From c03ec03212ff08b56710f1935caa6aa7f6cb529f Mon Sep 17 00:00:00 2001 From: Matthias Dieter Wallnöfer Date: Wed, 15 Sep 2010 14:57:59 +0200 Subject: s4:ldap.py - test default primary groups on modify operations Signed-off-by: Andrew Bartlett --- source4/dsdb/tests/python/ldap.py | 70 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) (limited to 'source4/dsdb') diff --git a/source4/dsdb/tests/python/ldap.py b/source4/dsdb/tests/python/ldap.py index 0d5bcb543f..d2aeeb1a12 100755 --- a/source4/dsdb/tests/python/ldap.py +++ b/source4/dsdb/tests/python/ldap.py @@ -1342,6 +1342,76 @@ objectClass: container self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + # Test default primary groups on modify operations + + ldb.add({ + "dn": "cn=ldaptestuser,cn=users," + self.base_dn, + "objectclass": ["user", "person"]}) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["userAccountControl"] = MessageElement(str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_REPLACE, + "userAccountControl") + ldb.modify(m) + + res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["primaryGroupID"]) + self.assertTrue(len(res1) == 1) + self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS)) + + # unfortunately the INTERDOMAIN_TRUST_ACCOUNT case cannot be tested + # since such accounts aren't directly creatable (ACCESS_DENIED) + + self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + + ldb.add({ + "dn": "cn=ldaptestuser,cn=users," + self.base_dn, + "objectclass": ["computer"]}) + + res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["primaryGroupID"]) + self.assertTrue(len(res1) == 1) + self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS)) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["userAccountControl"] = MessageElement(str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_REPLACE, + "userAccountControl") + ldb.modify(m) + + res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["primaryGroupID"]) + self.assertTrue(len(res1) == 1) + self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_DOMAIN_MEMBERS)) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["userAccountControl"] = MessageElement(str(UF_SERVER_TRUST_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_REPLACE, + "userAccountControl") + ldb.modify(m) + + res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["primaryGroupID"]) + self.assertTrue(len(res1) == 1) + self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_DCS)) + + # Read-only DC accounts are only creatable by + # UF_WORKSTATION_TRUST_ACCOUNT and work only on DCs >= 2008 (therefore + # we have a fallback in the assertion) + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["userAccountControl"] = MessageElement(str(UF_PARTIAL_SECRETS_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_REPLACE, + "userAccountControl") + ldb.modify(m) + + res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["primaryGroupID"]) + self.assertTrue(len(res1) == 1) + self.assertTrue(res1[0]["primaryGroupID"][0] == str(DOMAIN_RID_READONLY_DCS) or + res1[0]["primaryGroupID"][0] == str(DOMAIN_RID_DOMAIN_MEMBERS)) + + self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + # Recreate account for further tests ldb.add({ -- cgit