QA:Testcase SSSD LDAP Identity and LDAP Authentication with TLS
This test is designed to validate the feature Features/SSSDByDefault. The test involves configuring a system for LDAP identity and authentication with TLS, and performing several actions on the system.
How to test
- Prepare your system by configuring firstboot to start on boot. As an authorized user, run the commands listed below. Once complete, reboot your system.
- rm -f /etc/sysconfig/firstboot
- /sbin/chkconfig firstboot on
- At firstboot, proceed to the Create User step and select Use Network Login... to start the Authentication Configuration. See (Image:Screenshot-firstboot.png)
- In the Authentication Configuration application, under the Identity & Authentication tab set User Account Database to LDAP and make the configuration changes listed below.
- Enter a valid Search Base DN
- Enter a LDAP server in the field Server. Use the format
- Enable Use TLS to encrypt connections. See (Image:Screenshot-LDAP TLS Authentication Configuration.png)
- If you have not installed the CA certificate by other means, click on Download CA Certificate, enter the certificate URL and specify the path where the CA certificate should be stored. See (Image:Screenshot-jlaska CA Certificate.png)
- Also in the Authentication Configuration application, under the Identity & Authentication tab set Authentication Method to LDAP password.
- When finished, select Apply and complete the remaining steps in firstboot.
- When the graphical login screen appears, login to the system using a valid LDAP username and password.
- Open a terminal application and check whether you can query information about other LDAP users. For example, if using the Test Day login information, you might run commands similar to:
- getent passwd sssdtest10002
- getent group sssdgroup20002
- finger sssdtest10002
- Change the password for the logged-in LDAP user. This can be accomplished by starting System → Preferences → About me, then selecting Change Password. Or you can run the command passwd from a terminal application. After changing the password, log out of the desktop.
- Confirm the password change by logging in with the same LDAP user, but with the new password. Once logged in, use the same procedure to revert the LDAP user's password to the original value.
- Finally, log in to your system over the network. For example, use ssh to log in to your local system by typing:
Expected Results
- Firstboot is configured to start without error
- and starts on boot
- The Authentication Configuration application starts and completes without error
- The Authentication Configuration writes configuration information to /etc/sssd/sssd.conf that includes the following details:
- ldap_id_use_start_tls = True
- cache_credentials = True
- auth_provider = ldap
- debug_level = 0
- krb5_realm = EXAMPLE.COM
- ldap_search_base = dc=fedoraproject,dc=org
- chpass_provider = ldap
- id_provider = ldap
- min_id = 1000
- ldap_uri = ldap://publictest9.fedoraproject.org/
- krb5_kdcip = kerberos.example.com
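As an added example that is not part of the Fedora test case, the script below reads an sssd.conf and checks the LDAP domain section against the values listed above; it also flags a domain whose ldap:// URI has StartTLS disabled, because such a setup would send users' passwords to the server unencrypted. The sample configuration and the [domain/default] section name are constructed assumptions.

```python
# Added example: verify the sssd.conf written by Authentication Configuration.
import configparser

# Values this test case expects in /etc/sssd/sssd.conf (taken from the page).
EXPECTED = {
    "id_provider": "ldap",
    "auth_provider": "ldap",
    "chpass_provider": "ldap",
    "ldap_id_use_start_tls": "True",
    "ldap_search_base": "dc=fedoraproject,dc=org",
    "ldap_uri": "ldap://publictest9.fedoraproject.org/",
}

# Constructed sample; the domain section name "default" is an assumption.
SAMPLE_CONF = """
[sssd]
services = nss, pam
domains = default

[domain/default]
ldap_id_use_start_tls = True
cache_credentials = True
auth_provider = ldap
id_provider = ldap
chpass_provider = ldap
ldap_search_base = dc=fedoraproject,dc=org
ldap_uri = ldap://publictest9.fedoraproject.org/
min_id = 1000
"""


def check_sssd_conf(text, expected=EXPECTED):
    """Return a list of problems found; an empty list means the config matches."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    problems = []
    domains = [s for s in cp.sections() if s.startswith("domain/")]
    if not domains:
        return ["no [domain/...] section found"]
    for section in domains:
        sec = cp[section]
        for key, want in expected.items():
            got = sec.get(key)
            if got is None:
                problems.append(f"{section}: {key} missing")
            elif got.strip().lower() != want.lower():
                problems.append(f"{section}: {key} = {got!r}, expected {want!r}")
        # A plain ldap:// URI with StartTLS off would transmit the LDAP
        # password in clear text during authentication.
        uri = sec.get("ldap_uri", "")
        starttls = sec.get("ldap_id_use_start_tls", "").strip().lower() == "true"
        if uri.startswith("ldap://") and not starttls:
            problems.append(f"{section}: ldap:// without StartTLS, credentials unencrypted")
    return problems
```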
- Login to the graphical desktop is successful using a valid LDAP username and password
- The commands getent and finger return information about LDAP users. Sample output appears below.
- getent passwd sssdtest10001
- sssdtest10001:*:10001:20001:SSSD 10001 test user:/home/sssdtest10001:/bin/bash
- finger sssdtest10001
- Login: sssdtest10001 Name: SSSD 10001 test user
- Directory: /home/sssdtest10001 Shell: /bin/bash
- On since Mon Mar 29 15:57 (IST) on pts/2 from localhost
- Whether using a graphical utility or the command passwd, the password is successfully changed
- The new password is accepted when logging into the desktop
- You are able to log in to your system using a remote shell command such as ssh