Diffstat (limited to 'source4/lib/ldb/tests')
-rwxr-xr-xsource4/lib/ldb/tests/python/sec_descriptor.py64
1 files changed, 60 insertions, 4 deletions
diff --git a/source4/lib/ldb/tests/python/sec_descriptor.py b/source4/lib/ldb/tests/python/sec_descriptor.py
index 8763579dc0..3e0be64f9b 100755
--- a/source4/lib/ldb/tests/python/sec_descriptor.py
+++ b/source4/lib/ldb/tests/python/sec_descriptor.py
@@ -208,8 +208,8 @@ showInAdvancedViewOnly: TRUE
ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
_ldb.add_ldif(ldif)
- def read_desc(self, object_dn):
- res = self.ldb_admin.search(base=object_dn, scope=SCOPE_BASE, attrs=["nTSecurityDescriptor"])
+ def read_desc(self, object_dn, controls=None):
+ res = self.ldb_admin.search(base=object_dn, scope=SCOPE_BASE, attrs=["nTSecurityDescriptor"], controls=controls)
desc = res[0]["nTSecurityDescriptor"][0]
return ndr_unpack(security.descriptor, desc)
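Review bot: The new `controls` parameter is undocumented in both helpers: `read_desc` here has no docstring at all, and the docstring of `get_desc_sddl` in the next hunk still describes only a plain read. Anyone using these helpers needs to know that a control such as sd_flags can limit which parts of the descriptor come back, as the new tests expect. I would add `""" Return the object's nTSecurityDescriptor, unpacked; controls (e.g. sd_flags) are passed to the search and may limit the parts returned """` to `read_desc`, and a matching sentence to `get_desc_sddl`.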
@@ -257,10 +257,10 @@ userAccountControl: %s""" % userAccountControl
desc_sddl = desc_sddl + ace
self.modify_desc(self.ldb_admin, object_dn, desc_sddl)
- def get_desc_sddl(self, object_dn):
+ def get_desc_sddl(self, object_dn, controls=None):
""" Return object nTSecutiryDescriptor in SDDL format
"""
- desc = self.read_desc(object_dn)
+ desc = self.read_desc(object_dn, controls)
return desc.as_sddl(self.domain_sid)
def setUp(self):
@@ -1783,6 +1783,62 @@ class SdFlagsDescriptorTests(DescriptorTests):
self.assertTrue("G:AU" in desc_sddl)
self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
+ def test_307(self):
+ """ Read a descriptor with OWNER_SECURITY_INFORMATION
+ Only the owner part should be returned.
+ """
+ ou_dn = "OU=test_sdflags_ou," + self.base_dn
+ self.create_domain_ou(self.ldb_admin, ou_dn)
+ desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
+ # make sure we have read the owner
+ self.assertTrue("O:" in desc_sddl)
+ # make sure we have read nothing else
+ self.assertFalse("G:" in desc_sddl)
+ self.assertFalse("D:" in desc_sddl)
+ self.assertFalse("S:" in desc_sddl)
+
+ def test_308(self):
+ """ Read a descriptor with GROUP_SECURITY_INFORMATION
+ Only the group part should be returned.
+ """
+ ou_dn = "OU=test_sdflags_ou," + self.base_dn
+ self.create_domain_ou(self.ldb_admin, ou_dn)
+ desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
+ # make sure we have read the owner
+ self.assertTrue("G:" in desc_sddl)
+ # make sure we have read nothing else
+ self.assertFalse("O:" in desc_sddl)
+ self.assertFalse("D:" in desc_sddl)
+ self.assertFalse("S:" in desc_sddl)
+
+ def test_309(self):
+ """ Read a descriptor with SACL_SECURITY_INFORMATION
+ Only the sacl part should be returned.
+ """
+ ou_dn = "OU=test_sdflags_ou," + self.base_dn
+ self.create_domain_ou(self.ldb_admin, ou_dn)
+ desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
+ # make sure we have read the owner
+ self.assertTrue("S:" in desc_sddl)
+ # make sure we have read nothing else
+ self.assertFalse("O:" in desc_sddl)
+ self.assertFalse("D:" in desc_sddl)
+ self.assertFalse("G:" in desc_sddl)
+
+ def test_310(self):
+ """ Read a descriptor with DACL_SECURITY_INFORMATION
+ Only the dacl part should be returned.
+ """
+ ou_dn = "OU=test_sdflags_ou," + self.base_dn
+ self.create_domain_ou(self.ldb_admin, ou_dn)
+ desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
+ # make sure we have read the owner
+ self.assertTrue("D:" in desc_sddl)
+ # make sure we have read nothing else
+ self.assertFalse("O:" in desc_sddl)
+ self.assertFalse("S:" in desc_sddl)
+ self.assertFalse("G:" in desc_sddl)
+
if not "://" in host:
host = "ldap://%s" % host
ldb = Ldb(host, credentials=creds, session_info=system_session(), lp=lp, options=["modules:paged_searches"])
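Review bot: The comment `# make sure we have read the owner` is copied unchanged into test_308, test_309 and test_310, where the assertion beneath it checks `G:`, `S:` and `D:` respectively; it should read `# make sure we have read the group`, `# make sure we have read the sacl` and `# make sure we have read the dacl`. These tests pin down which parts of a security descriptor an sd_flags read discloses, so a wrong comment makes a failing access-control test harder to interpret. The positive checks only test that the section prefix is present; comparing the returned part with the same part of an unfiltered `get_desc_sddl(ou_dn)` would also show that the filtered read returns the real value. All four tests create the same `OU=test_sdflags_ou` DN, so they presumably rely on cleanup in setUp/tearDown, which is not visible in this hunk.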