[Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

Oleg Fayans ofayans at redhat.com
Fri Oct 14 13:48:25 UTC 2016


So, did I understand correctly, that there would be 2 patches: one 
containing test for basic idoverrides functionality without 
AD-integration, and the second one - with AD-integration and an sssd 
check, correct?
I guess, the 
freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch 
might be a good candidate for the first one, I only have to change the 
filename to test_idviews.py, right?

On 09/15/2016 10:32 AM, Martin Basti wrote:
>
>
> On 15.09.2016 10:10, Oleg Fayans wrote:
>> Hi Martin,
>>
>> The file was renamed. Did I understand correctly that for now we are
>> leaving the test as is and are planning to extend it later?
>
> I would like to have there SSSD check involved, please use what Sumit
> recommends. No new test cases.
>
> And this can be done by separate patch, I want to have API/CLI
> certificate override tests for non-AD idview (extending current tests I
> posted in this thread)
>
> Martin^2
>>
>> On 09/15/2016 09:49 AM, Martin Basti wrote:
>>>
>>>
>>> On 14.09.2016 18:53, Sumit Bose wrote:
>>>> On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:
>>>>>
>>>>> On 14.09.2016 17:53, Alexander Bokovoy wrote:
>>>>>> On Wed, 14 Sep 2016, Martin Basti wrote:
>>>>>>>
>>>>>>> On 14.09.2016 17:41, Alexander Bokovoy wrote:
>>>>>>>> On Wed, 14 Sep 2016, Martin Basti wrote:
>>>>>>>>> 1)
>>>>>>>>> I still don't see the reason why AD trust is needed. Default
>>>>>>>>> trust ID view is added just by ipa-adtrust-install, adding
>>>>>>>>> trust is not needed for current implementation. You don't
>>>>>>>>> need AD for this, IDviews is generic feature not just for
>>>>>>>>> AD. Is that user configured on AD side?
>>>>>>>> You cannot add non-AD user to 'default trust view', so you will not be
>>>>>>>> able to set up certificates to ID override which does not exist.
>>>>>>>>
>>>>>>>> For non-'default trust view' you can add both IPA and AD users, so using
>>>>>>>> some other view and then assign certificate for an ID override in that
>>>>>>>> one.
>>>>>>>>
>>>>>>> Ok then, but anyway I would like to see API/CLI tests for this
>>>>>>> feature with proper output validation.
>>>>>>>
>>>>>>>
>>>>>>> How can this be tested with SSSD?
>>>>>> You need to log into the system with a certificate...
>>>>> Is this possible from test? We are logged remotely as root, is there any
>>>>> cmdline util which allows us to test certificate against AD user?
>>>>
>>>> You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should
>>>> return the ssh key derived from the public key in the certificate. This
>>>> should work for certificate stored in AD as well as for overrides.
>>>>
>>>> You can also use the DBus lookup by certificate as described in
>>>> https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate
>>>> .
>>>>
>>>> HTH
>>>>
>>>> bye,
>>>> Sumit
>>>
>>> Thank you Alexander and Sumit for hints.
>>>
>>> Oleg I realized we don't have any other idviews integration tests
>>>
>>> So I propose to rename test file you are adding to test_idviews.py. We
>>> can add more testcases for idviews there later
>>>
>>> Martin^2
>>>>> Martin^2
>>>>>

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
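
The `sss_ssh_authorizedkeys` check suggested in the quoted thread, as an added example that is not part of the original messages or of FreeIPA's test code: it derives the `ssh-rsa` line that corresponds to an RSA certificate's public key so a test can compare it with the tool's output. Assumptions: the input is the certificate's DER SubjectPublicKeyInfo (already extracted), the tool prints OpenSSH authorized_keys lines, and the function names and the toy sample key are constructed for illustration.

```python
import base64
import struct

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption, DER-encoded
# Constructed toy SubjectPublicKeyInfo (64-bit modulus), not a real key
SAMPLE_SPKI = bytes.fromhex("3024300d06092a864886f70d0101010500"
                            "0313003010020900c123456789abcdef0203010001")

def der_read(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def rsa_numbers_from_spki(spki):
    """Extract (n, e) from a DER SubjectPublicKeyInfo that holds an RSA key."""
    _, body, _ = der_read(spki, 0)
    _, alg, pos = der_read(body, 0)
    if not alg.startswith(RSA_OID):
        raise ValueError("not an RSA key")
    tag, bits, _ = der_read(body, pos)
    if tag != 0x03 or bits[:1] != b"\x00":
        raise ValueError("expected BIT STRING with no unused bits")
    _, rsa_key, _ = der_read(bits, 1)  # RSAPublicKey ::= SEQUENCE { n, e }
    _, n_raw, pos = der_read(rsa_key, 0)
    _, e_raw, _ = der_read(rsa_key, pos)
    return int.from_bytes(n_raw, "big"), int.from_bytes(e_raw, "big")

def ssh_string(data):
    return struct.pack(">I", len(data)) + data

def ssh_mpint(value):
    # One byte more than bit_length // 8 keeps the top bit clear (positive mpint)
    return ssh_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))

def expected_ssh_key(spki):
    """authorized_keys line for the RSA key, in the RFC 4253 ssh-rsa encoding."""
    n, e = rsa_numbers_from_spki(spki)
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode()

def override_key_present(spki, sss_output):
    """True if the key derived from the certificate appears in the tool output."""
    want = expected_ssh_key(spki).split()[1]
    return any(want in line.split() for line in sss_output.splitlines())
```

In a test, `sss_output` would be the captured stdout of `sss_ssh_authorizedkeys` for the overridden user, and a `False` result means the override certificate was not resolved.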



