From 648b5afa2f2d01d99c1cf2d1f4a87a5da4461246 Mon Sep 17 00:00:00 2001
From: Lenka Doudova <ldoudova@redhat.com>
Date: Jul 25 2016 10:22:21 +0000
Subject: Tests: IPA user can kinit using enterprise principal with IPA domain


Providing missing test case verifying authentication as IPA user, namely:
"kinit -E ipauser@IPADOMAIN".

https://fedorahosted.org/freeipa/ticket/6036

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>

---

diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index e3fe9c8..d0b8e58 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -161,6 +161,26 @@ class TestBasicADTrust(ADTrustBase):
 
         assert re.search(testuser_regex, result.stdout_text)
 
+    def test_ipauser_authentication(self):
+        ipauser = u'tuser'
+        original_passwd = 'Secret123'
+        new_passwd = 'userPasswd123'
+
+        # create an ipauser for this test
+        self.master.run_command(['ipa', 'user-add', ipauser, '--first=Test',
+                                 '--last=User', '--password'],
+                                stdin_text=original_passwd)
+
+        # change password for the user to be able to kinit
+        util.ldappasswd_user_change(ipauser, original_passwd, new_passwd,
+                                    self.master)
+
+        # try to kinit as ipauser
+        self.master.run_command(
+            ['kinit', '-E', '{0}@{1}'.format(ipauser,
+                                             self.master.domain.name)],
+            stdin_text=new_passwd)
+
     def test_remove_nonposix_trust(self):
         tasks.remove_trust_with_ad(self.master, self.ad_domain)
         tasks.clear_sssd_cache(self.master)
diff --git a/ipatests/test_integration/util.py b/ipatests/test_integration/util.py
index 594737b..179f672 100644
--- a/ipatests/test_integration/util.py
+++ b/ipatests/test_integration/util.py
@@ -20,6 +20,8 @@
 import time
 import re
 
+from ipaplatform.paths import paths
+from ipalib.constants import DEFAULT_CONFIG
 
 def run_repeatedly(host, command, assert_zero_rc=True, test=None,
                 timeout=30, **kwargs):
@@ -75,3 +77,14 @@ def get_host_ip_with_hostmask(host):
 
     if match:
         return match.group('full_ip')
+
+
+def ldappasswd_user_change(user, oldpw, newpw, master):
+    container_user = dict(DEFAULT_CONFIG)['container_user']
+    basedn = master.domain.basedn
+
+    userdn = "uid={},{},{}".format(user, container_user, basedn)
+
+    args = [paths.LDAPPASSWD, '-D', userdn, '-w', oldpw, '-a', oldpw,
+            '-s', newpw, '-x']
+    master.run_command(args)