Diffstat (limited to 'source4')
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/objectclass_attrs.c | 5 | ||||
-rwxr-xr-x | source4/dsdb/tests/python/sam.py | 131 |
2 files changed, 50 insertions, 86 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
index 67d11b302d..ba1f7abad1 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
@@ -203,7 +203,10 @@ static int attr_handler2(struct oc_context *ac)
 	/* There exists a hardcoded delete-protected attributes list in AD */
 	const char *del_prot_attributes[] = { "nTSecurityDescriptor", "objectSid", "sAMAccountType", "sAMAccountName", "groupType",
-		"primaryGroupID", "userAccountControl", NULL }, **l;
+		"primaryGroupID", "userAccountControl", "accountExpires",
+		"badPasswordTime", "badPwdCount", "codePage", "countryCode",
+		"lastLogoff", "lastLogon", "logonCount", "pwdLastSet", NULL },
+		**l;
 	const struct dsdb_attribute *attr;
 	unsigned int i;
 	bool found;
diff --git a/source4/dsdb/tests/python/sam.py b/source4/dsdb/tests/python/sam.py
index f8871b7e52..e00e23e9fe 100755
--- a/source4/dsdb/tests/python/sam.py
+++ b/source4/dsdb/tests/python/sam.py
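Review bot: The `**l` declarator now sits on its own line after a five-line initializer, where it reads as a stray continuation of the array rather than a second variable of a different type; declare the cursor separately, `const char **l;`, next to `attr`, and drop `, **l` from the array. This array is mirrored by the attribute list in the sam.py delete-protection test of this same commit, and nothing ties the two together, so a comment above it such as `/* keep in sync with the delete-protection list in source4/dsdb/tests/python/sam.py */` would stop the lists from drifting apart on the next addition. attr_handler2's body continues outside the hunk.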
@@ -616,15 +616,28 @@ class SamTests(unittest.TestCase):
         except LdbError, (num, _):
             self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
 
-        m = Message()
-        m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
-        m["groupType"] = MessageElement([], FLAG_MOD_DELETE,
-          "groupType")
-        try:
-            ldb.modify(m)
-            self.fail()
-        except LdbError, (num, _):
-            self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+        # Delete protection tests
+
+        for attr in ["nTSecurityDescriptor", "objectSid", "sAMAccountType",
+                     "sAMAccountName", "groupType"]:
+
+            m = Message()
+            m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+            m[attr] = MessageElement([], FLAG_MOD_REPLACE, attr)
+            try:
+                ldb.modify(m)
+                self.fail()
+            except LdbError, (num, _):
+                self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+
+            m = Message()
+            m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+            m[attr] = MessageElement([], FLAG_MOD_DELETE, attr)
+            try:
+                ldb.modify(m)
+                self.fail()
+            except LdbError, (num, _):
+                self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
 
         m = Message()
         m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
@@ -638,16 +651,6 @@ class SamTests(unittest.TestCase):
 
         m = Message()
         m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
-        m["primaryGroupID"] = MessageElement([], FLAG_MOD_DELETE,
-          "primaryGroupID")
-        try:
-            ldb.modify(m)
-            self.fail()
-        except LdbError, (num, _):
-            self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
-        m = Message()
-        m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
         m["userAccountControl"] = MessageElement(str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_ADD, "userAccountControl")
         try:
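Review bot: The `self.fail()` and `assertEquals` calls inside the new `for attr in [...]` loop carry no message, so when one of the five attributes is accepted, or rejected with a different error code, the failure output cannot say which attribute it was; thread the name through, `self.fail("modify of %s was accepted" % attr)` and `self.assertEquals(num, ERR_UNWILLING_TO_PERFORM, attr)`, for both the FLAG_MOD_REPLACE and the FLAG_MOD_DELETE case. The same applies to the larger loop in the `@@ -734,25 +689,31 @@` hunk. The enclosing test method starts before this hunk.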
@@ -658,16 +661,6 @@ class SamTests(unittest.TestCase):
 
         m = Message()
         m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
-        m["userAccountControl"] = MessageElement([], FLAG_MOD_DELETE,
-          "userAccountControl")
-        try:
-            ldb.modify(m)
-            self.fail()
-        except LdbError, (num, _):
-            self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
-        m = Message()
-        m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
         m["objectSid"] = MessageElement("xxxxxxxxxxxxxxxx", FLAG_MOD_ADD, "objectSid")
         try:
@@ -678,24 +671,6 @@ class SamTests(unittest.TestCase):
 
         m = Message()
         m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
-        m["objectSid"] = MessageElement([], FLAG_MOD_REPLACE, "objectSid")
-        try:
-            ldb.modify(m)
-            self.fail()
-        except LdbError, (num, _):
-            self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
-        m = Message()
-        m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
-        m["objectSid"] = MessageElement([], FLAG_MOD_DELETE, "objectSid")
-        try:
-            ldb.modify(m)
-            self.fail()
-        except LdbError, (num, _):
-            self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
-        m = Message()
-        m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
         m["sAMAccountType"] = MessageElement("0", FLAG_MOD_ADD, "sAMAccountType")
         try:
@@ -706,26 +681,6 @@ class SamTests(unittest.TestCase):
 
         m = Message()
         m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
-        m["sAMAccountType"] = MessageElement([], FLAG_MOD_REPLACE,
-          "sAMAccountType")
-        try:
-            ldb.modify(m)
-            self.fail()
-        except LdbError, (num, _):
-            self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
-        m = Message()
-        m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
-        m["sAMAccountType"] = MessageElement([], FLAG_MOD_DELETE,
-          "sAMAccountType")
-        try:
-            ldb.modify(m)
-            self.fail()
-        except LdbError, (num, _):
-            self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
-
-        m = Message()
-        m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
         m["sAMAccountName"] = MessageElement("test", FLAG_MOD_ADD, "sAMAccountName")
         try:
@@ -734,25 +689,31 @@ class SamTests(unittest.TestCase):
         except LdbError, (num, _):
             self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
 
-        m = Message()
-        m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
-        m["sAMAccountName"] = MessageElement([], FLAG_MOD_REPLACE,
-          "sAMAccountName")
-        try:
-            ldb.modify(m)
-            self.fail()
-        except LdbError, (num, _):
-            self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+        # Delete protection tests
 
-        m = Message()
-        m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
-        m["sAMAccountName"] = MessageElement([], FLAG_MOD_DELETE,
-          "sAMAccountName")
-        try:
-            ldb.modify(m)
-            self.fail()
-        except LdbError, (num, _):
-            self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+        for attr in ["nTSecurityDescriptor", "objectSid", "sAMAccountType",
+                     "sAMAccountName", "primaryGroupID", "userAccountControl",
+                     "accountExpires", "badPasswordTime", "badPwdCount",
+                     "codePage", "countryCode", "lastLogoff", "lastLogon",
+                     "logonCount", "pwdLastSet"]:
+
+            m = Message()
+            m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+            m[attr] = MessageElement([], FLAG_MOD_REPLACE, attr)
+            try:
+                ldb.modify(m)
+                self.fail()
+            except LdbError, (num, _):
+                self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+
+            m = Message()
+            m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+            m[attr] = MessageElement([], FLAG_MOD_DELETE, attr)
+            try:
+                ldb.modify(m)
+                self.fail()
+            except LdbError, (num, _):
+                self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
 
         self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
         self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
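Review bot: The loop asserts ERR_UNWILLING_TO_PERFORM for a FLAG_MOD_DELETE of every listed attribute, but nothing in the hunk shows that values such as lastLogon, lastLogoff, badPasswordTime or logonCount have been set on ldaptestuser at this point, so the expectation only holds if the delete-protection check is evaluated before any check for an absent attribute, which is presumably how objectclass_attrs orders it but is not stated here. A comment above the loop making that explicit, e.g. `# Deletion must be refused before any check whether the attribute is present on the object`, keeps the expectation from being misread as a regression if the module order ever changes. This list also duplicates the hardcoded C array in objectclass_attrs.c; a one-line note that the two are maintained together would help the next person extending either. The enclosing test method starts before this hunk.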