summaryrefslogtreecommitdiff
path: root/source4/lib/ldb
diff options
context:
space:
mode:
authorStefan Metzmacher <metze@samba.org>2010-06-30 11:09:10 +0200
committerStefan Metzmacher <metze@samba.org>2010-06-30 11:10:28 +0200
commit14f8953aa4f000173a051b8010252063db5295c1 (patch)
treee599a4c86d34306e3d6de8ddc806033ae1e72641 /source4/lib/ldb
parent19d93c6a1e810dbd634f35cf440412c1ff958448 (diff)
downloadsamba-14f8953aa4f000173a051b8010252063db5295c1.tar.gz
samba-14f8953aa4f000173a051b8010252063db5295c1.tar.bz2
samba-14f8953aa4f000173a051b8010252063db5295c1.zip
s4:dsdb: move dsdb python tests from lib/ldb/ to dsdb/
metze
Diffstat (limited to 'source4/lib/ldb')
-rwxr-xr-xsource4/lib/ldb/tests/python/acl.py1042
-rwxr-xr-xsource4/lib/ldb/tests/python/deletetest.py201
-rwxr-xr-xsource4/lib/ldb/tests/python/dsdb_schema_info.py213
-rwxr-xr-xsource4/lib/ldb/tests/python/ldap.py2688
-rwxr-xr-xsource4/lib/ldb/tests/python/ldap_schema.py556
-rwxr-xr-xsource4/lib/ldb/tests/python/passwords.py615
-rwxr-xr-xsource4/lib/ldb/tests/python/sec_descriptor.py1979
-rwxr-xr-xsource4/lib/ldb/tests/python/urgent_replication.py386
8 files changed, 0 insertions, 7680 deletions
diff --git a/source4/lib/ldb/tests/python/acl.py b/source4/lib/ldb/tests/python/acl.py
deleted file mode 100755
index 5bf3ff9b1b..0000000000
--- a/source4/lib/ldb/tests/python/acl.py
+++ /dev/null
@@ -1,1042 +0,0 @@
-#!/usr/bin/env python
-# -*- coding: utf-8 -*-
-# This is unit with tests for LDAP access checks
-
-import optparse
-import sys
-import base64
-import re
-
-sys.path.append("bin/python")
-import samba
-samba.ensure_external_module("subunit", "subunit/python")
-samba.ensure_external_module("testtools", "testtools")
-
-import samba.getopt as options
-
-from ldb import (
- SCOPE_BASE, LdbError, ERR_NO_SUCH_OBJECT, ERR_INSUFFICIENT_ACCESS_RIGHTS)
-
-from samba.ndr import ndr_pack, ndr_unpack
-from samba.dcerpc import security
-
-from samba.auth import system_session
-from samba import gensec
-from samba.samdb import SamDB
-from samba.credentials import Credentials
-import samba.tests
-from subunit.run import SubunitTestRunner
-import unittest
-
-parser = optparse.OptionParser("ldap [options] <host>")
-sambaopts = options.SambaOptions(parser)
-parser.add_option_group(sambaopts)
-parser.add_option_group(options.VersionOptions(parser))
-
-# use command line creds if available
-credopts = options.CredentialsOptions(parser)
-parser.add_option_group(credopts)
-opts, args = parser.parse_args()
-
-if len(args) < 1:
- parser.print_usage()
- sys.exit(1)
-
-host = args[0]
-
-lp = sambaopts.get_loadparm()
-creds = credopts.get_credentials(lp)
-creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
-
-#
-# Tests start here
-#
-
-class AclTests(samba.tests.TestCase):
-
- def delete_force(self, ldb, dn):
- try:
- ldb.delete(dn)
- except LdbError, (num, _):
- self.assertEquals(num, ERR_NO_SUCH_OBJECT)
-
- def find_basedn(self, ldb):
- res = ldb.search(base="", expression="", scope=SCOPE_BASE,
- attrs=["defaultNamingContext"])
- self.assertEquals(len(res), 1)
- return res[0]["defaultNamingContext"][0]
-
- def find_domain_sid(self, ldb):
- res = ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_BASE)
- return ndr_unpack(security.dom_sid,res[0]["objectSid"][0])
-
- def setUp(self):
- super(AclTests, self).setUp()
- self.ldb_admin = ldb
- self.base_dn = self.find_basedn(self.ldb_admin)
- self.domain_sid = self.find_domain_sid(self.ldb_admin)
- self.user_pass = "samba123@"
- print "baseDN: %s" % self.base_dn
-
- def get_user_dn(self, name):
- return "CN=%s,CN=Users,%s" % (name, self.base_dn)
-
- def modify_desc(self, object_dn, desc):
- """ Modify security descriptor using either SDDL string
- or security.descriptor object
- """
- assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
- mod = """
-dn: """ + object_dn + """
-changetype: modify
-replace: nTSecurityDescriptor
-"""
- if isinstance(desc, str):
- mod += "nTSecurityDescriptor: %s" % desc
- elif isinstance(desc, security.descriptor):
- mod += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
- self.ldb_admin.modify_ldif(mod)
-
- def add_group_member(self, _ldb, group_dn, member_dn):
- """ Modify user to ge member of a group
- e.g. User to be 'Doamin Admin' group member
- """
- ldif = """
-dn: """ + group_dn + """
-changetype: modify
-add: member
-member: """ + member_dn
- _ldb.modify_ldif(ldif)
-
- def create_ou(self, _ldb, ou_dn, desc=None):
- ldif = """
-dn: """ + ou_dn + """
-ou: """ + ou_dn.split(",")[0][3:] + """
-objectClass: organizationalUnit
-url: www.example.com
-"""
- if desc:
- assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
- if isinstance(desc, str):
- ldif += "nTSecurityDescriptor: %s" % desc
- elif isinstance(desc, security.descriptor):
- ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
- _ldb.add_ldif(ldif)
-
- def create_active_user(self, _ldb, user_dn):
- ldif = """
-dn: """ + user_dn + """
-sAMAccountName: """ + user_dn.split(",")[0][3:] + """
-objectClass: user
-unicodePwd:: """ + base64.b64encode("\"samba123@\"".encode('utf-16-le')) + """
-url: www.example.com
-"""
- _ldb.add_ldif(ldif)
-
- def create_test_user(self, _ldb, user_dn, desc=None):
- ldif = """
-dn: """ + user_dn + """
-sAMAccountName: """ + user_dn.split(",")[0][3:] + """
-objectClass: user
-userPassword: """ + self.user_pass + """
-url: www.example.com
-"""
- if desc:
- assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
- if isinstance(desc, str):
- ldif += "nTSecurityDescriptor: %s" % desc
- elif isinstance(desc, security.descriptor):
- ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
- _ldb.add_ldif(ldif)
-
- def create_group(self, _ldb, group_dn, desc=None):
- ldif = """
-dn: """ + group_dn + """
-objectClass: group
-sAMAccountName: """ + group_dn.split(",")[0][3:] + """
-groupType: 2147483650
-url: www.example.com
-"""
- if desc:
- assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
- if isinstance(desc, str):
- ldif += "nTSecurityDescriptor: %s" % desc
- elif isinstance(desc, security.descriptor):
- ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
- _ldb.add_ldif(ldif)
-
- def read_desc(self, object_dn):
- res = self.ldb_admin.search(object_dn, SCOPE_BASE, None, ["nTSecurityDescriptor"])
- desc = res[0]["nTSecurityDescriptor"][0]
- return ndr_unpack(security.descriptor, desc)
-
- def get_ldb_connection(self, target_username, target_password):
- creds_tmp = Credentials()
- creds_tmp.set_username(target_username)
- creds_tmp.set_password(target_password)
- creds_tmp.set_domain(creds.get_domain())
- creds_tmp.set_realm(creds.get_realm())
- creds_tmp.set_workstation(creds.get_workstation())
- creds_tmp.set_gensec_features(creds_tmp.get_gensec_features()
- | gensec.FEATURE_SEAL)
- ldb_target = SamDB(url=host, credentials=creds_tmp, lp=lp)
- return ldb_target
-
- def get_object_sid(self, object_dn):
- res = self.ldb_admin.search(object_dn)
- return ndr_unpack(security.dom_sid, res[0]["objectSid"][0])
-
- def dacl_add_ace(self, object_dn, ace):
- desc = self.read_desc(object_dn)
- desc_sddl = desc.as_sddl(self.domain_sid)
- if ace in desc_sddl:
- return
- if desc_sddl.find("(") >= 0:
- desc_sddl = desc_sddl[:desc_sddl.index("(")] + ace + desc_sddl[desc_sddl.index("("):]
- else:
- desc_sddl = desc_sddl + ace
- self.modify_desc(object_dn, desc_sddl)
-
- def get_desc_sddl(self, object_dn):
- """ Return object nTSecutiryDescriptor in SDDL format
- """
- desc = self.read_desc(object_dn)
- return desc.as_sddl(self.domain_sid)
-
- # Test if we have any additional groups for users than default ones
- def assert_user_no_group_member(self, username):
- res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s)" % self.get_user_dn(username))
- try:
- self.assertEqual(res[0]["memberOf"][0], "")
- except KeyError:
- pass
- else:
- self.fail()
-
- def create_enable_user(self, username):
- self.create_active_user(self.ldb_admin, self.get_user_dn(username))
- self.ldb_admin.enable_account("(sAMAccountName=" + username + ")")
-
-#tests on ldap add operations
-class AclAddTests(AclTests):
-
- def setUp(self):
- super(AclAddTests, self).setUp()
- # Domain admin that will be creator of OU parent-child structure
- self.usr_admin_owner = "acl_add_user1"
- # Second domain admin that will not be creator of OU parent-child structure
- self.usr_admin_not_owner = "acl_add_user2"
- # Regular user
- self.regular_user = "acl_add_user3"
- self.create_enable_user(self.usr_admin_owner)
- self.create_enable_user(self.usr_admin_not_owner)
- self.create_enable_user(self.regular_user)
-
- # add admins to the Domain Admins group
- self.add_group_member(self.ldb_admin, "CN=Domain Admins,CN=Users," + self.base_dn, \
- self.get_user_dn(self.usr_admin_owner))
- self.add_group_member(self.ldb_admin, "CN=Domain Admins,CN=Users," + self.base_dn, \
- self.get_user_dn(self.usr_admin_not_owner))
-
- self.ldb_owner = self.get_ldb_connection(self.usr_admin_owner, self.user_pass)
- self.ldb_notowner = self.get_ldb_connection(self.usr_admin_not_owner, self.user_pass)
- self.ldb_user = self.get_ldb_connection(self.regular_user, self.user_pass)
-
- def tearDown(self):
- super(AclAddTests, self).tearDown()
- self.delete_force(self.ldb_admin, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
- self.delete_force(self.ldb_admin, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
- self.delete_force(self.ldb_admin, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
- self.delete_force(self.ldb_admin, "OU=test_add_ou1," + self.base_dn)
- self.delete_force(self.ldb_admin, self.get_user_dn(self.usr_admin_owner))
- self.delete_force(self.ldb_admin, self.get_user_dn(self.usr_admin_not_owner))
- self.delete_force(self.ldb_admin, self.get_user_dn(self.regular_user))
-
- # Make sure top OU is deleted (and so everything under it)
- def assert_top_ou_deleted(self):
- res = self.ldb_admin.search(self.base_dn,
- expression="(distinguishedName=%s,%s)" % (
- "OU=test_add_ou1", self.base_dn))
- self.assertEqual(res, [])
-
- def test_add_u1(self):
- """Testing OU with the rights of Doman Admin not creator of the OU """
- self.assert_top_ou_deleted()
- # Change descriptor for top level OU
- self.create_ou(self.ldb_owner, "OU=test_add_ou1," + self.base_dn)
- self.create_ou(self.ldb_owner, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
- user_sid = self.get_object_sid(self.get_user_dn(self.usr_admin_not_owner))
- mod = "(D;CI;WPCC;;;%s)" % str(user_sid)
- self.dacl_add_ace("OU=test_add_ou1," + self.base_dn, mod)
- # Test user and group creation with another domain admin's credentials
- self.create_test_user(self.ldb_notowner, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
- self.create_group(self.ldb_notowner, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
- # Make sure we HAVE created the two objects -- user and group
- # !!! We should not be able to do that, but however beacuse of ACE ordering our inherited Deny ACE
- # !!! comes after explicit (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) that comes from somewhere
- res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s,%s)" % ("CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn))
- self.assertTrue(len(res) > 0)
- res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s,%s)" % ("CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn))
- self.assertTrue(len(res) > 0)
-
- def test_add_u2(self):
- """Testing OU with the regular user that has no rights granted over the OU """
- self.assert_top_ou_deleted()
- # Create a parent-child OU structure with domain admin credentials
- self.create_ou(self.ldb_owner, "OU=test_add_ou1," + self.base_dn)
- self.create_ou(self.ldb_owner, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
- # Test user and group creation with regular user credentials
- try:
- self.create_test_user(self.ldb_user, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
- self.create_group(self.ldb_user, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
- except LdbError, (num, _):
- self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
- else:
- self.fail()
- # Make sure we HAVEN'T created any of two objects -- user or group
- res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s,%s)" % ("CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn))
- self.assertEqual(res, [])
- res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s,%s)" % ("CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn))
- self.assertEqual(res, [])
-
- def test_add_u3(self):
- """Testing OU with the rights of regular user granted the right 'Create User child objects' """
- self.assert_top_ou_deleted()
- # Change descriptor for top level OU
- self.create_ou(self.ldb_owner, "OU=test_add_ou1," + self.base_dn)
- user_sid = self.get_object_sid(self.get_user_dn(self.regular_user))
- mod = "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
- self.dacl_add_ace("OU=test_add_ou1," + self.base_dn, mod)
- self.create_ou(self.ldb_owner, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
- # Test user and group creation with granted user only to one of the objects
- self.create_test_user(self.ldb_user, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
- try:
- self.create_group(self.ldb_user, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
- except LdbError, (num, _):
- self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
- else:
- self.fail()
- # Make sure we HAVE created the one of two objects -- user
- res = self.ldb_admin.search(self.base_dn,
- expression="(distinguishedName=%s,%s)" %
- ("CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1",
- self.base_dn))
- self.assertNotEqual(len(res), 0)
- res = self.ldb_admin.search(self.base_dn,
- expression="(distinguishedName=%s,%s)" %
- ("CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1",
- self.base_dn) )
- self.assertEqual(res, [])
-
- def test_add_u4(self):
- """ 4 Testing OU with the rights of Doman Admin creator of the OU"""
- self.assert_top_ou_deleted()
- self.create_ou(self.ldb_owner, "OU=test_add_ou1," + self.base_dn)
- self.create_ou(self.ldb_owner, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
- self.create_test_user(self.ldb_owner, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
- self.create_group(self.ldb_owner, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
- # Make sure we have successfully created the two objects -- user and group
- res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s,%s)" % ("CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn))
- self.assertTrue(len(res) > 0)
- res = self.ldb_admin.search(self.base_dn,
- expression="(distinguishedName=%s,%s)" % ("CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn))
- self.assertTrue(len(res) > 0)
-
-#tests on ldap modify operations
-class AclModifyTests(AclTests):
-
- def setUp(self):
- super(AclModifyTests, self).setUp()
- self.user_with_wp = "acl_mod_user1"
- self.user_with_sm = "acl_mod_user2"
- self.user_with_group_sm = "acl_mod_user3"
- self.create_enable_user(self.user_with_wp)
- self.create_enable_user(self.user_with_sm)
- self.create_enable_user(self.user_with_group_sm)
- self.ldb_user = self.get_ldb_connection(self.user_with_wp, self.user_pass)
- self.ldb_user2 = self.get_ldb_connection(self.user_with_sm, self.user_pass)
- self.ldb_user3 = self.get_ldb_connection(self.user_with_group_sm, self.user_pass)
- self.user_sid = self.get_object_sid( self.get_user_dn(self.user_with_wp))
- self.create_group(self.ldb_admin, "CN=test_modify_group2,CN=Users," + self.base_dn)
- self.create_group(self.ldb_admin, "CN=test_modify_group3,CN=Users," + self.base_dn)
- self.create_test_user(self.ldb_admin, self.get_user_dn("test_modify_user2"))
-
- def tearDown(self):
- super(AclModifyTests, self).tearDown()
- self.delete_force(self.ldb_admin, self.get_user_dn("test_modify_user1"))
- self.delete_force(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn)
- self.delete_force(self.ldb_admin, "CN=test_modify_group2,CN=Users," + self.base_dn)
- self.delete_force(self.ldb_admin, "CN=test_modify_group3,CN=Users," + self.base_dn)
- self.delete_force(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn)
- self.delete_force(self.ldb_admin, self.get_user_dn(self.user_with_wp))
- self.delete_force(self.ldb_admin, self.get_user_dn(self.user_with_sm))
- self.delete_force(self.ldb_admin, self.get_user_dn(self.user_with_group_sm))
- self.delete_force(self.ldb_admin, self.get_user_dn("test_modify_user2"))
-
- def test_modify_u1(self):
- """5 Modify one attribute if you have DS_WRITE_PROPERTY for it"""
- mod = "(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(self.user_sid)
- # First test object -- User
- print "Testing modify on User object"
- self.create_test_user(self.ldb_admin, self.get_user_dn("test_modify_user1"))
- self.dacl_add_ace(self.get_user_dn("test_modify_user1"), mod)
- ldif = """
-dn: """ + self.get_user_dn("test_modify_user1") + """
-changetype: modify
-replace: displayName
-displayName: test_changed"""
- self.ldb_user.modify_ldif(ldif)
- res = self.ldb_admin.search(self.base_dn,
- expression="(distinguishedName=%s)" % self.get_user_dn("test_modify_user1"))
- self.assertEqual(res[0]["displayName"][0], "test_changed")
- # Second test object -- Group
- print "Testing modify on Group object"
- self.create_group(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn)
- self.dacl_add_ace("CN=test_modify_group1,CN=Users," + self.base_dn, mod)
- ldif = """
-dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """
-changetype: modify
-replace: displayName
-displayName: test_changed"""
- self.ldb_user.modify_ldif(ldif)
- res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s)" % str("CN=test_modify_group1,CN=Users," + self.base_dn))
- self.assertEqual(res[0]["displayName"][0], "test_changed")
- # Third test object -- Organizational Unit
- print "Testing modify on OU object"
- #self.delete_force(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn)
- self.create_ou(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn)
- self.dacl_add_ace("OU=test_modify_ou1," + self.base_dn, mod)
- ldif = """
-dn: OU=test_modify_ou1,""" + self.base_dn + """
-changetype: modify
-replace: displayName
-displayName: test_changed"""
- self.ldb_user.modify_ldif(ldif)
- res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s)" % str("OU=test_modify_ou1," + self.base_dn))
- self.assertEqual(res[0]["displayName"][0], "test_changed")
-
- def _test_modify_u2(self):
- """6 Modify two attributes as you have DS_WRITE_PROPERTY granted only for one of them"""
- mod = "(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(self.user_sid)
- # First test object -- User
- print "Testing modify on User object"
- #self.delete_force(self.ldb_admin, self.get_user_dn("test_modify_user1"))
- self.create_test_user(self.ldb_admin, self.get_user_dn("test_modify_user1"))
- self.dacl_add_ace(self.get_user_dn("test_modify_user1"), mod)
- # Modify on attribute you have rights for
- ldif = """
-dn: """ + self.get_user_dn("test_modify_user1") + """
-changetype: modify
-replace: displayName
-displayName: test_changed"""
- self.ldb_user.modify_ldif(ldif)
- res = self.ldb_admin.search(self.base_dn,
- expression="(distinguishedName=%s)" %
- self.get_user_dn("test_modify_user1"))
- self.assertEqual(res[0]["displayName"][0], "test_changed")
- # Modify on attribute you do not have rights for granted
- ldif = """
-dn: """ + self.get_user_dn("test_modify_user1") + """
-changetype: modify
-replace: url
-url: www.samba.org"""
- try:
- self.ldb_user.modify_ldif(ldif)
- except LdbError, (num, _):
- self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
- else:
- # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
- self.fail()
- # Second test object -- Group
- print "Testing modify on Group object"
- self.create_group(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn)
- self.dacl_add_ace("CN=test_modify_group1,CN=Users," + self.base_dn, mod)
- ldif = """
-dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """
-changetype: modify
-replace: displayName
-displayName: test_changed"""
- self.ldb_user.modify_ldif(ldif)
- res = self.ldb_admin.search(self.base_dn,
- expression="(distinguishedName=%s)" %
- str("CN=test_modify_group1,CN=Users," + self.base_dn))
- self.assertEqual(res[0]["displayName"][0], "test_changed")
- # Modify on attribute you do not have rights for granted
- ldif = """
-dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """
-changetype: modify
-replace: url
-url: www.samba.org"""
- try:
- self.ldb_user.modify_ldif(ldif)
- except LdbError, (num, _):
- self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
- else:
- # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
- self.fail()
- # Second test object -- Organizational Unit
- print "Testing modify on OU object"
- self.create_ou(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn)
- self.dacl_add_ace("OU=test_modify_ou1," + self.base_dn, mod)
- ldif = """
-dn: OU=test_modify_ou1,""" + self.base_dn + """
-changetype: modify
-replace: displayName
-displayName: test_changed"""
- self.ldb_user.modify_ldif(ldif)
- res = self.ldb_admin.search(self.base_dn,
- expression="(distinguishedName=%s)" % str("OU=test_modify_ou1,"
- + self.base_dn))
- self.assertEqual(res[0]["displayName"][0], "test_changed")
- # Modify on attribute you do not have rights for granted
- ldif = """
-dn: OU=test_modify_ou1,""" + self.base_dn + """
-changetype: modify
-replace: url
-url: www.samba.org"""
- try:
- self.ldb_user.modify_ldif(ldif)
- except LdbError, (num, _):
- self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
- else:
- # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
- self.fail()
-
- def test_modify_u3(self):
- """7 Modify one attribute as you have no what so ever rights granted"""
- # First test object -- User
- print "Testing modify on User object"
- self.create_test_user(self.ldb_admin, self.get_user_dn("test_modify_user1"))
- # Modify on attribute you do not have rights for granted
- ldif = """
-dn: """ + self.get_user_dn("test_modify_user1") + """
-changetype: modify
-replace: url
-url: www.samba.org"""
- try:
- self.ldb_user.modify_ldif(ldif)
- except LdbError, (num, _):
- self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
- else:
- # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
- self.fail()
-
- # Second test object -- Group
- print "Testing modify on Group object"
- self.create_group(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn)
- # Modify on attribute you do not have rights for granted
- ldif = """
-dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """
-changetype: modify
-replace: url
-url: www.samba.org"""
- try:
- self.ldb_user.modify_ldif(ldif)
- except LdbError, (num, _):
- self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
- else:
- # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
- self.fail()
-
- # Second test object -- Organizational Unit
- print "Testing modify on OU object"
- #self.delete_force(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn)
- self.create_ou(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn)
- # Modify on attribute you do not have rights for granted
- ldif = """
-dn: OU=test_modify_ou1,""" + self.base_dn + """
-changetype: modify
-replace: url
-url: www.samba.org"""
- try:
- self.ldb_user.modify_ldif(ldif)
- except LdbError, (num, _):
- self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
- else:
- # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
- self.fail()
-
-
- def test_modify_u4(self):
- """11 Grant WP to PRINCIPAL_SELF and test modify"""
- ldif = """
-dn: """ + self.get_user_dn(self.user_with_wp) + """
-changetype: modify
-add: adminDescription
-adminDescription: blah blah blah"""
- try:
- self.ldb_user.modify_ldif(ldif)
- except LdbError, (num, _):
- self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
- else:
- # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
- self.fail()
-
- mod = "(OA;;WP;bf967919-0de6-11d0-a285-00aa003049e2;;PS)"
- self.dacl_add_ace(self.get_user_dn(self.user_with_wp), mod)
- # Modify on attribute you have rights for
- self.ldb_user.modify_ldif(ldif)
- res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s)" \
- % self.get_user_dn(self.user_with_wp), attrs=["adminDescription"] )
- self.assertEqual(res[0]["adminDescription"][0], "blah blah blah")
-
- def test_modify_u5(self):
- """12 test self membership"""
- ldif = """
-dn: CN=test_modify_group2,CN=Users,""" + self.base_dn + """
-changetype: modify
-add: Member
-Member: """ + self.get_user_dn(self.user_with_sm)
-#the user has no rights granted, this should fail
- try:
- self.ldb_user2.modify_ldif(ldif)
- except LdbError, (num, _):
- self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
- else:
- # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
- self.fail()
-
-#grant self-membership, should be able to add himself
- user_sid = self.get_object_sid(self.get_user_dn(self.user_with_sm))
- mod = "(OA;;SW;bf9679c0-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
- self.dacl_add_ace("CN=test_modify_group2,CN=Users," + self.base_dn, mod)
- self.ldb_user2.modify_ldif(ldif)
- res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
- % ("CN=test_modify_group2,CN=Users," + self.base_dn), attrs=["Member"])
- self.assertEqual(res[0]["Member"][0], self.get_user_dn(self.user_with_sm))
-#but not other users
- ldif = """
-dn: CN=test_modify_group2,CN=Users,""" + self.base_dn + """
-changetype: modify
-add: Member
-Member: CN=test_modify_user2,CN=Users,""" + self.base_dn
- try:
- self.ldb_user2.modify_ldif(ldif)
- except LdbError, (num, _):
- self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
- else:
- self.fail()
-
- def test_modify_u6(self):
- """13 test self membership"""
- ldif = """
-dn: CN=test_modify_group2,CN=Users,""" + self.base_dn + """
-changetype: modify
-add: Member
-Member: """ + self.get_user_dn(self.user_with_sm) + """
-Member: CN=test_modify_user2,CN=Users,""" + self.base_dn
-
-#grant self-membership, should be able to add himself but not others at the same time
- user_sid = self.get_object_sid(self.get_user_dn(self.user_with_sm))
- mod = "(OA;;SW;bf9679c0-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
- self.dacl_add_ace("CN=test_modify_group2,CN=Users," + self.base_dn, mod)
- try:
- self.ldb_user2.modify_ldif(ldif)
- except LdbError, (num, _):
- self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
- else:
- self.fail()
-
- def test_modify_u7(self):
- """13 User with WP modifying Member"""
-#a second user is given write property permission
- user_sid = self.get_object_sid(self.get_user_dn(self.user_with_wp))
- mod = "(OA;;WP;;;%s)" % str(user_sid)
- self.dacl_add_ace("CN=test_modify_group2,CN=Users," + self.base_dn, mod)
- ldif = """
-dn: CN=test_modify_group2,CN=Users,""" + self.base_dn + """
-changetype: modify
-add: Member
-Member: """ + self.get_user_dn(self.user_with_wp)
- self.ldb_user.modify_ldif(ldif)
- res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
- % ("CN=test_modify_group2,CN=Users," + self.base_dn), attrs=["Member"])
- self.assertEqual(res[0]["Member"][0], self.get_user_dn(self.user_with_wp))
- ldif = """
-dn: CN=test_modify_group2,CN=Users,""" + self.base_dn + """
-changetype: modify
-delete: Member"""
- self.ldb_user.modify_ldif(ldif)
- ldif = """
-dn: CN=test_modify_group2,CN=Users,""" + self.base_dn + """
-changetype: modify
-add: Member
-Member: CN=test_modify_user2,CN=Users,""" + self.base_dn
- self.ldb_user.modify_ldif(ldif)
- res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
- % ("CN=test_modify_group2,CN=Users," + self.base_dn), attrs=["Member"])
- self.assertEqual(res[0]["Member"][0], "CN=test_modify_user2,CN=Users," + self.base_dn)
-
-#enable these when we have search implemented
-class AclSearchTests(AclTests):
-
- def setUp(self):
- super(AclTests, self).setUp()
- self.regular_user = "acl_search_user1"
- self.create_enable_user(self.regular_user)
- self.ldb_user = self.get_ldb_connection(self.regular_user, self.user_pass)
-
- def tearDown(self):
- super(AclSearchTests, self).tearDown()
- self.delete_force(self.ldb_admin, "CN=test_search_user1,OU=test_search_ou1," + self.base_dn)
- self.delete_force(self.ldb_admin, "OU=test_search_ou1," + self.base_dn)
- self.delete_force(self.ldb_admin, self.get_user_dn(self.regular_user))
-
- def test_search_u1(self):
- """See if can prohibit user to read another User object"""
- ou_dn = "OU=test_search_ou1," + self.base_dn
- user_dn = "CN=test_search_user1," + ou_dn
- # Create clean OU
- self.delete_force(self.ldb_admin, ou_dn)
- self.create_ou(self.ldb_admin, ou_dn)
- desc = self.read_desc(ou_dn)
- desc_sddl = desc.as_sddl(self.domain_sid)
- # Parse descriptor's SDDL and remove all inherited ACEs reffering
- # to 'Registered Users' or 'Authenticated Users'
- desc_aces = re.findall("\(.*?\)", desc_sddl)
- for ace in desc_aces:
- if ("I" in ace) and (("RU" in ace) or ("AU" in ace)):
- desc_sddl = desc_sddl.replace(ace, "")
- # Add 'P' in the DACL so it breaks further inheritance
- desc_sddl = desc_sddl.replace("D:AI(", "D:PAI(")
- # Create a security descriptor object and OU with that descriptor
- desc = security.descriptor.from_sddl(desc_sddl, self.domain_sid)
- self.delete_force(self.ldb_admin, ou_dn)
- self.create_ou(self.ldb_admin, ou_dn, desc)
- # Create clean user
- self.delete_force(self.ldb_admin, user_dn)
- self.create_test_user(self.ldb_admin, user_dn)
- desc = self.read_desc(user_dn)
- desc_sddl = desc.as_sddl(self.domain_sid)
- # Parse security descriptor SDDL and remove all 'Read' ACEs
- # reffering to AU
- desc_aces = re.findall("\(.*?\)", desc_sddl)
- for ace in desc_aces:
- if ("AU" in ace) and ("R" in ace):
- desc_sddl = desc_sddl.replace(ace, "")
- # Create user with the edited descriptor
- desc = security.descriptor.from_sddl(desc_sddl, self.domain_sid)
- self.delete_force(self.ldb_admin, user_dn)
- self.create_test_user(self.ldb_admin, user_dn, desc)
-
- res = self.ldb_user.search(self.base_dn,
- expression="(distinguishedName=%s)" % user_dn)
- self.assertEqual(res, [])
-
- def test_search_u2(self):
- """User's group ACEs cleared and after that granted RIGHT_DS_READ_PROPERTY to another User object"""
- ou_dn = "OU=test_search_ou1," + self.base_dn
- user_dn = "CN=test_search_user1," + ou_dn
- # Create clean OU
- self.delete_force(self.ldb_admin, ou_dn)
- self.create_ou(self.ldb_admin, ou_dn)
- desc = self.read_desc(ou_dn)
- desc_sddl = desc.as_sddl(self.domain_sid)
- # Parse descriptor's SDDL and remove all inherited ACEs reffering
- # to 'Registered Users' or 'Authenticated Users'
- desc_aces = re.findall("\(.*?\)", desc_sddl)
- for ace in desc_aces:
- if ("I" in ace) and (("RU" in ace) or ("AU" in ace)):
- desc_sddl = desc_sddl.replace(ace, "")
- # Add 'P' in the DACL so it breaks further inheritance
- desc_sddl = desc_sddl.replace("D:AI(", "D:PAI(")
- # Create a security descriptor object and OU with that descriptor
- desc = security.descriptor.from_sddl(desc_sddl, self.domain_sid)
- self.delete_force(self.ldb_admin, ou_dn)
- self.create_ou(self.ldb_admin, ou_dn, desc)
- # Create clean user
- self.delete_force(self.ldb_admin, user_dn)
- self.create_test_user(self.ldb_admin, user_dn)
- # Parse security descriptor SDDL and remove all 'Read' ACEs
- # reffering to AU
- desc_aces = re.findall("\(.*?\)", desc_sddl)
- for ace in desc_aces:
- if ("AU" in ace) and ("R" in ace):
- desc_sddl = desc_sddl.replace(ace, "")
- #mod = "(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)"
- mod = "(A;;RP;;;AU)"
- self.dacl_add_ace(user_dn, mod)
- res = self.ldb_user.search(self.base_dn,
- expression="(distinguishedName=%s)" % user_dn)
- self.assertNotEqual(res, [])
-
-#tests on ldap delete operations
-class AclDeleteTests(AclTests):
-
- def setUp(self):
- super(AclDeleteTests, self).setUp()
- self.regular_user = "acl_delete_user1"
- # Create regular user
- self.create_enable_user(self.regular_user)
- self.ldb_user = self.get_ldb_connection(self.regular_user, self.user_pass)
-
- def tearDown(self):
- super(AclDeleteTests, self).tearDown()
- self.delete_force(self.ldb_admin, self.get_user_dn("test_delete_user1"))
- self.delete_force(self.ldb_admin, self.get_user_dn(self.regular_user))
-
- def test_delete_u1(self):
- """User is prohibited by default to delete another User object"""
- # Create user that we try to delete
- self.create_test_user(self.ldb_admin, self.get_user_dn("test_delete_user1"))
- # Here delete User object should ALWAYS through exception
- try:
- self.ldb_user.delete(self.get_user_dn("test_delete_user1"))
- except LdbError, (num, _):
- self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
- else:
- self.fail()
-
- def test_delete_u2(self):
- """User's group has RIGHT_DELETE to another User object"""
- user_dn = self.get_user_dn("test_delete_user1")
- # Create user that we try to delete
- self.create_test_user(self.ldb_admin, user_dn)
- mod = "(A;;SD;;;AU)"
- self.dacl_add_ace(user_dn, mod)
- # Try to delete User object
- self.ldb_user.delete(user_dn)
- res = self.ldb_admin.search(self.base_dn,
- expression="(distinguishedName=%s)" % user_dn)
- self.assertEqual(res, [])
-
- def test_delete_u3(self):
- """User indentified by SID has RIGHT_DELETE to another User object"""
- user_dn = self.get_user_dn("test_delete_user1")
- # Create user that we try to delete
- self.create_test_user(self.ldb_admin, user_dn)
- mod = "(A;;SD;;;%s)" % self.get_object_sid(self.get_user_dn(self.regular_user))
- self.dacl_add_ace(user_dn, mod)
- # Try to delete User object
- self.ldb_user.delete(user_dn)
- res = self.ldb_admin.search(self.base_dn,
- expression="(distinguishedName=%s)" % user_dn)
- self.assertEqual(res, [])
-
-#tests on ldap rename operations
-class AclRenameTests(AclTests):
-
- def setUp(self):
- super(AclRenameTests, self).setUp()
- self.regular_user = "acl_rename_user1"
-
- # Create regular user
- self.create_enable_user(self.regular_user)
- self.ldb_user = self.get_ldb_connection(self.regular_user, self.user_pass)
-
- def tearDown(self):
- super(AclRenameTests, self).tearDown()
- # Rename OU3
- self.delete_force(self.ldb_admin, "CN=test_rename_user1,OU=test_rename_ou3,OU=test_rename_ou2," + self.base_dn)
- self.delete_force(self.ldb_admin, "CN=test_rename_user2,OU=test_rename_ou3,OU=test_rename_ou2," + self.base_dn)
- self.delete_force(self.ldb_admin, "CN=test_rename_user5,OU=test_rename_ou3,OU=test_rename_ou2," + self.base_dn)
- self.delete_force(self.ldb_admin, "OU=test_rename_ou3,OU=test_rename_ou2," + self.base_dn)
- # Rename OU2
- self.delete_force(self.ldb_admin, "CN=test_rename_user1,OU=test_rename_ou2," + self.base_dn)
- self.delete_force(self.ldb_admin, "CN=test_rename_user2,OU=test_rename_ou2," + self.base_dn)
- self.delete_force(self.ldb_admin, "CN=test_rename_user5,OU=test_rename_ou2," + self.base_dn)
- self.delete_force(self.ldb_admin, "OU=test_rename_ou2," + self.base_dn)
- # Rename OU1
- self.delete_force(self.ldb_admin, "CN=test_rename_user1,OU=test_rename_ou1," + self.base_dn)
- self.delete_force(self.ldb_admin, "CN=test_rename_user2,OU=test_rename_ou1," + self.base_dn)
- self.delete_force(self.ldb_admin, "CN=test_rename_user5,OU=test_rename_ou1," + self.base_dn)
- self.delete_force(self.ldb_admin, "OU=test_rename_ou3,OU=test_rename_ou1," + self.base_dn)
- self.delete_force(self.ldb_admin, "OU=test_rename_ou1," + self.base_dn)
- self.delete_force(self.ldb_admin, self.get_user_dn(self.regular_user))
-
- def test_rename_u1(self):
- """Regular user fails to rename 'User object' within single OU"""
- # Create OU structure
- self.create_ou(self.ldb_admin, "OU=test_rename_ou1," + self.base_dn)
- self.create_test_user(self.ldb_admin, "CN=test_rename_user1,OU=test_rename_ou1," + self.base_dn)
- try:
- self.ldb_user.rename("CN=test_rename_user1,OU=test_rename_ou1," + self.base_dn, \
- "CN=test_rename_user5,OU=test_rename_ou1," + self.base_dn)
- except LdbError, (num, _):
- self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
- else:
- self.fail()
-
- def test_rename_u2(self):
- """Grant WRITE_PROPERTY to AU so regular user can rename 'User object' within single OU"""
- ou_dn = "OU=test_rename_ou1," + self.base_dn
- user_dn = "CN=test_rename_user1," + ou_dn
- rename_user_dn = "CN=test_rename_user5," + ou_dn
- # Create OU structure
- self.create_ou(self.ldb_admin, ou_dn)
- self.create_test_user(self.ldb_admin, user_dn)
- mod = "(A;;WP;;;AU)"
- self.dacl_add_ace(user_dn, mod)
- # Rename 'User object' having WP to AU
- self.ldb_user.rename(user_dn, rename_user_dn)
- res = self.ldb_admin.search(self.base_dn,
- expression="(distinguishedName=%s)" % user_dn)
- self.assertEqual(res, [])
- res = self.ldb_admin.search(self.base_dn,
- expression="(distinguishedName=%s)" % rename_user_dn)
- self.assertNotEqual(res, [])
-
- def test_rename_u3(self):
- """Test rename with rights granted to 'User object' SID"""
- ou_dn = "OU=test_rename_ou1," + self.base_dn
- user_dn = "CN=test_rename_user1," + ou_dn
- rename_user_dn = "CN=test_rename_user5," + ou_dn
- # Create OU structure
- self.create_ou(self.ldb_admin, ou_dn)
- self.create_test_user(self.ldb_admin, user_dn)
- sid = self.get_object_sid(self.get_user_dn(self.regular_user))
- mod = "(A;;WP;;;%s)" % str(sid)
- self.dacl_add_ace(user_dn, mod)
- # Rename 'User object' having WP to AU
- self.ldb_user.rename(user_dn, rename_user_dn)
- res = self.ldb_admin.search(self.base_dn,
- expression="(distinguishedName=%s)" % user_dn)
- self.assertEqual(res, [])
- res = self.ldb_admin.search(self.base_dn,
- expression="(distinguishedName=%s)" % rename_user_dn)
- self.assertNotEqual(res, [])
-
- def test_rename_u4(self):
- """Rename 'User object' cross OU with WP, SD and CC right granted on reg. user to AU"""
- ou1_dn = "OU=test_rename_ou1," + self.base_dn
- ou2_dn = "OU=test_rename_ou2," + self.base_dn
- user_dn = "CN=test_rename_user2," + ou1_dn
- rename_user_dn = "CN=test_rename_user5," + ou2_dn
- # Create OU structure
- self.create_ou(self.ldb_admin, ou1_dn)
- self.create_ou(self.ldb_admin, ou2_dn)
- self.create_test_user(self.ldb_admin, user_dn)
- mod = "(A;;WPSD;;;AU)"
- self.dacl_add_ace(user_dn, mod)
- mod = "(A;;CC;;;AU)"
- self.dacl_add_ace(ou2_dn, mod)
- # Rename 'User object' having SD and CC to AU
- self.ldb_user.rename(user_dn, rename_user_dn)
- res = self.ldb_admin.search(self.base_dn,
- expression="(distinguishedName=%s)" % user_dn)
- self.assertEqual(res, [])
- res = self.ldb_admin.search(self.base_dn,
- expression="(distinguishedName=%s)" % rename_user_dn)
- self.assertNotEqual(res, [])
-
- def test_rename_u5(self):
- """Test rename with rights granted to 'User object' SID"""
- ou1_dn = "OU=test_rename_ou1," + self.base_dn
- ou2_dn = "OU=test_rename_ou2," + self.base_dn
- user_dn = "CN=test_rename_user2," + ou1_dn
- rename_user_dn = "CN=test_rename_user5," + ou2_dn
- # Create OU structure
- self.create_ou(self.ldb_admin, ou1_dn)
- self.create_ou(self.ldb_admin, ou2_dn)
- self.create_test_user(self.ldb_admin, user_dn)
- sid = self.get_object_sid(self.get_user_dn(self.regular_user))
- mod = "(A;;WPSD;;;%s)" % str(sid)
- self.dacl_add_ace(user_dn, mod)
- mod = "(A;;CC;;;%s)" % str(sid)
- self.dacl_add_ace(ou2_dn, mod)
- # Rename 'User object' having SD and CC to AU
- self.ldb_user.rename(user_dn, rename_user_dn)
- res = self.ldb_admin.search(self.base_dn,
- expression="(distinguishedName=%s)" % user_dn)
- self.assertEqual(res, [])
- res = self.ldb_admin.search(self.base_dn,
- expression="(distinguishedName=%s)" % rename_user_dn)
- self.assertNotEqual(res, [])
-
- def test_rename_u6(self):
- """Rename 'User object' cross OU with WP, DC and CC right granted on OU & user to AU"""
- ou1_dn = "OU=test_rename_ou1," + self.base_dn
- ou2_dn = "OU=test_rename_ou2," + self.base_dn
- user_dn = "CN=test_rename_user2," + ou1_dn
- rename_user_dn = "CN=test_rename_user2," + ou2_dn
- # Create OU structure
- self.create_ou(self.ldb_admin, ou1_dn)
- self.create_ou(self.ldb_admin, ou2_dn)
- #mod = "(A;CI;DCWP;;;AU)"
- mod = "(A;;DC;;;AU)"
- self.dacl_add_ace(ou1_dn, mod)
- mod = "(A;;CC;;;AU)"
- self.dacl_add_ace(ou2_dn, mod)
- self.create_test_user(self.ldb_admin, user_dn)
- mod = "(A;;WP;;;AU)"
- self.dacl_add_ace(user_dn, mod)
- # Rename 'User object' having SD and CC to AU
- self.ldb_user.rename(user_dn, rename_user_dn)
- res = self.ldb_admin.search(self.base_dn,
- expression="(distinguishedName=%s)" % user_dn)
- self.assertEqual(res, [])
- res = self.ldb_admin.search(self.base_dn,
- expression="(distinguishedName=%s)" % rename_user_dn)
- self.assertNotEqual(res, [])
-
- def test_rename_u7(self):
- """Rename 'User object' cross OU (second level) with WP, DC and CC right granted on OU to AU"""
- ou1_dn = "OU=test_rename_ou1," + self.base_dn
- ou2_dn = "OU=test_rename_ou2," + self.base_dn
- ou3_dn = "OU=test_rename_ou3," + ou2_dn
- user_dn = "CN=test_rename_user2," + ou1_dn
- rename_user_dn = "CN=test_rename_user5," + ou3_dn
- # Create OU structure
- self.create_ou(self.ldb_admin, ou1_dn)
- self.create_ou(self.ldb_admin, ou2_dn)
- self.create_ou(self.ldb_admin, ou3_dn)
- mod = "(A;CI;WPDC;;;AU)"
- self.dacl_add_ace(ou1_dn, mod)
- mod = "(A;;CC;;;AU)"
- self.dacl_add_ace(ou3_dn, mod)
- self.create_test_user(self.ldb_admin, user_dn)
- # Rename 'User object' having SD and CC to AU
- self.ldb_user.rename(user_dn, rename_user_dn)
- res = self.ldb_admin.search(self.base_dn,
- expression="(distinguishedName=%s)" % user_dn)
- self.assertEqual(res, [])
- res = self.ldb_admin.search(self.base_dn,
- expression="(distinguishedName=%s)" % rename_user_dn)
- self.assertNotEqual(res, [])
-
- def test_rename_u8(self):
- """Test rename on an object with and without modify access on the RDN attribute"""
- ou1_dn = "OU=test_rename_ou1," + self.base_dn
- ou2_dn = "OU=test_rename_ou2," + ou1_dn
- ou3_dn = "OU=test_rename_ou3," + ou1_dn
- # Create OU structure
- self.create_ou(self.ldb_admin, ou1_dn)
- self.create_ou(self.ldb_admin, ou2_dn)
- sid = self.get_object_sid(self.get_user_dn(self.regular_user))
- mod = "(OA;;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;%s)" % str(sid)
- self.dacl_add_ace(ou2_dn, mod)
- mod = "(OD;;WP;bf9679f0-0de6-11d0-a285-00aa003049e2;;%s)" % str(sid)
- self.dacl_add_ace(ou2_dn, mod)
- try:
- self.ldb_user.rename(ou2_dn, ou3_dn)
- except LdbError, (num, _):
- self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
- else:
- # This rename operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
- self.fail()
- sid = self.get_object_sid(self.get_user_dn(self.regular_user))
- mod = "(A;;WP;bf9679f0-0de6-11d0-a285-00aa003049e2;;%s)" % str(sid)
- self.dacl_add_ace(ou2_dn, mod)
- self.ldb_user.rename(ou2_dn, ou3_dn)
- res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s)" % ou2_dn)
- self.assertEqual(res, [])
- res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s)" % ou3_dn)
- self.assertNotEqual(res, [])
-
-# Important unit running information
-
-if not "://" in host:
- host = "ldap://%s" % host
-ldb = SamDB(host, credentials=creds, session_info=system_session(), lp=lp)
-
-runner = SubunitTestRunner()
-rc = 0
-if not runner.run(unittest.makeSuite(AclAddTests)).wasSuccessful():
- rc = 1
-if not runner.run(unittest.makeSuite(AclModifyTests)).wasSuccessful():
- rc = 1
-if not runner.run(unittest.makeSuite(AclDeleteTests)).wasSuccessful():
- rc = 1
-if not runner.run(unittest.makeSuite(AclRenameTests)).wasSuccessful():
- rc = 1
-sys.exit(rc)
diff --git a/source4/lib/ldb/tests/python/deletetest.py b/source4/lib/ldb/tests/python/deletetest.py
deleted file mode 100755
index aa93104c04..0000000000
--- a/source4/lib/ldb/tests/python/deletetest.py
+++ /dev/null
@@ -1,201 +0,0 @@
-#!/usr/bin/env python
-# -*- coding: utf-8 -*-
-
-import optparse
-import sys
-import os
-
-sys.path.append("bin/python")
-import samba
-samba.ensure_external_module("subunit", "subunit/python")
-samba.ensure_external_module("testtools", "testtools")
-
-import samba.getopt as options
-
-from samba.auth import system_session
-from ldb import SCOPE_BASE, LdbError
-from ldb import ERR_NO_SUCH_OBJECT
-from samba import Ldb
-
-from subunit.run import SubunitTestRunner
-import unittest
-
-parser = optparse.OptionParser("deletetest.py [options] <host|file>")
-sambaopts = options.SambaOptions(parser)
-parser.add_option_group(sambaopts)
-parser.add_option_group(options.VersionOptions(parser))
-# use command line creds if available
-credopts = options.CredentialsOptions(parser)
-parser.add_option_group(credopts)
-opts, args = parser.parse_args()
-
-if len(args) < 1:
- parser.print_usage()
- sys.exit(1)
-
-host = args[0]
-
-lp = sambaopts.get_loadparm()
-creds = credopts.get_credentials(lp)
-
-class BasicDeleteTests(unittest.TestCase):
-
- def delete_force(self, ldb, dn):
- try:
- ldb.delete(dn)
- except LdbError, (num, _):
- self.assertEquals(num, ERR_NO_SUCH_OBJECT)
-
- def GUID_string(self, guid):
- return self.ldb.schema_format_value("objectGUID", guid)
-
- def find_basedn(self, ldb):
- res = ldb.search(base="", expression="", scope=SCOPE_BASE,
- attrs=["defaultNamingContext"])
- self.assertEquals(len(res), 1)
- return res[0]["defaultNamingContext"][0]
-
- def setUp(self):
- self.ldb = ldb
- self.base_dn = self.find_basedn(ldb)
-
- def search_guid(self,guid):
- print "SEARCH by GUID %s" % self.GUID_string(guid)
-
- expression = "(objectGUID=%s)" % self.GUID_string(guid)
- res = ldb.search(expression=expression,
- controls=["show_deleted:1"])
- self.assertEquals(len(res), 1)
- return res[0]
-
- def search_dn(self,dn):
- print "SEARCH by DN %s" % dn
-
- res = ldb.search(expression="(objectClass=*)",
- base=dn,
- scope=SCOPE_BASE,
- controls=["show_deleted:1"])
- self.assertEquals(len(res), 1)
- return res[0]
-
- def del_attr_values(self, delObj):
- print "Checking attributes for %s" % delObj["dn"]
-
- self.assertEquals(delObj["isDeleted"][0],"TRUE")
- self.assertTrue(not("objectCategory" in delObj))
- self.assertTrue(not("sAMAccountType" in delObj))
-
- def preserved_attributes_list(self, liveObj, delObj):
- print "Checking for preserved attributes list"
-
- preserved_list = ["nTSecurityDescriptor", "attributeID", "attributeSyntax", "dNReferenceUpdate", "dNSHostName",
- "flatName", "governsID", "groupType", "instanceType", "lDAPDisplayName", "legacyExchangeDN",
- "isDeleted", "isRecycled", "lastKnownParent", "msDS-LastKnownRDN", "mS-DS-CreatorSID",
- "mSMQOwnerID", "nCName", "objectClass", "distinguishedName", "objectGUID", "objectSid",
- "oMSyntax", "proxiedObjectName", "name", "replPropertyMetaData", "sAMAccountName",
- "securityIdentifier", "sIDHistory", "subClassOf", "systemFlags", "trustPartner", "trustDirection",
- "trustType", "trustAttributes", "userAccountControl", "uSNChanged", "uSNCreated", "whenCreated"]
-
- for a in liveObj:
- if a in preserved_list:
- self.assertTrue(a in delObj)
-
- def check_rdn(self, liveObj, delObj, rdnName):
- print "Checking for correct rDN"
- rdn=liveObj[rdnName][0]
- rdn2=delObj[rdnName][0]
- name2=delObj[rdnName][0]
- guid=liveObj["objectGUID"][0]
- self.assertEquals(rdn2, rdn + "\nDEL:" + self.GUID_string(guid))
- self.assertEquals(name2, rdn + "\nDEL:" + self.GUID_string(guid))
-
- def delete_deleted(self, ldb, dn):
- print "Testing the deletion of the already deleted dn %s" % dn
-
- try:
- ldb.delete(dn)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_NO_SUCH_OBJECT)
-
- def test_all(self):
- """Basic delete tests"""
-
- print self.base_dn
-
- dn1="cn=testuser,cn=users," + self.base_dn
- dn2="cn=testuser2,cn=users," + self.base_dn
- grp1="cn=testdelgroup1,cn=users," + self.base_dn
-
- self.delete_force(self.ldb, dn1)
- self.delete_force(self.ldb, dn2)
- self.delete_force(self.ldb, grp1)
-
- ldb.add({
- "dn": dn1,
- "objectclass": "user",
- "cn": "testuser",
- "description": "test user description",
- "samaccountname": "testuser"})
-
- ldb.add({
- "dn": dn2,
- "objectclass": "user",
- "cn": "testuser2",
- "description": "test user 2 description",
- "samaccountname": "testuser2"})
-
- ldb.add({
- "dn": grp1,
- "objectclass": "group",
- "cn": "testdelgroup1",
- "description": "test group",
- "samaccountname": "testdelgroup1",
- "member": [ dn1, dn2 ] })
-
- objLive1 = self.search_dn(dn1)
- guid1=objLive1["objectGUID"][0]
-
- objLive2 = self.search_dn(dn2)
- guid2=objLive2["objectGUID"][0]
-
- objLive3 = self.search_dn(grp1)
- guid3=objLive3["objectGUID"][0]
-
- ldb.delete(dn1)
- ldb.delete(dn2)
- ldb.delete(grp1)
-
- objDeleted1 = self.search_guid(guid1)
- objDeleted2 = self.search_guid(guid2)
- objDeleted3 = self.search_guid(guid3)
-
- self.del_attr_values(objDeleted1)
- self.del_attr_values(objDeleted2)
- self.del_attr_values(objDeleted3)
-
- self.preserved_attributes_list(objLive1, objDeleted1)
- self.preserved_attributes_list(objLive2, objDeleted2)
-
- self.check_rdn(objLive1, objDeleted1, "cn")
- self.check_rdn(objLive2, objDeleted2, "cn")
- self.check_rdn(objLive3, objDeleted3, "cn")
-
- self.delete_deleted(ldb, dn1)
- self.delete_deleted(ldb, dn2)
- self.delete_deleted(ldb, grp1)
-
-if not "://" in host:
- if os.path.isfile(host):
- host = "tdb://%s" % host
- else:
- host = "ldap://%s" % host
-
-ldb = Ldb(host, credentials=creds, session_info=system_session(), lp=lp)
-
-runner = SubunitTestRunner()
-rc = 0
-if not runner.run(unittest.makeSuite(BasicDeleteTests)).wasSuccessful():
- rc = 1
-
-sys.exit(rc)
diff --git a/source4/lib/ldb/tests/python/dsdb_schema_info.py b/source4/lib/ldb/tests/python/dsdb_schema_info.py
deleted file mode 100755
index ff3c7f9b98..0000000000
--- a/source4/lib/ldb/tests/python/dsdb_schema_info.py
+++ /dev/null
@@ -1,213 +0,0 @@
-#!/usr/bin/env python
-# -*- coding: utf-8 -*-
-#
-# Unix SMB/CIFS implementation.
-# Copyright (C) Kamen Mazdrashki <kamenim@samba.org> 2010
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-#
-
-#
-# Usage:
-# export DC_SERVER=target_dc_or_local_samdb_url
-# export SUBUNITRUN=$samba4srcdir/scripting/bin/subunitrun
-# PYTHONPATH="$PYTHONPATH:$samba4srcdir/lib/ldb/tests/python" $SUBUNITRUN dsdb_schema_info -U"$DOMAIN/$DC_USERNAME"%"$DC_PASSWORD"
-#
-
-import sys
-import time
-import random
-import os
-
-sys.path.append("bin/python")
-import samba
-samba.ensure_external_module("subunit", "subunit/python")
-samba.ensure_external_module("testtools", "testtools")
-
-from samba.auth import system_session
-from ldb import SCOPE_BASE, LdbError
-from samba.samdb import SamDB
-
-import samba.tests
-import samba.dcerpc.drsuapi
-from samba.dcerpc.drsblobs import schemaInfoBlob
-from samba.ndr import ndr_unpack
-from samba.dcerpc.misc import GUID
-
-
-class SchemaInfoTestCase(samba.tests.TestCase):
-
- def setUp(self):
- super(SchemaInfoTestCase, self).setUp()
-
- # fetch rootDSE
- self.ldb = ldb
- res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"])
- self.assertEquals(len(res), 1)
- self.schema_dn = res[0]["schemaNamingContext"][0]
- self.base_dn = res[0]["defaultNamingContext"][0]
- self.forest_level = int(res[0]["forestFunctionality"][0])
-
- # get DC invocation_id
- self.invocation_id = GUID(ldb.get_invocation_id())
-
- def tearDown(self):
- super(SchemaInfoTestCase, self).tearDown()
-
- def _getSchemaInfo(self):
- try:
- schema_info_data = ldb.searchone(attribute="schemaInfo",
- basedn=self.schema_dn,
- expression="(objectClass=*)",
- scope=SCOPE_BASE)
- self.assertEqual(len(schema_info_data), 21)
- schema_info = ndr_unpack(schemaInfoBlob, schema_info_data)
- self.assertEqual(schema_info.marker, 0xFF)
- except KeyError:
- # create default schemaInfo if
- # attribute value is not created yet
- schema_info = schemaInfoBlob()
- schema_info.revision = 0
- schema_info.invocation_id = self.invocation_id
- return schema_info
-
- def _checkSchemaInfo(self, schi_before, schi_after):
- self.assertEqual(schi_before.revision + 1, schi_after.revision)
- self.assertEqual(schi_before.invocation_id, schi_after.invocation_id)
- self.assertEqual(schi_after.invocation_id, self.invocation_id)
-
- def _ldap_schemaUpdateNow(self):
- ldif = """
-dn:
-changetype: modify
-add: schemaUpdateNow
-schemaUpdateNow: 1
-"""
- self.ldb.modify_ldif(ldif)
-
- def _make_obj_names(self, prefix):
- obj_name = prefix + time.strftime("%s", time.gmtime())
- obj_ldap_name = obj_name.replace("-", "")
- obj_dn = "CN=%s,%s" % (obj_name, self.schema_dn)
- return (obj_name, obj_ldap_name, obj_dn)
-
- def _make_attr_ldif(self, attr_name, attr_dn):
- ldif = """
-dn: """ + attr_dn + """
-objectClass: top
-objectClass: attributeSchema
-adminDescription: """ + attr_name + """
-adminDisplayName: """ + attr_name + """
-cn: """ + attr_name + """
-attributeId: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9940
-attributeSyntax: 2.5.5.12
-omSyntax: 64
-instanceType: 4
-isSingleValued: TRUE
-systemOnly: FALSE
-"""
- return ldif
-
- def test_AddModifyAttribute(self):
- # get initial schemaInfo
- schi_before = self._getSchemaInfo()
-
- # create names for an attribute to add
- (attr_name, attr_ldap_name, attr_dn) = self._make_obj_names("schemaInfo-Attr-")
- ldif = self._make_attr_ldif(attr_name, attr_dn)
-
- # add the new attribute
- self.ldb.add_ldif(ldif)
- self._ldap_schemaUpdateNow()
- # compare resulting schemaInfo
- schi_after = self._getSchemaInfo()
- self._checkSchemaInfo(schi_before, schi_after)
-
- # rename the Attribute
- attr_dn_new = attr_dn.replace(attr_name, attr_name + "-NEW")
- try:
- self.ldb.rename(attr_dn, attr_dn_new)
- except LdbError, (num, _):
- self.fail("failed to change lDAPDisplayName for %s: %s" % (attr_name, _))
-
- # compare resulting schemaInfo
- schi_after = self._getSchemaInfo()
- self._checkSchemaInfo(schi_before, schi_after)
- pass
-
-
- def _make_class_ldif(self, class_name, class_dn):
- ldif = """
-dn: """ + class_dn + """
-objectClass: top
-objectClass: classSchema
-adminDescription: """ + class_name + """
-adminDisplayName: """ + class_name + """
-cn: """ + class_name + """
-governsId: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939
-instanceType: 4
-objectClassCategory: 1
-subClassOf: organizationalPerson
-rDNAttID: cn
-systemMustContain: cn
-systemOnly: FALSE
-"""
- return ldif
-
- def test_AddModifyClass(self):
- # get initial schemaInfo
- schi_before = self._getSchemaInfo()
-
- # create names for a Class to add
- (class_name, class_ldap_name, class_dn) = self._make_obj_names("schemaInfo-Class-")
- ldif = self._make_class_ldif(class_name, class_dn)
-
- # add the new Class
- self.ldb.add_ldif(ldif)
- self._ldap_schemaUpdateNow()
- # compare resulting schemaInfo
- schi_after = self._getSchemaInfo()
- self._checkSchemaInfo(schi_before, schi_after)
-
- # rename the Class
- class_dn_new = class_dn.replace(class_name, class_name + "-NEW")
- try:
- self.ldb.rename(class_dn, class_dn_new)
- except LdbError, (num, _):
- self.fail("failed to change lDAPDisplayName for %s: %s" % (class_name, _))
-
- # compare resulting schemaInfo
- schi_after = self._getSchemaInfo()
- self._checkSchemaInfo(schi_before, schi_after)
-
-
-########################################################################################
-if not "DC_SERVER" in os.environ.keys():
- raise AssertionError("Please supply TARGET_DC in environment")
-ldb_url = os.environ["DC_SERVER"]
-
-ldb_options = []
-if not "://" in ldb_url:
- if os.path.isfile(ldb_url):
- ldb_url = "tdb://%s" % ldb_url
- else:
- ldb_url = "ldap://%s" % ldb_url
- # user 'paged_search' module when connecting remotely
- ldb_options = ["modules:paged_searches"]
-
-ldb = SamDB(url=ldb_url,
- lp=samba.tests.env_loadparm(),
- session_info=system_session(),
- credentials=samba.tests.cmdline_credentials,
- options=ldb_options)
diff --git a/source4/lib/ldb/tests/python/ldap.py b/source4/lib/ldb/tests/python/ldap.py
deleted file mode 100755
index de8e89b7f8..0000000000
--- a/source4/lib/ldb/tests/python/ldap.py
+++ /dev/null
@@ -1,2688 +0,0 @@
-#!/usr/bin/env python
-# -*- coding: utf-8 -*-
-# This is a port of the original in testprogs/ejs/ldap.js
-
-import optparse
-import sys
-import time
-import base64
-import os
-
-sys.path.append("bin/python")
-import samba
-samba.ensure_external_module("subunit", "subunit/python")
-samba.ensure_external_module("testtools", "testtools")
-
-import samba.getopt as options
-
-from samba.auth import system_session
-from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError
-from ldb import ERR_NO_SUCH_OBJECT, ERR_ATTRIBUTE_OR_VALUE_EXISTS
-from ldb import ERR_ENTRY_ALREADY_EXISTS, ERR_UNWILLING_TO_PERFORM
-from ldb import ERR_NOT_ALLOWED_ON_NON_LEAF, ERR_OTHER, ERR_INVALID_DN_SYNTAX
-from ldb import ERR_NO_SUCH_ATTRIBUTE
-from ldb import ERR_OBJECT_CLASS_VIOLATION, ERR_NOT_ALLOWED_ON_RDN
-from ldb import ERR_NAMING_VIOLATION, ERR_CONSTRAINT_VIOLATION
-from ldb import ERR_UNDEFINED_ATTRIBUTE_TYPE
-from ldb import Message, MessageElement, Dn
-from ldb import FLAG_MOD_ADD, FLAG_MOD_REPLACE, FLAG_MOD_DELETE
-from samba import Ldb
-from samba.dsdb import (UF_NORMAL_ACCOUNT, UF_WORKSTATION_TRUST_ACCOUNT,
- UF_PASSWD_NOTREQD, UF_ACCOUNTDISABLE, ATYPE_NORMAL_ACCOUNT,
- ATYPE_WORKSTATION_TRUST)
-
-from subunit.run import SubunitTestRunner
-import unittest
-
-from samba.ndr import ndr_pack, ndr_unpack
-from samba.dcerpc import security
-
-parser = optparse.OptionParser("ldap [options] <host>")
-sambaopts = options.SambaOptions(parser)
-parser.add_option_group(sambaopts)
-parser.add_option_group(options.VersionOptions(parser))
-# use command line creds if available
-credopts = options.CredentialsOptions(parser)
-parser.add_option_group(credopts)
-opts, args = parser.parse_args()
-
-if len(args) < 1:
- parser.print_usage()
- sys.exit(1)
-
-host = args[0]
-
-lp = sambaopts.get_loadparm()
-creds = credopts.get_credentials(lp)
-
-class BasicTests(unittest.TestCase):
-
- def delete_force(self, ldb, dn):
- try:
- ldb.delete(dn)
- except LdbError, (num, _):
- self.assertEquals(num, ERR_NO_SUCH_OBJECT)
-
- def find_basedn(self, ldb):
- res = ldb.search(base="", expression="", scope=SCOPE_BASE,
- attrs=["defaultNamingContext"])
- self.assertEquals(len(res), 1)
- return res[0]["defaultNamingContext"][0]
-
- def find_configurationdn(self, ldb):
- res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["configurationNamingContext"])
- self.assertEquals(len(res), 1)
- return res[0]["configurationNamingContext"][0]
-
- def find_schemadn(self, ldb):
- res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["schemaNamingContext"])
- self.assertEquals(len(res), 1)
- return res[0]["schemaNamingContext"][0]
-
- def find_domain_sid(self):
- res = self.ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_BASE)
- return ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
-
- def setUp(self):
- super(BasicTests, self).setUp()
- self.ldb = ldb
- self.gc_ldb = gc_ldb
- self.base_dn = self.find_basedn(ldb)
- self.configuration_dn = self.find_configurationdn(ldb)
- self.schema_dn = self.find_schemadn(ldb)
- self.domain_sid = self.find_domain_sid()
-
- print "baseDN: %s\n" % self.base_dn
-
- self.delete_force(self.ldb, "cn=posixuser,cn=users," + self.base_dn)
- self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- self.delete_force(self.ldb, "cn=ldaptestuser2,cn=users," + self.base_dn)
- self.delete_force(self.ldb, "cn=ldaptestuser3,cn=users," + self.base_dn)
- self.delete_force(self.ldb, "cn=ldaptestuser4,cn=ldaptestcontainer," + self.base_dn)
- self.delete_force(self.ldb, "cn=ldaptestuser4,cn=ldaptestcontainer2," + self.base_dn)
- self.delete_force(self.ldb, "cn=ldaptestuser5,cn=users," + self.base_dn)
- self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
- self.delete_force(self.ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
- self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
- self.delete_force(self.ldb, "cn=ldaptest2computer,cn=computers," + self.base_dn)
- self.delete_force(self.ldb, "cn=ldaptestcomputer3,cn=computers," + self.base_dn)
- self.delete_force(self.ldb, "cn=ldaptestutf8user èùéìòà,cn=users," + self.base_dn)
- self.delete_force(self.ldb, "cn=ldaptestutf8user2 èùéìòà,cn=users," + self.base_dn)
- self.delete_force(self.ldb, "cn=entry1,cn=ldaptestcontainer," + self.base_dn)
- self.delete_force(self.ldb, "cn=entry2,cn=ldaptestcontainer," + self.base_dn)
- self.delete_force(self.ldb, "cn=ldaptestcontainer," + self.base_dn)
- self.delete_force(self.ldb, "cn=ldaptestcontainer2," + self.base_dn)
- self.delete_force(self.ldb, "cn=parentguidtest,cn=users," + self.base_dn)
- self.delete_force(self.ldb, "cn=parentguidtest,cn=testotherusers," + self.base_dn)
- self.delete_force(self.ldb, "cn=testotherusers," + self.base_dn)
- self.delete_force(self.ldb, "cn=ldaptestobject," + self.base_dn)
- self.delete_force(self.ldb, "description=xyz,cn=users," + self.base_dn)
- self.delete_force(self.ldb, "ou=testou,cn=users," + self.base_dn)
-
- def test_objectclasses(self):
- """Test objectClass behaviour"""
- print "Test objectClass behaviour"""
-
- # Invalid objectclass specified
- try:
- self.ldb.add({
- "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
- "objectClass": "X" })
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE)
-
- # We cannot instanciate from an abstract objectclass
- try:
- self.ldb.add({
- "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
- "objectClass": "connectionPoint" })
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
- self.ldb.add({
- "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
- "objectClass": "person" })
-
- # We can remove derivation classes of the structural objectclass
- # but they're going to be readded afterwards
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- m["objectClass"] = MessageElement("top", FLAG_MOD_DELETE,
- "objectClass")
- ldb.modify(m)
-
- res = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
- scope=SCOPE_BASE, attrs=["objectClass"])
- self.assertTrue(len(res) == 1)
- self.assertTrue("top" in res[0]["objectClass"])
-
- # The top-most structural class cannot be deleted since there are
- # attributes of it in use
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- m["objectClass"] = MessageElement("person", FLAG_MOD_DELETE,
- "objectClass")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
-
- # We cannot delete classes which weren't specified
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- m["objectClass"] = MessageElement("computer", FLAG_MOD_DELETE,
- "objectClass")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE)
-
- # An invalid class cannot be added
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- m["objectClass"] = MessageElement("X", FLAG_MOD_ADD,
- "objectClass")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE)
-
- # The top-most structural class cannot be changed by adding another
- # structural one
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- m["objectClass"] = MessageElement("user", FLAG_MOD_ADD,
- "objectClass")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
-
- # An already specified objectclass cannot be added another time
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- m["objectClass"] = MessageElement("person", FLAG_MOD_ADD,
- "objectClass")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
-
- # Auxiliary classes can always be added
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- m["objectClass"] = MessageElement("bootableDevice", FLAG_MOD_ADD,
- "objectClass")
- ldb.modify(m)
-
- # It's only possible to replace with the same objectclass combination.
- # So the replace action on "objectClass" attributes is really useless.
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- m["objectClass"] = MessageElement(["top", "person", "bootableDevice"],
- FLAG_MOD_REPLACE, "objectClass")
- ldb.modify(m)
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- m["objectClass"] = MessageElement(["person", "bootableDevice"],
- FLAG_MOD_REPLACE, "objectClass")
- ldb.modify(m)
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- m["objectClass"] = MessageElement(["top", "person", "bootableDevice",
- "connectionPoint"], FLAG_MOD_REPLACE, "objectClass")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- m["objectClass"] = MessageElement(["top", "computer"], FLAG_MOD_REPLACE,
- "objectClass")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
-
- # Classes can be removed unless attributes of them are used.
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- m["objectClass"] = MessageElement("bootableDevice", FLAG_MOD_DELETE,
- "objectClass")
- ldb.modify(m)
-
- res = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
- scope=SCOPE_BASE, attrs=["objectClass"])
- self.assertTrue(len(res) == 1)
- self.assertFalse("bootableDevice" in res[0]["objectClass"])
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- m["objectClass"] = MessageElement("bootableDevice", FLAG_MOD_ADD,
- "objectClass")
- ldb.modify(m)
-
- # Add an attribute specific to the "bootableDevice" class
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- m["bootParameter"] = MessageElement("test", FLAG_MOD_ADD,
- "bootParameter")
- ldb.modify(m)
-
- # Classes can be removed unless attributes of them are used. Now there
- # exist such attributes on the entry.
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- m["objectClass"] = MessageElement("bootableDevice", FLAG_MOD_DELETE,
- "objectClass")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
-
- # Remove the previously specified attribute
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- m["bootParameter"] = MessageElement("test", FLAG_MOD_DELETE,
- "bootParameter")
- ldb.modify(m)
-
- # Classes can be removed unless attributes of them are used.
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- m["objectClass"] = MessageElement("bootableDevice", FLAG_MOD_DELETE,
- "objectClass")
- ldb.modify(m)
-
- self.delete_force(self.ldb, "cn=ldaptestuser2,cn=users," + self.base_dn)
-
- def test_system_only(self):
- """Test systemOnly objects"""
- print "Test systemOnly objects"""
-
- try:
- self.ldb.add({
- "dn": "cn=ldaptestobject," + self.base_dn,
- "objectclass": "configuration"})
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
- self.delete_force(self.ldb, "cn=ldaptestobject," + self.base_dn)
-
- def test_invalid_parent(self):
- """Test adding an object with invalid parent"""
- print "Test adding an object with invalid parent"""
-
- try:
- self.ldb.add({
- "dn": "cn=ldaptestgroup,cn=thisdoesnotexist123,"
- + self.base_dn,
- "objectclass": "group"})
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_NO_SUCH_OBJECT)
-
- self.delete_force(self.ldb, "cn=ldaptestgroup,cn=thisdoesnotexist123,"
- + self.base_dn)
-
- try:
- self.ldb.add({
- "dn": "ou=testou,cn=users," + self.base_dn,
- "objectclass": "organizationalUnit"})
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_NAMING_VIOLATION)
-
- self.delete_force(self.ldb, "ou=testou,cn=users," + self.base_dn)
-
- def test_invalid_attribute(self):
- """Test invalid attributes on schema/objectclasses"""
- print "Test invalid attributes on schema/objectclasses"""
-
- # attributes not in schema test
-
- # add operation
-
- try:
- self.ldb.add({
- "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
- "objectclass": "group",
- "thisdoesnotexist": "x"})
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE)
-
- self.ldb.add({
- "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
- "objectclass": "group"})
-
- # modify operation
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
- m["thisdoesnotexist"] = MessageElement("x", FLAG_MOD_REPLACE,
- "thisdoesnotexist")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE)
-
- self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
-
- # attributes not in objectclasses and mandatory attributes missing test
- # Use here a non-SAM entry since it doesn't have special triggers
- # associated which have an impact on the error results.
-
- # add operations
-
- # mandatory attribute missing
- try:
- self.ldb.add({
- "dn": "cn=ldaptestobject," + self.base_dn,
- "objectclass": "ipProtocol"})
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
-
- # inadequate but schema-valid attribute specified
- try:
- self.ldb.add({
- "dn": "cn=ldaptestobject," + self.base_dn,
- "objectclass": "ipProtocol",
- "ipProtocolNumber": "1",
- "uid" : "0"})
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
-
- self.ldb.add({
- "dn": "cn=ldaptestobject," + self.base_dn,
- "objectclass": "ipProtocol",
- "ipProtocolNumber": "1"})
-
- # modify operations
-
- # inadequate but schema-valid attribute add trial
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestobject," + self.base_dn)
- m["uid"] = MessageElement("0", FLAG_MOD_ADD, "uid")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
-
- # mandatory attribute delete trial
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestobject," + self.base_dn)
- m["ipProtocolNumber"] = MessageElement([], FLAG_MOD_DELETE,
- "ipProtocolNumber")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
-
- # mandatory attribute delete trial
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestobject," + self.base_dn)
- m["ipProtocolNumber"] = MessageElement([], FLAG_MOD_REPLACE,
- "ipProtocolNumber")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
-
- self.delete_force(self.ldb, "cn=ldaptestobject," + self.base_dn)
-
- def test_single_valued_attributes(self):
- """Test single-valued attributes"""
- print "Test single-valued attributes"""
-
- try:
- self.ldb.add({
- "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
- "objectclass": "group",
- "sAMAccountName": ["nam1", "nam2"]})
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
-
- self.ldb.add({
- "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
- "objectclass": "group"})
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
- m["sAMAccountName"] = MessageElement(["nam1","nam2"], FLAG_MOD_REPLACE,
- "sAMAccountName")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
- m["sAMAccountName"] = MessageElement("testgroupXX", FLAG_MOD_REPLACE,
- "sAMAccountName")
- ldb.modify(m)
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
- m["sAMAccountName"] = MessageElement("testgroupXX2", FLAG_MOD_ADD,
- "sAMAccountName")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
-
- self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
-
- def test_multi_valued_attributes(self):
- """Test multi-valued attributes"""
- print "Test multi-valued attributes"""
-
-# TODO: In this test I added some special tests where I got very unusual
-# results back from a real AD. s4 doesn't match them and I've no idea how to
-# implement those error cases (maybe there exists a special trigger for
-# "description" attributes which handle them)
-
- self.ldb.add({
- "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
- "description": "desc2",
- "objectclass": "group",
- "description": "desc1"})
-
- self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
-
- self.ldb.add({
- "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
- "objectclass": "group",
- "description": ["desc1", "desc2"]})
-
-# m = Message()
-# m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
-# m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_REPLACE,
-# "description")
-# try:
-# ldb.modify(m)
-# self.fail()
-# except LdbError, (num, _):
-# self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
- m["description"] = MessageElement("desc1", FLAG_MOD_REPLACE,
- "description")
- ldb.modify(m)
-
-# m = Message()
-# m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
-# m["description"] = MessageElement("desc3", FLAG_MOD_ADD,
-# "description")
-# try:
-# ldb.modify(m)
-# self.fail()
-# except LdbError, (num, _):
-# self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
- m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_DELETE,
- "description")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE)
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
- m["description"] = MessageElement("desc1", FLAG_MOD_DELETE,
- "description")
- ldb.modify(m)
-
-# m = Message()
-# m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
-# m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_REPLACE,
-# "description")
-# try:
-# ldb.modify(m)
-# self.fail()
-# except LdbError, (num, _):
-# self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
-
-# m = Message()
-# m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
-# m["description"] = MessageElement(["desc3", "desc4"], FLAG_MOD_ADD,
-# "description")
-# try:
-# ldb.modify(m)
-# self.fail()
-# except LdbError, (num, _):
-# self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
- m["description"] = MessageElement("desc3", FLAG_MOD_ADD,
- "description")
- ldb.modify(m)
-
- self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
-
- def test_empty_messages(self):
- """Test empty messages"""
- print "Test empty messages"""
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
-
- try:
- ldb.add(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
-
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
- self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
-
- def test_empty_attributes(self):
- """Test empty attributes"""
- print "Test empty attributes"""
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
- m["objectClass"] = MessageElement("group", FLAG_MOD_ADD, "objectClass")
- m["description"] = MessageElement([], FLAG_MOD_ADD, "description")
-
- try:
- ldb.add(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
-
- self.ldb.add({
- "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
- "objectclass": "group"})
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
- m["description"] = MessageElement([], FLAG_MOD_ADD, "description")
-
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
- m["description"] = MessageElement([], FLAG_MOD_REPLACE, "description")
- ldb.modify(m)
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
- m["description"] = MessageElement([], FLAG_MOD_DELETE, "description")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE)
-
- self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
-
- def test_instanceType(self):
- """Tests the 'instanceType' attribute"""
- print "Tests the 'instanceType' attribute"""
-
- try:
- self.ldb.add({
- "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
- "objectclass": "group",
- "instanceType": ["0", "1"]})
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
- self.ldb.add({
- "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
- "objectclass": "group"})
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
- m["instanceType"] = MessageElement("0", FLAG_MOD_REPLACE,
- "instanceType")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
- m["instanceType"] = MessageElement([], FLAG_MOD_REPLACE,
- "instanceType")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
- m["instanceType"] = MessageElement([], FLAG_MOD_DELETE, "instanceType")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
-
- self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
-
- def test_distinguished_name(self):
- """Tests the 'distinguishedName' attribute"""
- print "Tests the 'distinguishedName' attribute"""
-
- # a wrong "distinguishedName" attribute is obviously tolerated
- self.ldb.add({
- "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
- "objectclass": "group",
- "distinguishedName": "cn=ldaptest,cn=users," + self.base_dn})
-
- # proof if the DN has been set correctly
- res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
- scope=SCOPE_BASE, attrs=["distinguishedName"])
- self.assertTrue(len(res) == 1)
- self.assertTrue("distinguishedName" in res[0])
- self.assertTrue(Dn(ldb, res[0]["distinguishedName"][0])
- == Dn(ldb, "cn=ldaptestgroup, cn=users," + self.base_dn))
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
- m["distinguishedName"] = MessageElement(
- "cn=ldaptestuser,cn=users," + self.base_dn, FLAG_MOD_ADD,
- "distinguishedName")
-
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
- m["distinguishedName"] = MessageElement(
- "cn=ldaptestuser,cn=users," + self.base_dn, FLAG_MOD_REPLACE,
- "distinguishedName")
-
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
- m["distinguishedName"] = MessageElement(
- "cn=ldaptestuser,cn=users," + self.base_dn, FLAG_MOD_DELETE,
- "distinguishedName")
-
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
-
- self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
-
- def test_rdn_name(self):
- """Tests the RDN"""
- print "Tests the RDN"""
-
- try:
- self.ldb.add({
- "dn": "description=xyz,cn=users," + self.base_dn,
- "objectclass": "group"})
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_NAMING_VIOLATION)
-
- self.delete_force(self.ldb, "description=xyz,cn=users," + self.base_dn)
-
- # a wrong "name" attribute is obviously tolerated
- self.ldb.add({
- "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
- "objectclass": "group",
- "name": "ldaptestgroupx"})
-
- # proof if the name has been set correctly
- res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
- scope=SCOPE_BASE, attrs=["name"])
- self.assertTrue(len(res) == 1)
- self.assertTrue("name" in res[0])
- self.assertTrue(res[0]["name"][0] == "ldaptestgroup")
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
- m["name"] = MessageElement("cn=ldaptestuser", FLAG_MOD_REPLACE,
- "name")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_NOT_ALLOWED_ON_RDN)
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
- m["cn"] = MessageElement("ldaptestuser",
- FLAG_MOD_REPLACE, "cn")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_NOT_ALLOWED_ON_RDN)
-
- self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
-
-
- # this test needs to be disabled until we really understand
- # what the rDN length constraints are
- def DISABLED_test_largeRDN(self):
- """Testing large rDN (limit 64 characters)"""
- rdn = "CN=a012345678901234567890123456789012345678901234567890123456789012";
- self.delete_force(self.ldb, "%s,%s" % (rdn, self.base_dn))
- ldif = """
-dn: %s,%s""" % (rdn,self.base_dn) + """
-objectClass: container
-"""
- self.ldb.add_ldif(ldif)
- self.delete_force(self.ldb, "%s,%s" % (rdn, self.base_dn))
-
- rdn = "CN=a0123456789012345678901234567890123456789012345678901234567890120";
- self.delete_force(self.ldb, "%s,%s" % (rdn, self.base_dn))
- try:
- ldif = """
-dn: %s,%s""" % (rdn,self.base_dn) + """
-objectClass: container
-"""
- self.ldb.add_ldif(ldif)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
- self.delete_force(self.ldb, "%s,%s" % (rdn, self.base_dn))
-
- def test_rename(self):
- """Tests the rename operation"""
- print "Tests the rename operations"""
-
- try:
- # cannot rename to be a child of itself
- ldb.rename(self.base_dn, "dc=test," + self.base_dn)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
- try:
- # inexistent object
- ldb.rename("cn=ldaptestuser2,cn=users," + self.base_dn, "cn=ldaptestuser2,cn=users," + self.base_dn)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_NO_SUCH_OBJECT)
-
- self.ldb.add({
- "dn": "cn=ldaptestuser2,cn=users," + self.base_dn,
- "objectclass": ["user", "person"] })
-
- ldb.rename("cn=ldaptestuser2,cn=users," + self.base_dn, "cn=ldaptestuser2,cn=users," + self.base_dn)
- ldb.rename("cn=ldaptestuser2,cn=users," + self.base_dn, "cn=ldaptestuser3,cn=users," + self.base_dn)
- ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, "cn=ldaptestUSER3,cn=users," + self.base_dn)
-
- try:
- # containment problem: a user entry cannot contain user entries
- ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, "cn=ldaptestuser4,cn=ldaptestuser3,cn=users," + self.base_dn)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_NAMING_VIOLATION)
-
- try:
- # invalid parent
- ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, "cn=ldaptestuser3,cn=people,cn=users," + self.base_dn)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_OTHER)
-
- try:
- # invalid target DN syntax
- ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, ",cn=users," + self.base_dn)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_INVALID_DN_SYNTAX)
-
- try:
- # invalid RDN name
- ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, "ou=ldaptestuser3,cn=users," + self.base_dn)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
- self.delete_force(self.ldb, "cn=ldaptestuser3,cn=users," + self.base_dn)
-
- def test_rename_twice(self):
- """Tests the rename operation twice - this corresponds to a past bug"""
- print "Tests the rename twice operation"""
-
- self.ldb.add({
- "dn": "cn=ldaptestuser5,cn=users," + self.base_dn,
- "objectclass": ["user", "person"] })
-
- ldb.rename("cn=ldaptestuser5,cn=users," + self.base_dn, "cn=ldaptestUSER5,cn=users," + self.base_dn)
- self.delete_force(self.ldb, "cn=ldaptestuser5,cn=users," + self.base_dn)
- self.ldb.add({
- "dn": "cn=ldaptestuser5,cn=users," + self.base_dn,
- "objectclass": ["user", "person"] })
- ldb.rename("cn=ldaptestuser5,cn=Users," + self.base_dn, "cn=ldaptestUSER5,cn=users," + self.base_dn)
- res = ldb.search(expression="cn=ldaptestuser5")
- print "Found %u records" % len(res)
- self.assertEquals(len(res), 1, "Wrong number of hits for cn=ldaptestuser5")
- res = ldb.search(expression="(&(cn=ldaptestuser5)(objectclass=user))")
- print "Found %u records" % len(res)
- self.assertEquals(len(res), 1, "Wrong number of hits for (&(cn=ldaptestuser5)(objectclass=user))")
- self.delete_force(self.ldb, "cn=ldaptestuser5,cn=users," + self.base_dn)
-
- def test_parentGUID(self):
- """Test parentGUID behaviour"""
- print "Testing parentGUID behaviour\n"
-
- # TODO: This seems to fail on Windows Server. Hidden attribute?
-
- self.ldb.add({
- "dn": "cn=parentguidtest,cn=users," + self.base_dn,
- "objectclass":"user",
- "samaccountname":"parentguidtest"});
- res1 = ldb.search(base="cn=parentguidtest,cn=users," + self.base_dn, scope=SCOPE_BASE,
- attrs=["parentGUID", "samaccountname"]);
- res2 = ldb.search(base="cn=users," + self.base_dn,scope=SCOPE_BASE,
- attrs=["objectGUID"]);
- res3 = ldb.search(base=self.base_dn, scope=SCOPE_BASE,
- attrs=["parentGUID"]);
-
- """Check if the parentGUID is valid """
- self.assertEquals(res1[0]["parentGUID"], res2[0]["objectGUID"]);
-
- """Check if it returns nothing when there is no parent object"""
- has_parentGUID = False
- for key in res3[0].keys():
- if key == "parentGUID":
- has_parentGUID = True
- break
- self.assertFalse(has_parentGUID);
-
- """Ensures that if you look for another object attribute after the constructed
- parentGUID, it will return correctly"""
- has_another_attribute = False
- for key in res1[0].keys():
- if key == "sAMAccountName":
- has_another_attribute = True
- break
- self.assertTrue(has_another_attribute)
- self.assertTrue(len(res1[0]["samaccountname"]) == 1)
- self.assertEquals(res1[0]["samaccountname"][0], "parentguidtest");
-
- print "Testing parentGUID behaviour on rename\n"
-
- self.ldb.add({
- "dn": "cn=testotherusers," + self.base_dn,
- "objectclass":"container"});
- res1 = ldb.search(base="cn=testotherusers," + self.base_dn,scope=SCOPE_BASE,
- attrs=["objectGUID"]);
- ldb.rename("cn=parentguidtest,cn=users," + self.base_dn,
- "cn=parentguidtest,cn=testotherusers," + self.base_dn);
- res2 = ldb.search(base="cn=parentguidtest,cn=testotherusers," + self.base_dn,
- scope=SCOPE_BASE,
- attrs=["parentGUID"]);
- self.assertEquals(res1[0]["objectGUID"], res2[0]["parentGUID"]);
-
- self.delete_force(self.ldb, "cn=parentguidtest,cn=testotherusers," + self.base_dn)
- self.delete_force(self.ldb, "cn=testotherusers," + self.base_dn)
-
- def test_groupType_int32(self):
- """Test groupType (int32) behaviour (should appear to be casted to a 32 bit signed integer before comparsion)"""
- print "Testing groupType (int32) behaviour\n"
-
- res1 = ldb.search(base=self.base_dn, scope=SCOPE_SUBTREE,
- attrs=["groupType"], expression="groupType=2147483653");
-
- res2 = ldb.search(base=self.base_dn, scope=SCOPE_SUBTREE,
- attrs=["groupType"], expression="groupType=-2147483643");
-
- self.assertEquals(len(res1), len(res2))
-
- self.assertTrue(res1.count > 0)
-
- self.assertEquals(res1[0]["groupType"][0], "-2147483643")
-
- def test_linked_attributes(self):
- """This tests the linked attribute behaviour"""
- print "Testing linked attribute behaviour\n"
-
- ldb.add({
- "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
- "objectclass": "group"})
-
- # This should not work since "memberOf" is linked to "member"
- try:
- ldb.add({
- "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
- "objectclass": ["user", "person"],
- "memberOf": "cn=ldaptestgroup,cn=users," + self.base_dn})
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
- ldb.add({
- "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
- "objectclass": ["user", "person"]})
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- m["memberOf"] = MessageElement("cn=ldaptestgroup,cn=users," + self.base_dn,
- FLAG_MOD_ADD, "memberOf")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
- m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
- FLAG_MOD_ADD, "member")
- ldb.modify(m)
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- m["memberOf"] = MessageElement("cn=ldaptestgroup,cn=users," + self.base_dn,
- FLAG_MOD_REPLACE, "memberOf")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- m["memberOf"] = MessageElement("cn=ldaptestgroup,cn=users," + self.base_dn,
- FLAG_MOD_DELETE, "memberOf")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
- m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
- FLAG_MOD_DELETE, "member")
- ldb.modify(m)
-
- # This should yield no results since the member attribute for
- # "ldaptestuser" should have been deleted
- res1 = ldb.search("cn=ldaptestgroup, cn=users," + self.base_dn,
- scope=SCOPE_BASE,
- expression="(member=cn=ldaptestuser,cn=users," + self.base_dn + ")",
- attrs=[])
- self.assertTrue(len(res1) == 0)
-
- self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
-
- ldb.add({
- "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
- "objectclass": "group",
- "member": "cn=ldaptestuser,cn=users," + self.base_dn})
-
- self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
-
- # Make sure that the "member" attribute for "ldaptestuser" has been
- # removed
- res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
- scope=SCOPE_BASE, attrs=["member"])
- self.assertTrue(len(res) == 1)
- self.assertFalse("member" in res[0])
-
- self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
-
- def test_groups(self):
- """This tests the group behaviour (setting, changing) of a user account"""
- print "Testing group behaviour\n"
-
- ldb.add({
- "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
- "objectclass": "group"})
-
- ldb.add({
- "dn": "cn=ldaptestgroup2,cn=users," + self.base_dn,
- "objectclass": "group"})
-
- res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
- scope=SCOPE_BASE, attrs=["objectSID"])
- self.assertTrue(len(res1) == 1)
- group_rid_1 = security.dom_sid(ldb.schema_format_value("objectSID",
- res1[0]["objectSID"][0])).split()[1]
-
- res1 = ldb.search("cn=ldaptestgroup2,cn=users," + self.base_dn,
- scope=SCOPE_BASE, attrs=["objectSID"])
- self.assertTrue(len(res1) == 1)
- group_rid_2 = security.dom_sid(ldb.schema_format_value("objectSID",
- res1[0]["objectSID"][0])).split()[1]
-
- # Try to create a user with an invalid primary group
- try:
- ldb.add({
- "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
- "objectclass": ["user", "person"],
- "primaryGroupID": "0"})
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
- self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
-
- # Try to Create a user with a valid primary group
-# TODO Some more investigation needed here
-# try:
-# ldb.add({
-# "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
-# "objectclass": ["user", "person"],
-# "primaryGroupID": str(group_rid_1)})
-# self.fail()
-# except LdbError, (num, _):
-# self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-# self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
-
- # Test to see how we should behave when the user account doesn't
- # exist
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- m["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE,
- "primaryGroupID")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_NO_SUCH_OBJECT)
-
- # Test to see how we should behave when the account isn't a user
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
- m["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE,
- "primaryGroupID")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
-
- ldb.add({
- "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
- "objectclass": ["user", "person"]})
-
- # We should be able to reset our actual primary group
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- m["primaryGroupID"] = MessageElement("513", FLAG_MOD_REPLACE,
- "primaryGroupID")
- ldb.modify(m)
-
- # Try to add invalid primary group
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- m["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE,
- "primaryGroupID")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
- # Try to make group 1 primary - should be denied since it is not yet
- # secondary
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- m["primaryGroupID"] = MessageElement(str(group_rid_1),
- FLAG_MOD_REPLACE, "primaryGroupID")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
- # Make group 1 secondary
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
- m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
- FLAG_MOD_REPLACE, "member")
- ldb.modify(m)
-
- # Make group 1 primary
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- m["primaryGroupID"] = MessageElement(str(group_rid_1),
- FLAG_MOD_REPLACE, "primaryGroupID")
- ldb.modify(m)
-
- # Try to delete group 1 - should be denied
- try:
- ldb.delete("cn=ldaptestgroup,cn=users," + self.base_dn)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
-
- # Try to add group 1 also as secondary - should be denied
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
- m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
- FLAG_MOD_ADD, "member")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
-
- # Try to add invalid member to group 1 - should be denied
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
- m["member"] = MessageElement(
- "cn=ldaptestuser3,cn=users," + self.base_dn,
- FLAG_MOD_ADD, "member")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_NO_SUCH_OBJECT)
-
- # Make group 2 secondary
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
- m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
- FLAG_MOD_ADD, "member")
- ldb.modify(m)
-
- # Swap the groups
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- m["primaryGroupID"] = MessageElement(str(group_rid_2),
- FLAG_MOD_REPLACE, "primaryGroupID")
- ldb.modify(m)
-
- # Old primary group should contain a "member" attribute for the user,
- # the new shouldn't contain anymore one
- res1 = ldb.search("cn=ldaptestgroup, cn=users," + self.base_dn,
- scope=SCOPE_BASE, attrs=["member"])
- self.assertTrue(len(res1) == 1)
- self.assertTrue(len(res1[0]["member"]) == 1)
- self.assertEquals(res1[0]["member"][0].lower(),
- ("cn=ldaptestuser,cn=users," + self.base_dn).lower())
-
- res1 = ldb.search("cn=ldaptestgroup2, cn=users," + self.base_dn,
- scope=SCOPE_BASE, attrs=["member"])
- self.assertTrue(len(res1) == 1)
- self.assertFalse("member" in res1[0])
-
- # Also this should be denied
- try:
- ldb.add({
- "dn": "cn=ldaptestuser1,cn=users," + self.base_dn,
- "objectclass": ["user", "person"],
- "primaryGroupID": "0"})
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
- self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
- self.delete_force(self.ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
-
- def test_sam_attributes(self):
- """Test the behaviour of special attributes of SAM objects"""
- print "Testing the behaviour of special attributes of SAM objects\n"""
-
- ldb.add({
- "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
- "objectclass": ["user", "person"]})
- ldb.add({
- "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
- "objectclass": "group"})
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
- m["groupType"] = MessageElement("0", FLAG_MOD_ADD,
- "groupType")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
- m["groupType"] = MessageElement([], FLAG_MOD_DELETE,
- "groupType")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- m["primaryGroupID"] = MessageElement("0", FLAG_MOD_ADD,
- "primaryGroupID")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- m["primaryGroupID"] = MessageElement([], FLAG_MOD_DELETE,
- "primaryGroupID")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- m["userAccountControl"] = MessageElement("0", FLAG_MOD_ADD,
- "userAccountControl")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- m["userAccountControl"] = MessageElement([], FLAG_MOD_DELETE,
- "userAccountControl")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- m["sAMAccountType"] = MessageElement("0", FLAG_MOD_ADD,
- "sAMAccountType")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- m["sAMAccountType"] = MessageElement([], FLAG_MOD_REPLACE,
- "sAMAccountType")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- m["sAMAccountType"] = MessageElement([], FLAG_MOD_DELETE,
- "sAMAccountType")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
- self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
-
- def test_primary_group_token_constructed(self):
- """Test the primary group token behaviour (hidden-generated-readonly attribute on groups) and some other constructed attributes"""
- print "Testing primary group token behaviour and other constructed attributes\n"
-
- try:
- ldb.add({
- "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
- "objectclass": "group",
- "primaryGroupToken": "100"})
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNDEFINED_ATTRIBUTE_TYPE)
- self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
-
- ldb.add({
- "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
- "objectclass": ["user", "person"]})
-
- ldb.add({
- "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
- "objectclass": "group"})
-
- # Testing for one invalid, and one valid operational attribute, but also the things they are built from
- res1 = ldb.search(self.base_dn,
- scope=SCOPE_BASE, attrs=["primaryGroupToken", "canonicalName", "objectClass", "objectSid"])
- self.assertTrue(len(res1) == 1)
- self.assertFalse("primaryGroupToken" in res1[0])
- self.assertTrue("canonicalName" in res1[0])
- self.assertTrue("objectClass" in res1[0])
- self.assertTrue("objectSid" in res1[0])
-
- res1 = ldb.search(self.base_dn,
- scope=SCOPE_BASE, attrs=["primaryGroupToken", "canonicalName"])
- self.assertTrue(len(res1) == 1)
- self.assertFalse("primaryGroupToken" in res1[0])
- self.assertFalse("objectSid" in res1[0])
- self.assertFalse("objectClass" in res1[0])
- self.assertTrue("canonicalName" in res1[0])
-
- res1 = ldb.search("cn=users,"+self.base_dn,
- scope=SCOPE_BASE, attrs=["primaryGroupToken"])
- self.assertTrue(len(res1) == 1)
- self.assertFalse("primaryGroupToken" in res1[0])
-
- res1 = ldb.search("cn=ldaptestuser, cn=users," + self.base_dn,
- scope=SCOPE_BASE, attrs=["primaryGroupToken"])
- self.assertTrue(len(res1) == 1)
- self.assertFalse("primaryGroupToken" in res1[0])
-
- res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
- scope=SCOPE_BASE)
- self.assertTrue(len(res1) == 1)
- self.assertFalse("primaryGroupToken" in res1[0])
-
- res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
- scope=SCOPE_BASE, attrs=["primaryGroupToken", "objectSID"])
- self.assertTrue(len(res1) == 1)
- primary_group_token = int(res1[0]["primaryGroupToken"][0])
-
- rid = security.dom_sid(ldb.schema_format_value("objectSID", res1[0]["objectSID"][0])).split()[1]
- self.assertEquals(primary_group_token, rid)
-
- m = Message()
- m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
- m["primaryGroupToken"] = "100"
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
-
- self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
-
- def test_tokenGroups(self):
- """Test the tokenGroups behaviour (hidden-generated-readonly attribute on SAM objects)"""
- print "Testing tokenGroups behaviour\n"
-
- # The domain object shouldn't contain any "tokenGroups" entry
- res = ldb.search(self.base_dn, scope=SCOPE_BASE, attrs=["tokenGroups"])
- self.assertTrue(len(res) == 1)
- self.assertFalse("tokenGroups" in res[0])
-
- # The domain administrator should contain "tokenGroups" entries
- # (the exact number depends on the domain/forest function level and the
- # DC software versions)
- res = ldb.search("cn=Administrator,cn=Users," + self.base_dn,
- scope=SCOPE_BASE, attrs=["tokenGroups"])
- self.assertTrue(len(res) == 1)
- self.assertTrue("tokenGroups" in res[0])
-
- ldb.add({
- "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
- "objectclass": ["user", "person"]})
-
- # This testuser should contain at least two "tokenGroups" entries
- # (exactly two on an unmodified "Domain Users" and "Users" group)
- res = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
- scope=SCOPE_BASE, attrs=["tokenGroups"])
- self.assertTrue(len(res) == 1)
- self.assertTrue(len(res[0]["tokenGroups"]) >= 2)
-
- # one entry which we need to find should point to domains "Domain Users"
- # group and another entry should point to the builtin "Users"group
- domain_users_group_found = False
- users_group_found = False
- for sid in res[0]["tokenGroups"]:
- rid = security.dom_sid(ldb.schema_format_value("objectSID", sid)).split()[1]
- if rid == 513:
- domain_users_group_found = True
- if rid == 545:
- users_group_found = True
-
- self.assertTrue(domain_users_group_found)
- self.assertTrue(users_group_found)
-
- self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
-
- def test_wkguid(self):
- """Test Well known GUID behaviours (including DN+Binary)"""
- print "Test Well known GUID behaviours (including DN+Binary)"""
-
- res = self.ldb.search(base=("<WKGUID=ab1d30f3768811d1aded00c04fd8d5cd,%s>" % self.base_dn), scope=SCOPE_BASE, attrs=[])
- self.assertEquals(len(res), 1)
-
- res2 = self.ldb.search(scope=SCOPE_BASE, attrs=["wellKnownObjects"], expression=("wellKnownObjects=B:32:ab1d30f3768811d1aded00c04fd8d5cd:%s" % res[0].dn))
- self.assertEquals(len(res2), 1)
-
- # Prove that the matching rule is over the whole DN+Binary
- res2 = self.ldb.search(scope=SCOPE_BASE, attrs=["wellKnownObjects"], expression=("wellKnownObjects=B:32:ab1d30f3768811d1aded00c04fd8d5cd"))
- self.assertEquals(len(res2), 0)
- # Prove that the matching rule is over the whole DN+Binary
- res2 = self.ldb.search(scope=SCOPE_BASE, attrs=["wellKnownObjects"], expression=("wellKnownObjects=%s") % res[0].dn)
- self.assertEquals(len(res2), 0)
-
- def test_subschemasubentry(self):
- """Test subSchemaSubEntry appears when requested, but not when not requested"""
- print "Test subSchemaSubEntry"""
-
- res = self.ldb.search(base=self.base_dn, scope=SCOPE_BASE, attrs=["subSchemaSubEntry"])
- self.assertEquals(len(res), 1)
- self.assertEquals(res[0]["subSchemaSubEntry"][0], "CN=Aggregate,"+self.schema_dn)
-
- res = self.ldb.search(base=self.base_dn, scope=SCOPE_BASE, attrs=["*"])
- self.assertEquals(len(res), 1)
- self.assertTrue("subScheamSubEntry" not in res[0])
-
- def test_subtree_delete(self):
- """Tests subtree deletes"""
-
- print "Test subtree deletes"""
-
- ldb.add({
- "dn": "cn=ldaptestcontainer," + self.base_dn,
- "objectclass": "container"})
- ldb.add({
- "dn": "cn=entry1,cn=ldaptestcontainer," + self.base_dn,
- "objectclass": "container"})
- ldb.add({
- "dn": "cn=entry2,cn=ldaptestcontainer," + self.base_dn,
- "objectclass": "container"})
-
- try:
- ldb.delete("cn=ldaptestcontainer," + self.base_dn)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_NOT_ALLOWED_ON_NON_LEAF)
-
- ldb.delete("cn=ldaptestcontainer," + self.base_dn, ["tree_delete:0"])
-
- try:
- res = ldb.search("cn=ldaptestcontainer," + self.base_dn,
- scope=SCOPE_BASE, attrs=[])
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_NO_SUCH_OBJECT)
- try:
- res = ldb.search("cn=entry1,cn=ldaptestcontainer," + self.base_dn,
- scope=SCOPE_BASE, attrs=[])
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_NO_SUCH_OBJECT)
- try:
- res = ldb.search("cn=entry2,cn=ldaptestcontainer," + self.base_dn,
- scope=SCOPE_BASE, attrs=[])
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_NO_SUCH_OBJECT)
-
- self.delete_force(self.ldb, "cn=entry1,cn=ldaptestcontainer," + self.base_dn)
- self.delete_force(self.ldb, "cn=entry2,cn=ldaptestcontainer," + self.base_dn)
- self.delete_force(self.ldb, "cn=ldaptestcontainer," + self.base_dn)
-
- def test_all(self):
- """Basic tests"""
-
- print "Testing user add"
-
- ldb.add({
- "dn": "cn=ldaptestuser,cn=uSers," + self.base_dn,
- "objectclass": ["user", "person"],
- "cN": "LDAPtestUSER",
- "givenname": "ldap",
- "sn": "testy"})
-
- ldb.add({
- "dn": "cn=ldaptestgroup,cn=uSers," + self.base_dn,
- "objectclass": "group",
- "member": "cn=ldaptestuser,cn=useRs," + self.base_dn})
-
- ldb.add({
- "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
- "objectclass": "computer",
- "cN": "LDAPtestCOMPUTER"})
-
- ldb.add({"dn": "cn=ldaptest2computer,cn=computers," + self.base_dn,
- "objectClass": "computer",
- "cn": "LDAPtest2COMPUTER",
- "userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT),
- "displayname": "ldap testy"})
-
- try:
- ldb.add({"dn": "cn=ldaptestcomputer3,cn=computers," + self.base_dn,
- "objectClass": "computer",
- "cn": "LDAPtest2COMPUTER"
- })
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_INVALID_DN_SYNTAX)
-
- try:
- ldb.add({"dn": "cn=ldaptestcomputer3,cn=computers," + self.base_dn,
- "objectClass": "computer",
- "cn": "ldaptestcomputer3",
- "sAMAccountType": str(ATYPE_NORMAL_ACCOUNT)
- })
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
- ldb.add({"dn": "cn=ldaptestcomputer3,cn=computers," + self.base_dn,
- "objectClass": "computer",
- "cn": "LDAPtestCOMPUTER3"
- })
-
- print "Testing ldb.search for (&(cn=ldaptestcomputer3)(objectClass=user))";
- res = ldb.search(self.base_dn, expression="(&(cn=ldaptestcomputer3)(objectClass=user))");
- self.assertEquals(len(res), 1, "Found only %d for (&(cn=ldaptestcomputer3)(objectClass=user))" % len(res))
-
- self.assertEquals(str(res[0].dn), ("CN=ldaptestcomputer3,CN=Computers," + self.base_dn));
- self.assertEquals(res[0]["cn"][0], "ldaptestcomputer3");
- self.assertEquals(res[0]["name"][0], "ldaptestcomputer3");
- self.assertEquals(res[0]["objectClass"][0], "top");
- self.assertEquals(res[0]["objectClass"][1], "person");
- self.assertEquals(res[0]["objectClass"][2], "organizationalPerson");
- self.assertEquals(res[0]["objectClass"][3], "user");
- self.assertEquals(res[0]["objectClass"][4], "computer");
- self.assertTrue("objectGUID" in res[0])
- self.assertTrue("whenCreated" in res[0])
- self.assertEquals(res[0]["objectCategory"][0], ("CN=Computer,CN=Schema,CN=Configuration," + self.base_dn));
- self.assertEquals(int(res[0]["primaryGroupID"][0]), 513);
- self.assertEquals(int(res[0]["sAMAccountType"][0]), ATYPE_NORMAL_ACCOUNT);
- self.assertEquals(int(res[0]["userAccountControl"][0]), UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD | UF_ACCOUNTDISABLE);
-
- self.delete_force(self.ldb, "cn=ldaptestcomputer3,cn=computers," + self.base_dn)
-
- print "Testing attribute or value exists behaviour"
- try:
- ldb.modify_ldif("""
-dn: cn=ldaptest2computer,cn=computers,""" + self.base_dn + """
-changetype: modify
-replace: servicePrincipalName
-servicePrincipalName: host/ldaptest2computer
-servicePrincipalName: host/ldaptest2computer
-servicePrincipalName: cifs/ldaptest2computer
-""")
- self.fail()
- except LdbError, (num, msg):
- self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
-
- ldb.modify_ldif("""
-dn: cn=ldaptest2computer,cn=computers,""" + self.base_dn + """
-changetype: modify
-replace: servicePrincipalName
-servicePrincipalName: host/ldaptest2computer
-servicePrincipalName: cifs/ldaptest2computer
-""")
- try:
- ldb.modify_ldif("""
-dn: cn=ldaptest2computer,cn=computers,""" + self.base_dn + """
-changetype: modify
-add: servicePrincipalName
-servicePrincipalName: host/ldaptest2computer
-""")
- self.fail()
- except LdbError, (num, msg):
- self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
-
- print "Testing ranged results"
- ldb.modify_ldif("""
-dn: cn=ldaptest2computer,cn=computers,""" + self.base_dn + """
-changetype: modify
-replace: servicePrincipalName
-""")
-
- ldb.modify_ldif("""
-dn: cn=ldaptest2computer,cn=computers,""" + self.base_dn + """
-changetype: modify
-add: servicePrincipalName
-servicePrincipalName: host/ldaptest2computer0
-servicePrincipalName: host/ldaptest2computer1
-servicePrincipalName: host/ldaptest2computer2
-servicePrincipalName: host/ldaptest2computer3
-servicePrincipalName: host/ldaptest2computer4
-servicePrincipalName: host/ldaptest2computer5
-servicePrincipalName: host/ldaptest2computer6
-servicePrincipalName: host/ldaptest2computer7
-servicePrincipalName: host/ldaptest2computer8
-servicePrincipalName: host/ldaptest2computer9
-servicePrincipalName: host/ldaptest2computer10
-servicePrincipalName: host/ldaptest2computer11
-servicePrincipalName: host/ldaptest2computer12
-servicePrincipalName: host/ldaptest2computer13
-servicePrincipalName: host/ldaptest2computer14
-servicePrincipalName: host/ldaptest2computer15
-servicePrincipalName: host/ldaptest2computer16
-servicePrincipalName: host/ldaptest2computer17
-servicePrincipalName: host/ldaptest2computer18
-servicePrincipalName: host/ldaptest2computer19
-servicePrincipalName: host/ldaptest2computer20
-servicePrincipalName: host/ldaptest2computer21
-servicePrincipalName: host/ldaptest2computer22
-servicePrincipalName: host/ldaptest2computer23
-servicePrincipalName: host/ldaptest2computer24
-servicePrincipalName: host/ldaptest2computer25
-servicePrincipalName: host/ldaptest2computer26
-servicePrincipalName: host/ldaptest2computer27
-servicePrincipalName: host/ldaptest2computer28
-servicePrincipalName: host/ldaptest2computer29
-""")
-
- res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE,
- attrs=["servicePrincipalName;range=0-*"])
- self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)")
- #print len(res[0]["servicePrincipalName;range=0-*"])
- self.assertEquals(len(res[0]["servicePrincipalName;range=0-*"]), 30)
-
- res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, attrs=["servicePrincipalName;range=0-19"])
- self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)")
- # print res[0]["servicePrincipalName;range=0-19"].length
- self.assertEquals(len(res[0]["servicePrincipalName;range=0-19"]), 20)
-
-
- res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, attrs=["servicePrincipalName;range=0-30"])
- self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)")
- self.assertEquals(len(res[0]["servicePrincipalName;range=0-*"]), 30)
-
- res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, attrs=["servicePrincipalName;range=0-40"])
- self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)")
- self.assertEquals(len(res[0]["servicePrincipalName;range=0-*"]), 30)
-
- res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, attrs=["servicePrincipalName;range=30-40"])
- self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)")
- self.assertEquals(len(res[0]["servicePrincipalName;range=30-*"]), 0)
-
-
- res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, attrs=["servicePrincipalName;range=10-40"])
- self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)")
- self.assertEquals(len(res[0]["servicePrincipalName;range=10-*"]), 20)
- # pos_11 = res[0]["servicePrincipalName;range=10-*"][18]
-
- res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, attrs=["servicePrincipalName;range=11-40"])
- self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)")
- self.assertEquals(len(res[0]["servicePrincipalName;range=11-*"]), 19)
- # print res[0]["servicePrincipalName;range=11-*"][18]
- # print pos_11
- # self.assertEquals((res[0]["servicePrincipalName;range=11-*"][18]), pos_11)
-
- res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, attrs=["servicePrincipalName;range=11-15"])
- self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)")
- self.assertEquals(len(res[0]["servicePrincipalName;range=11-15"]), 5)
- # self.assertEquals(res[0]["servicePrincipalName;range=11-15"][4], pos_11)
-
- res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, attrs=["servicePrincipalName"])
- self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)")
- # print res[0]["servicePrincipalName"][18]
- # print pos_11
- self.assertEquals(len(res[0]["servicePrincipalName"]), 30)
- # self.assertEquals(res[0]["servicePrincipalName"][18], pos_11)
-
- self.delete_force(self.ldb, "cn=ldaptestuser2,cn=users," + self.base_dn)
- ldb.add({
- "dn": "cn=ldaptestuser2,cn=useRs," + self.base_dn,
- "objectClass": ["person", "user"],
- "cn": "LDAPtestUSER2",
- "givenname": "testy",
- "sn": "ldap user2"})
-
- print "Testing Ambigious Name Resolution"
- # Testing ldb.search for (&(anr=ldap testy)(objectClass=user))
- res = ldb.search(expression="(&(anr=ldap testy)(objectClass=user))")
- self.assertEquals(len(res), 3, "Found only %d of 3 for (&(anr=ldap testy)(objectClass=user))" % len(res))
-
- # Testing ldb.search for (&(anr=testy ldap)(objectClass=user))
- res = ldb.search(expression="(&(anr=testy ldap)(objectClass=user))")
- self.assertEquals(len(res), 2, "Found only %d of 2 for (&(anr=testy ldap)(objectClass=user))" % len(res))
-
- # Testing ldb.search for (&(anr=ldap)(objectClass=user))
- res = ldb.search(expression="(&(anr=ldap)(objectClass=user))")
- self.assertEquals(len(res), 4, "Found only %d of 4 for (&(anr=ldap)(objectClass=user))" % len(res))
-
- # Testing ldb.search for (&(anr==ldap)(objectClass=user))
- res = ldb.search(expression="(&(anr==ldap)(objectClass=user))")
- self.assertEquals(len(res), 1, "Could not find (&(anr==ldap)(objectClass=user)). Found only %d for (&(anr=ldap)(objectClass=user))" % len(res))
-
- self.assertEquals(str(res[0].dn), ("CN=ldaptestuser,CN=Users," + self.base_dn))
- self.assertEquals(res[0]["cn"][0], "ldaptestuser")
- self.assertEquals(str(res[0]["name"]), "ldaptestuser")
-
- # Testing ldb.search for (&(anr=testy)(objectClass=user))
- res = ldb.search(expression="(&(anr=testy)(objectClass=user))")
- self.assertEquals(len(res), 2, "Found only %d for (&(anr=testy)(objectClass=user))" % len(res))
-
- # Testing ldb.search for (&(anr=testy ldap)(objectClass=user))
- res = ldb.search(expression="(&(anr=testy ldap)(objectClass=user))")
- self.assertEquals(len(res), 2, "Found only %d for (&(anr=testy ldap)(objectClass=user))" % len(res))
-
- # Testing ldb.search for (&(anr==testy ldap)(objectClass=user))
-# this test disabled for the moment, as anr with == tests are not understood
-# res = ldb.search(expression="(&(anr==testy ldap)(objectClass=user))")
-# self.assertEquals(len(res), 1, "Found only %d for (&(anr==testy ldap)(objectClass=user))" % len(res))
-
-# self.assertEquals(str(res[0].dn), ("CN=ldaptestuser,CN=Users," + self.base_dn))
-# self.assertEquals(res[0]["cn"][0], "ldaptestuser")
-# self.assertEquals(res[0]["name"][0], "ldaptestuser")
-
- # Testing ldb.search for (&(anr==testy ldap)(objectClass=user))
-# res = ldb.search(expression="(&(anr==testy ldap)(objectClass=user))")
-# self.assertEquals(len(res), 1, "Could not find (&(anr==testy ldap)(objectClass=user))")
-
-# self.assertEquals(str(res[0].dn), ("CN=ldaptestuser,CN=Users," + self.base_dn))
-# self.assertEquals(res[0]["cn"][0], "ldaptestuser")
-# self.assertEquals(res[0]["name"][0], "ldaptestuser")
-
- # Testing ldb.search for (&(anr=testy ldap user)(objectClass=user))
- res = ldb.search(expression="(&(anr=testy ldap user)(objectClass=user))")
- self.assertEquals(len(res), 1, "Could not find (&(anr=testy ldap user)(objectClass=user))")
-
- self.assertEquals(str(res[0].dn), ("CN=ldaptestuser2,CN=Users," + self.base_dn))
- self.assertEquals(str(res[0]["cn"]), "ldaptestuser2")
- self.assertEquals(str(res[0]["name"]), "ldaptestuser2")
-
- # Testing ldb.search for (&(anr==testy ldap user2)(objectClass=user))
-# res = ldb.search(expression="(&(anr==testy ldap user2)(objectClass=user))")
-# self.assertEquals(len(res), 1, "Could not find (&(anr==testy ldap user2)(objectClass=user))")
-
- self.assertEquals(str(res[0].dn), ("CN=ldaptestuser2,CN=Users," + self.base_dn))
- self.assertEquals(str(res[0]["cn"]), "ldaptestuser2")
- self.assertEquals(str(res[0]["name"]), "ldaptestuser2")
-
- # Testing ldb.search for (&(anr==ldap user2)(objectClass=user))
-# res = ldb.search(expression="(&(anr==ldap user2)(objectClass=user))")
-# self.assertEquals(len(res), 1, "Could not find (&(anr==ldap user2)(objectClass=user))")
-
- self.assertEquals(str(res[0].dn), ("CN=ldaptestuser2,CN=Users," + self.base_dn))
- self.assertEquals(str(res[0]["cn"]), "ldaptestuser2")
- self.assertEquals(str(res[0]["name"]), "ldaptestuser2")
-
- # Testing ldb.search for (&(anr==not ldap user2)(objectClass=user))
-# res = ldb.search(expression="(&(anr==not ldap user2)(objectClass=user))")
-# self.assertEquals(len(res), 0, "Must not find (&(anr==not ldap user2)(objectClass=user))")
-
- # Testing ldb.search for (&(anr=not ldap user2)(objectClass=user))
- res = ldb.search(expression="(&(anr=not ldap user2)(objectClass=user))")
- self.assertEquals(len(res), 0, "Must not find (&(anr=not ldap user2)(objectClass=user))")
-
- # Testing ldb.search for (&(anr="testy ldap")(objectClass=user)) (ie, with quotes)
-# res = ldb.search(expression="(&(anr==\"testy ldap\")(objectClass=user))")
-# self.assertEquals(len(res), 0, "Found (&(anr==\"testy ldap\")(objectClass=user))")
-
- print "Testing Renames"
-
- attrs = ["objectGUID", "objectSid"]
- print "Testing ldb.search for (&(cn=ldaptestUSer2)(objectClass=user))"
- res_user = ldb.search(self.base_dn, expression="(&(cn=ldaptestUSer2)(objectClass=user))", scope=SCOPE_SUBTREE, attrs=attrs)
- self.assertEquals(len(res_user), 1, "Could not find (&(cn=ldaptestUSer2)(objectClass=user))")
-
- # Check rename works with extended/alternate DN forms
- ldb.rename("<SID=" + ldb.schema_format_value("objectSID", res_user[0]["objectSID"][0]) + ">" , "cn=ldaptestUSER3,cn=users," + self.base_dn)
-
- print "Testing ldb.search for (&(cn=ldaptestuser3)(objectClass=user))"
- res = ldb.search(expression="(&(cn=ldaptestuser3)(objectClass=user))")
- self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestuser3)(objectClass=user))")
-
- self.assertEquals(str(res[0].dn), ("CN=ldaptestUSER3,CN=Users," + self.base_dn))
- self.assertEquals(str(res[0]["cn"]), "ldaptestUSER3")
- self.assertEquals(str(res[0]["name"]), "ldaptestUSER3")
-
- #"Testing ldb.search for (&(&(cn=ldaptestuser3)(userAccountControl=*))(objectClass=user))"
- res = ldb.search(expression="(&(&(cn=ldaptestuser3)(userAccountControl=*))(objectClass=user))")
- self.assertEquals(len(res), 1, "(&(&(cn=ldaptestuser3)(userAccountControl=*))(objectClass=user))")
-
- self.assertEquals(str(res[0].dn), ("CN=ldaptestUSER3,CN=Users," + self.base_dn))
- self.assertEquals(str(res[0]["cn"]), "ldaptestUSER3")
- self.assertEquals(str(res[0]["name"]), "ldaptestUSER3")
-
- #"Testing ldb.search for (&(&(cn=ldaptestuser3)(userAccountControl=546))(objectClass=user))"
- res = ldb.search(expression="(&(&(cn=ldaptestuser3)(userAccountControl=546))(objectClass=user))")
- self.assertEquals(len(res), 1, "(&(&(cn=ldaptestuser3)(userAccountControl=546))(objectClass=user))")
-
- self.assertEquals(str(res[0].dn), ("CN=ldaptestUSER3,CN=Users," + self.base_dn))
- self.assertEquals(str(res[0]["cn"]), "ldaptestUSER3")
- self.assertEquals(str(res[0]["name"]), "ldaptestUSER3")
-
- #"Testing ldb.search for (&(&(cn=ldaptestuser3)(userAccountControl=547))(objectClass=user))"
- res = ldb.search(expression="(&(&(cn=ldaptestuser3)(userAccountControl=547))(objectClass=user))")
- self.assertEquals(len(res), 0, "(&(&(cn=ldaptestuser3)(userAccountControl=547))(objectClass=user))")
-
- # This is a Samba special, and does not exist in real AD
- # print "Testing ldb.search for (dn=CN=ldaptestUSER3,CN=Users," + self.base_dn + ")"
- # res = ldb.search("(dn=CN=ldaptestUSER3,CN=Users," + self.base_dn + ")")
- # if (res.error != 0 || len(res) != 1) {
- # print "Could not find (dn=CN=ldaptestUSER3,CN=Users," + self.base_dn + ")"
- # self.assertEquals(len(res), 1)
- # }
- # self.assertEquals(res[0].dn, ("CN=ldaptestUSER3,CN=Users," + self.base_dn))
- # self.assertEquals(res[0].cn, "ldaptestUSER3")
- # self.assertEquals(res[0].name, "ldaptestUSER3")
-
- print "Testing ldb.search for (distinguishedName=CN=ldaptestUSER3,CN=Users," + self.base_dn + ")"
- res = ldb.search(expression="(distinguishedName=CN=ldaptestUSER3,CN=Users," + self.base_dn + ")")
- self.assertEquals(len(res), 1, "Could not find (dn=CN=ldaptestUSER3,CN=Users," + self.base_dn + ")")
- self.assertEquals(str(res[0].dn), ("CN=ldaptestUSER3,CN=Users," + self.base_dn))
- self.assertEquals(str(res[0]["cn"]), "ldaptestUSER3")
- self.assertEquals(str(res[0]["name"]), "ldaptestUSER3")
-
- # ensure we cannot add it again
- try:
- ldb.add({"dn": "cn=ldaptestuser3,cn=userS," + self.base_dn,
- "objectClass": ["person", "user"],
- "cn": "LDAPtestUSER3"})
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
-
- # rename back
- ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, "cn=ldaptestuser2,cn=users," + self.base_dn)
-
- # ensure we cannot rename it twice
- try:
- ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn,
- "cn=ldaptestuser2,cn=users," + self.base_dn)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_NO_SUCH_OBJECT)
-
- # ensure can now use that name
- ldb.add({"dn": "cn=ldaptestuser3,cn=users," + self.base_dn,
- "objectClass": ["person", "user"],
- "cn": "LDAPtestUSER3"})
-
- # ensure we now cannot rename
- try:
- ldb.rename("cn=ldaptestuser2,cn=users," + self.base_dn, "cn=ldaptestuser3,cn=users," + self.base_dn)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
- try:
- ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, "cn=ldaptestuser3,cn=configuration," + self.base_dn)
- self.fail()
- except LdbError, (num, _):
- self.assertTrue(num in (71, 64))
-
- ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, "cn=ldaptestuser5,cn=users," + self.base_dn)
-
- ldb.delete("cn=ldaptestuser5,cn=users," + self.base_dn)
-
- self.delete_force(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
-
- ldb.rename("cn=ldaptestgroup,cn=users," + self.base_dn, "cn=ldaptestgroup2,cn=users," + self.base_dn)
-
- print "Testing subtree renames"
-
- ldb.add({"dn": "cn=ldaptestcontainer," + self.base_dn,
- "objectClass": "container"})
-
- ldb.add({"dn": "CN=ldaptestuser4,CN=ldaptestcontainer," + self.base_dn,
- "objectClass": ["person", "user"],
- "cn": "LDAPtestUSER4"})
-
- ldb.modify_ldif("""
-dn: cn=ldaptestgroup2,cn=users,""" + self.base_dn + """
-changetype: modify
-add: member
-member: cn=ldaptestuser4,cn=ldaptestcontainer,""" + self.base_dn + """
-member: cn=ldaptestcomputer,cn=computers,""" + self.base_dn + """
-member: cn=ldaptestuser2,cn=users,""" + self.base_dn + """
-""")
-
- print "Testing ldb.rename of cn=ldaptestcontainer," + self.base_dn + " to cn=ldaptestcontainer2," + self.base_dn
- ldb.rename("CN=ldaptestcontainer," + self.base_dn, "CN=ldaptestcontainer2," + self.base_dn)
-
- print "Testing ldb.search for (&(cn=ldaptestuser4)(objectClass=user))"
- res = ldb.search(expression="(&(cn=ldaptestuser4)(objectClass=user))")
- self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestuser4)(objectClass=user))")
-
- print "Testing subtree ldb.search for (&(cn=ldaptestuser4)(objectClass=user)) in (just renamed from) cn=ldaptestcontainer," + self.base_dn
- try:
- res = ldb.search("cn=ldaptestcontainer," + self.base_dn,
- expression="(&(cn=ldaptestuser4)(objectClass=user))",
- scope=SCOPE_SUBTREE)
- self.fail(res)
- except LdbError, (num, _):
- self.assertEquals(num, ERR_NO_SUCH_OBJECT)
-
- print "Testing one-level ldb.search for (&(cn=ldaptestuser4)(objectClass=user)) in (just renamed from) cn=ldaptestcontainer," + self.base_dn
- try:
- res = ldb.search("cn=ldaptestcontainer," + self.base_dn,
- expression="(&(cn=ldaptestuser4)(objectClass=user))", scope=SCOPE_ONELEVEL)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_NO_SUCH_OBJECT)
-
- print "Testing ldb.search for (&(cn=ldaptestuser4)(objectClass=user)) in renamed container"
- res = ldb.search("cn=ldaptestcontainer2," + self.base_dn, expression="(&(cn=ldaptestuser4)(objectClass=user))", scope=SCOPE_SUBTREE)
- self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestuser4)(objectClass=user)) under cn=ldaptestcontainer2," + self.base_dn)
-
- self.assertEquals(str(res[0].dn), ("CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn))
- self.assertEquals(res[0]["memberOf"][0].upper(), ("CN=ldaptestgroup2,CN=Users," + self.base_dn).upper())
-
- time.sleep(4)
-
- print "Testing ldb.search for (&(member=CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn + ")(objectclass=group)) to check subtree renames and linked attributes"
- res = ldb.search(self.base_dn, expression="(&(member=CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn + ")(objectclass=group))", scope=SCOPE_SUBTREE)
- self.assertEquals(len(res), 1, "Could not find (&(member=CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn + ")(objectclass=group)), perhaps linked attributes are not consistant with subtree renames?")
-
- print "Testing ldb.rename (into itself) of cn=ldaptestcontainer2," + self.base_dn + " to cn=ldaptestcontainer,cn=ldaptestcontainer2," + self.base_dn
- try:
- ldb.rename("cn=ldaptestcontainer2," + self.base_dn, "cn=ldaptestcontainer,cn=ldaptestcontainer2," + self.base_dn)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
- print "Testing ldb.rename (into non-existent container) of cn=ldaptestcontainer2," + self.base_dn + " to cn=ldaptestcontainer,cn=ldaptestcontainer3," + self.base_dn
- try:
- ldb.rename("cn=ldaptestcontainer2," + self.base_dn, "cn=ldaptestcontainer,cn=ldaptestcontainer3," + self.base_dn)
- self.fail()
- except LdbError, (num, _):
- self.assertTrue(num in (ERR_UNWILLING_TO_PERFORM, ERR_OTHER))
-
- print "Testing delete (should fail, not a leaf node) of renamed cn=ldaptestcontainer2," + self.base_dn
- try:
- ldb.delete("cn=ldaptestcontainer2," + self.base_dn)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_NOT_ALLOWED_ON_NON_LEAF)
-
- print "Testing base ldb.search for CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn
- res = ldb.search(expression="(objectclass=*)", base=("CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn), scope=SCOPE_BASE)
- self.assertEquals(len(res), 1)
- res = ldb.search(expression="(cn=ldaptestuser40)", base=("CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn), scope=SCOPE_BASE)
- self.assertEquals(len(res), 0)
-
- print "Testing one-level ldb.search for (&(cn=ldaptestuser4)(objectClass=user)) in cn=ldaptestcontainer2," + self.base_dn
- res = ldb.search(expression="(&(cn=ldaptestuser4)(objectClass=user))", base=("cn=ldaptestcontainer2," + self.base_dn), scope=SCOPE_ONELEVEL)
- # FIXME: self.assertEquals(len(res), 0)
-
- print "Testing one-level ldb.search for (&(cn=ldaptestuser4)(objectClass=user)) in cn=ldaptestcontainer2," + self.base_dn
- res = ldb.search(expression="(&(cn=ldaptestuser4)(objectClass=user))", base=("cn=ldaptestcontainer2," + self.base_dn), scope=SCOPE_SUBTREE)
- # FIXME: self.assertEquals(len(res), 0)
-
- print "Testing delete of subtree renamed "+("CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn)
- ldb.delete(("CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn))
- print "Testing delete of renamed cn=ldaptestcontainer2," + self.base_dn
- ldb.delete("cn=ldaptestcontainer2," + self.base_dn)
-
- ldb.add({"dn": "cn=ldaptestutf8user èùéìòà,cn=users," + self.base_dn, "objectClass": "user"})
-
- ldb.add({"dn": "cn=ldaptestutf8user2 èùéìòà,cn=users," + self.base_dn, "objectClass": "user"})
-
- print "Testing ldb.search for (&(cn=ldaptestuser)(objectClass=user))"
- res = ldb.search(expression="(&(cn=ldaptestuser)(objectClass=user))")
- self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestuser)(objectClass=user))")
-
- self.assertEquals(str(res[0].dn), ("CN=ldaptestuser,CN=Users," + self.base_dn))
- self.assertEquals(str(res[0]["cn"]), "ldaptestuser")
- self.assertEquals(str(res[0]["name"]), "ldaptestuser")
- self.assertEquals(set(res[0]["objectClass"]), set(["top", "person", "organizationalPerson", "user"]))
- self.assertTrue("objectGUID" in res[0])
- self.assertTrue("whenCreated" in res[0])
- self.assertEquals(str(res[0]["objectCategory"]), ("CN=Person,CN=Schema,CN=Configuration," + self.base_dn))
- self.assertEquals(int(res[0]["sAMAccountType"][0]), ATYPE_NORMAL_ACCOUNT)
- self.assertEquals(int(res[0]["userAccountControl"][0]), UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD | UF_ACCOUNTDISABLE)
- self.assertEquals(res[0]["memberOf"][0].upper(), ("CN=ldaptestgroup2,CN=Users," + self.base_dn).upper())
- self.assertEquals(len(res[0]["memberOf"]), 1)
-
- print "Testing ldb.search for (&(cn=ldaptestuser)(objectCategory=cn=person,cn=schema,cn=configuration," + self.base_dn + "))"
- res2 = ldb.search(expression="(&(cn=ldaptestuser)(objectCategory=cn=person,cn=schema,cn=configuration," + self.base_dn + "))")
- self.assertEquals(len(res2), 1, "Could not find (&(cn=ldaptestuser)(objectCategory=cn=person,cn=schema,cn=configuration," + self.base_dn + "))")
-
- self.assertEquals(res[0].dn, res2[0].dn)
-
- print "Testing ldb.search for (&(cn=ldaptestuser)(objectCategory=PerSon))"
- res3 = ldb.search(expression="(&(cn=ldaptestuser)(objectCategory=PerSon))")
- self.assertEquals(len(res3), 1, "Could not find (&(cn=ldaptestuser)(objectCategory=PerSon)): matched %d" % len(res3))
-
- self.assertEquals(res[0].dn, res3[0].dn)
-
- if gc_ldb is not None:
- print "Testing ldb.search for (&(cn=ldaptestuser)(objectCategory=PerSon)) in Global Catalog"
- res3gc = gc_ldb.search(expression="(&(cn=ldaptestuser)(objectCategory=PerSon))")
- self.assertEquals(len(res3gc), 1)
-
- self.assertEquals(res[0].dn, res3gc[0].dn)
-
- print "Testing ldb.search for (&(cn=ldaptestuser)(objectCategory=PerSon)) in with 'phantom root' control"
-
- if gc_ldb is not None:
- res3control = gc_ldb.search(self.base_dn, expression="(&(cn=ldaptestuser)(objectCategory=PerSon))", scope=SCOPE_SUBTREE, attrs=["cn"], controls=["search_options:1:2"])
- self.assertEquals(len(res3control), 1, "Could not find (&(cn=ldaptestuser)(objectCategory=PerSon)) in Global Catalog")
-
- self.assertEquals(res[0].dn, res3control[0].dn)
-
- ldb.delete(res[0].dn)
-
- print "Testing ldb.search for (&(cn=ldaptestcomputer)(objectClass=user))"
- res = ldb.search(expression="(&(cn=ldaptestcomputer)(objectClass=user))")
- self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestuser)(objectClass=user))")
-
- self.assertEquals(str(res[0].dn), ("CN=ldaptestcomputer,CN=Computers," + self.base_dn))
- self.assertEquals(str(res[0]["cn"]), "ldaptestcomputer")
- self.assertEquals(str(res[0]["name"]), "ldaptestcomputer")
- self.assertEquals(set(res[0]["objectClass"]), set(["top", "person", "organizationalPerson", "user", "computer"]))
- self.assertTrue("objectGUID" in res[0])
- self.assertTrue("whenCreated" in res[0])
- self.assertEquals(str(res[0]["objectCategory"]), ("CN=Computer,CN=Schema,CN=Configuration," + self.base_dn))
- self.assertEquals(int(res[0]["primaryGroupID"][0]), 513)
- self.assertEquals(int(res[0]["sAMAccountType"][0]), ATYPE_NORMAL_ACCOUNT)
- self.assertEquals(int(res[0]["userAccountControl"][0]), UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD | UF_ACCOUNTDISABLE)
- self.assertEquals(res[0]["memberOf"][0].upper(), ("CN=ldaptestgroup2,CN=Users," + self.base_dn).upper())
- self.assertEquals(len(res[0]["memberOf"]), 1)
-
- print "Testing ldb.search for (&(cn=ldaptestcomputer)(objectCategory=cn=computer,cn=schema,cn=configuration," + self.base_dn + "))"
- res2 = ldb.search(expression="(&(cn=ldaptestcomputer)(objectCategory=cn=computer,cn=schema,cn=configuration," + self.base_dn + "))")
- self.assertEquals(len(res2), 1, "Could not find (&(cn=ldaptestcomputer)(objectCategory=cn=computer,cn=schema,cn=configuration," + self.base_dn + "))")
-
- self.assertEquals(res[0].dn, res2[0].dn)
-
- if gc_ldb is not None:
- print "Testing ldb.search for (&(cn=ldaptestcomputer)(objectCategory=cn=computer,cn=schema,cn=configuration," + self.base_dn + ")) in Global Catlog"
- res2gc = gc_ldb.search(expression="(&(cn=ldaptestcomputer)(objectCategory=cn=computer,cn=schema,cn=configuration," + self.base_dn + "))")
- self.assertEquals(len(res2gc), 1, "Could not find (&(cn=ldaptestcomputer)(objectCategory=cn=computer,cn=schema,cn=configuration," + self.base_dn + ")) in Global Catlog")
-
- self.assertEquals(res[0].dn, res2gc[0].dn)
-
- print "Testing ldb.search for (&(cn=ldaptestcomputer)(objectCategory=compuTER))"
- res3 = ldb.search(expression="(&(cn=ldaptestcomputer)(objectCategory=compuTER))")
- self.assertEquals(len(res3), 1, "Could not find (&(cn=ldaptestcomputer)(objectCategory=compuTER))")
-
- self.assertEquals(res[0].dn, res3[0].dn)
-
- if gc_ldb is not None:
- print "Testing ldb.search for (&(cn=ldaptestcomputer)(objectCategory=compuTER)) in Global Catalog"
- res3gc = gc_ldb.search(expression="(&(cn=ldaptestcomputer)(objectCategory=compuTER))")
- self.assertEquals(len(res3gc), 1, "Could not find (&(cn=ldaptestcomputer)(objectCategory=compuTER)) in Global Catalog")
-
- self.assertEquals(res[0].dn, res3gc[0].dn)
-
- print "Testing ldb.search for (&(cn=ldaptestcomp*r)(objectCategory=compuTER))"
- res4 = ldb.search(expression="(&(cn=ldaptestcomp*r)(objectCategory=compuTER))")
- self.assertEquals(len(res4), 1, "Could not find (&(cn=ldaptestcomp*r)(objectCategory=compuTER))")
-
- self.assertEquals(res[0].dn, res4[0].dn)
-
- print "Testing ldb.search for (&(cn=ldaptestcomput*)(objectCategory=compuTER))"
- res5 = ldb.search(expression="(&(cn=ldaptestcomput*)(objectCategory=compuTER))")
- self.assertEquals(len(res5), 1, "Could not find (&(cn=ldaptestcomput*)(objectCategory=compuTER))")
-
- self.assertEquals(res[0].dn, res5[0].dn)
-
- print "Testing ldb.search for (&(cn=*daptestcomputer)(objectCategory=compuTER))"
- res6 = ldb.search(expression="(&(cn=*daptestcomputer)(objectCategory=compuTER))")
- self.assertEquals(len(res6), 1, "Could not find (&(cn=*daptestcomputer)(objectCategory=compuTER))")
-
- self.assertEquals(res[0].dn, res6[0].dn)
-
- ldb.delete("<GUID=" + ldb.schema_format_value("objectGUID", res[0]["objectGUID"][0]) + ">")
-
- print "Testing ldb.search for (&(cn=ldaptest2computer)(objectClass=user))"
- res = ldb.search(expression="(&(cn=ldaptest2computer)(objectClass=user))")
- self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptest2computer)(objectClass=user))")
-
- self.assertEquals(str(res[0].dn), "CN=ldaptest2computer,CN=Computers," + self.base_dn)
- self.assertEquals(str(res[0]["cn"]), "ldaptest2computer")
- self.assertEquals(str(res[0]["name"]), "ldaptest2computer")
- self.assertEquals(list(res[0]["objectClass"]), ["top", "person", "organizationalPerson", "user", "computer"])
- self.assertTrue("objectGUID" in res[0])
- self.assertTrue("whenCreated" in res[0])
- self.assertEquals(res[0]["objectCategory"][0], "CN=Computer,CN=Schema,CN=Configuration," + self.base_dn)
- self.assertEquals(int(res[0]["sAMAccountType"][0]), ATYPE_WORKSTATION_TRUST)
- self.assertEquals(int(res[0]["userAccountControl"][0]), UF_WORKSTATION_TRUST_ACCOUNT)
-
- ldb.delete("<SID=" + ldb.schema_format_value("objectSID", res[0]["objectSID"][0]) + ">")
-
- attrs = ["cn", "name", "objectClass", "objectGUID", "objectSID", "whenCreated", "nTSecurityDescriptor", "memberOf", "allowedAttributes", "allowedAttributesEffective"]
- print "Testing ldb.search for (&(cn=ldaptestUSer2)(objectClass=user))"
- res_user = ldb.search(self.base_dn, expression="(&(cn=ldaptestUSer2)(objectClass=user))", scope=SCOPE_SUBTREE, attrs=attrs)
- self.assertEquals(len(res_user), 1, "Could not find (&(cn=ldaptestUSer2)(objectClass=user))")
-
- self.assertEquals(str(res_user[0].dn), ("CN=ldaptestuser2,CN=Users," + self.base_dn))
- self.assertEquals(str(res_user[0]["cn"]), "ldaptestuser2")
- self.assertEquals(str(res_user[0]["name"]), "ldaptestuser2")
- self.assertEquals(list(res_user[0]["objectClass"]), ["top", "person", "organizationalPerson", "user"])
- self.assertTrue("objectSid" in res_user[0])
- self.assertTrue("objectGUID" in res_user[0])
- self.assertTrue("whenCreated" in res_user[0])
- self.assertTrue("nTSecurityDescriptor" in res_user[0])
- self.assertTrue("allowedAttributes" in res_user[0])
- self.assertTrue("allowedAttributesEffective" in res_user[0])
- self.assertEquals(res_user[0]["memberOf"][0].upper(), ("CN=ldaptestgroup2,CN=Users," + self.base_dn).upper())
-
- ldaptestuser2_sid = res_user[0]["objectSid"][0]
- ldaptestuser2_guid = res_user[0]["objectGUID"][0]
-
- attrs = ["cn", "name", "objectClass", "objectGUID", "objectSID", "whenCreated", "nTSecurityDescriptor", "member", "allowedAttributes", "allowedAttributesEffective"]
- print "Testing ldb.search for (&(cn=ldaptestgroup2)(objectClass=group))"
- res = ldb.search(self.base_dn, expression="(&(cn=ldaptestgroup2)(objectClass=group))", scope=SCOPE_SUBTREE, attrs=attrs)
- self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestgroup2)(objectClass=group))")
-
- self.assertEquals(str(res[0].dn), ("CN=ldaptestgroup2,CN=Users," + self.base_dn))
- self.assertEquals(str(res[0]["cn"]), "ldaptestgroup2")
- self.assertEquals(str(res[0]["name"]), "ldaptestgroup2")
- self.assertEquals(list(res[0]["objectClass"]), ["top", "group"])
- self.assertTrue("objectGUID" in res[0])
- self.assertTrue("objectSid" in res[0])
- self.assertTrue("whenCreated" in res[0])
- self.assertTrue("nTSecurityDescriptor" in res[0])
- self.assertTrue("allowedAttributes" in res[0])
- self.assertTrue("allowedAttributesEffective" in res[0])
- memberUP = []
- for m in res[0]["member"]:
- memberUP.append(m.upper())
- self.assertTrue(("CN=ldaptestuser2,CN=Users," + self.base_dn).upper() in memberUP)
-
- res = ldb.search(self.base_dn, expression="(&(cn=ldaptestgroup2)(objectClass=group))", scope=SCOPE_SUBTREE, attrs=attrs, controls=["extended_dn:1:1"])
- self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestgroup2)(objectClass=group))")
-
- print res[0]["member"]
- memberUP = []
- for m in res[0]["member"]:
- memberUP.append(m.upper())
- print ("<GUID=" + ldb.schema_format_value("objectGUID", ldaptestuser2_guid) + ">;<SID=" + ldb.schema_format_value("objectSid", ldaptestuser2_sid) + ">;CN=ldaptestuser2,CN=Users," + self.base_dn).upper()
-
- self.assertTrue(("<GUID=" + ldb.schema_format_value("objectGUID", ldaptestuser2_guid) + ">;<SID=" + ldb.schema_format_value("objectSid", ldaptestuser2_sid) + ">;CN=ldaptestuser2,CN=Users," + self.base_dn).upper() in memberUP)
-
- print "Quicktest for linked attributes"
- ldb.modify_ldif("""
-dn: cn=ldaptestgroup2,cn=users,""" + self.base_dn + """
-changetype: modify
-replace: member
-member: CN=ldaptestuser2,CN=Users,""" + self.base_dn + """
-member: CN=ldaptestutf8user èùéìòà,CN=Users,""" + self.base_dn + """
-""")
-
- ldb.modify_ldif("""
-dn: <GUID=""" + ldb.schema_format_value("objectGUID", res[0]["objectGUID"][0]) + """>
-changetype: modify
-replace: member
-member: CN=ldaptestutf8user èùéìòà,CN=Users,""" + self.base_dn + """
-""")
-
- ldb.modify_ldif("""
-dn: <SID=""" + ldb.schema_format_value("objectSid", res[0]["objectSid"][0]) + """>
-changetype: modify
-delete: member
-""")
-
- ldb.modify_ldif("""
-dn: cn=ldaptestgroup2,cn=users,""" + self.base_dn + """
-changetype: modify
-add: member
-member: <GUID=""" + ldb.schema_format_value("objectGUID", res[0]["objectGUID"][0]) + """>
-member: CN=ldaptestutf8user èùéìòà,CN=Users,""" + self.base_dn + """
-""")
-
- ldb.modify_ldif("""
-dn: cn=ldaptestgroup2,cn=users,""" + self.base_dn + """
-changetype: modify
-replace: member
-""")
-
- ldb.modify_ldif("""
-dn: cn=ldaptestgroup2,cn=users,""" + self.base_dn + """
-changetype: modify
-add: member
-member: <SID=""" + ldb.schema_format_value("objectSid", res_user[0]["objectSid"][0]) + """>
-member: CN=ldaptestutf8user èùéìòà,CN=Users,""" + self.base_dn + """
-""")
-
- ldb.modify_ldif("""
-dn: cn=ldaptestgroup2,cn=users,""" + self.base_dn + """
-changetype: modify
-delete: member
-member: CN=ldaptestutf8user èùéìòà,CN=Users,""" + self.base_dn + """
-""")
-
- res = ldb.search(self.base_dn, expression="(&(cn=ldaptestgroup2)(objectClass=group))", scope=SCOPE_SUBTREE, attrs=attrs)
- self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestgroup2)(objectClass=group))")
-
- self.assertEquals(str(res[0].dn), ("CN=ldaptestgroup2,CN=Users," + self.base_dn))
- self.assertEquals(res[0]["member"][0], ("CN=ldaptestuser2,CN=Users," + self.base_dn))
- self.assertEquals(len(res[0]["member"]), 1)
-
- ldb.delete(("CN=ldaptestuser2,CN=Users," + self.base_dn))
-
- time.sleep(4)
-
- attrs = ["cn", "name", "objectClass", "objectGUID", "whenCreated", "nTSecurityDescriptor", "member"]
- print "Testing ldb.search for (&(cn=ldaptestgroup2)(objectClass=group)) to check linked delete"
- res = ldb.search(self.base_dn, expression="(&(cn=ldaptestgroup2)(objectClass=group))", scope=SCOPE_SUBTREE, attrs=attrs)
- self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestgroup2)(objectClass=group)) to check linked delete")
-
- self.assertEquals(str(res[0].dn), ("CN=ldaptestgroup2,CN=Users," + self.base_dn))
- self.assertTrue("member" not in res[0])
-
- print "Testing ldb.search for (&(cn=ldaptestutf8user ÈÙÉÌÒÀ)(objectClass=user))"
-# TODO UTF8 users don't seem to work fully anymore
-# res = ldb.search(expression="(&(cn=ldaptestutf8user ÈÙÉÌÒÀ)(objectClass=user))")
- res = ldb.search(expression="(&(cn=ldaptestutf8user èùéìòà)(objectclass=user))")
- self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestutf8user ÈÙÉÌÒÀ)(objectClass=user))")
-
- self.assertEquals(str(res[0].dn), ("CN=ldaptestutf8user èùéìòà,CN=Users," + self.base_dn))
- self.assertEquals(str(res[0]["cn"]), "ldaptestutf8user èùéìòà")
- self.assertEquals(str(res[0]["name"]), "ldaptestutf8user èùéìòà")
- self.assertEquals(list(res[0]["objectClass"]), ["top", "person", "organizationalPerson", "user"])
- self.assertTrue("objectGUID" in res[0])
- self.assertTrue("whenCreated" in res[0])
-
- ldb.delete(res[0].dn)
-
- print "Testing ldb.search for (&(cn=ldaptestutf8user2*)(objectClass=user))"
- res = ldb.search(expression="(&(cn=ldaptestutf8user2*)(objectClass=user))")
- self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestutf8user2*)(objectClass=user))")
-
- ldb.delete(res[0].dn)
-
- ldb.delete(("CN=ldaptestgroup2,CN=Users," + self.base_dn))
-
- print "Testing ldb.search for (&(cn=ldaptestutf8user2 ÈÙÉÌÒÀ)(objectClass=user))"
-# TODO UTF8 users don't seem to work fully anymore
-# res = ldb.search(expression="(&(cn=ldaptestutf8user ÈÙÉÌÒÀ)(objectClass=user))")
-# self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestutf8user ÈÙÉÌÒÀ)(objectClass=user))")
-
- print "Testing that we can't get at the configuration DN from the main search base"
- res = ldb.search(self.base_dn, expression="objectClass=crossRef", scope=SCOPE_SUBTREE, attrs=["cn"])
- self.assertEquals(len(res), 0)
-
- print "Testing that we can get at the configuration DN from the main search base on the LDAP port with the 'phantom root' search_options control"
- res = ldb.search(self.base_dn, expression="objectClass=crossRef", scope=SCOPE_SUBTREE, attrs=["cn"], controls=["search_options:1:2"])
- self.assertTrue(len(res) > 0)
-
- if gc_ldb is not None:
- print "Testing that we can get at the configuration DN from the main search base on the GC port with the search_options control == 0"
-
- res = gc_ldb.search(self.base_dn, expression="objectClass=crossRef", scope=SCOPE_SUBTREE, attrs=["cn"], controls=["search_options:1:0"])
- self.assertTrue(len(res) > 0)
-
- print "Testing that we do find configuration elements in the global catlog"
- res = gc_ldb.search(self.base_dn, expression="objectClass=crossRef", scope=SCOPE_SUBTREE, attrs=["cn"])
- self.assertTrue(len(res) > 0)
-
- print "Testing that we do find configuration elements and user elements at the same time"
- res = gc_ldb.search(self.base_dn, expression="(|(objectClass=crossRef)(objectClass=person))", scope=SCOPE_SUBTREE, attrs=["cn"])
- self.assertTrue(len(res) > 0)
-
- print "Testing that we do find configuration elements in the global catlog, with the configuration basedn"
- res = gc_ldb.search(self.configuration_dn, expression="objectClass=crossRef", scope=SCOPE_SUBTREE, attrs=["cn"])
- self.assertTrue(len(res) > 0)
-
- print "Testing that we can get at the configuration DN on the main LDAP port"
- res = ldb.search(self.configuration_dn, expression="objectClass=crossRef", scope=SCOPE_SUBTREE, attrs=["cn"])
- self.assertTrue(len(res) > 0)
-
- print "Testing objectCategory canonacolisation"
- res = ldb.search(self.configuration_dn, expression="objectCategory=ntDsDSA", scope=SCOPE_SUBTREE, attrs=["cn"])
- self.assertTrue(len(res) > 0, "Didn't find any records with objectCategory=ntDsDSA")
- self.assertTrue(len(res) != 0)
-
- res = ldb.search(self.configuration_dn, expression="objectCategory=CN=ntDs-DSA," + self.schema_dn, scope=SCOPE_SUBTREE, attrs=["cn"])
- self.assertTrue(len(res) > 0, "Didn't find any records with objectCategory=CN=ntDs-DSA," + self.schema_dn)
- self.assertTrue(len(res) != 0)
-
- print "Testing objectClass attribute order on "+ self.base_dn
- res = ldb.search(expression="objectClass=domain", base=self.base_dn,
- scope=SCOPE_BASE, attrs=["objectClass"])
- self.assertEquals(len(res), 1)
-
- self.assertEquals(list(res[0]["objectClass"]), ["top", "domain", "domainDNS"])
-
- # check enumeration
-
- print "Testing ldb.search for objectCategory=person"
- res = ldb.search(self.base_dn, expression="objectCategory=person", scope=SCOPE_SUBTREE, attrs=["cn"])
- self.assertTrue(len(res) > 0)
-
- print "Testing ldb.search for objectCategory=person with domain scope control"
- res = ldb.search(self.base_dn, expression="objectCategory=person", scope=SCOPE_SUBTREE, attrs=["cn"], controls=["domain_scope:1"])
- self.assertTrue(len(res) > 0)
-
- print "Testing ldb.search for objectCategory=user"
- res = ldb.search(self.base_dn, expression="objectCategory=user", scope=SCOPE_SUBTREE, attrs=["cn"])
- self.assertTrue(len(res) > 0)
-
- print "Testing ldb.search for objectCategory=user with domain scope control"
- res = ldb.search(self.base_dn, expression="objectCategory=user", scope=SCOPE_SUBTREE, attrs=["cn"], controls=["domain_scope:1"])
- self.assertTrue(len(res) > 0)
-
- print "Testing ldb.search for objectCategory=group"
- res = ldb.search(self.base_dn, expression="objectCategory=group", scope=SCOPE_SUBTREE, attrs=["cn"])
- self.assertTrue(len(res) > 0)
-
- print "Testing ldb.search for objectCategory=group with domain scope control"
- res = ldb.search(self.base_dn, expression="objectCategory=group", scope=SCOPE_SUBTREE, attrs=["cn"], controls=["domain_scope:1"])
- self.assertTrue(len(res) > 0)
-
- print "Testing creating a user with the posixAccount objectClass"
- self.ldb.add_ldif("""dn: cn=posixuser,CN=Users,%s
-objectClass: top
-objectClass: person
-objectClass: posixAccount
-objectClass: user
-objectClass: organizationalPerson
-cn: posixuser
-uid: posixuser
-sn: posixuser
-uidNumber: 10126
-gidNumber: 10126
-homeDirectory: /home/posixuser
-loginShell: /bin/bash
-gecos: Posix User;;;
-description: A POSIX user"""% (self.base_dn))
-
- print "Testing removing the posixAccount objectClass from an existing user"
- self.ldb.modify_ldif("""dn: cn=posixuser,CN=Users,%s
-changetype: modify
-delete: objectClass
-objectClass: posixAccount"""% (self.base_dn))
-
- print "Testing adding the posixAccount objectClass to an existing user"
- self.ldb.modify_ldif("""dn: cn=posixuser,CN=Users,%s
-changetype: modify
-add: objectClass
-objectClass: posixAccount"""% (self.base_dn))
-
- self.delete_force(self.ldb, "cn=posixuser,cn=users," + self.base_dn)
- self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- self.delete_force(self.ldb, "cn=ldaptestuser2,cn=users," + self.base_dn)
- self.delete_force(self.ldb, "cn=ldaptestuser3,cn=users," + self.base_dn)
- self.delete_force(self.ldb, "cn=ldaptestuser4,cn=ldaptestcontainer," + self.base_dn)
- self.delete_force(self.ldb, "cn=ldaptestuser4,cn=ldaptestcontainer2," + self.base_dn)
- self.delete_force(self.ldb, "cn=ldaptestuser5,cn=users," + self.base_dn)
- self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
- self.delete_force(self.ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
- self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
- self.delete_force(self.ldb, "cn=ldaptest2computer,cn=computers," + self.base_dn)
- self.delete_force(self.ldb, "cn=ldaptestcomputer3,cn=computers," + self.base_dn)
- self.delete_force(self.ldb, "cn=ldaptestutf8user èùéìòà,cn=users," + self.base_dn)
- self.delete_force(self.ldb, "cn=ldaptestutf8user2 èùéìòà,cn=users," + self.base_dn)
- self.delete_force(self.ldb, "cn=ldaptestcontainer," + self.base_dn)
- self.delete_force(self.ldb, "cn=ldaptestcontainer2," + self.base_dn)
-
- def test_security_descriptor_add(self):
- """ Testing ldb.add_ldif() for nTSecurityDescriptor """
- user_name = "testdescriptoruser1"
- user_dn = "CN=%s,CN=Users,%s" % (user_name, self.base_dn)
- #
- # Test add_ldif() with SDDL security descriptor input
- #
- self.delete_force(self.ldb, user_dn)
- try:
- sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI"
- self.ldb.add_ldif("""
-dn: """ + user_dn + """
-objectclass: user
-sAMAccountName: """ + user_name + """
-nTSecurityDescriptor: """ + sddl)
- res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
- desc = res[0]["nTSecurityDescriptor"][0]
- desc = ndr_unpack( security.descriptor, desc )
- desc_sddl = desc.as_sddl( self.domain_sid )
- self.assertEqual(desc_sddl, sddl)
- finally:
- self.delete_force(self.ldb, user_dn)
- #
- # Test add_ldif() with BASE64 security descriptor
- #
- try:
- sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI"
- desc = security.descriptor.from_sddl(sddl, self.domain_sid)
- desc_binary = ndr_pack(desc)
- desc_base64 = base64.b64encode(desc_binary)
- self.ldb.add_ldif("""
-dn: """ + user_dn + """
-objectclass: user
-sAMAccountName: """ + user_name + """
-nTSecurityDescriptor:: """ + desc_base64)
- res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
- desc = res[0]["nTSecurityDescriptor"][0]
- desc = ndr_unpack(security.descriptor, desc)
- desc_sddl = desc.as_sddl(self.domain_sid)
- self.assertEqual(desc_sddl, sddl)
- finally:
- self.delete_force(self.ldb, user_dn)
-
- def test_security_descriptor_add_neg(self):
- """Test add_ldif() with BASE64 security descriptor input using WRONG domain SID
- Negative test
- """
- user_name = "testdescriptoruser1"
- user_dn = "CN=%s,CN=Users,%s" % (user_name, self.base_dn)
- self.delete_force(self.ldb, user_dn)
- try:
- sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI"
- desc = security.descriptor.from_sddl(sddl, security.dom_sid('S-1-5-21'))
- desc_base64 = base64.b64encode( ndr_pack(desc) )
- self.ldb.add_ldif("""
-dn: """ + user_dn + """
-objectclass: user
-sAMAccountName: """ + user_name + """
-nTSecurityDescriptor:: """ + desc_base64)
- res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
- self.assertTrue("nTSecurityDescriptor" in res[0])
- finally:
- self.delete_force(self.ldb, user_dn)
-
- def test_security_descriptor_modify(self):
- """ Testing ldb.modify_ldif() for nTSecurityDescriptor """
- user_name = "testdescriptoruser2"
- user_dn = "CN=%s,CN=Users,%s" % (user_name, self.base_dn)
- #
- # Delete user object and test modify_ldif() with SDDL security descriptor input
- # Add ACE to the original descriptor test
- #
- try:
- self.delete_force(self.ldb, user_dn)
- self.ldb.add_ldif("""
-dn: """ + user_dn + """
-objectclass: user
-sAMAccountName: """ + user_name)
- # Modify descriptor
- res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
- desc = res[0]["nTSecurityDescriptor"][0]
- desc = ndr_unpack(security.descriptor, desc)
- desc_sddl = desc.as_sddl(self.domain_sid)
- sddl = desc_sddl[:desc_sddl.find("(")] + "(A;;RPWP;;;AU)" + desc_sddl[desc_sddl.find("("):]
- mod = """
-dn: """ + user_dn + """
-changetype: modify
-replace: nTSecurityDescriptor
-nTSecurityDescriptor: """ + sddl
- self.ldb.modify_ldif(mod)
- # Read modified descriptor
- res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
- desc = res[0]["nTSecurityDescriptor"][0]
- desc = ndr_unpack(security.descriptor, desc)
- desc_sddl = desc.as_sddl(self.domain_sid)
- self.assertEqual(desc_sddl, sddl)
- finally:
- self.delete_force(self.ldb, user_dn)
- #
- # Test modify_ldif() with SDDL security descriptor input
- # New desctiptor test
- #
- try:
- self.ldb.add_ldif("""
-dn: """ + user_dn + """
-objectclass: user
-sAMAccountName: """ + user_name)
- # Modify descriptor
- sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI"
- mod = """
-dn: """ + user_dn + """
-changetype: modify
-replace: nTSecurityDescriptor
-nTSecurityDescriptor: """ + sddl
- self.ldb.modify_ldif(mod)
- # Read modified descriptor
- res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
- desc = res[0]["nTSecurityDescriptor"][0]
- desc = ndr_unpack(security.descriptor, desc)
- desc_sddl = desc.as_sddl(self.domain_sid)
- self.assertEqual(desc_sddl, sddl)
- finally:
- self.delete_force(self.ldb, user_dn)
- #
- # Test modify_ldif() with BASE64 security descriptor input
- # Add ACE to the original descriptor test
- #
- try:
- self.ldb.add_ldif("""
-dn: """ + user_dn + """
-objectclass: user
-sAMAccountName: """ + user_name)
- # Modify descriptor
- res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
- desc = res[0]["nTSecurityDescriptor"][0]
- desc = ndr_unpack(security.descriptor, desc)
- desc_sddl = desc.as_sddl(self.domain_sid)
- sddl = desc_sddl[:desc_sddl.find("(")] + "(A;;RPWP;;;AU)" + desc_sddl[desc_sddl.find("("):]
- desc = security.descriptor.from_sddl(sddl, self.domain_sid)
- desc_base64 = base64.b64encode(ndr_pack(desc))
- mod = """
-dn: """ + user_dn + """
-changetype: modify
-replace: nTSecurityDescriptor
-nTSecurityDescriptor:: """ + desc_base64
- self.ldb.modify_ldif(mod)
- # Read modified descriptor
- res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
- desc = res[0]["nTSecurityDescriptor"][0]
- desc = ndr_unpack(security.descriptor, desc)
- desc_sddl = desc.as_sddl(self.domain_sid)
- self.assertEqual(desc_sddl, sddl)
- finally:
- self.delete_force(self.ldb, user_dn)
- #
- # Test modify_ldif() with BASE64 security descriptor input
- # New descriptor test
- #
- try:
- self.delete_force(self.ldb, user_dn)
- self.ldb.add_ldif("""
-dn: """ + user_dn + """
-objectclass: user
-sAMAccountName: """ + user_name)
- # Modify descriptor
- sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI"
- desc = security.descriptor.from_sddl(sddl, self.domain_sid)
- desc_base64 = base64.b64encode(ndr_pack(desc))
- mod = """
-dn: """ + user_dn + """
-changetype: modify
-replace: nTSecurityDescriptor
-nTSecurityDescriptor:: """ + desc_base64
- self.ldb.modify_ldif(mod)
- # Read modified descriptor
- res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
- desc = res[0]["nTSecurityDescriptor"][0]
- desc = ndr_unpack(security.descriptor, desc)
- desc_sddl = desc.as_sddl(self.domain_sid)
- self.assertEqual(desc_sddl, sddl)
- finally:
- self.delete_force(self.ldb, user_dn)
-
-
-class BaseDnTests(unittest.TestCase):
-
- def setUp(self):
- super(BaseDnTests, self).setUp()
- self.ldb = ldb
-
- def test_rootdse_attrs(self):
- """Testing for all rootDSE attributes"""
- res = self.ldb.search(scope=SCOPE_BASE, attrs=[])
- self.assertEquals(len(res), 1)
-
- def test_highestcommittedusn(self):
- """Testing for highestCommittedUSN"""
- res = self.ldb.search("", scope=SCOPE_BASE, attrs=["highestCommittedUSN"])
- self.assertEquals(len(res), 1)
- self.assertTrue(int(res[0]["highestCommittedUSN"][0]) != 0)
-
- def test_netlogon(self):
- """Testing for netlogon via LDAP"""
- res = self.ldb.search("", scope=SCOPE_BASE, attrs=["netlogon"])
- self.assertEquals(len(res), 0)
-
- def test_netlogon_highestcommitted_usn(self):
- """Testing for netlogon and highestCommittedUSN via LDAP"""
- res = self.ldb.search("", scope=SCOPE_BASE,
- attrs=["netlogon", "highestCommittedUSN"])
- self.assertEquals(len(res), 0)
-
- def test_namingContexts(self):
- """Testing for namingContexts in rootDSE"""
- res = self.ldb.search("", scope=SCOPE_BASE,
- attrs=["namingContexts", "defaultNamingContext", "schemaNamingContext", "configurationNamingContext"])
- self.assertEquals(len(res), 1)
-
- ncs = set([])
- for nc in res[0]["namingContexts"]:
- self.assertTrue(nc not in ncs)
- ncs.add(nc)
-
- self.assertTrue(res[0]["defaultNamingContext"][0] in ncs)
- self.assertTrue(res[0]["configurationNamingContext"][0] in ncs)
- self.assertTrue(res[0]["schemaNamingContext"][0] in ncs)
-
-
-if not "://" in host:
- if os.path.isfile(host):
- host = "tdb://%s" % host
- else:
- host = "ldap://%s" % host
-
-ldb = Ldb(host, credentials=creds, session_info=system_session(), lp=lp)
-if not "tdb://" in host:
- gc_ldb = Ldb("%s:3268" % host, credentials=creds,
- session_info=system_session(), lp=lp)
-else:
- gc_ldb = None
-
-runner = SubunitTestRunner()
-rc = 0
-if not runner.run(unittest.makeSuite(BaseDnTests)).wasSuccessful():
- rc = 1
-if not runner.run(unittest.makeSuite(BasicTests)).wasSuccessful():
- rc = 1
-sys.exit(rc)
diff --git a/source4/lib/ldb/tests/python/ldap_schema.py b/source4/lib/ldb/tests/python/ldap_schema.py
deleted file mode 100755
index 270e22adb1..0000000000
--- a/source4/lib/ldb/tests/python/ldap_schema.py
+++ /dev/null
@@ -1,556 +0,0 @@
-#!/usr/bin/env python
-# -*- coding: utf-8 -*-
-# This is a port of the original in testprogs/ejs/ldap.js
-
-import optparse
-import sys
-import time
-import random
-import os
-
-sys.path.append("bin/python")
-import samba
-samba.ensure_external_module("subunit", "subunit/python")
-samba.ensure_external_module("testtools", "testtools")
-
-import samba.getopt as options
-
-from samba.auth import system_session
-from ldb import SCOPE_ONELEVEL, SCOPE_BASE, LdbError
-from ldb import ERR_NO_SUCH_OBJECT
-from ldb import ERR_UNWILLING_TO_PERFORM
-from ldb import ERR_CONSTRAINT_VIOLATION
-from ldb import Message, MessageElement, Dn
-from ldb import FLAG_MOD_REPLACE
-from samba import Ldb
-from samba.dsdb import DS_DOMAIN_FUNCTION_2003
-
-from subunit.run import SubunitTestRunner
-import unittest
-
-parser = optparse.OptionParser("ldap [options] <host>")
-sambaopts = options.SambaOptions(parser)
-parser.add_option_group(sambaopts)
-parser.add_option_group(options.VersionOptions(parser))
-# use command line creds if available
-credopts = options.CredentialsOptions(parser)
-parser.add_option_group(credopts)
-opts, args = parser.parse_args()
-
-if len(args) < 1:
- parser.print_usage()
- sys.exit(1)
-
-host = args[0]
-
-lp = sambaopts.get_loadparm()
-creds = credopts.get_credentials(lp)
-
-
-class SchemaTests(unittest.TestCase):
-
- def delete_force(self, ldb, dn):
- try:
- ldb.delete(dn)
- except LdbError, (num, _):
- self.assertEquals(num, ERR_NO_SUCH_OBJECT)
-
- def find_schemadn(self, ldb):
- res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["schemaNamingContext"])
- self.assertEquals(len(res), 1)
- return res[0]["schemaNamingContext"][0]
-
- def find_basedn(self, ldb):
- res = ldb.search(base="", expression="", scope=SCOPE_BASE,
- attrs=["defaultNamingContext"])
- self.assertEquals(len(res), 1)
- return res[0]["defaultNamingContext"][0]
-
- def setUp(self):
- super(SchemaTests, self).setUp()
- self.ldb = ldb
- self.schema_dn = self.find_schemadn(ldb)
- self.base_dn = self.find_basedn(ldb)
-
- def test_generated_schema(self):
- """Testing we can read the generated schema via LDAP"""
- res = self.ldb.search("cn=aggregate,"+self.schema_dn, scope=SCOPE_BASE,
- attrs=["objectClasses", "attributeTypes", "dITContentRules"])
- self.assertEquals(len(res), 1)
- self.assertTrue("dITContentRules" in res[0])
- self.assertTrue("objectClasses" in res[0])
- self.assertTrue("attributeTypes" in res[0])
-
- def test_generated_schema_is_operational(self):
- """Testing we don't get the generated schema via LDAP by default"""
- res = self.ldb.search("cn=aggregate,"+self.schema_dn, scope=SCOPE_BASE,
- attrs=["*"])
- self.assertEquals(len(res), 1)
- self.assertFalse("dITContentRules" in res[0])
- self.assertFalse("objectClasses" in res[0])
- self.assertFalse("attributeTypes" in res[0])
-
- def test_schemaUpdateNow(self):
- """Testing schemaUpdateNow"""
- attr_name = "test-Attr" + time.strftime("%s", time.gmtime())
- attr_ldap_display_name = attr_name.replace("-", "")
-
- ldif = """
-dn: CN=%s,%s""" % (attr_name, self.schema_dn) + """
-objectClass: top
-objectClass: attributeSchema
-adminDescription: """ + attr_name + """
-adminDisplayName: """ + attr_name + """
-cn: """ + attr_name + """
-attributeId: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9940
-attributeSyntax: 2.5.5.12
-omSyntax: 64
-instanceType: 4
-isSingleValued: TRUE
-systemOnly: FALSE
-"""
- self.ldb.add_ldif(ldif)
-
- # Search for created attribute
- res = []
- res = self.ldb.search("cn=%s,%s" % (attr_name, self.schema_dn), scope=SCOPE_BASE, attrs=["*"])
- self.assertEquals(len(res), 1)
- self.assertEquals(res[0]["lDAPDisplayName"][0], attr_ldap_display_name)
- self.assertTrue("schemaIDGUID" in res[0])
-
- # Samba requires a "schemaUpdateNow" here.
- # TODO: remove this when Samba is fixed
- ldif = """
-dn:
-changetype: modify
-add: schemaUpdateNow
-schemaUpdateNow: 1
-"""
- self.ldb.modify_ldif(ldif)
-
- class_name = "test-Class" + time.strftime("%s", time.gmtime())
- class_ldap_display_name = class_name.replace("-", "")
-
- # First try to create a class with a wrong "defaultObjectCategory"
- ldif = """
-dn: CN=%s,%s""" % (class_name, self.schema_dn) + """
-objectClass: top
-objectClass: classSchema
-defaultObjectCategory: CN=_
-adminDescription: """ + class_name + """
-adminDisplayName: """ + class_name + """
-cn: """ + class_name + """
-governsId: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939
-instanceType: 4
-objectClassCategory: 1
-subClassOf: organizationalPerson
-systemFlags: 16
-rDNAttID: cn
-systemMustContain: cn
-systemMustContain: """ + attr_ldap_display_name + """
-systemOnly: FALSE
-"""
- try:
- self.ldb.add_ldif(ldif)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
-
- ldif = """
-dn: CN=%s,%s""" % (class_name, self.schema_dn) + """
-objectClass: top
-objectClass: classSchema
-adminDescription: """ + class_name + """
-adminDisplayName: """ + class_name + """
-cn: """ + class_name + """
-governsId: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939
-instanceType: 4
-objectClassCategory: 1
-subClassOf: organizationalPerson
-systemFlags: 16
-rDNAttID: cn
-systemMustContain: cn
-systemMustContain: """ + attr_ldap_display_name + """
-systemOnly: FALSE
-"""
- self.ldb.add_ldif(ldif)
-
- # Search for created objectclass
- res = []
- res = self.ldb.search("cn=%s,%s" % (class_name, self.schema_dn), scope=SCOPE_BASE, attrs=["*"])
- self.assertEquals(len(res), 1)
- self.assertEquals(res[0]["lDAPDisplayName"][0], class_ldap_display_name)
- self.assertEquals(res[0]["defaultObjectCategory"][0], res[0]["distinguishedName"][0])
- self.assertTrue("schemaIDGUID" in res[0])
-
- ldif = """
-dn:
-changetype: modify
-add: schemaUpdateNow
-schemaUpdateNow: 1
-"""
- self.ldb.modify_ldif(ldif)
-
- object_name = "obj" + time.strftime("%s", time.gmtime())
-
- ldif = """
-dn: CN=%s,CN=Users,%s"""% (object_name, self.base_dn) + """
-objectClass: organizationalPerson
-objectClass: person
-objectClass: """ + class_ldap_display_name + """
-objectClass: top
-cn: """ + object_name + """
-instanceType: 4
-objectCategory: CN=%s,%s"""% (class_name, self.schema_dn) + """
-distinguishedName: CN=%s,CN=Users,%s"""% (object_name, self.base_dn) + """
-name: """ + object_name + """
-""" + attr_ldap_display_name + """: test
-"""
- self.ldb.add_ldif(ldif)
-
- # Search for created object
- res = []
- res = self.ldb.search("cn=%s,cn=Users,%s" % (object_name, self.base_dn), scope=SCOPE_BASE, attrs=["*"])
- self.assertEquals(len(res), 1)
- # Delete the object
- self.delete_force(self.ldb, "cn=%s,cn=Users,%s" % (object_name, self.base_dn))
-
-
-class SchemaTests_msDS_IntId(unittest.TestCase):
-
- def setUp(self):
- super(SchemaTests_msDS_IntId, self).setUp()
- self.ldb = ldb
- res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"])
- self.assertEquals(len(res), 1)
- self.schema_dn = res[0]["schemaNamingContext"][0]
- self.base_dn = res[0]["defaultNamingContext"][0]
- self.forest_level = int(res[0]["forestFunctionality"][0])
-
- def _ldap_schemaUpdateNow(self):
- ldif = """
-dn:
-changetype: modify
-add: schemaUpdateNow
-schemaUpdateNow: 1
-"""
- self.ldb.modify_ldif(ldif)
-
- def _make_obj_names(self, prefix):
- class_name = prefix + time.strftime("%s", time.gmtime())
- class_ldap_name = class_name.replace("-", "")
- class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
- return (class_name, class_ldap_name, class_dn)
-
- def _is_schema_base_object(self, ldb_msg):
- """Test systemFlags for SYSTEM_FLAG_SCHEMA_BASE_OBJECT (16)"""
- systemFlags = 0
- if "systemFlags" in ldb_msg:
- systemFlags = int(ldb_msg["systemFlags"][0])
- return (systemFlags & 16) != 0
-
- def _make_attr_ldif(self, attr_name, attr_dn):
- ldif = """
-dn: """ + attr_dn + """
-objectClass: top
-objectClass: attributeSchema
-adminDescription: """ + attr_name + """
-adminDisplayName: """ + attr_name + """
-cn: """ + attr_name + """
-attributeId: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9940
-attributeSyntax: 2.5.5.12
-omSyntax: 64
-instanceType: 4
-isSingleValued: TRUE
-systemOnly: FALSE
-"""
- return ldif
-
- def test_msDS_IntId_on_attr(self):
- """Testing msDs-IntId creation for Attributes.
- See MS-ADTS - 3.1.1.Attributes
-
- This test should verify that:
- - Creating attribute with 'msDS-IntId' fails with ERR_UNWILLING_TO_PERFORM
- - Adding 'msDS-IntId' on existing attribute fails with ERR_CONSTRAINT_VIOLATION
- - Creating attribute with 'msDS-IntId' set and FLAG_SCHEMA_BASE_OBJECT flag
- set fails with ERR_UNWILLING_TO_PERFORM
- - Attributes created with FLAG_SCHEMA_BASE_OBJECT not set have
- 'msDS-IntId' attribute added internally
- """
-
- # 1. Create attribute without systemFlags
- # msDS-IntId should be created if forest functional
- # level is >= DS_DOMAIN_FUNCTION_2003
- # and missing otherwise
- (attr_name, attr_ldap_name, attr_dn) = self._make_obj_names("msDS-IntId-Attr-1-")
- ldif = self._make_attr_ldif(attr_name, attr_dn)
-
- # try to add msDS-IntId during Attribute creation
- ldif_fail = ldif + "msDS-IntId: -1993108831\n"
- try:
- self.ldb.add_ldif(ldif_fail)
- self.fail("Adding attribute with preset msDS-IntId should fail")
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
- # add the new attribute and update schema
- self.ldb.add_ldif(ldif)
- self._ldap_schemaUpdateNow()
-
- # Search for created attribute
- res = []
- res = self.ldb.search(attr_dn, scope=SCOPE_BASE, attrs=["*"])
- self.assertEquals(len(res), 1)
- self.assertEquals(res[0]["lDAPDisplayName"][0], attr_ldap_name)
- if self.forest_level >= DS_DOMAIN_FUNCTION_2003:
- if self._is_schema_base_object(res[0]):
- self.assertTrue("msDS-IntId" not in res[0])
- else:
- self.assertTrue("msDS-IntId" in res[0])
- else:
- self.assertTrue("msDS-IntId" not in res[0])
-
- msg = Message()
- msg.dn = Dn(self.ldb, attr_dn)
- msg["msDS-IntId"] = MessageElement("-1993108831", FLAG_MOD_REPLACE, "msDS-IntId")
- try:
- self.ldb.modify(msg)
- self.fail("Modifying msDS-IntId should return error")
- except LdbError, (num, _):
- self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
-
- # 2. Create attribute with systemFlags = FLAG_SCHEMA_BASE_OBJECT
- # msDS-IntId should be created if forest functional
- # level is >= DS_DOMAIN_FUNCTION_2003
- # and missing otherwise
- (attr_name, attr_ldap_name, attr_dn) = self._make_obj_names("msDS-IntId-Attr-2-")
- ldif = self._make_attr_ldif(attr_name, attr_dn)
- ldif += "systemFlags: 16\n"
-
- # try to add msDS-IntId during Attribute creation
- ldif_fail = ldif + "msDS-IntId: -1993108831\n"
- try:
- self.ldb.add_ldif(ldif_fail)
- self.fail("Adding attribute with preset msDS-IntId should fail")
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
- # add the new attribute and update schema
- self.ldb.add_ldif(ldif)
- self._ldap_schemaUpdateNow()
-
- # Search for created attribute
- res = []
- res = self.ldb.search(attr_dn, scope=SCOPE_BASE, attrs=["*"])
- self.assertEquals(len(res), 1)
- self.assertEquals(res[0]["lDAPDisplayName"][0], attr_ldap_name)
- if self.forest_level >= DS_DOMAIN_FUNCTION_2003:
- if self._is_schema_base_object(res[0]):
- self.assertTrue("msDS-IntId" not in res[0])
- else:
- self.assertTrue("msDS-IntId" in res[0])
- else:
- self.assertTrue("msDS-IntId" not in res[0])
-
- msg = Message()
- msg.dn = Dn(self.ldb, attr_dn)
- msg["msDS-IntId"] = MessageElement("-1993108831", FLAG_MOD_REPLACE, "msDS-IntId")
- try:
- self.ldb.modify(msg)
- self.fail("Modifying msDS-IntId should return error")
- except LdbError, (num, _):
- self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
-
-
- def _make_class_ldif(self, class_dn, class_name):
- ldif = """
-dn: """ + class_dn + """
-objectClass: top
-objectClass: classSchema
-adminDescription: """ + class_name + """
-adminDisplayName: """ + class_name + """
-cn: """ + class_name + """
-governsId: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939
-instanceType: 4
-objectClassCategory: 1
-subClassOf: organizationalPerson
-rDNAttID: cn
-systemMustContain: cn
-systemOnly: FALSE
-"""
- return ldif
-
- def test_msDS_IntId_on_class(self):
- """Testing msDs-IntId creation for Class
- Reference: MS-ADTS - 3.1.1.2.4.8 Class classSchema"""
-
- # 1. Create Class without systemFlags
- # msDS-IntId should be created if forest functional
- # level is >= DS_DOMAIN_FUNCTION_2003
- # and missing otherwise
- (class_name, class_ldap_name, class_dn) = self._make_obj_names("msDS-IntId-Class-1-")
- ldif = self._make_class_ldif(class_dn, class_name)
-
- # try to add msDS-IntId during Class creation
- ldif_add = ldif + "msDS-IntId: -1993108831\n"
- self.ldb.add_ldif(ldif_add)
- self._ldap_schemaUpdateNow()
-
- res = self.ldb.search(class_dn, scope=SCOPE_BASE, attrs=["*"])
- self.assertEquals(len(res), 1)
- self.assertEquals(res[0]["msDS-IntId"][0], "-1993108831")
-
- # add a new Class and update schema
- (class_name, class_ldap_name, class_dn) = self._make_obj_names("msDS-IntId-Class-2-")
- ldif = self._make_class_ldif(class_dn, class_name)
-
- self.ldb.add_ldif(ldif)
- self._ldap_schemaUpdateNow()
-
- # Search for created Class
- res = self.ldb.search(class_dn, scope=SCOPE_BASE, attrs=["*"])
- self.assertEquals(len(res), 1)
- self.assertFalse("msDS-IntId" in res[0])
-
- msg = Message()
- msg.dn = Dn(self.ldb, class_dn)
- msg["msDS-IntId"] = MessageElement("-1993108831", FLAG_MOD_REPLACE, "msDS-IntId")
- try:
- self.ldb.modify(msg)
- self.fail("Modifying msDS-IntId should return error")
- except LdbError, (num, _):
- self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
-
- # 2. Create Class with systemFlags = FLAG_SCHEMA_BASE_OBJECT
- # msDS-IntId should be created if forest functional
- # level is >= DS_DOMAIN_FUNCTION_2003
- # and missing otherwise
- (class_name, class_ldap_name, class_dn) = self._make_obj_names("msDS-IntId-Class-3-")
- ldif = self._make_class_ldif(class_dn, class_name)
- ldif += "systemFlags: 16\n"
-
- # try to add msDS-IntId during Class creation
- ldif_add = ldif + "msDS-IntId: -1993108831\n"
- self.ldb.add_ldif(ldif_add)
-
- res = self.ldb.search(class_dn, scope=SCOPE_BASE, attrs=["*"])
- self.assertEquals(len(res), 1)
- self.assertEquals(res[0]["msDS-IntId"][0], "-1993108831")
-
- # add the new Class and update schema
- (class_name, class_ldap_name, class_dn) = self._make_obj_names("msDS-IntId-Class-4-")
- ldif = self._make_class_ldif(class_dn, class_name)
- ldif += "systemFlags: 16\n"
-
- self.ldb.add_ldif(ldif)
- self._ldap_schemaUpdateNow()
-
- # Search for created Class
- res = self.ldb.search(class_dn, scope=SCOPE_BASE, attrs=["*"])
- self.assertEquals(len(res), 1)
- self.assertFalse("msDS-IntId" in res[0])
-
- msg = Message()
- msg.dn = Dn(self.ldb, class_dn)
- msg["msDS-IntId"] = MessageElement("-1993108831", FLAG_MOD_REPLACE, "msDS-IntId")
- try:
- self.ldb.modify(msg)
- self.fail("Modifying msDS-IntId should return error")
- except LdbError, (num, _):
- self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
- res = self.ldb.search(class_dn, scope=SCOPE_BASE, attrs=["*"])
- self.assertEquals(len(res), 1)
- self.assertFalse("msDS-IntId" in res[0])
-
-
- def test_verify_msDS_IntId(self):
- """Verify msDS-IntId exists only on attributes without FLAG_SCHEMA_BASE_OBJECT flag set"""
- count = 0
- res = self.ldb.search(self.schema_dn, scope=SCOPE_ONELEVEL,
- expression="objectClass=attributeSchema",
- attrs=["systemFlags", "msDS-IntId", "attributeID", "cn"])
- self.assertTrue(len(res) > 1)
- for ldb_msg in res:
- if self.forest_level >= DS_DOMAIN_FUNCTION_2003:
- if self._is_schema_base_object(ldb_msg):
- self.assertTrue("msDS-IntId" not in ldb_msg)
- else:
- # don't assert here as there are plenty of
- # attributes under w2k8 that are not part of
- # Base Schema (SYSTEM_FLAG_SCHEMA_BASE_OBJECT flag not set)
- # has not msDS-IntId attribute set
- #self.assertTrue("msDS-IntId" in ldb_msg, "msDS-IntId expected on: %s" % ldb_msg.dn)
- if "msDS-IntId" not in ldb_msg:
- count = count + 1
- print "%3d warning: msDS-IntId expected on: %-30s %s" % (count, ldb_msg["attributeID"], ldb_msg["cn"])
- else:
- self.assertTrue("msDS-IntId" not in ldb_msg)
-
-
-class SchemaTests_msDS_isRODC(unittest.TestCase):
-
- def setUp(self):
- super(SchemaTests_msDS_isRODC, self).setUp()
- self.ldb = ldb
- res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"])
- self.assertEquals(len(res), 1)
- self.base_dn = res[0]["defaultNamingContext"][0]
-
- def test_objectClass_ntdsdsa(self):
- res = self.ldb.search(self.base_dn, expression="objectClass=nTDSDSA",
- attrs=["msDS-isRODC"], controls=["search_options:1:2"])
- for ldb_msg in res:
- self.assertTrue("msDS-isRODC" in ldb_msg)
-
- def test_objectClass_server(self):
- res = self.ldb.search(self.base_dn, expression="objectClass=server",
- attrs=["msDS-isRODC"], controls=["search_options:1:2"])
- for ldb_msg in res:
- ntds_search_dn = "CN=NTDS Settings,%s" % ldb_msg['dn']
- try:
- res_check = self.ldb.search(ntds_search_dn, attrs=["objectCategory"])
- except LdbError, (num, _):
- self.assertEquals(num, ERR_NO_SUCH_OBJECT)
- print("Server entry %s doesn't have a NTDS settings object" % res[0]['dn'])
- else:
- self.assertTrue("objectCategory" in res_check[0])
- self.assertTrue("msDS-isRODC" in ldb_msg)
-
- def test_objectClass_computer(self):
- res = self.ldb.search(self.base_dn, expression="objectClass=computer",
- attrs=["serverReferenceBL","msDS-isRODC"], controls=["search_options:1:2"])
- for ldb_msg in res:
- if "serverReferenceBL" not in ldb_msg:
- print("Computer entry %s doesn't have a serverReferenceBL attribute" % ldb_msg['dn'])
- else:
- self.assertTrue("msDS-isRODC" in ldb_msg)
-
-if not "://" in host:
- if os.path.isfile(host):
- host = "tdb://%s" % host
- else:
- host = "ldap://%s" % host
-
-ldb_options = []
-if host.startswith("ldap://"):
- # user 'paged_search' module when connecting remotely
- ldb_options = ["modules:paged_searches"]
-
-ldb = Ldb(host, credentials=creds, session_info=system_session(), lp=lp, options=ldb_options)
-if not "tdb://" in host:
- gc_ldb = Ldb("%s:3268" % host, credentials=creds,
- session_info=system_session(), lp=lp)
-else:
- gc_ldb = None
-
-runner = SubunitTestRunner()
-rc = 0
-if not runner.run(unittest.makeSuite(SchemaTests)).wasSuccessful():
- rc = 1
-if not runner.run(unittest.makeSuite(SchemaTests_msDS_IntId)).wasSuccessful():
- rc = 1
-if not runner.run(unittest.makeSuite(SchemaTests_msDS_isRODC)).wasSuccessful():
- rc = 1
-
-sys.exit(rc)
diff --git a/source4/lib/ldb/tests/python/passwords.py b/source4/lib/ldb/tests/python/passwords.py
deleted file mode 100755
index fd2ed1c105..0000000000
--- a/source4/lib/ldb/tests/python/passwords.py
+++ /dev/null
@@ -1,615 +0,0 @@
-#!/usr/bin/env python
-# -*- coding: utf-8 -*-
-# This tests the password changes over LDAP for AD implementations
-#
-# Copyright Matthias Dieter Wallnoefer 2010
-#
-# Notice: This tests will also work against Windows Server if the connection is
-# secured enough (SASL with a minimum of 128 Bit encryption) - consider
-# MS-ADTS 3.1.1.3.1.5
-#
-# Important: Make sure that the minimum password age is set to "0"!
-
-import optparse
-import sys
-import base64
-import os
-
-sys.path.append("bin/python")
-import samba
-samba.ensure_external_module("subunit", "subunit/python")
-samba.ensure_external_module("testtools", "testtools")
-
-import samba.getopt as options
-
-from samba.auth import system_session
-from samba.credentials import Credentials
-from ldb import SCOPE_BASE, LdbError
-from ldb import ERR_NO_SUCH_OBJECT, ERR_ATTRIBUTE_OR_VALUE_EXISTS
-from ldb import ERR_UNWILLING_TO_PERFORM
-from ldb import ERR_NO_SUCH_ATTRIBUTE
-from ldb import ERR_CONSTRAINT_VIOLATION
-from ldb import Message, MessageElement, Dn
-from ldb import FLAG_MOD_REPLACE, FLAG_MOD_DELETE
-from samba import gensec
-from samba.samdb import SamDB
-import samba.tests
-from subunit.run import SubunitTestRunner
-import unittest
-
-parser = optparse.OptionParser("passwords [options] <host>")
-sambaopts = options.SambaOptions(parser)
-parser.add_option_group(sambaopts)
-parser.add_option_group(options.VersionOptions(parser))
-# use command line creds if available
-credopts = options.CredentialsOptions(parser)
-parser.add_option_group(credopts)
-opts, args = parser.parse_args()
-
-if len(args) < 1:
- parser.print_usage()
- sys.exit(1)
-
-host = args[0]
-
-lp = sambaopts.get_loadparm()
-creds = credopts.get_credentials(lp)
-
-# Force an encrypted connection
-creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
-
-#
-# Tests start here
-#
-
-class PasswordTests(samba.tests.TestCase):
-
- def delete_force(self, ldb, dn):
- try:
- ldb.delete(dn)
- except LdbError, (num, _):
- self.assertEquals(num, ERR_NO_SUCH_OBJECT)
-
- def find_basedn(self, ldb):
- res = ldb.search(base="", expression="", scope=SCOPE_BASE,
- attrs=["defaultNamingContext"])
- self.assertEquals(len(res), 1)
- return res[0]["defaultNamingContext"][0]
-
- def setUp(self):
- super(PasswordTests, self).setUp()
- self.ldb = ldb
- self.base_dn = self.find_basedn(ldb)
-
- # (Re)adds the test user "testuser" with the inital password
- # "thatsAcomplPASS1"
- self.delete_force(self.ldb, "cn=testuser,cn=users," + self.base_dn)
- self.ldb.add({
- "dn": "cn=testuser,cn=users," + self.base_dn,
- "objectclass": ["user", "person"],
- "sAMAccountName": "testuser",
- "userPassword": "thatsAcomplPASS1" })
- self.ldb.enable_account("(sAMAccountName=testuser)")
-
- # Open a second LDB connection with the user credentials. Use the
- # command line credentials for informations like the domain, the realm
- # and the workstation.
- creds2 = Credentials()
- # FIXME: Reactivate the user credentials when we have user password
- # change support also on the ACL level in s4
- creds2.set_username(creds.get_username())
- creds2.set_password(creds.get_password())
- #creds2.set_username("testuser")
- #creds2.set_password("thatsAcomplPASS1")
- creds2.set_domain(creds.get_domain())
- creds2.set_realm(creds.get_realm())
- creds2.set_workstation(creds.get_workstation())
- creds2.set_gensec_features(creds2.get_gensec_features()
- | gensec.FEATURE_SEAL)
- self.ldb2 = SamDB(url=host, credentials=creds2, lp=lp)
-
- def test_unicodePwd_hash_set(self):
- print "Performs a password hash set operation on 'unicodePwd' which should be prevented"
- # Notice: Direct hash password sets should never work
-
- m = Message()
- m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn)
- m["unicodePwd"] = MessageElement("XXXXXXXXXXXXXXXX", FLAG_MOD_REPLACE,
- "unicodePwd")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
- def test_unicodePwd_hash_change(self):
- print "Performs a password hash change operation on 'unicodePwd' which should be prevented"
- # Notice: Direct hash password changes should never work
-
- # Hash password changes should never work
- try:
- self.ldb2.modify_ldif("""
-dn: cn=testuser,cn=users,""" + self.base_dn + """
-changetype: modify
-delete: unicodePwd
-unicodePwd: XXXXXXXXXXXXXXXX
-add: unicodePwd
-unicodePwd: YYYYYYYYYYYYYYYY
-""")
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
-
- def test_unicodePwd_clear_set(self):
- print "Performs a password cleartext set operation on 'unicodePwd'"
-
- m = Message()
- m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn)
- m["unicodePwd"] = MessageElement("\"thatsAcomplPASS2\"".encode('utf-16-le'),
- FLAG_MOD_REPLACE, "unicodePwd")
- ldb.modify(m)
-
- def test_unicodePwd_clear_change(self):
- print "Performs a password cleartext change operation on 'unicodePwd'"
-
- self.ldb2.modify_ldif("""
-dn: cn=testuser,cn=users,""" + self.base_dn + """
-changetype: modify
-delete: unicodePwd
-unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS1\"".encode('utf-16-le')) + """
-add: unicodePwd
-unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """
-""")
-
- # A change to the same password again will not work (password history)
- try:
- self.ldb2.modify_ldif("""
-dn: cn=testuser,cn=users,""" + self.base_dn + """
-changetype: modify
-delete: unicodePwd
-unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """
-add: unicodePwd
-unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """
-""")
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
-
- def test_dBCSPwd_hash_set(self):
- print "Performs a password hash set operation on 'dBCSPwd' which should be prevented"
- # Notice: Direct hash password sets should never work
-
- m = Message()
- m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn)
- m["dBCSPwd"] = MessageElement("XXXXXXXXXXXXXXXX", FLAG_MOD_REPLACE,
- "dBCSPwd")
- try:
- ldb.modify(m)
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
- def test_dBCSPwd_hash_change(self):
- print "Performs a password hash change operation on 'dBCSPwd' which should be prevented"
- # Notice: Direct hash password changes should never work
-
- try:
- self.ldb2.modify_ldif("""
-dn: cn=testuser,cn=users,""" + self.base_dn + """
-changetype: modify
-delete: dBCSPwd
-dBCSPwd: XXXXXXXXXXXXXXXX
-add: dBCSPwd
-dBCSPwd: YYYYYYYYYYYYYYYY
-""")
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
- def test_userPassword_clear_set(self):
- print "Performs a password cleartext set operation on 'userPassword'"
- # Notice: This works only against Windows if "dSHeuristics" has been set
- # properly
-
- m = Message()
- m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn)
- m["userPassword"] = MessageElement("thatsAcomplPASS2", FLAG_MOD_REPLACE,
- "userPassword")
- ldb.modify(m)
-
- def test_userPassword_clear_change(self):
- print "Performs a password cleartext change operation on 'userPassword'"
- # Notice: This works only against Windows if "dSHeuristics" has been set
- # properly
-
- self.ldb2.modify_ldif("""
-dn: cn=testuser,cn=users,""" + self.base_dn + """
-changetype: modify
-delete: userPassword
-userPassword: thatsAcomplPASS1
-add: userPassword
-userPassword: thatsAcomplPASS2
-""")
-
- # A change to the same password again will not work (password history)
- try:
- self.ldb2.modify_ldif("""
-dn: cn=testuser,cn=users,""" + self.base_dn + """
-changetype: modify
-delete: userPassword
-userPassword: thatsAcomplPASS2
-add: userPassword
-userPassword: thatsAcomplPASS2
-""")
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
-
- def test_clearTextPassword_clear_set(self):
- print "Performs a password cleartext set operation on 'clearTextPassword'"
- # Notice: This never works against Windows - only supported by us
-
- try:
- m = Message()
- m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn)
- m["clearTextPassword"] = MessageElement("thatsAcomplPASS2".encode('utf-16-le'),
- FLAG_MOD_REPLACE, "clearTextPassword")
- ldb.modify(m)
- # this passes against s4
- except LdbError, (num, msg):
- # "NO_SUCH_ATTRIBUTE" is returned by Windows -> ignore it
- if num != ERR_NO_SUCH_ATTRIBUTE:
- raise LdbError(num, msg)
-
- def test_clearTextPassword_clear_change(self):
- print "Performs a password cleartext change operation on 'clearTextPassword'"
- # Notice: This never works against Windows - only supported by us
-
- try:
- self.ldb2.modify_ldif("""
-dn: cn=testuser,cn=users,""" + self.base_dn + """
-changetype: modify
-delete: clearTextPassword
-clearTextPassword:: """ + base64.b64encode("thatsAcomplPASS1".encode('utf-16-le')) + """
-add: clearTextPassword
-clearTextPassword:: """ + base64.b64encode("thatsAcomplPASS2".encode('utf-16-le')) + """
-""")
- # this passes against s4
- except LdbError, (num, msg):
- # "NO_SUCH_ATTRIBUTE" is returned by Windows -> ignore it
- if num != ERR_NO_SUCH_ATTRIBUTE:
- raise LdbError(num, msg)
-
- # A change to the same password again will not work (password history)
- try:
- self.ldb2.modify_ldif("""
-dn: cn=testuser,cn=users,""" + self.base_dn + """
-changetype: modify
-delete: clearTextPassword
-clearTextPassword:: """ + base64.b64encode("thatsAcomplPASS2".encode('utf-16-le')) + """
-add: clearTextPassword
-clearTextPassword:: """ + base64.b64encode("thatsAcomplPASS2".encode('utf-16-le')) + """
-""")
- self.fail()
- except LdbError, (num, _):
- # "NO_SUCH_ATTRIBUTE" is returned by Windows -> ignore it
- if num != ERR_NO_SUCH_ATTRIBUTE:
- self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
-
- def test_failures(self):
- print "Performs some failure testing"
-
- try:
- ldb.modify_ldif("""
-dn: cn=testuser,cn=users,""" + self.base_dn + """
-changetype: modify
-delete: userPassword
-userPassword: thatsAcomplPASS1
-""")
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
-
- try:
- self.ldb2.modify_ldif("""
-dn: cn=testuser,cn=users,""" + self.base_dn + """
-changetype: modify
-delete: userPassword
-""")
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
-
- try:
- ldb.modify_ldif("""
-dn: cn=testuser,cn=users,""" + self.base_dn + """
-changetype: modify
-add: userPassword
-userPassword: thatsAcomplPASS1
-""")
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
- try:
- self.ldb2.modify_ldif("""
-dn: cn=testuser,cn=users,""" + self.base_dn + """
-changetype: modify
-add: userPassword
-userPassword: thatsAcomplPASS1
-""")
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
- try:
- ldb.modify_ldif("""
-dn: cn=testuser,cn=users,""" + self.base_dn + """
-changetype: modify
-delete: userPassword
-userPassword: thatsAcomplPASS1
-add: userPassword
-userPassword: thatsAcomplPASS2
-userPassword: thatsAcomplPASS2
-""")
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
-
- try:
- self.ldb2.modify_ldif("""
-dn: cn=testuser,cn=users,""" + self.base_dn + """
-changetype: modify
-delete: userPassword
-userPassword: thatsAcomplPASS1
-add: userPassword
-userPassword: thatsAcomplPASS2
-userPassword: thatsAcomplPASS2
-""")
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
-
- try:
- ldb.modify_ldif("""
-dn: cn=testuser,cn=users,""" + self.base_dn + """
-changetype: modify
-delete: userPassword
-userPassword: thatsAcomplPASS1
-userPassword: thatsAcomplPASS1
-add: userPassword
-userPassword: thatsAcomplPASS2
-""")
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
-
- try:
- self.ldb2.modify_ldif("""
-dn: cn=testuser,cn=users,""" + self.base_dn + """
-changetype: modify
-delete: userPassword
-userPassword: thatsAcomplPASS1
-userPassword: thatsAcomplPASS1
-add: userPassword
-userPassword: thatsAcomplPASS2
-""")
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
-
- try:
- ldb.modify_ldif("""
-dn: cn=testuser,cn=users,""" + self.base_dn + """
-changetype: modify
-delete: userPassword
-userPassword: thatsAcomplPASS1
-add: userPassword
-userPassword: thatsAcomplPASS2
-add: userPassword
-userPassword: thatsAcomplPASS2
-""")
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
- try:
- self.ldb2.modify_ldif("""
-dn: cn=testuser,cn=users,""" + self.base_dn + """
-changetype: modify
-delete: userPassword
-userPassword: thatsAcomplPASS1
-add: userPassword
-userPassword: thatsAcomplPASS2
-add: userPassword
-userPassword: thatsAcomplPASS2
-""")
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
- try:
- ldb.modify_ldif("""
-dn: cn=testuser,cn=users,""" + self.base_dn + """
-changetype: modify
-delete: userPassword
-userPassword: thatsAcomplPASS1
-delete: userPassword
-userPassword: thatsAcomplPASS1
-add: userPassword
-userPassword: thatsAcomplPASS2
-""")
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
- try:
- self.ldb2.modify_ldif("""
-dn: cn=testuser,cn=users,""" + self.base_dn + """
-changetype: modify
-delete: userPassword
-userPassword: thatsAcomplPASS1
-delete: userPassword
-userPassword: thatsAcomplPASS1
-add: userPassword
-userPassword: thatsAcomplPASS2
-""")
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
- try:
- ldb.modify_ldif("""
-dn: cn=testuser,cn=users,""" + self.base_dn + """
-changetype: modify
-delete: userPassword
-userPassword: thatsAcomplPASS1
-add: userPassword
-userPassword: thatsAcomplPASS2
-replace: userPassword
-userPassword: thatsAcomplPASS3
-""")
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
- try:
- self.ldb2.modify_ldif("""
-dn: cn=testuser,cn=users,""" + self.base_dn + """
-changetype: modify
-delete: userPassword
-userPassword: thatsAcomplPASS1
-add: userPassword
-userPassword: thatsAcomplPASS2
-replace: userPassword
-userPassword: thatsAcomplPASS3
-""")
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
- # Reverse order does work
- self.ldb2.modify_ldif("""
-dn: cn=testuser,cn=users,""" + self.base_dn + """
-changetype: modify
-add: userPassword
-userPassword: thatsAcomplPASS2
-delete: userPassword
-userPassword: thatsAcomplPASS1
-""")
-
- try:
- self.ldb2.modify_ldif("""
-dn: cn=testuser,cn=users,""" + self.base_dn + """
-changetype: modify
-delete: userPassword
-userPassword: thatsAcomplPASS2
-add: unicodePwd
-unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS3\"".encode('utf-16-le')) + """
-""")
- # this passes against s4
- except LdbError, (num, _):
- self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
-
- try:
- self.ldb2.modify_ldif("""
-dn: cn=testuser,cn=users,""" + self.base_dn + """
-changetype: modify
-delete: unicodePwd
-unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS3\"".encode('utf-16-le')) + """
-add: userPassword
-userPassword: thatsAcomplPASS4
-""")
- # this passes against s4
- except LdbError, (num, _):
- self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE)
-
- # Several password changes at once are allowed
- ldb.modify_ldif("""
-dn: cn=testuser,cn=users,""" + self.base_dn + """
-changetype: modify
-replace: userPassword
-userPassword: thatsAcomplPASS1
-userPassword: thatsAcomplPASS2
-""")
-
- # Several password changes at once are allowed
- ldb.modify_ldif("""
-dn: cn=testuser,cn=users,""" + self.base_dn + """
-changetype: modify
-replace: userPassword
-userPassword: thatsAcomplPASS1
-userPassword: thatsAcomplPASS2
-replace: userPassword
-userPassword: thatsAcomplPASS3
-replace: userPassword
-userPassword: thatsAcomplPASS4
-""")
-
- # This surprisingly should work
- self.delete_force(self.ldb, "cn=testuser2,cn=users," + self.base_dn)
- self.ldb.add({
- "dn": "cn=testuser2,cn=users," + self.base_dn,
- "objectclass": ["user", "person"],
- "userPassword": ["thatsAcomplPASS1", "thatsAcomplPASS2"] })
-
- # This surprisingly should work
- self.delete_force(self.ldb, "cn=testuser2,cn=users," + self.base_dn)
- self.ldb.add({
- "dn": "cn=testuser2,cn=users," + self.base_dn,
- "objectclass": ["user", "person"],
- "userPassword": ["thatsAcomplPASS1", "thatsAcomplPASS1"] })
-
- def tearDown(self):
- super(PasswordTests, self).tearDown()
- self.delete_force(self.ldb, "cn=testuser,cn=users," + self.base_dn)
- self.delete_force(self.ldb, "cn=testuser2,cn=users," + self.base_dn)
- # Close the second LDB connection (with the user credentials)
- self.ldb2 = None
-
-if not "://" in host:
- if os.path.isfile(host):
- host = "tdb://%s" % host
- else:
- host = "ldap://%s" % host
-
-ldb = SamDB(url=host, session_info=system_session(), credentials=creds, lp=lp)
-
-# Gets back the configuration basedn
-res = ldb.search(base="", expression="", scope=SCOPE_BASE,
- attrs=["configurationNamingContext"])
-configuration_dn = res[0]["configurationNamingContext"][0]
-
-# Get the old "dSHeuristics" if it was set
-res = ldb.search("CN=Directory Service, CN=Windows NT, CN=Services, "
- + configuration_dn, scope=SCOPE_BASE, attrs=["dSHeuristics"])
-if "dSHeuristics" in res[0]:
- dsheuristics = res[0]["dSHeuristics"][0]
-else:
- dsheuristics = None
-
-# Set the "dSHeuristics" to have the tests run against Windows Server
-m = Message()
-m.dn = Dn(ldb, "CN=Directory Service, CN=Windows NT, CN=Services, "
- + configuration_dn)
-m["dSHeuristics"] = MessageElement("000000001", FLAG_MOD_REPLACE,
- "dSHeuristics")
-ldb.modify(m)
-
-runner = SubunitTestRunner()
-rc = 0
-if not runner.run(unittest.makeSuite(PasswordTests)).wasSuccessful():
- rc = 1
-
-# Reset the "dSHeuristics" as they were before
-m = Message()
-m.dn = Dn(ldb, "CN=Directory Service, CN=Windows NT, CN=Services, "
- + configuration_dn)
-if dsheuristics is not None:
- m["dSHeuristics"] = MessageElement(dsheuristics, FLAG_MOD_REPLACE,
- "dSHeuristics")
-else:
- m["dSHeuristics"] = MessageElement([], FLAG_MOD_DELETE, "dsHeuristics")
-ldb.modify(m)
-
-sys.exit(rc)
diff --git a/source4/lib/ldb/tests/python/sec_descriptor.py b/source4/lib/ldb/tests/python/sec_descriptor.py
deleted file mode 100755
index 8dc77321b4..0000000000
--- a/source4/lib/ldb/tests/python/sec_descriptor.py
+++ /dev/null
@@ -1,1979 +0,0 @@
-#!/usr/bin/env python
-# -*- coding: utf-8 -*-
-
-import optparse
-import sys
-import os
-import base64
-import re
-import random
-
-sys.path.append("bin/python")
-import samba
-samba.ensure_external_module("subunit", "subunit/python")
-samba.ensure_external_module("testtools", "testtools")
-
-import samba.getopt as options
-
-# Some error messages that are being tested
-from ldb import SCOPE_SUBTREE, SCOPE_BASE, LdbError, ERR_NO_SUCH_OBJECT
-
-# For running the test unit
-from samba.ndr import ndr_pack, ndr_unpack
-from samba.dcerpc import security
-
-from samba import gensec
-from samba.samdb import SamDB
-from samba.credentials import Credentials
-from samba.auth import system_session
-from samba.dsdb import DS_DOMAIN_FUNCTION_2008
-from samba.dcerpc.security import (
- SECINFO_OWNER, SECINFO_GROUP, SECINFO_DACL, SECINFO_SACL)
-from subunit.run import SubunitTestRunner
-import samba.tests
-import unittest
-
-parser = optparse.OptionParser("sec_descriptor [options] <host>")
-sambaopts = options.SambaOptions(parser)
-parser.add_option_group(sambaopts)
-parser.add_option_group(options.VersionOptions(parser))
-
-# use command line creds if available
-credopts = options.CredentialsOptions(parser)
-parser.add_option_group(credopts)
-opts, args = parser.parse_args()
-
-if len(args) < 1:
- parser.print_usage()
- sys.exit(1)
-
-host = args[0]
-
-lp = sambaopts.get_loadparm()
-creds = credopts.get_credentials(lp)
-creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
-
-#
-# Tests start here
-#
-
-class DescriptorTests(samba.tests.TestCase):
-
- def delete_force(self, ldb, dn):
- try:
- ldb.delete(dn)
- except LdbError, (num, _):
- self.assertEquals(num, ERR_NO_SUCH_OBJECT)
-
- def find_basedn(self, ldb):
- res = ldb.search(base="", expression="", scope=SCOPE_BASE,
- attrs=["defaultNamingContext"])
- self.assertEquals(len(res), 1)
- return res[0]["defaultNamingContext"][0]
-
- def find_configurationdn(self, ldb):
- res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["configurationNamingContext"])
- self.assertEquals(len(res), 1)
- return res[0]["configurationNamingContext"][0]
-
- def find_schemadn(self, ldb):
- res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["schemaNamingContext"])
- self.assertEquals(len(res), 1)
- return res[0]["schemaNamingContext"][0]
-
- def find_domain_sid(self, ldb):
- res = ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_BASE)
- return ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
-
- def get_users_domain_dn(self, name):
- return "CN=%s,CN=Users,%s" % (name, self.base_dn)
-
- def modify_desc(self, _ldb, object_dn, desc, controls=None):
- assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
- mod = """
-dn: """ + object_dn + """
-changetype: modify
-replace: nTSecurityDescriptor
-"""
- if isinstance(desc, str):
- mod += "nTSecurityDescriptor: %s" % desc
- elif isinstance(desc, security.descriptor):
- mod += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
- _ldb.modify_ldif(mod, controls)
-
- def create_domain_ou(self, _ldb, ou_dn, desc=None, controls=None):
- ldif = """
-dn: """ + ou_dn + """
-ou: """ + ou_dn.split(",")[0][3:] + """
-objectClass: organizationalUnit
-url: www.example.com
-"""
- if desc:
- assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
- if isinstance(desc, str):
- ldif += "nTSecurityDescriptor: %s" % desc
- elif isinstance(desc, security.descriptor):
- ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
- _ldb.add_ldif(ldif, controls)
-
- def create_domain_user(self, _ldb, user_dn, desc=None):
- ldif = """
-dn: """ + user_dn + """
-sAMAccountName: """ + user_dn.split(",")[0][3:] + """
-objectClass: user
-userPassword: samba123@
-url: www.example.com
-"""
- if desc:
- assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
- if isinstance(desc, str):
- ldif += "nTSecurityDescriptor: %s" % desc
- elif isinstance(desc, security.descriptor):
- ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
- _ldb.add_ldif(ldif)
-
- def create_domain_group(self, _ldb, group_dn, desc=None):
- ldif = """
-dn: """ + group_dn + """
-objectClass: group
-sAMAccountName: """ + group_dn.split(",")[0][3:] + """
-groupType: 4
-url: www.example.com
-"""
- if desc:
- assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
- if isinstance(desc, str):
- ldif += "nTSecurityDescriptor: %s" % desc
- elif isinstance(desc, security.descriptor):
- ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
- _ldb.add_ldif(ldif)
-
- def get_unique_schema_class_name(self):
- while True:
- class_name = "test-class%s" % random.randint(1,100000)
- class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
- try:
- self.ldb_admin.search(base=class_dn, attrs=["*"])
- except LdbError, (num, _):
- self.assertEquals(num, ERR_NO_SUCH_OBJECT)
- return class_name
-
- def create_schema_class(self, _ldb, object_dn, desc=None):
- ldif = """
-dn: """ + object_dn + """
-objectClass: classSchema
-objectCategory: CN=Class-Schema,""" + self.schema_dn + """
-defaultObjectCategory: """ + object_dn + """
-distinguishedName: """ + object_dn + """
-governsID: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939
-instanceType: 4
-objectClassCategory: 1
-subClassOf: organizationalPerson
-systemFlags: 16
-rDNAttID: cn
-systemMustContain: cn
-systemOnly: FALSE
-"""
- if desc:
- assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
- if isinstance(desc, str):
- ldif += "nTSecurityDescriptor: %s" % desc
- elif isinstance(desc, security.descriptor):
- ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
- _ldb.add_ldif(ldif)
-
- def create_configuration_container(self, _ldb, object_dn, desc=None):
- ldif = """
-dn: """ + object_dn + """
-objectClass: container
-objectCategory: CN=Container,""" + self.schema_dn + """
-showInAdvancedViewOnly: TRUE
-instanceType: 4
-"""
- if desc:
- assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
- if isinstance(desc, str):
- ldif += "nTSecurityDescriptor: %s" % desc
- elif isinstance(desc, security.descriptor):
- ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
- _ldb.add_ldif(ldif)
-
- def create_configuration_specifier(self, _ldb, object_dn, desc=None):
- ldif = """
-dn: """ + object_dn + """
-objectClass: displaySpecifier
-showInAdvancedViewOnly: TRUE
-"""
- if desc:
- assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
- if isinstance(desc, str):
- ldif += "nTSecurityDescriptor: %s" % desc
- elif isinstance(desc, security.descriptor):
- ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
- _ldb.add_ldif(ldif)
-
- def read_desc(self, object_dn, controls=None):
- res = self.ldb_admin.search(base=object_dn, scope=SCOPE_BASE, attrs=["nTSecurityDescriptor"], controls=controls)
- desc = res[0]["nTSecurityDescriptor"][0]
- return ndr_unpack(security.descriptor, desc)
-
- def create_active_user(self, _ldb, user_dn):
- ldif = """
-dn: """ + user_dn + """
-sAMAccountName: """ + user_dn.split(",")[0][3:] + """
-objectClass: user
-unicodePwd:: """ + base64.b64encode("\"samba123@\"".encode('utf-16-le')) + """
-url: www.example.com
-"""
- _ldb.add_ldif(ldif)
-
- def add_user_to_group(self, _ldb, username, groupname):
- ldif = """
-dn: """ + self.get_users_domain_dn(groupname) + """
-changetype: modify
-add: member
-member: """ + self.get_users_domain_dn(username)
- _ldb.modify_ldif(ldif)
-
- def get_ldb_connection(self, target_username, target_password):
- creds_tmp = Credentials()
- creds_tmp.set_username(target_username)
- creds_tmp.set_password(target_password)
- creds_tmp.set_domain(creds.get_domain())
- creds_tmp.set_realm(creds.get_realm())
- creds_tmp.set_workstation(creds.get_workstation())
- creds_tmp.set_gensec_features(creds_tmp.get_gensec_features()
- | gensec.FEATURE_SEAL)
- ldb_target = SamDB(url=host, credentials=creds_tmp, lp=lp)
- return ldb_target
-
- def get_object_sid(self, object_dn):
- res = self.ldb_admin.search(object_dn)
- return ndr_unpack( security.dom_sid, res[0]["objectSid"][0] )
-
- def dacl_add_ace(self, object_dn, ace):
- desc = self.read_desc( object_dn )
- desc_sddl = desc.as_sddl( self.domain_sid )
- if ace in desc_sddl:
- return
- if desc_sddl.find("(") >= 0:
- desc_sddl = desc_sddl[:desc_sddl.index("(")] + ace + desc_sddl[desc_sddl.index("("):]
- else:
- desc_sddl = desc_sddl + ace
- self.modify_desc(self.ldb_admin, object_dn, desc_sddl)
-
- def get_desc_sddl(self, object_dn, controls=None):
- """ Return object nTSecutiryDescriptor in SDDL format
- """
- desc = self.read_desc(object_dn, controls)
- return desc.as_sddl(self.domain_sid)
-
- def create_enable_user(self, username):
- user_dn = self.get_users_domain_dn(username)
- self.create_active_user(self.ldb_admin, user_dn)
- self.ldb_admin.enable_account("(sAMAccountName=" + username + ")")
-
- def setUp(self):
- super(DescriptorTests, self).setUp()
- self.ldb_admin = ldb
- self.base_dn = self.find_basedn(self.ldb_admin)
- self.configuration_dn = self.find_configurationdn(self.ldb_admin)
- self.schema_dn = self.find_schemadn(self.ldb_admin)
- self.domain_sid = self.find_domain_sid(self.ldb_admin)
- print "baseDN: %s" % self.base_dn
-
- ################################################################################################
-
- ## Tests for DOMAIN
-
- # Default descriptor tests #####################################################################
-
-class OwnerGroupDescriptorTests(DescriptorTests):
-
- def deleteAll(self):
- self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser1"))
- self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser2"))
- self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser3"))
- self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser4"))
- self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser5"))
- self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser6"))
- self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser7"))
- self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser8"))
- # DOMAIN
- self.delete_force(self.ldb_admin, self.get_users_domain_dn("test_domain_group1"))
- self.delete_force(self.ldb_admin, "CN=test_domain_user1,OU=test_domain_ou1," + self.base_dn)
- self.delete_force(self.ldb_admin, "OU=test_domain_ou2,OU=test_domain_ou1," + self.base_dn)
- self.delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
- # SCHEMA
- # CONFIGURATION
- self.delete_force(self.ldb_admin, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers," \
- + self.configuration_dn)
- self.delete_force(self.ldb_admin, "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn)
-
- def setUp(self):
- super(OwnerGroupDescriptorTests, self).setUp()
- self.deleteAll()
- ### Create users
- # User 1
- self.create_enable_user("testuser1")
- self.add_user_to_group(self.ldb_admin, "testuser1", "Enterprise Admins")
- # User 2
- self.create_enable_user("testuser2")
- self.add_user_to_group(self.ldb_admin, "testuser2", "Domain Admins")
- # User 3
- self.create_enable_user("testuser3")
- self.add_user_to_group(self.ldb_admin, "testuser3", "Schema Admins")
- # User 4
- self.create_enable_user("testuser4")
- # User 5
- self.create_enable_user("testuser5")
- self.add_user_to_group(self.ldb_admin, "testuser5", "Enterprise Admins")
- self.add_user_to_group(self.ldb_admin, "testuser5", "Domain Admins")
- # User 6
- self.create_enable_user("testuser6")
- self.add_user_to_group(self.ldb_admin, "testuser6", "Enterprise Admins")
- self.add_user_to_group(self.ldb_admin, "testuser6", "Domain Admins")
- self.add_user_to_group(self.ldb_admin, "testuser6", "Schema Admins")
- # User 7
- self.create_enable_user("testuser7")
- self.add_user_to_group(self.ldb_admin, "testuser7", "Domain Admins")
- self.add_user_to_group(self.ldb_admin, "testuser7", "Schema Admins")
- # User 8
- self.create_enable_user("testuser8")
- self.add_user_to_group(self.ldb_admin, "testuser8", "Enterprise Admins")
- self.add_user_to_group(self.ldb_admin, "testuser8", "Schema Admins")
-
- self.results = {
- # msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008
- "ds_behavior_win2003" : {
- "100" : "O:EAG:DU",
- "101" : "O:DAG:DU",
- "102" : "O:%sG:DU",
- "103" : "O:%sG:DU",
- "104" : "O:DAG:DU",
- "105" : "O:DAG:DU",
- "106" : "O:DAG:DU",
- "107" : "O:EAG:DU",
- "108" : "O:DAG:DA",
- "109" : "O:DAG:DA",
- "110" : "O:%sG:DA",
- "111" : "O:%sG:DA",
- "112" : "O:DAG:DA",
- "113" : "O:DAG:DA",
- "114" : "O:DAG:DA",
- "115" : "O:DAG:DA",
- "130" : "O:EAG:DU",
- "131" : "O:DAG:DU",
- "132" : "O:SAG:DU",
- "133" : "O:%sG:DU",
- "134" : "O:EAG:DU",
- "135" : "O:SAG:DU",
- "136" : "O:SAG:DU",
- "137" : "O:SAG:DU",
- "138" : "O:DAG:DA",
- "139" : "O:DAG:DA",
- "140" : "O:%sG:DA",
- "141" : "O:%sG:DA",
- "142" : "O:DAG:DA",
- "143" : "O:DAG:DA",
- "144" : "O:DAG:DA",
- "145" : "O:DAG:DA",
- "160" : "O:EAG:DU",
- "161" : "O:DAG:DU",
- "162" : "O:%sG:DU",
- "163" : "O:%sG:DU",
- "164" : "O:EAG:DU",
- "165" : "O:EAG:DU",
- "166" : "O:DAG:DU",
- "167" : "O:EAG:DU",
- "168" : "O:DAG:DA",
- "169" : "O:DAG:DA",
- "170" : "O:%sG:DA",
- "171" : "O:%sG:DA",
- "172" : "O:DAG:DA",
- "173" : "O:DAG:DA",
- "174" : "O:DAG:DA",
- "175" : "O:DAG:DA",
- },
- # msDS-Behavior-Version >= DS_DOMAIN_FUNCTION_2008
- "ds_behavior_win2008" : {
- "100" : "O:EAG:EA",
- "101" : "O:DAG:DA",
- "102" : "O:%sG:DU",
- "103" : "O:%sG:DU",
- "104" : "O:DAG:DA",
- "105" : "O:DAG:DA",
- "106" : "O:DAG:DA",
- "107" : "O:EAG:EA",
- "108" : "O:DAG:DA",
- "109" : "O:DAG:DA",
- "110" : "O:%sG:DA",
- "111" : "O:%sG:DA",
- "112" : "O:DAG:DA",
- "113" : "O:DAG:DA",
- "114" : "O:DAG:DA",
- "115" : "O:DAG:DA",
- "130" : "O:EAG:EA",
- "131" : "O:DAG:DA",
- "132" : "O:SAG:SA",
- "133" : "O:%sG:DU",
- "134" : "O:EAG:EA",
- "135" : "O:SAG:SA",
- "136" : "O:SAG:SA",
- "137" : "O:SAG:SA",
- "138" : "",
- "139" : "",
- "140" : "O:%sG:DA",
- "141" : "O:%sG:DA",
- "142" : "",
- "143" : "",
- "144" : "",
- "145" : "",
- "160" : "O:EAG:EA",
- "161" : "O:DAG:DA",
- "162" : "O:%sG:DU",
- "163" : "O:%sG:DU",
- "164" : "O:EAG:EA",
- "165" : "O:EAG:EA",
- "166" : "O:DAG:DA",
- "167" : "O:EAG:EA",
- "168" : "O:DAG:DA",
- "169" : "O:DAG:DA",
- "170" : "O:%sG:DA",
- "171" : "O:%sG:DA",
- "172" : "O:DAG:DA",
- "173" : "O:DAG:DA",
- "174" : "O:DAG:DA",
- "175" : "O:DAG:DA",
- },
- }
- # Discover 'msDS-Behavior-Version'
- res = self.ldb_admin.search(base=self.base_dn, expression="distinguishedName=%s" % self.base_dn, \
- attrs=['msDS-Behavior-Version'])
- res = int(res[0]['msDS-Behavior-Version'][0])
- if res < DS_DOMAIN_FUNCTION_2008:
- self.DS_BEHAVIOR = "ds_behavior_win2003"
- else:
- self.DS_BEHAVIOR = "ds_behavior_win2008"
-
- def tearDown(self):
- super(DescriptorTests, self).tearDown()
- self.deleteAll()
-
- def check_user_belongs(self, user_dn, groups=[]):
- """ Test wether user is member of the expected group(s) """
- if groups != []:
- # User is member of at least one additional group
- res = self.ldb_admin.search(user_dn, attrs=["memberOf"])
- res = [x.upper() for x in sorted(list(res[0]["memberOf"]))]
- expected = []
- for x in groups:
- expected.append(self.get_users_domain_dn(x))
- expected = [x.upper() for x in sorted(expected)]
- self.assertEqual(expected, res)
- else:
- # User is not a member of any additional groups but default
- res = self.ldb_admin.search(user_dn, attrs=["*"])
- res = [x.upper() for x in res[0].keys()]
- self.assertFalse( "MEMBEROF" in res)
-
- def check_modify_inheritance(self, _ldb, object_dn, owner_group=""):
- # Modify
- ace = "(D;;CC;;;LG)" # Deny Create Children to Guest account
- if owner_group != "":
- self.modify_desc(_ldb, object_dn, owner_group + "D:" + ace)
- else:
- self.modify_desc(_ldb, object_dn, "D:" + ace)
- # Make sure the modify operation has been applied
- desc_sddl = self.get_desc_sddl(object_dn)
- self.assertTrue(ace in desc_sddl)
- # Make sure we have identical result for both "add" and "modify"
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- print self._testMethodName
- test_number = self._testMethodName[5:]
- self.assertEqual(self.results[self.DS_BEHAVIOR][test_number], res)
-
- def test_100(self):
- """ Enterprise admin group member creates object (default nTSecurityDescriptor) in DOMAIN
- """
- user_name = "testuser1"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_domain_group(_ldb, object_dn)
- desc_sddl = self.get_desc_sddl(object_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
- self.check_modify_inheritance(_ldb, object_dn)
-
- def test_101(self):
- """ Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
- """
- user_name = "testuser2"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_domain_group(_ldb, object_dn)
- desc_sddl = self.get_desc_sddl(object_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
- self.check_modify_inheritance(_ldb, object_dn)
-
- def test_102(self):
- """ Schema admin group member with CC right creates object (default nTSecurityDescriptor) in DOMAIN
- """
- user_name = "testuser3"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- object_dn = "OU=test_domain_ou1," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_domain_ou(self.ldb_admin, object_dn)
- user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
- mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
- self.dacl_add_ace(object_dn, mod)
- # Create additional object into the first one
- object_dn = "CN=test_domain_user1," + object_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_domain_user(_ldb, object_dn)
- desc_sddl = self.get_desc_sddl(object_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
- # This fails, research why
- #self.check_modify_inheritance(_ldb, object_dn)
-
- def test_103(self):
- """ Regular user with CC right creates object (default nTSecurityDescriptor) in DOMAIN
- """
- user_name = "testuser4"
- self.check_user_belongs(self.get_users_domain_dn(user_name), [])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- object_dn = "OU=test_domain_ou1," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_domain_ou(self.ldb_admin, object_dn)
- user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
- mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
- self.dacl_add_ace(object_dn, mod)
- # Create additional object into the first one
- object_dn = "CN=test_domain_user1," + object_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_domain_user(_ldb, object_dn)
- desc_sddl = self.get_desc_sddl(object_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
- #this fails, research why
- #self.check_modify_inheritance(_ldb, object_dn)
-
- def test_104(self):
- """ Enterprise & Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
- """
- user_name = "testuser5"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_domain_group(_ldb, object_dn)
- desc_sddl = self.get_desc_sddl(object_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
- self.check_modify_inheritance(_ldb, object_dn)
-
- def test_105(self):
- """ Enterprise & Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
- """
- user_name = "testuser6"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_domain_group(_ldb, object_dn)
- desc_sddl = self.get_desc_sddl(object_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
- self.check_modify_inheritance(_ldb, object_dn)
-
- def test_106(self):
- """ Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
- """
- user_name = "testuser7"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_domain_group(_ldb, object_dn)
- desc_sddl = self.get_desc_sddl(object_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
- self.check_modify_inheritance(_ldb, object_dn)
-
- def test_107(self):
- """ Enterprise & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
- """
- user_name = "testuser8"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_domain_group(_ldb, object_dn)
- desc_sddl = self.get_desc_sddl(object_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
- self.check_modify_inheritance(_ldb, object_dn)
-
- # Control descriptor tests #####################################################################
-
- def test_108(self):
- """ Enterprise admin group member creates object (custom descriptor) in DOMAIN
- """
- user_name = "testuser1"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
- # Create a custom security descriptor
- desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
- self.create_domain_group(_ldb, object_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(object_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
-
- def test_109(self):
- """ Domain admin group member creates object (custom descriptor) in DOMAIN
- """
- user_name = "testuser2"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
- # Create a custom security descriptor
- desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
- self.create_domain_group(_ldb, object_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(object_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
-
- def test_110(self):
- """ Schema admin group member with CC right creates object (custom descriptor) in DOMAIN
- """
- user_name = "testuser3"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- object_dn = "OU=test_domain_ou1," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_domain_ou(self.ldb_admin, object_dn)
- user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
- mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
- self.dacl_add_ace(object_dn, mod)
- # Create a custom security descriptor
- # NB! Problematic owner part won't accept DA only <User Sid> !!!
- desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
- # Create additional object into the first one
- object_dn = "CN=test_domain_user1," + object_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_domain_user(_ldb, object_dn, desc_sddl)
- desc = self.read_desc(object_dn)
- desc_sddl = self.get_desc_sddl(object_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
-
- def test_111(self):
- """ Regular user with CC right creates object (custom descriptor) in DOMAIN
- """
- user_name = "testuser4"
- self.check_user_belongs(self.get_users_domain_dn(user_name), [])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- object_dn = "OU=test_domain_ou1," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_domain_ou(self.ldb_admin, object_dn)
- user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
- mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
- self.dacl_add_ace(object_dn, mod)
- # Create a custom security descriptor
- # NB! Problematic owner part won't accept DA only <User Sid> !!!
- desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
- # Create additional object into the first one
- object_dn = "CN=test_domain_user1," + object_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_domain_user(_ldb, object_dn, desc_sddl)
- desc = self.read_desc(object_dn)
- desc_sddl = self.get_desc_sddl(object_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
-
- def test_112(self):
- """ Domain & Enterprise admin group member creates object (custom descriptor) in DOMAIN
- """
- user_name = "testuser5"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
- # Create a custom security descriptor
- desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
- self.create_domain_group(_ldb, object_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(object_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
-
- def test_113(self):
- """ Domain & Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
- """
- user_name = "testuser6"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
- # Create a custom security descriptor
- desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
- self.create_domain_group(_ldb, object_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(object_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
-
- def test_114(self):
- """ Domain & Schema admin group member creates object (custom descriptor) in DOMAIN
- """
- user_name = "testuser7"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
- # Create a custom security descriptor
- desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
- self.create_domain_group(_ldb, object_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(object_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
-
- def test_115(self):
- """ Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
- """
- user_name = "testuser8"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
- # Create a custom security descriptor
- desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
- self.create_domain_group(_ldb, object_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(object_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
-
- def test_999(self):
- user_name = "Administrator"
- object_dn = "OU=test_domain_ou1," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_domain_ou(self.ldb_admin, object_dn)
- user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
- mod = "(D;CI;WP;;;S-1-3-0)"
- #mod = ""
- self.dacl_add_ace(object_dn, mod)
- desc_sddl = self.get_desc_sddl(object_dn)
- # Create additional object into the first one
- object_dn = "OU=test_domain_ou2," + object_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_domain_ou(self.ldb_admin, object_dn)
- desc_sddl = self.get_desc_sddl(object_dn)
-
- ## Tests for SCHEMA
-
- # Defalt descriptor tests ##################################################################
-
- def test_130(self):
- user_name = "testuser1"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- # Change Schema partition descriptor
- user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
- mod = "(A;;WDCC;;;AU)"
- self.dacl_add_ace(self.schema_dn, mod)
- # Create example Schema class
- class_name = self.get_unique_schema_class_name()
- class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
- self.create_schema_class(_ldb, class_dn)
- desc_sddl = self.get_desc_sddl(class_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
- self.check_modify_inheritance(_ldb, class_dn)
-
- def test_131(self):
- user_name = "testuser2"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- # Change Schema partition descriptor
- mod = "(A;CI;WDCC;;;AU)"
- self.dacl_add_ace(self.schema_dn, mod)
- # Create example Schema class
- class_name = self.get_unique_schema_class_name()
- class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
- self.create_schema_class(_ldb, class_dn)
- desc_sddl = self.get_desc_sddl(class_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
- self.check_modify_inheritance(_ldb, class_dn)
-
- def test_132(self):
- user_name = "testuser3"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- # Change Schema partition descriptor
- mod = "(A;CI;WDCC;;;AU)"
- self.dacl_add_ace(self.schema_dn, mod)
- # Create example Schema class
- class_name = self.get_unique_schema_class_name()
- class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
- self.create_schema_class(_ldb, class_dn)
- desc_sddl = self.get_desc_sddl(class_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
- #self.check_modify_inheritance(_ldb, class_dn)
-
- def test_133(self):
- user_name = "testuser4"
- self.check_user_belongs(self.get_users_domain_dn(user_name), [])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- #Change Schema partition descriptor
- user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
- mod = "(A;CI;WDCC;;;AU)"
- self.dacl_add_ace(self.schema_dn, mod)
- # Create example Schema class
- class_name = self.get_unique_schema_class_name()
- class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
- self.create_schema_class(_ldb, class_dn)
- desc_sddl = self.get_desc_sddl(class_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
- #self.check_modify_inheritance(_ldb, class_dn)
-
- def test_134(self):
- user_name = "testuser5"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- #Change Schema partition descriptor
- mod = "(A;CI;WDCC;;;AU)"
- self.dacl_add_ace(self.schema_dn, mod)
- # Create example Schema class
- class_name = self.get_unique_schema_class_name()
- class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
- self.create_schema_class(_ldb, class_dn)
- desc_sddl = self.get_desc_sddl(class_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
- self.check_modify_inheritance(_ldb, class_dn)
-
- def test_135(self):
- user_name = "testuser6"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- # Change Schema partition descriptor
- mod = "(A;CI;WDCC;;;AU)"
- self.dacl_add_ace(self.schema_dn, mod)
- # Create example Schema class
- class_name = self.get_unique_schema_class_name()
- class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
- self.create_schema_class(_ldb, class_dn)
- desc_sddl = self.get_desc_sddl(class_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
- self.check_modify_inheritance(_ldb, class_dn)
-
- def test_136(self):
- user_name = "testuser7"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- # Change Schema partition descriptor
- mod = "(A;CI;WDCC;;;AU)"
- self.dacl_add_ace(self.schema_dn, mod)
- # Create example Schema class
- class_name = self.get_unique_schema_class_name()
- class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
- self.create_schema_class(_ldb, class_dn)
- desc_sddl = self.get_desc_sddl(class_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
- self.check_modify_inheritance(_ldb, class_dn)
-
- def test_137(self):
- user_name = "testuser8"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- # Change Schema partition descriptor
- mod = "(A;CI;WDCC;;;AU)"
- self.dacl_add_ace(self.schema_dn, mod)
- # Create example Schema class
- class_name = self.get_unique_schema_class_name()
- class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
- self.create_schema_class(_ldb, class_dn)
- desc_sddl = self.get_desc_sddl(class_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
- self.check_modify_inheritance(_ldb, class_dn)
-
- # Custom descriptor tests ##################################################################
-
- def test_138(self):
- user_name = "testuser1"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- # Change Schema partition descriptor
- mod = "(A;;CC;;;AU)"
- self.dacl_add_ace(self.schema_dn, mod)
- # Create a custom security descriptor
- desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
- # Create example Schema class
- class_name = self.get_unique_schema_class_name()
- class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
- self.create_schema_class(_ldb, class_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(class_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual("O:DAG:DA", res)
-
- def test_139(self):
- user_name = "testuser2"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- # Change Schema partition descriptor
- mod = "(A;;CC;;;AU)"
- self.dacl_add_ace(self.schema_dn, mod)
- # Create a custom security descriptor
- desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
- # Create example Schema class
- class_name = self.get_unique_schema_class_name()
- class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
- self.create_schema_class(_ldb, class_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(class_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual("O:DAG:DA", res)
-
- def test_140(self):
- user_name = "testuser3"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- # Create a custom security descriptor
- # NB! Problematic owner part won't accept DA only <User Sid> !!!
- user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
- desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
- # Create example Schema class
- class_name = self.get_unique_schema_class_name()
- class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
- self.create_schema_class(_ldb, class_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(class_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
-
- def test_141(self):
- user_name = "testuser4"
- self.check_user_belongs(self.get_users_domain_dn(user_name), [])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- # Create a custom security descriptor
- # NB! Problematic owner part won't accept DA only <User Sid> !!!
- user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
- desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
- # Create example Schema class
- class_name = self.get_unique_schema_class_name()
- class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
- self.create_schema_class(_ldb, class_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(class_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
-
- def test_142(self):
- user_name = "testuser5"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- # Change Schema partition descriptor
- mod = "(A;;CC;;;AU)"
- self.dacl_add_ace(self.schema_dn, mod)
- # Create a custom security descriptor
- desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
- # Create example Schema class
- class_name = self.get_unique_schema_class_name()
- class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
- self.create_schema_class(_ldb, class_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(class_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual("O:DAG:DA", res)
-
- def test_143(self):
- user_name = "testuser6"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- # Change Schema partition descriptor
- mod = "(A;;CC;;;AU)"
- self.dacl_add_ace(self.schema_dn, mod)
- # Create a custom security descriptor
- desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
- # Create example Schema class
- class_name = self.get_unique_schema_class_name()
- class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
- self.create_schema_class(_ldb, class_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(class_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual("O:DAG:DA", res)
-
- def test_144(self):
- user_name = "testuser7"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- # Change Schema partition descriptor
- mod = "(A;;CC;;;AU)"
- self.dacl_add_ace(self.schema_dn, mod)
- # Create a custom security descriptor
- desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
- # Create example Schema class
- class_name = self.get_unique_schema_class_name()
- class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
- self.create_schema_class(_ldb, class_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(class_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual("O:DAG:DA", res)
-
- def test_145(self):
- user_name = "testuser8"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- # Change Schema partition descriptor
- mod = "(A;;CC;;;AU)"
- self.dacl_add_ace(self.schema_dn, mod)
- # Create a custom security descriptor
- desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
- # Create example Schema class
- class_name = self.get_unique_schema_class_name()
- class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
- self.create_schema_class(_ldb, class_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(class_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual("O:DAG:DA", res)
-
- ## Tests for CONFIGURATION
-
- # Defalt descriptor tests ##################################################################
-
- def test_160(self):
- user_name = "testuser1"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- # Create example Configuration container
- container_name = "test-container1"
- object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
- self.delete_force(self.ldb_admin, object_dn)
- self.create_configuration_container(_ldb, object_dn, )
- desc_sddl = self.get_desc_sddl(object_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
- self.check_modify_inheritance(_ldb, object_dn)
-
- def test_161(self):
- user_name = "testuser2"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- # Create example Configuration container
- container_name = "test-container1"
- object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
- self.delete_force(self.ldb_admin, object_dn)
- self.create_configuration_container(_ldb, object_dn, )
- desc_sddl = self.get_desc_sddl(object_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
- self.check_modify_inheritance(_ldb, object_dn)
-
- def test_162(self):
- user_name = "testuser3"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- # Create example Configuration container
- object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_configuration_container(self.ldb_admin, object_dn, )
- user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
- mod = "(A;;WDCC;;;AU)"
- self.dacl_add_ace(object_dn, mod)
- # Create child object with user's credentials
- object_dn = "CN=test-specifier1," + object_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_configuration_specifier(_ldb, object_dn)
- desc_sddl = self.get_desc_sddl(object_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
- #self.check_modify_inheritance(_ldb, object_dn)
-
- def test_163(self):
- user_name = "testuser4"
- self.check_user_belongs(self.get_users_domain_dn(user_name), [])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- # Create example Configuration container
- object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_configuration_container(self.ldb_admin, object_dn, )
- user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
- mod = "(A;CI;WDCC;;;AU)"
- self.dacl_add_ace(object_dn, mod)
- # Create child object with user's credentials
- object_dn = "CN=test-specifier1," + object_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_configuration_specifier(_ldb, object_dn)
- desc_sddl = self.get_desc_sddl(object_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
- #self.check_modify_inheritance(_ldb, object_dn)
-
- def test_164(self):
- user_name = "testuser5"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- # Create example Configuration container
- container_name = "test-container1"
- object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
- self.delete_force(self.ldb_admin, object_dn)
- self.create_configuration_container(_ldb, object_dn, )
- desc_sddl = self.get_desc_sddl(object_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
- self.check_modify_inheritance(_ldb, object_dn)
-
- def test_165(self):
- user_name = "testuser6"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- # Create example Configuration container
- container_name = "test-container1"
- object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
- self.delete_force(self.ldb_admin, object_dn)
- self.create_configuration_container(_ldb, object_dn, )
- desc_sddl = self.get_desc_sddl(object_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
- self.check_modify_inheritance(_ldb, object_dn)
-
- def test_166(self):
- user_name = "testuser7"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- # Create example Configuration container
- container_name = "test-container1"
- object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
- self.delete_force(self.ldb_admin, object_dn)
- self.create_configuration_container(_ldb, object_dn, )
- desc_sddl = self.get_desc_sddl(object_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
- self.check_modify_inheritance(_ldb, object_dn)
-
- def test_167(self):
- user_name = "testuser8"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- # Create example Configuration container
- container_name = "test-container1"
- object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
- self.delete_force(self.ldb_admin, object_dn)
- self.create_configuration_container(_ldb, object_dn, )
- desc_sddl = self.get_desc_sddl(object_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
- self.check_modify_inheritance(_ldb, object_dn)
-
- # Custom descriptor tests ##################################################################
-
- def test_168(self):
- user_name = "testuser1"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- # Create example Configuration container
- container_name = "test-container1"
- object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
- self.delete_force(self.ldb_admin, object_dn)
- # Create a custom security descriptor
- desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
- self.create_configuration_container(_ldb, object_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(object_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual("O:DAG:DA", res)
-
- def test_169(self):
- user_name = "testuser2"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- # Create example Configuration container
- container_name = "test-container1"
- object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
- self.delete_force(self.ldb_admin, object_dn)
- # Create a custom security descriptor
- desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
- self.create_configuration_container(_ldb, object_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(object_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual("O:DAG:DA", res)
-
- def test_170(self):
- user_name = "testuser3"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- # Create example Configuration container
- object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_configuration_container(self.ldb_admin, object_dn, )
- user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
- mod = "(A;;CC;;;AU)"
- self.dacl_add_ace(object_dn, mod)
- # Create child object with user's credentials
- object_dn = "CN=test-specifier1," + object_dn
- self.delete_force(self.ldb_admin, object_dn)
- # Create a custom security descriptor
- # NB! Problematic owner part won't accept DA only <User Sid> !!!
- desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
- self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(object_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
-
- def test_171(self):
- user_name = "testuser4"
- self.check_user_belongs(self.get_users_domain_dn(user_name), [])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- # Create example Configuration container
- object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_configuration_container(self.ldb_admin, object_dn, )
- user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
- mod = "(A;;CC;;;AU)"
- self.dacl_add_ace(object_dn, mod)
- # Create child object with user's credentials
- object_dn = "CN=test-specifier1," + object_dn
- self.delete_force(self.ldb_admin, object_dn)
- # Create a custom security descriptor
- # NB! Problematic owner part won't accept DA only <User Sid> !!!
- desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
- self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(object_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
-
- def test_172(self):
- user_name = "testuser5"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- # Create example Configuration container
- container_name = "test-container1"
- object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
- self.delete_force(self.ldb_admin, object_dn)
- # Create a custom security descriptor
- desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
- self.create_configuration_container(_ldb, object_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(object_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual("O:DAG:DA", res)
-
- def test_173(self):
- user_name = "testuser6"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- # Create example Configuration container
- container_name = "test-container1"
- object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
- self.delete_force(self.ldb_admin, object_dn)
- # Create a custom security descriptor
- desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
- self.create_configuration_container(_ldb, object_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(object_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual("O:DAG:DA", res)
-
- def test_174(self):
- user_name = "testuser7"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- # Create example Configuration container
- container_name = "test-container1"
- object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
- self.delete_force(self.ldb_admin, object_dn)
- # Create a custom security descriptor
- desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
- self.create_configuration_container(_ldb, object_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(object_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual("O:DAG:DA", res)
-
- def test_175(self):
- user_name = "testuser8"
- self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
- # Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection(user_name, "samba123@")
- # Create example Configuration container
- container_name = "test-container1"
- object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
- self.delete_force(self.ldb_admin, object_dn)
- # Create a custom security descriptor
- desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
- self.create_configuration_container(_ldb, object_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(object_dn)
- res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual("O:DAG:DA", res)
-
- ########################################################################################
- # Inharitance tests for DACL
-
-class DaclDescriptorTests(DescriptorTests):
-
- def deleteAll(self):
- self.delete_force(self.ldb_admin, "CN=test_inherit_group,OU=test_inherit_ou," + self.base_dn)
- self.delete_force(self.ldb_admin, "OU=test_inherit_ou," + self.base_dn)
-
- def setUp(self):
- super(DaclDescriptorTests, self).setUp()
- self.deleteAll()
-
- def create_clean_ou(self, object_dn):
- """ Base repeating setup for unittests to follow """
- res = self.ldb_admin.search(base=self.base_dn, scope=SCOPE_SUBTREE, \
- expression="distinguishedName=%s" % object_dn)
- # Make sure top testing OU has been deleted before starting the test
- self.assertEqual(res, [])
- self.create_domain_ou(self.ldb_admin, object_dn)
- desc_sddl = self.get_desc_sddl(object_dn)
- # Make sure there are inheritable ACEs initially
- self.assertTrue("CI" in desc_sddl or "OI" in desc_sddl)
- # Find and remove all inherit ACEs
- res = re.findall("\(.*?\)", desc_sddl)
- res = [x for x in res if ("CI" in x) or ("OI" in x)]
- for x in res:
- desc_sddl = desc_sddl.replace(x, "")
- # Add flag 'protected' in both DACL and SACL so no inherit ACEs
- # can propagate from above
- # remove SACL, we are not interested
- desc_sddl = desc_sddl.replace(":AI", ":AIP")
- self.modify_desc(self.ldb_admin, object_dn, desc_sddl)
- # Verify all inheritable ACEs are gone
- desc_sddl = self.get_desc_sddl(object_dn)
- self.assertFalse("CI" in desc_sddl)
- self.assertFalse("OI" in desc_sddl)
-
- def test_200(self):
- """ OU with protected flag and child group. See if the group has inherit ACEs.
- """
- ou_dn = "OU=test_inherit_ou," + self.base_dn
- group_dn = "CN=test_inherit_group," + ou_dn
- # Create inheritable-free OU
- self.create_clean_ou(ou_dn)
- # Create group child object
- self.create_domain_group(self.ldb_admin, group_dn)
- # Make sure created group object contains NO inherit ACEs
- desc_sddl = self.get_desc_sddl(group_dn)
- self.assertFalse("ID" in desc_sddl)
-
- def test_201(self):
- """ OU with protected flag and no inherit ACEs, child group with custom descriptor.
- Verify group has custom and default ACEs only.
- """
- ou_dn = "OU=test_inherit_ou," + self.base_dn
- group_dn = "CN=test_inherit_group," + ou_dn
- # Create inheritable-free OU
- self.create_clean_ou(ou_dn)
- # Create group child object using custom security descriptor
- sddl = "O:AUG:AUD:AI(D;;WP;;;DU)"
- self.create_domain_group(self.ldb_admin, group_dn, sddl)
- # Make sure created group descriptor has NO additional ACEs
- desc_sddl = self.get_desc_sddl(group_dn)
- self.assertEqual(desc_sddl, sddl)
- sddl = "O:AUG:AUD:AI(D;;CC;;;LG)"
- self.modify_desc(self.ldb_admin, group_dn, sddl)
- desc_sddl = self.get_desc_sddl(group_dn)
- self.assertEqual(desc_sddl, sddl)
-
- def test_202(self):
- """ OU with protected flag and add couple non-inheritable ACEs, child group.
- See if the group has any of the added ACEs.
- """
- ou_dn = "OU=test_inherit_ou," + self.base_dn
- group_dn = "CN=test_inherit_group," + ou_dn
- # Create inheritable-free OU
- self.create_clean_ou(ou_dn)
- # Add some custom non-inheritable ACEs
- mod = "(D;;WP;;;DU)(A;;RP;;;DU)"
- moded = "(D;;CC;;;LG)"
- self.dacl_add_ace(ou_dn, mod)
- # Verify all inheritable ACEs are gone
- desc_sddl = self.get_desc_sddl(ou_dn)
- # Create group child object
- self.create_domain_group(self.ldb_admin, group_dn)
- # Make sure created group object contains NO inherit ACEs
- # also make sure the added above non-inheritable ACEs are absent too
- desc_sddl = self.get_desc_sddl(group_dn)
- self.assertFalse("ID" in desc_sddl)
- for x in re.findall("\(.*?\)", mod):
- self.assertFalse(x in desc_sddl)
- self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
- desc_sddl = self.get_desc_sddl(group_dn)
- self.assertFalse("ID" in desc_sddl)
- for x in re.findall("\(.*?\)", mod):
- self.assertFalse(x in desc_sddl)
-
- def test_203(self):
- """ OU with protected flag and add 'CI' ACE, child group.
- See if the group has the added inherited ACE.
- """
- ou_dn = "OU=test_inherit_ou," + self.base_dn
- group_dn = "CN=test_inherit_group," + ou_dn
- # Create inheritable-free OU
- self.create_clean_ou(ou_dn)
- # Add some custom 'CI' ACE
- mod = "(D;CI;WP;;;DU)"
- moded = "(D;;CC;;;LG)"
- self.dacl_add_ace(ou_dn, mod)
- desc_sddl = self.get_desc_sddl(ou_dn)
- # Create group child object
- self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
- # Make sure created group object contains only the above inherited ACE
- # that we've added manually
- desc_sddl = self.get_desc_sddl(group_dn)
- mod = mod.replace(";CI;", ";CIID;")
- self.assertTrue(mod in desc_sddl)
- self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
- desc_sddl = self.get_desc_sddl(group_dn)
- self.assertTrue(moded in desc_sddl)
- self.assertTrue(mod in desc_sddl)
-
- def test_204(self):
- """ OU with protected flag and add 'OI' ACE, child group.
- See if the group has the added inherited ACE.
- """
- ou_dn = "OU=test_inherit_ou," + self.base_dn
- group_dn = "CN=test_inherit_group," + ou_dn
- # Create inheritable-free OU
- self.create_clean_ou(ou_dn)
- # Add some custom 'CI' ACE
- mod = "(D;OI;WP;;;DU)"
- moded = "(D;;CC;;;LG)"
- self.dacl_add_ace(ou_dn, mod)
- desc_sddl = self.get_desc_sddl(ou_dn)
- # Create group child object
- self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
- # Make sure created group object contains only the above inherited ACE
- # that we've added manually
- desc_sddl = self.get_desc_sddl(group_dn)
- mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
- self.assertTrue(mod in desc_sddl)
- self.modify_desc(self.ldb_admin, group_dn, "D:" +moded)
- desc_sddl = self.get_desc_sddl(group_dn)
- self.assertTrue(moded in desc_sddl)
- self.assertTrue(mod in desc_sddl)
-
- def test_205(self):
- """ OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group.
- See if the group has the added inherited ACE.
- """
- ou_dn = "OU=test_inherit_ou," + self.base_dn
- group_dn = "CN=test_inherit_group," + ou_dn
- # Create inheritable-free OU
- self.create_clean_ou(ou_dn)
- # Add some custom 'OA' for 'name' attribute & 'CI' ACE
- mod = "(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
- moded = "(D;;CC;;;LG)"
- self.dacl_add_ace(ou_dn, mod)
- desc_sddl = self.get_desc_sddl(ou_dn)
- # Create group child object
- self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
- # Make sure created group object contains only the above inherited ACE
- # that we've added manually
- desc_sddl = self.get_desc_sddl(group_dn)
- mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
- self.assertTrue(mod in desc_sddl)
- self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
- desc_sddl = self.get_desc_sddl(group_dn)
- self.assertTrue(moded in desc_sddl)
- self.assertTrue(mod in desc_sddl)
-
- def test_206(self):
- """ OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group.
- See if the group has the added inherited ACE.
- """
- ou_dn = "OU=test_inherit_ou," + self.base_dn
- group_dn = "CN=test_inherit_group," + ou_dn
- # Create inheritable-free OU
- self.create_clean_ou(ou_dn)
- # Add some custom 'OA' for 'name' attribute & 'OI' ACE
- mod = "(OA;OI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
- moded = "(D;;CC;;;LG)"
- self.dacl_add_ace(ou_dn, mod)
- desc_sddl = self.get_desc_sddl(ou_dn)
- # Create group child object
- self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
- # Make sure created group object contains only the above inherited ACE
- # that we've added manually
- desc_sddl = self.get_desc_sddl(group_dn)
- mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
- self.assertTrue(mod in desc_sddl)
- self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
- desc_sddl = self.get_desc_sddl(group_dn)
- self.assertTrue(moded in desc_sddl)
- self.assertTrue(mod in desc_sddl)
-
- def test_207(self):
- """ OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group.
- See if the group has the added inherited ACE.
- """
- ou_dn = "OU=test_inherit_ou," + self.base_dn
- group_dn = "CN=test_inherit_group," + ou_dn
- # Create inheritable-free OU
- self.create_clean_ou(ou_dn)
- # Add some custom 'OA' for 'st' attribute (OU specific) & 'CI' ACE
- mod = "(OA;CI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
- moded = "(D;;CC;;;LG)"
- self.dacl_add_ace(ou_dn, mod)
- desc_sddl = self.get_desc_sddl(ou_dn)
- # Create group child object
- self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
- # Make sure created group object contains only the above inherited ACE
- # that we've added manually
- desc_sddl = self.get_desc_sddl(group_dn)
- mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
- self.assertTrue(mod in desc_sddl)
- self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
- desc_sddl = self.get_desc_sddl(group_dn)
- self.assertTrue(moded in desc_sddl)
- self.assertTrue(mod in desc_sddl)
-
- def test_208(self):
- """ OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group.
- See if the group has the added inherited ACE.
- """
- ou_dn = "OU=test_inherit_ou," + self.base_dn
- group_dn = "CN=test_inherit_group," + ou_dn
- # Create inheritable-free OU
- self.create_clean_ou(ou_dn)
- # Add some custom 'OA' for 'st' attribute (OU specific) & 'OI' ACE
- mod = "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
- moded = "(D;;CC;;;LG)"
- self.dacl_add_ace(ou_dn, mod)
- desc_sddl = self.get_desc_sddl(ou_dn)
- # Create group child object
- self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
- # Make sure created group object contains only the above inherited ACE
- # that we've added manually
- desc_sddl = self.get_desc_sddl(group_dn)
- mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
- self.assertTrue(mod in desc_sddl)
- self.modify_desc(self.ldb_admin, group_dn, "D:(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + moded)
- desc_sddl = self.get_desc_sddl(group_dn)
- self.assertTrue(moded in desc_sddl)
- self.assertTrue(mod in desc_sddl)
-
- def test_209(self):
- """ OU with protected flag and add 'CI' ACE with 'CO' SID, child group.
- See if the group has the added inherited ACE.
- """
- ou_dn = "OU=test_inherit_ou," + self.base_dn
- group_dn = "CN=test_inherit_group," + ou_dn
- # Create inheritable-free OU
- self.create_clean_ou(ou_dn)
- # Add some custom 'CI' ACE
- mod = "(D;CI;WP;;;CO)"
- moded = "(D;;CC;;;LG)"
- self.dacl_add_ace(ou_dn, mod)
- desc_sddl = self.get_desc_sddl(ou_dn)
- # Create group child object
- self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
- # Make sure created group object contains only the above inherited ACE(s)
- # that we've added manually
- desc_sddl = self.get_desc_sddl(group_dn)
- self.assertTrue("(D;ID;WP;;;AU)" in desc_sddl)
- self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
- self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
- desc_sddl = self.get_desc_sddl(group_dn)
- self.assertTrue(moded in desc_sddl)
- self.assertTrue("(D;ID;WP;;;DA)" in desc_sddl)
- self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
-
- def test_210(self):
- """ OU with protected flag, provide ACEs with ID flag raised. Should be ignored.
- """
- ou_dn = "OU=test_inherit_ou," + self.base_dn
- group_dn = "CN=test_inherit_group," + ou_dn
- self.create_clean_ou(ou_dn)
- # Add some custom ACE
- mod = "D:(D;CIIO;WP;;;CO)(A;ID;WP;;;AU)"
- self.create_domain_group(self.ldb_admin, group_dn, mod)
- # Make sure created group object does not contain the ID ace
- desc_sddl = self.get_desc_sddl(group_dn)
- self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl)
-
- def test_211(self):
- """ Provide ACE with CO SID, should be expanded and replaced
- """
- ou_dn = "OU=test_inherit_ou," + self.base_dn
- group_dn = "CN=test_inherit_group," + ou_dn
- # Create inheritable-free OU
- self.create_clean_ou(ou_dn)
- # Add some custom 'CI' ACE
- mod = "D:(D;CI;WP;;;CO)"
- self.create_domain_group(self.ldb_admin, group_dn, mod)
- desc_sddl = self.get_desc_sddl(group_dn)
- self.assertTrue("(D;;WP;;;DA)(D;CIIO;WP;;;CO)" in desc_sddl)
-
- def test_212(self):
- """ Provide ACE with IO flag, should be ignored
- """
- ou_dn = "OU=test_inherit_ou," + self.base_dn
- group_dn = "CN=test_inherit_group," + ou_dn
- # Create inheritable-free OU
- self.create_clean_ou(ou_dn)
- # Add some custom 'CI' ACE
- mod = "D:(D;CIIO;WP;;;CO)"
- self.create_domain_group(self.ldb_admin, group_dn, mod)
- # Make sure created group object contains only the above inherited ACE(s)
- # that we've added manually
- desc_sddl = self.get_desc_sddl(group_dn)
- self.assertTrue("(D;CIIO;WP;;;CO)" in desc_sddl)
- self.assertFalse("(D;;WP;;;DA)" in desc_sddl)
- self.assertFalse("(D;CIIO;WP;;;CO)(D;CIIO;WP;;;CO)" in desc_sddl)
-
- def test_213(self):
- """ Provide ACE with IO flag, should be ignored
- """
- ou_dn = "OU=test_inherit_ou," + self.base_dn
- group_dn = "CN=test_inherit_group," + ou_dn
- # Create inheritable-free OU
- self.create_clean_ou(ou_dn)
- mod = "D:(D;IO;WP;;;DA)"
- self.create_domain_group(self.ldb_admin, group_dn, mod)
- # Make sure created group object contains only the above inherited ACE(s)
- # that we've added manually
- desc_sddl = self.get_desc_sddl(group_dn)
- self.assertFalse("(D;IO;WP;;;DA)" in desc_sddl)
-
- ########################################################################################
-
-
-class SdFlagsDescriptorTests(DescriptorTests):
- def deleteAll(self):
- self.delete_force(self.ldb_admin, "OU=test_sdflags_ou," + self.base_dn)
-
- def setUp(self):
- super(SdFlagsDescriptorTests, self).setUp()
- self.test_descr = "O:AUG:AUD:(D;;CC;;;LG)S:(OU;;WP;;;AU)"
- self.deleteAll()
-
- def test_301(self):
- """ Modify a descriptor with OWNER_SECURITY_INFORMATION set.
- See that only the owner has been changed.
- """
- ou_dn = "OU=test_sdflags_ou," + self.base_dn
- self.create_domain_ou(self.ldb_admin, ou_dn)
- self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
- desc_sddl = self.get_desc_sddl(ou_dn)
- # make sure we have modified the owner
- self.assertTrue("O:AU" in desc_sddl)
- # make sure nothing else has been modified
- self.assertFalse("G:AU" in desc_sddl)
- self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
- self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
-
- def test_302(self):
- """ Modify a descriptor with GROUP_SECURITY_INFORMATION set.
- See that only the owner has been changed.
- """
- ou_dn = "OU=test_sdflags_ou," + self.base_dn
- self.create_domain_ou(self.ldb_admin, ou_dn)
- self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
- desc_sddl = self.get_desc_sddl(ou_dn)
- # make sure we have modified the group
- self.assertTrue("G:AU" in desc_sddl)
- # make sure nothing else has been modified
- self.assertFalse("O:AU" in desc_sddl)
- self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
- self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
-
- def test_303(self):
- """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
- See that only the owner has been changed.
- """
- ou_dn = "OU=test_sdflags_ou," + self.base_dn
- self.create_domain_ou(self.ldb_admin, ou_dn)
- self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
- desc_sddl = self.get_desc_sddl(ou_dn)
- # make sure we have modified the DACL
- self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
- # make sure nothing else has been modified
- self.assertFalse("O:AU" in desc_sddl)
- self.assertFalse("G:AU" in desc_sddl)
- self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
-
- def test_304(self):
- """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
- See that only the owner has been changed.
- """
- ou_dn = "OU=test_sdflags_ou," + self.base_dn
- self.create_domain_ou(self.ldb_admin, ou_dn)
- self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
- desc_sddl = self.get_desc_sddl(ou_dn)
- # make sure we have modified the DACL
- self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
- # make sure nothing else has been modified
- self.assertFalse("O:AU" in desc_sddl)
- self.assertFalse("G:AU" in desc_sddl)
- self.assertFalse("(D;;CC;;;LG)" in desc_sddl)
-
- def test_305(self):
- """ Modify a descriptor with 0x0 set.
- Contrary to logic this is interpreted as no control,
- which is the same as 0xF
- """
- ou_dn = "OU=test_sdflags_ou," + self.base_dn
- self.create_domain_ou(self.ldb_admin, ou_dn)
- self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:0"])
- desc_sddl = self.get_desc_sddl(ou_dn)
- # make sure we have modified the DACL
- self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
- # make sure nothing else has been modified
- self.assertTrue("O:AU" in desc_sddl)
- self.assertTrue("G:AU" in desc_sddl)
- self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
-
- def test_306(self):
- """ Modify a descriptor with 0xF set.
- """
- ou_dn = "OU=test_sdflags_ou," + self.base_dn
- self.create_domain_ou(self.ldb_admin, ou_dn)
- self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:15"])
- desc_sddl = self.get_desc_sddl(ou_dn)
- # make sure we have modified the DACL
- self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
- # make sure nothing else has been modified
- self.assertTrue("O:AU" in desc_sddl)
- self.assertTrue("G:AU" in desc_sddl)
- self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
-
- def test_307(self):
- """ Read a descriptor with OWNER_SECURITY_INFORMATION
- Only the owner part should be returned.
- """
- ou_dn = "OU=test_sdflags_ou," + self.base_dn
- self.create_domain_ou(self.ldb_admin, ou_dn)
- desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
- # make sure we have read the owner
- self.assertTrue("O:" in desc_sddl)
- # make sure we have read nothing else
- self.assertFalse("G:" in desc_sddl)
- self.assertFalse("D:" in desc_sddl)
- self.assertFalse("S:" in desc_sddl)
-
- def test_308(self):
- """ Read a descriptor with GROUP_SECURITY_INFORMATION
- Only the group part should be returned.
- """
- ou_dn = "OU=test_sdflags_ou," + self.base_dn
- self.create_domain_ou(self.ldb_admin, ou_dn)
- desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
- # make sure we have read the owner
- self.assertTrue("G:" in desc_sddl)
- # make sure we have read nothing else
- self.assertFalse("O:" in desc_sddl)
- self.assertFalse("D:" in desc_sddl)
- self.assertFalse("S:" in desc_sddl)
-
- def test_309(self):
- """ Read a descriptor with SACL_SECURITY_INFORMATION
- Only the sacl part should be returned.
- """
- ou_dn = "OU=test_sdflags_ou," + self.base_dn
- self.create_domain_ou(self.ldb_admin, ou_dn)
- desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
- # make sure we have read the owner
- self.assertTrue("S:" in desc_sddl)
- # make sure we have read nothing else
- self.assertFalse("O:" in desc_sddl)
- self.assertFalse("D:" in desc_sddl)
- self.assertFalse("G:" in desc_sddl)
-
- def test_310(self):
- """ Read a descriptor with DACL_SECURITY_INFORMATION
- Only the dacl part should be returned.
- """
- ou_dn = "OU=test_sdflags_ou," + self.base_dn
- self.create_domain_ou(self.ldb_admin, ou_dn)
- desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
- # make sure we have read the owner
- self.assertTrue("D:" in desc_sddl)
- # make sure we have read nothing else
- self.assertFalse("O:" in desc_sddl)
- self.assertFalse("S:" in desc_sddl)
- self.assertFalse("G:" in desc_sddl)
-
-
-class RightsAttributesTests(DescriptorTests):
-
- def deleteAll(self):
- self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr"))
- self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr2"))
- self.delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
-
- def setUp(self):
- super(RightsAttributesTests, self).setUp()
- self.deleteAll()
- ### Create users
- # User 1
- self.create_enable_user("testuser_attr")
- # User 2, Domain Admins
- self.create_enable_user("testuser_attr2")
- self.add_user_to_group(self.ldb_admin, "testuser_attr2", "Domain Admins")
-
- def test_sDRightsEffective(self):
- object_dn = "OU=test_domain_ou1," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_domain_ou(self.ldb_admin, object_dn)
- print self.get_users_domain_dn("testuser_attr")
- user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr"))
- #give testuser1 read access so attributes can be retrieved
- mod = "(A;CI;RP;;;%s)" % str(user_sid)
- self.dacl_add_ace(object_dn, mod)
- _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
- res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
- attrs=["sDRightsEffective"])
- #user whould have no rights at all
- self.assertEquals(len(res), 1)
- self.assertEquals(res[0]["sDRightsEffective"][0], "0")
- #give the user Write DACL and see what happens
- mod = "(A;CI;WD;;;%s)" % str(user_sid)
- self.dacl_add_ace(object_dn, mod)
- res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
- attrs=["sDRightsEffective"])
- #user whould have DACL_SECURITY_INFORMATION
- self.assertEquals(len(res), 1)
- self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % SECINFO_DACL)
- #give the user Write Owners and see what happens
- mod = "(A;CI;WO;;;%s)" % str(user_sid)
- self.dacl_add_ace(object_dn, mod)
- res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
- attrs=["sDRightsEffective"])
- #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
- self.assertEquals(len(res), 1)
- self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER))
- #no way to grant security privilege bu adding ACE's so we use a memeber of Domain Admins
- _ldb = self.get_ldb_connection("testuser_attr2", "samba123@")
- res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
- attrs=["sDRightsEffective"])
- #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
- self.assertEquals(len(res), 1)
- self.assertEquals(res[0]["sDRightsEffective"][0], \
- ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER | SECINFO_SACL))
-
- def test_allowedChildClassesEffective(self):
- object_dn = "OU=test_domain_ou1," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_domain_ou(self.ldb_admin, object_dn)
- user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr"))
- #give testuser1 read access so attributes can be retrieved
- mod = "(A;CI;RP;;;%s)" % str(user_sid)
- self.dacl_add_ace(object_dn, mod)
- _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
- res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
- attrs=["allowedChildClassesEffective"])
- #there should be no allowed child classes
- self.assertEquals(len(res), 1)
- self.assertFalse("allowedChildClassesEffective" in res[0].keys())
- #give the user the right to create children of type user
- mod = "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
- self.dacl_add_ace(object_dn, mod)
- res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
- attrs=["allowedChildClassesEffective"])
- # allowedChildClassesEffective should only have one value, user
- self.assertEquals(len(res), 1)
- self.assertEquals(len(res[0]["allowedChildClassesEffective"]), 1)
- self.assertEquals(res[0]["allowedChildClassesEffective"][0], "user")
-
- def test_allowedAttributesEffective(self):
- object_dn = "OU=test_domain_ou1," + self.base_dn
- self.delete_force(self.ldb_admin, object_dn)
- self.create_domain_ou(self.ldb_admin, object_dn)
- user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr"))
- #give testuser1 read access so attributes can be retrieved
- mod = "(A;CI;RP;;;%s)" % str(user_sid)
- self.dacl_add_ace(object_dn, mod)
- _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
- res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
- attrs=["allowedAttributesEffective"])
- #there should be no allowed attributes
- self.assertEquals(len(res), 1)
- self.assertFalse("allowedAttributesEffective" in res[0].keys())
- #give the user the right to write displayName and managedBy
- mod2 = "(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
- mod = "(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;%s)" % str(user_sid)
- # also rights to modify an read only attribute, fromEntry
- mod3 = "(OA;CI;WP;9a7ad949-ca53-11d1-bbd0-0080c76670c0;;%s)" % str(user_sid)
- self.dacl_add_ace(object_dn, mod + mod2 + mod3)
- res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
- attrs=["allowedAttributesEffective"])
- # value should only contain user and managedBy
- self.assertEquals(len(res), 1)
- self.assertEquals(len(res[0]["allowedAttributesEffective"]), 2)
- self.assertTrue("displayName" in res[0]["allowedAttributesEffective"])
- self.assertTrue("managedBy" in res[0]["allowedAttributesEffective"])
-
-if not "://" in host:
- if os.path.isfile(host):
- host = "tdb://%s" % host
- else:
- host = "ldap://%s" % host
-
-ldb = SamDB(host, credentials=creds, session_info=system_session(), lp=lp, options=["modules:paged_searches"])
-
-runner = SubunitTestRunner()
-rc = 0
-if not runner.run(unittest.makeSuite(OwnerGroupDescriptorTests)).wasSuccessful():
- rc = 1
-if not runner.run(unittest.makeSuite(DaclDescriptorTests)).wasSuccessful():
- rc = 1
-if not runner.run(unittest.makeSuite(SdFlagsDescriptorTests)).wasSuccessful():
- rc = 1
-if not runner.run(unittest.makeSuite(RightsAttributesTests)).wasSuccessful():
- rc = 1
-sys.exit(rc)
diff --git a/source4/lib/ldb/tests/python/urgent_replication.py b/source4/lib/ldb/tests/python/urgent_replication.py
deleted file mode 100755
index 5e9f4ad128..0000000000
--- a/source4/lib/ldb/tests/python/urgent_replication.py
+++ /dev/null
@@ -1,386 +0,0 @@
-#!/usr/bin/env python
-# -*- coding: utf-8 -*-
-
-import optparse
-import sys
-import os
-
-sys.path.append("bin/python")
-import samba
-samba.ensure_external_module("subunit", "subunit/python")
-samba.ensure_external_module("testtools", "testtools")
-
-import samba.getopt as options
-
-from samba.auth import system_session
-from ldb import (SCOPE_BASE, LdbError, ERR_NO_SUCH_OBJECT, Message,
- MessageElement, Dn, FLAG_MOD_REPLACE)
-from samba.samdb import SamDB
-import samba.tests
-
-from subunit.run import SubunitTestRunner
-import unittest
-
-parser = optparse.OptionParser("urgent_replication [options] <host>")
-sambaopts = options.SambaOptions(parser)
-parser.add_option_group(sambaopts)
-parser.add_option_group(options.VersionOptions(parser))
-# use command line creds if available
-credopts = options.CredentialsOptions(parser)
-parser.add_option_group(credopts)
-opts, args = parser.parse_args()
-
-if len(args) < 1:
- parser.print_usage()
- sys.exit(1)
-
-host = args[0]
-
-lp = sambaopts.get_loadparm()
-creds = credopts.get_credentials(lp)
-
-class UrgentReplicationTests(samba.tests.TestCase):
-
- def delete_force(self, ldb, dn):
- try:
- ldb.delete(dn)
- except LdbError, (num, _):
- self.assertEquals(num, ERR_NO_SUCH_OBJECT)
-
- def find_basedn(self, ldb):
- res = ldb.search(base="", expression="", scope=SCOPE_BASE,
- attrs=["defaultNamingContext"])
- self.assertEquals(len(res), 1)
- return res[0]["defaultNamingContext"][0]
-
- def setUp(self):
- super(UrgentReplicationTests, self).setUp()
- self.ldb = ldb
- self.base_dn = self.find_basedn(ldb)
-
- print "baseDN: %s\n" % self.base_dn
-
- def test_nonurgent_object(self):
- """Test if the urgent replication is not activated
- when handling a non urgent object"""
- self.ldb.add({
- "dn": "cn=nonurgenttest,cn=users," + self.base_dn,
- "objectclass":"user",
- "samaccountname":"nonurgenttest",
- "description":"nonurgenttest description"});
-
- # urgent replication should not be enabled when creating
- res = self.ldb.load_partition_usn(self.base_dn)
- self.assertNotEquals(res["uSNHighest"], res["uSNUrgent"]);
-
- # urgent replication should not be enabled when modifying
- m = Message()
- m.dn = Dn(ldb, "cn=nonurgenttest,cn=users," + self.base_dn)
- m["description"] = MessageElement("new description", FLAG_MOD_REPLACE,
- "description")
- ldb.modify(m)
- res = self.ldb.load_partition_usn(self.base_dn)
- self.assertNotEquals(res["uSNHighest"], res["uSNUrgent"]);
-
- # urgent replication should not be enabled when deleting
- self.delete_force(self.ldb, "cn=nonurgenttest,cn=users," + self.base_dn)
- res = self.ldb.load_partition_usn(self.base_dn)
- self.assertNotEquals(res["uSNHighest"], res["uSNUrgent"]);
-
-
- def test_nTDSDSA_object(self):
- '''Test if the urgent replication is activated
- when handling a nTDSDSA object'''
- self.ldb.add({
- "dn": "cn=test server,cn=Servers,cn=Default-First-Site-Name,cn=Sites,cn=Configuration," + self.base_dn,
- "objectclass":"server",
- "cn":"test server",
- "name":"test server",
- "systemFlags":"50000000"});
-
- self.ldb.add_ldif(
- """dn: cn=NTDS Settings test,cn=test server,cn=Servers,cn=Default-First-Site-Name,cn=Sites,cn=Configuration,%s""" % (self.base_dn) + """
-objectclass: nTDSDSA
-cn: NTDS Settings test
-options: 1
-instanceType: 4
-systemFlags: 33554432""", ["relax:0"]);
-
- # urgent replication should be enabled when creation
- res = self.ldb.load_partition_usn("cn=Configuration," + self.base_dn)
- self.assertEquals(res["uSNHighest"], res["uSNUrgent"]);
-
- # urgent replication should NOT be enabled when modifying
- m = Message()
- m.dn = Dn(ldb, "cn=NTDS Settings test,cn=test server,cn=Servers,cn=Default-First-Site-Name,cn=Sites,cn=Configuration," + self.base_dn)
- m["options"] = MessageElement("0", FLAG_MOD_REPLACE,
- "options")
- ldb.modify(m)
- res = self.ldb.load_partition_usn("cn=Configuration," + self.base_dn)
- self.assertNotEquals(res["uSNHighest"], res["uSNUrgent"]);
-
- # urgent replication should be enabled when deleting
- self.delete_force(self.ldb, "cn=NTDS Settings test,cn=test server,cn=Servers,cn=Default-First-Site-Name,cn=Sites,cn=Configuration," + self.base_dn)
- res = self.ldb.load_partition_usn("cn=Configuration," + self.base_dn)
- self.assertEquals(res["uSNHighest"], res["uSNUrgent"]);
-
- self.delete_force(self.ldb, "cn=test server,cn=Servers,cn=Default-First-Site-Name,cn=Sites,cn=Configuration," + self.base_dn)
-
-
- def test_crossRef_object(self):
- '''Test if the urgent replication is activated
- when handling a crossRef object'''
- self.ldb.add({
- "dn": "CN=test crossRef,CN=Partitions,CN=Configuration,"+ self.base_dn,
- "objectClass": "crossRef",
- "cn": "test crossRef",
- "dnsRoot": lp.get("realm").lower(),
- "instanceType": "4",
- "nCName": self.base_dn,
- "showInAdvancedViewOnly": "TRUE",
- "name": "test crossRef",
- "systemFlags": "1"});
-
- # urgent replication should be enabled when creating
- res = self.ldb.load_partition_usn("cn=Configuration," + self.base_dn)
- self.assertEquals(res["uSNHighest"], res["uSNUrgent"]);
-
- # urgent replication should NOT be enabled when modifying
- m = Message()
- m.dn = Dn(ldb, "cn=test crossRef,CN=Partitions,CN=Configuration," + self.base_dn)
- m["systemFlags"] = MessageElement("0", FLAG_MOD_REPLACE,
- "systemFlags")
- ldb.modify(m)
- res = self.ldb.load_partition_usn("cn=Configuration," + self.base_dn)
- self.assertNotEquals(res["uSNHighest"], res["uSNUrgent"]);
-
-
- # urgent replication should be enabled when deleting
- self.delete_force(self.ldb, "cn=test crossRef,CN=Partitions,CN=Configuration," + self.base_dn)
- res = self.ldb.load_partition_usn("cn=Configuration," + self.base_dn)
- self.assertEquals(res["uSNHighest"], res["uSNUrgent"]);
-
-
-
- def test_attributeSchema_object(self):
- '''Test if the urgent replication is activated
- when handling an attributeSchema object'''
-
- try:
- self.ldb.add_ldif(
- """dn: CN=test attributeSchema,cn=Schema,CN=Configuration,%s""" % self.base_dn + """
-objectClass: attributeSchema
-cn: test attributeSchema
-instanceType: 4
-isSingleValued: FALSE
-showInAdvancedViewOnly: FALSE
-attributeID: 0.9.2342.19200300.100.1.1
-attributeSyntax: 2.5.5.12
-adminDisplayName: test attributeSchema
-adminDescription: test attributeSchema
-oMSyntax: 64
-systemOnly: FALSE
-searchFlags: 8
-lDAPDisplayName: test attributeSchema
-name: test attributeSchema
-systemFlags: 0""", ["relax:0"]);
-
- # urgent replication should be enabled when creating
- res = self.ldb.load_partition_usn("cn=Schema,cn=Configuration," + self.base_dn)
- self.assertEquals(res["uSNHighest"], res["uSNUrgent"]);
-
- except LdbError:
- print "Not testing urgent replication when creating attributeSchema object ...\n"
-
- # urgent replication should be enabled when modifying
- m = Message()
- m.dn = Dn(ldb, "CN=test attributeSchema,CN=Schema,CN=Configuration," + self.base_dn)
- m["lDAPDisplayName"] = MessageElement("updated test attributeSchema", FLAG_MOD_REPLACE,
- "lDAPDisplayName")
- ldb.modify(m)
- res = self.ldb.load_partition_usn("cn=Schema,cn=Configuration," + self.base_dn)
- self.assertEquals(res["uSNHighest"], res["uSNUrgent"]);
-
-
- def test_classSchema_object(self):
- '''Test if the urgent replication is activated
- when handling a classSchema object'''
- try:
- self.ldb.add_ldif(
- """dn: CN=test classSchema,CN=Schema,CN=Configuration,%s""" % self.base_dn + """
-objectClass: classSchema
-cn: test classSchema
-instanceType: 4
-subClassOf: top
-governsID: 1.2.840.113556.1.5.999
-rDNAttID: cn
-showInAdvancedViewOnly: TRUE
-adminDisplayName: test classSchema
-adminDescription: test classSchema
-objectClassCategory: 1
-lDAPDisplayName: test classSchema
-name: test classSchema
-systemOnly: FALSE
-systemPossSuperiors: dfsConfiguration
-systemMustContain: msDFS-SchemaMajorVersion
-defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCD
- CLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;CO)
-systemFlags: 16
-defaultHidingValue: TRUE""", ["relax:0"]);
-
- # urgent replication should be enabled when creating
- res = self.ldb.load_partition_usn("cn=Schema,cn=Configuration," + self.base_dn)
- self.assertEquals(res["uSNHighest"], res["uSNUrgent"]);
-
- except LdbError:
- print "Not testing urgent replication when creating classSchema object ...\n"
-
- # urgent replication should be enabled when modifying
- m = Message()
- m.dn = Dn(ldb, "CN=test classSchema,CN=Schema,CN=Configuration," + self.base_dn)
- m["lDAPDisplayName"] = MessageElement("updated test classSchema", FLAG_MOD_REPLACE,
- "lDAPDisplayName")
- ldb.modify(m)
- res = self.ldb.load_partition_usn("cn=Schema,cn=Configuration," + self.base_dn)
- self.assertEquals(res["uSNHighest"], res["uSNUrgent"]);
-
-
- def test_secret_object(self):
- '''Test if the urgent replication is activated
- when handling a secret object'''
-
- self.ldb.add({
- "dn": "cn=test secret,cn=System," + self.base_dn,
- "objectClass":"secret",
- "cn":"test secret",
- "name":"test secret",
- "currentValue":"xxxxxxx"});
-
-
- # urgent replication should be enabled when creating
- res = self.ldb.load_partition_usn(self.base_dn)
- self.assertEquals(res["uSNHighest"], res["uSNUrgent"]);
-
- # urgent replication should be enabled when modifying
- m = Message()
- m.dn = Dn(ldb, "cn=test secret,cn=System," + self.base_dn)
- m["currentValue"] = MessageElement("yyyyyyyy", FLAG_MOD_REPLACE,
- "currentValue")
- ldb.modify(m)
- res = self.ldb.load_partition_usn(self.base_dn)
- self.assertEquals(res["uSNHighest"], res["uSNUrgent"]);
-
- # urgent replication should NOT be enabled when deleting
- self.delete_force(self.ldb, "cn=test secret,cn=System," + self.base_dn)
- res = self.ldb.load_partition_usn(self.base_dn)
- self.assertNotEquals(res["uSNHighest"], res["uSNUrgent"]);
-
-
- def test_rIDManager_object(self):
- '''Test if the urgent replication is activated
- when handling a rIDManager object'''
- self.ldb.add_ldif(
- """dn: CN=RID Manager test,CN=System,%s""" % self.base_dn + """
-objectClass: rIDManager
-cn: RID Manager test
-instanceType: 4
-showInAdvancedViewOnly: TRUE
-name: RID Manager test
-systemFlags: -1946157056
-isCriticalSystemObject: TRUE
-rIDAvailablePool: 133001-1073741823""", ["relax:0"])
-
- # urgent replication should be enabled when creating
- res = self.ldb.load_partition_usn(self.base_dn)
- self.assertEquals(res["uSNHighest"], res["uSNUrgent"]);
-
- # urgent replication should be enabled when modifying
- m = Message()
- m.dn = Dn(ldb, "CN=RID Manager test,CN=System," + self.base_dn)
- m["systemFlags"] = MessageElement("0", FLAG_MOD_REPLACE,
- "systemFlags")
- ldb.modify(m)
- res = self.ldb.load_partition_usn(self.base_dn)
- self.assertEquals(res["uSNHighest"], res["uSNUrgent"]);
-
- # urgent replication should NOT be enabled when deleting
- self.delete_force(self.ldb, "CN=RID Manager test,CN=System," + self.base_dn)
- res = self.ldb.load_partition_usn(self.base_dn)
- self.assertNotEquals(res["uSNHighest"], res["uSNUrgent"]);
-
-
- def test_urgent_attributes(self):
- '''Test if the urgent replication is activated
- when handling urgent attributes of an object'''
-
- self.ldb.add({
- "dn": "cn=user UrgAttr test,cn=users," + self.base_dn,
- "objectclass":"user",
- "samaccountname":"user UrgAttr test",
- "userAccountControl":"1",
- "lockoutTime":"0",
- "pwdLastSet":"0",
- "description":"urgent attributes test description"});
-
- # urgent replication should NOT be enabled when creating
- res = self.ldb.load_partition_usn(self.base_dn)
- self.assertNotEquals(res["uSNHighest"], res["uSNUrgent"]);
-
- # urgent replication should be enabled when modifying userAccountControl
- m = Message()
- m.dn = Dn(ldb, "cn=user UrgAttr test,cn=users," + self.base_dn)
- m["userAccountControl"] = MessageElement("0", FLAG_MOD_REPLACE,
- "userAccountControl")
- ldb.modify(m)
- res = self.ldb.load_partition_usn(self.base_dn)
- self.assertEquals(res["uSNHighest"], res["uSNUrgent"]);
-
- # urgent replication should be enabled when modifying lockoutTime
- m = Message()
- m.dn = Dn(ldb, "cn=user UrgAttr test,cn=users," + self.base_dn)
- m["lockoutTime"] = MessageElement("1", FLAG_MOD_REPLACE,
- "lockoutTime")
- ldb.modify(m)
- res = self.ldb.load_partition_usn(self.base_dn)
- self.assertEquals(res["uSNHighest"], res["uSNUrgent"]);
-
- # urgent replication should be enabled when modifying pwdLastSet
- m = Message()
- m.dn = Dn(ldb, "cn=user UrgAttr test,cn=users," + self.base_dn)
- m["pwdLastSet"] = MessageElement("1", FLAG_MOD_REPLACE,
- "pwdLastSet")
- ldb.modify(m)
- res = self.ldb.load_partition_usn(self.base_dn)
- self.assertEquals(res["uSNHighest"], res["uSNUrgent"]);
-
- # urgent replication should NOT be enabled when modifying a not-urgent
- # attribute
- m = Message()
- m.dn = Dn(ldb, "cn=user UrgAttr test,cn=users," + self.base_dn)
- m["description"] = MessageElement("updated urgent attributes test description",
- FLAG_MOD_REPLACE, "description")
- ldb.modify(m)
- res = self.ldb.load_partition_usn(self.base_dn)
- self.assertNotEquals(res["uSNHighest"], res["uSNUrgent"]);
-
- # urgent replication should NOT be enabled when deleting
- self.delete_force(self.ldb, "cn=user UrgAttr test,cn=users," + self.base_dn)
- res = self.ldb.load_partition_usn(self.base_dn)
- self.assertNotEquals(res["uSNHighest"], res["uSNUrgent"]);
-
-
-if not "://" in host:
- if os.path.isfile(host):
- host = "tdb://%s" % host
- else:
- host = "ldap://%s" % host
-
-
-ldb = SamDB(host, credentials=creds, session_info=system_session(), lp=lp,
- global_schema=False)
-
-runner = SubunitTestRunner()
-rc = 0
-if not runner.run(unittest.makeSuite(UrgentReplicationTests)).wasSuccessful():
- rc = 1
-sys.exit(rc)