author | Matthias Dieter Wallnöfer <mdw@samba.org> | 2010-11-01 17:51:36 +0100 |
---|---|---|
committer | Matthias Dieter Wallnöfer <mdw@samba.org> | 2010-11-07 19:09:29 +0100 |
commit | 9057e603cf58b2fac5473df2999d6d0a704686b1 (patch) | |
tree | dbc1d4aaf2ec2ec90be169f1a78cf9a1b1571a17 /source4/dsdb/tests | |
parent | 786a76720c10c01a9636c6cf892cce42d05d647d (diff) | |
s4:descriptor LDB module - make the "nTSecurityDescriptor" attribute fully behave as in AD
- fix crash when provided "nTSecurityDescriptor" attribute is empty
- print out the correct error codes if it's provided multi-valued
- simplify the "recalculate_sd" control handling
Diffstat (limited to 'source4/dsdb/tests')
-rwxr-xr-x | source4/dsdb/tests/python/ldap.py | 61 |
1 files changed, 56 insertions, 5 deletions
diff --git a/source4/dsdb/tests/python/ldap.py b/source4/dsdb/tests/python/ldap.py index b4fe8cd2ee..18af214fd7 100755 --- a/source4/dsdb/tests/python/ldap.py +++ b/source4/dsdb/tests/python/ldap.py @@ -1437,7 +1437,7 @@ objectClass: container res = self.ldb.search(base=("<WKGUID=ab1d30f3768811d1aded00c04fd8d5cd,%s>" % self.base_dn), scope=SCOPE_BASE, attrs=[]) self.assertEquals(len(res), 1) - + res2 = self.ldb.search(scope=SCOPE_BASE, attrs=["wellKnownObjects"], expression=("wellKnownObjects=B:32:ab1d30f3768811d1aded00c04fd8d5cd:%s" % res[0].dn)) self.assertEquals(len(res2), 1) @@ -2343,10 +2343,23 @@ objectClass: posixAccount"""% (self.base_dn)) user_name = "testdescriptoruser1" user_dn = "CN=%s,CN=Users,%s" % (user_name, self.base_dn) # - # Test add_ldif() with SDDL security descriptor input + # Test an empty security descriptor (naturally this shouldn't work) # self.delete_force(self.ldb, user_dn) try: + self.ldb.add({ "dn": user_dn, + "objectClass": "user", + "sAMAccountName": user_name, + "nTSecurityDescriptor": [] }) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + finally: + self.delete_force(self.ldb, user_dn) + # + # Test add_ldif() with SDDL security descriptor input + # + try: sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI" self.ldb.add_ldif(""" dn: """ + user_dn + """ 
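Review bot: The bare `self.fail()` after the new `self.ldb.add({... "nTSecurityDescriptor": [] })` call gives no diagnostic if the server ever accepts an object with an empty security descriptor, which is exactly the regression this test guards against. A message such as `self.fail("add with empty nTSecurityDescriptor was accepted")` would make that outcome readable in the test log; the same applies to the three `self.fail()` calls added in the modify hunk that follows. The enclosing test method starts and ends outside this hunk.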
@@ -2407,11 +2420,49 @@ nTSecurityDescriptor:: """ + desc_base64) user_name = "testdescriptoruser2" user_dn = "CN=%s,CN=Users,%s" % (user_name, self.base_dn) # - # Delete user object and test modify_ldif() with SDDL security descriptor input + # Test an empty security descriptor (naturally this shouldn't work) + # + self.delete_force(self.ldb, user_dn) + self.ldb.add({ "dn": user_dn, + "objectClass": "user", + "sAMAccountName": user_name }) + + m = Message() + m.dn = Dn(ldb, user_dn) + m["nTSecurityDescriptor"] = MessageElement([], FLAG_MOD_ADD, + "nTSecurityDescriptor") + try: + self.ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + + m = Message() + m.dn = Dn(ldb, user_dn) + m["nTSecurityDescriptor"] = MessageElement([], FLAG_MOD_REPLACE, + "nTSecurityDescriptor") + try: + self.ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + m = Message() + m.dn = Dn(ldb, user_dn) + m["nTSecurityDescriptor"] = MessageElement([], FLAG_MOD_DELETE, + "nTSecurityDescriptor") + try: + self.ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + self.delete_force(self.ldb, user_dn) + # + # Test modify_ldif() with SDDL security descriptor input # Add ACE to the original descriptor test # try: - self.delete_force(self.ldb, user_dn) self.ldb.add_ldif(""" dn: """ + user_dn + """ objectclass: user @@ -2585,7 +2636,7 @@ class BaseDnTests(unittest.TestCase): res = self.ldb.search("", scope=SCOPE_BASE, attrs=["namingContexts", "defaultNamingContext", "schemaNamingContext", "configurationNamingContext"]) self.assertEquals(len(res), 1) - + ncs = set([]) for nc in res[0]["namingContexts"]: self.assertTrue(nc not in ncs) |
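Review bot: The three modify cases (FLAG_MOD_ADD, FLAG_MOD_REPLACE and FLAG_MOD_DELETE with an empty value list) assert only the returned error code, so nothing confirms that the object's existing security descriptor survived the rejected request. A REPLACE or DELETE that returns an error but still clears the descriptor would be the dangerous failure mode, so consider reading it once before the first modify with `res = self.ldb.search(base=user_dn, scope=SCOPE_BASE, attrs=["nTSecurityDescriptor"])` and asserting after each rejected modify that the value is unchanged. Unlike the add case in the previous hunk, the cleanup `self.delete_force(self.ldb, user_dn)` is not in a `finally`, so a failed assertion leaves the test user behind. `Dn(ldb, user_dn)` also uses a module-level `ldb` where the surrounding calls use `self.ldb`; presumably this is the same connection, but it is worth confirming. The enclosing test method starts and ends outside the hunk.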