
V4/One-way trust/Test Plan

Name: V4/One-way trust/Test Plan
Target version: 4.2.0
Design: [[1]]
Reviewer: missing
Last updated: 2016-12-7 by Lryznaro


Test Plan

Common setup

Running IPA installation with freeipa-server-trust-ad package (example domain ipatest.com)

Running AD installations - root domain (adtest.com), subdomain (sub.adtest.com), tree root domain (adtree.com).

Test case: Try to retrieve a nonexistent trust

Autotest

{{{autotest}}}

Setup

Trust 'nonexistent.com' does not exist.

Actions

 $ ipa trust-show nonexistent.com

Expected results

No matching entry found.

Test case: Try to search for a nonexistent trust

Autotest

{{{autotest}}}

Setup

Trust 'nonexistent.com' does not exist.

Actions

 $ ipa trust-find nonexistent.com

Expected results

No entries found.

Test case: Try to delete a nonexistent trust

Autotest

{{{autotest}}}

Setup

Trust 'nonexistent.com' does not exist.

Actions

 $ ipa trust-del nonexistent.com

Expected results

No matching entry found.

Test case: Try to create a trust

Autotest

{{{autotest}}}

Setup

Trust between ipatest.com and adtest.com does not exist.

Actions

 $ ipa trust-add --type=ad "adtest.com" --admin Administrator --password

Insert adtest.com administrator password.

Expected results

Trust is successfully established.

Test case: Try to delete an existing trust

Autotest

{{{autotest}}}

Setup

Trust between ipatest.com and adtest.com is established.

Actions

 $ ipa trust-del adtest.com 

Expected results

Trust is successfully deleted.

Test case: Try to search for an existing trust

Autotest

{{{autotest}}}

Setup

Trust between ipatest.com and adtest.com is established.

Actions

 $ ipa trust-find adtest.com

Expected results

Trust is found.

Test case: Try to search for an existing trust with --all

Autotest

{{{autotest}}}

Setup

Trust between ipatest.com and adtest.com is established.

Actions

 $ ipa trust-find adtest.com --all

Expected results

Trust is found.

Test case: Try to search for an existing trust with --raw

Autotest

{{{autotest}}}

Setup

Trust between ipatest.com and adtest.com is established.

Actions

 $ ipa trust-find adtest.com --raw

Expected results

Trust is found.

Test case: Try to search for an existing trust with --realm

Autotest

{{{autotest}}}

Setup

Trust between ipatest.com and adtest.com is established.

Actions

 $ ipa trust-find --realm=adtest.com

Expected results

Trust is found.

Test case: Try to retrieve an existing trust

Autotest

{{{autotest}}}

Setup

Trust between ipatest.com and adtest.com is established.

Actions

 $ ipa trust-show adtest.com

Expected results

Trust is retrieved.

Test case: Try to retrieve an existing trust with --all

Autotest

{{{autotest}}}

Setup

Trust between ipatest.com and adtest.com is established.

Actions

 $ ipa trust-show adtest.com --all

Expected results

Trust is retrieved.

Test case: Try to retrieve an existing trust with --raw

Autotest

{{{autotest}}}

Setup

Trust between ipatest.com and adtest.com is established.

Actions

 $ ipa trust-show adtest.com --raw

Expected results

Trust is retrieved.

Test case: Try to retrieve an existing trust with --rights --all

Autotest

{{{autotest}}}

Setup

Trust between ipatest.com and adtest.com is established.

Actions

 $ ipa trust-show adtest.com --rights --all

Expected results

Trust is retrieved.

Test case: Try to retrieve global trust configuration

Autotest

{{{autotest}}}

Setup

Trust between ipatest.com and adtest.com is established.

Actions

 $ ipa trustconfig-show --type ad

Expected results

Trust configuration is displayed.

Test case: Try to change fallback primary group in global trust configuration

Autotest

{{{autotest}}}

Setup

Trust between ipatest.com and adtest.com is established. Group 'alternative AD group' exists.

Actions

 $ ipa trustconfig-mod --type=ad --fallback-primary-group="alternative AD group"

Expected results

Fallback primary group is now 'alternative AD group'.

Test case: Try to change fallback primary group to nonexistent group in global trust configuration

Autotest

{{{autotest}}}

Setup

Trust between ipatest.com and adtest.com is established. Group 'nonexistent group' does not exist.

Actions

 $ ipa trustconfig-mod --type=ad --fallback-primary-group="nonexistent group"

Expected results

Should fail: group not found.

Test case: Try to modify a trust using setattr

Autotest

{{{autotest}}}

Setup

Trust between ipatest.com and adtest.com is established.

Actions

 $ ipa trust-mod adtest.com --setattr="uidnumber=666"

Expected results

Attribute 'uidnumber' is updated.

Test case: Try to modify a trust using setattr on invalid attribute

Autotest

{{{autotest}}}

Setup

Trust between ipatest.com and adtest.com is established.

Actions

 $ ipa trust-mod adtest.com --setattr="invalid=666"

Expected results

Should fail: attribute "invalid" not allowed.

Test case: Try to modify a trust using addattr

Autotest

{{{autotest}}}

Setup

Trust between ipatest.com and adtest.com is established.

Actions

 $ ipa trust-mod adtest.com --addattr="gidnumber=666"

Expected results

Attribute is added and set.

Test case: Try to modify a trust using addattr with invalid attribute

Autotest

{{{autotest}}}

Setup

Trust between ipatest.com and adtest.com is established.

Actions

 $ ipa trust-mod adtest.com --addattr="invalid=666"

Expected results

Should fail: attribute "invalid" not allowed.

Test case: Try to modify a trust using delattr with nonexistent attribute

Autotest

{{{autotest}}}

Setup

Trust between ipatest.com and adtest.com is established.

Actions

 $ ipa trust-mod adtest.com --delattr="invalid=666"

Expected results

Should fail: invalid 'invalid': No such attribute on this entry

Test case: Try to modify a trust using delattr

Autotest

{{{autotest}}}

Setup

Trust between ipatest.com and adtest.com is established. Attribute 'gidnumber' with value of 666 has been added to the trust.

Actions

 $ ipa trust-mod adtest.com --delattr="gidnumber=666"

Expected results

Attribute 'gidnumber' is deleted.

Test case: Try to fetch domains associated with trust

Autotest

{{{autotest}}}

Setup

Trust between ipatest.com and adtest.com is established.

Actions

 $ ipa trust-fetch-domains adtest.com

Expected results

List of domains associated with the trust is successfully refreshed.

Test case: Try to remove information about a domain associated with trust

Autotest

{{{autotest}}}

Setup

Trust between ipatest.com and adtest.com is established. Domain 'domain.com' is associated with the trust.

Actions

 $ ipa trustdomain-del adtest.com domain.com

Expected results

Information about domain 'domain.com' is removed.

Test case: Try to disable use of IPA resources by domain of a trust

Autotest

{{{autotest}}}

Setup

Trust between ipatest.com and adtest.com is established. Domain 'domain.com' is associated with the trust.

Actions

 $ ipa trustdomain-disable adtest.com domain.com

Expected results

Use of IPA resources by domain 'domain.com' is disabled.

Test case: Try to allow use of IPA resources by domain of a trust

Autotest

{{{autotest}}}

Setup

Trust between ipatest.com and adtest.com is established. Domain 'domain.com' is associated with the trust.

Actions

 $ ipa trustdomain-enable adtest.com domain.com

Expected results

Use of IPA resources by domain 'domain.com' is enabled.

Test case: Try to find domain of a trust

Autotest

{{{autotest}}}

Setup

Trust between ipatest.com and adtest.com is established.

Actions

 $ ipa trustdomain-find adtest.com

Expected results

All domains associated with the trust are found: root domain, subdomain and tree root domain.

Test case: Try to access AD LDAP as IPA user

Autotest

{{{autotest}}}

Setup

Trust between ipatest.com and adtest.com is established.

Actions

Kinit as IPA user. Try to access AD LDAP.

Expected results

Should not be able to access AD LDAP.

Test case: Try to resolve AD user via SSSD

Autotest

{{{autotest}}}

Setup

Trust between ipatest.com and adtest.com is established.

Actions

Try to resolve AD user via SSSD.

Expected results

Should be successful.

Test case: Try to authenticate to AD

Autotest

{{{autotest}}}

Setup

Trust between ipatest.com and adtest.com is established.

Actions

Try to kinit using keytab in /var/lib/sss/keytabs/adtest.com.keytab and Kerberos principal IPATEST$@ADTEST.COM (where IPATEST is IPA domain's NetBIOS name). Try to access AD LDAP using these credentials.

Expected results

Both steps should be successful.

Test case: Try to obtain ticket to IPA domain

Autotest

{{{autotest}}}

Setup

Trust between ipatest.com and adtest.com is established.

Actions

Enable/disable subdomain or a trust. Try to obtain host/ipamaster.ipatest.com@IPATEST.COM as User@CHILD.ADTEST.COM using kvno command.

Expected results

If AD subdomain is disabled, you should not be able to obtain the ticket.

External trust test cases

Test case: Verify that nonexternal trust cannot be established with subdomain

Autotest

{{{autotest}}}

Setup

Actions

 $ ipa trust-add --type=ad "sub.adtest.com" --admin Administrator --password

Expected results

Should not establish trust.

Test case: Verify that external trust can be established with subdomain

Autotest

{{{autotest}}}

Setup

Actions

 $ ipa trust-add --type=ad "sub.adtest.com" --admin Administrator --password --external

Expected results

Trust should be established.

Test case: Verify that nonexternal trust cannot be established with tree root domain

Autotest

{{{autotest}}}

Setup

Actions

 $ ipa trust-add --type=ad "adtree.com" --admin Administrator --password

Expected results

Should not establish trust.

Test case: Verify that external trust can be established with tree root domain

Autotest

{{{autotest}}}

Setup

Actions

 $ ipa trust-add --type=ad "adtree.com" --admin Administrator --password --external

Expected results

Trust should be established.

Test case: Verify that external trust can be established with root domain

Autotest

{{{autotest}}}

Setup

Actions

 $ ipa trust-add --type=ad "adtest.com" --admin Administrator --password --external

Expected results

Trust should be established.

Test case: Verify that external trust with root domain is limited to root domain only

Autotest

{{{autotest}}}

Setup

External trust between root AD domain and IPA server is established.

Actions

 $ ipa trustdomain-find adtest.com

Expected results

Only root domain should be listed.
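
An added example, not part of the original test plan: a shell check of `ipa trustdomain-find` output that covers this test case and the earlier "Try to find domain of a trust" case. The sample outputs are constructed, and the helper names `trust_domains` and `check_scope` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original test plan): verify which domains a
# trust exposes by parsing `ipa trustdomain-find` output.

# Constructed sample outputs; the "Label: value" layout is an assumption
# modelled on the ipa CLI.
sample_forest_trust() {
cat <<'EOF'
  Domain name: adtest.com
  Domain enabled: True

  Domain name: sub.adtest.com
  Domain enabled: True

  Domain name: adtree.com
  Domain enabled: True
EOF
}

sample_external_trust() {
cat <<'EOF'
  Domain name: adtest.com
  Domain enabled: True
EOF
}

# Print the domain names found on stdin, lower-cased and sorted.
trust_domains() {
    awk '/^[ \t]*Domain name:/ { print tolower($NF) }' | sort
}

# check_scope "<expected domains>" < trustdomain-find output
# Succeeds only when the listed set equals the expected set exactly, so an
# extra domain (trust wider than intended) fails as well as a missing one.
check_scope() {
    expected=$(printf '%s\n' $1 | tr 'A-Z' 'a-z' | sort)
    actual=$(trust_domains)
    if [ "$expected" = "$actual" ]; then
        return 0
    fi
    echo "unexpected trust scope, listed domains: $(echo $actual)" >&2
    return 1
}

# On a live server: ipa trustdomain-find adtest.com | check_scope "adtest.com"
sample_forest_trust   | check_scope "adtest.com sub.adtest.com adtree.com" &&
    echo "forest trust: root, subdomain and tree root listed"
sample_external_trust | check_scope "adtest.com" &&
    echo "external trust: root domain only"
```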

Test case: Verify that users in AD domains with which external trust is established can be resolved

Autotest

{{{autotest}}}

Setup

External trust between AD domain and IPA server is established.

Actions

Try to resolve AD users that belong to trusted domain using getent command.

Expected results

Users should be resolved.

Test case: Verify that users in AD domain with which external trust is established can authenticate

Autotest

{{{autotest}}}

Setup

External trust between AD domain and IPA server is established.

Actions

Try to kinit as AD users that belong to trusted domain.

Expected results

Users should be able to authenticate.

Test case: Remove external trust

Autotest

{{{autotest}}}

Setup

External trust between AD domain and IPA server is established.

Actions

Delete the trust using trust-del command.

Expected results

Trust should be deleted.

Trust with UPN test cases

Test case: Resolve a user with UPN

Autotest

{{{autotest}}}

Setup

Trust with the root AD domain is established. User with UPN (testuser@upnuser.com) must exist in the root AD domain.

Actions

Try to resolve the user with UPN using getent command.

Expected results

User should be resolved.

Test case: Authenticate as user with UPN

Autotest

{{{autotest}}}

Setup

Trust with the root AD domain is established. User with UPN (testuser@upnuser.com) must exist in the root AD domain.

Actions

Try to kinit as user with UPN.

Expected results

Authentication should be successful.