diff options
author | Stefan Metzmacher <metze@samba.org> | 2010-06-30 11:09:10 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2010-06-30 11:10:28 +0200 |
commit | 14f8953aa4f000173a051b8010252063db5295c1 (patch) | |
tree | e599a4c86d34306e3d6de8ddc806033ae1e72641 /source4/lib/ldb/tests/python/acl.py | |
parent | 19d93c6a1e810dbd634f35cf440412c1ff958448 (diff) | |
download | samba-14f8953aa4f000173a051b8010252063db5295c1.tar.gz samba-14f8953aa4f000173a051b8010252063db5295c1.tar.bz2 samba-14f8953aa4f000173a051b8010252063db5295c1.zip |
s4:dsdb: move dsdb python tests from lib/ldb/ to dsdb/
metze
Diffstat (limited to 'source4/lib/ldb/tests/python/acl.py')
-rwxr-xr-x | source4/lib/ldb/tests/python/acl.py | 1042 |
1 files changed, 0 insertions, 1042 deletions
diff --git a/source4/lib/ldb/tests/python/acl.py b/source4/lib/ldb/tests/python/acl.py deleted file mode 100755 index 5bf3ff9b1b..0000000000 --- a/source4/lib/ldb/tests/python/acl.py +++ /dev/null @@ -1,1042 +0,0 @@ -#!/usr/bin/env python -# -*- coding: utf-8 -*- -# This is unit with tests for LDAP access checks - -import optparse -import sys -import base64 -import re - -sys.path.append("bin/python") -import samba -samba.ensure_external_module("subunit", "subunit/python") -samba.ensure_external_module("testtools", "testtools") - -import samba.getopt as options - -from ldb import ( - SCOPE_BASE, LdbError, ERR_NO_SUCH_OBJECT, ERR_INSUFFICIENT_ACCESS_RIGHTS) - -from samba.ndr import ndr_pack, ndr_unpack -from samba.dcerpc import security - -from samba.auth import system_session -from samba import gensec -from samba.samdb import SamDB -from samba.credentials import Credentials -import samba.tests -from subunit.run import SubunitTestRunner -import unittest - -parser = optparse.OptionParser("ldap [options] <host>") -sambaopts = options.SambaOptions(parser) -parser.add_option_group(sambaopts) -parser.add_option_group(options.VersionOptions(parser)) - -# use command line creds if available -credopts = options.CredentialsOptions(parser) -parser.add_option_group(credopts) -opts, args = parser.parse_args() - -if len(args) < 1: - parser.print_usage() - sys.exit(1) - -host = args[0] - -lp = sambaopts.get_loadparm() -creds = credopts.get_credentials(lp) -creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL) - -# -# Tests start here -# - -class AclTests(samba.tests.TestCase): - - def delete_force(self, ldb, dn): - try: - ldb.delete(dn) - except LdbError, (num, _): - self.assertEquals(num, ERR_NO_SUCH_OBJECT) - - def find_basedn(self, ldb): - res = ldb.search(base="", expression="", scope=SCOPE_BASE, - attrs=["defaultNamingContext"]) - self.assertEquals(len(res), 1) - return res[0]["defaultNamingContext"][0] - - def find_domain_sid(self, ldb): - res = ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_BASE) - return ndr_unpack(security.dom_sid,res[0]["objectSid"][0]) - - def setUp(self): - super(AclTests, self).setUp() - self.ldb_admin = ldb - self.base_dn = self.find_basedn(self.ldb_admin) - self.domain_sid = self.find_domain_sid(self.ldb_admin) - self.user_pass = "samba123@" - print "baseDN: %s" % self.base_dn - - def get_user_dn(self, name): - return "CN=%s,CN=Users,%s" % (name, self.base_dn) - - def modify_desc(self, object_dn, desc): - """ Modify security descriptor using either SDDL string - or security.descriptor object - """ - assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) - mod = """ -dn: """ + object_dn + """ -changetype: modify -replace: nTSecurityDescriptor -""" - if isinstance(desc, str): - mod += "nTSecurityDescriptor: %s" % desc - elif isinstance(desc, security.descriptor): - mod += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) - self.ldb_admin.modify_ldif(mod) - - def add_group_member(self, _ldb, group_dn, member_dn): - """ Modify user to ge member of a group - e.g. User to be 'Doamin Admin' group member - """ - ldif = """ -dn: """ + group_dn + """ -changetype: modify -add: member -member: """ + member_dn - _ldb.modify_ldif(ldif) - - def create_ou(self, _ldb, ou_dn, desc=None): - ldif = """ -dn: """ + ou_dn + """ -ou: """ + ou_dn.split(",")[0][3:] + """ -objectClass: organizationalUnit -url: www.example.com -""" - if desc: - assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) - if isinstance(desc, str): - ldif += "nTSecurityDescriptor: %s" % desc - elif isinstance(desc, security.descriptor): - ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) - _ldb.add_ldif(ldif) - - def create_active_user(self, _ldb, user_dn): - ldif = """ -dn: """ + user_dn + """ -sAMAccountName: """ + user_dn.split(",")[0][3:] + """ -objectClass: user -unicodePwd:: """ + base64.b64encode("\"samba123@\"".encode('utf-16-le')) + """ -url: www.example.com -""" - _ldb.add_ldif(ldif) - - def create_test_user(self, _ldb, user_dn, desc=None): - ldif = """ -dn: """ + user_dn + """ -sAMAccountName: """ + user_dn.split(",")[0][3:] + """ -objectClass: user -userPassword: """ + self.user_pass + """ -url: www.example.com -""" - if desc: - assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) - if isinstance(desc, str): - ldif += "nTSecurityDescriptor: %s" % desc - elif isinstance(desc, security.descriptor): - ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) - _ldb.add_ldif(ldif) - - def create_group(self, _ldb, group_dn, desc=None): - ldif = """ -dn: """ + group_dn + """ -objectClass: group -sAMAccountName: """ + group_dn.split(",")[0][3:] + """ -groupType: 2147483650 -url: www.example.com -""" - if desc: - assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) - if isinstance(desc, str): - ldif += "nTSecurityDescriptor: %s" % desc - elif isinstance(desc, security.descriptor): - ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) - _ldb.add_ldif(ldif) - - def read_desc(self, object_dn): - res = self.ldb_admin.search(object_dn, SCOPE_BASE, None, ["nTSecurityDescriptor"]) - desc = res[0]["nTSecurityDescriptor"][0] - return ndr_unpack(security.descriptor, desc) - - def get_ldb_connection(self, target_username, target_password): - creds_tmp = Credentials() - creds_tmp.set_username(target_username) - creds_tmp.set_password(target_password) - creds_tmp.set_domain(creds.get_domain()) - creds_tmp.set_realm(creds.get_realm()) - creds_tmp.set_workstation(creds.get_workstation()) - creds_tmp.set_gensec_features(creds_tmp.get_gensec_features() - | gensec.FEATURE_SEAL) - ldb_target = SamDB(url=host, credentials=creds_tmp, lp=lp) - return ldb_target - - def get_object_sid(self, object_dn): - res = self.ldb_admin.search(object_dn) - return ndr_unpack(security.dom_sid, res[0]["objectSid"][0]) - - def dacl_add_ace(self, object_dn, ace): - desc = self.read_desc(object_dn) - desc_sddl = desc.as_sddl(self.domain_sid) - if ace in desc_sddl: - return - if desc_sddl.find("(") >= 0: - desc_sddl = desc_sddl[:desc_sddl.index("(")] + ace + desc_sddl[desc_sddl.index("("):] - else: - desc_sddl = desc_sddl + ace - self.modify_desc(object_dn, desc_sddl) - - def get_desc_sddl(self, object_dn): - """ Return object nTSecutiryDescriptor in SDDL format - """ - desc = self.read_desc(object_dn) - return desc.as_sddl(self.domain_sid) - - # Test if we have any additional groups for users than default ones - def assert_user_no_group_member(self, username): - res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s)" % self.get_user_dn(username)) - try: - self.assertEqual(res[0]["memberOf"][0], "") - except KeyError: - pass - else: - self.fail() - - def create_enable_user(self, username): - self.create_active_user(self.ldb_admin, self.get_user_dn(username)) - self.ldb_admin.enable_account("(sAMAccountName=" + username + ")") - -#tests on ldap add operations -class AclAddTests(AclTests): - - def setUp(self): - super(AclAddTests, self).setUp() - # Domain admin that will be creator of OU parent-child structure - self.usr_admin_owner = "acl_add_user1" - # Second domain admin that will not be creator of OU parent-child structure - self.usr_admin_not_owner = "acl_add_user2" - # Regular user - self.regular_user = "acl_add_user3" - self.create_enable_user(self.usr_admin_owner) - self.create_enable_user(self.usr_admin_not_owner) - self.create_enable_user(self.regular_user) - - # add admins to the Domain Admins group - self.add_group_member(self.ldb_admin, "CN=Domain Admins,CN=Users," + self.base_dn, \ - self.get_user_dn(self.usr_admin_owner)) - self.add_group_member(self.ldb_admin, "CN=Domain Admins,CN=Users," + self.base_dn, \ - self.get_user_dn(self.usr_admin_not_owner)) - - self.ldb_owner = self.get_ldb_connection(self.usr_admin_owner, self.user_pass) - self.ldb_notowner = self.get_ldb_connection(self.usr_admin_not_owner, self.user_pass) - self.ldb_user = self.get_ldb_connection(self.regular_user, self.user_pass) - - def tearDown(self): - super(AclAddTests, self).tearDown() - self.delete_force(self.ldb_admin, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) - self.delete_force(self.ldb_admin, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) - self.delete_force(self.ldb_admin, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) - self.delete_force(self.ldb_admin, "OU=test_add_ou1," + self.base_dn) - self.delete_force(self.ldb_admin, self.get_user_dn(self.usr_admin_owner)) - self.delete_force(self.ldb_admin, self.get_user_dn(self.usr_admin_not_owner)) - self.delete_force(self.ldb_admin, self.get_user_dn(self.regular_user)) - - # Make sure top OU is deleted (and so everything under it) - def assert_top_ou_deleted(self): - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s,%s)" % ( - "OU=test_add_ou1", self.base_dn)) - self.assertEqual(res, []) - - def test_add_u1(self): - """Testing OU with the rights of Doman Admin not creator of the OU """ - self.assert_top_ou_deleted() - # Change descriptor for top level OU - self.create_ou(self.ldb_owner, "OU=test_add_ou1," + self.base_dn) - self.create_ou(self.ldb_owner, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) - user_sid = self.get_object_sid(self.get_user_dn(self.usr_admin_not_owner)) - mod = "(D;CI;WPCC;;;%s)" % str(user_sid) - self.dacl_add_ace("OU=test_add_ou1," + self.base_dn, mod) - # Test user and group creation with another domain admin's credentials - self.create_test_user(self.ldb_notowner, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) - self.create_group(self.ldb_notowner, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) - # Make sure we HAVE created the two objects -- user and group - # !!! We should not be able to do that, but however beacuse of ACE ordering our inherited Deny ACE - # !!! comes after explicit (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) that comes from somewhere - res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s,%s)" % ("CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn)) - self.assertTrue(len(res) > 0) - res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s,%s)" % ("CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn)) - self.assertTrue(len(res) > 0) - - def test_add_u2(self): - """Testing OU with the regular user that has no rights granted over the OU """ - self.assert_top_ou_deleted() - # Create a parent-child OU structure with domain admin credentials - self.create_ou(self.ldb_owner, "OU=test_add_ou1," + self.base_dn) - self.create_ou(self.ldb_owner, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) - # Test user and group creation with regular user credentials - try: - self.create_test_user(self.ldb_user, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) - self.create_group(self.ldb_user, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) - except LdbError, (num, _): - self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) - else: - self.fail() - # Make sure we HAVEN'T created any of two objects -- user or group - res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s,%s)" % ("CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn)) - self.assertEqual(res, []) - res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s,%s)" % ("CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn)) - self.assertEqual(res, []) - - def test_add_u3(self): - """Testing OU with the rights of regular user granted the right 'Create User child objects' """ - self.assert_top_ou_deleted() - # Change descriptor for top level OU - self.create_ou(self.ldb_owner, "OU=test_add_ou1," + self.base_dn) - user_sid = self.get_object_sid(self.get_user_dn(self.regular_user)) - mod = "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid) - self.dacl_add_ace("OU=test_add_ou1," + self.base_dn, mod) - self.create_ou(self.ldb_owner, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) - # Test user and group creation with granted user only to one of the objects - self.create_test_user(self.ldb_user, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) - try: - self.create_group(self.ldb_user, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) - except LdbError, (num, _): - self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) - else: - self.fail() - # Make sure we HAVE created the one of two objects -- user - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s,%s)" % - ("CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1", - self.base_dn)) - self.assertNotEqual(len(res), 0) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s,%s)" % - ("CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1", - self.base_dn) ) - self.assertEqual(res, []) - - def test_add_u4(self): - """ 4 Testing OU with the rights of Doman Admin creator of the OU""" - self.assert_top_ou_deleted() - self.create_ou(self.ldb_owner, "OU=test_add_ou1," + self.base_dn) - self.create_ou(self.ldb_owner, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) - self.create_test_user(self.ldb_owner, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) - self.create_group(self.ldb_owner, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) - # Make sure we have successfully created the two objects -- user and group - res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s,%s)" % ("CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn)) - self.assertTrue(len(res) > 0) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s,%s)" % ("CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn)) - self.assertTrue(len(res) > 0) - -#tests on ldap modify operations -class AclModifyTests(AclTests): - - def setUp(self): - super(AclModifyTests, self).setUp() - self.user_with_wp = "acl_mod_user1" - self.user_with_sm = "acl_mod_user2" - self.user_with_group_sm = "acl_mod_user3" - self.create_enable_user(self.user_with_wp) - self.create_enable_user(self.user_with_sm) - self.create_enable_user(self.user_with_group_sm) - self.ldb_user = self.get_ldb_connection(self.user_with_wp, self.user_pass) - self.ldb_user2 = self.get_ldb_connection(self.user_with_sm, self.user_pass) - self.ldb_user3 = self.get_ldb_connection(self.user_with_group_sm, self.user_pass) - self.user_sid = self.get_object_sid( self.get_user_dn(self.user_with_wp)) - self.create_group(self.ldb_admin, "CN=test_modify_group2,CN=Users," + self.base_dn) - self.create_group(self.ldb_admin, "CN=test_modify_group3,CN=Users," + self.base_dn) - self.create_test_user(self.ldb_admin, self.get_user_dn("test_modify_user2")) - - def tearDown(self): - super(AclModifyTests, self).tearDown() - self.delete_force(self.ldb_admin, self.get_user_dn("test_modify_user1")) - self.delete_force(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn) - self.delete_force(self.ldb_admin, "CN=test_modify_group2,CN=Users," + self.base_dn) - self.delete_force(self.ldb_admin, "CN=test_modify_group3,CN=Users," + self.base_dn) - self.delete_force(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn) - self.delete_force(self.ldb_admin, self.get_user_dn(self.user_with_wp)) - self.delete_force(self.ldb_admin, self.get_user_dn(self.user_with_sm)) - self.delete_force(self.ldb_admin, self.get_user_dn(self.user_with_group_sm)) - self.delete_force(self.ldb_admin, self.get_user_dn("test_modify_user2")) - - def test_modify_u1(self): - """5 Modify one attribute if you have DS_WRITE_PROPERTY for it""" - mod = "(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(self.user_sid) - # First test object -- User - print "Testing modify on User object" - self.create_test_user(self.ldb_admin, self.get_user_dn("test_modify_user1")) - self.dacl_add_ace(self.get_user_dn("test_modify_user1"), mod) - ldif = """ -dn: """ + self.get_user_dn("test_modify_user1") + """ -changetype: modify -replace: displayName -displayName: test_changed""" - self.ldb_user.modify_ldif(ldif) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s)" % self.get_user_dn("test_modify_user1")) - self.assertEqual(res[0]["displayName"][0], "test_changed") - # Second test object -- Group - print "Testing modify on Group object" - self.create_group(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn) - self.dacl_add_ace("CN=test_modify_group1,CN=Users," + self.base_dn, mod) - ldif = """ -dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """ -changetype: modify -replace: displayName -displayName: test_changed""" - self.ldb_user.modify_ldif(ldif) - res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s)" % str("CN=test_modify_group1,CN=Users," + self.base_dn)) - self.assertEqual(res[0]["displayName"][0], "test_changed") - # Third test object -- Organizational Unit - print "Testing modify on OU object" - #self.delete_force(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn) - self.create_ou(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn) - self.dacl_add_ace("OU=test_modify_ou1," + self.base_dn, mod) - ldif = """ -dn: OU=test_modify_ou1,""" + self.base_dn + """ -changetype: modify -replace: displayName -displayName: test_changed""" - self.ldb_user.modify_ldif(ldif) - res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s)" % str("OU=test_modify_ou1," + self.base_dn)) - self.assertEqual(res[0]["displayName"][0], "test_changed") - - def _test_modify_u2(self): - """6 Modify two attributes as you have DS_WRITE_PROPERTY granted only for one of them""" - mod = "(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(self.user_sid) - # First test object -- User - print "Testing modify on User object" - #self.delete_force(self.ldb_admin, self.get_user_dn("test_modify_user1")) - self.create_test_user(self.ldb_admin, self.get_user_dn("test_modify_user1")) - self.dacl_add_ace(self.get_user_dn("test_modify_user1"), mod) - # Modify on attribute you have rights for - ldif = """ -dn: """ + self.get_user_dn("test_modify_user1") + """ -changetype: modify -replace: displayName -displayName: test_changed""" - self.ldb_user.modify_ldif(ldif) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s)" % - self.get_user_dn("test_modify_user1")) - self.assertEqual(res[0]["displayName"][0], "test_changed") - # Modify on attribute you do not have rights for granted - ldif = """ -dn: """ + self.get_user_dn("test_modify_user1") + """ -changetype: modify -replace: url -url: www.samba.org""" - try: - self.ldb_user.modify_ldif(ldif) - except LdbError, (num, _): - self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) - else: - # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS - self.fail() - # Second test object -- Group - print "Testing modify on Group object" - self.create_group(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn) - self.dacl_add_ace("CN=test_modify_group1,CN=Users," + self.base_dn, mod) - ldif = """ -dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """ -changetype: modify -replace: displayName -displayName: test_changed""" - self.ldb_user.modify_ldif(ldif) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s)" % - str("CN=test_modify_group1,CN=Users," + self.base_dn)) - self.assertEqual(res[0]["displayName"][0], "test_changed") - # Modify on attribute you do not have rights for granted - ldif = """ -dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """ -changetype: modify -replace: url -url: www.samba.org""" - try: - self.ldb_user.modify_ldif(ldif) - except LdbError, (num, _): - self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) - else: - # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS - self.fail() - # Second test object -- Organizational Unit - print "Testing modify on OU object" - self.create_ou(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn) - self.dacl_add_ace("OU=test_modify_ou1," + self.base_dn, mod) - ldif = """ -dn: OU=test_modify_ou1,""" + self.base_dn + """ -changetype: modify -replace: displayName -displayName: test_changed""" - self.ldb_user.modify_ldif(ldif) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s)" % str("OU=test_modify_ou1," - + self.base_dn)) - self.assertEqual(res[0]["displayName"][0], "test_changed") - # Modify on attribute you do not have rights for granted - ldif = """ -dn: OU=test_modify_ou1,""" + self.base_dn + """ -changetype: modify -replace: url -url: www.samba.org""" - try: - self.ldb_user.modify_ldif(ldif) - except LdbError, (num, _): - self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) - else: - # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS - self.fail() - - def test_modify_u3(self): - """7 Modify one attribute as you have no what so ever rights granted""" - # First test object -- User - print "Testing modify on User object" - self.create_test_user(self.ldb_admin, self.get_user_dn("test_modify_user1")) - # Modify on attribute you do not have rights for granted - ldif = """ -dn: """ + self.get_user_dn("test_modify_user1") + """ -changetype: modify -replace: url -url: www.samba.org""" - try: - self.ldb_user.modify_ldif(ldif) - except LdbError, (num, _): - self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) - else: - # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS - self.fail() - - # Second test object -- Group - print "Testing modify on Group object" - self.create_group(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn) - # Modify on attribute you do not have rights for granted - ldif = """ -dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """ -changetype: modify -replace: url -url: www.samba.org""" - try: - self.ldb_user.modify_ldif(ldif) - except LdbError, (num, _): - self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) - else: - # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS - self.fail() - - # Second test object -- Organizational Unit - print "Testing modify on OU object" - #self.delete_force(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn) - self.create_ou(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn) - # Modify on attribute you do not have rights for granted - ldif = """ -dn: OU=test_modify_ou1,""" + self.base_dn + """ -changetype: modify -replace: url -url: www.samba.org""" - try: - self.ldb_user.modify_ldif(ldif) - except LdbError, (num, _): - self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) - else: - # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS - self.fail() - - - def test_modify_u4(self): - """11 Grant WP to PRINCIPAL_SELF and test modify""" - ldif = """ -dn: """ + self.get_user_dn(self.user_with_wp) + """ -changetype: modify -add: adminDescription -adminDescription: blah blah blah""" - try: - self.ldb_user.modify_ldif(ldif) - except LdbError, (num, _): - self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) - else: - # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS - self.fail() - - mod = "(OA;;WP;bf967919-0de6-11d0-a285-00aa003049e2;;PS)" - self.dacl_add_ace(self.get_user_dn(self.user_with_wp), mod) - # Modify on attribute you have rights for - self.ldb_user.modify_ldif(ldif) - res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s)" \ - % self.get_user_dn(self.user_with_wp), attrs=["adminDescription"] ) - self.assertEqual(res[0]["adminDescription"][0], "blah blah blah") - - def test_modify_u5(self): - """12 test self membership""" - ldif = """ -dn: CN=test_modify_group2,CN=Users,""" + self.base_dn + """ -changetype: modify -add: Member -Member: """ + self.get_user_dn(self.user_with_sm) -#the user has no rights granted, this should fail - try: - self.ldb_user2.modify_ldif(ldif) - except LdbError, (num, _): - self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) - else: - # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS - self.fail() - -#grant self-membership, should be able to add himself - user_sid = self.get_object_sid(self.get_user_dn(self.user_with_sm)) - mod = "(OA;;SW;bf9679c0-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid) - self.dacl_add_ace("CN=test_modify_group2,CN=Users," + self.base_dn, mod) - self.ldb_user2.modify_ldif(ldif) - res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \ - % ("CN=test_modify_group2,CN=Users," + self.base_dn), attrs=["Member"]) - self.assertEqual(res[0]["Member"][0], self.get_user_dn(self.user_with_sm)) -#but not other users - ldif = """ -dn: CN=test_modify_group2,CN=Users,""" + self.base_dn + """ -changetype: modify -add: Member -Member: CN=test_modify_user2,CN=Users,""" + self.base_dn - try: - self.ldb_user2.modify_ldif(ldif) - except LdbError, (num, _): - self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) - else: - self.fail() - - def test_modify_u6(self): - """13 test self membership""" - ldif = """ -dn: CN=test_modify_group2,CN=Users,""" + self.base_dn + """ -changetype: modify -add: Member -Member: """ + self.get_user_dn(self.user_with_sm) + """ -Member: CN=test_modify_user2,CN=Users,""" + self.base_dn - -#grant self-membership, should be able to add himself but not others at the same time - user_sid = self.get_object_sid(self.get_user_dn(self.user_with_sm)) - mod = "(OA;;SW;bf9679c0-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid) - self.dacl_add_ace("CN=test_modify_group2,CN=Users," + self.base_dn, mod) - try: - self.ldb_user2.modify_ldif(ldif) - except LdbError, (num, _): - self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) - else: - self.fail() - - def test_modify_u7(self): - """13 User with WP modifying Member""" -#a second user is given write property permission - user_sid = self.get_object_sid(self.get_user_dn(self.user_with_wp)) - mod = "(OA;;WP;;;%s)" % str(user_sid) - self.dacl_add_ace("CN=test_modify_group2,CN=Users," + self.base_dn, mod) - ldif = """ -dn: CN=test_modify_group2,CN=Users,""" + self.base_dn + """ -changetype: modify -add: Member -Member: """ + self.get_user_dn(self.user_with_wp) - self.ldb_user.modify_ldif(ldif) - res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \ - % ("CN=test_modify_group2,CN=Users," + self.base_dn), attrs=["Member"]) - self.assertEqual(res[0]["Member"][0], self.get_user_dn(self.user_with_wp)) - ldif = """ -dn: CN=test_modify_group2,CN=Users,""" + self.base_dn + """ -changetype: modify -delete: Member""" - self.ldb_user.modify_ldif(ldif) - ldif = """ -dn: CN=test_modify_group2,CN=Users,""" + self.base_dn + """ -changetype: modify -add: Member -Member: CN=test_modify_user2,CN=Users,""" + self.base_dn - self.ldb_user.modify_ldif(ldif) - res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \ - % ("CN=test_modify_group2,CN=Users," + self.base_dn), attrs=["Member"]) - self.assertEqual(res[0]["Member"][0], "CN=test_modify_user2,CN=Users," + self.base_dn) - -#enable these when we have search implemented -class AclSearchTests(AclTests): - - def setUp(self): - super(AclTests, self).setUp() - self.regular_user = "acl_search_user1" - self.create_enable_user(self.regular_user) - self.ldb_user = self.get_ldb_connection(self.regular_user, self.user_pass) - - def tearDown(self): - super(AclSearchTests, self).tearDown() - self.delete_force(self.ldb_admin, "CN=test_search_user1,OU=test_search_ou1," + self.base_dn) - self.delete_force(self.ldb_admin, "OU=test_search_ou1," + self.base_dn) - self.delete_force(self.ldb_admin, self.get_user_dn(self.regular_user)) - - def test_search_u1(self): - """See if can prohibit user to read another User object""" - ou_dn = "OU=test_search_ou1," + self.base_dn - user_dn = "CN=test_search_user1," + ou_dn - # Create clean OU - self.delete_force(self.ldb_admin, ou_dn) - self.create_ou(self.ldb_admin, ou_dn) - desc = self.read_desc(ou_dn) - desc_sddl = desc.as_sddl(self.domain_sid) - # Parse descriptor's SDDL and remove all inherited ACEs reffering - # to 'Registered Users' or 'Authenticated Users' - desc_aces = re.findall("\(.*?\)", desc_sddl) - for ace in desc_aces: - if ("I" in ace) and (("RU" in ace) or ("AU" in ace)): - desc_sddl = desc_sddl.replace(ace, "") - # Add 'P' in the DACL so it breaks further inheritance - desc_sddl = desc_sddl.replace("D:AI(", "D:PAI(") - # Create a security descriptor object and OU with that descriptor - desc = security.descriptor.from_sddl(desc_sddl, self.domain_sid) - self.delete_force(self.ldb_admin, ou_dn) - self.create_ou(self.ldb_admin, ou_dn, desc) - # Create clean user - self.delete_force(self.ldb_admin, user_dn) - self.create_test_user(self.ldb_admin, user_dn) - desc = self.read_desc(user_dn) - desc_sddl = desc.as_sddl(self.domain_sid) - # Parse security descriptor SDDL and remove all 'Read' ACEs - # reffering to AU - desc_aces = re.findall("\(.*?\)", desc_sddl) - for ace in desc_aces: - if ("AU" in ace) and ("R" in ace): - desc_sddl = desc_sddl.replace(ace, "") - # Create user with the edited descriptor - desc = security.descriptor.from_sddl(desc_sddl, self.domain_sid) - self.delete_force(self.ldb_admin, user_dn) - self.create_test_user(self.ldb_admin, user_dn, desc) - - res = self.ldb_user.search(self.base_dn, - expression="(distinguishedName=%s)" % user_dn) - self.assertEqual(res, []) - - def test_search_u2(self): - """User's group ACEs cleared and after that granted RIGHT_DS_READ_PROPERTY to another User object""" - ou_dn = "OU=test_search_ou1," + self.base_dn - user_dn = "CN=test_search_user1," + ou_dn - # Create clean OU - self.delete_force(self.ldb_admin, ou_dn) - self.create_ou(self.ldb_admin, ou_dn) - desc = self.read_desc(ou_dn) - desc_sddl = desc.as_sddl(self.domain_sid) - # Parse descriptor's SDDL and remove all inherited ACEs reffering - # to 'Registered Users' or 'Authenticated Users' - desc_aces = re.findall("\(.*?\)", desc_sddl) - for ace in desc_aces: - if ("I" in ace) and (("RU" in ace) or ("AU" in ace)): - desc_sddl = desc_sddl.replace(ace, "") - # Add 'P' in the DACL so it breaks further inheritance - desc_sddl = desc_sddl.replace("D:AI(", "D:PAI(") - # Create a security descriptor object and OU with that descriptor - desc = security.descriptor.from_sddl(desc_sddl, self.domain_sid) - self.delete_force(self.ldb_admin, ou_dn) - self.create_ou(self.ldb_admin, ou_dn, desc) - # Create clean user - self.delete_force(self.ldb_admin, user_dn) - self.create_test_user(self.ldb_admin, user_dn) - # Parse security descriptor SDDL and remove all 'Read' ACEs - # reffering to AU - desc_aces = re.findall("\(.*?\)", desc_sddl) - for ace in desc_aces: - if ("AU" in ace) and ("R" in ace): - desc_sddl = desc_sddl.replace(ace, "") - #mod = "(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)" - mod = "(A;;RP;;;AU)" - self.dacl_add_ace(user_dn, mod) - res = self.ldb_user.search(self.base_dn, - expression="(distinguishedName=%s)" % user_dn) - self.assertNotEqual(res, []) - -#tests on ldap delete operations -class AclDeleteTests(AclTests): - - def setUp(self): - super(AclDeleteTests, self).setUp() - self.regular_user = "acl_delete_user1" - # Create regular user - self.create_enable_user(self.regular_user) - self.ldb_user = self.get_ldb_connection(self.regular_user, self.user_pass) - - def tearDown(self): - super(AclDeleteTests, self).tearDown() - self.delete_force(self.ldb_admin, self.get_user_dn("test_delete_user1")) - self.delete_force(self.ldb_admin, self.get_user_dn(self.regular_user)) - - def test_delete_u1(self): - """User is prohibited by default to delete another User object""" - # Create user that we try to delete - self.create_test_user(self.ldb_admin, self.get_user_dn("test_delete_user1")) - # Here delete User object should ALWAYS through exception - try: - self.ldb_user.delete(self.get_user_dn("test_delete_user1")) - except LdbError, (num, _): - self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) - else: - self.fail() - - def test_delete_u2(self): - """User's group has RIGHT_DELETE to another User object""" - user_dn = self.get_user_dn("test_delete_user1") - # Create user that we try to delete - self.create_test_user(self.ldb_admin, user_dn) - mod = "(A;;SD;;;AU)" - self.dacl_add_ace(user_dn, mod) - # Try to delete User object - self.ldb_user.delete(user_dn) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s)" % user_dn) - self.assertEqual(res, []) - - def test_delete_u3(self): - """User indentified by SID has RIGHT_DELETE to another User object""" - user_dn = self.get_user_dn("test_delete_user1") - # Create user that we try to delete - self.create_test_user(self.ldb_admin, user_dn) - mod = "(A;;SD;;;%s)" % self.get_object_sid(self.get_user_dn(self.regular_user)) - self.dacl_add_ace(user_dn, mod) - # Try to delete User object - self.ldb_user.delete(user_dn) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s)" % user_dn) - self.assertEqual(res, []) - -#tests on ldap rename operations -class AclRenameTests(AclTests): - - def setUp(self): - super(AclRenameTests, self).setUp() - self.regular_user = "acl_rename_user1" - - # Create regular user - self.create_enable_user(self.regular_user) - self.ldb_user = self.get_ldb_connection(self.regular_user, self.user_pass) - - def tearDown(self): - super(AclRenameTests, self).tearDown() - # Rename OU3 - self.delete_force(self.ldb_admin, "CN=test_rename_user1,OU=test_rename_ou3,OU=test_rename_ou2," + self.base_dn) - self.delete_force(self.ldb_admin, "CN=test_rename_user2,OU=test_rename_ou3,OU=test_rename_ou2," + self.base_dn) - self.delete_force(self.ldb_admin, "CN=test_rename_user5,OU=test_rename_ou3,OU=test_rename_ou2," + self.base_dn) - self.delete_force(self.ldb_admin, "OU=test_rename_ou3,OU=test_rename_ou2," + self.base_dn) - # Rename OU2 - self.delete_force(self.ldb_admin, "CN=test_rename_user1,OU=test_rename_ou2," + self.base_dn) - self.delete_force(self.ldb_admin, "CN=test_rename_user2,OU=test_rename_ou2," + self.base_dn) - self.delete_force(self.ldb_admin, "CN=test_rename_user5,OU=test_rename_ou2," + self.base_dn) - self.delete_force(self.ldb_admin, "OU=test_rename_ou2," + self.base_dn) - # Rename OU1 - self.delete_force(self.ldb_admin, "CN=test_rename_user1,OU=test_rename_ou1," + self.base_dn) - self.delete_force(self.ldb_admin, "CN=test_rename_user2,OU=test_rename_ou1," + self.base_dn) - self.delete_force(self.ldb_admin, "CN=test_rename_user5,OU=test_rename_ou1," + self.base_dn) - self.delete_force(self.ldb_admin, "OU=test_rename_ou3,OU=test_rename_ou1," + self.base_dn) - self.delete_force(self.ldb_admin, "OU=test_rename_ou1," + self.base_dn) - self.delete_force(self.ldb_admin, self.get_user_dn(self.regular_user)) - - def test_rename_u1(self): - """Regular user fails to rename 'User object' within single OU""" - # Create OU structure - self.create_ou(self.ldb_admin, "OU=test_rename_ou1," + self.base_dn) - self.create_test_user(self.ldb_admin, "CN=test_rename_user1,OU=test_rename_ou1," + self.base_dn) - try: - self.ldb_user.rename("CN=test_rename_user1,OU=test_rename_ou1," + self.base_dn, \ - "CN=test_rename_user5,OU=test_rename_ou1," + self.base_dn) - except LdbError, (num, _): - self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) - else: - self.fail() - - def test_rename_u2(self): - """Grant WRITE_PROPERTY to AU so regular user can rename 'User object' within single OU""" - ou_dn = "OU=test_rename_ou1," + self.base_dn - user_dn = "CN=test_rename_user1," + ou_dn - rename_user_dn = "CN=test_rename_user5," + ou_dn - # Create OU structure - self.create_ou(self.ldb_admin, ou_dn) - self.create_test_user(self.ldb_admin, user_dn) - mod = "(A;;WP;;;AU)" - self.dacl_add_ace(user_dn, mod) - # Rename 'User object' having WP to AU - self.ldb_user.rename(user_dn, rename_user_dn) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s)" % user_dn) - self.assertEqual(res, []) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s)" % rename_user_dn) - self.assertNotEqual(res, []) - - def test_rename_u3(self): - """Test rename with rights granted to 'User object' SID""" - ou_dn = "OU=test_rename_ou1," + self.base_dn - user_dn = "CN=test_rename_user1," + ou_dn - rename_user_dn = "CN=test_rename_user5," + ou_dn - # Create OU structure - self.create_ou(self.ldb_admin, ou_dn) - self.create_test_user(self.ldb_admin, user_dn) - sid = self.get_object_sid(self.get_user_dn(self.regular_user)) - mod = "(A;;WP;;;%s)" % str(sid) - self.dacl_add_ace(user_dn, mod) - # Rename 'User object' having WP to AU - self.ldb_user.rename(user_dn, rename_user_dn) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s)" % user_dn) - self.assertEqual(res, []) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s)" % rename_user_dn) - self.assertNotEqual(res, []) - - def test_rename_u4(self): - """Rename 'User object' cross OU with WP, SD and CC right granted on reg. user to AU""" - ou1_dn = "OU=test_rename_ou1," + self.base_dn - ou2_dn = "OU=test_rename_ou2," + self.base_dn - user_dn = "CN=test_rename_user2," + ou1_dn - rename_user_dn = "CN=test_rename_user5," + ou2_dn - # Create OU structure - self.create_ou(self.ldb_admin, ou1_dn) - self.create_ou(self.ldb_admin, ou2_dn) - self.create_test_user(self.ldb_admin, user_dn) - mod = "(A;;WPSD;;;AU)" - self.dacl_add_ace(user_dn, mod) - mod = "(A;;CC;;;AU)" - self.dacl_add_ace(ou2_dn, mod) - # Rename 'User object' having SD and CC to AU - self.ldb_user.rename(user_dn, rename_user_dn) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s)" % user_dn) - self.assertEqual(res, []) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s)" % rename_user_dn) - self.assertNotEqual(res, []) - - def test_rename_u5(self): - """Test rename with rights granted to 'User object' SID""" - ou1_dn = "OU=test_rename_ou1," + self.base_dn - ou2_dn = "OU=test_rename_ou2," + self.base_dn - user_dn = "CN=test_rename_user2," + ou1_dn - rename_user_dn = "CN=test_rename_user5," + ou2_dn - # Create OU structure - self.create_ou(self.ldb_admin, ou1_dn) - self.create_ou(self.ldb_admin, ou2_dn) - self.create_test_user(self.ldb_admin, user_dn) - sid = self.get_object_sid(self.get_user_dn(self.regular_user)) - mod = "(A;;WPSD;;;%s)" % str(sid) - self.dacl_add_ace(user_dn, mod) - mod = "(A;;CC;;;%s)" % str(sid) - self.dacl_add_ace(ou2_dn, mod) - # Rename 'User object' having SD and CC to AU - self.ldb_user.rename(user_dn, rename_user_dn) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s)" % user_dn) - self.assertEqual(res, []) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s)" % rename_user_dn) - self.assertNotEqual(res, []) - - def test_rename_u6(self): - """Rename 'User object' cross OU with WP, DC and CC right granted on OU & user to AU""" - ou1_dn = "OU=test_rename_ou1," + self.base_dn - ou2_dn = "OU=test_rename_ou2," + self.base_dn - user_dn = "CN=test_rename_user2," + ou1_dn - rename_user_dn = "CN=test_rename_user2," + ou2_dn - # Create OU structure - self.create_ou(self.ldb_admin, ou1_dn) - self.create_ou(self.ldb_admin, ou2_dn) - #mod = "(A;CI;DCWP;;;AU)" - mod = "(A;;DC;;;AU)" - self.dacl_add_ace(ou1_dn, mod) - mod = "(A;;CC;;;AU)" - self.dacl_add_ace(ou2_dn, mod) - self.create_test_user(self.ldb_admin, user_dn) - mod = "(A;;WP;;;AU)" - self.dacl_add_ace(user_dn, mod) - # Rename 'User object' having SD and CC to AU - self.ldb_user.rename(user_dn, rename_user_dn) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s)" % user_dn) - self.assertEqual(res, []) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s)" % rename_user_dn) - self.assertNotEqual(res, []) - - def test_rename_u7(self): - """Rename 'User object' cross OU (second level) with WP, DC and CC right granted on OU to AU""" - ou1_dn = "OU=test_rename_ou1," + self.base_dn - ou2_dn = "OU=test_rename_ou2," + self.base_dn - ou3_dn = "OU=test_rename_ou3," + ou2_dn - user_dn = "CN=test_rename_user2," + ou1_dn - rename_user_dn = "CN=test_rename_user5," + ou3_dn - # Create OU structure - self.create_ou(self.ldb_admin, ou1_dn) - self.create_ou(self.ldb_admin, ou2_dn) - self.create_ou(self.ldb_admin, ou3_dn) - mod = "(A;CI;WPDC;;;AU)" - self.dacl_add_ace(ou1_dn, mod) - mod = "(A;;CC;;;AU)" - self.dacl_add_ace(ou3_dn, mod) - self.create_test_user(self.ldb_admin, user_dn) - # Rename 'User object' having SD and CC to AU - self.ldb_user.rename(user_dn, rename_user_dn) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s)" % user_dn) - self.assertEqual(res, []) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s)" % rename_user_dn) - self.assertNotEqual(res, []) - - def test_rename_u8(self): - """Test rename on an object with and without modify access on the RDN attribute""" - ou1_dn = "OU=test_rename_ou1," + self.base_dn - ou2_dn = "OU=test_rename_ou2," + ou1_dn - ou3_dn = "OU=test_rename_ou3," + ou1_dn - # Create OU structure - self.create_ou(self.ldb_admin, ou1_dn) - self.create_ou(self.ldb_admin, ou2_dn) - sid = self.get_object_sid(self.get_user_dn(self.regular_user)) - mod = "(OA;;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;%s)" % str(sid) - self.dacl_add_ace(ou2_dn, mod) - mod = "(OD;;WP;bf9679f0-0de6-11d0-a285-00aa003049e2;;%s)" % str(sid) - self.dacl_add_ace(ou2_dn, mod) - try: - self.ldb_user.rename(ou2_dn, ou3_dn) - except LdbError, (num, _): - self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) - else: - # This rename operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS - self.fail() - sid = self.get_object_sid(self.get_user_dn(self.regular_user)) - mod = "(A;;WP;bf9679f0-0de6-11d0-a285-00aa003049e2;;%s)" % str(sid) - self.dacl_add_ace(ou2_dn, mod) - self.ldb_user.rename(ou2_dn, ou3_dn) - res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s)" % ou2_dn) - self.assertEqual(res, []) - res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s)" % ou3_dn) - self.assertNotEqual(res, []) - -# Important unit running information - -if not "://" in host: - host = "ldap://%s" % host -ldb = SamDB(host, credentials=creds, session_info=system_session(), lp=lp) - -runner = SubunitTestRunner() -rc = 0 -if not runner.run(unittest.makeSuite(AclAddTests)).wasSuccessful(): - rc = 1 -if not runner.run(unittest.makeSuite(AclModifyTests)).wasSuccessful(): - rc = 1 -if not runner.run(unittest.makeSuite(AclDeleteTests)).wasSuccessful(): - rc = 1 -if not runner.run(unittest.makeSuite(AclRenameTests)).wasSuccessful(): - rc = 1 -sys.exit(rc) |