From Fedora Project Wiki
Revision comparison: (Update requirements) to (revise somewhat for use as a release validation test case)
Revision as of 22:53, 21 November 2014
Description
This test case checks that a system enrolled in a FreeIPA domain honors the domain controller's host-based access control (HBAC) rules.
Setup
- Deploy a correctly-configured FreeIPA domain controller (you can follow QA:Testcase_Server_role_deploy with the Domain Controller role to do this on Fedora 28 or earlier, or QA:Testcase_freeipa_trust_server_installation to do this on Fedora 29 or later)
- Enrol a test system in the FreeIPA domain (several of the other Category:Server Acceptance Test Cases cover different mechanisms for doing this, you can follow any of those)
- The intent here is to set up an HBAC rule which specifies that all access is prohibited, unless it is initiated by a specific user ("testuser"). HBAC is default-deny: a login is permitted only if at least one enabled rule matches the user, the host and the PAM service, and the stock allow_all rule is what normally matches everyone. Disabling allow_all affects every enrolled host, including the IPA server itself, so domain users such as admin cannot log in anywhere in the domain until the rule is re-enabled (local accounts such as root are unaffected). Do this only in a throwaway test domain.
- Make sure you have freeipa-admintools installed
# yum install freeipa-admintools
- Create a FreeIPA user (after acquiring admin credentials)
$ kinit admin
$ ipa user-add testuser --first test --last user --password
- Create an HBAC rule that allows access to the user you just created
$ ipa hbacrule-add testrule --servicecat=all --hostcat=all
$ ipa hbacrule-add-user testrule --users=testuser
- Disable the default rule that allows access to everyone
$ ipa hbacrule-disable allow_all
- On the system that joined the domain, change the testuser password for the first time. A password set by the administrator is expired on creation, so the first kinit as testuser forces a change; this also confirms the client can reach the KDC.
$ kinit testuser@IPA.EXAMPLE.ORG
- You will be prompted to enter a new password here
How to test
- On the system that joined the domain, switch to another VT (press Ctrl-Alt-F4).
- Try to log in as the admin user.
host login: admin@ipa.example.org
- Now try to log in as test user.
host login: testuser@ipa.example.org
Expected Results
- Log in as the admin user must fail, and log in as the test user must succeed.
More testing - offline logins
- Before the test, make sure that credential caching is enabled on the client: open /etc/sssd/sssd.conf in your editor of choice and make sure that cache_credentials=True is present in the [domain/ipa.example.org] section (the domain section for the IPA domain used in this test). Restart SSSD if you modified the config file:
# service sssd restart
- Perform one more login online to cache the credentials
- Disconnect the client from the network. As root, shut down the NM service:
# service NetworkManager stop
- Log in as the test user again. The login should succeed. SSSD caches the HBAC rules along with the credentials and evaluates them locally, so an offline login attempt as the admin user must still fail.
- Don't forget to start the networking again to make sure you're able to run the cleanup
Clean-up after the test
Enable the allow_all rule again to avoid interference with other tests:
$ kinit admin
$ ipa hbacrule-enable allow_all