Test_Plan


Overview

ID views are placeholders for storing external user identities (coming from the Active Directory domains with which a trust is established). By default, when a trust is established, no user records are created for AD users in IPA. If an admin wants to set up per-user attributes for AD users, such as public SSH keys or SSL certificates, they need to explicitly create an idoverrideuser entity for the external user in either the default ID view for the trust, “Default Trust View”, or some custom ID view. These entities can then be used to store keys and certs.

Test Plan

Setup

  1. Set up an IPA master and create a trust with an existing AD.

  2. Create an ID view in IPA and add an AD user. Make sure the ID view is applied to the IPA master host.

  3. Create a new certificate profile for users:

    ipa certprofile-show caIPAserviceCert --out=caIPAuserCert.txt
    
    sed -i "s/profileId=caIPAserviceCert/profileId=caIPAuserCert/" caIPAuserCert.txt
    
    ipa certprofile-import caIPAuserCert --file=caIPAuserCert.txt --store=True
    
  4. Create a certificate database folder and a password file:

    mkdir certs
    
    touch certs/pwd
    
  5. Generate a new certificate for the AD user:

    certutil -d certs -N -f certs/pwd
    
    certutil -S -s "cn=testuser,dc=ad,dc=test" -n MyCert -x -t "CT,C,C" -v 120 -m 1234 -d certs -f certs/pwd
    
    certutil -L -d certs -n MyCert -a > mycert.crt
    
  6. Repeat the previous step to generate one more certificate for the same user.

Actions

  1. Create an idoverrideuser for the AD user:

    ipa idoverrideuser-add "Default Trust View" testuser@%ad.domain_name%
    
  2. Add a certificate you created during step 5 of the Setup to this idoverrideuser:

    ipa idoverrideuser-add-cert 'Default Trust View' testuser@%ad.domain_name% --certificate="$(openssl x509 -outform der -in mycert.crt | base64 -w 0)"
    
  3. Try to add the same cert again to the same user.

  4. Add second certificate to the same idoverrideuser.

  5. Remove this cert from the user:

    ipa idoverrideuser-remove-cert 'Default Trust View' %username% --certificate="$saved_certificate_text"
    
  6. Remove the first certificate as well.

Results

  1. The step should succeed

  2. The step should succeed

  3. The step should fail

    ipa: ERROR: 'usercertificate;binary' already contains one or more values
    
  4. The step should succeed

  5. The step should succeed

  6. The step should succeed
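
The six actions and the results listed for them, written as a script. This is an added example, not part of the original test plan or of FreeIPA's test suite; the function names and the name of the second certificate file are assumptions, and it expects to run on an enrolled host with an admin Kerberos ticket.

```bash
#!/bin/bash
# Added example, not FreeIPA's own test code; function names are hypothetical.

# Print a PEM certificate as one-line base64 DER, the value --certificate
# takes. The PEM body already is base64 of the DER, so for a single
# certificate, dropping the armor lines and line breaks gives the same
# string as `openssl x509 -outform der | base64 -w 0`.
pem_to_b64der() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/{/^-----/!p;}' "$1" |
        tr -d ' \r\n'
}

# expect_result succeed|fail CMD...: run CMD and compare its exit status
# with the result the plan lists for that step.
expect_result() {
    want=$1; shift
    if "$@" >/dev/null 2>&1; then got=succeed; else got=fail; fi
    [ "$got" = "$want" ] || { echo "FAIL (expected $want): $*" >&2; return 1; }
}

# run_actions VIEW USER CERT1.pem CERT2.pem: actions 1-6, stopping at the
# first step whose outcome differs from the plan.
run_actions() {
    view=$1 user=$2
    c1=$(pem_to_b64der "$3") c2=$(pem_to_b64der "$4")
    expect_result succeed ipa idoverrideuser-add "$view" "$user" &&
    expect_result succeed ipa idoverrideuser-add-cert "$view" "$user" --certificate="$c1" &&
    expect_result fail    ipa idoverrideuser-add-cert "$view" "$user" --certificate="$c1" &&
    expect_result succeed ipa idoverrideuser-add-cert "$view" "$user" --certificate="$c2" &&
    expect_result succeed ipa idoverrideuser-remove-cert "$view" "$user" --certificate="$c2" &&
    expect_result succeed ipa idoverrideuser-remove-cert "$view" "$user" --certificate="$c1"
}

# Runs only when called with the four arguments, e.g.
#   ./check.sh "Default Trust View" testuser@%ad.domain_name% mycert.crt second.crt
# (second.crt is an assumed name for the certificate from setup step 6).
if [ "$#" -eq 4 ]; then run_actions "$@"; fi
```

The duplicate add in the third call is the only step expected to fail, so a server that silently accepts the same certificate twice stops the run there.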
