From 14f8953aa4f000173a051b8010252063db5295c1 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 30 Jun 2010 11:09:10 +0200 Subject: s4:dsdb: move dsdb python tests from lib/ldb/ to dsdb/ metze --- source4/dsdb/tests/python/acl.py | 1042 ++++++++ source4/dsdb/tests/python/deletetest.py | 201 ++ source4/dsdb/tests/python/dsdb_schema_info.py | 213 ++ source4/dsdb/tests/python/ldap.py | 2688 ++++++++++++++++++++ source4/dsdb/tests/python/ldap_schema.py | 556 ++++ source4/dsdb/tests/python/passwords.py | 615 +++++ source4/dsdb/tests/python/sec_descriptor.py | 1979 ++++++++++++++ source4/dsdb/tests/python/urgent_replication.py | 386 +++ source4/lib/ldb/tests/python/acl.py | 1042 -------- source4/lib/ldb/tests/python/deletetest.py | 201 -- source4/lib/ldb/tests/python/dsdb_schema_info.py | 213 -- source4/lib/ldb/tests/python/ldap.py | 2688 -------------------- source4/lib/ldb/tests/python/ldap_schema.py | 556 ---- source4/lib/ldb/tests/python/passwords.py | 615 ----- source4/lib/ldb/tests/python/sec_descriptor.py | 1979 -------------- source4/lib/ldb/tests/python/urgent_replication.py | 386 --- source4/selftest/tests.sh | 16 +- 17 files changed, 7688 insertions(+), 7688 deletions(-) create mode 100755 source4/dsdb/tests/python/acl.py create mode 100755 source4/dsdb/tests/python/deletetest.py create mode 100755 source4/dsdb/tests/python/dsdb_schema_info.py create mode 100755 source4/dsdb/tests/python/ldap.py create mode 100755 source4/dsdb/tests/python/ldap_schema.py create mode 100755 source4/dsdb/tests/python/passwords.py create mode 100755 source4/dsdb/tests/python/sec_descriptor.py create mode 100755 source4/dsdb/tests/python/urgent_replication.py delete mode 100755 source4/lib/ldb/tests/python/acl.py delete mode 100755 source4/lib/ldb/tests/python/deletetest.py delete mode 100755 source4/lib/ldb/tests/python/dsdb_schema_info.py delete mode 100755 source4/lib/ldb/tests/python/ldap.py delete mode 100755 source4/lib/ldb/tests/python/ldap_schema.py delete mode 100755 source4/lib/ldb/tests/python/passwords.py delete mode 100755 source4/lib/ldb/tests/python/sec_descriptor.py delete mode 100755 source4/lib/ldb/tests/python/urgent_replication.py (limited to 'source4') diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py new file mode 100755 index 0000000000..5bf3ff9b1b --- /dev/null +++ b/source4/dsdb/tests/python/acl.py @@ -0,0 +1,1042 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +# This is unit with tests for LDAP access checks + +import optparse +import sys +import base64 +import re + +sys.path.append("bin/python") +import samba +samba.ensure_external_module("subunit", "subunit/python") +samba.ensure_external_module("testtools", "testtools") + +import samba.getopt as options + +from ldb import ( + SCOPE_BASE, LdbError, ERR_NO_SUCH_OBJECT, ERR_INSUFFICIENT_ACCESS_RIGHTS) + +from samba.ndr import ndr_pack, ndr_unpack +from samba.dcerpc import security + +from samba.auth import system_session +from samba import gensec +from samba.samdb import SamDB +from samba.credentials import Credentials +import samba.tests +from subunit.run import SubunitTestRunner +import unittest + +parser = optparse.OptionParser("ldap [options] ") +sambaopts = options.SambaOptions(parser) +parser.add_option_group(sambaopts) +parser.add_option_group(options.VersionOptions(parser)) + +# use command line creds if available +credopts = options.CredentialsOptions(parser) +parser.add_option_group(credopts) +opts, args = parser.parse_args() + +if len(args) < 1: + parser.print_usage() + sys.exit(1) + +host = args[0] + +lp = sambaopts.get_loadparm() +creds = credopts.get_credentials(lp) +creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL) + +# +# Tests start here +# + +class AclTests(samba.tests.TestCase): + + def delete_force(self, ldb, dn): + try: + ldb.delete(dn) + except LdbError, (num, _): + self.assertEquals(num, ERR_NO_SUCH_OBJECT) + + def find_basedn(self, ldb): + res = ldb.search(base="", expression="", scope=SCOPE_BASE, + attrs=["defaultNamingContext"]) + self.assertEquals(len(res), 1) + return res[0]["defaultNamingContext"][0] + + def find_domain_sid(self, ldb): + res = ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_BASE) + return ndr_unpack(security.dom_sid,res[0]["objectSid"][0]) + + def setUp(self): + super(AclTests, self).setUp() + self.ldb_admin = ldb + self.base_dn = self.find_basedn(self.ldb_admin) + self.domain_sid = self.find_domain_sid(self.ldb_admin) + self.user_pass = "samba123@" + print "baseDN: %s" % self.base_dn + + def get_user_dn(self, name): + return "CN=%s,CN=Users,%s" % (name, self.base_dn) + + def modify_desc(self, object_dn, desc): + """ Modify security descriptor using either SDDL string + or security.descriptor object + """ + assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) + mod = """ +dn: """ + object_dn + """ +changetype: modify +replace: nTSecurityDescriptor +""" + if isinstance(desc, str): + mod += "nTSecurityDescriptor: %s" % desc + elif isinstance(desc, security.descriptor): + mod += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) + self.ldb_admin.modify_ldif(mod) + + def add_group_member(self, _ldb, group_dn, member_dn): + """ Modify user to ge member of a group + e.g. User to be 'Doamin Admin' group member + """ + ldif = """ +dn: """ + group_dn + """ +changetype: modify +add: member +member: """ + member_dn + _ldb.modify_ldif(ldif) + + def create_ou(self, _ldb, ou_dn, desc=None): + ldif = """ +dn: """ + ou_dn + """ +ou: """ + ou_dn.split(",")[0][3:] + """ +objectClass: organizationalUnit +url: www.example.com +""" + if desc: + assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) + if isinstance(desc, str): + ldif += "nTSecurityDescriptor: %s" % desc + elif isinstance(desc, security.descriptor): + ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) + _ldb.add_ldif(ldif) + + def create_active_user(self, _ldb, user_dn): + ldif = """ +dn: """ + user_dn + """ +sAMAccountName: """ + user_dn.split(",")[0][3:] + """ +objectClass: user +unicodePwd:: """ + base64.b64encode("\"samba123@\"".encode('utf-16-le')) + """ +url: www.example.com +""" + _ldb.add_ldif(ldif) + + def create_test_user(self, _ldb, user_dn, desc=None): + ldif = """ +dn: """ + user_dn + """ +sAMAccountName: """ + user_dn.split(",")[0][3:] + """ +objectClass: user +userPassword: """ + self.user_pass + """ +url: www.example.com +""" + if desc: + assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) + if isinstance(desc, str): + ldif += "nTSecurityDescriptor: %s" % desc + elif isinstance(desc, security.descriptor): + ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) + _ldb.add_ldif(ldif) + + def create_group(self, _ldb, group_dn, desc=None): + ldif = """ +dn: """ + group_dn + """ +objectClass: group +sAMAccountName: """ + group_dn.split(",")[0][3:] + """ +groupType: 2147483650 +url: www.example.com +""" + if desc: + assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) + if isinstance(desc, str): + ldif += "nTSecurityDescriptor: %s" % desc + elif isinstance(desc, security.descriptor): + ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) + _ldb.add_ldif(ldif) + + def read_desc(self, object_dn): + res = self.ldb_admin.search(object_dn, SCOPE_BASE, None, ["nTSecurityDescriptor"]) + desc = res[0]["nTSecurityDescriptor"][0] + return ndr_unpack(security.descriptor, desc) + + def get_ldb_connection(self, target_username, target_password): + creds_tmp = Credentials() + creds_tmp.set_username(target_username) + creds_tmp.set_password(target_password) + creds_tmp.set_domain(creds.get_domain()) + creds_tmp.set_realm(creds.get_realm()) + creds_tmp.set_workstation(creds.get_workstation()) + creds_tmp.set_gensec_features(creds_tmp.get_gensec_features() + | gensec.FEATURE_SEAL) + ldb_target = SamDB(url=host, credentials=creds_tmp, lp=lp) + return ldb_target + + def get_object_sid(self, object_dn): + res = self.ldb_admin.search(object_dn) + return ndr_unpack(security.dom_sid, res[0]["objectSid"][0]) + + def dacl_add_ace(self, object_dn, ace): + desc = self.read_desc(object_dn) + desc_sddl = desc.as_sddl(self.domain_sid) + if ace in desc_sddl: + return + if desc_sddl.find("(") >= 0: + desc_sddl = desc_sddl[:desc_sddl.index("(")] + ace + desc_sddl[desc_sddl.index("("):] + else: + desc_sddl = desc_sddl + ace + self.modify_desc(object_dn, desc_sddl) + + def get_desc_sddl(self, object_dn): + """ Return object nTSecutiryDescriptor in SDDL format + """ + desc = self.read_desc(object_dn) + return desc.as_sddl(self.domain_sid) + + # Test if we have any additional groups for users than default ones + def assert_user_no_group_member(self, username): + res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s)" % self.get_user_dn(username)) + try: + self.assertEqual(res[0]["memberOf"][0], "") + except KeyError: + pass + else: + self.fail() + + def create_enable_user(self, username): + self.create_active_user(self.ldb_admin, self.get_user_dn(username)) + self.ldb_admin.enable_account("(sAMAccountName=" + username + ")") + +#tests on ldap add operations +class AclAddTests(AclTests): + + def setUp(self): + super(AclAddTests, self).setUp() + # Domain admin that will be creator of OU parent-child structure + self.usr_admin_owner = "acl_add_user1" + # Second domain admin that will not be creator of OU parent-child structure + self.usr_admin_not_owner = "acl_add_user2" + # Regular user + self.regular_user = "acl_add_user3" + self.create_enable_user(self.usr_admin_owner) + self.create_enable_user(self.usr_admin_not_owner) + self.create_enable_user(self.regular_user) + + # add admins to the Domain Admins group + self.add_group_member(self.ldb_admin, "CN=Domain Admins,CN=Users," + self.base_dn, \ + self.get_user_dn(self.usr_admin_owner)) + self.add_group_member(self.ldb_admin, "CN=Domain Admins,CN=Users," + self.base_dn, \ + self.get_user_dn(self.usr_admin_not_owner)) + + self.ldb_owner = self.get_ldb_connection(self.usr_admin_owner, self.user_pass) + self.ldb_notowner = self.get_ldb_connection(self.usr_admin_not_owner, self.user_pass) + self.ldb_user = self.get_ldb_connection(self.regular_user, self.user_pass) + + def tearDown(self): + super(AclAddTests, self).tearDown() + self.delete_force(self.ldb_admin, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) + self.delete_force(self.ldb_admin, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) + self.delete_force(self.ldb_admin, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) + self.delete_force(self.ldb_admin, "OU=test_add_ou1," + self.base_dn) + self.delete_force(self.ldb_admin, self.get_user_dn(self.usr_admin_owner)) + self.delete_force(self.ldb_admin, self.get_user_dn(self.usr_admin_not_owner)) + self.delete_force(self.ldb_admin, self.get_user_dn(self.regular_user)) + + # Make sure top OU is deleted (and so everything under it) + def assert_top_ou_deleted(self): + res = self.ldb_admin.search(self.base_dn, + expression="(distinguishedName=%s,%s)" % ( + "OU=test_add_ou1", self.base_dn)) + self.assertEqual(res, []) + + def test_add_u1(self): + """Testing OU with the rights of Doman Admin not creator of the OU """ + self.assert_top_ou_deleted() + # Change descriptor for top level OU + self.create_ou(self.ldb_owner, "OU=test_add_ou1," + self.base_dn) + self.create_ou(self.ldb_owner, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) + user_sid = self.get_object_sid(self.get_user_dn(self.usr_admin_not_owner)) + mod = "(D;CI;WPCC;;;%s)" % str(user_sid) + self.dacl_add_ace("OU=test_add_ou1," + self.base_dn, mod) + # Test user and group creation with another domain admin's credentials + self.create_test_user(self.ldb_notowner, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) + self.create_group(self.ldb_notowner, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) + # Make sure we HAVE created the two objects -- user and group + # !!! We should not be able to do that, but however beacuse of ACE ordering our inherited Deny ACE + # !!! comes after explicit (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) that comes from somewhere + res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s,%s)" % ("CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn)) + self.assertTrue(len(res) > 0) + res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s,%s)" % ("CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn)) + self.assertTrue(len(res) > 0) + + def test_add_u2(self): + """Testing OU with the regular user that has no rights granted over the OU """ + self.assert_top_ou_deleted() + # Create a parent-child OU structure with domain admin credentials + self.create_ou(self.ldb_owner, "OU=test_add_ou1," + self.base_dn) + self.create_ou(self.ldb_owner, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) + # Test user and group creation with regular user credentials + try: + self.create_test_user(self.ldb_user, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) + self.create_group(self.ldb_user, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) + except LdbError, (num, _): + self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) + else: + self.fail() + # Make sure we HAVEN'T created any of two objects -- user or group + res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s,%s)" % ("CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn)) + self.assertEqual(res, []) + res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s,%s)" % ("CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn)) + self.assertEqual(res, []) + + def test_add_u3(self): + """Testing OU with the rights of regular user granted the right 'Create User child objects' """ + self.assert_top_ou_deleted() + # Change descriptor for top level OU + self.create_ou(self.ldb_owner, "OU=test_add_ou1," + self.base_dn) + user_sid = self.get_object_sid(self.get_user_dn(self.regular_user)) + mod = "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid) + self.dacl_add_ace("OU=test_add_ou1," + self.base_dn, mod) + self.create_ou(self.ldb_owner, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) + # Test user and group creation with granted user only to one of the objects + self.create_test_user(self.ldb_user, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) + try: + self.create_group(self.ldb_user, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) + except LdbError, (num, _): + self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) + else: + self.fail() + # Make sure we HAVE created the one of two objects -- user + res = self.ldb_admin.search(self.base_dn, + expression="(distinguishedName=%s,%s)" % + ("CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1", + self.base_dn)) + self.assertNotEqual(len(res), 0) + res = self.ldb_admin.search(self.base_dn, + expression="(distinguishedName=%s,%s)" % + ("CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1", + self.base_dn) ) + self.assertEqual(res, []) + + def test_add_u4(self): + """ 4 Testing OU with the rights of Doman Admin creator of the OU""" + self.assert_top_ou_deleted() + self.create_ou(self.ldb_owner, "OU=test_add_ou1," + self.base_dn) + self.create_ou(self.ldb_owner, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) + self.create_test_user(self.ldb_owner, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) + self.create_group(self.ldb_owner, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) + # Make sure we have successfully created the two objects -- user and group + res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s,%s)" % ("CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn)) + self.assertTrue(len(res) > 0) + res = self.ldb_admin.search(self.base_dn, + expression="(distinguishedName=%s,%s)" % ("CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn)) + self.assertTrue(len(res) > 0) + +#tests on ldap modify operations +class AclModifyTests(AclTests): + + def setUp(self): + super(AclModifyTests, self).setUp() + self.user_with_wp = "acl_mod_user1" + self.user_with_sm = "acl_mod_user2" + self.user_with_group_sm = "acl_mod_user3" + self.create_enable_user(self.user_with_wp) + self.create_enable_user(self.user_with_sm) + self.create_enable_user(self.user_with_group_sm) + self.ldb_user = self.get_ldb_connection(self.user_with_wp, self.user_pass) + self.ldb_user2 = self.get_ldb_connection(self.user_with_sm, self.user_pass) + self.ldb_user3 = self.get_ldb_connection(self.user_with_group_sm, self.user_pass) + self.user_sid = self.get_object_sid( self.get_user_dn(self.user_with_wp)) + self.create_group(self.ldb_admin, "CN=test_modify_group2,CN=Users," + self.base_dn) + self.create_group(self.ldb_admin, "CN=test_modify_group3,CN=Users," + self.base_dn) + self.create_test_user(self.ldb_admin, self.get_user_dn("test_modify_user2")) + + def tearDown(self): + super(AclModifyTests, self).tearDown() + self.delete_force(self.ldb_admin, self.get_user_dn("test_modify_user1")) + self.delete_force(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn) + self.delete_force(self.ldb_admin, "CN=test_modify_group2,CN=Users," + self.base_dn) + self.delete_force(self.ldb_admin, "CN=test_modify_group3,CN=Users," + self.base_dn) + self.delete_force(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn) + self.delete_force(self.ldb_admin, self.get_user_dn(self.user_with_wp)) + self.delete_force(self.ldb_admin, self.get_user_dn(self.user_with_sm)) + self.delete_force(self.ldb_admin, self.get_user_dn(self.user_with_group_sm)) + self.delete_force(self.ldb_admin, self.get_user_dn("test_modify_user2")) + + def test_modify_u1(self): + """5 Modify one attribute if you have DS_WRITE_PROPERTY for it""" + mod = "(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(self.user_sid) + # First test object -- User + print "Testing modify on User object" + self.create_test_user(self.ldb_admin, self.get_user_dn("test_modify_user1")) + self.dacl_add_ace(self.get_user_dn("test_modify_user1"), mod) + ldif = """ +dn: """ + self.get_user_dn("test_modify_user1") + """ +changetype: modify +replace: displayName +displayName: test_changed""" + self.ldb_user.modify_ldif(ldif) + res = self.ldb_admin.search(self.base_dn, + expression="(distinguishedName=%s)" % self.get_user_dn("test_modify_user1")) + self.assertEqual(res[0]["displayName"][0], "test_changed") + # Second test object -- Group + print "Testing modify on Group object" + self.create_group(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn) + self.dacl_add_ace("CN=test_modify_group1,CN=Users," + self.base_dn, mod) + ldif = """ +dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """ +changetype: modify +replace: displayName +displayName: test_changed""" + self.ldb_user.modify_ldif(ldif) + res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s)" % str("CN=test_modify_group1,CN=Users," + self.base_dn)) + self.assertEqual(res[0]["displayName"][0], "test_changed") + # Third test object -- Organizational Unit + print "Testing modify on OU object" + #self.delete_force(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn) + self.create_ou(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn) + self.dacl_add_ace("OU=test_modify_ou1," + self.base_dn, mod) + ldif = """ +dn: OU=test_modify_ou1,""" + self.base_dn + """ +changetype: modify +replace: displayName +displayName: test_changed""" + self.ldb_user.modify_ldif(ldif) + res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s)" % str("OU=test_modify_ou1," + self.base_dn)) + self.assertEqual(res[0]["displayName"][0], "test_changed") + + def _test_modify_u2(self): + """6 Modify two attributes as you have DS_WRITE_PROPERTY granted only for one of them""" + mod = "(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(self.user_sid) + # First test object -- User + print "Testing modify on User object" + #self.delete_force(self.ldb_admin, self.get_user_dn("test_modify_user1")) + self.create_test_user(self.ldb_admin, self.get_user_dn("test_modify_user1")) + self.dacl_add_ace(self.get_user_dn("test_modify_user1"), mod) + # Modify on attribute you have rights for + ldif = """ +dn: """ + self.get_user_dn("test_modify_user1") + """ +changetype: modify +replace: displayName +displayName: test_changed""" + self.ldb_user.modify_ldif(ldif) + res = self.ldb_admin.search(self.base_dn, + expression="(distinguishedName=%s)" % + self.get_user_dn("test_modify_user1")) + self.assertEqual(res[0]["displayName"][0], "test_changed") + # Modify on attribute you do not have rights for granted + ldif = """ +dn: """ + self.get_user_dn("test_modify_user1") + """ +changetype: modify +replace: url +url: www.samba.org""" + try: + self.ldb_user.modify_ldif(ldif) + except LdbError, (num, _): + self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) + else: + # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS + self.fail() + # Second test object -- Group + print "Testing modify on Group object" + self.create_group(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn) + self.dacl_add_ace("CN=test_modify_group1,CN=Users," + self.base_dn, mod) + ldif = """ +dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """ +changetype: modify +replace: displayName +displayName: test_changed""" + self.ldb_user.modify_ldif(ldif) + res = self.ldb_admin.search(self.base_dn, + expression="(distinguishedName=%s)" % + str("CN=test_modify_group1,CN=Users," + self.base_dn)) + self.assertEqual(res[0]["displayName"][0], "test_changed") + # Modify on attribute you do not have rights for granted + ldif = """ +dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """ +changetype: modify +replace: url +url: www.samba.org""" + try: + self.ldb_user.modify_ldif(ldif) + except LdbError, (num, _): + self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) + else: + # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS + self.fail() + # Second test object -- Organizational Unit + print "Testing modify on OU object" + self.create_ou(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn) + self.dacl_add_ace("OU=test_modify_ou1," + self.base_dn, mod) + ldif = """ +dn: OU=test_modify_ou1,""" + self.base_dn + """ +changetype: modify +replace: displayName +displayName: test_changed""" + self.ldb_user.modify_ldif(ldif) + res = self.ldb_admin.search(self.base_dn, + expression="(distinguishedName=%s)" % str("OU=test_modify_ou1," + + self.base_dn)) + self.assertEqual(res[0]["displayName"][0], "test_changed") + # Modify on attribute you do not have rights for granted + ldif = """ +dn: OU=test_modify_ou1,""" + self.base_dn + """ +changetype: modify +replace: url +url: www.samba.org""" + try: + self.ldb_user.modify_ldif(ldif) + except LdbError, (num, _): + self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) + else: + # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS + self.fail() + + def test_modify_u3(self): + """7 Modify one attribute as you have no what so ever rights granted""" + # First test object -- User + print "Testing modify on User object" + self.create_test_user(self.ldb_admin, self.get_user_dn("test_modify_user1")) + # Modify on attribute you do not have rights for granted + ldif = """ +dn: """ + self.get_user_dn("test_modify_user1") + """ +changetype: modify +replace: url +url: www.samba.org""" + try: + self.ldb_user.modify_ldif(ldif) + except LdbError, (num, _): + self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) + else: + # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS + self.fail() + + # Second test object -- Group + print "Testing modify on Group object" + self.create_group(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn) + # Modify on attribute you do not have rights for granted + ldif = """ +dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """ +changetype: modify +replace: url +url: www.samba.org""" + try: + self.ldb_user.modify_ldif(ldif) + except LdbError, (num, _): + self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) + else: + # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS + self.fail() + + # Second test object -- Organizational Unit + print "Testing modify on OU object" + #self.delete_force(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn) + self.create_ou(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn) + # Modify on attribute you do not have rights for granted + ldif = """ +dn: OU=test_modify_ou1,""" + self.base_dn + """ +changetype: modify +replace: url +url: www.samba.org""" + try: + self.ldb_user.modify_ldif(ldif) + except LdbError, (num, _): + self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) + else: + # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS + self.fail() + + + def test_modify_u4(self): + """11 Grant WP to PRINCIPAL_SELF and test modify""" + ldif = """ +dn: """ + self.get_user_dn(self.user_with_wp) + """ +changetype: modify +add: adminDescription +adminDescription: blah blah blah""" + try: + self.ldb_user.modify_ldif(ldif) + except LdbError, (num, _): + self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) + else: + # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS + self.fail() + + mod = "(OA;;WP;bf967919-0de6-11d0-a285-00aa003049e2;;PS)" + self.dacl_add_ace(self.get_user_dn(self.user_with_wp), mod) + # Modify on attribute you have rights for + self.ldb_user.modify_ldif(ldif) + res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s)" \ + % self.get_user_dn(self.user_with_wp), attrs=["adminDescription"] ) + self.assertEqual(res[0]["adminDescription"][0], "blah blah blah") + + def test_modify_u5(self): + """12 test self membership""" + ldif = """ +dn: CN=test_modify_group2,CN=Users,""" + self.base_dn + """ +changetype: modify +add: Member +Member: """ + self.get_user_dn(self.user_with_sm) +#the user has no rights granted, this should fail + try: + self.ldb_user2.modify_ldif(ldif) + except LdbError, (num, _): + self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) + else: + # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS + self.fail() + +#grant self-membership, should be able to add himself + user_sid = self.get_object_sid(self.get_user_dn(self.user_with_sm)) + mod = "(OA;;SW;bf9679c0-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid) + self.dacl_add_ace("CN=test_modify_group2,CN=Users," + self.base_dn, mod) + self.ldb_user2.modify_ldif(ldif) + res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \ + % ("CN=test_modify_group2,CN=Users," + self.base_dn), attrs=["Member"]) + self.assertEqual(res[0]["Member"][0], self.get_user_dn(self.user_with_sm)) +#but not other users + ldif = """ +dn: CN=test_modify_group2,CN=Users,""" + self.base_dn + """ +changetype: modify +add: Member +Member: CN=test_modify_user2,CN=Users,""" + self.base_dn + try: + self.ldb_user2.modify_ldif(ldif) + except LdbError, (num, _): + self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) + else: + self.fail() + + def test_modify_u6(self): + """13 test self membership""" + ldif = """ +dn: CN=test_modify_group2,CN=Users,""" + self.base_dn + """ +changetype: modify +add: Member +Member: """ + self.get_user_dn(self.user_with_sm) + """ +Member: CN=test_modify_user2,CN=Users,""" + self.base_dn + +#grant self-membership, should be able to add himself but not others at the same time + user_sid = self.get_object_sid(self.get_user_dn(self.user_with_sm)) + mod = "(OA;;SW;bf9679c0-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid) + self.dacl_add_ace("CN=test_modify_group2,CN=Users," + self.base_dn, mod) + try: + self.ldb_user2.modify_ldif(ldif) + except LdbError, (num, _): + self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) + else: + self.fail() + + def test_modify_u7(self): + """13 User with WP modifying Member""" +#a second user is given write property permission + user_sid = self.get_object_sid(self.get_user_dn(self.user_with_wp)) + mod = "(OA;;WP;;;%s)" % str(user_sid) + self.dacl_add_ace("CN=test_modify_group2,CN=Users," + self.base_dn, mod) + ldif = """ +dn: CN=test_modify_group2,CN=Users,""" + self.base_dn + """ +changetype: modify +add: Member +Member: """ + self.get_user_dn(self.user_with_wp) + self.ldb_user.modify_ldif(ldif) + res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \ + % ("CN=test_modify_group2,CN=Users," + self.base_dn), attrs=["Member"]) + self.assertEqual(res[0]["Member"][0], self.get_user_dn(self.user_with_wp)) + ldif = """ +dn: CN=test_modify_group2,CN=Users,""" + self.base_dn + """ +changetype: modify +delete: Member""" + self.ldb_user.modify_ldif(ldif) + ldif = """ +dn: CN=test_modify_group2,CN=Users,""" + self.base_dn + """ +changetype: modify +add: Member +Member: CN=test_modify_user2,CN=Users,""" + self.base_dn + self.ldb_user.modify_ldif(ldif) + res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \ + % ("CN=test_modify_group2,CN=Users," + self.base_dn), attrs=["Member"]) + self.assertEqual(res[0]["Member"][0], "CN=test_modify_user2,CN=Users," + self.base_dn) + +#enable these when we have search implemented +class AclSearchTests(AclTests): + + def setUp(self): + super(AclTests, self).setUp() + self.regular_user = "acl_search_user1" + self.create_enable_user(self.regular_user) + self.ldb_user = self.get_ldb_connection(self.regular_user, self.user_pass) + + def tearDown(self): + super(AclSearchTests, self).tearDown() + self.delete_force(self.ldb_admin, "CN=test_search_user1,OU=test_search_ou1," + self.base_dn) + self.delete_force(self.ldb_admin, "OU=test_search_ou1," + self.base_dn) + self.delete_force(self.ldb_admin, self.get_user_dn(self.regular_user)) + + def test_search_u1(self): + """See if can prohibit user to read another User object""" + ou_dn = "OU=test_search_ou1," + self.base_dn + user_dn = "CN=test_search_user1," + ou_dn + # Create clean OU + self.delete_force(self.ldb_admin, ou_dn) + self.create_ou(self.ldb_admin, ou_dn) + desc = self.read_desc(ou_dn) + desc_sddl = desc.as_sddl(self.domain_sid) + # Parse descriptor's SDDL and remove all inherited ACEs reffering + # to 'Registered Users' or 'Authenticated Users' + desc_aces = re.findall("\(.*?\)", desc_sddl) + for ace in desc_aces: + if ("I" in ace) and (("RU" in ace) or ("AU" in ace)): + desc_sddl = desc_sddl.replace(ace, "") + # Add 'P' in the DACL so it breaks further inheritance + desc_sddl = desc_sddl.replace("D:AI(", "D:PAI(") + # Create a security descriptor object and OU with that descriptor + desc = security.descriptor.from_sddl(desc_sddl, self.domain_sid) + self.delete_force(self.ldb_admin, ou_dn) + self.create_ou(self.ldb_admin, ou_dn, desc) + # Create clean user + self.delete_force(self.ldb_admin, user_dn) + self.create_test_user(self.ldb_admin, user_dn) + desc = self.read_desc(user_dn) + desc_sddl = desc.as_sddl(self.domain_sid) + # Parse security descriptor SDDL and remove all 'Read' ACEs + # reffering to AU + desc_aces = re.findall("\(.*?\)", desc_sddl) + for ace in desc_aces: + if ("AU" in ace) and ("R" in ace): + desc_sddl = desc_sddl.replace(ace, "") + # Create user with the edited descriptor + desc = security.descriptor.from_sddl(desc_sddl, self.domain_sid) + self.delete_force(self.ldb_admin, user_dn) + self.create_test_user(self.ldb_admin, user_dn, desc) + + res = self.ldb_user.search(self.base_dn, + expression="(distinguishedName=%s)" % user_dn) + self.assertEqual(res, []) + + def test_search_u2(self): + """User's group ACEs cleared and after that granted RIGHT_DS_READ_PROPERTY to another User object""" + ou_dn = "OU=test_search_ou1," + self.base_dn + user_dn = "CN=test_search_user1," + ou_dn + # Create clean OU + self.delete_force(self.ldb_admin, ou_dn) + self.create_ou(self.ldb_admin, ou_dn) + desc = self.read_desc(ou_dn) + desc_sddl = desc.as_sddl(self.domain_sid) + # Parse descriptor's SDDL and remove all inherited ACEs reffering + # to 'Registered Users' or 'Authenticated Users' + desc_aces = re.findall("\(.*?\)", desc_sddl) + for ace in desc_aces: + if ("I" in ace) and (("RU" in ace) or ("AU" in ace)): + desc_sddl = desc_sddl.replace(ace, "") + # Add 'P' in the DACL so it breaks further inheritance + desc_sddl = desc_sddl.replace("D:AI(", "D:PAI(") + # Create a security descriptor object and OU with that descriptor + desc = security.descriptor.from_sddl(desc_sddl, self.domain_sid) + self.delete_force(self.ldb_admin, ou_dn) + self.create_ou(self.ldb_admin, ou_dn, desc) + # Create clean user + self.delete_force(self.ldb_admin, user_dn) + self.create_test_user(self.ldb_admin, user_dn) + # Parse security descriptor SDDL and remove all 'Read' ACEs + # reffering to AU + desc_aces = re.findall("\(.*?\)", desc_sddl) + for ace in desc_aces: + if ("AU" in ace) and ("R" in ace): + desc_sddl = desc_sddl.replace(ace, "") + #mod = "(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)" + mod = "(A;;RP;;;AU)" + self.dacl_add_ace(user_dn, mod) + res = self.ldb_user.search(self.base_dn, + expression="(distinguishedName=%s)" % user_dn) + self.assertNotEqual(res, []) + +#tests on ldap delete operations +class AclDeleteTests(AclTests): + + def setUp(self): + super(AclDeleteTests, self).setUp() + self.regular_user = "acl_delete_user1" + # Create regular user + self.create_enable_user(self.regular_user) + self.ldb_user = self.get_ldb_connection(self.regular_user, self.user_pass) + + def tearDown(self): + super(AclDeleteTests, self).tearDown() + self.delete_force(self.ldb_admin, self.get_user_dn("test_delete_user1")) + self.delete_force(self.ldb_admin, self.get_user_dn(self.regular_user)) + + def test_delete_u1(self): + """User is prohibited by default to delete another User object""" + # Create user that we try to delete + self.create_test_user(self.ldb_admin, self.get_user_dn("test_delete_user1")) + # Here delete User object should ALWAYS through exception + try: + self.ldb_user.delete(self.get_user_dn("test_delete_user1")) + except LdbError, (num, _): + self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) + else: + self.fail() + + def test_delete_u2(self): + """User's group has RIGHT_DELETE to another User object""" + user_dn = self.get_user_dn("test_delete_user1") + # Create user that we try to delete + self.create_test_user(self.ldb_admin, user_dn) + mod = "(A;;SD;;;AU)" + self.dacl_add_ace(user_dn, mod) + # Try to delete User object + self.ldb_user.delete(user_dn) + res = self.ldb_admin.search(self.base_dn, + expression="(distinguishedName=%s)" % user_dn) + self.assertEqual(res, []) + + def test_delete_u3(self): + """User indentified by SID has RIGHT_DELETE to another User object""" + user_dn = self.get_user_dn("test_delete_user1") + # Create user that we try to delete + self.create_test_user(self.ldb_admin, user_dn) + mod = "(A;;SD;;;%s)" % self.get_object_sid(self.get_user_dn(self.regular_user)) + self.dacl_add_ace(user_dn, mod) + # Try to delete User object + self.ldb_user.delete(user_dn) + res = self.ldb_admin.search(self.base_dn, + expression="(distinguishedName=%s)" % user_dn) + self.assertEqual(res, []) + +#tests on ldap rename operations +class AclRenameTests(AclTests): + + def setUp(self): + super(AclRenameTests, self).setUp() + self.regular_user = "acl_rename_user1" + + # Create regular user + self.create_enable_user(self.regular_user) + self.ldb_user = self.get_ldb_connection(self.regular_user, self.user_pass) + + def tearDown(self): + super(AclRenameTests, self).tearDown() + # Rename OU3 + self.delete_force(self.ldb_admin, "CN=test_rename_user1,OU=test_rename_ou3,OU=test_rename_ou2," + self.base_dn) + self.delete_force(self.ldb_admin, "CN=test_rename_user2,OU=test_rename_ou3,OU=test_rename_ou2," + self.base_dn) + self.delete_force(self.ldb_admin, "CN=test_rename_user5,OU=test_rename_ou3,OU=test_rename_ou2," + self.base_dn) + self.delete_force(self.ldb_admin, "OU=test_rename_ou3,OU=test_rename_ou2," + self.base_dn) + # Rename OU2 + self.delete_force(self.ldb_admin, "CN=test_rename_user1,OU=test_rename_ou2," + self.base_dn) + self.delete_force(self.ldb_admin, "CN=test_rename_user2,OU=test_rename_ou2," + self.base_dn) + self.delete_force(self.ldb_admin, "CN=test_rename_user5,OU=test_rename_ou2," + self.base_dn) + self.delete_force(self.ldb_admin, "OU=test_rename_ou2," + self.base_dn) + # Rename OU1 + self.delete_force(self.ldb_admin, "CN=test_rename_user1,OU=test_rename_ou1," + self.base_dn) + self.delete_force(self.ldb_admin, "CN=test_rename_user2,OU=test_rename_ou1," + self.base_dn) + self.delete_force(self.ldb_admin, "CN=test_rename_user5,OU=test_rename_ou1," + self.base_dn) + self.delete_force(self.ldb_admin, "OU=test_rename_ou3,OU=test_rename_ou1," + self.base_dn) + self.delete_force(self.ldb_admin, "OU=test_rename_ou1," + self.base_dn) + self.delete_force(self.ldb_admin, self.get_user_dn(self.regular_user)) + + def test_rename_u1(self): + """Regular user fails to rename 'User object' within single OU""" + # Create OU structure + self.create_ou(self.ldb_admin, "OU=test_rename_ou1," + self.base_dn) + self.create_test_user(self.ldb_admin, "CN=test_rename_user1,OU=test_rename_ou1," + self.base_dn) + try: + self.ldb_user.rename("CN=test_rename_user1,OU=test_rename_ou1," + self.base_dn, \ + "CN=test_rename_user5,OU=test_rename_ou1," + self.base_dn) + except LdbError, (num, _): + self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) + else: + self.fail() + + def test_rename_u2(self): + """Grant WRITE_PROPERTY to AU so regular user can rename 'User object' within single OU""" + ou_dn = "OU=test_rename_ou1," + self.base_dn + user_dn = "CN=test_rename_user1," + ou_dn + rename_user_dn = "CN=test_rename_user5," + ou_dn + # Create OU structure + self.create_ou(self.ldb_admin, ou_dn) + self.create_test_user(self.ldb_admin, user_dn) + mod = "(A;;WP;;;AU)" + self.dacl_add_ace(user_dn, mod) + # Rename 'User object' having WP to AU + self.ldb_user.rename(user_dn, rename_user_dn) + res = self.ldb_admin.search(self.base_dn, + expression="(distinguishedName=%s)" % user_dn) + self.assertEqual(res, []) + res = self.ldb_admin.search(self.base_dn, + expression="(distinguishedName=%s)" % rename_user_dn) + self.assertNotEqual(res, []) + + def test_rename_u3(self): + """Test rename with rights granted to 'User object' SID""" + ou_dn = "OU=test_rename_ou1," + self.base_dn + user_dn = "CN=test_rename_user1," + ou_dn + rename_user_dn = "CN=test_rename_user5," + ou_dn + # Create OU structure + self.create_ou(self.ldb_admin, ou_dn) + self.create_test_user(self.ldb_admin, user_dn) + sid = self.get_object_sid(self.get_user_dn(self.regular_user)) + mod = "(A;;WP;;;%s)" % str(sid) + self.dacl_add_ace(user_dn, mod) + # Rename 'User object' having WP to AU + self.ldb_user.rename(user_dn, rename_user_dn) + res = self.ldb_admin.search(self.base_dn, + expression="(distinguishedName=%s)" % user_dn) + self.assertEqual(res, []) + res = self.ldb_admin.search(self.base_dn, + expression="(distinguishedName=%s)" % rename_user_dn) + self.assertNotEqual(res, []) + + def test_rename_u4(self): + """Rename 'User object' cross OU with WP, SD and CC right granted on reg. user to AU""" + ou1_dn = "OU=test_rename_ou1," + self.base_dn + ou2_dn = "OU=test_rename_ou2," + self.base_dn + user_dn = "CN=test_rename_user2," + ou1_dn + rename_user_dn = "CN=test_rename_user5," + ou2_dn + # Create OU structure + self.create_ou(self.ldb_admin, ou1_dn) + self.create_ou(self.ldb_admin, ou2_dn) + self.create_test_user(self.ldb_admin, user_dn) + mod = "(A;;WPSD;;;AU)" + self.dacl_add_ace(user_dn, mod) + mod = "(A;;CC;;;AU)" + self.dacl_add_ace(ou2_dn, mod) + # Rename 'User object' having SD and CC to AU + self.ldb_user.rename(user_dn, rename_user_dn) + res = self.ldb_admin.search(self.base_dn, + expression="(distinguishedName=%s)" % user_dn) + self.assertEqual(res, []) + res = self.ldb_admin.search(self.base_dn, + expression="(distinguishedName=%s)" % rename_user_dn) + self.assertNotEqual(res, []) + + def test_rename_u5(self): + """Test rename with rights granted to 'User object' SID""" + ou1_dn = "OU=test_rename_ou1," + self.base_dn + ou2_dn = "OU=test_rename_ou2," + self.base_dn + user_dn = "CN=test_rename_user2," + ou1_dn + rename_user_dn = "CN=test_rename_user5," + ou2_dn + # Create OU structure + self.create_ou(self.ldb_admin, ou1_dn) + self.create_ou(self.ldb_admin, ou2_dn) + self.create_test_user(self.ldb_admin, user_dn) + sid = self.get_object_sid(self.get_user_dn(self.regular_user)) + mod = "(A;;WPSD;;;%s)" % str(sid) + self.dacl_add_ace(user_dn, mod) + mod = "(A;;CC;;;%s)" % str(sid) + self.dacl_add_ace(ou2_dn, mod) + # Rename 'User object' having SD and CC to AU + self.ldb_user.rename(user_dn, rename_user_dn) + res = self.ldb_admin.search(self.base_dn, + expression="(distinguishedName=%s)" % user_dn) + self.assertEqual(res, []) + res = self.ldb_admin.search(self.base_dn, + expression="(distinguishedName=%s)" % rename_user_dn) + self.assertNotEqual(res, []) + + def test_rename_u6(self): + """Rename 'User object' cross OU with WP, DC and CC right granted on OU & user to AU""" + ou1_dn = "OU=test_rename_ou1," + self.base_dn + ou2_dn = "OU=test_rename_ou2," + self.base_dn + user_dn = "CN=test_rename_user2," + ou1_dn + rename_user_dn = "CN=test_rename_user2," + ou2_dn + # Create OU structure + self.create_ou(self.ldb_admin, ou1_dn) + self.create_ou(self.ldb_admin, ou2_dn) + #mod = "(A;CI;DCWP;;;AU)" + mod = "(A;;DC;;;AU)" + self.dacl_add_ace(ou1_dn, mod) + mod = "(A;;CC;;;AU)" + self.dacl_add_ace(ou2_dn, mod) + self.create_test_user(self.ldb_admin, user_dn) + mod = "(A;;WP;;;AU)" + self.dacl_add_ace(user_dn, mod) + # Rename 'User object' having SD and CC to AU + self.ldb_user.rename(user_dn, rename_user_dn) + res = self.ldb_admin.search(self.base_dn, + expression="(distinguishedName=%s)" % user_dn) + self.assertEqual(res, []) + res = self.ldb_admin.search(self.base_dn, + expression="(distinguishedName=%s)" % rename_user_dn) + self.assertNotEqual(res, []) + + def test_rename_u7(self): + """Rename 'User object' cross OU (second level) with WP, DC and CC right granted on OU to AU""" + ou1_dn = "OU=test_rename_ou1," + self.base_dn + ou2_dn = "OU=test_rename_ou2," + self.base_dn + ou3_dn = "OU=test_rename_ou3," + ou2_dn + user_dn = "CN=test_rename_user2," + ou1_dn + rename_user_dn = "CN=test_rename_user5," + ou3_dn + # Create OU structure + self.create_ou(self.ldb_admin, ou1_dn) + self.create_ou(self.ldb_admin, ou2_dn) + self.create_ou(self.ldb_admin, ou3_dn) + mod = "(A;CI;WPDC;;;AU)" + self.dacl_add_ace(ou1_dn, mod) + mod = "(A;;CC;;;AU)" + self.dacl_add_ace(ou3_dn, mod) + self.create_test_user(self.ldb_admin, user_dn) + # Rename 'User object' having SD and CC to AU + self.ldb_user.rename(user_dn, rename_user_dn) + res = self.ldb_admin.search(self.base_dn, + expression="(distinguishedName=%s)" % user_dn) + self.assertEqual(res, []) + res = self.ldb_admin.search(self.base_dn, + expression="(distinguishedName=%s)" % rename_user_dn) + self.assertNotEqual(res, []) + + def test_rename_u8(self): + """Test rename on an object with and without modify access on the RDN attribute""" + ou1_dn = "OU=test_rename_ou1," + self.base_dn + ou2_dn = "OU=test_rename_ou2," + ou1_dn + ou3_dn = "OU=test_rename_ou3," + ou1_dn + # Create OU structure + self.create_ou(self.ldb_admin, ou1_dn) + self.create_ou(self.ldb_admin, ou2_dn) + sid = self.get_object_sid(self.get_user_dn(self.regular_user)) + mod = "(OA;;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;%s)" % str(sid) + self.dacl_add_ace(ou2_dn, mod) + mod = "(OD;;WP;bf9679f0-0de6-11d0-a285-00aa003049e2;;%s)" % str(sid) + self.dacl_add_ace(ou2_dn, mod) + try: + self.ldb_user.rename(ou2_dn, ou3_dn) + except LdbError, (num, _): + self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) + else: + # This rename operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS + self.fail() + sid = self.get_object_sid(self.get_user_dn(self.regular_user)) + mod = "(A;;WP;bf9679f0-0de6-11d0-a285-00aa003049e2;;%s)" % str(sid) + self.dacl_add_ace(ou2_dn, mod) + self.ldb_user.rename(ou2_dn, ou3_dn) + res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s)" % ou2_dn) + self.assertEqual(res, []) + res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s)" % ou3_dn) + self.assertNotEqual(res, []) + +# Important unit running information + +if not "://" in host: + host = "ldap://%s" % host +ldb = SamDB(host, credentials=creds, session_info=system_session(), lp=lp) + +runner = SubunitTestRunner() +rc = 0 +if not runner.run(unittest.makeSuite(AclAddTests)).wasSuccessful(): + rc = 1 +if not runner.run(unittest.makeSuite(AclModifyTests)).wasSuccessful(): + rc = 1 +if not runner.run(unittest.makeSuite(AclDeleteTests)).wasSuccessful(): + rc = 1 +if not runner.run(unittest.makeSuite(AclRenameTests)).wasSuccessful(): + rc = 1 +sys.exit(rc) diff --git a/source4/dsdb/tests/python/deletetest.py b/source4/dsdb/tests/python/deletetest.py new file mode 100755 index 0000000000..aa93104c04 --- /dev/null +++ b/source4/dsdb/tests/python/deletetest.py @@ -0,0 +1,201 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- + +import optparse +import sys +import os + +sys.path.append("bin/python") +import samba +samba.ensure_external_module("subunit", "subunit/python") +samba.ensure_external_module("testtools", "testtools") + +import samba.getopt as options + +from samba.auth import system_session +from ldb import SCOPE_BASE, LdbError +from ldb import ERR_NO_SUCH_OBJECT +from samba import Ldb + +from subunit.run import SubunitTestRunner +import unittest + +parser = optparse.OptionParser("deletetest.py [options] ") +sambaopts = options.SambaOptions(parser) +parser.add_option_group(sambaopts) +parser.add_option_group(options.VersionOptions(parser)) +# use command line creds if available +credopts = options.CredentialsOptions(parser) +parser.add_option_group(credopts) +opts, args = parser.parse_args() + +if len(args) < 1: + parser.print_usage() + sys.exit(1) + +host = args[0] + +lp = sambaopts.get_loadparm() +creds = credopts.get_credentials(lp) + +class BasicDeleteTests(unittest.TestCase): + + def delete_force(self, ldb, dn): + try: + ldb.delete(dn) + except LdbError, (num, _): + self.assertEquals(num, ERR_NO_SUCH_OBJECT) + + def GUID_string(self, guid): + return self.ldb.schema_format_value("objectGUID", guid) + + def find_basedn(self, ldb): + res = ldb.search(base="", expression="", scope=SCOPE_BASE, + attrs=["defaultNamingContext"]) + self.assertEquals(len(res), 1) + return res[0]["defaultNamingContext"][0] + + def setUp(self): + self.ldb = ldb + self.base_dn = self.find_basedn(ldb) + + def search_guid(self,guid): + print "SEARCH by GUID %s" % self.GUID_string(guid) + + expression = "(objectGUID=%s)" % self.GUID_string(guid) + res = ldb.search(expression=expression, + controls=["show_deleted:1"]) + self.assertEquals(len(res), 1) + return res[0] + + def search_dn(self,dn): + print "SEARCH by DN %s" % dn + + res = ldb.search(expression="(objectClass=*)", + base=dn, + scope=SCOPE_BASE, + controls=["show_deleted:1"]) + self.assertEquals(len(res), 1) + return res[0] + + def del_attr_values(self, delObj): + print "Checking attributes for %s" % delObj["dn"] + + self.assertEquals(delObj["isDeleted"][0],"TRUE") + self.assertTrue(not("objectCategory" in delObj)) + self.assertTrue(not("sAMAccountType" in delObj)) + + def preserved_attributes_list(self, liveObj, delObj): + print "Checking for preserved attributes list" + + preserved_list = ["nTSecurityDescriptor", "attributeID", "attributeSyntax", "dNReferenceUpdate", "dNSHostName", + "flatName", "governsID", "groupType", "instanceType", "lDAPDisplayName", "legacyExchangeDN", + "isDeleted", "isRecycled", "lastKnownParent", "msDS-LastKnownRDN", "mS-DS-CreatorSID", + "mSMQOwnerID", "nCName", "objectClass", "distinguishedName", "objectGUID", "objectSid", + "oMSyntax", "proxiedObjectName", "name", "replPropertyMetaData", "sAMAccountName", + "securityIdentifier", "sIDHistory", "subClassOf", "systemFlags", "trustPartner", "trustDirection", + "trustType", "trustAttributes", "userAccountControl", "uSNChanged", "uSNCreated", "whenCreated"] + + for a in liveObj: + if a in preserved_list: + self.assertTrue(a in delObj) + + def check_rdn(self, liveObj, delObj, rdnName): + print "Checking for correct rDN" + rdn=liveObj[rdnName][0] + rdn2=delObj[rdnName][0] + name2=delObj[rdnName][0] + guid=liveObj["objectGUID"][0] + self.assertEquals(rdn2, rdn + "\nDEL:" + self.GUID_string(guid)) + self.assertEquals(name2, rdn + "\nDEL:" + self.GUID_string(guid)) + + def delete_deleted(self, ldb, dn): + print "Testing the deletion of the already deleted dn %s" % dn + + try: + ldb.delete(dn) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_NO_SUCH_OBJECT) + + def test_all(self): + """Basic delete tests""" + + print self.base_dn + + dn1="cn=testuser,cn=users," + self.base_dn + dn2="cn=testuser2,cn=users," + self.base_dn + grp1="cn=testdelgroup1,cn=users," + self.base_dn + + self.delete_force(self.ldb, dn1) + self.delete_force(self.ldb, dn2) + self.delete_force(self.ldb, grp1) + + ldb.add({ + "dn": dn1, + "objectclass": "user", + "cn": "testuser", + "description": "test user description", + "samaccountname": "testuser"}) + + ldb.add({ + "dn": dn2, + "objectclass": "user", + "cn": "testuser2", + "description": "test user 2 description", + "samaccountname": "testuser2"}) + + ldb.add({ + "dn": grp1, + "objectclass": "group", + "cn": "testdelgroup1", + "description": "test group", + "samaccountname": "testdelgroup1", + "member": [ dn1, dn2 ] }) + + objLive1 = self.search_dn(dn1) + guid1=objLive1["objectGUID"][0] + + objLive2 = self.search_dn(dn2) + guid2=objLive2["objectGUID"][0] + + objLive3 = self.search_dn(grp1) + guid3=objLive3["objectGUID"][0] + + ldb.delete(dn1) + ldb.delete(dn2) + ldb.delete(grp1) + + objDeleted1 = self.search_guid(guid1) + objDeleted2 = self.search_guid(guid2) + objDeleted3 = self.search_guid(guid3) + + self.del_attr_values(objDeleted1) + self.del_attr_values(objDeleted2) + self.del_attr_values(objDeleted3) + + self.preserved_attributes_list(objLive1, objDeleted1) + self.preserved_attributes_list(objLive2, objDeleted2) + + self.check_rdn(objLive1, objDeleted1, "cn") + self.check_rdn(objLive2, objDeleted2, "cn") + self.check_rdn(objLive3, objDeleted3, "cn") + + self.delete_deleted(ldb, dn1) + self.delete_deleted(ldb, dn2) + self.delete_deleted(ldb, grp1) + +if not "://" in host: + if os.path.isfile(host): + host = "tdb://%s" % host + else: + host = "ldap://%s" % host + +ldb = Ldb(host, credentials=creds, session_info=system_session(), lp=lp) + +runner = SubunitTestRunner() +rc = 0 +if not runner.run(unittest.makeSuite(BasicDeleteTests)).wasSuccessful(): + rc = 1 + +sys.exit(rc) diff --git a/source4/dsdb/tests/python/dsdb_schema_info.py b/source4/dsdb/tests/python/dsdb_schema_info.py new file mode 100755 index 0000000000..ff3c7f9b98 --- /dev/null +++ b/source4/dsdb/tests/python/dsdb_schema_info.py @@ -0,0 +1,213 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +# +# Unix SMB/CIFS implementation. +# Copyright (C) Kamen Mazdrashki 2010 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +# +# Usage: +# export DC_SERVER=target_dc_or_local_samdb_url +# export SUBUNITRUN=$samba4srcdir/scripting/bin/subunitrun +# PYTHONPATH="$PYTHONPATH:$samba4srcdir/lib/ldb/tests/python" $SUBUNITRUN dsdb_schema_info -U"$DOMAIN/$DC_USERNAME"%"$DC_PASSWORD" +# + +import sys +import time +import random +import os + +sys.path.append("bin/python") +import samba +samba.ensure_external_module("subunit", "subunit/python") +samba.ensure_external_module("testtools", "testtools") + +from samba.auth import system_session +from ldb import SCOPE_BASE, LdbError +from samba.samdb import SamDB + +import samba.tests +import samba.dcerpc.drsuapi +from samba.dcerpc.drsblobs import schemaInfoBlob +from samba.ndr import ndr_unpack +from samba.dcerpc.misc import GUID + + +class SchemaInfoTestCase(samba.tests.TestCase): + + def setUp(self): + super(SchemaInfoTestCase, self).setUp() + + # fetch rootDSE + self.ldb = ldb + res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"]) + self.assertEquals(len(res), 1) + self.schema_dn = res[0]["schemaNamingContext"][0] + self.base_dn = res[0]["defaultNamingContext"][0] + self.forest_level = int(res[0]["forestFunctionality"][0]) + + # get DC invocation_id + self.invocation_id = GUID(ldb.get_invocation_id()) + + def tearDown(self): + super(SchemaInfoTestCase, self).tearDown() + + def _getSchemaInfo(self): + try: + schema_info_data = ldb.searchone(attribute="schemaInfo", + basedn=self.schema_dn, + expression="(objectClass=*)", + scope=SCOPE_BASE) + self.assertEqual(len(schema_info_data), 21) + schema_info = ndr_unpack(schemaInfoBlob, schema_info_data) + self.assertEqual(schema_info.marker, 0xFF) + except KeyError: + # create default schemaInfo if + # attribute value is not created yet + schema_info = schemaInfoBlob() + schema_info.revision = 0 + schema_info.invocation_id = self.invocation_id + return schema_info + + def _checkSchemaInfo(self, schi_before, schi_after): + self.assertEqual(schi_before.revision + 1, schi_after.revision) + self.assertEqual(schi_before.invocation_id, schi_after.invocation_id) + self.assertEqual(schi_after.invocation_id, self.invocation_id) + + def _ldap_schemaUpdateNow(self): + ldif = """ +dn: +changetype: modify +add: schemaUpdateNow +schemaUpdateNow: 1 +""" + self.ldb.modify_ldif(ldif) + + def _make_obj_names(self, prefix): + obj_name = prefix + time.strftime("%s", time.gmtime()) + obj_ldap_name = obj_name.replace("-", "") + obj_dn = "CN=%s,%s" % (obj_name, self.schema_dn) + return (obj_name, obj_ldap_name, obj_dn) + + def _make_attr_ldif(self, attr_name, attr_dn): + ldif = """ +dn: """ + attr_dn + """ +objectClass: top +objectClass: attributeSchema +adminDescription: """ + attr_name + """ +adminDisplayName: """ + attr_name + """ +cn: """ + attr_name + """ +attributeId: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9940 +attributeSyntax: 2.5.5.12 +omSyntax: 64 +instanceType: 4 +isSingleValued: TRUE +systemOnly: FALSE +""" + return ldif + + def test_AddModifyAttribute(self): + # get initial schemaInfo + schi_before = self._getSchemaInfo() + + # create names for an attribute to add + (attr_name, attr_ldap_name, attr_dn) = self._make_obj_names("schemaInfo-Attr-") + ldif = self._make_attr_ldif(attr_name, attr_dn) + + # add the new attribute + self.ldb.add_ldif(ldif) + self._ldap_schemaUpdateNow() + # compare resulting schemaInfo + schi_after = self._getSchemaInfo() + self._checkSchemaInfo(schi_before, schi_after) + + # rename the Attribute + attr_dn_new = attr_dn.replace(attr_name, attr_name + "-NEW") + try: + self.ldb.rename(attr_dn, attr_dn_new) + except LdbError, (num, _): + self.fail("failed to change lDAPDisplayName for %s: %s" % (attr_name, _)) + + # compare resulting schemaInfo + schi_after = self._getSchemaInfo() + self._checkSchemaInfo(schi_before, schi_after) + pass + + + def _make_class_ldif(self, class_name, class_dn): + ldif = """ +dn: """ + class_dn + """ +objectClass: top +objectClass: classSchema +adminDescription: """ + class_name + """ +adminDisplayName: """ + class_name + """ +cn: """ + class_name + """ +governsId: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939 +instanceType: 4 +objectClassCategory: 1 +subClassOf: organizationalPerson +rDNAttID: cn +systemMustContain: cn +systemOnly: FALSE +""" + return ldif + + def test_AddModifyClass(self): + # get initial schemaInfo + schi_before = self._getSchemaInfo() + + # create names for a Class to add + (class_name, class_ldap_name, class_dn) = self._make_obj_names("schemaInfo-Class-") + ldif = self._make_class_ldif(class_name, class_dn) + + # add the new Class + self.ldb.add_ldif(ldif) + self._ldap_schemaUpdateNow() + # compare resulting schemaInfo + schi_after = self._getSchemaInfo() + self._checkSchemaInfo(schi_before, schi_after) + + # rename the Class + class_dn_new = class_dn.replace(class_name, class_name + "-NEW") + try: + self.ldb.rename(class_dn, class_dn_new) + except LdbError, (num, _): + self.fail("failed to change lDAPDisplayName for %s: %s" % (class_name, _)) + + # compare resulting schemaInfo + schi_after = self._getSchemaInfo() + self._checkSchemaInfo(schi_before, schi_after) + + +######################################################################################## +if not "DC_SERVER" in os.environ.keys(): + raise AssertionError("Please supply TARGET_DC in environment") +ldb_url = os.environ["DC_SERVER"] + +ldb_options = [] +if not "://" in ldb_url: + if os.path.isfile(ldb_url): + ldb_url = "tdb://%s" % ldb_url + else: + ldb_url = "ldap://%s" % ldb_url + # user 'paged_search' module when connecting remotely + ldb_options = ["modules:paged_searches"] + +ldb = SamDB(url=ldb_url, + lp=samba.tests.env_loadparm(), + session_info=system_session(), + credentials=samba.tests.cmdline_credentials, + options=ldb_options) diff --git a/source4/dsdb/tests/python/ldap.py b/source4/dsdb/tests/python/ldap.py new file mode 100755 index 0000000000..de8e89b7f8 --- /dev/null +++ b/source4/dsdb/tests/python/ldap.py @@ -0,0 +1,2688 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +# This is a port of the original in testprogs/ejs/ldap.js + +import optparse +import sys +import time +import base64 +import os + +sys.path.append("bin/python") +import samba +samba.ensure_external_module("subunit", "subunit/python") +samba.ensure_external_module("testtools", "testtools") + +import samba.getopt as options + +from samba.auth import system_session +from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError +from ldb import ERR_NO_SUCH_OBJECT, ERR_ATTRIBUTE_OR_VALUE_EXISTS +from ldb import ERR_ENTRY_ALREADY_EXISTS, ERR_UNWILLING_TO_PERFORM +from ldb import ERR_NOT_ALLOWED_ON_NON_LEAF, ERR_OTHER, ERR_INVALID_DN_SYNTAX +from ldb import ERR_NO_SUCH_ATTRIBUTE +from ldb import ERR_OBJECT_CLASS_VIOLATION, ERR_NOT_ALLOWED_ON_RDN +from ldb import ERR_NAMING_VIOLATION, ERR_CONSTRAINT_VIOLATION +from ldb import ERR_UNDEFINED_ATTRIBUTE_TYPE +from ldb import Message, MessageElement, Dn +from ldb import FLAG_MOD_ADD, FLAG_MOD_REPLACE, FLAG_MOD_DELETE +from samba import Ldb +from samba.dsdb import (UF_NORMAL_ACCOUNT, UF_WORKSTATION_TRUST_ACCOUNT, + UF_PASSWD_NOTREQD, UF_ACCOUNTDISABLE, ATYPE_NORMAL_ACCOUNT, + ATYPE_WORKSTATION_TRUST) + +from subunit.run import SubunitTestRunner +import unittest + +from samba.ndr import ndr_pack, ndr_unpack +from samba.dcerpc import security + +parser = optparse.OptionParser("ldap [options] ") +sambaopts = options.SambaOptions(parser) +parser.add_option_group(sambaopts) +parser.add_option_group(options.VersionOptions(parser)) +# use command line creds if available +credopts = options.CredentialsOptions(parser) +parser.add_option_group(credopts) +opts, args = parser.parse_args() + +if len(args) < 1: + parser.print_usage() + sys.exit(1) + +host = args[0] + +lp = sambaopts.get_loadparm() +creds = credopts.get_credentials(lp) + +class BasicTests(unittest.TestCase): + + def delete_force(self, ldb, dn): + try: + ldb.delete(dn) + except LdbError, (num, _): + self.assertEquals(num, ERR_NO_SUCH_OBJECT) + + def find_basedn(self, ldb): + res = ldb.search(base="", expression="", scope=SCOPE_BASE, + attrs=["defaultNamingContext"]) + self.assertEquals(len(res), 1) + return res[0]["defaultNamingContext"][0] + + def find_configurationdn(self, ldb): + res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["configurationNamingContext"]) + self.assertEquals(len(res), 1) + return res[0]["configurationNamingContext"][0] + + def find_schemadn(self, ldb): + res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["schemaNamingContext"]) + self.assertEquals(len(res), 1) + return res[0]["schemaNamingContext"][0] + + def find_domain_sid(self): + res = self.ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_BASE) + return ndr_unpack( security.dom_sid,res[0]["objectSid"][0]) + + def setUp(self): + super(BasicTests, self).setUp() + self.ldb = ldb + self.gc_ldb = gc_ldb + self.base_dn = self.find_basedn(ldb) + self.configuration_dn = self.find_configurationdn(ldb) + self.schema_dn = self.find_schemadn(ldb) + self.domain_sid = self.find_domain_sid() + + print "baseDN: %s\n" % self.base_dn + + self.delete_force(self.ldb, "cn=posixuser,cn=users," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptestuser2,cn=users," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptestuser3,cn=users," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptestuser4,cn=ldaptestcontainer," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptestuser4,cn=ldaptestcontainer2," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptestuser5,cn=users," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptest2computer,cn=computers," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptestcomputer3,cn=computers," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptestutf8user èùéìòà,cn=users," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptestutf8user2 èùéìòà,cn=users," + self.base_dn) + self.delete_force(self.ldb, "cn=entry1,cn=ldaptestcontainer," + self.base_dn) + self.delete_force(self.ldb, "cn=entry2,cn=ldaptestcontainer," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptestcontainer," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptestcontainer2," + self.base_dn) + self.delete_force(self.ldb, "cn=parentguidtest,cn=users," + self.base_dn) + self.delete_force(self.ldb, "cn=parentguidtest,cn=testotherusers," + self.base_dn) + self.delete_force(self.ldb, "cn=testotherusers," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptestobject," + self.base_dn) + self.delete_force(self.ldb, "description=xyz,cn=users," + self.base_dn) + self.delete_force(self.ldb, "ou=testou,cn=users," + self.base_dn) + + def test_objectclasses(self): + """Test objectClass behaviour""" + print "Test objectClass behaviour""" + + # Invalid objectclass specified + try: + self.ldb.add({ + "dn": "cn=ldaptestuser,cn=users," + self.base_dn, + "objectClass": "X" }) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE) + + # We cannot instanciate from an abstract objectclass + try: + self.ldb.add({ + "dn": "cn=ldaptestuser,cn=users," + self.base_dn, + "objectClass": "connectionPoint" }) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + self.ldb.add({ + "dn": "cn=ldaptestuser,cn=users," + self.base_dn, + "objectClass": "person" }) + + # We can remove derivation classes of the structural objectclass + # but they're going to be readded afterwards + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["objectClass"] = MessageElement("top", FLAG_MOD_DELETE, + "objectClass") + ldb.modify(m) + + res = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["objectClass"]) + self.assertTrue(len(res) == 1) + self.assertTrue("top" in res[0]["objectClass"]) + + # The top-most structural class cannot be deleted since there are + # attributes of it in use + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["objectClass"] = MessageElement("person", FLAG_MOD_DELETE, + "objectClass") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION) + + # We cannot delete classes which weren't specified + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["objectClass"] = MessageElement("computer", FLAG_MOD_DELETE, + "objectClass") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE) + + # An invalid class cannot be added + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["objectClass"] = MessageElement("X", FLAG_MOD_ADD, + "objectClass") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE) + + # The top-most structural class cannot be changed by adding another + # structural one + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["objectClass"] = MessageElement("user", FLAG_MOD_ADD, + "objectClass") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION) + + # An already specified objectclass cannot be added another time + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["objectClass"] = MessageElement("person", FLAG_MOD_ADD, + "objectClass") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS) + + # Auxiliary classes can always be added + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["objectClass"] = MessageElement("bootableDevice", FLAG_MOD_ADD, + "objectClass") + ldb.modify(m) + + # It's only possible to replace with the same objectclass combination. + # So the replace action on "objectClass" attributes is really useless. + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["objectClass"] = MessageElement(["top", "person", "bootableDevice"], + FLAG_MOD_REPLACE, "objectClass") + ldb.modify(m) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["objectClass"] = MessageElement(["person", "bootableDevice"], + FLAG_MOD_REPLACE, "objectClass") + ldb.modify(m) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["objectClass"] = MessageElement(["top", "person", "bootableDevice", + "connectionPoint"], FLAG_MOD_REPLACE, "objectClass") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["objectClass"] = MessageElement(["top", "computer"], FLAG_MOD_REPLACE, + "objectClass") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION) + + # Classes can be removed unless attributes of them are used. + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["objectClass"] = MessageElement("bootableDevice", FLAG_MOD_DELETE, + "objectClass") + ldb.modify(m) + + res = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["objectClass"]) + self.assertTrue(len(res) == 1) + self.assertFalse("bootableDevice" in res[0]["objectClass"]) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["objectClass"] = MessageElement("bootableDevice", FLAG_MOD_ADD, + "objectClass") + ldb.modify(m) + + # Add an attribute specific to the "bootableDevice" class + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["bootParameter"] = MessageElement("test", FLAG_MOD_ADD, + "bootParameter") + ldb.modify(m) + + # Classes can be removed unless attributes of them are used. Now there + # exist such attributes on the entry. + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["objectClass"] = MessageElement("bootableDevice", FLAG_MOD_DELETE, + "objectClass") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION) + + # Remove the previously specified attribute + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["bootParameter"] = MessageElement("test", FLAG_MOD_DELETE, + "bootParameter") + ldb.modify(m) + + # Classes can be removed unless attributes of them are used. + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["objectClass"] = MessageElement("bootableDevice", FLAG_MOD_DELETE, + "objectClass") + ldb.modify(m) + + self.delete_force(self.ldb, "cn=ldaptestuser2,cn=users," + self.base_dn) + + def test_system_only(self): + """Test systemOnly objects""" + print "Test systemOnly objects""" + + try: + self.ldb.add({ + "dn": "cn=ldaptestobject," + self.base_dn, + "objectclass": "configuration"}) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + self.delete_force(self.ldb, "cn=ldaptestobject," + self.base_dn) + + def test_invalid_parent(self): + """Test adding an object with invalid parent""" + print "Test adding an object with invalid parent""" + + try: + self.ldb.add({ + "dn": "cn=ldaptestgroup,cn=thisdoesnotexist123," + + self.base_dn, + "objectclass": "group"}) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_NO_SUCH_OBJECT) + + self.delete_force(self.ldb, "cn=ldaptestgroup,cn=thisdoesnotexist123," + + self.base_dn) + + try: + self.ldb.add({ + "dn": "ou=testou,cn=users," + self.base_dn, + "objectclass": "organizationalUnit"}) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_NAMING_VIOLATION) + + self.delete_force(self.ldb, "ou=testou,cn=users," + self.base_dn) + + def test_invalid_attribute(self): + """Test invalid attributes on schema/objectclasses""" + print "Test invalid attributes on schema/objectclasses""" + + # attributes not in schema test + + # add operation + + try: + self.ldb.add({ + "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, + "objectclass": "group", + "thisdoesnotexist": "x"}) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE) + + self.ldb.add({ + "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, + "objectclass": "group"}) + + # modify operation + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + m["thisdoesnotexist"] = MessageElement("x", FLAG_MOD_REPLACE, + "thisdoesnotexist") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE) + + self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + + # attributes not in objectclasses and mandatory attributes missing test + # Use here a non-SAM entry since it doesn't have special triggers + # associated which have an impact on the error results. + + # add operations + + # mandatory attribute missing + try: + self.ldb.add({ + "dn": "cn=ldaptestobject," + self.base_dn, + "objectclass": "ipProtocol"}) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION) + + # inadequate but schema-valid attribute specified + try: + self.ldb.add({ + "dn": "cn=ldaptestobject," + self.base_dn, + "objectclass": "ipProtocol", + "ipProtocolNumber": "1", + "uid" : "0"}) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION) + + self.ldb.add({ + "dn": "cn=ldaptestobject," + self.base_dn, + "objectclass": "ipProtocol", + "ipProtocolNumber": "1"}) + + # modify operations + + # inadequate but schema-valid attribute add trial + m = Message() + m.dn = Dn(ldb, "cn=ldaptestobject," + self.base_dn) + m["uid"] = MessageElement("0", FLAG_MOD_ADD, "uid") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION) + + # mandatory attribute delete trial + m = Message() + m.dn = Dn(ldb, "cn=ldaptestobject," + self.base_dn) + m["ipProtocolNumber"] = MessageElement([], FLAG_MOD_DELETE, + "ipProtocolNumber") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION) + + # mandatory attribute delete trial + m = Message() + m.dn = Dn(ldb, "cn=ldaptestobject," + self.base_dn) + m["ipProtocolNumber"] = MessageElement([], FLAG_MOD_REPLACE, + "ipProtocolNumber") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION) + + self.delete_force(self.ldb, "cn=ldaptestobject," + self.base_dn) + + def test_single_valued_attributes(self): + """Test single-valued attributes""" + print "Test single-valued attributes""" + + try: + self.ldb.add({ + "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, + "objectclass": "group", + "sAMAccountName": ["nam1", "nam2"]}) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + + self.ldb.add({ + "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, + "objectclass": "group"}) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + m["sAMAccountName"] = MessageElement(["nam1","nam2"], FLAG_MOD_REPLACE, + "sAMAccountName") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + m["sAMAccountName"] = MessageElement("testgroupXX", FLAG_MOD_REPLACE, + "sAMAccountName") + ldb.modify(m) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + m["sAMAccountName"] = MessageElement("testgroupXX2", FLAG_MOD_ADD, + "sAMAccountName") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS) + + self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + + def test_multi_valued_attributes(self): + """Test multi-valued attributes""" + print "Test multi-valued attributes""" + +# TODO: In this test I added some special tests where I got very unusual +# results back from a real AD. s4 doesn't match them and I've no idea how to +# implement those error cases (maybe there exists a special trigger for +# "description" attributes which handle them) + + self.ldb.add({ + "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, + "description": "desc2", + "objectclass": "group", + "description": "desc1"}) + + self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + + self.ldb.add({ + "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, + "objectclass": "group", + "description": ["desc1", "desc2"]}) + +# m = Message() +# m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) +# m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_REPLACE, +# "description") +# try: +# ldb.modify(m) +# self.fail() +# except LdbError, (num, _): +# self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + m["description"] = MessageElement("desc1", FLAG_MOD_REPLACE, + "description") + ldb.modify(m) + +# m = Message() +# m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) +# m["description"] = MessageElement("desc3", FLAG_MOD_ADD, +# "description") +# try: +# ldb.modify(m) +# self.fail() +# except LdbError, (num, _): +# self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_DELETE, + "description") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + m["description"] = MessageElement("desc1", FLAG_MOD_DELETE, + "description") + ldb.modify(m) + +# m = Message() +# m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) +# m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_REPLACE, +# "description") +# try: +# ldb.modify(m) +# self.fail() +# except LdbError, (num, _): +# self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS) + +# m = Message() +# m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) +# m["description"] = MessageElement(["desc3", "desc4"], FLAG_MOD_ADD, +# "description") +# try: +# ldb.modify(m) +# self.fail() +# except LdbError, (num, _): +# self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + m["description"] = MessageElement("desc3", FLAG_MOD_ADD, + "description") + ldb.modify(m) + + self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + + def test_empty_messages(self): + """Test empty messages""" + print "Test empty messages""" + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + + try: + ldb.add(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION) + + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + + def test_empty_attributes(self): + """Test empty attributes""" + print "Test empty attributes""" + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + m["objectClass"] = MessageElement("group", FLAG_MOD_ADD, "objectClass") + m["description"] = MessageElement([], FLAG_MOD_ADD, "description") + + try: + ldb.add(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + + self.ldb.add({ + "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, + "objectclass": "group"}) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + m["description"] = MessageElement([], FLAG_MOD_ADD, "description") + + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + m["description"] = MessageElement([], FLAG_MOD_REPLACE, "description") + ldb.modify(m) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + m["description"] = MessageElement([], FLAG_MOD_DELETE, "description") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE) + + self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + + def test_instanceType(self): + """Tests the 'instanceType' attribute""" + print "Tests the 'instanceType' attribute""" + + try: + self.ldb.add({ + "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, + "objectclass": "group", + "instanceType": ["0", "1"]}) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + self.ldb.add({ + "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, + "objectclass": "group"}) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + m["instanceType"] = MessageElement("0", FLAG_MOD_REPLACE, + "instanceType") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + m["instanceType"] = MessageElement([], FLAG_MOD_REPLACE, + "instanceType") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + m["instanceType"] = MessageElement([], FLAG_MOD_DELETE, "instanceType") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + + self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + + def test_distinguished_name(self): + """Tests the 'distinguishedName' attribute""" + print "Tests the 'distinguishedName' attribute""" + + # a wrong "distinguishedName" attribute is obviously tolerated + self.ldb.add({ + "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, + "objectclass": "group", + "distinguishedName": "cn=ldaptest,cn=users," + self.base_dn}) + + # proof if the DN has been set correctly + res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["distinguishedName"]) + self.assertTrue(len(res) == 1) + self.assertTrue("distinguishedName" in res[0]) + self.assertTrue(Dn(ldb, res[0]["distinguishedName"][0]) + == Dn(ldb, "cn=ldaptestgroup, cn=users," + self.base_dn)) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + m["distinguishedName"] = MessageElement( + "cn=ldaptestuser,cn=users," + self.base_dn, FLAG_MOD_ADD, + "distinguishedName") + + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + m["distinguishedName"] = MessageElement( + "cn=ldaptestuser,cn=users," + self.base_dn, FLAG_MOD_REPLACE, + "distinguishedName") + + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + m["distinguishedName"] = MessageElement( + "cn=ldaptestuser,cn=users," + self.base_dn, FLAG_MOD_DELETE, + "distinguishedName") + + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + + self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + + def test_rdn_name(self): + """Tests the RDN""" + print "Tests the RDN""" + + try: + self.ldb.add({ + "dn": "description=xyz,cn=users," + self.base_dn, + "objectclass": "group"}) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_NAMING_VIOLATION) + + self.delete_force(self.ldb, "description=xyz,cn=users," + self.base_dn) + + # a wrong "name" attribute is obviously tolerated + self.ldb.add({ + "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, + "objectclass": "group", + "name": "ldaptestgroupx"}) + + # proof if the name has been set correctly + res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["name"]) + self.assertTrue(len(res) == 1) + self.assertTrue("name" in res[0]) + self.assertTrue(res[0]["name"][0] == "ldaptestgroup") + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + m["name"] = MessageElement("cn=ldaptestuser", FLAG_MOD_REPLACE, + "name") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_NOT_ALLOWED_ON_RDN) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + m["cn"] = MessageElement("ldaptestuser", + FLAG_MOD_REPLACE, "cn") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_NOT_ALLOWED_ON_RDN) + + self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + + + # this test needs to be disabled until we really understand + # what the rDN length constraints are + def DISABLED_test_largeRDN(self): + """Testing large rDN (limit 64 characters)""" + rdn = "CN=a012345678901234567890123456789012345678901234567890123456789012"; + self.delete_force(self.ldb, "%s,%s" % (rdn, self.base_dn)) + ldif = """ +dn: %s,%s""" % (rdn,self.base_dn) + """ +objectClass: container +""" + self.ldb.add_ldif(ldif) + self.delete_force(self.ldb, "%s,%s" % (rdn, self.base_dn)) + + rdn = "CN=a0123456789012345678901234567890123456789012345678901234567890120"; + self.delete_force(self.ldb, "%s,%s" % (rdn, self.base_dn)) + try: + ldif = """ +dn: %s,%s""" % (rdn,self.base_dn) + """ +objectClass: container +""" + self.ldb.add_ldif(ldif) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + self.delete_force(self.ldb, "%s,%s" % (rdn, self.base_dn)) + + def test_rename(self): + """Tests the rename operation""" + print "Tests the rename operations""" + + try: + # cannot rename to be a child of itself + ldb.rename(self.base_dn, "dc=test," + self.base_dn) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + try: + # inexistent object + ldb.rename("cn=ldaptestuser2,cn=users," + self.base_dn, "cn=ldaptestuser2,cn=users," + self.base_dn) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_NO_SUCH_OBJECT) + + self.ldb.add({ + "dn": "cn=ldaptestuser2,cn=users," + self.base_dn, + "objectclass": ["user", "person"] }) + + ldb.rename("cn=ldaptestuser2,cn=users," + self.base_dn, "cn=ldaptestuser2,cn=users," + self.base_dn) + ldb.rename("cn=ldaptestuser2,cn=users," + self.base_dn, "cn=ldaptestuser3,cn=users," + self.base_dn) + ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, "cn=ldaptestUSER3,cn=users," + self.base_dn) + + try: + # containment problem: a user entry cannot contain user entries + ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, "cn=ldaptestuser4,cn=ldaptestuser3,cn=users," + self.base_dn) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_NAMING_VIOLATION) + + try: + # invalid parent + ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, "cn=ldaptestuser3,cn=people,cn=users," + self.base_dn) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_OTHER) + + try: + # invalid target DN syntax + ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, ",cn=users," + self.base_dn) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_INVALID_DN_SYNTAX) + + try: + # invalid RDN name + ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, "ou=ldaptestuser3,cn=users," + self.base_dn) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + self.delete_force(self.ldb, "cn=ldaptestuser3,cn=users," + self.base_dn) + + def test_rename_twice(self): + """Tests the rename operation twice - this corresponds to a past bug""" + print "Tests the rename twice operation""" + + self.ldb.add({ + "dn": "cn=ldaptestuser5,cn=users," + self.base_dn, + "objectclass": ["user", "person"] }) + + ldb.rename("cn=ldaptestuser5,cn=users," + self.base_dn, "cn=ldaptestUSER5,cn=users," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptestuser5,cn=users," + self.base_dn) + self.ldb.add({ + "dn": "cn=ldaptestuser5,cn=users," + self.base_dn, + "objectclass": ["user", "person"] }) + ldb.rename("cn=ldaptestuser5,cn=Users," + self.base_dn, "cn=ldaptestUSER5,cn=users," + self.base_dn) + res = ldb.search(expression="cn=ldaptestuser5") + print "Found %u records" % len(res) + self.assertEquals(len(res), 1, "Wrong number of hits for cn=ldaptestuser5") + res = ldb.search(expression="(&(cn=ldaptestuser5)(objectclass=user))") + print "Found %u records" % len(res) + self.assertEquals(len(res), 1, "Wrong number of hits for (&(cn=ldaptestuser5)(objectclass=user))") + self.delete_force(self.ldb, "cn=ldaptestuser5,cn=users," + self.base_dn) + + def test_parentGUID(self): + """Test parentGUID behaviour""" + print "Testing parentGUID behaviour\n" + + # TODO: This seems to fail on Windows Server. Hidden attribute? + + self.ldb.add({ + "dn": "cn=parentguidtest,cn=users," + self.base_dn, + "objectclass":"user", + "samaccountname":"parentguidtest"}); + res1 = ldb.search(base="cn=parentguidtest,cn=users," + self.base_dn, scope=SCOPE_BASE, + attrs=["parentGUID", "samaccountname"]); + res2 = ldb.search(base="cn=users," + self.base_dn,scope=SCOPE_BASE, + attrs=["objectGUID"]); + res3 = ldb.search(base=self.base_dn, scope=SCOPE_BASE, + attrs=["parentGUID"]); + + """Check if the parentGUID is valid """ + self.assertEquals(res1[0]["parentGUID"], res2[0]["objectGUID"]); + + """Check if it returns nothing when there is no parent object""" + has_parentGUID = False + for key in res3[0].keys(): + if key == "parentGUID": + has_parentGUID = True + break + self.assertFalse(has_parentGUID); + + """Ensures that if you look for another object attribute after the constructed + parentGUID, it will return correctly""" + has_another_attribute = False + for key in res1[0].keys(): + if key == "sAMAccountName": + has_another_attribute = True + break + self.assertTrue(has_another_attribute) + self.assertTrue(len(res1[0]["samaccountname"]) == 1) + self.assertEquals(res1[0]["samaccountname"][0], "parentguidtest"); + + print "Testing parentGUID behaviour on rename\n" + + self.ldb.add({ + "dn": "cn=testotherusers," + self.base_dn, + "objectclass":"container"}); + res1 = ldb.search(base="cn=testotherusers," + self.base_dn,scope=SCOPE_BASE, + attrs=["objectGUID"]); + ldb.rename("cn=parentguidtest,cn=users," + self.base_dn, + "cn=parentguidtest,cn=testotherusers," + self.base_dn); + res2 = ldb.search(base="cn=parentguidtest,cn=testotherusers," + self.base_dn, + scope=SCOPE_BASE, + attrs=["parentGUID"]); + self.assertEquals(res1[0]["objectGUID"], res2[0]["parentGUID"]); + + self.delete_force(self.ldb, "cn=parentguidtest,cn=testotherusers," + self.base_dn) + self.delete_force(self.ldb, "cn=testotherusers," + self.base_dn) + + def test_groupType_int32(self): + """Test groupType (int32) behaviour (should appear to be casted to a 32 bit signed integer before comparsion)""" + print "Testing groupType (int32) behaviour\n" + + res1 = ldb.search(base=self.base_dn, scope=SCOPE_SUBTREE, + attrs=["groupType"], expression="groupType=2147483653"); + + res2 = ldb.search(base=self.base_dn, scope=SCOPE_SUBTREE, + attrs=["groupType"], expression="groupType=-2147483643"); + + self.assertEquals(len(res1), len(res2)) + + self.assertTrue(res1.count > 0) + + self.assertEquals(res1[0]["groupType"][0], "-2147483643") + + def test_linked_attributes(self): + """This tests the linked attribute behaviour""" + print "Testing linked attribute behaviour\n" + + ldb.add({ + "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, + "objectclass": "group"}) + + # This should not work since "memberOf" is linked to "member" + try: + ldb.add({ + "dn": "cn=ldaptestuser,cn=users," + self.base_dn, + "objectclass": ["user", "person"], + "memberOf": "cn=ldaptestgroup,cn=users," + self.base_dn}) + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + ldb.add({ + "dn": "cn=ldaptestuser,cn=users," + self.base_dn, + "objectclass": ["user", "person"]}) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["memberOf"] = MessageElement("cn=ldaptestgroup,cn=users," + self.base_dn, + FLAG_MOD_ADD, "memberOf") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn, + FLAG_MOD_ADD, "member") + ldb.modify(m) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["memberOf"] = MessageElement("cn=ldaptestgroup,cn=users," + self.base_dn, + FLAG_MOD_REPLACE, "memberOf") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["memberOf"] = MessageElement("cn=ldaptestgroup,cn=users," + self.base_dn, + FLAG_MOD_DELETE, "memberOf") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn, + FLAG_MOD_DELETE, "member") + ldb.modify(m) + + # This should yield no results since the member attribute for + # "ldaptestuser" should have been deleted + res1 = ldb.search("cn=ldaptestgroup, cn=users," + self.base_dn, + scope=SCOPE_BASE, + expression="(member=cn=ldaptestuser,cn=users," + self.base_dn + ")", + attrs=[]) + self.assertTrue(len(res1) == 0) + + self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + + ldb.add({ + "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, + "objectclass": "group", + "member": "cn=ldaptestuser,cn=users," + self.base_dn}) + + self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + + # Make sure that the "member" attribute for "ldaptestuser" has been + # removed + res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["member"]) + self.assertTrue(len(res) == 1) + self.assertFalse("member" in res[0]) + + self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + + def test_groups(self): + """This tests the group behaviour (setting, changing) of a user account""" + print "Testing group behaviour\n" + + ldb.add({ + "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, + "objectclass": "group"}) + + ldb.add({ + "dn": "cn=ldaptestgroup2,cn=users," + self.base_dn, + "objectclass": "group"}) + + res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["objectSID"]) + self.assertTrue(len(res1) == 1) + group_rid_1 = security.dom_sid(ldb.schema_format_value("objectSID", + res1[0]["objectSID"][0])).split()[1] + + res1 = ldb.search("cn=ldaptestgroup2,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["objectSID"]) + self.assertTrue(len(res1) == 1) + group_rid_2 = security.dom_sid(ldb.schema_format_value("objectSID", + res1[0]["objectSID"][0])).split()[1] + + # Try to create a user with an invalid primary group + try: + ldb.add({ + "dn": "cn=ldaptestuser,cn=users," + self.base_dn, + "objectclass": ["user", "person"], + "primaryGroupID": "0"}) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + + # Try to Create a user with a valid primary group +# TODO Some more investigation needed here +# try: +# ldb.add({ +# "dn": "cn=ldaptestuser,cn=users," + self.base_dn, +# "objectclass": ["user", "person"], +# "primaryGroupID": str(group_rid_1)}) +# self.fail() +# except LdbError, (num, _): +# self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) +# self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + + # Test to see how we should behave when the user account doesn't + # exist + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE, + "primaryGroupID") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_NO_SUCH_OBJECT) + + # Test to see how we should behave when the account isn't a user + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + m["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE, + "primaryGroupID") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION) + + ldb.add({ + "dn": "cn=ldaptestuser,cn=users," + self.base_dn, + "objectclass": ["user", "person"]}) + + # We should be able to reset our actual primary group + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["primaryGroupID"] = MessageElement("513", FLAG_MOD_REPLACE, + "primaryGroupID") + ldb.modify(m) + + # Try to add invalid primary group + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE, + "primaryGroupID") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + # Try to make group 1 primary - should be denied since it is not yet + # secondary + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["primaryGroupID"] = MessageElement(str(group_rid_1), + FLAG_MOD_REPLACE, "primaryGroupID") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + # Make group 1 secondary + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn, + FLAG_MOD_REPLACE, "member") + ldb.modify(m) + + # Make group 1 primary + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["primaryGroupID"] = MessageElement(str(group_rid_1), + FLAG_MOD_REPLACE, "primaryGroupID") + ldb.modify(m) + + # Try to delete group 1 - should be denied + try: + ldb.delete("cn=ldaptestgroup,cn=users," + self.base_dn) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS) + + # Try to add group 1 also as secondary - should be denied + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn, + FLAG_MOD_ADD, "member") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS) + + # Try to add invalid member to group 1 - should be denied + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + m["member"] = MessageElement( + "cn=ldaptestuser3,cn=users," + self.base_dn, + FLAG_MOD_ADD, "member") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_NO_SUCH_OBJECT) + + # Make group 2 secondary + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn) + m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn, + FLAG_MOD_ADD, "member") + ldb.modify(m) + + # Swap the groups + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["primaryGroupID"] = MessageElement(str(group_rid_2), + FLAG_MOD_REPLACE, "primaryGroupID") + ldb.modify(m) + + # Old primary group should contain a "member" attribute for the user, + # the new shouldn't contain anymore one + res1 = ldb.search("cn=ldaptestgroup, cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["member"]) + self.assertTrue(len(res1) == 1) + self.assertTrue(len(res1[0]["member"]) == 1) + self.assertEquals(res1[0]["member"][0].lower(), + ("cn=ldaptestuser,cn=users," + self.base_dn).lower()) + + res1 = ldb.search("cn=ldaptestgroup2, cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["member"]) + self.assertTrue(len(res1) == 1) + self.assertFalse("member" in res1[0]) + + # Also this should be denied + try: + ldb.add({ + "dn": "cn=ldaptestuser1,cn=users," + self.base_dn, + "objectclass": ["user", "person"], + "primaryGroupID": "0"}) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn) + + def test_sam_attributes(self): + """Test the behaviour of special attributes of SAM objects""" + print "Testing the behaviour of special attributes of SAM objects\n""" + + ldb.add({ + "dn": "cn=ldaptestuser,cn=users," + self.base_dn, + "objectclass": ["user", "person"]}) + ldb.add({ + "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, + "objectclass": "group"}) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + m["groupType"] = MessageElement("0", FLAG_MOD_ADD, + "groupType") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + m["groupType"] = MessageElement([], FLAG_MOD_DELETE, + "groupType") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["primaryGroupID"] = MessageElement("0", FLAG_MOD_ADD, + "primaryGroupID") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["primaryGroupID"] = MessageElement([], FLAG_MOD_DELETE, + "primaryGroupID") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["userAccountControl"] = MessageElement("0", FLAG_MOD_ADD, + "userAccountControl") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["userAccountControl"] = MessageElement([], FLAG_MOD_DELETE, + "userAccountControl") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["sAMAccountType"] = MessageElement("0", FLAG_MOD_ADD, + "sAMAccountType") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["sAMAccountType"] = MessageElement([], FLAG_MOD_REPLACE, + "sAMAccountType") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["sAMAccountType"] = MessageElement([], FLAG_MOD_DELETE, + "sAMAccountType") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + + def test_primary_group_token_constructed(self): + """Test the primary group token behaviour (hidden-generated-readonly attribute on groups) and some other constructed attributes""" + print "Testing primary group token behaviour and other constructed attributes\n" + + try: + ldb.add({ + "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, + "objectclass": "group", + "primaryGroupToken": "100"}) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNDEFINED_ATTRIBUTE_TYPE) + self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + + ldb.add({ + "dn": "cn=ldaptestuser,cn=users," + self.base_dn, + "objectclass": ["user", "person"]}) + + ldb.add({ + "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, + "objectclass": "group"}) + + # Testing for one invalid, and one valid operational attribute, but also the things they are built from + res1 = ldb.search(self.base_dn, + scope=SCOPE_BASE, attrs=["primaryGroupToken", "canonicalName", "objectClass", "objectSid"]) + self.assertTrue(len(res1) == 1) + self.assertFalse("primaryGroupToken" in res1[0]) + self.assertTrue("canonicalName" in res1[0]) + self.assertTrue("objectClass" in res1[0]) + self.assertTrue("objectSid" in res1[0]) + + res1 = ldb.search(self.base_dn, + scope=SCOPE_BASE, attrs=["primaryGroupToken", "canonicalName"]) + self.assertTrue(len(res1) == 1) + self.assertFalse("primaryGroupToken" in res1[0]) + self.assertFalse("objectSid" in res1[0]) + self.assertFalse("objectClass" in res1[0]) + self.assertTrue("canonicalName" in res1[0]) + + res1 = ldb.search("cn=users,"+self.base_dn, + scope=SCOPE_BASE, attrs=["primaryGroupToken"]) + self.assertTrue(len(res1) == 1) + self.assertFalse("primaryGroupToken" in res1[0]) + + res1 = ldb.search("cn=ldaptestuser, cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["primaryGroupToken"]) + self.assertTrue(len(res1) == 1) + self.assertFalse("primaryGroupToken" in res1[0]) + + res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn, + scope=SCOPE_BASE) + self.assertTrue(len(res1) == 1) + self.assertFalse("primaryGroupToken" in res1[0]) + + res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["primaryGroupToken", "objectSID"]) + self.assertTrue(len(res1) == 1) + primary_group_token = int(res1[0]["primaryGroupToken"][0]) + + rid = security.dom_sid(ldb.schema_format_value("objectSID", res1[0]["objectSID"][0])).split()[1] + self.assertEquals(primary_group_token, rid) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + m["primaryGroupToken"] = "100" + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + + self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + + def test_tokenGroups(self): + """Test the tokenGroups behaviour (hidden-generated-readonly attribute on SAM objects)""" + print "Testing tokenGroups behaviour\n" + + # The domain object shouldn't contain any "tokenGroups" entry + res = ldb.search(self.base_dn, scope=SCOPE_BASE, attrs=["tokenGroups"]) + self.assertTrue(len(res) == 1) + self.assertFalse("tokenGroups" in res[0]) + + # The domain administrator should contain "tokenGroups" entries + # (the exact number depends on the domain/forest function level and the + # DC software versions) + res = ldb.search("cn=Administrator,cn=Users," + self.base_dn, + scope=SCOPE_BASE, attrs=["tokenGroups"]) + self.assertTrue(len(res) == 1) + self.assertTrue("tokenGroups" in res[0]) + + ldb.add({ + "dn": "cn=ldaptestuser,cn=users," + self.base_dn, + "objectclass": ["user", "person"]}) + + # This testuser should contain at least two "tokenGroups" entries + # (exactly two on an unmodified "Domain Users" and "Users" group) + res = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["tokenGroups"]) + self.assertTrue(len(res) == 1) + self.assertTrue(len(res[0]["tokenGroups"]) >= 2) + + # one entry which we need to find should point to domains "Domain Users" + # group and another entry should point to the builtin "Users"group + domain_users_group_found = False + users_group_found = False + for sid in res[0]["tokenGroups"]: + rid = security.dom_sid(ldb.schema_format_value("objectSID", sid)).split()[1] + if rid == 513: + domain_users_group_found = True + if rid == 545: + users_group_found = True + + self.assertTrue(domain_users_group_found) + self.assertTrue(users_group_found) + + self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + + def test_wkguid(self): + """Test Well known GUID behaviours (including DN+Binary)""" + print "Test Well known GUID behaviours (including DN+Binary)""" + + res = self.ldb.search(base=("" % self.base_dn), scope=SCOPE_BASE, attrs=[]) + self.assertEquals(len(res), 1) + + res2 = self.ldb.search(scope=SCOPE_BASE, attrs=["wellKnownObjects"], expression=("wellKnownObjects=B:32:ab1d30f3768811d1aded00c04fd8d5cd:%s" % res[0].dn)) + self.assertEquals(len(res2), 1) + + # Prove that the matching rule is over the whole DN+Binary + res2 = self.ldb.search(scope=SCOPE_BASE, attrs=["wellKnownObjects"], expression=("wellKnownObjects=B:32:ab1d30f3768811d1aded00c04fd8d5cd")) + self.assertEquals(len(res2), 0) + # Prove that the matching rule is over the whole DN+Binary + res2 = self.ldb.search(scope=SCOPE_BASE, attrs=["wellKnownObjects"], expression=("wellKnownObjects=%s") % res[0].dn) + self.assertEquals(len(res2), 0) + + def test_subschemasubentry(self): + """Test subSchemaSubEntry appears when requested, but not when not requested""" + print "Test subSchemaSubEntry""" + + res = self.ldb.search(base=self.base_dn, scope=SCOPE_BASE, attrs=["subSchemaSubEntry"]) + self.assertEquals(len(res), 1) + self.assertEquals(res[0]["subSchemaSubEntry"][0], "CN=Aggregate,"+self.schema_dn) + + res = self.ldb.search(base=self.base_dn, scope=SCOPE_BASE, attrs=["*"]) + self.assertEquals(len(res), 1) + self.assertTrue("subScheamSubEntry" not in res[0]) + + def test_subtree_delete(self): + """Tests subtree deletes""" + + print "Test subtree deletes""" + + ldb.add({ + "dn": "cn=ldaptestcontainer," + self.base_dn, + "objectclass": "container"}) + ldb.add({ + "dn": "cn=entry1,cn=ldaptestcontainer," + self.base_dn, + "objectclass": "container"}) + ldb.add({ + "dn": "cn=entry2,cn=ldaptestcontainer," + self.base_dn, + "objectclass": "container"}) + + try: + ldb.delete("cn=ldaptestcontainer," + self.base_dn) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_NOT_ALLOWED_ON_NON_LEAF) + + ldb.delete("cn=ldaptestcontainer," + self.base_dn, ["tree_delete:0"]) + + try: + res = ldb.search("cn=ldaptestcontainer," + self.base_dn, + scope=SCOPE_BASE, attrs=[]) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_NO_SUCH_OBJECT) + try: + res = ldb.search("cn=entry1,cn=ldaptestcontainer," + self.base_dn, + scope=SCOPE_BASE, attrs=[]) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_NO_SUCH_OBJECT) + try: + res = ldb.search("cn=entry2,cn=ldaptestcontainer," + self.base_dn, + scope=SCOPE_BASE, attrs=[]) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_NO_SUCH_OBJECT) + + self.delete_force(self.ldb, "cn=entry1,cn=ldaptestcontainer," + self.base_dn) + self.delete_force(self.ldb, "cn=entry2,cn=ldaptestcontainer," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptestcontainer," + self.base_dn) + + def test_all(self): + """Basic tests""" + + print "Testing user add" + + ldb.add({ + "dn": "cn=ldaptestuser,cn=uSers," + self.base_dn, + "objectclass": ["user", "person"], + "cN": "LDAPtestUSER", + "givenname": "ldap", + "sn": "testy"}) + + ldb.add({ + "dn": "cn=ldaptestgroup,cn=uSers," + self.base_dn, + "objectclass": "group", + "member": "cn=ldaptestuser,cn=useRs," + self.base_dn}) + + ldb.add({ + "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn, + "objectclass": "computer", + "cN": "LDAPtestCOMPUTER"}) + + ldb.add({"dn": "cn=ldaptest2computer,cn=computers," + self.base_dn, + "objectClass": "computer", + "cn": "LDAPtest2COMPUTER", + "userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT), + "displayname": "ldap testy"}) + + try: + ldb.add({"dn": "cn=ldaptestcomputer3,cn=computers," + self.base_dn, + "objectClass": "computer", + "cn": "LDAPtest2COMPUTER" + }) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_INVALID_DN_SYNTAX) + + try: + ldb.add({"dn": "cn=ldaptestcomputer3,cn=computers," + self.base_dn, + "objectClass": "computer", + "cn": "ldaptestcomputer3", + "sAMAccountType": str(ATYPE_NORMAL_ACCOUNT) + }) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + ldb.add({"dn": "cn=ldaptestcomputer3,cn=computers," + self.base_dn, + "objectClass": "computer", + "cn": "LDAPtestCOMPUTER3" + }) + + print "Testing ldb.search for (&(cn=ldaptestcomputer3)(objectClass=user))"; + res = ldb.search(self.base_dn, expression="(&(cn=ldaptestcomputer3)(objectClass=user))"); + self.assertEquals(len(res), 1, "Found only %d for (&(cn=ldaptestcomputer3)(objectClass=user))" % len(res)) + + self.assertEquals(str(res[0].dn), ("CN=ldaptestcomputer3,CN=Computers," + self.base_dn)); + self.assertEquals(res[0]["cn"][0], "ldaptestcomputer3"); + self.assertEquals(res[0]["name"][0], "ldaptestcomputer3"); + self.assertEquals(res[0]["objectClass"][0], "top"); + self.assertEquals(res[0]["objectClass"][1], "person"); + self.assertEquals(res[0]["objectClass"][2], "organizationalPerson"); + self.assertEquals(res[0]["objectClass"][3], "user"); + self.assertEquals(res[0]["objectClass"][4], "computer"); + self.assertTrue("objectGUID" in res[0]) + self.assertTrue("whenCreated" in res[0]) + self.assertEquals(res[0]["objectCategory"][0], ("CN=Computer,CN=Schema,CN=Configuration," + self.base_dn)); + self.assertEquals(int(res[0]["primaryGroupID"][0]), 513); + self.assertEquals(int(res[0]["sAMAccountType"][0]), ATYPE_NORMAL_ACCOUNT); + self.assertEquals(int(res[0]["userAccountControl"][0]), UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD | UF_ACCOUNTDISABLE); + + self.delete_force(self.ldb, "cn=ldaptestcomputer3,cn=computers," + self.base_dn) + + print "Testing attribute or value exists behaviour" + try: + ldb.modify_ldif(""" +dn: cn=ldaptest2computer,cn=computers,""" + self.base_dn + """ +changetype: modify +replace: servicePrincipalName +servicePrincipalName: host/ldaptest2computer +servicePrincipalName: host/ldaptest2computer +servicePrincipalName: cifs/ldaptest2computer +""") + self.fail() + except LdbError, (num, msg): + self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS) + + ldb.modify_ldif(""" +dn: cn=ldaptest2computer,cn=computers,""" + self.base_dn + """ +changetype: modify +replace: servicePrincipalName +servicePrincipalName: host/ldaptest2computer +servicePrincipalName: cifs/ldaptest2computer +""") + try: + ldb.modify_ldif(""" +dn: cn=ldaptest2computer,cn=computers,""" + self.base_dn + """ +changetype: modify +add: servicePrincipalName +servicePrincipalName: host/ldaptest2computer +""") + self.fail() + except LdbError, (num, msg): + self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS) + + print "Testing ranged results" + ldb.modify_ldif(""" +dn: cn=ldaptest2computer,cn=computers,""" + self.base_dn + """ +changetype: modify +replace: servicePrincipalName +""") + + ldb.modify_ldif(""" +dn: cn=ldaptest2computer,cn=computers,""" + self.base_dn + """ +changetype: modify +add: servicePrincipalName +servicePrincipalName: host/ldaptest2computer0 +servicePrincipalName: host/ldaptest2computer1 +servicePrincipalName: host/ldaptest2computer2 +servicePrincipalName: host/ldaptest2computer3 +servicePrincipalName: host/ldaptest2computer4 +servicePrincipalName: host/ldaptest2computer5 +servicePrincipalName: host/ldaptest2computer6 +servicePrincipalName: host/ldaptest2computer7 +servicePrincipalName: host/ldaptest2computer8 +servicePrincipalName: host/ldaptest2computer9 +servicePrincipalName: host/ldaptest2computer10 +servicePrincipalName: host/ldaptest2computer11 +servicePrincipalName: host/ldaptest2computer12 +servicePrincipalName: host/ldaptest2computer13 +servicePrincipalName: host/ldaptest2computer14 +servicePrincipalName: host/ldaptest2computer15 +servicePrincipalName: host/ldaptest2computer16 +servicePrincipalName: host/ldaptest2computer17 +servicePrincipalName: host/ldaptest2computer18 +servicePrincipalName: host/ldaptest2computer19 +servicePrincipalName: host/ldaptest2computer20 +servicePrincipalName: host/ldaptest2computer21 +servicePrincipalName: host/ldaptest2computer22 +servicePrincipalName: host/ldaptest2computer23 +servicePrincipalName: host/ldaptest2computer24 +servicePrincipalName: host/ldaptest2computer25 +servicePrincipalName: host/ldaptest2computer26 +servicePrincipalName: host/ldaptest2computer27 +servicePrincipalName: host/ldaptest2computer28 +servicePrincipalName: host/ldaptest2computer29 +""") + + res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, + attrs=["servicePrincipalName;range=0-*"]) + self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)") + #print len(res[0]["servicePrincipalName;range=0-*"]) + self.assertEquals(len(res[0]["servicePrincipalName;range=0-*"]), 30) + + res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, attrs=["servicePrincipalName;range=0-19"]) + self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)") + # print res[0]["servicePrincipalName;range=0-19"].length + self.assertEquals(len(res[0]["servicePrincipalName;range=0-19"]), 20) + + + res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, attrs=["servicePrincipalName;range=0-30"]) + self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)") + self.assertEquals(len(res[0]["servicePrincipalName;range=0-*"]), 30) + + res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, attrs=["servicePrincipalName;range=0-40"]) + self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)") + self.assertEquals(len(res[0]["servicePrincipalName;range=0-*"]), 30) + + res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, attrs=["servicePrincipalName;range=30-40"]) + self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)") + self.assertEquals(len(res[0]["servicePrincipalName;range=30-*"]), 0) + + + res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, attrs=["servicePrincipalName;range=10-40"]) + self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)") + self.assertEquals(len(res[0]["servicePrincipalName;range=10-*"]), 20) + # pos_11 = res[0]["servicePrincipalName;range=10-*"][18] + + res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, attrs=["servicePrincipalName;range=11-40"]) + self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)") + self.assertEquals(len(res[0]["servicePrincipalName;range=11-*"]), 19) + # print res[0]["servicePrincipalName;range=11-*"][18] + # print pos_11 + # self.assertEquals((res[0]["servicePrincipalName;range=11-*"][18]), pos_11) + + res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, attrs=["servicePrincipalName;range=11-15"]) + self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)") + self.assertEquals(len(res[0]["servicePrincipalName;range=11-15"]), 5) + # self.assertEquals(res[0]["servicePrincipalName;range=11-15"][4], pos_11) + + res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, attrs=["servicePrincipalName"]) + self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)") + # print res[0]["servicePrincipalName"][18] + # print pos_11 + self.assertEquals(len(res[0]["servicePrincipalName"]), 30) + # self.assertEquals(res[0]["servicePrincipalName"][18], pos_11) + + self.delete_force(self.ldb, "cn=ldaptestuser2,cn=users," + self.base_dn) + ldb.add({ + "dn": "cn=ldaptestuser2,cn=useRs," + self.base_dn, + "objectClass": ["person", "user"], + "cn": "LDAPtestUSER2", + "givenname": "testy", + "sn": "ldap user2"}) + + print "Testing Ambigious Name Resolution" + # Testing ldb.search for (&(anr=ldap testy)(objectClass=user)) + res = ldb.search(expression="(&(anr=ldap testy)(objectClass=user))") + self.assertEquals(len(res), 3, "Found only %d of 3 for (&(anr=ldap testy)(objectClass=user))" % len(res)) + + # Testing ldb.search for (&(anr=testy ldap)(objectClass=user)) + res = ldb.search(expression="(&(anr=testy ldap)(objectClass=user))") + self.assertEquals(len(res), 2, "Found only %d of 2 for (&(anr=testy ldap)(objectClass=user))" % len(res)) + + # Testing ldb.search for (&(anr=ldap)(objectClass=user)) + res = ldb.search(expression="(&(anr=ldap)(objectClass=user))") + self.assertEquals(len(res), 4, "Found only %d of 4 for (&(anr=ldap)(objectClass=user))" % len(res)) + + # Testing ldb.search for (&(anr==ldap)(objectClass=user)) + res = ldb.search(expression="(&(anr==ldap)(objectClass=user))") + self.assertEquals(len(res), 1, "Could not find (&(anr==ldap)(objectClass=user)). Found only %d for (&(anr=ldap)(objectClass=user))" % len(res)) + + self.assertEquals(str(res[0].dn), ("CN=ldaptestuser,CN=Users," + self.base_dn)) + self.assertEquals(res[0]["cn"][0], "ldaptestuser") + self.assertEquals(str(res[0]["name"]), "ldaptestuser") + + # Testing ldb.search for (&(anr=testy)(objectClass=user)) + res = ldb.search(expression="(&(anr=testy)(objectClass=user))") + self.assertEquals(len(res), 2, "Found only %d for (&(anr=testy)(objectClass=user))" % len(res)) + + # Testing ldb.search for (&(anr=testy ldap)(objectClass=user)) + res = ldb.search(expression="(&(anr=testy ldap)(objectClass=user))") + self.assertEquals(len(res), 2, "Found only %d for (&(anr=testy ldap)(objectClass=user))" % len(res)) + + # Testing ldb.search for (&(anr==testy ldap)(objectClass=user)) +# this test disabled for the moment, as anr with == tests are not understood +# res = ldb.search(expression="(&(anr==testy ldap)(objectClass=user))") +# self.assertEquals(len(res), 1, "Found only %d for (&(anr==testy ldap)(objectClass=user))" % len(res)) + +# self.assertEquals(str(res[0].dn), ("CN=ldaptestuser,CN=Users," + self.base_dn)) +# self.assertEquals(res[0]["cn"][0], "ldaptestuser") +# self.assertEquals(res[0]["name"][0], "ldaptestuser") + + # Testing ldb.search for (&(anr==testy ldap)(objectClass=user)) +# res = ldb.search(expression="(&(anr==testy ldap)(objectClass=user))") +# self.assertEquals(len(res), 1, "Could not find (&(anr==testy ldap)(objectClass=user))") + +# self.assertEquals(str(res[0].dn), ("CN=ldaptestuser,CN=Users," + self.base_dn)) +# self.assertEquals(res[0]["cn"][0], "ldaptestuser") +# self.assertEquals(res[0]["name"][0], "ldaptestuser") + + # Testing ldb.search for (&(anr=testy ldap user)(objectClass=user)) + res = ldb.search(expression="(&(anr=testy ldap user)(objectClass=user))") + self.assertEquals(len(res), 1, "Could not find (&(anr=testy ldap user)(objectClass=user))") + + self.assertEquals(str(res[0].dn), ("CN=ldaptestuser2,CN=Users," + self.base_dn)) + self.assertEquals(str(res[0]["cn"]), "ldaptestuser2") + self.assertEquals(str(res[0]["name"]), "ldaptestuser2") + + # Testing ldb.search for (&(anr==testy ldap user2)(objectClass=user)) +# res = ldb.search(expression="(&(anr==testy ldap user2)(objectClass=user))") +# self.assertEquals(len(res), 1, "Could not find (&(anr==testy ldap user2)(objectClass=user))") + + self.assertEquals(str(res[0].dn), ("CN=ldaptestuser2,CN=Users," + self.base_dn)) + self.assertEquals(str(res[0]["cn"]), "ldaptestuser2") + self.assertEquals(str(res[0]["name"]), "ldaptestuser2") + + # Testing ldb.search for (&(anr==ldap user2)(objectClass=user)) +# res = ldb.search(expression="(&(anr==ldap user2)(objectClass=user))") +# self.assertEquals(len(res), 1, "Could not find (&(anr==ldap user2)(objectClass=user))") + + self.assertEquals(str(res[0].dn), ("CN=ldaptestuser2,CN=Users," + self.base_dn)) + self.assertEquals(str(res[0]["cn"]), "ldaptestuser2") + self.assertEquals(str(res[0]["name"]), "ldaptestuser2") + + # Testing ldb.search for (&(anr==not ldap user2)(objectClass=user)) +# res = ldb.search(expression="(&(anr==not ldap user2)(objectClass=user))") +# self.assertEquals(len(res), 0, "Must not find (&(anr==not ldap user2)(objectClass=user))") + + # Testing ldb.search for (&(anr=not ldap user2)(objectClass=user)) + res = ldb.search(expression="(&(anr=not ldap user2)(objectClass=user))") + self.assertEquals(len(res), 0, "Must not find (&(anr=not ldap user2)(objectClass=user))") + + # Testing ldb.search for (&(anr="testy ldap")(objectClass=user)) (ie, with quotes) +# res = ldb.search(expression="(&(anr==\"testy ldap\")(objectClass=user))") +# self.assertEquals(len(res), 0, "Found (&(anr==\"testy ldap\")(objectClass=user))") + + print "Testing Renames" + + attrs = ["objectGUID", "objectSid"] + print "Testing ldb.search for (&(cn=ldaptestUSer2)(objectClass=user))" + res_user = ldb.search(self.base_dn, expression="(&(cn=ldaptestUSer2)(objectClass=user))", scope=SCOPE_SUBTREE, attrs=attrs) + self.assertEquals(len(res_user), 1, "Could not find (&(cn=ldaptestUSer2)(objectClass=user))") + + # Check rename works with extended/alternate DN forms + ldb.rename("" , "cn=ldaptestUSER3,cn=users," + self.base_dn) + + print "Testing ldb.search for (&(cn=ldaptestuser3)(objectClass=user))" + res = ldb.search(expression="(&(cn=ldaptestuser3)(objectClass=user))") + self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestuser3)(objectClass=user))") + + self.assertEquals(str(res[0].dn), ("CN=ldaptestUSER3,CN=Users," + self.base_dn)) + self.assertEquals(str(res[0]["cn"]), "ldaptestUSER3") + self.assertEquals(str(res[0]["name"]), "ldaptestUSER3") + + #"Testing ldb.search for (&(&(cn=ldaptestuser3)(userAccountControl=*))(objectClass=user))" + res = ldb.search(expression="(&(&(cn=ldaptestuser3)(userAccountControl=*))(objectClass=user))") + self.assertEquals(len(res), 1, "(&(&(cn=ldaptestuser3)(userAccountControl=*))(objectClass=user))") + + self.assertEquals(str(res[0].dn), ("CN=ldaptestUSER3,CN=Users," + self.base_dn)) + self.assertEquals(str(res[0]["cn"]), "ldaptestUSER3") + self.assertEquals(str(res[0]["name"]), "ldaptestUSER3") + + #"Testing ldb.search for (&(&(cn=ldaptestuser3)(userAccountControl=546))(objectClass=user))" + res = ldb.search(expression="(&(&(cn=ldaptestuser3)(userAccountControl=546))(objectClass=user))") + self.assertEquals(len(res), 1, "(&(&(cn=ldaptestuser3)(userAccountControl=546))(objectClass=user))") + + self.assertEquals(str(res[0].dn), ("CN=ldaptestUSER3,CN=Users," + self.base_dn)) + self.assertEquals(str(res[0]["cn"]), "ldaptestUSER3") + self.assertEquals(str(res[0]["name"]), "ldaptestUSER3") + + #"Testing ldb.search for (&(&(cn=ldaptestuser3)(userAccountControl=547))(objectClass=user))" + res = ldb.search(expression="(&(&(cn=ldaptestuser3)(userAccountControl=547))(objectClass=user))") + self.assertEquals(len(res), 0, "(&(&(cn=ldaptestuser3)(userAccountControl=547))(objectClass=user))") + + # This is a Samba special, and does not exist in real AD + # print "Testing ldb.search for (dn=CN=ldaptestUSER3,CN=Users," + self.base_dn + ")" + # res = ldb.search("(dn=CN=ldaptestUSER3,CN=Users," + self.base_dn + ")") + # if (res.error != 0 || len(res) != 1) { + # print "Could not find (dn=CN=ldaptestUSER3,CN=Users," + self.base_dn + ")" + # self.assertEquals(len(res), 1) + # } + # self.assertEquals(res[0].dn, ("CN=ldaptestUSER3,CN=Users," + self.base_dn)) + # self.assertEquals(res[0].cn, "ldaptestUSER3") + # self.assertEquals(res[0].name, "ldaptestUSER3") + + print "Testing ldb.search for (distinguishedName=CN=ldaptestUSER3,CN=Users," + self.base_dn + ")" + res = ldb.search(expression="(distinguishedName=CN=ldaptestUSER3,CN=Users," + self.base_dn + ")") + self.assertEquals(len(res), 1, "Could not find (dn=CN=ldaptestUSER3,CN=Users," + self.base_dn + ")") + self.assertEquals(str(res[0].dn), ("CN=ldaptestUSER3,CN=Users," + self.base_dn)) + self.assertEquals(str(res[0]["cn"]), "ldaptestUSER3") + self.assertEquals(str(res[0]["name"]), "ldaptestUSER3") + + # ensure we cannot add it again + try: + ldb.add({"dn": "cn=ldaptestuser3,cn=userS," + self.base_dn, + "objectClass": ["person", "user"], + "cn": "LDAPtestUSER3"}) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS) + + # rename back + ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, "cn=ldaptestuser2,cn=users," + self.base_dn) + + # ensure we cannot rename it twice + try: + ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, + "cn=ldaptestuser2,cn=users," + self.base_dn) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_NO_SUCH_OBJECT) + + # ensure can now use that name + ldb.add({"dn": "cn=ldaptestuser3,cn=users," + self.base_dn, + "objectClass": ["person", "user"], + "cn": "LDAPtestUSER3"}) + + # ensure we now cannot rename + try: + ldb.rename("cn=ldaptestuser2,cn=users," + self.base_dn, "cn=ldaptestuser3,cn=users," + self.base_dn) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS) + try: + ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, "cn=ldaptestuser3,cn=configuration," + self.base_dn) + self.fail() + except LdbError, (num, _): + self.assertTrue(num in (71, 64)) + + ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, "cn=ldaptestuser5,cn=users," + self.base_dn) + + ldb.delete("cn=ldaptestuser5,cn=users," + self.base_dn) + + self.delete_force(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn) + + ldb.rename("cn=ldaptestgroup,cn=users," + self.base_dn, "cn=ldaptestgroup2,cn=users," + self.base_dn) + + print "Testing subtree renames" + + ldb.add({"dn": "cn=ldaptestcontainer," + self.base_dn, + "objectClass": "container"}) + + ldb.add({"dn": "CN=ldaptestuser4,CN=ldaptestcontainer," + self.base_dn, + "objectClass": ["person", "user"], + "cn": "LDAPtestUSER4"}) + + ldb.modify_ldif(""" +dn: cn=ldaptestgroup2,cn=users,""" + self.base_dn + """ +changetype: modify +add: member +member: cn=ldaptestuser4,cn=ldaptestcontainer,""" + self.base_dn + """ +member: cn=ldaptestcomputer,cn=computers,""" + self.base_dn + """ +member: cn=ldaptestuser2,cn=users,""" + self.base_dn + """ +""") + + print "Testing ldb.rename of cn=ldaptestcontainer," + self.base_dn + " to cn=ldaptestcontainer2," + self.base_dn + ldb.rename("CN=ldaptestcontainer," + self.base_dn, "CN=ldaptestcontainer2," + self.base_dn) + + print "Testing ldb.search for (&(cn=ldaptestuser4)(objectClass=user))" + res = ldb.search(expression="(&(cn=ldaptestuser4)(objectClass=user))") + self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestuser4)(objectClass=user))") + + print "Testing subtree ldb.search for (&(cn=ldaptestuser4)(objectClass=user)) in (just renamed from) cn=ldaptestcontainer," + self.base_dn + try: + res = ldb.search("cn=ldaptestcontainer," + self.base_dn, + expression="(&(cn=ldaptestuser4)(objectClass=user))", + scope=SCOPE_SUBTREE) + self.fail(res) + except LdbError, (num, _): + self.assertEquals(num, ERR_NO_SUCH_OBJECT) + + print "Testing one-level ldb.search for (&(cn=ldaptestuser4)(objectClass=user)) in (just renamed from) cn=ldaptestcontainer," + self.base_dn + try: + res = ldb.search("cn=ldaptestcontainer," + self.base_dn, + expression="(&(cn=ldaptestuser4)(objectClass=user))", scope=SCOPE_ONELEVEL) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_NO_SUCH_OBJECT) + + print "Testing ldb.search for (&(cn=ldaptestuser4)(objectClass=user)) in renamed container" + res = ldb.search("cn=ldaptestcontainer2," + self.base_dn, expression="(&(cn=ldaptestuser4)(objectClass=user))", scope=SCOPE_SUBTREE) + self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestuser4)(objectClass=user)) under cn=ldaptestcontainer2," + self.base_dn) + + self.assertEquals(str(res[0].dn), ("CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn)) + self.assertEquals(res[0]["memberOf"][0].upper(), ("CN=ldaptestgroup2,CN=Users," + self.base_dn).upper()) + + time.sleep(4) + + print "Testing ldb.search for (&(member=CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn + ")(objectclass=group)) to check subtree renames and linked attributes" + res = ldb.search(self.base_dn, expression="(&(member=CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn + ")(objectclass=group))", scope=SCOPE_SUBTREE) + self.assertEquals(len(res), 1, "Could not find (&(member=CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn + ")(objectclass=group)), perhaps linked attributes are not consistant with subtree renames?") + + print "Testing ldb.rename (into itself) of cn=ldaptestcontainer2," + self.base_dn + " to cn=ldaptestcontainer,cn=ldaptestcontainer2," + self.base_dn + try: + ldb.rename("cn=ldaptestcontainer2," + self.base_dn, "cn=ldaptestcontainer,cn=ldaptestcontainer2," + self.base_dn) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + print "Testing ldb.rename (into non-existent container) of cn=ldaptestcontainer2," + self.base_dn + " to cn=ldaptestcontainer,cn=ldaptestcontainer3," + self.base_dn + try: + ldb.rename("cn=ldaptestcontainer2," + self.base_dn, "cn=ldaptestcontainer,cn=ldaptestcontainer3," + self.base_dn) + self.fail() + except LdbError, (num, _): + self.assertTrue(num in (ERR_UNWILLING_TO_PERFORM, ERR_OTHER)) + + print "Testing delete (should fail, not a leaf node) of renamed cn=ldaptestcontainer2," + self.base_dn + try: + ldb.delete("cn=ldaptestcontainer2," + self.base_dn) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_NOT_ALLOWED_ON_NON_LEAF) + + print "Testing base ldb.search for CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn + res = ldb.search(expression="(objectclass=*)", base=("CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn), scope=SCOPE_BASE) + self.assertEquals(len(res), 1) + res = ldb.search(expression="(cn=ldaptestuser40)", base=("CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn), scope=SCOPE_BASE) + self.assertEquals(len(res), 0) + + print "Testing one-level ldb.search for (&(cn=ldaptestuser4)(objectClass=user)) in cn=ldaptestcontainer2," + self.base_dn + res = ldb.search(expression="(&(cn=ldaptestuser4)(objectClass=user))", base=("cn=ldaptestcontainer2," + self.base_dn), scope=SCOPE_ONELEVEL) + # FIXME: self.assertEquals(len(res), 0) + + print "Testing one-level ldb.search for (&(cn=ldaptestuser4)(objectClass=user)) in cn=ldaptestcontainer2," + self.base_dn + res = ldb.search(expression="(&(cn=ldaptestuser4)(objectClass=user))", base=("cn=ldaptestcontainer2," + self.base_dn), scope=SCOPE_SUBTREE) + # FIXME: self.assertEquals(len(res), 0) + + print "Testing delete of subtree renamed "+("CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn) + ldb.delete(("CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn)) + print "Testing delete of renamed cn=ldaptestcontainer2," + self.base_dn + ldb.delete("cn=ldaptestcontainer2," + self.base_dn) + + ldb.add({"dn": "cn=ldaptestutf8user èùéìòà,cn=users," + self.base_dn, "objectClass": "user"}) + + ldb.add({"dn": "cn=ldaptestutf8user2 èùéìòà,cn=users," + self.base_dn, "objectClass": "user"}) + + print "Testing ldb.search for (&(cn=ldaptestuser)(objectClass=user))" + res = ldb.search(expression="(&(cn=ldaptestuser)(objectClass=user))") + self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestuser)(objectClass=user))") + + self.assertEquals(str(res[0].dn), ("CN=ldaptestuser,CN=Users," + self.base_dn)) + self.assertEquals(str(res[0]["cn"]), "ldaptestuser") + self.assertEquals(str(res[0]["name"]), "ldaptestuser") + self.assertEquals(set(res[0]["objectClass"]), set(["top", "person", "organizationalPerson", "user"])) + self.assertTrue("objectGUID" in res[0]) + self.assertTrue("whenCreated" in res[0]) + self.assertEquals(str(res[0]["objectCategory"]), ("CN=Person,CN=Schema,CN=Configuration," + self.base_dn)) + self.assertEquals(int(res[0]["sAMAccountType"][0]), ATYPE_NORMAL_ACCOUNT) + self.assertEquals(int(res[0]["userAccountControl"][0]), UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD | UF_ACCOUNTDISABLE) + self.assertEquals(res[0]["memberOf"][0].upper(), ("CN=ldaptestgroup2,CN=Users," + self.base_dn).upper()) + self.assertEquals(len(res[0]["memberOf"]), 1) + + print "Testing ldb.search for (&(cn=ldaptestuser)(objectCategory=cn=person,cn=schema,cn=configuration," + self.base_dn + "))" + res2 = ldb.search(expression="(&(cn=ldaptestuser)(objectCategory=cn=person,cn=schema,cn=configuration," + self.base_dn + "))") + self.assertEquals(len(res2), 1, "Could not find (&(cn=ldaptestuser)(objectCategory=cn=person,cn=schema,cn=configuration," + self.base_dn + "))") + + self.assertEquals(res[0].dn, res2[0].dn) + + print "Testing ldb.search for (&(cn=ldaptestuser)(objectCategory=PerSon))" + res3 = ldb.search(expression="(&(cn=ldaptestuser)(objectCategory=PerSon))") + self.assertEquals(len(res3), 1, "Could not find (&(cn=ldaptestuser)(objectCategory=PerSon)): matched %d" % len(res3)) + + self.assertEquals(res[0].dn, res3[0].dn) + + if gc_ldb is not None: + print "Testing ldb.search for (&(cn=ldaptestuser)(objectCategory=PerSon)) in Global Catalog" + res3gc = gc_ldb.search(expression="(&(cn=ldaptestuser)(objectCategory=PerSon))") + self.assertEquals(len(res3gc), 1) + + self.assertEquals(res[0].dn, res3gc[0].dn) + + print "Testing ldb.search for (&(cn=ldaptestuser)(objectCategory=PerSon)) in with 'phantom root' control" + + if gc_ldb is not None: + res3control = gc_ldb.search(self.base_dn, expression="(&(cn=ldaptestuser)(objectCategory=PerSon))", scope=SCOPE_SUBTREE, attrs=["cn"], controls=["search_options:1:2"]) + self.assertEquals(len(res3control), 1, "Could not find (&(cn=ldaptestuser)(objectCategory=PerSon)) in Global Catalog") + + self.assertEquals(res[0].dn, res3control[0].dn) + + ldb.delete(res[0].dn) + + print "Testing ldb.search for (&(cn=ldaptestcomputer)(objectClass=user))" + res = ldb.search(expression="(&(cn=ldaptestcomputer)(objectClass=user))") + self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestuser)(objectClass=user))") + + self.assertEquals(str(res[0].dn), ("CN=ldaptestcomputer,CN=Computers," + self.base_dn)) + self.assertEquals(str(res[0]["cn"]), "ldaptestcomputer") + self.assertEquals(str(res[0]["name"]), "ldaptestcomputer") + self.assertEquals(set(res[0]["objectClass"]), set(["top", "person", "organizationalPerson", "user", "computer"])) + self.assertTrue("objectGUID" in res[0]) + self.assertTrue("whenCreated" in res[0]) + self.assertEquals(str(res[0]["objectCategory"]), ("CN=Computer,CN=Schema,CN=Configuration," + self.base_dn)) + self.assertEquals(int(res[0]["primaryGroupID"][0]), 513) + self.assertEquals(int(res[0]["sAMAccountType"][0]), ATYPE_NORMAL_ACCOUNT) + self.assertEquals(int(res[0]["userAccountControl"][0]), UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD | UF_ACCOUNTDISABLE) + self.assertEquals(res[0]["memberOf"][0].upper(), ("CN=ldaptestgroup2,CN=Users," + self.base_dn).upper()) + self.assertEquals(len(res[0]["memberOf"]), 1) + + print "Testing ldb.search for (&(cn=ldaptestcomputer)(objectCategory=cn=computer,cn=schema,cn=configuration," + self.base_dn + "))" + res2 = ldb.search(expression="(&(cn=ldaptestcomputer)(objectCategory=cn=computer,cn=schema,cn=configuration," + self.base_dn + "))") + self.assertEquals(len(res2), 1, "Could not find (&(cn=ldaptestcomputer)(objectCategory=cn=computer,cn=schema,cn=configuration," + self.base_dn + "))") + + self.assertEquals(res[0].dn, res2[0].dn) + + if gc_ldb is not None: + print "Testing ldb.search for (&(cn=ldaptestcomputer)(objectCategory=cn=computer,cn=schema,cn=configuration," + self.base_dn + ")) in Global Catlog" + res2gc = gc_ldb.search(expression="(&(cn=ldaptestcomputer)(objectCategory=cn=computer,cn=schema,cn=configuration," + self.base_dn + "))") + self.assertEquals(len(res2gc), 1, "Could not find (&(cn=ldaptestcomputer)(objectCategory=cn=computer,cn=schema,cn=configuration," + self.base_dn + ")) in Global Catlog") + + self.assertEquals(res[0].dn, res2gc[0].dn) + + print "Testing ldb.search for (&(cn=ldaptestcomputer)(objectCategory=compuTER))" + res3 = ldb.search(expression="(&(cn=ldaptestcomputer)(objectCategory=compuTER))") + self.assertEquals(len(res3), 1, "Could not find (&(cn=ldaptestcomputer)(objectCategory=compuTER))") + + self.assertEquals(res[0].dn, res3[0].dn) + + if gc_ldb is not None: + print "Testing ldb.search for (&(cn=ldaptestcomputer)(objectCategory=compuTER)) in Global Catalog" + res3gc = gc_ldb.search(expression="(&(cn=ldaptestcomputer)(objectCategory=compuTER))") + self.assertEquals(len(res3gc), 1, "Could not find (&(cn=ldaptestcomputer)(objectCategory=compuTER)) in Global Catalog") + + self.assertEquals(res[0].dn, res3gc[0].dn) + + print "Testing ldb.search for (&(cn=ldaptestcomp*r)(objectCategory=compuTER))" + res4 = ldb.search(expression="(&(cn=ldaptestcomp*r)(objectCategory=compuTER))") + self.assertEquals(len(res4), 1, "Could not find (&(cn=ldaptestcomp*r)(objectCategory=compuTER))") + + self.assertEquals(res[0].dn, res4[0].dn) + + print "Testing ldb.search for (&(cn=ldaptestcomput*)(objectCategory=compuTER))" + res5 = ldb.search(expression="(&(cn=ldaptestcomput*)(objectCategory=compuTER))") + self.assertEquals(len(res5), 1, "Could not find (&(cn=ldaptestcomput*)(objectCategory=compuTER))") + + self.assertEquals(res[0].dn, res5[0].dn) + + print "Testing ldb.search for (&(cn=*daptestcomputer)(objectCategory=compuTER))" + res6 = ldb.search(expression="(&(cn=*daptestcomputer)(objectCategory=compuTER))") + self.assertEquals(len(res6), 1, "Could not find (&(cn=*daptestcomputer)(objectCategory=compuTER))") + + self.assertEquals(res[0].dn, res6[0].dn) + + ldb.delete("") + + print "Testing ldb.search for (&(cn=ldaptest2computer)(objectClass=user))" + res = ldb.search(expression="(&(cn=ldaptest2computer)(objectClass=user))") + self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptest2computer)(objectClass=user))") + + self.assertEquals(str(res[0].dn), "CN=ldaptest2computer,CN=Computers," + self.base_dn) + self.assertEquals(str(res[0]["cn"]), "ldaptest2computer") + self.assertEquals(str(res[0]["name"]), "ldaptest2computer") + self.assertEquals(list(res[0]["objectClass"]), ["top", "person", "organizationalPerson", "user", "computer"]) + self.assertTrue("objectGUID" in res[0]) + self.assertTrue("whenCreated" in res[0]) + self.assertEquals(res[0]["objectCategory"][0], "CN=Computer,CN=Schema,CN=Configuration," + self.base_dn) + self.assertEquals(int(res[0]["sAMAccountType"][0]), ATYPE_WORKSTATION_TRUST) + self.assertEquals(int(res[0]["userAccountControl"][0]), UF_WORKSTATION_TRUST_ACCOUNT) + + ldb.delete("") + + attrs = ["cn", "name", "objectClass", "objectGUID", "objectSID", "whenCreated", "nTSecurityDescriptor", "memberOf", "allowedAttributes", "allowedAttributesEffective"] + print "Testing ldb.search for (&(cn=ldaptestUSer2)(objectClass=user))" + res_user = ldb.search(self.base_dn, expression="(&(cn=ldaptestUSer2)(objectClass=user))", scope=SCOPE_SUBTREE, attrs=attrs) + self.assertEquals(len(res_user), 1, "Could not find (&(cn=ldaptestUSer2)(objectClass=user))") + + self.assertEquals(str(res_user[0].dn), ("CN=ldaptestuser2,CN=Users," + self.base_dn)) + self.assertEquals(str(res_user[0]["cn"]), "ldaptestuser2") + self.assertEquals(str(res_user[0]["name"]), "ldaptestuser2") + self.assertEquals(list(res_user[0]["objectClass"]), ["top", "person", "organizationalPerson", "user"]) + self.assertTrue("objectSid" in res_user[0]) + self.assertTrue("objectGUID" in res_user[0]) + self.assertTrue("whenCreated" in res_user[0]) + self.assertTrue("nTSecurityDescriptor" in res_user[0]) + self.assertTrue("allowedAttributes" in res_user[0]) + self.assertTrue("allowedAttributesEffective" in res_user[0]) + self.assertEquals(res_user[0]["memberOf"][0].upper(), ("CN=ldaptestgroup2,CN=Users," + self.base_dn).upper()) + + ldaptestuser2_sid = res_user[0]["objectSid"][0] + ldaptestuser2_guid = res_user[0]["objectGUID"][0] + + attrs = ["cn", "name", "objectClass", "objectGUID", "objectSID", "whenCreated", "nTSecurityDescriptor", "member", "allowedAttributes", "allowedAttributesEffective"] + print "Testing ldb.search for (&(cn=ldaptestgroup2)(objectClass=group))" + res = ldb.search(self.base_dn, expression="(&(cn=ldaptestgroup2)(objectClass=group))", scope=SCOPE_SUBTREE, attrs=attrs) + self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestgroup2)(objectClass=group))") + + self.assertEquals(str(res[0].dn), ("CN=ldaptestgroup2,CN=Users," + self.base_dn)) + self.assertEquals(str(res[0]["cn"]), "ldaptestgroup2") + self.assertEquals(str(res[0]["name"]), "ldaptestgroup2") + self.assertEquals(list(res[0]["objectClass"]), ["top", "group"]) + self.assertTrue("objectGUID" in res[0]) + self.assertTrue("objectSid" in res[0]) + self.assertTrue("whenCreated" in res[0]) + self.assertTrue("nTSecurityDescriptor" in res[0]) + self.assertTrue("allowedAttributes" in res[0]) + self.assertTrue("allowedAttributesEffective" in res[0]) + memberUP = [] + for m in res[0]["member"]: + memberUP.append(m.upper()) + self.assertTrue(("CN=ldaptestuser2,CN=Users," + self.base_dn).upper() in memberUP) + + res = ldb.search(self.base_dn, expression="(&(cn=ldaptestgroup2)(objectClass=group))", scope=SCOPE_SUBTREE, attrs=attrs, controls=["extended_dn:1:1"]) + self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestgroup2)(objectClass=group))") + + print res[0]["member"] + memberUP = [] + for m in res[0]["member"]: + memberUP.append(m.upper()) + print (";;CN=ldaptestuser2,CN=Users," + self.base_dn).upper() + + self.assertTrue((";;CN=ldaptestuser2,CN=Users," + self.base_dn).upper() in memberUP) + + print "Quicktest for linked attributes" + ldb.modify_ldif(""" +dn: cn=ldaptestgroup2,cn=users,""" + self.base_dn + """ +changetype: modify +replace: member +member: CN=ldaptestuser2,CN=Users,""" + self.base_dn + """ +member: CN=ldaptestutf8user èùéìòà,CN=Users,""" + self.base_dn + """ +""") + + ldb.modify_ldif(""" +dn: +changetype: modify +replace: member +member: CN=ldaptestutf8user èùéìòà,CN=Users,""" + self.base_dn + """ +""") + + ldb.modify_ldif(""" +dn: +changetype: modify +delete: member +""") + + ldb.modify_ldif(""" +dn: cn=ldaptestgroup2,cn=users,""" + self.base_dn + """ +changetype: modify +add: member +member: +member: CN=ldaptestutf8user èùéìòà,CN=Users,""" + self.base_dn + """ +""") + + ldb.modify_ldif(""" +dn: cn=ldaptestgroup2,cn=users,""" + self.base_dn + """ +changetype: modify +replace: member +""") + + ldb.modify_ldif(""" +dn: cn=ldaptestgroup2,cn=users,""" + self.base_dn + """ +changetype: modify +add: member +member: +member: CN=ldaptestutf8user èùéìòà,CN=Users,""" + self.base_dn + """ +""") + + ldb.modify_ldif(""" +dn: cn=ldaptestgroup2,cn=users,""" + self.base_dn + """ +changetype: modify +delete: member +member: CN=ldaptestutf8user èùéìòà,CN=Users,""" + self.base_dn + """ +""") + + res = ldb.search(self.base_dn, expression="(&(cn=ldaptestgroup2)(objectClass=group))", scope=SCOPE_SUBTREE, attrs=attrs) + self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestgroup2)(objectClass=group))") + + self.assertEquals(str(res[0].dn), ("CN=ldaptestgroup2,CN=Users," + self.base_dn)) + self.assertEquals(res[0]["member"][0], ("CN=ldaptestuser2,CN=Users," + self.base_dn)) + self.assertEquals(len(res[0]["member"]), 1) + + ldb.delete(("CN=ldaptestuser2,CN=Users," + self.base_dn)) + + time.sleep(4) + + attrs = ["cn", "name", "objectClass", "objectGUID", "whenCreated", "nTSecurityDescriptor", "member"] + print "Testing ldb.search for (&(cn=ldaptestgroup2)(objectClass=group)) to check linked delete" + res = ldb.search(self.base_dn, expression="(&(cn=ldaptestgroup2)(objectClass=group))", scope=SCOPE_SUBTREE, attrs=attrs) + self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestgroup2)(objectClass=group)) to check linked delete") + + self.assertEquals(str(res[0].dn), ("CN=ldaptestgroup2,CN=Users," + self.base_dn)) + self.assertTrue("member" not in res[0]) + + print "Testing ldb.search for (&(cn=ldaptestutf8user ÈÙÉÌÒÀ)(objectClass=user))" +# TODO UTF8 users don't seem to work fully anymore +# res = ldb.search(expression="(&(cn=ldaptestutf8user ÈÙÉÌÒÀ)(objectClass=user))") + res = ldb.search(expression="(&(cn=ldaptestutf8user èùéìòà)(objectclass=user))") + self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestutf8user ÈÙÉÌÒÀ)(objectClass=user))") + + self.assertEquals(str(res[0].dn), ("CN=ldaptestutf8user èùéìòà,CN=Users," + self.base_dn)) + self.assertEquals(str(res[0]["cn"]), "ldaptestutf8user èùéìòà") + self.assertEquals(str(res[0]["name"]), "ldaptestutf8user èùéìòà") + self.assertEquals(list(res[0]["objectClass"]), ["top", "person", "organizationalPerson", "user"]) + self.assertTrue("objectGUID" in res[0]) + self.assertTrue("whenCreated" in res[0]) + + ldb.delete(res[0].dn) + + print "Testing ldb.search for (&(cn=ldaptestutf8user2*)(objectClass=user))" + res = ldb.search(expression="(&(cn=ldaptestutf8user2*)(objectClass=user))") + self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestutf8user2*)(objectClass=user))") + + ldb.delete(res[0].dn) + + ldb.delete(("CN=ldaptestgroup2,CN=Users," + self.base_dn)) + + print "Testing ldb.search for (&(cn=ldaptestutf8user2 ÈÙÉÌÒÀ)(objectClass=user))" +# TODO UTF8 users don't seem to work fully anymore +# res = ldb.search(expression="(&(cn=ldaptestutf8user ÈÙÉÌÒÀ)(objectClass=user))") +# self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestutf8user ÈÙÉÌÒÀ)(objectClass=user))") + + print "Testing that we can't get at the configuration DN from the main search base" + res = ldb.search(self.base_dn, expression="objectClass=crossRef", scope=SCOPE_SUBTREE, attrs=["cn"]) + self.assertEquals(len(res), 0) + + print "Testing that we can get at the configuration DN from the main search base on the LDAP port with the 'phantom root' search_options control" + res = ldb.search(self.base_dn, expression="objectClass=crossRef", scope=SCOPE_SUBTREE, attrs=["cn"], controls=["search_options:1:2"]) + self.assertTrue(len(res) > 0) + + if gc_ldb is not None: + print "Testing that we can get at the configuration DN from the main search base on the GC port with the search_options control == 0" + + res = gc_ldb.search(self.base_dn, expression="objectClass=crossRef", scope=SCOPE_SUBTREE, attrs=["cn"], controls=["search_options:1:0"]) + self.assertTrue(len(res) > 0) + + print "Testing that we do find configuration elements in the global catlog" + res = gc_ldb.search(self.base_dn, expression="objectClass=crossRef", scope=SCOPE_SUBTREE, attrs=["cn"]) + self.assertTrue(len(res) > 0) + + print "Testing that we do find configuration elements and user elements at the same time" + res = gc_ldb.search(self.base_dn, expression="(|(objectClass=crossRef)(objectClass=person))", scope=SCOPE_SUBTREE, attrs=["cn"]) + self.assertTrue(len(res) > 0) + + print "Testing that we do find configuration elements in the global catlog, with the configuration basedn" + res = gc_ldb.search(self.configuration_dn, expression="objectClass=crossRef", scope=SCOPE_SUBTREE, attrs=["cn"]) + self.assertTrue(len(res) > 0) + + print "Testing that we can get at the configuration DN on the main LDAP port" + res = ldb.search(self.configuration_dn, expression="objectClass=crossRef", scope=SCOPE_SUBTREE, attrs=["cn"]) + self.assertTrue(len(res) > 0) + + print "Testing objectCategory canonacolisation" + res = ldb.search(self.configuration_dn, expression="objectCategory=ntDsDSA", scope=SCOPE_SUBTREE, attrs=["cn"]) + self.assertTrue(len(res) > 0, "Didn't find any records with objectCategory=ntDsDSA") + self.assertTrue(len(res) != 0) + + res = ldb.search(self.configuration_dn, expression="objectCategory=CN=ntDs-DSA," + self.schema_dn, scope=SCOPE_SUBTREE, attrs=["cn"]) + self.assertTrue(len(res) > 0, "Didn't find any records with objectCategory=CN=ntDs-DSA," + self.schema_dn) + self.assertTrue(len(res) != 0) + + print "Testing objectClass attribute order on "+ self.base_dn + res = ldb.search(expression="objectClass=domain", base=self.base_dn, + scope=SCOPE_BASE, attrs=["objectClass"]) + self.assertEquals(len(res), 1) + + self.assertEquals(list(res[0]["objectClass"]), ["top", "domain", "domainDNS"]) + + # check enumeration + + print "Testing ldb.search for objectCategory=person" + res = ldb.search(self.base_dn, expression="objectCategory=person", scope=SCOPE_SUBTREE, attrs=["cn"]) + self.assertTrue(len(res) > 0) + + print "Testing ldb.search for objectCategory=person with domain scope control" + res = ldb.search(self.base_dn, expression="objectCategory=person", scope=SCOPE_SUBTREE, attrs=["cn"], controls=["domain_scope:1"]) + self.assertTrue(len(res) > 0) + + print "Testing ldb.search for objectCategory=user" + res = ldb.search(self.base_dn, expression="objectCategory=user", scope=SCOPE_SUBTREE, attrs=["cn"]) + self.assertTrue(len(res) > 0) + + print "Testing ldb.search for objectCategory=user with domain scope control" + res = ldb.search(self.base_dn, expression="objectCategory=user", scope=SCOPE_SUBTREE, attrs=["cn"], controls=["domain_scope:1"]) + self.assertTrue(len(res) > 0) + + print "Testing ldb.search for objectCategory=group" + res = ldb.search(self.base_dn, expression="objectCategory=group", scope=SCOPE_SUBTREE, attrs=["cn"]) + self.assertTrue(len(res) > 0) + + print "Testing ldb.search for objectCategory=group with domain scope control" + res = ldb.search(self.base_dn, expression="objectCategory=group", scope=SCOPE_SUBTREE, attrs=["cn"], controls=["domain_scope:1"]) + self.assertTrue(len(res) > 0) + + print "Testing creating a user with the posixAccount objectClass" + self.ldb.add_ldif("""dn: cn=posixuser,CN=Users,%s +objectClass: top +objectClass: person +objectClass: posixAccount +objectClass: user +objectClass: organizationalPerson +cn: posixuser +uid: posixuser +sn: posixuser +uidNumber: 10126 +gidNumber: 10126 +homeDirectory: /home/posixuser +loginShell: /bin/bash +gecos: Posix User;;; +description: A POSIX user"""% (self.base_dn)) + + print "Testing removing the posixAccount objectClass from an existing user" + self.ldb.modify_ldif("""dn: cn=posixuser,CN=Users,%s +changetype: modify +delete: objectClass +objectClass: posixAccount"""% (self.base_dn)) + + print "Testing adding the posixAccount objectClass to an existing user" + self.ldb.modify_ldif("""dn: cn=posixuser,CN=Users,%s +changetype: modify +add: objectClass +objectClass: posixAccount"""% (self.base_dn)) + + self.delete_force(self.ldb, "cn=posixuser,cn=users," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptestuser2,cn=users," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptestuser3,cn=users," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptestuser4,cn=ldaptestcontainer," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptestuser4,cn=ldaptestcontainer2," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptestuser5,cn=users," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptest2computer,cn=computers," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptestcomputer3,cn=computers," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptestutf8user èùéìòà,cn=users," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptestutf8user2 èùéìòà,cn=users," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptestcontainer," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptestcontainer2," + self.base_dn) + + def test_security_descriptor_add(self): + """ Testing ldb.add_ldif() for nTSecurityDescriptor """ + user_name = "testdescriptoruser1" + user_dn = "CN=%s,CN=Users,%s" % (user_name, self.base_dn) + # + # Test add_ldif() with SDDL security descriptor input + # + self.delete_force(self.ldb, user_dn) + try: + sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI" + self.ldb.add_ldif(""" +dn: """ + user_dn + """ +objectclass: user +sAMAccountName: """ + user_name + """ +nTSecurityDescriptor: """ + sddl) + res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"]) + desc = res[0]["nTSecurityDescriptor"][0] + desc = ndr_unpack( security.descriptor, desc ) + desc_sddl = desc.as_sddl( self.domain_sid ) + self.assertEqual(desc_sddl, sddl) + finally: + self.delete_force(self.ldb, user_dn) + # + # Test add_ldif() with BASE64 security descriptor + # + try: + sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI" + desc = security.descriptor.from_sddl(sddl, self.domain_sid) + desc_binary = ndr_pack(desc) + desc_base64 = base64.b64encode(desc_binary) + self.ldb.add_ldif(""" +dn: """ + user_dn + """ +objectclass: user +sAMAccountName: """ + user_name + """ +nTSecurityDescriptor:: """ + desc_base64) + res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"]) + desc = res[0]["nTSecurityDescriptor"][0] + desc = ndr_unpack(security.descriptor, desc) + desc_sddl = desc.as_sddl(self.domain_sid) + self.assertEqual(desc_sddl, sddl) + finally: + self.delete_force(self.ldb, user_dn) + + def test_security_descriptor_add_neg(self): + """Test add_ldif() with BASE64 security descriptor input using WRONG domain SID + Negative test + """ + user_name = "testdescriptoruser1" + user_dn = "CN=%s,CN=Users,%s" % (user_name, self.base_dn) + self.delete_force(self.ldb, user_dn) + try: + sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI" + desc = security.descriptor.from_sddl(sddl, security.dom_sid('S-1-5-21')) + desc_base64 = base64.b64encode( ndr_pack(desc) ) + self.ldb.add_ldif(""" +dn: """ + user_dn + """ +objectclass: user +sAMAccountName: """ + user_name + """ +nTSecurityDescriptor:: """ + desc_base64) + res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"]) + self.assertTrue("nTSecurityDescriptor" in res[0]) + finally: + self.delete_force(self.ldb, user_dn) + + def test_security_descriptor_modify(self): + """ Testing ldb.modify_ldif() for nTSecurityDescriptor """ + user_name = "testdescriptoruser2" + user_dn = "CN=%s,CN=Users,%s" % (user_name, self.base_dn) + # + # Delete user object and test modify_ldif() with SDDL security descriptor input + # Add ACE to the original descriptor test + # + try: + self.delete_force(self.ldb, user_dn) + self.ldb.add_ldif(""" +dn: """ + user_dn + """ +objectclass: user +sAMAccountName: """ + user_name) + # Modify descriptor + res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"]) + desc = res[0]["nTSecurityDescriptor"][0] + desc = ndr_unpack(security.descriptor, desc) + desc_sddl = desc.as_sddl(self.domain_sid) + sddl = desc_sddl[:desc_sddl.find("(")] + "(A;;RPWP;;;AU)" + desc_sddl[desc_sddl.find("("):] + mod = """ +dn: """ + user_dn + """ +changetype: modify +replace: nTSecurityDescriptor +nTSecurityDescriptor: """ + sddl + self.ldb.modify_ldif(mod) + # Read modified descriptor + res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"]) + desc = res[0]["nTSecurityDescriptor"][0] + desc = ndr_unpack(security.descriptor, desc) + desc_sddl = desc.as_sddl(self.domain_sid) + self.assertEqual(desc_sddl, sddl) + finally: + self.delete_force(self.ldb, user_dn) + # + # Test modify_ldif() with SDDL security descriptor input + # New desctiptor test + # + try: + self.ldb.add_ldif(""" +dn: """ + user_dn + """ +objectclass: user +sAMAccountName: """ + user_name) + # Modify descriptor + sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI" + mod = """ +dn: """ + user_dn + """ +changetype: modify +replace: nTSecurityDescriptor +nTSecurityDescriptor: """ + sddl + self.ldb.modify_ldif(mod) + # Read modified descriptor + res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"]) + desc = res[0]["nTSecurityDescriptor"][0] + desc = ndr_unpack(security.descriptor, desc) + desc_sddl = desc.as_sddl(self.domain_sid) + self.assertEqual(desc_sddl, sddl) + finally: + self.delete_force(self.ldb, user_dn) + # + # Test modify_ldif() with BASE64 security descriptor input + # Add ACE to the original descriptor test + # + try: + self.ldb.add_ldif(""" +dn: """ + user_dn + """ +objectclass: user +sAMAccountName: """ + user_name) + # Modify descriptor + res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"]) + desc = res[0]["nTSecurityDescriptor"][0] + desc = ndr_unpack(security.descriptor, desc) + desc_sddl = desc.as_sddl(self.domain_sid) + sddl = desc_sddl[:desc_sddl.find("(")] + "(A;;RPWP;;;AU)" + desc_sddl[desc_sddl.find("("):] + desc = security.descriptor.from_sddl(sddl, self.domain_sid) + desc_base64 = base64.b64encode(ndr_pack(desc)) + mod = """ +dn: """ + user_dn + """ +changetype: modify +replace: nTSecurityDescriptor +nTSecurityDescriptor:: """ + desc_base64 + self.ldb.modify_ldif(mod) + # Read modified descriptor + res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"]) + desc = res[0]["nTSecurityDescriptor"][0] + desc = ndr_unpack(security.descriptor, desc) + desc_sddl = desc.as_sddl(self.domain_sid) + self.assertEqual(desc_sddl, sddl) + finally: + self.delete_force(self.ldb, user_dn) + # + # Test modify_ldif() with BASE64 security descriptor input + # New descriptor test + # + try: + self.delete_force(self.ldb, user_dn) + self.ldb.add_ldif(""" +dn: """ + user_dn + """ +objectclass: user +sAMAccountName: """ + user_name) + # Modify descriptor + sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI" + desc = security.descriptor.from_sddl(sddl, self.domain_sid) + desc_base64 = base64.b64encode(ndr_pack(desc)) + mod = """ +dn: """ + user_dn + """ +changetype: modify +replace: nTSecurityDescriptor +nTSecurityDescriptor:: """ + desc_base64 + self.ldb.modify_ldif(mod) + # Read modified descriptor + res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"]) + desc = res[0]["nTSecurityDescriptor"][0] + desc = ndr_unpack(security.descriptor, desc) + desc_sddl = desc.as_sddl(self.domain_sid) + self.assertEqual(desc_sddl, sddl) + finally: + self.delete_force(self.ldb, user_dn) + + +class BaseDnTests(unittest.TestCase): + + def setUp(self): + super(BaseDnTests, self).setUp() + self.ldb = ldb + + def test_rootdse_attrs(self): + """Testing for all rootDSE attributes""" + res = self.ldb.search(scope=SCOPE_BASE, attrs=[]) + self.assertEquals(len(res), 1) + + def test_highestcommittedusn(self): + """Testing for highestCommittedUSN""" + res = self.ldb.search("", scope=SCOPE_BASE, attrs=["highestCommittedUSN"]) + self.assertEquals(len(res), 1) + self.assertTrue(int(res[0]["highestCommittedUSN"][0]) != 0) + + def test_netlogon(self): + """Testing for netlogon via LDAP""" + res = self.ldb.search("", scope=SCOPE_BASE, attrs=["netlogon"]) + self.assertEquals(len(res), 0) + + def test_netlogon_highestcommitted_usn(self): + """Testing for netlogon and highestCommittedUSN via LDAP""" + res = self.ldb.search("", scope=SCOPE_BASE, + attrs=["netlogon", "highestCommittedUSN"]) + self.assertEquals(len(res), 0) + + def test_namingContexts(self): + """Testing for namingContexts in rootDSE""" + res = self.ldb.search("", scope=SCOPE_BASE, + attrs=["namingContexts", "defaultNamingContext", "schemaNamingContext", "configurationNamingContext"]) + self.assertEquals(len(res), 1) + + ncs = set([]) + for nc in res[0]["namingContexts"]: + self.assertTrue(nc not in ncs) + ncs.add(nc) + + self.assertTrue(res[0]["defaultNamingContext"][0] in ncs) + self.assertTrue(res[0]["configurationNamingContext"][0] in ncs) + self.assertTrue(res[0]["schemaNamingContext"][0] in ncs) + + +if not "://" in host: + if os.path.isfile(host): + host = "tdb://%s" % host + else: + host = "ldap://%s" % host + +ldb = Ldb(host, credentials=creds, session_info=system_session(), lp=lp) +if not "tdb://" in host: + gc_ldb = Ldb("%s:3268" % host, credentials=creds, + session_info=system_session(), lp=lp) +else: + gc_ldb = None + +runner = SubunitTestRunner() +rc = 0 +if not runner.run(unittest.makeSuite(BaseDnTests)).wasSuccessful(): + rc = 1 +if not runner.run(unittest.makeSuite(BasicTests)).wasSuccessful(): + rc = 1 +sys.exit(rc) diff --git a/source4/dsdb/tests/python/ldap_schema.py b/source4/dsdb/tests/python/ldap_schema.py new file mode 100755 index 0000000000..270e22adb1 --- /dev/null +++ b/source4/dsdb/tests/python/ldap_schema.py @@ -0,0 +1,556 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +# This is a port of the original in testprogs/ejs/ldap.js + +import optparse +import sys +import time +import random +import os + +sys.path.append("bin/python") +import samba +samba.ensure_external_module("subunit", "subunit/python") +samba.ensure_external_module("testtools", "testtools") + +import samba.getopt as options + +from samba.auth import system_session +from ldb import SCOPE_ONELEVEL, SCOPE_BASE, LdbError +from ldb import ERR_NO_SUCH_OBJECT +from ldb import ERR_UNWILLING_TO_PERFORM +from ldb import ERR_CONSTRAINT_VIOLATION +from ldb import Message, MessageElement, Dn +from ldb import FLAG_MOD_REPLACE +from samba import Ldb +from samba.dsdb import DS_DOMAIN_FUNCTION_2003 + +from subunit.run import SubunitTestRunner +import unittest + +parser = optparse.OptionParser("ldap [options] ") +sambaopts = options.SambaOptions(parser) +parser.add_option_group(sambaopts) +parser.add_option_group(options.VersionOptions(parser)) +# use command line creds if available +credopts = options.CredentialsOptions(parser) +parser.add_option_group(credopts) +opts, args = parser.parse_args() + +if len(args) < 1: + parser.print_usage() + sys.exit(1) + +host = args[0] + +lp = sambaopts.get_loadparm() +creds = credopts.get_credentials(lp) + + +class SchemaTests(unittest.TestCase): + + def delete_force(self, ldb, dn): + try: + ldb.delete(dn) + except LdbError, (num, _): + self.assertEquals(num, ERR_NO_SUCH_OBJECT) + + def find_schemadn(self, ldb): + res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["schemaNamingContext"]) + self.assertEquals(len(res), 1) + return res[0]["schemaNamingContext"][0] + + def find_basedn(self, ldb): + res = ldb.search(base="", expression="", scope=SCOPE_BASE, + attrs=["defaultNamingContext"]) + self.assertEquals(len(res), 1) + return res[0]["defaultNamingContext"][0] + + def setUp(self): + super(SchemaTests, self).setUp() + self.ldb = ldb + self.schema_dn = self.find_schemadn(ldb) + self.base_dn = self.find_basedn(ldb) + + def test_generated_schema(self): + """Testing we can read the generated schema via LDAP""" + res = self.ldb.search("cn=aggregate,"+self.schema_dn, scope=SCOPE_BASE, + attrs=["objectClasses", "attributeTypes", "dITContentRules"]) + self.assertEquals(len(res), 1) + self.assertTrue("dITContentRules" in res[0]) + self.assertTrue("objectClasses" in res[0]) + self.assertTrue("attributeTypes" in res[0]) + + def test_generated_schema_is_operational(self): + """Testing we don't get the generated schema via LDAP by default""" + res = self.ldb.search("cn=aggregate,"+self.schema_dn, scope=SCOPE_BASE, + attrs=["*"]) + self.assertEquals(len(res), 1) + self.assertFalse("dITContentRules" in res[0]) + self.assertFalse("objectClasses" in res[0]) + self.assertFalse("attributeTypes" in res[0]) + + def test_schemaUpdateNow(self): + """Testing schemaUpdateNow""" + attr_name = "test-Attr" + time.strftime("%s", time.gmtime()) + attr_ldap_display_name = attr_name.replace("-", "") + + ldif = """ +dn: CN=%s,%s""" % (attr_name, self.schema_dn) + """ +objectClass: top +objectClass: attributeSchema +adminDescription: """ + attr_name + """ +adminDisplayName: """ + attr_name + """ +cn: """ + attr_name + """ +attributeId: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9940 +attributeSyntax: 2.5.5.12 +omSyntax: 64 +instanceType: 4 +isSingleValued: TRUE +systemOnly: FALSE +""" + self.ldb.add_ldif(ldif) + + # Search for created attribute + res = [] + res = self.ldb.search("cn=%s,%s" % (attr_name, self.schema_dn), scope=SCOPE_BASE, attrs=["*"]) + self.assertEquals(len(res), 1) + self.assertEquals(res[0]["lDAPDisplayName"][0], attr_ldap_display_name) + self.assertTrue("schemaIDGUID" in res[0]) + + # Samba requires a "schemaUpdateNow" here. + # TODO: remove this when Samba is fixed + ldif = """ +dn: +changetype: modify +add: schemaUpdateNow +schemaUpdateNow: 1 +""" + self.ldb.modify_ldif(ldif) + + class_name = "test-Class" + time.strftime("%s", time.gmtime()) + class_ldap_display_name = class_name.replace("-", "") + + # First try to create a class with a wrong "defaultObjectCategory" + ldif = """ +dn: CN=%s,%s""" % (class_name, self.schema_dn) + """ +objectClass: top +objectClass: classSchema +defaultObjectCategory: CN=_ +adminDescription: """ + class_name + """ +adminDisplayName: """ + class_name + """ +cn: """ + class_name + """ +governsId: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939 +instanceType: 4 +objectClassCategory: 1 +subClassOf: organizationalPerson +systemFlags: 16 +rDNAttID: cn +systemMustContain: cn +systemMustContain: """ + attr_ldap_display_name + """ +systemOnly: FALSE +""" + try: + self.ldb.add_ldif(ldif) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + + ldif = """ +dn: CN=%s,%s""" % (class_name, self.schema_dn) + """ +objectClass: top +objectClass: classSchema +adminDescription: """ + class_name + """ +adminDisplayName: """ + class_name + """ +cn: """ + class_name + """ +governsId: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939 +instanceType: 4 +objectClassCategory: 1 +subClassOf: organizationalPerson +systemFlags: 16 +rDNAttID: cn +systemMustContain: cn +systemMustContain: """ + attr_ldap_display_name + """ +systemOnly: FALSE +""" + self.ldb.add_ldif(ldif) + + # Search for created objectclass + res = [] + res = self.ldb.search("cn=%s,%s" % (class_name, self.schema_dn), scope=SCOPE_BASE, attrs=["*"]) + self.assertEquals(len(res), 1) + self.assertEquals(res[0]["lDAPDisplayName"][0], class_ldap_display_name) + self.assertEquals(res[0]["defaultObjectCategory"][0], res[0]["distinguishedName"][0]) + self.assertTrue("schemaIDGUID" in res[0]) + + ldif = """ +dn: +changetype: modify +add: schemaUpdateNow +schemaUpdateNow: 1 +""" + self.ldb.modify_ldif(ldif) + + object_name = "obj" + time.strftime("%s", time.gmtime()) + + ldif = """ +dn: CN=%s,CN=Users,%s"""% (object_name, self.base_dn) + """ +objectClass: organizationalPerson +objectClass: person +objectClass: """ + class_ldap_display_name + """ +objectClass: top +cn: """ + object_name + """ +instanceType: 4 +objectCategory: CN=%s,%s"""% (class_name, self.schema_dn) + """ +distinguishedName: CN=%s,CN=Users,%s"""% (object_name, self.base_dn) + """ +name: """ + object_name + """ +""" + attr_ldap_display_name + """: test +""" + self.ldb.add_ldif(ldif) + + # Search for created object + res = [] + res = self.ldb.search("cn=%s,cn=Users,%s" % (object_name, self.base_dn), scope=SCOPE_BASE, attrs=["*"]) + self.assertEquals(len(res), 1) + # Delete the object + self.delete_force(self.ldb, "cn=%s,cn=Users,%s" % (object_name, self.base_dn)) + + +class SchemaTests_msDS_IntId(unittest.TestCase): + + def setUp(self): + super(SchemaTests_msDS_IntId, self).setUp() + self.ldb = ldb + res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"]) + self.assertEquals(len(res), 1) + self.schema_dn = res[0]["schemaNamingContext"][0] + self.base_dn = res[0]["defaultNamingContext"][0] + self.forest_level = int(res[0]["forestFunctionality"][0]) + + def _ldap_schemaUpdateNow(self): + ldif = """ +dn: +changetype: modify +add: schemaUpdateNow +schemaUpdateNow: 1 +""" + self.ldb.modify_ldif(ldif) + + def _make_obj_names(self, prefix): + class_name = prefix + time.strftime("%s", time.gmtime()) + class_ldap_name = class_name.replace("-", "") + class_dn = "CN=%s,%s" % (class_name, self.schema_dn) + return (class_name, class_ldap_name, class_dn) + + def _is_schema_base_object(self, ldb_msg): + """Test systemFlags for SYSTEM_FLAG_SCHEMA_BASE_OBJECT (16)""" + systemFlags = 0 + if "systemFlags" in ldb_msg: + systemFlags = int(ldb_msg["systemFlags"][0]) + return (systemFlags & 16) != 0 + + def _make_attr_ldif(self, attr_name, attr_dn): + ldif = """ +dn: """ + attr_dn + """ +objectClass: top +objectClass: attributeSchema +adminDescription: """ + attr_name + """ +adminDisplayName: """ + attr_name + """ +cn: """ + attr_name + """ +attributeId: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9940 +attributeSyntax: 2.5.5.12 +omSyntax: 64 +instanceType: 4 +isSingleValued: TRUE +systemOnly: FALSE +""" + return ldif + + def test_msDS_IntId_on_attr(self): + """Testing msDs-IntId creation for Attributes. + See MS-ADTS - 3.1.1.Attributes + + This test should verify that: + - Creating attribute with 'msDS-IntId' fails with ERR_UNWILLING_TO_PERFORM + - Adding 'msDS-IntId' on existing attribute fails with ERR_CONSTRAINT_VIOLATION + - Creating attribute with 'msDS-IntId' set and FLAG_SCHEMA_BASE_OBJECT flag + set fails with ERR_UNWILLING_TO_PERFORM + - Attributes created with FLAG_SCHEMA_BASE_OBJECT not set have + 'msDS-IntId' attribute added internally + """ + + # 1. Create attribute without systemFlags + # msDS-IntId should be created if forest functional + # level is >= DS_DOMAIN_FUNCTION_2003 + # and missing otherwise + (attr_name, attr_ldap_name, attr_dn) = self._make_obj_names("msDS-IntId-Attr-1-") + ldif = self._make_attr_ldif(attr_name, attr_dn) + + # try to add msDS-IntId during Attribute creation + ldif_fail = ldif + "msDS-IntId: -1993108831\n" + try: + self.ldb.add_ldif(ldif_fail) + self.fail("Adding attribute with preset msDS-IntId should fail") + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + # add the new attribute and update schema + self.ldb.add_ldif(ldif) + self._ldap_schemaUpdateNow() + + # Search for created attribute + res = [] + res = self.ldb.search(attr_dn, scope=SCOPE_BASE, attrs=["*"]) + self.assertEquals(len(res), 1) + self.assertEquals(res[0]["lDAPDisplayName"][0], attr_ldap_name) + if self.forest_level >= DS_DOMAIN_FUNCTION_2003: + if self._is_schema_base_object(res[0]): + self.assertTrue("msDS-IntId" not in res[0]) + else: + self.assertTrue("msDS-IntId" in res[0]) + else: + self.assertTrue("msDS-IntId" not in res[0]) + + msg = Message() + msg.dn = Dn(self.ldb, attr_dn) + msg["msDS-IntId"] = MessageElement("-1993108831", FLAG_MOD_REPLACE, "msDS-IntId") + try: + self.ldb.modify(msg) + self.fail("Modifying msDS-IntId should return error") + except LdbError, (num, _): + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + + # 2. Create attribute with systemFlags = FLAG_SCHEMA_BASE_OBJECT + # msDS-IntId should be created if forest functional + # level is >= DS_DOMAIN_FUNCTION_2003 + # and missing otherwise + (attr_name, attr_ldap_name, attr_dn) = self._make_obj_names("msDS-IntId-Attr-2-") + ldif = self._make_attr_ldif(attr_name, attr_dn) + ldif += "systemFlags: 16\n" + + # try to add msDS-IntId during Attribute creation + ldif_fail = ldif + "msDS-IntId: -1993108831\n" + try: + self.ldb.add_ldif(ldif_fail) + self.fail("Adding attribute with preset msDS-IntId should fail") + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + # add the new attribute and update schema + self.ldb.add_ldif(ldif) + self._ldap_schemaUpdateNow() + + # Search for created attribute + res = [] + res = self.ldb.search(attr_dn, scope=SCOPE_BASE, attrs=["*"]) + self.assertEquals(len(res), 1) + self.assertEquals(res[0]["lDAPDisplayName"][0], attr_ldap_name) + if self.forest_level >= DS_DOMAIN_FUNCTION_2003: + if self._is_schema_base_object(res[0]): + self.assertTrue("msDS-IntId" not in res[0]) + else: + self.assertTrue("msDS-IntId" in res[0]) + else: + self.assertTrue("msDS-IntId" not in res[0]) + + msg = Message() + msg.dn = Dn(self.ldb, attr_dn) + msg["msDS-IntId"] = MessageElement("-1993108831", FLAG_MOD_REPLACE, "msDS-IntId") + try: + self.ldb.modify(msg) + self.fail("Modifying msDS-IntId should return error") + except LdbError, (num, _): + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + + + def _make_class_ldif(self, class_dn, class_name): + ldif = """ +dn: """ + class_dn + """ +objectClass: top +objectClass: classSchema +adminDescription: """ + class_name + """ +adminDisplayName: """ + class_name + """ +cn: """ + class_name + """ +governsId: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939 +instanceType: 4 +objectClassCategory: 1 +subClassOf: organizationalPerson +rDNAttID: cn +systemMustContain: cn +systemOnly: FALSE +""" + return ldif + + def test_msDS_IntId_on_class(self): + """Testing msDs-IntId creation for Class + Reference: MS-ADTS - 3.1.1.2.4.8 Class classSchema""" + + # 1. Create Class without systemFlags + # msDS-IntId should be created if forest functional + # level is >= DS_DOMAIN_FUNCTION_2003 + # and missing otherwise + (class_name, class_ldap_name, class_dn) = self._make_obj_names("msDS-IntId-Class-1-") + ldif = self._make_class_ldif(class_dn, class_name) + + # try to add msDS-IntId during Class creation + ldif_add = ldif + "msDS-IntId: -1993108831\n" + self.ldb.add_ldif(ldif_add) + self._ldap_schemaUpdateNow() + + res = self.ldb.search(class_dn, scope=SCOPE_BASE, attrs=["*"]) + self.assertEquals(len(res), 1) + self.assertEquals(res[0]["msDS-IntId"][0], "-1993108831") + + # add a new Class and update schema + (class_name, class_ldap_name, class_dn) = self._make_obj_names("msDS-IntId-Class-2-") + ldif = self._make_class_ldif(class_dn, class_name) + + self.ldb.add_ldif(ldif) + self._ldap_schemaUpdateNow() + + # Search for created Class + res = self.ldb.search(class_dn, scope=SCOPE_BASE, attrs=["*"]) + self.assertEquals(len(res), 1) + self.assertFalse("msDS-IntId" in res[0]) + + msg = Message() + msg.dn = Dn(self.ldb, class_dn) + msg["msDS-IntId"] = MessageElement("-1993108831", FLAG_MOD_REPLACE, "msDS-IntId") + try: + self.ldb.modify(msg) + self.fail("Modifying msDS-IntId should return error") + except LdbError, (num, _): + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + + # 2. Create Class with systemFlags = FLAG_SCHEMA_BASE_OBJECT + # msDS-IntId should be created if forest functional + # level is >= DS_DOMAIN_FUNCTION_2003 + # and missing otherwise + (class_name, class_ldap_name, class_dn) = self._make_obj_names("msDS-IntId-Class-3-") + ldif = self._make_class_ldif(class_dn, class_name) + ldif += "systemFlags: 16\n" + + # try to add msDS-IntId during Class creation + ldif_add = ldif + "msDS-IntId: -1993108831\n" + self.ldb.add_ldif(ldif_add) + + res = self.ldb.search(class_dn, scope=SCOPE_BASE, attrs=["*"]) + self.assertEquals(len(res), 1) + self.assertEquals(res[0]["msDS-IntId"][0], "-1993108831") + + # add the new Class and update schema + (class_name, class_ldap_name, class_dn) = self._make_obj_names("msDS-IntId-Class-4-") + ldif = self._make_class_ldif(class_dn, class_name) + ldif += "systemFlags: 16\n" + + self.ldb.add_ldif(ldif) + self._ldap_schemaUpdateNow() + + # Search for created Class + res = self.ldb.search(class_dn, scope=SCOPE_BASE, attrs=["*"]) + self.assertEquals(len(res), 1) + self.assertFalse("msDS-IntId" in res[0]) + + msg = Message() + msg.dn = Dn(self.ldb, class_dn) + msg["msDS-IntId"] = MessageElement("-1993108831", FLAG_MOD_REPLACE, "msDS-IntId") + try: + self.ldb.modify(msg) + self.fail("Modifying msDS-IntId should return error") + except LdbError, (num, _): + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + res = self.ldb.search(class_dn, scope=SCOPE_BASE, attrs=["*"]) + self.assertEquals(len(res), 1) + self.assertFalse("msDS-IntId" in res[0]) + + + def test_verify_msDS_IntId(self): + """Verify msDS-IntId exists only on attributes without FLAG_SCHEMA_BASE_OBJECT flag set""" + count = 0 + res = self.ldb.search(self.schema_dn, scope=SCOPE_ONELEVEL, + expression="objectClass=attributeSchema", + attrs=["systemFlags", "msDS-IntId", "attributeID", "cn"]) + self.assertTrue(len(res) > 1) + for ldb_msg in res: + if self.forest_level >= DS_DOMAIN_FUNCTION_2003: + if self._is_schema_base_object(ldb_msg): + self.assertTrue("msDS-IntId" not in ldb_msg) + else: + # don't assert here as there are plenty of + # attributes under w2k8 that are not part of + # Base Schema (SYSTEM_FLAG_SCHEMA_BASE_OBJECT flag not set) + # has not msDS-IntId attribute set + #self.assertTrue("msDS-IntId" in ldb_msg, "msDS-IntId expected on: %s" % ldb_msg.dn) + if "msDS-IntId" not in ldb_msg: + count = count + 1 + print "%3d warning: msDS-IntId expected on: %-30s %s" % (count, ldb_msg["attributeID"], ldb_msg["cn"]) + else: + self.assertTrue("msDS-IntId" not in ldb_msg) + + +class SchemaTests_msDS_isRODC(unittest.TestCase): + + def setUp(self): + super(SchemaTests_msDS_isRODC, self).setUp() + self.ldb = ldb + res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"]) + self.assertEquals(len(res), 1) + self.base_dn = res[0]["defaultNamingContext"][0] + + def test_objectClass_ntdsdsa(self): + res = self.ldb.search(self.base_dn, expression="objectClass=nTDSDSA", + attrs=["msDS-isRODC"], controls=["search_options:1:2"]) + for ldb_msg in res: + self.assertTrue("msDS-isRODC" in ldb_msg) + + def test_objectClass_server(self): + res = self.ldb.search(self.base_dn, expression="objectClass=server", + attrs=["msDS-isRODC"], controls=["search_options:1:2"]) + for ldb_msg in res: + ntds_search_dn = "CN=NTDS Settings,%s" % ldb_msg['dn'] + try: + res_check = self.ldb.search(ntds_search_dn, attrs=["objectCategory"]) + except LdbError, (num, _): + self.assertEquals(num, ERR_NO_SUCH_OBJECT) + print("Server entry %s doesn't have a NTDS settings object" % res[0]['dn']) + else: + self.assertTrue("objectCategory" in res_check[0]) + self.assertTrue("msDS-isRODC" in ldb_msg) + + def test_objectClass_computer(self): + res = self.ldb.search(self.base_dn, expression="objectClass=computer", + attrs=["serverReferenceBL","msDS-isRODC"], controls=["search_options:1:2"]) + for ldb_msg in res: + if "serverReferenceBL" not in ldb_msg: + print("Computer entry %s doesn't have a serverReferenceBL attribute" % ldb_msg['dn']) + else: + self.assertTrue("msDS-isRODC" in ldb_msg) + +if not "://" in host: + if os.path.isfile(host): + host = "tdb://%s" % host + else: + host = "ldap://%s" % host + +ldb_options = [] +if host.startswith("ldap://"): + # user 'paged_search' module when connecting remotely + ldb_options = ["modules:paged_searches"] + +ldb = Ldb(host, credentials=creds, session_info=system_session(), lp=lp, options=ldb_options) +if not "tdb://" in host: + gc_ldb = Ldb("%s:3268" % host, credentials=creds, + session_info=system_session(), lp=lp) +else: + gc_ldb = None + +runner = SubunitTestRunner() +rc = 0 +if not runner.run(unittest.makeSuite(SchemaTests)).wasSuccessful(): + rc = 1 +if not runner.run(unittest.makeSuite(SchemaTests_msDS_IntId)).wasSuccessful(): + rc = 1 +if not runner.run(unittest.makeSuite(SchemaTests_msDS_isRODC)).wasSuccessful(): + rc = 1 + +sys.exit(rc) diff --git a/source4/dsdb/tests/python/passwords.py b/source4/dsdb/tests/python/passwords.py new file mode 100755 index 0000000000..fd2ed1c105 --- /dev/null +++ b/source4/dsdb/tests/python/passwords.py @@ -0,0 +1,615 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +# This tests the password changes over LDAP for AD implementations +# +# Copyright Matthias Dieter Wallnoefer 2010 +# +# Notice: This tests will also work against Windows Server if the connection is +# secured enough (SASL with a minimum of 128 Bit encryption) - consider +# MS-ADTS 3.1.1.3.1.5 +# +# Important: Make sure that the minimum password age is set to "0"! + +import optparse +import sys +import base64 +import os + +sys.path.append("bin/python") +import samba +samba.ensure_external_module("subunit", "subunit/python") +samba.ensure_external_module("testtools", "testtools") + +import samba.getopt as options + +from samba.auth import system_session +from samba.credentials import Credentials +from ldb import SCOPE_BASE, LdbError +from ldb import ERR_NO_SUCH_OBJECT, ERR_ATTRIBUTE_OR_VALUE_EXISTS +from ldb import ERR_UNWILLING_TO_PERFORM +from ldb import ERR_NO_SUCH_ATTRIBUTE +from ldb import ERR_CONSTRAINT_VIOLATION +from ldb import Message, MessageElement, Dn +from ldb import FLAG_MOD_REPLACE, FLAG_MOD_DELETE +from samba import gensec +from samba.samdb import SamDB +import samba.tests +from subunit.run import SubunitTestRunner +import unittest + +parser = optparse.OptionParser("passwords [options] ") +sambaopts = options.SambaOptions(parser) +parser.add_option_group(sambaopts) +parser.add_option_group(options.VersionOptions(parser)) +# use command line creds if available +credopts = options.CredentialsOptions(parser) +parser.add_option_group(credopts) +opts, args = parser.parse_args() + +if len(args) < 1: + parser.print_usage() + sys.exit(1) + +host = args[0] + +lp = sambaopts.get_loadparm() +creds = credopts.get_credentials(lp) + +# Force an encrypted connection +creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL) + +# +# Tests start here +# + +class PasswordTests(samba.tests.TestCase): + + def delete_force(self, ldb, dn): + try: + ldb.delete(dn) + except LdbError, (num, _): + self.assertEquals(num, ERR_NO_SUCH_OBJECT) + + def find_basedn(self, ldb): + res = ldb.search(base="", expression="", scope=SCOPE_BASE, + attrs=["defaultNamingContext"]) + self.assertEquals(len(res), 1) + return res[0]["defaultNamingContext"][0] + + def setUp(self): + super(PasswordTests, self).setUp() + self.ldb = ldb + self.base_dn = self.find_basedn(ldb) + + # (Re)adds the test user "testuser" with the inital password + # "thatsAcomplPASS1" + self.delete_force(self.ldb, "cn=testuser,cn=users," + self.base_dn) + self.ldb.add({ + "dn": "cn=testuser,cn=users," + self.base_dn, + "objectclass": ["user", "person"], + "sAMAccountName": "testuser", + "userPassword": "thatsAcomplPASS1" }) + self.ldb.enable_account("(sAMAccountName=testuser)") + + # Open a second LDB connection with the user credentials. Use the + # command line credentials for informations like the domain, the realm + # and the workstation. + creds2 = Credentials() + # FIXME: Reactivate the user credentials when we have user password + # change support also on the ACL level in s4 + creds2.set_username(creds.get_username()) + creds2.set_password(creds.get_password()) + #creds2.set_username("testuser") + #creds2.set_password("thatsAcomplPASS1") + creds2.set_domain(creds.get_domain()) + creds2.set_realm(creds.get_realm()) + creds2.set_workstation(creds.get_workstation()) + creds2.set_gensec_features(creds2.get_gensec_features() + | gensec.FEATURE_SEAL) + self.ldb2 = SamDB(url=host, credentials=creds2, lp=lp) + + def test_unicodePwd_hash_set(self): + print "Performs a password hash set operation on 'unicodePwd' which should be prevented" + # Notice: Direct hash password sets should never work + + m = Message() + m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn) + m["unicodePwd"] = MessageElement("XXXXXXXXXXXXXXXX", FLAG_MOD_REPLACE, + "unicodePwd") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + def test_unicodePwd_hash_change(self): + print "Performs a password hash change operation on 'unicodePwd' which should be prevented" + # Notice: Direct hash password changes should never work + + # Hash password changes should never work + try: + self.ldb2.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: unicodePwd +unicodePwd: XXXXXXXXXXXXXXXX +add: unicodePwd +unicodePwd: YYYYYYYYYYYYYYYY +""") + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + + def test_unicodePwd_clear_set(self): + print "Performs a password cleartext set operation on 'unicodePwd'" + + m = Message() + m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn) + m["unicodePwd"] = MessageElement("\"thatsAcomplPASS2\"".encode('utf-16-le'), + FLAG_MOD_REPLACE, "unicodePwd") + ldb.modify(m) + + def test_unicodePwd_clear_change(self): + print "Performs a password cleartext change operation on 'unicodePwd'" + + self.ldb2.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: unicodePwd +unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS1\"".encode('utf-16-le')) + """ +add: unicodePwd +unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """ +""") + + # A change to the same password again will not work (password history) + try: + self.ldb2.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: unicodePwd +unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """ +add: unicodePwd +unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """ +""") + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + + def test_dBCSPwd_hash_set(self): + print "Performs a password hash set operation on 'dBCSPwd' which should be prevented" + # Notice: Direct hash password sets should never work + + m = Message() + m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn) + m["dBCSPwd"] = MessageElement("XXXXXXXXXXXXXXXX", FLAG_MOD_REPLACE, + "dBCSPwd") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + def test_dBCSPwd_hash_change(self): + print "Performs a password hash change operation on 'dBCSPwd' which should be prevented" + # Notice: Direct hash password changes should never work + + try: + self.ldb2.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: dBCSPwd +dBCSPwd: XXXXXXXXXXXXXXXX +add: dBCSPwd +dBCSPwd: YYYYYYYYYYYYYYYY +""") + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + def test_userPassword_clear_set(self): + print "Performs a password cleartext set operation on 'userPassword'" + # Notice: This works only against Windows if "dSHeuristics" has been set + # properly + + m = Message() + m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn) + m["userPassword"] = MessageElement("thatsAcomplPASS2", FLAG_MOD_REPLACE, + "userPassword") + ldb.modify(m) + + def test_userPassword_clear_change(self): + print "Performs a password cleartext change operation on 'userPassword'" + # Notice: This works only against Windows if "dSHeuristics" has been set + # properly + + self.ldb2.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: userPassword +userPassword: thatsAcomplPASS1 +add: userPassword +userPassword: thatsAcomplPASS2 +""") + + # A change to the same password again will not work (password history) + try: + self.ldb2.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: userPassword +userPassword: thatsAcomplPASS2 +add: userPassword +userPassword: thatsAcomplPASS2 +""") + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + + def test_clearTextPassword_clear_set(self): + print "Performs a password cleartext set operation on 'clearTextPassword'" + # Notice: This never works against Windows - only supported by us + + try: + m = Message() + m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn) + m["clearTextPassword"] = MessageElement("thatsAcomplPASS2".encode('utf-16-le'), + FLAG_MOD_REPLACE, "clearTextPassword") + ldb.modify(m) + # this passes against s4 + except LdbError, (num, msg): + # "NO_SUCH_ATTRIBUTE" is returned by Windows -> ignore it + if num != ERR_NO_SUCH_ATTRIBUTE: + raise LdbError(num, msg) + + def test_clearTextPassword_clear_change(self): + print "Performs a password cleartext change operation on 'clearTextPassword'" + # Notice: This never works against Windows - only supported by us + + try: + self.ldb2.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: clearTextPassword +clearTextPassword:: """ + base64.b64encode("thatsAcomplPASS1".encode('utf-16-le')) + """ +add: clearTextPassword +clearTextPassword:: """ + base64.b64encode("thatsAcomplPASS2".encode('utf-16-le')) + """ +""") + # this passes against s4 + except LdbError, (num, msg): + # "NO_SUCH_ATTRIBUTE" is returned by Windows -> ignore it + if num != ERR_NO_SUCH_ATTRIBUTE: + raise LdbError(num, msg) + + # A change to the same password again will not work (password history) + try: + self.ldb2.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: clearTextPassword +clearTextPassword:: """ + base64.b64encode("thatsAcomplPASS2".encode('utf-16-le')) + """ +add: clearTextPassword +clearTextPassword:: """ + base64.b64encode("thatsAcomplPASS2".encode('utf-16-le')) + """ +""") + self.fail() + except LdbError, (num, _): + # "NO_SUCH_ATTRIBUTE" is returned by Windows -> ignore it + if num != ERR_NO_SUCH_ATTRIBUTE: + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + + def test_failures(self): + print "Performs some failure testing" + + try: + ldb.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: userPassword +userPassword: thatsAcomplPASS1 +""") + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + + try: + self.ldb2.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: userPassword +""") + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + + try: + ldb.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +add: userPassword +userPassword: thatsAcomplPASS1 +""") + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + try: + self.ldb2.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +add: userPassword +userPassword: thatsAcomplPASS1 +""") + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + try: + ldb.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: userPassword +userPassword: thatsAcomplPASS1 +add: userPassword +userPassword: thatsAcomplPASS2 +userPassword: thatsAcomplPASS2 +""") + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + + try: + self.ldb2.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: userPassword +userPassword: thatsAcomplPASS1 +add: userPassword +userPassword: thatsAcomplPASS2 +userPassword: thatsAcomplPASS2 +""") + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + + try: + ldb.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: userPassword +userPassword: thatsAcomplPASS1 +userPassword: thatsAcomplPASS1 +add: userPassword +userPassword: thatsAcomplPASS2 +""") + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + + try: + self.ldb2.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: userPassword +userPassword: thatsAcomplPASS1 +userPassword: thatsAcomplPASS1 +add: userPassword +userPassword: thatsAcomplPASS2 +""") + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + + try: + ldb.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: userPassword +userPassword: thatsAcomplPASS1 +add: userPassword +userPassword: thatsAcomplPASS2 +add: userPassword +userPassword: thatsAcomplPASS2 +""") + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + try: + self.ldb2.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: userPassword +userPassword: thatsAcomplPASS1 +add: userPassword +userPassword: thatsAcomplPASS2 +add: userPassword +userPassword: thatsAcomplPASS2 +""") + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + try: + ldb.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: userPassword +userPassword: thatsAcomplPASS1 +delete: userPassword +userPassword: thatsAcomplPASS1 +add: userPassword +userPassword: thatsAcomplPASS2 +""") + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + try: + self.ldb2.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: userPassword +userPassword: thatsAcomplPASS1 +delete: userPassword +userPassword: thatsAcomplPASS1 +add: userPassword +userPassword: thatsAcomplPASS2 +""") + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + try: + ldb.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: userPassword +userPassword: thatsAcomplPASS1 +add: userPassword +userPassword: thatsAcomplPASS2 +replace: userPassword +userPassword: thatsAcomplPASS3 +""") + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + try: + self.ldb2.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: userPassword +userPassword: thatsAcomplPASS1 +add: userPassword +userPassword: thatsAcomplPASS2 +replace: userPassword +userPassword: thatsAcomplPASS3 +""") + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + # Reverse order does work + self.ldb2.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +add: userPassword +userPassword: thatsAcomplPASS2 +delete: userPassword +userPassword: thatsAcomplPASS1 +""") + + try: + self.ldb2.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: userPassword +userPassword: thatsAcomplPASS2 +add: unicodePwd +unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS3\"".encode('utf-16-le')) + """ +""") + # this passes against s4 + except LdbError, (num, _): + self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS) + + try: + self.ldb2.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +delete: unicodePwd +unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS3\"".encode('utf-16-le')) + """ +add: userPassword +userPassword: thatsAcomplPASS4 +""") + # this passes against s4 + except LdbError, (num, _): + self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE) + + # Several password changes at once are allowed + ldb.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +replace: userPassword +userPassword: thatsAcomplPASS1 +userPassword: thatsAcomplPASS2 +""") + + # Several password changes at once are allowed + ldb.modify_ldif(""" +dn: cn=testuser,cn=users,""" + self.base_dn + """ +changetype: modify +replace: userPassword +userPassword: thatsAcomplPASS1 +userPassword: thatsAcomplPASS2 +replace: userPassword +userPassword: thatsAcomplPASS3 +replace: userPassword +userPassword: thatsAcomplPASS4 +""") + + # This surprisingly should work + self.delete_force(self.ldb, "cn=testuser2,cn=users," + self.base_dn) + self.ldb.add({ + "dn": "cn=testuser2,cn=users," + self.base_dn, + "objectclass": ["user", "person"], + "userPassword": ["thatsAcomplPASS1", "thatsAcomplPASS2"] }) + + # This surprisingly should work + self.delete_force(self.ldb, "cn=testuser2,cn=users," + self.base_dn) + self.ldb.add({ + "dn": "cn=testuser2,cn=users," + self.base_dn, + "objectclass": ["user", "person"], + "userPassword": ["thatsAcomplPASS1", "thatsAcomplPASS1"] }) + + def tearDown(self): + super(PasswordTests, self).tearDown() + self.delete_force(self.ldb, "cn=testuser,cn=users," + self.base_dn) + self.delete_force(self.ldb, "cn=testuser2,cn=users," + self.base_dn) + # Close the second LDB connection (with the user credentials) + self.ldb2 = None + +if not "://" in host: + if os.path.isfile(host): + host = "tdb://%s" % host + else: + host = "ldap://%s" % host + +ldb = SamDB(url=host, session_info=system_session(), credentials=creds, lp=lp) + +# Gets back the configuration basedn +res = ldb.search(base="", expression="", scope=SCOPE_BASE, + attrs=["configurationNamingContext"]) +configuration_dn = res[0]["configurationNamingContext"][0] + +# Get the old "dSHeuristics" if it was set +res = ldb.search("CN=Directory Service, CN=Windows NT, CN=Services, " + + configuration_dn, scope=SCOPE_BASE, attrs=["dSHeuristics"]) +if "dSHeuristics" in res[0]: + dsheuristics = res[0]["dSHeuristics"][0] +else: + dsheuristics = None + +# Set the "dSHeuristics" to have the tests run against Windows Server +m = Message() +m.dn = Dn(ldb, "CN=Directory Service, CN=Windows NT, CN=Services, " + + configuration_dn) +m["dSHeuristics"] = MessageElement("000000001", FLAG_MOD_REPLACE, + "dSHeuristics") +ldb.modify(m) + +runner = SubunitTestRunner() +rc = 0 +if not runner.run(unittest.makeSuite(PasswordTests)).wasSuccessful(): + rc = 1 + +# Reset the "dSHeuristics" as they were before +m = Message() +m.dn = Dn(ldb, "CN=Directory Service, CN=Windows NT, CN=Services, " + + configuration_dn) +if dsheuristics is not None: + m["dSHeuristics"] = MessageElement(dsheuristics, FLAG_MOD_REPLACE, + "dSHeuristics") +else: + m["dSHeuristics"] = MessageElement([], FLAG_MOD_DELETE, "dsHeuristics") +ldb.modify(m) + +sys.exit(rc) diff --git a/source4/dsdb/tests/python/sec_descriptor.py b/source4/dsdb/tests/python/sec_descriptor.py new file mode 100755 index 0000000000..8dc77321b4 --- /dev/null +++ b/source4/dsdb/tests/python/sec_descriptor.py @@ -0,0 +1,1979 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- + +import optparse +import sys +import os +import base64 +import re +import random + +sys.path.append("bin/python") +import samba +samba.ensure_external_module("subunit", "subunit/python") +samba.ensure_external_module("testtools", "testtools") + +import samba.getopt as options + +# Some error messages that are being tested +from ldb import SCOPE_SUBTREE, SCOPE_BASE, LdbError, ERR_NO_SUCH_OBJECT + +# For running the test unit +from samba.ndr import ndr_pack, ndr_unpack +from samba.dcerpc import security + +from samba import gensec +from samba.samdb import SamDB +from samba.credentials import Credentials +from samba.auth import system_session +from samba.dsdb import DS_DOMAIN_FUNCTION_2008 +from samba.dcerpc.security import ( + SECINFO_OWNER, SECINFO_GROUP, SECINFO_DACL, SECINFO_SACL) +from subunit.run import SubunitTestRunner +import samba.tests +import unittest + +parser = optparse.OptionParser("sec_descriptor [options] ") +sambaopts = options.SambaOptions(parser) +parser.add_option_group(sambaopts) +parser.add_option_group(options.VersionOptions(parser)) + +# use command line creds if available +credopts = options.CredentialsOptions(parser) +parser.add_option_group(credopts) +opts, args = parser.parse_args() + +if len(args) < 1: + parser.print_usage() + sys.exit(1) + +host = args[0] + +lp = sambaopts.get_loadparm() +creds = credopts.get_credentials(lp) +creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL) + +# +# Tests start here +# + +class DescriptorTests(samba.tests.TestCase): + + def delete_force(self, ldb, dn): + try: + ldb.delete(dn) + except LdbError, (num, _): + self.assertEquals(num, ERR_NO_SUCH_OBJECT) + + def find_basedn(self, ldb): + res = ldb.search(base="", expression="", scope=SCOPE_BASE, + attrs=["defaultNamingContext"]) + self.assertEquals(len(res), 1) + return res[0]["defaultNamingContext"][0] + + def find_configurationdn(self, ldb): + res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["configurationNamingContext"]) + self.assertEquals(len(res), 1) + return res[0]["configurationNamingContext"][0] + + def find_schemadn(self, ldb): + res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["schemaNamingContext"]) + self.assertEquals(len(res), 1) + return res[0]["schemaNamingContext"][0] + + def find_domain_sid(self, ldb): + res = ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_BASE) + return ndr_unpack( security.dom_sid,res[0]["objectSid"][0]) + + def get_users_domain_dn(self, name): + return "CN=%s,CN=Users,%s" % (name, self.base_dn) + + def modify_desc(self, _ldb, object_dn, desc, controls=None): + assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) + mod = """ +dn: """ + object_dn + """ +changetype: modify +replace: nTSecurityDescriptor +""" + if isinstance(desc, str): + mod += "nTSecurityDescriptor: %s" % desc + elif isinstance(desc, security.descriptor): + mod += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) + _ldb.modify_ldif(mod, controls) + + def create_domain_ou(self, _ldb, ou_dn, desc=None, controls=None): + ldif = """ +dn: """ + ou_dn + """ +ou: """ + ou_dn.split(",")[0][3:] + """ +objectClass: organizationalUnit +url: www.example.com +""" + if desc: + assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) + if isinstance(desc, str): + ldif += "nTSecurityDescriptor: %s" % desc + elif isinstance(desc, security.descriptor): + ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) + _ldb.add_ldif(ldif, controls) + + def create_domain_user(self, _ldb, user_dn, desc=None): + ldif = """ +dn: """ + user_dn + """ +sAMAccountName: """ + user_dn.split(",")[0][3:] + """ +objectClass: user +userPassword: samba123@ +url: www.example.com +""" + if desc: + assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) + if isinstance(desc, str): + ldif += "nTSecurityDescriptor: %s" % desc + elif isinstance(desc, security.descriptor): + ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) + _ldb.add_ldif(ldif) + + def create_domain_group(self, _ldb, group_dn, desc=None): + ldif = """ +dn: """ + group_dn + """ +objectClass: group +sAMAccountName: """ + group_dn.split(",")[0][3:] + """ +groupType: 4 +url: www.example.com +""" + if desc: + assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) + if isinstance(desc, str): + ldif += "nTSecurityDescriptor: %s" % desc + elif isinstance(desc, security.descriptor): + ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) + _ldb.add_ldif(ldif) + + def get_unique_schema_class_name(self): + while True: + class_name = "test-class%s" % random.randint(1,100000) + class_dn = "CN=%s,%s" % (class_name, self.schema_dn) + try: + self.ldb_admin.search(base=class_dn, attrs=["*"]) + except LdbError, (num, _): + self.assertEquals(num, ERR_NO_SUCH_OBJECT) + return class_name + + def create_schema_class(self, _ldb, object_dn, desc=None): + ldif = """ +dn: """ + object_dn + """ +objectClass: classSchema +objectCategory: CN=Class-Schema,""" + self.schema_dn + """ +defaultObjectCategory: """ + object_dn + """ +distinguishedName: """ + object_dn + """ +governsID: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939 +instanceType: 4 +objectClassCategory: 1 +subClassOf: organizationalPerson +systemFlags: 16 +rDNAttID: cn +systemMustContain: cn +systemOnly: FALSE +""" + if desc: + assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) + if isinstance(desc, str): + ldif += "nTSecurityDescriptor: %s" % desc + elif isinstance(desc, security.descriptor): + ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) + _ldb.add_ldif(ldif) + + def create_configuration_container(self, _ldb, object_dn, desc=None): + ldif = """ +dn: """ + object_dn + """ +objectClass: container +objectCategory: CN=Container,""" + self.schema_dn + """ +showInAdvancedViewOnly: TRUE +instanceType: 4 +""" + if desc: + assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) + if isinstance(desc, str): + ldif += "nTSecurityDescriptor: %s" % desc + elif isinstance(desc, security.descriptor): + ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) + _ldb.add_ldif(ldif) + + def create_configuration_specifier(self, _ldb, object_dn, desc=None): + ldif = """ +dn: """ + object_dn + """ +objectClass: displaySpecifier +showInAdvancedViewOnly: TRUE +""" + if desc: + assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) + if isinstance(desc, str): + ldif += "nTSecurityDescriptor: %s" % desc + elif isinstance(desc, security.descriptor): + ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) + _ldb.add_ldif(ldif) + + def read_desc(self, object_dn, controls=None): + res = self.ldb_admin.search(base=object_dn, scope=SCOPE_BASE, attrs=["nTSecurityDescriptor"], controls=controls) + desc = res[0]["nTSecurityDescriptor"][0] + return ndr_unpack(security.descriptor, desc) + + def create_active_user(self, _ldb, user_dn): + ldif = """ +dn: """ + user_dn + """ +sAMAccountName: """ + user_dn.split(",")[0][3:] + """ +objectClass: user +unicodePwd:: """ + base64.b64encode("\"samba123@\"".encode('utf-16-le')) + """ +url: www.example.com +""" + _ldb.add_ldif(ldif) + + def add_user_to_group(self, _ldb, username, groupname): + ldif = """ +dn: """ + self.get_users_domain_dn(groupname) + """ +changetype: modify +add: member +member: """ + self.get_users_domain_dn(username) + _ldb.modify_ldif(ldif) + + def get_ldb_connection(self, target_username, target_password): + creds_tmp = Credentials() + creds_tmp.set_username(target_username) + creds_tmp.set_password(target_password) + creds_tmp.set_domain(creds.get_domain()) + creds_tmp.set_realm(creds.get_realm()) + creds_tmp.set_workstation(creds.get_workstation()) + creds_tmp.set_gensec_features(creds_tmp.get_gensec_features() + | gensec.FEATURE_SEAL) + ldb_target = SamDB(url=host, credentials=creds_tmp, lp=lp) + return ldb_target + + def get_object_sid(self, object_dn): + res = self.ldb_admin.search(object_dn) + return ndr_unpack( security.dom_sid, res[0]["objectSid"][0] ) + + def dacl_add_ace(self, object_dn, ace): + desc = self.read_desc( object_dn ) + desc_sddl = desc.as_sddl( self.domain_sid ) + if ace in desc_sddl: + return + if desc_sddl.find("(") >= 0: + desc_sddl = desc_sddl[:desc_sddl.index("(")] + ace + desc_sddl[desc_sddl.index("("):] + else: + desc_sddl = desc_sddl + ace + self.modify_desc(self.ldb_admin, object_dn, desc_sddl) + + def get_desc_sddl(self, object_dn, controls=None): + """ Return object nTSecutiryDescriptor in SDDL format + """ + desc = self.read_desc(object_dn, controls) + return desc.as_sddl(self.domain_sid) + + def create_enable_user(self, username): + user_dn = self.get_users_domain_dn(username) + self.create_active_user(self.ldb_admin, user_dn) + self.ldb_admin.enable_account("(sAMAccountName=" + username + ")") + + def setUp(self): + super(DescriptorTests, self).setUp() + self.ldb_admin = ldb + self.base_dn = self.find_basedn(self.ldb_admin) + self.configuration_dn = self.find_configurationdn(self.ldb_admin) + self.schema_dn = self.find_schemadn(self.ldb_admin) + self.domain_sid = self.find_domain_sid(self.ldb_admin) + print "baseDN: %s" % self.base_dn + + ################################################################################################ + + ## Tests for DOMAIN + + # Default descriptor tests ##################################################################### + +class OwnerGroupDescriptorTests(DescriptorTests): + + def deleteAll(self): + self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser1")) + self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser2")) + self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser3")) + self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser4")) + self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser5")) + self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser6")) + self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser7")) + self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser8")) + # DOMAIN + self.delete_force(self.ldb_admin, self.get_users_domain_dn("test_domain_group1")) + self.delete_force(self.ldb_admin, "CN=test_domain_user1,OU=test_domain_ou1," + self.base_dn) + self.delete_force(self.ldb_admin, "OU=test_domain_ou2,OU=test_domain_ou1," + self.base_dn) + self.delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn) + # SCHEMA + # CONFIGURATION + self.delete_force(self.ldb_admin, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers," \ + + self.configuration_dn) + self.delete_force(self.ldb_admin, "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn) + + def setUp(self): + super(OwnerGroupDescriptorTests, self).setUp() + self.deleteAll() + ### Create users + # User 1 + self.create_enable_user("testuser1") + self.add_user_to_group(self.ldb_admin, "testuser1", "Enterprise Admins") + # User 2 + self.create_enable_user("testuser2") + self.add_user_to_group(self.ldb_admin, "testuser2", "Domain Admins") + # User 3 + self.create_enable_user("testuser3") + self.add_user_to_group(self.ldb_admin, "testuser3", "Schema Admins") + # User 4 + self.create_enable_user("testuser4") + # User 5 + self.create_enable_user("testuser5") + self.add_user_to_group(self.ldb_admin, "testuser5", "Enterprise Admins") + self.add_user_to_group(self.ldb_admin, "testuser5", "Domain Admins") + # User 6 + self.create_enable_user("testuser6") + self.add_user_to_group(self.ldb_admin, "testuser6", "Enterprise Admins") + self.add_user_to_group(self.ldb_admin, "testuser6", "Domain Admins") + self.add_user_to_group(self.ldb_admin, "testuser6", "Schema Admins") + # User 7 + self.create_enable_user("testuser7") + self.add_user_to_group(self.ldb_admin, "testuser7", "Domain Admins") + self.add_user_to_group(self.ldb_admin, "testuser7", "Schema Admins") + # User 8 + self.create_enable_user("testuser8") + self.add_user_to_group(self.ldb_admin, "testuser8", "Enterprise Admins") + self.add_user_to_group(self.ldb_admin, "testuser8", "Schema Admins") + + self.results = { + # msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008 + "ds_behavior_win2003" : { + "100" : "O:EAG:DU", + "101" : "O:DAG:DU", + "102" : "O:%sG:DU", + "103" : "O:%sG:DU", + "104" : "O:DAG:DU", + "105" : "O:DAG:DU", + "106" : "O:DAG:DU", + "107" : "O:EAG:DU", + "108" : "O:DAG:DA", + "109" : "O:DAG:DA", + "110" : "O:%sG:DA", + "111" : "O:%sG:DA", + "112" : "O:DAG:DA", + "113" : "O:DAG:DA", + "114" : "O:DAG:DA", + "115" : "O:DAG:DA", + "130" : "O:EAG:DU", + "131" : "O:DAG:DU", + "132" : "O:SAG:DU", + "133" : "O:%sG:DU", + "134" : "O:EAG:DU", + "135" : "O:SAG:DU", + "136" : "O:SAG:DU", + "137" : "O:SAG:DU", + "138" : "O:DAG:DA", + "139" : "O:DAG:DA", + "140" : "O:%sG:DA", + "141" : "O:%sG:DA", + "142" : "O:DAG:DA", + "143" : "O:DAG:DA", + "144" : "O:DAG:DA", + "145" : "O:DAG:DA", + "160" : "O:EAG:DU", + "161" : "O:DAG:DU", + "162" : "O:%sG:DU", + "163" : "O:%sG:DU", + "164" : "O:EAG:DU", + "165" : "O:EAG:DU", + "166" : "O:DAG:DU", + "167" : "O:EAG:DU", + "168" : "O:DAG:DA", + "169" : "O:DAG:DA", + "170" : "O:%sG:DA", + "171" : "O:%sG:DA", + "172" : "O:DAG:DA", + "173" : "O:DAG:DA", + "174" : "O:DAG:DA", + "175" : "O:DAG:DA", + }, + # msDS-Behavior-Version >= DS_DOMAIN_FUNCTION_2008 + "ds_behavior_win2008" : { + "100" : "O:EAG:EA", + "101" : "O:DAG:DA", + "102" : "O:%sG:DU", + "103" : "O:%sG:DU", + "104" : "O:DAG:DA", + "105" : "O:DAG:DA", + "106" : "O:DAG:DA", + "107" : "O:EAG:EA", + "108" : "O:DAG:DA", + "109" : "O:DAG:DA", + "110" : "O:%sG:DA", + "111" : "O:%sG:DA", + "112" : "O:DAG:DA", + "113" : "O:DAG:DA", + "114" : "O:DAG:DA", + "115" : "O:DAG:DA", + "130" : "O:EAG:EA", + "131" : "O:DAG:DA", + "132" : "O:SAG:SA", + "133" : "O:%sG:DU", + "134" : "O:EAG:EA", + "135" : "O:SAG:SA", + "136" : "O:SAG:SA", + "137" : "O:SAG:SA", + "138" : "", + "139" : "", + "140" : "O:%sG:DA", + "141" : "O:%sG:DA", + "142" : "", + "143" : "", + "144" : "", + "145" : "", + "160" : "O:EAG:EA", + "161" : "O:DAG:DA", + "162" : "O:%sG:DU", + "163" : "O:%sG:DU", + "164" : "O:EAG:EA", + "165" : "O:EAG:EA", + "166" : "O:DAG:DA", + "167" : "O:EAG:EA", + "168" : "O:DAG:DA", + "169" : "O:DAG:DA", + "170" : "O:%sG:DA", + "171" : "O:%sG:DA", + "172" : "O:DAG:DA", + "173" : "O:DAG:DA", + "174" : "O:DAG:DA", + "175" : "O:DAG:DA", + }, + } + # Discover 'msDS-Behavior-Version' + res = self.ldb_admin.search(base=self.base_dn, expression="distinguishedName=%s" % self.base_dn, \ + attrs=['msDS-Behavior-Version']) + res = int(res[0]['msDS-Behavior-Version'][0]) + if res < DS_DOMAIN_FUNCTION_2008: + self.DS_BEHAVIOR = "ds_behavior_win2003" + else: + self.DS_BEHAVIOR = "ds_behavior_win2008" + + def tearDown(self): + super(DescriptorTests, self).tearDown() + self.deleteAll() + + def check_user_belongs(self, user_dn, groups=[]): + """ Test wether user is member of the expected group(s) """ + if groups != []: + # User is member of at least one additional group + res = self.ldb_admin.search(user_dn, attrs=["memberOf"]) + res = [x.upper() for x in sorted(list(res[0]["memberOf"]))] + expected = [] + for x in groups: + expected.append(self.get_users_domain_dn(x)) + expected = [x.upper() for x in sorted(expected)] + self.assertEqual(expected, res) + else: + # User is not a member of any additional groups but default + res = self.ldb_admin.search(user_dn, attrs=["*"]) + res = [x.upper() for x in res[0].keys()] + self.assertFalse( "MEMBEROF" in res) + + def check_modify_inheritance(self, _ldb, object_dn, owner_group=""): + # Modify + ace = "(D;;CC;;;LG)" # Deny Create Children to Guest account + if owner_group != "": + self.modify_desc(_ldb, object_dn, owner_group + "D:" + ace) + else: + self.modify_desc(_ldb, object_dn, "D:" + ace) + # Make sure the modify operation has been applied + desc_sddl = self.get_desc_sddl(object_dn) + self.assertTrue(ace in desc_sddl) + # Make sure we have identical result for both "add" and "modify" + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + print self._testMethodName + test_number = self._testMethodName[5:] + self.assertEqual(self.results[self.DS_BEHAVIOR][test_number], res) + + def test_100(self): + """ Enterprise admin group member creates object (default nTSecurityDescriptor) in DOMAIN + """ + user_name = "testuser1" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_domain_group(_ldb, object_dn) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) + self.check_modify_inheritance(_ldb, object_dn) + + def test_101(self): + """ Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN + """ + user_name = "testuser2" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_domain_group(_ldb, object_dn) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) + self.check_modify_inheritance(_ldb, object_dn) + + def test_102(self): + """ Schema admin group member with CC right creates object (default nTSecurityDescriptor) in DOMAIN + """ + user_name = "testuser3" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + object_dn = "OU=test_domain_ou1," + self.base_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_domain_ou(self.ldb_admin, object_dn) + user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) + mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid) + self.dacl_add_ace(object_dn, mod) + # Create additional object into the first one + object_dn = "CN=test_domain_user1," + object_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_domain_user(_ldb, object_dn) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res) + # This fails, research why + #self.check_modify_inheritance(_ldb, object_dn) + + def test_103(self): + """ Regular user with CC right creates object (default nTSecurityDescriptor) in DOMAIN + """ + user_name = "testuser4" + self.check_user_belongs(self.get_users_domain_dn(user_name), []) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + object_dn = "OU=test_domain_ou1," + self.base_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_domain_ou(self.ldb_admin, object_dn) + user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) + mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid) + self.dacl_add_ace(object_dn, mod) + # Create additional object into the first one + object_dn = "CN=test_domain_user1," + object_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_domain_user(_ldb, object_dn) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res) + #this fails, research why + #self.check_modify_inheritance(_ldb, object_dn) + + def test_104(self): + """ Enterprise & Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN + """ + user_name = "testuser5" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_domain_group(_ldb, object_dn) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) + self.check_modify_inheritance(_ldb, object_dn) + + def test_105(self): + """ Enterprise & Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN + """ + user_name = "testuser6" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_domain_group(_ldb, object_dn) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) + self.check_modify_inheritance(_ldb, object_dn) + + def test_106(self): + """ Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN + """ + user_name = "testuser7" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_domain_group(_ldb, object_dn) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) + self.check_modify_inheritance(_ldb, object_dn) + + def test_107(self): + """ Enterprise & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN + """ + user_name = "testuser8" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_domain_group(_ldb, object_dn) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) + self.check_modify_inheritance(_ldb, object_dn) + + # Control descriptor tests ##################################################################### + + def test_108(self): + """ Enterprise admin group member creates object (custom descriptor) in DOMAIN + """ + user_name = "testuser1" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn + self.delete_force(self.ldb_admin, object_dn) + # Create a custom security descriptor + desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" + self.create_domain_group(_ldb, object_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) + + def test_109(self): + """ Domain admin group member creates object (custom descriptor) in DOMAIN + """ + user_name = "testuser2" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn + self.delete_force(self.ldb_admin, object_dn) + # Create a custom security descriptor + desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" + self.create_domain_group(_ldb, object_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) + + def test_110(self): + """ Schema admin group member with CC right creates object (custom descriptor) in DOMAIN + """ + user_name = "testuser3" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + object_dn = "OU=test_domain_ou1," + self.base_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_domain_ou(self.ldb_admin, object_dn) + user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) + mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid) + self.dacl_add_ace(object_dn, mod) + # Create a custom security descriptor + # NB! Problematic owner part won't accept DA only !!! + desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid) + # Create additional object into the first one + object_dn = "CN=test_domain_user1," + object_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_domain_user(_ldb, object_dn, desc_sddl) + desc = self.read_desc(object_dn) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res) + + def test_111(self): + """ Regular user with CC right creates object (custom descriptor) in DOMAIN + """ + user_name = "testuser4" + self.check_user_belongs(self.get_users_domain_dn(user_name), []) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + object_dn = "OU=test_domain_ou1," + self.base_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_domain_ou(self.ldb_admin, object_dn) + user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) + mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid) + self.dacl_add_ace(object_dn, mod) + # Create a custom security descriptor + # NB! Problematic owner part won't accept DA only !!! + desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid) + # Create additional object into the first one + object_dn = "CN=test_domain_user1," + object_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_domain_user(_ldb, object_dn, desc_sddl) + desc = self.read_desc(object_dn) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res) + + def test_112(self): + """ Domain & Enterprise admin group member creates object (custom descriptor) in DOMAIN + """ + user_name = "testuser5" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn + self.delete_force(self.ldb_admin, object_dn) + # Create a custom security descriptor + desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" + self.create_domain_group(_ldb, object_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) + + def test_113(self): + """ Domain & Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN + """ + user_name = "testuser6" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn + self.delete_force(self.ldb_admin, object_dn) + # Create a custom security descriptor + desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" + self.create_domain_group(_ldb, object_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) + + def test_114(self): + """ Domain & Schema admin group member creates object (custom descriptor) in DOMAIN + """ + user_name = "testuser7" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn + self.delete_force(self.ldb_admin, object_dn) + # Create a custom security descriptor + desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" + self.create_domain_group(_ldb, object_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) + + def test_115(self): + """ Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN + """ + user_name = "testuser8" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn + self.delete_force(self.ldb_admin, object_dn) + # Create a custom security descriptor + desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" + self.create_domain_group(_ldb, object_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) + + def test_999(self): + user_name = "Administrator" + object_dn = "OU=test_domain_ou1," + self.base_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_domain_ou(self.ldb_admin, object_dn) + user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) + mod = "(D;CI;WP;;;S-1-3-0)" + #mod = "" + self.dacl_add_ace(object_dn, mod) + desc_sddl = self.get_desc_sddl(object_dn) + # Create additional object into the first one + object_dn = "OU=test_domain_ou2," + object_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_domain_ou(self.ldb_admin, object_dn) + desc_sddl = self.get_desc_sddl(object_dn) + + ## Tests for SCHEMA + + # Defalt descriptor tests ################################################################## + + def test_130(self): + user_name = "testuser1" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Change Schema partition descriptor + user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) + mod = "(A;;WDCC;;;AU)" + self.dacl_add_ace(self.schema_dn, mod) + # Create example Schema class + class_name = self.get_unique_schema_class_name() + class_dn = "CN=%s,%s" % (class_name, self.schema_dn) + self.create_schema_class(_ldb, class_dn) + desc_sddl = self.get_desc_sddl(class_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) + self.check_modify_inheritance(_ldb, class_dn) + + def test_131(self): + user_name = "testuser2" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Change Schema partition descriptor + mod = "(A;CI;WDCC;;;AU)" + self.dacl_add_ace(self.schema_dn, mod) + # Create example Schema class + class_name = self.get_unique_schema_class_name() + class_dn = "CN=%s,%s" % (class_name, self.schema_dn) + self.create_schema_class(_ldb, class_dn) + desc_sddl = self.get_desc_sddl(class_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) + self.check_modify_inheritance(_ldb, class_dn) + + def test_132(self): + user_name = "testuser3" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Change Schema partition descriptor + mod = "(A;CI;WDCC;;;AU)" + self.dacl_add_ace(self.schema_dn, mod) + # Create example Schema class + class_name = self.get_unique_schema_class_name() + class_dn = "CN=%s,%s" % (class_name, self.schema_dn) + self.create_schema_class(_ldb, class_dn) + desc_sddl = self.get_desc_sddl(class_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) + #self.check_modify_inheritance(_ldb, class_dn) + + def test_133(self): + user_name = "testuser4" + self.check_user_belongs(self.get_users_domain_dn(user_name), []) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + #Change Schema partition descriptor + user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) + mod = "(A;CI;WDCC;;;AU)" + self.dacl_add_ace(self.schema_dn, mod) + # Create example Schema class + class_name = self.get_unique_schema_class_name() + class_dn = "CN=%s,%s" % (class_name, self.schema_dn) + self.create_schema_class(_ldb, class_dn) + desc_sddl = self.get_desc_sddl(class_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res) + #self.check_modify_inheritance(_ldb, class_dn) + + def test_134(self): + user_name = "testuser5" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + #Change Schema partition descriptor + mod = "(A;CI;WDCC;;;AU)" + self.dacl_add_ace(self.schema_dn, mod) + # Create example Schema class + class_name = self.get_unique_schema_class_name() + class_dn = "CN=%s,%s" % (class_name, self.schema_dn) + self.create_schema_class(_ldb, class_dn) + desc_sddl = self.get_desc_sddl(class_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) + self.check_modify_inheritance(_ldb, class_dn) + + def test_135(self): + user_name = "testuser6" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Change Schema partition descriptor + mod = "(A;CI;WDCC;;;AU)" + self.dacl_add_ace(self.schema_dn, mod) + # Create example Schema class + class_name = self.get_unique_schema_class_name() + class_dn = "CN=%s,%s" % (class_name, self.schema_dn) + self.create_schema_class(_ldb, class_dn) + desc_sddl = self.get_desc_sddl(class_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) + self.check_modify_inheritance(_ldb, class_dn) + + def test_136(self): + user_name = "testuser7" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Change Schema partition descriptor + mod = "(A;CI;WDCC;;;AU)" + self.dacl_add_ace(self.schema_dn, mod) + # Create example Schema class + class_name = self.get_unique_schema_class_name() + class_dn = "CN=%s,%s" % (class_name, self.schema_dn) + self.create_schema_class(_ldb, class_dn) + desc_sddl = self.get_desc_sddl(class_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) + self.check_modify_inheritance(_ldb, class_dn) + + def test_137(self): + user_name = "testuser8" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Change Schema partition descriptor + mod = "(A;CI;WDCC;;;AU)" + self.dacl_add_ace(self.schema_dn, mod) + # Create example Schema class + class_name = self.get_unique_schema_class_name() + class_dn = "CN=%s,%s" % (class_name, self.schema_dn) + self.create_schema_class(_ldb, class_dn) + desc_sddl = self.get_desc_sddl(class_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) + self.check_modify_inheritance(_ldb, class_dn) + + # Custom descriptor tests ################################################################## + + def test_138(self): + user_name = "testuser1" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Change Schema partition descriptor + mod = "(A;;CC;;;AU)" + self.dacl_add_ace(self.schema_dn, mod) + # Create a custom security descriptor + desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" + # Create example Schema class + class_name = self.get_unique_schema_class_name() + class_dn = "CN=%s,%s" % (class_name, self.schema_dn) + self.create_schema_class(_ldb, class_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(class_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual("O:DAG:DA", res) + + def test_139(self): + user_name = "testuser2" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Change Schema partition descriptor + mod = "(A;;CC;;;AU)" + self.dacl_add_ace(self.schema_dn, mod) + # Create a custom security descriptor + desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" + # Create example Schema class + class_name = self.get_unique_schema_class_name() + class_dn = "CN=%s,%s" % (class_name, self.schema_dn) + self.create_schema_class(_ldb, class_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(class_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual("O:DAG:DA", res) + + def test_140(self): + user_name = "testuser3" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Create a custom security descriptor + # NB! Problematic owner part won't accept DA only !!! + user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) + desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid) + # Create example Schema class + class_name = self.get_unique_schema_class_name() + class_dn = "CN=%s,%s" % (class_name, self.schema_dn) + self.create_schema_class(_ldb, class_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(class_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res) + + def test_141(self): + user_name = "testuser4" + self.check_user_belongs(self.get_users_domain_dn(user_name), []) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Create a custom security descriptor + # NB! Problematic owner part won't accept DA only !!! + user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) + desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid) + # Create example Schema class + class_name = self.get_unique_schema_class_name() + class_dn = "CN=%s,%s" % (class_name, self.schema_dn) + self.create_schema_class(_ldb, class_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(class_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res) + + def test_142(self): + user_name = "testuser5" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Change Schema partition descriptor + mod = "(A;;CC;;;AU)" + self.dacl_add_ace(self.schema_dn, mod) + # Create a custom security descriptor + desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" + # Create example Schema class + class_name = self.get_unique_schema_class_name() + class_dn = "CN=%s,%s" % (class_name, self.schema_dn) + self.create_schema_class(_ldb, class_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(class_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual("O:DAG:DA", res) + + def test_143(self): + user_name = "testuser6" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Change Schema partition descriptor + mod = "(A;;CC;;;AU)" + self.dacl_add_ace(self.schema_dn, mod) + # Create a custom security descriptor + desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" + # Create example Schema class + class_name = self.get_unique_schema_class_name() + class_dn = "CN=%s,%s" % (class_name, self.schema_dn) + self.create_schema_class(_ldb, class_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(class_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual("O:DAG:DA", res) + + def test_144(self): + user_name = "testuser7" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Change Schema partition descriptor + mod = "(A;;CC;;;AU)" + self.dacl_add_ace(self.schema_dn, mod) + # Create a custom security descriptor + desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" + # Create example Schema class + class_name = self.get_unique_schema_class_name() + class_dn = "CN=%s,%s" % (class_name, self.schema_dn) + self.create_schema_class(_ldb, class_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(class_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual("O:DAG:DA", res) + + def test_145(self): + user_name = "testuser8" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Change Schema partition descriptor + mod = "(A;;CC;;;AU)" + self.dacl_add_ace(self.schema_dn, mod) + # Create a custom security descriptor + desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" + # Create example Schema class + class_name = self.get_unique_schema_class_name() + class_dn = "CN=%s,%s" % (class_name, self.schema_dn) + self.create_schema_class(_ldb, class_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(class_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual("O:DAG:DA", res) + + ## Tests for CONFIGURATION + + # Defalt descriptor tests ################################################################## + + def test_160(self): + user_name = "testuser1" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Create example Configuration container + container_name = "test-container1" + object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) + self.delete_force(self.ldb_admin, object_dn) + self.create_configuration_container(_ldb, object_dn, ) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) + self.check_modify_inheritance(_ldb, object_dn) + + def test_161(self): + user_name = "testuser2" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Create example Configuration container + container_name = "test-container1" + object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) + self.delete_force(self.ldb_admin, object_dn) + self.create_configuration_container(_ldb, object_dn, ) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) + self.check_modify_inheritance(_ldb, object_dn) + + def test_162(self): + user_name = "testuser3" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Create example Configuration container + object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_configuration_container(self.ldb_admin, object_dn, ) + user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) + mod = "(A;;WDCC;;;AU)" + self.dacl_add_ace(object_dn, mod) + # Create child object with user's credentials + object_dn = "CN=test-specifier1," + object_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_configuration_specifier(_ldb, object_dn) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res) + #self.check_modify_inheritance(_ldb, object_dn) + + def test_163(self): + user_name = "testuser4" + self.check_user_belongs(self.get_users_domain_dn(user_name), []) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Create example Configuration container + object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_configuration_container(self.ldb_admin, object_dn, ) + user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) + mod = "(A;CI;WDCC;;;AU)" + self.dacl_add_ace(object_dn, mod) + # Create child object with user's credentials + object_dn = "CN=test-specifier1," + object_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_configuration_specifier(_ldb, object_dn) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res) + #self.check_modify_inheritance(_ldb, object_dn) + + def test_164(self): + user_name = "testuser5" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Create example Configuration container + container_name = "test-container1" + object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) + self.delete_force(self.ldb_admin, object_dn) + self.create_configuration_container(_ldb, object_dn, ) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) + self.check_modify_inheritance(_ldb, object_dn) + + def test_165(self): + user_name = "testuser6" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Create example Configuration container + container_name = "test-container1" + object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) + self.delete_force(self.ldb_admin, object_dn) + self.create_configuration_container(_ldb, object_dn, ) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) + self.check_modify_inheritance(_ldb, object_dn) + + def test_166(self): + user_name = "testuser7" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Create example Configuration container + container_name = "test-container1" + object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) + self.delete_force(self.ldb_admin, object_dn) + self.create_configuration_container(_ldb, object_dn, ) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) + self.check_modify_inheritance(_ldb, object_dn) + + def test_167(self): + user_name = "testuser8" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Create example Configuration container + container_name = "test-container1" + object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) + self.delete_force(self.ldb_admin, object_dn) + self.create_configuration_container(_ldb, object_dn, ) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) + self.check_modify_inheritance(_ldb, object_dn) + + # Custom descriptor tests ################################################################## + + def test_168(self): + user_name = "testuser1" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Create example Configuration container + container_name = "test-container1" + object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) + self.delete_force(self.ldb_admin, object_dn) + # Create a custom security descriptor + desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" + self.create_configuration_container(_ldb, object_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual("O:DAG:DA", res) + + def test_169(self): + user_name = "testuser2" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Create example Configuration container + container_name = "test-container1" + object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) + self.delete_force(self.ldb_admin, object_dn) + # Create a custom security descriptor + desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" + self.create_configuration_container(_ldb, object_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual("O:DAG:DA", res) + + def test_170(self): + user_name = "testuser3" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Create example Configuration container + object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_configuration_container(self.ldb_admin, object_dn, ) + user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) + mod = "(A;;CC;;;AU)" + self.dacl_add_ace(object_dn, mod) + # Create child object with user's credentials + object_dn = "CN=test-specifier1," + object_dn + self.delete_force(self.ldb_admin, object_dn) + # Create a custom security descriptor + # NB! Problematic owner part won't accept DA only !!! + desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid) + self.create_configuration_specifier(_ldb, object_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res) + + def test_171(self): + user_name = "testuser4" + self.check_user_belongs(self.get_users_domain_dn(user_name), []) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Create example Configuration container + object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_configuration_container(self.ldb_admin, object_dn, ) + user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) + mod = "(A;;CC;;;AU)" + self.dacl_add_ace(object_dn, mod) + # Create child object with user's credentials + object_dn = "CN=test-specifier1," + object_dn + self.delete_force(self.ldb_admin, object_dn) + # Create a custom security descriptor + # NB! Problematic owner part won't accept DA only !!! + desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid) + self.create_configuration_specifier(_ldb, object_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res) + + def test_172(self): + user_name = "testuser5" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Create example Configuration container + container_name = "test-container1" + object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) + self.delete_force(self.ldb_admin, object_dn) + # Create a custom security descriptor + desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" + self.create_configuration_container(_ldb, object_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual("O:DAG:DA", res) + + def test_173(self): + user_name = "testuser6" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Create example Configuration container + container_name = "test-container1" + object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) + self.delete_force(self.ldb_admin, object_dn) + # Create a custom security descriptor + desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" + self.create_configuration_container(_ldb, object_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual("O:DAG:DA", res) + + def test_174(self): + user_name = "testuser7" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Create example Configuration container + container_name = "test-container1" + object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) + self.delete_force(self.ldb_admin, object_dn) + # Create a custom security descriptor + desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" + self.create_configuration_container(_ldb, object_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual("O:DAG:DA", res) + + def test_175(self): + user_name = "testuser8" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Create example Configuration container + container_name = "test-container1" + object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) + self.delete_force(self.ldb_admin, object_dn) + # Create a custom security descriptor + desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" + self.create_configuration_container(_ldb, object_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual("O:DAG:DA", res) + + ######################################################################################## + # Inharitance tests for DACL + +class DaclDescriptorTests(DescriptorTests): + + def deleteAll(self): + self.delete_force(self.ldb_admin, "CN=test_inherit_group,OU=test_inherit_ou," + self.base_dn) + self.delete_force(self.ldb_admin, "OU=test_inherit_ou," + self.base_dn) + + def setUp(self): + super(DaclDescriptorTests, self).setUp() + self.deleteAll() + + def create_clean_ou(self, object_dn): + """ Base repeating setup for unittests to follow """ + res = self.ldb_admin.search(base=self.base_dn, scope=SCOPE_SUBTREE, \ + expression="distinguishedName=%s" % object_dn) + # Make sure top testing OU has been deleted before starting the test + self.assertEqual(res, []) + self.create_domain_ou(self.ldb_admin, object_dn) + desc_sddl = self.get_desc_sddl(object_dn) + # Make sure there are inheritable ACEs initially + self.assertTrue("CI" in desc_sddl or "OI" in desc_sddl) + # Find and remove all inherit ACEs + res = re.findall("\(.*?\)", desc_sddl) + res = [x for x in res if ("CI" in x) or ("OI" in x)] + for x in res: + desc_sddl = desc_sddl.replace(x, "") + # Add flag 'protected' in both DACL and SACL so no inherit ACEs + # can propagate from above + # remove SACL, we are not interested + desc_sddl = desc_sddl.replace(":AI", ":AIP") + self.modify_desc(self.ldb_admin, object_dn, desc_sddl) + # Verify all inheritable ACEs are gone + desc_sddl = self.get_desc_sddl(object_dn) + self.assertFalse("CI" in desc_sddl) + self.assertFalse("OI" in desc_sddl) + + def test_200(self): + """ OU with protected flag and child group. See if the group has inherit ACEs. + """ + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + # Create group child object + self.create_domain_group(self.ldb_admin, group_dn) + # Make sure created group object contains NO inherit ACEs + desc_sddl = self.get_desc_sddl(group_dn) + self.assertFalse("ID" in desc_sddl) + + def test_201(self): + """ OU with protected flag and no inherit ACEs, child group with custom descriptor. + Verify group has custom and default ACEs only. + """ + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + # Create group child object using custom security descriptor + sddl = "O:AUG:AUD:AI(D;;WP;;;DU)" + self.create_domain_group(self.ldb_admin, group_dn, sddl) + # Make sure created group descriptor has NO additional ACEs + desc_sddl = self.get_desc_sddl(group_dn) + self.assertEqual(desc_sddl, sddl) + sddl = "O:AUG:AUD:AI(D;;CC;;;LG)" + self.modify_desc(self.ldb_admin, group_dn, sddl) + desc_sddl = self.get_desc_sddl(group_dn) + self.assertEqual(desc_sddl, sddl) + + def test_202(self): + """ OU with protected flag and add couple non-inheritable ACEs, child group. + See if the group has any of the added ACEs. + """ + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + # Add some custom non-inheritable ACEs + mod = "(D;;WP;;;DU)(A;;RP;;;DU)" + moded = "(D;;CC;;;LG)" + self.dacl_add_ace(ou_dn, mod) + # Verify all inheritable ACEs are gone + desc_sddl = self.get_desc_sddl(ou_dn) + # Create group child object + self.create_domain_group(self.ldb_admin, group_dn) + # Make sure created group object contains NO inherit ACEs + # also make sure the added above non-inheritable ACEs are absent too + desc_sddl = self.get_desc_sddl(group_dn) + self.assertFalse("ID" in desc_sddl) + for x in re.findall("\(.*?\)", mod): + self.assertFalse(x in desc_sddl) + self.modify_desc(self.ldb_admin, group_dn, "D:" + moded) + desc_sddl = self.get_desc_sddl(group_dn) + self.assertFalse("ID" in desc_sddl) + for x in re.findall("\(.*?\)", mod): + self.assertFalse(x in desc_sddl) + + def test_203(self): + """ OU with protected flag and add 'CI' ACE, child group. + See if the group has the added inherited ACE. + """ + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + # Add some custom 'CI' ACE + mod = "(D;CI;WP;;;DU)" + moded = "(D;;CC;;;LG)" + self.dacl_add_ace(ou_dn, mod) + desc_sddl = self.get_desc_sddl(ou_dn) + # Create group child object + self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)") + # Make sure created group object contains only the above inherited ACE + # that we've added manually + desc_sddl = self.get_desc_sddl(group_dn) + mod = mod.replace(";CI;", ";CIID;") + self.assertTrue(mod in desc_sddl) + self.modify_desc(self.ldb_admin, group_dn, "D:" + moded) + desc_sddl = self.get_desc_sddl(group_dn) + self.assertTrue(moded in desc_sddl) + self.assertTrue(mod in desc_sddl) + + def test_204(self): + """ OU with protected flag and add 'OI' ACE, child group. + See if the group has the added inherited ACE. + """ + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + # Add some custom 'CI' ACE + mod = "(D;OI;WP;;;DU)" + moded = "(D;;CC;;;LG)" + self.dacl_add_ace(ou_dn, mod) + desc_sddl = self.get_desc_sddl(ou_dn) + # Create group child object + self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)") + # Make sure created group object contains only the above inherited ACE + # that we've added manually + desc_sddl = self.get_desc_sddl(group_dn) + mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like + self.assertTrue(mod in desc_sddl) + self.modify_desc(self.ldb_admin, group_dn, "D:" +moded) + desc_sddl = self.get_desc_sddl(group_dn) + self.assertTrue(moded in desc_sddl) + self.assertTrue(mod in desc_sddl) + + def test_205(self): + """ OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group. + See if the group has the added inherited ACE. + """ + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + # Add some custom 'OA' for 'name' attribute & 'CI' ACE + mod = "(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)" + moded = "(D;;CC;;;LG)" + self.dacl_add_ace(ou_dn, mod) + desc_sddl = self.get_desc_sddl(ou_dn) + # Create group child object + self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)") + # Make sure created group object contains only the above inherited ACE + # that we've added manually + desc_sddl = self.get_desc_sddl(group_dn) + mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like + self.assertTrue(mod in desc_sddl) + self.modify_desc(self.ldb_admin, group_dn, "D:" + moded) + desc_sddl = self.get_desc_sddl(group_dn) + self.assertTrue(moded in desc_sddl) + self.assertTrue(mod in desc_sddl) + + def test_206(self): + """ OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group. + See if the group has the added inherited ACE. + """ + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + # Add some custom 'OA' for 'name' attribute & 'OI' ACE + mod = "(OA;OI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)" + moded = "(D;;CC;;;LG)" + self.dacl_add_ace(ou_dn, mod) + desc_sddl = self.get_desc_sddl(ou_dn) + # Create group child object + self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)") + # Make sure created group object contains only the above inherited ACE + # that we've added manually + desc_sddl = self.get_desc_sddl(group_dn) + mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like + self.assertTrue(mod in desc_sddl) + self.modify_desc(self.ldb_admin, group_dn, "D:" + moded) + desc_sddl = self.get_desc_sddl(group_dn) + self.assertTrue(moded in desc_sddl) + self.assertTrue(mod in desc_sddl) + + def test_207(self): + """ OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group. + See if the group has the added inherited ACE. + """ + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + # Add some custom 'OA' for 'st' attribute (OU specific) & 'CI' ACE + mod = "(OA;CI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + moded = "(D;;CC;;;LG)" + self.dacl_add_ace(ou_dn, mod) + desc_sddl = self.get_desc_sddl(ou_dn) + # Create group child object + self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)") + # Make sure created group object contains only the above inherited ACE + # that we've added manually + desc_sddl = self.get_desc_sddl(group_dn) + mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like + self.assertTrue(mod in desc_sddl) + self.modify_desc(self.ldb_admin, group_dn, "D:" + moded) + desc_sddl = self.get_desc_sddl(group_dn) + self.assertTrue(moded in desc_sddl) + self.assertTrue(mod in desc_sddl) + + def test_208(self): + """ OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group. + See if the group has the added inherited ACE. + """ + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + # Add some custom 'OA' for 'st' attribute (OU specific) & 'OI' ACE + mod = "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + moded = "(D;;CC;;;LG)" + self.dacl_add_ace(ou_dn, mod) + desc_sddl = self.get_desc_sddl(ou_dn) + # Create group child object + self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)") + # Make sure created group object contains only the above inherited ACE + # that we've added manually + desc_sddl = self.get_desc_sddl(group_dn) + mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like + self.assertTrue(mod in desc_sddl) + self.modify_desc(self.ldb_admin, group_dn, "D:(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + moded) + desc_sddl = self.get_desc_sddl(group_dn) + self.assertTrue(moded in desc_sddl) + self.assertTrue(mod in desc_sddl) + + def test_209(self): + """ OU with protected flag and add 'CI' ACE with 'CO' SID, child group. + See if the group has the added inherited ACE. + """ + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + # Add some custom 'CI' ACE + mod = "(D;CI;WP;;;CO)" + moded = "(D;;CC;;;LG)" + self.dacl_add_ace(ou_dn, mod) + desc_sddl = self.get_desc_sddl(ou_dn) + # Create group child object + self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)") + # Make sure created group object contains only the above inherited ACE(s) + # that we've added manually + desc_sddl = self.get_desc_sddl(group_dn) + self.assertTrue("(D;ID;WP;;;AU)" in desc_sddl) + self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl) + self.modify_desc(self.ldb_admin, group_dn, "D:" + moded) + desc_sddl = self.get_desc_sddl(group_dn) + self.assertTrue(moded in desc_sddl) + self.assertTrue("(D;ID;WP;;;DA)" in desc_sddl) + self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl) + + def test_210(self): + """ OU with protected flag, provide ACEs with ID flag raised. Should be ignored. + """ + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + self.create_clean_ou(ou_dn) + # Add some custom ACE + mod = "D:(D;CIIO;WP;;;CO)(A;ID;WP;;;AU)" + self.create_domain_group(self.ldb_admin, group_dn, mod) + # Make sure created group object does not contain the ID ace + desc_sddl = self.get_desc_sddl(group_dn) + self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl) + + def test_211(self): + """ Provide ACE with CO SID, should be expanded and replaced + """ + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + # Add some custom 'CI' ACE + mod = "D:(D;CI;WP;;;CO)" + self.create_domain_group(self.ldb_admin, group_dn, mod) + desc_sddl = self.get_desc_sddl(group_dn) + self.assertTrue("(D;;WP;;;DA)(D;CIIO;WP;;;CO)" in desc_sddl) + + def test_212(self): + """ Provide ACE with IO flag, should be ignored + """ + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + # Add some custom 'CI' ACE + mod = "D:(D;CIIO;WP;;;CO)" + self.create_domain_group(self.ldb_admin, group_dn, mod) + # Make sure created group object contains only the above inherited ACE(s) + # that we've added manually + desc_sddl = self.get_desc_sddl(group_dn) + self.assertTrue("(D;CIIO;WP;;;CO)" in desc_sddl) + self.assertFalse("(D;;WP;;;DA)" in desc_sddl) + self.assertFalse("(D;CIIO;WP;;;CO)(D;CIIO;WP;;;CO)" in desc_sddl) + + def test_213(self): + """ Provide ACE with IO flag, should be ignored + """ + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + mod = "D:(D;IO;WP;;;DA)" + self.create_domain_group(self.ldb_admin, group_dn, mod) + # Make sure created group object contains only the above inherited ACE(s) + # that we've added manually + desc_sddl = self.get_desc_sddl(group_dn) + self.assertFalse("(D;IO;WP;;;DA)" in desc_sddl) + + ######################################################################################## + + +class SdFlagsDescriptorTests(DescriptorTests): + def deleteAll(self): + self.delete_force(self.ldb_admin, "OU=test_sdflags_ou," + self.base_dn) + + def setUp(self): + super(SdFlagsDescriptorTests, self).setUp() + self.test_descr = "O:AUG:AUD:(D;;CC;;;LG)S:(OU;;WP;;;AU)" + self.deleteAll() + + def test_301(self): + """ Modify a descriptor with OWNER_SECURITY_INFORMATION set. + See that only the owner has been changed. + """ + ou_dn = "OU=test_sdflags_ou," + self.base_dn + self.create_domain_ou(self.ldb_admin, ou_dn) + self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_OWNER)]) + desc_sddl = self.get_desc_sddl(ou_dn) + # make sure we have modified the owner + self.assertTrue("O:AU" in desc_sddl) + # make sure nothing else has been modified + self.assertFalse("G:AU" in desc_sddl) + self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl) + self.assertFalse("(OU;;WP;;;AU)" in desc_sddl) + + def test_302(self): + """ Modify a descriptor with GROUP_SECURITY_INFORMATION set. + See that only the owner has been changed. + """ + ou_dn = "OU=test_sdflags_ou," + self.base_dn + self.create_domain_ou(self.ldb_admin, ou_dn) + self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_GROUP)]) + desc_sddl = self.get_desc_sddl(ou_dn) + # make sure we have modified the group + self.assertTrue("G:AU" in desc_sddl) + # make sure nothing else has been modified + self.assertFalse("O:AU" in desc_sddl) + self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl) + self.assertFalse("(OU;;WP;;;AU)" in desc_sddl) + + def test_303(self): + """ Modify a descriptor with SACL_SECURITY_INFORMATION set. + See that only the owner has been changed. + """ + ou_dn = "OU=test_sdflags_ou," + self.base_dn + self.create_domain_ou(self.ldb_admin, ou_dn) + self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_DACL)]) + desc_sddl = self.get_desc_sddl(ou_dn) + # make sure we have modified the DACL + self.assertTrue("(D;;CC;;;LG)" in desc_sddl) + # make sure nothing else has been modified + self.assertFalse("O:AU" in desc_sddl) + self.assertFalse("G:AU" in desc_sddl) + self.assertFalse("(OU;;WP;;;AU)" in desc_sddl) + + def test_304(self): + """ Modify a descriptor with SACL_SECURITY_INFORMATION set. + See that only the owner has been changed. + """ + ou_dn = "OU=test_sdflags_ou," + self.base_dn + self.create_domain_ou(self.ldb_admin, ou_dn) + self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_SACL)]) + desc_sddl = self.get_desc_sddl(ou_dn) + # make sure we have modified the DACL + self.assertTrue("(OU;;WP;;;AU)" in desc_sddl) + # make sure nothing else has been modified + self.assertFalse("O:AU" in desc_sddl) + self.assertFalse("G:AU" in desc_sddl) + self.assertFalse("(D;;CC;;;LG)" in desc_sddl) + + def test_305(self): + """ Modify a descriptor with 0x0 set. + Contrary to logic this is interpreted as no control, + which is the same as 0xF + """ + ou_dn = "OU=test_sdflags_ou," + self.base_dn + self.create_domain_ou(self.ldb_admin, ou_dn) + self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:0"]) + desc_sddl = self.get_desc_sddl(ou_dn) + # make sure we have modified the DACL + self.assertTrue("(OU;;WP;;;AU)" in desc_sddl) + # make sure nothing else has been modified + self.assertTrue("O:AU" in desc_sddl) + self.assertTrue("G:AU" in desc_sddl) + self.assertTrue("(D;;CC;;;LG)" in desc_sddl) + + def test_306(self): + """ Modify a descriptor with 0xF set. + """ + ou_dn = "OU=test_sdflags_ou," + self.base_dn + self.create_domain_ou(self.ldb_admin, ou_dn) + self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:15"]) + desc_sddl = self.get_desc_sddl(ou_dn) + # make sure we have modified the DACL + self.assertTrue("(OU;;WP;;;AU)" in desc_sddl) + # make sure nothing else has been modified + self.assertTrue("O:AU" in desc_sddl) + self.assertTrue("G:AU" in desc_sddl) + self.assertTrue("(D;;CC;;;LG)" in desc_sddl) + + def test_307(self): + """ Read a descriptor with OWNER_SECURITY_INFORMATION + Only the owner part should be returned. + """ + ou_dn = "OU=test_sdflags_ou," + self.base_dn + self.create_domain_ou(self.ldb_admin, ou_dn) + desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_OWNER)]) + # make sure we have read the owner + self.assertTrue("O:" in desc_sddl) + # make sure we have read nothing else + self.assertFalse("G:" in desc_sddl) + self.assertFalse("D:" in desc_sddl) + self.assertFalse("S:" in desc_sddl) + + def test_308(self): + """ Read a descriptor with GROUP_SECURITY_INFORMATION + Only the group part should be returned. + """ + ou_dn = "OU=test_sdflags_ou," + self.base_dn + self.create_domain_ou(self.ldb_admin, ou_dn) + desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_GROUP)]) + # make sure we have read the owner + self.assertTrue("G:" in desc_sddl) + # make sure we have read nothing else + self.assertFalse("O:" in desc_sddl) + self.assertFalse("D:" in desc_sddl) + self.assertFalse("S:" in desc_sddl) + + def test_309(self): + """ Read a descriptor with SACL_SECURITY_INFORMATION + Only the sacl part should be returned. + """ + ou_dn = "OU=test_sdflags_ou," + self.base_dn + self.create_domain_ou(self.ldb_admin, ou_dn) + desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_SACL)]) + # make sure we have read the owner + self.assertTrue("S:" in desc_sddl) + # make sure we have read nothing else + self.assertFalse("O:" in desc_sddl) + self.assertFalse("D:" in desc_sddl) + self.assertFalse("G:" in desc_sddl) + + def test_310(self): + """ Read a descriptor with DACL_SECURITY_INFORMATION + Only the dacl part should be returned. + """ + ou_dn = "OU=test_sdflags_ou," + self.base_dn + self.create_domain_ou(self.ldb_admin, ou_dn) + desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_DACL)]) + # make sure we have read the owner + self.assertTrue("D:" in desc_sddl) + # make sure we have read nothing else + self.assertFalse("O:" in desc_sddl) + self.assertFalse("S:" in desc_sddl) + self.assertFalse("G:" in desc_sddl) + + +class RightsAttributesTests(DescriptorTests): + + def deleteAll(self): + self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr")) + self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr2")) + self.delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn) + + def setUp(self): + super(RightsAttributesTests, self).setUp() + self.deleteAll() + ### Create users + # User 1 + self.create_enable_user("testuser_attr") + # User 2, Domain Admins + self.create_enable_user("testuser_attr2") + self.add_user_to_group(self.ldb_admin, "testuser_attr2", "Domain Admins") + + def test_sDRightsEffective(self): + object_dn = "OU=test_domain_ou1," + self.base_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_domain_ou(self.ldb_admin, object_dn) + print self.get_users_domain_dn("testuser_attr") + user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr")) + #give testuser1 read access so attributes can be retrieved + mod = "(A;CI;RP;;;%s)" % str(user_sid) + self.dacl_add_ace(object_dn, mod) + _ldb = self.get_ldb_connection("testuser_attr", "samba123@") + res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE, + attrs=["sDRightsEffective"]) + #user whould have no rights at all + self.assertEquals(len(res), 1) + self.assertEquals(res[0]["sDRightsEffective"][0], "0") + #give the user Write DACL and see what happens + mod = "(A;CI;WD;;;%s)" % str(user_sid) + self.dacl_add_ace(object_dn, mod) + res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE, + attrs=["sDRightsEffective"]) + #user whould have DACL_SECURITY_INFORMATION + self.assertEquals(len(res), 1) + self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % SECINFO_DACL) + #give the user Write Owners and see what happens + mod = "(A;CI;WO;;;%s)" % str(user_sid) + self.dacl_add_ace(object_dn, mod) + res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE, + attrs=["sDRightsEffective"]) + #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION + self.assertEquals(len(res), 1) + self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER)) + #no way to grant security privilege bu adding ACE's so we use a memeber of Domain Admins + _ldb = self.get_ldb_connection("testuser_attr2", "samba123@") + res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE, + attrs=["sDRightsEffective"]) + #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION + self.assertEquals(len(res), 1) + self.assertEquals(res[0]["sDRightsEffective"][0], \ + ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER | SECINFO_SACL)) + + def test_allowedChildClassesEffective(self): + object_dn = "OU=test_domain_ou1," + self.base_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_domain_ou(self.ldb_admin, object_dn) + user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr")) + #give testuser1 read access so attributes can be retrieved + mod = "(A;CI;RP;;;%s)" % str(user_sid) + self.dacl_add_ace(object_dn, mod) + _ldb = self.get_ldb_connection("testuser_attr", "samba123@") + res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE, + attrs=["allowedChildClassesEffective"]) + #there should be no allowed child classes + self.assertEquals(len(res), 1) + self.assertFalse("allowedChildClassesEffective" in res[0].keys()) + #give the user the right to create children of type user + mod = "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid) + self.dacl_add_ace(object_dn, mod) + res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE, + attrs=["allowedChildClassesEffective"]) + # allowedChildClassesEffective should only have one value, user + self.assertEquals(len(res), 1) + self.assertEquals(len(res[0]["allowedChildClassesEffective"]), 1) + self.assertEquals(res[0]["allowedChildClassesEffective"][0], "user") + + def test_allowedAttributesEffective(self): + object_dn = "OU=test_domain_ou1," + self.base_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_domain_ou(self.ldb_admin, object_dn) + user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr")) + #give testuser1 read access so attributes can be retrieved + mod = "(A;CI;RP;;;%s)" % str(user_sid) + self.dacl_add_ace(object_dn, mod) + _ldb = self.get_ldb_connection("testuser_attr", "samba123@") + res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE, + attrs=["allowedAttributesEffective"]) + #there should be no allowed attributes + self.assertEquals(len(res), 1) + self.assertFalse("allowedAttributesEffective" in res[0].keys()) + #give the user the right to write displayName and managedBy + mod2 = "(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid) + mod = "(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;%s)" % str(user_sid) + # also rights to modify an read only attribute, fromEntry + mod3 = "(OA;CI;WP;9a7ad949-ca53-11d1-bbd0-0080c76670c0;;%s)" % str(user_sid) + self.dacl_add_ace(object_dn, mod + mod2 + mod3) + res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE, + attrs=["allowedAttributesEffective"]) + # value should only contain user and managedBy + self.assertEquals(len(res), 1) + self.assertEquals(len(res[0]["allowedAttributesEffective"]), 2) + self.assertTrue("displayName" in res[0]["allowedAttributesEffective"]) + self.assertTrue("managedBy" in res[0]["allowedAttributesEffective"]) + +if not "://" in host: + if os.path.isfile(host): + host = "tdb://%s" % host + else: + host = "ldap://%s" % host + +ldb = SamDB(host, credentials=creds, session_info=system_session(), lp=lp, options=["modules:paged_searches"]) + +runner = SubunitTestRunner() +rc = 0 +if not runner.run(unittest.makeSuite(OwnerGroupDescriptorTests)).wasSuccessful(): + rc = 1 +if not runner.run(unittest.makeSuite(DaclDescriptorTests)).wasSuccessful(): + rc = 1 +if not runner.run(unittest.makeSuite(SdFlagsDescriptorTests)).wasSuccessful(): + rc = 1 +if not runner.run(unittest.makeSuite(RightsAttributesTests)).wasSuccessful(): + rc = 1 +sys.exit(rc) diff --git a/source4/dsdb/tests/python/urgent_replication.py b/source4/dsdb/tests/python/urgent_replication.py new file mode 100755 index 0000000000..5e9f4ad128 --- /dev/null +++ b/source4/dsdb/tests/python/urgent_replication.py @@ -0,0 +1,386 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- + +import optparse +import sys +import os + +sys.path.append("bin/python") +import samba +samba.ensure_external_module("subunit", "subunit/python") +samba.ensure_external_module("testtools", "testtools") + +import samba.getopt as options + +from samba.auth import system_session +from ldb import (SCOPE_BASE, LdbError, ERR_NO_SUCH_OBJECT, Message, + MessageElement, Dn, FLAG_MOD_REPLACE) +from samba.samdb import SamDB +import samba.tests + +from subunit.run import SubunitTestRunner +import unittest + +parser = optparse.OptionParser("urgent_replication [options] ") +sambaopts = options.SambaOptions(parser) +parser.add_option_group(sambaopts) +parser.add_option_group(options.VersionOptions(parser)) +# use command line creds if available +credopts = options.CredentialsOptions(parser) +parser.add_option_group(credopts) +opts, args = parser.parse_args() + +if len(args) < 1: + parser.print_usage() + sys.exit(1) + +host = args[0] + +lp = sambaopts.get_loadparm() +creds = credopts.get_credentials(lp) + +class UrgentReplicationTests(samba.tests.TestCase): + + def delete_force(self, ldb, dn): + try: + ldb.delete(dn) + except LdbError, (num, _): + self.assertEquals(num, ERR_NO_SUCH_OBJECT) + + def find_basedn(self, ldb): + res = ldb.search(base="", expression="", scope=SCOPE_BASE, + attrs=["defaultNamingContext"]) + self.assertEquals(len(res), 1) + return res[0]["defaultNamingContext"][0] + + def setUp(self): + super(UrgentReplicationTests, self).setUp() + self.ldb = ldb + self.base_dn = self.find_basedn(ldb) + + print "baseDN: %s\n" % self.base_dn + + def test_nonurgent_object(self): + """Test if the urgent replication is not activated + when handling a non urgent object""" + self.ldb.add({ + "dn": "cn=nonurgenttest,cn=users," + self.base_dn, + "objectclass":"user", + "samaccountname":"nonurgenttest", + "description":"nonurgenttest description"}); + + # urgent replication should not be enabled when creating + res = self.ldb.load_partition_usn(self.base_dn) + self.assertNotEquals(res["uSNHighest"], res["uSNUrgent"]); + + # urgent replication should not be enabled when modifying + m = Message() + m.dn = Dn(ldb, "cn=nonurgenttest,cn=users," + self.base_dn) + m["description"] = MessageElement("new description", FLAG_MOD_REPLACE, + "description") + ldb.modify(m) + res = self.ldb.load_partition_usn(self.base_dn) + self.assertNotEquals(res["uSNHighest"], res["uSNUrgent"]); + + # urgent replication should not be enabled when deleting + self.delete_force(self.ldb, "cn=nonurgenttest,cn=users," + self.base_dn) + res = self.ldb.load_partition_usn(self.base_dn) + self.assertNotEquals(res["uSNHighest"], res["uSNUrgent"]); + + + def test_nTDSDSA_object(self): + '''Test if the urgent replication is activated + when handling a nTDSDSA object''' + self.ldb.add({ + "dn": "cn=test server,cn=Servers,cn=Default-First-Site-Name,cn=Sites,cn=Configuration," + self.base_dn, + "objectclass":"server", + "cn":"test server", + "name":"test server", + "systemFlags":"50000000"}); + + self.ldb.add_ldif( + """dn: cn=NTDS Settings test,cn=test server,cn=Servers,cn=Default-First-Site-Name,cn=Sites,cn=Configuration,%s""" % (self.base_dn) + """ +objectclass: nTDSDSA +cn: NTDS Settings test +options: 1 +instanceType: 4 +systemFlags: 33554432""", ["relax:0"]); + + # urgent replication should be enabled when creation + res = self.ldb.load_partition_usn("cn=Configuration," + self.base_dn) + self.assertEquals(res["uSNHighest"], res["uSNUrgent"]); + + # urgent replication should NOT be enabled when modifying + m = Message() + m.dn = Dn(ldb, "cn=NTDS Settings test,cn=test server,cn=Servers,cn=Default-First-Site-Name,cn=Sites,cn=Configuration," + self.base_dn) + m["options"] = MessageElement("0", FLAG_MOD_REPLACE, + "options") + ldb.modify(m) + res = self.ldb.load_partition_usn("cn=Configuration," + self.base_dn) + self.assertNotEquals(res["uSNHighest"], res["uSNUrgent"]); + + # urgent replication should be enabled when deleting + self.delete_force(self.ldb, "cn=NTDS Settings test,cn=test server,cn=Servers,cn=Default-First-Site-Name,cn=Sites,cn=Configuration," + self.base_dn) + res = self.ldb.load_partition_usn("cn=Configuration," + self.base_dn) + self.assertEquals(res["uSNHighest"], res["uSNUrgent"]); + + self.delete_force(self.ldb, "cn=test server,cn=Servers,cn=Default-First-Site-Name,cn=Sites,cn=Configuration," + self.base_dn) + + + def test_crossRef_object(self): + '''Test if the urgent replication is activated + when handling a crossRef object''' + self.ldb.add({ + "dn": "CN=test crossRef,CN=Partitions,CN=Configuration,"+ self.base_dn, + "objectClass": "crossRef", + "cn": "test crossRef", + "dnsRoot": lp.get("realm").lower(), + "instanceType": "4", + "nCName": self.base_dn, + "showInAdvancedViewOnly": "TRUE", + "name": "test crossRef", + "systemFlags": "1"}); + + # urgent replication should be enabled when creating + res = self.ldb.load_partition_usn("cn=Configuration," + self.base_dn) + self.assertEquals(res["uSNHighest"], res["uSNUrgent"]); + + # urgent replication should NOT be enabled when modifying + m = Message() + m.dn = Dn(ldb, "cn=test crossRef,CN=Partitions,CN=Configuration," + self.base_dn) + m["systemFlags"] = MessageElement("0", FLAG_MOD_REPLACE, + "systemFlags") + ldb.modify(m) + res = self.ldb.load_partition_usn("cn=Configuration," + self.base_dn) + self.assertNotEquals(res["uSNHighest"], res["uSNUrgent"]); + + + # urgent replication should be enabled when deleting + self.delete_force(self.ldb, "cn=test crossRef,CN=Partitions,CN=Configuration," + self.base_dn) + res = self.ldb.load_partition_usn("cn=Configuration," + self.base_dn) + self.assertEquals(res["uSNHighest"], res["uSNUrgent"]); + + + + def test_attributeSchema_object(self): + '''Test if the urgent replication is activated + when handling an attributeSchema object''' + + try: + self.ldb.add_ldif( + """dn: CN=test attributeSchema,cn=Schema,CN=Configuration,%s""" % self.base_dn + """ +objectClass: attributeSchema +cn: test attributeSchema +instanceType: 4 +isSingleValued: FALSE +showInAdvancedViewOnly: FALSE +attributeID: 0.9.2342.19200300.100.1.1 +attributeSyntax: 2.5.5.12 +adminDisplayName: test attributeSchema +adminDescription: test attributeSchema +oMSyntax: 64 +systemOnly: FALSE +searchFlags: 8 +lDAPDisplayName: test attributeSchema +name: test attributeSchema +systemFlags: 0""", ["relax:0"]); + + # urgent replication should be enabled when creating + res = self.ldb.load_partition_usn("cn=Schema,cn=Configuration," + self.base_dn) + self.assertEquals(res["uSNHighest"], res["uSNUrgent"]); + + except LdbError: + print "Not testing urgent replication when creating attributeSchema object ...\n" + + # urgent replication should be enabled when modifying + m = Message() + m.dn = Dn(ldb, "CN=test attributeSchema,CN=Schema,CN=Configuration," + self.base_dn) + m["lDAPDisplayName"] = MessageElement("updated test attributeSchema", FLAG_MOD_REPLACE, + "lDAPDisplayName") + ldb.modify(m) + res = self.ldb.load_partition_usn("cn=Schema,cn=Configuration," + self.base_dn) + self.assertEquals(res["uSNHighest"], res["uSNUrgent"]); + + + def test_classSchema_object(self): + '''Test if the urgent replication is activated + when handling a classSchema object''' + try: + self.ldb.add_ldif( + """dn: CN=test classSchema,CN=Schema,CN=Configuration,%s""" % self.base_dn + """ +objectClass: classSchema +cn: test classSchema +instanceType: 4 +subClassOf: top +governsID: 1.2.840.113556.1.5.999 +rDNAttID: cn +showInAdvancedViewOnly: TRUE +adminDisplayName: test classSchema +adminDescription: test classSchema +objectClassCategory: 1 +lDAPDisplayName: test classSchema +name: test classSchema +systemOnly: FALSE +systemPossSuperiors: dfsConfiguration +systemMustContain: msDFS-SchemaMajorVersion +defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCD + CLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;CO) +systemFlags: 16 +defaultHidingValue: TRUE""", ["relax:0"]); + + # urgent replication should be enabled when creating + res = self.ldb.load_partition_usn("cn=Schema,cn=Configuration," + self.base_dn) + self.assertEquals(res["uSNHighest"], res["uSNUrgent"]); + + except LdbError: + print "Not testing urgent replication when creating classSchema object ...\n" + + # urgent replication should be enabled when modifying + m = Message() + m.dn = Dn(ldb, "CN=test classSchema,CN=Schema,CN=Configuration," + self.base_dn) + m["lDAPDisplayName"] = MessageElement("updated test classSchema", FLAG_MOD_REPLACE, + "lDAPDisplayName") + ldb.modify(m) + res = self.ldb.load_partition_usn("cn=Schema,cn=Configuration," + self.base_dn) + self.assertEquals(res["uSNHighest"], res["uSNUrgent"]); + + + def test_secret_object(self): + '''Test if the urgent replication is activated + when handling a secret object''' + + self.ldb.add({ + "dn": "cn=test secret,cn=System," + self.base_dn, + "objectClass":"secret", + "cn":"test secret", + "name":"test secret", + "currentValue":"xxxxxxx"}); + + + # urgent replication should be enabled when creating + res = self.ldb.load_partition_usn(self.base_dn) + self.assertEquals(res["uSNHighest"], res["uSNUrgent"]); + + # urgent replication should be enabled when modifying + m = Message() + m.dn = Dn(ldb, "cn=test secret,cn=System," + self.base_dn) + m["currentValue"] = MessageElement("yyyyyyyy", FLAG_MOD_REPLACE, + "currentValue") + ldb.modify(m) + res = self.ldb.load_partition_usn(self.base_dn) + self.assertEquals(res["uSNHighest"], res["uSNUrgent"]); + + # urgent replication should NOT be enabled when deleting + self.delete_force(self.ldb, "cn=test secret,cn=System," + self.base_dn) + res = self.ldb.load_partition_usn(self.base_dn) + self.assertNotEquals(res["uSNHighest"], res["uSNUrgent"]); + + + def test_rIDManager_object(self): + '''Test if the urgent replication is activated + when handling a rIDManager object''' + self.ldb.add_ldif( + """dn: CN=RID Manager test,CN=System,%s""" % self.base_dn + """ +objectClass: rIDManager +cn: RID Manager test +instanceType: 4 +showInAdvancedViewOnly: TRUE +name: RID Manager test +systemFlags: -1946157056 +isCriticalSystemObject: TRUE +rIDAvailablePool: 133001-1073741823""", ["relax:0"]) + + # urgent replication should be enabled when creating + res = self.ldb.load_partition_usn(self.base_dn) + self.assertEquals(res["uSNHighest"], res["uSNUrgent"]); + + # urgent replication should be enabled when modifying + m = Message() + m.dn = Dn(ldb, "CN=RID Manager test,CN=System," + self.base_dn) + m["systemFlags"] = MessageElement("0", FLAG_MOD_REPLACE, + "systemFlags") + ldb.modify(m) + res = self.ldb.load_partition_usn(self.base_dn) + self.assertEquals(res["uSNHighest"], res["uSNUrgent"]); + + # urgent replication should NOT be enabled when deleting + self.delete_force(self.ldb, "CN=RID Manager test,CN=System," + self.base_dn) + res = self.ldb.load_partition_usn(self.base_dn) + self.assertNotEquals(res["uSNHighest"], res["uSNUrgent"]); + + + def test_urgent_attributes(self): + '''Test if the urgent replication is activated + when handling urgent attributes of an object''' + + self.ldb.add({ + "dn": "cn=user UrgAttr test,cn=users," + self.base_dn, + "objectclass":"user", + "samaccountname":"user UrgAttr test", + "userAccountControl":"1", + "lockoutTime":"0", + "pwdLastSet":"0", + "description":"urgent attributes test description"}); + + # urgent replication should NOT be enabled when creating + res = self.ldb.load_partition_usn(self.base_dn) + self.assertNotEquals(res["uSNHighest"], res["uSNUrgent"]); + + # urgent replication should be enabled when modifying userAccountControl + m = Message() + m.dn = Dn(ldb, "cn=user UrgAttr test,cn=users," + self.base_dn) + m["userAccountControl"] = MessageElement("0", FLAG_MOD_REPLACE, + "userAccountControl") + ldb.modify(m) + res = self.ldb.load_partition_usn(self.base_dn) + self.assertEquals(res["uSNHighest"], res["uSNUrgent"]); + + # urgent replication should be enabled when modifying lockoutTime + m = Message() + m.dn = Dn(ldb, "cn=user UrgAttr test,cn=users," + self.base_dn) + m["lockoutTime"] = MessageElement("1", FLAG_MOD_REPLACE, + "lockoutTime") + ldb.modify(m) + res = self.ldb.load_partition_usn(self.base_dn) + self.assertEquals(res["uSNHighest"], res["uSNUrgent"]); + + # urgent replication should be enabled when modifying pwdLastSet + m = Message() + m.dn = Dn(ldb, "cn=user UrgAttr test,cn=users," + self.base_dn) + m["pwdLastSet"] = MessageElement("1", FLAG_MOD_REPLACE, + "pwdLastSet") + ldb.modify(m) + res = self.ldb.load_partition_usn(self.base_dn) + self.assertEquals(res["uSNHighest"], res["uSNUrgent"]); + + # urgent replication should NOT be enabled when modifying a not-urgent + # attribute + m = Message() + m.dn = Dn(ldb, "cn=user UrgAttr test,cn=users," + self.base_dn) + m["description"] = MessageElement("updated urgent attributes test description", + FLAG_MOD_REPLACE, "description") + ldb.modify(m) + res = self.ldb.load_partition_usn(self.base_dn) + self.assertNotEquals(res["uSNHighest"], res["uSNUrgent"]); + + # urgent replication should NOT be enabled when deleting + self.delete_force(self.ldb, "cn=user UrgAttr test,cn=users," + self.base_dn) + res = self.ldb.load_partition_usn(self.base_dn) + self.assertNotEquals(res["uSNHighest"], res["uSNUrgent"]); + + +if not "://" in host: + if os.path.isfile(host): + host = "tdb://%s" % host + else: + host = "ldap://%s" % host + + +ldb = SamDB(host, credentials=creds, session_info=system_session(), lp=lp, + global_schema=False) + +runner = SubunitTestRunner() +rc = 0 +if not runner.run(unittest.makeSuite(UrgentReplicationTests)).wasSuccessful(): + rc = 1 +sys.exit(rc) diff --git a/source4/lib/ldb/tests/python/acl.py b/source4/lib/ldb/tests/python/acl.py deleted file mode 100755 index 5bf3ff9b1b..0000000000 --- a/source4/lib/ldb/tests/python/acl.py +++ /dev/null @@ -1,1042 +0,0 @@ -#!/usr/bin/env python -# -*- coding: utf-8 -*- -# This is unit with tests for LDAP access checks - -import optparse -import sys -import base64 -import re - -sys.path.append("bin/python") -import samba -samba.ensure_external_module("subunit", "subunit/python") -samba.ensure_external_module("testtools", "testtools") - -import samba.getopt as options - -from ldb import ( - SCOPE_BASE, LdbError, ERR_NO_SUCH_OBJECT, ERR_INSUFFICIENT_ACCESS_RIGHTS) - -from samba.ndr import ndr_pack, ndr_unpack -from samba.dcerpc import security - -from samba.auth import system_session -from samba import gensec -from samba.samdb import SamDB -from samba.credentials import Credentials -import samba.tests -from subunit.run import SubunitTestRunner -import unittest - -parser = optparse.OptionParser("ldap [options] ") -sambaopts = options.SambaOptions(parser) -parser.add_option_group(sambaopts) -parser.add_option_group(options.VersionOptions(parser)) - -# use command line creds if available -credopts = options.CredentialsOptions(parser) -parser.add_option_group(credopts) -opts, args = parser.parse_args() - -if len(args) < 1: - parser.print_usage() - sys.exit(1) - -host = args[0] - -lp = sambaopts.get_loadparm() -creds = credopts.get_credentials(lp) -creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL) - -# -# Tests start here -# - -class AclTests(samba.tests.TestCase): - - def delete_force(self, ldb, dn): - try: - ldb.delete(dn) - except LdbError, (num, _): - self.assertEquals(num, ERR_NO_SUCH_OBJECT) - - def find_basedn(self, ldb): - res = ldb.search(base="", expression="", scope=SCOPE_BASE, - attrs=["defaultNamingContext"]) - self.assertEquals(len(res), 1) - return res[0]["defaultNamingContext"][0] - - def find_domain_sid(self, ldb): - res = ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_BASE) - return ndr_unpack(security.dom_sid,res[0]["objectSid"][0]) - - def setUp(self): - super(AclTests, self).setUp() - self.ldb_admin = ldb - self.base_dn = self.find_basedn(self.ldb_admin) - self.domain_sid = self.find_domain_sid(self.ldb_admin) - self.user_pass = "samba123@" - print "baseDN: %s" % self.base_dn - - def get_user_dn(self, name): - return "CN=%s,CN=Users,%s" % (name, self.base_dn) - - def modify_desc(self, object_dn, desc): - """ Modify security descriptor using either SDDL string - or security.descriptor object - """ - assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) - mod = """ -dn: """ + object_dn + """ -changetype: modify -replace: nTSecurityDescriptor -""" - if isinstance(desc, str): - mod += "nTSecurityDescriptor: %s" % desc - elif isinstance(desc, security.descriptor): - mod += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) - self.ldb_admin.modify_ldif(mod) - - def add_group_member(self, _ldb, group_dn, member_dn): - """ Modify user to ge member of a group - e.g. User to be 'Doamin Admin' group member - """ - ldif = """ -dn: """ + group_dn + """ -changetype: modify -add: member -member: """ + member_dn - _ldb.modify_ldif(ldif) - - def create_ou(self, _ldb, ou_dn, desc=None): - ldif = """ -dn: """ + ou_dn + """ -ou: """ + ou_dn.split(",")[0][3:] + """ -objectClass: organizationalUnit -url: www.example.com -""" - if desc: - assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) - if isinstance(desc, str): - ldif += "nTSecurityDescriptor: %s" % desc - elif isinstance(desc, security.descriptor): - ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) - _ldb.add_ldif(ldif) - - def create_active_user(self, _ldb, user_dn): - ldif = """ -dn: """ + user_dn + """ -sAMAccountName: """ + user_dn.split(",")[0][3:] + """ -objectClass: user -unicodePwd:: """ + base64.b64encode("\"samba123@\"".encode('utf-16-le')) + """ -url: www.example.com -""" - _ldb.add_ldif(ldif) - - def create_test_user(self, _ldb, user_dn, desc=None): - ldif = """ -dn: """ + user_dn + """ -sAMAccountName: """ + user_dn.split(",")[0][3:] + """ -objectClass: user -userPassword: """ + self.user_pass + """ -url: www.example.com -""" - if desc: - assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) - if isinstance(desc, str): - ldif += "nTSecurityDescriptor: %s" % desc - elif isinstance(desc, security.descriptor): - ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) - _ldb.add_ldif(ldif) - - def create_group(self, _ldb, group_dn, desc=None): - ldif = """ -dn: """ + group_dn + """ -objectClass: group -sAMAccountName: """ + group_dn.split(",")[0][3:] + """ -groupType: 2147483650 -url: www.example.com -""" - if desc: - assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) - if isinstance(desc, str): - ldif += "nTSecurityDescriptor: %s" % desc - elif isinstance(desc, security.descriptor): - ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) - _ldb.add_ldif(ldif) - - def read_desc(self, object_dn): - res = self.ldb_admin.search(object_dn, SCOPE_BASE, None, ["nTSecurityDescriptor"]) - desc = res[0]["nTSecurityDescriptor"][0] - return ndr_unpack(security.descriptor, desc) - - def get_ldb_connection(self, target_username, target_password): - creds_tmp = Credentials() - creds_tmp.set_username(target_username) - creds_tmp.set_password(target_password) - creds_tmp.set_domain(creds.get_domain()) - creds_tmp.set_realm(creds.get_realm()) - creds_tmp.set_workstation(creds.get_workstation()) - creds_tmp.set_gensec_features(creds_tmp.get_gensec_features() - | gensec.FEATURE_SEAL) - ldb_target = SamDB(url=host, credentials=creds_tmp, lp=lp) - return ldb_target - - def get_object_sid(self, object_dn): - res = self.ldb_admin.search(object_dn) - return ndr_unpack(security.dom_sid, res[0]["objectSid"][0]) - - def dacl_add_ace(self, object_dn, ace): - desc = self.read_desc(object_dn) - desc_sddl = desc.as_sddl(self.domain_sid) - if ace in desc_sddl: - return - if desc_sddl.find("(") >= 0: - desc_sddl = desc_sddl[:desc_sddl.index("(")] + ace + desc_sddl[desc_sddl.index("("):] - else: - desc_sddl = desc_sddl + ace - self.modify_desc(object_dn, desc_sddl) - - def get_desc_sddl(self, object_dn): - """ Return object nTSecutiryDescriptor in SDDL format - """ - desc = self.read_desc(object_dn) - return desc.as_sddl(self.domain_sid) - - # Test if we have any additional groups for users than default ones - def assert_user_no_group_member(self, username): - res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s)" % self.get_user_dn(username)) - try: - self.assertEqual(res[0]["memberOf"][0], "") - except KeyError: - pass - else: - self.fail() - - def create_enable_user(self, username): - self.create_active_user(self.ldb_admin, self.get_user_dn(username)) - self.ldb_admin.enable_account("(sAMAccountName=" + username + ")") - -#tests on ldap add operations -class AclAddTests(AclTests): - - def setUp(self): - super(AclAddTests, self).setUp() - # Domain admin that will be creator of OU parent-child structure - self.usr_admin_owner = "acl_add_user1" - # Second domain admin that will not be creator of OU parent-child structure - self.usr_admin_not_owner = "acl_add_user2" - # Regular user - self.regular_user = "acl_add_user3" - self.create_enable_user(self.usr_admin_owner) - self.create_enable_user(self.usr_admin_not_owner) - self.create_enable_user(self.regular_user) - - # add admins to the Domain Admins group - self.add_group_member(self.ldb_admin, "CN=Domain Admins,CN=Users," + self.base_dn, \ - self.get_user_dn(self.usr_admin_owner)) - self.add_group_member(self.ldb_admin, "CN=Domain Admins,CN=Users," + self.base_dn, \ - self.get_user_dn(self.usr_admin_not_owner)) - - self.ldb_owner = self.get_ldb_connection(self.usr_admin_owner, self.user_pass) - self.ldb_notowner = self.get_ldb_connection(self.usr_admin_not_owner, self.user_pass) - self.ldb_user = self.get_ldb_connection(self.regular_user, self.user_pass) - - def tearDown(self): - super(AclAddTests, self).tearDown() - self.delete_force(self.ldb_admin, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) - self.delete_force(self.ldb_admin, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) - self.delete_force(self.ldb_admin, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) - self.delete_force(self.ldb_admin, "OU=test_add_ou1," + self.base_dn) - self.delete_force(self.ldb_admin, self.get_user_dn(self.usr_admin_owner)) - self.delete_force(self.ldb_admin, self.get_user_dn(self.usr_admin_not_owner)) - self.delete_force(self.ldb_admin, self.get_user_dn(self.regular_user)) - - # Make sure top OU is deleted (and so everything under it) - def assert_top_ou_deleted(self): - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s,%s)" % ( - "OU=test_add_ou1", self.base_dn)) - self.assertEqual(res, []) - - def test_add_u1(self): - """Testing OU with the rights of Doman Admin not creator of the OU """ - self.assert_top_ou_deleted() - # Change descriptor for top level OU - self.create_ou(self.ldb_owner, "OU=test_add_ou1," + self.base_dn) - self.create_ou(self.ldb_owner, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) - user_sid = self.get_object_sid(self.get_user_dn(self.usr_admin_not_owner)) - mod = "(D;CI;WPCC;;;%s)" % str(user_sid) - self.dacl_add_ace("OU=test_add_ou1," + self.base_dn, mod) - # Test user and group creation with another domain admin's credentials - self.create_test_user(self.ldb_notowner, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) - self.create_group(self.ldb_notowner, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) - # Make sure we HAVE created the two objects -- user and group - # !!! We should not be able to do that, but however beacuse of ACE ordering our inherited Deny ACE - # !!! comes after explicit (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) that comes from somewhere - res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s,%s)" % ("CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn)) - self.assertTrue(len(res) > 0) - res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s,%s)" % ("CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn)) - self.assertTrue(len(res) > 0) - - def test_add_u2(self): - """Testing OU with the regular user that has no rights granted over the OU """ - self.assert_top_ou_deleted() - # Create a parent-child OU structure with domain admin credentials - self.create_ou(self.ldb_owner, "OU=test_add_ou1," + self.base_dn) - self.create_ou(self.ldb_owner, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) - # Test user and group creation with regular user credentials - try: - self.create_test_user(self.ldb_user, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) - self.create_group(self.ldb_user, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) - except LdbError, (num, _): - self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) - else: - self.fail() - # Make sure we HAVEN'T created any of two objects -- user or group - res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s,%s)" % ("CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn)) - self.assertEqual(res, []) - res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s,%s)" % ("CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn)) - self.assertEqual(res, []) - - def test_add_u3(self): - """Testing OU with the rights of regular user granted the right 'Create User child objects' """ - self.assert_top_ou_deleted() - # Change descriptor for top level OU - self.create_ou(self.ldb_owner, "OU=test_add_ou1," + self.base_dn) - user_sid = self.get_object_sid(self.get_user_dn(self.regular_user)) - mod = "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid) - self.dacl_add_ace("OU=test_add_ou1," + self.base_dn, mod) - self.create_ou(self.ldb_owner, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) - # Test user and group creation with granted user only to one of the objects - self.create_test_user(self.ldb_user, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) - try: - self.create_group(self.ldb_user, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) - except LdbError, (num, _): - self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) - else: - self.fail() - # Make sure we HAVE created the one of two objects -- user - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s,%s)" % - ("CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1", - self.base_dn)) - self.assertNotEqual(len(res), 0) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s,%s)" % - ("CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1", - self.base_dn) ) - self.assertEqual(res, []) - - def test_add_u4(self): - """ 4 Testing OU with the rights of Doman Admin creator of the OU""" - self.assert_top_ou_deleted() - self.create_ou(self.ldb_owner, "OU=test_add_ou1," + self.base_dn) - self.create_ou(self.ldb_owner, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) - self.create_test_user(self.ldb_owner, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) - self.create_group(self.ldb_owner, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) - # Make sure we have successfully created the two objects -- user and group - res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s,%s)" % ("CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn)) - self.assertTrue(len(res) > 0) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s,%s)" % ("CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn)) - self.assertTrue(len(res) > 0) - -#tests on ldap modify operations -class AclModifyTests(AclTests): - - def setUp(self): - super(AclModifyTests, self).setUp() - self.user_with_wp = "acl_mod_user1" - self.user_with_sm = "acl_mod_user2" - self.user_with_group_sm = "acl_mod_user3" - self.create_enable_user(self.user_with_wp) - self.create_enable_user(self.user_with_sm) - self.create_enable_user(self.user_with_group_sm) - self.ldb_user = self.get_ldb_connection(self.user_with_wp, self.user_pass) - self.ldb_user2 = self.get_ldb_connection(self.user_with_sm, self.user_pass) - self.ldb_user3 = self.get_ldb_connection(self.user_with_group_sm, self.user_pass) - self.user_sid = self.get_object_sid( self.get_user_dn(self.user_with_wp)) - self.create_group(self.ldb_admin, "CN=test_modify_group2,CN=Users," + self.base_dn) - self.create_group(self.ldb_admin, "CN=test_modify_group3,CN=Users," + self.base_dn) - self.create_test_user(self.ldb_admin, self.get_user_dn("test_modify_user2")) - - def tearDown(self): - super(AclModifyTests, self).tearDown() - self.delete_force(self.ldb_admin, self.get_user_dn("test_modify_user1")) - self.delete_force(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn) - self.delete_force(self.ldb_admin, "CN=test_modify_group2,CN=Users," + self.base_dn) - self.delete_force(self.ldb_admin, "CN=test_modify_group3,CN=Users," + self.base_dn) - self.delete_force(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn) - self.delete_force(self.ldb_admin, self.get_user_dn(self.user_with_wp)) - self.delete_force(self.ldb_admin, self.get_user_dn(self.user_with_sm)) - self.delete_force(self.ldb_admin, self.get_user_dn(self.user_with_group_sm)) - self.delete_force(self.ldb_admin, self.get_user_dn("test_modify_user2")) - - def test_modify_u1(self): - """5 Modify one attribute if you have DS_WRITE_PROPERTY for it""" - mod = "(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(self.user_sid) - # First test object -- User - print "Testing modify on User object" - self.create_test_user(self.ldb_admin, self.get_user_dn("test_modify_user1")) - self.dacl_add_ace(self.get_user_dn("test_modify_user1"), mod) - ldif = """ -dn: """ + self.get_user_dn("test_modify_user1") + """ -changetype: modify -replace: displayName -displayName: test_changed""" - self.ldb_user.modify_ldif(ldif) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s)" % self.get_user_dn("test_modify_user1")) - self.assertEqual(res[0]["displayName"][0], "test_changed") - # Second test object -- Group - print "Testing modify on Group object" - self.create_group(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn) - self.dacl_add_ace("CN=test_modify_group1,CN=Users," + self.base_dn, mod) - ldif = """ -dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """ -changetype: modify -replace: displayName -displayName: test_changed""" - self.ldb_user.modify_ldif(ldif) - res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s)" % str("CN=test_modify_group1,CN=Users," + self.base_dn)) - self.assertEqual(res[0]["displayName"][0], "test_changed") - # Third test object -- Organizational Unit - print "Testing modify on OU object" - #self.delete_force(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn) - self.create_ou(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn) - self.dacl_add_ace("OU=test_modify_ou1," + self.base_dn, mod) - ldif = """ -dn: OU=test_modify_ou1,""" + self.base_dn + """ -changetype: modify -replace: displayName -displayName: test_changed""" - self.ldb_user.modify_ldif(ldif) - res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s)" % str("OU=test_modify_ou1," + self.base_dn)) - self.assertEqual(res[0]["displayName"][0], "test_changed") - - def _test_modify_u2(self): - """6 Modify two attributes as you have DS_WRITE_PROPERTY granted only for one of them""" - mod = "(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(self.user_sid) - # First test object -- User - print "Testing modify on User object" - #self.delete_force(self.ldb_admin, self.get_user_dn("test_modify_user1")) - self.create_test_user(self.ldb_admin, self.get_user_dn("test_modify_user1")) - self.dacl_add_ace(self.get_user_dn("test_modify_user1"), mod) - # Modify on attribute you have rights for - ldif = """ -dn: """ + self.get_user_dn("test_modify_user1") + """ -changetype: modify -replace: displayName -displayName: test_changed""" - self.ldb_user.modify_ldif(ldif) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s)" % - self.get_user_dn("test_modify_user1")) - self.assertEqual(res[0]["displayName"][0], "test_changed") - # Modify on attribute you do not have rights for granted - ldif = """ -dn: """ + self.get_user_dn("test_modify_user1") + """ -changetype: modify -replace: url -url: www.samba.org""" - try: - self.ldb_user.modify_ldif(ldif) - except LdbError, (num, _): - self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) - else: - # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS - self.fail() - # Second test object -- Group - print "Testing modify on Group object" - self.create_group(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn) - self.dacl_add_ace("CN=test_modify_group1,CN=Users," + self.base_dn, mod) - ldif = """ -dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """ -changetype: modify -replace: displayName -displayName: test_changed""" - self.ldb_user.modify_ldif(ldif) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s)" % - str("CN=test_modify_group1,CN=Users," + self.base_dn)) - self.assertEqual(res[0]["displayName"][0], "test_changed") - # Modify on attribute you do not have rights for granted - ldif = """ -dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """ -changetype: modify -replace: url -url: www.samba.org""" - try: - self.ldb_user.modify_ldif(ldif) - except LdbError, (num, _): - self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) - else: - # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS - self.fail() - # Second test object -- Organizational Unit - print "Testing modify on OU object" - self.create_ou(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn) - self.dacl_add_ace("OU=test_modify_ou1," + self.base_dn, mod) - ldif = """ -dn: OU=test_modify_ou1,""" + self.base_dn + """ -changetype: modify -replace: displayName -displayName: test_changed""" - self.ldb_user.modify_ldif(ldif) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s)" % str("OU=test_modify_ou1," - + self.base_dn)) - self.assertEqual(res[0]["displayName"][0], "test_changed") - # Modify on attribute you do not have rights for granted - ldif = """ -dn: OU=test_modify_ou1,""" + self.base_dn + """ -changetype: modify -replace: url -url: www.samba.org""" - try: - self.ldb_user.modify_ldif(ldif) - except LdbError, (num, _): - self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) - else: - # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS - self.fail() - - def test_modify_u3(self): - """7 Modify one attribute as you have no what so ever rights granted""" - # First test object -- User - print "Testing modify on User object" - self.create_test_user(self.ldb_admin, self.get_user_dn("test_modify_user1")) - # Modify on attribute you do not have rights for granted - ldif = """ -dn: """ + self.get_user_dn("test_modify_user1") + """ -changetype: modify -replace: url -url: www.samba.org""" - try: - self.ldb_user.modify_ldif(ldif) - except LdbError, (num, _): - self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) - else: - # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS - self.fail() - - # Second test object -- Group - print "Testing modify on Group object" - self.create_group(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn) - # Modify on attribute you do not have rights for granted - ldif = """ -dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """ -changetype: modify -replace: url -url: www.samba.org""" - try: - self.ldb_user.modify_ldif(ldif) - except LdbError, (num, _): - self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) - else: - # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS - self.fail() - - # Second test object -- Organizational Unit - print "Testing modify on OU object" - #self.delete_force(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn) - self.create_ou(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn) - # Modify on attribute you do not have rights for granted - ldif = """ -dn: OU=test_modify_ou1,""" + self.base_dn + """ -changetype: modify -replace: url -url: www.samba.org""" - try: - self.ldb_user.modify_ldif(ldif) - except LdbError, (num, _): - self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) - else: - # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS - self.fail() - - - def test_modify_u4(self): - """11 Grant WP to PRINCIPAL_SELF and test modify""" - ldif = """ -dn: """ + self.get_user_dn(self.user_with_wp) + """ -changetype: modify -add: adminDescription -adminDescription: blah blah blah""" - try: - self.ldb_user.modify_ldif(ldif) - except LdbError, (num, _): - self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) - else: - # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS - self.fail() - - mod = "(OA;;WP;bf967919-0de6-11d0-a285-00aa003049e2;;PS)" - self.dacl_add_ace(self.get_user_dn(self.user_with_wp), mod) - # Modify on attribute you have rights for - self.ldb_user.modify_ldif(ldif) - res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s)" \ - % self.get_user_dn(self.user_with_wp), attrs=["adminDescription"] ) - self.assertEqual(res[0]["adminDescription"][0], "blah blah blah") - - def test_modify_u5(self): - """12 test self membership""" - ldif = """ -dn: CN=test_modify_group2,CN=Users,""" + self.base_dn + """ -changetype: modify -add: Member -Member: """ + self.get_user_dn(self.user_with_sm) -#the user has no rights granted, this should fail - try: - self.ldb_user2.modify_ldif(ldif) - except LdbError, (num, _): - self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) - else: - # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS - self.fail() - -#grant self-membership, should be able to add himself - user_sid = self.get_object_sid(self.get_user_dn(self.user_with_sm)) - mod = "(OA;;SW;bf9679c0-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid) - self.dacl_add_ace("CN=test_modify_group2,CN=Users," + self.base_dn, mod) - self.ldb_user2.modify_ldif(ldif) - res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \ - % ("CN=test_modify_group2,CN=Users," + self.base_dn), attrs=["Member"]) - self.assertEqual(res[0]["Member"][0], self.get_user_dn(self.user_with_sm)) -#but not other users - ldif = """ -dn: CN=test_modify_group2,CN=Users,""" + self.base_dn + """ -changetype: modify -add: Member -Member: CN=test_modify_user2,CN=Users,""" + self.base_dn - try: - self.ldb_user2.modify_ldif(ldif) - except LdbError, (num, _): - self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) - else: - self.fail() - - def test_modify_u6(self): - """13 test self membership""" - ldif = """ -dn: CN=test_modify_group2,CN=Users,""" + self.base_dn + """ -changetype: modify -add: Member -Member: """ + self.get_user_dn(self.user_with_sm) + """ -Member: CN=test_modify_user2,CN=Users,""" + self.base_dn - -#grant self-membership, should be able to add himself but not others at the same time - user_sid = self.get_object_sid(self.get_user_dn(self.user_with_sm)) - mod = "(OA;;SW;bf9679c0-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid) - self.dacl_add_ace("CN=test_modify_group2,CN=Users," + self.base_dn, mod) - try: - self.ldb_user2.modify_ldif(ldif) - except LdbError, (num, _): - self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) - else: - self.fail() - - def test_modify_u7(self): - """13 User with WP modifying Member""" -#a second user is given write property permission - user_sid = self.get_object_sid(self.get_user_dn(self.user_with_wp)) - mod = "(OA;;WP;;;%s)" % str(user_sid) - self.dacl_add_ace("CN=test_modify_group2,CN=Users," + self.base_dn, mod) - ldif = """ -dn: CN=test_modify_group2,CN=Users,""" + self.base_dn + """ -changetype: modify -add: Member -Member: """ + self.get_user_dn(self.user_with_wp) - self.ldb_user.modify_ldif(ldif) - res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \ - % ("CN=test_modify_group2,CN=Users," + self.base_dn), attrs=["Member"]) - self.assertEqual(res[0]["Member"][0], self.get_user_dn(self.user_with_wp)) - ldif = """ -dn: CN=test_modify_group2,CN=Users,""" + self.base_dn + """ -changetype: modify -delete: Member""" - self.ldb_user.modify_ldif(ldif) - ldif = """ -dn: CN=test_modify_group2,CN=Users,""" + self.base_dn + """ -changetype: modify -add: Member -Member: CN=test_modify_user2,CN=Users,""" + self.base_dn - self.ldb_user.modify_ldif(ldif) - res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \ - % ("CN=test_modify_group2,CN=Users," + self.base_dn), attrs=["Member"]) - self.assertEqual(res[0]["Member"][0], "CN=test_modify_user2,CN=Users," + self.base_dn) - -#enable these when we have search implemented -class AclSearchTests(AclTests): - - def setUp(self): - super(AclTests, self).setUp() - self.regular_user = "acl_search_user1" - self.create_enable_user(self.regular_user) - self.ldb_user = self.get_ldb_connection(self.regular_user, self.user_pass) - - def tearDown(self): - super(AclSearchTests, self).tearDown() - self.delete_force(self.ldb_admin, "CN=test_search_user1,OU=test_search_ou1," + self.base_dn) - self.delete_force(self.ldb_admin, "OU=test_search_ou1," + self.base_dn) - self.delete_force(self.ldb_admin, self.get_user_dn(self.regular_user)) - - def test_search_u1(self): - """See if can prohibit user to read another User object""" - ou_dn = "OU=test_search_ou1," + self.base_dn - user_dn = "CN=test_search_user1," + ou_dn - # Create clean OU - self.delete_force(self.ldb_admin, ou_dn) - self.create_ou(self.ldb_admin, ou_dn) - desc = self.read_desc(ou_dn) - desc_sddl = desc.as_sddl(self.domain_sid) - # Parse descriptor's SDDL and remove all inherited ACEs reffering - # to 'Registered Users' or 'Authenticated Users' - desc_aces = re.findall("\(.*?\)", desc_sddl) - for ace in desc_aces: - if ("I" in ace) and (("RU" in ace) or ("AU" in ace)): - desc_sddl = desc_sddl.replace(ace, "") - # Add 'P' in the DACL so it breaks further inheritance - desc_sddl = desc_sddl.replace("D:AI(", "D:PAI(") - # Create a security descriptor object and OU with that descriptor - desc = security.descriptor.from_sddl(desc_sddl, self.domain_sid) - self.delete_force(self.ldb_admin, ou_dn) - self.create_ou(self.ldb_admin, ou_dn, desc) - # Create clean user - self.delete_force(self.ldb_admin, user_dn) - self.create_test_user(self.ldb_admin, user_dn) - desc = self.read_desc(user_dn) - desc_sddl = desc.as_sddl(self.domain_sid) - # Parse security descriptor SDDL and remove all 'Read' ACEs - # reffering to AU - desc_aces = re.findall("\(.*?\)", desc_sddl) - for ace in desc_aces: - if ("AU" in ace) and ("R" in ace): - desc_sddl = desc_sddl.replace(ace, "") - # Create user with the edited descriptor - desc = security.descriptor.from_sddl(desc_sddl, self.domain_sid) - self.delete_force(self.ldb_admin, user_dn) - self.create_test_user(self.ldb_admin, user_dn, desc) - - res = self.ldb_user.search(self.base_dn, - expression="(distinguishedName=%s)" % user_dn) - self.assertEqual(res, []) - - def test_search_u2(self): - """User's group ACEs cleared and after that granted RIGHT_DS_READ_PROPERTY to another User object""" - ou_dn = "OU=test_search_ou1," + self.base_dn - user_dn = "CN=test_search_user1," + ou_dn - # Create clean OU - self.delete_force(self.ldb_admin, ou_dn) - self.create_ou(self.ldb_admin, ou_dn) - desc = self.read_desc(ou_dn) - desc_sddl = desc.as_sddl(self.domain_sid) - # Parse descriptor's SDDL and remove all inherited ACEs reffering - # to 'Registered Users' or 'Authenticated Users' - desc_aces = re.findall("\(.*?\)", desc_sddl) - for ace in desc_aces: - if ("I" in ace) and (("RU" in ace) or ("AU" in ace)): - desc_sddl = desc_sddl.replace(ace, "") - # Add 'P' in the DACL so it breaks further inheritance - desc_sddl = desc_sddl.replace("D:AI(", "D:PAI(") - # Create a security descriptor object and OU with that descriptor - desc = security.descriptor.from_sddl(desc_sddl, self.domain_sid) - self.delete_force(self.ldb_admin, ou_dn) - self.create_ou(self.ldb_admin, ou_dn, desc) - # Create clean user - self.delete_force(self.ldb_admin, user_dn) - self.create_test_user(self.ldb_admin, user_dn) - # Parse security descriptor SDDL and remove all 'Read' ACEs - # reffering to AU - desc_aces = re.findall("\(.*?\)", desc_sddl) - for ace in desc_aces: - if ("AU" in ace) and ("R" in ace): - desc_sddl = desc_sddl.replace(ace, "") - #mod = "(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)" - mod = "(A;;RP;;;AU)" - self.dacl_add_ace(user_dn, mod) - res = self.ldb_user.search(self.base_dn, - expression="(distinguishedName=%s)" % user_dn) - self.assertNotEqual(res, []) - -#tests on ldap delete operations -class AclDeleteTests(AclTests): - - def setUp(self): - super(AclDeleteTests, self).setUp() - self.regular_user = "acl_delete_user1" - # Create regular user - self.create_enable_user(self.regular_user) - self.ldb_user = self.get_ldb_connection(self.regular_user, self.user_pass) - - def tearDown(self): - super(AclDeleteTests, self).tearDown() - self.delete_force(self.ldb_admin, self.get_user_dn("test_delete_user1")) - self.delete_force(self.ldb_admin, self.get_user_dn(self.regular_user)) - - def test_delete_u1(self): - """User is prohibited by default to delete another User object""" - # Create user that we try to delete - self.create_test_user(self.ldb_admin, self.get_user_dn("test_delete_user1")) - # Here delete User object should ALWAYS through exception - try: - self.ldb_user.delete(self.get_user_dn("test_delete_user1")) - except LdbError, (num, _): - self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) - else: - self.fail() - - def test_delete_u2(self): - """User's group has RIGHT_DELETE to another User object""" - user_dn = self.get_user_dn("test_delete_user1") - # Create user that we try to delete - self.create_test_user(self.ldb_admin, user_dn) - mod = "(A;;SD;;;AU)" - self.dacl_add_ace(user_dn, mod) - # Try to delete User object - self.ldb_user.delete(user_dn) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s)" % user_dn) - self.assertEqual(res, []) - - def test_delete_u3(self): - """User indentified by SID has RIGHT_DELETE to another User object""" - user_dn = self.get_user_dn("test_delete_user1") - # Create user that we try to delete - self.create_test_user(self.ldb_admin, user_dn) - mod = "(A;;SD;;;%s)" % self.get_object_sid(self.get_user_dn(self.regular_user)) - self.dacl_add_ace(user_dn, mod) - # Try to delete User object - self.ldb_user.delete(user_dn) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s)" % user_dn) - self.assertEqual(res, []) - -#tests on ldap rename operations -class AclRenameTests(AclTests): - - def setUp(self): - super(AclRenameTests, self).setUp() - self.regular_user = "acl_rename_user1" - - # Create regular user - self.create_enable_user(self.regular_user) - self.ldb_user = self.get_ldb_connection(self.regular_user, self.user_pass) - - def tearDown(self): - super(AclRenameTests, self).tearDown() - # Rename OU3 - self.delete_force(self.ldb_admin, "CN=test_rename_user1,OU=test_rename_ou3,OU=test_rename_ou2," + self.base_dn) - self.delete_force(self.ldb_admin, "CN=test_rename_user2,OU=test_rename_ou3,OU=test_rename_ou2," + self.base_dn) - self.delete_force(self.ldb_admin, "CN=test_rename_user5,OU=test_rename_ou3,OU=test_rename_ou2," + self.base_dn) - self.delete_force(self.ldb_admin, "OU=test_rename_ou3,OU=test_rename_ou2," + self.base_dn) - # Rename OU2 - self.delete_force(self.ldb_admin, "CN=test_rename_user1,OU=test_rename_ou2," + self.base_dn) - self.delete_force(self.ldb_admin, "CN=test_rename_user2,OU=test_rename_ou2," + self.base_dn) - self.delete_force(self.ldb_admin, "CN=test_rename_user5,OU=test_rename_ou2," + self.base_dn) - self.delete_force(self.ldb_admin, "OU=test_rename_ou2," + self.base_dn) - # Rename OU1 - self.delete_force(self.ldb_admin, "CN=test_rename_user1,OU=test_rename_ou1," + self.base_dn) - self.delete_force(self.ldb_admin, "CN=test_rename_user2,OU=test_rename_ou1," + self.base_dn) - self.delete_force(self.ldb_admin, "CN=test_rename_user5,OU=test_rename_ou1," + self.base_dn) - self.delete_force(self.ldb_admin, "OU=test_rename_ou3,OU=test_rename_ou1," + self.base_dn) - self.delete_force(self.ldb_admin, "OU=test_rename_ou1," + self.base_dn) - self.delete_force(self.ldb_admin, self.get_user_dn(self.regular_user)) - - def test_rename_u1(self): - """Regular user fails to rename 'User object' within single OU""" - # Create OU structure - self.create_ou(self.ldb_admin, "OU=test_rename_ou1," + self.base_dn) - self.create_test_user(self.ldb_admin, "CN=test_rename_user1,OU=test_rename_ou1," + self.base_dn) - try: - self.ldb_user.rename("CN=test_rename_user1,OU=test_rename_ou1," + self.base_dn, \ - "CN=test_rename_user5,OU=test_rename_ou1," + self.base_dn) - except LdbError, (num, _): - self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) - else: - self.fail() - - def test_rename_u2(self): - """Grant WRITE_PROPERTY to AU so regular user can rename 'User object' within single OU""" - ou_dn = "OU=test_rename_ou1," + self.base_dn - user_dn = "CN=test_rename_user1," + ou_dn - rename_user_dn = "CN=test_rename_user5," + ou_dn - # Create OU structure - self.create_ou(self.ldb_admin, ou_dn) - self.create_test_user(self.ldb_admin, user_dn) - mod = "(A;;WP;;;AU)" - self.dacl_add_ace(user_dn, mod) - # Rename 'User object' having WP to AU - self.ldb_user.rename(user_dn, rename_user_dn) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s)" % user_dn) - self.assertEqual(res, []) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s)" % rename_user_dn) - self.assertNotEqual(res, []) - - def test_rename_u3(self): - """Test rename with rights granted to 'User object' SID""" - ou_dn = "OU=test_rename_ou1," + self.base_dn - user_dn = "CN=test_rename_user1," + ou_dn - rename_user_dn = "CN=test_rename_user5," + ou_dn - # Create OU structure - self.create_ou(self.ldb_admin, ou_dn) - self.create_test_user(self.ldb_admin, user_dn) - sid = self.get_object_sid(self.get_user_dn(self.regular_user)) - mod = "(A;;WP;;;%s)" % str(sid) - self.dacl_add_ace(user_dn, mod) - # Rename 'User object' having WP to AU - self.ldb_user.rename(user_dn, rename_user_dn) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s)" % user_dn) - self.assertEqual(res, []) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s)" % rename_user_dn) - self.assertNotEqual(res, []) - - def test_rename_u4(self): - """Rename 'User object' cross OU with WP, SD and CC right granted on reg. user to AU""" - ou1_dn = "OU=test_rename_ou1," + self.base_dn - ou2_dn = "OU=test_rename_ou2," + self.base_dn - user_dn = "CN=test_rename_user2," + ou1_dn - rename_user_dn = "CN=test_rename_user5," + ou2_dn - # Create OU structure - self.create_ou(self.ldb_admin, ou1_dn) - self.create_ou(self.ldb_admin, ou2_dn) - self.create_test_user(self.ldb_admin, user_dn) - mod = "(A;;WPSD;;;AU)" - self.dacl_add_ace(user_dn, mod) - mod = "(A;;CC;;;AU)" - self.dacl_add_ace(ou2_dn, mod) - # Rename 'User object' having SD and CC to AU - self.ldb_user.rename(user_dn, rename_user_dn) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s)" % user_dn) - self.assertEqual(res, []) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s)" % rename_user_dn) - self.assertNotEqual(res, []) - - def test_rename_u5(self): - """Test rename with rights granted to 'User object' SID""" - ou1_dn = "OU=test_rename_ou1," + self.base_dn - ou2_dn = "OU=test_rename_ou2," + self.base_dn - user_dn = "CN=test_rename_user2," + ou1_dn - rename_user_dn = "CN=test_rename_user5," + ou2_dn - # Create OU structure - self.create_ou(self.ldb_admin, ou1_dn) - self.create_ou(self.ldb_admin, ou2_dn) - self.create_test_user(self.ldb_admin, user_dn) - sid = self.get_object_sid(self.get_user_dn(self.regular_user)) - mod = "(A;;WPSD;;;%s)" % str(sid) - self.dacl_add_ace(user_dn, mod) - mod = "(A;;CC;;;%s)" % str(sid) - self.dacl_add_ace(ou2_dn, mod) - # Rename 'User object' having SD and CC to AU - self.ldb_user.rename(user_dn, rename_user_dn) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s)" % user_dn) - self.assertEqual(res, []) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s)" % rename_user_dn) - self.assertNotEqual(res, []) - - def test_rename_u6(self): - """Rename 'User object' cross OU with WP, DC and CC right granted on OU & user to AU""" - ou1_dn = "OU=test_rename_ou1," + self.base_dn - ou2_dn = "OU=test_rename_ou2," + self.base_dn - user_dn = "CN=test_rename_user2," + ou1_dn - rename_user_dn = "CN=test_rename_user2," + ou2_dn - # Create OU structure - self.create_ou(self.ldb_admin, ou1_dn) - self.create_ou(self.ldb_admin, ou2_dn) - #mod = "(A;CI;DCWP;;;AU)" - mod = "(A;;DC;;;AU)" - self.dacl_add_ace(ou1_dn, mod) - mod = "(A;;CC;;;AU)" - self.dacl_add_ace(ou2_dn, mod) - self.create_test_user(self.ldb_admin, user_dn) - mod = "(A;;WP;;;AU)" - self.dacl_add_ace(user_dn, mod) - # Rename 'User object' having SD and CC to AU - self.ldb_user.rename(user_dn, rename_user_dn) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s)" % user_dn) - self.assertEqual(res, []) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s)" % rename_user_dn) - self.assertNotEqual(res, []) - - def test_rename_u7(self): - """Rename 'User object' cross OU (second level) with WP, DC and CC right granted on OU to AU""" - ou1_dn = "OU=test_rename_ou1," + self.base_dn - ou2_dn = "OU=test_rename_ou2," + self.base_dn - ou3_dn = "OU=test_rename_ou3," + ou2_dn - user_dn = "CN=test_rename_user2," + ou1_dn - rename_user_dn = "CN=test_rename_user5," + ou3_dn - # Create OU structure - self.create_ou(self.ldb_admin, ou1_dn) - self.create_ou(self.ldb_admin, ou2_dn) - self.create_ou(self.ldb_admin, ou3_dn) - mod = "(A;CI;WPDC;;;AU)" - self.dacl_add_ace(ou1_dn, mod) - mod = "(A;;CC;;;AU)" - self.dacl_add_ace(ou3_dn, mod) - self.create_test_user(self.ldb_admin, user_dn) - # Rename 'User object' having SD and CC to AU - self.ldb_user.rename(user_dn, rename_user_dn) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s)" % user_dn) - self.assertEqual(res, []) - res = self.ldb_admin.search(self.base_dn, - expression="(distinguishedName=%s)" % rename_user_dn) - self.assertNotEqual(res, []) - - def test_rename_u8(self): - """Test rename on an object with and without modify access on the RDN attribute""" - ou1_dn = "OU=test_rename_ou1," + self.base_dn - ou2_dn = "OU=test_rename_ou2," + ou1_dn - ou3_dn = "OU=test_rename_ou3," + ou1_dn - # Create OU structure - self.create_ou(self.ldb_admin, ou1_dn) - self.create_ou(self.ldb_admin, ou2_dn) - sid = self.get_object_sid(self.get_user_dn(self.regular_user)) - mod = "(OA;;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;%s)" % str(sid) - self.dacl_add_ace(ou2_dn, mod) - mod = "(OD;;WP;bf9679f0-0de6-11d0-a285-00aa003049e2;;%s)" % str(sid) - self.dacl_add_ace(ou2_dn, mod) - try: - self.ldb_user.rename(ou2_dn, ou3_dn) - except LdbError, (num, _): - self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS) - else: - # This rename operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS - self.fail() - sid = self.get_object_sid(self.get_user_dn(self.regular_user)) - mod = "(A;;WP;bf9679f0-0de6-11d0-a285-00aa003049e2;;%s)" % str(sid) - self.dacl_add_ace(ou2_dn, mod) - self.ldb_user.rename(ou2_dn, ou3_dn) - res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s)" % ou2_dn) - self.assertEqual(res, []) - res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s)" % ou3_dn) - self.assertNotEqual(res, []) - -# Important unit running information - -if not "://" in host: - host = "ldap://%s" % host -ldb = SamDB(host, credentials=creds, session_info=system_session(), lp=lp) - -runner = SubunitTestRunner() -rc = 0 -if not runner.run(unittest.makeSuite(AclAddTests)).wasSuccessful(): - rc = 1 -if not runner.run(unittest.makeSuite(AclModifyTests)).wasSuccessful(): - rc = 1 -if not runner.run(unittest.makeSuite(AclDeleteTests)).wasSuccessful(): - rc = 1 -if not runner.run(unittest.makeSuite(AclRenameTests)).wasSuccessful(): - rc = 1 -sys.exit(rc) diff --git a/source4/lib/ldb/tests/python/deletetest.py b/source4/lib/ldb/tests/python/deletetest.py deleted file mode 100755 index aa93104c04..0000000000 --- a/source4/lib/ldb/tests/python/deletetest.py +++ /dev/null @@ -1,201 +0,0 @@ -#!/usr/bin/env python -# -*- coding: utf-8 -*- - -import optparse -import sys -import os - -sys.path.append("bin/python") -import samba -samba.ensure_external_module("subunit", "subunit/python") -samba.ensure_external_module("testtools", "testtools") - -import samba.getopt as options - -from samba.auth import system_session -from ldb import SCOPE_BASE, LdbError -from ldb import ERR_NO_SUCH_OBJECT -from samba import Ldb - -from subunit.run import SubunitTestRunner -import unittest - -parser = optparse.OptionParser("deletetest.py [options] ") -sambaopts = options.SambaOptions(parser) -parser.add_option_group(sambaopts) -parser.add_option_group(options.VersionOptions(parser)) -# use command line creds if available -credopts = options.CredentialsOptions(parser) -parser.add_option_group(credopts) -opts, args = parser.parse_args() - -if len(args) < 1: - parser.print_usage() - sys.exit(1) - -host = args[0] - -lp = sambaopts.get_loadparm() -creds = credopts.get_credentials(lp) - -class BasicDeleteTests(unittest.TestCase): - - def delete_force(self, ldb, dn): - try: - ldb.delete(dn) - except LdbError, (num, _): - self.assertEquals(num, ERR_NO_SUCH_OBJECT) - - def GUID_string(self, guid): - return self.ldb.schema_format_value("objectGUID", guid) - - def find_basedn(self, ldb): - res = ldb.search(base="", expression="", scope=SCOPE_BASE, - attrs=["defaultNamingContext"]) - self.assertEquals(len(res), 1) - return res[0]["defaultNamingContext"][0] - - def setUp(self): - self.ldb = ldb - self.base_dn = self.find_basedn(ldb) - - def search_guid(self,guid): - print "SEARCH by GUID %s" % self.GUID_string(guid) - - expression = "(objectGUID=%s)" % self.GUID_string(guid) - res = ldb.search(expression=expression, - controls=["show_deleted:1"]) - self.assertEquals(len(res), 1) - return res[0] - - def search_dn(self,dn): - print "SEARCH by DN %s" % dn - - res = ldb.search(expression="(objectClass=*)", - base=dn, - scope=SCOPE_BASE, - controls=["show_deleted:1"]) - self.assertEquals(len(res), 1) - return res[0] - - def del_attr_values(self, delObj): - print "Checking attributes for %s" % delObj["dn"] - - self.assertEquals(delObj["isDeleted"][0],"TRUE") - self.assertTrue(not("objectCategory" in delObj)) - self.assertTrue(not("sAMAccountType" in delObj)) - - def preserved_attributes_list(self, liveObj, delObj): - print "Checking for preserved attributes list" - - preserved_list = ["nTSecurityDescriptor", "attributeID", "attributeSyntax", "dNReferenceUpdate", "dNSHostName", - "flatName", "governsID", "groupType", "instanceType", "lDAPDisplayName", "legacyExchangeDN", - "isDeleted", "isRecycled", "lastKnownParent", "msDS-LastKnownRDN", "mS-DS-CreatorSID", - "mSMQOwnerID", "nCName", "objectClass", "distinguishedName", "objectGUID", "objectSid", - "oMSyntax", "proxiedObjectName", "name", "replPropertyMetaData", "sAMAccountName", - "securityIdentifier", "sIDHistory", "subClassOf", "systemFlags", "trustPartner", "trustDirection", - "trustType", "trustAttributes", "userAccountControl", "uSNChanged", "uSNCreated", "whenCreated"] - - for a in liveObj: - if a in preserved_list: - self.assertTrue(a in delObj) - - def check_rdn(self, liveObj, delObj, rdnName): - print "Checking for correct rDN" - rdn=liveObj[rdnName][0] - rdn2=delObj[rdnName][0] - name2=delObj[rdnName][0] - guid=liveObj["objectGUID"][0] - self.assertEquals(rdn2, rdn + "\nDEL:" + self.GUID_string(guid)) - self.assertEquals(name2, rdn + "\nDEL:" + self.GUID_string(guid)) - - def delete_deleted(self, ldb, dn): - print "Testing the deletion of the already deleted dn %s" % dn - - try: - ldb.delete(dn) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_NO_SUCH_OBJECT) - - def test_all(self): - """Basic delete tests""" - - print self.base_dn - - dn1="cn=testuser,cn=users," + self.base_dn - dn2="cn=testuser2,cn=users," + self.base_dn - grp1="cn=testdelgroup1,cn=users," + self.base_dn - - self.delete_force(self.ldb, dn1) - self.delete_force(self.ldb, dn2) - self.delete_force(self.ldb, grp1) - - ldb.add({ - "dn": dn1, - "objectclass": "user", - "cn": "testuser", - "description": "test user description", - "samaccountname": "testuser"}) - - ldb.add({ - "dn": dn2, - "objectclass": "user", - "cn": "testuser2", - "description": "test user 2 description", - "samaccountname": "testuser2"}) - - ldb.add({ - "dn": grp1, - "objectclass": "group", - "cn": "testdelgroup1", - "description": "test group", - "samaccountname": "testdelgroup1", - "member": [ dn1, dn2 ] }) - - objLive1 = self.search_dn(dn1) - guid1=objLive1["objectGUID"][0] - - objLive2 = self.search_dn(dn2) - guid2=objLive2["objectGUID"][0] - - objLive3 = self.search_dn(grp1) - guid3=objLive3["objectGUID"][0] - - ldb.delete(dn1) - ldb.delete(dn2) - ldb.delete(grp1) - - objDeleted1 = self.search_guid(guid1) - objDeleted2 = self.search_guid(guid2) - objDeleted3 = self.search_guid(guid3) - - self.del_attr_values(objDeleted1) - self.del_attr_values(objDeleted2) - self.del_attr_values(objDeleted3) - - self.preserved_attributes_list(objLive1, objDeleted1) - self.preserved_attributes_list(objLive2, objDeleted2) - - self.check_rdn(objLive1, objDeleted1, "cn") - self.check_rdn(objLive2, objDeleted2, "cn") - self.check_rdn(objLive3, objDeleted3, "cn") - - self.delete_deleted(ldb, dn1) - self.delete_deleted(ldb, dn2) - self.delete_deleted(ldb, grp1) - -if not "://" in host: - if os.path.isfile(host): - host = "tdb://%s" % host - else: - host = "ldap://%s" % host - -ldb = Ldb(host, credentials=creds, session_info=system_session(), lp=lp) - -runner = SubunitTestRunner() -rc = 0 -if not runner.run(unittest.makeSuite(BasicDeleteTests)).wasSuccessful(): - rc = 1 - -sys.exit(rc) diff --git a/source4/lib/ldb/tests/python/dsdb_schema_info.py b/source4/lib/ldb/tests/python/dsdb_schema_info.py deleted file mode 100755 index ff3c7f9b98..0000000000 --- a/source4/lib/ldb/tests/python/dsdb_schema_info.py +++ /dev/null @@ -1,213 +0,0 @@ -#!/usr/bin/env python -# -*- coding: utf-8 -*- -# -# Unix SMB/CIFS implementation. -# Copyright (C) Kamen Mazdrashki 2010 -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -# - -# -# Usage: -# export DC_SERVER=target_dc_or_local_samdb_url -# export SUBUNITRUN=$samba4srcdir/scripting/bin/subunitrun -# PYTHONPATH="$PYTHONPATH:$samba4srcdir/lib/ldb/tests/python" $SUBUNITRUN dsdb_schema_info -U"$DOMAIN/$DC_USERNAME"%"$DC_PASSWORD" -# - -import sys -import time -import random -import os - -sys.path.append("bin/python") -import samba -samba.ensure_external_module("subunit", "subunit/python") -samba.ensure_external_module("testtools", "testtools") - -from samba.auth import system_session -from ldb import SCOPE_BASE, LdbError -from samba.samdb import SamDB - -import samba.tests -import samba.dcerpc.drsuapi -from samba.dcerpc.drsblobs import schemaInfoBlob -from samba.ndr import ndr_unpack -from samba.dcerpc.misc import GUID - - -class SchemaInfoTestCase(samba.tests.TestCase): - - def setUp(self): - super(SchemaInfoTestCase, self).setUp() - - # fetch rootDSE - self.ldb = ldb - res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"]) - self.assertEquals(len(res), 1) - self.schema_dn = res[0]["schemaNamingContext"][0] - self.base_dn = res[0]["defaultNamingContext"][0] - self.forest_level = int(res[0]["forestFunctionality"][0]) - - # get DC invocation_id - self.invocation_id = GUID(ldb.get_invocation_id()) - - def tearDown(self): - super(SchemaInfoTestCase, self).tearDown() - - def _getSchemaInfo(self): - try: - schema_info_data = ldb.searchone(attribute="schemaInfo", - basedn=self.schema_dn, - expression="(objectClass=*)", - scope=SCOPE_BASE) - self.assertEqual(len(schema_info_data), 21) - schema_info = ndr_unpack(schemaInfoBlob, schema_info_data) - self.assertEqual(schema_info.marker, 0xFF) - except KeyError: - # create default schemaInfo if - # attribute value is not created yet - schema_info = schemaInfoBlob() - schema_info.revision = 0 - schema_info.invocation_id = self.invocation_id - return schema_info - - def _checkSchemaInfo(self, schi_before, schi_after): - self.assertEqual(schi_before.revision + 1, schi_after.revision) - self.assertEqual(schi_before.invocation_id, schi_after.invocation_id) - self.assertEqual(schi_after.invocation_id, self.invocation_id) - - def _ldap_schemaUpdateNow(self): - ldif = """ -dn: -changetype: modify -add: schemaUpdateNow -schemaUpdateNow: 1 -""" - self.ldb.modify_ldif(ldif) - - def _make_obj_names(self, prefix): - obj_name = prefix + time.strftime("%s", time.gmtime()) - obj_ldap_name = obj_name.replace("-", "") - obj_dn = "CN=%s,%s" % (obj_name, self.schema_dn) - return (obj_name, obj_ldap_name, obj_dn) - - def _make_attr_ldif(self, attr_name, attr_dn): - ldif = """ -dn: """ + attr_dn + """ -objectClass: top -objectClass: attributeSchema -adminDescription: """ + attr_name + """ -adminDisplayName: """ + attr_name + """ -cn: """ + attr_name + """ -attributeId: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9940 -attributeSyntax: 2.5.5.12 -omSyntax: 64 -instanceType: 4 -isSingleValued: TRUE -systemOnly: FALSE -""" - return ldif - - def test_AddModifyAttribute(self): - # get initial schemaInfo - schi_before = self._getSchemaInfo() - - # create names for an attribute to add - (attr_name, attr_ldap_name, attr_dn) = self._make_obj_names("schemaInfo-Attr-") - ldif = self._make_attr_ldif(attr_name, attr_dn) - - # add the new attribute - self.ldb.add_ldif(ldif) - self._ldap_schemaUpdateNow() - # compare resulting schemaInfo - schi_after = self._getSchemaInfo() - self._checkSchemaInfo(schi_before, schi_after) - - # rename the Attribute - attr_dn_new = attr_dn.replace(attr_name, attr_name + "-NEW") - try: - self.ldb.rename(attr_dn, attr_dn_new) - except LdbError, (num, _): - self.fail("failed to change lDAPDisplayName for %s: %s" % (attr_name, _)) - - # compare resulting schemaInfo - schi_after = self._getSchemaInfo() - self._checkSchemaInfo(schi_before, schi_after) - pass - - - def _make_class_ldif(self, class_name, class_dn): - ldif = """ -dn: """ + class_dn + """ -objectClass: top -objectClass: classSchema -adminDescription: """ + class_name + """ -adminDisplayName: """ + class_name + """ -cn: """ + class_name + """ -governsId: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939 -instanceType: 4 -objectClassCategory: 1 -subClassOf: organizationalPerson -rDNAttID: cn -systemMustContain: cn -systemOnly: FALSE -""" - return ldif - - def test_AddModifyClass(self): - # get initial schemaInfo - schi_before = self._getSchemaInfo() - - # create names for a Class to add - (class_name, class_ldap_name, class_dn) = self._make_obj_names("schemaInfo-Class-") - ldif = self._make_class_ldif(class_name, class_dn) - - # add the new Class - self.ldb.add_ldif(ldif) - self._ldap_schemaUpdateNow() - # compare resulting schemaInfo - schi_after = self._getSchemaInfo() - self._checkSchemaInfo(schi_before, schi_after) - - # rename the Class - class_dn_new = class_dn.replace(class_name, class_name + "-NEW") - try: - self.ldb.rename(class_dn, class_dn_new) - except LdbError, (num, _): - self.fail("failed to change lDAPDisplayName for %s: %s" % (class_name, _)) - - # compare resulting schemaInfo - schi_after = self._getSchemaInfo() - self._checkSchemaInfo(schi_before, schi_after) - - -######################################################################################## -if not "DC_SERVER" in os.environ.keys(): - raise AssertionError("Please supply TARGET_DC in environment") -ldb_url = os.environ["DC_SERVER"] - -ldb_options = [] -if not "://" in ldb_url: - if os.path.isfile(ldb_url): - ldb_url = "tdb://%s" % ldb_url - else: - ldb_url = "ldap://%s" % ldb_url - # user 'paged_search' module when connecting remotely - ldb_options = ["modules:paged_searches"] - -ldb = SamDB(url=ldb_url, - lp=samba.tests.env_loadparm(), - session_info=system_session(), - credentials=samba.tests.cmdline_credentials, - options=ldb_options) diff --git a/source4/lib/ldb/tests/python/ldap.py b/source4/lib/ldb/tests/python/ldap.py deleted file mode 100755 index de8e89b7f8..0000000000 --- a/source4/lib/ldb/tests/python/ldap.py +++ /dev/null @@ -1,2688 +0,0 @@ -#!/usr/bin/env python -# -*- coding: utf-8 -*- -# This is a port of the original in testprogs/ejs/ldap.js - -import optparse -import sys -import time -import base64 -import os - -sys.path.append("bin/python") -import samba -samba.ensure_external_module("subunit", "subunit/python") -samba.ensure_external_module("testtools", "testtools") - -import samba.getopt as options - -from samba.auth import system_session -from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError -from ldb import ERR_NO_SUCH_OBJECT, ERR_ATTRIBUTE_OR_VALUE_EXISTS -from ldb import ERR_ENTRY_ALREADY_EXISTS, ERR_UNWILLING_TO_PERFORM -from ldb import ERR_NOT_ALLOWED_ON_NON_LEAF, ERR_OTHER, ERR_INVALID_DN_SYNTAX -from ldb import ERR_NO_SUCH_ATTRIBUTE -from ldb import ERR_OBJECT_CLASS_VIOLATION, ERR_NOT_ALLOWED_ON_RDN -from ldb import ERR_NAMING_VIOLATION, ERR_CONSTRAINT_VIOLATION -from ldb import ERR_UNDEFINED_ATTRIBUTE_TYPE -from ldb import Message, MessageElement, Dn -from ldb import FLAG_MOD_ADD, FLAG_MOD_REPLACE, FLAG_MOD_DELETE -from samba import Ldb -from samba.dsdb import (UF_NORMAL_ACCOUNT, UF_WORKSTATION_TRUST_ACCOUNT, - UF_PASSWD_NOTREQD, UF_ACCOUNTDISABLE, ATYPE_NORMAL_ACCOUNT, - ATYPE_WORKSTATION_TRUST) - -from subunit.run import SubunitTestRunner -import unittest - -from samba.ndr import ndr_pack, ndr_unpack -from samba.dcerpc import security - -parser = optparse.OptionParser("ldap [options] ") -sambaopts = options.SambaOptions(parser) -parser.add_option_group(sambaopts) -parser.add_option_group(options.VersionOptions(parser)) -# use command line creds if available -credopts = options.CredentialsOptions(parser) -parser.add_option_group(credopts) -opts, args = parser.parse_args() - -if len(args) < 1: - parser.print_usage() - sys.exit(1) - -host = args[0] - -lp = sambaopts.get_loadparm() -creds = credopts.get_credentials(lp) - -class BasicTests(unittest.TestCase): - - def delete_force(self, ldb, dn): - try: - ldb.delete(dn) - except LdbError, (num, _): - self.assertEquals(num, ERR_NO_SUCH_OBJECT) - - def find_basedn(self, ldb): - res = ldb.search(base="", expression="", scope=SCOPE_BASE, - attrs=["defaultNamingContext"]) - self.assertEquals(len(res), 1) - return res[0]["defaultNamingContext"][0] - - def find_configurationdn(self, ldb): - res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["configurationNamingContext"]) - self.assertEquals(len(res), 1) - return res[0]["configurationNamingContext"][0] - - def find_schemadn(self, ldb): - res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["schemaNamingContext"]) - self.assertEquals(len(res), 1) - return res[0]["schemaNamingContext"][0] - - def find_domain_sid(self): - res = self.ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_BASE) - return ndr_unpack( security.dom_sid,res[0]["objectSid"][0]) - - def setUp(self): - super(BasicTests, self).setUp() - self.ldb = ldb - self.gc_ldb = gc_ldb - self.base_dn = self.find_basedn(ldb) - self.configuration_dn = self.find_configurationdn(ldb) - self.schema_dn = self.find_schemadn(ldb) - self.domain_sid = self.find_domain_sid() - - print "baseDN: %s\n" % self.base_dn - - self.delete_force(self.ldb, "cn=posixuser,cn=users," + self.base_dn) - self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - self.delete_force(self.ldb, "cn=ldaptestuser2,cn=users," + self.base_dn) - self.delete_force(self.ldb, "cn=ldaptestuser3,cn=users," + self.base_dn) - self.delete_force(self.ldb, "cn=ldaptestuser4,cn=ldaptestcontainer," + self.base_dn) - self.delete_force(self.ldb, "cn=ldaptestuser4,cn=ldaptestcontainer2," + self.base_dn) - self.delete_force(self.ldb, "cn=ldaptestuser5,cn=users," + self.base_dn) - self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - self.delete_force(self.ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn) - self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn) - self.delete_force(self.ldb, "cn=ldaptest2computer,cn=computers," + self.base_dn) - self.delete_force(self.ldb, "cn=ldaptestcomputer3,cn=computers," + self.base_dn) - self.delete_force(self.ldb, "cn=ldaptestutf8user èùéìòà,cn=users," + self.base_dn) - self.delete_force(self.ldb, "cn=ldaptestutf8user2 èùéìòà,cn=users," + self.base_dn) - self.delete_force(self.ldb, "cn=entry1,cn=ldaptestcontainer," + self.base_dn) - self.delete_force(self.ldb, "cn=entry2,cn=ldaptestcontainer," + self.base_dn) - self.delete_force(self.ldb, "cn=ldaptestcontainer," + self.base_dn) - self.delete_force(self.ldb, "cn=ldaptestcontainer2," + self.base_dn) - self.delete_force(self.ldb, "cn=parentguidtest,cn=users," + self.base_dn) - self.delete_force(self.ldb, "cn=parentguidtest,cn=testotherusers," + self.base_dn) - self.delete_force(self.ldb, "cn=testotherusers," + self.base_dn) - self.delete_force(self.ldb, "cn=ldaptestobject," + self.base_dn) - self.delete_force(self.ldb, "description=xyz,cn=users," + self.base_dn) - self.delete_force(self.ldb, "ou=testou,cn=users," + self.base_dn) - - def test_objectclasses(self): - """Test objectClass behaviour""" - print "Test objectClass behaviour""" - - # Invalid objectclass specified - try: - self.ldb.add({ - "dn": "cn=ldaptestuser,cn=users," + self.base_dn, - "objectClass": "X" }) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE) - - # We cannot instanciate from an abstract objectclass - try: - self.ldb.add({ - "dn": "cn=ldaptestuser,cn=users," + self.base_dn, - "objectClass": "connectionPoint" }) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - - self.ldb.add({ - "dn": "cn=ldaptestuser,cn=users," + self.base_dn, - "objectClass": "person" }) - - # We can remove derivation classes of the structural objectclass - # but they're going to be readded afterwards - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["objectClass"] = MessageElement("top", FLAG_MOD_DELETE, - "objectClass") - ldb.modify(m) - - res = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn, - scope=SCOPE_BASE, attrs=["objectClass"]) - self.assertTrue(len(res) == 1) - self.assertTrue("top" in res[0]["objectClass"]) - - # The top-most structural class cannot be deleted since there are - # attributes of it in use - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["objectClass"] = MessageElement("person", FLAG_MOD_DELETE, - "objectClass") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION) - - # We cannot delete classes which weren't specified - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["objectClass"] = MessageElement("computer", FLAG_MOD_DELETE, - "objectClass") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE) - - # An invalid class cannot be added - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["objectClass"] = MessageElement("X", FLAG_MOD_ADD, - "objectClass") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE) - - # The top-most structural class cannot be changed by adding another - # structural one - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["objectClass"] = MessageElement("user", FLAG_MOD_ADD, - "objectClass") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION) - - # An already specified objectclass cannot be added another time - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["objectClass"] = MessageElement("person", FLAG_MOD_ADD, - "objectClass") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS) - - # Auxiliary classes can always be added - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["objectClass"] = MessageElement("bootableDevice", FLAG_MOD_ADD, - "objectClass") - ldb.modify(m) - - # It's only possible to replace with the same objectclass combination. - # So the replace action on "objectClass" attributes is really useless. - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["objectClass"] = MessageElement(["top", "person", "bootableDevice"], - FLAG_MOD_REPLACE, "objectClass") - ldb.modify(m) - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["objectClass"] = MessageElement(["person", "bootableDevice"], - FLAG_MOD_REPLACE, "objectClass") - ldb.modify(m) - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["objectClass"] = MessageElement(["top", "person", "bootableDevice", - "connectionPoint"], FLAG_MOD_REPLACE, "objectClass") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION) - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["objectClass"] = MessageElement(["top", "computer"], FLAG_MOD_REPLACE, - "objectClass") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION) - - # Classes can be removed unless attributes of them are used. - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["objectClass"] = MessageElement("bootableDevice", FLAG_MOD_DELETE, - "objectClass") - ldb.modify(m) - - res = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn, - scope=SCOPE_BASE, attrs=["objectClass"]) - self.assertTrue(len(res) == 1) - self.assertFalse("bootableDevice" in res[0]["objectClass"]) - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["objectClass"] = MessageElement("bootableDevice", FLAG_MOD_ADD, - "objectClass") - ldb.modify(m) - - # Add an attribute specific to the "bootableDevice" class - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["bootParameter"] = MessageElement("test", FLAG_MOD_ADD, - "bootParameter") - ldb.modify(m) - - # Classes can be removed unless attributes of them are used. Now there - # exist such attributes on the entry. - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["objectClass"] = MessageElement("bootableDevice", FLAG_MOD_DELETE, - "objectClass") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION) - - # Remove the previously specified attribute - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["bootParameter"] = MessageElement("test", FLAG_MOD_DELETE, - "bootParameter") - ldb.modify(m) - - # Classes can be removed unless attributes of them are used. - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["objectClass"] = MessageElement("bootableDevice", FLAG_MOD_DELETE, - "objectClass") - ldb.modify(m) - - self.delete_force(self.ldb, "cn=ldaptestuser2,cn=users," + self.base_dn) - - def test_system_only(self): - """Test systemOnly objects""" - print "Test systemOnly objects""" - - try: - self.ldb.add({ - "dn": "cn=ldaptestobject," + self.base_dn, - "objectclass": "configuration"}) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - - self.delete_force(self.ldb, "cn=ldaptestobject," + self.base_dn) - - def test_invalid_parent(self): - """Test adding an object with invalid parent""" - print "Test adding an object with invalid parent""" - - try: - self.ldb.add({ - "dn": "cn=ldaptestgroup,cn=thisdoesnotexist123," - + self.base_dn, - "objectclass": "group"}) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_NO_SUCH_OBJECT) - - self.delete_force(self.ldb, "cn=ldaptestgroup,cn=thisdoesnotexist123," - + self.base_dn) - - try: - self.ldb.add({ - "dn": "ou=testou,cn=users," + self.base_dn, - "objectclass": "organizationalUnit"}) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_NAMING_VIOLATION) - - self.delete_force(self.ldb, "ou=testou,cn=users," + self.base_dn) - - def test_invalid_attribute(self): - """Test invalid attributes on schema/objectclasses""" - print "Test invalid attributes on schema/objectclasses""" - - # attributes not in schema test - - # add operation - - try: - self.ldb.add({ - "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, - "objectclass": "group", - "thisdoesnotexist": "x"}) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE) - - self.ldb.add({ - "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, - "objectclass": "group"}) - - # modify operation - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - m["thisdoesnotexist"] = MessageElement("x", FLAG_MOD_REPLACE, - "thisdoesnotexist") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE) - - self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - - # attributes not in objectclasses and mandatory attributes missing test - # Use here a non-SAM entry since it doesn't have special triggers - # associated which have an impact on the error results. - - # add operations - - # mandatory attribute missing - try: - self.ldb.add({ - "dn": "cn=ldaptestobject," + self.base_dn, - "objectclass": "ipProtocol"}) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION) - - # inadequate but schema-valid attribute specified - try: - self.ldb.add({ - "dn": "cn=ldaptestobject," + self.base_dn, - "objectclass": "ipProtocol", - "ipProtocolNumber": "1", - "uid" : "0"}) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION) - - self.ldb.add({ - "dn": "cn=ldaptestobject," + self.base_dn, - "objectclass": "ipProtocol", - "ipProtocolNumber": "1"}) - - # modify operations - - # inadequate but schema-valid attribute add trial - m = Message() - m.dn = Dn(ldb, "cn=ldaptestobject," + self.base_dn) - m["uid"] = MessageElement("0", FLAG_MOD_ADD, "uid") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION) - - # mandatory attribute delete trial - m = Message() - m.dn = Dn(ldb, "cn=ldaptestobject," + self.base_dn) - m["ipProtocolNumber"] = MessageElement([], FLAG_MOD_DELETE, - "ipProtocolNumber") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION) - - # mandatory attribute delete trial - m = Message() - m.dn = Dn(ldb, "cn=ldaptestobject," + self.base_dn) - m["ipProtocolNumber"] = MessageElement([], FLAG_MOD_REPLACE, - "ipProtocolNumber") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION) - - self.delete_force(self.ldb, "cn=ldaptestobject," + self.base_dn) - - def test_single_valued_attributes(self): - """Test single-valued attributes""" - print "Test single-valued attributes""" - - try: - self.ldb.add({ - "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, - "objectclass": "group", - "sAMAccountName": ["nam1", "nam2"]}) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) - - self.ldb.add({ - "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, - "objectclass": "group"}) - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - m["sAMAccountName"] = MessageElement(["nam1","nam2"], FLAG_MOD_REPLACE, - "sAMAccountName") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS) - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - m["sAMAccountName"] = MessageElement("testgroupXX", FLAG_MOD_REPLACE, - "sAMAccountName") - ldb.modify(m) - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - m["sAMAccountName"] = MessageElement("testgroupXX2", FLAG_MOD_ADD, - "sAMAccountName") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS) - - self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - - def test_multi_valued_attributes(self): - """Test multi-valued attributes""" - print "Test multi-valued attributes""" - -# TODO: In this test I added some special tests where I got very unusual -# results back from a real AD. s4 doesn't match them and I've no idea how to -# implement those error cases (maybe there exists a special trigger for -# "description" attributes which handle them) - - self.ldb.add({ - "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, - "description": "desc2", - "objectclass": "group", - "description": "desc1"}) - - self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - - self.ldb.add({ - "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, - "objectclass": "group", - "description": ["desc1", "desc2"]}) - -# m = Message() -# m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) -# m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_REPLACE, -# "description") -# try: -# ldb.modify(m) -# self.fail() -# except LdbError, (num, _): -# self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS) - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - m["description"] = MessageElement("desc1", FLAG_MOD_REPLACE, - "description") - ldb.modify(m) - -# m = Message() -# m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) -# m["description"] = MessageElement("desc3", FLAG_MOD_ADD, -# "description") -# try: -# ldb.modify(m) -# self.fail() -# except LdbError, (num, _): -# self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS) - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_DELETE, - "description") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE) - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - m["description"] = MessageElement("desc1", FLAG_MOD_DELETE, - "description") - ldb.modify(m) - -# m = Message() -# m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) -# m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_REPLACE, -# "description") -# try: -# ldb.modify(m) -# self.fail() -# except LdbError, (num, _): -# self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS) - -# m = Message() -# m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) -# m["description"] = MessageElement(["desc3", "desc4"], FLAG_MOD_ADD, -# "description") -# try: -# ldb.modify(m) -# self.fail() -# except LdbError, (num, _): -# self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS) - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - m["description"] = MessageElement("desc3", FLAG_MOD_ADD, - "description") - ldb.modify(m) - - self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - - def test_empty_messages(self): - """Test empty messages""" - print "Test empty messages""" - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - - try: - ldb.add(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION) - - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - - self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - - def test_empty_attributes(self): - """Test empty attributes""" - print "Test empty attributes""" - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - m["objectClass"] = MessageElement("group", FLAG_MOD_ADD, "objectClass") - m["description"] = MessageElement([], FLAG_MOD_ADD, "description") - - try: - ldb.add(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) - - self.ldb.add({ - "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, - "objectclass": "group"}) - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - m["description"] = MessageElement([], FLAG_MOD_ADD, "description") - - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - m["description"] = MessageElement([], FLAG_MOD_REPLACE, "description") - ldb.modify(m) - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - m["description"] = MessageElement([], FLAG_MOD_DELETE, "description") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE) - - self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - - def test_instanceType(self): - """Tests the 'instanceType' attribute""" - print "Tests the 'instanceType' attribute""" - - try: - self.ldb.add({ - "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, - "objectclass": "group", - "instanceType": ["0", "1"]}) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - - self.ldb.add({ - "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, - "objectclass": "group"}) - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - m["instanceType"] = MessageElement("0", FLAG_MOD_REPLACE, - "instanceType") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - m["instanceType"] = MessageElement([], FLAG_MOD_REPLACE, - "instanceType") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - m["instanceType"] = MessageElement([], FLAG_MOD_DELETE, "instanceType") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) - - self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - - def test_distinguished_name(self): - """Tests the 'distinguishedName' attribute""" - print "Tests the 'distinguishedName' attribute""" - - # a wrong "distinguishedName" attribute is obviously tolerated - self.ldb.add({ - "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, - "objectclass": "group", - "distinguishedName": "cn=ldaptest,cn=users," + self.base_dn}) - - # proof if the DN has been set correctly - res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn, - scope=SCOPE_BASE, attrs=["distinguishedName"]) - self.assertTrue(len(res) == 1) - self.assertTrue("distinguishedName" in res[0]) - self.assertTrue(Dn(ldb, res[0]["distinguishedName"][0]) - == Dn(ldb, "cn=ldaptestgroup, cn=users," + self.base_dn)) - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - m["distinguishedName"] = MessageElement( - "cn=ldaptestuser,cn=users," + self.base_dn, FLAG_MOD_ADD, - "distinguishedName") - - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - m["distinguishedName"] = MessageElement( - "cn=ldaptestuser,cn=users," + self.base_dn, FLAG_MOD_REPLACE, - "distinguishedName") - - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - m["distinguishedName"] = MessageElement( - "cn=ldaptestuser,cn=users," + self.base_dn, FLAG_MOD_DELETE, - "distinguishedName") - - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) - - self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - - def test_rdn_name(self): - """Tests the RDN""" - print "Tests the RDN""" - - try: - self.ldb.add({ - "dn": "description=xyz,cn=users," + self.base_dn, - "objectclass": "group"}) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_NAMING_VIOLATION) - - self.delete_force(self.ldb, "description=xyz,cn=users," + self.base_dn) - - # a wrong "name" attribute is obviously tolerated - self.ldb.add({ - "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, - "objectclass": "group", - "name": "ldaptestgroupx"}) - - # proof if the name has been set correctly - res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn, - scope=SCOPE_BASE, attrs=["name"]) - self.assertTrue(len(res) == 1) - self.assertTrue("name" in res[0]) - self.assertTrue(res[0]["name"][0] == "ldaptestgroup") - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - m["name"] = MessageElement("cn=ldaptestuser", FLAG_MOD_REPLACE, - "name") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_NOT_ALLOWED_ON_RDN) - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - m["cn"] = MessageElement("ldaptestuser", - FLAG_MOD_REPLACE, "cn") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_NOT_ALLOWED_ON_RDN) - - self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - - - # this test needs to be disabled until we really understand - # what the rDN length constraints are - def DISABLED_test_largeRDN(self): - """Testing large rDN (limit 64 characters)""" - rdn = "CN=a012345678901234567890123456789012345678901234567890123456789012"; - self.delete_force(self.ldb, "%s,%s" % (rdn, self.base_dn)) - ldif = """ -dn: %s,%s""" % (rdn,self.base_dn) + """ -objectClass: container -""" - self.ldb.add_ldif(ldif) - self.delete_force(self.ldb, "%s,%s" % (rdn, self.base_dn)) - - rdn = "CN=a0123456789012345678901234567890123456789012345678901234567890120"; - self.delete_force(self.ldb, "%s,%s" % (rdn, self.base_dn)) - try: - ldif = """ -dn: %s,%s""" % (rdn,self.base_dn) + """ -objectClass: container -""" - self.ldb.add_ldif(ldif) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) - self.delete_force(self.ldb, "%s,%s" % (rdn, self.base_dn)) - - def test_rename(self): - """Tests the rename operation""" - print "Tests the rename operations""" - - try: - # cannot rename to be a child of itself - ldb.rename(self.base_dn, "dc=test," + self.base_dn) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - - try: - # inexistent object - ldb.rename("cn=ldaptestuser2,cn=users," + self.base_dn, "cn=ldaptestuser2,cn=users," + self.base_dn) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_NO_SUCH_OBJECT) - - self.ldb.add({ - "dn": "cn=ldaptestuser2,cn=users," + self.base_dn, - "objectclass": ["user", "person"] }) - - ldb.rename("cn=ldaptestuser2,cn=users," + self.base_dn, "cn=ldaptestuser2,cn=users," + self.base_dn) - ldb.rename("cn=ldaptestuser2,cn=users," + self.base_dn, "cn=ldaptestuser3,cn=users," + self.base_dn) - ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, "cn=ldaptestUSER3,cn=users," + self.base_dn) - - try: - # containment problem: a user entry cannot contain user entries - ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, "cn=ldaptestuser4,cn=ldaptestuser3,cn=users," + self.base_dn) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_NAMING_VIOLATION) - - try: - # invalid parent - ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, "cn=ldaptestuser3,cn=people,cn=users," + self.base_dn) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_OTHER) - - try: - # invalid target DN syntax - ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, ",cn=users," + self.base_dn) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_INVALID_DN_SYNTAX) - - try: - # invalid RDN name - ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, "ou=ldaptestuser3,cn=users," + self.base_dn) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - - self.delete_force(self.ldb, "cn=ldaptestuser3,cn=users," + self.base_dn) - - def test_rename_twice(self): - """Tests the rename operation twice - this corresponds to a past bug""" - print "Tests the rename twice operation""" - - self.ldb.add({ - "dn": "cn=ldaptestuser5,cn=users," + self.base_dn, - "objectclass": ["user", "person"] }) - - ldb.rename("cn=ldaptestuser5,cn=users," + self.base_dn, "cn=ldaptestUSER5,cn=users," + self.base_dn) - self.delete_force(self.ldb, "cn=ldaptestuser5,cn=users," + self.base_dn) - self.ldb.add({ - "dn": "cn=ldaptestuser5,cn=users," + self.base_dn, - "objectclass": ["user", "person"] }) - ldb.rename("cn=ldaptestuser5,cn=Users," + self.base_dn, "cn=ldaptestUSER5,cn=users," + self.base_dn) - res = ldb.search(expression="cn=ldaptestuser5") - print "Found %u records" % len(res) - self.assertEquals(len(res), 1, "Wrong number of hits for cn=ldaptestuser5") - res = ldb.search(expression="(&(cn=ldaptestuser5)(objectclass=user))") - print "Found %u records" % len(res) - self.assertEquals(len(res), 1, "Wrong number of hits for (&(cn=ldaptestuser5)(objectclass=user))") - self.delete_force(self.ldb, "cn=ldaptestuser5,cn=users," + self.base_dn) - - def test_parentGUID(self): - """Test parentGUID behaviour""" - print "Testing parentGUID behaviour\n" - - # TODO: This seems to fail on Windows Server. Hidden attribute? - - self.ldb.add({ - "dn": "cn=parentguidtest,cn=users," + self.base_dn, - "objectclass":"user", - "samaccountname":"parentguidtest"}); - res1 = ldb.search(base="cn=parentguidtest,cn=users," + self.base_dn, scope=SCOPE_BASE, - attrs=["parentGUID", "samaccountname"]); - res2 = ldb.search(base="cn=users," + self.base_dn,scope=SCOPE_BASE, - attrs=["objectGUID"]); - res3 = ldb.search(base=self.base_dn, scope=SCOPE_BASE, - attrs=["parentGUID"]); - - """Check if the parentGUID is valid """ - self.assertEquals(res1[0]["parentGUID"], res2[0]["objectGUID"]); - - """Check if it returns nothing when there is no parent object""" - has_parentGUID = False - for key in res3[0].keys(): - if key == "parentGUID": - has_parentGUID = True - break - self.assertFalse(has_parentGUID); - - """Ensures that if you look for another object attribute after the constructed - parentGUID, it will return correctly""" - has_another_attribute = False - for key in res1[0].keys(): - if key == "sAMAccountName": - has_another_attribute = True - break - self.assertTrue(has_another_attribute) - self.assertTrue(len(res1[0]["samaccountname"]) == 1) - self.assertEquals(res1[0]["samaccountname"][0], "parentguidtest"); - - print "Testing parentGUID behaviour on rename\n" - - self.ldb.add({ - "dn": "cn=testotherusers," + self.base_dn, - "objectclass":"container"}); - res1 = ldb.search(base="cn=testotherusers," + self.base_dn,scope=SCOPE_BASE, - attrs=["objectGUID"]); - ldb.rename("cn=parentguidtest,cn=users," + self.base_dn, - "cn=parentguidtest,cn=testotherusers," + self.base_dn); - res2 = ldb.search(base="cn=parentguidtest,cn=testotherusers," + self.base_dn, - scope=SCOPE_BASE, - attrs=["parentGUID"]); - self.assertEquals(res1[0]["objectGUID"], res2[0]["parentGUID"]); - - self.delete_force(self.ldb, "cn=parentguidtest,cn=testotherusers," + self.base_dn) - self.delete_force(self.ldb, "cn=testotherusers," + self.base_dn) - - def test_groupType_int32(self): - """Test groupType (int32) behaviour (should appear to be casted to a 32 bit signed integer before comparsion)""" - print "Testing groupType (int32) behaviour\n" - - res1 = ldb.search(base=self.base_dn, scope=SCOPE_SUBTREE, - attrs=["groupType"], expression="groupType=2147483653"); - - res2 = ldb.search(base=self.base_dn, scope=SCOPE_SUBTREE, - attrs=["groupType"], expression="groupType=-2147483643"); - - self.assertEquals(len(res1), len(res2)) - - self.assertTrue(res1.count > 0) - - self.assertEquals(res1[0]["groupType"][0], "-2147483643") - - def test_linked_attributes(self): - """This tests the linked attribute behaviour""" - print "Testing linked attribute behaviour\n" - - ldb.add({ - "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, - "objectclass": "group"}) - - # This should not work since "memberOf" is linked to "member" - try: - ldb.add({ - "dn": "cn=ldaptestuser,cn=users," + self.base_dn, - "objectclass": ["user", "person"], - "memberOf": "cn=ldaptestgroup,cn=users," + self.base_dn}) - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - - ldb.add({ - "dn": "cn=ldaptestuser,cn=users," + self.base_dn, - "objectclass": ["user", "person"]}) - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["memberOf"] = MessageElement("cn=ldaptestgroup,cn=users," + self.base_dn, - FLAG_MOD_ADD, "memberOf") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn, - FLAG_MOD_ADD, "member") - ldb.modify(m) - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["memberOf"] = MessageElement("cn=ldaptestgroup,cn=users," + self.base_dn, - FLAG_MOD_REPLACE, "memberOf") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["memberOf"] = MessageElement("cn=ldaptestgroup,cn=users," + self.base_dn, - FLAG_MOD_DELETE, "memberOf") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn, - FLAG_MOD_DELETE, "member") - ldb.modify(m) - - # This should yield no results since the member attribute for - # "ldaptestuser" should have been deleted - res1 = ldb.search("cn=ldaptestgroup, cn=users," + self.base_dn, - scope=SCOPE_BASE, - expression="(member=cn=ldaptestuser,cn=users," + self.base_dn + ")", - attrs=[]) - self.assertTrue(len(res1) == 0) - - self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - - ldb.add({ - "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, - "objectclass": "group", - "member": "cn=ldaptestuser,cn=users," + self.base_dn}) - - self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - - # Make sure that the "member" attribute for "ldaptestuser" has been - # removed - res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn, - scope=SCOPE_BASE, attrs=["member"]) - self.assertTrue(len(res) == 1) - self.assertFalse("member" in res[0]) - - self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - - def test_groups(self): - """This tests the group behaviour (setting, changing) of a user account""" - print "Testing group behaviour\n" - - ldb.add({ - "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, - "objectclass": "group"}) - - ldb.add({ - "dn": "cn=ldaptestgroup2,cn=users," + self.base_dn, - "objectclass": "group"}) - - res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn, - scope=SCOPE_BASE, attrs=["objectSID"]) - self.assertTrue(len(res1) == 1) - group_rid_1 = security.dom_sid(ldb.schema_format_value("objectSID", - res1[0]["objectSID"][0])).split()[1] - - res1 = ldb.search("cn=ldaptestgroup2,cn=users," + self.base_dn, - scope=SCOPE_BASE, attrs=["objectSID"]) - self.assertTrue(len(res1) == 1) - group_rid_2 = security.dom_sid(ldb.schema_format_value("objectSID", - res1[0]["objectSID"][0])).split()[1] - - # Try to create a user with an invalid primary group - try: - ldb.add({ - "dn": "cn=ldaptestuser,cn=users," + self.base_dn, - "objectclass": ["user", "person"], - "primaryGroupID": "0"}) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - - # Try to Create a user with a valid primary group -# TODO Some more investigation needed here -# try: -# ldb.add({ -# "dn": "cn=ldaptestuser,cn=users," + self.base_dn, -# "objectclass": ["user", "person"], -# "primaryGroupID": str(group_rid_1)}) -# self.fail() -# except LdbError, (num, _): -# self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) -# self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - - # Test to see how we should behave when the user account doesn't - # exist - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE, - "primaryGroupID") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_NO_SUCH_OBJECT) - - # Test to see how we should behave when the account isn't a user - m = Message() - m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - m["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE, - "primaryGroupID") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION) - - ldb.add({ - "dn": "cn=ldaptestuser,cn=users," + self.base_dn, - "objectclass": ["user", "person"]}) - - # We should be able to reset our actual primary group - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["primaryGroupID"] = MessageElement("513", FLAG_MOD_REPLACE, - "primaryGroupID") - ldb.modify(m) - - # Try to add invalid primary group - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE, - "primaryGroupID") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - - # Try to make group 1 primary - should be denied since it is not yet - # secondary - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["primaryGroupID"] = MessageElement(str(group_rid_1), - FLAG_MOD_REPLACE, "primaryGroupID") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - - # Make group 1 secondary - m = Message() - m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn, - FLAG_MOD_REPLACE, "member") - ldb.modify(m) - - # Make group 1 primary - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["primaryGroupID"] = MessageElement(str(group_rid_1), - FLAG_MOD_REPLACE, "primaryGroupID") - ldb.modify(m) - - # Try to delete group 1 - should be denied - try: - ldb.delete("cn=ldaptestgroup,cn=users," + self.base_dn) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS) - - # Try to add group 1 also as secondary - should be denied - m = Message() - m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn, - FLAG_MOD_ADD, "member") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS) - - # Try to add invalid member to group 1 - should be denied - m = Message() - m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - m["member"] = MessageElement( - "cn=ldaptestuser3,cn=users," + self.base_dn, - FLAG_MOD_ADD, "member") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_NO_SUCH_OBJECT) - - # Make group 2 secondary - m = Message() - m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn) - m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn, - FLAG_MOD_ADD, "member") - ldb.modify(m) - - # Swap the groups - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["primaryGroupID"] = MessageElement(str(group_rid_2), - FLAG_MOD_REPLACE, "primaryGroupID") - ldb.modify(m) - - # Old primary group should contain a "member" attribute for the user, - # the new shouldn't contain anymore one - res1 = ldb.search("cn=ldaptestgroup, cn=users," + self.base_dn, - scope=SCOPE_BASE, attrs=["member"]) - self.assertTrue(len(res1) == 1) - self.assertTrue(len(res1[0]["member"]) == 1) - self.assertEquals(res1[0]["member"][0].lower(), - ("cn=ldaptestuser,cn=users," + self.base_dn).lower()) - - res1 = ldb.search("cn=ldaptestgroup2, cn=users," + self.base_dn, - scope=SCOPE_BASE, attrs=["member"]) - self.assertTrue(len(res1) == 1) - self.assertFalse("member" in res1[0]) - - # Also this should be denied - try: - ldb.add({ - "dn": "cn=ldaptestuser1,cn=users," + self.base_dn, - "objectclass": ["user", "person"], - "primaryGroupID": "0"}) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - - self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - self.delete_force(self.ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn) - - def test_sam_attributes(self): - """Test the behaviour of special attributes of SAM objects""" - print "Testing the behaviour of special attributes of SAM objects\n""" - - ldb.add({ - "dn": "cn=ldaptestuser,cn=users," + self.base_dn, - "objectclass": ["user", "person"]}) - ldb.add({ - "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, - "objectclass": "group"}) - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - m["groupType"] = MessageElement("0", FLAG_MOD_ADD, - "groupType") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS) - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - m["groupType"] = MessageElement([], FLAG_MOD_DELETE, - "groupType") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["primaryGroupID"] = MessageElement("0", FLAG_MOD_ADD, - "primaryGroupID") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS) - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["primaryGroupID"] = MessageElement([], FLAG_MOD_DELETE, - "primaryGroupID") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["userAccountControl"] = MessageElement("0", FLAG_MOD_ADD, - "userAccountControl") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS) - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["userAccountControl"] = MessageElement([], FLAG_MOD_DELETE, - "userAccountControl") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["sAMAccountType"] = MessageElement("0", FLAG_MOD_ADD, - "sAMAccountType") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["sAMAccountType"] = MessageElement([], FLAG_MOD_REPLACE, - "sAMAccountType") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - m["sAMAccountType"] = MessageElement([], FLAG_MOD_DELETE, - "sAMAccountType") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - - self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - - def test_primary_group_token_constructed(self): - """Test the primary group token behaviour (hidden-generated-readonly attribute on groups) and some other constructed attributes""" - print "Testing primary group token behaviour and other constructed attributes\n" - - try: - ldb.add({ - "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, - "objectclass": "group", - "primaryGroupToken": "100"}) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNDEFINED_ATTRIBUTE_TYPE) - self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - - ldb.add({ - "dn": "cn=ldaptestuser,cn=users," + self.base_dn, - "objectclass": ["user", "person"]}) - - ldb.add({ - "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, - "objectclass": "group"}) - - # Testing for one invalid, and one valid operational attribute, but also the things they are built from - res1 = ldb.search(self.base_dn, - scope=SCOPE_BASE, attrs=["primaryGroupToken", "canonicalName", "objectClass", "objectSid"]) - self.assertTrue(len(res1) == 1) - self.assertFalse("primaryGroupToken" in res1[0]) - self.assertTrue("canonicalName" in res1[0]) - self.assertTrue("objectClass" in res1[0]) - self.assertTrue("objectSid" in res1[0]) - - res1 = ldb.search(self.base_dn, - scope=SCOPE_BASE, attrs=["primaryGroupToken", "canonicalName"]) - self.assertTrue(len(res1) == 1) - self.assertFalse("primaryGroupToken" in res1[0]) - self.assertFalse("objectSid" in res1[0]) - self.assertFalse("objectClass" in res1[0]) - self.assertTrue("canonicalName" in res1[0]) - - res1 = ldb.search("cn=users,"+self.base_dn, - scope=SCOPE_BASE, attrs=["primaryGroupToken"]) - self.assertTrue(len(res1) == 1) - self.assertFalse("primaryGroupToken" in res1[0]) - - res1 = ldb.search("cn=ldaptestuser, cn=users," + self.base_dn, - scope=SCOPE_BASE, attrs=["primaryGroupToken"]) - self.assertTrue(len(res1) == 1) - self.assertFalse("primaryGroupToken" in res1[0]) - - res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn, - scope=SCOPE_BASE) - self.assertTrue(len(res1) == 1) - self.assertFalse("primaryGroupToken" in res1[0]) - - res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn, - scope=SCOPE_BASE, attrs=["primaryGroupToken", "objectSID"]) - self.assertTrue(len(res1) == 1) - primary_group_token = int(res1[0]["primaryGroupToken"][0]) - - rid = security.dom_sid(ldb.schema_format_value("objectSID", res1[0]["objectSID"][0])).split()[1] - self.assertEquals(primary_group_token, rid) - - m = Message() - m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - m["primaryGroupToken"] = "100" - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) - - self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - - def test_tokenGroups(self): - """Test the tokenGroups behaviour (hidden-generated-readonly attribute on SAM objects)""" - print "Testing tokenGroups behaviour\n" - - # The domain object shouldn't contain any "tokenGroups" entry - res = ldb.search(self.base_dn, scope=SCOPE_BASE, attrs=["tokenGroups"]) - self.assertTrue(len(res) == 1) - self.assertFalse("tokenGroups" in res[0]) - - # The domain administrator should contain "tokenGroups" entries - # (the exact number depends on the domain/forest function level and the - # DC software versions) - res = ldb.search("cn=Administrator,cn=Users," + self.base_dn, - scope=SCOPE_BASE, attrs=["tokenGroups"]) - self.assertTrue(len(res) == 1) - self.assertTrue("tokenGroups" in res[0]) - - ldb.add({ - "dn": "cn=ldaptestuser,cn=users," + self.base_dn, - "objectclass": ["user", "person"]}) - - # This testuser should contain at least two "tokenGroups" entries - # (exactly two on an unmodified "Domain Users" and "Users" group) - res = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn, - scope=SCOPE_BASE, attrs=["tokenGroups"]) - self.assertTrue(len(res) == 1) - self.assertTrue(len(res[0]["tokenGroups"]) >= 2) - - # one entry which we need to find should point to domains "Domain Users" - # group and another entry should point to the builtin "Users"group - domain_users_group_found = False - users_group_found = False - for sid in res[0]["tokenGroups"]: - rid = security.dom_sid(ldb.schema_format_value("objectSID", sid)).split()[1] - if rid == 513: - domain_users_group_found = True - if rid == 545: - users_group_found = True - - self.assertTrue(domain_users_group_found) - self.assertTrue(users_group_found) - - self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - - def test_wkguid(self): - """Test Well known GUID behaviours (including DN+Binary)""" - print "Test Well known GUID behaviours (including DN+Binary)""" - - res = self.ldb.search(base=("" % self.base_dn), scope=SCOPE_BASE, attrs=[]) - self.assertEquals(len(res), 1) - - res2 = self.ldb.search(scope=SCOPE_BASE, attrs=["wellKnownObjects"], expression=("wellKnownObjects=B:32:ab1d30f3768811d1aded00c04fd8d5cd:%s" % res[0].dn)) - self.assertEquals(len(res2), 1) - - # Prove that the matching rule is over the whole DN+Binary - res2 = self.ldb.search(scope=SCOPE_BASE, attrs=["wellKnownObjects"], expression=("wellKnownObjects=B:32:ab1d30f3768811d1aded00c04fd8d5cd")) - self.assertEquals(len(res2), 0) - # Prove that the matching rule is over the whole DN+Binary - res2 = self.ldb.search(scope=SCOPE_BASE, attrs=["wellKnownObjects"], expression=("wellKnownObjects=%s") % res[0].dn) - self.assertEquals(len(res2), 0) - - def test_subschemasubentry(self): - """Test subSchemaSubEntry appears when requested, but not when not requested""" - print "Test subSchemaSubEntry""" - - res = self.ldb.search(base=self.base_dn, scope=SCOPE_BASE, attrs=["subSchemaSubEntry"]) - self.assertEquals(len(res), 1) - self.assertEquals(res[0]["subSchemaSubEntry"][0], "CN=Aggregate,"+self.schema_dn) - - res = self.ldb.search(base=self.base_dn, scope=SCOPE_BASE, attrs=["*"]) - self.assertEquals(len(res), 1) - self.assertTrue("subScheamSubEntry" not in res[0]) - - def test_subtree_delete(self): - """Tests subtree deletes""" - - print "Test subtree deletes""" - - ldb.add({ - "dn": "cn=ldaptestcontainer," + self.base_dn, - "objectclass": "container"}) - ldb.add({ - "dn": "cn=entry1,cn=ldaptestcontainer," + self.base_dn, - "objectclass": "container"}) - ldb.add({ - "dn": "cn=entry2,cn=ldaptestcontainer," + self.base_dn, - "objectclass": "container"}) - - try: - ldb.delete("cn=ldaptestcontainer," + self.base_dn) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_NOT_ALLOWED_ON_NON_LEAF) - - ldb.delete("cn=ldaptestcontainer," + self.base_dn, ["tree_delete:0"]) - - try: - res = ldb.search("cn=ldaptestcontainer," + self.base_dn, - scope=SCOPE_BASE, attrs=[]) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_NO_SUCH_OBJECT) - try: - res = ldb.search("cn=entry1,cn=ldaptestcontainer," + self.base_dn, - scope=SCOPE_BASE, attrs=[]) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_NO_SUCH_OBJECT) - try: - res = ldb.search("cn=entry2,cn=ldaptestcontainer," + self.base_dn, - scope=SCOPE_BASE, attrs=[]) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_NO_SUCH_OBJECT) - - self.delete_force(self.ldb, "cn=entry1,cn=ldaptestcontainer," + self.base_dn) - self.delete_force(self.ldb, "cn=entry2,cn=ldaptestcontainer," + self.base_dn) - self.delete_force(self.ldb, "cn=ldaptestcontainer," + self.base_dn) - - def test_all(self): - """Basic tests""" - - print "Testing user add" - - ldb.add({ - "dn": "cn=ldaptestuser,cn=uSers," + self.base_dn, - "objectclass": ["user", "person"], - "cN": "LDAPtestUSER", - "givenname": "ldap", - "sn": "testy"}) - - ldb.add({ - "dn": "cn=ldaptestgroup,cn=uSers," + self.base_dn, - "objectclass": "group", - "member": "cn=ldaptestuser,cn=useRs," + self.base_dn}) - - ldb.add({ - "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn, - "objectclass": "computer", - "cN": "LDAPtestCOMPUTER"}) - - ldb.add({"dn": "cn=ldaptest2computer,cn=computers," + self.base_dn, - "objectClass": "computer", - "cn": "LDAPtest2COMPUTER", - "userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT), - "displayname": "ldap testy"}) - - try: - ldb.add({"dn": "cn=ldaptestcomputer3,cn=computers," + self.base_dn, - "objectClass": "computer", - "cn": "LDAPtest2COMPUTER" - }) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_INVALID_DN_SYNTAX) - - try: - ldb.add({"dn": "cn=ldaptestcomputer3,cn=computers," + self.base_dn, - "objectClass": "computer", - "cn": "ldaptestcomputer3", - "sAMAccountType": str(ATYPE_NORMAL_ACCOUNT) - }) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - - ldb.add({"dn": "cn=ldaptestcomputer3,cn=computers," + self.base_dn, - "objectClass": "computer", - "cn": "LDAPtestCOMPUTER3" - }) - - print "Testing ldb.search for (&(cn=ldaptestcomputer3)(objectClass=user))"; - res = ldb.search(self.base_dn, expression="(&(cn=ldaptestcomputer3)(objectClass=user))"); - self.assertEquals(len(res), 1, "Found only %d for (&(cn=ldaptestcomputer3)(objectClass=user))" % len(res)) - - self.assertEquals(str(res[0].dn), ("CN=ldaptestcomputer3,CN=Computers," + self.base_dn)); - self.assertEquals(res[0]["cn"][0], "ldaptestcomputer3"); - self.assertEquals(res[0]["name"][0], "ldaptestcomputer3"); - self.assertEquals(res[0]["objectClass"][0], "top"); - self.assertEquals(res[0]["objectClass"][1], "person"); - self.assertEquals(res[0]["objectClass"][2], "organizationalPerson"); - self.assertEquals(res[0]["objectClass"][3], "user"); - self.assertEquals(res[0]["objectClass"][4], "computer"); - self.assertTrue("objectGUID" in res[0]) - self.assertTrue("whenCreated" in res[0]) - self.assertEquals(res[0]["objectCategory"][0], ("CN=Computer,CN=Schema,CN=Configuration," + self.base_dn)); - self.assertEquals(int(res[0]["primaryGroupID"][0]), 513); - self.assertEquals(int(res[0]["sAMAccountType"][0]), ATYPE_NORMAL_ACCOUNT); - self.assertEquals(int(res[0]["userAccountControl"][0]), UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD | UF_ACCOUNTDISABLE); - - self.delete_force(self.ldb, "cn=ldaptestcomputer3,cn=computers," + self.base_dn) - - print "Testing attribute or value exists behaviour" - try: - ldb.modify_ldif(""" -dn: cn=ldaptest2computer,cn=computers,""" + self.base_dn + """ -changetype: modify -replace: servicePrincipalName -servicePrincipalName: host/ldaptest2computer -servicePrincipalName: host/ldaptest2computer -servicePrincipalName: cifs/ldaptest2computer -""") - self.fail() - except LdbError, (num, msg): - self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS) - - ldb.modify_ldif(""" -dn: cn=ldaptest2computer,cn=computers,""" + self.base_dn + """ -changetype: modify -replace: servicePrincipalName -servicePrincipalName: host/ldaptest2computer -servicePrincipalName: cifs/ldaptest2computer -""") - try: - ldb.modify_ldif(""" -dn: cn=ldaptest2computer,cn=computers,""" + self.base_dn + """ -changetype: modify -add: servicePrincipalName -servicePrincipalName: host/ldaptest2computer -""") - self.fail() - except LdbError, (num, msg): - self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS) - - print "Testing ranged results" - ldb.modify_ldif(""" -dn: cn=ldaptest2computer,cn=computers,""" + self.base_dn + """ -changetype: modify -replace: servicePrincipalName -""") - - ldb.modify_ldif(""" -dn: cn=ldaptest2computer,cn=computers,""" + self.base_dn + """ -changetype: modify -add: servicePrincipalName -servicePrincipalName: host/ldaptest2computer0 -servicePrincipalName: host/ldaptest2computer1 -servicePrincipalName: host/ldaptest2computer2 -servicePrincipalName: host/ldaptest2computer3 -servicePrincipalName: host/ldaptest2computer4 -servicePrincipalName: host/ldaptest2computer5 -servicePrincipalName: host/ldaptest2computer6 -servicePrincipalName: host/ldaptest2computer7 -servicePrincipalName: host/ldaptest2computer8 -servicePrincipalName: host/ldaptest2computer9 -servicePrincipalName: host/ldaptest2computer10 -servicePrincipalName: host/ldaptest2computer11 -servicePrincipalName: host/ldaptest2computer12 -servicePrincipalName: host/ldaptest2computer13 -servicePrincipalName: host/ldaptest2computer14 -servicePrincipalName: host/ldaptest2computer15 -servicePrincipalName: host/ldaptest2computer16 -servicePrincipalName: host/ldaptest2computer17 -servicePrincipalName: host/ldaptest2computer18 -servicePrincipalName: host/ldaptest2computer19 -servicePrincipalName: host/ldaptest2computer20 -servicePrincipalName: host/ldaptest2computer21 -servicePrincipalName: host/ldaptest2computer22 -servicePrincipalName: host/ldaptest2computer23 -servicePrincipalName: host/ldaptest2computer24 -servicePrincipalName: host/ldaptest2computer25 -servicePrincipalName: host/ldaptest2computer26 -servicePrincipalName: host/ldaptest2computer27 -servicePrincipalName: host/ldaptest2computer28 -servicePrincipalName: host/ldaptest2computer29 -""") - - res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, - attrs=["servicePrincipalName;range=0-*"]) - self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)") - #print len(res[0]["servicePrincipalName;range=0-*"]) - self.assertEquals(len(res[0]["servicePrincipalName;range=0-*"]), 30) - - res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, attrs=["servicePrincipalName;range=0-19"]) - self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)") - # print res[0]["servicePrincipalName;range=0-19"].length - self.assertEquals(len(res[0]["servicePrincipalName;range=0-19"]), 20) - - - res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, attrs=["servicePrincipalName;range=0-30"]) - self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)") - self.assertEquals(len(res[0]["servicePrincipalName;range=0-*"]), 30) - - res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, attrs=["servicePrincipalName;range=0-40"]) - self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)") - self.assertEquals(len(res[0]["servicePrincipalName;range=0-*"]), 30) - - res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, attrs=["servicePrincipalName;range=30-40"]) - self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)") - self.assertEquals(len(res[0]["servicePrincipalName;range=30-*"]), 0) - - - res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, attrs=["servicePrincipalName;range=10-40"]) - self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)") - self.assertEquals(len(res[0]["servicePrincipalName;range=10-*"]), 20) - # pos_11 = res[0]["servicePrincipalName;range=10-*"][18] - - res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, attrs=["servicePrincipalName;range=11-40"]) - self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)") - self.assertEquals(len(res[0]["servicePrincipalName;range=11-*"]), 19) - # print res[0]["servicePrincipalName;range=11-*"][18] - # print pos_11 - # self.assertEquals((res[0]["servicePrincipalName;range=11-*"][18]), pos_11) - - res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, attrs=["servicePrincipalName;range=11-15"]) - self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)") - self.assertEquals(len(res[0]["servicePrincipalName;range=11-15"]), 5) - # self.assertEquals(res[0]["servicePrincipalName;range=11-15"][4], pos_11) - - res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, attrs=["servicePrincipalName"]) - self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)") - # print res[0]["servicePrincipalName"][18] - # print pos_11 - self.assertEquals(len(res[0]["servicePrincipalName"]), 30) - # self.assertEquals(res[0]["servicePrincipalName"][18], pos_11) - - self.delete_force(self.ldb, "cn=ldaptestuser2,cn=users," + self.base_dn) - ldb.add({ - "dn": "cn=ldaptestuser2,cn=useRs," + self.base_dn, - "objectClass": ["person", "user"], - "cn": "LDAPtestUSER2", - "givenname": "testy", - "sn": "ldap user2"}) - - print "Testing Ambigious Name Resolution" - # Testing ldb.search for (&(anr=ldap testy)(objectClass=user)) - res = ldb.search(expression="(&(anr=ldap testy)(objectClass=user))") - self.assertEquals(len(res), 3, "Found only %d of 3 for (&(anr=ldap testy)(objectClass=user))" % len(res)) - - # Testing ldb.search for (&(anr=testy ldap)(objectClass=user)) - res = ldb.search(expression="(&(anr=testy ldap)(objectClass=user))") - self.assertEquals(len(res), 2, "Found only %d of 2 for (&(anr=testy ldap)(objectClass=user))" % len(res)) - - # Testing ldb.search for (&(anr=ldap)(objectClass=user)) - res = ldb.search(expression="(&(anr=ldap)(objectClass=user))") - self.assertEquals(len(res), 4, "Found only %d of 4 for (&(anr=ldap)(objectClass=user))" % len(res)) - - # Testing ldb.search for (&(anr==ldap)(objectClass=user)) - res = ldb.search(expression="(&(anr==ldap)(objectClass=user))") - self.assertEquals(len(res), 1, "Could not find (&(anr==ldap)(objectClass=user)). Found only %d for (&(anr=ldap)(objectClass=user))" % len(res)) - - self.assertEquals(str(res[0].dn), ("CN=ldaptestuser,CN=Users," + self.base_dn)) - self.assertEquals(res[0]["cn"][0], "ldaptestuser") - self.assertEquals(str(res[0]["name"]), "ldaptestuser") - - # Testing ldb.search for (&(anr=testy)(objectClass=user)) - res = ldb.search(expression="(&(anr=testy)(objectClass=user))") - self.assertEquals(len(res), 2, "Found only %d for (&(anr=testy)(objectClass=user))" % len(res)) - - # Testing ldb.search for (&(anr=testy ldap)(objectClass=user)) - res = ldb.search(expression="(&(anr=testy ldap)(objectClass=user))") - self.assertEquals(len(res), 2, "Found only %d for (&(anr=testy ldap)(objectClass=user))" % len(res)) - - # Testing ldb.search for (&(anr==testy ldap)(objectClass=user)) -# this test disabled for the moment, as anr with == tests are not understood -# res = ldb.search(expression="(&(anr==testy ldap)(objectClass=user))") -# self.assertEquals(len(res), 1, "Found only %d for (&(anr==testy ldap)(objectClass=user))" % len(res)) - -# self.assertEquals(str(res[0].dn), ("CN=ldaptestuser,CN=Users," + self.base_dn)) -# self.assertEquals(res[0]["cn"][0], "ldaptestuser") -# self.assertEquals(res[0]["name"][0], "ldaptestuser") - - # Testing ldb.search for (&(anr==testy ldap)(objectClass=user)) -# res = ldb.search(expression="(&(anr==testy ldap)(objectClass=user))") -# self.assertEquals(len(res), 1, "Could not find (&(anr==testy ldap)(objectClass=user))") - -# self.assertEquals(str(res[0].dn), ("CN=ldaptestuser,CN=Users," + self.base_dn)) -# self.assertEquals(res[0]["cn"][0], "ldaptestuser") -# self.assertEquals(res[0]["name"][0], "ldaptestuser") - - # Testing ldb.search for (&(anr=testy ldap user)(objectClass=user)) - res = ldb.search(expression="(&(anr=testy ldap user)(objectClass=user))") - self.assertEquals(len(res), 1, "Could not find (&(anr=testy ldap user)(objectClass=user))") - - self.assertEquals(str(res[0].dn), ("CN=ldaptestuser2,CN=Users," + self.base_dn)) - self.assertEquals(str(res[0]["cn"]), "ldaptestuser2") - self.assertEquals(str(res[0]["name"]), "ldaptestuser2") - - # Testing ldb.search for (&(anr==testy ldap user2)(objectClass=user)) -# res = ldb.search(expression="(&(anr==testy ldap user2)(objectClass=user))") -# self.assertEquals(len(res), 1, "Could not find (&(anr==testy ldap user2)(objectClass=user))") - - self.assertEquals(str(res[0].dn), ("CN=ldaptestuser2,CN=Users," + self.base_dn)) - self.assertEquals(str(res[0]["cn"]), "ldaptestuser2") - self.assertEquals(str(res[0]["name"]), "ldaptestuser2") - - # Testing ldb.search for (&(anr==ldap user2)(objectClass=user)) -# res = ldb.search(expression="(&(anr==ldap user2)(objectClass=user))") -# self.assertEquals(len(res), 1, "Could not find (&(anr==ldap user2)(objectClass=user))") - - self.assertEquals(str(res[0].dn), ("CN=ldaptestuser2,CN=Users," + self.base_dn)) - self.assertEquals(str(res[0]["cn"]), "ldaptestuser2") - self.assertEquals(str(res[0]["name"]), "ldaptestuser2") - - # Testing ldb.search for (&(anr==not ldap user2)(objectClass=user)) -# res = ldb.search(expression="(&(anr==not ldap user2)(objectClass=user))") -# self.assertEquals(len(res), 0, "Must not find (&(anr==not ldap user2)(objectClass=user))") - - # Testing ldb.search for (&(anr=not ldap user2)(objectClass=user)) - res = ldb.search(expression="(&(anr=not ldap user2)(objectClass=user))") - self.assertEquals(len(res), 0, "Must not find (&(anr=not ldap user2)(objectClass=user))") - - # Testing ldb.search for (&(anr="testy ldap")(objectClass=user)) (ie, with quotes) -# res = ldb.search(expression="(&(anr==\"testy ldap\")(objectClass=user))") -# self.assertEquals(len(res), 0, "Found (&(anr==\"testy ldap\")(objectClass=user))") - - print "Testing Renames" - - attrs = ["objectGUID", "objectSid"] - print "Testing ldb.search for (&(cn=ldaptestUSer2)(objectClass=user))" - res_user = ldb.search(self.base_dn, expression="(&(cn=ldaptestUSer2)(objectClass=user))", scope=SCOPE_SUBTREE, attrs=attrs) - self.assertEquals(len(res_user), 1, "Could not find (&(cn=ldaptestUSer2)(objectClass=user))") - - # Check rename works with extended/alternate DN forms - ldb.rename("" , "cn=ldaptestUSER3,cn=users," + self.base_dn) - - print "Testing ldb.search for (&(cn=ldaptestuser3)(objectClass=user))" - res = ldb.search(expression="(&(cn=ldaptestuser3)(objectClass=user))") - self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestuser3)(objectClass=user))") - - self.assertEquals(str(res[0].dn), ("CN=ldaptestUSER3,CN=Users," + self.base_dn)) - self.assertEquals(str(res[0]["cn"]), "ldaptestUSER3") - self.assertEquals(str(res[0]["name"]), "ldaptestUSER3") - - #"Testing ldb.search for (&(&(cn=ldaptestuser3)(userAccountControl=*))(objectClass=user))" - res = ldb.search(expression="(&(&(cn=ldaptestuser3)(userAccountControl=*))(objectClass=user))") - self.assertEquals(len(res), 1, "(&(&(cn=ldaptestuser3)(userAccountControl=*))(objectClass=user))") - - self.assertEquals(str(res[0].dn), ("CN=ldaptestUSER3,CN=Users," + self.base_dn)) - self.assertEquals(str(res[0]["cn"]), "ldaptestUSER3") - self.assertEquals(str(res[0]["name"]), "ldaptestUSER3") - - #"Testing ldb.search for (&(&(cn=ldaptestuser3)(userAccountControl=546))(objectClass=user))" - res = ldb.search(expression="(&(&(cn=ldaptestuser3)(userAccountControl=546))(objectClass=user))") - self.assertEquals(len(res), 1, "(&(&(cn=ldaptestuser3)(userAccountControl=546))(objectClass=user))") - - self.assertEquals(str(res[0].dn), ("CN=ldaptestUSER3,CN=Users," + self.base_dn)) - self.assertEquals(str(res[0]["cn"]), "ldaptestUSER3") - self.assertEquals(str(res[0]["name"]), "ldaptestUSER3") - - #"Testing ldb.search for (&(&(cn=ldaptestuser3)(userAccountControl=547))(objectClass=user))" - res = ldb.search(expression="(&(&(cn=ldaptestuser3)(userAccountControl=547))(objectClass=user))") - self.assertEquals(len(res), 0, "(&(&(cn=ldaptestuser3)(userAccountControl=547))(objectClass=user))") - - # This is a Samba special, and does not exist in real AD - # print "Testing ldb.search for (dn=CN=ldaptestUSER3,CN=Users," + self.base_dn + ")" - # res = ldb.search("(dn=CN=ldaptestUSER3,CN=Users," + self.base_dn + ")") - # if (res.error != 0 || len(res) != 1) { - # print "Could not find (dn=CN=ldaptestUSER3,CN=Users," + self.base_dn + ")" - # self.assertEquals(len(res), 1) - # } - # self.assertEquals(res[0].dn, ("CN=ldaptestUSER3,CN=Users," + self.base_dn)) - # self.assertEquals(res[0].cn, "ldaptestUSER3") - # self.assertEquals(res[0].name, "ldaptestUSER3") - - print "Testing ldb.search for (distinguishedName=CN=ldaptestUSER3,CN=Users," + self.base_dn + ")" - res = ldb.search(expression="(distinguishedName=CN=ldaptestUSER3,CN=Users," + self.base_dn + ")") - self.assertEquals(len(res), 1, "Could not find (dn=CN=ldaptestUSER3,CN=Users," + self.base_dn + ")") - self.assertEquals(str(res[0].dn), ("CN=ldaptestUSER3,CN=Users," + self.base_dn)) - self.assertEquals(str(res[0]["cn"]), "ldaptestUSER3") - self.assertEquals(str(res[0]["name"]), "ldaptestUSER3") - - # ensure we cannot add it again - try: - ldb.add({"dn": "cn=ldaptestuser3,cn=userS," + self.base_dn, - "objectClass": ["person", "user"], - "cn": "LDAPtestUSER3"}) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS) - - # rename back - ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, "cn=ldaptestuser2,cn=users," + self.base_dn) - - # ensure we cannot rename it twice - try: - ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, - "cn=ldaptestuser2,cn=users," + self.base_dn) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_NO_SUCH_OBJECT) - - # ensure can now use that name - ldb.add({"dn": "cn=ldaptestuser3,cn=users," + self.base_dn, - "objectClass": ["person", "user"], - "cn": "LDAPtestUSER3"}) - - # ensure we now cannot rename - try: - ldb.rename("cn=ldaptestuser2,cn=users," + self.base_dn, "cn=ldaptestuser3,cn=users," + self.base_dn) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS) - try: - ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, "cn=ldaptestuser3,cn=configuration," + self.base_dn) - self.fail() - except LdbError, (num, _): - self.assertTrue(num in (71, 64)) - - ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, "cn=ldaptestuser5,cn=users," + self.base_dn) - - ldb.delete("cn=ldaptestuser5,cn=users," + self.base_dn) - - self.delete_force(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn) - - ldb.rename("cn=ldaptestgroup,cn=users," + self.base_dn, "cn=ldaptestgroup2,cn=users," + self.base_dn) - - print "Testing subtree renames" - - ldb.add({"dn": "cn=ldaptestcontainer," + self.base_dn, - "objectClass": "container"}) - - ldb.add({"dn": "CN=ldaptestuser4,CN=ldaptestcontainer," + self.base_dn, - "objectClass": ["person", "user"], - "cn": "LDAPtestUSER4"}) - - ldb.modify_ldif(""" -dn: cn=ldaptestgroup2,cn=users,""" + self.base_dn + """ -changetype: modify -add: member -member: cn=ldaptestuser4,cn=ldaptestcontainer,""" + self.base_dn + """ -member: cn=ldaptestcomputer,cn=computers,""" + self.base_dn + """ -member: cn=ldaptestuser2,cn=users,""" + self.base_dn + """ -""") - - print "Testing ldb.rename of cn=ldaptestcontainer," + self.base_dn + " to cn=ldaptestcontainer2," + self.base_dn - ldb.rename("CN=ldaptestcontainer," + self.base_dn, "CN=ldaptestcontainer2," + self.base_dn) - - print "Testing ldb.search for (&(cn=ldaptestuser4)(objectClass=user))" - res = ldb.search(expression="(&(cn=ldaptestuser4)(objectClass=user))") - self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestuser4)(objectClass=user))") - - print "Testing subtree ldb.search for (&(cn=ldaptestuser4)(objectClass=user)) in (just renamed from) cn=ldaptestcontainer," + self.base_dn - try: - res = ldb.search("cn=ldaptestcontainer," + self.base_dn, - expression="(&(cn=ldaptestuser4)(objectClass=user))", - scope=SCOPE_SUBTREE) - self.fail(res) - except LdbError, (num, _): - self.assertEquals(num, ERR_NO_SUCH_OBJECT) - - print "Testing one-level ldb.search for (&(cn=ldaptestuser4)(objectClass=user)) in (just renamed from) cn=ldaptestcontainer," + self.base_dn - try: - res = ldb.search("cn=ldaptestcontainer," + self.base_dn, - expression="(&(cn=ldaptestuser4)(objectClass=user))", scope=SCOPE_ONELEVEL) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_NO_SUCH_OBJECT) - - print "Testing ldb.search for (&(cn=ldaptestuser4)(objectClass=user)) in renamed container" - res = ldb.search("cn=ldaptestcontainer2," + self.base_dn, expression="(&(cn=ldaptestuser4)(objectClass=user))", scope=SCOPE_SUBTREE) - self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestuser4)(objectClass=user)) under cn=ldaptestcontainer2," + self.base_dn) - - self.assertEquals(str(res[0].dn), ("CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn)) - self.assertEquals(res[0]["memberOf"][0].upper(), ("CN=ldaptestgroup2,CN=Users," + self.base_dn).upper()) - - time.sleep(4) - - print "Testing ldb.search for (&(member=CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn + ")(objectclass=group)) to check subtree renames and linked attributes" - res = ldb.search(self.base_dn, expression="(&(member=CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn + ")(objectclass=group))", scope=SCOPE_SUBTREE) - self.assertEquals(len(res), 1, "Could not find (&(member=CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn + ")(objectclass=group)), perhaps linked attributes are not consistant with subtree renames?") - - print "Testing ldb.rename (into itself) of cn=ldaptestcontainer2," + self.base_dn + " to cn=ldaptestcontainer,cn=ldaptestcontainer2," + self.base_dn - try: - ldb.rename("cn=ldaptestcontainer2," + self.base_dn, "cn=ldaptestcontainer,cn=ldaptestcontainer2," + self.base_dn) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - - print "Testing ldb.rename (into non-existent container) of cn=ldaptestcontainer2," + self.base_dn + " to cn=ldaptestcontainer,cn=ldaptestcontainer3," + self.base_dn - try: - ldb.rename("cn=ldaptestcontainer2," + self.base_dn, "cn=ldaptestcontainer,cn=ldaptestcontainer3," + self.base_dn) - self.fail() - except LdbError, (num, _): - self.assertTrue(num in (ERR_UNWILLING_TO_PERFORM, ERR_OTHER)) - - print "Testing delete (should fail, not a leaf node) of renamed cn=ldaptestcontainer2," + self.base_dn - try: - ldb.delete("cn=ldaptestcontainer2," + self.base_dn) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_NOT_ALLOWED_ON_NON_LEAF) - - print "Testing base ldb.search for CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn - res = ldb.search(expression="(objectclass=*)", base=("CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn), scope=SCOPE_BASE) - self.assertEquals(len(res), 1) - res = ldb.search(expression="(cn=ldaptestuser40)", base=("CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn), scope=SCOPE_BASE) - self.assertEquals(len(res), 0) - - print "Testing one-level ldb.search for (&(cn=ldaptestuser4)(objectClass=user)) in cn=ldaptestcontainer2," + self.base_dn - res = ldb.search(expression="(&(cn=ldaptestuser4)(objectClass=user))", base=("cn=ldaptestcontainer2," + self.base_dn), scope=SCOPE_ONELEVEL) - # FIXME: self.assertEquals(len(res), 0) - - print "Testing one-level ldb.search for (&(cn=ldaptestuser4)(objectClass=user)) in cn=ldaptestcontainer2," + self.base_dn - res = ldb.search(expression="(&(cn=ldaptestuser4)(objectClass=user))", base=("cn=ldaptestcontainer2," + self.base_dn), scope=SCOPE_SUBTREE) - # FIXME: self.assertEquals(len(res), 0) - - print "Testing delete of subtree renamed "+("CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn) - ldb.delete(("CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn)) - print "Testing delete of renamed cn=ldaptestcontainer2," + self.base_dn - ldb.delete("cn=ldaptestcontainer2," + self.base_dn) - - ldb.add({"dn": "cn=ldaptestutf8user èùéìòà,cn=users," + self.base_dn, "objectClass": "user"}) - - ldb.add({"dn": "cn=ldaptestutf8user2 èùéìòà,cn=users," + self.base_dn, "objectClass": "user"}) - - print "Testing ldb.search for (&(cn=ldaptestuser)(objectClass=user))" - res = ldb.search(expression="(&(cn=ldaptestuser)(objectClass=user))") - self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestuser)(objectClass=user))") - - self.assertEquals(str(res[0].dn), ("CN=ldaptestuser,CN=Users," + self.base_dn)) - self.assertEquals(str(res[0]["cn"]), "ldaptestuser") - self.assertEquals(str(res[0]["name"]), "ldaptestuser") - self.assertEquals(set(res[0]["objectClass"]), set(["top", "person", "organizationalPerson", "user"])) - self.assertTrue("objectGUID" in res[0]) - self.assertTrue("whenCreated" in res[0]) - self.assertEquals(str(res[0]["objectCategory"]), ("CN=Person,CN=Schema,CN=Configuration," + self.base_dn)) - self.assertEquals(int(res[0]["sAMAccountType"][0]), ATYPE_NORMAL_ACCOUNT) - self.assertEquals(int(res[0]["userAccountControl"][0]), UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD | UF_ACCOUNTDISABLE) - self.assertEquals(res[0]["memberOf"][0].upper(), ("CN=ldaptestgroup2,CN=Users," + self.base_dn).upper()) - self.assertEquals(len(res[0]["memberOf"]), 1) - - print "Testing ldb.search for (&(cn=ldaptestuser)(objectCategory=cn=person,cn=schema,cn=configuration," + self.base_dn + "))" - res2 = ldb.search(expression="(&(cn=ldaptestuser)(objectCategory=cn=person,cn=schema,cn=configuration," + self.base_dn + "))") - self.assertEquals(len(res2), 1, "Could not find (&(cn=ldaptestuser)(objectCategory=cn=person,cn=schema,cn=configuration," + self.base_dn + "))") - - self.assertEquals(res[0].dn, res2[0].dn) - - print "Testing ldb.search for (&(cn=ldaptestuser)(objectCategory=PerSon))" - res3 = ldb.search(expression="(&(cn=ldaptestuser)(objectCategory=PerSon))") - self.assertEquals(len(res3), 1, "Could not find (&(cn=ldaptestuser)(objectCategory=PerSon)): matched %d" % len(res3)) - - self.assertEquals(res[0].dn, res3[0].dn) - - if gc_ldb is not None: - print "Testing ldb.search for (&(cn=ldaptestuser)(objectCategory=PerSon)) in Global Catalog" - res3gc = gc_ldb.search(expression="(&(cn=ldaptestuser)(objectCategory=PerSon))") - self.assertEquals(len(res3gc), 1) - - self.assertEquals(res[0].dn, res3gc[0].dn) - - print "Testing ldb.search for (&(cn=ldaptestuser)(objectCategory=PerSon)) in with 'phantom root' control" - - if gc_ldb is not None: - res3control = gc_ldb.search(self.base_dn, expression="(&(cn=ldaptestuser)(objectCategory=PerSon))", scope=SCOPE_SUBTREE, attrs=["cn"], controls=["search_options:1:2"]) - self.assertEquals(len(res3control), 1, "Could not find (&(cn=ldaptestuser)(objectCategory=PerSon)) in Global Catalog") - - self.assertEquals(res[0].dn, res3control[0].dn) - - ldb.delete(res[0].dn) - - print "Testing ldb.search for (&(cn=ldaptestcomputer)(objectClass=user))" - res = ldb.search(expression="(&(cn=ldaptestcomputer)(objectClass=user))") - self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestuser)(objectClass=user))") - - self.assertEquals(str(res[0].dn), ("CN=ldaptestcomputer,CN=Computers," + self.base_dn)) - self.assertEquals(str(res[0]["cn"]), "ldaptestcomputer") - self.assertEquals(str(res[0]["name"]), "ldaptestcomputer") - self.assertEquals(set(res[0]["objectClass"]), set(["top", "person", "organizationalPerson", "user", "computer"])) - self.assertTrue("objectGUID" in res[0]) - self.assertTrue("whenCreated" in res[0]) - self.assertEquals(str(res[0]["objectCategory"]), ("CN=Computer,CN=Schema,CN=Configuration," + self.base_dn)) - self.assertEquals(int(res[0]["primaryGroupID"][0]), 513) - self.assertEquals(int(res[0]["sAMAccountType"][0]), ATYPE_NORMAL_ACCOUNT) - self.assertEquals(int(res[0]["userAccountControl"][0]), UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD | UF_ACCOUNTDISABLE) - self.assertEquals(res[0]["memberOf"][0].upper(), ("CN=ldaptestgroup2,CN=Users," + self.base_dn).upper()) - self.assertEquals(len(res[0]["memberOf"]), 1) - - print "Testing ldb.search for (&(cn=ldaptestcomputer)(objectCategory=cn=computer,cn=schema,cn=configuration," + self.base_dn + "))" - res2 = ldb.search(expression="(&(cn=ldaptestcomputer)(objectCategory=cn=computer,cn=schema,cn=configuration," + self.base_dn + "))") - self.assertEquals(len(res2), 1, "Could not find (&(cn=ldaptestcomputer)(objectCategory=cn=computer,cn=schema,cn=configuration," + self.base_dn + "))") - - self.assertEquals(res[0].dn, res2[0].dn) - - if gc_ldb is not None: - print "Testing ldb.search for (&(cn=ldaptestcomputer)(objectCategory=cn=computer,cn=schema,cn=configuration," + self.base_dn + ")) in Global Catlog" - res2gc = gc_ldb.search(expression="(&(cn=ldaptestcomputer)(objectCategory=cn=computer,cn=schema,cn=configuration," + self.base_dn + "))") - self.assertEquals(len(res2gc), 1, "Could not find (&(cn=ldaptestcomputer)(objectCategory=cn=computer,cn=schema,cn=configuration," + self.base_dn + ")) in Global Catlog") - - self.assertEquals(res[0].dn, res2gc[0].dn) - - print "Testing ldb.search for (&(cn=ldaptestcomputer)(objectCategory=compuTER))" - res3 = ldb.search(expression="(&(cn=ldaptestcomputer)(objectCategory=compuTER))") - self.assertEquals(len(res3), 1, "Could not find (&(cn=ldaptestcomputer)(objectCategory=compuTER))") - - self.assertEquals(res[0].dn, res3[0].dn) - - if gc_ldb is not None: - print "Testing ldb.search for (&(cn=ldaptestcomputer)(objectCategory=compuTER)) in Global Catalog" - res3gc = gc_ldb.search(expression="(&(cn=ldaptestcomputer)(objectCategory=compuTER))") - self.assertEquals(len(res3gc), 1, "Could not find (&(cn=ldaptestcomputer)(objectCategory=compuTER)) in Global Catalog") - - self.assertEquals(res[0].dn, res3gc[0].dn) - - print "Testing ldb.search for (&(cn=ldaptestcomp*r)(objectCategory=compuTER))" - res4 = ldb.search(expression="(&(cn=ldaptestcomp*r)(objectCategory=compuTER))") - self.assertEquals(len(res4), 1, "Could not find (&(cn=ldaptestcomp*r)(objectCategory=compuTER))") - - self.assertEquals(res[0].dn, res4[0].dn) - - print "Testing ldb.search for (&(cn=ldaptestcomput*)(objectCategory=compuTER))" - res5 = ldb.search(expression="(&(cn=ldaptestcomput*)(objectCategory=compuTER))") - self.assertEquals(len(res5), 1, "Could not find (&(cn=ldaptestcomput*)(objectCategory=compuTER))") - - self.assertEquals(res[0].dn, res5[0].dn) - - print "Testing ldb.search for (&(cn=*daptestcomputer)(objectCategory=compuTER))" - res6 = ldb.search(expression="(&(cn=*daptestcomputer)(objectCategory=compuTER))") - self.assertEquals(len(res6), 1, "Could not find (&(cn=*daptestcomputer)(objectCategory=compuTER))") - - self.assertEquals(res[0].dn, res6[0].dn) - - ldb.delete("") - - print "Testing ldb.search for (&(cn=ldaptest2computer)(objectClass=user))" - res = ldb.search(expression="(&(cn=ldaptest2computer)(objectClass=user))") - self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptest2computer)(objectClass=user))") - - self.assertEquals(str(res[0].dn), "CN=ldaptest2computer,CN=Computers," + self.base_dn) - self.assertEquals(str(res[0]["cn"]), "ldaptest2computer") - self.assertEquals(str(res[0]["name"]), "ldaptest2computer") - self.assertEquals(list(res[0]["objectClass"]), ["top", "person", "organizationalPerson", "user", "computer"]) - self.assertTrue("objectGUID" in res[0]) - self.assertTrue("whenCreated" in res[0]) - self.assertEquals(res[0]["objectCategory"][0], "CN=Computer,CN=Schema,CN=Configuration," + self.base_dn) - self.assertEquals(int(res[0]["sAMAccountType"][0]), ATYPE_WORKSTATION_TRUST) - self.assertEquals(int(res[0]["userAccountControl"][0]), UF_WORKSTATION_TRUST_ACCOUNT) - - ldb.delete("") - - attrs = ["cn", "name", "objectClass", "objectGUID", "objectSID", "whenCreated", "nTSecurityDescriptor", "memberOf", "allowedAttributes", "allowedAttributesEffective"] - print "Testing ldb.search for (&(cn=ldaptestUSer2)(objectClass=user))" - res_user = ldb.search(self.base_dn, expression="(&(cn=ldaptestUSer2)(objectClass=user))", scope=SCOPE_SUBTREE, attrs=attrs) - self.assertEquals(len(res_user), 1, "Could not find (&(cn=ldaptestUSer2)(objectClass=user))") - - self.assertEquals(str(res_user[0].dn), ("CN=ldaptestuser2,CN=Users," + self.base_dn)) - self.assertEquals(str(res_user[0]["cn"]), "ldaptestuser2") - self.assertEquals(str(res_user[0]["name"]), "ldaptestuser2") - self.assertEquals(list(res_user[0]["objectClass"]), ["top", "person", "organizationalPerson", "user"]) - self.assertTrue("objectSid" in res_user[0]) - self.assertTrue("objectGUID" in res_user[0]) - self.assertTrue("whenCreated" in res_user[0]) - self.assertTrue("nTSecurityDescriptor" in res_user[0]) - self.assertTrue("allowedAttributes" in res_user[0]) - self.assertTrue("allowedAttributesEffective" in res_user[0]) - self.assertEquals(res_user[0]["memberOf"][0].upper(), ("CN=ldaptestgroup2,CN=Users," + self.base_dn).upper()) - - ldaptestuser2_sid = res_user[0]["objectSid"][0] - ldaptestuser2_guid = res_user[0]["objectGUID"][0] - - attrs = ["cn", "name", "objectClass", "objectGUID", "objectSID", "whenCreated", "nTSecurityDescriptor", "member", "allowedAttributes", "allowedAttributesEffective"] - print "Testing ldb.search for (&(cn=ldaptestgroup2)(objectClass=group))" - res = ldb.search(self.base_dn, expression="(&(cn=ldaptestgroup2)(objectClass=group))", scope=SCOPE_SUBTREE, attrs=attrs) - self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestgroup2)(objectClass=group))") - - self.assertEquals(str(res[0].dn), ("CN=ldaptestgroup2,CN=Users," + self.base_dn)) - self.assertEquals(str(res[0]["cn"]), "ldaptestgroup2") - self.assertEquals(str(res[0]["name"]), "ldaptestgroup2") - self.assertEquals(list(res[0]["objectClass"]), ["top", "group"]) - self.assertTrue("objectGUID" in res[0]) - self.assertTrue("objectSid" in res[0]) - self.assertTrue("whenCreated" in res[0]) - self.assertTrue("nTSecurityDescriptor" in res[0]) - self.assertTrue("allowedAttributes" in res[0]) - self.assertTrue("allowedAttributesEffective" in res[0]) - memberUP = [] - for m in res[0]["member"]: - memberUP.append(m.upper()) - self.assertTrue(("CN=ldaptestuser2,CN=Users," + self.base_dn).upper() in memberUP) - - res = ldb.search(self.base_dn, expression="(&(cn=ldaptestgroup2)(objectClass=group))", scope=SCOPE_SUBTREE, attrs=attrs, controls=["extended_dn:1:1"]) - self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestgroup2)(objectClass=group))") - - print res[0]["member"] - memberUP = [] - for m in res[0]["member"]: - memberUP.append(m.upper()) - print (";;CN=ldaptestuser2,CN=Users," + self.base_dn).upper() - - self.assertTrue((";;CN=ldaptestuser2,CN=Users," + self.base_dn).upper() in memberUP) - - print "Quicktest for linked attributes" - ldb.modify_ldif(""" -dn: cn=ldaptestgroup2,cn=users,""" + self.base_dn + """ -changetype: modify -replace: member -member: CN=ldaptestuser2,CN=Users,""" + self.base_dn + """ -member: CN=ldaptestutf8user èùéìòà,CN=Users,""" + self.base_dn + """ -""") - - ldb.modify_ldif(""" -dn: -changetype: modify -replace: member -member: CN=ldaptestutf8user èùéìòà,CN=Users,""" + self.base_dn + """ -""") - - ldb.modify_ldif(""" -dn: -changetype: modify -delete: member -""") - - ldb.modify_ldif(""" -dn: cn=ldaptestgroup2,cn=users,""" + self.base_dn + """ -changetype: modify -add: member -member: -member: CN=ldaptestutf8user èùéìòà,CN=Users,""" + self.base_dn + """ -""") - - ldb.modify_ldif(""" -dn: cn=ldaptestgroup2,cn=users,""" + self.base_dn + """ -changetype: modify -replace: member -""") - - ldb.modify_ldif(""" -dn: cn=ldaptestgroup2,cn=users,""" + self.base_dn + """ -changetype: modify -add: member -member: -member: CN=ldaptestutf8user èùéìòà,CN=Users,""" + self.base_dn + """ -""") - - ldb.modify_ldif(""" -dn: cn=ldaptestgroup2,cn=users,""" + self.base_dn + """ -changetype: modify -delete: member -member: CN=ldaptestutf8user èùéìòà,CN=Users,""" + self.base_dn + """ -""") - - res = ldb.search(self.base_dn, expression="(&(cn=ldaptestgroup2)(objectClass=group))", scope=SCOPE_SUBTREE, attrs=attrs) - self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestgroup2)(objectClass=group))") - - self.assertEquals(str(res[0].dn), ("CN=ldaptestgroup2,CN=Users," + self.base_dn)) - self.assertEquals(res[0]["member"][0], ("CN=ldaptestuser2,CN=Users," + self.base_dn)) - self.assertEquals(len(res[0]["member"]), 1) - - ldb.delete(("CN=ldaptestuser2,CN=Users," + self.base_dn)) - - time.sleep(4) - - attrs = ["cn", "name", "objectClass", "objectGUID", "whenCreated", "nTSecurityDescriptor", "member"] - print "Testing ldb.search for (&(cn=ldaptestgroup2)(objectClass=group)) to check linked delete" - res = ldb.search(self.base_dn, expression="(&(cn=ldaptestgroup2)(objectClass=group))", scope=SCOPE_SUBTREE, attrs=attrs) - self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestgroup2)(objectClass=group)) to check linked delete") - - self.assertEquals(str(res[0].dn), ("CN=ldaptestgroup2,CN=Users," + self.base_dn)) - self.assertTrue("member" not in res[0]) - - print "Testing ldb.search for (&(cn=ldaptestutf8user ÈÙÉÌÒÀ)(objectClass=user))" -# TODO UTF8 users don't seem to work fully anymore -# res = ldb.search(expression="(&(cn=ldaptestutf8user ÈÙÉÌÒÀ)(objectClass=user))") - res = ldb.search(expression="(&(cn=ldaptestutf8user èùéìòà)(objectclass=user))") - self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestutf8user ÈÙÉÌÒÀ)(objectClass=user))") - - self.assertEquals(str(res[0].dn), ("CN=ldaptestutf8user èùéìòà,CN=Users," + self.base_dn)) - self.assertEquals(str(res[0]["cn"]), "ldaptestutf8user èùéìòà") - self.assertEquals(str(res[0]["name"]), "ldaptestutf8user èùéìòà") - self.assertEquals(list(res[0]["objectClass"]), ["top", "person", "organizationalPerson", "user"]) - self.assertTrue("objectGUID" in res[0]) - self.assertTrue("whenCreated" in res[0]) - - ldb.delete(res[0].dn) - - print "Testing ldb.search for (&(cn=ldaptestutf8user2*)(objectClass=user))" - res = ldb.search(expression="(&(cn=ldaptestutf8user2*)(objectClass=user))") - self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestutf8user2*)(objectClass=user))") - - ldb.delete(res[0].dn) - - ldb.delete(("CN=ldaptestgroup2,CN=Users," + self.base_dn)) - - print "Testing ldb.search for (&(cn=ldaptestutf8user2 ÈÙÉÌÒÀ)(objectClass=user))" -# TODO UTF8 users don't seem to work fully anymore -# res = ldb.search(expression="(&(cn=ldaptestutf8user ÈÙÉÌÒÀ)(objectClass=user))") -# self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestutf8user ÈÙÉÌÒÀ)(objectClass=user))") - - print "Testing that we can't get at the configuration DN from the main search base" - res = ldb.search(self.base_dn, expression="objectClass=crossRef", scope=SCOPE_SUBTREE, attrs=["cn"]) - self.assertEquals(len(res), 0) - - print "Testing that we can get at the configuration DN from the main search base on the LDAP port with the 'phantom root' search_options control" - res = ldb.search(self.base_dn, expression="objectClass=crossRef", scope=SCOPE_SUBTREE, attrs=["cn"], controls=["search_options:1:2"]) - self.assertTrue(len(res) > 0) - - if gc_ldb is not None: - print "Testing that we can get at the configuration DN from the main search base on the GC port with the search_options control == 0" - - res = gc_ldb.search(self.base_dn, expression="objectClass=crossRef", scope=SCOPE_SUBTREE, attrs=["cn"], controls=["search_options:1:0"]) - self.assertTrue(len(res) > 0) - - print "Testing that we do find configuration elements in the global catlog" - res = gc_ldb.search(self.base_dn, expression="objectClass=crossRef", scope=SCOPE_SUBTREE, attrs=["cn"]) - self.assertTrue(len(res) > 0) - - print "Testing that we do find configuration elements and user elements at the same time" - res = gc_ldb.search(self.base_dn, expression="(|(objectClass=crossRef)(objectClass=person))", scope=SCOPE_SUBTREE, attrs=["cn"]) - self.assertTrue(len(res) > 0) - - print "Testing that we do find configuration elements in the global catlog, with the configuration basedn" - res = gc_ldb.search(self.configuration_dn, expression="objectClass=crossRef", scope=SCOPE_SUBTREE, attrs=["cn"]) - self.assertTrue(len(res) > 0) - - print "Testing that we can get at the configuration DN on the main LDAP port" - res = ldb.search(self.configuration_dn, expression="objectClass=crossRef", scope=SCOPE_SUBTREE, attrs=["cn"]) - self.assertTrue(len(res) > 0) - - print "Testing objectCategory canonacolisation" - res = ldb.search(self.configuration_dn, expression="objectCategory=ntDsDSA", scope=SCOPE_SUBTREE, attrs=["cn"]) - self.assertTrue(len(res) > 0, "Didn't find any records with objectCategory=ntDsDSA") - self.assertTrue(len(res) != 0) - - res = ldb.search(self.configuration_dn, expression="objectCategory=CN=ntDs-DSA," + self.schema_dn, scope=SCOPE_SUBTREE, attrs=["cn"]) - self.assertTrue(len(res) > 0, "Didn't find any records with objectCategory=CN=ntDs-DSA," + self.schema_dn) - self.assertTrue(len(res) != 0) - - print "Testing objectClass attribute order on "+ self.base_dn - res = ldb.search(expression="objectClass=domain", base=self.base_dn, - scope=SCOPE_BASE, attrs=["objectClass"]) - self.assertEquals(len(res), 1) - - self.assertEquals(list(res[0]["objectClass"]), ["top", "domain", "domainDNS"]) - - # check enumeration - - print "Testing ldb.search for objectCategory=person" - res = ldb.search(self.base_dn, expression="objectCategory=person", scope=SCOPE_SUBTREE, attrs=["cn"]) - self.assertTrue(len(res) > 0) - - print "Testing ldb.search for objectCategory=person with domain scope control" - res = ldb.search(self.base_dn, expression="objectCategory=person", scope=SCOPE_SUBTREE, attrs=["cn"], controls=["domain_scope:1"]) - self.assertTrue(len(res) > 0) - - print "Testing ldb.search for objectCategory=user" - res = ldb.search(self.base_dn, expression="objectCategory=user", scope=SCOPE_SUBTREE, attrs=["cn"]) - self.assertTrue(len(res) > 0) - - print "Testing ldb.search for objectCategory=user with domain scope control" - res = ldb.search(self.base_dn, expression="objectCategory=user", scope=SCOPE_SUBTREE, attrs=["cn"], controls=["domain_scope:1"]) - self.assertTrue(len(res) > 0) - - print "Testing ldb.search for objectCategory=group" - res = ldb.search(self.base_dn, expression="objectCategory=group", scope=SCOPE_SUBTREE, attrs=["cn"]) - self.assertTrue(len(res) > 0) - - print "Testing ldb.search for objectCategory=group with domain scope control" - res = ldb.search(self.base_dn, expression="objectCategory=group", scope=SCOPE_SUBTREE, attrs=["cn"], controls=["domain_scope:1"]) - self.assertTrue(len(res) > 0) - - print "Testing creating a user with the posixAccount objectClass" - self.ldb.add_ldif("""dn: cn=posixuser,CN=Users,%s -objectClass: top -objectClass: person -objectClass: posixAccount -objectClass: user -objectClass: organizationalPerson -cn: posixuser -uid: posixuser -sn: posixuser -uidNumber: 10126 -gidNumber: 10126 -homeDirectory: /home/posixuser -loginShell: /bin/bash -gecos: Posix User;;; -description: A POSIX user"""% (self.base_dn)) - - print "Testing removing the posixAccount objectClass from an existing user" - self.ldb.modify_ldif("""dn: cn=posixuser,CN=Users,%s -changetype: modify -delete: objectClass -objectClass: posixAccount"""% (self.base_dn)) - - print "Testing adding the posixAccount objectClass to an existing user" - self.ldb.modify_ldif("""dn: cn=posixuser,CN=Users,%s -changetype: modify -add: objectClass -objectClass: posixAccount"""% (self.base_dn)) - - self.delete_force(self.ldb, "cn=posixuser,cn=users," + self.base_dn) - self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - self.delete_force(self.ldb, "cn=ldaptestuser2,cn=users," + self.base_dn) - self.delete_force(self.ldb, "cn=ldaptestuser3,cn=users," + self.base_dn) - self.delete_force(self.ldb, "cn=ldaptestuser4,cn=ldaptestcontainer," + self.base_dn) - self.delete_force(self.ldb, "cn=ldaptestuser4,cn=ldaptestcontainer2," + self.base_dn) - self.delete_force(self.ldb, "cn=ldaptestuser5,cn=users," + self.base_dn) - self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) - self.delete_force(self.ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn) - self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn) - self.delete_force(self.ldb, "cn=ldaptest2computer,cn=computers," + self.base_dn) - self.delete_force(self.ldb, "cn=ldaptestcomputer3,cn=computers," + self.base_dn) - self.delete_force(self.ldb, "cn=ldaptestutf8user èùéìòà,cn=users," + self.base_dn) - self.delete_force(self.ldb, "cn=ldaptestutf8user2 èùéìòà,cn=users," + self.base_dn) - self.delete_force(self.ldb, "cn=ldaptestcontainer," + self.base_dn) - self.delete_force(self.ldb, "cn=ldaptestcontainer2," + self.base_dn) - - def test_security_descriptor_add(self): - """ Testing ldb.add_ldif() for nTSecurityDescriptor """ - user_name = "testdescriptoruser1" - user_dn = "CN=%s,CN=Users,%s" % (user_name, self.base_dn) - # - # Test add_ldif() with SDDL security descriptor input - # - self.delete_force(self.ldb, user_dn) - try: - sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI" - self.ldb.add_ldif(""" -dn: """ + user_dn + """ -objectclass: user -sAMAccountName: """ + user_name + """ -nTSecurityDescriptor: """ + sddl) - res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"]) - desc = res[0]["nTSecurityDescriptor"][0] - desc = ndr_unpack( security.descriptor, desc ) - desc_sddl = desc.as_sddl( self.domain_sid ) - self.assertEqual(desc_sddl, sddl) - finally: - self.delete_force(self.ldb, user_dn) - # - # Test add_ldif() with BASE64 security descriptor - # - try: - sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI" - desc = security.descriptor.from_sddl(sddl, self.domain_sid) - desc_binary = ndr_pack(desc) - desc_base64 = base64.b64encode(desc_binary) - self.ldb.add_ldif(""" -dn: """ + user_dn + """ -objectclass: user -sAMAccountName: """ + user_name + """ -nTSecurityDescriptor:: """ + desc_base64) - res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"]) - desc = res[0]["nTSecurityDescriptor"][0] - desc = ndr_unpack(security.descriptor, desc) - desc_sddl = desc.as_sddl(self.domain_sid) - self.assertEqual(desc_sddl, sddl) - finally: - self.delete_force(self.ldb, user_dn) - - def test_security_descriptor_add_neg(self): - """Test add_ldif() with BASE64 security descriptor input using WRONG domain SID - Negative test - """ - user_name = "testdescriptoruser1" - user_dn = "CN=%s,CN=Users,%s" % (user_name, self.base_dn) - self.delete_force(self.ldb, user_dn) - try: - sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI" - desc = security.descriptor.from_sddl(sddl, security.dom_sid('S-1-5-21')) - desc_base64 = base64.b64encode( ndr_pack(desc) ) - self.ldb.add_ldif(""" -dn: """ + user_dn + """ -objectclass: user -sAMAccountName: """ + user_name + """ -nTSecurityDescriptor:: """ + desc_base64) - res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"]) - self.assertTrue("nTSecurityDescriptor" in res[0]) - finally: - self.delete_force(self.ldb, user_dn) - - def test_security_descriptor_modify(self): - """ Testing ldb.modify_ldif() for nTSecurityDescriptor """ - user_name = "testdescriptoruser2" - user_dn = "CN=%s,CN=Users,%s" % (user_name, self.base_dn) - # - # Delete user object and test modify_ldif() with SDDL security descriptor input - # Add ACE to the original descriptor test - # - try: - self.delete_force(self.ldb, user_dn) - self.ldb.add_ldif(""" -dn: """ + user_dn + """ -objectclass: user -sAMAccountName: """ + user_name) - # Modify descriptor - res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"]) - desc = res[0]["nTSecurityDescriptor"][0] - desc = ndr_unpack(security.descriptor, desc) - desc_sddl = desc.as_sddl(self.domain_sid) - sddl = desc_sddl[:desc_sddl.find("(")] + "(A;;RPWP;;;AU)" + desc_sddl[desc_sddl.find("("):] - mod = """ -dn: """ + user_dn + """ -changetype: modify -replace: nTSecurityDescriptor -nTSecurityDescriptor: """ + sddl - self.ldb.modify_ldif(mod) - # Read modified descriptor - res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"]) - desc = res[0]["nTSecurityDescriptor"][0] - desc = ndr_unpack(security.descriptor, desc) - desc_sddl = desc.as_sddl(self.domain_sid) - self.assertEqual(desc_sddl, sddl) - finally: - self.delete_force(self.ldb, user_dn) - # - # Test modify_ldif() with SDDL security descriptor input - # New desctiptor test - # - try: - self.ldb.add_ldif(""" -dn: """ + user_dn + """ -objectclass: user -sAMAccountName: """ + user_name) - # Modify descriptor - sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI" - mod = """ -dn: """ + user_dn + """ -changetype: modify -replace: nTSecurityDescriptor -nTSecurityDescriptor: """ + sddl - self.ldb.modify_ldif(mod) - # Read modified descriptor - res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"]) - desc = res[0]["nTSecurityDescriptor"][0] - desc = ndr_unpack(security.descriptor, desc) - desc_sddl = desc.as_sddl(self.domain_sid) - self.assertEqual(desc_sddl, sddl) - finally: - self.delete_force(self.ldb, user_dn) - # - # Test modify_ldif() with BASE64 security descriptor input - # Add ACE to the original descriptor test - # - try: - self.ldb.add_ldif(""" -dn: """ + user_dn + """ -objectclass: user -sAMAccountName: """ + user_name) - # Modify descriptor - res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"]) - desc = res[0]["nTSecurityDescriptor"][0] - desc = ndr_unpack(security.descriptor, desc) - desc_sddl = desc.as_sddl(self.domain_sid) - sddl = desc_sddl[:desc_sddl.find("(")] + "(A;;RPWP;;;AU)" + desc_sddl[desc_sddl.find("("):] - desc = security.descriptor.from_sddl(sddl, self.domain_sid) - desc_base64 = base64.b64encode(ndr_pack(desc)) - mod = """ -dn: """ + user_dn + """ -changetype: modify -replace: nTSecurityDescriptor -nTSecurityDescriptor:: """ + desc_base64 - self.ldb.modify_ldif(mod) - # Read modified descriptor - res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"]) - desc = res[0]["nTSecurityDescriptor"][0] - desc = ndr_unpack(security.descriptor, desc) - desc_sddl = desc.as_sddl(self.domain_sid) - self.assertEqual(desc_sddl, sddl) - finally: - self.delete_force(self.ldb, user_dn) - # - # Test modify_ldif() with BASE64 security descriptor input - # New descriptor test - # - try: - self.delete_force(self.ldb, user_dn) - self.ldb.add_ldif(""" -dn: """ + user_dn + """ -objectclass: user -sAMAccountName: """ + user_name) - # Modify descriptor - sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI" - desc = security.descriptor.from_sddl(sddl, self.domain_sid) - desc_base64 = base64.b64encode(ndr_pack(desc)) - mod = """ -dn: """ + user_dn + """ -changetype: modify -replace: nTSecurityDescriptor -nTSecurityDescriptor:: """ + desc_base64 - self.ldb.modify_ldif(mod) - # Read modified descriptor - res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"]) - desc = res[0]["nTSecurityDescriptor"][0] - desc = ndr_unpack(security.descriptor, desc) - desc_sddl = desc.as_sddl(self.domain_sid) - self.assertEqual(desc_sddl, sddl) - finally: - self.delete_force(self.ldb, user_dn) - - -class BaseDnTests(unittest.TestCase): - - def setUp(self): - super(BaseDnTests, self).setUp() - self.ldb = ldb - - def test_rootdse_attrs(self): - """Testing for all rootDSE attributes""" - res = self.ldb.search(scope=SCOPE_BASE, attrs=[]) - self.assertEquals(len(res), 1) - - def test_highestcommittedusn(self): - """Testing for highestCommittedUSN""" - res = self.ldb.search("", scope=SCOPE_BASE, attrs=["highestCommittedUSN"]) - self.assertEquals(len(res), 1) - self.assertTrue(int(res[0]["highestCommittedUSN"][0]) != 0) - - def test_netlogon(self): - """Testing for netlogon via LDAP""" - res = self.ldb.search("", scope=SCOPE_BASE, attrs=["netlogon"]) - self.assertEquals(len(res), 0) - - def test_netlogon_highestcommitted_usn(self): - """Testing for netlogon and highestCommittedUSN via LDAP""" - res = self.ldb.search("", scope=SCOPE_BASE, - attrs=["netlogon", "highestCommittedUSN"]) - self.assertEquals(len(res), 0) - - def test_namingContexts(self): - """Testing for namingContexts in rootDSE""" - res = self.ldb.search("", scope=SCOPE_BASE, - attrs=["namingContexts", "defaultNamingContext", "schemaNamingContext", "configurationNamingContext"]) - self.assertEquals(len(res), 1) - - ncs = set([]) - for nc in res[0]["namingContexts"]: - self.assertTrue(nc not in ncs) - ncs.add(nc) - - self.assertTrue(res[0]["defaultNamingContext"][0] in ncs) - self.assertTrue(res[0]["configurationNamingContext"][0] in ncs) - self.assertTrue(res[0]["schemaNamingContext"][0] in ncs) - - -if not "://" in host: - if os.path.isfile(host): - host = "tdb://%s" % host - else: - host = "ldap://%s" % host - -ldb = Ldb(host, credentials=creds, session_info=system_session(), lp=lp) -if not "tdb://" in host: - gc_ldb = Ldb("%s:3268" % host, credentials=creds, - session_info=system_session(), lp=lp) -else: - gc_ldb = None - -runner = SubunitTestRunner() -rc = 0 -if not runner.run(unittest.makeSuite(BaseDnTests)).wasSuccessful(): - rc = 1 -if not runner.run(unittest.makeSuite(BasicTests)).wasSuccessful(): - rc = 1 -sys.exit(rc) diff --git a/source4/lib/ldb/tests/python/ldap_schema.py b/source4/lib/ldb/tests/python/ldap_schema.py deleted file mode 100755 index 270e22adb1..0000000000 --- a/source4/lib/ldb/tests/python/ldap_schema.py +++ /dev/null @@ -1,556 +0,0 @@ -#!/usr/bin/env python -# -*- coding: utf-8 -*- -# This is a port of the original in testprogs/ejs/ldap.js - -import optparse -import sys -import time -import random -import os - -sys.path.append("bin/python") -import samba -samba.ensure_external_module("subunit", "subunit/python") -samba.ensure_external_module("testtools", "testtools") - -import samba.getopt as options - -from samba.auth import system_session -from ldb import SCOPE_ONELEVEL, SCOPE_BASE, LdbError -from ldb import ERR_NO_SUCH_OBJECT -from ldb import ERR_UNWILLING_TO_PERFORM -from ldb import ERR_CONSTRAINT_VIOLATION -from ldb import Message, MessageElement, Dn -from ldb import FLAG_MOD_REPLACE -from samba import Ldb -from samba.dsdb import DS_DOMAIN_FUNCTION_2003 - -from subunit.run import SubunitTestRunner -import unittest - -parser = optparse.OptionParser("ldap [options] ") -sambaopts = options.SambaOptions(parser) -parser.add_option_group(sambaopts) -parser.add_option_group(options.VersionOptions(parser)) -# use command line creds if available -credopts = options.CredentialsOptions(parser) -parser.add_option_group(credopts) -opts, args = parser.parse_args() - -if len(args) < 1: - parser.print_usage() - sys.exit(1) - -host = args[0] - -lp = sambaopts.get_loadparm() -creds = credopts.get_credentials(lp) - - -class SchemaTests(unittest.TestCase): - - def delete_force(self, ldb, dn): - try: - ldb.delete(dn) - except LdbError, (num, _): - self.assertEquals(num, ERR_NO_SUCH_OBJECT) - - def find_schemadn(self, ldb): - res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["schemaNamingContext"]) - self.assertEquals(len(res), 1) - return res[0]["schemaNamingContext"][0] - - def find_basedn(self, ldb): - res = ldb.search(base="", expression="", scope=SCOPE_BASE, - attrs=["defaultNamingContext"]) - self.assertEquals(len(res), 1) - return res[0]["defaultNamingContext"][0] - - def setUp(self): - super(SchemaTests, self).setUp() - self.ldb = ldb - self.schema_dn = self.find_schemadn(ldb) - self.base_dn = self.find_basedn(ldb) - - def test_generated_schema(self): - """Testing we can read the generated schema via LDAP""" - res = self.ldb.search("cn=aggregate,"+self.schema_dn, scope=SCOPE_BASE, - attrs=["objectClasses", "attributeTypes", "dITContentRules"]) - self.assertEquals(len(res), 1) - self.assertTrue("dITContentRules" in res[0]) - self.assertTrue("objectClasses" in res[0]) - self.assertTrue("attributeTypes" in res[0]) - - def test_generated_schema_is_operational(self): - """Testing we don't get the generated schema via LDAP by default""" - res = self.ldb.search("cn=aggregate,"+self.schema_dn, scope=SCOPE_BASE, - attrs=["*"]) - self.assertEquals(len(res), 1) - self.assertFalse("dITContentRules" in res[0]) - self.assertFalse("objectClasses" in res[0]) - self.assertFalse("attributeTypes" in res[0]) - - def test_schemaUpdateNow(self): - """Testing schemaUpdateNow""" - attr_name = "test-Attr" + time.strftime("%s", time.gmtime()) - attr_ldap_display_name = attr_name.replace("-", "") - - ldif = """ -dn: CN=%s,%s""" % (attr_name, self.schema_dn) + """ -objectClass: top -objectClass: attributeSchema -adminDescription: """ + attr_name + """ -adminDisplayName: """ + attr_name + """ -cn: """ + attr_name + """ -attributeId: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9940 -attributeSyntax: 2.5.5.12 -omSyntax: 64 -instanceType: 4 -isSingleValued: TRUE -systemOnly: FALSE -""" - self.ldb.add_ldif(ldif) - - # Search for created attribute - res = [] - res = self.ldb.search("cn=%s,%s" % (attr_name, self.schema_dn), scope=SCOPE_BASE, attrs=["*"]) - self.assertEquals(len(res), 1) - self.assertEquals(res[0]["lDAPDisplayName"][0], attr_ldap_display_name) - self.assertTrue("schemaIDGUID" in res[0]) - - # Samba requires a "schemaUpdateNow" here. - # TODO: remove this when Samba is fixed - ldif = """ -dn: -changetype: modify -add: schemaUpdateNow -schemaUpdateNow: 1 -""" - self.ldb.modify_ldif(ldif) - - class_name = "test-Class" + time.strftime("%s", time.gmtime()) - class_ldap_display_name = class_name.replace("-", "") - - # First try to create a class with a wrong "defaultObjectCategory" - ldif = """ -dn: CN=%s,%s""" % (class_name, self.schema_dn) + """ -objectClass: top -objectClass: classSchema -defaultObjectCategory: CN=_ -adminDescription: """ + class_name + """ -adminDisplayName: """ + class_name + """ -cn: """ + class_name + """ -governsId: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939 -instanceType: 4 -objectClassCategory: 1 -subClassOf: organizationalPerson -systemFlags: 16 -rDNAttID: cn -systemMustContain: cn -systemMustContain: """ + attr_ldap_display_name + """ -systemOnly: FALSE -""" - try: - self.ldb.add_ldif(ldif) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) - - ldif = """ -dn: CN=%s,%s""" % (class_name, self.schema_dn) + """ -objectClass: top -objectClass: classSchema -adminDescription: """ + class_name + """ -adminDisplayName: """ + class_name + """ -cn: """ + class_name + """ -governsId: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939 -instanceType: 4 -objectClassCategory: 1 -subClassOf: organizationalPerson -systemFlags: 16 -rDNAttID: cn -systemMustContain: cn -systemMustContain: """ + attr_ldap_display_name + """ -systemOnly: FALSE -""" - self.ldb.add_ldif(ldif) - - # Search for created objectclass - res = [] - res = self.ldb.search("cn=%s,%s" % (class_name, self.schema_dn), scope=SCOPE_BASE, attrs=["*"]) - self.assertEquals(len(res), 1) - self.assertEquals(res[0]["lDAPDisplayName"][0], class_ldap_display_name) - self.assertEquals(res[0]["defaultObjectCategory"][0], res[0]["distinguishedName"][0]) - self.assertTrue("schemaIDGUID" in res[0]) - - ldif = """ -dn: -changetype: modify -add: schemaUpdateNow -schemaUpdateNow: 1 -""" - self.ldb.modify_ldif(ldif) - - object_name = "obj" + time.strftime("%s", time.gmtime()) - - ldif = """ -dn: CN=%s,CN=Users,%s"""% (object_name, self.base_dn) + """ -objectClass: organizationalPerson -objectClass: person -objectClass: """ + class_ldap_display_name + """ -objectClass: top -cn: """ + object_name + """ -instanceType: 4 -objectCategory: CN=%s,%s"""% (class_name, self.schema_dn) + """ -distinguishedName: CN=%s,CN=Users,%s"""% (object_name, self.base_dn) + """ -name: """ + object_name + """ -""" + attr_ldap_display_name + """: test -""" - self.ldb.add_ldif(ldif) - - # Search for created object - res = [] - res = self.ldb.search("cn=%s,cn=Users,%s" % (object_name, self.base_dn), scope=SCOPE_BASE, attrs=["*"]) - self.assertEquals(len(res), 1) - # Delete the object - self.delete_force(self.ldb, "cn=%s,cn=Users,%s" % (object_name, self.base_dn)) - - -class SchemaTests_msDS_IntId(unittest.TestCase): - - def setUp(self): - super(SchemaTests_msDS_IntId, self).setUp() - self.ldb = ldb - res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"]) - self.assertEquals(len(res), 1) - self.schema_dn = res[0]["schemaNamingContext"][0] - self.base_dn = res[0]["defaultNamingContext"][0] - self.forest_level = int(res[0]["forestFunctionality"][0]) - - def _ldap_schemaUpdateNow(self): - ldif = """ -dn: -changetype: modify -add: schemaUpdateNow -schemaUpdateNow: 1 -""" - self.ldb.modify_ldif(ldif) - - def _make_obj_names(self, prefix): - class_name = prefix + time.strftime("%s", time.gmtime()) - class_ldap_name = class_name.replace("-", "") - class_dn = "CN=%s,%s" % (class_name, self.schema_dn) - return (class_name, class_ldap_name, class_dn) - - def _is_schema_base_object(self, ldb_msg): - """Test systemFlags for SYSTEM_FLAG_SCHEMA_BASE_OBJECT (16)""" - systemFlags = 0 - if "systemFlags" in ldb_msg: - systemFlags = int(ldb_msg["systemFlags"][0]) - return (systemFlags & 16) != 0 - - def _make_attr_ldif(self, attr_name, attr_dn): - ldif = """ -dn: """ + attr_dn + """ -objectClass: top -objectClass: attributeSchema -adminDescription: """ + attr_name + """ -adminDisplayName: """ + attr_name + """ -cn: """ + attr_name + """ -attributeId: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9940 -attributeSyntax: 2.5.5.12 -omSyntax: 64 -instanceType: 4 -isSingleValued: TRUE -systemOnly: FALSE -""" - return ldif - - def test_msDS_IntId_on_attr(self): - """Testing msDs-IntId creation for Attributes. - See MS-ADTS - 3.1.1.Attributes - - This test should verify that: - - Creating attribute with 'msDS-IntId' fails with ERR_UNWILLING_TO_PERFORM - - Adding 'msDS-IntId' on existing attribute fails with ERR_CONSTRAINT_VIOLATION - - Creating attribute with 'msDS-IntId' set and FLAG_SCHEMA_BASE_OBJECT flag - set fails with ERR_UNWILLING_TO_PERFORM - - Attributes created with FLAG_SCHEMA_BASE_OBJECT not set have - 'msDS-IntId' attribute added internally - """ - - # 1. Create attribute without systemFlags - # msDS-IntId should be created if forest functional - # level is >= DS_DOMAIN_FUNCTION_2003 - # and missing otherwise - (attr_name, attr_ldap_name, attr_dn) = self._make_obj_names("msDS-IntId-Attr-1-") - ldif = self._make_attr_ldif(attr_name, attr_dn) - - # try to add msDS-IntId during Attribute creation - ldif_fail = ldif + "msDS-IntId: -1993108831\n" - try: - self.ldb.add_ldif(ldif_fail) - self.fail("Adding attribute with preset msDS-IntId should fail") - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - - # add the new attribute and update schema - self.ldb.add_ldif(ldif) - self._ldap_schemaUpdateNow() - - # Search for created attribute - res = [] - res = self.ldb.search(attr_dn, scope=SCOPE_BASE, attrs=["*"]) - self.assertEquals(len(res), 1) - self.assertEquals(res[0]["lDAPDisplayName"][0], attr_ldap_name) - if self.forest_level >= DS_DOMAIN_FUNCTION_2003: - if self._is_schema_base_object(res[0]): - self.assertTrue("msDS-IntId" not in res[0]) - else: - self.assertTrue("msDS-IntId" in res[0]) - else: - self.assertTrue("msDS-IntId" not in res[0]) - - msg = Message() - msg.dn = Dn(self.ldb, attr_dn) - msg["msDS-IntId"] = MessageElement("-1993108831", FLAG_MOD_REPLACE, "msDS-IntId") - try: - self.ldb.modify(msg) - self.fail("Modifying msDS-IntId should return error") - except LdbError, (num, _): - self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) - - # 2. Create attribute with systemFlags = FLAG_SCHEMA_BASE_OBJECT - # msDS-IntId should be created if forest functional - # level is >= DS_DOMAIN_FUNCTION_2003 - # and missing otherwise - (attr_name, attr_ldap_name, attr_dn) = self._make_obj_names("msDS-IntId-Attr-2-") - ldif = self._make_attr_ldif(attr_name, attr_dn) - ldif += "systemFlags: 16\n" - - # try to add msDS-IntId during Attribute creation - ldif_fail = ldif + "msDS-IntId: -1993108831\n" - try: - self.ldb.add_ldif(ldif_fail) - self.fail("Adding attribute with preset msDS-IntId should fail") - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - - # add the new attribute and update schema - self.ldb.add_ldif(ldif) - self._ldap_schemaUpdateNow() - - # Search for created attribute - res = [] - res = self.ldb.search(attr_dn, scope=SCOPE_BASE, attrs=["*"]) - self.assertEquals(len(res), 1) - self.assertEquals(res[0]["lDAPDisplayName"][0], attr_ldap_name) - if self.forest_level >= DS_DOMAIN_FUNCTION_2003: - if self._is_schema_base_object(res[0]): - self.assertTrue("msDS-IntId" not in res[0]) - else: - self.assertTrue("msDS-IntId" in res[0]) - else: - self.assertTrue("msDS-IntId" not in res[0]) - - msg = Message() - msg.dn = Dn(self.ldb, attr_dn) - msg["msDS-IntId"] = MessageElement("-1993108831", FLAG_MOD_REPLACE, "msDS-IntId") - try: - self.ldb.modify(msg) - self.fail("Modifying msDS-IntId should return error") - except LdbError, (num, _): - self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) - - - def _make_class_ldif(self, class_dn, class_name): - ldif = """ -dn: """ + class_dn + """ -objectClass: top -objectClass: classSchema -adminDescription: """ + class_name + """ -adminDisplayName: """ + class_name + """ -cn: """ + class_name + """ -governsId: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939 -instanceType: 4 -objectClassCategory: 1 -subClassOf: organizationalPerson -rDNAttID: cn -systemMustContain: cn -systemOnly: FALSE -""" - return ldif - - def test_msDS_IntId_on_class(self): - """Testing msDs-IntId creation for Class - Reference: MS-ADTS - 3.1.1.2.4.8 Class classSchema""" - - # 1. Create Class without systemFlags - # msDS-IntId should be created if forest functional - # level is >= DS_DOMAIN_FUNCTION_2003 - # and missing otherwise - (class_name, class_ldap_name, class_dn) = self._make_obj_names("msDS-IntId-Class-1-") - ldif = self._make_class_ldif(class_dn, class_name) - - # try to add msDS-IntId during Class creation - ldif_add = ldif + "msDS-IntId: -1993108831\n" - self.ldb.add_ldif(ldif_add) - self._ldap_schemaUpdateNow() - - res = self.ldb.search(class_dn, scope=SCOPE_BASE, attrs=["*"]) - self.assertEquals(len(res), 1) - self.assertEquals(res[0]["msDS-IntId"][0], "-1993108831") - - # add a new Class and update schema - (class_name, class_ldap_name, class_dn) = self._make_obj_names("msDS-IntId-Class-2-") - ldif = self._make_class_ldif(class_dn, class_name) - - self.ldb.add_ldif(ldif) - self._ldap_schemaUpdateNow() - - # Search for created Class - res = self.ldb.search(class_dn, scope=SCOPE_BASE, attrs=["*"]) - self.assertEquals(len(res), 1) - self.assertFalse("msDS-IntId" in res[0]) - - msg = Message() - msg.dn = Dn(self.ldb, class_dn) - msg["msDS-IntId"] = MessageElement("-1993108831", FLAG_MOD_REPLACE, "msDS-IntId") - try: - self.ldb.modify(msg) - self.fail("Modifying msDS-IntId should return error") - except LdbError, (num, _): - self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) - - # 2. Create Class with systemFlags = FLAG_SCHEMA_BASE_OBJECT - # msDS-IntId should be created if forest functional - # level is >= DS_DOMAIN_FUNCTION_2003 - # and missing otherwise - (class_name, class_ldap_name, class_dn) = self._make_obj_names("msDS-IntId-Class-3-") - ldif = self._make_class_ldif(class_dn, class_name) - ldif += "systemFlags: 16\n" - - # try to add msDS-IntId during Class creation - ldif_add = ldif + "msDS-IntId: -1993108831\n" - self.ldb.add_ldif(ldif_add) - - res = self.ldb.search(class_dn, scope=SCOPE_BASE, attrs=["*"]) - self.assertEquals(len(res), 1) - self.assertEquals(res[0]["msDS-IntId"][0], "-1993108831") - - # add the new Class and update schema - (class_name, class_ldap_name, class_dn) = self._make_obj_names("msDS-IntId-Class-4-") - ldif = self._make_class_ldif(class_dn, class_name) - ldif += "systemFlags: 16\n" - - self.ldb.add_ldif(ldif) - self._ldap_schemaUpdateNow() - - # Search for created Class - res = self.ldb.search(class_dn, scope=SCOPE_BASE, attrs=["*"]) - self.assertEquals(len(res), 1) - self.assertFalse("msDS-IntId" in res[0]) - - msg = Message() - msg.dn = Dn(self.ldb, class_dn) - msg["msDS-IntId"] = MessageElement("-1993108831", FLAG_MOD_REPLACE, "msDS-IntId") - try: - self.ldb.modify(msg) - self.fail("Modifying msDS-IntId should return error") - except LdbError, (num, _): - self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) - res = self.ldb.search(class_dn, scope=SCOPE_BASE, attrs=["*"]) - self.assertEquals(len(res), 1) - self.assertFalse("msDS-IntId" in res[0]) - - - def test_verify_msDS_IntId(self): - """Verify msDS-IntId exists only on attributes without FLAG_SCHEMA_BASE_OBJECT flag set""" - count = 0 - res = self.ldb.search(self.schema_dn, scope=SCOPE_ONELEVEL, - expression="objectClass=attributeSchema", - attrs=["systemFlags", "msDS-IntId", "attributeID", "cn"]) - self.assertTrue(len(res) > 1) - for ldb_msg in res: - if self.forest_level >= DS_DOMAIN_FUNCTION_2003: - if self._is_schema_base_object(ldb_msg): - self.assertTrue("msDS-IntId" not in ldb_msg) - else: - # don't assert here as there are plenty of - # attributes under w2k8 that are not part of - # Base Schema (SYSTEM_FLAG_SCHEMA_BASE_OBJECT flag not set) - # has not msDS-IntId attribute set - #self.assertTrue("msDS-IntId" in ldb_msg, "msDS-IntId expected on: %s" % ldb_msg.dn) - if "msDS-IntId" not in ldb_msg: - count = count + 1 - print "%3d warning: msDS-IntId expected on: %-30s %s" % (count, ldb_msg["attributeID"], ldb_msg["cn"]) - else: - self.assertTrue("msDS-IntId" not in ldb_msg) - - -class SchemaTests_msDS_isRODC(unittest.TestCase): - - def setUp(self): - super(SchemaTests_msDS_isRODC, self).setUp() - self.ldb = ldb - res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"]) - self.assertEquals(len(res), 1) - self.base_dn = res[0]["defaultNamingContext"][0] - - def test_objectClass_ntdsdsa(self): - res = self.ldb.search(self.base_dn, expression="objectClass=nTDSDSA", - attrs=["msDS-isRODC"], controls=["search_options:1:2"]) - for ldb_msg in res: - self.assertTrue("msDS-isRODC" in ldb_msg) - - def test_objectClass_server(self): - res = self.ldb.search(self.base_dn, expression="objectClass=server", - attrs=["msDS-isRODC"], controls=["search_options:1:2"]) - for ldb_msg in res: - ntds_search_dn = "CN=NTDS Settings,%s" % ldb_msg['dn'] - try: - res_check = self.ldb.search(ntds_search_dn, attrs=["objectCategory"]) - except LdbError, (num, _): - self.assertEquals(num, ERR_NO_SUCH_OBJECT) - print("Server entry %s doesn't have a NTDS settings object" % res[0]['dn']) - else: - self.assertTrue("objectCategory" in res_check[0]) - self.assertTrue("msDS-isRODC" in ldb_msg) - - def test_objectClass_computer(self): - res = self.ldb.search(self.base_dn, expression="objectClass=computer", - attrs=["serverReferenceBL","msDS-isRODC"], controls=["search_options:1:2"]) - for ldb_msg in res: - if "serverReferenceBL" not in ldb_msg: - print("Computer entry %s doesn't have a serverReferenceBL attribute" % ldb_msg['dn']) - else: - self.assertTrue("msDS-isRODC" in ldb_msg) - -if not "://" in host: - if os.path.isfile(host): - host = "tdb://%s" % host - else: - host = "ldap://%s" % host - -ldb_options = [] -if host.startswith("ldap://"): - # user 'paged_search' module when connecting remotely - ldb_options = ["modules:paged_searches"] - -ldb = Ldb(host, credentials=creds, session_info=system_session(), lp=lp, options=ldb_options) -if not "tdb://" in host: - gc_ldb = Ldb("%s:3268" % host, credentials=creds, - session_info=system_session(), lp=lp) -else: - gc_ldb = None - -runner = SubunitTestRunner() -rc = 0 -if not runner.run(unittest.makeSuite(SchemaTests)).wasSuccessful(): - rc = 1 -if not runner.run(unittest.makeSuite(SchemaTests_msDS_IntId)).wasSuccessful(): - rc = 1 -if not runner.run(unittest.makeSuite(SchemaTests_msDS_isRODC)).wasSuccessful(): - rc = 1 - -sys.exit(rc) diff --git a/source4/lib/ldb/tests/python/passwords.py b/source4/lib/ldb/tests/python/passwords.py deleted file mode 100755 index fd2ed1c105..0000000000 --- a/source4/lib/ldb/tests/python/passwords.py +++ /dev/null @@ -1,615 +0,0 @@ -#!/usr/bin/env python -# -*- coding: utf-8 -*- -# This tests the password changes over LDAP for AD implementations -# -# Copyright Matthias Dieter Wallnoefer 2010 -# -# Notice: This tests will also work against Windows Server if the connection is -# secured enough (SASL with a minimum of 128 Bit encryption) - consider -# MS-ADTS 3.1.1.3.1.5 -# -# Important: Make sure that the minimum password age is set to "0"! - -import optparse -import sys -import base64 -import os - -sys.path.append("bin/python") -import samba -samba.ensure_external_module("subunit", "subunit/python") -samba.ensure_external_module("testtools", "testtools") - -import samba.getopt as options - -from samba.auth import system_session -from samba.credentials import Credentials -from ldb import SCOPE_BASE, LdbError -from ldb import ERR_NO_SUCH_OBJECT, ERR_ATTRIBUTE_OR_VALUE_EXISTS -from ldb import ERR_UNWILLING_TO_PERFORM -from ldb import ERR_NO_SUCH_ATTRIBUTE -from ldb import ERR_CONSTRAINT_VIOLATION -from ldb import Message, MessageElement, Dn -from ldb import FLAG_MOD_REPLACE, FLAG_MOD_DELETE -from samba import gensec -from samba.samdb import SamDB -import samba.tests -from subunit.run import SubunitTestRunner -import unittest - -parser = optparse.OptionParser("passwords [options] ") -sambaopts = options.SambaOptions(parser) -parser.add_option_group(sambaopts) -parser.add_option_group(options.VersionOptions(parser)) -# use command line creds if available -credopts = options.CredentialsOptions(parser) -parser.add_option_group(credopts) -opts, args = parser.parse_args() - -if len(args) < 1: - parser.print_usage() - sys.exit(1) - -host = args[0] - -lp = sambaopts.get_loadparm() -creds = credopts.get_credentials(lp) - -# Force an encrypted connection -creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL) - -# -# Tests start here -# - -class PasswordTests(samba.tests.TestCase): - - def delete_force(self, ldb, dn): - try: - ldb.delete(dn) - except LdbError, (num, _): - self.assertEquals(num, ERR_NO_SUCH_OBJECT) - - def find_basedn(self, ldb): - res = ldb.search(base="", expression="", scope=SCOPE_BASE, - attrs=["defaultNamingContext"]) - self.assertEquals(len(res), 1) - return res[0]["defaultNamingContext"][0] - - def setUp(self): - super(PasswordTests, self).setUp() - self.ldb = ldb - self.base_dn = self.find_basedn(ldb) - - # (Re)adds the test user "testuser" with the inital password - # "thatsAcomplPASS1" - self.delete_force(self.ldb, "cn=testuser,cn=users," + self.base_dn) - self.ldb.add({ - "dn": "cn=testuser,cn=users," + self.base_dn, - "objectclass": ["user", "person"], - "sAMAccountName": "testuser", - "userPassword": "thatsAcomplPASS1" }) - self.ldb.enable_account("(sAMAccountName=testuser)") - - # Open a second LDB connection with the user credentials. Use the - # command line credentials for informations like the domain, the realm - # and the workstation. - creds2 = Credentials() - # FIXME: Reactivate the user credentials when we have user password - # change support also on the ACL level in s4 - creds2.set_username(creds.get_username()) - creds2.set_password(creds.get_password()) - #creds2.set_username("testuser") - #creds2.set_password("thatsAcomplPASS1") - creds2.set_domain(creds.get_domain()) - creds2.set_realm(creds.get_realm()) - creds2.set_workstation(creds.get_workstation()) - creds2.set_gensec_features(creds2.get_gensec_features() - | gensec.FEATURE_SEAL) - self.ldb2 = SamDB(url=host, credentials=creds2, lp=lp) - - def test_unicodePwd_hash_set(self): - print "Performs a password hash set operation on 'unicodePwd' which should be prevented" - # Notice: Direct hash password sets should never work - - m = Message() - m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn) - m["unicodePwd"] = MessageElement("XXXXXXXXXXXXXXXX", FLAG_MOD_REPLACE, - "unicodePwd") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - - def test_unicodePwd_hash_change(self): - print "Performs a password hash change operation on 'unicodePwd' which should be prevented" - # Notice: Direct hash password changes should never work - - # Hash password changes should never work - try: - self.ldb2.modify_ldif(""" -dn: cn=testuser,cn=users,""" + self.base_dn + """ -changetype: modify -delete: unicodePwd -unicodePwd: XXXXXXXXXXXXXXXX -add: unicodePwd -unicodePwd: YYYYYYYYYYYYYYYY -""") - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) - - def test_unicodePwd_clear_set(self): - print "Performs a password cleartext set operation on 'unicodePwd'" - - m = Message() - m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn) - m["unicodePwd"] = MessageElement("\"thatsAcomplPASS2\"".encode('utf-16-le'), - FLAG_MOD_REPLACE, "unicodePwd") - ldb.modify(m) - - def test_unicodePwd_clear_change(self): - print "Performs a password cleartext change operation on 'unicodePwd'" - - self.ldb2.modify_ldif(""" -dn: cn=testuser,cn=users,""" + self.base_dn + """ -changetype: modify -delete: unicodePwd -unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS1\"".encode('utf-16-le')) + """ -add: unicodePwd -unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """ -""") - - # A change to the same password again will not work (password history) - try: - self.ldb2.modify_ldif(""" -dn: cn=testuser,cn=users,""" + self.base_dn + """ -changetype: modify -delete: unicodePwd -unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """ -add: unicodePwd -unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """ -""") - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) - - def test_dBCSPwd_hash_set(self): - print "Performs a password hash set operation on 'dBCSPwd' which should be prevented" - # Notice: Direct hash password sets should never work - - m = Message() - m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn) - m["dBCSPwd"] = MessageElement("XXXXXXXXXXXXXXXX", FLAG_MOD_REPLACE, - "dBCSPwd") - try: - ldb.modify(m) - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - - def test_dBCSPwd_hash_change(self): - print "Performs a password hash change operation on 'dBCSPwd' which should be prevented" - # Notice: Direct hash password changes should never work - - try: - self.ldb2.modify_ldif(""" -dn: cn=testuser,cn=users,""" + self.base_dn + """ -changetype: modify -delete: dBCSPwd -dBCSPwd: XXXXXXXXXXXXXXXX -add: dBCSPwd -dBCSPwd: YYYYYYYYYYYYYYYY -""") - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - - def test_userPassword_clear_set(self): - print "Performs a password cleartext set operation on 'userPassword'" - # Notice: This works only against Windows if "dSHeuristics" has been set - # properly - - m = Message() - m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn) - m["userPassword"] = MessageElement("thatsAcomplPASS2", FLAG_MOD_REPLACE, - "userPassword") - ldb.modify(m) - - def test_userPassword_clear_change(self): - print "Performs a password cleartext change operation on 'userPassword'" - # Notice: This works only against Windows if "dSHeuristics" has been set - # properly - - self.ldb2.modify_ldif(""" -dn: cn=testuser,cn=users,""" + self.base_dn + """ -changetype: modify -delete: userPassword -userPassword: thatsAcomplPASS1 -add: userPassword -userPassword: thatsAcomplPASS2 -""") - - # A change to the same password again will not work (password history) - try: - self.ldb2.modify_ldif(""" -dn: cn=testuser,cn=users,""" + self.base_dn + """ -changetype: modify -delete: userPassword -userPassword: thatsAcomplPASS2 -add: userPassword -userPassword: thatsAcomplPASS2 -""") - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) - - def test_clearTextPassword_clear_set(self): - print "Performs a password cleartext set operation on 'clearTextPassword'" - # Notice: This never works against Windows - only supported by us - - try: - m = Message() - m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn) - m["clearTextPassword"] = MessageElement("thatsAcomplPASS2".encode('utf-16-le'), - FLAG_MOD_REPLACE, "clearTextPassword") - ldb.modify(m) - # this passes against s4 - except LdbError, (num, msg): - # "NO_SUCH_ATTRIBUTE" is returned by Windows -> ignore it - if num != ERR_NO_SUCH_ATTRIBUTE: - raise LdbError(num, msg) - - def test_clearTextPassword_clear_change(self): - print "Performs a password cleartext change operation on 'clearTextPassword'" - # Notice: This never works against Windows - only supported by us - - try: - self.ldb2.modify_ldif(""" -dn: cn=testuser,cn=users,""" + self.base_dn + """ -changetype: modify -delete: clearTextPassword -clearTextPassword:: """ + base64.b64encode("thatsAcomplPASS1".encode('utf-16-le')) + """ -add: clearTextPassword -clearTextPassword:: """ + base64.b64encode("thatsAcomplPASS2".encode('utf-16-le')) + """ -""") - # this passes against s4 - except LdbError, (num, msg): - # "NO_SUCH_ATTRIBUTE" is returned by Windows -> ignore it - if num != ERR_NO_SUCH_ATTRIBUTE: - raise LdbError(num, msg) - - # A change to the same password again will not work (password history) - try: - self.ldb2.modify_ldif(""" -dn: cn=testuser,cn=users,""" + self.base_dn + """ -changetype: modify -delete: clearTextPassword -clearTextPassword:: """ + base64.b64encode("thatsAcomplPASS2".encode('utf-16-le')) + """ -add: clearTextPassword -clearTextPassword:: """ + base64.b64encode("thatsAcomplPASS2".encode('utf-16-le')) + """ -""") - self.fail() - except LdbError, (num, _): - # "NO_SUCH_ATTRIBUTE" is returned by Windows -> ignore it - if num != ERR_NO_SUCH_ATTRIBUTE: - self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) - - def test_failures(self): - print "Performs some failure testing" - - try: - ldb.modify_ldif(""" -dn: cn=testuser,cn=users,""" + self.base_dn + """ -changetype: modify -delete: userPassword -userPassword: thatsAcomplPASS1 -""") - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) - - try: - self.ldb2.modify_ldif(""" -dn: cn=testuser,cn=users,""" + self.base_dn + """ -changetype: modify -delete: userPassword -""") - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) - - try: - ldb.modify_ldif(""" -dn: cn=testuser,cn=users,""" + self.base_dn + """ -changetype: modify -add: userPassword -userPassword: thatsAcomplPASS1 -""") - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - - try: - self.ldb2.modify_ldif(""" -dn: cn=testuser,cn=users,""" + self.base_dn + """ -changetype: modify -add: userPassword -userPassword: thatsAcomplPASS1 -""") - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - - try: - ldb.modify_ldif(""" -dn: cn=testuser,cn=users,""" + self.base_dn + """ -changetype: modify -delete: userPassword -userPassword: thatsAcomplPASS1 -add: userPassword -userPassword: thatsAcomplPASS2 -userPassword: thatsAcomplPASS2 -""") - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) - - try: - self.ldb2.modify_ldif(""" -dn: cn=testuser,cn=users,""" + self.base_dn + """ -changetype: modify -delete: userPassword -userPassword: thatsAcomplPASS1 -add: userPassword -userPassword: thatsAcomplPASS2 -userPassword: thatsAcomplPASS2 -""") - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) - - try: - ldb.modify_ldif(""" -dn: cn=testuser,cn=users,""" + self.base_dn + """ -changetype: modify -delete: userPassword -userPassword: thatsAcomplPASS1 -userPassword: thatsAcomplPASS1 -add: userPassword -userPassword: thatsAcomplPASS2 -""") - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) - - try: - self.ldb2.modify_ldif(""" -dn: cn=testuser,cn=users,""" + self.base_dn + """ -changetype: modify -delete: userPassword -userPassword: thatsAcomplPASS1 -userPassword: thatsAcomplPASS1 -add: userPassword -userPassword: thatsAcomplPASS2 -""") - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) - - try: - ldb.modify_ldif(""" -dn: cn=testuser,cn=users,""" + self.base_dn + """ -changetype: modify -delete: userPassword -userPassword: thatsAcomplPASS1 -add: userPassword -userPassword: thatsAcomplPASS2 -add: userPassword -userPassword: thatsAcomplPASS2 -""") - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - - try: - self.ldb2.modify_ldif(""" -dn: cn=testuser,cn=users,""" + self.base_dn + """ -changetype: modify -delete: userPassword -userPassword: thatsAcomplPASS1 -add: userPassword -userPassword: thatsAcomplPASS2 -add: userPassword -userPassword: thatsAcomplPASS2 -""") - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - - try: - ldb.modify_ldif(""" -dn: cn=testuser,cn=users,""" + self.base_dn + """ -changetype: modify -delete: userPassword -userPassword: thatsAcomplPASS1 -delete: userPassword -userPassword: thatsAcomplPASS1 -add: userPassword -userPassword: thatsAcomplPASS2 -""") - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - - try: - self.ldb2.modify_ldif(""" -dn: cn=testuser,cn=users,""" + self.base_dn + """ -changetype: modify -delete: userPassword -userPassword: thatsAcomplPASS1 -delete: userPassword -userPassword: thatsAcomplPASS1 -add: userPassword -userPassword: thatsAcomplPASS2 -""") - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - - try: - ldb.modify_ldif(""" -dn: cn=testuser,cn=users,""" + self.base_dn + """ -changetype: modify -delete: userPassword -userPassword: thatsAcomplPASS1 -add: userPassword -userPassword: thatsAcomplPASS2 -replace: userPassword -userPassword: thatsAcomplPASS3 -""") - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - - try: - self.ldb2.modify_ldif(""" -dn: cn=testuser,cn=users,""" + self.base_dn + """ -changetype: modify -delete: userPassword -userPassword: thatsAcomplPASS1 -add: userPassword -userPassword: thatsAcomplPASS2 -replace: userPassword -userPassword: thatsAcomplPASS3 -""") - self.fail() - except LdbError, (num, _): - self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - - # Reverse order does work - self.ldb2.modify_ldif(""" -dn: cn=testuser,cn=users,""" + self.base_dn + """ -changetype: modify -add: userPassword -userPassword: thatsAcomplPASS2 -delete: userPassword -userPassword: thatsAcomplPASS1 -""") - - try: - self.ldb2.modify_ldif(""" -dn: cn=testuser,cn=users,""" + self.base_dn + """ -changetype: modify -delete: userPassword -userPassword: thatsAcomplPASS2 -add: unicodePwd -unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS3\"".encode('utf-16-le')) + """ -""") - # this passes against s4 - except LdbError, (num, _): - self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS) - - try: - self.ldb2.modify_ldif(""" -dn: cn=testuser,cn=users,""" + self.base_dn + """ -changetype: modify -delete: unicodePwd -unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS3\"".encode('utf-16-le')) + """ -add: userPassword -userPassword: thatsAcomplPASS4 -""") - # this passes against s4 - except LdbError, (num, _): - self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE) - - # Several password changes at once are allowed - ldb.modify_ldif(""" -dn: cn=testuser,cn=users,""" + self.base_dn + """ -changetype: modify -replace: userPassword -userPassword: thatsAcomplPASS1 -userPassword: thatsAcomplPASS2 -""") - - # Several password changes at once are allowed - ldb.modify_ldif(""" -dn: cn=testuser,cn=users,""" + self.base_dn + """ -changetype: modify -replace: userPassword -userPassword: thatsAcomplPASS1 -userPassword: thatsAcomplPASS2 -replace: userPassword -userPassword: thatsAcomplPASS3 -replace: userPassword -userPassword: thatsAcomplPASS4 -""") - - # This surprisingly should work - self.delete_force(self.ldb, "cn=testuser2,cn=users," + self.base_dn) - self.ldb.add({ - "dn": "cn=testuser2,cn=users," + self.base_dn, - "objectclass": ["user", "person"], - "userPassword": ["thatsAcomplPASS1", "thatsAcomplPASS2"] }) - - # This surprisingly should work - self.delete_force(self.ldb, "cn=testuser2,cn=users," + self.base_dn) - self.ldb.add({ - "dn": "cn=testuser2,cn=users," + self.base_dn, - "objectclass": ["user", "person"], - "userPassword": ["thatsAcomplPASS1", "thatsAcomplPASS1"] }) - - def tearDown(self): - super(PasswordTests, self).tearDown() - self.delete_force(self.ldb, "cn=testuser,cn=users," + self.base_dn) - self.delete_force(self.ldb, "cn=testuser2,cn=users," + self.base_dn) - # Close the second LDB connection (with the user credentials) - self.ldb2 = None - -if not "://" in host: - if os.path.isfile(host): - host = "tdb://%s" % host - else: - host = "ldap://%s" % host - -ldb = SamDB(url=host, session_info=system_session(), credentials=creds, lp=lp) - -# Gets back the configuration basedn -res = ldb.search(base="", expression="", scope=SCOPE_BASE, - attrs=["configurationNamingContext"]) -configuration_dn = res[0]["configurationNamingContext"][0] - -# Get the old "dSHeuristics" if it was set -res = ldb.search("CN=Directory Service, CN=Windows NT, CN=Services, " - + configuration_dn, scope=SCOPE_BASE, attrs=["dSHeuristics"]) -if "dSHeuristics" in res[0]: - dsheuristics = res[0]["dSHeuristics"][0] -else: - dsheuristics = None - -# Set the "dSHeuristics" to have the tests run against Windows Server -m = Message() -m.dn = Dn(ldb, "CN=Directory Service, CN=Windows NT, CN=Services, " - + configuration_dn) -m["dSHeuristics"] = MessageElement("000000001", FLAG_MOD_REPLACE, - "dSHeuristics") -ldb.modify(m) - -runner = SubunitTestRunner() -rc = 0 -if not runner.run(unittest.makeSuite(PasswordTests)).wasSuccessful(): - rc = 1 - -# Reset the "dSHeuristics" as they were before -m = Message() -m.dn = Dn(ldb, "CN=Directory Service, CN=Windows NT, CN=Services, " - + configuration_dn) -if dsheuristics is not None: - m["dSHeuristics"] = MessageElement(dsheuristics, FLAG_MOD_REPLACE, - "dSHeuristics") -else: - m["dSHeuristics"] = MessageElement([], FLAG_MOD_DELETE, "dsHeuristics") -ldb.modify(m) - -sys.exit(rc) diff --git a/source4/lib/ldb/tests/python/sec_descriptor.py b/source4/lib/ldb/tests/python/sec_descriptor.py deleted file mode 100755 index 8dc77321b4..0000000000 --- a/source4/lib/ldb/tests/python/sec_descriptor.py +++ /dev/null @@ -1,1979 +0,0 @@ -#!/usr/bin/env python -# -*- coding: utf-8 -*- - -import optparse -import sys -import os -import base64 -import re -import random - -sys.path.append("bin/python") -import samba -samba.ensure_external_module("subunit", "subunit/python") -samba.ensure_external_module("testtools", "testtools") - -import samba.getopt as options - -# Some error messages that are being tested -from ldb import SCOPE_SUBTREE, SCOPE_BASE, LdbError, ERR_NO_SUCH_OBJECT - -# For running the test unit -from samba.ndr import ndr_pack, ndr_unpack -from samba.dcerpc import security - -from samba import gensec -from samba.samdb import SamDB -from samba.credentials import Credentials -from samba.auth import system_session -from samba.dsdb import DS_DOMAIN_FUNCTION_2008 -from samba.dcerpc.security import ( - SECINFO_OWNER, SECINFO_GROUP, SECINFO_DACL, SECINFO_SACL) -from subunit.run import SubunitTestRunner -import samba.tests -import unittest - -parser = optparse.OptionParser("sec_descriptor [options] ") -sambaopts = options.SambaOptions(parser) -parser.add_option_group(sambaopts) -parser.add_option_group(options.VersionOptions(parser)) - -# use command line creds if available -credopts = options.CredentialsOptions(parser) -parser.add_option_group(credopts) -opts, args = parser.parse_args() - -if len(args) < 1: - parser.print_usage() - sys.exit(1) - -host = args[0] - -lp = sambaopts.get_loadparm() -creds = credopts.get_credentials(lp) -creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL) - -# -# Tests start here -# - -class DescriptorTests(samba.tests.TestCase): - - def delete_force(self, ldb, dn): - try: - ldb.delete(dn) - except LdbError, (num, _): - self.assertEquals(num, ERR_NO_SUCH_OBJECT) - - def find_basedn(self, ldb): - res = ldb.search(base="", expression="", scope=SCOPE_BASE, - attrs=["defaultNamingContext"]) - self.assertEquals(len(res), 1) - return res[0]["defaultNamingContext"][0] - - def find_configurationdn(self, ldb): - res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["configurationNamingContext"]) - self.assertEquals(len(res), 1) - return res[0]["configurationNamingContext"][0] - - def find_schemadn(self, ldb): - res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["schemaNamingContext"]) - self.assertEquals(len(res), 1) - return res[0]["schemaNamingContext"][0] - - def find_domain_sid(self, ldb): - res = ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_BASE) - return ndr_unpack( security.dom_sid,res[0]["objectSid"][0]) - - def get_users_domain_dn(self, name): - return "CN=%s,CN=Users,%s" % (name, self.base_dn) - - def modify_desc(self, _ldb, object_dn, desc, controls=None): - assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) - mod = """ -dn: """ + object_dn + """ -changetype: modify -replace: nTSecurityDescriptor -""" - if isinstance(desc, str): - mod += "nTSecurityDescriptor: %s" % desc - elif isinstance(desc, security.descriptor): - mod += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) - _ldb.modify_ldif(mod, controls) - - def create_domain_ou(self, _ldb, ou_dn, desc=None, controls=None): - ldif = """ -dn: """ + ou_dn + """ -ou: """ + ou_dn.split(",")[0][3:] + """ -objectClass: organizationalUnit -url: www.example.com -""" - if desc: - assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) - if isinstance(desc, str): - ldif += "nTSecurityDescriptor: %s" % desc - elif isinstance(desc, security.descriptor): - ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) - _ldb.add_ldif(ldif, controls) - - def create_domain_user(self, _ldb, user_dn, desc=None): - ldif = """ -dn: """ + user_dn + """ -sAMAccountName: """ + user_dn.split(",")[0][3:] + """ -objectClass: user -userPassword: samba123@ -url: www.example.com -""" - if desc: - assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) - if isinstance(desc, str): - ldif += "nTSecurityDescriptor: %s" % desc - elif isinstance(desc, security.descriptor): - ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) - _ldb.add_ldif(ldif) - - def create_domain_group(self, _ldb, group_dn, desc=None): - ldif = """ -dn: """ + group_dn + """ -objectClass: group -sAMAccountName: """ + group_dn.split(",")[0][3:] + """ -groupType: 4 -url: www.example.com -""" - if desc: - assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) - if isinstance(desc, str): - ldif += "nTSecurityDescriptor: %s" % desc - elif isinstance(desc, security.descriptor): - ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) - _ldb.add_ldif(ldif) - - def get_unique_schema_class_name(self): - while True: - class_name = "test-class%s" % random.randint(1,100000) - class_dn = "CN=%s,%s" % (class_name, self.schema_dn) - try: - self.ldb_admin.search(base=class_dn, attrs=["*"]) - except LdbError, (num, _): - self.assertEquals(num, ERR_NO_SUCH_OBJECT) - return class_name - - def create_schema_class(self, _ldb, object_dn, desc=None): - ldif = """ -dn: """ + object_dn + """ -objectClass: classSchema -objectCategory: CN=Class-Schema,""" + self.schema_dn + """ -defaultObjectCategory: """ + object_dn + """ -distinguishedName: """ + object_dn + """ -governsID: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939 -instanceType: 4 -objectClassCategory: 1 -subClassOf: organizationalPerson -systemFlags: 16 -rDNAttID: cn -systemMustContain: cn -systemOnly: FALSE -""" - if desc: - assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) - if isinstance(desc, str): - ldif += "nTSecurityDescriptor: %s" % desc - elif isinstance(desc, security.descriptor): - ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) - _ldb.add_ldif(ldif) - - def create_configuration_container(self, _ldb, object_dn, desc=None): - ldif = """ -dn: """ + object_dn + """ -objectClass: container -objectCategory: CN=Container,""" + self.schema_dn + """ -showInAdvancedViewOnly: TRUE -instanceType: 4 -""" - if desc: - assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) - if isinstance(desc, str): - ldif += "nTSecurityDescriptor: %s" % desc - elif isinstance(desc, security.descriptor): - ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) - _ldb.add_ldif(ldif) - - def create_configuration_specifier(self, _ldb, object_dn, desc=None): - ldif = """ -dn: """ + object_dn + """ -objectClass: displaySpecifier -showInAdvancedViewOnly: TRUE -""" - if desc: - assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) - if isinstance(desc, str): - ldif += "nTSecurityDescriptor: %s" % desc - elif isinstance(desc, security.descriptor): - ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) - _ldb.add_ldif(ldif) - - def read_desc(self, object_dn, controls=None): - res = self.ldb_admin.search(base=object_dn, scope=SCOPE_BASE, attrs=["nTSecurityDescriptor"], controls=controls) - desc = res[0]["nTSecurityDescriptor"][0] - return ndr_unpack(security.descriptor, desc) - - def create_active_user(self, _ldb, user_dn): - ldif = """ -dn: """ + user_dn + """ -sAMAccountName: """ + user_dn.split(",")[0][3:] + """ -objectClass: user -unicodePwd:: """ + base64.b64encode("\"samba123@\"".encode('utf-16-le')) + """ -url: www.example.com -""" - _ldb.add_ldif(ldif) - - def add_user_to_group(self, _ldb, username, groupname): - ldif = """ -dn: """ + self.get_users_domain_dn(groupname) + """ -changetype: modify -add: member -member: """ + self.get_users_domain_dn(username) - _ldb.modify_ldif(ldif) - - def get_ldb_connection(self, target_username, target_password): - creds_tmp = Credentials() - creds_tmp.set_username(target_username) - creds_tmp.set_password(target_password) - creds_tmp.set_domain(creds.get_domain()) - creds_tmp.set_realm(creds.get_realm()) - creds_tmp.set_workstation(creds.get_workstation()) - creds_tmp.set_gensec_features(creds_tmp.get_gensec_features() - | gensec.FEATURE_SEAL) - ldb_target = SamDB(url=host, credentials=creds_tmp, lp=lp) - return ldb_target - - def get_object_sid(self, object_dn): - res = self.ldb_admin.search(object_dn) - return ndr_unpack( security.dom_sid, res[0]["objectSid"][0] ) - - def dacl_add_ace(self, object_dn, ace): - desc = self.read_desc( object_dn ) - desc_sddl = desc.as_sddl( self.domain_sid ) - if ace in desc_sddl: - return - if desc_sddl.find("(") >= 0: - desc_sddl = desc_sddl[:desc_sddl.index("(")] + ace + desc_sddl[desc_sddl.index("("):] - else: - desc_sddl = desc_sddl + ace - self.modify_desc(self.ldb_admin, object_dn, desc_sddl) - - def get_desc_sddl(self, object_dn, controls=None): - """ Return object nTSecutiryDescriptor in SDDL format - """ - desc = self.read_desc(object_dn, controls) - return desc.as_sddl(self.domain_sid) - - def create_enable_user(self, username): - user_dn = self.get_users_domain_dn(username) - self.create_active_user(self.ldb_admin, user_dn) - self.ldb_admin.enable_account("(sAMAccountName=" + username + ")") - - def setUp(self): - super(DescriptorTests, self).setUp() - self.ldb_admin = ldb - self.base_dn = self.find_basedn(self.ldb_admin) - self.configuration_dn = self.find_configurationdn(self.ldb_admin) - self.schema_dn = self.find_schemadn(self.ldb_admin) - self.domain_sid = self.find_domain_sid(self.ldb_admin) - print "baseDN: %s" % self.base_dn - - ################################################################################################ - - ## Tests for DOMAIN - - # Default descriptor tests ##################################################################### - -class OwnerGroupDescriptorTests(DescriptorTests): - - def deleteAll(self): - self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser1")) - self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser2")) - self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser3")) - self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser4")) - self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser5")) - self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser6")) - self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser7")) - self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser8")) - # DOMAIN - self.delete_force(self.ldb_admin, self.get_users_domain_dn("test_domain_group1")) - self.delete_force(self.ldb_admin, "CN=test_domain_user1,OU=test_domain_ou1," + self.base_dn) - self.delete_force(self.ldb_admin, "OU=test_domain_ou2,OU=test_domain_ou1," + self.base_dn) - self.delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn) - # SCHEMA - # CONFIGURATION - self.delete_force(self.ldb_admin, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers," \ - + self.configuration_dn) - self.delete_force(self.ldb_admin, "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn) - - def setUp(self): - super(OwnerGroupDescriptorTests, self).setUp() - self.deleteAll() - ### Create users - # User 1 - self.create_enable_user("testuser1") - self.add_user_to_group(self.ldb_admin, "testuser1", "Enterprise Admins") - # User 2 - self.create_enable_user("testuser2") - self.add_user_to_group(self.ldb_admin, "testuser2", "Domain Admins") - # User 3 - self.create_enable_user("testuser3") - self.add_user_to_group(self.ldb_admin, "testuser3", "Schema Admins") - # User 4 - self.create_enable_user("testuser4") - # User 5 - self.create_enable_user("testuser5") - self.add_user_to_group(self.ldb_admin, "testuser5", "Enterprise Admins") - self.add_user_to_group(self.ldb_admin, "testuser5", "Domain Admins") - # User 6 - self.create_enable_user("testuser6") - self.add_user_to_group(self.ldb_admin, "testuser6", "Enterprise Admins") - self.add_user_to_group(self.ldb_admin, "testuser6", "Domain Admins") - self.add_user_to_group(self.ldb_admin, "testuser6", "Schema Admins") - # User 7 - self.create_enable_user("testuser7") - self.add_user_to_group(self.ldb_admin, "testuser7", "Domain Admins") - self.add_user_to_group(self.ldb_admin, "testuser7", "Schema Admins") - # User 8 - self.create_enable_user("testuser8") - self.add_user_to_group(self.ldb_admin, "testuser8", "Enterprise Admins") - self.add_user_to_group(self.ldb_admin, "testuser8", "Schema Admins") - - self.results = { - # msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008 - "ds_behavior_win2003" : { - "100" : "O:EAG:DU", - "101" : "O:DAG:DU", - "102" : "O:%sG:DU", - "103" : "O:%sG:DU", - "104" : "O:DAG:DU", - "105" : "O:DAG:DU", - "106" : "O:DAG:DU", - "107" : "O:EAG:DU", - "108" : "O:DAG:DA", - "109" : "O:DAG:DA", - "110" : "O:%sG:DA", - "111" : "O:%sG:DA", - "112" : "O:DAG:DA", - "113" : "O:DAG:DA", - "114" : "O:DAG:DA", - "115" : "O:DAG:DA", - "130" : "O:EAG:DU", - "131" : "O:DAG:DU", - "132" : "O:SAG:DU", - "133" : "O:%sG:DU", - "134" : "O:EAG:DU", - "135" : "O:SAG:DU", - "136" : "O:SAG:DU", - "137" : "O:SAG:DU", - "138" : "O:DAG:DA", - "139" : "O:DAG:DA", - "140" : "O:%sG:DA", - "141" : "O:%sG:DA", - "142" : "O:DAG:DA", - "143" : "O:DAG:DA", - "144" : "O:DAG:DA", - "145" : "O:DAG:DA", - "160" : "O:EAG:DU", - "161" : "O:DAG:DU", - "162" : "O:%sG:DU", - "163" : "O:%sG:DU", - "164" : "O:EAG:DU", - "165" : "O:EAG:DU", - "166" : "O:DAG:DU", - "167" : "O:EAG:DU", - "168" : "O:DAG:DA", - "169" : "O:DAG:DA", - "170" : "O:%sG:DA", - "171" : "O:%sG:DA", - "172" : "O:DAG:DA", - "173" : "O:DAG:DA", - "174" : "O:DAG:DA", - "175" : "O:DAG:DA", - }, - # msDS-Behavior-Version >= DS_DOMAIN_FUNCTION_2008 - "ds_behavior_win2008" : { - "100" : "O:EAG:EA", - "101" : "O:DAG:DA", - "102" : "O:%sG:DU", - "103" : "O:%sG:DU", - "104" : "O:DAG:DA", - "105" : "O:DAG:DA", - "106" : "O:DAG:DA", - "107" : "O:EAG:EA", - "108" : "O:DAG:DA", - "109" : "O:DAG:DA", - "110" : "O:%sG:DA", - "111" : "O:%sG:DA", - "112" : "O:DAG:DA", - "113" : "O:DAG:DA", - "114" : "O:DAG:DA", - "115" : "O:DAG:DA", - "130" : "O:EAG:EA", - "131" : "O:DAG:DA", - "132" : "O:SAG:SA", - "133" : "O:%sG:DU", - "134" : "O:EAG:EA", - "135" : "O:SAG:SA", - "136" : "O:SAG:SA", - "137" : "O:SAG:SA", - "138" : "", - "139" : "", - "140" : "O:%sG:DA", - "141" : "O:%sG:DA", - "142" : "", - "143" : "", - "144" : "", - "145" : "", - "160" : "O:EAG:EA", - "161" : "O:DAG:DA", - "162" : "O:%sG:DU", - "163" : "O:%sG:DU", - "164" : "O:EAG:EA", - "165" : "O:EAG:EA", - "166" : "O:DAG:DA", - "167" : "O:EAG:EA", - "168" : "O:DAG:DA", - "169" : "O:DAG:DA", - "170" : "O:%sG:DA", - "171" : "O:%sG:DA", - "172" : "O:DAG:DA", - "173" : "O:DAG:DA", - "174" : "O:DAG:DA", - "175" : "O:DAG:DA", - }, - } - # Discover 'msDS-Behavior-Version' - res = self.ldb_admin.search(base=self.base_dn, expression="distinguishedName=%s" % self.base_dn, \ - attrs=['msDS-Behavior-Version']) - res = int(res[0]['msDS-Behavior-Version'][0]) - if res < DS_DOMAIN_FUNCTION_2008: - self.DS_BEHAVIOR = "ds_behavior_win2003" - else: - self.DS_BEHAVIOR = "ds_behavior_win2008" - - def tearDown(self): - super(DescriptorTests, self).tearDown() - self.deleteAll() - - def check_user_belongs(self, user_dn, groups=[]): - """ Test wether user is member of the expected group(s) """ - if groups != []: - # User is member of at least one additional group - res = self.ldb_admin.search(user_dn, attrs=["memberOf"]) - res = [x.upper() for x in sorted(list(res[0]["memberOf"]))] - expected = [] - for x in groups: - expected.append(self.get_users_domain_dn(x)) - expected = [x.upper() for x in sorted(expected)] - self.assertEqual(expected, res) - else: - # User is not a member of any additional groups but default - res = self.ldb_admin.search(user_dn, attrs=["*"]) - res = [x.upper() for x in res[0].keys()] - self.assertFalse( "MEMBEROF" in res) - - def check_modify_inheritance(self, _ldb, object_dn, owner_group=""): - # Modify - ace = "(D;;CC;;;LG)" # Deny Create Children to Guest account - if owner_group != "": - self.modify_desc(_ldb, object_dn, owner_group + "D:" + ace) - else: - self.modify_desc(_ldb, object_dn, "D:" + ace) - # Make sure the modify operation has been applied - desc_sddl = self.get_desc_sddl(object_dn) - self.assertTrue(ace in desc_sddl) - # Make sure we have identical result for both "add" and "modify" - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - print self._testMethodName - test_number = self._testMethodName[5:] - self.assertEqual(self.results[self.DS_BEHAVIOR][test_number], res) - - def test_100(self): - """ Enterprise admin group member creates object (default nTSecurityDescriptor) in DOMAIN - """ - user_name = "testuser1" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn - self.delete_force(self.ldb_admin, object_dn) - self.create_domain_group(_ldb, object_dn) - desc_sddl = self.get_desc_sddl(object_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) - self.check_modify_inheritance(_ldb, object_dn) - - def test_101(self): - """ Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN - """ - user_name = "testuser2" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn - self.delete_force(self.ldb_admin, object_dn) - self.create_domain_group(_ldb, object_dn) - desc_sddl = self.get_desc_sddl(object_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) - self.check_modify_inheritance(_ldb, object_dn) - - def test_102(self): - """ Schema admin group member with CC right creates object (default nTSecurityDescriptor) in DOMAIN - """ - user_name = "testuser3" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - object_dn = "OU=test_domain_ou1," + self.base_dn - self.delete_force(self.ldb_admin, object_dn) - self.create_domain_ou(self.ldb_admin, object_dn) - user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) - mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid) - self.dacl_add_ace(object_dn, mod) - # Create additional object into the first one - object_dn = "CN=test_domain_user1," + object_dn - self.delete_force(self.ldb_admin, object_dn) - self.create_domain_user(_ldb, object_dn) - desc_sddl = self.get_desc_sddl(object_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res) - # This fails, research why - #self.check_modify_inheritance(_ldb, object_dn) - - def test_103(self): - """ Regular user with CC right creates object (default nTSecurityDescriptor) in DOMAIN - """ - user_name = "testuser4" - self.check_user_belongs(self.get_users_domain_dn(user_name), []) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - object_dn = "OU=test_domain_ou1," + self.base_dn - self.delete_force(self.ldb_admin, object_dn) - self.create_domain_ou(self.ldb_admin, object_dn) - user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) - mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid) - self.dacl_add_ace(object_dn, mod) - # Create additional object into the first one - object_dn = "CN=test_domain_user1," + object_dn - self.delete_force(self.ldb_admin, object_dn) - self.create_domain_user(_ldb, object_dn) - desc_sddl = self.get_desc_sddl(object_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res) - #this fails, research why - #self.check_modify_inheritance(_ldb, object_dn) - - def test_104(self): - """ Enterprise & Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN - """ - user_name = "testuser5" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn - self.delete_force(self.ldb_admin, object_dn) - self.create_domain_group(_ldb, object_dn) - desc_sddl = self.get_desc_sddl(object_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) - self.check_modify_inheritance(_ldb, object_dn) - - def test_105(self): - """ Enterprise & Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN - """ - user_name = "testuser6" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn - self.delete_force(self.ldb_admin, object_dn) - self.create_domain_group(_ldb, object_dn) - desc_sddl = self.get_desc_sddl(object_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) - self.check_modify_inheritance(_ldb, object_dn) - - def test_106(self): - """ Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN - """ - user_name = "testuser7" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn - self.delete_force(self.ldb_admin, object_dn) - self.create_domain_group(_ldb, object_dn) - desc_sddl = self.get_desc_sddl(object_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) - self.check_modify_inheritance(_ldb, object_dn) - - def test_107(self): - """ Enterprise & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN - """ - user_name = "testuser8" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn - self.delete_force(self.ldb_admin, object_dn) - self.create_domain_group(_ldb, object_dn) - desc_sddl = self.get_desc_sddl(object_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) - self.check_modify_inheritance(_ldb, object_dn) - - # Control descriptor tests ##################################################################### - - def test_108(self): - """ Enterprise admin group member creates object (custom descriptor) in DOMAIN - """ - user_name = "testuser1" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn - self.delete_force(self.ldb_admin, object_dn) - # Create a custom security descriptor - desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" - self.create_domain_group(_ldb, object_dn, desc_sddl) - desc_sddl = self.get_desc_sddl(object_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) - - def test_109(self): - """ Domain admin group member creates object (custom descriptor) in DOMAIN - """ - user_name = "testuser2" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn - self.delete_force(self.ldb_admin, object_dn) - # Create a custom security descriptor - desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" - self.create_domain_group(_ldb, object_dn, desc_sddl) - desc_sddl = self.get_desc_sddl(object_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) - - def test_110(self): - """ Schema admin group member with CC right creates object (custom descriptor) in DOMAIN - """ - user_name = "testuser3" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - object_dn = "OU=test_domain_ou1," + self.base_dn - self.delete_force(self.ldb_admin, object_dn) - self.create_domain_ou(self.ldb_admin, object_dn) - user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) - mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid) - self.dacl_add_ace(object_dn, mod) - # Create a custom security descriptor - # NB! Problematic owner part won't accept DA only !!! - desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid) - # Create additional object into the first one - object_dn = "CN=test_domain_user1," + object_dn - self.delete_force(self.ldb_admin, object_dn) - self.create_domain_user(_ldb, object_dn, desc_sddl) - desc = self.read_desc(object_dn) - desc_sddl = self.get_desc_sddl(object_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res) - - def test_111(self): - """ Regular user with CC right creates object (custom descriptor) in DOMAIN - """ - user_name = "testuser4" - self.check_user_belongs(self.get_users_domain_dn(user_name), []) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - object_dn = "OU=test_domain_ou1," + self.base_dn - self.delete_force(self.ldb_admin, object_dn) - self.create_domain_ou(self.ldb_admin, object_dn) - user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) - mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid) - self.dacl_add_ace(object_dn, mod) - # Create a custom security descriptor - # NB! Problematic owner part won't accept DA only !!! - desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid) - # Create additional object into the first one - object_dn = "CN=test_domain_user1," + object_dn - self.delete_force(self.ldb_admin, object_dn) - self.create_domain_user(_ldb, object_dn, desc_sddl) - desc = self.read_desc(object_dn) - desc_sddl = self.get_desc_sddl(object_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res) - - def test_112(self): - """ Domain & Enterprise admin group member creates object (custom descriptor) in DOMAIN - """ - user_name = "testuser5" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn - self.delete_force(self.ldb_admin, object_dn) - # Create a custom security descriptor - desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" - self.create_domain_group(_ldb, object_dn, desc_sddl) - desc_sddl = self.get_desc_sddl(object_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) - - def test_113(self): - """ Domain & Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN - """ - user_name = "testuser6" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn - self.delete_force(self.ldb_admin, object_dn) - # Create a custom security descriptor - desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" - self.create_domain_group(_ldb, object_dn, desc_sddl) - desc_sddl = self.get_desc_sddl(object_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) - - def test_114(self): - """ Domain & Schema admin group member creates object (custom descriptor) in DOMAIN - """ - user_name = "testuser7" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn - self.delete_force(self.ldb_admin, object_dn) - # Create a custom security descriptor - desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" - self.create_domain_group(_ldb, object_dn, desc_sddl) - desc_sddl = self.get_desc_sddl(object_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) - - def test_115(self): - """ Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN - """ - user_name = "testuser8" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn - self.delete_force(self.ldb_admin, object_dn) - # Create a custom security descriptor - desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" - self.create_domain_group(_ldb, object_dn, desc_sddl) - desc_sddl = self.get_desc_sddl(object_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) - - def test_999(self): - user_name = "Administrator" - object_dn = "OU=test_domain_ou1," + self.base_dn - self.delete_force(self.ldb_admin, object_dn) - self.create_domain_ou(self.ldb_admin, object_dn) - user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) - mod = "(D;CI;WP;;;S-1-3-0)" - #mod = "" - self.dacl_add_ace(object_dn, mod) - desc_sddl = self.get_desc_sddl(object_dn) - # Create additional object into the first one - object_dn = "OU=test_domain_ou2," + object_dn - self.delete_force(self.ldb_admin, object_dn) - self.create_domain_ou(self.ldb_admin, object_dn) - desc_sddl = self.get_desc_sddl(object_dn) - - ## Tests for SCHEMA - - # Defalt descriptor tests ################################################################## - - def test_130(self): - user_name = "testuser1" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - # Change Schema partition descriptor - user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) - mod = "(A;;WDCC;;;AU)" - self.dacl_add_ace(self.schema_dn, mod) - # Create example Schema class - class_name = self.get_unique_schema_class_name() - class_dn = "CN=%s,%s" % (class_name, self.schema_dn) - self.create_schema_class(_ldb, class_dn) - desc_sddl = self.get_desc_sddl(class_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) - self.check_modify_inheritance(_ldb, class_dn) - - def test_131(self): - user_name = "testuser2" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - # Change Schema partition descriptor - mod = "(A;CI;WDCC;;;AU)" - self.dacl_add_ace(self.schema_dn, mod) - # Create example Schema class - class_name = self.get_unique_schema_class_name() - class_dn = "CN=%s,%s" % (class_name, self.schema_dn) - self.create_schema_class(_ldb, class_dn) - desc_sddl = self.get_desc_sddl(class_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) - self.check_modify_inheritance(_ldb, class_dn) - - def test_132(self): - user_name = "testuser3" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - # Change Schema partition descriptor - mod = "(A;CI;WDCC;;;AU)" - self.dacl_add_ace(self.schema_dn, mod) - # Create example Schema class - class_name = self.get_unique_schema_class_name() - class_dn = "CN=%s,%s" % (class_name, self.schema_dn) - self.create_schema_class(_ldb, class_dn) - desc_sddl = self.get_desc_sddl(class_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) - #self.check_modify_inheritance(_ldb, class_dn) - - def test_133(self): - user_name = "testuser4" - self.check_user_belongs(self.get_users_domain_dn(user_name), []) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - #Change Schema partition descriptor - user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) - mod = "(A;CI;WDCC;;;AU)" - self.dacl_add_ace(self.schema_dn, mod) - # Create example Schema class - class_name = self.get_unique_schema_class_name() - class_dn = "CN=%s,%s" % (class_name, self.schema_dn) - self.create_schema_class(_ldb, class_dn) - desc_sddl = self.get_desc_sddl(class_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res) - #self.check_modify_inheritance(_ldb, class_dn) - - def test_134(self): - user_name = "testuser5" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - #Change Schema partition descriptor - mod = "(A;CI;WDCC;;;AU)" - self.dacl_add_ace(self.schema_dn, mod) - # Create example Schema class - class_name = self.get_unique_schema_class_name() - class_dn = "CN=%s,%s" % (class_name, self.schema_dn) - self.create_schema_class(_ldb, class_dn) - desc_sddl = self.get_desc_sddl(class_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) - self.check_modify_inheritance(_ldb, class_dn) - - def test_135(self): - user_name = "testuser6" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - # Change Schema partition descriptor - mod = "(A;CI;WDCC;;;AU)" - self.dacl_add_ace(self.schema_dn, mod) - # Create example Schema class - class_name = self.get_unique_schema_class_name() - class_dn = "CN=%s,%s" % (class_name, self.schema_dn) - self.create_schema_class(_ldb, class_dn) - desc_sddl = self.get_desc_sddl(class_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) - self.check_modify_inheritance(_ldb, class_dn) - - def test_136(self): - user_name = "testuser7" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - # Change Schema partition descriptor - mod = "(A;CI;WDCC;;;AU)" - self.dacl_add_ace(self.schema_dn, mod) - # Create example Schema class - class_name = self.get_unique_schema_class_name() - class_dn = "CN=%s,%s" % (class_name, self.schema_dn) - self.create_schema_class(_ldb, class_dn) - desc_sddl = self.get_desc_sddl(class_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) - self.check_modify_inheritance(_ldb, class_dn) - - def test_137(self): - user_name = "testuser8" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - # Change Schema partition descriptor - mod = "(A;CI;WDCC;;;AU)" - self.dacl_add_ace(self.schema_dn, mod) - # Create example Schema class - class_name = self.get_unique_schema_class_name() - class_dn = "CN=%s,%s" % (class_name, self.schema_dn) - self.create_schema_class(_ldb, class_dn) - desc_sddl = self.get_desc_sddl(class_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) - self.check_modify_inheritance(_ldb, class_dn) - - # Custom descriptor tests ################################################################## - - def test_138(self): - user_name = "testuser1" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - # Change Schema partition descriptor - mod = "(A;;CC;;;AU)" - self.dacl_add_ace(self.schema_dn, mod) - # Create a custom security descriptor - desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" - # Create example Schema class - class_name = self.get_unique_schema_class_name() - class_dn = "CN=%s,%s" % (class_name, self.schema_dn) - self.create_schema_class(_ldb, class_dn, desc_sddl) - desc_sddl = self.get_desc_sddl(class_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual("O:DAG:DA", res) - - def test_139(self): - user_name = "testuser2" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - # Change Schema partition descriptor - mod = "(A;;CC;;;AU)" - self.dacl_add_ace(self.schema_dn, mod) - # Create a custom security descriptor - desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" - # Create example Schema class - class_name = self.get_unique_schema_class_name() - class_dn = "CN=%s,%s" % (class_name, self.schema_dn) - self.create_schema_class(_ldb, class_dn, desc_sddl) - desc_sddl = self.get_desc_sddl(class_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual("O:DAG:DA", res) - - def test_140(self): - user_name = "testuser3" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - # Create a custom security descriptor - # NB! Problematic owner part won't accept DA only !!! - user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) - desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid) - # Create example Schema class - class_name = self.get_unique_schema_class_name() - class_dn = "CN=%s,%s" % (class_name, self.schema_dn) - self.create_schema_class(_ldb, class_dn, desc_sddl) - desc_sddl = self.get_desc_sddl(class_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res) - - def test_141(self): - user_name = "testuser4" - self.check_user_belongs(self.get_users_domain_dn(user_name), []) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - # Create a custom security descriptor - # NB! Problematic owner part won't accept DA only !!! - user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) - desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid) - # Create example Schema class - class_name = self.get_unique_schema_class_name() - class_dn = "CN=%s,%s" % (class_name, self.schema_dn) - self.create_schema_class(_ldb, class_dn, desc_sddl) - desc_sddl = self.get_desc_sddl(class_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res) - - def test_142(self): - user_name = "testuser5" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - # Change Schema partition descriptor - mod = "(A;;CC;;;AU)" - self.dacl_add_ace(self.schema_dn, mod) - # Create a custom security descriptor - desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" - # Create example Schema class - class_name = self.get_unique_schema_class_name() - class_dn = "CN=%s,%s" % (class_name, self.schema_dn) - self.create_schema_class(_ldb, class_dn, desc_sddl) - desc_sddl = self.get_desc_sddl(class_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual("O:DAG:DA", res) - - def test_143(self): - user_name = "testuser6" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - # Change Schema partition descriptor - mod = "(A;;CC;;;AU)" - self.dacl_add_ace(self.schema_dn, mod) - # Create a custom security descriptor - desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" - # Create example Schema class - class_name = self.get_unique_schema_class_name() - class_dn = "CN=%s,%s" % (class_name, self.schema_dn) - self.create_schema_class(_ldb, class_dn, desc_sddl) - desc_sddl = self.get_desc_sddl(class_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual("O:DAG:DA", res) - - def test_144(self): - user_name = "testuser7" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - # Change Schema partition descriptor - mod = "(A;;CC;;;AU)" - self.dacl_add_ace(self.schema_dn, mod) - # Create a custom security descriptor - desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" - # Create example Schema class - class_name = self.get_unique_schema_class_name() - class_dn = "CN=%s,%s" % (class_name, self.schema_dn) - self.create_schema_class(_ldb, class_dn, desc_sddl) - desc_sddl = self.get_desc_sddl(class_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual("O:DAG:DA", res) - - def test_145(self): - user_name = "testuser8" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - # Change Schema partition descriptor - mod = "(A;;CC;;;AU)" - self.dacl_add_ace(self.schema_dn, mod) - # Create a custom security descriptor - desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" - # Create example Schema class - class_name = self.get_unique_schema_class_name() - class_dn = "CN=%s,%s" % (class_name, self.schema_dn) - self.create_schema_class(_ldb, class_dn, desc_sddl) - desc_sddl = self.get_desc_sddl(class_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual("O:DAG:DA", res) - - ## Tests for CONFIGURATION - - # Defalt descriptor tests ################################################################## - - def test_160(self): - user_name = "testuser1" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - # Create example Configuration container - container_name = "test-container1" - object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) - self.delete_force(self.ldb_admin, object_dn) - self.create_configuration_container(_ldb, object_dn, ) - desc_sddl = self.get_desc_sddl(object_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) - self.check_modify_inheritance(_ldb, object_dn) - - def test_161(self): - user_name = "testuser2" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - # Create example Configuration container - container_name = "test-container1" - object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) - self.delete_force(self.ldb_admin, object_dn) - self.create_configuration_container(_ldb, object_dn, ) - desc_sddl = self.get_desc_sddl(object_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) - self.check_modify_inheritance(_ldb, object_dn) - - def test_162(self): - user_name = "testuser3" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - # Create example Configuration container - object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn - self.delete_force(self.ldb_admin, object_dn) - self.create_configuration_container(self.ldb_admin, object_dn, ) - user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) - mod = "(A;;WDCC;;;AU)" - self.dacl_add_ace(object_dn, mod) - # Create child object with user's credentials - object_dn = "CN=test-specifier1," + object_dn - self.delete_force(self.ldb_admin, object_dn) - self.create_configuration_specifier(_ldb, object_dn) - desc_sddl = self.get_desc_sddl(object_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res) - #self.check_modify_inheritance(_ldb, object_dn) - - def test_163(self): - user_name = "testuser4" - self.check_user_belongs(self.get_users_domain_dn(user_name), []) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - # Create example Configuration container - object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn - self.delete_force(self.ldb_admin, object_dn) - self.create_configuration_container(self.ldb_admin, object_dn, ) - user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) - mod = "(A;CI;WDCC;;;AU)" - self.dacl_add_ace(object_dn, mod) - # Create child object with user's credentials - object_dn = "CN=test-specifier1," + object_dn - self.delete_force(self.ldb_admin, object_dn) - self.create_configuration_specifier(_ldb, object_dn) - desc_sddl = self.get_desc_sddl(object_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res) - #self.check_modify_inheritance(_ldb, object_dn) - - def test_164(self): - user_name = "testuser5" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - # Create example Configuration container - container_name = "test-container1" - object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) - self.delete_force(self.ldb_admin, object_dn) - self.create_configuration_container(_ldb, object_dn, ) - desc_sddl = self.get_desc_sddl(object_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) - self.check_modify_inheritance(_ldb, object_dn) - - def test_165(self): - user_name = "testuser6" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - # Create example Configuration container - container_name = "test-container1" - object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) - self.delete_force(self.ldb_admin, object_dn) - self.create_configuration_container(_ldb, object_dn, ) - desc_sddl = self.get_desc_sddl(object_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) - self.check_modify_inheritance(_ldb, object_dn) - - def test_166(self): - user_name = "testuser7" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - # Create example Configuration container - container_name = "test-container1" - object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) - self.delete_force(self.ldb_admin, object_dn) - self.create_configuration_container(_ldb, object_dn, ) - desc_sddl = self.get_desc_sddl(object_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) - self.check_modify_inheritance(_ldb, object_dn) - - def test_167(self): - user_name = "testuser8" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - # Create example Configuration container - container_name = "test-container1" - object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) - self.delete_force(self.ldb_admin, object_dn) - self.create_configuration_container(_ldb, object_dn, ) - desc_sddl = self.get_desc_sddl(object_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res) - self.check_modify_inheritance(_ldb, object_dn) - - # Custom descriptor tests ################################################################## - - def test_168(self): - user_name = "testuser1" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - # Create example Configuration container - container_name = "test-container1" - object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) - self.delete_force(self.ldb_admin, object_dn) - # Create a custom security descriptor - desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" - self.create_configuration_container(_ldb, object_dn, desc_sddl) - desc_sddl = self.get_desc_sddl(object_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual("O:DAG:DA", res) - - def test_169(self): - user_name = "testuser2" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - # Create example Configuration container - container_name = "test-container1" - object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) - self.delete_force(self.ldb_admin, object_dn) - # Create a custom security descriptor - desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" - self.create_configuration_container(_ldb, object_dn, desc_sddl) - desc_sddl = self.get_desc_sddl(object_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual("O:DAG:DA", res) - - def test_170(self): - user_name = "testuser3" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - # Create example Configuration container - object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn - self.delete_force(self.ldb_admin, object_dn) - self.create_configuration_container(self.ldb_admin, object_dn, ) - user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) - mod = "(A;;CC;;;AU)" - self.dacl_add_ace(object_dn, mod) - # Create child object with user's credentials - object_dn = "CN=test-specifier1," + object_dn - self.delete_force(self.ldb_admin, object_dn) - # Create a custom security descriptor - # NB! Problematic owner part won't accept DA only !!! - desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid) - self.create_configuration_specifier(_ldb, object_dn, desc_sddl) - desc_sddl = self.get_desc_sddl(object_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res) - - def test_171(self): - user_name = "testuser4" - self.check_user_belongs(self.get_users_domain_dn(user_name), []) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - # Create example Configuration container - object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn - self.delete_force(self.ldb_admin, object_dn) - self.create_configuration_container(self.ldb_admin, object_dn, ) - user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) - mod = "(A;;CC;;;AU)" - self.dacl_add_ace(object_dn, mod) - # Create child object with user's credentials - object_dn = "CN=test-specifier1," + object_dn - self.delete_force(self.ldb_admin, object_dn) - # Create a custom security descriptor - # NB! Problematic owner part won't accept DA only !!! - desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid) - self.create_configuration_specifier(_ldb, object_dn, desc_sddl) - desc_sddl = self.get_desc_sddl(object_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res) - - def test_172(self): - user_name = "testuser5" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - # Create example Configuration container - container_name = "test-container1" - object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) - self.delete_force(self.ldb_admin, object_dn) - # Create a custom security descriptor - desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" - self.create_configuration_container(_ldb, object_dn, desc_sddl) - desc_sddl = self.get_desc_sddl(object_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual("O:DAG:DA", res) - - def test_173(self): - user_name = "testuser6" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - # Create example Configuration container - container_name = "test-container1" - object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) - self.delete_force(self.ldb_admin, object_dn) - # Create a custom security descriptor - desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" - self.create_configuration_container(_ldb, object_dn, desc_sddl) - desc_sddl = self.get_desc_sddl(object_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual("O:DAG:DA", res) - - def test_174(self): - user_name = "testuser7" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - # Create example Configuration container - container_name = "test-container1" - object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) - self.delete_force(self.ldb_admin, object_dn) - # Create a custom security descriptor - desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" - self.create_configuration_container(_ldb, object_dn, desc_sddl) - desc_sddl = self.get_desc_sddl(object_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual("O:DAG:DA", res) - - def test_175(self): - user_name = "testuser8" - self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"]) - # Open Ldb connection with the tested user - _ldb = self.get_ldb_connection(user_name, "samba123@") - # Create example Configuration container - container_name = "test-container1" - object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) - self.delete_force(self.ldb_admin, object_dn) - # Create a custom security descriptor - desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" - self.create_configuration_container(_ldb, object_dn, desc_sddl) - desc_sddl = self.get_desc_sddl(object_dn) - res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) - self.assertEqual("O:DAG:DA", res) - - ######################################################################################## - # Inharitance tests for DACL - -class DaclDescriptorTests(DescriptorTests): - - def deleteAll(self): - self.delete_force(self.ldb_admin, "CN=test_inherit_group,OU=test_inherit_ou," + self.base_dn) - self.delete_force(self.ldb_admin, "OU=test_inherit_ou," + self.base_dn) - - def setUp(self): - super(DaclDescriptorTests, self).setUp() - self.deleteAll() - - def create_clean_ou(self, object_dn): - """ Base repeating setup for unittests to follow """ - res = self.ldb_admin.search(base=self.base_dn, scope=SCOPE_SUBTREE, \ - expression="distinguishedName=%s" % object_dn) - # Make sure top testing OU has been deleted before starting the test - self.assertEqual(res, []) - self.create_domain_ou(self.ldb_admin, object_dn) - desc_sddl = self.get_desc_sddl(object_dn) - # Make sure there are inheritable ACEs initially - self.assertTrue("CI" in desc_sddl or "OI" in desc_sddl) - # Find and remove all inherit ACEs - res = re.findall("\(.*?\)", desc_sddl) - res = [x for x in res if ("CI" in x) or ("OI" in x)] - for x in res: - desc_sddl = desc_sddl.replace(x, "") - # Add flag 'protected' in both DACL and SACL so no inherit ACEs - # can propagate from above - # remove SACL, we are not interested - desc_sddl = desc_sddl.replace(":AI", ":AIP") - self.modify_desc(self.ldb_admin, object_dn, desc_sddl) - # Verify all inheritable ACEs are gone - desc_sddl = self.get_desc_sddl(object_dn) - self.assertFalse("CI" in desc_sddl) - self.assertFalse("OI" in desc_sddl) - - def test_200(self): - """ OU with protected flag and child group. See if the group has inherit ACEs. - """ - ou_dn = "OU=test_inherit_ou," + self.base_dn - group_dn = "CN=test_inherit_group," + ou_dn - # Create inheritable-free OU - self.create_clean_ou(ou_dn) - # Create group child object - self.create_domain_group(self.ldb_admin, group_dn) - # Make sure created group object contains NO inherit ACEs - desc_sddl = self.get_desc_sddl(group_dn) - self.assertFalse("ID" in desc_sddl) - - def test_201(self): - """ OU with protected flag and no inherit ACEs, child group with custom descriptor. - Verify group has custom and default ACEs only. - """ - ou_dn = "OU=test_inherit_ou," + self.base_dn - group_dn = "CN=test_inherit_group," + ou_dn - # Create inheritable-free OU - self.create_clean_ou(ou_dn) - # Create group child object using custom security descriptor - sddl = "O:AUG:AUD:AI(D;;WP;;;DU)" - self.create_domain_group(self.ldb_admin, group_dn, sddl) - # Make sure created group descriptor has NO additional ACEs - desc_sddl = self.get_desc_sddl(group_dn) - self.assertEqual(desc_sddl, sddl) - sddl = "O:AUG:AUD:AI(D;;CC;;;LG)" - self.modify_desc(self.ldb_admin, group_dn, sddl) - desc_sddl = self.get_desc_sddl(group_dn) - self.assertEqual(desc_sddl, sddl) - - def test_202(self): - """ OU with protected flag and add couple non-inheritable ACEs, child group. - See if the group has any of the added ACEs. - """ - ou_dn = "OU=test_inherit_ou," + self.base_dn - group_dn = "CN=test_inherit_group," + ou_dn - # Create inheritable-free OU - self.create_clean_ou(ou_dn) - # Add some custom non-inheritable ACEs - mod = "(D;;WP;;;DU)(A;;RP;;;DU)" - moded = "(D;;CC;;;LG)" - self.dacl_add_ace(ou_dn, mod) - # Verify all inheritable ACEs are gone - desc_sddl = self.get_desc_sddl(ou_dn) - # Create group child object - self.create_domain_group(self.ldb_admin, group_dn) - # Make sure created group object contains NO inherit ACEs - # also make sure the added above non-inheritable ACEs are absent too - desc_sddl = self.get_desc_sddl(group_dn) - self.assertFalse("ID" in desc_sddl) - for x in re.findall("\(.*?\)", mod): - self.assertFalse(x in desc_sddl) - self.modify_desc(self.ldb_admin, group_dn, "D:" + moded) - desc_sddl = self.get_desc_sddl(group_dn) - self.assertFalse("ID" in desc_sddl) - for x in re.findall("\(.*?\)", mod): - self.assertFalse(x in desc_sddl) - - def test_203(self): - """ OU with protected flag and add 'CI' ACE, child group. - See if the group has the added inherited ACE. - """ - ou_dn = "OU=test_inherit_ou," + self.base_dn - group_dn = "CN=test_inherit_group," + ou_dn - # Create inheritable-free OU - self.create_clean_ou(ou_dn) - # Add some custom 'CI' ACE - mod = "(D;CI;WP;;;DU)" - moded = "(D;;CC;;;LG)" - self.dacl_add_ace(ou_dn, mod) - desc_sddl = self.get_desc_sddl(ou_dn) - # Create group child object - self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)") - # Make sure created group object contains only the above inherited ACE - # that we've added manually - desc_sddl = self.get_desc_sddl(group_dn) - mod = mod.replace(";CI;", ";CIID;") - self.assertTrue(mod in desc_sddl) - self.modify_desc(self.ldb_admin, group_dn, "D:" + moded) - desc_sddl = self.get_desc_sddl(group_dn) - self.assertTrue(moded in desc_sddl) - self.assertTrue(mod in desc_sddl) - - def test_204(self): - """ OU with protected flag and add 'OI' ACE, child group. - See if the group has the added inherited ACE. - """ - ou_dn = "OU=test_inherit_ou," + self.base_dn - group_dn = "CN=test_inherit_group," + ou_dn - # Create inheritable-free OU - self.create_clean_ou(ou_dn) - # Add some custom 'CI' ACE - mod = "(D;OI;WP;;;DU)" - moded = "(D;;CC;;;LG)" - self.dacl_add_ace(ou_dn, mod) - desc_sddl = self.get_desc_sddl(ou_dn) - # Create group child object - self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)") - # Make sure created group object contains only the above inherited ACE - # that we've added manually - desc_sddl = self.get_desc_sddl(group_dn) - mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like - self.assertTrue(mod in desc_sddl) - self.modify_desc(self.ldb_admin, group_dn, "D:" +moded) - desc_sddl = self.get_desc_sddl(group_dn) - self.assertTrue(moded in desc_sddl) - self.assertTrue(mod in desc_sddl) - - def test_205(self): - """ OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group. - See if the group has the added inherited ACE. - """ - ou_dn = "OU=test_inherit_ou," + self.base_dn - group_dn = "CN=test_inherit_group," + ou_dn - # Create inheritable-free OU - self.create_clean_ou(ou_dn) - # Add some custom 'OA' for 'name' attribute & 'CI' ACE - mod = "(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)" - moded = "(D;;CC;;;LG)" - self.dacl_add_ace(ou_dn, mod) - desc_sddl = self.get_desc_sddl(ou_dn) - # Create group child object - self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)") - # Make sure created group object contains only the above inherited ACE - # that we've added manually - desc_sddl = self.get_desc_sddl(group_dn) - mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like - self.assertTrue(mod in desc_sddl) - self.modify_desc(self.ldb_admin, group_dn, "D:" + moded) - desc_sddl = self.get_desc_sddl(group_dn) - self.assertTrue(moded in desc_sddl) - self.assertTrue(mod in desc_sddl) - - def test_206(self): - """ OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group. - See if the group has the added inherited ACE. - """ - ou_dn = "OU=test_inherit_ou," + self.base_dn - group_dn = "CN=test_inherit_group," + ou_dn - # Create inheritable-free OU - self.create_clean_ou(ou_dn) - # Add some custom 'OA' for 'name' attribute & 'OI' ACE - mod = "(OA;OI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)" - moded = "(D;;CC;;;LG)" - self.dacl_add_ace(ou_dn, mod) - desc_sddl = self.get_desc_sddl(ou_dn) - # Create group child object - self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)") - # Make sure created group object contains only the above inherited ACE - # that we've added manually - desc_sddl = self.get_desc_sddl(group_dn) - mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like - self.assertTrue(mod in desc_sddl) - self.modify_desc(self.ldb_admin, group_dn, "D:" + moded) - desc_sddl = self.get_desc_sddl(group_dn) - self.assertTrue(moded in desc_sddl) - self.assertTrue(mod in desc_sddl) - - def test_207(self): - """ OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group. - See if the group has the added inherited ACE. - """ - ou_dn = "OU=test_inherit_ou," + self.base_dn - group_dn = "CN=test_inherit_group," + ou_dn - # Create inheritable-free OU - self.create_clean_ou(ou_dn) - # Add some custom 'OA' for 'st' attribute (OU specific) & 'CI' ACE - mod = "(OA;CI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" - moded = "(D;;CC;;;LG)" - self.dacl_add_ace(ou_dn, mod) - desc_sddl = self.get_desc_sddl(ou_dn) - # Create group child object - self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)") - # Make sure created group object contains only the above inherited ACE - # that we've added manually - desc_sddl = self.get_desc_sddl(group_dn) - mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like - self.assertTrue(mod in desc_sddl) - self.modify_desc(self.ldb_admin, group_dn, "D:" + moded) - desc_sddl = self.get_desc_sddl(group_dn) - self.assertTrue(moded in desc_sddl) - self.assertTrue(mod in desc_sddl) - - def test_208(self): - """ OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group. - See if the group has the added inherited ACE. - """ - ou_dn = "OU=test_inherit_ou," + self.base_dn - group_dn = "CN=test_inherit_group," + ou_dn - # Create inheritable-free OU - self.create_clean_ou(ou_dn) - # Add some custom 'OA' for 'st' attribute (OU specific) & 'OI' ACE - mod = "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" - moded = "(D;;CC;;;LG)" - self.dacl_add_ace(ou_dn, mod) - desc_sddl = self.get_desc_sddl(ou_dn) - # Create group child object - self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)") - # Make sure created group object contains only the above inherited ACE - # that we've added manually - desc_sddl = self.get_desc_sddl(group_dn) - mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like - self.assertTrue(mod in desc_sddl) - self.modify_desc(self.ldb_admin, group_dn, "D:(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + moded) - desc_sddl = self.get_desc_sddl(group_dn) - self.assertTrue(moded in desc_sddl) - self.assertTrue(mod in desc_sddl) - - def test_209(self): - """ OU with protected flag and add 'CI' ACE with 'CO' SID, child group. - See if the group has the added inherited ACE. - """ - ou_dn = "OU=test_inherit_ou," + self.base_dn - group_dn = "CN=test_inherit_group," + ou_dn - # Create inheritable-free OU - self.create_clean_ou(ou_dn) - # Add some custom 'CI' ACE - mod = "(D;CI;WP;;;CO)" - moded = "(D;;CC;;;LG)" - self.dacl_add_ace(ou_dn, mod) - desc_sddl = self.get_desc_sddl(ou_dn) - # Create group child object - self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)") - # Make sure created group object contains only the above inherited ACE(s) - # that we've added manually - desc_sddl = self.get_desc_sddl(group_dn) - self.assertTrue("(D;ID;WP;;;AU)" in desc_sddl) - self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl) - self.modify_desc(self.ldb_admin, group_dn, "D:" + moded) - desc_sddl = self.get_desc_sddl(group_dn) - self.assertTrue(moded in desc_sddl) - self.assertTrue("(D;ID;WP;;;DA)" in desc_sddl) - self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl) - - def test_210(self): - """ OU with protected flag, provide ACEs with ID flag raised. Should be ignored. - """ - ou_dn = "OU=test_inherit_ou," + self.base_dn - group_dn = "CN=test_inherit_group," + ou_dn - self.create_clean_ou(ou_dn) - # Add some custom ACE - mod = "D:(D;CIIO;WP;;;CO)(A;ID;WP;;;AU)" - self.create_domain_group(self.ldb_admin, group_dn, mod) - # Make sure created group object does not contain the ID ace - desc_sddl = self.get_desc_sddl(group_dn) - self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl) - - def test_211(self): - """ Provide ACE with CO SID, should be expanded and replaced - """ - ou_dn = "OU=test_inherit_ou," + self.base_dn - group_dn = "CN=test_inherit_group," + ou_dn - # Create inheritable-free OU - self.create_clean_ou(ou_dn) - # Add some custom 'CI' ACE - mod = "D:(D;CI;WP;;;CO)" - self.create_domain_group(self.ldb_admin, group_dn, mod) - desc_sddl = self.get_desc_sddl(group_dn) - self.assertTrue("(D;;WP;;;DA)(D;CIIO;WP;;;CO)" in desc_sddl) - - def test_212(self): - """ Provide ACE with IO flag, should be ignored - """ - ou_dn = "OU=test_inherit_ou," + self.base_dn - group_dn = "CN=test_inherit_group," + ou_dn - # Create inheritable-free OU - self.create_clean_ou(ou_dn) - # Add some custom 'CI' ACE - mod = "D:(D;CIIO;WP;;;CO)" - self.create_domain_group(self.ldb_admin, group_dn, mod) - # Make sure created group object contains only the above inherited ACE(s) - # that we've added manually - desc_sddl = self.get_desc_sddl(group_dn) - self.assertTrue("(D;CIIO;WP;;;CO)" in desc_sddl) - self.assertFalse("(D;;WP;;;DA)" in desc_sddl) - self.assertFalse("(D;CIIO;WP;;;CO)(D;CIIO;WP;;;CO)" in desc_sddl) - - def test_213(self): - """ Provide ACE with IO flag, should be ignored - """ - ou_dn = "OU=test_inherit_ou," + self.base_dn - group_dn = "CN=test_inherit_group," + ou_dn - # Create inheritable-free OU - self.create_clean_ou(ou_dn) - mod = "D:(D;IO;WP;;;DA)" - self.create_domain_group(self.ldb_admin, group_dn, mod) - # Make sure created group object contains only the above inherited ACE(s) - # that we've added manually - desc_sddl = self.get_desc_sddl(group_dn) - self.assertFalse("(D;IO;WP;;;DA)" in desc_sddl) - - ######################################################################################## - - -class SdFlagsDescriptorTests(DescriptorTests): - def deleteAll(self): - self.delete_force(self.ldb_admin, "OU=test_sdflags_ou," + self.base_dn) - - def setUp(self): - super(SdFlagsDescriptorTests, self).setUp() - self.test_descr = "O:AUG:AUD:(D;;CC;;;LG)S:(OU;;WP;;;AU)" - self.deleteAll() - - def test_301(self): - """ Modify a descriptor with OWNER_SECURITY_INFORMATION set. - See that only the owner has been changed. - """ - ou_dn = "OU=test_sdflags_ou," + self.base_dn - self.create_domain_ou(self.ldb_admin, ou_dn) - self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_OWNER)]) - desc_sddl = self.get_desc_sddl(ou_dn) - # make sure we have modified the owner - self.assertTrue("O:AU" in desc_sddl) - # make sure nothing else has been modified - self.assertFalse("G:AU" in desc_sddl) - self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl) - self.assertFalse("(OU;;WP;;;AU)" in desc_sddl) - - def test_302(self): - """ Modify a descriptor with GROUP_SECURITY_INFORMATION set. - See that only the owner has been changed. - """ - ou_dn = "OU=test_sdflags_ou," + self.base_dn - self.create_domain_ou(self.ldb_admin, ou_dn) - self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_GROUP)]) - desc_sddl = self.get_desc_sddl(ou_dn) - # make sure we have modified the group - self.assertTrue("G:AU" in desc_sddl) - # make sure nothing else has been modified - self.assertFalse("O:AU" in desc_sddl) - self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl) - self.assertFalse("(OU;;WP;;;AU)" in desc_sddl) - - def test_303(self): - """ Modify a descriptor with SACL_SECURITY_INFORMATION set. - See that only the owner has been changed. - """ - ou_dn = "OU=test_sdflags_ou," + self.base_dn - self.create_domain_ou(self.ldb_admin, ou_dn) - self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_DACL)]) - desc_sddl = self.get_desc_sddl(ou_dn) - # make sure we have modified the DACL - self.assertTrue("(D;;CC;;;LG)" in desc_sddl) - # make sure nothing else has been modified - self.assertFalse("O:AU" in desc_sddl) - self.assertFalse("G:AU" in desc_sddl) - self.assertFalse("(OU;;WP;;;AU)" in desc_sddl) - - def test_304(self): - """ Modify a descriptor with SACL_SECURITY_INFORMATION set. - See that only the owner has been changed. - """ - ou_dn = "OU=test_sdflags_ou," + self.base_dn - self.create_domain_ou(self.ldb_admin, ou_dn) - self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_SACL)]) - desc_sddl = self.get_desc_sddl(ou_dn) - # make sure we have modified the DACL - self.assertTrue("(OU;;WP;;;AU)" in desc_sddl) - # make sure nothing else has been modified - self.assertFalse("O:AU" in desc_sddl) - self.assertFalse("G:AU" in desc_sddl) - self.assertFalse("(D;;CC;;;LG)" in desc_sddl) - - def test_305(self): - """ Modify a descriptor with 0x0 set. - Contrary to logic this is interpreted as no control, - which is the same as 0xF - """ - ou_dn = "OU=test_sdflags_ou," + self.base_dn - self.create_domain_ou(self.ldb_admin, ou_dn) - self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:0"]) - desc_sddl = self.get_desc_sddl(ou_dn) - # make sure we have modified the DACL - self.assertTrue("(OU;;WP;;;AU)" in desc_sddl) - # make sure nothing else has been modified - self.assertTrue("O:AU" in desc_sddl) - self.assertTrue("G:AU" in desc_sddl) - self.assertTrue("(D;;CC;;;LG)" in desc_sddl) - - def test_306(self): - """ Modify a descriptor with 0xF set. - """ - ou_dn = "OU=test_sdflags_ou," + self.base_dn - self.create_domain_ou(self.ldb_admin, ou_dn) - self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:15"]) - desc_sddl = self.get_desc_sddl(ou_dn) - # make sure we have modified the DACL - self.assertTrue("(OU;;WP;;;AU)" in desc_sddl) - # make sure nothing else has been modified - self.assertTrue("O:AU" in desc_sddl) - self.assertTrue("G:AU" in desc_sddl) - self.assertTrue("(D;;CC;;;LG)" in desc_sddl) - - def test_307(self): - """ Read a descriptor with OWNER_SECURITY_INFORMATION - Only the owner part should be returned. - """ - ou_dn = "OU=test_sdflags_ou," + self.base_dn - self.create_domain_ou(self.ldb_admin, ou_dn) - desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_OWNER)]) - # make sure we have read the owner - self.assertTrue("O:" in desc_sddl) - # make sure we have read nothing else - self.assertFalse("G:" in desc_sddl) - self.assertFalse("D:" in desc_sddl) - self.assertFalse("S:" in desc_sddl) - - def test_308(self): - """ Read a descriptor with GROUP_SECURITY_INFORMATION - Only the group part should be returned. - """ - ou_dn = "OU=test_sdflags_ou," + self.base_dn - self.create_domain_ou(self.ldb_admin, ou_dn) - desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_GROUP)]) - # make sure we have read the owner - self.assertTrue("G:" in desc_sddl) - # make sure we have read nothing else - self.assertFalse("O:" in desc_sddl) - self.assertFalse("D:" in desc_sddl) - self.assertFalse("S:" in desc_sddl) - - def test_309(self): - """ Read a descriptor with SACL_SECURITY_INFORMATION - Only the sacl part should be returned. - """ - ou_dn = "OU=test_sdflags_ou," + self.base_dn - self.create_domain_ou(self.ldb_admin, ou_dn) - desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_SACL)]) - # make sure we have read the owner - self.assertTrue("S:" in desc_sddl) - # make sure we have read nothing else - self.assertFalse("O:" in desc_sddl) - self.assertFalse("D:" in desc_sddl) - self.assertFalse("G:" in desc_sddl) - - def test_310(self): - """ Read a descriptor with DACL_SECURITY_INFORMATION - Only the dacl part should be returned. - """ - ou_dn = "OU=test_sdflags_ou," + self.base_dn - self.create_domain_ou(self.ldb_admin, ou_dn) - desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_DACL)]) - # make sure we have read the owner - self.assertTrue("D:" in desc_sddl) - # make sure we have read nothing else - self.assertFalse("O:" in desc_sddl) - self.assertFalse("S:" in desc_sddl) - self.assertFalse("G:" in desc_sddl) - - -class RightsAttributesTests(DescriptorTests): - - def deleteAll(self): - self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr")) - self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr2")) - self.delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn) - - def setUp(self): - super(RightsAttributesTests, self).setUp() - self.deleteAll() - ### Create users - # User 1 - self.create_enable_user("testuser_attr") - # User 2, Domain Admins - self.create_enable_user("testuser_attr2") - self.add_user_to_group(self.ldb_admin, "testuser_attr2", "Domain Admins") - - def test_sDRightsEffective(self): - object_dn = "OU=test_domain_ou1," + self.base_dn - self.delete_force(self.ldb_admin, object_dn) - self.create_domain_ou(self.ldb_admin, object_dn) - print self.get_users_domain_dn("testuser_attr") - user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr")) - #give testuser1 read access so attributes can be retrieved - mod = "(A;CI;RP;;;%s)" % str(user_sid) - self.dacl_add_ace(object_dn, mod) - _ldb = self.get_ldb_connection("testuser_attr", "samba123@") - res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE, - attrs=["sDRightsEffective"]) - #user whould have no rights at all - self.assertEquals(len(res), 1) - self.assertEquals(res[0]["sDRightsEffective"][0], "0") - #give the user Write DACL and see what happens - mod = "(A;CI;WD;;;%s)" % str(user_sid) - self.dacl_add_ace(object_dn, mod) - res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE, - attrs=["sDRightsEffective"]) - #user whould have DACL_SECURITY_INFORMATION - self.assertEquals(len(res), 1) - self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % SECINFO_DACL) - #give the user Write Owners and see what happens - mod = "(A;CI;WO;;;%s)" % str(user_sid) - self.dacl_add_ace(object_dn, mod) - res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE, - attrs=["sDRightsEffective"]) - #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION - self.assertEquals(len(res), 1) - self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER)) - #no way to grant security privilege bu adding ACE's so we use a memeber of Domain Admins - _ldb = self.get_ldb_connection("testuser_attr2", "samba123@") - res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE, - attrs=["sDRightsEffective"]) - #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION - self.assertEquals(len(res), 1) - self.assertEquals(res[0]["sDRightsEffective"][0], \ - ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER | SECINFO_SACL)) - - def test_allowedChildClassesEffective(self): - object_dn = "OU=test_domain_ou1," + self.base_dn - self.delete_force(self.ldb_admin, object_dn) - self.create_domain_ou(self.ldb_admin, object_dn) - user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr")) - #give testuser1 read access so attributes can be retrieved - mod = "(A;CI;RP;;;%s)" % str(user_sid) - self.dacl_add_ace(object_dn, mod) - _ldb = self.get_ldb_connection("testuser_attr", "samba123@") - res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE, - attrs=["allowedChildClassesEffective"]) - #there should be no allowed child classes - self.assertEquals(len(res), 1) - self.assertFalse("allowedChildClassesEffective" in res[0].keys()) - #give the user the right to create children of type user - mod = "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid) - self.dacl_add_ace(object_dn, mod) - res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE, - attrs=["allowedChildClassesEffective"]) - # allowedChildClassesEffective should only have one value, user - self.assertEquals(len(res), 1) - self.assertEquals(len(res[0]["allowedChildClassesEffective"]), 1) - self.assertEquals(res[0]["allowedChildClassesEffective"][0], "user") - - def test_allowedAttributesEffective(self): - object_dn = "OU=test_domain_ou1," + self.base_dn - self.delete_force(self.ldb_admin, object_dn) - self.create_domain_ou(self.ldb_admin, object_dn) - user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr")) - #give testuser1 read access so attributes can be retrieved - mod = "(A;CI;RP;;;%s)" % str(user_sid) - self.dacl_add_ace(object_dn, mod) - _ldb = self.get_ldb_connection("testuser_attr", "samba123@") - res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE, - attrs=["allowedAttributesEffective"]) - #there should be no allowed attributes - self.assertEquals(len(res), 1) - self.assertFalse("allowedAttributesEffective" in res[0].keys()) - #give the user the right to write displayName and managedBy - mod2 = "(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid) - mod = "(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;%s)" % str(user_sid) - # also rights to modify an read only attribute, fromEntry - mod3 = "(OA;CI;WP;9a7ad949-ca53-11d1-bbd0-0080c76670c0;;%s)" % str(user_sid) - self.dacl_add_ace(object_dn, mod + mod2 + mod3) - res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE, - attrs=["allowedAttributesEffective"]) - # value should only contain user and managedBy - self.assertEquals(len(res), 1) - self.assertEquals(len(res[0]["allowedAttributesEffective"]), 2) - self.assertTrue("displayName" in res[0]["allowedAttributesEffective"]) - self.assertTrue("managedBy" in res[0]["allowedAttributesEffective"]) - -if not "://" in host: - if os.path.isfile(host): - host = "tdb://%s" % host - else: - host = "ldap://%s" % host - -ldb = SamDB(host, credentials=creds, session_info=system_session(), lp=lp, options=["modules:paged_searches"]) - -runner = SubunitTestRunner() -rc = 0 -if not runner.run(unittest.makeSuite(OwnerGroupDescriptorTests)).wasSuccessful(): - rc = 1 -if not runner.run(unittest.makeSuite(DaclDescriptorTests)).wasSuccessful(): - rc = 1 -if not runner.run(unittest.makeSuite(SdFlagsDescriptorTests)).wasSuccessful(): - rc = 1 -if not runner.run(unittest.makeSuite(RightsAttributesTests)).wasSuccessful(): - rc = 1 -sys.exit(rc) diff --git a/source4/lib/ldb/tests/python/urgent_replication.py b/source4/lib/ldb/tests/python/urgent_replication.py deleted file mode 100755 index 5e9f4ad128..0000000000 --- a/source4/lib/ldb/tests/python/urgent_replication.py +++ /dev/null @@ -1,386 +0,0 @@ -#!/usr/bin/env python -# -*- coding: utf-8 -*- - -import optparse -import sys -import os - -sys.path.append("bin/python") -import samba -samba.ensure_external_module("subunit", "subunit/python") -samba.ensure_external_module("testtools", "testtools") - -import samba.getopt as options - -from samba.auth import system_session -from ldb import (SCOPE_BASE, LdbError, ERR_NO_SUCH_OBJECT, Message, - MessageElement, Dn, FLAG_MOD_REPLACE) -from samba.samdb import SamDB -import samba.tests - -from subunit.run import SubunitTestRunner -import unittest - -parser = optparse.OptionParser("urgent_replication [options] ") -sambaopts = options.SambaOptions(parser) -parser.add_option_group(sambaopts) -parser.add_option_group(options.VersionOptions(parser)) -# use command line creds if available -credopts = options.CredentialsOptions(parser) -parser.add_option_group(credopts) -opts, args = parser.parse_args() - -if len(args) < 1: - parser.print_usage() - sys.exit(1) - -host = args[0] - -lp = sambaopts.get_loadparm() -creds = credopts.get_credentials(lp) - -class UrgentReplicationTests(samba.tests.TestCase): - - def delete_force(self, ldb, dn): - try: - ldb.delete(dn) - except LdbError, (num, _): - self.assertEquals(num, ERR_NO_SUCH_OBJECT) - - def find_basedn(self, ldb): - res = ldb.search(base="", expression="", scope=SCOPE_BASE, - attrs=["defaultNamingContext"]) - self.assertEquals(len(res), 1) - return res[0]["defaultNamingContext"][0] - - def setUp(self): - super(UrgentReplicationTests, self).setUp() - self.ldb = ldb - self.base_dn = self.find_basedn(ldb) - - print "baseDN: %s\n" % self.base_dn - - def test_nonurgent_object(self): - """Test if the urgent replication is not activated - when handling a non urgent object""" - self.ldb.add({ - "dn": "cn=nonurgenttest,cn=users," + self.base_dn, - "objectclass":"user", - "samaccountname":"nonurgenttest", - "description":"nonurgenttest description"}); - - # urgent replication should not be enabled when creating - res = self.ldb.load_partition_usn(self.base_dn) - self.assertNotEquals(res["uSNHighest"], res["uSNUrgent"]); - - # urgent replication should not be enabled when modifying - m = Message() - m.dn = Dn(ldb, "cn=nonurgenttest,cn=users," + self.base_dn) - m["description"] = MessageElement("new description", FLAG_MOD_REPLACE, - "description") - ldb.modify(m) - res = self.ldb.load_partition_usn(self.base_dn) - self.assertNotEquals(res["uSNHighest"], res["uSNUrgent"]); - - # urgent replication should not be enabled when deleting - self.delete_force(self.ldb, "cn=nonurgenttest,cn=users," + self.base_dn) - res = self.ldb.load_partition_usn(self.base_dn) - self.assertNotEquals(res["uSNHighest"], res["uSNUrgent"]); - - - def test_nTDSDSA_object(self): - '''Test if the urgent replication is activated - when handling a nTDSDSA object''' - self.ldb.add({ - "dn": "cn=test server,cn=Servers,cn=Default-First-Site-Name,cn=Sites,cn=Configuration," + self.base_dn, - "objectclass":"server", - "cn":"test server", - "name":"test server", - "systemFlags":"50000000"}); - - self.ldb.add_ldif( - """dn: cn=NTDS Settings test,cn=test server,cn=Servers,cn=Default-First-Site-Name,cn=Sites,cn=Configuration,%s""" % (self.base_dn) + """ -objectclass: nTDSDSA -cn: NTDS Settings test -options: 1 -instanceType: 4 -systemFlags: 33554432""", ["relax:0"]); - - # urgent replication should be enabled when creation - res = self.ldb.load_partition_usn("cn=Configuration," + self.base_dn) - self.assertEquals(res["uSNHighest"], res["uSNUrgent"]); - - # urgent replication should NOT be enabled when modifying - m = Message() - m.dn = Dn(ldb, "cn=NTDS Settings test,cn=test server,cn=Servers,cn=Default-First-Site-Name,cn=Sites,cn=Configuration," + self.base_dn) - m["options"] = MessageElement("0", FLAG_MOD_REPLACE, - "options") - ldb.modify(m) - res = self.ldb.load_partition_usn("cn=Configuration," + self.base_dn) - self.assertNotEquals(res["uSNHighest"], res["uSNUrgent"]); - - # urgent replication should be enabled when deleting - self.delete_force(self.ldb, "cn=NTDS Settings test,cn=test server,cn=Servers,cn=Default-First-Site-Name,cn=Sites,cn=Configuration," + self.base_dn) - res = self.ldb.load_partition_usn("cn=Configuration," + self.base_dn) - self.assertEquals(res["uSNHighest"], res["uSNUrgent"]); - - self.delete_force(self.ldb, "cn=test server,cn=Servers,cn=Default-First-Site-Name,cn=Sites,cn=Configuration," + self.base_dn) - - - def test_crossRef_object(self): - '''Test if the urgent replication is activated - when handling a crossRef object''' - self.ldb.add({ - "dn": "CN=test crossRef,CN=Partitions,CN=Configuration,"+ self.base_dn, - "objectClass": "crossRef", - "cn": "test crossRef", - "dnsRoot": lp.get("realm").lower(), - "instanceType": "4", - "nCName": self.base_dn, - "showInAdvancedViewOnly": "TRUE", - "name": "test crossRef", - "systemFlags": "1"}); - - # urgent replication should be enabled when creating - res = self.ldb.load_partition_usn("cn=Configuration," + self.base_dn) - self.assertEquals(res["uSNHighest"], res["uSNUrgent"]); - - # urgent replication should NOT be enabled when modifying - m = Message() - m.dn = Dn(ldb, "cn=test crossRef,CN=Partitions,CN=Configuration," + self.base_dn) - m["systemFlags"] = MessageElement("0", FLAG_MOD_REPLACE, - "systemFlags") - ldb.modify(m) - res = self.ldb.load_partition_usn("cn=Configuration," + self.base_dn) - self.assertNotEquals(res["uSNHighest"], res["uSNUrgent"]); - - - # urgent replication should be enabled when deleting - self.delete_force(self.ldb, "cn=test crossRef,CN=Partitions,CN=Configuration," + self.base_dn) - res = self.ldb.load_partition_usn("cn=Configuration," + self.base_dn) - self.assertEquals(res["uSNHighest"], res["uSNUrgent"]); - - - - def test_attributeSchema_object(self): - '''Test if the urgent replication is activated - when handling an attributeSchema object''' - - try: - self.ldb.add_ldif( - """dn: CN=test attributeSchema,cn=Schema,CN=Configuration,%s""" % self.base_dn + """ -objectClass: attributeSchema -cn: test attributeSchema -instanceType: 4 -isSingleValued: FALSE -showInAdvancedViewOnly: FALSE -attributeID: 0.9.2342.19200300.100.1.1 -attributeSyntax: 2.5.5.12 -adminDisplayName: test attributeSchema -adminDescription: test attributeSchema -oMSyntax: 64 -systemOnly: FALSE -searchFlags: 8 -lDAPDisplayName: test attributeSchema -name: test attributeSchema -systemFlags: 0""", ["relax:0"]); - - # urgent replication should be enabled when creating - res = self.ldb.load_partition_usn("cn=Schema,cn=Configuration," + self.base_dn) - self.assertEquals(res["uSNHighest"], res["uSNUrgent"]); - - except LdbError: - print "Not testing urgent replication when creating attributeSchema object ...\n" - - # urgent replication should be enabled when modifying - m = Message() - m.dn = Dn(ldb, "CN=test attributeSchema,CN=Schema,CN=Configuration," + self.base_dn) - m["lDAPDisplayName"] = MessageElement("updated test attributeSchema", FLAG_MOD_REPLACE, - "lDAPDisplayName") - ldb.modify(m) - res = self.ldb.load_partition_usn("cn=Schema,cn=Configuration," + self.base_dn) - self.assertEquals(res["uSNHighest"], res["uSNUrgent"]); - - - def test_classSchema_object(self): - '''Test if the urgent replication is activated - when handling a classSchema object''' - try: - self.ldb.add_ldif( - """dn: CN=test classSchema,CN=Schema,CN=Configuration,%s""" % self.base_dn + """ -objectClass: classSchema -cn: test classSchema -instanceType: 4 -subClassOf: top -governsID: 1.2.840.113556.1.5.999 -rDNAttID: cn -showInAdvancedViewOnly: TRUE -adminDisplayName: test classSchema -adminDescription: test classSchema -objectClassCategory: 1 -lDAPDisplayName: test classSchema -name: test classSchema -systemOnly: FALSE -systemPossSuperiors: dfsConfiguration -systemMustContain: msDFS-SchemaMajorVersion -defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCD - CLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;CO) -systemFlags: 16 -defaultHidingValue: TRUE""", ["relax:0"]); - - # urgent replication should be enabled when creating - res = self.ldb.load_partition_usn("cn=Schema,cn=Configuration," + self.base_dn) - self.assertEquals(res["uSNHighest"], res["uSNUrgent"]); - - except LdbError: - print "Not testing urgent replication when creating classSchema object ...\n" - - # urgent replication should be enabled when modifying - m = Message() - m.dn = Dn(ldb, "CN=test classSchema,CN=Schema,CN=Configuration," + self.base_dn) - m["lDAPDisplayName"] = MessageElement("updated test classSchema", FLAG_MOD_REPLACE, - "lDAPDisplayName") - ldb.modify(m) - res = self.ldb.load_partition_usn("cn=Schema,cn=Configuration," + self.base_dn) - self.assertEquals(res["uSNHighest"], res["uSNUrgent"]); - - - def test_secret_object(self): - '''Test if the urgent replication is activated - when handling a secret object''' - - self.ldb.add({ - "dn": "cn=test secret,cn=System," + self.base_dn, - "objectClass":"secret", - "cn":"test secret", - "name":"test secret", - "currentValue":"xxxxxxx"}); - - - # urgent replication should be enabled when creating - res = self.ldb.load_partition_usn(self.base_dn) - self.assertEquals(res["uSNHighest"], res["uSNUrgent"]); - - # urgent replication should be enabled when modifying - m = Message() - m.dn = Dn(ldb, "cn=test secret,cn=System," + self.base_dn) - m["currentValue"] = MessageElement("yyyyyyyy", FLAG_MOD_REPLACE, - "currentValue") - ldb.modify(m) - res = self.ldb.load_partition_usn(self.base_dn) - self.assertEquals(res["uSNHighest"], res["uSNUrgent"]); - - # urgent replication should NOT be enabled when deleting - self.delete_force(self.ldb, "cn=test secret,cn=System," + self.base_dn) - res = self.ldb.load_partition_usn(self.base_dn) - self.assertNotEquals(res["uSNHighest"], res["uSNUrgent"]); - - - def test_rIDManager_object(self): - '''Test if the urgent replication is activated - when handling a rIDManager object''' - self.ldb.add_ldif( - """dn: CN=RID Manager test,CN=System,%s""" % self.base_dn + """ -objectClass: rIDManager -cn: RID Manager test -instanceType: 4 -showInAdvancedViewOnly: TRUE -name: RID Manager test -systemFlags: -1946157056 -isCriticalSystemObject: TRUE -rIDAvailablePool: 133001-1073741823""", ["relax:0"]) - - # urgent replication should be enabled when creating - res = self.ldb.load_partition_usn(self.base_dn) - self.assertEquals(res["uSNHighest"], res["uSNUrgent"]); - - # urgent replication should be enabled when modifying - m = Message() - m.dn = Dn(ldb, "CN=RID Manager test,CN=System," + self.base_dn) - m["systemFlags"] = MessageElement("0", FLAG_MOD_REPLACE, - "systemFlags") - ldb.modify(m) - res = self.ldb.load_partition_usn(self.base_dn) - self.assertEquals(res["uSNHighest"], res["uSNUrgent"]); - - # urgent replication should NOT be enabled when deleting - self.delete_force(self.ldb, "CN=RID Manager test,CN=System," + self.base_dn) - res = self.ldb.load_partition_usn(self.base_dn) - self.assertNotEquals(res["uSNHighest"], res["uSNUrgent"]); - - - def test_urgent_attributes(self): - '''Test if the urgent replication is activated - when handling urgent attributes of an object''' - - self.ldb.add({ - "dn": "cn=user UrgAttr test,cn=users," + self.base_dn, - "objectclass":"user", - "samaccountname":"user UrgAttr test", - "userAccountControl":"1", - "lockoutTime":"0", - "pwdLastSet":"0", - "description":"urgent attributes test description"}); - - # urgent replication should NOT be enabled when creating - res = self.ldb.load_partition_usn(self.base_dn) - self.assertNotEquals(res["uSNHighest"], res["uSNUrgent"]); - - # urgent replication should be enabled when modifying userAccountControl - m = Message() - m.dn = Dn(ldb, "cn=user UrgAttr test,cn=users," + self.base_dn) - m["userAccountControl"] = MessageElement("0", FLAG_MOD_REPLACE, - "userAccountControl") - ldb.modify(m) - res = self.ldb.load_partition_usn(self.base_dn) - self.assertEquals(res["uSNHighest"], res["uSNUrgent"]); - - # urgent replication should be enabled when modifying lockoutTime - m = Message() - m.dn = Dn(ldb, "cn=user UrgAttr test,cn=users," + self.base_dn) - m["lockoutTime"] = MessageElement("1", FLAG_MOD_REPLACE, - "lockoutTime") - ldb.modify(m) - res = self.ldb.load_partition_usn(self.base_dn) - self.assertEquals(res["uSNHighest"], res["uSNUrgent"]); - - # urgent replication should be enabled when modifying pwdLastSet - m = Message() - m.dn = Dn(ldb, "cn=user UrgAttr test,cn=users," + self.base_dn) - m["pwdLastSet"] = MessageElement("1", FLAG_MOD_REPLACE, - "pwdLastSet") - ldb.modify(m) - res = self.ldb.load_partition_usn(self.base_dn) - self.assertEquals(res["uSNHighest"], res["uSNUrgent"]); - - # urgent replication should NOT be enabled when modifying a not-urgent - # attribute - m = Message() - m.dn = Dn(ldb, "cn=user UrgAttr test,cn=users," + self.base_dn) - m["description"] = MessageElement("updated urgent attributes test description", - FLAG_MOD_REPLACE, "description") - ldb.modify(m) - res = self.ldb.load_partition_usn(self.base_dn) - self.assertNotEquals(res["uSNHighest"], res["uSNUrgent"]); - - # urgent replication should NOT be enabled when deleting - self.delete_force(self.ldb, "cn=user UrgAttr test,cn=users," + self.base_dn) - res = self.ldb.load_partition_usn(self.base_dn) - self.assertNotEquals(res["uSNHighest"], res["uSNUrgent"]); - - -if not "://" in host: - if os.path.isfile(host): - host = "tdb://%s" % host - else: - host = "ldap://%s" % host - - -ldb = SamDB(host, credentials=creds, session_info=system_session(), lp=lp, - global_schema=False) - -runner = SubunitTestRunner() -rc = 0 -if not runner.run(unittest.makeSuite(UrgentReplicationTests)).wasSuccessful(): - rc = 1 -sys.exit(rc) diff --git a/source4/selftest/tests.sh b/source4/selftest/tests.sh index 706c01a88c..3f2cb82915 100755 --- a/source4/selftest/tests.sh +++ b/source4/selftest/tests.sh @@ -493,21 +493,21 @@ plantestsuite "samba3sam.python" none PYTHONPATH="$PYTHONPATH:$samba4srcdir/dsdb plantestsuite "subunit.python" none $SUBUNITRUN subunit plantestsuite "rpcecho.python" dc:local $SUBUNITRUN samba.tests.dcerpc.rpcecho plantestsuite "winreg.python" dc:local $SUBUNITRUN -U\$USERNAME%\$PASSWORD samba.tests.dcerpc.registry -plantestsuite "ldap.python" dc PYTHONPATH="$PYTHONPATH:../lib/subunit/python:../lib/testtools" $PYTHON $samba4srcdir/lib/ldb/tests/python/ldap.py \$SERVER -U\$USERNAME%\$PASSWORD -W \$DOMAIN -plantestsuite "schemaInfo.python" dc PYTHONPATH="$PYTHONPATH:$samba4srcdir/lib/ldb/tests/python/" $SUBUNITRUN dsdb_schema_info -U"\$DOMAIN/\$DC_USERNAME"%"\$DC_PASSWORD" -plantestsuite "urgent_replication.python" dc PYTHONPATH="$PYTHONPATH:../lib/subunit/python:../lib/testtools" $PYTHON $samba4srcdir/lib/ldb/tests/python/urgent_replication.py \$PREFIX_ABS/dc/private/sam.ldb +plantestsuite "ldap.python" dc PYTHONPATH="$PYTHONPATH:../lib/subunit/python:../lib/testtools" $PYTHON $samba4srcdir/dsdb/tests/python/ldap.py \$SERVER -U\$USERNAME%\$PASSWORD -W \$DOMAIN +plantestsuite "schemaInfo.python" dc PYTHONPATH="$PYTHONPATH:$samba4srcdir/dsdb/tests/python/" $SUBUNITRUN dsdb_schema_info -U"\$DOMAIN/\$DC_USERNAME"%"\$DC_PASSWORD" +plantestsuite "urgent_replication.python" dc PYTHONPATH="$PYTHONPATH:../lib/subunit/python:../lib/testtools" $PYTHON $samba4srcdir/dsdb/tests/python/urgent_replication.py \$PREFIX_ABS/dc/private/sam.ldb for env in "dc" "fl2000dc" "fl2003dc" "fl2008r2dc"; do - plantestsuite "ldap_schema.python" $env PYTHONPATH="$PYTHONPATH:../lib/subunit/python:../lib/testtools" $PYTHON $samba4srcdir/lib/ldb/tests/python/ldap_schema.py \$SERVER -U\$USERNAME%\$PASSWORD -W \$DOMAIN + plantestsuite "ldap_schema.python" $env PYTHONPATH="$PYTHONPATH:../lib/subunit/python:../lib/testtools" $PYTHON $samba4srcdir/dsdb/tests/python/ldap_schema.py \$SERVER -U\$USERNAME%\$PASSWORD -W \$DOMAIN plantestsuite "ldap.possibleInferiors.python" $env $PYTHON $samba4srcdir/dsdb/samdb/ldb_modules/tests/possibleinferiors.py ldap://\$SERVER -U\$USERNAME%\$PASSWORD -W \$DOMAIN - plantestsuite "ldap.secdesc.python" $env PYTHONPATH="$PYTHONPATH:../lib/subunit/python:../lib/testtools" $PYTHON $samba4srcdir/lib/ldb/tests/python/sec_descriptor.py \$SERVER -U\$USERNAME%\$PASSWORD -W \$DOMAIN - plantestsuite "ldap.acl.python" $env PYTHONPATH="$PYTHONPATH:../lib/subunit/python:../lib/testtools" $PYTHON $samba4srcdir/lib/ldb/tests/python/acl.py \$SERVER -U\$USERNAME%\$PASSWORD -W \$DOMAIN - plantestsuite "ldap.passwords.python" $env PYTHONPATH="$PYTHONPATH:../lib/subunit/python:../lib/testtools" $PYTHON $samba4srcdir/lib/ldb/tests/python/passwords.py \$SERVER -U\$USERNAME%\$PASSWORD -W \$DOMAIN + plantestsuite "ldap.secdesc.python" $env PYTHONPATH="$PYTHONPATH:../lib/subunit/python:../lib/testtools" $PYTHON $samba4srcdir/dsdb/tests/python/sec_descriptor.py \$SERVER -U\$USERNAME%\$PASSWORD -W \$DOMAIN + plantestsuite "ldap.acl.python" $env PYTHONPATH="$PYTHONPATH:../lib/subunit/python:../lib/testtools" $PYTHON $samba4srcdir/dsdb/tests/python/acl.py \$SERVER -U\$USERNAME%\$PASSWORD -W \$DOMAIN + plantestsuite "ldap.passwords.python" $env PYTHONPATH="$PYTHONPATH:../lib/subunit/python:../lib/testtools" $PYTHON $samba4srcdir/dsdb/tests/python/passwords.py \$SERVER -U\$USERNAME%\$PASSWORD -W \$DOMAIN done plantestsuite "upgradeprovisiondc.python" dc:local $SUBUNITRUN samba.tests.upgradeprovisionneeddc plantestsuite "upgradeprovisionnodc.python" none $SUBUNITRUN samba.tests.upgradeprovision plantestsuite "xattr.python" none $SUBUNITRUN samba.tests.xattr plantestsuite "ntacls.python" none $SUBUNITRUN samba.tests.ntacls -plantestsuite "deletetest.python" dc PYTHONPATH="$PYTHONPATH:../lib/subunit/python:../lib/testtools" $PYTHON $samba4srcdir/lib/ldb/tests/python/deletetest.py \$SERVER -U\$USERNAME%\$PASSWORD -W \$DOMAIN +plantestsuite "deletetest.python" dc PYTHONPATH="$PYTHONPATH:../lib/subunit/python:../lib/testtools" $PYTHON $samba4srcdir/dsdb/tests/python/deletetest.py \$SERVER -U\$USERNAME%\$PASSWORD -W \$DOMAIN plantestsuite "policy.python" none PYTHONPATH="$PYTHONPATH:lib/policy/tests/python" $SUBUNITRUN bindings plantestsuite "blackbox.samba3dump" none $PYTHON $samba4srcdir/scripting/bin/samba3dump $samba4srcdir/../testdata/samba3 rm -rf $PREFIX/upgrade -- cgit