#6615 [tests] Verify that stageuser can not login using any method
Opened 4 years ago by dkupka. Modified 2 years ago

A user in the staging area must be unable to log in by design.
The test should cover all possible methods and verify that none can be used to log in successfully.

Any bind mechanism (simple, GSSAPI, cert-mapping) selecting a staging entry (cn=provisioning container) should get nsaccountlock=Yes, because of the following COS definition:

dn: cn=provisioning accounts lock,cn=accounts,cn=provisioning,<suffix>
objectClass: ldapSubEntry
objectClass: top
objectClass: cosSuperDefinition
objectClass: cosPointerDefinition
costemplatedn: cn=Inactivation cos template,cn=accounts,cn=provisioning,<suffix>
cn: provisioning accounts lock
cosAttribute: nsaccountlock operational

dn: cn=Inactivation cos template,cn=accounts,cn=provisioning,<suffix>
objectClass: cosTemplate
objectClass: top
objectClass: extensibleObject
cosPriority: 1
cn: Inactivation cos template
nsAccountLock: true

The expected result is that BIND should fail on that entry.
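
The mechanism described above, as an added example that is not part of the ticket or of FreeIPA's test suite: a simplified offline model of how the pointer COS definition gives every entry below cn=accounts,cn=provisioning an effective nsAccountLock of true, even when the entry stores its own value. The suffix dc=example,dc=test and all function names are assumptions, and only the pointer COS case with naive DN handling is modelled.

```python
# Simplified model of pointer COS evaluation (not server code; DNs with escaped commas unsupported).
# Constructed LDIF: the ticket's definition with <suffix> set to an assumed dc=example,dc=test.
SUFFIX = "dc=example,dc=test"
COS_LDIF = f"""\
dn: cn=provisioning accounts lock,cn=accounts,cn=provisioning,{SUFFIX}
objectClass: cosPointerDefinition
costemplatedn: cn=Inactivation cos template,cn=accounts,cn=provisioning,{SUFFIX}
cosAttribute: nsaccountlock operational

dn: cn=Inactivation cos template,cn=accounts,cn=provisioning,{SUFFIX}
objectClass: cosTemplate
cosPriority: 1
nsAccountLock: true
"""

def norm(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Parse unfolded, non-base64 LDIF into {normalised dn: {attr: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs.setdefault(name.lower(), []).append(value)
        entries[norm(attrs["dn"][0])] = attrs
    return entries

def effective_attrs(entry_dn, stored, entries):
    """Attributes of entry_dn after applying every pointer COS definition in scope."""
    result = {k.lower(): list(v) for k, v in stored.items()}
    for dn, e in entries.items():
        is_pointer = "cospointerdefinition" in (v.lower() for v in e["objectclass"])
        scope = dn.split(",", 1)[1]  # a definition covers the subtree under its parent
        if not (is_pointer and norm(entry_dn).endswith("," + scope)):
            continue
        template = entries[norm(e["costemplatedn"][0])]
        for spec in e["cosattribute"]:
            attr, _, qualifier = spec.lower().partition(" ")
            # "operational" (like "override") wins over a value stored on the entry
            if qualifier in ("override", "operational") or attr not in result:
                result[attr] = list(template[attr])
    return result

def bind_must_fail(entry_dn, stored, entries):
    """True when the effective nsAccountLock is true, so any bind should be refused."""
    lock = effective_attrs(entry_dn, stored, entries).get("nsaccountlock", ["false"])
    return lock[0].lower() == "true"
```

Calling `bind_must_fail` with a DN below cn=accounts,cn=provisioning returns True even when the stored attributes include `nsAccountLock: false`, which is the case a login test for stage users should also cover.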

Metadata Update from @dkupka:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

3 years ago

Metadata Update from @rcritten:
- Issue close_status updated to: None
- Issue tagged with: tests

2 years ago
