap0/tests/test_ppolicy.py", line 308, in test002_pwdpolicy_expired
    l.simple_bind_s(self.user_dn, user_password.encode('utf-8'))
AssertionError: INVALID_CREDENTIALS not raised
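The two things the thread is comparing across 2.4 and 2.5 are what a bind response actually carries: the graceAuthNsRemaining warning from the draft-behera PasswordPolicyResponse control (Ondřej's section 6.2 question) and, for the draft-vchu tests, whether the server attaches the Expiring control or the Expired control. The decoder below is an added example for this thread, not code from python-ldap0, OpenLDAP or the tests linked above. It uses only the standard library and a hand-written BER reader, so it runs offline; the function names and the sample control values at the bottom are constructed for illustration, not captured from a server.

```python
"""Decode the password-policy controls a slapd bind response may carry.

Added example for this thread, not code from python-ldap0 or OpenLDAP.
Stdlib only: a minimal BER reader for the draft-behera
PasswordPolicyResponseValue plus the two draft-vchu string-valued controls.
The sample control values at the bottom are constructed by hand.
"""

# Control OIDs from draft-behera-ldap-password-policy and draft-vchu-ldap-pwd-policy
PPOLICY_CONTROL = "1.3.6.1.4.1.42.2.27.8.5.1"
PWD_EXPIRED_CONTROL = "2.16.840.1.113730.3.4.4"
PWD_EXPIRING_CONTROL = "2.16.840.1.113730.3.4.5"

PPOLICY_ERRORS = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}


def _read_tlv(buf, pos):
    """Read one BER TLV at buf[pos]; return (tag, value_bytes, next_pos).
    Definite lengths up to 4 length bytes, enough for these small controls."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:end], end


def _read_int(raw):
    if not raw:
        raise ValueError("empty INTEGER")
    return int.from_bytes(raw, "big", signed=True)


def decode_ppolicy_response(value):
    """Parse a PasswordPolicyResponseValue into a dict.

    PasswordPolicyResponseValue ::= SEQUENCE {
        warning [0] CHOICE {
            timeBeforeExpiration [0] INTEGER,
            graceAuthNsRemaining [1] INTEGER } OPTIONAL,
        error   [1] ENUMERATED { passwordExpired (0), ... } OPTIONAL }

    Only fields that are present appear in the result; an empty SEQUENCE
    is legal (the control was sent, nothing to report) and yields {}.
    """
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("PasswordPolicyResponseValue must be a single SEQUENCE")
    result = {}
    pos = 0
    while pos < len(body):
        tag, raw, pos = _read_tlv(body, pos)
        if tag == 0xA0:  # warning [0]: explicit (constructed) tag around the CHOICE
            itag, iraw, iend = _read_tlv(raw, 0)
            if iend != len(raw):
                raise ValueError("warning CHOICE carries more than one alternative")
            if itag == 0x80:
                result["timeBeforeExpiration"] = _read_int(iraw)
            elif itag == 0x81:
                result["graceAuthNsRemaining"] = _read_int(iraw)
            else:
                raise ValueError("unknown warning alternative 0x%02x" % itag)
        elif tag == 0x81:  # error [1]: same tag byte as graceAuthNsRemaining,
            # distinguished only by nesting level, so never match on the byte alone
            code = _read_int(raw)
            result["error"] = PPOLICY_ERRORS.get(code, "unknown(%d)" % code)
        else:
            raise ValueError("unexpected element 0x%02x in response" % tag)
    return result


def interpret_bind_controls(controls):
    """controls: list of (oid, value_bytes) taken from a bind response.

    Returns (kind, detail) tuples so a caller can tell an 'expiring' warning
    from an 'expired' error instead of assuming only one of them shows up.
    """
    findings = []
    for oid, value in controls:
        if oid == PPOLICY_CONTROL:
            parsed = decode_ppolicy_response(value)
            if "error" in parsed:
                findings.append(("error", parsed["error"]))
            if "graceAuthNsRemaining" in parsed:
                findings.append(("grace_logins_left", parsed["graceAuthNsRemaining"]))
            if "timeBeforeExpiration" in parsed:
                findings.append(("expires_in_seconds", parsed["timeBeforeExpiration"]))
        elif oid == PWD_EXPIRING_CONTROL:
            # draft-vchu: value is the seconds until expiry as a decimal string
            findings.append(("expires_in_seconds", int(value.decode("ascii"))))
        elif oid == PWD_EXPIRED_CONTROL:
            # draft-vchu: value is the string "0"
            if value != b"0":
                raise ValueError("unexpected expired-control value %r" % value)
            findings.append(("error", "passwordExpired"))
    return findings


# Constructed sample values (hand-encoded BER, not captured from a server)
GRACE_TWO_LEFT = bytes.fromhex("3005a003810102")            # warning: graceAuthNsRemaining 2
EXPIRED_ERROR = bytes.fromhex("3003810100")                 # error: passwordExpired
EXPIRED_WITH_GRACE = bytes.fromhex("3008a003810102810100")  # both fields present
EXPIRING_3600 = bytes.fromhex("3006a00480020e10")           # warning: timeBeforeExpiration 3600

if __name__ == "__main__":
    for oid, val in [(PPOLICY_CONTROL, EXPIRED_WITH_GRACE), (PWD_EXPIRING_CONTROL, b"3600")]:
        print(oid, interpret_bind_controls([(oid, val)]))
```

When comparing two server versions, feed the raw control values from each bind response through `interpret_bind_controls` and diff the tuples rather than a formatted diagnostic string; that separates "which control was sent" (the test001 failure) from "what count it carried" (the test003 failure).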
On Tue, May 04, 2021 at 12:07:20PM +0200, Michael Ströder wrote:
Still I have failures in my draft-vchu-ldap-pwd-policy tests (see below). These might be related to ITS#9279, though I'm not sure. Any changes in this area?
Don't know, my guess is to compare it with tests/scripts/test022-ppolicy to see what the difference is between it and what you're doing.
Don't think this applies here, but a lot of ppolicy behaviour changes based on whether you're classed as a "password administrator" (having "manage" access to the password attribute on the entry), see ITS#7084 and the ppolicy draft. If it makes a difference, it's possible that some of this is interfering, or that it's intentional, will probably have to decide on a case by case basis.