# Tests start here
#
-class AclTests(samba.tests.TestCase):
-
- def delete_force(self, ldb, dn):
- try:
- ldb.delete(dn)
- except LdbError, (num, _):
- self.assertEquals(num, ERR_NO_SUCH_OBJECT)
-
- def find_basedn(self, ldb):
- res = ldb.search(base="", expression="", scope=SCOPE_BASE,
- attrs=["defaultNamingContext"])
- self.assertEquals(len(res), 1)
- return res[0]["defaultNamingContext"][0]
-
- def find_domain_sid(self, ldb):
- res = ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_BASE)
- return ndr_unpack(security.dom_sid,res[0]["objectSid"][0])
+class AclTests(samba.tests.DsdbTestCase):
def setUp(self):
super(AclTests, self).setUp()
self.ldb_admin = ldb
- self.base_dn = self.find_basedn(self.ldb_admin)
+ self.base_dn = ldb.domain_dn()
self.domain_sid = self.find_domain_sid(self.ldb_admin)
self.user_pass = "samba123@"
- res = self.ldb_admin.search(base="", expression="", scope=SCOPE_BASE,
- attrs=["configurationNamingContext"])
- self.configuration_dn = res[0]["configurationNamingContext"][0]
+ self.configuration_dn = self.ldb_admin.get_config_basedn().get_linearized()
print "baseDN: %s" % self.base_dn
def get_user_dn(self, name):
elif isinstance(desc, security.descriptor):
mod += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
self.ldb_admin.modify_ldif(mod)
-
- def add_group_member(self, _ldb, group_dn, member_dn):
- """ Modify user to ge member of a group
- e.g. User to be 'Doamin Admin' group member
- """
- ldif = """
-dn: """ + group_dn + """
-changetype: modify
-add: member
-member: """ + member_dn
- _ldb.modify_ldif(ldif)
def create_ou(self, _ldb, ou_dn, desc=None):
ldif = """
self.create_active_user(self.ldb_admin, self.get_user_dn(username))
self.ldb_admin.enable_account("(sAMAccountName=" + username + ")")
- def set_dsheuristics(self, dsheuristics):
- m = Message()
- m.dn = Dn(self.ldb_admin, "CN=Directory Service, CN=Windows NT, CN=Services, "
- + self.configuration_dn)
- if dsheuristics is not None:
- m["dSHeuristics"] = MessageElement(dsheuristics, FLAG_MOD_REPLACE,
- "dSHeuristics")
- else:
- m["dSHeuristics"] = MessageElement([], FLAG_MOD_DELETE, "dsHeuristics")
- self.ldb_admin.modify(m)
-
- def set_minPwdAge(self, value):
- m = Message()
- m.dn = Dn(self.ldb_admin, self.base_dn)
- m["minPwdAge"] = MessageElement(value, FLAG_MOD_REPLACE, "minPwdAge")
- self.ldb_admin.modify(m)
-
#tests on ldap add operations
class AclAddTests(AclTests):
self.create_enable_user(self.regular_user)
# add admins to the Domain Admins group
- self.add_group_member(self.ldb_admin, "CN=Domain Admins,CN=Users," + self.base_dn, \
- self.get_user_dn(self.usr_admin_owner))
- self.add_group_member(self.ldb_admin, "CN=Domain Admins,CN=Users," + self.base_dn, \
- self.get_user_dn(self.usr_admin_not_owner))
+ self.ldb_admin.add_remove_group_members("Domain Admins", self.usr_admin_owner,
+ add_members_operation=True)
+ self.ldb_admin.add_remove_group_members("Domain Admins", self.usr_admin_not_owner,
+ add_members_operation=True)
self.ldb_owner = self.get_ldb_connection(self.usr_admin_owner, self.user_pass)
self.ldb_notowner = self.get_ldb_connection(self.usr_admin_not_owner, self.user_pass)
self.create_enable_user(self.u2)
self.create_enable_user(self.u3)
self.create_security_group(self.ldb_admin, self.get_user_dn(self.group1))
- self.add_group_member(self.ldb_admin, self.get_user_dn(self.group1), \
- self.get_user_dn(self.u2))
+ self.ldb_admin.add_remove_group_members(self.group1, self.u2,
+ add_members_operation=True)
self.ldb_user = self.get_ldb_connection(self.u1, self.user_pass)
self.ldb_user2 = self.get_ldb_connection(self.u2, self.user_pass)
self.ldb_user3 = self.get_ldb_connection(self.u3, self.user_pass)
def test_search_anonymous3(self):
"""Set dsHeuristics and repeat"""
- self.set_dsheuristics("0000002")
+ self.set_dsheuristics(self.ldb_admin, "0000002")
self.create_ou(self.ldb_admin, "OU=test_search_ou1," + self.base_dn)
mod = "(A;CI;LC;;;AN)"
self.dacl_add_ace("OU=test_search_ou1," + self.base_dn, mod)
self.assertEquals(len(res), 1)
self.assertTrue("dn" in res[0])
self.assertTrue(res[0]["dn"] == Dn(self.ldb_admin, self.configuration_dn))
- self.set_dsheuristics(self.dsheuristics)
+ self.set_dsheuristics(self.ldb_admin, self.dsheuristics)
def test_search1(self):
"""Make sure users can see us if given LC to user and group"""
self.minPwdAge = res[0]["minPwdAge"][0]
# Set the "dSHeuristics" to have the tests run against Windows Server
- self.set_dsheuristics("000000001")
+ self.set_dsheuristics(self.ldb_admin, "000000001")
# Set minPwdAge to 0
- self.set_minPwdAge("0")
+ self.set_minPwdAge(self.ldb_admin, "0")
def tearDown(self):
super(AclCARTests, self).tearDown()
#restore original values
- self.set_dsheuristics(self.dsheuristics)
- self.set_minPwdAge(self.minPwdAge)
+ self.set_dsheuristics(self.ldb_admin,self.dsheuristics)
+ self.set_minPwdAge(self.ldb_admin, self.minPwdAge)
self.delete_force(self.ldb_admin, self.get_user_dn(self.user_with_wp))
self.delete_force(self.ldb_admin, self.get_user_dn(self.user_with_pc))
add: userPassword
userPassword: thatsAcomplPASS2
""")
+ # This fails on Windows 2000 domain level with constraint violation
except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+ self.assertTrue(num == ERR_CONSTRAINT_VIOLATION or
+ num == ERR_UNWILLING_TO_PERFORM)
else:
self.fail()
+
def test_change_password7(self):
"""Try a password change operation without any CARs given"""
#users have change password by default - remove for negative testing
self.fail()
mod = "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;PS)"
self.dacl_add_ace(self.get_user_dn(self.user_with_wp), mod)
- self.ldb_user.modify_ldif("""
+ try:
+ self.ldb_user.modify_ldif("""
dn: """ + self.get_user_dn(self.user_with_wp) + """
changetype: modify
replace: userPassword
userPassword: thatsAcomplPASS1
""")
+ # This fails on Windows 2000 domain level with constraint violation
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
def test_reset_password3(self):
"""Grant WP and see what happens (unicodePwd)"""
"""Explicitly deny WP but grant CAR (userPassword)"""
mod = "(D;;WP;;;PS)(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;PS)"
self.dacl_add_ace(self.get_user_dn(self.user_with_wp), mod)
- self.ldb_user.modify_ldif("""
+ try:
+ self.ldb_user.modify_ldif("""
dn: """ + self.get_user_dn(self.user_with_wp) + """
changetype: modify
replace: userPassword
userPassword: thatsAcomplPASS1
""")
+ # This fails on Windows 2000 domain level with constraint violation
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
class AclExtendedTests(AclTests):
self.create_enable_user(self.u1)
self.create_enable_user(self.u2)
self.create_enable_user(self.u3)
- self.add_group_member(self.ldb_admin, "CN=Domain Admins,CN=Users," + self.base_dn,
- self.get_user_dn(self.u3))
+ self.ldb_admin.add_remove_group_members("Domain Admins", self.u3,
+ add_members_operation=True)
self.ldb_user1 = self.get_ldb_connection(self.u1, self.user_pass)
self.ldb_user2 = self.get_ldb_connection(self.u2, self.user_pass)
self.ldb_user3 = self.get_ldb_connection(self.u3, self.user_pass)