It doesn't make much sense to set all three (the user, service and computer authentication policies) to the same policy.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Optional description for the authentication silo.
</para></listitem>
</varlistentry>
- <varlistentry>
- <term>--policy</term>
- <listitem><para>
- Use single policy for all principals in this silo.
- </para></listitem>
- </varlistentry>
<varlistentry>
<term>--user-policy</term>
<listitem><para>
Optional description for the authentication silo.
</para></listitem>
</varlistentry>
- <varlistentry>
- <term>--policy</term>
- <listitem><para>
- Use single policy for all principals in this silo.
- </para></listitem>
- </varlistentry>
<varlistentry>
<term>--user-policy</term>
<listitem><para>
Option("--description",
help="Optional description for authentication silo.",
dest="description", action="store", type=str),
- Option("--policy",
- help="Use single policy for all principals in this silo.",
- dest="policy", action="store", type=str),
Option("--user-policy",
help="User account policy.",
dest="user_policy", action="store", type=str),
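Review bot: With `--policy` gone, the `--user-policy` help string on the line `help="User account policy.",` no longer tells the operator that the three policies are independent and that leaving one unset presumably leaves that kind of principal in the silo with no policy assigned, since the removed fallback is what used to fill the other two. Suggest `help="Authentication policy applied to user accounts in this silo (optional; service and computer accounts are covered only by their own options).",` with matching wording for the service and computer options, which sit outside this hunk, and for the modify command's options at L59–L67. The manpage context at L5 and L17 still describes `--user-policy` as "Optional description for the authentication silo.", which looks like a copy of the `--description` entry and could be corrected in the same change.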
raise CommandError(e)
def run(self, hostopts=None, sambaopts=None, credopts=None, name=None,
- description=None, policy=None, user_policy=None,
- service_policy=None, computer_policy=None, protect=None,
- unprotect=None, audit=None, enforce=None):
+ description=None, user_policy=None, service_policy=None,
+ computer_policy=None, protect=None, unprotect=None, audit=None,
+ enforce=None):
if protect and unprotect:
raise CommandError("--protect and --unprotect cannot be used together.")
if audit and enforce:
raise CommandError("--audit and --enforce cannot be used together.")
- # If --policy is present start with that as the base. Then optionally
- # --user-policy, --service-policy, --computer-policy can override this.
- if policy is not None:
- user_policy = user_policy or policy
- service_policy = service_policy or policy
- computer_policy = computer_policy or policy
-
ldb = self.ldb_connect(hostopts, sambaopts, credopts)
try:
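Review bot: Nothing in the visible part of the new `run()` requires at least one of `user_policy`, `service_policy` or `computer_policy` once the `--policy` fallback is deleted, so `silo create --name X` with no policy option would presumably reach `ldb_connect` and create a silo that assigns no policy to any member; the rest of `run()` is outside the hunk, so this may already be handled further down. If it is not, a guard next to the existing mutual-exclusion checks makes the failure explicit and easy to detect in scripts: `if user_policy is None and service_policy is None and computer_policy is None:` followed by `raise CommandError("At least one of --user-policy, --service-policy or --computer-policy is required.")`. The modify command's `run()` at L69–L88 has the same shape, but there an all-`None` set legitimately means "leave the policies unchanged", so the guard belongs to create only.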
Option("--description",
help="Optional description for authentication silo.",
dest="description", action="store", type=str),
- Option("--policy",
- help="Set single policy for all principals in this silo.",
- dest="policy", action="store", type=str),
Option("--user-policy",
help="Set User account policy.",
dest="user_policy", action="store", type=str),
raise CommandError(e)
def run(self, hostopts=None, sambaopts=None, credopts=None, name=None,
- description=None, policy=None, user_policy=None,
- service_policy=None, computer_policy=None, protect=None,
- unprotect=None, audit=None, enforce=None):
+ description=None, user_policy=None, service_policy=None,
+ computer_policy=None, protect=None, unprotect=None, audit=None,
+ enforce=None):
if audit and enforce:
raise CommandError("--audit and --enforce cannot be used together.")
if protect and unprotect:
raise CommandError("--protect and --unprotect cannot be used together.")
- # If --policy is set then start with that for all policies.
- # They can be individually overridden as well after that.
- if policy is not None:
- user_policy = user_policy or policy
- service_policy = service_policy or policy
- computer_policy = computer_policy or policy
-
ldb = self.ldb_connect(hostopts, sambaopts, credopts)
try:
@classmethod
def setUpTestData(cls):
- cls.create_authentication_policy(name="Single Policy")
cls.create_authentication_policy(name="User Policy")
cls.create_authentication_policy(name="Service Policy")
cls.create_authentication_policy(name="Computer Policy")
cls.create_authentication_silo(name="Developers",
description="Developers, Developers",
- policy="Single Policy")
+ user_policy="User Policy")
cls.create_authentication_silo(name="Managers",
description="Managers",
- policy="Single Policy")
+ user_policy="User Policy")
cls.create_authentication_silo(name="QA",
description="Quality Assurance",
user_policy="User Policy",
assert "Deleted authentication policy" in out
@classmethod
- def create_authentication_silo(cls, name, description=None, policy=None,
+ def create_authentication_silo(cls, name, description=None,
user_policy=None, service_policy=None,
computer_policy=None, audit=False,
protect=False):
# Base command for create authentication policy.
cmd = ["domain", "auth", "silo", "create", "--name", name]
- # If --policy is present, use a singular authentication policy.
- # otherwise use --user-policy, --service-policy, --computer-policy
- if policy is not None:
- cmd += ["--policy", policy]
- else:
- cmd += ["--user-policy", user_policy,
- "--service-policy", service_policy,
- "--computer-policy", computer_policy]
+ # Authentication policies.
+ if user_policy:
+ cmd += ["--user-policy", user_policy]
+ if service_policy:
+ cmd += ["--service-policy", service_policy]
+ if computer_policy:
+ cmd += ["--computer-policy", computer_policy]
# Other optional attributes.
if description is not None:
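Review bot: The new guards `if user_policy:`, `if service_policy:` and `if computer_policy:` test truthiness, while the neighbouring optional attribute on the next line is tested with `if description is not None:`; the helper's signature defaults all three policies to `None`, so `is not None` is the consistent test and also lets an explicit empty string reach the command line the way `--description ""` would. Suggest `if user_policy is not None:` and the same for the other two. The context comment `# Base command for create authentication policy.` above the hunk describes a `silo create` command and should say silo. The helper continues past the end of the hunk.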
result, out, err = self.runcmd("domain", "auth", "policy", "list")
self.assertIsNone(result, msg=err)
- expected_policies = [
- "Single Policy", "User Policy", "Service Policy", "Computer Policy"]
+ expected_policies = ["User Policy", "Service Policy", "Computer Policy"]
for policy in expected_policies:
self.assertIn(policy, out)
# we should get valid json
policies = json.loads(out)
- expected_policies = [
- "Single Policy", "User Policy", "Service Policy", "Computer Policy"]
+ expected_policies = ["User Policy", "Service Policy", "Computer Policy"]
for name in expected_policies:
policy = policies[name]
def test_authentication_policy_view(self):
"""Test viewing a single authentication policy."""
result, out, err = self.runcmd("domain", "auth", "policy", "view",
- "--name", "Single Policy")
+ "--name", "User Policy")
self.assertIsNone(result, msg=err)
# we should get valid json
policy = json.loads(out)
# check a few fields only
- self.assertEqual(policy["cn"], "Single Policy")
+ self.assertEqual(policy["cn"], "User Policy")
self.assertEqual(policy["msDS-AuthNPolicyEnforced"], True)
def test_authentication_policy_view_notfound(self):
def test_authentication_policy_create_already_exists(self):
"""Test creating a new authentication policy that already exists."""
result, out, err = self.runcmd("domain", "auth", "policy", "create",
- "--name", "Single Policy")
+ "--name", "User Policy")
self.assertEqual(result, -1)
- self.assertIn("Authentication policy Single Policy already exists", err)
+ self.assertIn("Authentication policy User Policy already exists", err)
def test_authentication_policy_create_name_missing(self):
"""Test create authentication policy without --name argument."""
def test_authentication_policy_modify_audit_enforce_together(self):
"""Test modify auth policy using both --audit and --enforce."""
result, out, err = self.runcmd("domain", "auth", "policy", "modify",
- "--name", "Single Policy",
+ "--name", "User Policy",
"--audit", "--enforce")
self.assertEqual(result, -1)
self.assertIn("--audit and --enforce cannot be used together.", err)
def test_authentication_policy_modify_protect_unprotect_together(self):
"""Test modify authentication policy using --protect and --unprotect."""
result, out, err = self.runcmd("domain", "auth", "policy", "modify",
- "--name", "Single Policy",
+ "--name", "User Policy",
"--protect", "--unprotect")
self.assertEqual(result, -1)
self.assertIn("--protect and --unprotect cannot be used together.", err)
with patch.object(SamDB, "modify") as modify_mock:
modify_mock.side_effect = ModelError("Custom error message")
result, out, err = self.runcmd("domain", "auth", "policy", "modify",
- "--name", "Single Policy",
+ "--name", "User Policy",
"--description", "New description")
self.assertEqual(result, -1)
self.assertIn("Custom error message", err)
silo = silos[name]
self.assertIn("msDS-AuthNPolicySilo", list(silo["objectClass"]))
self.assertIn("description", silo)
- self.assertIn("msDS-ComputerAuthNPolicy", silo)
- self.assertIn("msDS-ServiceAuthNPolicy", silo)
self.assertIn("msDS-UserAuthNPolicy", silo)
self.assertIn("objectGUID", silo)
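Review bot: Dropping `self.assertIn("msDS-ComputerAuthNPolicy", silo)` and `self.assertIn("msDS-ServiceAuthNPolicy", silo)` from this loop leaves no assertion in the visible hunks that a silo created with all three policies actually stores the service and computer attributes; the same two assertions are removed again at L229–L230. Since the loop runs over every listed silo and only some fixtures now carry all three policies, the check could be kept for the ones that do, e.g. `if name == "QA":` guarding `self.assertIn("msDS-ServiceAuthNPolicy", silo)` and `self.assertIn("msDS-ComputerAuthNPolicy", silo)`, assuming the QA fixture at L103–L105 (cut off in this view) still sets all three. The enclosing test starts outside the hunk.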
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name", "singlePolicy",
- "--policy", "Single Policy")
+ "--user-policy", "User Policy")
self.assertIsNone(result, msg=err)
# Check silo that was created
silo = self.get_authentication_silo("singlePolicy")
self.assertEqual(str(silo["cn"]), "singlePolicy")
- self.assertIn("Single Policy", str(silo["msDS-UserAuthNPolicy"]))
- self.assertIn("Single Policy", str(silo["msDS-ServiceAuthNPolicy"]))
- self.assertIn("Single Policy", str(silo["msDS-ComputerAuthNPolicy"]))
+ self.assertIn("User Policy", str(silo["msDS-UserAuthNPolicy"]))
self.assertEqual(str(silo["msDS-AuthNPolicySiloEnforced"]), "TRUE")
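Review bot: The `singlePolicy` test now only asserts the user attribute; the deleted lines were the only check of the old copy-to-all-three behaviour, and nothing asserts that it no longer happens, so a regression that reintroduced the fan-out would still pass. Add `self.assertNotIn("msDS-ServiceAuthNPolicy", silo)` and `self.assertNotIn("msDS-ComputerAuthNPolicy", silo)` after the `msDS-UserAuthNPolicy` assertion, which pins the intended result that a service or computer account in this silo gets no policy from it. The DN variant at L214–L231 needs the same two assertions after L228. The test's `def` line is outside the hunk.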
def test_authentication_silo_create_multiple_policies(self):
def test_authentication_silo_create_policy_dn(self):
"""Test creating a new authentication silo when policy is a dn."""
- policy = self.get_authentication_policy("Single Policy")
+ policy = self.get_authentication_policy("User Policy")
self.addCleanup(self.delete_authentication_silo,
name="singlePolicyDN", force=True)
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name", "singlePolicyDN",
- "--policy", policy["dn"])
+ "--user-policy", policy["dn"])
self.assertIsNone(result, msg=err)
# Check silo that was created
silo = self.get_authentication_silo("singlePolicyDN")
self.assertEqual(str(silo["cn"]), "singlePolicyDN")
self.assertIn(str(policy["name"]), str(silo["msDS-UserAuthNPolicy"]))
- self.assertIn(str(policy["name"]), str(silo["msDS-ServiceAuthNPolicy"]))
- self.assertIn(str(policy["name"]), str(silo["msDS-ComputerAuthNPolicy"]))
self.assertEqual(str(silo["msDS-AuthNPolicySiloEnforced"]), "TRUE")
def test_authentication_silo_create_already_exists(self):
"""Test creating a new authentication silo that already exists."""
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name", "Developers",
- "--policy", "Single Policy")
+ "--user-policy", "User Policy")
self.assertEqual(result, -1)
self.assertIn("Authentication silo Developers already exists.", err)
def test_authentication_silo_create_name_missing(self):
"""Test create authentication silo without --name argument."""
result, out, err = self.runcmd("domain", "auth", "silo", "create",
- "--policy", "Single Policy")
+ "--user-policy", "User Policy")
self.assertEqual(result, -1)
self.assertIn("Argument --name is required.", err)
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name", "auditPolicies",
- "--policy", "Single Policy",
+ "--user-policy", "User Policy",
"--audit")
self.assertIsNone(result, msg=err)
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name", "enforcePolicies",
- "--policy", "Single Policy",
+ "--user-policy", "User Policy",
"--enforce")
self.assertIsNone(result, msg=err)
"""Test create authentication silo using both --audit and --enforce."""
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name", "enforceTogether",
- "--policy", "Single Policy",
+ "--user-policy", "User Policy",
"--audit", "--enforce")
self.assertEqual(result, -1)
self.assertIn("--audit and --enforce cannot be used together.", err)
"""Test create authentication silo using --protect and --unprotect."""
result, out, err = self.runcmd("domain", "auth", "silo",
"create", "--name", "protectTogether",
- "--policy", "Single Policy",
+ "--user-policy", "User Policy",
"--protect", "--unprotect")
self.assertEqual(result, -1)
self.assertIn("--protect and --unprotect cannot be used together.", err)
"""Test create authentication silo with a policy that doesn't exist."""
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name", "policyNotFound",
- "--policy", "Invalid Policy")
+ "--user-policy", "Invalid Policy")
self.assertEqual(result, -1)
self.assertIn("Authentication policy Invalid Policy not found.", err)
add_mock.side_effect = ModelError("Custom error message")
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name", "createFails",
- "--policy", "Single Policy")
+ "--user-policy", "User Policy")
self.assertEqual(result, -1)
self.assertIn("Custom error message", err)
# Create non-protected authentication silo.
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name=deleteTest",
- "--policy", "User Policy")
+ "--user-policy", "User Policy")
self.assertIsNone(result, msg=err)
silo = self.get_authentication_silo("deleteTest")
self.assertIsNotNone(silo)
# Create protected authentication silo.
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name=deleteProtected",
- "--policy", "User Policy",
+ "--user-policy", "User Policy",
"--protect")
self.assertIsNone(result, msg=err)
silo = self.get_authentication_silo("deleteProtected")
# Create protected authentication silo.
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name=deleteForceFail",
- "--policy", "User Policy",
+ "--user-policy", "User Policy",
"--protect")
self.assertIsNone(result, msg=err)
silo = self.get_authentication_silo("deleteForceFail")
# Create regular authentication silo.
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name=regularSilo",
- "--policy", "User Policy")
+ "--user-policy", "User Policy")
self.assertIsNone(result, msg=err)
silo = self.get_authentication_silo("regularSilo")
self.assertIsNotNone(silo)
# Create protected authentication silo.
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name=protectedSilo",
- "--policy", "User Policy",
+ "--user-policy", "User Policy",
"--protect")
self.assertIsNone(result, msg=err)
silo = self.get_authentication_silo("protectedSilo")