From 932911e1e1c09caa51a5c7a574987cab6ecb16e4 Mon Sep 17 00:00:00 2001
From: Matthias Dieter Wallnöfer
Date: Mon, 17 Jan 2011 13:52:00 +0100
Subject: s4:ldap.py - check the write protection on LSA objects
Signed-off-by: Andrew Bartlett
Autobuild-User: Andrew Bartlett
Autobuild-Date: Tue Jan 25 13:09:41 CET 2011 on sn-devel-104
---
 source4/dsdb/tests/python/ldap.py | 35 ++++++++++++++++++++++++++++++-----
 1 file changed, 30 insertions(+), 5 deletions(-)
(limited to 'source4/dsdb')
diff --git a/source4/dsdb/tests/python/ldap.py b/source4/dsdb/tests/python/ldap.py
index 6972ce3c8f..902dfb77d8 100755
--- a/source4/dsdb/tests/python/ldap.py
+++ b/source4/dsdb/tests/python/ldap.py
@@ -39,7 +39,7 @@ from subunit.run import SubunitTestRunner
 import unittest
 from samba.ndr import ndr_pack, ndr_unpack
-from samba.dcerpc import security
+from samba.dcerpc import security, lsa
 from samba.tests import delete_force
 parser = optparse.OptionParser("ldap.py [options] ")
@@ -95,7 +95,7 @@ class BasicTests(unittest.TestCase):
 delete_force(self.ldb, "cn=ldaptestobject," + self.base_dn)
 delete_force(self.ldb, "description=xyz,cn=users," + self.base_dn)
 delete_force(self.ldb, "ou=testou,cn=users," + self.base_dn)
- delete_force(self.ldb, "cn=testsecret,cn=system," + self.base_dn)
+ delete_force(self.ldb, "cn=Test Secret,cn=system," + self.base_dn)
 def test_objectclasses(self):
 """Test objectClass behaviour"""
@@ -104,7 +104,7 @@ class BasicTests(unittest.TestCase):
 # We cannot create LSA-specific objects (oc "secret" or "trustedDomain")
 try:
 self.ldb.add({
- "dn": "cn=testsecret,cn=system," + self.base_dn,
+ "dn": "cn=Test Secret,cn=system," + self.base_dn,
 "objectClass": "secret" })
 self.fail()
 except LdbError, (num, _):
@@ -369,14 +369,39 @@ class BasicTests(unittest.TestCase):
 try:
 self.ldb.add({
- "dn": "cn=testsecret,cn=system," + self.base_dn,
+ "dn": "cn=Test Secret,cn=system," + self.base_dn,
 "objectclass": "secret"})
 self.fail()
 except LdbError, (num, _):
 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
 delete_force(self.ldb, "cn=ldaptestobject," + self.base_dn)
- delete_force(self.ldb, "cn=testsecret,cn=system," + self.base_dn)
+ delete_force(self.ldb, "cn=Test Secret,cn=system," + self.base_dn)
+
+ # Create secret over LSA and try to change it
+
+ lsa_conn = lsa.lsarpc("ncacn_np:%s" % args[0], lp, creds)
+ lsa_handle = lsa_conn.OpenPolicy2(system_name="\\",
+ attr=lsa.ObjectAttribute(),
+ access_mask=security.SEC_FLAG_MAXIMUM_ALLOWED)
+ secret_name = lsa.String()
+ secret_name.string = "G$Test"
+ sec_handle = lsa_conn.CreateSecret(handle=lsa_handle,
+ name=secret_name,
+ access_mask=security.SEC_FLAG_MAXIMUM_ALLOWED)
+ lsa_conn.Close(lsa_handle)
+
+ m = Message()
+ m.dn = Dn(ldb, "cn=Test Secret,cn=system," + self.base_dn)
+ m["description"] = MessageElement("desc", FLAG_MOD_REPLACE,
+ "description")
+ try:
+ ldb.modify(m)
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+
+ delete_force(self.ldb, "cn=Test Secret,cn=system," + self.base_dn)
 try:
 self.ldb.add({
-- cgit
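Review bot: The `sec_handle` returned by `CreateSecret` is never released, and the only cleanup of the LSA-created object is the LDAP `delete_force` at the end of the hunk; if the write protection this test asserts also refuses LDAP deletes of `secret` objects, and `delete_force` is the best-effort delete its name suggests, then "G$Test" survives the run and the next `CreateSecret` fails before the modify assertion is ever reached. Remove the object through the API that created it, `lsa_conn.DeleteObject(sec_handle)`, placed before the final `delete_force`, so the LDAP delete becomes a fallback rather than the only path. The modify step also mixes connections — `m.dn = Dn(ldb, ...)` and `ldb.modify(m)` sit next to `self.ldb.add(...)` — so it should use `self.ldb` throughout unless a different binding is deliberately being tested. The enclosing test method starts outside the hunk.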