When PSOs exist in the DB, there is some extra overhead involved in user
logins (an extra expand-nested-groups operation for every user login).
Currently password_lockout tests are quite query-intensive - each call
to _check_account() does ~6 RPC operations/LDB searches (plus sleeps for
20 millisecs). Plus the actual user login attempt being tested. It looks
like the current test needs to do 3 login attempts/_check_account()
calls within a 2-second window. While the PSO test cases usually work
OK, sometimes they fail (presumably they take slightly longer and fall
outside this 2-second window). Presumably this is due to the cloud
instance's CPU being slightly more loaded when the test is run.
Long-term the plan is to refactor the user login so that the extra
expand-nested-groups operation is unnecessary for PSOs. In the
short-term, increase the window the test uses from 2 seconds to 3
seconds.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
def use_pso_lockout_settings(self, creds):
# create a PSO with the lockout settings the test cases normally expect
pso = PasswordSettings("lockout-PSO", self.ldb, lockout_attempts=3,
- lockout_duration=2)
+ lockout_duration=3)
self.addCleanup(self.ldb.delete, pso.dn)
+ # the test cases should sleep() for the PSO's lockoutDuration/obsvWindow
+ self.account_lockout_duration = 3
+ self.lockout_observation_window = 3
+
userdn = "cn=%s,cn=users,%s" % (creds.get_username(), self.base_dn)
pso.apply_to(userdn)