Users in the staging area must be unable to log in by design. The test should cover all possible methods and verify that none can be used to log in successfully.
Any bind mechanism (simple, gssapi, cert-mapping) selecting a staging entry (cn=provisioning container) should get nsaccountlock=Yes because of the following COS definition:
dn: cn=provisioning accounts lock,cn=accounts,cn=provisioning,<suffix>
objectClass: ldapSubEntry
objectClass: top
objectClass: cosSuperDefinition
objectClass: cosPointerDefinition
costemplatedn: cn=Inactivation cos template,cn=accounts,cn=provisioning,<suffix>
cn: provisioning accounts lock
cosAttribute: nsaccountlock operational

dn: cn=Inactivation cos template,cn=accounts,cn=provisioning,<suffix>
objectClass: cosTemplate
objectClass: top
objectClass: extensibleObject
cosPriority: 1
cn: Inactivation cos template
nsAccountLock: true
The expected result is that BIND should fail on that entry.
Metadata Update from @dkupka: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.5 backlog
Metadata Update from @rcritten: - Issue close_status updated to: None - Issue tagged with: tests
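An added example, not part of the ticket or of FreeIPA's test suite: a simplified Python model of how the pointer CoS definition quoted in the ticket yields nsAccountLock for entries under cn=accounts,cn=provisioning, useful for deciding which DNs a login test must see refused. The suffix dc=example,dc=test, the sample DNs (including the "staged users" and "users" containers) and the function names are assumptions made for illustration; scope and qualifier handling follow 389 Directory Server's documented CoS behaviour in reduced form.

```python
# Simplified model of pointer CoS evaluation (added example, not FreeIPA code).
SUFFIX = "dc=example,dc=test"  # constructed stand-in for <suffix>

# CoS definition from the ticket, trimmed to the attributes this model reads.
COS_LDIF = """\
dn: cn=provisioning accounts lock,cn=accounts,cn=provisioning,<suffix>
objectClass: cosPointerDefinition
costemplatedn: cn=Inactivation cos template,cn=accounts,cn=provisioning,<suffix>
cosAttribute: nsaccountlock operational

dn: cn=Inactivation cos template,cn=accounts,cn=provisioning,<suffix>
objectClass: cosTemplate
cosPriority: 1
nsAccountLock: true
""".replace("<suffix>", SUFFIX)


def norm(dn):
    """Lowercase and strip RDN padding (assumes no escaped commas in values)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text):
    """Return {normalized dn: {lowercased attr: [values]}} for unfolded LDIF."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[norm(attrs["dn"][0])] = attrs
    return entries


def effective_attr(entry_dn, own_attrs, entries, attr="nsaccountlock"):
    """Value a client would see for attr on entry_dn once pointer CoS applies."""
    own = own_attrs.get(attr)
    for dn, entry in entries.items():
        if "cosPointerDefinition" not in entry.get("objectclass", []):
            continue
        scope = dn.split(",", 1)[1]  # CoS covers the subtree under the definition's parent
        in_scope = norm(entry_dn).endswith("," + scope)
        for spec in entry.get("cosattribute", []):
            name, _, qualifier = spec.partition(" ")
            if not in_scope or name.lower() != attr:
                continue
            template = entries[norm(entry["costemplatedn"][0])]
            # "operational"/"override" replace the entry's own value; "default" does not
            if own is None or qualifier in ("operational", "override"):
                return template[attr][0]
    return own
```

Because the qualifier is `operational`, a staging entry that stores its own `nsaccountlock: false` still evaluates to `true`, so a test should try that case for every bind mechanism as well.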