Closed jnweiger closed 2 years ago
* objectguid with 0.16.0 -> occ user:sync succeeds to import all ldap users. OK
* objectsid with 0.16.0 -> occ user:sync fails (only groups are imported, no users). OK
* objectguid with 0.16.1-rc.1 -> occ user:sync succeeds to import all ldap users. OK
* objectsid with 0.16.1-rc.1 -> occ user:sync succeeds to import all ldap users. OK

hetzner_deploy/openldap_server.sh creates ~/ldif/45-lem1000.ldif with 1000 lemmings and 1000 rabbits in two groups.
time occ user:sync "OCA\User_LDAP\User_Proxy" --showCount --re-enable --missing-account-action=disable
AD Server with 1700 user via 10.7.0.2 internal hetzner network
QA passed.
User_Ldap Test Plan
Template: https://github.com/owncloud/QA/blob/master/Server/Test_Plan_user_ldap.md FIXME:
Setup
Setup details
* vi tasks/user_ldap.sh -> ldap_server=95.217.210.161 (small server from below)
* `bash ./oc10.sh user_ldap=0.16.0 windows_network_drive oauth2` (for testing old behaviour and upgrade testing)
  - https://oc10110-ldap-0160-20221107.jw-qa.owncloud.works
* `bash ./oc10.sh user_ldap windows_network_drive oauth2` (for testing new features without upgrade)
  - https://oc10110-ldap-0161rc1-20221108.jw-qa.owncloud.works

#### external storages:
- windows_network_drive
- SFTP

#### Microsoft AD:
1. Replacement server for fsweb.test.owncloud.works
   - available in a private 10.7.0.2 network at hetzner
   - there is also the corresponding WND server at 10.7.0.3

#### OpenLDAP:
3. small openldap server
   - less than 1000 users, less than 40 groups
   - two base DNs (we initially configure only one to owncloud)
   - (outdated: https://github.com/owncloud/docker-servers/tree/owncloud-openldap)

Testing functionality
Upgrade
ldap:test-config
- ldap:test-config with a valid configID
- ldap:test-config with a wrong host
- ~ldap:test-config with empty password~
- ldap:test-config with invalid configID

ldap:show-config
- ldap:show-config with no parameters
- ldap:show-config with valid configID
- ldap:show-config with invalid configID
- ldap:show-config with show-password flag
- ldap:show-config without show-password flag

ldap:set-config
- ldap:set-config with invalid configID
- ldap:set-config with valid configID

ldap:search
- ldap:search with valid configuration and longer limit
- ldap:search with offset multiple of limit (both positive)
- ldap:search name (default configuration)
- ldap:search name (fixed configuration – added “displayName” and/or other attributes in the User Search Attributes field in the wizard)
- ldap:search --group group (fixed configuration – added “displayName” and/or other attributes in the Group Search Attributes field in the wizard)
- occ ldap:search --group ''

ldap:check-user
- ldap:check-user with a good oC user id (the lengthy GUID string)
- ldap:check-user with a wrong oC user id
- ldap:check-user with a good oC user id + disabled "Configuration Active" in Advanced->Connection settings
- ldap:check-user with a good oC user id + 1 disabled configuration (another one active) + force option
- ldap:check-user with a good oC user id + all configurations disabled + force option; then enable the configuration and recheck

ldap:create-empty-config
- ldap:create-empty-config

ldap:delete-config
- ldap:delete-config
user:sync
sudo -u www-data ./occ user:sync "OCA\User_LDAP\User_Proxy"
LDAP quota
If both LDAP quota field and default LDAP quota are set
The LDAP quota field is empty and the default LDAP quota is set
If the LDAP quota field isn't empty and the LDAP default quota isn't set
If neither the LDAP quota field nor the default LDAP quota is set
Several LDAP servers
Test LDAP properties
LDAP Scenarios integrated with external Storage
User account table integration
- occ user:sync -l
- occ user:sync "OCA\User_LDAP\User_Proxy"
- occ user:sync "OCA\User_LDAP\User_Proxy" choosing disabling accounts option
- occ user:sync "OCA\User_LDAP\User_Proxy" choosing deleting accounts option

Wizard General
- occ user:sync "OCA\User_LDAP\User_Proxy" -m disable -r updates enabled/disabled users
- occ app:enable oauth2 -> The tabs do not overlap with user_ldap

Wizard Configuration Server
2. Click “Detect Base DN”
2. Base DN is found and appears in the corresponding text area
2. Click “Detect Base DN”
2. Base DN is found and appears in the corresponding text area
2. Click “Test Base DN”
2. Message “More then 1.000 directory entries available.” is shown. If total entries are less than 1k, the actual amount is shown
2. “Manually enter LDAP filters” is disabled
3. Move to Users tab
2. If the server does not support memberof, the group field is disabled and a message appears.
If it does and with more than 40 groups available, a different group selection tool is presented
3. A filter is created and shown next to “LDAP Filter:” (read only)
2. “Manually enter LDAP filters” is enabled
3. Move to Users tab
2. The multi select box elements are disabled
3. i.e. Neither object classes nor groups are being detected
Wizard Configuration Users
2. The input field for manually writing LDAP filter is shown (“raw mode”)
3. Click on “Edit LDAP Query”
2. Subsequent action is coherent with button click (either switch or stay)
1b. or “Manually enter LDAP filters” is disabled
3. Click on “Edit LDAP Query”
2. If assisted mode is activated for the first time, object class and groups detection is run once
2. Click again in the “edit LDAP query”
3. Select another object class keeping the old class
2. Open object class multiselect
3. Change values up to your choice and close it
2. The filter contains exactly all selected object classes
2. Open group multiselect
3. Change values up to your choice and close it
2. The filter contains exactly all selected groups. If primary groups are supported (AD only) for every group there is also a primaryGroupID= part
2. Perform search with the search input field
2. Select one or more groups in the “available groups” list
3. Click the “>” / "<" buttons.
2. Select one or more groups in the “available groups” list
3. Click the “<” button
2. The selected groups are added to the available groups list
2. Click on “Verify settings and count users”
2. When done, a label appears saying “xx users found”; if more than 1000 users are available, “> 1000 users found“ is shown
2. Click on “Verify settings and count users”
2. When done, a label appears saying “0 users found”
Wizard Configuration login
2. “Manually enter LDAP filters” is disabled
3. Move to Login Attributes tab
2. A filter is created and shown next to “LDAP Filter:” (read only)
2. “Manually enter LDAP filters” is enabled
3. Move to Login Attributes tab
2. The multi select box element for attribute is disabled
3. i.e. Attributes are not detected
2. The input field for manually writing LDAP filter is shown (“raw mode”)
3. Click on “Edit LDAP Query”
2. Subsequent action is coherent with button click (either switch or stay)
1b. or “Manually enter LDAP filters” is disabled
3. Click on “Edit LDAP Query”
2. If assisted mode is activated for the first time, object class and groups detection is run once
2. Click again in the “edit LDAP query”
3. Select another attribute keeping the old attribute
2. Open other attributes multiselect
3. Change values up to your choice and close it
2. The filter contains all selected attributes (and maybe more if checkboxes above are selected)
2. (Un)check LDAP / AD Username
2. (Un)check LDAP / AD Email address
2. Enter a valid “Test Loginname”
3. Click on “Verify settings”
2. A message shows the positive result: “User found and settings verified.”
2. Enter an invalid “Test Loginname”
3. Click on “Verify settings”
2. A failure message is shown containing the effective filter for manual testing: “User not found. Please check your login attributes and username. Effective filter (to copy-and-paste for command line validation): $FILTER“
Wizard Configuration groups
2. “Manually enter LDAP filters” is disabled
3. Move to Groups tab
2. If more than 40 groups available, a different group selection tool is presented (not the known multiselect)
3. No filter is created initially, no text next to “LDAP Filter:”
2. “Manually enter LDAP filters” is enabled
3. Move to Groups tab
2. The multi select box elements are disabled
3. i.e. Neither object classes nor groups are being detected
2. The input field for manually writing LDAP filter is shown (“raw mode”)
3. Click on “Edit LDAP Query”
2. Subsequent action is coherent with button click (either switch or stay)
1b. or “Manually enter LDAP filters” is disabled
3. Click on “Edit LDAP Query”
2. If assisted mode is activated for the first time, object class and groups detection is run once
2. Open object class multiselect
3. Change values up to your choice and close it
2. The filter contains exactly all selected object classes
2. Open group multiselect
3. Change values up to your choice and close it
2. The filter contains exactly all selected groups.
2. Perform search with the search input field
2. Select one or more groups in the “selected groups” list
3. Click the “<” button
2. Click on “Verify settings and count groups”
2. When done, a label appears saying “xx groups found”; if more than 1000 groups are available, “> 1000 groups found“ is shown
2. Click on “Verify settings and count groups”
2. When done, a label appears saying “0 groups found”
Wizard Configuration Advanced
2. Go to Advanced Tab
3. Be in Connection Settings
2. Go to Advanced Tab
3. Open Directory Settings
2. Group-Member-Association should be correct (depends on OpenLDAP, AD typically has “member (AD)”)
2. Go to Advanced Tab
3. Open Special Attributes
2. The database table ldap_user_mapping is emptied (needs to be filled before of course, e.g. by going to Users page)
2. The database table ldap_group_mapping is emptied (needs to be filled before of course, e.g. by going to Users page)
Wizard Configuration Chooser
2a) Click on No: deletion was cancelled
2b) Click on Yes: configuration was deleted and switched to first configuration
2. The status is updated accordingly
Maintenance Commands
occ ldap:invalidate-cache
occ group:list-members <group name>
occ user:list-groups <user id>
XXXXocc file:scan --group <group>
occ background:queue:ex ...
TODO: find expected behaviour
- [x] occ ldap:search --group
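The results at the top of this page rely on a generated test tree (hetzner_deploy/openldap_server.sh writing ~/ldif/45-lem1000.ldif with 1000 lemmings and 1000 rabbits in two groups), and several wizard checks depend on crossing the 1000-entry threshold (“More then 1.000 directory entries available.”, “> 1000 users found”). The following POSIX sh generator is an added example, not the issue's hetzner_deploy/openldap_server.sh and not part of the ownCloud project. It assumes a base DN of dc=example,dc=org, OUs named users and groups, the uid pattern lemming0001.., mail addresses under example.org and the throwaway password "secret" for every test user; all of these are assumptions, not values from the issue. It also sets displayName on each user so the “User Search Attributes” case in ldap:search has data to match.

```shell
#!/bin/sh
# Added example LDIF generator (not the issue's hetzner_deploy/openldap_server.sh).
# Writes COUNT "lemming" and COUNT "rabbit" inetOrgPerson users plus one
# groupOfNames group per kind, under two OUs. Assumed (not from the issue):
# base DN dc=example,dc=org, OUs "users"/"groups", mail @example.org, and the
# test-only password "secret" for every user - never reuse it on a real directory.

# gen_ldif BASE_DN COUNT OUTFILE
gen_ldif() {
    base="$1"; count="$2"; out="$3"
    {
        for ou in users groups; do
            printf 'dn: ou=%s,%s\nobjectClass: organizationalUnit\nou: %s\n\n' "$ou" "$base" "$ou"
        done
        for kind in lemming rabbit; do
            i=1
            while [ "$i" -le "$count" ]; do
                uid=$(printf '%s%04d' "$kind" "$i")
                # displayName is set so the "User Search Attributes" test has data to match on
                printf 'dn: uid=%s,ou=users,%s\nobjectClass: inetOrgPerson\nuid: %s\ncn: %s\nsn: %s\ndisplayName: %s %d\nmail: %s@example.org\nuserPassword: secret\n\n' \
                    "$uid" "$base" "$uid" "$uid" "$kind" "$kind" "$i" "$uid"
                i=$((i + 1))
            done
        done
        # one group per kind, listing every user of that kind as a member
        for kind in lemming rabbit; do
            printf 'dn: cn=%ss,ou=groups,%s\nobjectClass: groupOfNames\ncn: %ss\n' "$kind" "$base" "$kind"
            i=1
            while [ "$i" -le "$count" ]; do
                printf 'member: uid=%s%04d,ou=users,%s\n' "$kind" "$i" "$base"
                i=$((i + 1))
            done
            printf '\n'
        done
    } > "$out"
}

# Entry count of an LDIF (one "dn:" line per entry); lets you confirm the
# >1000 case before loading: 2 OUs + 2*COUNT users + 2 groups.
count_entries() { grep -c '^dn: ' "$1"; }

# Total member lines across the groups, to cross-check occ group:list-members later.
count_members() { grep -c '^member: ' "$1"; }

# Script usage: gen_ldif.sh BASE_DN COUNT OUTFILE (no-op when sourced for its functions)
if [ "$#" -eq 3 ]; then
    gen_ldif "$1" "$2" "$3"
    printf 'entries: %s\n' "$(count_entries "$3")"
fi
```

With COUNT=1000 the file holds 2004 entries (2 OUs, 2000 users, 2 groups), which is enough to trigger the wizard's “> 1000” branch in the user count while keeping the group count far below 40, matching the “small openldap server” setup above. Load it with `ldapadd -x -H ldap://SERVER -D "cn=admin,dc=example,dc=org" -W -f ~/ldif/45-lem1000.ldif` (admin DN assumed) before running the `occ user:sync` matrix.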