8:31 a.m.
HI!
slapo-ppolicy in OpenLDAP 2.5 shows slightly different behaviour in
python-ldap0 tests (see test output below).
Tests:
https://gitlab.com/ae-dir/python-ldap0/-/blob/master/tests/test_ppolicy.py
When working with Ondřej for solving ITS#9279 I finally "fixed" ldap0
tests to accomodate the behaviour of OpenLDAP 2.4.x. I did not feel
comfortable back then because it was not clear to me whether it was the
correct fix.
Do you have any tests you could run against 2.4 and 2.5 to verify
whether both have same behaviour?
Ciao, Michael.
======================================================================
FAIL: test003_ppolicy_grace_logins (tests.test_ppolicy.TestPPolicy)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/home/michael/Proj/ae-dir/python-ldap0/tests/test_ppolicy.py",
line 235, in test003_ppolicy_grace_logins
self.assertEqual(
AssertionError: 'Password expired! 1 grace logins left.' != 'Password
expired! 2 grace logins left.'
- Password expired! 1 grace logins left.
? ^
+ Password expired! 2 grace logins left.
? ^
======================================================================
FAIL: test001_pwdpolicy_expiration (tests.test_ppolicy.TestPwdPolicy)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/home/michael/Proj/ae-dir/python-ldap0/tests/test_ppolicy.py",
line 285, in test001_pwdpolicy_expiration
self.assertIsInstance(bind_res.ctrls[0], PasswordExpiringControl)
AssertionError: <ldap0.controls.pwdpolicy.PasswordExpiredControl object
at 0x7efc9d8ca760> is not an instance of <class
'ldap0.controls.pwdpolicy.PasswordExpiringControl'>
======================================================================
FAIL: test002_pwdpolicy_expired (tests.test_ppolicy.TestPwdPolicy)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/home/michael/Proj/ae-dir/python-ldap0/tests/test_ppolicy.py",
line 306, in test002_pwdpolicy_expired
l.simple_bind_s(self.user_dn, user_password.encode('utf-8'))
AssertionError: INVALID_CREDENTIALS not raised
8:39 a.m.
From: "Michael Ströder" <michael(a)stroeder.com>
Do you have any tests you could run against 2.4 and 2.5 to verify
whether both have same behaviour?
Hey Michael,
I have tested 2.4 and 2.5 pw policies using Apache Fortress tests:
[PswdPolicyMgrImplTest](https://github.com/apache/directory-fortress-core/...
The only functional difference that I found was 2.5 now requires sending the RelaxControl
("1.3.6.1.4.1.4203.666.5.12") on the following ops:
- lock/unlock
- mods of user's pwdPolicySubentry attribute
Other than that, everything else worked the same, besides no longer including the
pwpolicy.schema in the server config of course.
--
Shawn
8:57 a.m.
On 5/3/21 5:39 PM, smckinney(a)symas.com wrote:
> From: "Michael Ströder" <michael(a)stroeder.com>
> Do you have any tests you could run against 2.4 and 2.5 to verify
> whether both have same behaviour?
I have tested 2.4 and 2.5 pw policies using Apache Fortress tests:
Do you also look at the decreasing grace login counter in diagnostic
message?
The only functional difference that I found was 2.5 now requires
sending the RelaxControl ("1.3.6.1.4.1.4203.666.5.12") on the
following ops:>
- lock/unlock
- mods of user's pwdPolicySubentry attribute
Currently not relevant for my tests.
Other than that, everything else worked the same, besides no longer
including the pwpolicy.schema in the server config of course.
This is already
covered since quite a while by checking whether file
ppolicy.ldif exists in the schema/ directory or not.
Ciao, Michael.
9:06 a.m.
Do you also look at the decreasing grace login counter in diagnostic
message?
The AF tests evaluate grace / ensure it maintains proper count, locks when it reaches
zero. Not evaluating the diagnostic message.
--
Shawn
----- Original Message -----
From: "Michael Ströder" <michael(a)stroeder.com>
To: "openldap-devel" <openldap-devel(a)openldap.org>
Sent: Monday, May 3, 2021 10:57:44 AM
Subject: Re: slapo-ppolicy 2.4 vs. 2.5
On 5/3/21 5:39 PM, smckinney(a)symas.com wrote:
> From: "Michael Ströder" <michael(a)stroeder.com>
> Do you have any tests you could run against 2.4 and 2.5 to verify
> whether both have same behaviour?
I have tested 2.4 and 2.5 pw policies using Apache Fortress tests:
Do you also look at the decreasing grace login counter in diagnostic
message?
The only functional difference that I found was 2.5 now requires
sending the RelaxControl ("1.3.6.1.4.1.4203.666.5.12") on the
following ops:>
- lock/unlock
- mods of user's pwdPolicySubentry attribute
Currently not relevant for my tests.
Other than that, everything else worked the same, besides no longer
including the pwpolicy.schema in the server config of course.
This is already
covered since quite a while by checking whether file
ppolicy.ldif exists in the schema/ directory or not.
Ciao, Michael.
12:47 a.m.
On Sat, May 01, 2021 at 05:31:44PM +0200, Michael Ströder wrote:
HI!
slapo-ppolicy in OpenLDAP 2.5 shows slightly different behaviour in
python-ldap0 tests (see test output below).
Tests:
https://gitlab.com/ae-dir/python-ldap0/-/blob/master/tests/test_ppolicy.py
When working with Ondřej for solving ITS#9279 I finally "fixed" ldap0
tests to accomodate the behaviour of OpenLDAP 2.4.x. I did not feel
comfortable back then because it was not clear to me whether it was the
correct fix.
Do you have any tests you could run against 2.4 and 2.5 to verify
whether both have same behaviour?
Ciao, Michael.
======================================================================
FAIL: test003_ppolicy_grace_logins (tests.test_ppolicy.TestPPolicy)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/home/michael/Proj/ae-dir/python-ldap0/tests/test_ppolicy.py",
line 235, in test003_ppolicy_grace_logins
self.assertEqual(
AssertionError: 'Password expired! 1 grace logins left.' != 'Password
expired! 2 grace logins left.'
- Password expired! 1 grace logins left.
? ^
+ Password expired! 2 grace logins left.
? ^
Does the count reported match the wording of the draft in section 6.2?
"""
The graceAuthNsRemaining warning specifies the remaining number of times
a user will be allowed to authenticate with an expired password.
"""
If not, please reopen ITS#7596 with a test case.
Thanks,
--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
3:07 a.m.
On 5/4/21 9:47 AM, Ondřej Kuzník wrote:
On Sat, May 01, 2021 at 05:31:44PM +0200, Michael Ströder wrote:
> slapo-ppolicy in OpenLDAP 2.5 shows slightly different behaviour in
> python-ldap0 tests (see test output below).
> [..]
> AssertionError: 'Password expired! 1 grace logins left.' != 'Password
> expired! 2 grace logins left.'
Does the count reported match the wording of the draft in section 6.2?
[..]
If not, please reopen ITS#7596 with a test case.
Thanks for pointing out ITS#7596. I've now updated my test to match the
new behaviour when running on OpenLDAP 2.5.
Still I have failures in my draft-vchu-ldap-pwd-policy tests (see
below). These might be related to ITS#9279, though I'm not sure. Any
changes in this area?
Ciao, Michael.
======================================================================
FAIL: test001_pwdpolicy_expiration (tests.test_ppolicy.TestPwdPolicy)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/home/michael/Proj/ae-dir/python-ldap0/tests/test_ppolicy.py",
line 287, in test001_pwdpolicy_expiration
self.assertIsInstance(bind_res.ctrls[0], PasswordExpiringControl)
AssertionError: <ldap0.controls.pwdpolicy.PasswordExpiredControl object
at 0x7f3066e5a9a0> is not an instance of <class
'ldap0.controls.pwdpolicy.PasswordExpiringControl'>
======================================================================
FAIL: test002_pwdpolicy_expired (tests.test_ppolicy.TestPwdPolicy)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/home/michael/Proj/ae-dir/python-ldap0/tests/test_ppolicy.py",
line 308, in test002_pwdpolicy_expired
l.simple_bind_s(self.user_dn, user_password.encode('utf-8'))
AssertionError: INVALID_CREDENTIALS not raised
8:31 a.m.
On Tue, May 04, 2021 at 12:07:20PM +0200, Michael Ströder wrote:
Still I have failures in my draft-vchu-ldap-pwd-policy tests (see
below). These might be related to ITS#9279, though I'm not sure. Any
changes in this area?
Don't know, my guess is compare it with tests/scripts/test022-ppolicy
to see what the difference is between it and what you're doing.
Don't think this applies here, but a lot of ppolicy behaviour changes
based on whether you're classed as a "password administrator" (having
"manage" access to the password attribute on the entry), see ITS#7084
and the ppolicy draft. It it makes a difference, it's possible that some
of this is interfering, or that it's intentional, will probably have to
decide on a case by case basis.
--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
943
days inactive
946
days old
6 comments
3 participants
participants (3)
-
Michael Ströder -
Ondřej Kuzník -
smckinney@symas.com