
V4/Kerberos principal aliases/Test Plan

Name: V4/Kerberos principal aliases/Test Plan
Target version: 4.4.0
Design: V4/Kerberos_principal_aliases
Reviewer: missing
Last updated: 2016-07-28 by Milan Kubik

Kerberos principal aliases support

The test cases cover basic manipulation of aliases for service, host and user entries, authentication against an aliased service, and authentication of a user with an alias. The plan also covers several scenarios that are not allowed and checks that the request is correctly denied.

Test case: Create User Principal alias

Setup

test_user user exists

Actions

$ ipa user-add-principal test_user test_user_alias@REALM.COM
$ kinit -C test_user_alias@REALM.COM

Expected results

1. Alias is added
2. User can authenticate with the alias

Test case: Create Service Principal alias

Setup

test_service exists

Actions

$ ipa service-add-principal test_service http/test_service_alias.domain.com@REALM.COM
$ ipa-getkeytab -p http/test_service_alias.domain.com -k test-service.keytab
$ kinit -C -k -t test-service.keytab http/test_service_alias.domain.com@REALM.COM

Expected results

1. Alias is added
2. Keytab can be retrieved for the alias
3. Service alias principal can authenticate with the alias against the KDC

Test case: Create Host Principal alias

Setup

the host entry used for the test exists

Actions

$ ipa host-add-principal test_host.domain.com host/test_host_alias.domain.com@REALM.COM
$ ipa-getkeytab -p host/test_host_alias.domain.com -k test-host.keytab
$ kinit -C -k -t test-host.keytab host/test_host_alias.domain.com@REALM.COM

Expected results

1. Alias is added
2. Keytab can be retrieved for the alias
3. Host alias principal can authenticate with the alias against the KDC

Test case: Authenticate against aliased service

Setup

a test service entry exists

Actions

1. Add an alias for a service

$ ipa service-add-principal test_service http/test_service_alias.domain.com

2. Get a TGT for an ordinary user

$ kinit test_user

3. Get a service ticket from the aliased service

$ kvno http/test_service_alias.domain.com

Expected results

1. Alias is added
3. The service ticket contains the aliased principal name (see RFC 6806, section 6: https://tools.ietf.org/html/rfc6806.html#section-6)

Test case: Create a user that conflicts with an alias

Setup

user test1 with alias test2 exists

Actions

1. Add user test2

Expected results

1. user-add should fail

Test case: Add the same alias to two different entries

Setup

users test1 and test2 exist

Actions

1. Add alias test-alias to test1
2. Add alias test-alias to test2

Expected results

1. First alias is created
2. Second alias is refused

Test case: Remove an alias that corresponds to the canonical name

Setup

Actions

1. Add user 'tuser'
2. Remove alias 'tuser' from user 'tuser'

Expected results

2. Operation fails

Test case: Enterprise principal shouldn't overlap trusted domain's UPN

Setup

Create a domain entry for 'trusted.domain.upn' in the LDAP database

Actions

1. Create test user 'tuser@realm.com'
2. Add principal alias 'tuser\@trusted.domain.upn@REALM.COM'

Expected results

2. Operation fails.

Test case: Enterprise principal shouldn't overlap trusted domain's realm

Setup

Create a domain entry for 'trusted.domain.tld' in the LDAP database

Actions

1. Create test user 'tuser@realm.com'
2. Add principal alias 'tuser\@trusted.domain.tld@REALM.COM'

Expected results

2. Operation fails.

Test case: Enterprise principal shouldn't overlap trusted domain's NETBIOS name

Setup

Create a domain entry for 'trusted.domain.tld' in the LDAP database

Actions

1. Create test user 'tuser@realm.com'
2. Add principal alias 'tuser\@TRUSTED@REALM.COM'

Expected results

2. Operation fails.

Test case: Adding an alias to an entry lacking the krbcanonicalname attribute populates it with the krbprincipalname value

Setup

Actions

1. Create test user 'tuser@realm.com'
2. Using an LDAP modify operation, delete the krbcanonicalname attribute from the user entry
3. Add a principal alias to the user entry.
4. Check for the value of krbcanonicalname

Expected results

4. The krbcanonicalname attribute is populated with the krbprincipalname value.
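The refusal rules exercised by the negative test cases above (alias conflicting with a user, one alias on two entries, removing the canonical name, enterprise-style aliases overlapping a trusted domain's UPN suffix, realm or NetBIOS name) and the krbcanonicalname back-fill, modelled in a small Python example added here; it is hypothetical code, not FreeIPA's implementation. The PrincipalStore class, its entry layout and the is_refused helper are assumptions; the principals and trusted domain names are the constructed values from the test cases.

```python
import re

class AliasError(ValueError):
    """Raised when an alias operation must be refused."""
def local_part(principal):
    """Name before the unescaped '@' that introduces the realm. A backslash-escaped
    '\\@' inside an enterprise-style name ('tuser\\@trusted.domain.upn@REALM.COM') stays."""
    m = re.match(r"(?:\\.|[^@\\])+", principal)
    return m.group(0) if m else ""

class PrincipalStore:
    """Hypothetical in-memory model of the alias rules this test plan exercises."""
    def __init__(self, realm, trusted_names=()):
        self.realm = realm
        # UPN suffixes, realm names and NetBIOS names of trusted domains (case-insensitive)
        self.trusted = {n.lower() for n in trusted_names}
        self.entries = {}  # entry id -> {"krbcanonicalname": str|None, "krbprincipalname": set}

    def _in_use(self, principal):
        return any(principal in e["krbprincipalname"] for e in self.entries.values())

    def add_entry(self, name):
        principal = f"{name}@{self.realm}"
        if self._in_use(principal):  # collides with another entry's canonical name or alias
            raise AliasError(f"{principal} already exists")
        self.entries[name] = {"krbcanonicalname": principal, "krbprincipalname": {principal}}

    def add_alias(self, name, alias):
        entry, local = self.entries[name], local_part(alias)
        if "\\@" in local and local.rsplit("\\@", 1)[1].lower() in self.trusted:
            raise AliasError(f"{alias} overlaps a trusted domain name")
        if self._in_use(alias):
            raise AliasError(f"{alias} is already in use")
        if entry["krbcanonicalname"] is None:  # entry created before krbcanonicalname existed
            entry["krbcanonicalname"] = sorted(entry["krbprincipalname"])[0]
        entry["krbprincipalname"].add(alias)

    def remove_alias(self, name, alias):
        entry = self.entries[name]
        if alias == entry["krbcanonicalname"]:
            raise AliasError("the canonical name cannot be removed")
        entry["krbprincipalname"].discard(alias)

def is_refused(operation, *args):  # True when the store rejects the operation
    try:
        operation(*args)
        return False
    except AliasError:
        return True
```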