
V4/Certs in ID overrides/Test Plan

Name: V4/Certs in ID overrides/Test Plan
Target version: 4.4.0
Design: V4/Certs_in_ID_overrides
Reviewer: Incomplete
Last updated: 2016-10-25 by Ofayans

Overview

ID views are placeholders for storing external user identities (coming from Active Directory domains with which a trust is established). By default, when a trust is established, no user records are created in IPA for AD users. If an admin wants to set up per-user attributes for AD users, such as public SSH keys or SSL certificates, they need to explicitly create an idoverrideuser entity for the external user in either the default ID view for the trust, "Default Trust View", or some custom ID view. These entities can then be used to store keys and certs.

Test Plan

Test case: Manipulate certificate in ID override entry

Setup

  1. Set up an IPA master and create a trust with an existing AD domain.
  2. Create an ID view in IPA and add an AD user. Make sure the ID view is applied to the IPA master host.
  3. Create a new certificate profile for users:
    ipa certprofile-show caIPAserviceCert --out=caIPAuserCert.txt
    sed -i "s/profileId=caIPAserviceCert/profileId=caIPAuserCert/" caIPAuserCert.txt
    ipa certprofile-import caIPAuserCert --file=caIPAuserCert.txt --store=True
  4. Create a certificate database folder and a password file:
    mkdir certs
    touch certs/pwd
  5. Generate a new certificate for the AD user
    certutil -d certs -N -f certs/pwd
    certutil -S -s "cn=testuser,dc=ad,dc=test" -n MyCert -x -t "CT,C,C" -v 120 -m 1234 -d certs -f certs/pwd
    certutil -L -d certs -n MyCert -a > mycert.crt
  6. Repeat previous step to generate one more certificate for the same user

Actions

  1. Create an idoverrideuser for AD user:
    ipa idoverrideuser-add "Default Trust View" testuser@%ad.domain_name%
  2. Add a certificate you created during step 5 of the Setup to this idoverrideuser:
    ipa idoverrideuser-add-cert 'Default Trust View' testuser@%ad.domain_name% --certificate="$(openssl x509 -outform der -in mycert.crt | base64 -w 0)"
  3. Try to add the same cert again to the same user
  4. Add second certificate to the same idoverrideuser.
  5. Remove this cert from the user
    ipa idoverrideuser-remove-cert 'Default Trust View' testuser@%ad.domain_name% --certificate="$saved_certificate_text"
  6. Remove the first certificate as well

Expected results

  1. The step should succeed
  2. The step should succeed
  3. The step should fail
    ipa: ERROR: 'usercertificate;binary' already contains one or more values
  4. The step should succeed
  5. The step should succeed
  6. The step should succeed

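The add/re-add/remove sequence in the Actions above turns on two details: the value passed to --certificate= is base64-encoded DER (which is exactly what a PEM body already is, so the openssl pipeline only re-encodes it on one line), and the duplicate in step 3 is rejected because the attribute compares certificates by value. The following Python model is added here and is not part of the FreeIPA test plan or of FreeIPA itself: it converts a PEM file to the --certificate= argument, validates that the blob is one complete DER SEQUENCE, and replays the six Actions against an in-memory idoverrideuser. The "certificates" are constructed stand-in DER blobs (a SEQUENCE holding one INTEGER), not real X.509 certificates, and the class and function names are this example's own.

```python
import base64
import re

# Constructed stand-in "certificates": each is a DER SEQUENCE holding one INTEGER,
# not a real X.509 certificate. PEM wraps the base64 of the DER bytes, so the armor
# is enough to exercise the conversion. CERT_A_PEM_REWRAPPED is the same blob with
# different line breaks, which must still count as the same certificate.
CERT_A_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
CERT_A_PEM_REWRAPPED = "-----BEGIN CERTIFICATE-----\nMAMC\nAQE=\n-----END CERTIFICATE-----\n"
CERT_B_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQI=\n-----END CERTIFICATE-----\n"

PEM_RE = re.compile(r'-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----', re.S)


def check_der_sequence(der):
    """Refuse anything that is not exactly one complete DER SEQUENCE (tag 0x30)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad DER length encoding")
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if header + length != len(der):
        raise ValueError("DER length %d does not match %d bytes of data" % (length, len(der)))


def pem_to_der(pem):
    """Strip the PEM armor and decode the body; a PEM body is base64 of the DER."""
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    check_der_sequence(der)
    return der


def ipa_cert_arg(pem):
    """The value --certificate= takes: base64 DER on a single line, the same
    thing `openssl x509 -outform der -in f | base64 -w 0` prints."""
    return base64.b64encode(pem_to_der(pem)).decode("ascii")


class IdOverrideUser:
    """In-memory model of an idoverrideuser's usercertificate;binary attribute."""

    def __init__(self, anchor):
        self.anchor = anchor
        self.certs = []  # DER bytes, compared by value

    def add_cert(self, b64der):
        der = base64.b64decode(b64der, validate=True)
        check_der_sequence(der)
        if der in self.certs:
            raise ValueError("'usercertificate;binary' already contains one or more values")
        self.certs.append(der)

    def remove_cert(self, b64der):
        der = base64.b64decode(b64der, validate=True)
        if der not in self.certs:
            raise ValueError("no such certificate on %s" % self.anchor)
        self.certs.remove(der)


def run_actions():
    """Replay Actions 1-6; True means the step succeeded, False that it failed."""
    user = IdOverrideUser("testuser@ad.test")  # step 1: the override now exists
    outcomes = [True]
    first, second = ipa_cert_arg(CERT_A_PEM), ipa_cert_arg(CERT_B_PEM)
    # step 3 re-adds the first certificate from a differently wrapped PEM file
    steps = [
        (user.add_cert, first),                              # step 2
        (user.add_cert, ipa_cert_arg(CERT_A_PEM_REWRAPPED)),  # step 3
        (user.add_cert, second),                             # step 4
        (user.remove_cert, second),                          # step 5
        (user.remove_cert, first),                           # step 6
    ]
    for action, arg in steps:
        try:
            action(arg)
            outcomes.append(True)
        except ValueError:
            outcomes.append(False)
    return outcomes


if __name__ == "__main__":
    print(run_actions())
```

run_actions() returns [True, True, False, True, True, True], matching the Expected results list: only step 3 fails, and it fails even though the re-added file is wrapped differently, because the comparison happens on the decoded DER, not on the text of the PEM file.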

Test case: User lookup by certificate

Setup

  1. Install sssd-dbus
  2. Edit /etc/sssd/sssd.conf so that the "services" line looks like this:
    services = nss, sudo, pam, ssh, ifp
  3. Restart sssd
  4. Follow the previous test case to create an ID override for a Windows user and add a certificate to it.
  5. Run the command and copy the stdout to the clipboard:
    openssl x509 -in %cert_file% -outform pem

Actions

  1. Run the command and copy the user path from its output to the clipboard:
    dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:%clipboard_content%
  2. Run the command:
    dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe %clipboard_content% org.freedesktop.DBus.Properties.Get string:"org.freedesktop.sssd.infopipe.Users.User" string:"name"
  3. Run the command:
    dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe %clipboard_content% org.freedesktop.DBus.Properties.GetAll string:"org.freedesktop.sssd.infopipe.Users.User"

Expected results

  1. The output should contain the dbus user path, something like "/org/freedesktop/sssd/infopipe/Users/ipa_2edevel/240600004"
  2. The output should contain username in the format "%username%@%AD_domain%"
  3. The output should contain an array of user properties; for the format, please refer to Lookup Users By Certificate
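When this test case is automated, the three dbus-send replies have to be read back rather than copied through a clipboard. The following Python parser is added here and is not part of the test plan, SSSD or FreeIPA: it pulls the object path out of the FindByCertificate reply, splits it into domain and UID, reads the single variant that Properties.Get returns and the a{sv} dictionary that Properties.GetAll returns, and checks that the name has the "%username%@%AD_domain%" shape. The three sample replies are constructed in the shape dbus-send --print-reply prints, not captured from a real host, and the rule that "ipa_2edevel" in the path stands for the domain "ipa.devel" (a non-alphanumeric byte escaped as _XX hex) is an assumption drawn from the sample path in Expected results step 1.

```python
import re

# Constructed sample replies in the shape dbus-send --print-reply prints;
# they were not captured from a real SSSD host.
FIND_REPLY = (
    'method return time=1477400000.000000 sender=:1.42 -> '
    'destination=:1.57 serial=5 reply_serial=2\n'
    '   object path "/org/freedesktop/sssd/infopipe/Users/ipa_2edevel/240600004"\n'
)
GET_REPLY = (
    'method return time=1477400001.000000 sender=:1.42 -> '
    'destination=:1.57 serial=6 reply_serial=2\n'
    '   variant       string "testuser@ad.test"\n'
)
GETALL_REPLY = (
    'method return time=1477400002.000000 sender=:1.42 -> '
    'destination=:1.57 serial=7 reply_serial=2\n'
    '   array [\n'
    '      dict entry(\n'
    '         string "name"\n'
    '         variant             string "testuser@ad.test"\n'
    '      )\n'
    '      dict entry(\n'
    '         string "uidNumber"\n'
    '         variant             uint32 240600004\n'
    '      )\n'
    '      dict entry(\n'
    '         string "homeDirectory"\n'
    '         variant             string "/home/ad.test/testuser"\n'
    '      )\n'
    '   ]\n'
)

USERS_PREFIX = "/org/freedesktop/sssd/infopipe/Users/"
OBJECT_PATH_RE = re.compile(r'object path "([^"]+)"')
VARIANT_RE = re.compile(r'variant\s+(\w+)\s+(.+)')
DICT_ENTRY_RE = re.compile(
    r'dict entry\(\s*string "([^"]+)"\s*variant\s+(\w+)\s+(.+?)\s*\)', re.S)
INT_TYPES = {"byte", "int16", "uint16", "int32", "uint32", "int64", "uint64"}


def decode_value(dtype, text):
    """Turn the textual D-Bus value dbus-send printed into a Python value."""
    text = text.strip()
    if dtype == "string":
        return text.strip('"')
    if dtype in INT_TYPES:
        return int(text)
    if dtype == "boolean":
        return text == "true"
    return text  # types this helper does not know stay as text


def parse_object_path(reply):
    """Step 1: the object path FindByCertificate returned."""
    m = OBJECT_PATH_RE.search(reply)
    if m is None:
        raise ValueError("reply carries no object path; was the certificate found?")
    return m.group(1)


def unescape_component(component):
    # Assumption drawn from the sample path in the plan: a byte that is not
    # alphanumeric is encoded as _XX (hex) in a path component, so
    # "ipa_2edevel" stands for the domain "ipa.devel".
    return re.sub(r'_([0-9a-fA-F]{2})',
                  lambda m: chr(int(m.group(1), 16)), component)


def split_user_path(path):
    """Break a Users object path into (domain, uid)."""
    if not path.startswith(USERS_PREFIX):
        raise ValueError("not an InfoPipe user path: %s" % path)
    domain, sep, uid = path[len(USERS_PREFIX):].partition("/")
    if not sep or not uid.isdigit():
        raise ValueError("malformed user path: %s" % path)
    return unescape_component(domain), int(uid)


def parse_variant(reply):
    """Step 2: the single variant Properties.Get returns."""
    m = VARIANT_RE.search(reply)
    if m is None:
        raise ValueError("reply carries no variant")
    return decode_value(m.group(1), m.group(2))


def parse_get_all(reply):
    """Step 3: the a{sv} dictionary Properties.GetAll returns."""
    return {key: decode_value(dtype, raw)
            for key, dtype, raw in DICT_ENTRY_RE.findall(reply)}


def name_is_qualified(name, ad_domain):
    """Expected result 2: the name must read %username%@%AD_domain%."""
    user, sep, domain = name.partition("@")
    return bool(user) and sep == "@" and domain.lower() == ad_domain.lower()


if __name__ == "__main__":
    path = parse_object_path(FIND_REPLY)
    print(path, split_user_path(path))
    print(parse_variant(GET_REPLY), parse_get_all(GETALL_REPLY))
```

Feeding the real replies in is a matter of running each dbus-send command through subprocess and passing its stdout to the matching parser; the object path from the first reply is what the second and third commands take in place of %clipboard_content%.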