Testing IPA Trusts
To test a setup with an IPA server and a trusted Active Directory or Samba domain, you can use the following topologies:
sssd_test_framework.topology.KnownTopologyGroup.IPATrust(parametrized)
The topology provides the "trusted" fixture, which is a reference to the trusted domain role object (either AD or Samba). You can use the GenericADProvider generic class for parametrized tests.
Example usage
import pytest
from sssd_test_framework.roles.generic import GenericADProvider
from sssd_test_framework.roles.ipa import IPA
from sssd_test_framework.topology import KnownTopologyGroup


@pytest.mark.topology(KnownTopologyGroup.IPATrust)
def test_trust__example(ipa: IPA, trusted: GenericADProvider):
    # Fully qualified name of the trusted domain's administrator
    username = trusted.fqn("administrator")

    # Add the trusted user to an external group nested in a POSIX group
    external = ipa.group("external-group").add(external=True).add_member(username)
    ipa.group("posix-group").add(gid=5001).add_member(external)

    ipa.sssd.clear(db=True, memcache=True, logs=True)
    ipa.sssd.restart()

    # Cache trusted user
    result = ipa.tools.id(username)
    assert result is not None
    assert result.user.name == username
    assert result.memberof("posix-group")

    # Expire the user and resolve it again; this will trigger the affected code path
    ipa.sssctl.cache_expire(user=username)
    result = ipa.tools.id(username)
    assert result is not None
    assert result.user.name == username
    assert result.memberof("posix-group")

    # Check that SSSD did not go offline
    result = ipa.sssctl.domain_status(trusted.domain, online=True)
    assert "online status: offline" not in result.stdout.lower()
    assert "online status: online" in result.stdout.lower()