Tests: ldap search base does not fully limit the Netgroup search base

ldap search base does not fully limit the Netgroup search base

Reviewed-by: Iker Pedrosa <[email protected]>
Reviewed-by: Jakub Vávra <[email protected]>

src/tests/system/tests/test_ldap.py

@@ -538,3 +538,58 @@ def test_ldap__empty_attribute(client: Client, ldap: LDAP):
     for grp in ["Group_1", "Group_2"]:
         assert client.tools.getent.group(grp) is not None
     assert client.auth.ssh.password(user.name, "Secret123"), "User login failed!"
+
+
+@pytest.mark.importance("low")
+@pytest.mark.ticket(bz=785908)
+@pytest.mark.topology(KnownTopology.LDAP)
+def test_ldap__limit_search_base_group(client: Client, provider: LDAP):
+    """
+    :title: SSSD limits search base to 'ldap_search_base' DN for groups
+    :setup:
+        1. Create two ous
+        2. Netgroups are created in different ous
+        3. Members from different ous are added to netgroup
+    :steps:
+        1. Lookup netgroup with members from different ous
+        2. Set "ldap_search_base" to ou1 in the configuration and cleanly restart SSSD
+        3. Lookup netgroup with members from different ous
+    :expectedresults:
+        1. Netgroup exists and it contains members from both ous
+        2. SSSD is configured and cleanly restarted
+        3. Netgroup exists and it contains members only from ou1 in ldap_search_base
+    :customerscenario: True
+    """
+    ou1 = provider.ou("OU1").add()
+    ou2 = provider.ou("OU2").add()
+
+    ou1_grp1 = provider.netgroup("ou1_grp1", basedn=ou1).add()
+    ou1_grp1.add_member(host="h1", user="ou1_usr1", domain="ldap.test")
+
+    ou2_grp1 = provider.netgroup("ou2_grp1", basedn=ou2).add()
+    ou2_grp1.add_member(host="h2", user="ou2_usr1", domain="ldap.test")
+
+    ou2_grp2 = provider.netgroup("ou2_grp2", basedn=ou2).add()
+    ou2_grp2.add_member(ng=ou2_grp1)
+
+    ou1_grp2 = provider.netgroup("ou1_grp2", basedn=ou1).add()
+    ou1_grp2.add_member(ng=ou2_grp2)
+    ou1_grp2.add_member(ng=ou1_grp1)
+
+    client.sssd.start()
+    result = client.tools.getent.netgroup("ou1_grp2")
+    assert result is not None and result.name == "ou1_grp2", "Netgroup ou1_grp2 was not found!"
+    assert len(result.members) == 2
+    assert "(h1,ou1_usr1,ldap.test)" in result.members, "Member of ou1 'h1, ou1_usr1' is missing from 'ou1_grp2'."
+    assert "(h2,ou2_usr1,ldap.test)" in result.members, "Member of ou2 'h2, ou2_usr1' is missing from 'ou1_grp2'."
+
+    client.sssd.dom("test")["ldap_search_base"] = "ou=OU1,dc=ldap,dc=test"
+    client.sssd.restart(clean=True)
+
+    result = client.tools.getent.netgroup("ou1_grp2")
+    assert result is not None and result.name == "ou1_grp2", "Netgroup ou1_grp2 was not found!"
+    assert len(result.members) == 1
+    assert "(h1,ou1_usr1,ldap.test)" in result.members, "Member of ou1 'h1, ou1_usr1' is missing from 'ou1_grp2'."
+    assert (
+        "(h2,ou2_usr1,ldap.test)" not in result.members
+    ), "'ou1_grp2' members did not match the expected ones when search base is limited."