Most of the test_xmlrpc tests that rely on a comparison of the user/group results cannot tolerate running in an environment where trust to Active Directory support is enabled. Originally, I started adding fixes for these problems, but it quickly escalated to several hundred failed tests. The main issue is a dictionary comparison feature that doesn't allow specifying an attribute as optional. When trust to AD is enabled, all POSIX users and groups in IPA get the ipaNTSecurityIdentifier attribute and the ipantuserattrs/ipantgroupattrs object class added at creation time.
Dictionary comparison in tests will fail:
- a tracker-maintained dictionary would not have ipantuserattrs/ipantgroupattrs objectclasses
- a result returned from the user-add / group-add commands might or might not contain the objectclasses and ipaNTSecurityIdentifier, depending on whether the test machine is powerful enough for the sidgen plugin to add the attributes before the user-add / group-add command retrieves the entry
- if we added ipaNTSecurityIdentifier to the tracker-maintained dictionary, the result comparison code would have no logic to understand that a missing ipaNTSecurityIdentifier in the result is not a failure: the fuzzy_sid class allows for a None value.
- for group-finding tests, it is impossible to get just a subset of the required groups. This prevents any additional configuration on the test machines. An attempt to search by a wildcard with ipa group-find --description="Test desc*" fails because we escape "*" and that filter doesn't match. We need to refactor the search code to allow a wildcard search to reduce the number of expected groups in such tests.
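A comparison that treats the SID attribute and the NT object classes as optional could look like the following. This is an added sketch, not code from the ticket or from the FreeIPA test suite; `compare_entry`, the SID pattern and the sample entries are constructed for illustration.

```python
import re

# Assumed shape of a user/group SID: S-1-5-21-<a>-<b>-<c>-<rid> (constructed pattern).
SID_RE = re.compile(r"^S-1-5-21(-\d+){4}$")

# Attributes and object classes that sidgen may or may not have added yet.
OPTIONAL_ATTRS = {"ipantsecurityidentifier": SID_RE}
OPTIONAL_OBJECTCLASSES = {"ipantuserattrs", "ipantgroupattrs"}


def compare_entry(expected, got):
    """Return a list of mismatch descriptions; an empty list means a match."""
    # LDAP attribute names are case-insensitive, so normalise the keys first.
    expected = {k.lower(): v for k, v in expected.items()}
    got = {k.lower(): v for k, v in got.items()}
    problems = []
    for attr in sorted(set(expected) | set(got)):
        if attr in OPTIONAL_ATTRS:
            # Absent is fine; if present, every value must look like a SID.
            for value in got.get(attr, ()):
                if not OPTIONAL_ATTRS[attr].match(value):
                    problems.append(f"{attr}: malformed value {value!r}")
        elif attr not in got:
            problems.append(f"{attr}: missing from result")
        elif attr not in expected:
            problems.append(f"{attr}: unexpected attribute")
        elif attr == "objectclass":
            # Ignore the optional NT classes on both sides before comparing.
            want = {v.lower() for v in expected[attr]} - OPTIONAL_OBJECTCLASSES
            have = {v.lower() for v in got[attr]} - OPTIONAL_OBJECTCLASSES
            if want != have:
                problems.append(f"objectclass: differs by {sorted(want ^ have)}")
        elif sorted(expected[attr]) != sorted(got[attr]):
            problems.append(f"{attr}: {expected[attr]!r} != {got[attr]!r}")
    return problems


# Constructed sample entries: the tracker's view and two possible results.
EXPECTED = {"uid": ["tuser1"], "objectclass": ["top", "posixaccount", "ipaobject"]}
SIDGEN_DONE = {
    "uid": ["tuser1"],
    "objectclass": ["top", "posixaccount", "ipaobject", "ipantuserattrs"],
    "ipaNTSecurityIdentifier": ["S-1-5-21-1111111111-2222222222-3333333333-1001"],
}
SIDGEN_PENDING = {"uid": ["tuser1"], "objectclass": ["top", "posixaccount", "ipaobject"]}
BAD_SID = dict(SIDGEN_DONE, ipaNTSecurityIdentifier=["not-a-sid"])
```

Both outcomes of the race with sidgen compare as equal, while a present but malformed SID is still reported.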