diff options
author | Nadezhda Ivanova <nivanova@samba.org> | 2010-07-05 00:17:38 +0300 |
---|---|---|
committer | Nadezhda Ivanova <nivanova@samba.org> | 2010-07-05 00:17:38 +0300 |
commit | 81240b13b365400e2da903a7fc0af1f501bc1249 (patch) | |
tree | ddab559c7cf442bc862322f891f6ac198f53404a /source4/dsdb/tests/python | |
parent | 343e9320ba4446635a50a0fa3849888f3b265e23 (diff) | |
download | samba-81240b13b365400e2da903a7fc0af1f501bc1249.tar.gz samba-81240b13b365400e2da903a7fc0af1f501bc1249.tar.bz2 samba-81240b13b365400e2da903a7fc0af1f501bc1249.zip |
s4-dsdb: Implementation of User-Change-Password and User-Force-Password-Change
These CARs need to be checked on password change and password reset operations.
Apparently the password attributes are not influenced by Write Property.
Single detele operations and modifications of dBCSPwd are let through to the
password_hash module. This is determined experimentally.
Diffstat (limited to 'source4/dsdb/tests/python')
-rwxr-xr-x | source4/dsdb/tests/python/acl.py | 70 |
1 files changed, 64 insertions, 6 deletions
diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py index 0f8fd0cdee..31bcd31ae2 100755 --- a/source4/dsdb/tests/python/acl.py +++ b/source4/dsdb/tests/python/acl.py @@ -15,7 +15,8 @@ samba.ensure_external_module("testtools", "testtools") import samba.getopt as options from ldb import ( - SCOPE_BASE, LdbError, ERR_NO_SUCH_OBJECT, ERR_INSUFFICIENT_ACCESS_RIGHTS) + SCOPE_BASE, LdbError, ERR_NO_SUCH_OBJECT, + ERR_UNWILLING_TO_PERFORM, ERR_INSUFFICIENT_ACCESS_RIGHTS) from ldb import ERR_CONSTRAINT_VIOLATION from ldb import Message, MessageElement, Dn from ldb import FLAG_MOD_REPLACE, FLAG_MOD_DELETE @@ -1077,7 +1078,7 @@ unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) desc = self.read_desc(self.get_user_dn(self.user_with_wp)) sddl = desc.as_sddl(self.domain_sid) try: - self.ldb_user2.modify_ldif(""" + self.ldb_user.modify_ldif(""" dn: """ + self.get_user_dn(self.user_with_wp) + """ changetype: modify delete: unicodePwd @@ -1093,14 +1094,11 @@ unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) def test_change_password3(self): """Make sure WP has no influence""" - desc = self.read_desc(self.get_user_dn(self.user_with_wp)) - sddl = desc.as_sddl(self.domain_sid) - self.modify_desc(self.get_user_dn(self.user_with_wp), sddl) mod = "(D;;WP;;;PS)" self.dacl_add_ace(self.get_user_dn(self.user_with_wp), mod) desc = self.read_desc(self.get_user_dn(self.user_with_wp)) sddl = desc.as_sddl(self.domain_sid) - self.ldb_user2.modify_ldif(""" + self.ldb_user.modify_ldif(""" dn: """ + self.get_user_dn(self.user_with_wp) + """ changetype: modify delete: unicodePwd @@ -1109,6 +1107,64 @@ add: unicodePwd unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """ """) + def test_change_password5(self): + """Make sure rights have no influence on dBCSPwd""" + desc = self.read_desc(self.get_user_dn(self.user_with_wp)) + sddl = desc.as_sddl(self.domain_sid) + sddl = sddl.replace("(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)", "") + sddl = sddl.replace("(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)", "") + self.modify_desc(self.get_user_dn(self.user_with_wp), sddl) + mod = "(D;;WP;;;PS)" + self.dacl_add_ace(self.get_user_dn(self.user_with_wp), mod) + try: + self.ldb_user.modify_ldif(""" +dn: """ + self.get_user_dn(self.user_with_wp) + """ +changetype: modify +delete: dBCSPwd +dBCSPwd: XXXXXXXXXXXXXXXX +add: dBCSPwd +dBCSPwd: YYYYYYYYYYYYYYYY +""") + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + else: + self.fail() + + def test_change_password6(self): + """Test uneven delete/adds""" + try: + self.ldb_user.modify_ldif(""" +dn: """ + self.get_user_dn(self.user_with_wp) + """ +changetype: modify +delete: userPassword +userPassword: thatsAcomplPASS1 +delete: userPassword +userPassword: thatsAcomplPASS1 +add: userPassword +userPassword: thatsAcomplPASS2 +""") + except LdbError, (num, _): + self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) + else: + self.fail() + mod = "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;PS)" + self.dacl_add_ace(self.get_user_dn(self.user_with_wp), mod) + try: + self.ldb_user.modify_ldif(""" +dn: """ + self.get_user_dn(self.user_with_wp) + """ +changetype: modify +delete: userPassword +userPassword: thatsAcomplPASS1 +delete: userPassword +userPassword: thatsAcomplPASS1 +add: userPassword +userPassword: thatsAcomplPASS2 +""") + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + else: + self.fail() + def test_reset_password1(self): """Try a user password reset operation (unicodePwd) before and after granting CAR""" try: @@ -1259,6 +1315,8 @@ if not runner.run(unittest.makeSuite(AclDeleteTests)).wasSuccessful(): rc = 1 if not runner.run(unittest.makeSuite(AclRenameTests)).wasSuccessful(): rc = 1 +if not runner.run(unittest.makeSuite(AclCARTests)).wasSuccessful(): + rc = 1 # Reset the "dSHeuristics" as they were before m = Message() |