tests: ldap change password tests

Dan Lavu · Dan Lavu · commit 20248d2ab656 · 2025-03-15T16:05:20.000-04:00
* ldap now edits the aci by default allowing users to change their
  passwords
* removed su from test_ldap__password_change_no_grace_logins_left
* test_ldap__shadow_policy_change_password has been parametrized in
  test_authentication.py, only test shadow policy now, renamed to match
  test_authentication
diff --git a/src/tests/system/tests/test_ldap.py b/src/tests/system/tests/test_ldap.py
@@ -113,16 +113,14 @@ def test_ldap__authenticate_user_with_whitespace_prefix_in_userid(client: Client
 @pytest.mark.ticket(bz=1507035)
 @pytest.mark.topology(KnownTopology.LDAP)
 @pytest.mark.parametrize("method", ["su", "ssh"])
-def test_ldap__change_password_when_ldap_pwd_policy_is_set_to_shadow(client: Client, ldap: LDAP, method: str):
+def test_ldap__shadow_policy_change_password(client: Client, ldap: LDAP, method: str):
     """
     :title: Change password with shadow ldap password policy is set to shadow
     :description: Changing a password when the password policy is managed by the shadowAccount objectclass.
     :setup:
-        1. Configure the LDAP ACI to permit user password changes
-        2. Create user with shadowLastChange = 0, shadowMin = 0, shadowMax = 99999 and shadowWarning = 7
-        3. Set "ldap_pwd_policy = shadow"
-        4. Set "ldap_chpass_update_last_change = True"
-        5. Start SSSD
+        1. Create user with shadowLastChange = 0, shadowMin = 0, shadowMax = 99999 and shadowWarning = 7
+        2. Set "ldap_pwd_policy = shadow" and "ldap_chpass_update_last_change = True"
+        4. Start SSSD
     :steps:
         1. Authenticate as "tuser" with old password
         2. Authenticate as "tuser" with new password
@@ -131,7 +129,6 @@ def test_ldap__change_password_when_ldap_pwd_policy_is_set_to_shadow(client: Cli
         2. Authentication with new password was successful
     :customerscenario: True
     """
-    ldap.aci.add('(targetattr="userpassword")(version 3.0; acl "pwp test"; allow (all) userdn="ldap:///self";)')
     ldap.user("tuser").add(
         uid=999011, gid=999011, shadowMin=0, shadowMax=99999, shadowWarning=7, shadowLastChange=0, password="Secret123"
     )
@@ -342,10 +339,9 @@ def test_ldap__lookup_and_authenticate_as_user_with_different_object_search_base
     "modify_mode, expected, err_msg",
     [("exop", 1, "Expected login failure"), ("exop_force", 3, "Expected password change request")],
 )
-@pytest.mark.parametrize("method", ["su", "ssh"])
 @pytest.mark.topology(KnownTopology.LDAP)
 def test_ldap__password_change_no_grace_logins_left(
-    client: Client, ldap: LDAP, modify_mode: str, expected: int, err_msg: str, method: str
+    client: Client, ldap: LDAP, modify_mode: str, expected: int, err_msg: str
 ):
     """
     :title: Password change when no grace logins left
@@ -382,7 +378,7 @@ def test_ldap__password_change_no_grace_logins_left(
     client.sssd.domain["ldap_pwmodify_mode"] = modify_mode
     client.sssd.start()
 
-    rc, _, _, _ = client.auth.parametrize(method).password_with_output("user1", "Secret123")
+    rc, _, _, _ = client.auth.ssh.password_with_output("user1", "Secret123")
     assert rc == expected, err_msg
 
 
