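*** Settings ***
Documentation    Test Redfish LDAP user configuration.
...
...              The suite PATCHes the BMC's AccountService (LDAP or
...              ActiveDirectory settings, remote role mapping and account
...              lockout attributes) and logs in both with Redfish.Login's
...              defaults and as the LDAP user.  The variables checked in
...              'Suite Setup Execution' must be supplied by the caller.

# gen_robot_valid.py was listed twice; one import is enough.
Library          ../../lib/gen_robot_valid.py
Resource         ../../lib/resource.robot
Resource         ../../lib/bmc_redfish_resource.robot
Resource         ../../lib/openbmc_ffdc.robot

Suite Setup      Suite Setup Execution
# Put the role mapping back before the session is closed.
Suite Teardown   Run Keywords  Restore LDAP Privilege  AND  Redfish.Logout
# A test that declares its own [Teardown] replaces this default.
Test Teardown    FFDC On Test Case Fail

Force Tags       LDAP_Test
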
*** Variables ***
# Suite-level placeholders, all empty until something assigns them.
# Read by 'Restore LDAP Privilege'.
${old_ldap_privilege}   ${EMPTY}
# Read by 'Restore AccountLockout Attributes'.
&{old_account_service}  &{EMPTY}
# Not referenced by any test or keyword visible in this file.
&{old_ldap_config}      &{EMPTY}
# Read by 'Update LDAP Config And Verify Set Host Name'.
${hostname}             ${EMPTY}

*** Test Cases ***

Verify LDAP Configuration Created
    [Documentation]  Create the LDAP configuration and check that the LDAP
    ...  user can log in with it.
    [Tags]  Verify_LDAP_Configuration_Created

    Create LDAP Configuration
    # Reading the configuration back confirms that the entry exists.
    Get LDAP Configuration  ${LDAP_TYPE}
    Sleep  10s
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Close the LDAP session and log in again without arguments, which is the
    # state the rest of the suite expects.
    Redfish.Logout
    Redfish.Login


Verify LDAP Service Disable
    [Documentation]  Disable the LDAP service and verify that the LDAP user
    ...  is refused at login.
    [Tags]  Verify_LDAP_Service_Disable

    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${FALSE}}}
    Sleep  15s
    # Capture the login result as a status so a refused login does not abort
    # the test; a refusal is the expected outcome here.
    ${resp}=  Run Keyword And Return Status
    ...  Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Should Be Equal  ${resp}  ${FALSE}
    ...  msg=LDAP user was able to login even though the LDAP service was disabled.
    # NOTE(review): if the check above fails, the steps below are skipped and
    # the LDAP service stays disabled for the tests that follow.
    Redfish.Logout
    Redfish.Login
    # Re-enable LDAP so that the LDAP user works again.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${TRUE}}}
    Redfish.Logout
    Redfish.Login


Verify LDAP Login With ServiceEnabled
    [Documentation]  Enable the LDAP service and verify that the LDAP user
    ...  can log in.
    [Tags]  Verify_LDAP_Login_With_ServiceEnabled

    # Switch the other directory type off first.
    Disable Other LDAP
    # Enable the type under test.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${TRUE}}}
    Sleep  15s
    # The LDAP login must succeed once the update has been applied.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Return to the login made without arguments.
    Redfish.Logout
    Redfish.Login


Verify LDAP Login With Correct AuthenticationType
    [Documentation]  Set AuthenticationType to UsernameAndPassword and verify
    ...  that the LDAP user can log in.
    [Tags]  Verify_LDAP_Login_With_Correct_AuthenticationType

    # Robot variable names are case-insensitive, so this is the suite's LDAP type.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'Authentication': {'AuthenticationType':'UsernameAndPassword'}}}
    Sleep  15s
    # The LDAP login must succeed once the update has been applied.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
    Redfish.Login


Verify LDAP Config Update With Incorrect AuthenticationType
    [Documentation]  Verify that a PATCH with the AuthenticationType
    ...  KerberosKeytab is rejected.
    [Tags]  Verify_LDAP_Update_With_Incorrect_AuthenticationType

    ${body}=  Catenate  {'${LDAP_TYPE}': {'Authentication': {'AuthenticationType':'KerberosKeytab'}}}

    # HTTP 400 is the only status accepted, so the test fails if the BMC
    # applies the value.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=${body}  valid_status_codes=[400]


Verify LDAP Login With Correct LDAP URL
    [Documentation]  Configure the real LDAP server URI and verify that the
    ...  LDAP user can log in.
    [Tags]  Verify_LDAP_Login_With_Correct_LDAP_URL

    # 'Config LDAP URL' expects a successful login unless told otherwise.
    Config LDAP URL  ${LDAP_SERVER_URI}


Verify LDAP Config Update With Incorrect LDAP URL
    [Documentation]  Configure an LDAP URL that is not the real server and
    ...  verify that the LDAP login fails.
    [Tags]  Verify_LDAP_Config_Update_With_Incorrect_LDAP_URL
    # The working URL is restored whether or not the test passes.
    [Teardown]  Run Keywords
    ...  Restore LDAP URL  AND  FFDC On Test Case Fail

    # The second argument is the expected login status: a failure.
    Config LDAP URL  ldap://1.2.3.4/  ${FALSE}

Verify LDAP Configuration Exist
    [Documentation]  Verify that AccountService exposes a configuration for
    ...  the LDAP type under test.
    [Tags]  Verify_LDAP_Configuration_Exist

    # A missing attribute yields the empty default, which fails the check below.
    ${resp}=  Redfish.Get Attribute
    ...  ${REDFISH_BASE_URI}AccountService  ${LDAP_TYPE}  default=${EMPTY}
    Should Not Be Empty  ${resp}  msg=LDAP configuration is not defined.


Verify LDAP User Login
    [Documentation]  Verify that the LDAP user is able to log in to the BMC.
    [Tags]  Verify_LDAP_User_Login

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Return to the login made without arguments.
    Redfish.Logout
    Redfish.Login


Verify LDAP Service Available
    [Documentation]  Verify that the LDAP configuration contains an
    ...  LDAPService entry.
    [Tags]  Verify_LDAP_Service_Available

    # The configuration is assigned to a list variable, exactly as before;
    # 'Should Contain' then looks for the LDAPService name in it.
    @{ldap_configuration}=  Get LDAP Configuration  ${LDAP_TYPE}
    Should Contain  ${ldap_configuration}  LDAPService
    ...  msg=LDAPService is not available.


Verify LDAP Login Works After BMC Reboot
    [Documentation]  Reboot the BMC and verify that the LDAP user can still
    ...  log in afterwards.
    [Tags]  Verify_LDAP_Login_Works_After_BMC_Reboot

    Redfish OBMC Reboot (off)
    # The login succeeds only if the LDAP configuration survived the reboot.
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Redfish.Logout
    Redfish.Login


Verify LDAP User With Admin Privilege Able To Do BMC Reboot
    [Documentation]  Verify that an LDAP user with administrator privilege is
    ...  able to reboot the BMC.
    [Tags]  Verify_LDAP_User_With_Admin_Privilege_Able_To_Do_BMC_Reboot

    # NOTE(review): the role comes from GROUP_PRIVILEGE; the test name
    # assumes it is the administrator role — confirm in the run parameters.
    Update LDAP Configuration with LDAP User Role And Group
    ...  ${LDAP_TYPE}  ${GROUP_PRIVILEGE}  ${GROUP_NAME}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # The reboot is requested while the LDAP user's session is active.
    Redfish OBMC Reboot (off)
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Return to the login made without arguments.
    Redfish.Logout
    Redfish.Login


Verify LDAP User With Operator Privilege Able To Do Host Poweroff
    [Documentation]  Verify that an LDAP user mapped to the Operator role can
    ...  power the host off.
    [Tags]  Verify_LDAP_User_With_Operator_Privilege_Able_To_Do_Host_Poweroff
    # This replaces the suite-wide test teardown, so 'FFDC On Test Case Fail'
    # does not run for this test.
    [Teardown]  Restore LDAP Privilege

    Update LDAP Configuration with LDAP User Role And Group
    ...  ${LDAP_TYPE}  Operator  ${GROUP_NAME}

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Only HTTP 200 is accepted for the ForceOff request.
    Redfish.Post  ${REDFISH_POWER_URI}
    ...  body={'ResetType': 'ForceOff'}   valid_status_codes=[200]
    Redfish.Logout
    Redfish.Login


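Verify AccountLockout Attributes Set To Zero
    [Documentation]  Verify that attribute AccountLockoutDuration and
    ...  AccountLockoutThreshold are set to 0.
    [Teardown]  Run Keywords  Restore AccountLockout Attributes  AND
    ...  FFDC On Test Case Fail
    [Tags]  Verify_AccountLockout_Attributes_Set_To_Zero

    ${old_account_service}=  Redfish.Get Properties
    ...  ${REDFISH_BASE_URI}AccountService
    # A value assigned in the test body is local to the test.  Publish it at
    # suite scope so that 'Restore AccountLockout Attributes' sees the saved
    # properties; otherwise it sees the empty default, skips the restore and
    # both lockout attributes stay at 0 on the BMC.
    Set Suite Variable  ${old_account_service}
    Rprint Vars  old_account_service
    # The two attributes are patched in separate requests.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutDuration', 0)]
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutThreshold', 0)]

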
Verify LDAP User With Read Privilege Able To Check Inventory
    [Documentation]  Verify that an LDAP user with a read-only role is able
    ...  to read the firmware inventory.
    [Tags]  Verify_LDAP_User_With_Read_Privilege_Able_To_Check_Inventory
    [Teardown]  Run Keywords
    ...  FFDC On Test Case Fail  AND  Restore LDAP Privilege
    [Template]  Set Read Privilege And Check Firmware Inventory

    # read_privilege (the template runs once per row)
    User
    Callback


Verify LDAP User With Read Privilege Should Not Do Host Poweron
    [Documentation]  Verify that an LDAP user with a read-only role is not
    ...  allowed to power on the host.
    [Tags]  Verify_LDAP_User_With_Read_Privilege_Should_Not_Do_Host_Poweron
    [Teardown]  Run Keywords
    ...  FFDC On Test Case Fail  AND  Restore LDAP Privilege
    [Template]  Set Read Privilege And Check Poweron

    # read_privilege (the template runs once per row)
    User
    Callback


Update LDAP Group Name And Verify Operations
    [Documentation]  For each group name and role, verify whether the LDAP
    ...  user is allowed to set the host name.
    [Tags]  Update_LDAP_Group_Name_And_Verify_Operations
    [Template]  Update LDAP Config And Verify Set Host Name
    # This replaces the suite-wide test teardown, so 'FFDC On Test Case Fail'
    # does not run for this test.
    [Teardown]  Restore LDAP Privilege

    # Only the real group mapped to Administrator may change the host name;
    # every other row must be refused with 401 or 403.
    # group_name             group_privilege  valid_status_codes
    ${GROUP_NAME}            Administrator    [${HTTP_OK}]
    ${GROUP_NAME}            Operator         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    ${GROUP_NAME}            User             [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    ${GROUP_NAME}            Callback         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  Administrator    [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  Operator         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  User             [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]
    Invalid_LDAP_Group_Name  Callback         [${HTTP_UNAUTHORIZED}, ${HTTP_FORBIDDEN}]


Verify LDAP BaseDN Update And LDAP Login
    [Documentation]  Update the base DN of the LDAP configuration and verify
    ...  that the LDAP login works.
    [Tags]  Verify_LDAP_BaseDN_Update_And_LDAP_Login

    # Catenate joins the continuation cells with single spaces; the payload
    # text is therefore built exactly as before.
    ${body}=  Catenate  {'${LDAP_TYPE}': { 'LDAPService': {'SearchSettings':
    ...   {'BaseDistinguishedNames': ['${LDAP_BASE_DN}']}}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
    Sleep  15s
    # Logs in as the LDAP user, expects success, then restores the session.
    Redfish Verify LDAP Login


Verify LDAP BindDN Update And LDAP Login
    [Documentation]  Update the bind DN of the LDAP configuration and verify
    ...  that the LDAP login works.
    [Tags]  Verify_LDAP_BindDN_Update_And_LDAP_Login

    # The bind DN is written to the Username field of the Authentication
    # object.
    ${body}=  Catenate  {'${LDAP_TYPE}': { 'Authentication':
    ...   {'AuthenticationType':'UsernameAndPassword', 'Username':
    ...  '${LDAP_BIND_DN}'}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
    Sleep  15s
    # Logs in as the LDAP user, expects success, then restores the session.
    Redfish Verify LDAP Login


Verify LDAP BindDN Password Update And LDAP Login
    [Documentation]  Update the bind DN password of the LDAP configuration
    ...  and verify that the LDAP login works.
    # The tag spells "Passsword" with three s; it is kept as is because jobs
    # may select the test by this exact tag.
    [Tags]  Verify_LDAP_BindDN_Passsword_Update_And_LDAP_Login

    # NOTE(review): the bind password is placed in the request body as clear
    # text — confirm how run logs holding this payload are stored and shared.
    ${body}=  Catenate  {'${LDAP_TYPE}': { 'Authentication':
    ...   {'AuthenticationType':'UsernameAndPassword', 'Password':
    ...  '${LDAP_BIND_DN_PASSWORD}'}}}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
    Sleep  15s
    # Logs in as the LDAP user, expects success, then restores the session.
    Redfish Verify LDAP Login


Verify LDAP Type Update And LDAP Login
    [Documentation]  Make the LDAP type under test the enabled one and verify
    ...  that the LDAP login works.
    [Tags]  Verify_LDAP_Type_Update_And_LDAP_Login

    # Switch the other directory type off, then enable the type under test.
    Disable Other LDAP
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceEnabled': ${TRUE}}}
    Sleep  15s
    Redfish Verify LDAP Login


Verify Authorization With Null Privilege
    [Documentation]  Verify that LDAP authorization fails when the group is
    ...  mapped to an empty privilege.
    [Tags]  Verify_LDAP_Authorization_With_Null_Privilege
    # This replaces the suite-wide test teardown, so 'FFDC On Test Case Fail'
    # does not run for this test.
    [Teardown]  Restore LDAP Privilege

    # The host name change must be refused with HTTP 403.
    Update LDAP Config And Verify Set Host Name
    ...  ${GROUP_NAME}  ${EMPTY}  [${HTTP_FORBIDDEN}]


Verify Authorization With Invalid Privilege
    [Documentation]  Verify that LDAP authorization fails when the group is
    ...  mapped to a privilege that does not exist.
    [Tags]  Verify_LDAP_Authorization_With_Invalid_Privilege
    # This replaces the suite-wide test teardown, so 'FFDC On Test Case Fail'
    # does not run for this test.
    [Teardown]  Restore LDAP Privilege

    # The host name change must be refused with HTTP 403.
    Update LDAP Config And Verify Set Host Name
    ...  ${GROUP_NAME}  Invalid_Privilege  [${HTTP_FORBIDDEN}]


Verify LDAP Login With Invalid Data
    [Documentation]  Verify that a valid LDAP user cannot log in when the
    ...  LDAP configuration holds invalid data.
    [Tags]  Verify_LDAP_Login_With_Invalid_Data
    # Re-create the working configuration whether or not the test passes.
    [Teardown]  Run Keywords
    ...  FFDC On Test Case Fail  AND  Create LDAP Configuration

    # Every value after the LDAP type is a literal placeholder string,
    # including the bind password.
    Create LDAP Configuration  ${LDAP_TYPE}  Invalid_LDAP_Server_URI
    ...  Invalid_LDAP_BIND_DN  LDAP_BIND_DN_PASSWORD
    ...  Invalid_LDAP_BASE_DN
    Sleep  15s
    # The login is expected to fail.
    Redfish Verify LDAP Login  ${FALSE}


Verify LDAP Config Creation Without BASE_DN
    [Documentation]  Verify that the LDAP login fails when the configuration
    ...  is created without a base DN.
    [Tags]  Verify_LDAP_Config_Creation_Without_BASE_DN
    # Re-create the working configuration whether or not the test passes.
    [Teardown]  Run Keywords
    ...  FFDC On Test Case Fail  AND  Create LDAP Configuration

    # NOTE(review): the server URI and the bind DN are placeholder strings as
    # well, so a failed login here does not isolate the empty base DN.
    Create LDAP Configuration  ${LDAP_TYPE}  Invalid_LDAP_Server_URI
    ...  Invalid_LDAP_BIND_DN  LDAP_BIND_DN_PASSWORD  ${EMPTY}
    Sleep  15s
    # The login is expected to fail.
    Redfish Verify LDAP Login  ${FALSE}


Verify LDAP Authentication Without Password
    [Documentation]  Verify that the LDAP user cannot authenticate when the
    ...  LDAP user password is not given.
    [Tags]  Verify_LDAP_Authentication_Without_Password

    # NOTE(review): only the user name is passed, so Redfish.Login presumably
    # falls back to its default password rather than sending an empty one —
    # confirm which case this covers.
    ${status}=  Run Keyword And Return Status
    ...  Redfish.Login  ${LDAP_USER}
    # The login must have been refused.
    Valid Value  status  [${FALSE}]


Verify LDAP Login With Invalid BASE_DN
    [Documentation]  Verify that a valid LDAP user cannot log in when the
    ...  base DN is invalid.
    [Tags]  Verify_LDAP_Login_With_Invalid_BASE_DN
    # Re-create the working configuration whether or not the test passes.
    [Teardown]  Run Keywords
    ...  FFDC On Test Case Fail  AND  Create LDAP Configuration

    # Only the base DN differs from the working configuration.
    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
    ...  ${LDAP_BIND_DN}  ${LDAP_BIND_DN_PASSWORD}  Invalid_LDAP_BASE_DN
    Sleep  15s
    # The login is expected to fail.
    Redfish Verify LDAP Login  ${FALSE}


Verify LDAP Login With Invalid BIND_DN_PASSWORD
    [Documentation]  Verify that a valid LDAP user cannot log in when the
    ...  bind DN password is invalid.
    [Tags]  Verify_LDAP_Login_With_Invalid_BIND_DN_PASSWORD
    # Re-create the working configuration whether or not the test passes.
    [Teardown]  Run Keywords
    ...  FFDC On Test Case Fail  AND  Create LDAP Configuration

    # Only the bind password differs from the working configuration.
    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
    ...  ${LDAP_BIND_DN}  INVALID_LDAP_BIND_DN_PASSWORD  ${LDAP_BASE_DN}
    Sleep  15s
    # The login is expected to fail.
    Redfish Verify LDAP Login  ${FALSE}


Verify LDAP Login With Invalid BASE_DN And Invalid BIND_DN
    [Documentation]  Verify that a valid LDAP user cannot log in when both
    ...  the base DN and the bind DN are invalid.
    [Tags]  Verify_LDAP_Login_With_Invalid_BASE_DN_And_Invalid_BIND_DN
    # Re-create the working configuration whether or not the test passes.
    [Teardown]  Run Keywords
    ...  FFDC On Test Case Fail  AND  Create LDAP Configuration

    # The server URI and the bind password stay valid.
    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
    ...  INVALID_LDAP_BIND_DN  ${LDAP_BIND_DN_PASSWORD}  INVALID_LDAP_BASE_DN
    Sleep  15s
    # The login is expected to fail.
    Redfish Verify LDAP Login  ${FALSE}


Verify Group Name And Group Privilege Able To Modify
    [Documentation]  Verify that the role mapped to an LDAP group can be
    ...  changed.
    [Tags]  Verify_Group_Name_And_Group_Privilege_Able_To_Modify
    # Start with the group mapped to Operator.
    [Setup]  Update LDAP Configuration with LDAP User Role And Group
    ...  ${LDAP_TYPE}  Operator  ${GROUP_NAME}

    # Remap the same group to Administrator.
    # NOTE(review): no test-level teardown restores the role afterwards, so
    # the group stays mapped to Administrator for the tests that follow.
    Update LDAP Configuration with LDAP User Role And Group
    ...  ${LDAP_TYPE}  Administrator  ${GROUP_NAME}


Verify LDAP Login With Invalid BIND_DN
    [Documentation]  Verify that a valid LDAP user cannot log in when the
    ...  bind DN is invalid.
    [Tags]  Verify_LDAP_Login_With_Invalid_BIND_DN
    # Re-create the working configuration whether or not the test passes.
    [Teardown]  Run Keywords
    ...  FFDC On Test Case Fail  AND  Create LDAP Configuration

    # Only the bind DN differs from the working configuration.
    Create LDAP Configuration  ${LDAP_TYPE}  ${LDAP_SERVER_URI}
    ...  Invalid_LDAP_BIND_DN  ${LDAP_BIND_DN_PASSWORD}  ${LDAP_BASE_DN}
    Sleep  15s
    # The login is expected to fail.
    Redfish Verify LDAP Login  ${FALSE}


Verify LDAP Authentication With Invalid LDAP User
    [Documentation]  Verify that authentication fails for a user that does
    ...  not exist in the LDAP server.
    [Tags]  Verify_LDAP_Authentication_With_Invalid_LDAP_User

    # The user name is a literal placeholder; the password is the real one.
    ${status}=  Run Keyword And Return Status
    ...  Redfish.Login  INVALID_LDAP_USER  ${LDAP_USER_PASSWORD}
    # The login must have been refused.
    Valid Value  status  [${FALSE}]


*** Keywords ***

Redfish Verify LDAP Login
    [Documentation]  Attempt an LDAP user login to the BMC and check the
    ...  outcome against the expected status.
    [Arguments]  ${valid_status}=${True}

    # Description of argument(s):
    # valid_status  Expected status of LDAP login ("True" or "False").

    # Repo coding rules place Redfish.Login in Suite Setup and Redfish.Logout
    # in Suite Teardown.  Code that deviates from this, as this keyword does,
    # has to put the session back into the original logged-in state.

    # Capture the result as a status so a refused login does not abort the
    # caller.
    ${status}=  Run Keyword And Return Status
    ...  Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Valid Value  status  [${valid_status}]
    # Return to the login made without arguments.
    Redfish.Logout
    Redfish.Login


Update LDAP Config And Verify Set Host Name
    [Documentation]  Map the group to a role, then check as the LDAP user
    ...  whether setting the host name is allowed.
    [Arguments]  ${group_name}  ${group_privilege}=Administrator
    ...  ${valid_status_codes}=[${HTTP_OK}]

    # Description of argument(s):
    # group_name                    The group name of user.
    # group_privilege               The group privilege ("Administrator",
    #                               "Operator", "User" or "Callback").
    # valid_status_codes            Expected return code(s) from patch
    #                               operation (e.g. "200") used to update
    #                               HostName.  See prolog of rest_request
    #                               method in redfish_plut.py for details.

    Update LDAP Configuration with LDAP User Role And Group
    ...  ${LDAP_TYPE}  ${group_privilege}  ${group_name}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # The PATCH is sent in the LDAP user's session and its status code must
    # be one of valid_status_codes.  ${hostname} is the suite variable of
    # that name.
    Redfish.Patch  ${REDFISH_NW_PROTOCOL_URI}  body={'HostName': '${hostname}'}
    ...  valid_status_codes=${valid_status_codes}
    # NOTE(review): if the PATCH check fails, the two steps below are skipped
    # and the LDAP user's session stays active.
    Redfish.Logout
    Redfish.Login


Disable Other LDAP
    [Documentation]  Disable the directory type that is not under test.

    # Choose the opposite of LDAP_TYPE: ActiveDirectory when testing LDAP,
    # LDAP otherwise.
    ${inverse_ldap_type}=  Set Variable If  '${LDAP_TYPE}' == 'LDAP'  ActiveDirectory  LDAP
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${inverse_ldap_type}': {'ServiceEnabled': ${FALSE}}}
    Sleep  15s


Create LDAP Configuration
    [Documentation]  PATCH a complete, enabled LDAP configuration to
    ...  AccountService.
    [Arguments]  ${ldap_type}=${LDAP_TYPE}  ${ldap_server_uri}=${LDAP_SERVER_URI}
    ...  ${ldap_bind_dn}=${LDAP_BIND_DN}  ${ldap_bind_dn_password}=${LDAP_BIND_DN_PASSWORD}
    ...  ${ldap_base_dn}=${LDAP_BASE_DN}

    # Description of argument(s):
    # ldap_type              The LDAP type ("ActiveDirectory" or "LDAP").
    # ldap_server_uri        LDAP server uri (e.g. ldap://XX.XX.XX.XX).
    # ldap_bind_dn           The LDAP bind distinguished name.
    # ldap_bind_dn_password  The LDAP bind distinguished name password.
    # ldap_base_dn           The LDAP base distinguished name.

    # The payload is assembled as text with the values placed between single
    # quotes, so a value containing a single quote would break it.
    # NOTE(review): the bind password is part of this text in clear — confirm
    # how run logs holding the payload are stored and shared.
    ${body}=  Catenate  {'${ldap_type}':
    ...  {'ServiceEnabled': ${True},
    ...   'ServiceAddresses': ['${ldap_server_uri}'],
    ...   'Authentication':
    ...       {'AuthenticationType': 'UsernameAndPassword',
    ...        'Username':'${ldap_bind_dn}',
    ...        'Password': '${ldap_bind_dn_password}'},
    ...   'LDAPService':
    ...       {'SearchSettings':
    ...           {'BaseDistinguishedNames': ['${ldap_base_dn}']}}}}

    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=${body}
    # Fixed wait before callers use the new configuration.
    Sleep  15s


Config LDAP URL
    [Documentation]  Set the LDAP server URI and check the outcome of an LDAP
    ...  user login against the expected status.
    [Arguments]  ${ldap_server_uri}=${LDAP_SERVER_URI}  ${expected_status}=${TRUE}

    # Description of argument(s):
    # ldap_server_uri  LDAP server uri (e.g. "ldap://XX.XX.XX.XX/").
    # expected_status  Expected status of the LDAP login that follows the
    #                  update ("True" or "False").

    # Robot variable names are case-insensitive, so this is the suite's LDAP type.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceAddresses': ['${ldap_server_uri}']}}
    Sleep  15s
    # Try an LDAP login against the new URI and compare the result.
    ${status}=  Run Keyword And Return Status
    ...  Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    Valid Value  status  [${expected_status}]

    # Return to the login made without arguments.
    Redfish.Logout
    Redfish.Login


Restore LDAP URL
    [Documentation]  Write the working LDAP server URI back to
    ...  AccountService.

    # Robot variable names are case-insensitive, so this is the suite's LDAP type.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body={'${LDAP_TYPE}': {'ServiceAddresses': ['${LDAP_SERVER_URI}']}}
    Sleep  15s


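Restore AccountLockout Attributes
    [Documentation]  Restore AccountLockoutDuration and
    ...  AccountLockoutThreshold to the values saved in old_account_service.

    # Nothing was saved, so there is nothing to restore.
    Return From Keyword If  &{old_account_service} == &{EMPTY}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutDuration', ${old_account_service['AccountLockoutDuration']})]
    # The saved threshold goes back under AccountLockoutThreshold.  It used
    # to be written to AccountLockoutDuration, which left the threshold at
    # the value set by the test and overwrote the restored duration.
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService
    ...  body=[('AccountLockoutThreshold', ${old_account_service['AccountLockoutThreshold']})]

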
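Suite Setup Execution
    [Documentation]  Validate the required variables, log in, record the
    ...  state to restore later and create the LDAP configuration.

    # Check the caller-supplied variables before the BMC is touched.
    Valid Value  LDAP_TYPE  valid_values=["ActiveDirectory", "LDAP"]
    Valid Value  LDAP_USER
    Valid Value  LDAP_USER_PASSWORD
    Valid Value  GROUP_PRIVILEGE
    Valid Value  GROUP_NAME
    Valid Value  LDAP_SERVER_URI
    Valid Value  LDAP_BIND_DN_PASSWORD
    Valid Value  LDAP_BIND_DN
    Valid Value  LDAP_BASE_DN

    Redfish.Login
    # Call 'Get LDAP Configuration' to verify that LDAP configuration exists.
    Get LDAP Configuration  ${LDAP_TYPE}
    ${old_ldap_privilege}=  Get LDAP Privilege
    # A value assigned inside a keyword is local to it.  Publish it at suite
    # scope; otherwise 'Restore LDAP Privilege' only ever sees the empty
    # default and the role mapping changed by the tests is never put back.
    Set Suite Variable  ${old_ldap_privilege}
    Disable Other LDAP
    Create LDAP Configuration
    ${hostname}=  Redfish.Get Attribute  ${REDFISH_NW_PROTOCOL_URI}  HostName
    # Same scoping reason: 'Update LDAP Config And Verify Set Host Name'
    # reads ${hostname} and would otherwise send an empty host name.
    Set Suite Variable  ${hostname}

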
Set Read Privilege And Check Firmware Inventory
    [Documentation]  Map the group to a read-only role and check that the
    ...  LDAP user can read the firmware inventory.
    [Arguments]  ${read_privilege}

    # Description of argument(s):
    # read_privilege  The read privilege role (e.g. "User" / "Callback").

    Update LDAP Configuration with LDAP User Role And Group
    ...  ${LDAP_TYPE}  ${read_privilege}  ${GROUP_NAME}

    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # The collection must report at least one member, and the reported count
    # must match the length of the Members list.
    ${resp}=  Redfish.Get  /redfish/v1/UpdateService/FirmwareInventory
    Should Be True  ${resp.dict["Members@odata.count"]} >= ${1}
    Length Should Be  ${resp.dict["Members"]}  ${resp.dict["Members@odata.count"]}
    # Return to the login made without arguments.
    Redfish.Logout
    Redfish.Login


Set Read Privilege And Check Poweron
    [Documentation]  Map the group to a read-only role and check that the
    ...  LDAP user is refused when powering the host on.
    [Arguments]  ${read_privilege}

    # Description of argument(s):
    # read_privilege  The read privilege role (e.g. "User" / "Callback").

    Update LDAP Configuration with LDAP User Role And Group
    ...  ${LDAP_TYPE}  ${read_privilege}  ${GROUP_NAME}
    Redfish.Login  ${LDAP_USER}  ${LDAP_USER_PASSWORD}
    # Only 401 and 403 are accepted, so the check fails if the BMC accepts
    # the power-on request from a read-only user.
    Redfish.Post  ${REDFISH_POWER_URI}
    ...  body={'ResetType': 'On'}   valid_status_codes=[401, 403]
    # Return to the login made without arguments.
    Redfish.Logout
    Redfish.Login


Get LDAP Configuration
    [Documentation]  Return the AccountService entry for the given LDAP type.
    [Arguments]   ${ldap_type}

    # Description of argument(s):
    # ldap_type  The LDAP type ("ActiveDirectory" or "LDAP").

    # Read all AccountService properties and return the one keyed by
    # ldap_type.
    ${ldap_config}=  Redfish.Get Properties  ${REDFISH_BASE_URI}AccountService
    [Return]  ${ldap_config["${ldap_type}"]}


Update LDAP Configuration with LDAP User Role And Group
    [Documentation]  Set the RemoteRoleMapping of the LDAP configuration to a
    ...  single mapping of the remote group to the local role.
    [Arguments]   ${ldap_type}  ${group_privilege}  ${group_name}

    # Description of argument(s):
    # ldap_type        The LDAP type ("ActiveDirectory" or "LDAP").
    # group_privilege  The group privilege ("Administrator", "Operator", "User" or "Callback").
    # group_name       The group name of user.

    # Build {ldap_type: {RemoteRoleMapping: [{LocalRole, RemoteGroup}]}}.
    ${role_entry}=  Create Dictionary  LocalRole=${group_privilege}  RemoteGroup=${group_name}
    ${role_mapping}=  Create List  ${role_entry}
    ${type_settings}=  Create Dictionary  RemoteRoleMapping=${role_mapping}
    ${payload}=  Create Dictionary  ${ldap_type}=${type_settings}
    Redfish.Patch  ${REDFISH_BASE_URI}AccountService  body=&{payload}
    # Give the LDAP daemon time to restart after the update.
    Sleep  15s


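Get LDAP Privilege
    [Documentation]  Return the LocalRole of the first RemoteRoleMapping
    ...  entry, or an empty string when there is no mapping.

    ${ldap_config}=  Get LDAP Configuration  ${LDAP_TYPE}
    ${num_list_entries}=  Get Length  ${ldap_config["RemoteRoleMapping"]}
    # Return an empty string, the value 'Restore LDAP Privilege' treats as
    # "nothing to restore".  The former '@{EMPTY}' expands to no return value
    # at all, which does not compare equal to the empty string.
    Return From Keyword If  ${num_list_entries} == ${0}  ${EMPTY}

    [Return]  ${ldap_config["RemoteRoleMapping"][0]["LocalRole"]}

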
Restore LDAP Privilege
    [Documentation]  Map the LDAP group back to the privilege held in
    ...  old_ldap_privilege.

    # An empty saved privilege means there is nothing to restore.
    Return From Keyword If  '${old_ldap_privilege}' == '${EMPTY}'
    # Write the saved role back for the group.  The update is sent in
    # whatever session is active when this keyword runs.
    Update LDAP Configuration with LDAP User Role And Group
    ...  ${LDAP_TYPE}  ${old_ldap_privilege}  ${GROUP_NAME}
