diff options
Diffstat (limited to 'src/tests/t_kdb.py')
-rwxr-xr-x | src/tests/t_kdb.py | 26 |
1 files changed, 25 insertions, 1 deletions
diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py index 03ee70f..caa7e9d 100755 --- a/src/tests/t_kdb.py +++ b/src/tests/t_kdb.py @@ -319,19 +319,43 @@ realm.klist(realm.user_princ, realm.host_princ) mark('LDAP auth indicator') -# Test auth indicator support +# Test require_auth normalization. realm.addprinc('authind', password('authind')) realm.run([kadminl, 'setstr', 'authind', 'require_auth', 'otp radius']) +# Check that krbPrincipalAuthInd attributes are set when the string +# attribute it set. out = ldap_search('(krbPrincipalName=authind*)') if 'krbPrincipalAuthInd: otp' not in out: fail('Expected krbPrincipalAuthInd value not in output') if 'krbPrincipalAuthInd: radius' not in out: fail('Expected krbPrincipalAuthInd value not in output') +# Check that the string attribute still appears when the principal is +# loaded. realm.run([kadminl, 'getstrs', 'authind'], expected_msg='require_auth: otp radius') +# Modify the LDAP attributes and check that the change is reflected in +# the string attribute. +ldap_modify('dn: krbPrincipalName=authind@KRBTEST.COM,cn=t1,cn=krb5\n' + 'changetype: modify\n' + 'replace: krbPrincipalAuthInd\n' + 'krbPrincipalAuthInd: radius\n' + 'krbPrincipalAuthInd: pkinit\n') +realm.run([kadminl, 'getstrs', 'authind'], + expected_msg='require_auth: radius pkinit') + +# Regression test for #8877: remove the string attribute and check +# that it is reflected in the LDAP attributes and by getstrs. +realm.run([kadminl, 'delstr', 'authind', 'require_auth']) +out = ldap_search('(krbPrincipalName=authind*)') +if 'krbPrincipalAuthInd' in out: + fail('krbPrincipalAuthInd attribute still present after delstr') +out = realm.run([kadminl, 'getstrs', 'authind']) +if 'require_auth' in out: + fail('require_auth string attribute still visible after delstr') + mark('LDAP service principal aliases') # Test service principal aliases. |