sssd_test_framework.roles.ad

Active Directory multihost role.

Classes

`AD`(args, *kwargs)	AD service management.
`ADAutomount`(role)	AD automount management.
`ADAutomountKey`(role, name, map)	AD automount key management.
`ADAutomountMap`(role, name[, basedn])	AD automount map management.
`ADCertificateAuthority`(host)	AD Certificate Authority server management.
`ADComputer`(role, name[, basedn])	AD computer management.
`ADDNSServer`(role)	AD DNS server management.
`ADDNSZone`(role, name)	AD DNS zone management.
`ADGroup`(role, name[, basedn])	AD group management.
`ADNetgroup`(role, name[, basedn])	AD netgroup management.
`ADObject`(role, command_group, name, rdn[, ...])	Base class for Active Directory object management.
`ADOrganizationalUnit`(role, name[, basedn])	AD organizational unit management.
`ADPasswordPolicy`(role)	AD domain password policy management.
`ADSite`(role, name[, basedn])	AD site management.
`ADSudoRule`(role, name[, basedn])	AD sudo rule management.
`ADUser`(role, name[, basedn])	AD user management.
`GPO`(role, name)	Group policy object management.

class sssd_test_framework.roles.ad.AD(*args, **kwargs)

Bases: BaseWindowsRole[ADHost]

AD service management.

domain: str: Active Directory domain name.

realm: str: Kerberos realm.

name: str: Generic provider name.

server: str: Generic server name.

auto_ou: dict[str, bool]: Organizational units that were automatically created.

automount: ADAutomount

Manage automount maps and keys.

Example usage

@pytest.mark.topology(KnownTopology.AD)
def test_example_autofs(client: Client, ad: AD, nfs: NFS):
    nfs_export1 = nfs.export('export1').add()
    nfs_export2 = nfs.export('export2').add()
    nfs_export3 = nfs.export('sub/export3').add()

    # Create automount maps
    auto_master = ad.automount.map('auto.master').add()
    auto_home = ad.automount.map('auto.home').add()
    auto_sub = ad.automount.map('auto.sub').add()

    # Create mount points
    auto_master.key('/ehome').add(info=auto_home)
    auto_master.key('/esub/sub1/sub2').add(info=auto_sub)

    # Create mount keys
    key1 = auto_home.key('export1').add(info=nfs_export1)
    key2 = auto_home.key('export2').add(info=nfs_export2)
    key3 = auto_sub.key('export3').add(info=nfs_export3)

    # Start SSSD
    client.sssd.common.autofs()
    client.sssd.start()

    # Reload automounter in order to fetch updated maps
    client.automount.reload()

    # Check that we can mount all directories on correct locations
    assert client.automount.mount('/ehome/export1', nfs_export1)
    assert client.automount.mount('/ehome/export2', nfs_export2)
    assert client.automount.mount('/esub/sub1/sub2/export3', nfs_export3)

    # Check that the maps are correctly fetched
    assert client.automount.dumpmaps() == {
        '/ehome': {
            'map': 'auto.home',
            'keys': [str(key1), str(key2)]
        },
        '/esub/sub1/sub2': {
            'map': 'auto.sub',
            'keys': [str(key3)]
        },
    }

property password_policy: ADPasswordPolicy

Domain password policy management.

Example usage

@pytest.mark.topology(KnownTopology.AD)
def test_example(client: Client, ad: AD):
    # Enable password complexity
    ad.password_policy.complexity(enable=True)

    # Set 2 login attempts and 30 lockout duration
    ad.password_policy.lockout(attempts=2, duration=30)

property naming_context: str: Naming context.

fqn(name: str) → str

Return fully qualified name in form name@domain.

Parameters:: name (str) – Username.
Returns:: Fully qualified name.
Return type:: str

user(name: str, basedn: ADObject | str | None = 'cn=users') → ADUser

Get user object.

Example usage

@pytest.mark.topology(KnownTopology.AD)
def test_example(client: Client, ad: AD):
    # Create user
    ad.user('user-1').add()

    # Start SSSD
    client.sssd.start()

    # Call `id user-1` and assert the result
    result = client.tools.id('user-1')
    assert result is not None
    assert result.user.name == 'user-1'
    assert result.group.name == 'domain users'

Parameters:

name (str) – User name.
basedn (ADObject | str | None, optional) – Base dn, defaults to cn=users

Returns:

New user object.

Return type:

ADUser

group(name: str, basedn: ADObject | str | None = 'cn=users') → ADGroup

Get group object.

Example usage

@pytest.mark.topology(KnownTopology.AD)
def test_example_group(client: Client, ad: AD):
    # Create user
    user = ad.user('user-1').add()

    # Create secondary group and add user as a member
    ad.group('group-1').add().add_member(user)

    # Start SSSD
    client.sssd.start()

    # Call `id user-1` and assert the result
    result = client.tools.id('user-1')
    assert result is not None
    assert result.user.name == 'user-1'
    assert result.group.name == 'domain users'
    assert result.memberof('group-1')

Parameters:

name (str) – Group name.
basedn (ADObject | str | None, optional) – Base dn, defaults to cn=users

Returns:

New group object.

Return type:

ADGroup

netgroup(name: str, basedn: ADObject | str | None = 'ou=netgroups') → ADNetgroup

Get netgroup object.

Example usage

@pytest.mark.topology(KnownTopology.AD)
def test_example_netgroup(client: Client, ad: AD):
    # Create user
    user = ad.user("user-1").add()

    # Create two netgroups
    ng1 = ad.netgroup("ng-1").add()
    ng2 = ad.netgroup("ng-2").add()

    # Add user and ng2 as members to ng1
    ng1.add_member(user=user)
    ng1.add_member(ng=ng2)

    # Add host as member to ng2
    ng2.add_member(host="client")

    # Start SSSD
    client.sssd.start()

    # Call `getent netgroup ng-1` and assert the results
    result = client.tools.getent.netgroup("ng-1")
    assert result is not None
    assert result.name == "ng-1"
    assert len(result.members) == 2
    assert "(-,user-1,)" in result.members
    assert "(client,-,)" in result.members

Parameters:

name (str) – Netgroup name.
basedn (ADObject | str | None, optional) – Base dn, defaults to ou=netgroups

Returns:

New netgroup object.

Return type:

ADNetgroup

ou(name: str, basedn: ADObject | str | None = None) → ADOrganizationalUnit

Get organizational unit object.

Example usage

@pytest.mark.topology(KnownTopology.AD)
def test_example(client: Client, ad: AD):
    # Create organizational unit for sudo rules
    ou = ad.ou('mysudoers').add()

    # Create user
    ad.user('user-1').add()

    # Create sudo rule
    ad.sudorule('testrule', basedn=ou).add(user='ALL', host='ALL', command='/bin/ls')

    client.sssd.common.sudo()
    client.sssd.start()

    # Test that user can run /bin/ls
    assert client.auth.sudo.run('user-1', 'Secret123', command='/bin/ls')

Parameters:

name (str) – Unit name.
basedn (ADObject | str | None, optional) – Base dn, defaults to None

Returns:

New organizational unit object.

Return type:

ADOrganizationalUnit

site(name: str, basedn: ADObject | str | None = 'cn=sites,cn=configuration') → ADSite

Get site object.

Example usage

@pytest.mark.topology(KnownTopology.AD)
def test_example(client: Client, ad: AD):
    # Create New Site, this name cannot contain spaces
    site = ad.site('New-Site').add()

Parameters:

name (str, cannot contain spaces) – Site name.
basedn (ADObject | str | None, optional) – Base dn, defaults to “cn=sites,cn=configuration”

Returns:

New site object.

Return type:

ADSite

computer(name: str, basedn: ADObject | str | None = 'cn=computers') → ADComputer

Get computer object.

Example usage

@pytest.mark.topology(KnownTopology.AD)
def test_example(client: Client, ad: AD):
    # Create OU
    ou = ad.ou("test").add().dn
    # Move computer object
    ad.computer(client.host.hostname.split(".")[0]).move(ou)

    client.sssd.start()

Parameters:

name (str) – Computer name.
basedn (ADObject | str | None,) – Base dn, defaults to “cn=computers”

Returns:

New computer object.

Return type:

ADComputer

dns() → ADDNSServer

Get DNS server object.

Get methods use dig and is parsed by jc. The data from jc contains several nested dict, but two are returned as a tuple, answer, authority.

Example usage

# Create forward zone and add forward record
zone = ad.dns().zone("example.test").create()
zone.add_record("client", "172.16.200.15")

# Create reverse zone and add reverse record
zone = ad.dns().zone("10.0.10.in-addr.arpa").create()
zone.add_ptr_record("client.example.test", 15)

# Add forward record to default domain
ad.dns().zone(ad.domain).add_record("client", "1.2.3.4")

# Add a global forwarder
ad.dns().add_forwarder("1.1.1.1")

# Remove a global forwarder
ad.dns().remove_forwarder("1.1.1.1")

# Clear all forwarders
ad.dns().clear_forwarders()

gpo(name: str) → GPO

Get group policy object.

Example usage

@pytest.mark.topology(KnownTopology.AD)
def test_ad__gpo_is_set_to_enforcing(client: Client, ad: AD):
    user = ad.user("user").add()
    allow_user = ad.user("allow_user").add()
    deny_user = ad.user("deny_user").add()

    ad.gpo("test policy").add().policy(
        {
        "SeInteractiveLogonRight": [allow_user, ad.group("Domain Admins")],
        "SeRemoteInteractiveLogonRight": [allow_user, ad.group("Domain Admins")],
        "SeDenyInteractiveLogonRight": [deny_user],
        "SeDenyRemoteInteractiveLogonRight": [deny_user],
        }
    ).link()

    client.sssd.domain["ad_gpo_access_control"] = "enforcing"
    client.sssd.start()

    assert client.auth.ssh.password(username="allow_user", password="Secret123")
    assert not client.auth.ssh.password(username="user", password="Secret123")
    assert not client.auth.ssh.password(username="deny_user", password="Secret123")

Parameters:: name (str) – Name of the GPO.

sudorule(name: str, basedn: ADObject | str | None = 'ou=sudoers') → ADSudoRule

Get sudo rule object.

Example usage

@pytest.mark.topology(KnownTopology.AD)
def test_example(client: Client, ad: AD):
    user = ad.user('user-1').add(password="Secret123")
    ad.sudorule('testrule').add(user=user, host='ALL', command='/bin/ls')

    client.sssd.common.sudo()
    client.sssd.start()

    # Test that user can run /bin/ls
    assert client.auth.sudo.run('user-1', 'Secret123', command='/bin/ls')

Parameters:

name (str) – Rule name.
basedn (ADObject | str | None, optional) – Base dn, defaults to ou=sudoers

Returns:

New sudo rule object.

Return type:

ADSudoRule

class sssd_test_framework.roles.ad.ADAutomount(role: AD)

Bases: GenericAutomount

AD automount management.

ADAutomount implements GenericAutomount for static typing and provider-agnostic tests. The optional basedn argument on map() is AD-specific and is not part of the generic API.

Parameters:: role (AD) – AD role object.

map(name: str, basedn: ADObject | str | None = 'ou=autofs') → ADAutomountMap

Get automount map object.

Implements GenericAutomount.map(); basedn selects the LDAP container for the map (defaults to ou=autofs).

Parameters:

name (str) – Automount map name.
basedn (ADObject | str | None, optional) – Base dn, defaults to ou=autofs

Returns:

New automount map object.

Return type:

ADAutomountMap

key(name: str, map: GenericAutomountMap) → ADAutomountKey

Get automount key object.

Implements GenericAutomount.key().

Parameters:

name (str) – Automount key name.
map (GenericAutomountMap) – Automount map that is a parent to this key.

Returns:

New automount key object.

Return type:

ADAutomountKey

class sssd_test_framework.roles.ad.ADAutomountMap(role: AD, name: str, basedn: ADObject | str | None = 'ou=autofs')

Bases: ADObject, GenericAutomountMap

AD automount map management.

ADAutomountMap implements GenericAutomountMap for static typing and provider-agnostic tests.

Parameters:

role (AD) – AD role object.
name (str) – Automount map name.
basedn (ADObject | str | None, optional) – Base dn, defaults to ou=autofs

add() → ADAutomountMap

Create new AD automount map.

Returns:: Self.
Return type:: ADAutomountMap

key(name: str) → ADAutomountKey

Get automount key object for this map.

Parameters:: name (str) – Automount key name.
Returns:: New automount key object.
Return type:: ADAutomountKey

class sssd_test_framework.roles.ad.ADGroup(role: AD, name: str, basedn: ADObject | str | None = 'cn=users')

Bases: ADObject, GenericGroup

AD group management.

ADGroup implements GenericGroup for static typing and provider-agnostic tests. AD-specific keyword arguments on add() are in addition to the generic API.

Parameters:

role (AD) – AD role object.
name (str) – Group name.
basedn (ADObject | str | None, optional) – Base dn, defaults to ‘cn=users’

add(*, gid: int | None = None, description: str | None = None, scope: str = 'Global', category: str = 'Security') → ADGroup

Create new AD group.

Parameters:

gid (int | None, optional) – Group id, defaults to None
description (str | None, optional) – Description, defaults to None
scope (str, optional) – Scope (‘Global’, ‘Universal’, ‘DomainLocal’), defaults to ‘Global’
category (str, optional) – Category (‘Distribution’, ‘Security’), defaults to ‘Security’

Returns:

Self.

Return type:

ADGroup

modify(*, gid: int | DeleteAttribute | None = None, description: str | DeleteAttribute | None = None) → ADGroup

Modify existing AD group.

Parameters that are not set are ignored. If needed, you can delete an attribute by setting the value to Delete.

Parameters:

gid (int | DeleteAttribute | None, optional) – Group id, defaults to None
description (str | DeleteAttribute | None, optional) – Description, defaults to None

Returns:

Self.

Return type:

ADGroup

add_member(member: GenericUser | GenericGroup | str) → ADGroup

Add group member.

Parameters:: member (GroupMemberField) – User or group to add as a member.
Returns:: Self.
Return type:: ADGroup

add_members(members: list[GenericUser | GenericGroup | str]) → ADGroup

Add multiple group members.

Parameters:: members (list[GroupMemberField]) – List of users or groups to add as members.
Returns:: Self.
Return type:: ADGroup

remove_member(member: GenericUser | GenericGroup | str) → ADGroup

Remove group member.

Parameters:: member (GroupMemberField) – User or group to remove from the group.
Returns:: Self.
Return type:: ADGroup

remove_members(members: list[GenericUser | GenericGroup | str]) → ADGroup

Remove multiple group members.

Parameters:: members (list[GroupMemberField]) – List of users or groups to remove from the group.
Returns:: Self.
Return type:: ADGroup

class sssd_test_framework.roles.ad.ADObject(role: AD, command_group: str, name: str, rdn: str, basedn: ADObject | str | None = None, default_ou: str | None = None)

Bases: BaseObject[ADHost, AD]

Base class for Active Directory object management.

Provides shortcuts for command execution and implementation of get() and delete() methods.

Parameters:

role (AD) – AD role object.
command_group (str) – AD command group.
name (str) – Object name.
rdn (str) – Relative distinguished name.
basedn (ADObject | str | None, optional) – Base dn, defaults to None
default_ou (str | None, optional) – Name of default organizational unit that is automatically created if basedn is set to ou=$default_ou, defaults to None.

command_group: str: Active Directory Powershell module command group.

rdn: str: Object relative DN.

basedn: ADObject | str | None: Object base DN.

dn: str: Object DN.

path: str: Object path (DN of the parent container).

default_ou: str | None: Default organizational unit that usually holds this object.

property name: str

delete() → None: Delete Active Directory object.

get(attrs: list[str] | None = None, *, opattrs: bool = False) → dict[str, list[str]] | None

Get AD object attributes.

Parameters:

attrs (list[str] | None, optional) – If set, only requested attributes are returned, defaults to None
opattrs (bool, optional) – Ignored (LDAP-only); present for GenericUser API compatibility.

Returns:

Dictionary with attribute name as a key.

Return type:

dict[str, list[str]] | None

property sid: str | None

Gets AD Object’s SID.

Returns:: SID, or None if not available.
Return type:: str | None

class sssd_test_framework.roles.ad.ADOrganizationalUnit(role: AD, name: str, basedn: ADObject | str | None = None)

Bases: ADObject, GenericOrganizationalUnit

AD organizational unit management.

ADOrganizationalUnit implements GenericOrganizationalUnit for static typing and provider-agnostic tests.

Parameters:

role (AD) – AD role object.
name (str) – Unit name.
basedn (ADObject | str | None, optional) – Base dn, defaults to None

add(name: str | None = None) → ADOrganizationalUnit

Create new AD organizational unit.

Implements GenericOrganizationalUnit.add(). The optional name argument is accepted for API compatibility; the OU name is taken from AD.ou().

Parameters:: name (str | None) – Unused; OU name is set when the object is created.
Returns:: Self.
Return type:: ADOrganizationalUnit

class sssd_test_framework.roles.ad.ADComputer(role: AD, name: str, basedn: ADObject | str | None = 'cn=computers')

Bases: ADObject, GenericComputer

AD computer management.

ADComputer implements GenericComputer for static typing and provider-agnostic tests.

Parameters:

role (AD) – AD role object.
name (str) – Computer name.
basedn (ADObject | str | None, optional) – Base dn, defaults to ‘cn=computers’

move(target: str) → ADComputer

Move a computer object.

Implements GenericComputer.move().

Parameters:: target (str) – Target path.
Returns:: Self.
Return type:: ADComputer

class sssd_test_framework.roles.ad.ADSudoRule(role: AD, name: str, basedn: ADObject | str | None = 'ou=sudoers')

Bases: ADObject, GenericSudoRule

AD sudo rule management.

ADSudoRule implements GenericSudoRule for static typing and provider-agnostic tests. AD-specific int values (SID fragments as #N), notbefore / notafter, and DeleteAttribute on modify() are in addition to the generic API.

Parameters:

role (AD) – AD role object.
name (str) – Sudo rule name.
basedn (ADObject | str | None, optional) – Base dn, defaults to None

Create new sudo rule.

Parameters:

user (SudoRuleUserField | int | list[SudoRuleUserField | int], optional) – sudoUser attribute, defaults to None
host (SudoRuleHostField, optional) – sudoHost attribute, defaults to None
command (SudoRuleCommandField, optional) – sudoCommand attribute, defaults to None
option (str | list[str] | None, optional) – sudoOption attribute, defaults to None
runasuser (SudoRuleRunAsUserField | int | list[SudoRuleRunAsUserField | int] | None, optional) – sudoRunAsUser attribute, defaults to None
runasgroup (SudoRuleRunAsGroupField | int | list[SudoRuleRunAsGroupField | int] | None, optional) – sudoRunAsGroup attribute, defaults to None
notbefore (str | list[str] | None, optional) – sudoNotBefore attribute (AD only), defaults to None
notafter (str | list[str] | None, optional) – sudoNotAfter attribute (AD only), defaults to None
order (int | list[int] | None, optional) – sudoOrder attribute, defaults to None
nopasswd (bool | None, optional) – If true, no authentication is required (NOPASSWD), defaults to None (no change)

Returns:

Self.

Return type:

ADSudoRule

Modify existing sudo rule.

Parameters that are not set are ignored. If needed, you can delete an attribute by setting the value to Delete.

Parameters:

user (int | str | ADUser | ADGroup | list[int | str | ADUser | ADGroup] | DeleteAttribute | None, optional) – sudoUser attribute, defaults to None
host (str | list[str] | DeleteAttribute | None, optional) – sudoHost attribute, defaults to None
command (str | list[str] | DeleteAttribute | None, optional) – sudoCommand attribute, defaults to None
option (str | list[str] | DeleteAttribute | None, optional) – sudoOption attribute, defaults to None
runasuser (int | str | ADUser | ADGroup | list[int | str | ADUser | ADGroup] | DeleteAttribute | None, optional) – sudoRunAsUser attribute, defaults to None
runasgroup (int | str | ADGroup | list[int | str | ADGroup] | DeleteAttribute | None, optional) – sudoRunAsGroup attribute, defaults to None
notbefore (str | list[str] | DeleteAttribute | None, optional) – sudoNotBefore attribute, defaults to None
notafter (str | list[str] | DeleteAttribute | None, optional) – sudoNotAfter attribute, defaults to None
order (int | list[int] | DeleteAttribute | None, optional) – sudoOrder attribute, defaults to None
nopasswd (bool | None, optional) – If true, no authentication is required (NOPASSWD), defaults to None (no change)

Returns:

Self.

Return type:

ADSudoRule

class sssd_test_framework.roles.ad.ADUser(role: AD, name: str, basedn: ADObject | str | None = 'cn=users')

Bases: ADObject, GenericUser

AD user management.

ADUser implements GenericUser for static typing and provider-agnostic tests. AD-specific keyword arguments on add() and modify() are in addition to the generic API.

Parameters:

role (AD) – AD role object.
name (str) – Username.
basedn (ADObject | str | None, optional) – Base dn, defaults to ‘cn=users’

Create new AD user.

Parameters that are not set are ignored.

Parameters:

uid (int | None, optional) – User id, defaults to None
gid (int | None, optional) – Primary group id, defaults to None
password (str, optional) – Password (cannot be None), defaults to ‘Secret123’
home (str | None, optional) – Home directory, defaults to None
gecos (str | None, optional) – GECOS, defaults to None
shell (str | None, optional) – Login shell, defaults to None
email (str | None, optional) – Email, defaults to None (= user@domain)
upn (str | None, optional) – User principal name, defaults to None

Returns:

Self.

Return type:

ADUser

Modify existing AD user.

Parameters that are not set are ignored. If needed, you can delete an attribute by setting the value to Delete.

Parameters:

uid (int | DeleteAttribute | None, optional) – User id, defaults to None
gid (int | DeleteAttribute | None, optional) – Primary group id, defaults to None
password (str, optional) – Password (cannot be None), defaults to ‘Secret123’
home (str | DeleteAttribute | None, optional) – Home directory, defaults to None
gecos (str | DeleteAttribute | None, optional) – GECOS, defaults to None
shell (str | DeleteAttribute | None, optional) – Login shell, defaults to None
email (str | DeleteAttribute | None, optional) – Email address, defaults to None
givenname (str | DeleteAttribute | None, optional) – Given name of user, defaults to None
surname (str | DeleteAttribute | None, optional) – Sur name of user, defaults to None
upn (str | None, optional) – User principal name, defaults to None

Returns:

Self.

Return type:

ADUser

reset(password: str | None = 'Secret123') → ADUser

Reset user password.

Parameters:: password (str | None, optional) – Password, defaults to ‘Secret123’
Returns:: Self.
Return type:: ADUser

expire(expiration: str | None = '19700101000000') → ADUser

Set user password expiration date and time.

Parameters:: expiration (str | None, optional) – Date and time for user password expiration, defaults to 19700101000000
Returns:: Self.
Return type:: ADUser

password_change_at_logon(**kwargs) → ADUser

Force user to change password next logon.

Returns:: Self.
Return type:: ADUser

passkey_add(passkey_mapping: str) → ADUser

Add passkey mapping to the user.

Parameters:: passkey_mapping (str) – Passkey mapping generated by sssctl passkey-register
Returns:: Self.
Return type:: ADUser

passkey_remove(passkey_mapping: str) → ADUser

Remove passkey mapping from the user.

Parameters:: passkey_mapping (str) – Passkey mapping generated by sssctl passkey-register
Returns:: Self.
Return type:: ADUser

class sssd_test_framework.roles.ad.ADPasswordPolicy(role: AD)

Bases: GenericPasswordPolicy

AD domain password policy management.

ADPasswordPolicy implements GenericPasswordPolicy for static typing and provider-agnostic tests. Settings apply to the domain default password policy via Set-ADDefaultDomainPasswordPolicy.

Parameters:: role (AD) – AD role object.

complexity(enable: bool) → ADPasswordPolicy

Enable or disable password complexity.

Implements GenericPasswordPolicy.complexity().

Parameters:: enable (bool) – Enable or disable password complexity.
Returns:: Self.
Return type:: ADPasswordPolicy

lockout(duration: int, attempts: int) → ADPasswordPolicy

Set lockout duration and login attempts.

Implements GenericPasswordPolicy.lockout().

Parameters:

duration (int) – Duration of lockout in seconds.
attempts (int) – Number of login attempts.

Returns:

Self.

Return type:

ADPasswordPolicy

class sssd_test_framework.roles.ad.GPO(role: AD, name: str)

Bases: GenericGPO

Group policy object management.

GPO implements GenericGPO for static typing and provider-agnostic tests.

Parameters:

role (AD) – AD role object.
name (str) – GPO display name.

target: str | None: Group policy target.

search_base: str: Group policy search base.

dn: Group policy dn.

cn: Group policy cn.

property name: str

GPO display name.

Implements GenericGPO.name.

get(key: str) → str | None

Get group policy attributes.

This method is unique for the GPO class, unlike SambaGPO class, the ADObject class is not inherited.

Parameters:: key (str) – Attribute to get.
Returns:: Key value.
Return type:: str

delete() → None: Delete group policy object.

add() → GPO

Add a group policy object.

This creates an empty GPO, the security part of the policy cannot be configured using official GroupPolicy cmdlets, because the settings are actually stored in security database. The workaround, is to manually edit policy. First create the SecEdit directory path, ‘C:WindowsSYSVOLdomainPolicies{GUID}MachinesMicrosoftWindows NTSecEdit’.

Second, create and edit GptTmpl.inf file in this directory. Only the headers, are added at this time. The rest of the configuration is done by policy method.

Returns:: Group policy object
Return type:: GPO

link(target: str | None = None, enforced: bool | None = None, disabled: bool | None = False, order: int | None = 0) → GPO

Link the group policy to the target object inside the directory, a site, domain or an ou.

Parameters:

target (str, optional) – Group policy target
enforced (bool, optional) – Enforced the policy
disabled (bool, optional) – Disable the policy
order (int, optional) – Order number

Returns:

Group policy object

Return type:

GPO

unlink() → None

Unlink the group policy from the target.

Implements GenericGPO.unlink().

permissions(target: str, permission_level: str, target_type: str | None = 'Group') → GPO

Configure group policy object permissions.

Parameters:

target (str) – Target object
permission_level (str, 'GpoRead | GpoApply | GpoEdit | GpoEditDeleteModifySecurity | None') – Permission level
target_type (str, optional, values should be 'user | group | computer') – Target type, defaults to ‘group’

Returns:

Group policy object

Return type:

GPO

policy(logon_rights: dict[str, list[ADObject]], cfg: dict[str, Any] | None = None) → GPO

Group policy configuration.

This method does the remaining configuration of the group policy. It updates ‘GptTmpl.inf’ with security logon right keys with the SIDs of users and groups objects. The Remote keys can be omitted, in which the interactive key’s value will then be used.

To add users and groups to the policy, the SID must be used for the values. The values need to be prefixed with an ‘*’ and use a comma for a de-limiter, i.e. *SID1-2-3-4,*SID-5-6-7-8

Additionally, gPCMachineExtensionNames need to be updated in the directory so the GPO is readable to the client. The value is a list of Client Side Extensions (CSEs), that is an index of what part of the policy is pushed and processed by the client.

There is a test case where GptTmpl.inf contains invalid values. The parameter gpttmpl takes a dictionary that will modify the GptTmpl.inf for this scenario.

Parameters:

logon_rights (dict[str, list[ADObject]]) – List of logon rights.
cfg (dict[str, Any] | None, optional) – Extra configuration for GptTmpl.inf file, defaults to None

Returns:

Group policy object

Return type:

GPO

class sssd_test_framework.roles.ad.ADDNSServer(role: AD)

Bases: GenericDNSServer

AD DNS server management.

ADDNSServer implements GenericDNSServer for static typing and provider-agnostic tests.

Parameters:: role (AD) – AD role object.

domain: str: Domain name.

server: str: Server name.

zone(name: str) → ADDNSZone

Get DNS zone object.

Implements GenericDNSServer.zone().

Parameters:: name (str) – Zone name.
Returns:: DNS zone object.
Return type:: ADDNSZone

get_forwarders() → list[str]

Get DNS global forwarders.

Returns:: List of forwarder IP addresses (empty if none are configured).
Return type:: list[str]

add_forwarder(ip_address: str) → ADDNSServer

Add a DNS server forwarder.

Parameters:: ip_address (str) – IP address.
Returns:: Self.
Return type:: ADDNSServer

remove_forwarder(ip_address: str) → None

Remove a DNS server forwarder.

Parameters:: ip_address (str) – IP address.

clear_forwarders() → None

Clear all DNS server forwarders.

AD has about four global forwarders enabled by default.

list_zones() → list[str]: List zones. :return: List of zones. :rtype: list[str]

class sssd_test_framework.roles.ad.ADDNSZone(role: AD, name: str)

Bases: ADDNSServer, GenericDNSZone

AD DNS zone management.

ADDNSZone implements GenericDNSZone for static typing and provider-agnostic tests.

Parameters:

role (AD) – AD role object.
name (str) – DNS zone name.

zone_name: str: Zone name.

create() → ADDNSZone

Create new zone.

Returns:: Self.
Return type:: ADDNSZone

delete() → None: Delete zone.

add_record(name: str, data: str | int) → ADDNSZone

Add DNS record.

If data is a str, a forward record will be added. If an integer a reverse record will be added.

Parameters:

name (str) – Record name.
data (str) – Record data.

Returns:

ADDNSZone object.

Return type:

ADDNSZone

delete_record(name: str) → None

Delete DNS record, both forward and reverse records are deleted.

Parameters:: name (str) – Name or IP of the record.

print() → str

Prints all dns records in zone as text.

Returns:: Print zone data.
Return type:: str

class sssd_test_framework.roles.ad.ADCertificateAuthority(host: ADHost)

Bases: GenericCertificateAuthority

AD Certificate Authority server management.

ADCertificateAuthority implements GenericCertificateAuthority for static typing and provider-agnostic tests. It requests, revokes, places/removes certificate holds, and retrieves certificate information via certreq and certutil. request() requires AD-specific template and subject arguments; request_basic() is an additional AD helper without enrollment agent.

Initialize the AD Certificate Authority helper.

Parameters:: host (ADHost) – Remote AD host.

property is_available: bool

Check if AD Certificate Authority is available.

Returns:: True if AD CS is installed and running.
Return type:: bool

request_basic(template: str, subject: str, password: str = 'Secret123', key_size: int = 2048) → tuple[str, str, str]

Request a basic certificate from the AD CA without enrollment agent.

For smartcard testing, use request() instead which uses enrollment on behalf of functionality.

Parameters:

template (str) – Certificate template name (e.g., “User”).
subject (str) – Used for file naming only, not for certificate subject.
password (str, optional) – Password for PFX export, defaults to “Secret123”
key_size (int, optional) – RSA key size in bits, defaults to 2048

Returns:

A tuple of (certificate_path, pfx_path, csr_path).

Return type:

tuple[str, str, str]

request(template: str, subject: str, **kwargs: Any) → tuple[str, str, str]

Request a smartcard certificate using Enrollment Agent.

Implements GenericCertificateAuthority.request(). Uses “Enroll On Behalf Of” functionality to issue certificates with the correct subject for the target user. Extra **kwargs are ignored.

Parameters:

template (str) – Smartcard certificate template name (e.g., “SmartcardLogon”).
subject (str) – Certificate subject (e.g., “CN=testuser”).

Returns:

A tuple of (certificate_path, key_path, csr_path).

Return type:

tuple[str, str, str]

revoke(cert_path: str, reason: str = 'unspecified') → None

Revoke a certificate in AD CA.

Implements GenericCertificateAuthority.revoke().

Valid revocation reasons:

unspecified (default)
key_compromise
ca_compromise
affiliation_changed
superseded
cessation_of_operation
certificate_hold
remove_from_crl
privilege_withdrawn
aa_compromise

Parameters:

cert_path (str) – Path to the certificate file.
reason (str, optional) – Reason for revocation, defaults to “unspecified”

revoke_hold(cert_path: str) → None

Place a certificate on hold.

Implements GenericCertificateAuthority.revoke_hold().

Parameters:: cert_path (str) – Path to the certificate file.

revoke_hold_remove(cert_path: str) → None

Remove hold from a certificate.

Implements GenericCertificateAuthority.revoke_hold_remove().

Parameters:: cert_path (str) – Path to the certificate file.

get(cert_path: str) → dict[str, list[str]]

Retrieve certificate details from AD CA.

Implements GenericCertificateAuthority.get().

Parameters:: cert_path (str) – Path to the certificate file.
Returns:: A dictionary of certificate attributes.
Return type:: dict[str, list[str]]

export_pfx(cert_path: str, pfx_path: str, password: str = 'Secret123', include_chain: bool = False) → None

Export certificate as PFX file.

Parameters:

cert_path (str) – Path to the certificate file.
pfx_path (str) – Path where to save the PFX file.
password (str, optional) – Password for the PFX file, defaults to “Secret123”
include_chain (bool, optional) – Whether to include certificate chain, defaults to False

get_certificate_template(template_name: str) → dict[str, list[str]]

Get certificate template information.

Parameters:: template_name (str) – Name of the certificate template.
Returns:: Dictionary of template attributes.
Return type:: dict[str, list[str]]

cleanup() → None: Clean up temporary certificate directory.

get_ca_cert() → str

Get the CA certificate in PEM format.

Returns:: CA certificate in PEM format.
Return type:: str
Raises:: RuntimeError – If CA certificate cannot be retrieved.