From d9f97cd57f9f797c25212f2fc2d9791733a24ca0 Mon Sep 17 00:00:00 2001
From: Matthias Dieter Wallnöfer
Date: Sat, 20 Nov 2010 21:15:57 +0100
Subject: s4:objectclass_attrs LDB module - add more delete protected attributes

And enhance the testsuite
---
 source4/dsdb/samdb/ldb_modules/objectclass_attrs.c | 5 +-
 source4/dsdb/tests/python/sam.py | 131 ++++++++-------------
 2 files changed, 50 insertions(+), 86 deletions(-)
(limited to 'source4/dsdb')
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
index 67d11b302d..ba1f7abad1 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
@@ -203,7 +203,10 @@ static int attr_handler2(struct oc_context *ac)
 /* There exists a hardcoded delete-protected attributes list in AD */
 const char *del_prot_attributes[] = { "nTSecurityDescriptor", "objectSid", "sAMAccountType", "sAMAccountName", "groupType",
- "primaryGroupID", "userAccountControl", NULL }, **l;
+ "primaryGroupID", "userAccountControl", "accountExpires",
+ "badPasswordTime", "badPwdCount", "codePage", "countryCode",
+ "lastLogoff", "lastLogon", "logonCount", "pwdLastSet", NULL },
+ **l;
 const struct dsdb_attribute *attr;
 unsigned int i;
 bool found;
diff --git a/source4/dsdb/tests/python/sam.py b/source4/dsdb/tests/python/sam.py
index f8871b7e52..e00e23e9fe 100755
--- a/source4/dsdb/tests/python/sam.py
+++ b/source4/dsdb/tests/python/sam.py
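Review bot: The extended delete-protected list is still a function-local, non-static array declared together with the `**l` cursor inside attr_handler2, so it is rebuilt on every call and the compiler cannot place it in read-only storage; a file-scope `static const char * const del_prot_attributes[] = { ... };` with `const char * const *l;` declared on its own line would make the table's intent explicit and separate data from the iterator. Because source4/dsdb/tests/python/sam.py now enumerates the same names by hand, a comment such as `/* keep in sync with the delete-protection loops in source4/dsdb/tests/python/sam.py */` above the table would reduce the chance the two lists drift as further attributes are added. The comment that survives in the hunk says only that AD hardcodes the list; naming where the set of names comes from would help whoever has to extend it next. The rest of attr_handler2, including the loop that walks `l`, lies outside the hunk, so I cannot see from here whether the check also covers replace-with-empty as the new tests assert.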
@@ -616,15 +616,28 @@ class SamTests(unittest.TestCase): except LdbError, (num, _): self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS) - m = Message() - m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - m["groupType"] = MessageElement([], FLAG_MOD_DELETE, - "groupType") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + # Delete protection tests + + for attr in ["nTSecurityDescriptor", "objectSid", "sAMAccountType", + "sAMAccountName", "groupType"]: + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + m[attr] = MessageElement([], FLAG_MOD_REPLACE, attr) + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + m[attr] = MessageElement([], FLAG_MOD_DELETE, attr) + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) m = Message() m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) @@ -636,16 +649,6 @@ class SamTests(unittest.TestCase): except LdbError, (num, _): self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS) - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["primaryGroupID"] = MessageElement([], FLAG_MOD_DELETE, - "primaryGroupID") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - m = Message() m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) m["userAccountControl"] = MessageElement(str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_ADD, 
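Review bot: Inside the new `for attr in [...]` loop a failure no longer identifies which attribute slipped through, because `self.fail()` and `self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)` carry no message, whereas the replaced per-attribute blocks at least pointed at a distinct line. Keeping the loop but writing `self.fail("empty replace/delete of %s was accepted" % attr)` and `self.assertEquals(num, ERR_UNWILLING_TO_PERFORM, attr)` restores that diagnostic at no cost. The same applies to the user-object loop in the @@ -734 hunk of this file. The enclosing test method begins before this hunk, so the setup that creates cn=ldaptestgroup is not visible here.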
@@ -656,16 +659,6 @@ class SamTests(unittest.TestCase): except LdbError, (num, _): self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS) - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["userAccountControl"] = MessageElement([], FLAG_MOD_DELETE, - "userAccountControl") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - m = Message() m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) m["objectSid"] = MessageElement("xxxxxxxxxxxxxxxx", FLAG_MOD_ADD, @@ -676,24 +669,6 @@ class SamTests(unittest.TestCase): except LdbError, (num, _): self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["objectSid"] = MessageElement([], FLAG_MOD_REPLACE, "objectSid") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["objectSid"] = MessageElement([], FLAG_MOD_DELETE, "objectSid") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - m = Message() m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) m["sAMAccountType"] = MessageElement("0", FLAG_MOD_ADD, 
@@ -704,26 +679,6 @@ class SamTests(unittest.TestCase): except LdbError, (num, _): self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["sAMAccountType"] = MessageElement([], FLAG_MOD_REPLACE, - "sAMAccountType") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["sAMAccountType"] = MessageElement([], FLAG_MOD_DELETE, - "sAMAccountType") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - m = Message() m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) m["sAMAccountName"] = MessageElement("test", FLAG_MOD_ADD, 
@@ -734,25 +689,31 @@ class SamTests(unittest.TestCase): except LdbError, (num, _): self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS) - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["sAMAccountName"] = MessageElement([], FLAG_MOD_REPLACE, - "sAMAccountName") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + # Delete protection tests - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["sAMAccountName"] = MessageElement([], FLAG_MOD_DELETE, - "sAMAccountName") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + for attr in ["nTSecurityDescriptor", "objectSid", "sAMAccountType", + "sAMAccountName", "primaryGroupID", "userAccountControl", + "accountExpires", "badPasswordTime", "badPwdCount", + "codePage", "countryCode", "lastLogoff", "lastLogon", + "logonCount", "pwdLastSet"]: + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m[attr] = MessageElement([], FLAG_MOD_REPLACE, attr) + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m[attr] = MessageElement([], FLAG_MOD_DELETE, attr) + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn) self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) -- cgit
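Review bot: Several names added to the user loop (lastLogoff, lastLogon, logonCount, badPasswordTime, badPwdCount, accountExpires) are plausibly absent on the freshly created cn=ldaptestuser, yet the loop asserts ERR_UNWILLING_TO_PERFORM for both the empty replace and the delete; that only holds if the module's protection check runs before any attribute-existence check, which would presumably otherwise surface as ERR_NO_SUCH_ATTRIBUTE. That ordering is what makes the protection independent of the object's current state, so it deserves a comment above the loop, e.g. `# Protection must be enforced before existence checks: these attributes may be unset on the test user`. If the ordering is not actually guaranteed, the test would pass or fail depending on which attributes the add path happened to populate, which is worth confirming against the module. The method continues past the hunk with the two delete_force calls, so the cleanup is visible but the setup is not.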