tests: add LDAP+KRB5 DNS discovery and SASL tests#8647
tests: add LDAP+KRB5 DNS discovery and SASL tests#8647madhuriupadhye wants to merge 1 commit intoSSSD:masterfrom
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces new system tests for SSSD's LDAP and Kerberos integration, specifically covering DNS SRV discovery, backup URI failover, and SASL canonicalization behavior with GSSAPI. The review feedback highlights a need to handle IPv6 addresses correctly in LDAP URIs by using square brackets and suggests reordering test logic to ensure the test skips appropriately when the environment cannot reproduce the specific canonicalization issue.
|
|
||
| client.sssd.common.krb5_auth(kdc) | ||
| client.sssd.domain["ldap_sasl_mech"] = "GSSAPI" | ||
| client.sssd.domain["ldap_uri"] = f"ldaps://{ldap_ip}" |
There was a problem hiding this comment.
The LDAP URI construction does not account for IPv6 addresses. If ldap_ip is an IPv6 address, it must be enclosed in square brackets (e.g., ldaps://[2001:db8::1]) to be a valid URI. Using a raw IPv6 address will cause SSSD or libldap to fail parsing the URI due to the ambiguous colons.
| client.sssd.domain["ldap_uri"] = f"ldaps://{ldap_ip}" | |
| ldap_uri = f"ldaps://[{ldap_ip}]" if ":" in ldap_ip else f"ldaps://{ldap_ip}" | |
| client.sssd.domain["ldap_uri"] = ldap_uri |
| broken = client.tools.id("puser1") is None | ||
|
|
||
| client.sssd.domain["ldap_sasl_canonicalize"] = "false" | ||
| client.sssd.restart(clean=True) | ||
| assert client.tools.id("puser1") is not None, "id should succeed with ldap_sasl_canonicalize=false" | ||
|
|
||
| if not broken: | ||
| pytest.skip( | ||
| "Reverse DNS for LDAP IP matches expected hostname; cannot reproduce BZ 732935 " | ||
| "canonicalize failure in this environment" | ||
| ) |
There was a problem hiding this comment.
The test logic for skipping when the environment cannot reproduce the issue is flawed. The check if not broken is performed after a second SSSD restart and an assertion. If the environment has a working reverse DNS (i.e., broken is False), the test should skip immediately after the first id call. Otherwise, if the second id call fails for unrelated reasons, the test will incorrectly report a failure instead of skipping.
broken = client.tools.id("puser1") is None
if not broken:
pytest.skip(
"Reverse DNS for LDAP IP matches expected hostname; cannot reproduce BZ 732935 "
"canonicalize failure in this environment"
)
client.sssd.domain["ldap_sasl_canonicalize"] = "false"
client.sssd.restart(clean=True)
assert client.tools.id("puser1") is not None, "id should succeed with ldap_sasl_canonicalize=false"
madhuriupadhye
force-pushed
the
tests/ldap-krb5-dns-sasl
branch
from
affec2e to
d29590d
Compare
madhuriupadhye
force-pushed
the
tests/ldap-krb5-dns-sasl
branch
from
d29590d to
77c482b
Compare
Add three pytest system tests to test_ldap_krb5.py: - DNS SRV discovery for LDAP (Trac 754): dns_discovery_domain without ldap_uri - BZ 700805: ldap_backup_uri when discovery domain has no _ldap._tcp SRV - BZ 732935: ldap_sasl_canonicalize vs reverse DNS with GSSAPI over ldaps://IP Uses client.tools.dig and client.tools.getent.ahostsv4 (sssd-test-framework). Signed-off-by: Madhuri Upadhye <mupadhye@redhat.com>
madhuriupadhye
force-pushed
the
tests/ldap-krb5-dns-sasl
branch
from
77c482b to
3989df7
Compare
3 participants
Add three pytest system tests to test_ldap_krb5.py:
Uses client.tools.dig and client.tools.getent.ahostsv4 (sssd-test-framework).