sssd_test_framework.utils.sssd

Manage and configure SSSD.

Classes

SSSDCommonConfiguration(sssd)	Setup common SSSD configurations.
SSSDLogsPath(sssd)
SSSDUtils(*args, **kwargs)	Manage and configure SSSD.

class sssd_test_framework.utils.sssd.SSSDCommonConfiguration(sssd: SSSDUtils)

Bases: object

Setup common SSSD configurations.

This class provides shortcuts to setup SSSD for common scenarios.

sssd: SSSDUtils

SSSD utils.

local() → None

Create local SSSD domain for local users.

This is a proxy domain that uses nss_files and PAM system-auth service.

krb_provider(backend: KDC | GenericProvider) → None

Set auth_provider to krb5 and populate krb5 options.

This method sets auth_provider=krb5 and configures krb5_realm, krb5_server, and krb5_kpasswd based on the provided backend (KDC, IPA, or AD).

Parameters:

backend (KDC | GenericProvider) – Backend role object (KDC, IPA, or AD).

krb5_auth(kdc: KDC, domain: str | None = None) → None

Configure auth_provider to krb5, using the KDC from the multihost configuration.

1. Merge KDC configuration into the given domain (or default domain)

2. Generate /etc/krb5.conf from given KDC role

Parameters:

• kdc (KDC) – KDC role object.

• domain (str | None, optional) – Existing domain name, defaults to None (= default domain)

Raises:

ValueError – if invalid domain is given.

kcm(kdc: KDC, *, local_domain: bool = True) → None

Configure Kerberos to allow KCM tests.

1. Generate /etc/krb5.conf from given KDC role

2. If local_domain is True, create an SSSD domain local for local users

Parameters:

• kdc (KDC) – KDC role object.

• local_domain – Create local SSSD domain for local users, defaults to True

sudo() → None

Configure SSSD with sudo.

1. Select authselect sssd profile with ‘with-sudo’

2. Enable sudo responder

gssapi() → None

Configure SSSD with gssapi.

1. Select authselect sssd profile with “with-gssapi” and “with-sudo”

2. Configure SSSD pam_gssapi_services in SSSD configuration

autofs() → None

Configure SSSD with autofs.

1. Select authselect sssd profile

2. Enable autofs responder

mkhomedir() → None

Configure SSSD with mkhomedir and oddjobd.

1. Select authselect sssd profile with ‘with-mkhomedir’

2. Start oddjobd.service

dyndns(device: str = 'dummy0') → None

Configure SSSD for dynamic DNS.

Parameters:

device (str) – Network device, defaults to ‘dummy0’

ldap_provider(server: str, naming_context: str, bind_user_dn: str, bind_password: str, subids: bool = False, cacert: str = '/etc/ipa/ca.crt', tls_reqcert: str = 'demand', ssl: bool = False, config: dict[str, str] | None = None) → None

Configure SSSD to use the ldap_provider to connect to IPA or AD. This is an alternate configuration and should rarely be used. LDAP provider test cases should cover these scenarios.

Parameters:

• server (str) – LDAP server.

• naming_context (str) – Naming context

• bind_user_dn (str) – Bind user distinguished name.

• bind_password (str) – Bind password.

• subids (bool) – Enable subids, optional

• cacert (str) – CA certificate, defaults to’/etc/ipa/ca.crt’

• tls_reqcert (str) – Force TLS, defaults to ‘demand’

• ssl (bool) – Enable SSL, defaults to ‘False’

• config (dict[str, str] | None) – Additional configuration, optional

proxy(proxy: Literal['files', 'ldap'] = 'files', provider: str | list[str] = 'id', proxy_pam_target: str | None = None, proxy_pam_stack: str | None = None, server_hostname: str | None = None, domain: str | None = None)

Configure files or ldap proxy domain.

Parameters:

• proxy (Literal["files", "ldap"]) – ldap or files, defaults to files

• provider (str | list[str]) – SSSD providers (id, auth, chpass, …), defaults to id

• proxy_pam_target (str | None) – SSSD option proxy_pam_target, defaults to None (= system-auth (files), sssdproxyldap (ldap))

• proxy_pam_stack (str | None) – Custom PAM stack written to /etc/pam.d/@proxy_pam_target, defaults to None (= ignored (files), pam_ldap.so (ldap))

• server_hostname (str | None) – LDAP server hostname for ldap proxy (ldap), ignored (files), defaults to None

• domain (str | None, optional) – Proxy domain name, defaults to None (= default domain)

pam(features: list[str] | None = None) → None

Configure SSSD with pam.

1. Select authselect sssd profile

2. Enable pam responder in sssd profile

Parameters:

features (list[str], optional) – list of authselect features

socket_responders(responders: list[str] | None = None) → None

Configure SSSD for socket-activated responders.

Removes specified responders from the services line in sssd.conf to enable socket activation, while keeping other services running as traditional services.

Parameters:

responders (list[str] | None) – List of responders to enable via socket activation. If None, enables all known socket responders.

Raises:

RuntimeError – If starting a socket unit fails.

subid() → None

Configure SSSD for subid.

smartcard_with_softhsm(smartcard: SmartCardUtils) → None

Configure SSSD for smart card authentication with SoftHSM multi-token support.

Parameters:

smartcard (SmartCardUtils) – SmartCardUtils instance.

class sssd_test_framework.utils.sssd.SSSDLogsPath(sssd: SSSDUtils)

Bases: object

property monitor: str

Return path to SSSD monitor logs.

property autofs: str

Return path to SSSD autofs logs.

property ifp: str

Return path to SSSD ifp logs.

property kcm: str

Return path to SSSD kcm logs.

property nss: str

Return path to SSSD nss logs.

property pac: str

Return path to SSSD pac logs.

property pam: str

Return path to SSSD pam logs.

property ssh: str

Return path to SSSD ssh logs.

property sudo: str

Return path to SSSD sudo logs.

domain(name: str | None = None) → str

Return path to SSSD domain log for given domain. If the domain name is not set then SSSDUtils.default_domain is used.

Parameters:

name (str | None, optional) – Domain name, defaults to None (=:attr:SSSDUtils.default_domain)

Returns:

Path to SSSD domain log.

Return type:

str

class sssd_test_framework.utils.sssd.SSSDUtils(*args, **kwargs)

Bases: MultihostUtility[MultihostHost]

Manage and configure SSSD.

Note

All changes are automatically reverted when a test is finished.

Parameters:

• host (MultihostHost) – Multihost host.

• fs (LinuxFileSystem) – File system utils.

• svc (SystemdServices) – Systemd utils.

• authselect (AuthselectUtils) – Authselect utils.

• load_config (bool, optional) – If True, existing configuration is loaded to config, otherwise default configuration is generated, defaults to False

authselect: AuthselectUtils

Authselect utils.

fs: LinuxFileSystem

Filesystem utils.

svc: SystemdServices

Systemd utils.

config: configparser.ConfigParser

SSSD configuration object.

default_domain: str | None

Default SSSD domain.

common: SSSDCommonConfiguration

Shortcuts to setup common SSSD configurations.

logs: SSSDLogsPath

Shortcuts to SSSD log paths.

async_start(service='sssd', service_user='sssd', *, apply_config: bool = True, check_config: bool = True, debug_level: str | None = '0xfff0', clean: bool = False) → Process

Start the SSSD and KCM services. Non-blocking call.

Parameters:

• service (str, optional) – Service to start, defaults to ‘sssd’

• service_user (str, optional) – User used to start the service, defaults to ‘sssd’

• apply_config (bool, optional) – Apply current configuration, defaults to True

• check_config (bool, optional) – Check configuration for typos, defaults to True

• debug_level (str | None, optional) – Automatically set debug level to the given value, defaults to 0xfff0

• clean (bool, defaults to False) – Does a clean restart, clearing the cache, defaults to False

Returns:

Running SSH process.

Return type:

Process

start(service='sssd', service_user='sssd', *, raise_on_error: bool = True, apply_config: bool = True, check_config: bool = True, debug_level: str | None = '0xfff0', clean: bool = False) → ProcessResult

Start the SSSD and KCM services. The call will wait until the operation is finished.

Parameters:

• service (str, optional) – Service to start, defaults to ‘sssd’

• service_user (str, optional) – User used to start the service, defaults to ‘sssd’

• raise_on_error (bool, optional) – Raise exception on error, defaults to True

• apply_config (bool, optional) – Apply current configuration, defaults to True

• check_config (bool, optional) – Check configuration for typos, defaults to True

• debug_level (str | None, optional) – Automatically set debug level to the given value, defaults to 0xfff0

• clean (bool, defaults to False) – Does a clean restart, clearing the cache, defaults to False

Returns:

SSH process result.

Return type:

ProcessResult

async_stop(service='sssd') → Process

Stop the SSSD and KCM services. Non-blocking call.

Parameters:

service (str, optional) – Service to start, defaults to ‘sssd’

Returns:

Running SSH process.

Return type:

Process

stop(service='sssd', *, raise_on_error: bool = True) → ProcessResult

Stop the SSSD and KCM services. The call will wait until the operation is finished.

Parameters:

• service (str, optional) – Service to start, defaults to ‘sssd’

• raise_on_error (bool, optional) – Raise exception on error, defaults to True

Returns:

SSH process result.

Return type:

Process

async_restart(service='sssd', *, apply_config: bool = True, check_config: bool = True, debug_level: str | None = '0xfff0', clean: bool = False) → Process

Restart the SSSD and KCM services. Non-blocking call.

Parameters:

• service (str, optional) – Service to start, defaults to ‘sssd’

• apply_config (bool, optional) – Apply current configuration, defaults to True

• check_config (bool, optional) – Check configuration for typos, defaults to True

• debug_level (str | None, optional) – Automatically set debug level to the given value, defaults to 0xfff0

• clean (bool, defaults to False) – Does a clean restart, clearing the cache, defaults to False

Returns:

Running SSH process.

Return type:

Process

restart(service='sssd', *, raise_on_error: bool = True, apply_config: bool = True, check_config: bool = True, debug_level: str | None = '0xfff0', clean: bool = False) → ProcessResult

Restart the SSSD and KCM services. The call will wait until the operation is finished.

Parameters:

• service (str, optional) – Service to start, defaults to ‘sssd’

• raise_on_error (bool, optional) – Raise exception on error, defaults to True

• apply_config (bool, optional) – Apply current configuration, defaults to True

• check_config (bool, optional) – Check configuration for typos, defaults to True

• debug_level (str | None, optional) – Automatically set debug level to the given value, defaults to 0xfff0

• clean (bool, defaults to False) – Does a clean restart, clearing the cache, defaults to False

Returns:

SSH process result.

Return type:

ProcessResult

clear(*, db: bool = True, memcache: bool = True, config: bool = False, logs: bool = False)

Clear SSSD data.

Parameters:

• db (bool, optional) – Remove cache and database, defaults to True

• memcache (bool, optional) – Remove in-memory cache, defaults to True

• config (bool, optional) – Remove configuration files, defaults to False

• logs (bool, optional) – Remove logs, defaults to False

set_service_user(user: str) → None

Reconfigures ‘sssd.service’ systemd service description to run SSSD service under ‘user’ (only ‘root’ or ‘sssd’ are supported by SSSD). Take a note, this currently doesn’t handle reconfiguration of socket activated services.

Parameters:

user (str) – Option value to set.

Raises:

ValueError – in case error happens.

set_server(provider: GenericProvider) → None

Set the correct ‘ldap_server | ipa_server | ad_server’ parameter and value for the role.

Parameters:

provider (GenericProvider) – Generic provider object.

set_invalid_primary_server(provider: GenericProvider) → None

Sets an non working server value for ‘ldap_server | ipa_server | ad_server’ parameter and a working server value for ‘ldap_backup_server | ipa_backup_server | ad_backup_server’ for failover testing.

Parameters:

provider (GenericProvider) – Generic provider object.

enable_responder(responder: str) → None

Include the responder in the [sssd]/service option.

Parameters:

responder (str) – Responder to enable.

import_domain(name: str, role: MultihostRole) → None

Import SSSD domain from role object.

Parameters:

• name (str) – SSSD domain name.

• role (MultihostRole) – Provider role object to use for import.

Raises:

ValueError – If unsupported provider is given.

merge_domain(name: str, role: BaseRole) → None

Merge SSSD domain configuration from role object into the domain.

If domain name is not provided then the default domain is used.

Parameters:

• name (str) – Target SSSD domain name

• role (BaseRole) – Provider role object to use for import.

Raises:

ValueError – If unsupported provider is given.

config_dumps() → str

Get current SSSD configuration.

Returns:

SSSD configuration.

Return type:

str

config_load() → None

Load remote SSSD configuration.

config_apply(check_config: bool = True, debug_level: str | None = '0xfff0') → None

Apply current configuration on remote host.

Parameters:

• check_config (bool, optional) – Check configuration for typos, defaults to True

• debug_level (str | None, optional) – Automatically set debug level to the given value, defaults to 0xfff0

genconf(section: str | None = None) → ProcessResult

Exec sssd --genconf or sssd --genconf-section=section if section is not None.

Parameters:

section (str | None, optional) – Section that will be refreshed. Defaults to None.

Returns:

Result of the ran command.

Return type:

ProcessResult

bring_offline() → None

Send SIGUSR1 to SSSD process in order to bring it offline and terminate existing connections.

bring_online() → None

Send SIGUSR2 to SSSD process in order to bring it back online.

section(name: str) → SectionProxy

Get sssd.conf section.

Parameters:

name (str) – Section name.

Returns:

Section configuration object.

Return type:

configparser.SectionProxy

dom(name: str) → SectionProxy

Get sssd.conf domain section.

Parameters:

name (str) – Domain name.

Returns:

Section configuration object.

Return type:

configparser.SectionProxy

subdom(domain: str, subdomain: str) → SectionProxy

Get sssd.conf subdomain section.

Parameters:

• domain (str) – Domain name.

• subdomain (str) – Subdomain name.

Returns:

Section configuration object.

Return type:

configparser.SectionProxy

property domain: SectionProxy

Default domain section configuration object.

Default domain is the first domain imported by import_domain().

Raises:

ValueError – If no default domain is set.

Returns:

Section configuration object.

Return type:

configparser.SectionProxy

property sssd: SectionProxy

Configuration of the sssd section of sssd.conf.

property autofs: SectionProxy

Configuration of the autofs section of sssd.conf.

property ifp: SectionProxy

Configuration of the ifp section of sssd.conf.

property kcm: SectionProxy

Configuration of the kcm section of sssd.conf.

property nss: SectionProxy

Configuration of the nss section of sssd.conf.

property pac: SectionProxy

Configuration of the pac section of sssd.conf.

property pam: SectionProxy

Configuration of the pam section of sssd.conf.

property ssh: SectionProxy

Configuration of the ssh section of sssd.conf.

property sudo: SectionProxy

Configuration of the sudo section of sssd.conf.